Re: [Samba] Making Linux and domain users the same
That did it! Thank you very much. For the benefit of those who come after, here's a bit more detail:

If your Windows domain is WINDOMAIN, add these two lines to the global section of your smb.conf file:

    idmap config windomain : backend = nss
    idmap config windomain : range = 1000-99

This mapped the Windows domain users to local NIS-based Unix users. This is what we needed, as users could now manipulate files in their own home directories from their Windows boxes.

Notes:

1) In the idmap statements, the domain must (apparently) be lowercase.

2) In the range statement, make sure that the range of numbers includes all the UIDs of your users. In our case, we had a user with a Unix UID of 96 (bad sysadmin! bad!), so my idmap range was actually 96-99. I didn't confirm that this was necessary.

3) Caveat: One thing was missing: this does *not* fix the user's primary group membership. On our system, for instance, local users belong to the group user, but /Samba users belong to the group domain users. I haven't checked to see if they are also members of user (or of other Unix groups that the local user belongs to), since this wasn't something we needed.

- Original Message -
From: TAKAHASHI Motonobu mo...@monyo.com
To: org-sa...@freed.com
Cc: samba@lists.samba.org, tm-samba201...@firstgrade.co.uk
Sent: Sunday, March 3, 2013 1:30:52 AM GMT -05:00 US/Canada Eastern
Subject: Re: [Samba] Making Linux and domain users the same

From: org-sa...@freed.com
Date: Sat, 2 Mar 2013 08:44:34 -0500 (EST)

Is your /etc/nsswitch.conf setup to use winbind?

Yes -- and winbindd is running.

    $ ls -n
    total 4
    -rw-r--r-- 112903 100 3 Mar 2 03:40 File_Created_In_Linux
    -rwxrw-rw- 1 16777217 16777216 3 Mar 1 13:12 File_Created_In_Windows

And:

    [global]
    idmap uid = 16777216-33554431

So your joe user is picking up an IDMAPped UID. That's expected behaviour unless Samba is told any other way to map the name to a Unix UID - it needs to get that information from somewhere.

Use idmap_nss instead of idmap_tdb (default). idmap_nss picks uid/gid from /etc/passwd or its alternatives (such as NIS), instead of generating its own value.

---
TAKAHASHI Motonobu mo...@monyo.com / @damemonyo
facebook.com/takahashi.motonobu

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
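Files written before a switch to idmap_nss keep the numeric uid/gid that winbind allocated from the old range, so they no longer match the user's NSS identity. The following is an added example, not code from the thread: it walks a tree and lists entries owned by IDs inside the allocation range quoted above so they can be re-owned. The uid 1001 / gid 100 pair is constructed, and the demo injects fake ownership data so that it runs without root.

```python
import os
import tempfile
from collections import namedtuple

# Allocation range from the "idmap uid = 16777216-33554431" line in the thread.
ALLOC_LOW, ALLOC_HIGH = 16777216, 33554431

# Minimal stand-in for os.stat_result, used only by the demo below.
FakeStat = namedtuple("FakeStat", "st_uid st_gid")


def is_allocated(idnum, low=ALLOC_LOW, high=ALLOC_HIGH):
    """True if idnum lies in the range winbind allocates IDs from."""
    return low <= idnum <= high


def find_allocated_owners(root, lstat=os.lstat):
    """Return sorted (path, uid, gid) for entries owned by an allocated ID.

    lstat is injectable so the scan can be tested without chown rights;
    on a real server leave it at the default.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = lstat(path)
            if is_allocated(st.st_uid) or is_allocated(st.st_gid):
                hits.append((path, st.st_uid, st.st_gid))
    return sorted(hits)


def demo():
    """Build a scratch directory and scan it with constructed ownership."""
    owners = {
        # Constructed NSS-style uid/gid for the file created on Linux.
        "File_Created_In_Linux": FakeStat(1001, 100),
        # uid/gid shown for the Windows-created file in the thread.
        "File_Created_In_Windows": FakeStat(16777217, 16777216),
    }
    with tempfile.TemporaryDirectory() as root:
        for name in owners:
            with open(os.path.join(root, name), "w") as fh:
                fh.write("x\n")

        def fake_lstat(path):
            return owners[os.path.basename(path)]

        hits = find_allocated_owners(root, lstat=fake_lstat)
        return [(os.path.basename(p), uid, gid) for p, uid, gid in hits]


if __name__ == "__main__":
    for name, uid, gid in demo():
        print("%s is owned by allocated ids %d:%d" % (name, uid, gid))
```

On a real server, call find_allocated_owners() on the share root as root and compare each hit against the owner's NSS uid before changing ownership.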
Re: [Samba] Making Linux and domain users the same
Thanks once again, Tris. As you see from the previous message, it turns out that there was a simple method to get what I needed. But I still appreciate your help, and the time you took to describe a complex solution in careful detail.

- Original Message -
From: Tris Mabbs tm-samba201...@firstgrade.co.uk
To: Phil Freed u...@freed.com
Sent: Saturday, March 2, 2013 6:22:35 PM GMT -05:00 US/Canada Eastern
Subject: RE: [Samba] Making Linux and domain users the same

Hiya Phil,

Glad the message may have been of some interest or use :-)

If you mean we need a separate LDAP server, I can set that up

- no, no need for that, your PDC will quite happily be doing that for you already and that should be sufficient. The only issue you *might* have with using it is if you do have to disable VLVs within LDAP (and you may not - depends largely on your Linux LDAP client if I remember rightly), you may have problems if you're also running Exchange 2010 - Exchange tends to require VLVs enabled for looking up address books and the like. If you're not running Exchange, it won't be a problem even if you do have to disable VLVs.

Best thing is follow the Linux doc.s to setup LDAP (if it isn't already, and from the sound of things it may be in your inherited setup!); if you hit problems, search the M$ KBs for disabling VLV (I think M$ call it Virtual List View). It's something like run adsiedit.msc, expand Configuration[DomainController], expand CN=Configuration,DC=DomainName, expand CN=Services, expand CN=Windows NT; right-click CN=Directory Service and pick Properties, in Attributes, click msds-Other-Settings and pick Edit; scroll through the values until you find any DisableVLVSupport=x (where 'x'=0) and change 'x' to 1; if there is no DisableVLVSupport= entry, create one and set it to 1. Or something like that; you may not even need to do it.

It's all actually somewhat less complicated than it sounds ... If you can get the LDAP client configuration correct, and figure out what you actually need from the example I posted, it should all just snap into place and start working. Then you'll sit back, scratch your head and think Well, if it was that easy, why couldn't I get it working before? :-) Been there, done that - took me bloomin' ages to get a configuration that worked properly in our setup but now I have it all looks so simple!

... abandon this and write a setfacl script to allow both users to access files in the home directories ...

- ah, yes - word of warning about that ... The IDMAP mappings are (potentially) transitory, so you may find that suddenly people can't access things again ... By then, of course, you'll have forgotten how and why you did it (if you're anything like me) and it'll be even more frustrating ...

It really does all work very well, when you have it working - until then, it's a right b!tch ... Still, I'm sure you'll get there :-)

Good luck!

Tris.
[Samba] no network interfaces found on OpenIndiana (Illumos)
Hi,

I've downloaded the samba 3.6.12 OpenCSW package. I joined openindiana to the active directory, winbind seems to work fine, I see all the users with wbinfo -u. However, my samba server is not starting. It seems that there is no network card found.

    [2013/03/06 10:40:39.068405, 0] lib/interface.c:543(load_interfaces)
      WARNING: no network interfaces found
    [2013/03/06 10:40:39.072795, 0] smbd/server.c:1082(main)
      standard input is not a socket, assuming -D option
    ...
    [2013/03/06 10:40:39.205210, 0] smbd/server.c:746(open_sockets_smbd)
      open_sockets_smbd: No sockets available to bind to.

Is there some problem that the get_interfaces(talloc_tos(), ifaces); call returns no interfaces on solaris/openindiana? Any idea?

I sure have interfaces:

    root@openindiana:/# ifconfig -a
    lo0: flags=2001000849UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL mtu 8232 index 1
            inet 127.0.0.1 netmask ff00
    e1000g0: flags=1004843UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4 mtu 1500 index 3
            inet 192.168.250.8 netmask ff00 broadcast 192.168.250.255
            ether 8:0:27:bd:35:de
    lo0: flags=2002000849UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL mtu 8252 index 1
            inet6 ::1/128
    e1000g0: flags=20002004841UP,RUNNING,MULTICAST,DHCP,IPv6 mtu 1500 index 3
            inet6 fe80::a00:27ff:febd:35de/10
            ether 8:0:27:bd:35:de
[Samba] S4 : trusting 2003 domain
Hi! I want to trust a 2003 domain on my S4 PDC. The final is to access shares on 2003 domain. How do I do this? Thanks
[Samba] SAMBA bringing NFS server to a halt
Hello,

We have a Red Hat 5.3 SAMBA 3.0.33-3.7 Server that shares a few directories to 4 other servers. The other servers are Red Hat 5.3 and one Solaris 10 server.

I configured SAMBA to do the following for each share:

    Force User: User1
    Force Group: Group1
    Create Mask: 02770
    Security Mask: 02770
    Directory Mask: 02770
    Directory Security Mask: 02770
    Inherit Permissions: Yes
    Inherit ACLS: Yes
    Inherit Owner: Yes
    Guest Okay: Yes

When the other servers mount the SAMBA shares they work fine until someone starts using SVN or Eclipse. This brings the SAMBA server to basically a halt. Looking at the processes I see about 15000 instances of SMB running. I try running top to see a list of processes but it takes about 10 minutes for it to start and then it will hang when it tries to do its first refresh.

Looking at the logs I don't see anything that really stands out on why it is slowing down. Is there something I'm doing wrong in this configuration?

Thanks.
Re: [Samba] SAMBA bringing NFS server to a halt
On Wed, 2013-03-06 at 06:33 -0500, Joseph, Matthew (EXP) wrote:

Hello, We have a Red Hat 5.3 SAMBA 3.0.33-3.7 Server that shares a few directories to 4 other servers. The other servers are Red Hat 5.3 and one Solaris 10 server.

Stop right there. Nobody here could care less about someone running a wildly out of date server. There are numerous NFS and Samba fixes in RHEL 5.9 over 5.3 some of which are critical bugs, performance issues and others are ones that make your box open to remote root compromises.

Upgrade to RHEL 5.9 and get back if you still have a problem.

JAB.

--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] SAMBA bringing NFS server to a halt
I disagree. There can be many reasons why using a later version of a system or an application is not possible. Just as an example, I manage a number of UNIX servers running a range of very old OSes - Solaris 8, AIX 4 and others. I think the oldest operating system we have is a version of MPE/iX. That is part of how we make money. Apart from that, your tone seems to suggest that your mission is not to help and support, but to put somebody down and make them feel stupid; not very commendable, I think. /jan From: samba-boun...@lists.samba.org [samba-boun...@lists.samba.org] on behalf of Jonathan Buzzard [jonat...@buzzard.me.uk] Sent: 06 March 2013 13:02 To: Joseph, Matthew (EXP) Cc: samba@lists.samba.org Subject: Re: [Samba] SAMBA bringing NFS server to a halt On Wed, 2013-03-06 at 06:33 -0500, Joseph, Matthew (EXP) wrote: Hello, We have a Red Hat 5.3 SAMBA 3.0.33-3.7 Server that shares a few directories to 4 other servers. The other servers are Red Hat 5.3 and one Solaris 10 server. Stop right there. Nobody here could care less about someone running a wildly out of date server. There are numerous NFS and Samba fixes in RHEL 5.9 over 5.3 some of which are critical bugs, performance issues and others are ones that make your box open to remote root compromises. Upgrade to RHEL 5.9 and get back if you still have a problem. JAB. -- Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk Fife, United Kingdom. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] EXTERNAL: Re: SAMBA bringing NFS server to a halt
Hello JAB, Thank you for taking the time to respond to this in a very helpful manner... If the SAMBA community does not care about helping someone with a wildly out of date server then they should state that before letting someone join the mailing list. This is a production server on a closed LAN which we don't have the option of upgrading it to RHEL 5.9 or greater in the near future. So with that being said, anyone have any experience with what I am dealing with? Thanks -Original Message- From: Jonathan Buzzard [mailto:jonat...@buzzard.me.uk] Sent: Wednesday, March 06, 2013 9:03 AM To: Joseph, Matthew (EXP) Cc: samba@lists.samba.org Subject: EXTERNAL: Re: [Samba] SAMBA bringing NFS server to a halt On Wed, 2013-03-06 at 06:33 -0500, Joseph, Matthew (EXP) wrote: Hello, We have a Red Hat 5.3 SAMBA 3.0.33-3.7 Server that shares a few directories to 4 other servers. The other servers are Red Hat 5.3 and one Solaris 10 server. Stop right there. Nobody here could care less about someone running a wildly out of date server. There are numerous NFS and Samba fixes in RHEL 5.9 over 5.3 some of which are critical bugs, performance issues and others are ones that make your box open to remote root compromises. Upgrade to RHEL 5.9 and get back if you still have a problem. JAB. -- Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk Fife, United Kingdom. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] EXTERNAL: Re: SAMBA bringing NFS server to a halt
On 03/06/2013 08:28 AM, Joseph, Matthew (EXP) wrote:

Hello JAB, Thank you for taking the time to respond to this in a very helpful manner... If the SAMBA community does not care about helping someone with a wildly out of date server then they should state that before letting someone join the mailing list.

Do not ascribe to the whole community the shortcomings of an individuals the volunteers 'his' opinion please.

This is a production server on a closed LAN which we don't have the option of upgrading it to RHEL 5.9 or greater in the near future. So with that being said, anyone have any experience with what I am dealing with?

Unless you have 15000 servers connected the fact you have that many processes indicates a serious issue with the server or at least one of the clients. Samba creates just 1 single process per client and all its requests are served by that process. If you are seeing multiple processes it means the client is opening multiple connections. That is wrong and indicates there is probably a bug with either server processes crashing, becoming unresponsive or both, or the client misbehaving.

You may want to consider trying playing with the following parameters on your samba server:

- deadtime
- max connections
- keepalive
- reset on zero vc

You may also want to prevent samba from dumping core if that is activated as it could put pressure on disks and the kernel if too many processes core all at once.

HTH,
Simo.
Re: [Samba] EXTERNAL: Re: SAMBA bringing NFS server to a halt
Hi Matthew, I am not the best person to help you, regrettably, but I do run samba, so perhaps I can say something that is helpful, even if only by accident. What strikes me is the number of smbd processes; do you really have as many as 15000? I would expect most systems to run out of steam before the process list got that long, but I think there is a way of limiting the number of smb processes. I had a brief look at the man page for smb.conf (which seems to reside in /etc/samba, normally), but there is an obscene number of parameters, so I didn't find the relevant one. I'd suggest that you set a reasonable limit, though; when the limit is reached, users won't be able to connect, but the ones that are on will have a decent performance, at least. It surprises me that this should be connected to SVN or Eclipse; unless you have many 1000s of users you shouldn't really get that many smbd processes. A way to get closer to the source of the problem would be to look in the logs (usually in /var/log/samba, or so); there should be one log per connecting system. What I usually do is delete them all and then look at them a shortish while later when they seem to have grown somewhat. I suspect you will see the same message over and over and hopefully that will give you some idea of what is wrong. I hope this will help you; or if not, perhaps it will provoke a better answer from somebody who knows better. /jan From: samba-boun...@lists.samba.org [samba-boun...@lists.samba.org] on behalf of Joseph, Matthew (EXP) [matthew.jos...@lmco.com] Sent: 06 March 2013 13:28 To: Jonathan Buzzard Cc: samba@lists.samba.org Subject: Re: [Samba] EXTERNAL: Re: SAMBA bringing NFS server to a halt Hello JAB, Thank you for taking the time to respond to this in a very helpful manner... If the SAMBA community does not care about helping someone with a wildly out of date server then they should state that before letting someone join the mailing list. 
This is a production server on a closed LAN which we don't have the option of upgrading it to RHEL 5.9 or greater in the near future. So with that being said, anyone have any experience with what I am dealing with? Thanks -Original Message- From: Jonathan Buzzard [mailto:jonat...@buzzard.me.uk] Sent: Wednesday, March 06, 2013 9:03 AM To: Joseph, Matthew (EXP) Cc: samba@lists.samba.org Subject: EXTERNAL: Re: [Samba] SAMBA bringing NFS server to a halt On Wed, 2013-03-06 at 06:33 -0500, Joseph, Matthew (EXP) wrote: Hello, We have a Red Hat 5.3 SAMBA 3.0.33-3.7 Server that shares a few directories to 4 other servers. The other servers are Red Hat 5.3 and one Solaris 10 server. Stop right there. Nobody here could care less about someone running a wildly out of date server. There are numerous NFS and Samba fixes in RHEL 5.9 over 5.3 some of which are critical bugs, performance issues and others are ones that make your box open to remote root compromises. Upgrade to RHEL 5.9 and get back if you still have a problem. JAB. -- Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk Fife, United Kingdom. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] EXTERNAL: Re: SAMBA bringing NFS server to a halt
On Wed, 2013-03-06 at 08:28 -0500, Joseph, Matthew (EXP) wrote:

Hello JAB, Thank you for taking the time to respond to this in a very helpful manner... If the SAMBA community does not care about helping someone with a wildly out of date server then they should state that before letting someone join the mailing list.

Given you are running RHEL, you should over the last four years have been reading the security bulletins for RHEL and responding to them appropriately. It should be apparent to any sensible person that the first step would be to check that my distribution does not have fixes for the problems that I am seeing. (hint I am 99% certain it does).

This is a production server on a closed LAN which we don't have the option of upgrading it to RHEL 5.9 or greater in the near future.

No lan is that closed. That you have no procedure for upgrading the OS on your server which suffers from a number of remote root security holes that require nothing more than a connection to your network is very bad practice.

So with that being said, anyone have any experience with what I am dealing with?

Read your distro release and security notes. I am 99% certain that this is a known problem that can be fixed by upgrading.

JAB.

--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] EXTERNAL: Re: SAMBA bringing NFS server to a halt
A few things aren't clear:

- Are Solaris and RHEL servers mounting shares from the primary server as samba clients or NFS clients?
- Are people running SVN and Eclipse on Windows or RHEL systems?
- Are you using samba to reshare NFS shares?

I run a mixed environment of Windows and Linux clients with Solaris servers running samba. The linux clients use NFS (v4 is now the default.) Some of the things I have found are that

- It is worth patching solaris to get later version of Samba - if you are using ZFS (not ufs) and you have a complex environment with LDAP and domain trusts. But you really have to test carefully before an upgrade.
- Do not use samba to reshare NFS or autofs shares.

How are clients checking stuff out from SVN? Via a nfs file share, samba file share, sftp or ssh?

I understand the need to maintain stability with a server OS. But I think you do have to plan for an eventual OS upgrade/patch otherwise you end up with a system that you can't get support on.

Are you also looking at output of vmstat or iostat? If disk i/o gets too high, clients may repeat read/write requests which just causes a feedback loop exacerbating the situation. I have seen this with nfs clients. It is like everyone yelling louder to get heard because everyone is yelling.

On 03/06/13 08:47, Simo wrote:

On 03/06/2013 08:28 AM, Joseph, Matthew (EXP) wrote:

Hello JAB, Thank you for taking the time to respond to this in a very helpful manner... If the SAMBA community does not care about helping someone with a wildly out of date server then they should state that before letting someone join the mailing list.

Do not ascribe to the whole community the shortcomings of an individuals the volunteers 'his' opinion please.

This is a production server on a closed LAN which we don't have the option of upgrading it to RHEL 5.9 or greater in the near future. So with that being said, anyone have any experience with what I am dealing with?

Unless you have 15000 servers connected the fact you have that many processes indicates a serious issue with the server or at least one of the clients. Samba creates just 1 single process per client and all its requests are served by that process. If you are seeing multiple processes it means the client is opening multiple connections. That is wrong and indicates there is probably a bug with either server processes crashing, becoming unresponsive or both, or the client misbehaving.

You may want to consider trying playing with the following parameters on your samba server:

- deadtime
- max connections
- keepalive
- reset on zero vc

You may also want to prevent samba from dumping core if that is activated as it could put pressure on disks and the kernel if too many processes core all at once.

HTH,
Simo.
Re: [Samba] EXTERNAL: Re: SAMBA bringing NFS server to a halt
Presuming you have a RHEL subscription, you should be able to download the ISO's and patches on an internet machine and xfr via sneaker net (USB drive, DVD) to the internal network. You can even set up an internal yum repository. Even with out an internet connection, you still have to consider internal security concerns. With Solaris, you can also download the latest monthly patch cluster (assuming you have a support contract.) This will bring up to samba 3.5.x. or 3.6.x. It also fixes some issues with max group membership, and I recall some mention of kernel and nfs bug fixes. Just make sure you backup all your samba config before patching. On 03/06/13 09:12, Jonathan Buzzard wrote: On Wed, 2013-03-06 at 08:28 -0500, Joseph, Matthew (EXP) wrote: Hello JAB, Thank you for taking the time to respond to this in a very helpful manner... If the SAMBA community does not care about helping someone with a wildly out of date server then they should state that before letting someone join the mailing list. Given you are running RHEL, you should have been over the last four years been reading the security bulletins for RHEL and responding to them appropriately. It should be apparent to any sensible person that the first step would be to check that my distribution does not have fixes for the problems that I am seeing. (hint I am 99% certain it does). This is a production server on a closed LAN which we don't have the option of upgrading it to RHEL 5.9 or greater in the near future. No lan is that closed. That you have no procedure for upgrading the OS on your server which suffers from a number of remote root security holes that require nothing more than a connection to your network is very bad practice. So with that being said, anyone have any experience with what I am dealing with? Read your distro release and security notes. I am 99% certain that this is a known problem that can be fixed by upgrading. JAB. 
Re: [Samba] EXTERNAL: Re: SAMBA bringing NFS server to a halt
My apologizes Simo, I did not intend with that comment to put down the Samba community as a whole I was just trying to point out a fault with a certain user. I will try fooling around with those options that you listed below and see if any of them remedy my issue. Thanks for taking the time and effort on this issue. Matt -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Simo Sent: Wednesday, March 06, 2013 9:47 AM To: samba@lists.samba.org Subject: Re: [Samba] EXTERNAL: Re: SAMBA bringing NFS server to a halt On 03/06/2013 08:28 AM, Joseph, Matthew (EXP) wrote: Hello JAB, Thank you for taking the time to respond to this in a very helpful manner... If the SAMBA community does not care about helping someone with a wildly out of date server then they should state that before letting someone join the mailing list. Do not ascribe to the whole community the shortcomings of an individuals the volunteers 'his' opinion please. This is a production server on a closed LAN which we don't have the option of upgrading it to RHEL 5.9 or greater in the near future. So with that being said, anyone have any experience with what I am dealing with? Unless you have 15000 servers connected the fact you have that many processes indicates a serious issue with the server or at least one of the clients. Samba creates just 1 single process per client and all its requests are served by that process. If you are seeing multiple processes it means the client is opening multiple connections. That is wrong and indicate there is probably a bug with either server processes crashing, becoming unresponsive or both, or the client misbehaving.. 
You may want to consider trying playing with the following parameters on your samba server: - deadtime - max connections - keepalive - reset on zero vc You may also want to prevent samba from dumping core if that is activated as it could put pressure on disks and the kernel if too many processes core all at once. HTH, Simo. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] EXTERNAL: Re: SAMBA bringing NFS server to a halt
Hello JAB, You need to understand that installing patches and upgrading servers is not a simple task when it comes to my situation. My first step is to try to figure out if it's a OS fault or if it can be fixed with modifying configurations of the OS or in this case Samba (or my configuration of Samba). You are making a lot of assumptions which is fine if that is what you choose to believe. It is a completely closed LAN with multiple layers of security so let's leave it at that. If the solution is to install patches then it is something I will look into but again that is a long process that I would prefer not to go into if it is not needed for this situation. -Original Message- From: Jonathan Buzzard [mailto:jonat...@buzzard.me.uk] Sent: Wednesday, March 06, 2013 10:12 AM To: Joseph, Matthew (EXP) Cc: samba@lists.samba.org Subject: RE: EXTERNAL: Re: [Samba] SAMBA bringing NFS server to a halt On Wed, 2013-03-06 at 08:28 -0500, Joseph, Matthew (EXP) wrote: Hello JAB, Thank you for taking the time to respond to this in a very helpful manner... If the SAMBA community does not care about helping someone with a wildly out of date server then they should state that before letting someone join the mailing list. Given you are running RHEL, you should have been over the last four years been reading the security bulletins for RHEL and responding to them appropriately. It should be apparent to any sensible person that the first step would be to check that my distribution does not have fixes for the problems that I am seeing. (hint I am 99% certain it does). This is a production server on a closed LAN which we don't have the option of upgrading it to RHEL 5.9 or greater in the near future. No lan is that closed. That you have no procedure for upgrading the OS on your server which suffers from a number of remote root security holes that require nothing more than a connection to your network is very bad practice. 
So with that being said, anyone have any experience with what I am dealing with? Read your distro release and security notes. I am 99% certain that this is a known problem that can be fixed by upgrading. JAB. -- Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk Fife, United Kingdom. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] ldap-query operating system attribute
Hello,

I'm running samba 4.0.3. When I query the operatingsystem attribute using

    ldapsearch ... -P 3 (objectCategory=computer)

the operatingsystem value returned for Windows 7 Professionnel N is

    operatingSystem:: V2luZG93c8KgNyBQcm9mZXNzaW9ubmVsIE4=

which translates to Windows 7 Professionnel N

But when I look at it using dsa.msc I can read Windows 7 Professionnel N

For other systems, it's fine, I've got Windows XP Professional, Mac OS X, Windows 7 Professionnel

I've got only the problem for the 'N' version. Could someone let me know if he can see or not the same problem.

thanks

--
Ali
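In LDIF output the double colon in `operatingSystem::` marks a base64-encoded value, which RFC 2849 requires whenever the value is not a plain safe string. The following is an added example, not part of the original post: it decodes the quoted value and reports which character forced the encoding (here U+00A0 NO-BREAK SPACE after "Windows"). The DNs and the second entry are constructed, and the quoted value is folded across two lines to exercise LDIF line unfolding.

```python
import base64
import unicodedata

# Constructed LDIF: the operatingSystem:: value is the one quoted in the post
# (folded over two lines, as LDIF permits); DNs and second entry are invented.
SAMPLE_LDIF = (
    "dn: CN=PC1,CN=Computers,DC=example,DC=com\n"
    "operatingSystem:: V2luZG93c8KgNyBQcm9mZXNz\n"
    " aW9ubmVsIE4=\n"
    "\n"
    "dn: CN=PC2,CN=Computers,DC=example,DC=com\n"
    "operatingSystem: Windows 7 Professionnel\n"
)


def unfold(ldif_text):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_attr_line(line):
    """Return (attribute, text value, was_base64) for one unfolded line."""
    attr, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an attribute line: %r" % line)
    if rest.startswith(":"):  # "attr:: <base64>"
        raw = base64.b64decode(rest[1:].strip(), validate=True)
        return attr, raw.decode("utf-8"), True
    return attr, rest.lstrip(" "), False


def base64_reasons(value):
    """List why RFC 2849 forces base64 for this value (empty = plain is fine)."""
    reasons = []
    if value[:1] in (" ", ":", "<"):
        reasons.append("unsafe first character")
    if value.endswith(" "):
        reasons.append("trailing space")
    for index, ch in enumerate(value):
        if ch in "\x00\r\n" or ord(ch) > 127:
            name = unicodedata.name(ch, "<control>")
            reasons.append("U+%04X %s at index %d" % (ord(ch), name, index))
    return reasons


def comparable(value):
    """NFKC-normalise so U+00A0 compares equal to an ordinary space."""
    return unicodedata.normalize("NFKC", value)


def audit(ldif_text, attr_name="operatingSystem"):
    """Return [(value, was_base64, reasons)] for every attr_name line."""
    results = []
    for line in unfold(ldif_text):
        if not line or line.startswith("#"):
            continue
        attr, value, was_b64 = parse_attr_line(line)
        if attr.lower() == attr_name.lower():
            results.append((value, was_b64, base64_reasons(value)))
    return results


if __name__ == "__main__":
    for value, was_b64, reasons in audit(SAMPLE_LDIF):
        print(repr(value), "base64" if was_b64 else "plain", reasons)
```

Scripts that match on the operatingSystem string (inventory, patch reporting, detection rules) should compare the comparable() form, otherwise the no-break space makes an exact match on "Windows 7" miss.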
Re: [Samba] EXTERNAL: Re: SAMBA bringing NFS server to a halt
Matthew, Can you post your smb.conf so we can see if any looks odd. Also when this happens look to see how many network connects you have with netstat. This may require a tcpdump that has been scrubbed of any sensitive data, if possible. Jonn On 03/06/2013 08:27 AM, Joseph, Matthew (EXP) wrote: Hello JAB, You need to understand that installing patches and upgrading servers is not a simple task when it comes to my situation. My first step is to try to figure out if it's a OS fault or if it can be fixed with modifying configurations of the OS or in this case Samba (or my configuration of Samba). You are making a lot of assumptions which is fine if that is what you choose to believe. It is a completely closed LAN with multiple layers of security so let's leave it at that. If the solution is to install patches then it is something I will look into but again that is a long process that I would prefer not to go into if it is not needed for this situation. -Original Message- From: Jonathan Buzzard [mailto:jonat...@buzzard.me.uk] Sent: Wednesday, March 06, 2013 10:12 AM To: Joseph, Matthew (EXP) Cc: samba@lists.samba.org Subject: RE: EXTERNAL: Re: [Samba] SAMBA bringing NFS server to a halt On Wed, 2013-03-06 at 08:28 -0500, Joseph, Matthew (EXP) wrote: Hello JAB, Thank you for taking the time to respond to this in a very helpful manner... If the SAMBA community does not care about helping someone with a wildly out of date server then they should state that before letting someone join the mailing list. Given you are running RHEL, you should have been over the last four years been reading the security bulletins for RHEL and responding to them appropriately. It should be apparent to any sensible person that the first step would be to check that my distribution does not have fixes for the problems that I am seeing. (hint I am 99% certain it does). 
This is a production server on a closed LAN which we don't have the option of upgrading it to RHEL 5.9 or greater in the near future. No lan is that closed. That you have no procedure for upgrading the OS on your server which suffers from a number of remote root security holes that require nothing more than a connection to your network is very bad practice. So with that being said, anyone have any experience with what I am dealing with? Read your distro release and security notes. I am 99% certain that this is a known problem that can be fixed by upgrading. JAB. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] EXTERNAL: Re: SAMBA bringing NFS server to a halt
On Wed, 2013-03-06 at 08:28 -0500, Joseph, Matthew (EXP) wrote: Hello JAB, Thank you for taking the time to respond to this in a very helpful manner... Actually it is helpful given the limited and insufficient information you provided. The basic problem is you are looking for a magic fix that likely does not exist because you want to keep running an OS that is many revisions out of date and has numerous serious security holes and a whole slew of known problems as a consequence. Where simply keeping your system properly patched has a good chance of eliminating the problem, which would have known had you been reading the release and security bulletins for RHEL5 over the last four years. There is simply too many NFS and Samba issues in RHEL5.3 for it to be remotely reasonable to expect any help trying to debug a setup still running at that level. Consequently a sensible course of action is to upgrade to something recent that does not have a whole bunch of known problems and serious security holes and if the problem still exists then come back with a more detail explanation of your setup. JAB. -- Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk Fife, United Kingdom. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] one server two shares two different users login at the same time
Hi,

we have a setup where a user has to access two different shares with different user accounts on one server from one client computer (in this case an Apple Mac).

As we had problems connecting to the same hostname, I added a second domain name and a second IP to that server. Then we connect to the shares with smb://usern...@servername.domain.de/USERNAME/

Connecting to one share at a time works like a charm. Connecting to both shares at the same time forces the user to connect multiple times, as the first attempt fails with no access right warnings. From the server logfile I don't get anything helpful to me so far.

Any suggestion what might cause the hiccup? Or is there a better way of configuring something like this?

Thanks for any suggestion!

Regards, Götz

--
Götz Reinicke, IT Coordinator
Tel. +49 7141 969 82 420, Fax +49 7141 969 55 420
E-Mail goetz.reini...@filmakademie.de
Filmakademie Baden-Württemberg GmbH, Akademiehof 10, 71638 Ludwigsburg, www.filmakademie.de
Registered at Amtsgericht Stuttgart, HRB 205016
Chairman of the Supervisory Board: Jürgen Walter MdL, State Secretary in the Baden-Württemberg Ministry of Science, Research and the Arts
Managing Director: Prof. Thomas Schadt
Re: [Samba] EXTERNAL: Re: SAMBA bringing NFS server to a halt
On 03/06/2013 09:46 AM, Jonathan Buzzard wrote: On Wed, 2013-03-06 at 08:28 -0500, Joseph, Matthew (EXP) wrote: Hello JAB, Thank you for taking the time to respond to this in a very helpful manner... Actually it is helpful given the limited and insufficient information you provided. The basic problem is you are looking for a magic fix that likely does not exist because you want to keep running an OS that is many revisions out of date and has numerous serious security holes and a whole slew of known problems as a consequence. Where simply keeping your system properly patched has a good chance of eliminating the problem, which would have known had you been reading the release and security bulletins for RHEL5 over the last four years. There is simply too many NFS and Samba issues in RHEL5.3 for it to be remotely reasonable to expect any help trying to debug a setup still running at that level. Consequently a sensible course of action is to upgrade to something recent that does not have a whole bunch of known problems and serious security holes and if the problem still exists then come back with a more detail explanation of your setup. Jonathan, you are not being helpful here. We all understood you really want Joseph to upgrade, and we all acknowledge that is good practice, but Joseph seem to have constraints he cannot overcome right now. So please stop hammering on this point. If you do not have anything useful to say for his current situation then just ignore this thread and carry on. Simo. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] EXTERNAL: Re: SAMBA bringing NFS server to a halt
On 06.03.2013 15:46, Jonathan Buzzard wrote:
Consequently a sensible course of action is to upgrade to something recent

I think everybody got your point by now.

best regards, Sven
Re: [Samba] EXTERNAL: Re: SAMBA bringing NFS server to a halt
Hey Simo, I modified the entries you listed below and started running a few instances of SVN on the shares and it seems to be holding steady. I'm going to continue testing during the day to see how it does. Looking back on the issue I never noticed the date in which the files were accessed. The Samba clients would be done with a file but the server never clicked in that it should release the files. Like I said I'm going to continue the testing on this to make sure it stays consistent with the current results. Thank you very much for the suggestion. Matt -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Simo Sent: Wednesday, March 06, 2013 9:47 AM To: samba@lists.samba.org Subject: Re: [Samba] EXTERNAL: Re: SAMBA bringing NFS server to a halt On 03/06/2013 08:28 AM, Joseph, Matthew (EXP) wrote: Hello JAB, Thank you for taking the time to respond to this in a very helpful manner... If the SAMBA community does not care about helping someone with a wildly out of date server then they should state that before letting someone join the mailing list. Do not ascribe to the whole community the shortcomings of an individuals the volunteers 'his' opinion please. This is a production server on a closed LAN which we don't have the option of upgrading it to RHEL 5.9 or greater in the near future. So with that being said, anyone have any experience with what I am dealing with? Unless you have 15000 servers connected the fact you have that many processes indicates a serious issue with the server or at least one of the clients. Samba creates just 1 single process per client and all its requests are served by that process. If you are seeing multiple processes it means the client is opening multiple connections. That is wrong and indicate there is probably a bug with either server processes crashing, becoming unresponsive or both, or the client misbehaving.. 
You may want to consider trying playing with the following parameters on your samba server: - deadtime - max connections - keepalive - reset on zero vc You may also want to prevent samba from dumping core if that is activated as it could put pressure on disks and the kernel if too many processes core all at once. HTH, Simo. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] EXTERNAL: Re: SAMBA bringing NFS server to a halt
On Wed, 2013-03-06 at 10:06 -0500, Simo wrote: [SNIP] Jonathan, you are not being helpful here. Actually I am being helpful, given the limited information provided. There are a whole host of issues with Samba and NFS fixed between RHEL5.3 and RHEL5.8/5.9 that are likely to be related to his problem. Trust me I have the scars to prove it. We all understood you really want Joseph to upgrade, and we all acknowledge that is good practice, but Joseph seem to have constraints he cannot overcome right now. Then I believe he won't be able to fix his problem. He might be able to patch over the problem with deadtime and max connections options but that is not really a fix, and won't address the gaping security holes in his setup. JAB. -- Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk Fife, United Kingdom. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] ldap-query operating system attribute
Hi

On 6 March 2013 16:43, Ali Bendriss ali.bendr...@gmail.com wrote:

Hello, I'm running samba 4.0.3. When I query the operatingsystem attribute using ldapsearch ... -P 3 (objectCategory=computer), the operatingsystem value returned for Windows 7 Professionnel N is

operatingSystem:: V2luZG93c8KgNyBQcm9mZXNzaW9ubmVsIE4=

which translates to Windows 7 Professionnel N. But when I look at it using dsa.msc I can read Windows 7 Professionnel N

Are you worried about the �? That's actually a non-breaking space character (like &nbsp; in HTML).

For other system, it's fine, I've got Windows XP Professional, Mac OS X, Windows 7 Professionnel. I've got only the problem for the 'N' version. Could someone let me know if he can see or not the same problem. thanks

--
Michael Wood esiot...@gmail.com
Re: [Samba] ldap-query operating system attribute
On Wednesday, March 06, 2013 06:50:46 PM Michael Wood wrote:

Hi

On 6 March 2013 16:43, Ali Bendriss ali.bendr...@gmail.com wrote:

Hello, I'm running samba 4.0.3. When I query the operatingsystem attribute using ldapsearch ... -P 3 (objectCategory=computer), the operatingsystem value returned for Windows 7 Professionnel N is

operatingSystem:: V2luZG93c8KgNyBQcm9mZXNzaW9ubmVsIE4=

which translates to Windows 7 Professionnel N. But when I look at it using dsa.msc I can read Windows 7 Professionnel N

Are you worried about the �? That's actually a non-breaking space character (like &nbsp; in HTML).

My mistake, in fact it returns Windows + something not convertible to utf8. I'm trying to get the computers info in a postgresql database and get in the postgresql log file

ERROR: invalid byte sequence for encoding UTF8: 0xe2 0xa0 0x37

For other system, it's fine, I've got Windows XP Professional, Mac OS X, Windows 7 Professionnel. I've got only the problem for the 'N' version. Could someone let me know if he can see or not the same problem. thanks
Re: [Samba] no network interfaces found on OpenIndiana (Illumos)
On Wed, Mar 06, 2013 at 11:42:02AM +0100, Joeri Vanthienen wrote: Hi, I've downloaded the samba 3.6.12 OpenCSW package. I joined openindiana to the the active directory, winbind seems to work fine, I see all the users with wbinfo -u. However, my samba server is not starting. It seems that there is no network card found. 2013/03/06 10:40:39.068405, 0] lib/interface.c:543(load_interfaces) WARNING: no network interfaces found [2013/03/06 10:40:39.072795, 0] smbd/server.c:1082(main) standard input is not a socket, assuming -D option ... [2013/03/06 10:40:39.205210, 0] smbd/server.c:746(open_sockets_smbd) open_sockets_smbd: No sockets available to bind to. Is there some problem that the get_interfaces(talloc_tos(), ifaces); call returns no interfaces on solaris/openindiana ? Any idea? Use gdb to step through the code and see why it's failing to find interfaces, or add debug statements to the places we return from querying an interface. Sorry, no other easy answer. Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] ldap/shared address books
After struggling through the HowTo for quite a while (I have some . . . comments, if anyone is interested), I have a working active directory domain, for which I (and my bosses, who sign the checks) thank everyone. Now is integration time. Is there a way to make a shared address book through Samba? Or am I stuck with beating my head against ldap again?
[Samba] various DNS scenarios / setups with samba4 + BIND9
Hello everybody, I am not sure which DNS setup will fit best for my suites. I can imagine, that there are a lot of users out there using also BIND9 servers in their environment and can share their experience. In my case I am running following setup: I have two existing hosts running with DNS and DHCP services. I have setup a DHCP-Cluster with isc-dhcp-server on both machines, that means I have a redundant DHCP-service by this setup. One of the hosts run BIND9 as a master server, while the other host is my slave. He polls and receives updates from the master. It's a classical setup I use. Both machines running Debian GNU/Linux Squeeze and have BIND9 installed. Here's the output and more details about the BIND9 version which is installed: # named -V BIND 9.7.3 built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes' '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes' '--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' 'LDFLAGS=' 'CPPFLAGS=' As many of you Debian Squeeze users out there know, BIND 9.7.3 is the latest stable package in Debian Squeeze stable repository. The only way to have a newer version installed, would be either to use apt-pinning (which is very dangerous and can mess up your system if you don't know what you are doing!), downloading a package which was built by someone else (Ubuntu has some as I have red on samba4's wiki?) or you package your own version on your system (which I have done already). So I have compiled and built the version BIND 9.8.4.dfsg.P1-5 on one of these two host. I have the .deb package therefore and would be able to install it any time in case I need. 
Actually I have not installed this 9.8.4 version yet. So let's continue ... Hostname = MASTER - IP = 172.16.1.22 /etc/resolv.conf: domain mycompany.com search mycompany.com dhcp.mycompany.com nameserver 172.16.1.22 nameserver 172.16.1.23 Hostname: SLAVE IP: 172.16.1.23 content of /etc/resolv.conf is: domain mycompany.com search mycompany.com dhcp.mycompany.com nameserver 172.16.1.23 nameserver 172.16.1.22 Now let's look at the new samba4 which comes into the game. Samba4 was configured by tarball source version 4.0.3 with ./configure --enable-selftest --with-quotas --with-acl-support --with-syslog and installed. I did a samba-tool domain classicupgrade --dbdir=/etc/samba3files --use-xattrs=yes --realm=ad.mycompany.com /etc/samba3files/smb.conf -d3 21 |tee /root/classicupgrade.log. As I did not specify and further options, the internal DNS server was used as it is default choice for DNS when nothing else specified. My intension was that I want samba4 to be a different DNS zone, independend of the rest of my network (MASTER+SLAVE). Samba4 should only host and server everything related to Active Directory stuff. But first here's the config of samba4 server Hostname:SAMBA4 - IP: 172.16.1.24 OS: Debian Squeeze GNU/Linux content of /etc/resolv.conf is: domain ad.mycompany.com search ad.mycompany.com nameserver 172.16.1.24 Well, now let's look deeper in detail what happens when a client is turned on. The windows machine is booting, and he gets via DHCP an IP from either MASTER or SLAVE, as these two hosts are responsible for DHCP services. This DHCP-lease also includes the DNS nameserver which points to 172.16.1.22 and 172.16.1.23. That means, all my DHCP-clients always use 172.16.1.22 as DNS, and only if the cannot reach MASTER, they will fall-back to 172.16.1.23 which is the SLAVE. Now I have to tell somehow my BIND9 servers to forward all AD-related requests to samba4 server. That is easily done with this entry in my bind9 configuration (at master+slave): [...] 
zone "ad.mycompany.com" {
    type forward;
    forwarders { 172.16.1.24; };
};
[...]

So I did a clean separation by creating an own zone with name ad.mycompany.com (which is also my samba4 AD realm) and put a forwarder for that zone.

What happens if a client tries to resolve somehost.ad.mycompany.com? He first connects to the master (172.16.1.22) and queries the BIND9 service for somehost.ad.mycompany.com. The Bind9 server immediately forwards this request to the samba4 server at 172.16.1.24, which replies to this request and sends the correct answer back to the windows client.

Of course all the mandatory test examples mentioned on the samba4 AD HowTo work fine, too, when executed on MASTER, SLAVE or any other DHCP linux host on the net:

host -t SRV _ldap._tcp.ad.mycompany.com.
returns -- _ldap._tcp.ad.mycompany.com has SRV record 0 100 389 samba4.ad.mycompany.com.

host -t SRV _kerberos._udp.ad.mycompany.com.
returns --
Re: [Samba] no network interfaces found on OpenIndiana (Illumos)
Solaris 11 added a CIFS server - I don't know if it is openindiana. check the svcs -a command to make sure that there isn't a preexisting CIFS or samba server already running. FYI The latest Solaris 10 + updates has samba 3.5.x or 3.6.x . I had issues with older samba packages from sunfreeware.com and opencsw with 64-bit support, LDAP compatibility and ZFS support. On 03/06/13 12:56, Jeremy Allison wrote: On Wed, Mar 06, 2013 at 11:42:02AM +0100, Joeri Vanthienen wrote: Hi, I've downloaded the samba 3.6.12 OpenCSW package. I joined openindiana to the the active directory, winbind seems to work fine, I see all the users with wbinfo -u. However, my samba server is not starting. It seems that there is no network card found. 2013/03/06 10:40:39.068405, 0] lib/interface.c:543(load_interfaces) WARNING: no network interfaces found [2013/03/06 10:40:39.072795, 0] smbd/server.c:1082(main) standard input is not a socket, assuming -D option ... [2013/03/06 10:40:39.205210, 0] smbd/server.c:746(open_sockets_smbd) open_sockets_smbd: No sockets available to bind to. Is there some problem that the get_interfaces(talloc_tos(), ifaces); call returns no interfaces on solaris/openindiana ? Any idea? Use gdb to step through the code and see why it's failing to find interfaces, or add debug statements to the places we return from querying an interface. Sorry, no other easy answer. Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] ldap/shared address books
Can you use an LDAP Browser/Editor (e.g. Apache Directory Studio) to manage the samba ldap server? Maybe see what attributes you can add/modify? I have used Apache Directory Studio to modify LDAP attributes with Microsoft AD on Win 2003/2008. I would guess the samba 4 ldap schema has to support many of the same attributes. I have not played with samba 4 yet so just a guess.

On 03/06/13 13:14, Terry Austin wrote:
After struggling through the HowTo for quite a while (I have some . . . comments, if anyone is interested), I have a working active directory domain, for which I (and my bosses, who sign the checks) thank everyone. Now is integration time. Is there a way to make a shared address book through Samba? Or am I stuck with beating my head against ldap again?
Re: [Samba] ldap/shared address books
Is there a way to make a shared address book through Samba? Or am I stuck with beating my head against ldap again?

I installed a program called Davical on my Samba4 server. It provides shared address books and calendars using the CalDAV and CardDAV protocols, and authenticates against the active directory. It supports many clients, including Outlook if you buy a 3rd party add-on, though I have found many CalDAV/CardDAV clients are a bit lacking. It also allows you to use the AD groups to easily assign permissions. The only real drawback to it is that you have to remember to sync it to the active directory after you add a new user or group, but for me that is a very small price to pay. Hope that is helpful.
Re: [Samba] ldap/shared address books
I have a couple of LDAP browsers that worked with OpenLDAP. They both seem to connect, and give me login errors. I'll see if I can figure out the correct user name/password. It's a start (and more than I really expected, to be honest).

On 6 Mar 2013 at 13:52, Gaiseric Vandal wrote:
Can you use an LDAP Browser/Editor (e.g. Apache Directory Studio) to manage the samba ldap server? Maybe see what attributes you can add/modify? I have used Apache Directory Studio to modify LDAP attributes with Microsoft AD on Win 2003/2008. I would guess the samba 4 ldap schema has to support many of the same attributes. I have not played with samba 4 yet so just a guess.

On 03/06/13 13:14, Terry Austin wrote:
After struggling through the HowTo for quite a while (I have some . . . comments, if anyone is interested), I have a working active directory domain, for which I (and my bosses, who sign the checks) thank everyone. Now is integration time. Is there a way to make a shared address book through Samba? Or am I stuck with beating my head against ldap again?
Re: [Samba] OpenLDAP Samba4 Password Sync
On 05.03.2013 at 17:09, TAKAHASHI Motonobu mo...@monyo.com wrote:

we currently evaluate Samba4. We've learned so far that we have to use our OpenLDAP-Server for some tools beside Samba4. So we wrote a script that creates Samba4-AD Users when we add them to OpenLDAP. The problem is that we need to sync the passwords when a user changes it within Windows. How can we get the Password Hash from Samba4-AD and is there a way to write it (in case the OpenLDAP password changes).

Does this article help you? https://lists.samba.org/archive/samba/2013-March/171956.html As far as I read, this python script can export the Hash.

Hi Takahashi,

thanks for your reply. The Tool-Website states:

Reads from your Samba4 AD and updates changes password to Google Apps in SHA1 format. Note that this solution requires you to run: samba-tool domain passwordsettings set --store-plaintext=on Also you will have to use Store passwords using reversible encryption for each users. This can be enabled with MS Active Directory snap in tool from Windows.

Doesn't sound like a thing you want to do, but seems to be the only way at the moment. At least the sync from OpenLDAP to AD must be possible without those restrictions as samba-tools can transfer the password settings when you do the classic upgrade. So I might try to disallow the users to change their passwords with Windows, force them to change the OpenLDAP-Password-Entry and sync it back to AD (if this is possible when password change is disabled).

Best regards
Denis Witt
Re: [Samba] sysvolreset failing on glusterfs
thanks for your answer. I don't think it's a permission issue, as the script is invoked as root and I don't think it's changing its uid. I've had a look into the code and what I see is, it's somewhat selective about the method to set ACLs depending on the filesystem AFAIR. The stack trace only shows the python part. The actual error results from C code. Setting ACLs using a windows client seems to work. Furthermore, if I'm mounting the glusterfs volume, in the mount list, the acl option is not shown. I think somewhere a decision about the availabilty of ACLs is going wrong. Very funny, at one occasion it did work, though complaining after minutes of activity, and ACLs were present after that (can't tell if they're correct). But this part is not well reproducable. In fact there is no reasonable way to do a sysvolreset at the moment, lengthening my list of issues. Andreas On 06.03.13 17:44, Mr J Potter wrote: Hi, I had similar problems with gluster. I set up a gluster sysvol first then tried provisioning and it failed with the same error. So it maybe to do with permissions on the sysvol folder itself? It worked if I set up dc and bdc each with local sysvols then moved them onto gluster. Jim On Mar 3, 2013 5:32 PM, Andreas Gaiser/L i...@multifake.net mailto:i...@multifake.net wrote: Hi, I'm trying to setup a domain with two DCs based on 4.0.3. Following some hint, I wanna use glusterfs for the sysvol. Glusterfs it runs nicely. I can set acls on both machines using setfacl and the other one lists them almost immediately with getfacl. But running samba-tool ntacl sysvolreset is failing badly giving the following error. In a later attempt, without significant changes I remember, the script more or less seemed to work and created indeed ACEs, but still came up with this error after some minutes. root@dc1:~# samba-tool ntacl sysvolreset set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_NOT_SUPPORTED. 
ERROR(runtime): uncaught exception - (-1073741637, 'NT_STATUS_NOT_SUPPORTED') File /opt/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py, line 175, in _run return self.run(*args, **kwargs) File /opt/samba/lib/python2.6/site-packages/samba/netcmd/ntacl.py, line 214, in run lp, use_ntvfs=use_ntvfs) File /opt/samba/lib/python2.6/site-packages/samba/provision/__init__.py, line 1563, in setsysvolacl setntacl(lp,sysvol, SYSVOL_ACL, str(domainsid), use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=s4_passdb) File /opt/samba/lib/python2.6/site-packages/samba/ntacls.py, line 154, in setntacl smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd) Running mount is showing the target fs without ACLs, although they do work, as said before, and although I do have mounted the fs using -o acl,rw. The underlying ext3 fs is of cause running with acls enabled, too. This is what mount looks like for the involved fs's: fusectl on /sys/fs/fuse/connections type fusectl (rw) /dev/xvda3 on /var/glusterfs/brick1 type ext3 (rw,acl,user_xattr) localhost:/dc-vol on /export/dc-vol type fuse.glusterfs (rw,allow_other,max_read=131072) Andreas -- Andreas Gaiser, Berlin, Germany -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] reading binary SID from LDAP
Hi,

can somebody please hint me where to find the binary format of SIDs as returned by LDAP. I'd like to convert them to the ASCII representation. Any hint to any kind of code inside samba would be fine. Just don't know where to look at.

Thanks in advance.

Andreas

--
Andreas Gaiser, Berlin
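The conversion asked about above, as an added example that is not part of the original post and is not Samba's own code: it follows the standard Windows SID layout (1-byte revision, 1-byte sub-authority count, 6-byte big-endian authority, then little-endian 32-bit sub-authorities). The function names and the base64 sample values are constructed for this example.

```python
"""Convert binary SIDs (as LDAP returns objectSid) to and from S-1-... text."""
import base64
import struct

MAX_SUB_AUTHORITIES = 15  # upper bound defined for the SID structure


class SidFormatError(ValueError):
    """The input is not a well-formed SID."""


def sid_to_string(raw: bytes) -> str:
    """revision(1) count(1) authority(6, big-endian), then `count`
    sub-authorities of 4 bytes each, little-endian."""
    if len(raw) < 8:
        raise SidFormatError("shorter than the 8-byte fixed header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise SidFormatError("unsupported revision %d" % revision)
    if count > MAX_SUB_AUTHORITIES:
        raise SidFormatError("sub-authority count %d exceeds 15" % count)
    if len(raw) != 8 + 4 * count:
        # Reject truncated or padded blobs instead of reading past the data.
        raise SidFormatError("length %d does not match count %d" % (len(raw), count))
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    # Authorities that do not fit in 32 bits are written in hex.
    auth_text = str(authority) if authority < 2 ** 32 else "0x%012X" % authority
    return "-".join(["S", str(revision), auth_text] + [str(s) for s in subs])


def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string(), e.g. for building LDAP search filters."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise SidFormatError("expected S-<revision>-<authority>[-<sub>...]")
    try:
        revision = int(parts[1])
        is_hex = parts[2].lower().startswith("0x")
        authority = int(parts[2], 16) if is_hex else int(parts[2])
        subs = [int(p) for p in parts[3:]]
    except ValueError as exc:
        raise SidFormatError("non-numeric component: %s" % exc) from None
    if revision != 1 or not 0 <= authority < 2 ** 48:
        raise SidFormatError("revision or authority out of range")
    if len(subs) > MAX_SUB_AUTHORITIES or any(not 0 <= s < 2 ** 32 for s in subs):
        raise SidFormatError("sub-authorities out of range")
    header = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subs), *subs)


def sid_from_base64(value: str) -> str:
    """LDIF prints binary attributes as `objectSid:: <base64>`;
    pass the base64 part here."""
    return sid_to_string(base64.b64decode(value, validate=True))


if __name__ == "__main__":
    # Constructed samples: two well-known SIDs in their base64 LDIF form.
    for b64 in ("AQEAAAAAAAUSAAAA", "AQIAAAAAAAUgAAAAIAIAAA=="):
        print(b64, "->", sid_from_base64(b64))
```

Validating the length against the count byte matters when the blob comes from an untrusted directory or a capture, because a short buffer would otherwise be decoded into a plausible but wrong SID.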
[Samba] kerberos
I am having a problem using kerberos. I have installed samba4, and it appears to work correctly. However, I want to create a service principal, and every time I try to use kadmin -p admin I get this error:

Database error! Required KADM5 principal missing while initializing kadmin interface

What am I doing wrong? Is there another command, since Samba4 has its own kerberos? Please shed some light on my dilemma.

Thank you
Saad
Re: [Samba] sysvolreset failing on glusterfs
Do you have extended attributes enabled on your glusterfs filesystem? Out of curiosity, what version of glusterfs are you seeing this problem? On 03/06/2013 04:21 PM, Andreas Gaiser wrote: thanks for your answer. I don't think it's a permission issue, as the script is invoked as root and I don't think it's changing its uid. I've had a look into the code and what I see is, it's somewhat selective about the method to set ACLs depending on the filesystem AFAIR. The stack trace only shows the python part. The actual error results from C code. Setting ACLs using a windows client seems to work. Furthermore, if I'm mounting the glusterfs volume, in the mount list, the acl option is not shown. I think somewhere a decision about the availabilty of ACLs is going wrong. Very funny, at one occasion it did work, though complaining after minutes of activity, and ACLs were present after that (can't tell if they're correct). But this part is not well reproducable. In fact there is no reasonable way to do a sysvolreset at the moment, lengthening my list of issues. Andreas On 06.03.13 17:44, Mr J Potter wrote: Hi, I had similar problems with gluster. I set up a gluster sysvol first then tried provisioning and it failed with the same error. So it maybe to do with permissions on the sysvol folder itself? It worked if I set up dc and bdc each with local sysvols then moved them onto gluster. Jim On Mar 3, 2013 5:32 PM, Andreas Gaiser/L i...@multifake.net mailto:i...@multifake.net wrote: Hi, I'm trying to setup a domain with two DCs based on 4.0.3. Following some hint, I wanna use glusterfs for the sysvol. Glusterfs it runs nicely. I can set acls on both machines using setfacl and the other one lists them almost immediately with getfacl. But running samba-tool ntacl sysvolreset is failing badly giving the following error. 
In a later attempt, without significant changes I remember, the script more or less seemed to work and created indeed ACEs, but still came up with this error after some minutes. root@dc1:~# samba-tool ntacl sysvolreset set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_NOT_SUPPORTED. ERROR(runtime): uncaught exception - (-1073741637, 'NT_STATUS_NOT_SUPPORTED') File /opt/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py, line 175, in _run return self.run(*args, **kwargs) File /opt/samba/lib/python2.6/site-packages/samba/netcmd/ntacl.py, line 214, in run lp, use_ntvfs=use_ntvfs) File /opt/samba/lib/python2.6/site-packages/samba/provision/__init__.py, line 1563, in setsysvolacl setntacl(lp,sysvol, SYSVOL_ACL, str(domainsid), use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=s4_passdb) File /opt/samba/lib/python2.6/site-packages/samba/ntacls.py, line 154, in setntacl smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd) Running mount is showing the target fs without ACLs, although they do work, as said before, and although I do have mounted the fs using -o acl,rw. The underlying ext3 fs is of cause running with acls enabled, too. This is what mount looks like for the involved fs's: fusectl on /sys/fs/fuse/connections type fusectl (rw) /dev/xvda3 on /var/glusterfs/brick1 type ext3 (rw,acl,user_xattr) localhost:/dc-vol on /export/dc-vol type fuse.glusterfs (rw,allow_other,max_read=131072) Andreas -- Andreas Gaiser, Berlin, Germany -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] ldap-query operating system attribute
Hi

On 6 March 2013 19:09, Ali Bendriss ali.bendr...@gmail.com wrote:
On Wednesday, March 06, 2013 06:50:46 PM Michael Wood wrote:
Hi
On 6 March 2013 16:43, Ali Bendriss ali.bendr...@gmail.com wrote:

Hello, I'm running samba 4.0.3. When I query the operatingsystem attribute using ldapsearch ... -P 3 (objectCategory=computer)
The operatingsystem value returned for Windows 7 Professionnel N is
operatingSystem:: V2luZG93c8KgNyBQcm9mZXNzaW9ubmVsIE4=
which translates to Windows 7 Professionnel N
But when I look at it using dsa.msc I can read Windows 7 Professionnel N

Are you worried about the �? That's actually a non-breaking space character (like &nbsp; in HTML).

my mistake in fact it returns Windows + something not convertible to utf8.

It is encoded as UTF-8. It should not be converted to UTF-8. That base64 encoded string decodes to:

$ python -c 'print repr("V2luZG93c8KgNyBQcm9mZXNzaW9ubmVsIE4=".decode("base64"))'
'Windows\xc2\xa07 Professionnel N'

which Python is quite happy to interpret as UTF-8:

$ python -c 'print repr("V2luZG93c8KgNyBQcm9mZXNzaW9ubmVsIE4=".decode("base64").decode("utf-8"))'
u'Windows\xa07 Professionnel N'

If you look here: http://en.wikipedia.org/wiki/Non-breaking_space#Encodings you will see that the UTF-8 encoding of a non-breaking space is the two bytes 0xC2 and 0xA0, which is exactly what your data contains. And the Unicode code point is U+00A0, which Python prints as u'\xa0'.

So it seems something else is going on between getting the information from Samba and sending it to Postgres.

I'm trying to get the computers info in a postgresql database and get in postgresql log file
ERROR: invalid byte sequence for encoding UTF8: 0xe2 0xa0 0x37
For other systems, it's fine, I've got Windows XP Professional, Mac OS X, Windows 7 Professionnel. I've got only the problem for the 'N' version. Could someone let me know if he can see or not the same problem.
thanks

--
Michael Wood esiot...@gmail.com
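The check Michael Wood does by hand above, as an added example (not code from the thread or from Samba): it reads `attr:: base64` values out of LDIF, validates them as UTF-8, and runs the same validation on the byte sequence from the PostgreSQL error. The DN, the `cn` value, the folded line and all function names are constructed for illustration, and it targets Python 3 rather than the Python 2 of the one-liners in the message.

```python
import base64

# Constructed LDIF entry; only the operatingSystem value is taken from the thread.
SAMPLE_LDIF = (
    "dn: CN=PC01,CN=Computers,DC=example,DC=com\n"
    "cn: PC01\n"
    "operatingSystem:: V2luZG93c8KgNyBQcm9mZXNz\n"
    " aW9ubmVsIE4=\n"          # folded continuation line (leading space)
)

# Constructed: the same name carrying the bytes reported in the PostgreSQL error.
CORRUPTED = b"Windows\xe2\xa07 Professionnel N"


def ldif_values(ldif):
    """Yield (attribute, raw bytes). 'attr:: x' is base64, 'attr: x' is plain text."""
    unfolded = ldif.replace("\n ", "")      # undo LDIF line folding
    for line in unfolded.splitlines():
        name, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if rest.startswith(":"):
            yield name, base64.b64decode(rest[1:].strip(), validate=True)
        else:
            yield name, rest.strip().encode("utf-8")


def first_invalid_utf8(data):
    """Return None for valid UTF-8, else (offset, bytes at that offset)."""
    try:
        data.decode("utf-8")
    except UnicodeDecodeError as exc:
        return exc.start, data[exc.start:exc.start + 3]
    return None


def attribute_bytes(ldif, attribute):
    """Return the raw bytes of the first matching attribute (case-insensitive)."""
    for name, raw in ldif_values(ldif):
        if name.lower() == attribute.lower():
            return raw
    raise KeyError(attribute)


if __name__ == "__main__":
    raw = attribute_bytes(SAMPLE_LDIF, "operatingsystem")
    print(raw, first_invalid_utf8(raw))              # bytes as returned by the directory
    print(CORRUPTED, first_invalid_utf8(CORRUPTED))  # bytes from the database error
```

The directory value validates cleanly, while 0xe2 opens a three-byte sequence that 0x37 cannot complete, so the failure is reported at the offset where the non-breaking space should be.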
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated via 9d4d9b9 Fix bug #9637 - Renaming directories as guest user in security share mode doesn't work. from eb657c3 winbind: Don't leak centry memory. Reviewed-by: Alexander Bokovoy a...@samba.org http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log - commit 9d4d9b99740f3500e682a4067a1b5e566845ea27 Author: Jeremy Allison j...@samba.org Date: Tue Mar 5 16:23:06 2013 -0800 Fix bug #9637 - Renaming directories as guest user in security share mode doesn't work. Ensure guest is treated consistently when creating a auth_serversupplied_info struct. Signed-off-by: Jeremy Allison j...@samba.org --- Summary of changes: source3/auth/auth_util.c |6 +- 1 files changed, 5 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 47a8a09..0e1f437 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -925,7 +925,11 @@ NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx, result-nss_token = true; result-guest = is_guest; - status = create_local_token(result); + if (is_guest) { + status = make_server_info_guest(mem_ctx, result); + } else { + status = create_local_token(result); + } if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(result); -- Samba Shared Repository
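Review bot: in the new is_guest branch of make_serverinfo_from_username(), result has already been allocated and had nss_token and guest set on it before it is passed to make_server_info_guest(mem_ctx, result). If that call builds its own guest struct, the earlier allocation and those two assignments are discarded or leaked, and it is not obvious what the TALLOC_FREE(result) on the error path then frees. Testing is_guest before result is populated, or a short comment stating who owns result after the call, would make the guest path easier to verify.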
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated via 797c7ff selftest: Skip tests failing on ext4 fs. from 9d4d9b9 Fix bug #9637 - Renaming directories as guest user in security share mode doesn't work. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log - commit 797c7ff362fad007b0bb1d24f5b10a77c77af5fb Author: Karolin Seeger ksee...@samba.org Date: Wed Mar 6 12:11:53 2013 +0100 selftest: Skip tests failing on ext4 fs. Signed-off-by: Karolin Seeger ksee...@samba.org Reviewed-by: Stefan Metzmacher me...@samba.org --- Summary of changes: source3/selftest/skip |1 + 1 files changed, 1 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/selftest/skip b/source3/selftest/skip index 02166a1..b4de818 100644 --- a/source3/selftest/skip +++ b/source3/selftest/skip @@ -13,6 +13,7 @@ samba3.smbtorture_s3.*.mangle samba3.smbtorture_s3.*.utable samba3.smbtorture_s3.*.pipe_number samba3.smbtorture_s3.*.CHAIN1 +samba3.smbtorture_s3.*.DIR1 #loops on 64 bit linux with ext4 samba3.*base.charset samba3.*raw.acls samba3.*raw.composite -- Samba Shared Repository
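Review bot: the added samba3.smbtorture_s3.*.DIR1 entry skips DIR1 on every filesystem, although its trailing comment and the commit subject say the test only loops on 64 bit Linux with ext4. Please add a bug reference to the "#loops on 64 bit linux with ext4" comment so the skip can be found and dropped once the loop is fixed, rather than staying in the list indefinitely.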
autobuild: intermittent test failure detected
The autobuild test system has detected an intermittent failing test in the current master tree.

The autobuild log of the failure is available here:
http://git.samba.org/autobuild.flakey/2013-03-06-1627/flakey.log

The samba3 build logs are available here:
http://git.samba.org/autobuild.flakey/2013-03-06-1627/samba3.stderr
http://git.samba.org/autobuild.flakey/2013-03-06-1627/samba3.stdout

The source4 build logs are available here:
http://git.samba.org/autobuild.flakey/2013-03-06-1627/samba.stderr
http://git.samba.org/autobuild.flakey/2013-03-06-1627/samba.stdout

The top commit at the time of the failure was:

commit 7fa4795607f018590caa26b5eca5abb68922c039
Author: Ira Cooper i...@samba.org
Date: Wed Mar 6 00:54:43 2013 +

waf: add -fstack-protector to LDFLAGS if detected.

If we compile with -fstack-protector, we should link with it.

Reviewed-by: Andrew Bartlett abart...@samba.org
Autobuild-User(master): Andrew Bartlett abart...@samba.org
Autobuild-Date(master): Wed Mar 6 04:06:04 CET 2013 on sn-devel-104
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 33a7296 docs: Add documentation for osName and osVer via c666320 net ads join: Add support for specifying the machine account password via 166288b selftest: Fix specification of --machinepass to actually set a unique password from 7fa4795 waf: add -fstack-protector to LDFLAGS if detected. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 33a72968e566f47a3dcb5e8d752d47847d464337 Author: Andrew Bartlett abart...@samba.org Date: Thu Feb 28 23:30:16 2013 +1100 docs: Add documentation for osName and osVer This was previously documented only in the online help. Andrew Bartlett Reviewed-by: Jeremy Allison j...@samba.org Autobuild-User(master): Jeremy Allison j...@samba.org Autobuild-Date(master): Thu Mar 7 01:36:01 CET 2013 on sn-devel-104 commit c66632046d62786dd19c8978847bfc6470da4e89 Author: Andrew Bartlett abart...@samba.org Date: Thu Feb 28 22:59:48 2013 +1100 net ads join: Add support for specifying the machine account password This allows a predictable password to be specified, just like --machinepass does on samba-tool domain join. Andrew Bartlett Reviewed-by: Jeremy Allison j...@samba.org commit 166288b162e7b658b48bc908c71f635928edc5b5 Author: Andrew Bartlett abart...@samba.org Date: Thu Feb 28 22:57:45 2013 +1100 selftest: Fix specification of --machinepass to actually set a unique password Because perl does not assert on dereferencing an invalid hash key we did not notice that the passwords were being set to machine, not machineloCalMemberPass. Andrew Bartlett Reviewed-by: Jeremy Allison j...@samba.org --- Summary of changes: docs-xml/manpages/net.8.xml | 12 +++- selftest/target/Samba4.pm | 12 ++-- source3/utils/net_ads.c | 11 +++ 3 files changed, 28 insertions(+), 7 deletions(-) Changeset truncated at 500 lines: diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml index 01044e1..82849f2 100644 --- a/docs-xml/manpages/net.8.xml +++ b/docs-xml/manpages/net.8.xml 
@@ -194,7 +194,8 @@ the remote server using command/bin/date/command. /para /refsect2 refsect2 -title[RPC|ADS] JOIN [TYPE] [-U username[%password]] [createupn=UPN] [createcomputer=OU] [options]/title +title[RPC|ADS] JOIN [TYPE] [-U username[%password]] [createupn=UPN] +[createcomputer=OU] [machinepass=PASS] [osName=string osVer=string] [options]/title para Join a domain. If the account already exists on the server, and @@ -220,6 +221,15 @@ a '/'. Please note that '\' is used for escape by both the shell and ldap, so it may need to be doubled or quadrupled to pass through, and it is not used as a delimiter. /para +para +[PASS] (ADS only) Set a specific password on the computer account +being created by the join. +/para +para +[osName=string osVer=String] (ADS only) Set the operatingSystem and +operatingSystemVersion attribute during the join. Both parameters +must be specified for either to take effect. +/para /refsect2 refsect2 diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index e9e0037..05541d9 100644 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -881,7 +881,7 @@ sub provision_member($$$) $cmd .= KRB5_CONFIG=\$ret-{KRB5_CONFIG}\ ; $cmd .= $samba_tool domain join $ret-{CONFIGURATION} $dcvars-{REALM} member; $cmd .= -U$dcvars-{DC_USERNAME}\%$dcvars-{DC_PASSWORD}; - $cmd .= --machinepass=machine$ret-{password}; + $cmd .= --machinepass=machine$ret-{PASSWORD}; unless (system($cmd) == 0) { warn(Join failed\n$cmd); @@ -949,7 +949,7 @@ sub provision_rpc_proxy($$$) $cmd .= KRB5_CONFIG=\$ret-{KRB5_CONFIG}\ ; $cmd .= $samba_tool domain join $ret-{CONFIGURATION} $dcvars-{REALM} member; $cmd .= -U$dcvars-{DC_USERNAME}\%$dcvars-{DC_PASSWORD}; - $cmd .= --machinepass=machine$ret-{password}; + $cmd .= --machinepass=machine$ret-{PASSWORD}; unless (system($cmd) == 0) { warn(Join failed\n$cmd); 
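Review bot: in the net.8.xml hunk at -220,6 the new paragraph is labelled [PASS], while the synopsis changed in the -194,7 hunk spells the option [machinepass=PASS]; labelling the paragraph [machinepass=PASS] would let readers find it by option name. The same paragraph block writes osVer=String where the synopsis has osVer=string. Since the password is given as a command-line argument, a sentence noting that it is visible in the process list and shell history would also belong here.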
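Review bot: the corrected --machinepass line using the {PASSWORD} key is repeated verbatim in provision_member and provision_rpc_proxy in Samba4.pm, and the commit message says the wrong key went unnoticed because Perl does not complain about a missing hash key. Building the option in one helper that dies when the PASSWORD entry is undefined would turn the next key typo into a failed provision instead of every member silently getting the password "machine".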
@@ -1036,7 +1036,7 @@ sub provision_promoted_dc($$$) $cmd .= KRB5_CONFIG=\$ret-{KRB5_CONFIG}\ ; $cmd .= $samba_tool domain join $ret-{CONFIGURATION} $dcvars-{REALM} MEMBER --realm=$dcvars-{REALM}; $cmd .= -U$dcvars-{DC_USERNAME}\%$dcvars-{DC_PASSWORD}; - $cmd .= --machinepass=machine$ret-{password}; + $cmd .= --machinepass=machine$ret-{PASSWORD}; unless (system($cmd) == 0) { warn(Join failed\n$cmd); @@ -1049,7 +1049,7 @@ sub provision_promoted_dc($$$) $cmd .= KRB5_CONFIG=\$ret-{KRB5_CONFIG}\ ; $cmd .= $samba_tool domain dcpromo $ret-{CONFIGURATION} $dcvars-{REALM} DC --realm=$dcvars-{REALM};