[Samba] Fix the Issue Windows 8 cannot join if a example.com domain

2013-06-20 Thread Daniel Müller
Dear all,

Could anyone confirm whether the issue that Windows 8 could not join a Samba 3 old-style
dotted domain (ex.: 'example.com' would not join, but 'example' joins
well!) is solved by any hack?
 
Greetings
Daniel

---
EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch

2013-06-20 Thread Philipp Lies
Hi,

I'm trying to get my new samba server running for a few days now and I
start losing my mind over not figuring out what I'm doing wrong. Here's
my setup:

OpenLDAP 2.4.21 server with ~15 groups and 100 users, all having a unix
and a samba NT password stored in the LDAP as well as a User SID and
Primary Group SID assigned and stored in the LDAP, derived from the SID
of the LDAP Server.

Now I want several samba servers to use the LDAP server to authenticate
users.
One samba server is a CentOS 6.3 configured with NSS/PAM using the ldap
server. getent passwd/group returns all users and ssh to the samba
machine works for all users. Samba is v3.6.9-151.el6. Now here's the
smb.conf (I removed the shares):

[global]
workgroup = X
security = user
passdb backend = ldapsam:ldap://myldapserver
ldap suffix = dc=mydomain,dc=com
ldap admin dn = cn=replicator,dc=mydomain,dc=com
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap ssl = start tls

The ldap connection works, as `pdbedit -L` shows

pm_process() returned Yes
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMBAHOSTNAME))]
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
The LDAP server is successfully connected
smbldap_search_paged: base = [dc=mydomain,dc=com], filter =
[(&(uid=*)(objectclass=sambaSamAccount))],scope = [2], pagesize = [1024]
smbldap_search_paged: search was successful
sid S-1-5-21-[LDAPSID]-5168 does not belong to our domain

and then the last message repeats for all uids.
Using `smbclient -L localhost -U someid` the log file says:

check_ntlm_password:  Checking password for unmapped user
[XXX]\[someid]@[SAMBAHOST] with the new password interface
check_ntlm_password:  mapped user is: [SAMBAHOST]\[someid]@[SAMBAHOST]
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
The LDAP server is successfully connected
init_sam_from_ldap: Entry found for user: someid
Home server: SAMBAHOST
Home server: SAMBAHOST
init_group_from_ldap: Entry found for group: 1011
init_group_from_ldap: Entry found for group: 1011
Primary group S-1-5-21-[LDAPSID]-1000 for user someid is a UNKNOWN
and not a domain group
Forcing Primary Group to 'Domain Users' for someid
ntlm_password_check: Checking NTLMv2 password with domain [CIN]
sam_account_ok: Checking SMB password for user someid
The primary group domain sid(S-1-5-21-[LOCALSID]-513) does not match
the domain sid(S-1-5-21-[LDAPSID]) for someid(S-1-5-21-[LDAPSID]-5708)
check_sam_security: make_server_info_sam() failed with
'NT_STATUS_UNSUCCESSFUL'
check_ntlm_password:  Authentication for user [someid] - [someid]
FAILED with error NT_STATUS_UNSUCCESSFUL

What I see here is that the samba server does not recognize the primary
group of the user (which is an existing group in the LDAP) and therefore
maps the primary group to its local Domain Users group, which then
obviously does not match the domain SID of the user.
But why doesn't the samba server recognize the group? Or is there a
different underlying problem?


What I tried so far:

Changing the SID of the samba server to the SID of the LDAP server, but
`net setlocalsid S-...` did not change the local SID. No error message,
just executed successfully but getlocalsid returned the old SID.

Setting the domainsid of the samba server to the SID of the ldap server.
`net setdomainsid S-...` was successful but the samba server still
refuses to authenticate the users.

Tried adding the server to the domain with `net join XXX`, but the answer
was just "standalone server cannot join domain".

I tried to run `smbpasswd -a` to add the user to the local samba db
(even though this would not be an option for the final solution, but
that's what other users recommended), but the error didn't change.

How can I either tell samba to ignore the domain SID mismatch or force
samba to have the same SID as the LDAP? Or would this cause other
problems if ~10 Samba Server and the LDAP in the end all have the exact
same SID?

Strangely I have debian/ubuntu servers where I have the same
configuration but there it works. The difference I see is that in the
debian system after the Primary Group ... is UNKNOWN there is no
forcing to Domain Users as group and samba just checks the password of
the user and doesn't care about the primary group SID.

Any ideas what I'm missing there?

Philipp
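The log above shows three steps: the primary group SID is "UNKNOWN and not a domain group", Samba forces Domain Users of its own domain SID, and that group's domain part then fails to match the user's SID. The following Python model of that sequence is an added example, not Samba's own code; the two domain SIDs are constructed placeholders for the [LDAPSID] and [LOCALSID] values in the post, while the RIDs 5708 and 1000 come from the log.

```python
"""Model of the primary-group SID checks that fail in the posted log.

Added example, not Samba's code: it reproduces the decision sequence the
log shows (primary group SID not in the server's domain -> forced to Domain
Users of the server's own domain SID -> that group's domain part compared
with the user's), so the effect of the server's domain SID becomes visible.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")
DOMAIN_USERS_RID = 513  # well-known RID of "Domain Users"


@dataclass(frozen=True)
class Sid:
    authority: int
    subauths: Tuple[int, ...]

    @classmethod
    def parse(cls, text: str) -> "Sid":
        if SID_RE.fullmatch(text) is None:
            raise ValueError(f"not a SID: {text!r}")
        parts = text.split("-")
        return cls(int(parts[2]), tuple(int(p) for p in parts[3:]))

    @property
    def domain(self) -> "Sid":
        """The SID minus its last sub-authority (the RID)."""
        return Sid(self.authority, self.subauths[:-1])

    @property
    def rid(self) -> int:
        return self.subauths[-1]

    def with_rid(self, rid: int) -> "Sid":
        return Sid(self.authority, self.subauths + (rid,))

    def __str__(self) -> str:
        return "S-1-%d-%s" % (self.authority, "-".join(str(s) for s in self.subauths))


def extract_sids(text: str) -> List[Sid]:
    """All SIDs mentioned in a log line, in order of appearance."""
    return [Sid.parse(m) for m in SID_RE.findall(text)]


def check_primary_group(user_sid: Sid, group_sid: Sid,
                        server_domain_sid: Sid) -> Tuple[str, Sid, List[str]]:
    """Return (status, effective primary group SID, explanation lines).

    Step 1 mirrors "Primary group ... is UNKNOWN and not a domain group /
    Forcing Primary Group to 'Domain Users'": a group whose domain part is
    not the server's own domain SID cannot be resolved as a domain group.
    Step 2 mirrors "The primary group domain sid(...) does not match the
    domain sid(...)": the effective group must live in the user's domain.
    """
    notes: List[str] = []
    if group_sid.domain != server_domain_sid:
        notes.append(f"Primary group {group_sid} is UNKNOWN and not a domain group")
        group_sid = server_domain_sid.with_rid(DOMAIN_USERS_RID)
        notes.append(f"Forcing Primary Group to 'Domain Users' ({group_sid})")
    if group_sid.domain != user_sid.domain:
        notes.append(f"The primary group domain sid({group_sid}) does not match "
                     f"the domain sid({user_sid.domain}) for user {user_sid}")
        return "NT_STATUS_UNSUCCESSFUL", group_sid, notes
    return "NT_STATUS_OK", group_sid, notes


# Constructed placeholders for the [LDAPSID] and [LOCALSID] values in the post.
LDAPSID = Sid.parse("S-1-5-21-1111111111-2222222222-3333333333")
LOCALSID = Sid.parse("S-1-5-21-4444444444-5555555555-6666666666")
USER_SID = LDAPSID.with_rid(5708)   # someid, as in the log
GROUP_SID = LDAPSID.with_rid(1000)  # someid's primary group, as in the log

if __name__ == "__main__":
    # First run: the server's own domain SID differs from the LDAP one (the
    # posted failure). Second run: both are the same SID.
    for server in (LOCALSID, LDAPSID):
        status, group, notes = check_primary_group(USER_SID, GROUP_SID, server)
        print(f"server domain SID {server}: {status} (primary group {group})")
        for line in notes:
            print("   ", line)
```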


[Samba] how to delete a locked file in smbclient.

2013-06-20 Thread Hu Jing
I have a Samba server on Linux and two Samba clients on Windows.

In Windows XP, I use jcifs to access the files on the Samba server.
Sometimes a client will lock a file and the other client wants to
delete the file, but that client will fail to delete the locked file; this is not my
expectation.

So I want to know: is there any configuration in smb.conf to allow clients
to delete a locked file?

Or in jcifs, can I delete a locked file by force?

Thanks for any reply.


Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch

2013-06-20 Thread Gaiseric Vandal
If I follow correctly the LDAP server is NOT in the domain?   The Samba 
accounts should be using the SID of the Samba PDC not the SID of the  
LDAP server. This of course means that a Samba member server can't 
use the same LDAP back end (at least for Samba authentication.)




Long and short - I found it easiest to have the LDAP server on the same
machine as the DC. I have one PDC and one BDC (sometimes 2 BDCs.)
Each PDC uses its own ldap server and the ldap servers are configured for
replication.


The simplest solution may be to set the local and domain sid of the LDAP 
server to the same sid as the DC, and join the LDAP server to the domain 
as a DC.






On 06/20/13 04:26, Philipp Lies wrote:


Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch

2013-06-20 Thread Ricky Nance
You might look into the net getlocalsid, net getdomainsid, net setlocalsid and
net setdomainsid commands; you may be able to set the samba servers the
same as your ldap sid... just a thought. Remember, messing around with SIDs
can cause major issues, so export all sids to a file and be ready to set them
back if everything goes wrong. (net getdomainsid > sidbackup.txt to export
them on the samba side of things)

Ricky


On Thu, Jun 20, 2013 at 8:04 AM, Gaiseric Vandal
<gaiseric.van...@gmail.com> wrote:


Re: [Samba] Fix the Issue Windows 8 cannot join if a example.com domain

2013-06-20 Thread Carlos R. Pena Evertsz

Hi Daniel,

Try modifying the Network Security: LAN Manager authorization Level.

Run SecPol.msc
Select Local Policies > Security Options > Network Security: LAN Manager
authorization Level


Double click and change to the Send LM & NTLM - use NTLMv2 session security
if negotiated option in the combo box.


I hope this could help.

Sincerely,

Carlos R. P. Evertsz
Santo Domingo, Dominican Republic


Run SecPol.msc and select Local Policies > Security
Options > Network Security: LAN Manager authorization Level
Here select Send LM & NTLM - use NTLMv2 session security
renegotiated



On Jun/20/2013 2:25 AM, Daniel Müller wrote:



Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch

2013-06-20 Thread Gaiseric Vandal

OK. I understand (at least a little better.)

So the correct behaviour would be for the standalone workgroup machines
to say "I don't know who DOMAIN/user1 is, so I will map to local
user1." The standalone servers should be using LDAP for unix
accounts, but I don't think you really should use the common LDAP backend
for samba accounts. You would need to use smbpasswd or pdbedit to
create local samba users on each member server, which means the member
servers would each use a local tdb database, not ldap, for samba.


If you want to centralize the samba accounts I think the proper way
would be to use member servers.



That being said, if the current set up is working on some machines but
not others, I would run testparm -v on each domain member and see if
there are differences in mapping behavior. Different OSes may have
slightly different versions of samba and the default smb.conf parameters
may have changed. Also run net groupmap list
on each member server. You may need to explicitly set group mappings
for key windows groups (i.e. the group sid maps to a unix group.)




e.g.
# net groupmap list
...
Administrators (S-1-5-32-544) -> Builtin Admins
Users (S-1-5-32-545) -> Builtin Users

# getent group "Builtin Admins"
Builtin Admins::544:




On 06/20/13 10:40, Philipp Lies wrote:

On 20.06.2013 15:04, Gaiseric Vandal wrote:
If I follow correctly the LDAP server is NOT in the domain? The
Samba accounts should be using the SID of the Samba PDC not the SID
of the LDAP server. This of course means that a Samba member
server can't use the same LDAP back end (at least for Samba
authentication.)

The LDAP server is the PDC, however, there are no domain members. All
my samba servers are standalone servers which are not domain members.
This seems to work nicely with my debian machines but not the centos
ones.


Re: [Samba] Clustered Samba 3.6.6 connection issues

2013-06-20 Thread Adi Kriegisch
Dear Samba Community,

(answering my own request) 
 we recently did upgrade our data server cluster from Debian Squeeze (Samba
 3.5.6) to Debian Wheezy (Samba 3.6.6).
 The cluster is configured to act as BDC too. After the upgrade, connecting
 to the server works for a short while and then users experience disconnects
[...]
   | This computer was not able to set up a secure session with a domain
   | controller in domain DOMAIN due to the following:
   | The RPC server is unavailable.
[...]
 A test cluster showed that with the very same config files, Samba 3.6.6
 works just fine in a cluster when not being a BDC (domain logons = no and
 security = domain).
We made a huge mistake here: during the upgrade process we shut down ctdb
on the two servers that were upgraded and left one running and serving the
cluster.
After we completed the upgrade, we stopped ctdb on the remaining node and
started it on the freshly upgraded nodes.
That works just fine, but the disabled node still has all 3 cluster IPs
configured and sometimes wins the ARP response race, which leads to
connection requests going to the wrong server and to the behavior
we've seen here.
Whenever you plan to do the same (i.e. still have a fallback configuration
on at least one node), make sure to manually remove the IP addresses.

-- Adi
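A pre-flight check for the mistake described above, written as an added example (not part of the original post or of ctdb): it lists the cluster's public IPs that are still configured on a node whose ctdb has been stopped, which is exactly the state that lets that node win the ARP race. It assumes the ctdb public_addresses file format ("<ip>/<prefix> <interface>" per line) and the output format of `ip -o -4 addr show`; both inputs below are constructed.

```python
"""List ctdb public IPs still configured on a node whose ctdb is stopped.

Added example, not ctdb's code. Both inputs are constructed: a
public_addresses file with the post's three cluster IPs, and the
`ip -o -4 addr show` output of a node that was left out of the upgrade.
"""
from typing import Dict, List, Tuple

# Constructed ctdb public_addresses file (3 cluster IPs, as in the post).
PUBLIC_ADDRESSES = """\
192.0.2.101/24 eth0
192.0.2.102/24 eth0
192.0.2.103/24 eth0
"""

# Constructed `ip -o -4 addr show` output: the node's own static address
# plus two cluster IPs that should have been removed when ctdb was stopped.
IP_ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.11/24 brd 192.0.2.255 scope global eth0\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.101/24 brd 192.0.2.255 scope global secondary eth0\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.103/24 brd 192.0.2.255 scope global secondary eth0\\       valid_lft forever preferred_lft forever
"""


def parse_public_addresses(text: str) -> Dict[str, str]:
    """Map each cluster IP (without prefix length) to its interface."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # ctdb allows '#' comments
        if not line:
            continue
        cidr, iface = line.split()[:2]
        result[cidr.split("/", 1)[0]] = iface
    return result


def parse_ip_addr(text: str) -> List[Tuple[str, str]]:
    """(interface, ip) pairs from one-line-per-address `ip -o -4 addr` output."""
    found: List[Tuple[str, str]] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "inet":
            found.append((fields[1], fields[3].split("/", 1)[0]))
    return found


def stale_cluster_ips(ip_addr_text: str, public_addresses_text: str) -> List[str]:
    """Cluster public IPs still configured on this node, as "ip on iface".

    On a node whose ctdb is stopped every hit is stale: the node keeps
    answering ARP for that address and can steal connections from the
    nodes that actually serve the cluster.
    """
    public = parse_public_addresses(public_addresses_text)
    stale = [f"{ip} on {iface}"
             for iface, ip in parse_ip_addr(ip_addr_text) if ip in public]
    return sorted(stale)


if __name__ == "__main__":
    for entry in stale_cluster_ips(IP_ADDR_OUTPUT, PUBLIC_ADDRESSES):
        print("stale cluster IP still configured:", entry)
```

On a real node the two inputs would come from `cat /etc/ctdb/public_addresses` and `ip -o -4 addr show`; an empty result is the state Adi recommends before handing the cluster over.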


[Samba] DNS replication and BDCs

2013-06-20 Thread David González Herrera - [DGHVoIP]

Hi,

Regular readers already know my setup, but for those new here, I
have a Samba4 PDC and two BDCs, one a Samba4 and the other a W2k8 R2 machine.


Yesterday we had problems with our upstream service provider and my PDC
(backend BIND 9 DLZ) went down for some hours; as you might guess my
whole AD was down due to the fact that the main DNS was down.


I would like you to point me to, or tell me, how I create a fail-over or
high availability system so that when one of the DCs is down the other
takes over Auth tasks and obviously DNS.


I've thought a solution would be to make a slave BIND DNS on another
server and replicate the Samba zone and add appropriate NS and A
records to the main zone so that clients can query another DNS for the
zone and not fail as I faced yesterday. This is a production environment
scenario and I have many servers authenticating users against the samba
server, so if this fails everything else does.


I'd really appreciate your advice here.

Thanks again.

--
David Gonzalez
DGHVoIP
USA:
MOBILE: +1.646.559.6200
COL: +57.1.382.6718
COL: +57.4.247.0985
URL: www.dghvoip.com
Skype: davidgonzalezh


Re: [Samba] Fix the Issue Windows 8 cannot join if a example.com domain

2013-06-20 Thread Christophe Dezé

hi
read this 
https://www.multifake.net/2013/01/windows-8-not-joining-certain-samba-domains/



On 20/06/2013 16:25, Carlos R. Pena Evertsz wrote:



Re: [Samba] Shared drives not writeable

2013-06-20 Thread Chris Nighswonger
No takers?

On Thu, Jun 6, 2013 at 12:04 PM, Chris Nighswonger
<cnighswon...@foundations.edu> wrote:

 I am running Samba 3.6.6 on a Ubuntu 12.10 Samba domain member server.
 Users are authenticated against a Samba DC running 3.6.9 over an LDAP
 backend. I have a share configured as shown below. Members of the
 'staff-faculty' group can browse the share, but cannot write files to
 any subdir for which they are not the owner. It appears that the only
 reason they can read/traverse is because of o::r-x.

 What I am looking for is a share where any member of the group may rw,
 but the various users retain ownership of the files/dirs they create.

 Here is what the perms, etc. look like:

 drwxrwxr-x+   2 jdoe staff-faculty 4.0K Jun  6 09:01 test

 The acl looks like this:

 # file: test
 # owner: jdoe
 # group: staff-faculty
 user::rwx
 group::rwx
 group:staff-faculty:rwx
 mask::rwx
 other::r-x

 I can post extended debug information, but thought perhaps there is an
 obvious mistake in my share configuration and so am posting that
 first.

 Kind Regards,
 Chris

 ---

 [Shared Drives]
 comment = Staff-Faculty Shares
 path = /netdrives/shared
 browsable = yes
 read only = no
 inherit acls = no
 inherit permissions = no
 create mask = 0771
 directory mask = 2771
 valid users = @CAMPUS\staff-faculty
 write list = @CAMPUS\staff-faculty
 admin users = @CAMPUS\Domain Admins



Re: [Samba] [CentOS] Samba4 and NFSv4

2013-06-20 Thread Steve Thompson

On Fri, 14 Jun 2013, Steve Thompson wrote:


I still have an issue with user access to the NFSv4 mount, and a
workaround for it, but that's for another time.


And now is another time (but I am at the point of giving up on this for
now, as it has become a large consumer of time).


To reiterate, I am trying to get Kerberized NFSv4 to work with CentOS 6.4
clients in a Samba4 domain, using sssd and Samba 4.0.5 (no winbind). Now,
CentOS 6.4 uses kernel 2.6.32-358.6.2.el6 and nfs-utils 1.2.3-36. First of
all, the Samba4 KDC (a separate pair of systems) appears to be working,
DNS (samba4+bind9+dlz) is working (forward and reverse), and NFSv4 is
working just fine with sec=sys (i.e. no Kerberos), so I believe the basic
infrastructure to be sound, including ID mapping. I am using the sec=sys
case in production with Samba4, so I know that to be good (and,
interestingly, it feels a lot snappier than NFSv3).


NFSv4 mounts with sec=krb5 work fine as long as I create a suitable UPN in 
the Samba database. On the client and server:


# kinit Administrator
# FQDN=`hostname`
# msktutil \
--base CN=Computers \
--keytab /etc/krb5.keytab \
--dont-expire-password \
--no-pac \
--computer-name nfs-$HOST \
--hostname $FQDN \
--service nfs/$FQDN \
--upn nfs/$FQDN \
--user-creds-only

and the nfs/... entries show up within the client and server's 
/etc/krb5.keytab and look correct:


# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
--
   1 host/fqdn@REALM (des-cbc-crc)
   1 host/fqdn@REALM (des-cbc-md5)
   1 host/fqdn@REALM (arcfour-hmac)
   1 host/fqdn@REALM (aes128-cts-hmac-sha1-96)
   1 host/fqdn@REALM (aes256-cts-hmac-sha1-96)
   1 host/shortname@REALM (des-cbc-crc)
   1 host/shortname@REALM (des-cbc-md5)
   1 host/shortname@REALM (arcfour-hmac)
   1 host/shortname@REALM (aes128-cts-hmac-sha1-96)
   1 host/shortname@REALM (aes256-cts-hmac-sha1-96)
   1 SHORTNAME$@REALM (des-cbc-crc)
   1 SHORTNAME$@REALM (des-cbc-md5)
   1 SHORTNAME$@REALM (arcfour-hmac)
   1 SHORTNAME$@REALM (aes128-cts-hmac-sha1-96)
   1 SHORTNAME$@REALM (aes256-cts-hmac-sha1-96)
   1 HOST/fqdn@REALM (des-cbc-crc)
   1 HOST/fqdn@REALM (des-cbc-md5)
   1 HOST/fqdn@REALM (arcfour-hmac)
   1 HOST/fqdn@REALM (aes128-cts-hmac-sha1-96)
   1 HOST/fqdn@REALM (aes256-cts-hmac-sha1-96)
   2 nfs-shortname$@REALM (arcfour-hmac)
   2 nfs-shortname$@REALM (aes128-cts-hmac-sha1-96)
   2 nfs-shortname$@REALM (aes256-cts-hmac-sha1-96)
   2 nfs/fqdn@REALM (arcfour-hmac)
   2 nfs/fqdn@REALM (aes128-cts-hmac-sha1-96)
   2 nfs/fqdn@REALM (aes256-cts-hmac-sha1-96)

Here /data is the exported bind mount that is underneath the fsid=0 
exports entry:


# mount -t nfs4 -o sec=krb5 server_fqdn:/data /mnt
# (works)

I can browse the mount point as root and all permissions and ownerships 
are correct, except of course that I cannot descend into directories for 
which root (aka nobody) does not have permissions, as expected.


Now as a user (me, with UID 1002), using the server as a client (but using 
a separate client makes no difference), I can't even browse:


$ kinit
$ ls /mnt
ls: cannot access /mnt: Permission denied

and that's as far as I can get. From /var/log/messages:

rpc.gssd[7564]: using FILE:/tmp/krb5cc_1002 as credentials cache for client with uid 
1002 for server server_fqdn
rpc.gssd[7564]: using environment variable to select krb5 ccache 
FILE:/tmp/krb5cc_1002
rpc.gssd[7564]: creating context using fsuid 1002 (save_uid 0)
rpc.gssd[7564]: creating tcp client for server server_fqdn
rpc.gssd[7564]: DEBUG: port already set to 2049
rpc.gssd[7564]: creating context with server nfs@server_fqdn
rpc.gssd[7564]: WARNING: Failed to create krb5 context for user with uid 1002 for 
server fqdn

I have of course researched this at length, and found lots of instances of 
folks seeing the same Failed to create krb5 context message, but no-one 
with the same combination of OS and Samba4, and no resolutions.


I have also tried a Fedora 18 client and server (kernel 3.9.5-201.fc18, 
nfs-utils 1.2.7-6) with a different but equivalent pair of Samba4 domain 
controllers. Again, NFSv4 with sec=sys works fine, and with sec=krb5 it 
fails in *exactly* the same way as for CentOS.


Using net ads keytab add nfs... properly creates an SPN, and this is not 
sufficient, on both CentOS and Fedora.


Any ideas? Please stop me from drinking so much coffee. TIA!

-Steve
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Fix the Issue Windows 8 cannot join if a example.com domain

2013-06-20 Thread Carlos R. Pena Evertsz

Ok

Thank you Christophe

On Jun/20/2013 2:38 PM, Christophe Dezé wrote:

hi
read this 
https://www.multifake.net/2013/01/windows-8-not-joining-certain-samba-domains/



On 20/06/2013 16:25, Carlos R. Pena Evertsz wrote:

Hi Daniel,

Try modifying the Network Security: LAN Manager authorization Level.

Run SecPol.msc
Select Local Policies > Security Options > Network Security: LAN Manager authorization Level


Double click and change to the 'Send LM & NTLM - use NTLMv2 session security if negotiated' option in the combo box.


I hope this could help.

Sincerely,

Carlos R. P. Evertsz
Santo Domingo, Dominican Republic


Run SecPol.msc and select Local Policies > Security Options > Network Security: LAN Manager authorization Level.
Here select Send LM & NTLM - use NTLMv2 session security renegotiated.



On Jun/20/2013 2:25 AM, Daniel Müller wrote:

Dear all,

could anyone approve if the issue windows 8 could not join a samba3 old
style dot domain, ex.: 'example.com' would not join-- but 'example' join
well!, is solved in any hack?
  Greetings
Daniel

---
EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---










Re: [Samba] [CentOS] Samba4 and NFSv4

2013-06-20 Thread steve
On Thu, 2013-06-20 at 15:21 -0400, Steve Thompson wrote:
 mount -t nfs4 -o sec=krb5 server_fqdn:/data /mnt

What do you have in /etc/idmapd.conf
What does ps aux | grep rpc give?

Can the user browse using nfs3?
mount -t nfs3 -o sec=krb5 server_fqdn:/data /mnt

Have a look at the gotchas. There's loadsa wrong info about kerberos and
nfs4:
http://linux-nfs.org/wiki/index.php/Nfsv4_configuration

hth
Steve





Re: [Samba] [CentOS] Samba4 and NFSv4

2013-06-20 Thread Steve Thompson

On Thu, 20 Jun 2013, steve wrote:

Thanks for your reply! I am really pulling my hair out over this one, and 
I don't have that much left :(



What do you have in /etc/idmapd.conf


The content of this file is correct as far as I understand it, as it works 
with NFSv3 and NFSv4 with sec=sys:


[General]
Verbosity = 0
Domain = icse.cornell.edu
Local-Realms = TITAN.TEST.CORNELL.EDU

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody

[Translation]
Method = nsswitch

(and I have nsswitch.conf correctly configured).

Note: in my case, the value of Domain in idmapd.conf is NOT the same as 
the DNS domain name. But as I understand it, as long as it is the same on 
all servers and clients, this should not matter, as it is just a label. I 
tried setting it to the DNS domain name, but it didn't make any 
difference. And changing it on just the server and not the clients leaves 
all ownerships as being nobody:nobody instead of the proper ownerships, 
which is (a) expected, and (b) leads me to believe that rpc.idmapd is 
working as it should. Starting rpc.idmapd with -vvv dumps the mappings to 
/var/log/messages, and they are correct. In any case, clients don't all 
have the same DNS domain name.



What does ps aux | grep rpc give?


rpc   1616  0.0  0.0  18972   992 ?Ss   Jun18   0:00 rpcbind
rpcuser   1649  0.0  0.0  25420  1380 ?Ss   Jun18   0:00 rpc.statd
root  1678  0.0  0.0  0 0 ?SJun18   0:00 [rpciod/0]
root  1679  0.0  0.0  0 0 ?SJun18   0:01 [rpciod/1]
root  5789  0.0  0.0  50112  2072 ?Ss   12:06   0:00 rpc.svcgssd 
-vvv
root  5795  0.0  0.0 107304   276 ?Ss   12:06   0:00 rpc.rquotad
root  5799  0.0  0.0  22832  2560 ?Ss   12:06   0:00 rpc.mountd 
--no-nfs-version 2
root  5850  0.0  0.0  36900  1048 ?Ss   12:06   0:00 rpc.idmapd -vvv
root  8807  0.0  0.0  37340  2556 ?Ss   16:37   0:00 rpc.gssd -vvv

All the expected daemons are present, including rpc.gssd and rpc.svcgssd. 
I have rpc.svcgssd running on the clients too, although it should not be 
necessary there (but the CentOS init scripts don't give the option to not 
start it).



Can the user browse using nfs3?
mount -t nfs3 -o sec=krb5 server_fqdn:/data /mnt


No; exactly the same result as NFSv4. But yes with sec=sys.

Have a look at the gotchas. There's loadsa wrong info about kerberos and 
nfs4: http://linux-nfs.org/wiki/index.php/Nfsv4_configuration


That's one of the many articles that I've read (several times). I don't 
see anything wrong in what I have done (btw, I don't agree that the fsid=0 
export should be mode 1777, and I don't agree that your first exports 
example is the proper way to do it. But in any event I have tried those 
too, to no effect).


Steve


Re: [Samba] Problems when saving AutoCAD files

2013-06-20 Thread Santiago Pestarini
2013/6/14 Santiago Pestarini santiago...@gmail.com:
 Hi!
 I was searching for info about this issue and found almost nothing.
 So, let's go directly to the matters...

 - Problem:
 AutoCAD says You do not have permission to save to this location.
 when trying to save the file in the samba share dir.
 (This problem only occurs with AutoCAD.)

 - Scenario:
 Running AutoCAD in a WinXP/Win7 PC, opening a DWG AutoCAD file from
 samba share dir in Zentyal Linux server.

 I have Samba 4.0.5 running in my Zentyal 3.0.21, both recently updated.

 - smb.conf contents:
 [global]
 workgroup = ESTUDIO
 realm = ESTUDIO.LAN
 netbios name = zentyal
 server string = Zentyal File Server
 server role = dc
 server role check:inhibit = yes
 server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl,
 winbind, ntp_signd, kcc, dnsupdate
 server signing = auto

 interfaces = lo,eth0
 bind interfaces only = yes

 log level = 3
 log file = /var/log/samba/samba.log

 guest ok = yes
 map to guest = bad user
 guest account = nobody
 auth methods = guest sam_ignoredomain


 [profiles]
 path = /home/samba/profiles
 browseable = no
 read only = no

 [netlogon]
 path = /opt/samba4/var/locks/sysvol/estudio.lan/scripts
 browseable = no
 read only = yes

 [sysvol]
 path = /opt/samba4/var/locks/sysvol
 read only = no

 [homes]
 comment = Directorios de usuario
 path = /home/%S
 read only = no
 browseable = no
 create mask = 0611
 directory mask = 0711
 vfs objects = acl_xattr full_audit scannedonly recycle

 # Shares
 [expedientes]
 comment = Expedientes
 path = /home/samba/shares/expedientes
 browseable = Yes
 read only = No
 force create mode = 0660
 force directory mode = 0660
 vfs objects = acl_xattr full_audit scannedonly recycle

 

 Also read this where Autodesk wash their hands, blaming the server,
 the client, the network, etc:
 http://forums.autodesk.com/t5/Installation-Licensing/Unable-to-save-drawing/td-p/72075

 Please Help!

What about this?
Did I make some mistake in my question?
Please, can someone throw me anything?

I really need some help...


Re: [Samba] [CentOS] Samba4 and NFSv4

2013-06-20 Thread steve
On Thu, 2013-06-20 at 16:57 -0400, Steve Thompson wrote:
 On Thu, 20 Jun 2013, steve wrote:
 
 Thanks for your reply! I am really pulling my hair out over this one, and 
 I don't have that much left :(
 
  What do you have in /etc/idmapd.conf
 
 The content of this file is correct as far as I understand it, as it works 
 with NFSv3 and NFSv4 with sec=sys:
 
 [General]
 Verbosity = 0
 Domain = icse.cornell.edu
 Local-Realms = TITAN.TEST.CORNELL.EDU
 
 [Mapping]
 Nobody-User = nobody
 Nobody-Group = nobody
 
 [Translation]
 Method = nsswitch
 
 (and I have nsswitch.conf correctly configured).
 
 Note: in my case, the value of Domain in idmapd.conf is NOT the same as 
 the DNS domain name. But as I understand it, as long as it is the same on 
 all servers and clients, this should not matter, as it is just a label. I 
 tried setting it to the DNS domain name, but it didn't make any 
 difference. And changing it on just the server and not the clients leaves 
 all ownerships as being nobody:nobody instead of the proper ownerships, 
 which is (a) expected, and (b) leads me to believe that rpc.idmapd is 
 working as it should. Starting rpc.idmapd with -vvv dumps the mappings to 
 /var/log/messages, and they are correct. In any case, clients don't all 
 have the same DNS domain name.
 
  What does ps aux | grep rpc give?
 
 rpc   1616  0.0  0.0  18972   992 ?Ss   Jun18   0:00 rpcbind
 rpcuser   1649  0.0  0.0  25420  1380 ?Ss   Jun18   0:00 rpc.statd
 root  1678  0.0  0.0  0 0 ?SJun18   0:00 [rpciod/0]
 root  1679  0.0  0.0  0 0 ?SJun18   0:01 [rpciod/1]
 root  5789  0.0  0.0  50112  2072 ?Ss   12:06   0:00 rpc.svcgssd 
 -vvv
 root  5795  0.0  0.0 107304   276 ?Ss   12:06   0:00 rpc.rquotad
 root  5799  0.0  0.0  22832  2560 ?Ss   12:06   0:00 rpc.mountd 
 --no-nfs-version 2
 root  5850  0.0  0.0  36900  1048 ?Ss   12:06   0:00 rpc.idmapd 
 -vvv
 root  8807  0.0  0.0  37340  2556 ?Ss   16:37   0:00 rpc.gssd -vvv
 
 All the expected daemons are present, including rpc.gssd and rpc.svcgssd. 
 I have rpc.svcgssd running on the clients too, although it should not be 
 necessary there (but the CentOS init scripts don't give the option to not 
 start it).
 
  Can the user browse using nfs3?
  mount -t nfs3 -o sec=krb5 server_fqdn:/data /mnt
 
 No; exactly the same result as NFSv4. But yes with sec=sys.
 
  Have a look at the gotchas. There's loadsa wrong info about kerberos and 
  nfs4: http://linux-nfs.org/wiki/index.php/Nfsv4_configuration
 
 That's one of the many articles that I've read (several times). I don't 
 see anything wrong in what I have done (btw, I don't agree that the fsid=0 
 export should be mode 1777, and I don't agree that your first exports 
 example is the proper way to do it. But in any event I have tried those 
 too, to no effect).
 
 Steve

Hi
Nobody agrees with anything for nfs4, so don't worry!
Ok, that narrows it down to kerberos I suppose. What does the mount look
like:
rpc.gssd -fvvv
and the idmapping:
rpc.idmapd -fvvv

The latter may throw up some uidNumbers






Re: [Samba] [CentOS] Samba4 and NFSv4

2013-06-20 Thread Steve Thompson

On Thu, 20 Jun 2013, steve wrote:


Nobody agrees with anything for nfs4, so don't worry!


:) And boy oh boy is there a lot of just plain nonsense out there!


Ok, that narrows it down to kerberos I suppose. What does the mount look
like:
rpc.gssd -fvvv
and the idmapping:
rpc.idmapd -fvvv


Apart from the Failed to create krb5 context that ultimately comes out 
of rpc.gssd and prevents browsing by non-root users, everything here looks 
as it should.


Steve


Re: [Samba] Problems when saving AutoCAD files

2013-06-20 Thread Jeremy Allison
On Thu, Jun 20, 2013 at 06:15:34PM -0300, Santiago Pestarini wrote:
 2013/6/14 Santiago Pestarini santiago...@gmail.com:
  Hi!
  I was searching for info about this issue and found almost nothing.
  So, let's go directly to the matters...
 
  - Problem:
  AutoCAD says You do not have permission to save to this location.
  when trying to save the file in the samba share dir.
  (This problem only occurs with AutoCAD.)
 
  - Scenario:
  Running AutoCAD in a WinXP/Win7 PC, opening a DWG AutoCAD file from
  samba share dir in Zentyal Linux server.
 
  I have Samba 4.0.5 running in my Zentyal 3.0.21, both recently updated.
 
  - smb.conf contents:
  [global]
  workgroup = ESTUDIO
  realm = ESTUDIO.LAN
  netbios name = zentyal
  server string = Zentyal File Server
  server role = dc
  server role check:inhibit = yes
  server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl,
  winbind, ntp_signd, kcc, dnsupdate
  server signing = auto
 
  interfaces = lo,eth0
  bind interfaces only = yes
 
  log level = 3
  log file = /var/log/samba/samba.log
 
  guest ok = yes
  map to guest = bad user
  guest account = nobody
  auth methods = guest sam_ignoredomain
 
 
  [profiles]
  path = /home/samba/profiles
  browseable = no
  read only = no
 
  [netlogon]
  path = /opt/samba4/var/locks/sysvol/estudio.lan/scripts
  browseable = no
  read only = yes
 
  [sysvol]
  path = /opt/samba4/var/locks/sysvol
  read only = no
 
  [homes]
  comment = Directorios de usuario
  path = /home/%S
  read only = no
  browseable = no
  create mask = 0611
  directory mask = 0711
  vfs objects = acl_xattr full_audit scannedonly recycle
 
  # Shares
  [expedientes]
  comment = Expedientes
  path = /home/samba/shares/expedientes
  browseable = Yes
  read only = No
  force create mode = 0660
  force directory mode = 0660
  vfs objects = acl_xattr full_audit scannedonly recycle
 
  
 
  Also read this where Autodesk wash their hands, blaming the server,
  the client, the network, etc:
  http://forums.autodesk.com/t5/Installation-Licensing/Unable-to-save-drawing/td-p/72075
 
  Please Help!
 
 What about this?
 Did I make some mistake in my question?
 Please, can someone throw me anything?

If you're using the expedientes share and using acl_xattr
then why are you forcing the posix permissions with

  force create mode = 0660
  force directory mode = 0660

Try removing these.


Re: [Samba] Problems when saving AutoCAD files

2013-06-20 Thread Gaiseric Vandal

Is this on all saves ?  Can you do a save as and create a new doc?

I had an issue with Office 2003 on Samba 3.0.x, Solaris 10 with ZFS 
file system. For the first 6 saves the MS app would modify the file. 
Every 7th (?) save MS would delete the file and write a new one. The 
problem would be that MS would try to set file permissions; most apps 
would just let the OS handle the file permissions. Users had the 
appropriate permissions to create and delete files but not modify ACLs.


This had not been an issue with the older UFS file system. In terms 
of how samba and UFS played together, the unix file perms were the 
classic ugo / rwx. The ZFS ACLs are closer to the Windows ACLs than 
UFS ACLs were.



I am guessing if AutoCAD is the only app affected then AutoCAD is trying 
to write out some more complex file permissions. I haven't worked with 
samba 4. Can you adjust acl options in samba config?



On 06/20/13 17:15, Santiago Pestarini wrote:

2013/6/14 Santiago Pestarini santiago...@gmail.com:

Hi!
I was searching for info about this issue and found almost nothing.
So, let's go directly to the matters...

- Problem:
AutoCAD says You do not have permission to save to this location.
when trying to save the file in the samba share dir.
(This problem only occurs with AutoCAD.)

- Scenario:
Running AutoCAD in a WinXP/Win7 PC, opening a DWG AutoCAD file from
samba share dir in Zentyal Linux server.

I have Samba 4.0.5 running in my Zentyal 3.0.21, both recently updated.

- smb.conf contents:
[global]
 workgroup = ESTUDIO
 realm = ESTUDIO.LAN
 netbios name = zentyal
 server string = Zentyal File Server
 server role = dc
 server role check:inhibit = yes
 server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl,
winbind, ntp_signd, kcc, dnsupdate
 server signing = auto

 interfaces = lo,eth0
 bind interfaces only = yes

 log level = 3
 log file = /var/log/samba/samba.log

 guest ok = yes
 map to guest = bad user
 guest account = nobody
 auth methods = guest sam_ignoredomain


[profiles]
 path = /home/samba/profiles
 browseable = no
 read only = no

[netlogon]
 path = /opt/samba4/var/locks/sysvol/estudio.lan/scripts
 browseable = no
 read only = yes

[sysvol]
 path = /opt/samba4/var/locks/sysvol
 read only = no

[homes]
 comment = Directorios de usuario
 path = /home/%S
 read only = no
 browseable = no
 create mask = 0611
 directory mask = 0711
 vfs objects = acl_xattr full_audit scannedonly recycle

# Shares
[expedientes]
 comment = Expedientes
 path = /home/samba/shares/expedientes
 browseable = Yes
 read only = No
 force create mode = 0660
 force directory mode = 0660
 vfs objects = acl_xattr full_audit scannedonly recycle



Also read this where Autodesk wash their hands, blaming the server,
the client, the network, etc:
http://forums.autodesk.com/t5/Installation-Licensing/Unable-to-save-drawing/td-p/72075

Please Help!

What about this?
Did I make some mistake in my question?
Please, can someone throw me anything?

I really need some help...




Re: [Samba] [CentOS] Samba4 and NFSv4

2013-06-20 Thread Steve Thompson

On Thu, 20 Jun 2013, John Hodrien wrote:

Is it possible that Samba4 includes a large PAC on the kerberos 
credential and you're going over the limit in kernel?


Well, that is a good avenue to explore. The user that I am testing with 
(me) is only in five groups, but nevertheless I will take a further look 
at that.


Five minutes later: holy crap! That is it. I took a user in only one 
group: permission denied. I set the NO_AUTH_DATA_REQUIRED flag in 
userAccountControl (via ldbedit), and hey presto NFSv4+krb5 now works. You 
sir are a steely-eyed missile man!


I'm not convinced your comment about having to run svcgssd on clients is 
enforced due to CentOS init scripts, but it shouldn't cause any bother 
as you say.


No, it doesn't cause any bother. It just seems that the start of both 
rpc.gssd and rpc.svcgssd are conditional on SECURE_NFS being set to yes.

There are no NEED_GSSD or NEED_SVCGSSD or whatever to filter it further.

Thanks,
Steve


Re: [Samba] Shared drives not writeable

2013-06-20 Thread steve
On Thu, 2013-06-20 at 15:05 -0400, Chris Nighswonger wrote:
 No takers?
 
 On Thu, Jun 6, 2013 at 12:04 PM, Chris Nighswonger 
 cnighswon...@foundations.edu wrote:
 
  I am running Samba 3.6.6 on a Ubuntu 12.10 Samba domain member server.
  Users are authenticated against a Samba DC running 3.6.9 over an LDAP
  backend. I have a share configured as show below. Members of the
  'staff-faculty' group can browse the share, but cannot write files to
  any subdir for which they are not the owner. It appears that the only
  reason they can read/traverse is because of o::r-x.
 
  What I am looking for is a share where any member of the group may rw,
  but the various users retain ownership of the files/dirs they create.
 
  Here is what the perms, etc. look like:
 
  drwxrwxr-x+   2 jdoe staff-faculty 4.0K Jun  6 09:01 test
 
  The acl looks like this:
 
  # file: test
  # owner: jdoe
  # group: staff-faculty
  user::rwx
  group::rwx
  group:staff-faculty:rwx
  mask::rwx
  other::r-x
 
  I can post extended debug information, but thought perhaps there is an
  obvious mistake in my share configuration and so am posting that
  first.
 
  Kind Regards,
  Chris
 
  ---
 
  [Shared Drives]
  comment = Staff-Faculty Shares
  path = /netdrives/shared
  browsable = yes
  read only = no
  inherit acls = no
  inherit permissions = no
  create mask = 0771
  directory mask = 2771
  valid users = @CAMPUS\staff-faculty
  write list = @CAMPUS\staff-faculty
  admin users = @CAMPUS\Domain Admins
 

Hi
OK, I'll have a go.
Either use acls or smb.conf. I've never been able to get a mixture of
both to work. Tidy up:
chgrp -R staff-faculty /netdrives/shared
chmod 0770 /netdrives/shared
chmod g+s /netdrives/shared
setfacl -d -Rm g::rwx /netdrives/shared
set a loose acl for Domain Admins or map them to root

Then just:
[Shared Drives]
path = /netdrives/shared
read only = no
inherit acls = Yes

Worth a try?
Steve
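To make the mechanics behind steve's suggestion concrete, here is an added example that is not part of the thread: a pure-Python model of acl(5) evaluation and of what setgid plus a default ACL do to subdirectories created later. The getfacl text is Chris's; 'asmith' as a second staff-faculty member and 'jdoe' as jdoe's primary group are assumptions.

```python
"""Model of POSIX ACL evaluation (acl(5)) and of what the setgid bit and a
default ACL do to subdirectories created later.  Constructed for the 'Shared
drives not writeable' thread; nothing here touches a real filesystem."""
from dataclasses import dataclass, field

# Chris's top-level directory exactly as getfacl showed it in the thread.
TOP_ACL_TEXT = """\
# file: test
# owner: jdoe
# group: staff-faculty
user::rwx
group::rwx
group:staff-faculty:rwx
mask::rwx
other::r-x
"""


def parse_acl(text):
    """getfacl output -> {(tag, qualifier): perms}, e.g. ('group', 'staff-faculty'): 'rwx'."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            tag, qualifier, perms = line.split(":")
            acl[(tag, qualifier)] = perms
    return acl


@dataclass
class Dir:
    owner: str
    group: str
    acl: dict                                         # access ACL, see parse_acl()
    setgid: bool = False                              # chmod g+s
    default_acl: dict = field(default_factory=dict)   # setfacl -d ...


def _grants(perms, mask, want):
    """True if perms, after the ACL mask is applied, contain every bit in want."""
    effective = {c for c in perms if c in mask}
    return all(c in effective for c in want)


def can(d, user, groups, want):
    """acl(5) order: owner, named user, owning group / named groups (capped by
    mask::), and other:: only when no group entry matched at all."""
    mask = d.acl.get(("mask", ""), "rwx")
    if user == d.owner:
        return _grants(d.acl[("user", "")], "rwx", want)   # owner entry is not masked
    if ("user", user) in d.acl:
        return _grants(d.acl[("user", user)], mask, want)
    matched = False
    for (tag, qualifier), perms in d.acl.items():
        if tag != "group":
            continue
        if (qualifier == "" and d.group in groups) or (qualifier and qualifier in groups):
            matched = True
            if _grants(perms, mask, want):
                return True
    if matched:
        return False                                       # matched, but every entry denied
    return _grants(d.acl[("other", "")], "rwx", want)


def _ugo(mode, shift):
    """Classic rwx string for the user (6), group (3) or other (0) bits of mode."""
    bits = (mode >> shift) & 7
    return "".join(b if bits & v else "-" for b, v in (("r", 4), ("w", 2), ("x", 1)))


def mkdir(parent, creator, creator_primary_group, directory_mask=0o2771):
    """A subdirectory created through Samba by `creator`.  Without setgid on the
    parent it gets the creator's primary group; with setgid it inherits the
    parent's group.  Without a default ACL it only carries the ugo bits from
    Samba's 'directory mask'; with one, that default ACL becomes its ACL."""
    group = parent.group if parent.setgid else creator_primary_group
    if parent.default_acl:
        acl = dict(parent.default_acl)
    else:
        acl = {("user", ""): _ugo(directory_mask, 6),
               ("group", ""): _ugo(directory_mask, 3),
               ("other", ""): _ugo(directory_mask, 0)}
    return Dir(creator, group, acl, parent.setgid, dict(parent.default_acl))


def group_member_can_write(fix_applied):
    """The thread's situation: jdoe creates a subdirectory; asmith (assumed second
    staff-faculty member, not the owner) then tries to write into it."""
    top = Dir("jdoe", "staff-faculty", parse_acl(TOP_ACL_TEXT))
    if fix_applied:
        # steve's suggestion: chmod 0770, chmod g+s and setfacl -d -m g::rwx on the root
        top.setgid = True
        top.default_acl = {("user", ""): "rwx", ("group", ""): "rwx",
                           ("mask", ""): "rwx", ("other", ""): "---"}
    sub = mkdir(top, "jdoe", "jdoe")                 # jdoe's primary group assumed to be 'jdoe'
    return can(sub, "asmith", {"asmith", "staff-faculty"}, "w")
```

Without the fix the new subdirectory belongs to jdoe's primary group, so other staff-faculty members fall through to other:: and can only traverse; with setgid and the default ACL the group entry matches and grants write.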





Re: [Samba] [CentOS] Samba4 and NFSv4

2013-06-20 Thread steve
On Thu, 2013-06-20 at 17:44 -0400, Steve Thompson wrote:
 On Thu, 20 Jun 2013, John Hodrien wrote:

 Five minutes later: holy crap! That is it. I took a user in only one 
 group: permission denied. I set the NO_AUTH_DATA_REQUIRED flag in 
 userAccountControl (via ldbedit), and hey presto NFSv4+krb5 now works. 

Great news. Would it be possible to post the directory entry for the
user you ldbedited? I can't see how to set the flag you mention.
Cheers,
Steve
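For steve's question about how the flag is set, an added example that is not part of the thread: it reads userAccountControl from ldbsearch-style output, sets NO_AUTH_DATA_REQUIRED, and emits the LDIF an ldbmodify run (or an ldbedit session) needs. The DN, the sample record and the sam.ldb path are placeholders; the flag values are the public ADS_UF_* constants.

```python
"""Constructed example for the NFSv4+krb5 thread: read an account's
userAccountControl from ldbsearch-style output, set the NO_AUTH_DATA_REQUIRED
bit, and emit the LDIF an ldbmodify run (or a paste into ldbedit) needs.
Flag values are the public ADS_UF_* constants (MS-ADTS 2.2.16); the DN and
sam.ldb path are placeholders, not from the thread.  Caveat: with this bit set
the KDC omits the PAC from that account's tickets, so Kerberos-authenticated
services see no group authorization data for it.  Set it per account where
needed, not domain-wide."""

UAC_FLAGS = {                       # subset of ADS_UF_* (MS-ADTS 2.2.16)
    "ACCOUNTDISABLE": 0x00000002,
    "NORMAL_ACCOUNT": 0x00000200,
    "WORKSTATION_TRUST_ACCOUNT": 0x00001000,
    "DONT_EXPIRE_PASSWORD": 0x00010000,
    "NO_AUTH_DATA_REQUIRED": 0x02000000,
}

# Constructed: what `ldbsearch -H <sam.ldb> '(sAMAccountName=steve)' userAccountControl`
# prints for a normal account whose password never expires (512 + 65536).
SAMPLE_LDBSEARCH = """\
# record 1
dn: CN=steve,CN=Users,DC=example,DC=com
userAccountControl: 66048

# returned 1 records
"""


def read_account(ldbsearch_text):
    """Return (dn, userAccountControl) from the first record in ldbsearch output."""
    dn, uac = None, None
    for line in ldbsearch_text.splitlines():
        if line.startswith("dn: ") and dn is None:
            dn = line[4:].strip()
        elif line.startswith("userAccountControl: ") and uac is None:
            uac = int(line.split(":", 1)[1])
    if dn is None or uac is None:
        raise ValueError("no dn/userAccountControl record found")
    return dn, uac


def decode_uac(value):
    """Names of the known flags set in value; unknown bits are reported as hex."""
    names = [name for name, bit in UAC_FLAGS.items() if value & bit]
    leftover = value & ~sum(UAC_FLAGS.values())
    if leftover:
        names.append(hex(leftover))
    return names


def with_flag(value, name, enabled=True):
    """Set or clear one named flag, leaving every other bit untouched."""
    bit = UAC_FLAGS[name]
    return value | bit if enabled else value & ~bit


def uac_modify_ldif(dn, current, new):
    """LDIF replacing userAccountControl (stored as a decimal string in sam.ldb).
    Returns None when nothing would change, so no pointless write is issued."""
    if current == new:
        return None
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      "replace: userAccountControl", f"userAccountControl: {new}", ""])


def disable_pac_for(ldbsearch_text):
    """Pipeline for one account: parse -> set NO_AUTH_DATA_REQUIRED -> LDIF."""
    dn, current = read_account(ldbsearch_text)
    new = with_flag(current, "NO_AUTH_DATA_REQUIRED")
    return new, uac_modify_ldif(dn, current, new)


if __name__ == "__main__":
    new_value, ldif = disable_pac_for(SAMPLE_LDBSEARCH)
    print(decode_uac(new_value))    # ['NORMAL_ACCOUNT', 'DONT_EXPIRE_PASSWORD', 'NO_AUTH_DATA_REQUIRED']
    print(ldif)                     # feed to: ldbmodify -H /path/to/sam.ldb  (placeholder path)
```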
 



[Samba] pdbedit error

2013-06-20 Thread Robert Steinmetz AIA

Samba Version 3.6.3 on Ubuntu 12.04, tdbsam back end.

I discovered a couple of accounts we created before the Domain was 
configured; one was an account named administrator intended to be the 
Samba Administrator account. In order to change the domain I ran this 
command:


# pdbedit -I DOMAINNAME -U username

It worked on a number of accounts, but when I tried it on administrator I get the following:

# pdbedit -I DOMAINNAME -u administrator
Unable to modify TDB passwd: NT_STATUS_UNSUCCESSFUL!
Unable to modify entry!

# pdbedit -v -u administrator gives the following output

Unix username:administrator
NT username:
Account Flags:[U  ]
User SID: S-1-5-21-1504512832-3249319461-1142831928-500
Primary Group SID:S-1-5-21-1504512832-3249319461-1142831928-513
Full Name:Samba Administrator,,,
Home Directory:   \\hamlet\administrator
HomeDir Drive:U
Logon Script:
Profile Path:deleted for privacy
Domain:   HAMLET
Account desc:
Workstations:
Munged dial:
Logon time:   0
Logoff time:  never
Kickoff time: never
Password last set:Fri, 30 Dec 2005 17:29:27 CST
Password can change:  Fri, 30 Dec 2005 17:29:27 CST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours : FF

I don't see anything here that looks out of place but I don't know what 
it all means.


--
rob steinmetz


Re: [Samba] DNS replication and BDCs

2013-06-20 Thread Marc Muehlfeld

Hello David,

On 20.06.2013 19:55, David González Herrera - [DGHVoIP] wrote:

I would like you to point me to or tell me how I create a fail-over or
high availability system so that when one of the DCs is down the other
takes over Auth tasks and obviously DNS.

I've thought a solution would be to make a slave BIND DNS on another
server and replicate the Samba Zone and add appropriate NS and A
records to the main zone so that clients can query another DNS for the
zone and not fail as I faced yesterday. This is a production environment
scenario and I have many servers authenticating users against the samba
server so if this fails everything else does.


When you join a second DC to the AD 
(http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC), 
the DNS part is also replicated automatically.


As you already have a second DC, please check if Samba (or BIND) is 
listening on port 53 to answer DNS queries.


# netstat -taunp | grep :53

Then you only have to configure your clients to use the second machine 
as DNS server, too.


There's nothing special you have to do here.

You can use BIND or the internal DNS on the other DCs. It doesn't need to 
be the same as on your first one.



Regards,
Marc


[SCM] Samba Shared Repository - branch master updated

2013-06-20 Thread Andrew Bartlett
The branch, master has been updated
   via  88c72fc s4-winbind: Add special case for BUILTIN domain
   via  d4091c5 Fix bug #9166 - Starting smbd or nmbd with stdin from /dev/null results in EOF on stdin
  from  fc13489 build: Build with system md5.h on OpenIndiana

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 88c72fceb1c86752c52651bdea5b116806dd92c5
Author: Andrew Bartlett abart...@samba.org
Date:   Sat Jun 15 23:01:44 2013 +1000

s4-winbind: Add special case for BUILTIN domain

This should mean that lookups for the BUILTIN domain cause less trouble
than they have in the past, because they will no longer go via the
trusted domain handler.

Andrew Bartlett

Signed-off-by: Andrew Bartlett abart...@samba.org
Reviewed-by: Volker Lendecke v...@samba.org

Autobuild-User(master): Andrew Bartlett abart...@samba.org
Autobuild-Date(master): Thu Jun 20 15:30:00 CEST 2013 on sn-devel-104

commit d4091c5809f174b68714fa50fa501c99617c016e
Author: Jeremy Allison j...@samba.org
Date:   Mon Jun 10 13:33:40 2013 -0700

Fix bug #9166 - Starting smbd or nmbd with stdin from /dev/null results in EOF on stdin

Only install the stdin handler if it's a pipe or fifo.

Signed-off-by: Jeremy Allison j...@samba.org

Reviewed-by: Andrew Bartlett abart...@samba.org

---

Summary of changes:
 source3/nmbd/nmbd.c  |   14 +-
 source3/smbd/server.c|   14 +-
 source3/winbindd/winbindd.c  |   15 ++-
 source4/smbd/server.c|   17 ++---
 source4/winbind/wb_dom_info.c|5 +++--
 source4/winbind/wb_init_domain.c |   38 --
 source4/winbind/wb_sid2domain.c  |   14 ++
 7 files changed, 91 insertions(+), 26 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/nmbd/nmbd.c b/source3/nmbd/nmbd.c
index 12afb00..42e2b2f 100644
--- a/source3/nmbd/nmbd.c
+++ b/source3/nmbd/nmbd.c
@@ -130,8 +130,20 @@ static bool nmbd_setup_stdin_handler(struct 
messaging_context *msg, bool foregro
/* if we are running in the foreground then look for
   EOF on stdin, and exit if it happens. This allows
   us to die if the parent process dies
+  Only do this on a pipe or socket, no other device.
*/
-   tevent_add_fd(nmbd_event_context(), nmbd_event_context(), 0, 
TEVENT_FD_READ, nmbd_stdin_handler, msg);
+   struct stat st;
+   if (fstat(0, st) != 0) {
+   return false;
+   }
+   if (S_ISFIFO(st.st_mode) || S_ISSOCK(st.st_mode)) {
+   tevent_add_fd(nmbd_event_context(),
+   nmbd_event_context(),
+   0,
+   TEVENT_FD_READ,
+   nmbd_stdin_handler,
+   msg);
+   }
}
 
return true;
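Review bot: as shown, `fstat(0, st)` passes the `struct stat` by value and cannot compile; the call must be `fstat(0, &st)` (the `&` has probably been lost in the archive rendering, but please confirm in the tree). Two further points on this hunk: the code tests `S_ISFIFO(st.st_mode) || S_ISSOCK(st.st_mode)` and the new comment says "pipe or socket", while the commit message says "pipe or fifo", so one of them should be aligned with the other; and `return false` when fstat() fails turns an unusual stdin (a closed fd 0 makes fstat fail with EBADF) into a start-up failure, whereas the old code simply registered the handler. If the aim is only to skip the handler on non-pipe devices, logging the errno and continuing without the handler is the safer fallback.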
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index f07bd28..d3cd33e 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -1558,8 +1558,20 @@ extern void build_options(bool screen);
/* if we are running in the foreground then look for
   EOF on stdin, and exit if it happens. This allows
   us to die if the parent process dies
+  Only do this on a pipe or socket, no other device.
*/
-   tevent_add_fd(ev_ctx, parent, 0, TEVENT_FD_READ, 
smbd_stdin_handler, NULL);
+   struct stat st;
+   if (fstat(0, st) != 0) {
+   return false;
+   }
+   if (S_ISFIFO(st.st_mode) || S_ISSOCK(st.st_mode)) {
+   tevent_add_fd(ev_ctx,
+   parent,
+   0,
+   TEVENT_FD_READ,
+   smbd_stdin_handler,
+   NULL);
+   }
}
 
smbd_parent_loop(ev_ctx, parent);
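Review bot: the trailing `smbd_parent_loop(ev_ctx, parent);` suggests this block sits in smbd's main(), and `return false` from an int-returning main() exits with status 0, so an fstat() failure here would make the daemon quit silently while reporting success to whatever started it. Log the errno and either continue without the stdin handler or exit with a non-zero status. The same `fstat(0, st)` versus `fstat(0, &st)` rendering question raised on the nmbd.c hunk applies to `if (fstat(0, st) != 0) {` here.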
diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
index 7a0700d..141ca5c 100644
--- a/source3/winbindd/winbindd.c
+++ b/source3/winbindd/winbindd.c
@@ -308,6 +308,8 @@ bool winbindd_setup_stdin_handler(bool parent, bool 
foreground)
bool *is_parent;
 
if (foreground) {
+   struct stat st;
+
is_parent = talloc(winbind_event_context(), bool);
if (!is_parent) {
return false;
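Review bot: `struct stat st;` is declared at the top of the `if (foreground)` block but nothing in this hunk uses it; its fstat() presumably lands in the following hunk (`@@ -318,8 +320,19 @@`), so declaring it there, next to its use, would read better and would mirror the shape of the nmbd and smbd changes.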
@@ -318,8 +320,19 @@ bool winbindd_setup_stdin_handler(bool parent, bool 
foreground)
/* if we are running in the foreground then look