[Samba] Fix the Issue Windows 8 cannot join if a example.com domain
Dear all,

could anyone approve if the issue windows 8 could not join a samba3 old style dot domain, ex.: 'example.com' would not join -- but 'example' join well!, is solved in any hack?

Greetings
Daniel

---
EDV Daniel Müller
Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch
Hi,

I'm trying to get my new samba server running for a few days now and I start losing my mind over not figuring out what I'm doing wrong.

Here's my setup: OpenLDAP 2.4.21 server with ~15 groups and 100 users, all having a unix and a samba NT password stored in the LDAP as well as a User SID and Primary Group SID assigned and stored in the LDAP, derived from the SID of the LDAP Server. Now I want several samba servers to use the LDAP server to authenticate users. One samba server is a CentOS 6.3 configured with NSS/PAM using the ldap server. getent passwd/group returns all users and ssh to the samba machine works for all users. Samba is v3.6.9-151.el6.

Now here's the smb.conf (I removed the shares):

    [global]
    workgroup = X
    security = user
    passdb backend = ldapsam:ldap://myldapserver
    ldap suffix = dc=mydomain,dc=com
    ldap admin dn = cn=replicator,dc=mydomain,dc=com
    ldap user suffix = ou=users
    ldap group suffix = ou=groups
    ldap machine suffix = ou=computers
    ldap ssl = start tls

The ldap connection works, as `pdbedit -L` shows:

    pm_process() returned Yes
    smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMBAHOSTNAME))]
    StartTLS issued: using a TLS connection
    smbldap_open_connection: connection opened
    ldap_connect_system: successful connection to the LDAP server
    The LDAP server is successfully connected
    smbldap_search_paged: base = [dc=mydomain,dc=com], filter = [(&(uid=*)(objectclass=sambaSamAccount))], scope = [2], pagesize = [1024]
    smbldap_search_paged: search was successful
    sid S-1-5-21-[LDAPSID]-5168 does not belong to our domain

and then the last message repeats for all uids.

Using `smbclient -L localhost -U someid` the log file says:

    check_ntlm_password: Checking password for unmapped user [XXX]\[someid]@[SAMBAHOST] with the new password interface
    check_ntlm_password: mapped user is: [SAMBAHOST]\[someid]@[SAMBAHOST]
    StartTLS issued: using a TLS connection
    smbldap_open_connection: connection opened
    ldap_connect_system: successful connection to the LDAP server
    The LDAP server is successfully connected
    init_sam_from_ldap: Entry found for user: someid
    Home server: SAMBAHOST
    Home server: SAMBAHOST
    init_group_from_ldap: Entry found for group: 1011
    init_group_from_ldap: Entry found for group: 1011
    Primary group S-1-5-21-[LDAPSID]-1000 for user someid is a UNKNOWN and not a domain group
    Forcing Primary Group to 'Domain Users' for someid
    ntlm_password_check: Checking NTLMv2 password with domain [CIN]
    sam_account_ok: Checking SMB password for user someid
    The primary group domain sid(S-1-5-21-[LOCALSID]-513) does not match the domain sid(S-1-5-21-[LDAPSID]) for someid(S-1-5-21-[LDAPSID]-5708)
    check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
    check_ntlm_password: Authentication for user [someid] - [someid] FAILED with error NT_STATUS_UNSUCCESSFUL

What I see here is that the samba server does not recognize the primary group of the user (which is an existing group in the LDAP) and therefore maps the primary group to its local Domain Users group which then obviously does not match the domainSID of the userid. But why doesn't the samba server recognize the group? Or is there a different underlying problem?

What I tried so far:

Changing the SID of the samba server to the SID of the LDAP server, but `net setlocalsid S-...` did not change the local SID. No error message, just executed successfully but getlocalsid returned the old SID.

Setting the domainsid of the samba server to the SID of the ldap server. `net setdomainsid S-...` was successful but the samba server still refuses to authenticate the users.

Tried adding the server to the domain with `net join XXX` but the answer was just "standalone server cannot join domain".

I tried to run `smbpasswd -a` to add the user to the local samba db (even though this would not be an option for the final solution, but that's what other users recommended), but the error didn't change.

How can I either tell samba to ignore the domain SID mismatch or force samba to have the same SID as the LDAP? Or would this cause other problems if ~10 Samba Server and the LDAP in the end all have the exact same SID?

Strangely I have debian/ubuntu servers where I have the same configuration but there it works. The difference I see is that in the debian system after the "Primary group ... is UNKNOWN" there is no forcing to Domain Users as group and samba just checks the password of the user and doesn't care about the primary group SID.

Any ideas what I'm missing there?

Philipp
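The two log messages in the post above ("does not belong to our domain" and "primary group domain sid ... does not match the domain sid") are both plain string comparisons on the domain part of an NT SID. The following is an added example, not code from the list or from Samba, that reproduces those two checks offline against a set of user/primary-group SID pairs such as you would export from LDAP (sambaSID / sambaPrimaryGroupSID) and compare with the server's own domain SID from `net getdomainsid`. All SID values below are constructed placeholders; the function and variable names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Matches an NT domain-style SID: S-1-5-21-<a>-<b>-<c>-<RID>
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain-style SID: {sid}")
    rid = m.group(1)
    return sid[: -(len(rid) + 1)], int(rid)


def check_account(local_domain_sid: str, user_sid: str, primary_group_sid: str) -> List[str]:
    """Apply the two consistency rules behind the log messages in the post.

    1. The user SID must carry this server's domain SID
       ('sid ... does not belong to our domain').
    2. The primary group SID must carry the same domain SID as the user
       ('primary group domain sid ... does not match the domain sid').
    """
    findings = []
    user_domain, _ = split_sid(user_sid)
    group_domain, group_rid = split_sid(primary_group_sid)
    if user_domain != local_domain_sid:
        findings.append(f"user SID {user_sid} does not belong to local domain {local_domain_sid}")
    if group_domain != user_domain:
        findings.append(
            f"primary group SID {primary_group_sid} (RID {group_rid}) is not in the user's domain {user_domain}"
        )
    return findings


def audit(local_domain_sid: str, accounts: Dict[str, Tuple[str, str]]) -> Dict[str, List[str]]:
    """Run check_account over {username: (sambaSID, sambaPrimaryGroupSID)}; keep only accounts with findings."""
    report = {}
    for name, (user_sid, group_sid) in accounts.items():
        problems = check_account(local_domain_sid, user_sid, group_sid)
        if problems:
            report[name] = problems
    return report


# Constructed sample values (placeholders, not real SIDs). In practice LOCAL_DOMAIN_SID comes
# from `net getdomainsid` on the member server and LDAP_DOMAIN_SID from the sambaDomain entry.
LOCAL_DOMAIN_SID = "S-1-5-21-1000000001-1000000002-1000000003"
LDAP_DOMAIN_SID = "S-1-5-21-2000000001-2000000002-2000000003"

SAMPLE_ACCOUNTS = {
    # LDAP-issued user and group SIDs: both in the LDAP domain, so only rule 1 fires
    "someid": (f"{LDAP_DOMAIN_SID}-5708", f"{LDAP_DOMAIN_SID}-1000"),
    # the same user after samba forced the primary group to the local 'Domain Users' (RID 513): both rules fire
    "someid-forced": (f"{LDAP_DOMAIN_SID}-5708", f"{LOCAL_DOMAIN_SID}-513"),
    # an account issued under the local domain SID: clean
    "localuser": (f"{LOCAL_DOMAIN_SID}-1010", f"{LOCAL_DOMAIN_SID}-513"),
}

if __name__ == "__main__":
    for name, problems in audit(LOCAL_DOMAIN_SID, SAMPLE_ACCOUNTS).items():
        print(name)
        for p in problems:
            print("  -", p)
```

Running `audit` with the LDAP server's domain SID as `local_domain_sid` instead of the member server's own SID returns no findings for `someid`, which is exactly the situation the poster is trying to reach: every machine that authenticates these accounts from the shared passdb has to agree on one domain SID, or the accounts will be rejected as foreign.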
[Samba] how to delete a locked file in smbclient.
I have a samba server in linux and two samba clients in windows. In windows xp, I use jcifs to access the file in the samba server. Sometimes, a client will lock a file and the other client can't delete the file. But the client will delete the locked file unsuccessfully; this is not my expectation.

So I want to know, is there any configuration in smb.conf to allow clients to delete a locked file? Or in jcifs, can I delete a locked file by force?

Thanks for any reply.
Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch
If I follow correctly the LDAP server is NOT in the domain? The Samba accounts should be using the SID of the Samba PDC not the SID of the LDAP server. This of course means that a Samba member server can't use the same LDAP back end (at least for Samba authentication.)

Long and short - I found it easiest to have the LDAP server on the same machine as the DC. I have one PDC and one BDC (sometimes 2 BDC's.) Each PDC uses its own ldap server and the ldap servers are configured for replication.

The simplest solution may be to set the local and domain sid of the LDAP server to the same sid as the DC, and join the LDAP server to the domain as a DC.

On 06/20/13 04:26, Philipp Lies wrote:
> Hi,
>
> I'm trying to get my new samba server running for a few days now and I start losing my mind over not figuring out what I'm doing wrong.
>
> Here's my setup: OpenLDAP 2.4.21 server with ~15 groups and 100 users, all having a unix and a samba NT password stored in the LDAP as well as a User SID and Primary Group SID assigned and stored in the LDAP, derived from the SID of the LDAP Server. Now I want several samba servers to use the LDAP server to authenticate users. One samba server is a CentOS 6.3 configured with NSS/PAM using the ldap server. getent passwd/group returns all users and ssh to the samba machine works for all users. Samba is v3.6.9-151.el6.
>
> Now here's the smb.conf (I removed the shares):
>
>     [global]
>     workgroup = X
>     security = user
>     passdb backend = ldapsam:ldap://myldapserver
>     ldap suffix = dc=mydomain,dc=com
>     ldap admin dn = cn=replicator,dc=mydomain,dc=com
>     ldap user suffix = ou=users
>     ldap group suffix = ou=groups
>     ldap machine suffix = ou=computers
>     ldap ssl = start tls
>
> The ldap connection works, as `pdbedit -L` shows:
>
>     pm_process() returned Yes
>     smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMBAHOSTNAME))]
>     StartTLS issued: using a TLS connection
>     smbldap_open_connection: connection opened
>     ldap_connect_system: successful connection to the LDAP server
>     The LDAP server is successfully connected
>     smbldap_search_paged: base = [dc=mydomain,dc=com], filter = [(&(uid=*)(objectclass=sambaSamAccount))], scope = [2], pagesize = [1024]
>     smbldap_search_paged: search was successful
>     sid S-1-5-21-[LDAPSID]-5168 does not belong to our domain
>
> and then the last message repeats for all uids.
>
> Using `smbclient -L localhost -U someid` the log file says:
>
>     check_ntlm_password: Checking password for unmapped user [XXX]\[someid]@[SAMBAHOST] with the new password interface
>     check_ntlm_password: mapped user is: [SAMBAHOST]\[someid]@[SAMBAHOST]
>     StartTLS issued: using a TLS connection
>     smbldap_open_connection: connection opened
>     ldap_connect_system: successful connection to the LDAP server
>     The LDAP server is successfully connected
>     init_sam_from_ldap: Entry found for user: someid
>     Home server: SAMBAHOST
>     Home server: SAMBAHOST
>     init_group_from_ldap: Entry found for group: 1011
>     init_group_from_ldap: Entry found for group: 1011
>     Primary group S-1-5-21-[LDAPSID]-1000 for user someid is a UNKNOWN and not a domain group
>     Forcing Primary Group to 'Domain Users' for someid
>     ntlm_password_check: Checking NTLMv2 password with domain [CIN]
>     sam_account_ok: Checking SMB password for user someid
>     The primary group domain sid(S-1-5-21-[LOCALSID]-513) does not match the domain sid(S-1-5-21-[LDAPSID]) for someid(S-1-5-21-[LDAPSID]-5708)
>     check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
>     check_ntlm_password: Authentication for user [someid] - [someid] FAILED with error NT_STATUS_UNSUCCESSFUL
>
> What I see here is that the samba server does not recognize the primary group of the user (which is an existing group in the LDAP) and therefore maps the primary group to its local Domain Users group which then obviously does not match the domainSID of the userid. But why doesn't the samba server recognize the group? Or is there a different underlying problem?
>
> What I tried so far:
>
> Changing the SID of the samba server to the SID of the LDAP server, but `net setlocalsid S-...` did not change the local SID. No error message, just executed successfully but getlocalsid returned the old SID.
>
> Setting the domainsid of the samba server to the SID of the ldap server. `net setdomainsid S-...` was successful but the samba server still refuses to authenticate the users.
>
> Tried adding the server to the domain with `net join XXX` but the answer was just "standalone server cannot join domain".
>
> I tried to run `smbpasswd -a` to add the user to the local samba db (even though this would not be an option for the final solution, but that's what other users recommended), but the error didn't change.
>
> How can I either tell samba to ignore the domain SID mismatch or force samba to have the same SID as the LDAP? Or would this cause
Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch
You might look into the net getlocalsid, net getdomainsid, net setlocalsid and net setdomainsid commands; you may be able to set the samba servers the same as your ldap sid... just a thought.

Remember, messing around with SID's can cause major issues, so export all sids to a file and be ready to set them back if everything goes wrong. (`net getdomainsid > sidbackup.txt` to export them on the samba side of things)

Ricky

On Thu, Jun 20, 2013 at 8:04 AM, Gaiseric Vandal <gaiseric.van...@gmail.com> wrote:
> If I follow correctly the LDAP server is NOT in the domain? The Samba accounts should be using the SID of the Samba PDC not the SID of the LDAP server. This of course means that a Samba member server can't use the same LDAP back end (at least for Samba authentication.)
>
> Long and short - I found it easiest to have the LDAP server on the same machine as the DC. I have one PDC and one BDC (sometimes 2 BDC's.) Each PDC uses its own ldap server and the ldap servers are configured for replication.
>
> The simplest solution may be to set the local and domain sid of the LDAP server to the same sid as the DC, and join the LDAP server to the domain as a DC.
>
> On 06/20/13 04:26, Philipp Lies wrote:
>> Hi,
>>
>> I'm trying to get my new samba server running for a few days now and I start losing my mind over not figuring out what I'm doing wrong.
>>
>> Here's my setup: OpenLDAP 2.4.21 server with ~15 groups and 100 users, all having a unix and a samba NT password stored in the LDAP as well as a User SID and Primary Group SID assigned and stored in the LDAP, derived from the SID of the LDAP Server. Now I want several samba servers to use the LDAP server to authenticate users. One samba server is a CentOS 6.3 configured with NSS/PAM using the ldap server. getent passwd/group returns all users and ssh to the samba machine works for all users. Samba is v3.6.9-151.el6.
>>
>> Now here's the smb.conf (I removed the shares):
>>
>>     [global]
>>     workgroup = X
>>     security = user
>>     passdb backend = ldapsam:ldap://myldapserver
>>     ldap suffix = dc=mydomain,dc=com
>>     ldap admin dn = cn=replicator,dc=mydomain,dc=com
>>     ldap user suffix = ou=users
>>     ldap group suffix = ou=groups
>>     ldap machine suffix = ou=computers
>>     ldap ssl = start tls
>>
>> The ldap connection works, as `pdbedit -L` shows:
>>
>>     pm_process() returned Yes
>>     smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMBAHOSTNAME))]
>>     StartTLS issued: using a TLS connection
>>     smbldap_open_connection: connection opened
>>     ldap_connect_system: successful connection to the LDAP server
>>     The LDAP server is successfully connected
>>     smbldap_search_paged: base = [dc=mydomain,dc=com], filter = [(&(uid=*)(objectclass=sambaSamAccount))], scope = [2], pagesize = [1024]
>>     smbldap_search_paged: search was successful
>>     sid S-1-5-21-[LDAPSID]-5168 does not belong to our domain
>>
>> and then the last message repeats for all uids.
>>
>> Using `smbclient -L localhost -U someid` the log file says:
>>
>>     check_ntlm_password: Checking password for unmapped user [XXX]\[someid]@[SAMBAHOST] with the new password interface
>>     check_ntlm_password: mapped user is: [SAMBAHOST]\[someid]@[SAMBAHOST]
>>     StartTLS issued: using a TLS connection
>>     smbldap_open_connection: connection opened
>>     ldap_connect_system: successful connection to the LDAP server
>>     The LDAP server is successfully connected
>>     init_sam_from_ldap: Entry found for user: someid
>>     Home server: SAMBAHOST
>>     Home server: SAMBAHOST
>>     init_group_from_ldap: Entry found for group: 1011
>>     init_group_from_ldap: Entry found for group: 1011
>>     Primary group S-1-5-21-[LDAPSID]-1000 for user someid is a UNKNOWN and not a domain group
>>     Forcing Primary Group to 'Domain Users' for someid
>>     ntlm_password_check: Checking NTLMv2 password with domain [CIN]
>>     sam_account_ok: Checking SMB password for user someid
>>     The primary group domain sid(S-1-5-21-[LOCALSID]-513) does not match the domain sid(S-1-5-21-[LDAPSID]) for someid(S-1-5-21-[LDAPSID]-5708)
>>     check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
>>     check_ntlm_password: Authentication for user [someid] - [someid] FAILED with error NT_STATUS_UNSUCCESSFUL
>>
>> What I see here is that the samba server does not recognize the primary group of the user (which is an existing group in the LDAP) and therefore maps the primary group to its local Domain Users group which then obviously does not match the domainSID of the userid. But why doesn't the samba server recognize the group? Or is there a different underlying problem?
>>
>> What I tried so far:
>>
>> Changing the SID of the samba server to the SID of the LDAP server, but `net setlocalsid S-...` did not change the local SID. No error message, just executed successfully but getlocalsid returned the old SID.
>>
>> Setting the domainsid of the samba server to the
Re: [Samba] Fix the Issue Windows 8 cannot join if a example.com domain
Hi Daniel,

Try modifying the "Network Security: LAN Manager authorization Level".

Run SecPol.msc, select Local Policies > Security Options > Network Security: LAN Manager authorization Level. Double click and change to the "Send LM & NTLM - use NTLMv2 session security if negotiated" option in the combo box.

I hope this could help.

Sincerely,
Carlos R. P. Evertsz
Santo Domingo, Dominican Republic

Run SecPol.msc and select Local Policies > Security Options > Network Security: LAN Manager authorization Level. Here select "Send LM & NTLM - use NTLMv2 session security renegotiated".

On Jun/20/2013 2:25 AM, Daniel Müller wrote:
> Dear all,
>
> could anyone approve if the issue windows 8 could not join a samba3 old style dot domain, ex.: 'example.com' would not join -- but 'example' join well!, is solved in any hack?
>
> Greetings
> Daniel
>
> ---
> EDV Daniel Müller
> Leitung EDV
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: muel...@tropenklinik.de
> Internet: www.tropenklinik.de
> ---
Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch
OK. I understand (at least a little better.)

So the correct behaviour would be for the standalone workgroup machines to say "I don't know who DOMAIN/user1 is, so I will map to local user1."

The standalone servers should be using LDAP for unix accounts but I don't think you really should use the common LDAP backend for samba accounts. You would need to use smbpasswd or pdbedit to create local samba users on each member server, which means the member servers would each use a local tdb database, not ldap, for samba. If you want to centralize the samba accounts I think the proper way would be to use member servers.

That being said, if the current set up is working on some machines but not others, I would run testparm -v on each domain member and see if there are differences on mapping behavior. Different os's may have slightly different versions of samba and the default smb.conf parameters may have changed.

Also run net groupmap list on each member server. You may need to explicitly set group mappings for key windows groups (i.e. the group sid maps to a unix group.) e.g.

    # net groupmap list
    ...
    Administrators (S-1-5-32-544) -> Builtin Admins
    Users (S-1-5-32-545) -> Builtin Users

    # getent group "Builtin Admins"
    Builtin Admins::544:

On 06/20/13 10:40, Philipp Lies wrote:
> On 20.06.2013 15:04, Gaiseric Vandal wrote:
>> If I follow correctly the LDAP server is NOT in the domain? The Samba accounts should be using the SID of the Samba PDC not the SID of the LDAP server. This of course means that a Samba member server can't use the same LDAP back end (at least for Samba authentication.)
>
> The LDAP server is the PDC, however, there are no domain members. All my samba servers are standalone servers which are not domain members. This seems to work nicely with my debian machines but not the centos ones.
>
>> On 06/20/13 04:26, Philipp Lies wrote:
>>> Hi,
>>>
>>> I'm trying to get my new samba server running for a few days now and I start losing my mind over not figuring out what I'm doing wrong.
>>>
>>> Here's my setup: OpenLDAP 2.4.21 server with ~15 groups and 100 users, all having a unix and a samba NT password stored in the LDAP as well as a User SID and Primary Group SID assigned and stored in the LDAP, derived from the SID of the LDAP Server. Now I want several samba servers to use the LDAP server to authenticate users. One samba server is a CentOS 6.3 configured with NSS/PAM using the ldap server. getent passwd/group returns all users and ssh to the samba machine works for all users. Samba is v3.6.9-151.el6.
>>>
>>> Now here's the smb.conf (I removed the shares):
>>>
>>>     [global]
>>>     workgroup = X
>>>     security = user
>>>     passdb backend = ldapsam:ldap://myldapserver
>>>     ldap suffix = dc=mydomain,dc=com
>>>     ldap admin dn = cn=replicator,dc=mydomain,dc=com
>>>     ldap user suffix = ou=users
>>>     ldap group suffix = ou=groups
>>>     ldap machine suffix = ou=computers
>>>     ldap ssl = start tls
>>>
>>> The ldap connection works, as `pdbedit -L` shows:
>>>
>>>     pm_process() returned Yes
>>>     smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMBAHOSTNAME))]
>>>     StartTLS issued: using a TLS connection
>>>     smbldap_open_connection: connection opened
>>>     ldap_connect_system: successful connection to the LDAP server
>>>     The LDAP server is successfully connected
>>>     smbldap_search_paged: base = [dc=mydomain,dc=com], filter = [(&(uid=*)(objectclass=sambaSamAccount))], scope = [2], pagesize = [1024]
>>>     smbldap_search_paged: search was successful
>>>     sid S-1-5-21-[LDAPSID]-5168 does not belong to our domain
>>>
>>> and then the last message repeats for all uids.
>>>
>>> Using `smbclient -L localhost -U someid` the log file says:
>>>
>>>     check_ntlm_password: Checking password for unmapped user [XXX]\[someid]@[SAMBAHOST] with the new password interface
>>>     check_ntlm_password: mapped user is: [SAMBAHOST]\[someid]@[SAMBAHOST]
>>>     StartTLS issued: using a TLS connection
>>>     smbldap_open_connection: connection opened
>>>     ldap_connect_system: successful connection to the LDAP server
>>>     The LDAP server is successfully connected
>>>     init_sam_from_ldap: Entry found for user: someid
>>>     Home server: SAMBAHOST
>>>     Home server: SAMBAHOST
>>>     init_group_from_ldap: Entry found for group: 1011
>>>     init_group_from_ldap: Entry found for group: 1011
>>>     Primary group S-1-5-21-[LDAPSID]-1000 for user someid is a UNKNOWN and not a domain group
>>>     Forcing Primary Group to 'Domain Users' for someid
>>>     ntlm_password_check: Checking NTLMv2 password with domain [CIN]
>>>     sam_account_ok: Checking SMB password for user someid
>>>     The primary group domain sid(S-1-5-21-[LOCALSID]-513) does not match the domain sid(S-1-5-21-[LDAPSID]) for someid(S-1-5-21-[LDAPSID]-5708)
>>>     check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
>>>     check_ntlm_password: Authentication for user [someid] - [someid] FAILED with error
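The advice above is to compare `net groupmap list` across member servers and make sure the well-known Windows groups resolve to real unix groups. The following is an added example (not from the list thread or from Samba) that parses that output together with `getent group` output and reports mappings that point at a unix group the system does not know, as well as well-known SIDs with no mapping at all. The sample output and the domain SID are constructed; the regular expression assumes the Samba 3 line shape shown in the reply, `<NT name> (<SID>) -> <unix group>`.

```python
import re
from typing import Dict, List

# One line of `net groupmap list` output: "<NT name> (<SID>) -> <unix group>"
GROUPMAP_LINE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-5-[\d-]+)\) -> (?P<unix>.+)$")

# Well-known SIDs a member server is normally expected to have mapped.
BUILTIN_EXPECTED = {"S-1-5-32-544": "Administrators", "S-1-5-32-545": "Users"}
# Domain-relative RIDs that should be mapped under the server's own domain SID.
DOMAIN_RID_EXPECTED = {512: "Domain Admins", 513: "Domain Users"}


def parse_groupmap(text: str) -> Dict[str, dict]:
    """Return {sid: {'nt': NT name, 'unix': unix group}}; lines that do not match are skipped."""
    mappings = {}
    for line in text.splitlines():
        m = GROUPMAP_LINE.match(line.strip())
        if m:
            mappings[m.group("sid")] = {"nt": m.group("nt"), "unix": m.group("unix")}
    return mappings


def parse_getent_group(text: str) -> Dict[str, int]:
    """Return {group name: gid} from `getent group` output (name:passwd:gid:members)."""
    groups = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            groups[parts[0]] = int(parts[2])
    return groups


def audit_groupmap(groupmap_text: str, getent_text: str, domain_sid: str) -> List[str]:
    """Cross-check group mappings against the unix group database and the expected well-known groups."""
    mappings = parse_groupmap(groupmap_text)
    groups = parse_getent_group(getent_text)
    problems = []
    for sid, name in BUILTIN_EXPECTED.items():
        if sid not in mappings:
            problems.append(f"no mapping for {name} ({sid})")
    for rid, name in DOMAIN_RID_EXPECTED.items():
        sid = f"{domain_sid}-{rid}"
        if sid not in mappings:
            problems.append(f"no mapping for {name} ({sid})")
    for sid, m in mappings.items():
        if m["unix"] not in groups:
            problems.append(f"{m['nt']} ({sid}) maps to unix group '{m['unix']}' which getent does not know")
    return problems


# Constructed sample data (placeholder SID, invented group names).
DOMAIN_SID = "S-1-5-21-1000000001-1000000002-1000000003"
GROUPMAP_SAMPLE = f"""\
Administrators (S-1-5-32-544) -> Builtin Admins
Users (S-1-5-32-545) -> Builtin Users
Domain Admins ({DOMAIN_SID}-512) -> domadm
Project X ({DOMAIN_SID}-1011) -> projx
"""
GETENT_SAMPLE = """\
Builtin Admins::544:
Builtin Users::545:
domadm:x:1000:alice
"""

if __name__ == "__main__":
    for p in audit_groupmap(GROUPMAP_SAMPLE, GETENT_SAMPLE, DOMAIN_SID):
        print("-", p)
```

On a real server, feed it the captured output of `net groupmap list` and `getent group` from each machine and diff the reports; a mapping that exists on the debian boxes but is missing on the centos ones is exactly the kind of difference the reply suggests looking for.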
Re: [Samba] Clustered Samba 3.6.6 connection issues
Dear Samba Community,

(answering my own request)

> we recently did upgrade our data server cluster from Debian Squeeze (Samba 3.5.6) to Debian Wheezy (Samba 3.6.6). The cluster is configured to act as BDC too. After the upgrade, connecting to the server works for a short while and then users experience disconnects
> [...]
> | This computer was not able to set up a secure session with a domain
> | controller in domain DOMAIN due to the following:
> | The RPC server is unavailable.
> [...]
> A test cluster showed that with the very same config files, Samba 3.6.6 works just fine in a cluster when not being a BDC (domain logons = no and security = domain).

We made a huge mistake here: During the upgrade process we shut down ctdb on the two servers that were upgraded and left one running and serving the cluster. After we completed the upgrade, we stopped ctdb on the remaining node and started it on the freshly upgraded nodes. That works just fine, but the disabled node still has all 3 cluster ips configured and sometimes wins the arp response race, which leads to connection requests going to the wrong server and leading to the behavior we've seen here.

Whenever you plan to do the same (ie. still have a fallback configuration at least on one node), make sure to manually remove the ip addresses.

--
Adi
[Samba] DNS replication and BDCs
Hi,

For normal readers you know already my setup, but for those new here, I have a Samba4 PDC and two BDCs, one a samba4 and the other a W2k8 R2 machine.

Yesterday we had problems with our upstream service provider and my PDC (Backend BIND 9 DLZ) went down for some hours; as you might guess my whole AD was down due to the fact that the main DNS was down.

I would like you to point me or tell me how do I create a fail-over or high availability system so that when one of the DCs is down the other takes over Auth tasks and obviously DNS.

I've thought a solution would be to make a slave BIND DNS on another server and replicate the Samba Zone and add appropriate NS and A records to the main zone so that clients can query another DNS for the zone and not fail as I faced yesterday.

This is a production environment scenario and I have many servers authenticating users against the samba server so if this fails everything else does.

I'd really appreciate your advice here.

Thanks again.

--
David Gonzalez
DGHVoIP
USA: MOBILE: +1.646.559.6200
COL: +57.1.382.6718
COL: +57.4.247.0985
URL: www.dghvoip.com
Skype: davidgonzalezh
Re: [Samba] Fix the Issue Windows 8 cannot join if a example.com domain
hi

read this

https://www.multifake.net/2013/01/windows-8-not-joining-certain-samba-domains/

Le 20/06/2013 16:25, Carlos R. Pena Evertsz a écrit :
> Hi Daniel,
>
> Try modifying the "Network Security: LAN Manager authorization Level".
>
> Run SecPol.msc, select Local Policies > Security Options > Network Security: LAN Manager authorization Level. Double click and change to the "Send LM & NTLM - use NTLMv2 session security if negotiated" option in the combo box.
>
> I hope this could help.
>
> Sincerely,
> Carlos R. P. Evertsz
> Santo Domingo, Dominican Republic
>
> Run SecPol.msc and select Local Policies > Security Options > Network Security: LAN Manager authorization Level. Here select "Send LM & NTLM - use NTLMv2 session security renegotiated".
>
> On Jun/20/2013 2:25 AM, Daniel Müller wrote:
>> Dear all,
>>
>> could anyone approve if the issue windows 8 could not join a samba3 old style dot domain, ex.: 'example.com' would not join -- but 'example' join well!, is solved in any hack?
>>
>> Greetings
>> Daniel
>>
>> ---
>> EDV Daniel Müller
>> Leitung EDV
>> Tropenklinik Paul-Lechler-Krankenhaus
>> Paul-Lechler-Str. 24
>> 72076 Tübingen
>> Tel.: 07071/206-463, Fax: 07071/206-499
>> eMail: muel...@tropenklinik.de
>> Internet: www.tropenklinik.de
>> ---
Re: [Samba] Shared drives not writeable
No takers?

On Thu, Jun 6, 2013 at 12:04 PM, Chris Nighswonger <cnighswon...@foundations.edu> wrote:
> I am running Samba 3.6.6 on a Ubuntu 12.10 Samba domain member server. Users are authenticated against a Samba DC running 3.6.9 over an LDAP backend.
>
> I have a share configured as shown below. Members of the 'staff-faculty' group can browse the share, but cannot write files to any subdir for which they are not the owner. It appears that the only reason they can read/traverse is because of o::r-x.
>
> What I am looking for is a share where any member of the group may rw, but the various users retain ownership of the files/dirs they create.
>
> Here is what the perms, etc. look like:
>
>     drwxrwxr-x+ 2 jdoe staff-faculty 4.0K Jun 6 09:01 test
>
> The acl looks like this:
>
>     # file: test
>     # owner: jdoe
>     # group: staff-faculty
>     user::rwx
>     group::rwx
>     group:staff-faculty:rwx
>     mask::rwx
>     other::r-x
>
> I can post extended debug information, but thought perhaps there is an obvious mistake in my share configuration and so am posting that first.
>
> Kind Regards,
> Chris
>
> ---
>
>     [Shared Drives]
>     comment = Staff-Faculty Shares
>     path = /netdrives/shared
>     browsable = yes
>     read only = no
>     inherit acls = no
>     inherit permissions = no
>     create mask = 0771
>     directory mask = 2771
>     valid users = @CAMPUS\staff-faculty
>     write list = @CAMPUS\staff-faculty
>     admin users = @CAMPUS\Domain Admins
Re: [Samba] [CentOS] Samba4 and NFSv4
On Fri, 14 Jun 2013, Steve Thompson wrote:
> I still have an issue with user access to the NFSv4 mount, and a workaround for it, but that's for another time.

And now is another time (but I am at the point of giving up on this for now, as it has become a large consumer of time).

To reiterate, I am trying to get Kerberized NFSv4 to work with CentOS 6.4 clients in a Samba4 domain, using sssd and Samba 4.0.5 (no winbind). Now, CentOS 6.4 uses kernel 2.6.32-358.6.2.el6 and nfs-utils 1.2.3-36.

First of all, the Samba4 KDC (a separate pair of systems) appears to be working, DNS (samba4+bind9+dlz) is working (forward and reverse), and NFSv4 is working just fine with sec=sys (ie no Kerberos), so I believe the basic infrastructure to be sound, including ID mapping. I am using the sec=sys case in production with Samba4, so I know that to be good (and, interestingly, it feels a lot snappier than NFSv3).

NFSv4 mounts with sec=krb5 work fine as long as I create a suitable UPN in the Samba database. On the client and server:

    # kinit Administrator
    # FQDN=`hostname`
    # HOST=${FQDN%%.*}    # short host name; this assignment was missing from the posted command
    # msktutil \
        --base CN=Computers \
        --keytab /etc/krb5.keytab \
        --dont-expire-password \
        --no-pac \
        --computer-name nfs-$HOST \
        --hostname $FQDN \
        --service nfs/$FQDN \
        --upn nfs/$FQDN \
        --user-creds-only

and the nfs/... entries show up within the client and server's /etc/krb5.keytab and look correct:

    # klist -ke
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       1 host/fqdn@REALM (des-cbc-crc)
       1 host/fqdn@REALM (des-cbc-md5)
       1 host/fqdn@REALM (arcfour-hmac)
       1 host/fqdn@REALM (aes128-cts-hmac-sha1-96)
       1 host/fqdn@REALM (aes256-cts-hmac-sha1-96)
       1 host/shortname@REALM (des-cbc-crc)
       1 host/shortname@REALM (des-cbc-md5)
       1 host/shortname@REALM (arcfour-hmac)
       1 host/shortname@REALM (aes128-cts-hmac-sha1-96)
       1 host/shortname@REALM (aes256-cts-hmac-sha1-96)
       1 SHORTNAME$@REALM (des-cbc-crc)
       1 SHORTNAME$@REALM (des-cbc-md5)
       1 SHORTNAME$@REALM (arcfour-hmac)
       1 SHORTNAME$@REALM (aes128-cts-hmac-sha1-96)
       1 SHORTNAME$@REALM (aes256-cts-hmac-sha1-96)
       1 HOST/fqdn@REALM (des-cbc-crc)
       1 HOST/fqdn@REALM (des-cbc-md5)
       1 HOST/fqdn@REALM (arcfour-hmac)
       1 HOST/fqdn@REALM (aes128-cts-hmac-sha1-96)
       1 HOST/fqdn@REALM (aes256-cts-hmac-sha1-96)
       2 nfs-shortname$@REALM (arcfour-hmac)
       2 nfs-shortname$@REALM (aes128-cts-hmac-sha1-96)
       2 nfs-shortname$@REALM (aes256-cts-hmac-sha1-96)
       2 nfs/fqdn@REALM (arcfour-hmac)
       2 nfs/fqdn@REALM (aes128-cts-hmac-sha1-96)
       2 nfs/fqdn@REALM (aes256-cts-hmac-sha1-96)

Here /data is the exported bind mount that is underneath the fsid=0 exports entry:

    # mount -t nfs4 -o sec=krb5 server_fqdn:/data /mnt
    # (works)

I can browse the mount point as root and all permissions and ownerships are correct, except of course that I cannot descend into directories for which root (aka nobody) does not have permissions, as expected. Now as a user (me, with UID 1002), using the server as a client (but using a separate client makes no difference), I can't even browse:

    $ kinit
    $ ls /mnt
    ls: cannot access /mnt: Permission denied

and that's as far as I can get. From /var/log/messages:

    rpc.gssd[7564]: using FILE:/tmp/krb5cc_1002 as credentials cache for client with uid 1002 for server server_fqdn
    rpc.gssd[7564]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_1002
    rpc.gssd[7564]: creating context using fsuid 1002 (save_uid 0)
    rpc.gssd[7564]: creating tcp client for server server_fqdn
    rpc.gssd[7564]: DEBUG: port already set to 2049
    rpc.gssd[7564]: creating context with server nfs@server_fqdn
    rpc.gssd[7564]: WARNING: Failed to create krb5 context for user with uid 1002 for server fqdn

I have of course researched this at length, and found lots of instances of folks seeing the same "Failed to create krb5 context" message, but no-one with the same combination of OS and Samba4, and no resolutions.

I have also tried a Fedora 18 client and server (kernel 3.9.5-201.fc18, nfs-utils 1.2.7-6) with a different but equivalent pair of Samba4 domain controllers. Again, NFSv4 with sec=sys works fine, and with sec=krb5 it fails in *exactly* the same way as for CentOS.

Using `net ads keytab add nfs...` properly creates an SPN, and this is not sufficient, on both CentOS and Fedora.

Any ideas? Please stop me from drinking so much coffee.

TIA!
-Steve
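When a sec=krb5 mount fails at "creating context with server nfs@server_fqdn", the first thing to verify on both sides is what the keytab actually contains for that exact principal: its presence, its key version numbers, its encryption types, and whether a differently-cased variant (HOST/ vs host/, as in the listing above) is what actually got written, since Kerberos principal names are case-sensitive. The following is an added example, not code from the thread or from nfs-utils, that parses `klist -ke` output offline and reports those facts. The keytab listing embedded below is constructed, modelled on the one in the post, with an invented host name and realm; the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# One entry line of `klist -ke`: "<kvno> <principal> (<enctype>)"
KLIST_LINE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<principal>\S+)\s+\((?P<enctype>[\w-]+)\)\s*$")

# Single-DES key types are broken and should not be relied on by any service.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5"}


@dataclass
class KeytabEntry:
    kvno: int
    principal: str
    enctype: str


def parse_klist(text: str) -> List[KeytabEntry]:
    """Turn `klist -ke` output into entries; header and separator lines do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group("kvno")), m.group("principal"), m.group("enctype")))
    return entries


def audit_keytab(text: str, fqdn: str, realm: str, service: str = "nfs") -> Dict[str, object]:
    """Report what the keytab holds for <service>/<fqdn>@<realm>."""
    entries = parse_klist(text)
    wanted = f"{service}/{fqdn}@{realm}"
    service_entries = [e for e in entries if e.principal == wanted]
    # Principal names are case-sensitive: HOST/x@R and host/x@R are different keys.
    case_variants = sorted(
        {e.principal for e in entries if e.principal.lower() == wanted.lower() and e.principal != wanted}
    )
    return {
        "service_present": bool(service_entries),
        "kvnos": sorted({e.kvno for e in service_entries}),
        "enctypes": sorted({e.enctype for e in service_entries}),
        "case_variants": case_variants,
        "weak_enctypes": sorted({e.enctype for e in entries if e.enctype in WEAK_ENCTYPES}),
        "principals": sorted({e.principal for e in entries}),
    }


# Constructed sample, modelled on the listing in the post (invented host and realm).
KLIST_SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/nfs1.example.test@EXAMPLE.TEST (des-cbc-crc)
   1 host/nfs1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   1 NFS1$@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   1 HOST/nfs1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 nfs-nfs1$@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 nfs/nfs1.example.test@EXAMPLE.TEST (arcfour-hmac)
   2 nfs/nfs1.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   2 nfs/nfs1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
"""

if __name__ == "__main__":
    for key, value in audit_keytab(KLIST_SAMPLE, "nfs1.example.test", "EXAMPLE.TEST").items():
        print(f"{key}: {value}")
```

Run the same audit on the client and on the server keytab and compare the `kvnos` lists: if the service principal was re-created (msktutil and `net ads keytab add` both bump the key version), a stale copy on one side fails the GSS context setup even though `klist -ke` shows an nfs/ entry on both.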
Re: [Samba] Fix the Issue Windows 8 cannot join if a example.com domain
Ok Thank you Christophe

On Jun/20/2013 2:38 PM, Christophe Dezé wrote:
> hi
>
> read this
>
> https://www.multifake.net/2013/01/windows-8-not-joining-certain-samba-domains/
>
> Le 20/06/2013 16:25, Carlos R. Pena Evertsz a écrit :
>> Hi Daniel,
>>
>> Try modifying the "Network Security: LAN Manager authorization Level".
>>
>> Run SecPol.msc, select Local Policies > Security Options > Network Security: LAN Manager authorization Level. Double click and change to the "Send LM & NTLM - use NTLMv2 session security if negotiated" option in the combo box.
>>
>> I hope this could help.
>>
>> Sincerely,
>> Carlos R. P. Evertsz
>> Santo Domingo, Dominican Republic
>>
>> Run SecPol.msc and select Local Policies > Security Options > Network Security: LAN Manager authorization Level. Here select "Send LM & NTLM - use NTLMv2 session security renegotiated".
>>
>> On Jun/20/2013 2:25 AM, Daniel Müller wrote:
>>> Dear all,
>>>
>>> could anyone approve if the issue windows 8 could not join a samba3 old style dot domain, ex.: 'example.com' would not join -- but 'example' join well!, is solved in any hack?
>>>
>>> Greetings
>>> Daniel
>>>
>>> ---
>>> EDV Daniel Müller
>>> Leitung EDV
>>> Tropenklinik Paul-Lechler-Krankenhaus
>>> Paul-Lechler-Str. 24
>>> 72076 Tübingen
>>> Tel.: 07071/206-463, Fax: 07071/206-499
>>> eMail: muel...@tropenklinik.de
>>> Internet: www.tropenklinik.de
>>> ---
Re: [Samba] [CentOS] Samba4 and NFSv4
On Thu, 2013-06-20 at 15:21 -0400, Steve Thompson wrote:
> mount -t nfs4 -o sec=krb5 server_fqdn:/data /mnt

What do you have in /etc/idmapd.conf?

What does ps aux | grep rpc give?

Can the user browse using nfs3?

    mount -t nfs3 -o sec=krb5 server_fqdn:/data /mnt

Have a look at the gotchas. There's loadsa wrong info about kerberos and nfs4:
http://linux-nfs.org/wiki/index.php/Nfsv4_configuration

hth
Steve
Re: [Samba] [CentOS] Samba4 and NFSv4
On Thu, 20 Jun 2013, steve wrote:

Thanks for your reply! I am really pulling my hair out over this one, and I don't have that much left :(

> What do you have in /etc/idmapd.conf

The content of this file is correct as far as I understand it, as it works with NFSv3 and NFSv4 with sec=sys:

    [General]
    Verbosity = 0
    Domain = icse.cornell.edu
    Local-Realms = TITAN.TEST.CORNELL.EDU

    [Mapping]
    Nobody-User = nobody
    Nobody-Group = nobody

    [Translation]
    Method = nsswitch

(and I have nsswitch.conf correctly configured). Note: in my case, the value of Domain in idmapd.conf is NOT the same as the DNS domain name. But as I understand it, as long as it is the same on all servers and clients, this should not matter, as it is just a label. I tried setting it to the DNS domain name, but it didn't make any difference. And changing it on just the server and not the clients leaves all ownerships as being nobody:nobody instead of the proper ownerships, which is (a) expected, and (b) leads me to believe that rpc.idmapd is working as it should. Starting rpc.idmapd with -vvv dumps the mappings to /var/log/messages, and they are correct. In any case, clients don't all have the same DNS domain name.

> What does ps aux | grep rpc give?

    rpc       1616  0.0  0.0  18972   992 ?  Ss  Jun18  0:00 rpcbind
    rpcuser   1649  0.0  0.0  25420  1380 ?  Ss  Jun18  0:00 rpc.statd
    root      1678  0.0  0.0      0     0 ?  S   Jun18  0:00 [rpciod/0]
    root      1679  0.0  0.0      0     0 ?  S   Jun18  0:01 [rpciod/1]
    root      5789  0.0  0.0  50112  2072 ?  Ss  12:06  0:00 rpc.svcgssd -vvv
    root      5795  0.0  0.0 107304   276 ?  Ss  12:06  0:00 rpc.rquotad
    root      5799  0.0  0.0  22832  2560 ?  Ss  12:06  0:00 rpc.mountd --no-nfs-version 2
    root      5850  0.0  0.0  36900  1048 ?  Ss  12:06  0:00 rpc.idmapd -vvv
    root      8807  0.0  0.0  37340  2556 ?  Ss  16:37  0:00 rpc.gssd -vvv

All the expected daemons are present, including rpc.gssd and rpc.svcgssd. I have rpc.svcgssd running on the clients too, although it should not be necessary there (but the CentOS init scripts don't give the option to not start it).

> Can the user browse using nfs3?
> mount -t nfs3 -o sec=krb5 server_fqdn:/data /mnt

No; exactly the same result as NFSv4. But yes with sec=sys.

> Have a look at the gotchas. There's loadsa wrong info about kerberos and nfs4:
> http://linux-nfs.org/wiki/index.php/Nfsv4_configuration

That's one of the many articles that I've read (several times). I don't see anything wrong in what I have done (btw, I don't agree that the fsid=0 export should be mode 1777, and I don't agree that your first exports example is the proper way to do it. But in any event I have tried those too, to no effect).

Steve
Re: [Samba] Problems when saving AutoCAD files
2013/6/14 Santiago Pestarini santiago...@gmail.com:

Hi! I was searching for info about this issue and found almost nothing. So, let's go directly to the matters...

- Problem: AutoCAD says "You do not have permission to save to this location." when trying to save the file in the samba share dir. (This problem only occurs with AutoCAD.)

- Scenario: Running AutoCAD on a WinXP/Win7 PC, opening a DWG AutoCAD file from a samba share dir on a Zentyal Linux server. I have Samba 4.0.5 running in my Zentyal 3.0.21, both recently updated.

- smb.conf contents:

    [global]
    workgroup = ESTUDIO
    realm = ESTUDIO.LAN
    netbios name = zentyal
    server string = Zentyal File Server
    server role = dc
    server role check:inhibit = yes
    server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
    server signing = auto
    interfaces = lo,eth0
    bind interfaces only = yes
    log level = 3
    log file = /var/log/samba/samba.log
    guest ok = yes
    map to guest = bad user
    guest account = nobody
    auth methods = guest sam_ignoredomain

    [profiles]
    path = /home/samba/profiles
    browseable = no
    read only = no

    [netlogon]
    path = /opt/samba4/var/locks/sysvol/estudio.lan/scripts
    browseable = no
    read only = yes

    [sysvol]
    path = /opt/samba4/var/locks/sysvol
    read only = no

    [homes]
    comment = Directorios de usuario
    path = /home/%S
    read only = no
    browseable = no
    create mask = 0611
    directory mask = 0711
    vfs objects = acl_xattr full_audit scannedonly recycle

    # Shares
    [expedientes]
    comment = Expedientes
    path = /home/samba/shares/expedientes
    browseable = Yes
    read only = No
    force create mode = 0660
    force directory mode = 0660
    vfs objects = acl_xattr full_audit scannedonly recycle

Also read this where Autodesk wash their hands, blaming the server, the client, the network, etc: http://forums.autodesk.com/t5/Installation-Licensing/Unable-to-save-drawing/td-p/72075

Please Help!

What about this? Did I make some mistake in my question? Please, can someone throw me anything? I really need some help...
Re: [Samba] [CentOS] Samba4 and NFSv4
On Thu, 2013-06-20 at 16:57 -0400, Steve Thompson wrote:
> That's one of the many articles that I've read (several times). I don't see anything wrong in what I have done (btw, I don't agree that the fsid=0 export should be mode 1777, and I don't agree that your first exports example is the proper way to do it. But in any event I have tried those too, to no effect).

Hi
Nobody agrees with anything for nfs4, so don't worry!

Ok, that narrows it down to kerberos I suppose. What does the mount look like:

    rpc.gssd -fvvv

and the idmapping:

    rpc.idmapd -fvvv

The latter may throw up some uidNumbers
Re: [Samba] [CentOS] Samba4 and NFSv4
On Thu, 20 Jun 2013, steve wrote:

> Nobody agrees with anything for nfs4, so don't worry!

:) And boy oh boy is there a lot of just plain nonsense out there!

> Ok, that narrows it down to kerberos I suppose. What does the mount look like:
> rpc.gssd -fvvv
> and the idmapping:
> rpc.idmapd -fvvv

Apart from the "Failed to create krb5 context" that ultimately comes out of rpc.gssd and prevents browsing by non-root users, everything here looks as it should.

Steve
Re: [Samba] Problems when saving AutoCAD files
On Thu, Jun 20, 2013 at 06:15:34PM -0300, Santiago Pestarini wrote:
> Please, can someone throw me anything?

If you're using the expedientes share and using acl_xattr then why are you forcing the posix permissions with

    force create mode = 0660
    force directory mode = 0660

Try removing these..
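The reply's point is that `force create mode`/`force directory mode` OR extra POSIX mode bits onto every file and directory a client creates, while `acl_xattr` stores the Windows security descriptor the client sent, so the two views of "who may write here" can drift apart. As an added example (not part of the thread and not Samba's own tooling), here is a small shell/awk lint that walks an smb.conf and reports every share that combines `vfs objects = acl_xattr` with a forced mode. The sample config is constructed from the poster's [expedientes] share plus two made-up shares, one with forced modes but no acl_xattr and one with acl_xattr but no forced modes, so only [expedientes] should be reported.

```shell
#!/bin/sh
# Added example: report shares that stack acl_xattr with forced POSIX modes.
# Reads smb.conf text on stdin. Not part of Samba; the sample below is constructed.

lint_smbconf() {
    awk '
    # Emit a finding for the section just finished, if it mixes both settings.
    function report() {
        if (section != "" && section != "global" && vfs ~ /acl_xattr/ && forced != "")
            printf "%s: acl_xattr with forced POSIX modes (%s)\n", section, forced
    }
    # Section header: flush the previous section, start a new one.
    /^[ \t]*\[.*\][ \t]*$/ {
        report()
        section = $0; gsub(/\[|\]|[ \t]/, "", section)
        vfs = ""; forced = ""
        next
    }
    /^[ \t]*[#;]/ { next }                      # comments
    /=/ {
        key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key); key = tolower(key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "vfs objects") vfs = val
        if (key == "force create mode" || key == "force directory mode")
            forced = (forced == "" ? "" : forced ", ") key " = " val
    }
    END { report() }'
}

# Constructed sample: the poster'"'"'s share plus two control shares.
SAMPLE_SMBCONF='[global]
workgroup = ESTUDIO

[expedientes]
comment = Expedientes
path = /home/samba/shares/expedientes
force create mode = 0660
force directory mode = 0660
vfs objects = acl_xattr full_audit scannedonly recycle

[plain]
path = /srv/plain
force create mode = 0660

[fixed]
path = /home/samba/shares/expedientes
vfs objects = acl_xattr
'

# Run the lint over the constructed sample (used by the checks below).
lint_sample() {
    printf '%s' "$SAMPLE_SMBCONF" | lint_smbconf
}

lint_sample
```

On a real server feed it the effective configuration rather than the file, since includes and defaults matter: `testparm -s 2>/dev/null | lint_smbconf`. A reported share is not necessarily broken, but it is the first thing to remove when a Windows application that checks permissions after writing (as AutoCAD appears to do here) refuses to save.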
Re: [Samba] Problems when saving AutoCAD files
Is this on all saves? Can you do a "save as" and create a new doc?

I had an issue with Office 2003 on Samba 3.0.x, Solaris 10 with ZFS file system. For the first 6 saves the MS app would modify the file. Every 7th (?) save MS would delete the file and write a new one. The problem would be that MS would try to set file permissions; most apps would just let the OS handle the file permissions. Users had the appropriate permissions to create and delete files but not modify ACLs. This had not been an issue with the older UFS file system. In terms of how samba and UFS played together, the unix file perms were the classic ugo / rwx. The ZFS ACLs are closer to the Windows ACLs than UFS ACLs were.

I am guessing if AutoCAD is the only app affected then AutoCAD is trying to write out some more complex file permissions. I haven't worked with samba 4. Can you adjust acl options in samba config?

On 06/20/13 17:15, Santiago Pestarini wrote:
> Please, can someone throw me anything? I really need some help...
Re: [Samba] [CentOS] Samba4 and NFSv4
On Thu, 20 Jun 2013, John Hodrien wrote:

> Is it possible that Samba4 includes a large PAC on the kerberos credential and you're going over the limit in kernel?

Well, that is a good avenue to explore. The user that I am testing with (me) is only in five groups, but nevertheless I will take a further look at that.

Five minutes later: holy crap! That is it. I took a user in only one group: permission denied. I set the NO_AUTH_DATA_REQUIRED flag in userAccountControl (via ldbedit), and hey presto NFSv4+krb5 now works. You sir are a steely-eyed missile man!

> I'm not convinced your comment about having to run svcgssd on clients is enforced due to CentOS init scripts, but it shouldn't cause any bother as you say.

No, it doesn't cause any bother. It just seems that the start of both rpc.gssd and rpc.svcgssd are conditional on SECURE_NFS being set to yes. There are no NEED_GSSD or NEED_SVCGSSD or whatever to filter it further.

Thanks,
Steve
Re: [Samba] Shared drives not writeable
On Thu, 2013-06-20 at 15:05 -0400, Chris Nighswonger wrote:
> No takers?
>
> On Thu, Jun 6, 2013 at 12:04 PM, Chris Nighswonger cnighswon...@foundations.edu wrote:
>
> I am running Samba 3.6.6 on a Ubuntu 12.10 Samba domain member server. Users are authenticated against a Samba DC running 3.6.9 over an LDAP backend. I have a share configured as shown below. Members of the 'staff-faculty' group can browse the share, but cannot write files to any subdir for which they are not the owner. It appears that the only reason they can read/traverse is because of o::r-x. What I am looking for is a share where any member of the group may rw, but the various users retain ownership of the files/dirs they create.
>
> Here is what the perms, etc. look like:
>
>     drwxrwxr-x+ 2 jdoe staff-faculty 4.0K Jun 6 09:01 test
>
> The acl looks like this:
>
>     # file: test
>     # owner: jdoe
>     # group: staff-faculty
>     user::rwx
>     group::rwx
>     group:staff-faculty:rwx
>     mask::rwx
>     other::r-x
>
> I can post extended debug information, but thought perhaps there is an obvious mistake in my share configuration and so am posting that first.
>
> Kind Regards,
> Chris
>
> ---
>     [Shared Drives]
>     comment = Staff-Faculty Shares
>     path = /netdrives/shared
>     browsable = yes
>     read only = no
>     inherit acls = no
>     inherit permissions = no
>     create mask = 0771
>     directory mask = 2771
>     valid users = @CAMPUS\staff-faculty
>     write list = @CAMPUS\staff-faculty
>     admin users = @CAMPUS\Domain Admins

Hi
OK, I'll have a go. Either use acls or smb.conf. I've never been able to get a mixture of both to work.

Tidy up:

    chgrp -R staff-faculty /netdrives/shared
    chmod 0770 /netdrives/shared
    chmod g+s /netdrives/shared
    setfacl -d -Rm g::rwx /netdrives/shared

set a loose acl for Domain Admins or map them to root

Then just:

    [Shared Drives]
    path = /netdrives/shared
    read only = no
    inherit acls = Yes

Worth a try?
Steve
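One thing worth checking on every directory in a share like this is the ACL mask, because a POSIX ACL applies `mask::` to the owning-group entry and to every named user and group: `group::rwx` next to `mask::r-x` is effectively `r-x`. Chris's listing already shows `mask::rwx`, so the mask is not what blocks his group there, but a later chmod on a directory that carries an extended ACL (from a client, or from a mode Samba applies) rewrites the mask entry rather than the group entry, and that is a common way a group that looks writable in getfacl output ends up read-only. The following is an added example, not something posted in the thread: a shell/awk function that computes the effective permission of a group entry from getfacl(1) output. The two ACL dumps are constructed; the first reproduces Chris's listing, the second is the same directory after a `chmod 755`.

```shell
#!/bin/sh
# Added example: effective permission of a group entry in a getfacl(1) dump.
# stdin: getfacl text; $1: group name ("" for the owning group "group::").
# Prints the effective rwx triple, or "none" if the entry is absent.

effective_group_perm() {
    awk -v grp="$1" '
    /^#/ { next }                               # "# file:", "# owner:" headers
    { sub(/[ \t]+#.*$/, "") }                   # strip "#effective:" annotations
    /^mask::/  { split($0, a, ":"); mask = a[3] }
    /^group:/  { split($0, a, ":"); if (a[2] == grp) perm = a[3] }
    END {
        if (perm == "") { print "none"; exit }
        if (mask == "") { print perm; exit }    # minimal ACL: no mask entry
        out = ""
        for (i = 1; i <= 3; i++) {
            p = substr(perm, i, 1); m = substr(mask, i, 1)
            out = out (p != "-" && m != "-" ? p : "-")   # bitwise AND of the triples
        }
        print out
    }'
}

# Constructed from the listing in the thread: mask rwx, so the group keeps rwx.
ACL_OPEN='# file: test
# owner: jdoe
# group: staff-faculty
user::rwx
group::rwx
group:staff-faculty:rwx
mask::rwx
other::r-x'

# Constructed: the same entries after "chmod 755 test", which only rewrites the mask.
ACL_MASKED='# file: test
# owner: jdoe
# group: staff-faculty
user::rwx
group::rwx                   #effective:r-x
group:staff-faculty:rwx      #effective:r-x
mask::r-x
other::r-x'

open_named_group()   { printf '%s\n' "$ACL_OPEN"   | effective_group_perm staff-faculty; }
masked_named_group() { printf '%s\n' "$ACL_MASKED" | effective_group_perm staff-faculty; }
masked_owning_group(){ printf '%s\n' "$ACL_MASKED" | effective_group_perm ""; }

echo "open, staff-faculty:   $(open_named_group)"
echo "masked, staff-faculty: $(masked_named_group)"
echo "masked, owning group:  $(masked_owning_group)"
```

On a live share, `getfacl /netdrives/shared/test | effective_group_perm staff-faculty` gives the answer directly; if it prints `r-x` while the group entry says `rwx`, fix it with `setfacl -m m::rwx` (or re-run the `setfacl -d -Rm g::rwx` from steve's recipe, which recalculates the mask) rather than with chmod.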
Re: [Samba] [CentOS] Samba4 and NFSv4
On Thu, 2013-06-20 at 17:44 -0400, Steve Thompson wrote:
> On Thu, 20 Jun 2013, John Hodrien wrote:
>
> Five minutes later: holy crap! That is it. I took a user in only one group: permission denied. I set the NO_AUTH_DATA_REQUIRED flag in userAccountControl (via ldbedit), and hey presto NFSv4+krb5 now works.

Great news. Would it be possible to post the directory entry for the user you ldbedited? I can't see how to set the flag you mention.

Cheers,
Steve
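The flag steve is asking about is the userAccountControl bit `NO_AUTH_DATA_REQUIRED` (0x02000000, decimal 33554432). When it is set on the account that owns a service principal, the KDC omits the PAC from service tickets for that principal, which is why a one-group user's ticket suddenly fits where a PAC-carrying one did not. The thread does not say which account Steve Thompson edited; the account holding the `nfs/<server>` SPN is the one the flag has to be on for this effect. The following is an added example, not a recipe from the thread or from the Samba project: it computes the new userAccountControl value, builds the LDIF, and, when explicitly asked, applies it with ldbsearch/ldbmodify against sam.ldb. The sam.ldb path, the DN and the `apply` invocation are assumptions for a DC; run it there as root. One caveat before setting it: with the PAC gone, the NFS server learns nothing about the user's groups from the ticket. That is fine for NFS, which maps the principal to a uid and gets groups through idmapd/nsswitch, but do not set the flag on a service that authorises from the PAC.

```shell
#!/bin/sh
# Added example: set NO_AUTH_DATA_REQUIRED in userAccountControl on a Samba AD DC.
# Pure functions (testable offline) plus an "apply" path that touches sam.ldb.
# Assumed: sam.ldb location, the DN you pass in, ldb-tools on the DC.

NO_AUTH_DATA_REQUIRED=33554432          # 0x02000000 in userAccountControl

# Return the userAccountControl value with the flag set (idempotent: OR-ing a set bit is a no-op).
uac_set_no_auth_data() {
    uac="$1"
    echo $(( uac | NO_AUTH_DATA_REQUIRED ))
}

# Succeed (exit 0) when the flag is already present in the given value.
uac_has_no_auth_data() {
    [ $(( $1 & NO_AUTH_DATA_REQUIRED )) -ne 0 ]
}

# Build the LDIF that ldbmodify will apply: replace the whole attribute value.
ldif_for() {
    dn="$1"; new_uac="$2"
    printf 'dn: %s\nchangetype: modify\nreplace: userAccountControl\nuserAccountControl: %s\n' "$dn" "$new_uac"
}

# Live path (assumption: run as root on the DC). Reads the current value, sets the bit, writes it back.
apply_flag() {
    dn="$1"
    db="${SAM_LDB:-/usr/local/samba/private/sam.ldb}"    # assumed default path
    cur=$(ldbsearch -H "$db" -b "$dn" -s base userAccountControl | awk '/^userAccountControl:/ { print $2 }')
    [ -n "$cur" ] || { echo "no userAccountControl found for $dn" >&2; return 1; }
    new=$(uac_set_no_auth_data "$cur")
    if [ "$new" = "$cur" ]; then
        echo "$dn: NO_AUTH_DATA_REQUIRED already set ($cur)"
        return 0
    fi
    ldif_for "$dn" "$new" | ldbmodify -H "$db"
    echo "$dn: userAccountControl $cur -> $new"
}

# Usage: ./noauthdata.sh apply 'CN=nfsserver,CN=Computers,DC=titan,DC=test,DC=cornell,DC=edu'
if [ "${1:-}" = "apply" ] && [ -n "${2:-}" ]; then
    apply_flag "$2"
fi
```

A plain workstation account (userAccountControl 4096) becomes 33558528, a normal user (512) becomes 33554944; verify afterwards with the same ldbsearch and then re-run the sec=krb5 mount with a fresh ticket (`kdestroy; kinit`), since the old service ticket in the credentials cache still carries the PAC.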
[Samba] pdbedit error
Samba Version 3.6.3 on Ubuntu 12.04, tdbsam back end.

I discovered a couple of accounts we created before the Domain was configured; one was an account named administrator intended to be the Samba Administrator account. In order to change the domain I ran this command

    # pdbedit -I DOMAINNAME -U username

It worked on a number of accounts; when I tried it on administrator I get the

    # pdbedit -I DOMAINNAME -u administrator
    Unable to modify TDB passwd: NT_STATUS_UNSUCCESSFUL!
    Unable to modify entry!

# pdbedit -v -u administrator gives the following output

    Unix username:        administrator
    NT username:
    Account Flags:        [U          ]
    User SID:             S-1-5-21-1504512832-3249319461-1142831928-500
    Primary Group SID:    S-1-5-21-1504512832-3249319461-1142831928-513
    Full Name:            Samba Administrator,,,
    Home Directory:       \\hamlet\administrator
    HomeDir Drive:        U
    Logon Script:
    Profile Path:         deleted for privacy
    Domain:               HAMLET
    Account desc:
    Workstations:
    Munged dial:
    Logon time:           0
    Logoff time:          never
    Kickoff time:         never
    Password last set:    Fri, 30 Dec 2005 17:29:27 CST
    Password can change:  Fri, 30 Dec 2005 17:29:27 CST
    Password must change: never
    Last bad password   : 0
    Bad password count  : 0
    Logon hours         : FF

I don't see anything here that looks out of place but I don't know what it all means.

-- 
rob steinmetz
Re: [Samba] DNS replication and BDCs
Hello David,

On 20.06.2013 19:55, David González Herrera - [DGHVoIP] wrote:
> I would like you to point me or tell me how do I create a fail-over or high availability system so that when one of the DCs is down the other takes over Auth tasks and obviously DNS. I've thought a solution would be to make a slave BIND DNS on another server and replicate the Samba Zone and add appropriate NS and A records to the main zone so that clients can query another DNS for the zone and not fail as I faced yesterday. This is a production environment scenario and I have many servers authenticating users against the samba server so if this fails everything else does.

When you join a second DC to the AD (http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC), then the DNS part is also automatically replicated. As you already have a second DC, please check if Samba (or BIND) is listening on port 53 to answer DNS queries.

    # netstat -taunp | grep :53

Then you only have to configure your clients to use the second machine as DNS server, too. There's nothing special you have to do here. You can use BIND or the internal DNS on the other DCs. It doesn't need to be the same as on your first one.

Regards,
Marc
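Listening on port 53 is the first check; the second is that both DCs actually serve the same replicated zone, in particular the `_ldap._tcp.dc._msdcs.<realm>` SRV record that clients use to locate domain controllers. If that record only names one DC on one of the servers, clients pointed at the other resolver will still lose authentication when the named DC goes down. The following is an added example, not from the thread: a shell/awk check that queries each DC for that SRV record and reports whether they agree. The realm and DC names are assumptions; the two sample answers are constructed (one complete, one missing a DC) so the comparison logic can be exercised offline, and the live query only runs when the script is invoked with `live`.

```shell
#!/bin/sh
# Added example: confirm every DC answers the AD locator SRV query with the
# same set of DCs. Realm/DC names are assumptions; sample answers are constructed.

# stdin: "dig +short SRV" lines "prio weight port target." -> sorted unique targets
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }' | sort -u
}

# $1, $2: newline-separated target lists; prints "consistent" or "mismatch"
compare_srv() {
    if [ "$1" = "$2" ]; then echo consistent; else echo mismatch; fi
}

# Live check: $1 realm, remaining args the DCs to query (assumed to run dig).
check_live() {
    realm="$1"; shift
    first=""
    for dc in "$@"; do
        got=$(dig @"$dc" +short SRV "_ldap._tcp.dc._msdcs.$realm" | srv_targets)
        [ -n "$got" ] || { echo "$dc: no SRV answer"; return 1; }
        [ -n "$first" ] || first="$got"
        echo "$dc: $(compare_srv "$first" "$got")"
    done
}

# Constructed answers: dc1 knows both DCs, dc2's zone copy only lists itself.
DC1_ANSWER='0 100 389 dc1.samdom.example.com.
0 100 389 dc2.samdom.example.com.'
DC2_ANSWER='0 100 389 dc2.samdom.example.com.'

sample_result() {
    a=$(printf '%s\n' "$DC1_ANSWER" | srv_targets)
    b=$(printf '%s\n' "$DC2_ANSWER" | srv_targets)
    compare_srv "$a" "$b"
}

echo "sample comparison: $(sample_result)"

# Usage: ./dccheck.sh live samdom.example.com dc1.samdom.example.com dc2.samdom.example.com
if [ "${1:-}" = "live" ]; then
    shift
    check_live "$@"
fi
```

A `mismatch` on a Samba AD setup usually means the second DC's DNS records were never registered (run `samba_dnsupdate --verbose` on it) or that BIND on one side is not using the replicated zone; fix that before relying on clients failing over to it.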
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 88c72fc s4-winbind: Add special case for BUILTIN domain via d4091c5 Fix bug #9166 - Starting smbd or nmbd with stdin from /dev/null results in EOF on stdin from fc13489 build: Build with system md5.h on OpenIndiana http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 88c72fceb1c86752c52651bdea5b116806dd92c5 Author: Andrew Bartlett abart...@samba.org Date: Sat Jun 15 23:01:44 2013 +1000 s4-winbind: Add special case for BUILTIN domain This should mean that lookups for the BUILTIN domain cause less trouble then they have in the past, because they will no longer go via the trusted domain handler. Andrew Bartlett Signed-off-by: Andrew Bartlett abart...@samba.org Reviewed-by: Volker Lendecke v...@samba.org Autobuild-User(master): Andrew Bartlett abart...@samba.org Autobuild-Date(master): Thu Jun 20 15:30:00 CEST 2013 on sn-devel-104 commit d4091c5809f174b68714fa50fa501c99617c016e Author: Jeremy Allison j...@samba.org Date: Mon Jun 10 13:33:40 2013 -0700 Fix bug #9166 - Starting smbd or nmbd with stdin from /dev/null results in EOF on stdin Only install the stdin handler if it's a pipe or fifo. Signed-off-by: Jeremy Allison j...@samba.org Reviewed-by: Andrew Bartlett abart...@samba.org --- Summary of changes: source3/nmbd/nmbd.c | 14 +- source3/smbd/server.c| 14 +- source3/winbindd/winbindd.c | 15 ++- source4/smbd/server.c| 17 ++--- source4/winbind/wb_dom_info.c|5 +++-- source4/winbind/wb_init_domain.c | 38 -- source4/winbind/wb_sid2domain.c | 14 ++ 7 files changed, 91 insertions(+), 26 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/nmbd/nmbd.c b/source3/nmbd/nmbd.c index 12afb00..42e2b2f 100644 --- a/source3/nmbd/nmbd.c +++ b/source3/nmbd/nmbd.c 
@@ -130,8 +130,20 @@ static bool nmbd_setup_stdin_handler(struct messaging_context *msg, bool foregro /* if we are running in the foreground then look for EOF on stdin, and exit if it happens. This allows us to die if the parent process dies + Only do this on a pipe or socket, no other device. */ - tevent_add_fd(nmbd_event_context(), nmbd_event_context(), 0, TEVENT_FD_READ, nmbd_stdin_handler, msg); + struct stat st; + if (fstat(0, st) != 0) { + return false; + } + if (S_ISFIFO(st.st_mode) || S_ISSOCK(st.st_mode)) { + tevent_add_fd(nmbd_event_context(), + nmbd_event_context(), + 0, + TEVENT_FD_READ, + nmbd_stdin_handler, + msg); + } } return true; diff --git a/source3/smbd/server.c b/source3/smbd/server.c index f07bd28..d3cd33e 100644 --- a/source3/smbd/server.c +++ b/source3/smbd/server.c @@ -1558,8 +1558,20 @@ extern void build_options(bool screen); /* if we are running in the foreground then look for EOF on stdin, and exit if it happens. This allows us to die if the parent process dies + Only do this on a pipe or socket, no other device. */ - tevent_add_fd(ev_ctx, parent, 0, TEVENT_FD_READ, smbd_stdin_handler, NULL); + struct stat st; + if (fstat(0, st) != 0) { + return false; + } + if (S_ISFIFO(st.st_mode) || S_ISSOCK(st.st_mode)) { + tevent_add_fd(ev_ctx, + parent, + 0, + TEVENT_FD_READ, + smbd_stdin_handler, + NULL); + } } smbd_parent_loop(ev_ctx, parent); diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c index 7a0700d..141ca5c 100644 --- a/source3/winbindd/winbindd.c +++ b/source3/winbindd/winbindd.c @@ -308,6 +308,8 @@ bool winbindd_setup_stdin_handler(bool parent, bool foreground) bool *is_parent; if (foreground) { + struct stat st; + is_parent = talloc(winbind_event_context(), bool); if (!is_parent) { return false; @@ -318,8 +320,19 @@ bool winbindd_setup_stdin_handler(bool parent, bool foreground) /* if we are running in the foreground then look
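Review bot: in the source3/nmbd/nmbd.c hunk, a failing fstat on fd 0 makes nmbd_setup_stdin_handler return false, which turns a closed or otherwise unusable stdin into a startup failure for a foreground nmbd even though the intent of the change is only to skip the EOF watcher on non-pipe devices; treat fstat failure like "not a pipe" (optionally log errno at debug level) and fall through to `return true`. Also, the new comment says "pipe or socket" and the code accepts S_ISFIFO || S_ISSOCK, but the commit message says "pipe or fifo" and never mentions sockets; one of the two should be corrected so the log reflects what the check does.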
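Review bot: in the source3/smbd/server.c hunk the fstat failure path does `return false;`, but if this code is in main() as the following `smbd_parent_loop(ev_ctx, parent);` call suggests, that is `return 0`, i.e. the daemon exits silently with a success status on an error; either log the errno and exit non-zero, or, better, skip installing the handler and continue as the nmbd case should. The same S_ISSOCK versus "pipe or fifo" wording mismatch with the commit message applies to this hunk's comment as well.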