Re: [Samba] Logon scripts, home directories, and Samba4 AD

[Daniel Müller]

This could do the job
Identify the home share on your samba3 fileserver (certain it is member of
your samba4 domain?!) as dfs root

Ex:
msdfs root= yes

On samba4 ads
[home]
msdfs proxy= \your-samba3-server\homes
read only = No

with rsat point to \your-samba3-server\homes

Good luck
---
EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-Ursprüngliche Nachricht-
Von: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] Im
Auftrag von Lee Allen
Gesendet: Mittwoch, 3. Juli 2013 00:20
An: samba@lists.samba.org; samba-techni...@lists.samba.org
Betreff: [Samba] Logon scripts, home directories, and Samba4 AD

I apologize if this appears twice: I posted it several hours ago and it has
not appeared on the list, so I am tweaking the email address and trying
again.

I have two separate (virtual) servers: one running Samba4 functioning as an
AD controller, and one running Samba 3.6.1  functioning as a file  print
server.

On the Samba3 side I am using security=ads and winbind and authenticating
against the Samba4 ADC.  Everything is working great.

Where things get a little messy is with the [homes] shares.

Here is what I am doing now:

My Samba3 smb.conf has a typical [homes] section.  I create a subdirectory
for each user, and set ownership  permissions.

I create a logon script on the Samba4 system -- one for each user, because
the username is embedded in it:
net use H: \\samba3\username

And then I use RSAT to set the logon script to the correct value for each
user.

It's just a lot of steps that need to be performed (perfectly) for each
user.  Is there a better way?

I see RSAT allows me to specify a Home folder.  Could this be a folder on
the Samba3 server -- ie, \\samba3\username ? (I tried that and it did not
work)

I can imagine some scripts that would create the logon script on the Samba4
system, and create the necessary directories on the Samba3 system.  I could
probably manage that, but I hate to re-invent the wheel --

If there is a clean, orthodox way to do this, I would like to know what it
is.

Thank you.

Lee Allen
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Logon scripts, home directories, and Samba4 AD

[Gémes Géza]

Hi,

This could do the job
Identify the home share on your samba3 fileserver (certain it is member of
your samba4 domain?!) as dfs root

Ex:
msdfs root= yes

On samba4 ads
[home]
 msdfs proxy= \your-samba3-server\homes
 read only = No

with rsat point to \your-samba3-server\homes

Good luck
---
EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
Even easier specify \\your-samba3-server\%USERNAME% as the home folder 
setting under ADUC for all the users you want (you can even select them 
set this once) if you also specify home drive H: it will get mounted at 
that drive letter

-Ursprüngliche Nachricht-
Von: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] Im
Auftrag von Lee Allen
Gesendet: Mittwoch, 3. Juli 2013 00:20
An: samba@lists.samba.org; samba-techni...@lists.samba.org
Betreff: [Samba] Logon scripts, home directories, and Samba4 AD

I apologize if this appears twice: I posted it several hours ago and it has
not appeared on the list, so I am tweaking the email address and trying
again.

I have two separate (virtual) servers: one running Samba4 functioning as an
AD controller, and one running Samba 3.6.1  functioning as a file  print
server.

On the Samba3 side I am using security=ads and winbind and authenticating
against the Samba4 ADC.  Everything is working great.

Where things get a little messy is with the [homes] shares.

Here is what I am doing now:

My Samba3 smb.conf has a typical [homes] section.  I create a subdirectory
for each user, and set ownership  permissions.

I create a logon script on the Samba4 system -- one for each user, because
the username is embedded in it:
net use H: \\samba3\username

And then I use RSAT to set the logon script to the correct value for each
user.

It's just a lot of steps that need to be performed (perfectly) for each
user.  Is there a better way?

I see RSAT allows me to specify a Home folder.  Could this be a folder on
the Samba3 server -- ie, \\samba3\username ? (I tried that and it did not
work)

I can imagine some scripts that would create the logon script on the Samba4
system, and create the necessary directories on the Samba3 system.  I could
probably manage that, but I hate to re-invent the wheel --

If there is a clean, orthodox way to do this, I would like to know what it
is.

Thank you.

Lee Allen
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Regards

Geza Gemes
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] [PATCH] Do not close winbind socket during use

[Andrew Bartlett]

On Thu, 2013-06-27 at 11:42 +1000, Andrew Bartlett wrote:
 On Wed, 2013-06-26 at 20:39 +1000, Andrew Bartlett wrote:
  On Mon, 2013-06-24 at 15:26 +, philippe.simo...@swisscom.com wrote:
   Hi Andrew, and by putting more num-callers : 
   
   valgrind --num-callers=50 samba -i -M single
  
  Thanks for getting me that.  I've managed to reproduce it here, but not
  under valgrind, and only when I hack the code to force a timeout.  At
  least this should help me figure out why we process the winbind socket
  close, which is the crux of this issue.
 
 I think I've found the cause of the issue you are hitting.  There is
 still another issue with the nested event loop in the krb5 libs, but
 these two patches should help significantly.
 
 As you have had more luck than I in reproducing this in a unaltered
 setting, please let me know if this helps.
 
 Patches are for git master, but may apply to 4.0 as well.

G'Day,

The original reporter has confirmed to me that this removes the segfault
for him.  It changes it to a 105 sec hang, (due to the winbind client
trying for 5 second at at a time many times). 

Can I get a review on it so we can rid master and eventually 4.0 of this
nasty crash?

Thanks,

Andrew Bartlett

-- 
Andrew Bartletthttp://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org

From df7c099be9366b0439f12d0924bd2192ad4888bd Mon Sep 17 00:00:00 2001
From: Andrew Bartlett abart...@samba.org
Date: Thu, 27 Jun 2013 11:27:03 +1000
Subject: [PATCH 1/2] service_stream: Log if the connection termination is
 deferred or not

---
 source4/smbd/service_stream.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/source4/smbd/service_stream.c b/source4/smbd/service_stream.c
index 22c4c04..74bb477 100644
--- a/source4/smbd/service_stream.c
+++ b/source4/smbd/service_stream.c
@@ -60,7 +60,11 @@ void stream_terminate_connection(struct stream_connection *srv_conn, const char
 
 	if (!reason) reason = unknown reason;
 
-	DEBUG(3,(Terminating connection - '%s'\n, reason));
+	if (srv_conn-processing) {
+		DEBUG(3,(Terminating connection deferred - '%s'\n, reason));
+	} else {
+		DEBUG(3,(Terminating connection - '%s'\n, reason));
+	}
 
 	srv_conn-terminate = reason;
 
-- 
1.7.11.7

From 0daf694bce47710a62f7e38aa2830bc1b40f3dfc Mon Sep 17 00:00:00 2001
From: Andrew Bartlett abart...@samba.org
Date: Thu, 27 Jun 2013 11:28:03 +1000
Subject: [PATCH 2/2] s4-winbindd: Do not terminate a connection that is still
 pending

Instead, wait until the call attempts to reply, and let it terminate then

(often this happens in the attempt to then write to the broken pipe).

Andrew Bartlett
---
 source4/winbind/wb_samba3_protocol.c |  5 +
 source4/winbind/wb_server.c  | 14 +-
 source4/winbind/wb_server.h  |  5 -
 3 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/source4/winbind/wb_samba3_protocol.c b/source4/winbind/wb_samba3_protocol.c
index 2846e9c..1b78c99 100644
--- a/source4/winbind/wb_samba3_protocol.c
+++ b/source4/winbind/wb_samba3_protocol.c
@@ -297,6 +297,8 @@ NTSTATUS wbsrv_samba3_send_reply(struct wbsrv_samba3_call *call)
 	struct tevent_req *subreq;
 	NTSTATUS status;
 
+	call-wbconn-pending_calls--;
+
 	status = wbsrv_samba3_push_reply(call);
 	NT_STATUS_NOT_OK_RETURN(status);
 
@@ -355,9 +357,12 @@ NTSTATUS wbsrv_samba3_process(struct wbsrv_samba3_call *call)
 		return status;
 	}
 
+	call-wbconn-pending_calls++;
+
 	status = wbsrv_samba3_handle_call(call);
 
 	if (!NT_STATUS_IS_OK(status)) {
+		call-wbconn-pending_calls--;
 		talloc_free(call);
 		return status;
 	}
diff --git a/source4/winbind/wb_server.c b/source4/winbind/wb_server.c
index 983f9f5..fb67d23 100644
--- a/source4/winbind/wb_server.c
+++ b/source4/winbind/wb_server.c
@@ -31,7 +31,14 @@
 
 void wbsrv_terminate_connection(struct wbsrv_connection *wbconn, const char *reason)
 {
-	stream_terminate_connection(wbconn-conn, reason);
+	if (wbconn-pending_calls == 0) {
+		char *full_reason = talloc_asprintf(wbconn, wbsrv: %s, reason);
+		stream_terminate_connection(wbconn-conn, full_reason ? full_reason : reason);
+	} else {
+		DEBUG(3,(wbsrv: terminating connection due to '%s' defered due to %d pending calls\n, 
+			 reason, wbconn-pending_calls));
+		wbconn-terminate = reason;
+	}
 }
 
 static void wbsrv_call_loop(struct tevent_req *subreq)
@@ -41,6 +48,11 @@ static void wbsrv_call_loop(struct tevent_req *subreq)
 	struct wbsrv_samba3_call *call;
 	NTSTATUS status;
 
+	if (wbsrv_conn-terminate) {
+		wbsrv_terminate_connection(wbsrv_conn, wbsrv_conn-terminate);
+		return;
+	}
+
 	call = talloc_zero(wbsrv_conn, struct wbsrv_samba3_call);
 	if (call == NULL) {
 		wbsrv_terminate_connection(wbsrv_conn, wbsrv_call_loop: 
diff --git a/source4/winbind/wb_server.h b/source4/winbind/wb_server.h
index 9b03004..941af68 100644
--- a/source4/winbind/wb_server.h
+++ b/source4/winbind/wb_server.h
@@ -94,9 +94,12 @@ struct 

[Samba] Samba 4 Rhedhat 6 And classicupgrade errors

[GUEI née worou noee]

Hi,
i upgrade on a new server samba3 to samba4 with a LDAP Backend.
I have followed this HowTO 
 http://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO

until de classicupgrade step
Here is the errors I get 

 /usr/local/samba/bin/samba-tool domain classicupgrade 
--dbdir=/root/samba3/tdbfiles --use-xattrs=yes  --realm=bceao.int 
/root/samba3/tdbfiles/smb.conf

Reading smb.conf
WARNING: The idmap backend option is deprecated
WARNING: The idmap uid option is deprecated
WARNING: The idmap gid option is deprecated
Provisioning
Exporting account policy
Exporting groups
Ignoring group 'Administrateurs' S-1-5-32-544 listed but then not found: Unable 
to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Ignoring group 'Operateurs de compte' S-1-5-32-548 listed but then not found: 
Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Ignoring group 'Operateurs impression' S-1-5-32-550 listed but then not found: 
Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Ignoring group 'Operateurs de sauvegarde' S-1-5-32-551 listed but then not 
found: Unable to enumerate members for alias, 
(-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Ignoring group 'Replicateurs' S-1-5-32-552 listed but then not found: Unable to 
enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Ignoring group 'Invites' S-1-5-32-546 listed but then not found: Unable to 
enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Ignoring group 'Operateurs de serveur' S-1-5-32-549 listed but then not found: 
Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Ignoring group 'Utilisateurs' S-1-5-32-545 listed but then not found: Unable to 
enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Exporting users
sid S-1-5-21-3933610348-2251462730-2069165054-1000 does not belong to our domain
  Demoting BDC account trust for z00-dc3, this DC must be elevated to an AD DC 
using 'samba-tool domain promote'
  Skipping wellknown rid=500 (for username=pdc_admin)
  Skipping wellknown rid=501 (for username=nobody)
Ignoring group memberships of 'toto' 
S-1-5-21-1770481708-1631662840-68360779-30866: Unable to enumerate group 
memberships, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
Ignoring group memberships of 'etoto' 
S-1-5-21-1770481708-1631662840-68360779-66424: Unable to enumerate group 
memberships, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
  Demoting BDC account trust for z00-dc02, this DC must be elevated to an AD DC 
using 'samba-tool domain promote'
Next rid = 66425
Following sids are both user and group sids:
   S-1-5-21-1770481708-1631662840-68360779-3221
ERROR(class 'samba.provision.ProvisioningError'): uncaught exception - 
ProvisioningError: Please remove duplicate sid entries before upgrade.
  File 
/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py, line 
175, in _run
    return self.run(*args, **kwargs)
  File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py, 
line 1318, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File /usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py, line 
778, in upgrade_from_samba3
    raise ProvisioningError(Please remove duplicate sid entries before 
upgrade.)

I create a link to all files wich are in the same directory as the secret.tdb 
file. But this didn't solve the problem.

Please, could anyone help me. 
I have this error since one week and coud not figure it out.
i need help.


MMe GUEI NOEE MELAINE
BP 3108 DAKAR SENEGAL
SERVICE INFORMATIQUE
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Logon scripts, home directories, and Samba4 AD

[Lee Allen]

Thank you, that works great, and it eliminates the need to create logon
scripts for each user.  That's a big improvement.

ADUC complains it cannot create the folder.  Not surprising, because the
specified folder \\samba3\username does not really exist -- it's a [homes]
share, the true pathname is \\samba3\nas\homes\username.

So I still need to create the directory in the samba3 system, and set
permissions appropriately.

Is there a way around this?  The only solution I can see is to write a
script that will create the necessary directories when a user is created.
 But that wouldn't be simple, because it's on a different server -- the
user is created on the samba4 ADC and the shares are on the samba3
fileserver.


On Wed, Jul 3, 2013 at 3:22 AM, Gémes Géza g...@kzsdabas.hu wrote:

 Hi,

 This could do the job
 Identify the home share on your samba3 fileserver (certain it is member of
 your samba4 domain?!) as dfs root

 Ex:
 msdfs root= yes

 On samba4 ads
 [home]
  msdfs proxy= \your-samba3-server\homes
  read only = No

 with rsat point to \your-samba3-server\homes

 Good luck
 --**-
 EDV Daniel Müller

 Leitung EDV
 Tropenklinik Paul-Lechler-Krankenhaus
 Paul-Lechler-Str. 24
 72076 Tübingen

 Tel.: 07071/206-463, Fax: 07071/206-499
 eMail: muel...@tropenklinik.de
 Internet: www.tropenklinik.de
 --**-

 Even easier specify \\your-samba3-server\%**USERNAME% as the home folder
 setting under ADUC for all the users you want (you can even select them set
 this once) if you also specify home drive H: it will get mounted at that
 drive letter

 -Ursprüngliche Nachricht-
 Von: samba-boun...@lists.samba.org [mailto:samba-bounces@lists.**
 samba.org samba-boun...@lists.samba.org] Im
 Auftrag von Lee Allen
 Gesendet: Mittwoch, 3. Juli 2013 00:20
 An: samba@lists.samba.org; 
 samba-technical@lists.samba.**orgsamba-techni...@lists.samba.org
 Betreff: [Samba] Logon scripts, home directories, and Samba4 AD

 I apologize if this appears twice: I posted it several hours ago and it
 has
 not appeared on the list, so I am tweaking the email address and trying
 again.

 I have two separate (virtual) servers: one running Samba4 functioning as
 an
 AD controller, and one running Samba 3.6.1  functioning as a file  print
 server.

 On the Samba3 side I am using security=ads and winbind and authenticating
 against the Samba4 ADC.  Everything is working great.

 Where things get a little messy is with the [homes] shares.

 Here is what I am doing now:

 My Samba3 smb.conf has a typical [homes] section.  I create a subdirectory
 for each user, and set ownership  permissions.

 I create a logon script on the Samba4 system -- one for each user, because
 the username is embedded in it:
 net use H: \\samba3\username

 And then I use RSAT to set the logon script to the correct value for each
 user.

 It's just a lot of steps that need to be performed (perfectly) for each
 user.  Is there a better way?

 I see RSAT allows me to specify a Home folder.  Could this be a folder
 on
 the Samba3 server -- ie, \\samba3\username ? (I tried that and it did not
 work)

 I can imagine some scripts that would create the logon script on the
 Samba4
 system, and create the necessary directories on the Samba3 system.  I
 could
 probably manage that, but I hate to re-invent the wheel --

 If there is a clean, orthodox way to do this, I would like to know what it
 is.

 Thank you.

 Lee Allen
 --
 To unsubscribe from this list go to the following URL and read the
 instructions:  
 https://lists.samba.org/**mailman/options/sambahttps://lists.samba.org/mailman/options/samba

  Regards

 Geza Gemes
 --
 To unsubscribe from this list go to the following URL and read the
 instructions:  
 https://lists.samba.org/**mailman/options/sambahttps://lists.samba.org/mailman/options/samba




-- 
*Lee Allen*
email: l...@leecallen.com
bus: (716) 773-2729
home: (716) 773-2326
cell: (716) 880-0854
fax: (716) 408-8844
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Samba Domain Rename

[Sandeep Kumar]

Hi Ricky,



Thanks for sharing your opinion



@samba Technical – can you please give me a final Yes or No on this because
no one knows more than you guys



Thanks,

Sandeep



*From:* Ricky Nance [mailto:ricky.na...@gmail.com]
*Sent:* 02 July 2013 20:37
*To:* Sandeep Kumar
*Cc:* Frostyfrog; Michael Wood; Samba Technical; samba@lists.samba.org
*Subject:* Re: [Samba] Samba Domain Rename



Like Michael said, samba 4 as an AD DC would probably not be happy if you
just change the 'workgroup = ' line in your smb.conf (as a matter of fact,
that line shouldn't exist in a AD DC setup in my opinion) the domain is
more than likely embedded very deep inside of the LDB's, and I would
strongly recommend against changing those, however, with sufficient backups
and lots of luck you might be successful in changing it (look into
ldbsearch and ldbedit if you are really REALLY brave). I think even
changing every instance in the LDB's  however will still not work, as
during provision the machine joins itself to the domain (yes it joins
itself to itself if I recall right). I would try to avoid this at all
costs, but if you must do it, starting over may be your best option.



Just my thoughts,

Ricky

-- 
 

www.arborfs.com

This e-mail and any attachment are confidential and contain proprietary 
information, some or all of which may be legally privileged.

It is intended solely for the use of the individual or entity to which it 
is addressed.  If you are not the intended recipient, please notify the 
author immediately by telephone or by replying to this e-mail, and then 
delete all copies of the e-mail on your system.  If you are not the 
intended recipient, you must not use, disclose, distribute, copy, print or 
rely on this e-mail.

Whilst we have taken reasonable precautions to ensure that this e-mail and 
any attachment has been checked for viruses, we cannot guarantee that they 
are virus free and we cannot accept liability for any damage sustained as a 
result of software viruses.  We would advise that you carry out your own 
virus checks, especially before opening an attachment.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Win8 account sees its home share, but does not have permissions to access

[Ricky Nance]

So what is the output of `ls -alhZ /home | grep mark` ?

Ricky
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Logon scripts, home directories, and Samba4 AD

[Daniel Müller]

So you authenticate against the samba4 ads with your samba3 is this true?
Then you can do a root preexec and run a script on your samba3 server every
time
the users connect to [homes].
Ex:

[homes]
root preexec = /path-to-script/./user-home-dir %U


Your script user-home-dir (where $1 is the login of the user):

#!/bin/bash
#if exist directory
if test -d /path-to/your-users-home-dirs/$1
then
#put Directory is already there in a log file
echo $1 Directory already up and running /system/log/eanm.log
else

mkdir  /path-to/your-users-home-dirs/$1
chmod -R 700  /path-to/your-users-home-dirs/$1
chown -R $1:Domain Users / path-to/your-users-home-dirs/$1
echo /path-to/your-users-home-dirs/$1 created /system/log/anm.log
fi


Greetings
Daniel
---
EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-Ursprüngliche Nachricht-
Von: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] Im
Auftrag von Lee Allen
Gesendet: Mittwoch, 3. Juli 2013 14:56
An: Gémes Géza
Cc: samba@lists.samba.org
Betreff: Re: [Samba] Logon scripts, home directories, and Samba4 AD

Thank you, that works great, and it eliminates the need to create logon
scripts for each user.  That's a big improvement.

ADUC complains it cannot create the folder.  Not surprising, because the
specified folder \\samba3\username does not really exist -- it's a [homes]
share, the true pathname is \\samba3\nas\homes\username.

So I still need to create the directory in the samba3 system, and set
permissions appropriately.

Is there a way around this?  The only solution I can see is to write a
script that will create the necessary directories when a user is created.
 But that wouldn't be simple, because it's on a different server -- the user
is created on the samba4 ADC and the shares are on the samba3 fileserver.


On Wed, Jul 3, 2013 at 3:22 AM, Gémes Géza g...@kzsdabas.hu wrote:

 Hi,

 This could do the job
 Identify the home share on your samba3 fileserver (certain it is 
 member of your samba4 domain?!) as dfs root

 Ex:
 msdfs root= yes

 On samba4 ads
 [home]
  msdfs proxy= \your-samba3-server\homes
  read only = No

 with rsat point to \your-samba3-server\homes

 Good luck
 --**-
 EDV Daniel Müller

 Leitung EDV
 Tropenklinik Paul-Lechler-Krankenhaus Paul-Lechler-Str. 24
 72076 Tübingen

 Tel.: 07071/206-463, Fax: 07071/206-499
 eMail: muel...@tropenklinik.de
 Internet: www.tropenklinik.de
 --**-

 Even easier specify \\your-samba3-server\%**USERNAME% as the home 
 folder setting under ADUC for all the users you want (you can even 
 select them set this once) if you also specify home drive H: it will 
 get mounted at that drive letter

 -Ursprüngliche Nachricht-
 Von: samba-boun...@lists.samba.org [mailto:samba-bounces@lists.** 
 samba.org samba-boun...@lists.samba.org] Im Auftrag von Lee Allen
 Gesendet: Mittwoch, 3. Juli 2013 00:20
 An: samba@lists.samba.org; 
 samba-technical@lists.samba.**orgsamba-techni...@lists.samba.org
 Betreff: [Samba] Logon scripts, home directories, and Samba4 AD

 I apologize if this appears twice: I posted it several hours ago and 
 it has not appeared on the list, so I am tweaking the email address 
 and trying again.

 I have two separate (virtual) servers: one running Samba4 functioning 
 as an AD controller, and one running Samba 3.6.1  functioning as a 
 file  print server.

 On the Samba3 side I am using security=ads and winbind and 
 authenticating against the Samba4 ADC.  Everything is working great.

 Where things get a little messy is with the [homes] shares.

 Here is what I am doing now:

 My Samba3 smb.conf has a typical [homes] section.  I create a 
 subdirectory for each user, and set ownership  permissions.

 I create a logon script on the Samba4 system -- one for each user, 
 because the username is embedded in it:
 net use H: \\samba3\username

 And then I use RSAT to set the logon script to the correct value for 
 each user.

 It's just a lot of steps that need to be performed (perfectly) for 
 each user.  Is there a better way?

 I see RSAT allows me to specify a Home folder.  Could this be a 
 folder on the Samba3 server -- ie, \\samba3\username ? (I tried that 
 and it did not
 work)

 I can imagine some scripts that would create the logon script on the
 Samba4
 system, and create the necessary directories on the Samba3 system.  I 
 could probably manage that, but I hate to re-invent the wheel --

 If there is a clean, orthodox way to do this, I would like to know 
 what it is.

 Thank you.

 Lee Allen
 --
 To unsubscribe from this list go to the following URL and read the
 instructions:  
 

Re: [Samba] Logon scripts, home directories, and Samba4 AD

[Lee Allen]

Daniel that's perfect - -  the 'root preexec'  is exactly what I need.
Thank you.
On Jul 3, 2013 9:33 AM, Daniel Müller muel...@tropenklinik.de wrote:

 So you authenticate against the samba4 ads with your samba3 is this true?
 Then you can do a root preexec and run a script on your samba3 server every
 time
 the users connect to [homes].
 Ex:

 [homes]
 root preexec = /path-to-script/./user-home-dir %U


 Your script user-home-dir (where $1 is the login of the user):

 #!/bin/bash
 #if exist directory
 if test -d /path-to/your-users-home-dirs/$1
 then
 #put Directory is already there in a log file
 echo $1 Directory already up and running /system/log/eanm.log
 else

 mkdir  /path-to/your-users-home-dirs/$1
 chmod -R 700  /path-to/your-users-home-dirs/$1
 chown -R $1:Domain Users / path-to/your-users-home-dirs/$1
 echo /path-to/your-users-home-dirs/$1 created /system/log/anm.log
 fi


 Greetings
 Daniel
 ---
 EDV Daniel Müller

 Leitung EDV
 Tropenklinik Paul-Lechler-Krankenhaus
 Paul-Lechler-Str. 24
 72076 Tübingen

 Tel.: 07071/206-463, Fax: 07071/206-499
 eMail: muel...@tropenklinik.de
 Internet: www.tropenklinik.de
 ---

 -Ursprüngliche Nachricht-
 Von: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
 Im
 Auftrag von Lee Allen
 Gesendet: Mittwoch, 3. Juli 2013 14:56
 An: Gémes Géza
 Cc: samba@lists.samba.org
 Betreff: Re: [Samba] Logon scripts, home directories, and Samba4 AD

 Thank you, that works great, and it eliminates the need to create logon
 scripts for each user.  That's a big improvement.

 ADUC complains it cannot create the folder.  Not surprising, because the
 specified folder \\samba3\username does not really exist -- it's a [homes]
 share, the true pathname is \\samba3\nas\homes\username.

 So I still need to create the directory in the samba3 system, and set
 permissions appropriately.

 Is there a way around this?  The only solution I can see is to write a
 script that will create the necessary directories when a user is created.
  But that wouldn't be simple, because it's on a different server -- the
 user
 is created on the samba4 ADC and the shares are on the samba3 fileserver.


 On Wed, Jul 3, 2013 at 3:22 AM, Gémes Géza g...@kzsdabas.hu wrote:

  Hi,
 
  This could do the job
  Identify the home share on your samba3 fileserver (certain it is
  member of your samba4 domain?!) as dfs root
 
  Ex:
  msdfs root= yes
 
  On samba4 ads
  [home]
   msdfs proxy= \your-samba3-server\homes
   read only = No
 
  with rsat point to \your-samba3-server\homes
 
  Good luck
  --**-
  EDV Daniel Müller
 
  Leitung EDV
  Tropenklinik Paul-Lechler-Krankenhaus Paul-Lechler-Str. 24
  72076 Tübingen
 
  Tel.: 07071/206-463, Fax: 07071/206-499
  eMail: muel...@tropenklinik.de
  Internet: www.tropenklinik.de
  --**-
 
  Even easier specify \\your-samba3-server\%**USERNAME% as the home
  folder setting under ADUC for all the users you want (you can even
  select them set this once) if you also specify home drive H: it will
  get mounted at that drive letter
 
  -Ursprüngliche Nachricht-
  Von: samba-boun...@lists.samba.org [mailto:samba-bounces@lists.**
  samba.org samba-boun...@lists.samba.org] Im Auftrag von Lee Allen
  Gesendet: Mittwoch, 3. Juli 2013 00:20
  An: samba@lists.samba.org;
  samba-technical@lists.samba.**orgsamba-techni...@lists.samba.org
  Betreff: [Samba] Logon scripts, home directories, and Samba4 AD
 
  I apologize if this appears twice: I posted it several hours ago and
  it has not appeared on the list, so I am tweaking the email address
  and trying again.
 
  I have two separate (virtual) servers: one running Samba4 functioning
  as an AD controller, and one running Samba 3.6.1  functioning as a
  file  print server.
 
  On the Samba3 side I am using security=ads and winbind and
  authenticating against the Samba4 ADC.  Everything is working great.
 
  Where things get a little messy is with the [homes] shares.
 
  Here is what I am doing now:
 
  My Samba3 smb.conf has a typical [homes] section.  I create a
  subdirectory for each user, and set ownership  permissions.
 
  I create a logon script on the Samba4 system -- one for each user,
  because the username is embedded in it:
  net use H: \\samba3\username
 
  And then I use RSAT to set the logon script to the correct value for
  each user.
 
  It's just a lot of steps that need to be performed (perfectly) for
  each user.  Is there a better way?
 
  I see RSAT allows me to specify a Home folder.  Could this be a
  folder on the Samba3 server -- ie, \\samba3\username ? (I tried that
  and it did not
  work)
 
  I can imagine some scripts that would create the logon script on the
  Samba4
  system, and create the necessary directories on the Samba3 system.  I
  could probably manage that, but I hate 

[Samba] Migration from 3.5.6-27 to 3.6.16-31

[Bruno Pereira]

Hello,
I have a debian etch with (samba  3.5.6-27,) shares and windows 7 in the
domain. This works ok.
Since i installed the new version 3.6.16-31 I can not login with  domain
users in my windows client and the shares are inaccessible.

I solved the problem with the login,  removing the following line in my
smb.conf:
*ldapsam:trusted = yes*
but why this line works with the version 3.5.6-27 and not works with the
3.6.16-31?

Anyone can help me with this?
Thanks

*My sernet packages:*

dpkg -l | grep sernet
ii  sernet-cifs-mount  
3.5.6-27 mount helper for the cifs vfs
(mostly for ke
ii  sernet-ldb-tools   
3.5.6-27 SerNet Samba ldb tools
ii  sernet-libpam-smbpass  
3.6.16-31pluggable authentication module for
SMB pass
ii  sernet-libsmbclient0   
3.6.16-31shared library that allows
applications to t
ii  sernet-libwbclient0
3.6.16-31client library for interfacing with
winbind
ii  sernet-samba   
3.6.16-31a LanManager-like file and printer
server fo
ii  sernet-samba-common
3.6.16-31Samba common files used by both the
server a
ii  sernet-smbclient   
3.6.16-31a LanManager-like simple client for
Unix
ii  sernet-winbind 
3.6.16-31service to resolve user and group
informatio



*My smb.conf:*

...workgroup = BPEREIRA114
  netbios name = Test
  server string = %h-PDC

  interfaces = lo, eth0
  bind interfaces only = yes

  passdb backend = ldapsam:ldap://127.0.0.1/

  encrypt passwords = yes

  unix password sync = yes

;;  log file = /var/log/samba/%m.log
  log level = 0
  max log size = 10
  syslog = 4
  syslog only = yes

  ;enable privileges = yes

;;  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

  domain logons = yes
  os level = 80
  preferred master = yes
  domain master = yes
...
  ldap machine suffix = ou=Computers
  ldap group suffix = ou=Groups
  ldap ssl = no
  ldap passwd sync = yes

*ldapsam:trusted = yes*

  load printers = yes
  printing = bsd

  dos charset = 850
  unix charset = iso8859-15

  logon path =
  logon home =
  logon drive =


  include = /etc/samba/smb-print.conf

[share1]
  vfs object = recycle:recycle
  recycle:exclude = *.tmp *.temp *.o *.obj ~$*
  recycle:keeptree = True
  recycle:touch = True
  recycle:versions = True
  recycle:noversions = .doc|.xls|.ppt
  recycle:repository = .Recycle Bin
  recycle:maxsize = 0
  comment =
  path = /temp/share1]
  public = no
  browseable = yes
  readonly = yes
  admin users =
  valid users = @Domain Admins, @Domain Users
  write list = @Domain Admins, @Domain Users
  create mask = 0770
  force create mode = 0770
  force security mode = 0770
  directory mask = 0770


-- 


Bruno Pereira
/IPBrick ID Dpt/   http://www.ipbrick.com/
IPBRICK International
Rua Passos Manuel, 66/76
4000-381 Porto
PortugalTEL: +351 221 207 100
FAX: +351 225 189 722
UCoIP: bpere...@ipbrick.com mailto:bpere...@ipbrick.com
www.ipbrick.com http://www.ipbrick.com/
www.iportaldoc.com http://www.iportaldoc.com/ Facebook
http://www.facebook.com/pages/IPBrick/263923950988/ Twitter
http://twitter.com/IPBrick/ Linked In
http://pt.linkedin.com/in/ipbrick/

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Win8 account sees its home share, but does not have permissions to access

[Dale Schroeder]

This being a Red Hat derivative, is selinux configured to allow this?


On 07/02/2013 2:54 PM, Mark Galeck wrote:

Fedora release 17 (Beefy Miracle)


On Tue, Jul 2, 2013 at 12:16 PM, Ricky Nance ricky.na...@gmail.com wrote:


Mark, which distro are you running?


On Tue, Jul 2, 2013 at 2:00 PM, Mark Galeck m...@xpliant.com wrote:


Can you log into the linux machine with the user mark and write files to

/home/mark without issue?

Certainly. I don't know Samba, but I do know Unix/Linux and as far as I
can tell, everything on Linux is working fine, as well as on the Windows 8
side.


What is the output of smbclient //localhost/homes -Umark -d5 (then at a

smb:\ do ls)

??  Command not found - I can't execute this on Linux.  I use

/bin/systemctl status smb.service

to get status


On Tue, Jul 2, 2013 at 11:52 AM, Ricky Nance ricky.na...@gmail.comwrote:


Can you log into the linux machine with the user mark and write files to
/home/mark without issue? What is the output of smbclient //localhost/homes
-Umark -d5 (then at a smb:\ do ls). Just a couple of things I would look
at\try.

Ricky






--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] Migration from 3.5.6-27 to 3.6.16-31

[Bruno Pereira]

Hello,
I have a debian etch with (samba 3.5.6-27,) shares and windows 7 in the
domain. This works ok.
Since i installed the new version 3.6.16-31 I can not login with domain
users in my windows client and the shares are inaccessible.

I solved the problem with the login, removing the following line in my
smb.conf:
*ldapsam:trusted = yes*
but why this line works with the version 3.5.6-27 and not works with the
3.6.16-31?

Anyone can help me with this?
Thanks

*My sernet packages:*

dpkg -l | grep sernet
ii sernet-cifs-mount
3.5.6-27 mount helper for the cifs vfs
(mostly for ke
ii sernet-ldb-tools
3.5.6-27 SerNet Samba ldb tools
ii sernet-libpam-smbpass
3.6.16-31 pluggable authentication module for
SMB pass
ii sernet-libsmbclient0
3.6.16-31 shared library that allows
applications to t
ii sernet-libwbclient0
3.6.16-31 client library for interfacing with
winbind
ii sernet-samba
3.6.16-31 a LanManager-like file and printer
server fo
ii sernet-samba-common
3.6.16-31 Samba common files used by both the
server a
ii sernet-smbclient
3.6.16-31 a LanManager-like simple client for
Unix
ii sernet-winbind
3.6.16-31 service to resolve user and group
informatio



*My smb.conf:*

...workgroup = BPEREIRA114
netbios name = Test
server string = %h-PDC

interfaces = lo, eth0
bind interfaces only = yes

passdb backend = ldapsam:ldap://127.0.0.1/

encrypt passwords = yes

unix password sync = yes

;; log file = /var/log/samba/%m.log
log level = 0
max log size = 10
syslog = 4
syslog only = yes

;enable privileges = yes

;; socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

domain logons = yes
os level = 80
preferred master = yes
domain master = yes
...
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
ldap ssl = no
ldap passwd sync = yes

*ldapsam:trusted = yes*

load printers = yes
printing = bsd

dos charset = 850
unix charset = iso8859-15

logon path =
logon home =
logon drive =


include = /etc/samba/smb-print.conf

[share1]
vfs object = recycle:recycle
recycle:exclude = *.tmp *.temp *.o *.obj ~$*
recycle:keeptree = True
recycle:touch = True
recycle:versions = True
recycle:noversions = .doc|.xls|.ppt
recycle:repository = .Recycle Bin
recycle:maxsize = 0
comment =
path = /temp/share1]
public = no
browseable = yes
readonly = yes
admin users =
valid users = @Domain Admins, @Domain Users
write list = @Domain Admins, @Domain Users
create mask = 0770
force create mode = 0770
force security mode = 0770
directory mask = 0770


-- 


Bruno Pereira
/IPBrick ID Dpt/ http://www.ipbrick.com/
IPBRICK International
Rua Passos Manuel, 66/76
4000-381 Porto
Portugal TEL: +351 221 207 100
FAX: +351 225 189 722
UCoIP: bpere...@ipbrick.com mailto:bpere...@ipbrick.com
www.ipbrick.com http://www.ipbrick.com/
www.iportaldoc.com http://www.iportaldoc.com/ Facebook
http://www.facebook.com/pages/IPBrick/263923950988/ Twitter
http://twitter.com/IPBrick/ Linked In
http://pt.linkedin.com/in/ipbrick/


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] file server or member server?

[Jonathan Buzzard]

On Tue, 2013-07-02 at 09:28 +0200, steve wrote:

[SNIP]

 
 Do I have this?
 1. is a domain controller and a file server.
 2. is a member server and a file server.
 

Yes, that is what you have.

 Another question, why do you say:
 '...its a domain server (or domain controller).'
 Which _is_ it? If it's the same thing then why does it have two names?
 

It's English, every word has multiple meanings and the same thing can be
described with multiple words. It is what makes English one of the most
expressive languages there is.


JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] Messed up SIDs: How to change machine SID?

[Marcus Mundt]

Dear Samba Gurus,

I got the following errors:
tail -f /var/log/samba/log.wb-DOM1
[2013/07/02 15:49:19.990168,  2] winbindd/winbindd_rpc.c:320(rpc_name_to_sid)
  name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED

log.smbd
[2013/07/02 15:40:51.809516,  2] auth/token_util.c:455(finalize_local_nt_token)
  WARNING: Failed to create BUILTIN\Administrators group!  Can Winbind allocate 
gids?
[2013/07/02 15:40:51.811330,  2] auth/token_util.c:479(finalize_local_nt_token)
  WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?


I guess the reason might be this:
net getdomainsid
SID for local machine M1 is:S-1-5-21-3981825222-1828954701-2606613544
SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449

net getdomainsid
SID for local machine M2 is:S-1-5-21-2913448378-2543514743-1508345481
SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449


Shouldn't the SIDs be the same except the last digits???

Cheers,
Marcus
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Messed up SIDs: How to change machine SID?

[Gaiseric Vandal]

I have an LDAP backend.

In LDAP, the machine accounts for my  windows and linux clients so show 
the same base SID as the domain SID (ie.. all but the last digits.)


However I also have the mismatch with net getdomainsid -  which 
definately explains why they don't behave as I would expect.   You may 
want to try fixing this with net setlocalsid.   I guess when you joing 
unix  or linux member server to the domain the localsid is not updated.


Re the BUILTIN groups you may want to explicitly map these to unix 
groups rather than relying on winbind to do it



e.g.   I created  unix groups

#getent group 
Builtin Admins::544:
Builtin Users::545:
Builtin Guests::546:

Then mapped the well know built-in Windows groups to the unix groups


#net groupmap add ntgroup=Administrators unixgroup=544 
sid=S-1-5-32-544   type=builtin
#net groupmap add ntgroup=Users unixgroup=545   sid=S-1-5-32-545 
type=builtin
#net groupmap add ntgroup=Guests unixgroup=546 sid=S-1-5-32-546 
type=builtin


# net groupmap list | grep -i builtin

Administrators (S-1-5-32-544) - Builtin Admins
Users (S-1-5-32-545) - Builtin Users
Guests (S-1-5-32-546) - Builtin Guests



The linux samba member servers I use mostly for IT use anyway so I never 
shook out all the bugs.





On 07/03/13 11:49, Marcus Mundt wrote:

Dear Samba Gurus,

I got the following errors:
tail -f /var/log/samba/log.wb-DOM1
[2013/07/02 15:49:19.990168,  2] winbindd/winbindd_rpc.c:320(rpc_name_to_sid)
   name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED

log.smbd
[2013/07/02 15:40:51.809516,  2] auth/token_util.c:455(finalize_local_nt_token)
   WARNING: Failed to create BUILTIN\Administrators group!  Can Winbind 
allocate gids?
[2013/07/02 15:40:51.811330,  2] auth/token_util.c:479(finalize_local_nt_token)
   WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?


I guess the reason might be this:
net getdomainsid
SID for local machine M1 is:S-1-5-21-3981825222-1828954701-2606613544
SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449

net getdomainsid
SID for local machine M2 is:S-1-5-21-2913448378-2543514743-1508345481
SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449


Shouldn't the SIDs be the same except the last digits???

Cheers,
Marcus


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Win8 account sees its home share, but does not have permissions to access

[Mark Galeck]

[root@v64-sw-dev003-mark /]# ls -alhZ /home | grep mark
drwx--. mark mark unconfined_u:object_r:user_home_dir_t:s0 mark




On Wed, Jul 3, 2013 at 6:26 AM, Ricky Nance ricky.na...@gmail.com wrote:

 So what is the output of `ls -alhZ /home | grep mark` ?

 Ricky

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Win8 account sees its home share, but does not have permissions to access

[Mark Galeck]

how do I check this?


On Wed, Jul 3, 2013 at 7:18 AM, Dale Schroeder 
d...@briannassaladdressing.com wrote:

 This being a Red Hat derivative, is selinux configured to allow this?



 On 07/02/2013 2:54 PM, Mark Galeck wrote:

 Fedora release 17 (Beefy Miracle)


 On Tue, Jul 2, 2013 at 12:16 PM, Ricky Nance ricky.na...@gmail.com
 wrote:

  Mark, which distro are you running?


 On Tue, Jul 2, 2013 at 2:00 PM, Mark Galeck m...@xpliant.com wrote:

  Can you log into the linux machine with the user mark and write files to

 /home/mark without issue?

 Certainly. I don't know Samba, but I do know Unix/Linux and as far as I
 can tell, everything on Linux is working fine, as well as on the
 Windows 8
 side.

  What is the output of smbclient //localhost/homes -Umark -d5 (then at a

 smb:\ do ls)

 ??  Command not found - I can't execute this on Linux.  I use

 /bin/systemctl status smb.service

 to get status


 On Tue, Jul 2, 2013 at 11:52 AM, Ricky Nance ricky.na...@gmail.com
 wrote:

  Can you log into the linux machine with the user mark and write files
 to
 /home/mark without issue? What is the output of smbclient
 //localhost/homes
 -Umark -d5 (then at a smb:\ do ls). Just a couple of things I would
 look
 at\try.

 Ricky





-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] Removed params 'force security mode' etc. What to use instead?

[Brian H. Nelson]

Hello list,

I noticed that the fix for bug 9190 (inc in samba 4.0) resulted in the 
removal of the following config parameters:


security mask
force security mode
directory mask
force directory security mode

I have a couple questions regarding this, and haven't really seen any 
good info on it, so...


1) Why were they removed? There doesn't seems to be any explanation in 
the bug notes or release notes. Maybe I'm missing something? (not 
judging, just confused)


2) What can be used instead? I don't see any comparable settings in 
samba to obtain the same effect (preventing clients from removing 
certain security bits from existing files, ie group permissions)



I have a situation currently where it looks like I will need to 
implement the above 'force' settings in my samba 3.x environment to deal 
with some misbehaving OS X clients that insist on stripping group 
permissions from files in certain situations. I'd rather not start using 
settings that I know are removed in future versions, but I'm not sure of 
a better way. Can anyone recommend the best way to deal with this?


Thanks!
Brian



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Win8 account sees its home share, but does not have permissions to access

[Ricky Nance]

You just did, there are rules there ' unconfined_u:object_r:user_home_dir_t'
this leads me to think selinux is your issue, however, I can't say that I
have messed around with selinux at all, so maybe someone else can chime in
and help you out. You should be able to disable it temporarly just to
check. Please refer to the following thread
https://ask.fedoraproject.org/question/10507/how-to-disable-fedora-17-selinux/

Thanks,
Ricky
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Removed params 'force security mode' etc. What to use instead?

[Jonathan Buzzard]

On 03/07/13 19:56, Brian H. Nelson wrote:

[SNIP]



I have a situation currently where it looks like I will need to
implement the above 'force' settings in my samba 3.x environment to deal
with some misbehaving OS X clients that insist on stripping group
permissions from files in certain situations. I'd rather not start using
settings that I know are removed in future versions, but I'm not sure of
a better way. Can anyone recommend the best way to deal with this?


My guess is this is related to the Unix extensions. Basically certain 
versions of OS X; I can't remember which ones but 10.5 sticks in my mind 
but that might be related to symbolic links and it was 10.6 that was the 
problem, notice the file server does Unix extensions and then decides to 
go behind the Samba servers back and fiddle with the permissions.


Here is the kicker however the force settings don't help. It would 
appear that you can override them using the Unix extensions. The only 
solution I could come up with was turning Unix extensions off.


The basics are the SMB client in OS X seems to change it's behaviour 
with every major release, and a working config that deals with them all 
is hard to come by. The rewritten client in 10.7 was particularly bad 
especially in early point releases. From memory it did not become usable 
till 10.7.3



JAB.

--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Samba Domain Rename

[Frostyfrog]

Yeah, I've never fully set up a samba *checks samba version* 4 domain. What
I suggested was what I thought might work. I guess it's time for me to
completely set things up and see how it works.

~Frostyfrog
From a friendly web page developer.
^.^


On Tue, Jul 2, 2013 at 2:52 AM, Michael Wood esiot...@gmail.com wrote:

 If Sandeep is running Samba 4 as an Active Directory domain controller,
 then I very much doubt that just editing the workgroup setting in smb.conf
 will fix it.  There are e.g. files in the samba private directory named
 after the domain and also containing the name of the domain.

 I don't know if there's a straightforward way of renaming the domain.  I
 suspect there isn't.

 Sandeep, if you don't get a good answer here, you could try getting the
 attention of one of the Samba developers on the IRC channel, perhaps.


 On 2 July 2013 07:49, Frostyfrog frostyfr...@gmail.com wrote:

 I'm not sure which distro you are using (I use Archlinux), but these steps
 should work if you have command line access (press the key surrounded in
 
 when there is one, don't type the  or the stuff inside):

 1. Login to the server
 2. type: vim /etc/samba/smb.confenter
 3. type: /workgroup =enter
 (If that doesn't work, try it without the equals)
 4. press the arrow keys until it is placed just after the equals
 5. type c$
 6. type in what you want the new domain name to be
 7. press esc
 8. type: :wq
 9. restart samba

 Disclaimer: These steps are not for those who have no idea what they are
 doing (although it may seem that way), please proceed with caution.

 ~Frostyfrog
 From a friendly web page developer.
 ^.^

 On Mon, Jul 1, 2013 at 11:24 PM, Sandeep Kumar sandeep.ku...@arborfs.com
 wrote:

  Hi Team,
 
  I am using  samba 4 Domain in my production environment and everything
 is
  working fine but now for some reason I have to rename the domain
 
  Can you please help on this, I need to do this asap
 
  Waiting for your response………
 
  Many Thanks,
  Sandeep Kumar
  *Arbor Financial Systems Ltd*
  Direct: +91 172 400 6144
  Support: +44 (0) 203 070 9650
  www.arborfs.com


 --
 Michael Wood esiot...@gmail.com
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Samba Domain Rename

[Andrew Bartlett]

On Tue, 2013-07-02 at 20:07 +0200, Denis Cardon wrote:
 Hi Sandeep,
 
  Changing a domain name, even in an all-Microsoft Windows server
  environment, is strongly discouraged, at least on the user mailing
  lists I am on. Better would be to use the domain migration tools, and
  migrate to a newly named domain.
 
 I had recently to migrate a windows 2003 domaine from a short dns domain 
 name media1 to standard dns name media1.local before migrating to a 
 samba4 domain. There are actually some microsoft tool to do the 
 migration, but it is far from trivial. I don't know if there are 
 anything in samba4 to do the same thing though, and probably the method 
 outlined by Michael might still be the best one.

Indeed, renaming a domain breaks all the base assumptions in AD. 

Samba 4.0 as an AD DC has no code to support this, if it works with the
Microsoft tool that was used in your situation it would be a miracle,
but just occasionally we find this stuff just happens to work because
the hard work is in the client tool, not the DC. 

Andrew Bartlett

-- 
Andrew Bartletthttp://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] samba 4 installation failing several troubleshooting steps

[Joe Johnson]

Troubleshooting steps fail.  Trying to replace a standalone Netware
server with a Samba4 server with AD.  To isolate this test setup,
changed server's static IP address and separated the wiring.  Then
went through the Troubleshooting portion of The Samba Checklist.  Some
tests pass.  Some tests fail.  I'm weak on Samba, DNS and AD.  I
appreciate your instructions on how to overcome the indicated test
failures.

The setup:
- an inexpensive router provides DHCP to a network of three computers
- Samba4 server (SERVER) has static ip 192.168.3.210
- Windows XP Pro SP3 workstation (WORKSTATION)
- Linux Mint workstation (used for ssh to SERVER)
- Domain is domane.lan
- workgroup is OFFICE
- Samba4 downloaded from git, version 4.1.0pre1-GIT-3e66cb7, using internal DNS
- SERVER runs Ubuntu 12 LTS, recent download with updates, no firewall

smb.conf, resolv.conf, and a query result for DNS records may all be seen at
http://pastebin.com/B5gyDi1s  (samba 4 configurations as part of
troubleshooting questions)

When making suggestions, please detail the commands you would like me to try.

1)  WORKSTATION can log into the domain and can ping SERVER by its ip
address.  WORKSTATION initially could not ping SERVER by its name, but
could after an entry for SERVER was added in
C:\windows\system32\drivers\etc\hosts.

2)  SERVER can ping WORKSTATION by its ip address but cannot ping the
workstation by its name.

3)  /usr/local/samba/bin/testparm /usr/local/samba/etc/smb.conf  does
not report any errors.

4)  On WORKSTATION I was never able to get a browse list of shares.
An early error seen in /usr/local/samba/var/log.samba is:

[2013/06/21 22:43:29,  0] ../source4/dsdb/common/util_samr.c:185(dsdb_add_user)
  Failed to create user record
CN=WORKSTATION,CN=Computers,DC=domane,DC=lan: dsdb_access: Access
check failed on CN=Computers,DC=domane,DC=lan

5)  host -t SRV _ldap._tcp.domane.lan.  gives expected results
host -t SRV _kerberos._udp.domane.lan.  gives expected results
host -t A server.domane.lan.  gives expected results

6)  On WORKSTATION, checked the box “Use this connection's DNS suffix in DNS
 registration” in Windows XP's TCP/IP properties, General, Advanced,
DNS.  SERVER still cannot ping workstation by name.

7)  smbclient -L SERVER  does provide a list of shares.

8)  /usr/local/samba/bin/nmblookup -B SERVER __SAMBA__.responds with
querying __SAMBA__. on 127.0.0.1
name_query failed to find name __SAMBA__.

9)  nmblookup -B WORKSTATION.domane.lan '*'
  gives the confusing response
querying * on 192.168.3.255
192.168.3.2 *00
This is confusing because 192.168.3.2 is the ip addres of the Mint
computer running ssh to SERVER.  WORKSTATION has an ip address of
192.168.3.3

10)  nmblookup -d 2 '*'
  responds with
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
added interface eth0 ip=fe80::211:11ff:fe6f:8df0%eth0
bcast=fe80:::::%eth0 netmask=:::::
added interface eth0 ip=192.168.3.210 bcast=192.168.3.255 netmask=255.255.255.0
querying * on 192.168.3.255
Got a positive name query response from 192.168.3.2 ( 192.168.3.2 )
192.168.3.2 *00
Again, this is confusing because 192.168.3.2 is the ip address of the
Minut computer running ssh to SERVER.  WORKSTATION has an ip address
of 192.168.3.3

11)  smbclient //SERVER/INVOICES
  -UAdministrator  requests a password and responds with
session setup failed: NT_STATUS_LOGON_FAILURE
Domain=[OFFICE] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-3e66cb7]
smb: \

12)  smbclient //SERVER/INVOICES
   with a user other and Administrator requests a password and responds with
session setup failed: NT_STATUS_LOGON_FAILURE

13)  On WORKSTATION, the command   net view \\SERVER   responds with a
list of shares.

14)  On WORKSTATION, the command   net use x: \\SERVER\INVOICES
responds well.  If logged in as administrator, it is possible to use
the dir command to see a list of files.

15)  On WORKSTATION, when graphically browsing the network SERVER is
seen but it does not contain a list of shares.  There is nothing to
graphically select to map.  If a share name is known, it can be
manually mapped similar to prior example.

16)  /usr/local/samba/bin
/nmblookup -M OFFICE
  responds with
name_query failed to find name OFFICE#1d
This is in spite of having  preferred master = yes   in smb.conf

Thank you for helping to identify what is going wrong, and for your
suggestions for fixes.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] file server or member server?

[Nick Boyce]

I'll have a go  :)

My 2p:

A Windows domain is an authentication-and-authorisation space, defined
by a database of all usernames known within that space, together with
their passwords, group memberships and much more related stuff.  The
username database (held as a set of files of course) is managed by one
or more servers dedicated to the task of processing logon attempts,
verifying passwords, authorising filesystem access requests, etc.
This type of server is known as a domain controller (or domain server
if you like).

The domain will also contain, in general, many workstations used by
the end-users, and a number of servers holding files, services and
other objects available for the use of the users. The files and
services have permission settings which define which users can access
them and in which ways.  The permission settings reference the
usernames defined in the username database.

Any machine (workstation or server) needing to make use of the
username database must be joined to the domain (which means
exchanging keys, so that secure communication can occur); we call such
machines members of the domain  member servers, member
workstations.  In a medium to large organisation there are usually
quite a few member servers dedicated to file serving, some to web
serving, some to print serving, and a few to more esoteric tasks (SQL,
DNS, DHCP, WINS [does that still exist ?], etc. etc.).

You could refer to these servers as fileservers, webservers,
printservers, SQLservers, DNS servers, etc.  you see the pattern
here ? :-)

You /can/ combine some of these server roles (including domain
controller) in one physical server, but you must be careful about
performance, especially in geographically dispersed networks.  Note
that all access requests must ultimately effectively be processed and
approved by the domain controllers, which can make them pretty busy
machines - so that job is often done by dedicated servers.

There may also be other Windows servers owned by the organisation,
which are not members or controllers of the domain - these servers are
known as stand-alone servers, and their users will not share the same
username  password database as is used within the domain.

Steve Are there any guidelines for this sort of stuff?

Yes.  In the Microsoft world, typically the sysadmins all go on [gulp]
MCSE (Microsoft Certified System Engineer) training programmes,
where all this stuff is taught in some detail - including how to
estimate performance requirements from expected user population 
required data flows, and thus how to arrive at an effective network
and domain design.  Usually you discover that you need an unbelievable
number of servers, and that the cost of server licenses and client
access licenses (an iniquitous concept) is likely to bankrupt your
employer ;-)  After your boss has had a heart attack, you think
about Samba 

I don't know whether or not there are FOSS-world courses which teach
the same (CIFS/SMB/AD) concepts.

You can also find any number of $50 text books on the subject
(Windows Active Directory) in any decent bookstore.
e.g. http://shop.oreilly.com/product/0636920028932.do
Active Directory Cookbook, 4th Edition
Solutions for Administrators  Developers
(but they will usually be focused on Microsoft products).

BTW: if you don't already know about it, you really should also try to
learn as much of the stuff on this website as you possibly can :
http://ubiqx.org/cifs/
It's more about the protocols, rather than domain design - but still
important for a sysadmin (and it's by one of the Samba team).


[I hope this helped ... maybe you already know all this stuff, and I
didn't understand your question .. it was fun trying anyway :)]

Good luck.

Nick
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] Apparent bug remains in v4.0.7 - Hosts allow parameter causing errors and vey slow MS Office document access

[Phil Quesinberry]

From smb.conf:
hosts allow = 10.0.0. 127.

Same story using the following syntax instead:
hosts allow = 10.0.0.0/24 127.0.0.1/8

If I comment out the hosts allow line, the slow MS Office document access
and most of the errors in the log go away.

From log.samba:
[2013/07/04 00:15:52,  0]
../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2013/07/04 00:15:52,  0]
../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2013/07/04 00:16:03,  0]
../source4/lib/socket/access.c:356(socket_check_access)
  socket_check_access: Denied connection to 'smbd' from LOCAL/unixdom
(LOCAL/unixdom)
[2013/07/04 00:16:03,  0]
../source4/lib/socket/access.c:356(socket_check_access)
  socket_check_access: Denied connection to 'smbd' from LOCAL/unixdom
(LOCAL/unixdom)
[2013/07/04 00:16:03,  0]
../source4/lib/socket/access.c:356(socket_check_access)
  socket_check_access: Denied connection to 'smbd' from LOCAL/unixdom
(LOCAL/unixdom)
...
(dozens to hundreds of these Denied connection to smbd messages per
second)

From log.smbd:
[2013/07/04 00:17:11.857930,  1]
../source3/rpc_server/rpc_ncacn_np.c:622(make_external_rpc_pipe_p)
  tstream_npa_connect_recv  to /usr/local/samba/var/run/ncalrpc/np for pipe
wkssvc and user HERSCHLAUREN\vquesinberry failed: Broken pipe
[2013/07/04 00:17:11.860705,  1]
../source3/rpc_server/rpc_ncacn_np.c:622(make_external_rpc_pipe_p)
  tstream_npa_connect_recv  to /usr/local/samba/var/run/ncalrpc/np for pipe
wkssvc and user HERSCHLAUREN\vquesinberry failed: Broken pipe
[2013/07/04 00:17:37.207795,  1]
../source3/rpc_server/rpc_ncacn_np.c:622(make_external_rpc_pipe_p)
  tstream_npa_connect_recv  to /usr/local/samba/var/run/ncalrpc/np for pipe
wkssvc and user HERSCHLAUREN\vquesinberry failed: Connection reset by peer
[2013/07/04 00:17:37.210691,  1]
../source3/rpc_server/rpc_ncacn_np.c:622(make_external_rpc_pipe_p)
  tstream_npa_connect_recv  to /usr/local/samba/var/run/ncalrpc/np for pipe
wkssvc and user HERSCHLAUREN\vquesinberry failed: Connection reset by peer
[2013/07/04 00:17:37.213195,  1]
../source3/rpc_server/rpc_ncacn_np.c:622(make_external_rpc_pipe_p)
  tstream_npa_connect_recv  to /usr/local/samba/var/run/ncalrpc/np for pipe
wkssvc and user HERSCHLAUREN\vquesinberry failed: Connection reset by peer
[2013/07/04 00:17:37.219431,  1]
../source3/rpc_server/rpc_ncacn_np.c:622(make_external_rpc_pipe_p)
  tstream_npa_connect_recv  to /usr/local/samba/var/run/ncalrpc/np for pipe
wkssvc and user HERSCHLAUREN\vquesinberry failed: Connection reset by peer

I just compiled and am now running 4.07 stable but the problem was also
present in 4.0.6.  We'd like to be able to use the hosts allow parameter to
ensure that no one outside the LAN can access the server but I can always
use iptables to do the job if necessary.

Testparm output:
Load smb config files from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section [netlogon]
Processing section [sysvol]
Processing section [homes]
Processing section [hldata]
Processing section [C]
Processing section [D]
Processing section [MacData]
Processing section [QBooks]
Processing section [printers]
Processing section [print$]
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions

[global]
workgroup = HERSCHLAUREN
realm = HERSCHLAUREN.COM
server string = HerschLinux
server role = active directory domain controller
passdb backend = samba_dsdb
max log size = 524288
deadtime = 15
add machine script = /usr/sbin/useradd -n -g machines -d /dev/null
-s /sbin/nologin %u
preferred master = Yes
domain master = Yes
wins support = Yes
allow dns updates = nonsecure and secure
dns forwarder = 10.0.0.1
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
idmap config * : backend = tdb
invalid users = nobody, root
hosts allow = 10.0.0., 127.
map archive = No
map readonly = no
store dos attributes = Yes
vfs objects = dfs_samba4, acl_xattr

[netlogon]
path = /usr/local/samba/var/locks/sysvol/herschlauren.com/scripts

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[homes]
path = /home
read only = No

[hldata]
comment = Data directory for entire Windows share (Samba)
path = /hldata
valid users = *CENSORED*
read only = No

[C]
comment = C: Drive
path = /hldata/C
valid 

[SCM] Samba Shared Repository - branch v4-0-test updated

[Karolin Seeger]

The branch, v4-0-test has been updated
   via  0b80e93 vfs_streams_xattr: Do not attempt to write empty attribute 
twice
   via  f695430 Initialize the file descriptor in the files_struct before 
trying to close it. Otherwise, if one of the SETXATTR calls had failed, the 
close() call will return EBADF.
  from  9f7cbc7 s3:smbd:smb2: fix setting of scavenge timeout when 
reconnecting durable handles

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test


- Log -
commit 0b80e9376daf07089dac6221a51dff1ffee6cbac
Author: Christof Schmitt christof.schm...@us.ibm.com
Date:   Wed Jun 12 14:55:15 2013 -0700

vfs_streams_xattr: Do not attempt to write empty attribute twice

The create disposition FILE_OVERWRITE_IF is mapped to the flags
O_CREAT|O_TRUNC. In vfs_streams_xattr, this triggers two calls to
SMB_VFS_SETXATTR. The second can fail if O_EXCL is also set, resulting
in an unnecessary error.

Merge the identical code to handle O_CREAT and O_TRUNC to avoid setting
an empty attribute twice. Also add the flags parameter to the debug
message.

Signed-off-by: Christof Schmitt christof.schm...@us.ibm.com
Reviewed-by: Jeremy Allison j...@samba.org
Reviewed-by: Volker Lendecke v...@samba.org
(cherry picked from commit 4cd7e1d283f060e794023d5b0a48a7ec97d33820)

The last two patches address bug #9970 - Backport vfs_streams_xattr fixes 
to 4.0
and 4.1.

Autobuild-User(v4-0-test): Karolin Seeger ksee...@samba.org
Autobuild-Date(v4-0-test): Wed Jul  3 12:22:43 CEST 2013 on sn-devel-104

commit f695430ffb7bb036ffbfdbc5baafb8e8698670e8
Author: Christof Schmitt christof.schm...@us.ibm.com
Date:   Wed Jun 12 14:49:53 2013 -0700

Initialize the file descriptor in the files_struct before trying to close 
it. Otherwise, if one of the SETXATTR calls had failed, the close() call will 
return EBADF.

Signed-off-by: Christof Schmitt christof.schm...@us.ibm.com
Reviewed-by: Jeremy Allison j...@samba.org
Reviewed-by: Richard Sharpe rsha...@samba.org

Autobuild-User(master): Jeremy Allison j...@samba.org
Autobuild-Date(master): Thu Jun 13 01:43:18 CEST 2013 on sn-devel-104
(cherry picked from commit 5c488cfb79873287e769622fd5da43b7a735e29c)

---

Summary of changes:
 source3/modules/vfs_streams_xattr.c |   43 +-
 1 files changed, 12 insertions(+), 31 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_streams_xattr.c 
b/source3/modules/vfs_streams_xattr.c
index dd1135d..6650021 100644
--- a/source3/modules/vfs_streams_xattr.c
+++ b/source3/modules/vfs_streams_xattr.c
@@ -367,8 +367,8 @@ static int streams_xattr_open(vfs_handle_struct *handle,
int baseflags;
int hostfd = -1;
 
-   DEBUG(10, (streams_xattr_open called for %s\n,
-  smb_fname_str_dbg(smb_fname)));
+   DEBUG(10, (streams_xattr_open called for %s with flags 0x%x\n,
+  smb_fname_str_dbg(smb_fname), flags));
 
if (!is_ntfs_stream_smb_fname(smb_fname)) {
return SMB_VFS_NEXT_OPEN(handle, smb_fname, fsp, flags, mode);
@@ -452,40 +452,20 @@ static int streams_xattr_open(vfs_handle_struct *handle,
goto fail;
}
 
-   if (!NT_STATUS_IS_OK(status)) {
+   if ((!NT_STATUS_IS_OK(status)  (flags  O_CREAT)) ||
+   (flags  O_TRUNC)) {
/*
-* The attribute does not exist
+* The attribute does not exist or needs to be truncated
 */
 
-if (flags  O_CREAT) {
-   /*
-* Darn, xattrs need at least 1 byte
-*/
-char null = '\0';
+   /*
+* Darn, xattrs need at least 1 byte
+*/
+   char null = '\0';
 
-   DEBUG(10, (creating attribute %s on file %s\n,
-  xattr_name, smb_fname-base_name));
+   DEBUG(10, (creating or truncating attribute %s on file %s\n,
+  xattr_name, smb_fname-base_name));
 
-   if (fsp-base_fsp-fh-fd != -1) {
-   if (SMB_VFS_FSETXATTR(
-   fsp-base_fsp, xattr_name,
-   null, sizeof(null),
-   flags  O_EXCL ? XATTR_CREATE : 0) == 
-1) {
-   goto fail;
-   }
-   } else {
-   if (SMB_VFS_SETXATTR(
-   handle-conn, smb_fname-base_name,
-   xattr_name, null, sizeof(null),
-   

[SCM] Samba Shared Repository - branch master updated

[Jeremy Allison]

The branch, master has been updated
   via  2536ee8 Make the output of the crackname script more readable
  from  caf3af3 s3-winbind: Allow sec_initial_uid() to store creds.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 2536ee8b640c1257dbe28a977ae0b48a62093d0c
Author: Matthieu Patou m...@matws.net
Date:   Sun Jun 30 01:59:53 2013 -0700

Make the output of the crackname script more readable

Signed-off-by: Matthieu Patou m...@matws.net
Reviewed-by: Andreas Schneider a...@samba.org

Autobuild-User(master): Jeremy Allison j...@samba.org
Autobuild-Date(master): Wed Jul  3 23:17:57 CEST 2013 on sn-devel-104

---

Summary of changes:
 source4/scripting/devel/crackname |8 
 1 files changed, 4 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/scripting/devel/crackname 
b/source4/scripting/devel/crackname
index b6a372e..2e17985 100755
--- a/source4/scripting/devel/crackname
+++ b/source4/scripting/devel/crackname
@@ -71,8 +71,8 @@ if __name__ == __main__:
 req.names = [names]
 
 (result, ctr) = drs.DsCrackNames(drs_handle, 1, req)
-print # of result %d %ctr.count
+print # of result = %d %ctr.count
 if ctr.count:
-print ctr.array[0].status
-print ctr.array[0].result_name
-print ctr.array[0].dns_domain_name
+print status = %d % ctr.array[0].status
+print result name = %s % ctr.array[0].result_name
+print domain = %s % ctr.array[0].dns_domain_name


-- 
Samba Shared Repository