Re: [Samba] Restricting access to [homes]

2012-05-23 Thread NdK
-- but that requires a world-writable /srv/shared... I'll have to secure it when the rest is working, hints appreciated... not really pressing as long as no user is allowed to unix-login to the box). If some tries w/ smbclient could be useful, here they are. [ndk@jago ~]$ smbclient -I 137.204.66.31 '\\str00160

Re: [Samba] Restricting access to [homes]

2012-05-23 Thread NdK
On 23/05/2012 09:11, Jorell wrote: here is what I use in my conf [ProfileShare] Uh? ... path = /home/%D/%U root preexec = /root/pdc/smbmkhomedir.sh %D %U ARGH! 'root preexec'. I missed that root bit :( Thanks! You saved my day! smbmkhomedir.sh #!/bin/bash if [ ! -e /home/$1/$2 ]; then

Re: [Samba] Restricting access to [homes]

2012-05-23 Thread NdK
On 23/05/2012 15:30, steve wrote: If the gidNumber for the gid is stored in AD (as the 2008 and samba4 schema allow) then there can be no clash. It is then no problem in extracting it and applying it using normal /etc/nsswitch.conf format. The AD schema is still 2003. And who manages it thinks

Re: [Samba] Grant only one AD group to samba share ?

2012-05-23 Thread NdK
On 22/05/2012 22:17, Newman, John W wrote: Well.. I'm not really sure what that is (I inherited this project). In smb.conf all he has here is: idmap uid = 1-2 idmap gid=1-2 I don't see idmap backend = set at all in here. That is probably a big part of the

Re: [Samba] Samba as member of multi domain AD (nss/pam)

2012-05-25 Thread NdK
On 25/05/2012 09:57, Marcel Ritter wrote: our setup looks much like yours: One domain FAUAD containing all our users, and several domains containing computer objects (and maybe local users). To prevent inconsistencies in user/group membership, we'd like to use nss/pam winbind on

Re: [Samba] samba home folder share

2012-05-28 Thread NdK
On 13/05/2012 18:38, Jorell wrote: here is what I use in my conf [ProfileShare] ... root preexec = /root/pdc/smbmkhomedir.sh %D %U ... smbmkhomedir.sh #!/bin/bash if [ ! -e /home/$1/$2 ]; then mkdir -p /home/$1/$2 chown "$2":"Domain Users" /home/$1/$2 chmod 4711
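A 'root preexec' script is run by smbd as root with %D and %U already substituted, so the two arguments are data from the client session feeding a root process. The following is an added example, not Jorell's or NdK's script, of a hardened replacement for the helper quoted above. It assumes (none of this is in the post) that homes live under /home/DOMAIN/USER, that the group is "Domain Users", that a private home gets mode 0700, and that HOME_BASE/HOME_GROUP are environment overrides introduced here for testing:

```shell
#!/bin/sh
# Added example (not from the thread): hardened 'root preexec' home creator.
# smbd calls it as root with %D %U substituted, so validate both arguments
# before they are used to build a path.
# Assumptions (not from the post): homes are $HOME_BASE/DOMAIN/USER with
# HOME_BASE defaulting to /home, the group is HOME_GROUP ("Domain Users"),
# and a private home gets mode 0700.

# valid_name NAME: accept only a conservative SAM-name alphabet. Rejects the
# empty name, anything containing '/', the names '.' and '..', a leading '-'
# (option injection into mkdir/chown) and, deliberately, spaces and other
# punctuation.
valid_name() {
    case "$1" in
        ''|*/*|.|..|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# make_home DOMAIN USER: create the home if it is missing.
# Returns 0 on success or if it already exists, 2 on rejected input,
# 1 if mkdir/chown fails.
make_home() {
    dom="$1"; usr="$2"
    base="${HOME_BASE:-/home}"
    valid_name "$dom" || return 2
    valid_name "$usr" || return 2
    dir="$base/$dom/$usr"
    if [ -e "$dir" ]; then
        return 0
    fi
    # -m applies to the final component only; the DOMAIN directory is
    # created with the umask default.
    mkdir -p -m 0700 "$dir" || return 1
    # Only root can chown; when smbd runs this it is root. The quotes keep
    # the space in "Domain Users" from splitting the argument, which is the
    # bug in the unquoted 'chown $2:Domain Users' of the original script.
    if [ "$(id -u)" -eq 0 ]; then
        chown "$usr:${HOME_GROUP:-Domain Users}" "$dir" || return 1
    fi
    return 0
}

# Invoked by smbd as:  root preexec = /root/pdc/smbmkhomedir.sh %D %U
case "${0##*/}" in
    smbmkhomedir.sh) make_home "${1-}" "${2-}" ;;
esac
```

Because the script never logs the rejected name anywhere smbd would show it, a failed validation simply leaves the share without a home directory; check the smbd log level or add your own logger call if you want that visible.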

Re: [Samba] samba home folder share

2012-05-28 Thread NdK
On 28/05/2012 10:29, NdK wrote: Just a quick question: is the ACL needed only for local users (logged on server, or accessing an NFS share) or for Samba users too? Since I won't let users directly logon to the server but only via Samba, I'd prefer to avoid ACL overhead if possible. Ok, I

Re: [Samba] samba home folder share

2012-05-28 Thread NdK
On 28/05/2012 14:15, NdK wrote: Another question: how can I set access permissions so that the webserver (running on another machine) can have RO access, if I can't give it a standard account? Can I use machine accounts? And how can I make Apache automatically access user's home

Re: [Samba] samba home folder share

2012-05-31 Thread NdK
On 28/05/2012 15:40, NdK wrote: If I use smbclient -P '\\str00160-samba\for_web' I can navigate the share. But how do I 'emulate' that '-P' with mount.cifs? I tried sec=krb5 but mount fails: [...] Still stuck. :( Isn't there any way to mount a share using *machine* credentials? I'd try

Re: [Samba] winbind template homedir liimitations

2012-06-19 Thread NdK
On 19/06/2012 13:33, steve wrote: Is it possible to specify more than one template homedir = xxx in smb.conf? I don't think so. It could be useful for me, too, if possible (say: to have a web-home dir for some users, on a separate share than their data-home). But I couldn't define a clear

[Samba] Local user when security=ADS

2012-07-06 Thread NdK
Hello all. Since it seems I can't make the webserver access a samba share with its machine credentials (all I could get is a NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT message in server logs after extracting the pass from secrets.tdb) and I can't add users to AD (and, even if I could, their passwords

[Samba] Config doubt

2012-07-24 Thread NdK
Hello all. Is it right to have: idmap backend = tdb idmap uid = 2000- idmap gid = 2000- idmap config PERSONALE:backend = rid idmap config PERSONALE:base_rid = 500 idmap config PERSONALE:range = 10 - 4999 idmap config

[Samba] 'x' bit always set?

2012-07-30 Thread NdK
Hello all. Seems I can't find the root cause of $subj. When I store a file on my home, it gets chmodded ugo+x ... My smb.conf is: -8-- [global] workgroup = PERSONALE realm = PERSONALE.EXAMPLE.COM server string = Local shares netbios name = STR00160-SAMBA

Re: [Samba] 'x' bit always set?

2012-08-01 Thread NdK
On 30/07/2012 09:40, NdK wrote: Seems I can't find the root cause of $subj. When I store a file on my home, it gets chmodded ugo+x ... Any hints? And getting mad at this, too... Another strange thing is that, with this last command, it stopped resolving 100013 to PERSONALE\domain_users

Re: [Samba] 'x' bit always set?

2012-08-01 Thread NdK
On 01/08/2012 16:07, Jonathan Buzzard wrote: You are wrong, mount your file system with extended attributes enabled I already do that :) and then add the following to your smb.conf # store DOS attributes in extended attributes ea support = yes Oops... missed this...

Re: [Samba] 'x' bit always set?

2012-08-02 Thread NdK
On 01/08/2012 16:23, Helmut Hullen wrote: Hello Jonathan, on 01.08.12 you wrote: Seems I can't find the root cause of $subj. When I store a file on my home, it gets chmodded ugo+x ... [...] mount your file system with extended attributes enabled and then add the following to

Re: [Samba] 'x' bit always set?

2012-08-02 Thread NdK
On 02/08/2012 10:49, NdK wrote: map readonly = no map archive = no map system = no map hidden = no According to the man page, when store dos attributes is set, those should be ignored. But I added 'em anyway. Uhm... Seems the man page

Re: [Samba] 'x' bit always set?

2012-08-02 Thread NdK
On 02/08/2012 13:50, Jonathan Buzzard wrote: Have you verified that you are storing DOS attributes in extended attributes, something like this on the server [root@nabak Pictures]# getfattr -d Thumbs.db # file: Thumbs.db
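Two of the smb.conf questions in this archive are static checks on [global]: whether DOS attributes still get mapped onto the Unix execute bits (the "'x' bit always set?" thread above) and whether the per-domain idmap ranges overlap (the "Config doubt" post and the "winbind: uid range is ignored" thread). The block below is an added example, not code from the thread or from the Samba project, that reads those options out of an smb.conf with a small awk helper and reports both. It assumes the Samba 3.6-style `idmap config DOMAIN : range = LO-HI` syntax (the older `idmap uid = LO-HI` is also accepted as the default range) and the documented defaults `create mask = 0744`, `map archive = yes`, `map hidden = no`, `map system = no`. It is a static check only: with `store dos attributes = yes` the filesystem must really accept the user.DOSATTRIB xattr, which is what the `getfattr -d` above verifies at run time.

```shell
#!/bin/sh
# Added example (not from the thread): static checks on an smb.conf.

# smb_global OPTION FILE: print the [global] value of OPTION, lowercased,
# or nothing if unset. OPTION is written without spaces (storedosattributes)
# so "store dos attributes = Yes" and "store dos attributes=yes" both match.
# Values in other sections ([homes] etc.) are ignored; the last setting wins,
# as in Samba itself.
smb_global() {
    awk -v key="$1" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ { s = tolower($0); gsub(/[^a-z0-9*]/, "", s); next }
        s == "global" && index($0, "=") {
            k = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", k)
            v = tolower(substr($0, index($0, "=") + 1))
            gsub(/^[ \t]+/, "", v); gsub(/[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$2"
}

# is_yes VALUE: Samba boolean spellings that mean true.
is_yes() {
    case "$1" in yes|true|1) return 0 ;; esac
    return 1
}

# x_bit_leaks FILE: exit 0 if DOS attribute mapping can set execute bits on
# new files, 1 if the config keeps them out. Mapping is skipped entirely when
# the attributes go to an xattr; otherwise an x bit can only appear if the
# create mask lets it through (octal & 0111) and one of the map* options is on.
x_bit_leaks() {
    f="$1"
    is_yes "$(smb_global storedosattributes "$f")" && return 1
    mask="$(smb_global createmask "$f")"; mask="${mask:-0744}"
    [ $(( 0${mask#0} & 0111 )) -ne 0 ] || return 1
    arch="$(smb_global maparchive "$f")"
    hid="$(smb_global maphidden "$f")"
    sys="$(smb_global mapsystem "$f")"
    is_yes "${arch:-yes}" && return 0
    is_yes "${hid:-no}" && return 0
    is_yes "${sys:-no}" && return 0
    return 1
}

# idmap_overlap FILE: exit 0 and print each overlapping pair if any two idmap
# ranges intersect, 1 if they are all disjoint. Overlapping ranges let two
# different SIDs resolve to the same uid/gid, i.e. one account can own or
# read another's files.
idmap_overlap() {
    awk '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ { s = tolower($0); gsub(/[^a-z0-9*]/, "", s); next }
        s == "global" && index($0, "=") {
            k = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", k)
            v = substr($0, index($0, "=") + 1); gsub(/[ \t]/, "", v)
            if ((k ~ /^idmapconfig.*:range$/ || k == "idmapuid" || k == "idmapgid") \
                && v ~ /^[0-9]+-[0-9]+$/) {
                split(v, r, "-"); n++; name[n] = k; lo[n] = r[1] + 0; hi[n] = r[2] + 0
            }
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        print name[i] " (" lo[i] "-" hi[i] ") overlaps " name[j] " (" lo[j] "-" hi[j] ")"
                        bad = 1
                    }
            exit !bad
        }' "$1"
}

# Run with the config path as argument:  sh smbconf_check.sh /etc/samba/smb.conf
if [ -n "${1-}" ]; then
    if x_bit_leaks "$1"; then
        echo "DOS attributes are mapped onto execute bits"
    else
        echo "execute bits are not touched by DOS attribute mapping"
    fi
    idmap_overlap "$1" || echo "idmap ranges are disjoint"
fi
```

The awk reader deliberately normalises keys by deleting whitespace rather than collapsing it, because Samba accepts both `idmap config PERSONALE : range` and `idmap config PERSONALE:range`; the section guard is what keeps a `store dos attributes = yes` inside [homes] from being mistaken for the global default.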

Re: [Samba] winbind is it possible to have the same uid and gid numbers everywhere?

2012-08-02 Thread NdK
On 02/08/2012 16:19, steve wrote: At the moment, the client side ignores the idmap uid range and bases everything in the idmap gid range instead. Maybe that is a bug in Samba3? Don't know... I always kept 'em in the same range. [global] realm = polop.site workgroup = POLOP security =

Re: [Samba] winbind: uid range is ignored

2012-08-02 Thread NdK
On 02/08/2012 18:42, steve wrote: The shares are mounted via kerberized nfs on the client and _did_ map correctly before this thread started. Are you sure you updated /etc/nsswitch.conf to use winbind after purging the old Samba install? BYtE, Diego. -- To unsubscribe from this list go

Re: [Samba] winbind: uid range is ignored

2012-08-03 Thread NdK
On 03/08/2012 08:01, steve wrote: getent passwd/group works fine. I get the names and corresponding uid:gid numbers within the range specified in smb.conf but all I get when I list files on the nfs share, are numerical uid:gid values. I want those values to be DOMAIN\username DOMAIN\group

Re: [Samba] winbind: uid range is ignored

2012-08-03 Thread NdK
On 03/08/2012 10:22, steve wrote: It doesn't seem to matter. I can have the same id range on both server and client. What is uid 327 on the server becomes uid 302 on the client. Remember to delete all .tdb files and rejoin the machine between tests w/ different backends, or you'll

Re: [Samba] winbind: uid range is ignored

2012-08-03 Thread NdK
On 03/08/2012 13:18, steve wrote: Thanks for the tip. In fact, Samba4 defaults to 30-40 which I think is pretty safe? Only for a small domain... In our tree it would be WAY too small (could contain no more than about 20% of the groups we have in a single domain...). My main

Re: [Samba] winbind: uid range is ignored

2012-08-04 Thread NdK
On 03/08/2012 16:21, steve wrote: That's quite easy in Samba3 but which tdb's must I remove in Samba4? In fact, how would I rejoin the DC to itself? You shouldn't use DCs for anything else other than DC. No file server. No gateway. *Nothing*. They're a critical piece of your network

Re: [Samba] winbind: uid range is ignored

2012-08-04 Thread NdK
On 04/08/2012 12:00, steve wrote: You have many ways to obtain that same mapping objective. I chose to use rid 'cause I couldn't modify my AD schema. But the preferred way is extend AD schema and specify there the UIDs and GIDs. You don't have to extend the schema. You can store all the

Re: [Samba] winbind: uid range is ignored

2012-08-04 Thread NdK
On 04/08/2012 13:40, steve wrote: Too bad my AD controllers are M$ W2k3, w/o rfc2307 extension :( That's why I'm stuck with rid. Ah I see. I didn't mean to offend. No offense perceived :) I simply assumed you were using Samba4. If only I could... I think M$ gave them the 2008 schema as

Re: [Samba] winbind: uid range is ignored

2012-08-04 Thread NdK
On 04/08/2012 21:13, steve wrote: In comparison, winbind seems overcomplicated and restrictive (and simply does not work with either Ubuntu nor openSUSE 3.6.3). It also seems very restricted in that we have to turn off unix attributes and use wide links so we can symlink to the only

Re: [Samba] winbind: uid range is ignored

2012-08-05 Thread NdK
On 05/08/2012 12:32, Jonathan Buzzard wrote: A supported version of Windows Server 2003 (aka the 2003R2) has the RFC2307 extensions in the schema. The installation of the R2 service pack extends the schema to include RFC2307, your windows admins simply don't get a choice over that bit.

[Samba] Failing identification of users in trusted domains?

2011-11-29 Thread NdK
Hi all. I'm getting mad at this. I use winbind to authenticate users in multiple domains from AD. The config worked well, before upgrading from 3.5.3 to 3.5.10 in Mandriva. Now, if I 'winbind -i user.name' (so using the joined domain PERSONALE) I get the correct info, but if I do a 'winbind -i

Re: [Samba] Failing identification of users in trusted domains?

2011-12-01 Thread NdK
On 30/11/2011 08:53, NdK wrote: Hi all. I'm getting mad at this. I use winbind to authenticate users in multiple domains from AD. The config worked well, before upgrading from 3.5.3 to 3.5.10 in Mandriva. Now, if I 'winbind -i user.name' (so using the joined domain PERSONALE) I get

Re: [Samba] VFS ACL modules - question to developers

2011-12-06 Thread NdK
On 05/12/2011 19:27, Jeremy Allison wrote: If we didn't do this NFS access or local process access would completely ignore the Windows permissions (which is not what most people want). Then why not drop completely TDB storage of permissions and rely on filesystem alone? Denormalization is

[Samba] Searching in AD

2012-02-04 Thread NdK
Hello all. I only recently discovered 'net ads search'. But it seems '-P' can only be used by root, while I'd need to let 'radius' user do searches. Is it dangerous if I make it rw for 'radius' group (or a new group I'll make 'radius' user a member)? Any other solution, that maybe lets me have

Re: [Samba] wireless

2012-02-04 Thread NdK
On 14/12/2011 14:06, anna-karin.bur...@bjurholm.se wrote: At this school I am working we are setting up a wireless network. What would be the best way to set up the system to this network? How should we log in to Samba? What should I consider. The wireless system has already been

[Samba] Error accessing others domains in forest

2012-02-23 Thread NdK
Hello all. After last update (from winbind-3.5.3 and krb5-1.8.1 to winbind-3.5.10 and krb5-1.9.1) users from a trusted domain can't authenticate any more. Machines are joined to domain PERSONALE, and users from domain STUDENTI aren't recognized. Domains are handled by W2k8 or W2k8r2 (I have no

Re: [Samba] A couple of quick questions

2012-02-23 Thread NdK
On 20/02/2012 17:20, Daniel Patrick Sullivan wrote: The first is; 1) Is it possible to deterministically set the domain name that will be used when the winbind use default domain = Yes option is configured in /etc/samba/smb.conf? I want to set a default domain, however I do not want

Re: [Samba] Error accessing others domains in forest

2012-02-27 Thread NdK
On 23/02/2012 15:36, NdK wrote: Hi all. No one has an idea? I'm still banging my head against the wall (and some cracks in the concrete are becoming quite large...). After last update (from winbind-3.5.3 and krb5-1.8.1 to winbind-3.5.10 and krb5-1.9.1) users from a trusted domain can't

Re: [Samba] Can ntlm_auth version 3.5.10 be used to perform ntlmv2 authentication against a w2008 DC?

2012-03-02 Thread NdK
On 01/03/2012 22:09, Glenn Machin wrote: I am using freeradius2 which then calls ntlm_auth passing the nt-response and challenge generated as part of the peap mschapv2 exchange. However it does not seem to want to work. The version of samba I am using is samba3x-3.5.10. I've recently

Re: [Samba] Can ntlm_auth version 3.5.10 be used to perform ntlmv2 authentication against a w2008 DC?

2012-03-03 Thread NdK
On 03/03/2012 08:04, Andrew Bartlett wrote: I've recently setup a Squeeze box with FR and samba. Have had to use backports repo since 3.5.6 didn't work and (IIRC) even 3.5.10 gave troubles. Upgrading to 3.5.11 solved. The big issue here is that MSCHAPv2 is not NTLMv2. It is only a

Re: [Samba] Samba4 how to remove a machine from the domain

2012-03-09 Thread NdK
On 08/03/2012 15:47, steve wrote: How do I remove a machine which is no longer connected to the domain? e.g. it has been stolen or just moved without having unjoined before. I want to be able to replace the machine with a new box with same hostname. Join another machine w/ the same

Re: [Samba] Domain users are loosing there groups after some time.

2012-03-16 Thread NdK
On 16/03/2012 11:39, Benedikt Schindler wrote: did you also have trusted domains? Maybe it is a problem with the trusted domains. i found these lines in my log. I don't know if they are connected to our problem: Well, I can't even authenticate users from trusted domains (I get domain is

Re: [Samba] Samba4 high cpu load[SOLVED]

2012-04-05 Thread NdK
On 05/04/2012 09:39, steve wrote: Are we losing anything (on a server) by not having the stuff we've removed? I don't think so. Yes: the ability to use a TPM (or other HW keystore like smartcards) as the private key store -- if your server gets compromised, all the keys/certs on it must be

[Samba] Restricting access to [homes]

2012-04-12 Thread NdK
Hi all. Is it just me or is there no way to restrict access to the [homes] share to members of an AD group? Or is it treated like an ordinary Unix group via Winbind mapping? If I use valid users = %S (to give access to the home only to the owner), every domain user (worse: every user in any trusted

Re: [Samba] Preventing brute force password attacks

2012-04-18 Thread NdK
On 17/04/2012 22:50, Robert Heller wrote: What *exactly* do you want to accomplish here? Do you really want to ban machines on your LAN from accessing your (office) server? Not a bad idea. In the good old times, a firewall was enough to keep bad guys out. But now you can find you're