RE: [Samba] Winbind and groups

2007-12-11 Thread simo
You are welcome :-)

On Tue, 2007-12-11 at 11:51 -0600, Ben Vaughan wrote:
 And the correct answer is...
 
 Using a valid users line that looks like this:
 
  Valid users = +DOMAIN\group
 
 Many thanks to irda on the #samba IRC channel.
 
 Ben
 
 
 Ben Vaughan
 Globalcom IT Infrastructure Support Team
 [EMAIL PROTECTED]
 312 673 4116
 
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Vaughan
 Sent: Tuesday, December 11, 2007 10:30 AM
 To: samba@lists.samba.org
 Subject: [Samba] Winbind and groups
 
 Hello Friendly Samba People,
 
 I have a working samba install that allows my AD users access to files on my 
 linux box.  The linux box is configured via Winbind as a domain member and 
 uses Winbind as the local NSS.  I can successfully resolve both users and 
 groups from the AD.  Users are currently able to access the samba shares 
 without trouble.
 
 I am running into trouble when trying to use groups defined in the AD as 
 valid users or ACLs on the linux box.
 
 Smb.conf:
 [global]
   security = ADS
   realm = CORP.CALLGLOBALCOM.COM
   workgroup = CORP
   log file = /var/log/samba/%m
   log level = 2
 
   #winbind / AD stuff
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = Yes
   winbind expand groups = 2
   winbind nss info = rfc2307
   winbind nested groups = Yes
   idmap uid range = 1000 - 3000
   idmap gid range = 100 - 3000
   idmap domains = CORP
   idmap config CORP:backend = ad
   idmap config CORP:default = yes
   idmap config CORP:readonly = yes
 
 [homes]
 
 [sysadmins]
   path = /tmp
   writeable = yes
   comment = Globalcom Sysadmins share
   valid users = @gc_sysadmins
   create mask = 0775
   directory mask = 0775
 
 # getent group gc_sysadmins
 gc_sysadmins:*:10001:bvaughan
 
 # getent passwd bvaughan
 bvaughan:*:1812:100:Ben Vaughan, IT Systems Overlord:/home/bvaughan:/bin/bash
 
 When trying to access the [sysadmins] share defined as above, samba logging 
 says this:
 
 user 'CORP\bvaughan' (from session setup) not permitted to access this share 
 (sysadmins)
 
 
 I see the disconnect, the CORP\bvaughan that samba sees here, vs the 
 bvaughan seen in the group entry.  Is there a way to make these two come 
 together so the valid users= line works?
 
 I am running samba version 3.0.25b-1.el5_1.4 as provided by RedHat.
 
 Any help would be appreciated.
 
 Ben
 
 
 
 Ben Vaughan
 Globalcom IT Infrastructure Support Team
 [EMAIL PROTECTED]
 312 673 4116
 
 --
 
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/listinfo/samba
-- 
Simo Sorce
Samba Team GPL Compliance Officer [EMAIL PROTECTED]
Senior Software Engineer at Red Hat Inc. [EMAIL PROTECTED]



[Fc6] was: Re: [Samba] [SECURITY] Buffer overrun in send_mailslot()

2007-12-10 Thread simo
Fedora 7 and 8 packages are being released but as you may know FC6 has
reached EOL just recently.

As I think this is an important security problem I decided to release
new packages for FC6 so that people that have not yet finished their
migration to newer supported Fedora releases can buy some more time.

This is a one off service I felt compelled to release to help people, I
am not going to do regular releases for FC6.

Packages here:
http://simo.fedoraproject.org/samba

Simo.


On Mon, 2007-12-10 at 07:49 -0600, Gerald (Jerry) Carter wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 ==
 ==
 == Subject: Boundary failure in GETDC mailslot
 ==  processing can result in a buffer overrun
 ==
 == CVE ID#: CVE-2007-6015
 ==
 == Versions:   Samba 3.0.0 - 3.0.27a (inclusive)
 ==
 == Summary: Specifically crafted GETDC mailslot requests
 ==  can trigger a boundary error in the domain
 ==  controller GETDC mail slot support which
 ==  can be remotely exploited to execute arbitrary
 ==  code.
 ==
 ==
 
 ===
 Description
 ===
 
 Secunia Research reported a vulnerability that allows for
 the execution of arbitrary code in nmbd.  This defect can
 only be exploited when the domain logons parameter has
 been enabled in smb.conf.
 
 
 ==
 Patch Availability
 ==
 
 A patch addressing this defect has been posted to
 
   http://www.samba.org/samba/security/
 
 Additionally, Samba 3.0.28 has been issued as a security
 release to correct the defect.
 
 
 ==
 Workaround
 ==
 
 Samba administrators may avoid this security issue by disabling
 both the domain logons options in the server's smb.conf file.
 Note that this will disable all domain controller features as
 well.
 
 
 ===
 Credits
 ===
 
 This vulnerability was reported to Samba developers by
 Alin Rad Pop, Secunia Research.
 
 The time line is as follows:
 
 * Nov 22, 2007: Initial report to [EMAIL PROTECTED]
 * Nov 22, 2007: First response from Samba developers confirming
   the bug along with a proposed patch.
 * Dec 10, 2007: Public security advisory made available.
 
 
 ==
 == Our Code, Our Bugs, Our Responsibility.
 == The Samba Team
 ==
 
 
-- 
Simo Sorce
Samba Team GPL Compliance Officer [EMAIL PROTECTED]
Senior Software Engineer at Red Hat Inc. [EMAIL PROTECTED]
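
The advisory quoted above gives an affected range (Samba 3.0.0 - 3.0.27a) and a precondition (the domain logons parameter enabled). As an added example, not part of the advisory or of any Samba tool, this Python script checks a host's version string and smb.conf text against both. Assumptions: the sample configurations are constructed, include directives and line continuations are not followed, and a distribution package may carry a backported fix under an unchanged upstream version, so `testparm -s` output and the vendor changelog remain authoritative.

```python
import re

# Range and precondition as stated in the advisory (CVE-2007-6015).
AFFECTED_MIN = "3.0.0"
AFFECTED_MAX = "3.0.27a"

# Accepts "3.0.27a", "3.0.25b-1.el5_1.4" or "Version 3.0.28"; the optional
# letter is the Samba patch-release suffix, anything after it is packaging.
_VERSION_RE = re.compile(
    r"^(?:Version\s+)?(\d+)\.(\d+)\.(\d+)([a-z]?)(?![a-z0-9])")

# Boolean spellings treated as "enabled" (assumed list, erring towards reporting).
_TRUE = {"yes", "true", "1", "on"}


def parse_version(text):
    """Return (major, minor, patch, letter); raise ValueError if unrecognised."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Samba version: %r" % text)
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def in_affected_range(version):
    """True when the upstream version lies inside the advisory's range."""
    v = parse_version(version)
    # Tuple comparison orders "" before "a", so 3.0.27 < 3.0.27a < 3.0.28.
    return parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)


def global_params(conf_text):
    """Collect [global] parameters as {normalised name: value}."""
    params = {}
    section = "global"  # lines before the first header are treated as global
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        # Samba ignores case and whitespace inside parameter names.
        params["".join(name.split()).lower()] = value.strip()
    return params


def assess(version, conf_text):
    """Combine the version check with the 'domain logons' precondition."""
    affected = in_affected_range(version)
    value = global_params(conf_text).get("domainlogons", "no")  # default is No
    logons = value.lower() in _TRUE
    if affected and logons:
        status = "exposed"
    elif affected:
        status = "affected-version-logons-off"
    else:
        status = "not-in-affected-range"
    return {"version_affected": affected, "domain_logons": logons,
            "status": status}


# Constructed sample: a domain controller configuration.
PDC_CONF = """
[global]
   workgroup = WORKGROUP
   security = user
   domain master = yes
   Domain Logons = Yes
[netlogon]
   path = /var/lib/samba/netlogon
"""

# Constructed sample: a domain member; the commented-out line and the
# parameter placed in a share section must both be ignored.
MEMBER_CONF = """
[global]
   security = ADS
   workgroup = CORP
;  domain logons = yes
[sysadmins]
   domain logons = yes
"""

if __name__ == "__main__":
    for label, version, conf in (
            ("pdc", "3.0.27", PDC_CONF),
            ("member", "3.0.25b-1.el5_1.4", MEMBER_CONF),
            ("patched pdc", "Version 3.0.28", PDC_CONF)):
        print(label, assess(version, conf))
```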


Re: [Fc6] was: Re: [Samba] [SECURITY] Buffer overrun in send_mailslot()

2007-12-10 Thread simo
Apologies, the correct URL is:
http://simo.fedorapeople.org/samba/

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer [EMAIL PROTECTED]
Senior Software Engineer at Red Hat Inc. [EMAIL PROTECTED]



Re: [Samba] Can not add a new NT Workstation to a new (vampired) samba domain

2007-12-10 Thread simo

On Mon, 2007-12-10 at 07:17 -0700, Stephen Vermeulen wrote:
 I was using the Administrator user name, and I was able to log into
 the BUTLER domain on another Windows box as the Administrator and
 access the file share on the samba box and create new files in the
 folder owned by Administrator.
 
 I googled this for a bit last night and found quite a few references
 to this error, but nothing really conclusive.
 
 Any suggestions?

Raise your log level and make sure your machine add script is indeed
working properly (also make sure you do not have nscd running, or make
it so that add * script scripts you have properly tell nscd to refresh
their status as nscd does negative caching too).

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer [EMAIL PROTECTED]
Senior Software Engineer at Red Hat Inc. [EMAIL PROTECTED]



Re: [Samba] time server = yes

2007-12-06 Thread simo

On Thu, 2007-12-06 at 10:34 -0600, Adam Williams wrote:
 I want my XP clients to update their clocks from my samba server.  I 
 have time server = yes in smb.conf, and running ntpd on the server, but 
 my clients aren't updating their clocks.  I tried running the command 
 manually logged in as a domain user:
 
 net time /setsntp:10.8.2.3
 
 but it just says System error 5 has occurred.  Access is denied. 
 
 Any ideas?

Setting the clock is generally a privileged operation. You can manually
set it only if you have the right privileges locally on the machine
(admin has them but there are registry settings somewhere to relax the
constraint for normal users iirc).

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer [EMAIL PROTECTED]
Senior Software Engineer at Red Hat Inc. [EMAIL PROTECTED]



[SCM] Samba Shared Repository - branch v3-2-test updated - initial-v3-2-unstable-504-g78581ad

2007-12-05 Thread Simo Sorce
The branch, v3-2-test has been updated
   via  78581ad070dd6e1886dd2094cf75ebebbb83d9a6 (commit)
   via  1b133d111596f7fb6a42e526ab69f621df97956a (commit)
   via  05bca093d107609f236928f338e2512a628c2c91 (commit)
   via  705f06a0315df83071b799fc77ecf20510a5a1ac (commit)
   via  f802db70b8675df43fba892986203bbeac2d02f8 (commit)
  from  66e7e30b13bc6904f20a1b4277143c63f8beec83 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test


- Log -
commit 78581ad070dd6e1886dd2094cf75ebebbb83d9a6
Merge: 1b133d111596f7fb6a42e526ab69f621df97956a 
66e7e30b13bc6904f20a1b4277143c63f8beec83
Author: Simo Sorce [EMAIL PROTECTED]
Date:   Wed Dec 5 17:55:50 2007 -0500

Merge branch 'v3-2-test' of ssh://git.samba.org/data/git/samba into v3-2-simo

commit 1b133d111596f7fb6a42e526ab69f621df97956a
Merge: 05bca093d107609f236928f338e2512a628c2c91 
71770b4c1d021d829deeb53a6ea3b747fce55c84
Author: Simo Sorce [EMAIL PROTECTED]
Date:   Wed Dec 5 17:54:50 2007 -0500

Merge commit 'origin/v3-2-test' into v3-2-simo

commit 05bca093d107609f236928f338e2512a628c2c91
Author: Simo Sorce [EMAIL PROTECTED]
Date:   Wed Dec 5 17:54:09 2007 -0500

Fix warning

commit 705f06a0315df83071b799fc77ecf20510a5a1ac
Author: Igor Mammedov [EMAIL PROTECTED]
Date:   Wed Dec 5 18:23:39 2007 +0300

* helper source for handling cifs kernel module upcall for kerberos
authorization
* Added -c option to set service prefix to cifs in service principal by
default service prefix host is used
* replaced malloc/free/strncpy with replacements from samba project

Signed-off-by: Igor Mammedov [EMAIL PROTECTED]

commit f802db70b8675df43fba892986203bbeac2d02f8
Author: Igor Mammedov [EMAIL PROTECTED]
Date:   Wed Dec 5 18:21:29 2007 +0300

* Adds support for cifs.spnego helper into configure and Makefile.in

* Added checks for spnego prereq keyutils.h and kerberos in configure.in

Signed-off-by: Igor Mammedov [EMAIL PROTECTED]

---

Summary of changes:
 source/Makefile.in  |   20 +++-
 source/client/cifs.spnego.c |  301 +++
 source/client/cifs_spnego.h |   46 +++
 source/configure.in |   42 ++
 4 files changed, 406 insertions(+), 3 deletions(-)
 create mode 100644 source/client/cifs.spnego.c
 create mode 100644 source/client/cifs_spnego.h


Changeset truncated at 500 lines:

diff --git a/source/Makefile.in b/source/Makefile.in
index 532290c..a204ee7 100644
--- a/source/Makefile.in
+++ b/source/Makefile.in
@@ -170,7 +170,7 @@ PATH_FLAGS = -DSMB_PASSWD_FILE=\$(SMB_PASSWD_FILE)\ \
 
 SBIN_PROGS = bin/[EMAIL PROTECTED]@ bin/[EMAIL PROTECTED]@ @SWAT_SBIN_TARGETS@ 
@EXTRA_SBIN_PROGS@
 
-ROOT_SBIN_PROGS = @CIFSMOUNT_PROGS@
+ROOT_SBIN_PROGS = @CIFSMOUNT_PROGS@ @CIFSSPNEGO_PROGS@
 
 BIN_PROGS1 = bin/[EMAIL PROTECTED]@ bin/[EMAIL PROTECTED]@ bin/[EMAIL 
PROTECTED]@ \
bin/[EMAIL PROTECTED]@ bin/[EMAIL PROTECTED]@ bin/[EMAIL PROTECTED]@
@@ -745,6 +745,8 @@ CIFS_MOUNT_OBJ = client/mount.cifs.o
 
 CIFS_UMOUNT_OBJ = client/umount.cifs.o
 
+CIFS_SPNEGO_OBJ = client/cifs.spnego.o
+
 NMBLOOKUP_OBJ = utils/nmblookup.o $(PARAM_OBJ) $(LIBNMB_OBJ) $(RPC_PARSE_OBJ1) 
$(DOSERR_OBJ) \
$(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(SECRETS_OBJ) 
$(LIBSAMBA_OBJ)
 
@@ -1202,6 +1204,11 @@ bin/[EMAIL PROTECTED]@: $(BINARY_PREREQS) 
$(CIFS_UMOUNT_OBJ)
@echo Linking $@
@$(CC) $(FLAGS) -o $@ $(CIFS_UMOUNT_OBJ) $(DYNEXP) $(LDFLAGS)
 
+bin/[EMAIL PROTECTED]@: $(BINARY_PREREQS) $(CIFS_SPNEGO_OBJ) 
$(LIBSMBCLIENT_OBJ)
+   @echo Linking $@
+   @$(CC) $(FLAGS) -o $@ $(CIFS_SPNEGO_OBJ) $(DYNEXP) $(LDFLAGS) 
-lkeyutils $(LIBS) \
+   $(LIBSMBCLIENT_OBJ) $(KRB5LIBS) $(LDAP_LIBS)
+
 bin/[EMAIL PROTECTED]@: $(BINARY_PREREQS) $(TESTPARM_OBJ) @BUILD_POPT@
@echo Linking $@
@$(CC) $(FLAGS) -o $@ $(TESTPARM_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) 
$(LDAP_LIBS) @POPTLIBS@
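Review bot: In the new cifs.spnego link rule, -lkeyutils is hard-coded on the command line and $(LIBSMBCLIENT_OBJ) is listed after $(LIBS). Take the keyutils flag from a configure-substituted variable so a non-default library location still links, and put the object files ahead of the libraries they depend on, as the neighbouring rules do (objects first, then $(LDFLAGS) $(DYNEXP) $(LIBS)).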
@@ -1729,7 +1736,7 @@ bin/[EMAIL PROTECTED]@: script/tests/timelimit.o
@echo Linking $@
@$(CC) $(FLAGS) -o $@ $(DYNEXP) script/tests/timelimit.o
 
-install: installservers installbin @INSTALL_CIFSMOUNT@ installman 
installscripts installdat installmodules @SWAT_INSTALL_TARGETS@ 
@INSTALL_LIBSMBCLIENT@ @INSTALL_PAM_MODULES@ @INSTALL_LIBSMBSHAREMODES@
+install: installservers installbin @INSTALL_CIFSMOUNT@ @INSTALL_CIFSSPNEGO@ 
installman installscripts installdat installmodules @SWAT_INSTALL_TARGETS@ 
@INSTALL_LIBSMBCLIENT@ @INSTALL_PAM_MODULES@ @INSTALL_LIBSMBSHAREMODES@
 
 
 install-everything: install installmodules
@@ -1755,6 +1762,10 @@ installcifsmount: @CIFSMOUNT_PROGS@
@$(SHELL) $(srcdir)/script/installdirs.sh $(INSTALLPERMS_BIN) 
$(DESTDIR) $(ROOTSBINDIR)
@$(SHELL) script/installbin.sh $(INSTALLPERMS_BIN) $(DESTDIR) $(prefix) 
$(ROOTSBINDIR) @CIFSMOUNT_PROGS

Re: [Samba] Windows clients losing connection to Samba 3.0.27 PDC on FC7 i386

2007-11-29 Thread simo
First of all update to 3.0.27a, 3.0.27 had a regression in the security
fix that prompted that release.

Simo.

On Tue, 2007-11-27 at 12:46 -0500, Rubin Bennett wrote:
 Hello all...
 
 I have a site of about 50 pcs connected to a Samba domain controller.
 The domain has been running flawlessly for several years through several
 upgrades, and the last one (From Fedora Core 4/ Samba 3.0.23a to FC7/
 Samba 3.0.27) seems to have caused something to come unglued.
 
 The Workstations are periodically booting up in the morning and being
 unable to contact the domain controller.  The Samba server is giving
 failed authentication errors for the workstation itself (not the
 username/ password) in log.{workstation}.
 
 The upgrade was done nearly a month ago, and roughly 1/2 of the
 workstations in the network were unable to connect the following
 morning.  It happened again last week and about 10 more workstations
 were affected.  And it happened again today, where 1 workstation and a
 member server (Win2003r2) lost their credentials.  This time it was a
 really bad deal because the member server runs an application that is
 mission critical and therefore no one was able to work until it was
 fixed.
 
 In all cases, the users are able to log in by disconnecting their
 network cable and rebooting, then logging in with the cached credentials
 on the workstations.  Reconnecting the NIC after login allowed the users
 to connect to network resources on the Samba PDC, and work until a
 reboot.  A 'permanent' fix is to unjoin the PC from the domain and
 rejoin again.
 
 I had assumed that the issue was caused by the upgrade somehow, and that
 once every system had been re-joined it would go away.  However, the
 workstation from this morning had been unjoined and rejoined once before
 and now I fear that the issue will keep cropping up all over the place.
 
 Ideas, suggestions, flames?  I've copied my smb.conf below for your
 review as well.
 
 Thanks very much in advance,
 Rubin
 
 /etc/samba/smb.conf
 [global]
   workgroup = WORKGROUP
   netbios name = Server
   server string = Network File Server
   printcap name = cups
   enable privileges = yes
   load printers = yes
   printcap cache time = 60
   printing = cups
   keepalive = 1
   log file = /var/log/samba/log.%m
   max log size = 50
 
   log level = 3
   security = user
   encrypt passwords = Yes
   map to guest = bad user
   os level = 65
   domain master = yes
   preferred master = yes
   passdb backend = tdbsam
 
   pam password change = yes
   socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
   add machine script = /usr/sbin/useradd -d /dev/null -g 200
 -s /bin/false -M  %u
 
   oplocks = no
   level2 oplocks = no
   domain logons = Yes
   logon script = login%G.bat
   logon drive = Z:
   logon home = \\server\%U
   logon path = \\server\profiles\%U
   wins support = Yes
   name resolve order = wins hosts bcast
   hide unreadable = Yes
 
 # Added in an attempt to fix broken tdbsam backend...
   idmap uid = 1-2
   idmap gid = 1-2
 
   dns proxy = yes
 
 # Share Definitions
 ==
 [homes]
   comment = Home Directories
   create mask = 0700
   directory mask = 0700
   browseable = No
   writable = yes
 
 [netlogon]
   comment = Netlogon Scripts
   path = /var/lib/samba/netlogon
   comment = Network Logon Service
   path = /var/lib/samba/netlogon
   guest ok = yes
   writable = no
 
 [printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
   guest ok = yes
   writable = no
   printable = yes
   create mode = 0700
   ;print command = lpr-cups -P %p -o raw %s -r
   use client driver = yes
 
 [print$]
   path = /var/lib/samba/printers
   read only = yes
   browseable = yes
   force group = noyle
   write list = @noyle root
   guest ok = yes
   inherit permissions = yes
 
 [profiles]
   path = /var/lib/samba/profiles
   browseable = no
   read only = No
   guest ok = yes
   writable = yes
   create mask = 0600
   directory mask = 0700
   root preexec = PROFILE='/var/lib/samba/profiles/%u'; if [ ! -e
 $PROFILE ]; \
 then mkdir -pm700 $PROFILE; chown '%u':'%g' $PROFILE;fi
 
 
-- 
Simo Sorce
Samba Team GPL Compliance Officer [EMAIL PROTECTED]
Senior Software Engineer at Red Hat Inc. [EMAIL PROTECTED]



[SCM] Samba Shared Repository - branch v3-0-test updated - initial-v3-0-unstable-30-g9acd56a

2007-11-20 Thread Simo Sorce
The branch, v3-0-test has been updated
   via  9acd56a247abdc1334fa011063940db6e0d65370 (commit)
  from  21e6405e0ca811fc5c74441c38f059ff41dc0c42 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-0-test


- Log -
commit 9acd56a247abdc1334fa011063940db6e0d65370
Author: Simo Sorce [EMAIL PROTECTED]
Date:   Tue Nov 20 18:19:54 2007 -0500

32/64 bit compatibility fix
this patch fixes platform where 32 and 64 bit apps can run at the same time
fixed in and tested in Fedora: 
https://bugzilla.redhat.com/show_bug.cgi?id=253036

---

Summary of changes:
 source/nsswitch/winbindd.c |4 ++--
 source/nsswitch/winbindd_nss.h |2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/nsswitch/winbindd.c b/source/nsswitch/winbindd.c
index 34f04ad..9bbc0f0 100644
--- a/source/nsswitch/winbindd.c
+++ b/source/nsswitch/winbindd.c
@@ -540,8 +540,8 @@ static void request_len_recv(void *private_data, BOOL 
success)
}
 
if (*(uint32 *)(state-request) != sizeof(state-request)) {
-   DEBUG(0,(request_len_recv: Invalid request size received: 
%d\n,
-*(uint32 *)(state-request)));
+   DEBUG(0,(request_len_recv: Invalid request size received: %d 
(expected %d)\n,
+*(uint32 *)(state-request), sizeof(state-request)));
state-finished = True;
return;
}
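Review bot: The new DEBUG call in request_len_recv passes sizeof(state->request) to a %d conversion; sizeof yields a size_t, which is wider than int on 64-bit builds, the very case this commit is about. Cast the argument, e.g. (int)sizeof(state->request), so the log line prints the right value on both ABIs and the compiler's format check stays quiet.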
diff --git a/source/nsswitch/winbindd_nss.h b/source/nsswitch/winbindd_nss.h
index b6c262e..135849a 100644
--- a/source/nsswitch/winbindd_nss.h
+++ b/source/nsswitch/winbindd_nss.h
@@ -319,7 +319,7 @@ struct winbindd_request {
   The size is the sizeof the union without the padding aligned 
on 
   an 8 byte boundary.   --jerry */
 
-   char padding[1560];
+   char padding[1800];
} data;
union {
SMB_TIME_T padding;
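Review bot: Changing padding from 1560 to 1800 in struct winbindd_request changes the size of the request on the wire, and request_len_recv rejects any request whose length field differs from its own sizeof, so a client library built before this change cannot talk to a winbindd built after it, and vice versa. The change should come with a bump of the winbind interface version, and the comment above the array, which ties the number to the union size rounded to an 8 byte boundary, should say how 1800 was derived; a compile-time size check on the struct would keep the constant from drifting again.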


-- 
Samba Shared Repository


Re: [Samba] 3.0.27a out monday.

2007-11-18 Thread simo
Jeremy I found three calls to srvstr_push() in sessetup.c that still
use -1.
Is this an oversight? Or was it intentional?

Simo.


On Fri, 2007-11-16 at 12:01 -0800, Jeremy Allison wrote:
 On Fri, Nov 16, 2007 at 10:49:47AM -0800, Jeremy Allison wrote:
  Just spoke to Jerry, we'll be doing
  a 3.0.27a on Monday to fix a regression
  that broke smbfs mounts from Linux.
  
  Sorry for the problem.
 
 Here's the fix for smbfs + 3.0.27.
 
 Jeremy.
 -- 
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/listinfo/samba
-- 
Simo Sorce
Samba Team GPL Compliance Officer [EMAIL PROTECTED]
Senior Software Engineer at Red Hat Inc. [EMAIL PROTECTED]



RE: [Samba] Will this binary work on solaris x86?

2007-11-16 Thread simo
Mark,
you can't run sparc binaries on an x86.
You need x86 binaries.

Simo.

On Fri, 2007-11-16 at 15:19 -0800, Morimoto, Mark K wrote:
 I am attaching this to the previous email.  This is the error I get when
 trying to start up samba.
 
 Does this mean I am trying to run this binary on an x86 platform?
  
 # ./samba start 
 ./samba: /opt/samba/sbin/smbd: cannot execute 
 Samba daemon starting 
 ./samba: /opt/samba/sbin/nmbd: cannot execute 
 NetBIOS daemon starting 
 
 
 -Original Message-
 From: Morimoto, Mark K 
 Sent: Friday, November 16, 2007 1:02 PM
 To: samba@lists.samba.org
 Subject: [Samba] Will this binary work on solaris x86?
 
  samba-3.0.23b-1-noads-sunos5.9-sparc.pkg.gz 
 
 This is the current binary from samba.org.
 
 The file name includes sparc so I am not sure this will run on an x86
 platform of solaris?
 
 Mark
 --
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/listinfo/samba
-- 
Simo Sorce
Samba Team GPL Compliance Officer [EMAIL PROTECTED]
Senior Software Engineer at Red Hat Inc. [EMAIL PROTECTED]



Re: [Samba] Maximum number of files per folder

2007-11-12 Thread simo

On Mon, 2007-11-12 at 17:39 -0800, Jeremy Allison wrote:
 On Mon, Nov 12, 2007 at 08:24:05AM +0100, [EMAIL PROTECTED] wrote:
  
  Hello list,
  
  we have a small NAS-Box here in our office, running Linux 2.6.13 and
  Samba 3 (exactly version string is not available for me at moment).
  
  Is there a limit, how many files samba will store in one folder? We
  recognize a massive CPU-Load of the smbd-process, when accessing a
  folder which stores round about 60 000 small text-files.
  
  Is this a samba-Limit or a bug? The kernel and samba is compiled by the
  NAS-manufacturer, so no compiler-options are available for me.
 
 There are no hard coded limits, only what the OS restricts.
 However, storing large numbers of files in a folder is a bad
 idea unless Samba is set up specially to do this. See here :
 
 http://us1.samba.org/samba/ftp/HOWTO/Samba-LargeDirectory-HOWTO
 
 for details.

IIRC ext3 has a (compile time changeable) limit of 32k files per dir by
default ...

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer [EMAIL PROTECTED]
Senior Software Engineer at Red Hat Inc. [EMAIL PROTECTED]



Re: [Samba] Re: tdb search optimization

2007-11-09 Thread simo

On Fri, 2007-11-09 at 21:07 +, Bruno Gomes Pessanha wrote:
  You might try to do a tdbbackup -n 1 ntprinters.tdb
 
 But, this makes tdb bigger, right?

Yes

 Sorry, but I didn't understand why increasing
 the hash would make search operations faster.

Should make a lot less collisions, therefore each search should have
more probability to be fulfilled with one lookup without needing to
walk down a list of matches that have the same hash.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer [EMAIL PROTECTED]
Senior Software Engineer at Red Hat Inc. [EMAIL PROTECTED]



Re: [Samba] Jonathan Parr presents www.libeldefense.com

2007-11-02 Thread simo
Self subscribing spam bot :-(

Simo.

On Fri, 2007-11-02 at 11:33 +0100, Per Qvindesland wrote:
 Ok I am blond I know that, but could someone please tell me what the 
 heck this got to do with Samba?
 
 Tommy Lee wrote:
  www.libeldefense.com
 
  Without doubt, MP3 on the Internet is a phenomenon. Napster alone is now
  credited with more than 10 million users. There are plenty of smaller sites
  offering hundreds of MP3s, and big traffic in MP3 exchanges through ICQ,
  IRC, Freenet and other Internet formats.
 
  But MP3s do have a tiny problem with legality. Many of the most sought after
  files are illegal, they're rip-off from CDs without the copyright holder's
  permission. Once you start dealing with truly legal MP3's you're diving into
  a mixed bag of mediocre and plain poor music that probably couldn't make
  money anyway, so may as well be given away.
 
  This theft of copyright is a genuine weakness in MP3 life, and a moral
  weakness too. After all, as Bruce Morris points out in
  http://www.libeldefense.com/Streaming's Gonna Kick MP3
  Butthttp://www.libeldefense.com/,
  musicians need to eat and pay mortgages like everybody else. If they can't
  get paid they'll have to put down their guitars and go back to accountancy
  or driving freight trains.
 
 

 
-- 
Simo Sorce
Samba Team GPL Compliance Officer [EMAIL PROTECTED]
Senior Software Engineer at Red Hat Inc. [EMAIL PROTECTED]



Re: [Samba] Promoting Samba BDC to PDC

2007-11-01 Thread simo

On Thu, 2007-11-01 at 10:04 -0700, Ivan Ordonez wrote:
 What we want to do in the coming days is to turn off and upgrade the
 PDC and promote one of the BDC to PDC and don't miss a beat.   I first
 stop slapd, slurpd and samba service on the PDC.  I then edit the
 smb.conf file of one of the BDC and make it a PDC.  I also added a new
 line which is security = user.

What does it mean you change security ??

What was it before?

Are you sure your Domain SIDs are aligned on all DCs ?

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer [EMAIL PROTECTED]
Senior Software Engineer at Red Hat Inc. [EMAIL PROTECTED]



[SCM] Samba Shared Repository - branch v3-2-test updated - initial-v3-2-unstable-132-g95cc019

2007-10-28 Thread Simo Sorce
The branch, v3-2-test has been updated
   via  95cc019af775a6ab28ea602ad767fa54d7c86197 (commit)
  from  2e92418a138bf2738b77b7e0fcb2fa37ad84fc0c (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test


- Log -
commit 95cc019af775a6ab28ea602ad767fa54d7c86197
Author: Volker Lendecke [EMAIL PROTECTED]
Date:   Sun Oct 28 11:58:26 2007 +0100

Enable vfs objects = /full/path/to/object.so

Right now I'm testing a vfs object. I can't right now in make test, because
vfs objects assumes the .so files to be in $libdir/vfs. This patch parses the
module name out of the object name in case it starts with /. The module name
is assumed to be the last path component's basename.

---

Summary of changes:
 source/smbd/vfs.c |   46 --
 1 files changed, 36 insertions(+), 10 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/smbd/vfs.c b/source/smbd/vfs.c
index b43f37e..e862710 100644
--- a/source/smbd/vfs.c
+++ b/source/smbd/vfs.c
@@ -44,6 +44,8 @@ static struct vfs_init_function_entry *backends = NULL;
 static struct vfs_init_function_entry *vfs_find_backend_entry(const char *name)
 {
struct vfs_init_function_entry *entry = backends;
+
+   DEBUG(10, (vfs_find_backend_entry called for %s\n, name));
  
while(entry) {
if (strcmp(entry-name, name)==0) return entry;
@@ -109,6 +111,7 @@ static inline void vfs_set_operation(struct vfs_ops * vfs, 
vfs_op_type which,
 bool vfs_init_custom(connection_struct *conn, const char *vfs_object)
 {
vfs_op_tuple *ops;
+   char *module_path = NULL;
char *module_name = NULL;
char *module_param = NULL, *p;
int i;
@@ -126,9 +129,9 @@ bool vfs_init_custom(connection_struct *conn, const char 
*vfs_object)
 
DEBUG(3, (Initialising custom vfs hooks from [%s]\n, vfs_object));
 
-   module_name = smb_xstrdup(vfs_object);
+   module_path = smb_xstrdup(vfs_object);
 
-   p = strchr_m(module_name, ':');
+   p = strchr_m(module_path, ':');
 
if (p) {
*p = 0;
@@ -136,31 +139,48 @@ bool vfs_init_custom(connection_struct *conn, const char 
*vfs_object)
trim_char(module_param, ' ', ' ');
}
 
-   trim_char(module_name, ' ', ' ');
+   trim_char(module_path, ' ', ' ');
+
+   module_name = smb_xstrdup(module_path);
+
+   if ((module_name[0] == '/') 
+   (strcmp(module_path, DEFAULT_VFS_MODULE_NAME) != 0)) {
+
+   /*
+* Extract the module name from the path. Just use the base
+* name of the last path component.
+*/
+
+   SAFE_FREE(module_name);
+   module_name = smb_xstrdup(strrchr_m(module_path, '/')+1);
+
+   p = strchr_m(module_name, '.');
+
+   if (p != NULL) {
+   *p = '\0';
+   }
+   }
 
/* First, try to load the module with the new module system */
if((entry = vfs_find_backend_entry(module_name)) || 
-  (NT_STATUS_IS_OK(smb_probe_module(vfs, module_name))  
+  (NT_STATUS_IS_OK(smb_probe_module(vfs, module_path)) 
(entry = vfs_find_backend_entry(module_name {
 
DEBUGADD(5,(Successfully loaded vfs module [%s] with the new 
modules system\n, vfs_object));

if ((ops = entry-vfs_op_tuples) == NULL) {
DEBUG(0, (entry-vfs_op_tuples==NULL for [%s] 
failed\n, vfs_object));
-   SAFE_FREE(module_name);
-   return False;
+   goto fail;
}
} else {
DEBUG(0,(Can't find a vfs module [%s]\n,vfs_object));
-   SAFE_FREE(module_name);
-   return False;
+   goto fail;
}
 
handle = TALLOC_ZERO_P(conn-mem_ctx,vfs_handle_struct);
if (!handle) {
DEBUG(0,(TALLOC_ZERO() failed!\n));
-   SAFE_FREE(module_name);
-   return False;
+   goto fail;
}
memcpy(handle-vfs_next, conn-vfs, sizeof(struct vfs_ops));
handle-conn = conn;
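
Review bot: The basename extraction in the new module_name[0] == '/' branch has no guard for a path that ends in a slash or for a file name with more than one dot. strrchr_m(module_path, '/')+1 on a value such as /full/path/ yields an empty module_name, and strchr_m(module_name, '.') cuts at the first dot, so /full/path/my.vfs.so is looked up as "my". Please reject an empty name before calling vfs_find_backend_entry() and consider cutting at the last dot instead. Also, smb_probe_module() now receives module_path while the second vfs_find_backend_entry() uses the derived name, so an object whose registered name differs from its file name is loaded and then reported as "Can't find a vfs module"; the vfs objects documentation should state that the two must match and that the path names a file smbd will load as code.
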
@@ -183,8 +203,14 @@ bool vfs_init_custom(connection_struct *conn, const char 
*vfs_object)
vfs_set_operation(conn-vfs, ops[i].type, handle, ops[i].op);
}
 
+   SAFE_FREE(module_path);
SAFE_FREE(module_name);
return True;
+
+ fail:
+   SAFE_FREE(module_path);
+   SAFE_FREE(module_name);
+   return False;
 }
 
 /*


-- 
Samba Shared Repository


Re: [SCM] Samba Shared Repository - branch v3-2-test updated - initial-v3-2-unstable-126-g25bbc9a

2007-10-27 Thread simo

On Fri, 2007-10-26 at 20:05 -0500, Jeremy Allison wrote:
 Ensure temporary memory is freed - pointed out by Li, Ying (ESG)
 [EMAIL PROTECTED].
 We aren't currently leaking memory, but are leaving it around for
 longer than we need to.
 Jeremy.

Thanks for pushing this Jeremy.
Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer [EMAIL PROTECTED]
Senior Software Engineer at Red Hat Inc. [EMAIL PROTECTED]



Re: [Samba] Question: backslash in file name

2007-10-25 Thread simo

On Thu, 2007-10-25 at 16:31 +0200, Chris Osicki wrote:
 Hi
 
 I have an application (Oracle DB) which writes files with a backslash in 
 names, i.e:
 
 Log\GEN_INPUT_BASED_2899.csv
 
 not a problem for Unix but Samba presents it to Windows users as:
 
 L2CYOP~L.CSV
 
 Is there any way _in Samba_ to strip this 'Log\' and give back to user the 
 GEN_INPUT_BASED_2899.csv part.
 
 The appliance (EMC Celerra) I've just migrated data from, was magically doing 
 this.
 
 Thanks for your time and any hint.

You could create (or ask someone to do it) a VFS module to mangle these
file names before they are passed internally to Samba, and change them
again when samba uses them.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer [EMAIL PROTECTED]
Senior Software Engineer at Red Hat Inc. [EMAIL PROTECTED]



Re: [Samba] Samba, AD and non AD Machines

2007-10-23 Thread simo

On Tue, 2007-10-23 at 14:42 -0700, Shawn Everett wrote:
 
 Based on the link you provided I'd suspect password server should be set
 to * or cluster (as the NetBIOS name) or a specific node...

Just don't set it, Samba is able to do all the discovery needed.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer [EMAIL PROTECTED]
Senior Software Engineer at Red Hat Inc. [EMAIL PROTECTED]



Re: [Samba] Samba hijack the connection?

2007-10-22 Thread simo

On Mon, 2007-10-22 at 11:19 +0700, Fajar Priyanto wrote:
 On Monday 22 October 2007 08:31:46 Fajar Priyanto wrote:
  Dear all,
  I have 2 domains: JUPITER.COM (Samba 3.0.23c - Centos5) and WIN.COM
  (Windows 2000 Adv Srv). I join a windows XP SP1 (MOON), first to Windows
  domain and then to Samba's.
 
  The problem is when I join the XP to Samba's and then try to logon to
  WIN.COM, the XP is instead logon to Samba, thus the username is not found.
  The DNS is not a problem, I set the DNS of the XP to Windows' DNS.
 
  Why does Samba still handle the logon request?
  One more info, if I then join the XP back to Windows' and then try to logon
  both to Samba and Windows, the logon process is OK.
 
  Any insight and comments are very welcome.
 
 From google I found this:
 http://www.5starsupport.com/xp-faq/1-102.htm
 
 Problem:
 
 In Windows XP Pro, is it possible to have multiple domains to login to? 
 Currently, I only have a single domain option. I would like be able to choose 
 from a list of domains when I login.
 
 Answer:
 
 In one word, no. A computer can only be part of a single domain. However, 
 multiple users from other trusted domains may have permissions to access 
 certain domains while still being logged in to their own domain. This is all 
 part of an Active Directory process.
 
 Is that true?

The correct answer is:

No, a windows machine can be part of only one domain, to be able to
login using credentials from multiple domains, the domain the machine is
joined to needs to trust the other domains. This is not limited to AD,
domain trusts exist since windows NT domains.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer [EMAIL PROTECTED]
Senior Software Engineer at Red Hat Inc. [EMAIL PROTECTED]



Re: [Samba] Samba hijack the connection?

2007-10-22 Thread simo

On Mon, 2007-10-22 at 11:36 +0700, Fajar Priyanto wrote:
 On Monday 22 October 2007 11:24:47 herman wrote:
 
  In Win XP, you can log into any one of a list of domains.  However, you
  cannot be logged into more than one at a time.
 
 Hello Herman,
 Thanks for the reply. No, I don't want to logon to more than one domain at a 
 time. 
 
 The reason why we need this is because we're in the migration process. There 
 is already a w2k domain (WIN) and then we setup a samba domain (Jupiter.com). 
 We migrate the users little by little by joining them to Jupiter.com. 
 However, there is a requirement when the management want they would still 
 able to logon back to WIN. This is when the error occurs.

Btw, usually it is better to avoid dots in netbios domain names ...

-- 
Simo Sorce
Samba Team GPL Compliance Officer [EMAIL PROTECTED]
Senior Software Engineer at Red Hat Inc. [EMAIL PROTECTED]



[SCM] Samba Shared Repository - branch v3-0-test updated - initial-v3-0-unstable-6-g5ec7b9f

2007-10-16 Thread Simo Sorce
The branch, v3-0-test has been updated
   via  5ec7b9f8b9941c1a0adcd10d52fdffc893c1b1a1 (commit)
  from  02cf5380e2deec1eaf10e8c1f393a1ddeee181d9 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-0-test


- Log -
commit 5ec7b9f8b9941c1a0adcd10d52fdffc893c1b1a1
Author: Simo Sorce [EMAIL PROTECTED]
Date:   Tue Oct 16 14:06:33 2007 -0400

Fix idmap for trusted domains only case

---

Summary of changes:
 source/nsswitch/idmap.c |3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/nsswitch/idmap.c b/source/nsswitch/idmap.c
index e2fa416..db1c6f3 100644
--- a/source/nsswitch/idmap.c
+++ b/source/nsswitch/idmap.c
@@ -389,7 +389,8 @@ NTSTATUS idmap_init(void)
continue;
}
 
-   if (strequal(dom_list[i], lp_workgroup())) {
+   if ((dom_list[i] != default_domain) 
+   strequal(dom_list[i], lp_workgroup())) {
pri_dom_is_in_list = True;
}
/* init domain */
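
Review bot: The new test dom_list[i] != default_domain compares pointers, not strings, which is easy to misread next to the strequal() call on the following line. If the intent is to skip only the entry that idmap_init() generated itself, say so in a comment at this line, because a configured domain with the same name as the workgroup is a different pointer and still sets pri_dom_is_in_list. The commit message would also benefit from one line on what failed in the trusted-domains-only case.
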


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch v3-2-test updated - initial-v3-2-unstable-57-g8c770c3

2007-10-16 Thread Simo Sorce
The branch, v3-2-test has been updated
   via  8c770c367c71d118651964fef63e2fd0fa4a05a5 (commit)
  from  5c8adce3f368d51a67d74ae168a0f59a20e1d64c (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test


- Log -
commit 8c770c367c71d118651964fef63e2fd0fa4a05a5
Author: Simo Sorce [EMAIL PROTECTED]
Date:   Tue Oct 16 14:16:03 2007 -0400

Fix default domains support using compat syntax.
Without this fix idmap_rid can't be used with the compatible syntax.
Includes fix to keep trusted domains working

---

Summary of changes:
 source/winbindd/idmap.c |   43 +--
 1 files changed, 29 insertions(+), 14 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/winbindd/idmap.c b/source/winbindd/idmap.c
index 2c7acc1..022a229 100644
--- a/source/winbindd/idmap.c
+++ b/source/winbindd/idmap.c
@@ -251,12 +251,6 @@ NTSTATUS idmap_close(void)
return NT_STATUS_OK;
 }
 
-/**
- Initialise idmap cache and a remote backend (if configured).
-**/
-
-static const char *idmap_default_domain[] = { default domain, NULL };
-
 /
  /
 
@@ -291,6 +285,7 @@ NTSTATUS idmap_init(void)
char *compat_backend = NULL;
char *compat_params = NULL;
const char **dom_list = NULL;
+   const char *default_domain = NULL;
char *alloc_backend = NULL;
BOOL default_already_defined = False;
BOOL pri_dom_is_in_list = False;
@@ -331,10 +326,6 @@ NTSTATUS idmap_init(void)
compat = 1;
 
compat_backend = talloc_strdup(idmap_ctx, *compat_list);
-   if (compat_backend == NULL ) {
-   ret = NT_STATUS_NO_MEMORY;
-   goto done;
-   }
 
/* strip any leading idmap_ prefix of */
if (strncmp(*compat_list, idmap_, 6) == 0 ) {
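
Review bot: The talloc_strdup() of *compat_list stays in place here while its NULL check is removed and only re-added after the prefix-stripping block in the next hunk. The v3-0-test version of this fix (b16e4e1, source/nsswitch/idmap.c, also on this page) removes the talloc_strdup() call at this spot as well. If the stripping block assigns compat_backend on both of its paths, this first copy is never used and stays allocated on idmap_ctx; drop it here too, or keep the check directly after the allocation it belongs to.
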
@@ -349,6 +340,11 @@ NTSTATUS idmap_init(void)
   *compat_list);
}
 
+   if (compat_backend == NULL ) {
+   ret = NT_STATUS_NO_MEMORY;
+   goto done;
+   }
+
/* separate the backend and module arguements */
if ((p = strchr(compat_backend, ':')) != NULL) {
*p = '\0';
@@ -365,7 +361,25 @@ NTSTATUS idmap_init(void)
}
 
if ( ! dom_list) {
-   dom_list = idmap_default_domain;
+   /* generate a list with our main domain */
+   char ** dl;
+
+   dl = talloc_array(idmap_ctx, char *, 2);
+   if (dl == NULL) {
+   ret = NT_STATUS_NO_MEMORY;
+   goto done;
+   }
+   dl[0] = talloc_strdup(dl, lp_workgroup());
+   if (dl[0] == NULL) {
+   ret = NT_STATUS_NO_MEMORY;
+   goto done;
+   }
+
+   /* terminate */
+   dl[1] = NULL;
+
+   dom_list = dl;
+   default_domain = dl[0];
}
 
/***
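
Review bot: dl is declared char ** but is assigned to dom_list, which the earlier hunk shows as const char **, so dom_list = dl needs a cast or dl should be declared const char ** to avoid an incompatible-pointer warning. On the dl[0] == NULL path the two-element array is left hanging off idmap_ctx; that is fine only if the done label releases the context, which deserves a short comment next to the goto.
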
@@ -386,7 +400,8 @@ NTSTATUS idmap_init(void)
continue;
}
 
-   if (strequal(dom_list[i], lp_workgroup())) {
+   if ((dom_list[i] != default_domain) 
+   strequal(dom_list[i], lp_workgroup())) {
pri_dom_is_in_list = True;
}
/* init domain */
@@ -407,10 +422,10 @@ NTSTATUS idmap_init(void)
   default, False);
 
if (dom-default_domain ||
-   strequal(dom_list[i], idmap_default_domain[0])) {
+   (default_domain  strequal(dom_list[i], default_domain))) {
 
/* make sure this is set even when we match
-* idmap_default_domain[0] */
+* default_domain */
dom-default_domain = True;
 
if (default_already_defined) {


-- 
Samba Shared Repository


Re: [SCM] Samba Shared Repository - branch v3-2-test updated - initial-v3-2-unstable-24-g016795c

2007-10-12 Thread simo
On Fri, 2007-10-12 at 16:07 +0200, Stefan (metze) Metzmacher wrote:
 
 that's wrong as a function is also possible, and now
 we have no correct string constant in version.h
 and version.c breaks:
 
 time for trying 'git revert g016795c' :-)

I had the impression you can't revert once pushed.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer [EMAIL PROTECTED]
Senior Software Engineer at Red Hat Inc. [EMAIL PROTECTED]



Re: [Samba] Samba/ADS Question

2007-10-11 Thread simo
On Thu, 2007-10-11 at 11:59 -0400, Chris Nighswonger wrote:
 I have successfully joined a Fedora7 client to a W2K AD domain.
 Everything thus far works as it should. All of my ADS members can log
 onto the machine, etc. However, when using Nautilus to browse the
 network, Windows shares are visible, but the user is always prompted
 for authentication regardless of the permissioning on the windows
 share. It appears that samba is using the guest account to attempt the
 access. I cannot seem to get Google to turn up anything significant on
 this one. Any help is appreciated.

Are you using pam_winbind to log in?
If so you can configure /etc/security/pam_winbind.conf to use krb5_auth
= yes and krb5_ccache_type = FILE, this would store your kerberos
credentials so that libsmbclient should be able to pick them up when
browsing servers and use them.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer [EMAIL PROTECTED]
Senior Software Engineer at Red Hat Inc. [EMAIL PROTECTED]



[SCM] Samba Shared Repository - branch v3-0-test updated

2007-10-11 Thread Simo Sorce
The branch, v3-0-test has been updated
   via  b16e4e16340eaa8d93651ba816937e8040b85e95 (commit)
  from  65229e966119f0b1537d258854a54105f32ae399 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-0-test

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -
commit b16e4e16340eaa8d93651ba816937e8040b85e95
Author: Simo Sorce [EMAIL PROTECTED]
Date:   Thu Oct 11 14:35:34 2007 -0400

Fix default domains support using compat syntax.
Without this fix idmap_rid can't be used with the compatible syntax.

---

Summary of changes:
 source/nsswitch/idmap.c |   42 +++---
 1 files changed, 27 insertions(+), 15 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/nsswitch/idmap.c b/source/nsswitch/idmap.c
index aa2e351..e2fa416 100644
--- a/source/nsswitch/idmap.c
+++ b/source/nsswitch/idmap.c
@@ -252,12 +252,6 @@ NTSTATUS idmap_close(void)
return NT_STATUS_OK;
 }
 
-/**
- Initialise idmap cache and a remote backend (if configured).
-**/
-
-static const char *idmap_default_domain[] = { default domain, NULL };
-
 /
  /
 
@@ -292,6 +286,7 @@ NTSTATUS idmap_init(void)
char *compat_backend = NULL;
char *compat_params = NULL;
const char **dom_list = NULL;
+   const char *default_domain = NULL;
char *alloc_backend = NULL;
BOOL default_already_defined = False;
BOOL pri_dom_is_in_list = False;
@@ -321,12 +316,6 @@ NTSTATUS idmap_init(void)
} else {
compat = 1;
 
-   compat_backend = talloc_strdup(idmap_ctx, *compat_list);
-   if (compat_backend == NULL) {
-   ret = NT_STATUS_NO_MEMORY;
-   goto done;
-   }
-
/* strip any leading idmap_ prefix of */
if (strncmp(*compat_list, idmap_, 6) == 0 ) {
q = *compat_list += 6;
@@ -340,6 +329,11 @@ NTSTATUS idmap_init(void)
*compat_list);
}
 
+   if (compat_backend == NULL) {
+   ret = NT_STATUS_NO_MEMORY;
+   goto done;
+   }
+
/* separate the backend and module arguements */
if ((p = strchr(compat_backend, ':')) != NULL) {
*p = '\0';
@@ -356,7 +350,25 @@ NTSTATUS idmap_init(void)
}
 
if ( ! dom_list) {
-   dom_list = idmap_default_domain;
+   /* generate a list with our main domain */
+   char ** dl;
+
+   dl = talloc_array(idmap_ctx, char *, 2);
+   if (dl == NULL) {
+   ret = NT_STATUS_NO_MEMORY;
+   goto done;
+   }
+   dl[0] = talloc_strdup(dl, lp_workgroup());
+   if (dl[0] == NULL) {
+   ret = NT_STATUS_NO_MEMORY;
+   goto done;
+   }
+
+   /* terminate */
+   dl[1] = NULL;
+
+   dom_list = dl;
+   default_domain = dl[0];
}
 
/***
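
Review bot: The generated list entry dl[0] is a copy of lp_workgroup(), so any later check in idmap_init() that compares dom_list[i] with lp_workgroup() now matches this synthetic entry as well. The follow-up commit 5ec7b9f on this branch (shown earlier on this page) has to add dom_list[i] != default_domain to the pri_dom_is_in_list test for exactly that reason; the two changes would be easier to review and to backport as one commit.
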
@@ -398,10 +410,10 @@ NTSTATUS idmap_init(void)
   default, False);
 
if (dom-default_domain ||
-   strequal(dom_list[i], idmap_default_domain[0])) {
+   (default_domain  strequal(dom_list[i], default_domain))) {
 
/* make sure this is set even when we match
-* idmap_default_domain[0] */
+* default_domain */
dom-default_domain = True;
 
if (default_already_defined) {


-- 
Samba Shared Repository


Re: [Samba] Sharing a shared folder

2007-10-09 Thread simo
On Tue, 2007-10-09 at 12:34 -0600, Brandon Pedersen wrote:
 Hey,
 
 So, I have a Linux server that is mounting a CIFS share. The server then
 shares that share to everyone else. My question is does having it routed
 this way cause a major slow down? Do the files need to be copied to the
 mediator server before going out to the device that is requesting the file?
 Or is it able to forward the request to the other server to grab the files
 directly from there?
 
 I am curious about this because we have a big imaging server with a whole
 bunch of images on it and we are setting up this new server and don't want
 to move all the images over, thus we just mounted the images directory on
 the new server.
 
 What would you do?

Use a DFS Root, and redirect clients.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer [EMAIL PROTECTED]
Senior Software Engineer at Red Hat Inc. [EMAIL PROTECTED]



Re: [Samba] Samba + LDAP

2007-10-08 Thread simo
On Mon, 2007-10-08 at 15:45 +0100, Ricardo Manuel Esteves (VI) wrote:
 Hi,
 
 I got samba 3.0.26a on my Fedora 7, and when i try to add users with
 smbpasswd -a username, it only works if the user exists as a linux
 user... i got a Centos 4.4 system with samba 3.0.10 and it  works even
 if the user doesn't exists on the system.
 
 Can anyone explain me why this happens? is it from this new version
 (3.0.26a) or may be a problem of 
 Fedora 7?

Always been like that since I can remember, and it is by design.
Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] numerous IPC$ connections

2007-10-08 Thread simo
On Mon, 2007-10-01 at 10:06 -0400, Mike Davis wrote:
 After upgrading to 3.0.26a and moving to linux my member 
 server gets hundreds of IPC$ connections when I run 
 smbstatus.  I also see in my logs the following...
 
 [2007/10/01 10:01:15, 0] 
 lib/util_tdb.c:tdb_chainlock_with_timeout_internal(84)
   tdb_chainlock_with_timeout_internal: alarm (10) timed out 
 for key VALDEZ in tdb /usr/local/samba/private/secrets.tdb
 
 I did a dump of secrets on my old server and there wasn't a 
 key for Valdez there.
 
 Now valdez is one of the DC's for the Domain.  I don't start 
 seeing all of this until we get high activity.  All the 
 clients do is login into the domain and then we have a bat 
 file on the DC that mounts their home directory on this 
 server.
 
 Can anyone point me in the right direction for tracking down 
 why this is happening.  

I guess you are describing a situation where you have a lot of processes
hanging where the smbd is basically stuck.

How many smbd processes do you have around when this happens?
(ps xa |grep smbd|wc -l)

How many clients?

On what OS are you running this?
Is /usr/local/samba a local file system (ext2/3?)?

And most importantly can you reproduce this at will ?

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: svn commit: samba r25495 - in branches: SAMBA_3_2/source/lib/replace/system SAMBA_3_2_0/source/lib/replace/system

2007-10-03 Thread simo
On Wed, 2007-10-03 at 22:01 +, [EMAIL PROTECTED] wrote:
 Author: jra
 Date: 2007-10-03 22:01:25 + (Wed, 03 Oct 2007)
 New Revision: 25495
 
 WebSVN: 
 http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=25495
 
 Log:
 Fixup definitions for missing sockaddr_storage.
 Jeremy.
 
 Modified:
branches/SAMBA_3_2/source/lib/replace/system/network.h
branches/SAMBA_3_2_0/source/lib/replace/system/network.h
 
 
 Changeset:
 Modified: branches/SAMBA_3_2/source/lib/replace/system/network.h
 ===
 --- branches/SAMBA_3_2/source/lib/replace/system/network.h2007-10-03 
 21:14:20 UTC (rev 25494)
 +++ branches/SAMBA_3_2/source/lib/replace/system/network.h2007-10-03 
 22:01:25 UTC (rev 25495)
 @@ -127,7 +127,8 @@
  #endif
  
  #ifndef HAVE_SOCKADDR_STORAGE
 -#define sockaddr_storage sockaddr
 +#define sockaddr_storage sockaddr_in
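
Review bot: Defining sockaddr_storage as sockaddr_in changes the member names as well as the size: struct sockaddr_in has sin_family, not ss_family, so any caller that reads ss.ss_family will not compile on a platform that takes this fallback. Please add a matching define for ss_family (or a small replacement struct) next to this line, together with a comment stating that the fallback assumes an IPv4-only platform.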

shouldn't this be:
#define sockaddr_storage sockaddr_in6
?

sockaddr_in6 is bigger in size

Actually even that looks wrong ...


bits/socket.h on my system has this:

struct sockaddr_storage
  {
__SOCKADDR_COMMON (ss_);/* Address family, etc.  */
__ss_aligntype __ss_align;  /* Force desired alignment.  */
char __ss_padding[_SS_PADSIZE];
  };


Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: svn commit: samba r25495 - in branches: SAMBA_3_2/source/lib/replace/system SAMBA_3_2_0/source/lib/replace/system

2007-10-03 Thread simo
On Wed, 2007-10-03 at 15:17 -0700, Jeremy Allison wrote:
 On Wed, Oct 03, 2007 at 06:05:54PM -0400, simo wrote:
  On Wed, 2007-10-03 at 22:01 +, [EMAIL PROTECTED] wrote:
   Author: jra
   Date: 2007-10-03 22:01:25 + (Wed, 03 Oct 2007)
   New Revision: 25495
   
   WebSVN: 
   http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=25495
   
   Log:
   Fixup definitions for missing sockaddr_storage.
   Jeremy.
   
   Modified:
  branches/SAMBA_3_2/source/lib/replace/system/network.h
  branches/SAMBA_3_2_0/source/lib/replace/system/network.h
   
   
   Changeset:
   Modified: branches/SAMBA_3_2/source/lib/replace/system/network.h
   ===
   --- branches/SAMBA_3_2/source/lib/replace/system/network.h
   2007-10-03 21:14:20 UTC (rev 25494)
   +++ branches/SAMBA_3_2/source/lib/replace/system/network.h
   2007-10-03 22:01:25 UTC (rev 25495)
   @@ -127,7 +127,8 @@
#endif

#ifndef HAVE_SOCKADDR_STORAGE
   -#define sockaddr_storage sockaddr
   +#define sockaddr_storage sockaddr_in
  
  shouldn't this be:
  #define sockaddr_storage sockaddr_in6
  ?
  
  sockaddr_in6 is bigger in size
 
 Nope - because if you don't have sockaddr_storage
 it's a dead cert you don't have sockaddr_in6 - no
 IPv6 - so just use IPv4 sockaddr_in.
 
 If we find any platforms where this isn't the
 case I can add an #ifdef HAVE_STRUCT_SOCKADDR_IN6
 and use that by preference.

not sure this is true, as sockaddr_storage IIRC has been introduced
after sockaddr_in6, but I guess we will find it out on the build farm
hopefully.

The fact is that we usually always cast this structure, maybe we should
undefine sockaddr_in6 just to be paranoid ?

Simo.


-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org
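
The size question from the two messages above, as an added example (not code from Samba or from this thread): a bounds-checked copy shows that a buffer the size of sockaddr_in cannot hold a sockaddr_in6, while a real sockaddr_storage can and is then read back by casting on its family. The helper names and the sample address are constructed for illustration.

```c
/* Added example: why the size of a sockaddr_storage fallback matters. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Bytes a socket address of this family occupies, 0 if the family is unknown. */
static size_t sockaddr_size(int family)
{
	switch (family) {
	case AF_INET:
		return sizeof(struct sockaddr_in);
	case AF_INET6:
		return sizeof(struct sockaddr_in6);
	default:
		return 0;
	}
}

/*
 * Copy src into dst (dst_size bytes). Returns 0, -EAFNOSUPPORT for an
 * unknown family, or -ENOSPC when the address does not fit.
 */
static int sockaddr_store(void *dst, size_t dst_size, const struct sockaddr *src)
{
	size_t need = sockaddr_size(src->sa_family);

	if (need == 0)
		return -EAFNOSUPPORT;
	if (need > dst_size)
		return -ENOSPC;
	memset(dst, 0, dst_size);
	memcpy(dst, src, need);
	return 0;
}

/* Format a stored address; the cast is chosen from ss_family. */
static int sockaddr_to_text(const struct sockaddr_storage *ss, char *out, size_t out_len)
{
	const void *addr;

	switch (ss->ss_family) {
	case AF_INET:
		addr = &((const struct sockaddr_in *)ss)->sin_addr;
		break;
	case AF_INET6:
		addr = &((const struct sockaddr_in6 *)ss)->sin6_addr;
		break;
	default:
		return -EAFNOSUPPORT;
	}
	return inet_ntop(ss->ss_family, addr, out, (socklen_t)out_len) ? 0 : -errno;
}

/* Build a constructed IPv6 sample address (documentation prefix 2001:db8::/32). */
static int make_v6(struct sockaddr_in6 *a, const char *text, unsigned short port)
{
	memset(a, 0, sizeof(*a));
	a->sin6_family = AF_INET6;
	a->sin6_port = htons(port);
	return inet_pton(AF_INET6, text, &a->sin6_addr) == 1 ? 0 : -EINVAL;
}

int main(void)
{
	struct sockaddr_in6 v6;
	struct sockaddr_in v4_sized;      /* what a sockaddr_in fallback provides */
	struct sockaddr_storage storage;  /* what the real type provides */
	char text[INET6_ADDRSTRLEN];

	if (make_v6(&v6, "2001:db8::1", 445) != 0)
		return 1;
	printf("sockaddr_in=%zu sockaddr_in6=%zu sockaddr_storage=%zu\n",
	       sizeof(struct sockaddr_in), sizeof(struct sockaddr_in6),
	       sizeof(struct sockaddr_storage));
	printf("into sockaddr_in-sized buffer: %d\n",
	       sockaddr_store(&v4_sized, sizeof(v4_sized), (struct sockaddr *)&v6));
	if (sockaddr_store(&storage, sizeof(storage), (struct sockaddr *)&v6) != 0)
		return 1;
	if (sockaddr_to_text(&storage, text, sizeof(text)) != 0)
		return 1;
	printf("into sockaddr_storage: %s\n", text);
	return 0;
}
```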



Re: [Samba] Re: Authentication Question; WAS: installing Samba as non-root user

2007-09-30 Thread simo
On Wed, 2007-09-26 at 11:39 -0700, [EMAIL PROTECTED] wrote:
 It's amazing how indignant people get when they think someone hasn't done
 his homework.  I've read the man pages in depth, and the official HOWTO.
 Unless I overlooked something, nowhere does it explain the authentication
 in the kind of detail that is necessary to understand if there's a way to
 have multiple users have proper access to their home directories when the
 daemon is not being run as root.

You will not find this knowledge in the Samba material simply because it
is basic unix architecture knowledge.
In unix only root owned processes (modulo SELinux) can change privileges.
File access is controlled by the kernel and based on said privileges.
So logical consequence is:
1. no root -> no change in privileges -> no access to files beyond
existing privileges
2. root -> impersonation (change in privileges) -> access to files with
provided privileges

For the password part, I only say that authentication is not magic, it
is just an exchange of information (usually involving encryption of some
sort to protect said information) to establish a remote process is who
it claims it is (or represents). If your app performs authentication, it
is the only one that knows about it, and unless it has mighty powers
(root) it can't force the rest of the system to believe it.


Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org
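
The two cases listed in the message above, as an added example (not Samba code): a child process tries to switch its effective uid the way a file server must before opening files on a user's behalf, then switches back. The names try_impersonate and other_uid are made up for this example, and the target uid is an arbitrary constructed value.

```c
/* Added example: uid switching as seen by a root and a non-root process. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* A uid that differs from the caller's; the value itself is arbitrary. */
static uid_t other_uid(void)
{
	return geteuid() + 1;
}

/*
 * In a forked child, switch the effective uid to target, then switch
 * back to the original one. Returns 0 if both steps worked, the errno
 * of the failing seteuid() otherwise, or -1 if the child could not be
 * run. errno values are small, so they fit in the 8-bit exit status.
 */
static int try_impersonate(uid_t target)
{
	uid_t original = geteuid();
	int status;
	pid_t pid = fork();

	if (pid < 0)
		return -1;
	if (pid == 0) {
		if (seteuid(target) != 0)
			_exit(errno);   /* EPERM when the process is not root */
		if (geteuid() != target)
			_exit(EINVAL);
		/* From here on the kernel checks file access against target. */
		if (seteuid(original) != 0)
			_exit(errno);   /* the saved uid lets a root process return */
		_exit(0);
	}
	if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
		return -1;
	return WEXITSTATUS(status);
}

int main(void)
{
	int own = try_impersonate(geteuid());
	int other = try_impersonate(other_uid());

	printf("running with euid %ld\n", (long)geteuid());
	printf("switch to own uid:     %s\n", own == 0 ? "ok" : strerror(own));
	printf("switch to another uid: %s\n",
	       other == 0 ? "ok" : (other > 0 ? strerror(other) : "could not run child"));
	return 0;
}
```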



Re: [Samba] Questions about the new idmap interface

2007-09-15 Thread simo
Sorry if I already asked about this, do you see the TestGroup from
PASING if you do a getent PASING\\TestGroup ?

If so there seems to be something fishy as from the log it seems to
recognize this group comes from the trusted domain, but still tries to
see if it is mapped with Group Mapping, might be a bug, need to drill
more into it, and unfortunately, right now I don't have a setup like
yours to test.

Simo.

On Wed, 2007-09-12 at 09:49 +0200, Marc Muehlfeld wrote:
 Hi,
 
 for easier explanation I used easy expressions on my last postings. Below I 
 provide the original messages/logs, because I don't wanna confuse someone in 
 this huge logfile.
 
 Just for explanation:
 MUC = First domain
 GENOME = PDC of MUC (Samba 3.0.22)
 OPERON = MemberServer in domain MUC (Samba 3.0.26a)
 IT-10 = Workstation in domain PASING (WinXP SP2)
 PASING = Second domain
 CODON = PDC of PASING (Samba 3.0.25c)
 
 
 
 simo schrieb:
  This is smbd trying to find the group in its SAM (which happens to be on
  LDAP as well). Are you sure you have a trust with DOM2 ?
 
 # net rpc trustdom list
 Trusted domains list:
 
 PASING  S-1-5-21-1183370737-3874734740-1589004535
 
 Trusting domains list:
 
 PASING  S-1-5-21-1183370737-3874734740-1589004535
 
 
 
  If so can you please provide the full file log, as before this call
  there may be useful information.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] ADS authentication error

2007-09-14 Thread simo
On Fri, 2007-09-14 at 11:39 -0400, Kevin R. Gutch wrote:
 Hi,
 
 I have a fresh install of Fedora 7 and Samba (Version 3.0.26a-0.fc7). 
 Trying to set up ADS authentication. I try net ads join -U 
 Administrator and receive the following error
 
 net: relocation error: net: symbol krb5_get_init_creds_opt_alloc, 
 version krb5_3_MIT not defined in file libkrb5.so.3 with link time 
 reference
 
 Does anyone know how to fix this?

Have you updated the MIT libraries as well ?

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Samba 3.0.26a Available for Download

2007-09-13 Thread simo
On Thu, 2007-09-13 at 08:34 +0200, Mogens Kjaer wrote:
 Guillermo Gutierrez wrote:
  What about debian packages?
 
 Never tried it, but you might want to look
 in the folder packaging/Debian in the source
 tree.

A binary package for Debian will be available here soon:
http://www.samba.org/samba/ftp/Binary_Packages/Debian/

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Questions about the new idmap interface

2007-09-11 Thread simo
On Tue, 2007-09-11 at 14:39 +0200, Marc Muehlfeld wrote:
 Hi,
 
 I tried to configure the new idmap interface. Currently without much success.
 
 I have two samba domains, trusting each other. Each PDC using its own LDAP 
 server. I tried
 
  idmap domains = DOM1, DOM2
  idmap config DOM1:default = yes
  idmap config DOM1:backend  = ldap
  idmap config DOM1:ldap_base_dn = ou=Idmap,dc=dom1,dc=mydomain,dc=de
  idmap config DOM1:ldap_url = ldap://192.168.0.1
  idmap config DOM1:range  = 1 - 2
  idmap alloc backend = ldap
---^^
this is not enough, you have to explicitly configure the alloc backend
For example:
  idmap alloc config:ldap_base_dn = ou=Idmap,dc=dom1,dc=mydomain,dc=de
  idmap alloc config:ldap_user_dn = the privileged user dn
  idmap alloc config:ldap_url = ldap://192.168.0.1
  idmap alloc config:range = 1-2


  idmap config DOM2:default = no
  idmap config DOM2:backend = ldap
  idmap config DOM2:ldap_base_dn = ou=Idmap,dc=dom2,dc=mydomain,dc=de
  idmap config DOM2:ldap_url = ldap://192.168.1.1
  idmap config DOM2:range = 1 - 2
 
  idmap uid = 1-2
  idmap gid = 1-2

no need to add these if you use the new options

  winbind separator = +
  winbind enum users = yes
  winbind enum groups = yes
  template homedir = /home/%U
  template shell = /bin/false
  winbind nested groups = yes
  winbind cache time = 300
  winbind nss info = template
  winbind use default domain = yes
 
 But then I have the problem, that samba used the ldap admin dn account and 
 password for both LDAP servers, but each has its own. How can I configure a 
 second password for my trusted domain?

you have to specify the ldap_user_dn option for each domain and then use
net idmap secret

In your case probably

net idmap secret DOM1 secret1
net idmap secret alloc secret1
net idmap secret DOM2 secret2

However if you read the man pages for idmap_ldap you will find all this
information.

 Is there any useful documentation, best would be with different samples, of 
 the new idmap interface? The manpage didn't help me much for understanding 
 this.

Maybe because you didn't read the actually relevant man page:
man idmap_ldap

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Questions about the new idmap interface

2007-09-11 Thread simo
On Tue, 2007-09-11 at 17:09 +0200, Marc Muehlfeld wrote:
 For me it was very confusing for my trusted domain environment. Currently I'm
 not sure if I really need the two idmap configs. I just have the problem that
 I can't connect from a DOM2 workstation to a share on a MemberServer of DOM1.
 On this share I setup valid users = +DOM1\Group1 +DOM2\Group2.
 Connections from DOM1 workstations are fine (if I'm in Group1), but not from
 DOM2 (if I'm member of DOM2\Group2). It seems the group of the remote domain
 is searched inside the LDAP of DOM1 (why isn't winbind just getting the
 information from the responsible DC?).
 
 [2007/09/11 17:02:57, 5] lib/smbldap.c:smbldap_search_ext(1182)
smbldap_search_ext: base = [ou=Groups,dc=dom1,dc=mydomain,dc=de],
 filter 
 = 
 [((objectClass=sambaGroupMapping)(|(displayName=TestGroup)(cn=TestGroup)))], 
 scope = [2]
 [2007/09/11 17:02:57, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2235)
ldapsam_getgroup: Did not find group 

This specific error is not IDMAP related.
This is smbd trying to find the group in its SAM (which happens to be on
LDAP as well). Are you sure you have a trust with DOM2 ?
If so can you please provide the full file log, as before this call
there may be useful information.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: svn commit: samba r25069 - in branches/SAMBA_3_0_25/source/nsswitch: .

2007-09-10 Thread simo
On Mon, 2007-09-10 at 23:29 +, [EMAIL PROTECTED] wrote:
 Merge to 3_0_25 as well.

Günther, 3_0 and 3_0_25 are closed now; we are supposed to commit to
3_0_MAINT.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Samba+LDAP with real-time share permissions

2007-08-31 Thread simo
On Fri, 2007-08-31 at 10:16 -0300, Steve Scanavarro wrote:
 Hello everyone!
 I'm using samba with LDAP, and everything is working fine.
 But I'm having problems when I change something in the permissions on the
 share, for example, I have a share called daily.
 In this share, the permissions are set to the LDAP group called Daily, where
 steve is a member.
 Well, when I log in, the share maps ok, but what I want to do is, when I
 remove the user steve from the LDAP group, his access will be denied in
 real-time (when removed from the group, stop being able to see anything in
 the drive).
 
 *BUT*, it's not working, the user still has the permissions in the drive
 'til logout/login again.

This is by design, privileges are set at connection time and never
changed.

 My question is, what if the user logout only in the weekends? In the
 meanwhile user 'steve' will still have access to the drive?
 In an experience here, he no longer has access only when I restart Samba,
 but when I do that, the other drives that are mapped stop working as well,
 and the user should logout/login again, and then the permissions are ok.
 (and it's not a good idea to restart samba everytime I change a permission
 isn't it? :)
 
 Thanks in advance for any help/ideas!

You can use smbstatus to find out the pid of the specific smbd serving
that user and then send this process a shutdown command using
smbcontrol, this will disconnect the user and force his workstation to
reconnect all drives and perform a new authentication.

I think another way could be to simply change the main directory
permissions. Instead of adding and removing users to the Daily group,
simply deny it access to the directory setting its permissions to ---
(no r,w or x). This may be more practical and does not require
disconnections, nor constant manipulation of user memberships.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org
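
The disconnect procedure described in the reply above, as an added example that is not part of the original post: a small wrapper that finds the smbd PIDs serving one user and sends each a shutdown with smbcontrol. The `smbstatus -p` sample is constructed, and its column layout (PID first, username second) is an assumption to check against your Samba version.

```bash
#!/bin/bash
# Added example: drop a user's live Samba sessions after a group change,
# so the next connection is authorised against the current memberships.

# Constructed sample of `smbstatus -p` output
# (assumed layout: PID, username, group, machine).
SAMPLE_SMBSTATUS='
Samba version 3.0.25b
PID     Username      Group         Machine
-------------------------------------------------------------------
 4321   steve         Daily         ws-steve     (192.168.1.20)
 4350   maria         Daily         ws-maria     (192.168.1.21)
 4377   steve         Daily         ws-lab3      (192.168.1.35)
'

# Read `smbstatus -p` output on stdin and print the PID of every smbd
# process serving user $1. Header and separator lines are skipped because
# their first field is not numeric. The match is exact and case-sensitive.
pids_for_user() {
    awk -v user="$1" '$1 ~ /^[0-9]+$/ && $2 == user { print $1 }'
}

# Disconnect every session of user $1.
# DRY_RUN=1 (the default) only prints the commands that would be run.
revoke_user() {
    local user="$1" pid
    smbstatus -p | pids_for_user "$user" | while read -r pid; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "would run: smbcontrol $pid shutdown"
        else
            smbcontrol "$pid" shutdown
        fi
    done
}

# Demonstration on the constructed sample only; no real smbd is contacted.
printf '%s\n' "$SAMPLE_SMBSTATUS" | pids_for_user steve
```

Run `revoke_user steve` first with the default dry run, then with `DRY_RUN=0` as root once the listed PIDs look right.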



Re: [Samba] How to use ZFS volume

2007-08-29 Thread simo
On Tue, 2007-08-28 at 09:58 +0900, [EMAIL PROTECTED] wrote:
 Hi,
 
 I want to use Samba with ZFS volume, although I know 3.0.25c does not
 work with ZFS volume.

Samba generally will work with any filesystem, the only condition is
that it has to be posix compatible.
With ZFS almost everything will work except native ZFS ACLs, that's what
the vfs_zfsacl module is for.

 And I found modules/vfs_zfsacl.c on Samba-3.0.26.
 (
 http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/branches/SAMBA_3_0_26/source/modules/
 )
 But I can't find samba-3.0.26.tar.gz on samba.org.

After 3.0.25 we decided to change the minor release number because of
the amount of changes and the change in license (GPLv2-GPLv3), so the
next release, which corresponds to the former 3.0.26 code base, is now
3.2.0 and will be released eventually before the end of the year.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: svn commit: samba r24649 - in branches: SAMBA_3_0_25/source/nsswitch SAMBA_3_2/source/nsswitch SAMBA_3_2_0/source/nsswitch

2007-08-24 Thread simo
On Fri, 2007-08-24 at 11:25 +, [EMAIL PROTECTED] wrote:
 Log:
 Attempt to fix bug 4917. Simo, please check!
 
 Thanks Patrick Rynhart for reporting this.

Oh thanks for this fix, looks good.
This must have been a huge memory leak on long running winbindd
processes.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Samba and winbind with LDAP IDMAP backend - user connects with Domain Admin permissions

2007-08-10 Thread simo
On Fri, 2007-08-10 at 09:40 -0700, Stang, Sharol wrote:
 
  [users]
 
 comment = user's home directory
 
 path = /mnt/cluster/home/users
 
 force group = Domain Admins 

So if you force _everybody_ to be Domain Admins why do you expect them
not to be able to access something owned by Domain Admins ?

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: svn commit: samba r24301 - in branches/SAMBA_4_0/source/selftest: .

2007-08-10 Thread simo
On Fri, 2007-08-10 at 08:46 +, [EMAIL PROTECTED] wrote:
 Author: abartlet
 Date: 2007-08-10 08:46:29 + (Fri, 10 Aug 2007)
 New Revision: 24301
 
 WebSVN: 
 http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=24301
 
 Log:
 The less escape characters the better.  This changes the winbind
 separator to /, which is not an escape character, and uses the fact
 that we always support / as the DOMAIN/username separator.

Andrew we can't use / as it is the path separator.
Anything that uses the user name to build the home directory will come
up with something like /home/DOMAIN/username which is not what you
expect normally.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Performance problem with file 2Gb

2007-07-16 Thread simo
Only if you don't compile with large files support, something we support
since long.

Simo.

On Mon, 2007-07-16 at 15:11 +0200, Alessandro Ferrari wrote:
 There are some problems to transfer big file over 2Gb, It is a filesize 
 limitation of samba.
 
 Ale
 
 - Original Message - 
 From: Sébastien CRAMATTE [EMAIL PROTECTED]
 To: samba@lists.samba.org
 Sent: Monday, July 16, 2007 12:13 PM
 Subject: [Samba] Performance problem with file  2Gb
 
 
  Hello,
 
  I've setup an Samba 3 server on a Debian Etch 4
  The server has :
 
  - 8x 500Gb raid 5 via 3ware Raid Controller
  - Filesystem is Ext3 over Lvm2  (I know that be better an Xfs FS instead
  ... now I can't change it easily )
  - Xeon dual core 2
  - 2Gb of RAM
  - connected to a gigabit switch using 2 bonded NIC
 
  When I copy big files ( 2Gb MPEG files)  from Windows clients  the copy
  do a pause on the end ...
  If at the same time I open another video from another client the movie
  playback start to skip frame and become very very slow ...
 
  Any Ideas ?
 
 
-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] groups seems broken in samba-3.0.24-7.fc5

2007-07-12 Thread simo
On Thu, 2007-07-12 at 23:04 +0200, Volker Lendecke wrote:
 On Thu, Jul 12, 2007 at 01:39:52PM -0500, Dean Clapper wrote:
  However if I use group
  valid users = @admin
 
 Fedora bug. Use 
 
 valid users = +admin

FC5 is not maintained anymore anyway, I suggest you move to F7 where
this problem has been fixed.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [computers] Re: [Samba] XP Home and Samba problem

2007-07-10 Thread simo
On Tue, 2007-07-10 at 18:02 +0200, SG wrote:
 Here's my smb.conf
 
 [global]
 workgroup = GINVEST
 netbios name = LINACER
 interfaces = ath0, eth0
 bind interfaces only = Yes
 null passwords = Yes
 passdb backend = tdbsam
 username map = /etc/samba/smbusers
 log level = 3
 log file = /var/log/samba/log.%m
 announce version = 5.0
 name resolve order = host wins bcast
 socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE 
 SO_RCVBUF=8192 SO_SNDBUF=8192
 printcap name = CUPS
 os level = 32
 wins support = Yes
 invalid users = root
 valid users = borzo
--^^

you really _don't_ want to put this in the global section, or the only
user allowed is borzo everywhere, and guest connections will always be
denied.

[..]



Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org
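
A check for the two share-access mistakes pointed out in this message and in the earlier `force group = Domain Admins` reply, as an added example that is not part of either post. The smb.conf fragment, the [public] share and the rule that a group name containing "admins" counts as privileged are assumptions made for the illustration.

```bash
#!/bin/bash
# Added example: flag share-access settings that silently change who can
# reach every share. Sample input is constructed, not taken from a real host.

# Constructed smb.conf fragment combining the two settings from the threads.
SAMPLE_CONF='
[global]
   workgroup = GINVEST
   invalid users = root
   valid users = borzo

[users]
   path = /mnt/cluster/home/users
   force group = Domain Admins

[public]
   path = /srv/public
   guest ok = yes
'

# Read smb.conf text on stdin and print one finding per line in the form
#   section|parameter|value
# Rule 1: "valid users" in [global] is inherited by every share, so only the
#         listed users get in anywhere and guest connections are refused.
# Rule 2: "force group" naming an admin group (assumed heuristic: the value
#         contains "admins") gives that group to every connection.
audit_smbconf() {
    awk '
        /^[ \t]*[#;]/ { next }              # comment lines
        /^[ \t]*\[/ {                       # section header, e.g. [global]
            sec = $0
            sub(/^[ \t]*\[/, "", sec)
            sub(/\].*$/, "", sec)
            sec = tolower(sec)
            next
        }
        index($0, "=") > 0 {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key)          # Samba ignores whitespace in names
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (sec == "global" && key == "validusers")
                print sec "|valid users|" val
            if (key == "forcegroup" && tolower(val) ~ /admins/)
                print sec "|force group|" val
        }
    '
}

# Demonstration on the constructed fragment.
printf '%s\n' "$SAMPLE_CONF" | audit_smbconf
```

To audit a live server, pipe the real file in instead: `audit_smbconf < /etc/samba/smb.conf`.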



Re: [Samba] winbind + samba limits with large AD?

2007-07-10 Thread simo
On Tue, 2007-07-10 at 23:33 +0200, Ralf Gross wrote:
 
 I can't reach http://svnweb.samba.org/. Is there another way to get
 the 3_2 release by svn/http?

Use  http://viewcvs.samba.org 

I will correct the howto.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: svn commit: samba r23803 - in branches/SAMBA_3_2_0/source/utils: .

2007-07-10 Thread simo
On Tue, 2007-07-10 at 07:17 +, [EMAIL PROTECTED] wrote:
 Author: tridge
 Date: 2007-07-10 07:17:34 + (Tue, 10 Jul 2007)
 New Revision: 23803
 
 WebSVN: 
 http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=23803
 
 Log:
 fixed the build.
 
 This seems to be have broken for quite a while.
 
 Modified:
branches/SAMBA_3_2_0/source/utils/smbcacls.c
 
 
 Changeset:
 Modified: branches/SAMBA_3_2_0/source/utils/smbcacls.c
 ===
 --- branches/SAMBA_3_2_0/source/utils/smbcacls.c  2007-07-10 05:42:52 UTC 
 (rev 23802)
 +++ branches/SAMBA_3_2_0/source/utils/smbcacls.c  2007-07-10 07:17:34 UTC 
 (rev 23803)
 @@ -737,7 +737,7 @@
  and W2K. JRA.
   */
  
 - sd = make_sec_desc(ctx,old-revision, old-type, old-owner_sid, 
 old-grp_sid,
 + sd = make_sec_desc(ctx,old-revision, old-type, old-owner_sid, 
 old-group_sid,
  NULL, old-dacl, sd_size);
  
   fnum = cli_nt_create(cli, filename, 
 WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS);
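Review bot: In the changed make_sec_desc() call, the returned sd is not checked for NULL anywhere in the lines shown before cli_nt_create() opens the file with WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS; if no check follows below the hunk, add one so an allocation failure is not passed on to later code. The log message "fixed the build" would also be easier to trace across branches if it named the field change from grp_sid to group_sid.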

Doh, in 3.0.25b it is old-group_sid, in fact changing #if 0 - #if 1
compiled perfectly fine ... very strange.

Sorry, I didn't notice it was different in 3_0_26/3_0

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] winbind idmap customization

2007-07-06 Thread simo
On Fri, 2007-07-06 at 14:40 -0500, Gerald (Jerry) Carter wrote:
 
 Jerome Haltom wrote:
  Would it be much work to add some sort of format string policy to
  smb.conf to govern this mapping?
  
  winbind user name = [EMAIL PROTECTED]
  winbind group name = [EMAIL PROTECTED]
  
  This would ideally allow lookups for all of the various 
  possibilities to resolve to the single canonical name.
 
 Yup.  It would be a huge amount of work with no benefit
 IMO.

It would also make the code a lot more fragile imo, we have already been
bitten by the winbind separator and winbind use default domain to allow
madness to slip in again. Not unless it is really really necessary.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] winbindd running amok

2007-07-06 Thread simo
On Fri, 2007-07-06 at 21:05 +0200, Bernd Schubert wrote:
 Hello Rune,
 
 On Friday 06 July 2007 20:41:05 Rune Tønnesen wrote:
  Bernd Schubert skrev:
   Hi,
  
 
  Hi Bernd
 
  mc (Midnight Commander) most likely caches usernames and groups. mc
  needs the usernames when the user wants to change ownership of files and
  directories. You can properly get the same winbindd reaction from getent
  passwd
 
 thanks a lot for your really super fast help. Running 'getent passwd' takes 
 about 10s-40s, which is ok I think for 5 entries. But mc keeps winbindd 
 busy for at least 5-10 min, which is rather critical. This efficiently 
 prevents other logins to this system at all. Well, mc is not the big deal, 
 but our customer has experienced quite a lot problems in the past and I'm 
 afraid they are doing something (don't know what), that does the same as mc.
 
 Is there a way to increase disk cache of winbind? It presently takes 50MB, 
 which I guess it too less. Or any other ideas how to tune it?
 I know that winbindd from samba-3.0.25 is entirely rewritten in aspect to 
 cache, will it also solve those problems?

What about simply shutting down enumeration?
winbind enum users = no
winbind enum groups = no

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: svn commit: samba r23718 - in branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules: .

2007-07-05 Thread simo
On Thu, 2007-07-05 at 09:02 +0200, Stefan (metze) Metzmacher wrote:
 
 [EMAIL PROTECTED] schrieb:
  Author: abartlet
  Date: 2007-07-05 03:06:59 + (Thu, 05 Jul 2007)
  New Revision: 23718
  
  WebSVN: 
  http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=23718
  
  Log:
  Make Samba4 work against the LDAP backend again. 
  
  When we set up the schema, we don't have a partitions container yet.
  The LDAP error differs from that given by LDB, so I think we still
  have some conformance work to do.
 
 yes, the problem is that ldb_tdb returns just 0 search results, but
 success when the basedn isn't present. And it really should return
 LDB_ERR_NO_SUCH_OBJECT in this case, but we have too many code not
 checking for LDB_ERR_NO_SUCH_OBJECT, so that we would break a lot
 if we would let ldb_tdb return LDB_ERR_NO_SUCH_OBJECT.

I think it is reasonable to change tdb to throw an error if the base
does not exist.
We need to deal with LDB_ERR_NO_SUCH_OBJECT as ldap backends can happily
return that. I will look into this as soon as I can carve some time for
it.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Error when upgrading to samba 3.0.25b: NT_STATUS_OBJECT_PATH_NOT_FOUND

2007-07-01 Thread simo
On Sun, 2007-07-01 at 00:50 -0400, Oliver Schulze L. wrote:
 Hi,
 I just upgraded from:
 samba-3.0.23d-1
 to:
 samba-3.0.25b-3
 
 After starting samba, I could no longer connect to any share, I get this 
 error:
 NT_STATUS_OBJECT_PATH_NOT_FOUND

Read the release notes and learn about root msdfs (ie reboot your
windows clients after the upgrade).

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] could not get methods for backend rid

2007-06-29 Thread simo
On Fri, 2007-06-29 at 15:33 +0200, Marco Berizzi wrote:

   winbind enum users = no
   winbind enum groups = no
   idmap alloc backend = rid
   idmap alloc config:range = 1 - 5

You cannot use the rid backend as an alloc backend.
So far the only 2 usable backends for alloc are tdb and ldap.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] NTConfig.pol

2007-06-28 Thread simo
On Thu, 2007-06-28 at 08:03 -0400, Adam Tauno Williams wrote:
  Thanks  that is good to hear and know.
  The Power User is a local group = you would need to add the user(s) on 
  all the computers onto the group Power Users. I am not able to say if 
  this will work out with a policy.
 
 You can't add a domain group to the local Power Users group and then
 add/remove users from the domain group?  I think that works.

If you want to give Power Users powers on all machines to all those
users that's the way to go.

But are you sure you want to give Power User privs to Joe on Jane's
machine?

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] machine account want use algorithm than sambanextrid

2007-06-27 Thread simo
On Wed, 2007-06-27 at 15:00 +0200, Peter Eser wrote:
 Was questioned before with no answer, but have the same problem:
 
 With Samba 3.0.25 with ldap backend, what can I do for using algorithm
 rid = 2*uid + 1000, when samba creates samba attributes (sambasid) of computer
 account, instead of SambaNextRid from SambaDomainName entry?
 
 Background:
 I create a machine account with smbldap-tools. After that a uidNumber was
 given to the machine.
 If the machine logs on the first time, samba gives a SID to the machine
 using SambaNextRid.
 If I leave the SambaNextRid base to 1000 after a while adding machines the
 machine SIDs are in the range of the user/group SIDs, so it would be better
 to use the algorithm than SambaNextRid.

You shouldn't let smbldap tools create the SID.
Samba can very well do it on its own, and that's the preferred and best
way. All it needs is the posixAccount to attach the sambaSamAccount
to ...

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] machine account want use algorithm than sambanextrid

2007-06-27 Thread simo
On Wed, 2007-06-27 at 15:11 +0200, Peter Eser wrote:
 Many thanks for the reply.
 My thought (from the docs) was that samba use the algorithm for sid
 building.
 That's was wrong guess?

It used to, but we changed that some time ago.
Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] machine account want use algorithm than sambanextrid

2007-06-27 Thread simo
On Wed, 2007-06-27 at 15:11 +0200, Peter Eser wrote:
 Many thanks for the reply.
 My thought (from the docs) was that samba use the algorithm for sid
 building.
 That's was wrong guess?

Actually I fixed a bug where we were still using the algorithmic method
by mistake when using pdbedit to add a workstation.
The fix is in 3.0.25b

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread simo
On Wed, 2007-06-27 at 09:45 -0700, mikelOn wrote:
 
 About the samba attributes, when you add a machine account the script 
 add machine must NOT ADD SAMBA ATTRIBUTES, only posix, samba does that 
 alone. Refer to the idealx documentation (if you really want that things 
 work properly, reading the documentation is not an option), it was 
 already discussed here and the documentation explains how to configure 
 that and how it should work.
 
 I did set a debug level of 4 and what I saw was a NT_STATUS_NO_SUCH_USER (or
 something alike) but no more specific details. The machine account (posix)
 gets created automatically but the samba attributes are not added by samba.

look for nscd running, it may cache a negative response and samba never
sees the created posix attributes in time to add samba stuff.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] idmap_ad Integration with Windows 2003 pre-R2

2007-06-27 Thread simo
With 3.0.25b we support either sfu or rfc2307(R2), if neither of these
work, it means you have some other schema.

Simo.

On Wed, 2007-06-27 at 14:17 -0700, S Murthy Kambhampaty wrote:
 According to our network admins, we are using the rfc2307(pre-R2) schema.
 
 Thanks,
Murthy
 
 - Original Message 
 From: simo [EMAIL PROTECTED]
 To: S Murthy Kambhampaty [EMAIL PROTECTED]
 Cc: samba@lists.samba.org
 Sent: Friday, June 22, 2007 12:22:10 PM
 Subject: Re: [Samba] idmap_ad Integration with Windows 2003 pre-R2
 
 On Fri, 2007-06-22 at 08:42 -0700, S Murthy Kambhampaty wrote:
  Simo, thanks for the info on the configuration syntax.  
  
  I'm still uncertain whether the rfc2307-related AD schema extensions
  in Windows 2003  are  compatible with Samba, or  the  R2 schema update
  is needed.  When I  use idmap_ad in our Win2k3 environment, on `getent
  passwd` winbind logs an error of  ads_check_posix_schema_mapping:
  failed NT_STATUS_NONE_MAPPED at
  libads/ldap_schema.c:ads_check_posix_schema_mapping(243), which
  suggests that the AD schema does not have the particular uid/gid
  attribs that winbind is looking for.  Could this be due to differences
  in the schema between the pre-R2 and R2 versions of the AD schema in
  Win 2k3?
 
 It depends, what schema are you using?
 We support sfu or rfc2307(R2)
 
 Simo.
 
 -- 
 Simo Sorce
 Samba Team GPL Compliance Officer
 email: [EMAIL PROTECTED]
 http://samba.org
 
 
 
 
 
 

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] idmap_ad Integration with Windows 2003 pre-R2

2007-06-22 Thread simo
On Thu, 2007-06-21 at 10:55 -0700, S Murthy Kambhampaty wrote:
 Is then new idmap_ad module capable of getting uid/gid info from a Windows 
 2003 AD pre-R2 with RFC2307 Unix Identity Mapping Extensions applied?
 
 Also, is the correct syntax for specifying the schema_mode as follows:
  idmap config dom.example.com:schema_mode = rfc2307

Right now we support only the short domain name, not the FQDN domain name,
all the rest is like you said.

Simo.

 
 
 Simo Sorce
 Samba Team GPL Compliance Officer
 email: [EMAIL PROTECTED]
 http://samba.org



Re: [Samba] idmap_ad Integration with Windows 2003 pre-R2

2007-06-22 Thread simo
On Fri, 2007-06-22 at 08:42 -0700, S Murthy Kambhampaty wrote:
 Simo, thanks for the info on the configuration syntax.  
 
 I'm still uncertain whether the rfc2307-related AD schema extensions
 in Windows 2003  are  compatible with Samba, or  the  R2 schema update
 is needed.  When I  use idmap_ad in our Win2k3 environment, on `getent
 passwd` winbind logs an error of  ads_check_posix_schema_mapping:
 failed NT_STATUS_NONE_MAPPED at
 libads/ldap_schema.c:ads_check_posix_schema_mapping(243), which
 suggests that the AD schema does not have the particular uid/gid
 attribs that winbind is looking for.  Could this be due to differences
 in the schema between the pre-R2 and R2 versions of the AD schema in
 Win 2k3?

It depends, what schema are you using?
We support sfu or rfc2307(R2)

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] NFS quotas: truncated files without warning

2007-06-19 Thread simo
On Tue, 2007-06-19 at 16:15 +0200, SER.RI-TIC - David Losada wrote:
 Opened bug in RHs bugzilla (
 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244848 )

Thank you!

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] NFS quotas: truncated files without warning

2007-06-18 Thread simo
On Mon, 2007-06-18 at 12:21 -0700, Jeremy Allison wrote:
 On Mon, Jun 18, 2007 at 08:48:09PM +0200, SER.RI-TIC - David Losada wrote:
  Hi Jeremy,
  
  actually, I have adapted your patch for applying to the current RHEL4
  Samba release (samba-3.0.10-1.4E.12.2). Would you mind to check if I
  have made any flagrant mistakes? If anyone reads this and decides to try
  it, please bear in mind it's experimental.
  
  Summary of what I have modified from your patch:
  
  * no patch for smbd/aio.c , because it's just not there yet in this release
  * in smbd/fileio.c:sync_file() , doesn't check for the sync always
  directive, the check's not originally there
  * in smbd/fileio.c:sync_file() , for accessing the fd, it's just
  fsp-fd, not fsp-fh-fd
  * in smbd/reply.c:reply_write() , ignored the hunk around
  CHECK_WRITE(fsp), because in this release that check is not made
  * took into account that the checking of conditions for forcing
  synchronization (lp_strict_sync, lp_sync_always, write_through) hadn't
  yet been refactored into the fileio.c:sync_file() function
  
  If patching from a vanilla samba-3.0.10 release, should apply the
  smbd_deferred_open_backport patch first. I'm also attaching it for
  convenience.
  
  If your patch makes it to next Samba official release, and this patch
  receives your blessing, could we put them in consideration of RedHat for
  an errata? The fact it helps to avoid silent data corruption in an
  scenario like ours, should be interesting for them.
 
 This work looks good - it's not a complex change.
 
 The fix will definitely be in 3.0.25b, I'll let Simo
 pick up the change for RH for their older versions if
 he thinks it's warranted.

I'd really prefer an entry in RHs bugzilla to be able to easily pick it
up :-)

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] idmap_ad

2007-06-13 Thread simo
On Wed, 2007-06-13 at 12:38 -0500, Jerome Haltom wrote:
 I'm trying to figure out how to configure idmap_ad to *not* map anything
 that does not have a UID assigned by Active Directory. I do not like
 randomly allocated UIDs appearing on my systems and would prefer to
 drive these out centrally. Setting the idmap ranges to nothing seems to
 cause an error.
 
 How can I do this?

Samba version?
smb.conf?

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] idmap_ad

2007-06-13 Thread simo
On Wed, 2007-06-13 at 13:29 -0500, Jerome Haltom wrote:
 
 I've tried various combinations of idmap. It actually seems to sort of
 work if I map the range 1-1, but I doubt this is appropriate.

Just map the same range you use on ad.
The ad backend is read only no ids can be mapped.

Otherwise switch to post 3.0.25 where we have rewritten the idmap
subsystem and this kind of things are handled much better.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] idmap_ad

2007-06-13 Thread simo
On Wed, 2007-06-13 at 13:47 -0500, Jerome Haltom wrote:
 On Wed, 2007-06-13 at 14:41 -0400, simo wrote:
  
  Just map the same range you use on ad.
  The ad backend is read only no ids can be mapped.
 
 So, no matter what ranges I map, it will never produce local UID
 assignments? Okay. Somehow I was fooled into thinking it would. The
 question is withdrawn an irrelevant then.

It will not assign local UID but you will hit AD pretty hard as in
3.0.24 we don't have negative caching in idmap.

I suggest you try 3.0.25a (b coming out soon as well)

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Re: 3.0.25a closing network drive connections?

2007-06-12 Thread simo
On Tue, 2007-06-12 at 14:14 -0400, Josh Kelley wrote:
 On 6/11/07, Gerald (Jerry) Carter [EMAIL PROTECTED] wrote:
   [2007/06/08 14:02:21, 10] lib/util_sock.c:read_data(525)
read_data: read of 4 returned 0. Error = Success
   [2007/06/08 14:02:21, 10] lib/util_sock.c:receive_smb_raw(672)
receive_smb_raw: length  0!
   [2007/06/08 14:02:21, 3] smbd/process.c:timeout_processing(1328)
timeout_processing: End of file from client (client has disconnected).
  
   Is anyone else seeing similar problems?  Should I open a Bugzilla or
   post the full debug logs here?
 
  The client disconnected.  This is not smbd's fault.
 
 Upon further investigation, I think that smbd may be sending invalid
 NOTIFY responses to the client, causing the client to disconnect.
 
 I opened a Bugzilla with a level 10 debug log, Wireshark capture, and
 instructions to reproduce, since I thought that would be better than
 posting all of that stuff here:
 https://bugzilla.samba.org/show_bug.cgi?id=4689
 
 I hope it's okay that I did so.  Thank you for your time.

Very nice tracking job!

I am CCing this to samba-technical so that more developers will see it.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] difficulties in rid mappings in 3.0.25

2007-06-05 Thread simo
On Tue, 2007-05-29 at 14:41 +0300, Stefanos Karasavvidis wrote:
 I use the sernet samba packages on debian sarge and have problems after 
 upgrading to 3.0.25 with rid mappings.
 
 My rid configuration for 3.0.24 looks like this
 
   idmap backend = rid:ISC=500-1
   idmap uid = 500-1
   idmap gid = 500-1
 
 after updating to 3.0.25 I get a core dump of winbind (log at the end of 
 the post) with these settings.
 
 I tried to use the new configuration options, and indeed winbind doesn't 
 have any problems, but I have difficulties in specifying the options to 
 get the same mappings as before. I tried the following
   idmap domains = ISC
   idmap config ISC:default = yes
   idmap config ISC:backend = rid
   idmap config ISC:base_rid = 1000
   idmap config ISC:range = 500 - 1
 
 But these result in different mappings
 
 For example in 3.0.24 (and the old configuration) maps SID 
 S-1-5-21-2054584426-1363897300-1555891258-9296 to uid 9796 (I used 
 wbinfo -S)
 
 In 3.0.25 and the new style configuration, maps the same SID to 8796
 
 So the question:
 what are the correct parameters to get the same mappings as before?

Try base_rid = 0, that's the default.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org
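
Why the two configurations in this thread disagree, as an added example that is not from the original messages: idmap_rid computes the Unix ID as RID - base_rid + low end of the range (the formula given in the idmap_rid man page), so base_rid = 1000 shifts every ID down by 1000. The upper bound 100000 and the second SID are assumptions, because the range on the page is truncated.

```bash
#!/bin/bash
# Added example (not from the thread): the idmap_rid mapping rule
#   unix_id = RID - base_rid + low_id
# applied to the SID quoted in the message above.

# Print the RID, i.e. the last sub-authority of a SID string.
rid_of() {
    printf '%s\n' "${1##*-}"
}

# map_rid SID BASE_RID LOW_ID HIGH_ID
# Prints the Unix ID. Returns 1 if the result falls outside LOW_ID..HIGH_ID
# (such a SID stays unmapped) and 2 if the SID has no numeric RID.
map_rid() {
    local rid id
    rid=$(rid_of "$1")
    case "$rid" in
        ''|*[!0-9]*) return 2 ;;
    esac
    id=$(( rid - $2 + $3 ))
    if [ "$id" -lt "$3" ] || [ "$id" -gt "$4" ]; then
        return 1
    fi
    printf '%s\n' "$id"
}

SID='S-1-5-21-2054584426-1363897300-1555891258-9296'   # SID from the thread
LOW=500        # low end of the range, from the thread
HIGH=100000    # assumed upper bound; the value on the page is truncated

# base_rid = 1000 reproduces the ID reported for the new-style configuration.
echo "base_rid=1000: $(map_rid "$SID" 1000 "$LOW" "$HIGH")"
# base_rid = 0 reproduces the ID reported for the old 3.0.24 configuration.
echo "base_rid=0:    $(map_rid "$SID" 0 "$LOW" "$HIGH")"

# Constructed SID with a low RID: with base_rid = 1000 the result drops below
# the range, so accounts that used to resolve would lose their mapping.
map_rid 'S-1-5-21-1-2-3-512' 1000 "$LOW" "$HIGH" \
    || echo "RID 512 with base_rid=1000: outside the range, not mapped"
```

File ownership on disk is stored by numeric ID, so compare the output against `wbinfo -S` for a few known SIDs before and after an upgrade that changes these settings.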



Re: [Samba] Re : Samba/Winbind slow with Active Directory (Hoogstraten, Ton)

2007-06-04 Thread simo
On Mon, 2007-06-04 at 14:11 +0200, Rodolphe A. wrote:
 How many entries ?
 
 TDB Database is limited 250 users.

No it is not limited to 250 users.
The documentation states that usually for under 250 users installations
TDB may be easier and give good results without going the LDAP way.

250 is just an arbitrary line drawn in the sand to help in decision
making, no hard limit in the code.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



[Samba] Binary_Packages/Debian

2007-05-29 Thread simo
Dear users,

I have uploaded the new 3.0.25a packages compiled for sarge.
At the same time I have removed older 2.2.x and 3.0.x packages for
Woody.

Support for back porting packages to Woody was already discontinued, but
older packages were still provided. As these packages were not updated
after the recent security issues, I decided to remove them to avoid
pushing people to use outdated and insecure packages with the belief
they are ok because they are hosted on samba.org.

I am looking to see if I have time to start publishing packages for
Etch, I am undecided yet, and I may discontinue this service. If someone
is highly motivated and wants to give a hand, please contact me
privately.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Binary_Packages/Debian

2007-05-29 Thread simo
On Tue, 2007-05-29 at 11:36 -0400, Miguel Gonzalez Castaños wrote:

 I am pretty confused. Etch is the latest stable version, why this 
 service would be discontinued? The sarge package is already in the 
 official debian oldstable repository?

I have historically backported new versions to debian stable, as the
Debian policy is to never upgrade packages in stable but just do
security updates or fix bugs in that version.

Etch is the new stable release so I should stop providing packages for
Sarge and start to provide packages for Etch.

I am not yet sure I have time to do this. If I can't I will discontinue
the service of providing packages for Debian Stable (Etch currently).

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Binary_Packages/Debian

2007-05-29 Thread simo
On Tue, 2007-05-29 at 13:44 -0500, Gerald (Jerry) Carter wrote:
 Christian Perrier wrote:
 
  Simo, we already discussed this at SambaXP but why not 
  try to merge the efforts of the Debian packaging team
  for samba and yours/upstream ones?
 
 Simo,
 
 One possibility would be to basically swap the Fedora and
 Debian responsibilities that you and I share.  This would
 make more sense I think.  Then you would have complete
 control over the Fedora packages posted to samba.org and I
 would be able to dig into dpkg (which I've been interested
 in doing anyways since I've completed the migration of my
 servers to Ubuntu).
 
 The 3.0.26 release might be a good swap over point.  Let me
 know if you are interested.

I like this idea. I have to play with Fedora packages anyway.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Binary_Packages/Debian

2007-05-29 Thread simo
On Tue, 2007-05-29 at 14:35 -0500, Gerald (Jerry) Carter wrote:
 simo wrote:
 
  One possibility would be to basically swap the Fedora and
  Debian responsibilities that you and I share.  This would
  make more sense I think.  Then you would have complete
  control over the Fedora packages posted to samba.org and I
  would be able to dig into dpkg (which I've been interested
  in doing anyways since I've completed the migration of my
  servers to Ubuntu).
 
  The 3.0.26 release might be a good swap over point.  Let me
  know if you are interested.
  
  I like this idea. I have to play with Fedora packages anyway.
 
 Yeah.  I thought you might.  Want to use 3.0.26 as the hand
 off point?  I'll keep rolling the Fedora packages in the
 3.0.24/3.0.25 series (as needed) and you pick up the
 packaging/RHEL directory in SAMBA_3_0_26.  I'll do the
 same for packaging/Debian/.

Makes sense.
I'll flush the latest changes I have for packaging/Debian/Stable asap.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Binary_Packages/Debian

2007-05-29 Thread simo
On Tue, 2007-05-29 at 16:12 -0400, simo wrote:
 On Tue, 2007-05-29 at 14:35 -0500, Gerald (Jerry) Carter wrote:
  simo wrote:
  
   One possibility would be to basically swap the Fedora and
   Debian responsibilities that you and I share.  This would
   make more sense I think.  Then you would have complete
   control over the Fedora packages posted to samba.org and I
   would be able to dig into dpkg (which I've been interested
   in doing anyways since I've completed the migration of my
   servers to Ubuntu).
  
   The 3.0.26 release might be a good swap over point.  Let me
   know if you are interested.
   
   I like this idea. I have to play with Fedora packages anyway.
  
  Yeah.  I thought you might.  Want to use 3.0.26 as the hand
  off point?  I'll keep rolling the Fedora packages in the
  3.0.24/3.0.25 series (as needed) and you pick up the
  packaging/RHEL directory in SAMBA_3_0_26.  I'll do the
  same for packaging/Debian/.
 
 Makes sense.
 I'll flush the latest changes I have for packaging/Debian/Stable asap.
 

Jerry,
I committed the latest changes I had to make in order to successfully
build sarge packages.
They are under debian-sarge

There are other 2 directories named debian-unstable and debian-woody.
They are probably very well outdated, so you may want to actually get
rid of them and import etch's debian/ directory in the tree instead.
I don't think we need to maintain also a debian-unstable one unless you
are willing to build for unstable or someone else is willing to send
back changes when they are done in Debian.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Any docs to convert samba server to Win2003 server?

2007-05-23 Thread simo
On Wed, 2007-05-23 at 10:10 -0500, Gerald (Jerry) Carter wrote:
 Gary MacKay wrote:
  Yeah I know. Not a good question to ask on a samba newsgroup.
  Unfortunately for this client, the software they use requires a Windows
  server. Since the box is less than a year old, they do not want to
  purchase a second server for two applications. So, I am left with the
  task of converting the linux/samba server to WinBloze 2003 Server. There
  are only 10 workstations so if I have to unjoin them from the current
  domain and rejoin them I guess I could, but just wondered if there was a
  way to migrate the SID and such over to the new server?
 
 You can use newsid.exe from sysinternals to manually set the
 SID for a Windows machine.  I don't think this applies to
 an AD DC though.  Haven't checked lately.

I once tried to join an AD DC to an existing domain after cloning it out
from a DC of the domain I was going to join, hence I had the same SID
(the join as child domain was failing of course).

I was able to fix it in the image, but I think this may work only
before promoting the machine to a DC, as after that you have the SID
pretty much everywhere in the LDAP store.

However the poster may experiment with SID History maybe ?

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Proposed patches for inclusion in Samba 3.0.25a

2007-05-22 Thread simo
On Tue, 2007-05-22 at 14:44 +0100, Alex Crow wrote:
 Gerry,
 
 I'm afraid that patch has almost rendered the server uncontactable. I am
 now getting constant errors in smbd connecting to my LDAP server:
 
 May 22 14:36:52 print smbd: nss_ldap: failed to bind to LDAP server
 ldap://pdc.ifa.net: Can't contact LDAP server
 May 22 14:36:52 print smbd: nss_ldap: reconnecting to LDAP server
 (sleeping 4 seconds)...
 May 22 14:36:56 print smbd: nss_ldap: failed to bind to LDAP server
 ldap://pdc.ifa.net: Can't contact LDAP server
 May 22 14:36:56 print smbd: nss_ldap: reconnecting to LDAP server
 (sleeping 8 seconds)...

It seems like your ldap server is down.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] 3.0.25 breaks username map?

2007-05-21 Thread simo
On Tue, 2007-05-22 at 11:09 +1200, Jason Haar wrote:
 Christian Perrier wrote:
  Quoting Jason Haar ([EMAIL PROTECTED]):

  Hi there
 
  I was using username map under 3.0.24 so that when I connected from
  DOM\jhaar under (ADS Win2K3) Windows, it was mapped to my local jhaar
  Unix account - with homedir /home/jhaar, etc.
  
 
  That sounds like samba bug #4620
  (https://bugzilla.samba.org/show_bug.cgi?id=4620)
  ...
  Do you use security=server? The problem should disappear if you
  switch to security=domain.
 

 Sorry - it's security=ADS. I saw that bug report before and didn't
 think it applied to me as we're not using security=server

Jason I think we have fixed this problem in SAMBA_3_0_25 (commit r23049)
and the fix will be in 3.0.25a.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Auth issues in 3.0.25

2007-05-17 Thread simo
On Thu, 2007-05-17 at 13:47 +0100, Matt Baker wrote:
 Hi All,
 
 since an upgrade from 3.0.24 to 3.0.25 on 2 separate sun solaris
 (v3.8,v3.9) boxes I have experienced an inability to authenticate.
 
 $ smbclient  -L //serverbox -U username
 Password:
 session setup failed: NT_STATUS_LOGON_FAILURE
 
 
 My global config is as follows:
 
 workgroup = WORKGROUP
 server string = SERVERBOX Samba Server
 security = SERVER

[...]

 In the working version of 3.0.24 I can see that at the same point of
 mapping the user, the log indicates that all further steps are passed to
 trying to find the ad server, connecting, verifying the user etc... It
 doesn't use check_ntlm_password.
 
 
 Any advice would be very welcome,

Matt,
it seems we found a bug with the security = server authentication method.
We have a fix in our svn trees now, and I guess it will be made
available in the next code release.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: svn commit: samba r22972 - in branches/SAMBA_4_0/source/setup: .

2007-05-17 Thread simo
On Thu, 2007-05-17 at 10:33 +, [EMAIL PROTECTED] wrote:
 Author: tridge
 Date: 2007-05-17 10:33:40 + (Thu, 17 May 2007)
 New Revision: 22972
 
 WebSVN: 
 http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=22972
 
 Log:
 
 added the basic ldif needed to support group policies in Samba4. WinXP
 clients do correctly see our group policies, but the gpmc admin tool
 doesn't yet work to allow you to edit the policies
 
 Modified:
branches/SAMBA_4_0/source/setup/provision.ldif
branches/SAMBA_4_0/source/setup/provision_basedn_modify.ldif
 
 
 Changeset:
 Modified: branches/SAMBA_4_0/source/setup/provision.ldif
 ===
 --- branches/SAMBA_4_0/source/setup/provision.ldif2007-05-17 09:48:17 UTC 
 (rev 22971)
 +++ branches/SAMBA_4_0/source/setup/provision.ldif2007-05-17 10:33:40 UTC 
 (rev 22972)
 @@ -95,3 +95,31 @@
  objectCategory: CN=Builtin-Domain,${SCHEMADN}
  isCriticalSystemObject: TRUE
  
 +dn: CN={${POLICYGUID}},CN=Policies,CN=System,DC=bludom,DC=tridgell,DC=net

Tridge, I am not sure this is correct :-) ---^^^
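
Review bot: the added "dn:" line hard-codes the base DN "DC=bludom,DC=tridgell,DC=net", while the unchanged context just above builds its value from a substitution variable (${SCHEMADN}) and the same added line already uses ${POLICYGUID}. As written, the policy container would be created under that one fixed domain on every provisioned server. Replace the literal DC components with the template's variable for the domain's base DN, and check the remaining added lines of this hunk (the header says 28 lines were added, only one is visible here) for the same literal.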

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] winbindd tdb cache

2007-05-15 Thread simo
On Tue, 2007-05-15 at 18:41 +0200, Bernd Schubert wrote:
 Hi,
 
 we are running into a problem that winbindd sometimes caches negative
 entries into its tdb database. We are still investigating the reason for
 that.
 However, another question, when winbindd caches an entry into its tdb
 database, is there any timeout for those tdb entries? While walking through
 the code I don't see any relation between winbindd_cache.c and idmap_tdb.c.
 Is winbindd_cache.c only for memory related caching?
 
 If I would like to add a cache timeout to the tdb database, what would be
 the best approach?
 
 Thanks in advance,
 Bernd
 
 
 PS: We are still using samba-3.0.22, and for several reasons also don't want
 to update our customer systems.

In 3.0.25 we have reworked the idmap subsystem and we made available
both positive and negative cache timeouts for the cache (which is
separate from idmap_tdb itself now).

If you can't change version you can probably borrow the code from there
somehow. I think I also posted some code for 3.0.24 a few months ago
that implemented a negative caching system with timeout, before we
decided for the major rework.
Search the archives.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] samba users and group mapping

2007-05-14 Thread simo
On Mon, 2007-05-14 at 18:13 -0300, Sebastian Firpo wrote:
 Hi! I need to know how SID numbers are generated when I create a user 
 or when I mapped a posix group with a samba group.

Depending on the version of samba generated algorithmically for the
uid/gid or assigned monotonically incrementing an index.

 Could I have a samba group and a samba user with the same SID? Will it 
 bring me problems?

Many, Windows machines will not be able to distinguish between the user
and the group, and neither samba.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Possible problem w/ 'idmap restore' under 3.0.25rc3 (the sequel)

2007-05-11 Thread simo
On Thu, 2007-05-10 at 01:54 -0500, Don Meyer wrote:
 At 04:40 PM 5/9/2007, simo wrote:
 On Fri, 2007-05-04 at 19:14 -0500, Don Meyer wrote:
   At 06:00 PM 5/4/2007, simo wrote:
   Sorry for the problem, this slipped through during recent patches to fix
   the sid checking layer violation and the idmap offline code.
  
   No problem.
  
   I may have another for you, however.   This patch enables me to
   successfully restore when using a tdb backend.  However, when using
   idmap_ldap, it seems that winbind is opening a connection to the ldap
   server and not closing it for many updates/queries.
  
   When I try 'net idmap restore' when using idmap_ldap, the command
   will plug away until the ldap server starts complaining accept(8)
   failed errno=24 (Too many open files).   netstat -aln shows around
   1000 open connections from winbind on another system. (The one 
  with 3.0.25rc3+)
 
 Found the problem, see patch for revision 22771.
 Another one-liner :/
 
 Thanks again for testing rc3 out.
 
 
 Simo, you are going to think I'm picking on you, but I think we may 
 have yet another problem...

No, if there are problems, better to know.

 The 22771 patch does fix winbindd's abuse of the ldap server -- when 
 I start winbind, it opens two sessions to the ldap server.  When I 
 subsequently try the 'net idmap restore' command to restore several 
 thousand SID-UID/GID mappings,  all the transactions flow one of 
 those TCP sessions.  However, the command throws a huge list of 
 errors (thousands) that we've seen before IIRC, and we thought you 
 had fixed with patch 22677:

[..]

 Afterward, testing the UID mappings that should have been established 
 (by 'getent passwd {username}' results in allocation of a new number.

I need to know what error you get, I have no errors in storing the IDs,
They get created in ldap for me.
Maybe you can get to the real error the server returns?

 My first thought was that perhaps I missed the original patch for 
 this problem, so I reset the smb.conf back from ldap to tdb mode, 
 cleaned out /var/lib/samba/ and restarted the smb & winbind service, 
 then issued the same 'net idmap restore' command -- which finished 
 without a single error, and successfully initialized all the 
 users/groups to their correct UID/GID.
 
 So, the previous patch fixes TDB mode, but that particular problem 
 appears to still exist under LDAP mode.
 
 If there is any additional info you need (or tests to run) to help 
 diagnose this problem, I'd be glad to try to get it for you.

Need to know why the ldap server refuses to create the entries.
I can't repro this.
Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Possible problem w/ 'idmap restore' under 3.0.25rc3 (the sequel)

2007-05-11 Thread simo
On Fri, 2007-05-11 at 20:32 -0500, Don Meyer wrote:

 OK, this problem was definitely on my end.   I rebuilt fresh packages 
 from SVN, reinstalled & reinitialized the LDAP server, and everything 
 worked just fine this time.  FWIW, I think I may have mistakenly 
 copied in one of the smb.conf variants that was set up for a 
 master-replica LDAP system when my replica is not replicating.   I 
 made sure to use the master-only variant this time, and everything is 
 just fine.
 
 Sorry for the false alarm.
 -D

Good to know,
thanks again for your testing, it is always really appreciated.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Possible problem w/ 'idmap restore' under 3.0.25rc3

2007-05-09 Thread simo
On Fri, 2007-05-04 at 19:14 -0500, Don Meyer wrote:
 At 06:00 PM 5/4/2007, simo wrote:
 Sorry for the problem, this slipped through during recent patches to fix
 the sid checking layer violation and the idmap offline code.
 
 
 No problem.
 
 I may have another for you, however.   This patch enables me to 
 successfully restore when using a tdb backend.  However, when using 
 idmap_ldap, it seems that winbind is opening a connection to the ldap 
 server and not closing it for many updates/queries.
 
 When I try 'net idmap restore' when using idmap_ldap, the command 
 will plug away until the ldap server starts complaining accept(8) 
 failed errno=24 (Too many open files).   netstat -aln shows around 
 1000 open connections from winbind on another system. (The one with 
 3.0.25rc3+)

Found the problem, see patch for revision 22771.
Another one-liner :/

Thanks again for testing rc3 out.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] TDB functionality document

2007-05-08 Thread simo
On Wed, 2007-05-09 at 00:05 +0530, Aravinda Guzzar wrote:
 Hi,
 
 Does someone know a document which explains the TDB structure,
 functionalities, and format of the TDB files etc.
 
 I need to understand why some of the TDBs like messages.tdb, unexpected.tdb,
 brlock if not read_only, locking.tdb, session.tdb, wins.tdb are called with
 TDB_CLEAR_IF_FIRST tdb flags.

This flag is used to clean up the db contents on startup. If the process
is the first consumer it will clean out the TDB, otherwise not.

This is used because these are temporary TDBs, it makes no sense to keep
the content when the consumers are restarted from scratch.

 Why some TDBs are opened with O_RDWR|O_CREAT flags viz. gencache.tdb,
 group_mapping.tdb, account_policy.tdb, share_info.tdb, secrets.tdb.
 schannel_store.tdb etc. etc.

These are permanent TDBs, you need to create them only if they do not
exist, otherwise just open RW.

 why registry.tdb is uniquely been tried to open with O_RDWR flag and if
 fails then tried with O_RDWR|O_CREAT flag.

no idea

 and such internal details of the TDBs.

I think the best we have right now is in tdb/docs/README

Feel free to post questions but you will have better chances to reach
the developers (ie people that understand TDB internals) by posting at
[EMAIL PROTECTED]

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] SAMBA Problem - Users take ownership

2007-05-07 Thread simo
On Mon, 2007-05-07 at 09:25 -0600, Travis Bullock wrote:
 OK. I did an upgrade on this server to FC6 so the new options will be 
 available to me. 
 
 The inherit owner option seems to do the trick in keeping users from taking 
 ownership.
 
 Only one problem left:
 
 When I open, edit and change a file it is changing the file permissions from:
 
 rwxrwx---
 
 to
 
 rwxrw---
 
 Not sure why. Any ideas?

see the store dos attributes option

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Upgrade 3.0.24-3.fc5 to 3.0.24-4.fc5 Anomaly

2007-05-06 Thread simo
On Sun, 2007-05-06 at 13:51 +0100, Ken Smith wrote:
 As part of our deployment of FC updates we have upgraded our office 
 server from 3.0.24-3 to 3.0.24.4. We got some strange results.

[...]

This is probably related to the msdfs root default we changed in the RH
packages (and that is going to change in 3.0.25). Have you tried to
reboot a client and just un-map and re-map the share? That should have
fixed it. Unfortunately this side effect can't be avoided and I
preferred making sure we caught it sooner (less people upgraded to 24
yet) than later.

See also https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235821

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Winbind configuration

2007-05-06 Thread simo
On Sun, 2007-05-06 at 17:14 +0300, Petteri Hakkarainen wrote:
 Hi list,
 
 Lets say there exists a Windows domain environment I would like to log
 on to from a Linux workstation using plain Windows domain accounts (no
 local account on any Linux workstation). Do I need a Samba server
 configured as a domain member _and_ do I have to configure all the
 workstations for winbind?

For login you just need to use winbindd, you don't need smbd or nmbd
running (unless you also want to use file sharing of course).

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: R: R: [Samba] Winbind configuration

2007-05-06 Thread simo
On Sun, 2007-05-06 at 20:45 +0300, Petteri Hakkarainen wrote:

 So there is no need for a samba server to be added as a domain member
 server? Isn't binding a station to a domain and id mapping done by the
 samba server?

The join is done by the net join utility and id mapping is done by
winbindd.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] cannot start smbd on AIX 5.3

2007-05-06 Thread simo
On Sun, 2007-05-06 at 14:29 -0700, Tiucra-Popa Florin Catalin wrote:
 Hi Jeremy,
 
 In other words another cheap answer like: we can't afford to document
 how you can do it because we are too busy to develop new candidates.
 Don't bother anymore I will choose probably to BUY a stable program
 that can do the job and have at least one support guy that is really
 support that.
 
 No more words to say

Jerry and Jeremy already said much of what I would have said, but I'd
like to add that if you are inclined to BUY a stable program, then I can
tell you that you can BUY samba with support from many vendors.

I have no words to say when I see someone expecting Free Support and
whining if they don't get it.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: svn commit: samba r22694 - in branches/SAMBA_4_0/source/lib/ldb/common: .

2007-05-06 Thread simo
On Sun, 2007-05-06 at 11:03 +, [EMAIL PROTECTED] wrote:
 Author: vlendec
 Date: 2007-05-06 11:03:33 + (Sun, 06 May 2007)
 New Revision: 22694
 
 WebSVN: 
 http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=22694
 
 Log:
 It seems that AIX 5.3 with XLC has difficulties with ctype.h. This is
 an attempt to work around this: Maybe it helps if we include other stuff
 first.
 
 This raises a question however: Do we want the DN handling to be locale
 dependent? isalpha() can return different things depending on the
 current locale.

Uhmm, we may want to add an isascii() on top, just to be sure (attribute
names can contain only ascii chars).

Thanks, for spotting this.

Simo.


-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Possible problem w/ 'idmap restore' under 3.0.25rc3

2007-05-05 Thread simo
On Fri, 2007-05-04 at 19:14 -0500, Don Meyer wrote:
 At 06:00 PM 5/4/2007, simo wrote:
 Sorry for the problem, this slipped through during recent patches to fix
 the sid checking layer violation and the idmap offline code.
 
 
 No problem.
 
 I may have another for you, however.   This patch enables me to 
 successfully restore when using a tdb backend.  However, when using 
 idmap_ldap, it seems that winbind is opening a connection to the ldap 
 server and not closing it for many updates/queries.
 
 When I try 'net idmap restore' when using idmap_ldap, the command 
 will plug away until the ldap server starts complaining accept(8) 
 failed errno=24 (Too many open files).   netstat -aln shows around 
 1000 open connections from winbind on another system. (The one with 
 3.0.25rc3+)
 
 When watching netstat on the ldap server system, each query to 
 winbind that one would expect it to talk to the ldap server generates 
 a new TCP session which hangs around until winbind is 
 restarted.  (Granted, I have not waited more than 10 minutes yet, but 
 this seems a bit extreme...)  For instance, after winbindd restart, 
 the first 'getent passwd user1' request opens a session.   Running 
 that command again does not.  (Cached)  Running 'getent passwd user2' 
 opens another session, etc.  This occurs whether the UID is already 
 present, or if it needs to be added new.
 
 If you need more information on any of this, just let me know.   It 
 seems so close... ;-)

Oh this is pretty bad, it seems there is some problem in the smbldap
library recognizing if the connection is still open or not :/

At least you found an easy way to reproduce it which means it should be
easy to find how to fix it.

I will work on this tomorrow or Monday, thanks for the report, I'll post
here as soon as I get a clue on what is wrong and a patch.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] mount.cifs and sec=krb5

2007-05-04 Thread simo
On Fri, 2007-05-04 at 15:17 -0500, Ben Vaughan wrote:
 Hello fellow Samba folks,
 
 I am attempting to mount a cifs share on a RHEL 5 box using  
 mount.cifs.  The server is another RHEL 5 box.  Both boxes are joined  
 to the same Kerberos realm (AD).
 
 I kinit to get my Kerberos tickets.
 
 This is the mount command I'm using:
 
 mount.cifs  //rhel5.server.iastate.edu/benvon ./mnt -o  
 user=benvon,sec=krb5

[..]

 Does anyone have any advice?  I can produce as much logging as may be  
 needed.

Ben, the kernel module does not yet support kerberos, that's the problem.

 If this isn't the proper place to be asking questions about  
 mount.cifs, please redirect me.

mount.cifs is fine, it is the kernel module that is still not complete
(wrt kerberos), you may ask info on the cifs module to
[EMAIL PROTECTED]

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Possible problem w/ 'idmap restore' under 3.0.25rc3

2007-05-04 Thread simo
On Fri, 2007-05-04 at 14:36 -0500, Don Meyer wrote:
 Folks,
 
 Maybe it's me, or my systems, but I've found that idmap restore 
 simply doesn't work under samba-3.0.25rc3.
 
 When I try to import the idmap.dump file I create from one of my 
 older systems into a fresh 3.0.25rc3 installation, I get a huge 
 stream of errors along the line of could not set mapping of 
 (UID|GID) to sid x.   This happened whether I was using 
 idmap_tdb or idmap_ldap.   The same idmap.dump file restores 
 successfully on my other 3.0.23 & 3.0.24 systems.
 
 I went further and used getent passwd to populate the system's 
 idmap from the AD (while using idmap_tdb, BTW), and then ran the 'net 
 idmap dump' command, which generated a file that looked fairly 
 identical in structure to the idmap.dump file I got from the previous 
 version.   Following this, I tried to 'net idmap restore' the idmap 
 dump file I had just created, and received the same long string of 
 errors.   Thus, I suspect there is something not quite right in the 
 'net idmap restore' functionality...

Can you please send me the output with the errors at debug level 10
(just add -d10 to the command)?
I will try to fix this in time for 3.0.25 final if possible.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] v3.0.25-final?

2007-05-04 Thread simo
On Fri, 2007-05-04 at 15:23 -0700, Guillermo Gutierrez wrote:
 How close are we to seeing the final release of samba 3.0.25?
 

From: Gerald (Jerry) Carter [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Samba 3.0.25 and 3.0.26 updates
Date: Fri, 04 May 2007 16:44:19 -0500 (17:44 EDT)
Mailer: Thunderbird 1.5.0.10 (X11/20070306)


Just some updates on what's going on before the weekend.

* SAMBA_3_0_RELEASE is 3.0.25 final.  There will
  be a few more minor changes  but right now I'm
  not inclined to do another RC4 in spite of the
  rather large diff between 3.0.25rc3 and the
  release tree.  Release is planned for May 14.

* The SAMBA_3_0_26 svn branch has been created and is
  now open for general developer churn.  The tree will
  be open for major changes until June 4.  After that
  we'll start locking down and moving towards a
  stable release in July.

* The SAMBA_3_0_26.bzr svn mirror has been pushed out
  to the normal place http://www.samba.org/~jerry/bzr/



-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Possible problem w/ 'idmap restore' under 3.0.25rc3

2007-05-04 Thread simo
On Fri, 2007-05-04 at 14:36 -0500, Don Meyer wrote:
 Folks,
 
 Maybe it's me, or my systems, but I've found that idmap restore 
 simply doesn't work under samba-3.0.25rc3.

True, 1 line fix here:
http://websvn.samba.org/cgi-bin/viewcvs.cgi/branches/SAMBA_3_0_25/source/nsswitch/winbindd_async.c?rev=22677&r1=22675&r2=22677

Sorry for the problem, this slipped through during recent patches to fix
the sid checking layer violation and the idmap offline code.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Problem with Samba-3.0.25rc3 idmap_ldap (winbind dumps core)

2007-05-03 Thread simo
On Wed, 2007-05-02 at 19:34 +, [EMAIL PROTECTED] wrote:
 On Tue, May 01, 2007 at 02:49:10AM -0500, Don Meyer wrote:
 [...]
 
  Then I traced the secret retrieval process back to passdb/secrets.c, 
  where I then traced the secrets_store_generic function back out to 
  the 'net idmap secret' command.   For others' reference, to set the 
  ldap_user_dn password for each defined domain, and for the idmap 
  alloc config side, you use the following commands:
  
  net idmap secret DOMAIN secret
  net idmap secret alloc secret
  
  
  (Note:  A little pointer dropped in the man page for idmap_ldap would 
  have been quite helpful here...)
 
 There is a note in the man pages that says:
 
   NOTE
 
   In order to use authentication against ldap servers you may need to
   provide a DN and a password. To avoid exposing the password in plain
   text in the configuration file we store it into a security store. The
   net idmap  command is used to store a secret for the DN specified in a
   specific idmap domain. 
 
 From:
 http://www.samba.org/samba/docs/man/manpages-3/idmap_ldap.8.html
 
 
 [..]
 
  I'm having trouble tracing this beyond the idmap_init function in 
  nsswitch/idmap.c.
  
  
  If this points to a problem in samba, I hope this helps.   On the 
  other hand, if this is a problem in my setup, any pointers in the 
  direction of fixing it would be greatly appreciated.
 
 A core dump is definitively an issue, I will try to reproduce and fix it
 today on my train trip or at worst tomorrow.

Dan, found the problem, it was our fault.
I fixed it in r22645.
Here
http://websvn.samba.org/cgi-bin/viewcvs.cgi?makepatch=1&rev=22645&view=rev
you can get the patch and apply it to test everything else is ok for
you.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Group permission problems with winbind NFS

2007-05-03 Thread simo
On Mon, 2007-04-30 at 23:35 -0500, Don Meyer wrote:
[..]
 This system NFS mounts the remote file storage resource on a backend 
 RHEL4 server.   The public facing web frontends also mount these same 
 resources.   Here is where things get hinky -- some users can write 
 to the directories on the NFS mount, and some cannot.   If the 
 directory in question is owned by the user, then no problems 
 writing.   If not, but the directory's owning group contains the user 
 as a member, then only sometimes can the user add/change/remove files 
 in the directory.

First, re-exporting NFS mounts via samba is really not a good practice,
and we usually discourage it completely.

 I also thought it might have something to do with nested groups, but 
 even simple groups with only users as members exhibit the failure 
 over NFS.   I have had the thought that it could be the length of 
 some of the groupnames, as some of them are pretty long:  the longest 
 is 64 bytes.  The one I did most testing with is only 10 bytes long, however.

The NFS protocol limits the number of groups per user to 16 and truncates
all others, so you are not really able to tell the server you are in
group #17 or #18 and so on. I am 99.9% sure this is the problem you are
experiencing.

That's why approximately you can have it working with older groups as
they are probably just reported first and result in the first 16.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org
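
The 16-group cut-off described in the reply above, modelled as an added example (not part of the original thread and not Samba or NFS project code). It assumes the client sends the primary GID plus the first 16 supplementary GIDs in the order `id -G` prints them; the function names and the sample GID list are constructed for illustration.

```shell
#!/bin/sh
# Added example: which groups survive an AUTH_SYS NFS credential.
# Assumption: the first GID in the list is the primary group and the
# supplementary groups are sent in list order until the limit is reached.
NFS_AUTH_SYS_MAX=16

# sent_gids "<primary> <supp...>" -> GIDs the NFS server actually sees
sent_gids() {
    set -- $1
    primary=$1; shift
    out=$primary; n=0
    for g in "$@"; do
        if [ "$g" = "$primary" ]; then continue; fi
        n=$((n + 1))
        if [ "$n" -gt "$NFS_AUTH_SYS_MAX" ]; then break; fi
        out="$out $g"
    done
    echo "$out"
}

# dropped_gids "<primary> <supp...>" -> GIDs cut from the credential
dropped_gids() {
    set -- $1
    primary=$1; shift
    out=""; n=0
    for g in "$@"; do
        if [ "$g" = "$primary" ]; then continue; fi
        n=$((n + 1))
        if [ "$n" -gt "$NFS_AUTH_SYS_MAX" ]; then out="${out:+$out }$g"; fi
    done
    echo "$out"
}

# group_usable_over_nfs "<gid list>" <owning-gid> -> status 0 if the
# directory's owning group is among the GIDs the server receives
group_usable_over_nfs() {
    for g in $(sent_gids "$1"); do
        if [ "$g" = "$2" ]; then return 0; fi
    done
    return 1
}

# Constructed sample: primary GID 100 plus 18 supplementary groups.
# On a live NFS client use instead: SAMPLE=$(id -G "$USER")
SAMPLE="100 10001 10002 10003 10004 10005 10006 10007 10008 10009 10010 10011 10012 10013 10014 10015 10016 10017 10018"
echo "dropped over NFS: $(dropped_gids "$SAMPLE")"
```

Comparing the dropped list against the owning GID of a directory that fails (`stat -c %g DIR` on Linux) shows whether that user's write failure is explained by the limit.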



Re: svn commit: samba r22557 - in branches/SAMBA_4_0/source: dsdb/samdb/ldb_modules lib/ldb/common

2007-04-28 Thread simo
On Sat, 2007-04-28 at 15:18 +, [EMAIL PROTECTED] wrote:
 Author: abartlet
 Date: 2007-04-28 15:18:25 + (Sat, 28 Apr 2007)
 New Revision: 22557
 
 WebSVN: 
 http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=22557
 
 Log:
 Simo has long bugged me that the paths in the sam.ldb partitions were
 not relative to the location of the sam.ldb, but instead
 lp_private_dir().
 
 This fixes that issue.

Thank you!

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Guide to porting to non-unix like systems?

2007-04-27 Thread simo
On Sat, 2007-04-28 at 00:43 +0200, Andreas Fredriksson wrote:
 Hi,
 I'd like to get a rough idea on how much work it would be to port
 Samba to a non-unix platform. My plan was to use a slimmed-down samba
 to read and write files on a particularly unfriendly piece of
 proprietary hardware we use at work. I'm fine with a minimalistic
 samba as this port would be for internal, single-developer use and not
 intended for file serving in general.

Andreas,
this kind of question would be served better if posted on
[EMAIL PROTECTED] as it is about technical matters.

 Here are some things I'm wondering about, given the background:
 
 1) Is fork() required, or could it be emulated via threads?
 
 2) Could nmbd and smbd share a single process w.r.t 1) or is even
 possible to drop nmbd and just serve stuff slowly with a single smbd
 process?
 
 3) Is Samba very tightly tied to the POSIX file/directory APIs? My
 intended target system has a rich I/O API (including async
 capabilities and various bells and whistles) but the APIs are fairly
 exotic and don't map well to e.g. DIR and file descriptors.
 
 4) Is there a checklist somewhere of stuff a target system for
 smbd/nmbd would have to support to make a port feasible?

If you don't have fork, and have a better I/O API I'd direct you at
looking at samba4.

Samba4 can run in a single process.

Samba4 integrates the NBT functionality without requiring a second
daemon.

In Samba4 you can write NTVFS modules without necessarily using posix
semantics (like samba3 vfs layer requires instead).

While samba4 is still not released it should be ok for the kind of use
you have in mind.

Samba4 can have a better memory footprint as well.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Redundant ldap idmap backend possible?

2007-04-20 Thread simo
On Fri, 2007-04-20 at 14:23 +0200, Lars Berntzon wrote:
 Hi, I have just started to turn my Linux boxes over to use winbind for
 authentication and ldap based idmap backend servers (open-ldap). As far as I
 understand the documentation (for version 3.0.23c) it is only possible to
 specify one ldap server, my config line looks like: 
 
  
 
 idmap backend = ldap:ldap://idmap.xelerated.com
 
  
 
 I did try to map the idmap.xelerated.com entry in DNS to two servers, but it
 only uses the first entry returned from the DNS server.
 
  
 
 I want my environment to work even if one of the LDAP-servers goes down, how
 do I implement redundancy?


IIRC:
ldap:ldap://server1,ldap://server2;

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org


