Re: [Samba] NT_STATUS_LOGON_FAILURE configuring samba with ads and no winbind
On 09/05/2012 08:33 PM, Nitin Thakur wrote:

I can't figure this out; I have reached the end of the internet. I want to configure Samba to work with ADS but no winbind. I am able to do kinit and then net ads join. But every time I try to access the share I get prompted for uid and passwd and then authentication failure. When I look at the logs, the server is able to find the password server but can't find my ID in AD, which exists... I always end up with this error.

Get_Pwnam_internals didn't find user [xxx]!
[2012/09/05 14:32:59.750611, 1] auth/user_krb5.c:162(get_user_from_kerberos_info)
  Username XXX\xxx is invalid on this system
[2012/09/05 14:32:59.750782, 3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

Any pointers?

Thanks,
Nitin

Nitin,

You must have a good reason for wanting to avoid use of winbind. Please share with us your concerns. What is your understanding as to how this should work?

- John T.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba Platform Support Clarification
David,

Samba indeed can be used on a wide range of operating systems to provide file and print interoperability with Microsoft Windows platforms. The Samba source code can be compiled to run on many operating system platforms. In the past it has been built and run on Linux, UNIX (all flavors), VME, VMS, MVE, etc.

Samba is included with nearly all Linux distributions whether used natively or in virtual machines. You should be able to obtain Samba binaries (RPM packages) for your z/VM-based Red Hat Linux system. If not, you may have to build them on your platform.

- John T.

On 06/15/2012 04:04 PM, David Moss wrote:

Good evening. I'm seeking to verify the feasibility of using Samba as a file and print server running under the Linux operating system (Red Hat or SUSE), itself running under the System z Virtual Machine (z/VM). The documentation I've seen seems to indicate that Samba runs under Linux, but virtually all the specifics seem to speak in terms of UNIX. So I'd appreciate it for my peace of mind if you could please confirm whether (1) Samba runs under Linux, and even more specifically if possible, (2) whether Samba runs under Linux running under z/VM on System z.

Thank you for any clarification you can provide.

Regards
Dave Moss
Senior Certified Executive Systems Architect
Open Group Distinguished Certified IT Architect
System z Client Architect
IBM Corporation
6710 Rockledge Drive
Bethesda, Maryland 20817
US Federal (301) 803-62208-262-6220
Cell Phone 703 268 0402
mo...@us.ibm.com
Re: [Samba] Proposal to change security=share in Samba 4.0
On 02/27/2012 04:58 AM, Andrew Bartlett wrote:

I recently proposed on samba-technical that for Samba 4.0, that we change security=share to have the following semantics:

- All connections are made as the guest user
- No passwords are required, and no other accounts are available.

Naturally, full user-name/password authentication remains available in security=user and above.

The rationale is that we need a very simple way to run a 'trust the network' Samba server, where users mark shares as guest ok. I want to keep these simple configurations working. At the same time, I want to close the door on one of the most arcane areas of Samba authentication.

The problem comes from the fact that Samba never implemented security=share properly: instead of having one password per share, we tried to guess the username, and match that to a username/password pair. Not only is this code complex, it begins to fail with modern clients and modern security settings.

For example, NTLMv2 relies on the username and workgroup, but clients which send NTLMv2 do not send these in the 'tree connect' request that contains the password. Instead, we must remember the previous unchecked 'session setup', and apply the password from there. If we instead guess the username, then NTLMv2 will not work.

Finally, Samba clients only send LM passwords to security=share servers. LM passwords are very insecure, and are now off by default. As such, Samba clients will not connect to any server running security=share by default.

If you use security=share, and feel that your particular configuration cannot be handled any other way, please let me know, so we can find the best way to handle your particular requirements.

Thanks,
Andrew Bartlett

Is there any reason we can not do away with security = share and get rid of this altogether? Was there not a prior proposal to deprecate this back in the early days of 3.0.x?

- John T.
Re: [Samba] Can't remember name of command to temporarily disable a share
On 09/27/2011 10:13 PM, Christ Schlacta wrote:

I need to temporarily disable a share for a few days. I remember there was an entry I could add to the share definition to temporarily disable the share (I think it was disabled=true or enabled=false) but I can't remember what it was for sure, nor can I find it in the manual. What is it?

That parameter would be:

available = no
browseable = no

- John T.
Re: [Samba] Samba 3.6.0: unable to list Active Directoy users WBC_ERR_DOMAIN_NOT_FOUND
On 08/19/2011 03:54 AM, David Touzeau wrote:
On Thursday 18 August 2011 at 13:26 +0200, Benedikt Schindler wrote:
On 18.08.2011 06:07, John H Terpstra wrote:
On 08/17/2011 02:05 PM, David Touzeau wrote:

I think this new version is not really ready for production... There are so many strange things... Or misunderstanding what's going wrong

I respect that some may be experiencing difficulties with deployment of Samba 3.6.0. I have been using 3.6.0 in its various pre-release forms (and now the stable release) for many months without a single problem. I have deployed it in some very complex as well as some simple configurations - all without any issues. The purpose of this response is to point out that Samba 3.6.0 is perhaps not as not really ready for production use readers of this list may interpret from these reports.

Cheers,
John T.

On Monday 15 August 2011 at 14:07 -0700, Linda W wrote:
Peacock,Josh wrote:

I am also experiencing the same problems. I am running 3.6 on AIX 6.1. I do have a 3.5.8 installation running without problem (I understand some major changes have happened.) I took the smb.conf from my 3.5.8 install and changed appropriately for 3.6 (At least as far as I can tell).

Yeah, I still have this error even after downgrading to 3.5.10 -- I think 3.6 corrupted my userdb or changed the format... I suppose I need to allocate a new one and start from scratch to fix it... But lots of problems related to looking up the domain, the PDC and some users. I did try to report it, but since I wasn't certain what was going on and just had a bunch of random symptoms, I got ignored. But I did warn them that other users would likely have problems and should be warned... That was ignored too..

I had the same error until today.
It works for me with base_rid = 0

TRY:

idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : range = 6-5000
idmap config MYDOMAIN : base_rid = 0

-- Benedikt

I have set

idmap config MYDOMAIN : backend = ad

Is there any difference using

idmap config MYDOMAIN : backend = rid

instead of

idmap config MYDOMAIN : backend = ad

when using Active Directory?

Check the man pages (man idmap_rid) and (man idmap_ad):

The RID method generates the uid/gid from the RID. As a result all users in Active Directory can access the Samba server.

The AD method requires the use of the RFC2307bis extensions to the Active Directory schema and that you populate the uid and gid in with valid values using the Active Directory Users and Group management tool. If you have not populated the RFC2307bis uid/gid values the user will not be able to access the Samba server.

Using the AD method the systems administrator has control over which users can and cannot access the Samba server/s.

- John T.
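The difference between the two backends described in the reply above, as an added example that is not part of the thread and not Samba code. It applies the formula documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID, and models idmap_ad as a lookup of a pre-populated uidNumber filtered by the range. The domain SID, user names, directory contents and range are constructed for illustration.

```python
"""Added example: which accounts receive a Unix ID under idmap_rid vs idmap_ad."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class IdmapRange:
    low: int           # first Unix ID the backend may use
    high: int          # last Unix ID the backend may use
    base_rid: int = 0  # idmap_rid only: the RID that maps to `low`


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def rid_backend(sid: str, domain_sid: str, rng: IdmapRange) -> Optional[int]:
    """idmap_rid: purely algorithmic, ID = RID - BASE_RID + LOW_RANGE_ID.

    Every account of the domain whose result lands inside the range is
    mapped; nothing has to be provisioned per user.
    """
    domain, rid = split_sid(sid)
    if domain != domain_sid:
        return None  # SID belongs to another domain
    unix_id = rid - rng.base_rid + rng.low
    return unix_id if rng.low <= unix_id <= rng.high else None


def ad_backend(sid: str, directory: Dict[str, dict], rng: IdmapRange) -> Optional[int]:
    """idmap_ad: use the uidNumber stored on the AD object, if any.

    Accounts without a populated uidNumber, or with one outside the
    configured range, are not mapped and so cannot use the server.
    """
    uid = directory.get(sid, {}).get("uidNumber")
    if uid is None or not rng.low <= uid <= rng.high:
        return None
    return uid


def who_can_map(users, domain_sid, rng, directory):
    """Return {name: (uid via rid backend, uid via ad backend)}."""
    return {
        name: (rid_backend(sid, domain_sid, rng), ad_backend(sid, directory, rng))
        for name, sid in users.items()
    }


# Constructed sample data (not taken from the thread).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
USERS = {
    "alice": DOMAIN_SID + "-1104",
    "bob": DOMAIN_SID + "-1105",
    "carol": DOMAIN_SID + "-250000",  # RID too large for the range below
}
# Only alice and carol had RFC2307 attributes filled in by the administrator.
DIRECTORY = {
    USERS["alice"]: {"uidNumber": 10001},
    USERS["carol"]: {"uidNumber": 10003},
}
RANGE = IdmapRange(low=10000, high=19999, base_rid=0)

if __name__ == "__main__":
    for name, (via_rid, via_ad) in who_can_map(USERS, DOMAIN_SID, RANGE, DIRECTORY).items():
        print(f"{name:6} rid={via_rid} ad={via_ad}")
```

With the rid backend the range size is the only gate, so a range that is too small silently excludes high-RID accounts; with the ad backend the gate is whether an administrator populated the attribute.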
Re: [Samba] Samba 3.6.0: unable to list Active Directoy users WBC_ERR_DOMAIN_NOT_FOUND
On 08/17/2011 02:05 PM, David Touzeau wrote:

I think this new version is not really ready for production... There are so many strange things... Or misunderstanding what's going wrong

I respect that some may be experiencing difficulties with deployment of Samba 3.6.0. I have been using 3.6.0 in its various pre-release forms (and now the stable release) for many months without a single problem. I have deployed it in some very complex as well as some simple configurations - all without any issues. The purpose of this response is to point out that Samba 3.6.0 is perhaps not as not really ready for production use readers of this list may interpret from these reports.

Cheers,
John T.

On Monday 15 August 2011 at 14:07 -0700, Linda W wrote:
Peacock,Josh wrote:

I am also experiencing the same problems. I am running 3.6 on AIX 6.1. I do have a 3.5.8 installation running without problem (I understand some major changes have happened.) I took the smb.conf from my 3.5.8 install and changed appropriately for 3.6 (At least as far as I can tell).

Yeah, I still have this error even after downgrading to 3.5.10 -- I think 3.6 corrupted my userdb or changed the format... I suppose I need to allocate a new one and start from scratch to fix it... But lots of problems related to looking up the domain, the PDC and some users. I did try to report it, but since I wasn't certain what was going on and just had a bunch of random symptoms, I got ignored. But I did warn them that other users would likely have problems and should be warned... That was ignored too..
Re: [Samba] Samba 3.4, Windows 7, Roaming profiles and Folder redirection
On 07/21/2011 10:07 AM, Tanuki uk wrote:

Hello, I'm quite new to Samba administration and I've inherited a working samba setup with roaming profiles however the login and logout times for users has been growing and I'm starting to think it's time do something about it. I'm thinking redirect some folders to a samba share on the network will speed up the login and logout times.

The increasing logon and logoff times are most frequently caused by people storing files on their desktops (a VERY bad practice in corporate environments) - the entire desktop is written to the server when the user logs off from a machine. This is particularly problematic when people log onto multiple machines at the same time.

Additionally, the files that are stored under My Documents are also copied from the profile server to the workstation at logon and are written back to the profile server at logoff.

PS: I came across one site where users had up to 120GB files in their My Documents and up to 20GB on their desktop. Needless to say, they could not afford the long logon and logoff times. :-)

Our setup has 25 Windows 7 workstations and about 10 laptop users (also on Windows 7) all connecting to one Samba server. The laptops are often not on the main office network so I was planning to use offline file sync for the network drive I would be redirecting to, is this a bad idea for some reason?

Should work OK so long as you can educate your users NOT to use the desktop and traditional My Documents to store large volumes of files. Both the Desktop and My Documents folders can be redirected to a network share in the users' home directory - that will help resolve some of the problems. Make sure that you disable the copying of these folders as part of the profile. Refer to the Microsoft knowledge-base for info on how to do that.

I've had a look around at various documentation and details seem quite scarce.
However all the documentation I've found is targeted at Windows XP or suggests using domain wide Group Policy Objects (GPO's). My understanding is that GPO's can only be used if you have a Windows AD server or Samba 4 however I don't have a Windows server and Samba 4 is a bit too bleeding edge for a production deployment(?).

If anyone can point me to some good documentation it would be really useful, I would love to see an updated The Official Samba HOWTO and Reference Guide or similar. Thoughts, comments or insights are also more than welcome.

I have no intention to update the Official Samba HOWTO and Reference Guide - it was enough work the first time and when I wrote the update for Samba 3.0.20. If you wish to do that please be my guest!

Please check out the Samba3 by Example book I wrote - it has some now-aging info that can still be useful on setting up folder redirection. Additionally, it might be worth your while to check the Samba Wiki for updated info that users have contributed.

Cheers,
John T.
Re: [Samba] Samba 3.4, Windows 7, Roaming profiles and Folder redirection
On 07/21/2011 11:31 AM, Geert Mak wrote:
On 21.07.2011, at 17:07, Tanuki uk wrote:

Hello, I'm quite new to Samba administration and I've inherited a working samba setup with roaming profiles however the login and logout times for users has been growing and I'm starting to think it's time do something about it.

I'd be curious what you are going to do. I personally inherited a similar situation a year ago, where the roaming profiles were supposed to allow the users to work from different locations in a 50 people company spread around two buildings on three floors. As far as I understand the roaming profiles, one has to log out in order to log in. This was the first problem - people used to log into one PC, then into another, and then wonder where their desktop items have gone (last logout overwrites the previous). Could be something has been set wrong, I did not investigate.

You are somewhat correct. The profile gets read by each machine that logs onto the network. Conversely, when a user logs off a machine its profile is written back to the profile server.

Also they had these huge long loading and unloading times.

A profile includes the files on the desktop and in the My Documents folder. Obviously, as this volume of data grows the logon and logoff times will increase.

Also, they do not have everywhere the same software (some licenses are expensive). So I stopped using roaming profiles and introduced Remote desktop. Now people, who happen to be somewhere in the company and need to access their PC, just open Remote desktop, remember the last three digits of their IP address (192.168.1.*) and they are on their PC, all apps open as they have left them, etc.

Nice solution!

- John T.

But of course, this is one scenario, which might not be good in all cases. Our users work 80% of their time on their PC and then it happens they need to work for a couple of hours on another PC, which happens to be free at this moment. Just thought it might help to share it with you.

Geert.
Re: [Samba] Samba 3.4, Windows 7, Roaming profiles and Folder redirection
Marc,

Thank you for posting this information. It would help significantly if you could also provide Microsoft Knowledgebase references for the registry changes.

Cheers,
John T.

On 07/21/2011 06:22 PM, Marc Cain wrote:

Here are the key steps that need to be applied for Windows 7 and WinXP folder redirection in Samba 3.x environments. Feel free to email me off list if you need any more detail:

-- For Windows 7 be sure to create a proper default user profile on the workstation using sysprep. It's crucial to the initial profile creation.

The first time a user logs onto the domain have a logon script (vbscript works great for this) do the following:

-- Copy the applicable folder(s) from the user's local profile to locations on the server that are outside the user's remote profile path; for instance to a folder in their home directory.

-- Alter the paths in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders to point to these new locations. The most critical folders, and maybe the only ones you really need to redirect, are Application Data (AppData) and Desktop, though you can redirect anything that's listed in User Shell Folders including Downloads.

-- Make sure the workstation's local GroupPolicy is set to not roam the folders you've redirected.
Windows will continue to copy them up and down from the server's profile folder if you don't set this:

User Configuration\Administrative Templates\System\User Profiles\Exclude directories in roaming profile

- You will want to look at a couple of other settings in the Local GroupPolicy and tweak to your preferences:

Computer Configuration\Administrative Templates\System\User Profiles
User Configuration\Administrative Templates\System\User Profiles

Here's the path structure we use:

Profile:
\\sambaserver\profiles\username\WinXP
\\sambaserver\profiles\username\WinXP.V2

Redirected:
\\sambaserver\homes\username\redirectedfolders\Desktop
\\sambaserver\homes\username\redirectedfolders\Favorites
\\sambaserver\homes\username\redirectedfolders\WinXP\AppData
\\sambaserver\homes\username\redirectedfolders\WinXP.V2\AppData

The first logon can be long depending on network performance and the number of installed apps, up to a couple of minutes due to the copying of data from local to remote drives. Subsequent logons should only take 5 to 10 seconds (again depending on network performance) since the system is only copying a few megabytes worth of data to and from the profile folder.

There are a couple of critical timeout issues that may need to be addressed if you experience long Welcome screens after the initial logon:

When the following local GPO is left in its default setting Samba domain logons are delayed for 30 seconds:

Computer Configuration\Administrative Templates\System\User Profiles\Set maximum wait time for the network if the user has a roaming user profile or remote home directory.

Enable this and set the value to 0 to work around this timeout.

A 30 second timeout can occur if you set the local GPO to Run logon scripts synchronously. The fix was to apply an old Vista reg setting. Can be Googled as Vista Run logon scripts synchronously.
Marc

On Jul 21, 2011, at 8:07 AM, Tanuki uk wrote:

Hello, I'm quite new to Samba administration and I've inherited a working samba setup with roaming profiles however the login and logout times for users has been growing and I'm starting to think it's time do something about it. I'm thinking redirect some folders to a samba share on the network will speed up the login and logout times.

Our setup has 25 Windows 7 workstations and about 10 laptop users (also on Windows 7) all connecting to one Samba server. The laptops are often not on the main office network so I was planning to use offline file sync for the network drive I would be redirecting to, is this a bad idea for some reason?

I've had a look around at various documentation and details seem quite scarce. However all the documentation I've found is targeted at Windows XP or suggests using domain wide Group Policy Objects (GPO's). My understanding is that GPO's can only be used if you have a Windows AD server or Samba 4 however I don't have a Windows server and Samba 4 is a bit too bleeding edge for a production deployment(?).

If anyone can point me to some good documentation it would be really useful, I would love to see an updated The Official Samba HOWTO and Reference Guide or similar. Thoughts, comments or insights are also more than welcome.

Thanks,
Tanuki
Re: [Samba] winbindd/idmap_ldap.c:472(idmap_ldap_allocate_id) Cannot allocate gid above 20000!
On 05/23/2011 06:37 AM, Jelle de Jong wrote:

Hello everybody,

I got a few servers that were running stable and somehow winbindd started complaining. There were no users added or any samba related updates. Also the problems did not start on the same day; one of the servers started today and the other one months ago...

winbindd[14450]: [2011/05/23 13:33:13.442070, 0] winbindd/idmap_ldap.c:472(idmap_ldap_allocate_id)
winbindd[14450]: Cannot allocate gid above 2!

Jelle,

In the [global] stanza do you perhaps have:

idmap gid = 0-2

If yes, you need to increase that upper limit. If not, please share with us the output of:

testparm -s

Cheers,
John T.

# winbindd --version
Version 3.5.6

How can I fix this?

Kind regards,
Jelle de Jong
Re: [Samba] Win ME couln't login
On 05/15/2011 10:48 PM, yudi shiddiq wrote:

I have made a samba PDC and tested with client win 7, win xp, and win vista successfully but fail with win millenium edition, the message shows that the password is incorrect or access to the server has been denied.

Installed s/w:
- openldap2-2.4.21-9.1.i586
- openldap2-client-2.4.21-9.1.i586
- samba-3.5.4-4.1.i586

Please give me a clue, because we still have clients with OS Win ME

Samba 3.5.4 has LANMAN passwords disabled by default. Windows ME requires LANMAN passwords and can not use NT passwords. Windows NT and later (XP, Vista and 7) can make use of NT passwords.

To permit Windows ME to log onto a Samba domain you need to add to smb.conf:

[global]
lanman auth = Yes

From the smb.conf man page for this parameter note as follows:

This parameter determines whether or not smbd(8) will attempt to authenticate users or permit password changes using the LANMAN password hash. If disabled, only clients which support NT password hashes (e.g. Windows NT/2000 clients, smbclient, but not Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host.

The LANMAN encrypted response is easily broken, due to its case-insensitive nature, and the choice of algorithm. Servers without Windows 95/98/ME or MS DOS clients are advised to disable this option.

When this parameter is set to no this will also result in sambaLMPassword in Samba´s passdb being blanked after the next password change. As a result of that lanman clients won´t be able to authenticate, even if lanman auth is reenabled later on.

[cut]...[cut]

Default: lanman auth = no

Note: After you have enabled lanman auth = yes, you must set all passwords again to create the SambaLMpassword entry in your passdb backend (LDAP in your case).

Cheers,
John T.
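A configuration check for the legacy settings discussed in this reply and in the security=share proposal earlier on the page, as an added example that is not part of the thread and not Samba code. It parses smb.conf text using the man page's rules (names are case-insensitive and whitespace inside them is ignored) and reports lanman auth enabled, security = share, and guest-accessible shares. The sample configuration is constructed, and treating "on" as a true value is an assumption made so the check errs toward reporting.

```python
"""Added example: flag legacy authentication settings in smb.conf text."""
import re

# "yes", "true" and "1" are the boolean spellings given in smb.conf(5);
# "on" is included as an assumption so that it is reported rather than missed.
TRUE_WORDS = {"yes", "true", "1", "on"}


def normalise(name):
    """smb.conf names ignore case and any whitespace inside them."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with normalised names."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = normalise(line[1:-1])
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)  # only the first '=' is significant
            sections[current][normalise(name)] = value.strip()
    return sections


def is_true(value):
    return value.strip().lower() in TRUE_WORDS


def audit(text):
    """Return a list of (section, parameter, note) findings."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    if is_true(glob.get("lanmanauth", "no")):
        findings.append(("global", "lanman auth",
                         "LANMAN responses accepted; needed only for Win 95/98/ME or DOS clients"))
    if glob.get("security", "user").strip().lower() == "share":
        findings.append(("global", "security",
                         "security = share; use security = user with guest ok shares instead"))
    for section, params in conf.items():
        if section == "global":
            continue
        # "public" is a synonym for "guest ok"
        guest = params.get("guestok", params.get("public", "no"))
        if is_true(guest):
            findings.append((section, "guest ok",
                             "share is reachable without a password; confirm this is intended"))
    return findings


# Constructed sample configurations (not taken from the thread).
LEGACY_SAMPLE = """
# constructed sample
[global]
   workgroup = EXAMPLE
   Security = SHARE
   LanMan Auth = Yes

[scans]
   path = /srv/scans
   guest ok = yes

[projects]
   path = /srv/projects
   ; guest ok = yes
"""

CLEAN_SAMPLE = """
[global]
   security = user
   lanman auth = no

[projects]
   path = /srv/projects
"""

if __name__ == "__main__":
    for section, param, note in audit(LEGACY_SAMPLE):
        print(f"[{section}] {param}: {note}")
```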
Re: [Samba] Settings ACLS from Windows via member server
On 02/24/2011 06:18 AM, Mark Dieterich wrote:

John,

I just posted a long reply to help you understand how the pieces fit together. Yell out if you are still confused after reading my posting.

Thanks for the lengthy reply and also the suggestion to read man pages instead of doc, I didn't realize there was such a big difference. The pieces are starting to fall into place, but I still have more questions.

I've become convinced that my member servers need to be running winbind, especially since I want the builtin accounts to work. So... My sense is that my member servers should NOT require the LDAP passdb backend settings. Can someone confirm that only PDC/BDC should require this?

Correct. Samba domain member servers do not require NSS-LDAP because winbind can resolve SID to uid/gid. The SID to uid/gid mapping can be stored locally (which means the mappings will differ on each member server in your domain), or the mappings can be stored in LDAP in the idmap suffix specified in the smb.conf file on the domain member itself (this enables the mappings to be shared across Samba domain member servers).

On the other hand, some sites require the same uid/gid across domain controllers (PDC/BDC) and domain member servers (dms). Where this is required you CAN use NSS-LDAP to get globally consistent uid/gid values for each user and then use idmap_ldap to handle SID to uid/gid mappings. This configuration can get a little messy and my preference is to not have any domain member server but rather make them all domain controllers - that way all BDCs can share the exact same smb.conf configuration for simpler admin.

If so, I think my problem boils down to an issue resolving sids - uids. Playing around with wbinfo on my member workstation, I see that I can resolve things like:

[root]# wbinfo -n mkd
S-1-5-21-2830206405-3223145701-231191277-7214 SID_USER (1)
[root]# wbinfo -n CS.BROWN.EDU\mkd
S-1-5-21-2830206405-3223145701-231191277-7214 SID_USER (1)

so far so good, but

Correct.
[root]# wbinfo -S S-1-5-21-2830206405-3223145701-231191277-7214
Could not convert sid S-1-5-21-2830206405-3223145701-231191277-7214 to uid

This seemed to work for a short while after I added the passdb LDAP entries to my member server, but I think it was a red herring, as it stopped working and worked only for a select number of users. So the question becomes, what am I missing that is preventing the PDC from resolving these for my member servers? It's quite possible there is some sort of LDAP mapping that we are just missing... we've been running LDAP for a while prior to getting samba up and working, so we had to modify our existing schema and add in the LDAP necessary stuff, rather than let samba do it as we couldn't afford to lose the existing data.

Is this where the idmap_ldap stuff comes in? If so, can I just pre-seed these entries so all the information is there and run it in a read only ldap mode?

The domain member server should be configured so it can write to the LDAP directory so that it can assign (out of the idmap range provided in the smb.conf file) the idmap entries. These should populate into the idmap suffix container.

Cheers,
John T.
Re: [Samba] Settings ACLS from Windows via member server
On 02/24/2011 06:49 AM, Mark Dieterich wrote:

Associated question... When I perform the following lookup on a member server:

[root]# wbinfo -S S-1-5-21-2830206405-3223145701-231191277-7214
Could not convert sid S-1-5-21-2830206405-3223145701-231191277-7214 to uid

When the result is not cached on the machine doing the lookup (which by the way I can't keep it from caching results even when I toss the -n flag on winbindd), I see traffic between the member server and PDC.

Good.

The PDC has access to all the information it needs to resolve this query, it's all contained within a user/group entry in LDAP. However, I can see no evidence it is trying to resolve this. If idmap is the portion responsible for this resolution, doesn't it make sense that I should be running idmap_ldap on the PDC? I've been looking over the LDAP schema and it has the following:

objectclass ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY
    DESC 'Mapping from a SID to an ID'
    MUST ( sambaSID )
    MAY ( uidNumber $ gidNumber ) )

which I do NOT have defined in our LDAP db. I'm planning to just toss this in to see whether it helps, but still don't fully understand where the idmap_ldap stuff should be defined...

Sorry the pieces just aren't falling into place. Hopefully, I'm not the only one struggling with this and the resulting discussions can someday help others.

Mark

As mentioned in my previous response, it is best to let smbd (via the idmap handler) automatically create these entries as they are needed. Using nss_ldap to share a common mapping across all domain member servers is a good thing(tm).

- John T.
Re: [Samba] Settings ACLS from Windows via member server
On 02/23/2011 03:46 AM, John Drescher wrote:
On Tue, Feb 22, 2011 at 11:04 AM, Mark Dieterich m...@cs.brown.edu wrote:

I have a purely samba domain: samba PDC, BDC, and a collection of clustered member servers that provide CIFS access to our underlying file system. Things are working fine, with the exception of users being able to set ACLS from Windows workstations. When they try to do so, they can search for and properly find domain members, but when they try to apply the changes, the settings simply vanish from the Window! We set up a test share from our PDC and users **can** set permissions properly on this share, so I would think we are looking at a configuration problem on our member servers.

A couple generic questions about member servers:

1) Our password backend is stored in LDAP. Currently, we only have the LDAP configuration on the PDC and BDC samba setups. My understanding is that all other machines, including samba member servers, join the domain and get their user information that way, correct?

2) With a non-AD environment, should our samba member servers run winbind? My understanding is not, but this could be part of the problem.

I'm happy to provide any other information that may be of help, this problem is driving us nuts!

I believe the PDC/BDC does not need winbind but the member servers do. Also you need idmap to work on the member servers. I believe I use a nss backend for my idmap setup at work.

John

John,

It would help the list to understand WHY you believe that winbind is NOT needed by the PDC/BDC, and WHY it is needed on member servers.

While subscribers keep explaining what they believe, and keep giving advice based on their belief system, rather than on well reasoned fact, confusion will continue to exist and complaints regarding Samba documentation will continue also. Are you willing to take a brave step to explain your reasoning?

Cheers,
John T.
Re: [Samba] Settings ACLS from Windows via member server
On 02/23/2011 07:26 AM, John Drescher wrote:

While subscribers keep explaining what they believe, and keep giving advice based on their belief system, rather than on well reasoned fact, confusion will continue to exist and complaints regarding Samba documentation will continue also. Are you willing to take a brave step to explain your reasoning?

This was acquired by several weeks of testing on some version of samba with test PDC/BDC and a few windows clients. I am not sure of the exact version. It was probably 3.0.X. The clients were mostly 32 bit windows XP with a few 64 bit XP machines. Outside of this test domain we have used samba for around 10 years and we are still using the original domain which has grown from a single samba PDC to a PDC with several BDCs, multiple LDAP servers and at least 1/2 dozen domain member servers since the PDC and BDCs do not act as fileservers. I do not have the test setup to try again with more recent samba but I guess I could easily create servers under Virtual Machines.

John

John,

The role of winbindd has morphed considerably since the time the HOWTO document was written. The most recent version of Samba covered by the HOWTO is 3.0.20. The HOWTO has languished since that time. Winbind has been significantly rewritten in 3.2.x, and again in 3.3.x, and in 3.4.x. It is no surprise that there is confusion regarding its role, when it is needed, and how to configure it.

The best place to start (always) is the man pages that ship with the version of Samba you are using. The man pages that should be consulted include:

man winbindd
man idmap_nss
man idmap_ad
man idmap_hash
man idmap_rid
man idmap_adex

The man page for winbindd for samba-3.5.4 says:

quote

winbindd is a daemon that provides a number of services to the Name service Switch capability found in most modern C libraries, to arbitrary applications via PAM and ntlm_auth and to Samba itself.
Even if winbind is not used for nsswitch, it still provides a service to smbd, ntlm_auth and the pam_winbind.so PAM module, by managing connections to domain controllers. In this configuraiton the idmap uid and idmap gid parameters are not required. (This is known as `netlogon proxy only mode´.) The Name Service Switch allows user and system information to be obtained from different databases services such as NIS or DNS. The exact behaviour can be configured through the /etc/nsswitch.conf file. Users and groups are allocated as they are resolved to a range of user and group ids specified by the administrator of the Samba system. The service provided by winbindd is called `winbind´ and can be used to resolve user and group information from a Windows NT server. The service can also provide authentication services via an associated PAM module. The pam_winbind module supports the auth, account and password module-types. It should be noted that the account module simply performs a getpwnam() to verify that the system can obtain a uid for the user, as the domain controller has already performed access control. If the libnss_winbind library has been correctly installed, or an alternate source of names configured, this should always succeed. unquote The components that make up the winbindd services includes: winbindd- the daemon that itself pam_winbind.so - the PAM library module libnss_winbind.so - the NSS library module idmap_xxx.so- Samba modules The Samba modules provide identity mapping/resolution capabilities - see the man pages for details. The idmap_ad, idmap_adex, idmap_has, and idmap_rid modules make use of winbindd. The idmap_nss module can be used with, or without winbind. Samba CAN be used without winbind - that is a fact. Samba's smbd makes calls to the getpwent() group of system calls whenever it needs to obtain the uid/gid for a user of a group. 
Where NSS has been configured to resolve user and group information via LDAP, a system call to getpwent() will search the libnss libraries in the order they are specified in the nsswitch.conf file. For example: Consider where nsswitch.conf is configured with the following: passwd: files compat ldap hesoid winbind A call to getpwnam() will invoke the libraries specified in the order given until a match is found. These libraries are used in the order (from left to right) specified in the nsswitch.conf file: libnss_files.so libnss_compat.so libnss_ldap.so libnss_hesoid.so libnss_winbind.so Winbindd is necessary when Samba is a domain member server in a Windows domain environment where the domain controllers are running MS Windows (NT later) so that it can obtain user and group credentials from the Microsoft domain controllers. In this role, Samba will need to resolve the Windows user and group SID to a uid/gid tuple. This is handled through a combination of winbindd and the
Re: [Samba] Settings ACLS from Windows via member server
On 02/23/2011 08:23 AM, Mark Dieterich wrote:

So... I could use some help explaining this. I finally decided to just start playing and ended up doing the following:

1) Added passdb backend entries on my member servers pointing to LDAP, similar to what the PDC/BDC configurations have. This addition, when viewed from Windows suddenly started displaying SIDs. Going back a few emails in this thread someone else brought up they were seeing this behavior without winbind running.

2) Started up winbind and everything appears to be working now.

So my question is, why? I still don't quite understand how all these pieces fit together. Is it wrong to have the passdb backend on a member server?

Thanks!

Mark

Mark,

I just posted a long reply to help you understand how the pieces fit together. Yell out if you are still confused after reading my posting.

Cheers,
John T.
Re: [Samba] Adding LDAP Backend to Samba
On 02/12/2011 02:16 AM, J. Echter wrote:

On 05.02.2011 10:33, J. Echter wrote: ...

can nobody tell me where the accounts have to be in? is it correct that idmap is empty?

Juergen,

Manageability, performance and readability are the key reasons for putting group accounts into an ou=groups, and for having users accounts under ou=users, and machine accounts under another ou. It is quite possible to store all the accounts directly off the root of the LDAP directory - it will work if everything else is configured correctly. This is certainly NOT a recommended configuration, but it can work.

You need to make sure that everything else in your configuration is correct. If you do not understand how the pieces all fit together life gets a bit challenging. The following need to be configured:

You need to install and configure an NSS LDAP library. If you use nss_ldap (from http://www.padl.com), the configuration file (ldap.conf) must be correctly configured. This file is often located (compile time option) in /etc. When this has been correctly configured you will see all LDAP user accounts when you execute:

    getent passwd

You should also see all LDAP group accounts when you execute:

    getent group

If these two commands do not work - you need to fix that. Samba relies on being able to resolve POSIX user and group information by simple calls to the getpwent() family of system calls.

Next, it is necessary to install and configure the toolset you want to use to maintain and manage accounts in the LDAP directory. Many people make use of the smbldap-tools package. After installation and configuration, use the appropriate tool to validate account information.

For example:

    smbldap-usershow jackb

Example:

    # smbldap-usershow tfarmer
    dn: uid=tfarmer,ou=People,ou=Users,dc=world,dc=org
    objectClass: top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
    cn: tfarmer
    sn: tfarmer
    givenName: tfarmer
    uid: tfarmer
    uidNumber: 1021
    gidNumber: 513
    homeDirectory: /users/tfarmer
    loginShell: /bin/bash
    gecos: System User
    sambaLogonTime: 0
    sambaLogoffTime: 2147483647
    sambaKickoffTime: 2147483647
    sambaPwdCanChange: 0
    displayName: tfarmer
    sambaSID: S-1-5-21-726309263-4128913645-1188186429-3042
    sambaPrimaryGroupSID: S-1-5-21-726309263-4128913645-1188186429-513
    sambaLogonScript: scripts\logon.bat
    sambaProfilePath: \\%L\profiles\tfarmer
    sambaHomePath: \\SWEVWE\tfarmer
    sambaHomeDrive: H:
    sambaAcctFlags: [U]
    sambaNTPassword: 4A9F7B6CEFB63E5733F4C44E3DD93362
    sambaPwdLastSet: 1264562105
    sambaPwdMustChange: 1268450105
    userPassword: {SSHA}XrAzItbFAgDFa6BhdffC6s+L6QEyYbBL
    shadowLastChange: 14636
    shadowMax: 45

    # smbldap-groupshow engineers
    dn: cn=Engineers,ou=Groups,dc=world,dc=org
    objectClass: posixGroup,sambaGroupMapping
    cn: Engineers
    gidNumber: 1009
    sambaSID: S-1-5-21-726309263-4128913645-1188186429-401050
    sambaGroupType: 2
    displayName: Engineers
    description: Finely Trained Technicians
    memberUid: tfarmer,dlop,jb

It is also necessary to correctly configure Samba. Please refer to chapter 5 of the book Samba4-ByExample available from your local bookstore or on-line from:

    http://www.samba.org/samba/Samba3-ByExample

Chapter 5 systematically steps through the process of installation and configuration of a complete Novell SLES (OpenSUSE) -based Samba/LDAP configuration. The example is based on SLES, but it applies for the most part also for RHEL and Fedora.

Cheers,
John T.
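The replies above lean on two things: the left-to-right service order on the passwd line of nsswitch.conf, and the fact that smbd only sees an account if getpwnam() can resolve it. The following is an added example, not part of the original posts or of Samba: it parses an nsswitch.conf, lists the libraries in lookup order, and shows which services are actually consulted for a missing user once bracketed actions such as [NOTFOUND=return] are taken into account. The sample file, function names and the test user name are assumptions made for the illustration.

```python
"""Added example: which NSS sources does a passwd/group lookup really reach?"""
import pwd
import re

# Constructed sample; the passwd line is the one quoted in the thread.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd: files compat ldap hesiod winbind
group:  files ldap [NOTFOUND=return] winbind   # winbind never sees a miss
hosts:  files dns
"""

# glibc defaults: a successful lookup returns, every other status continues.
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}


def parse_nsswitch(text):
    """Return {database: [(service, [(negated, STATUS, action), ...]), ...]}."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        database, spec = line.split(":", 1)
        entries = []
        # A token is either a bracketed action list or a service name.
        for token in re.findall(r"\[[^\]]*\]|\S+", spec):
            if not token.startswith("["):
                entries.append((token, []))
            elif entries:  # actions apply to the service just before them
                for item in token[1:-1].split():
                    status, _, action = item.partition("=")
                    entries[-1][1].append((status.startswith("!"),
                                           status.lstrip("!").upper(),
                                           action.lower()))
        databases[database.strip()] = entries
    return databases


def action_for(rules, status):
    """Action taken after a service reports `status` (later rules win)."""
    action = DEFAULT_ACTIONS[status]
    for negated, rule_status, rule_action in rules:
        # "!X=act" applies to every status except X.
        if (rule_status == status) != negated:
            action = rule_action
    return action


def libraries_for(databases, database):
    """Library names in lookup order, in the libnss_<service>.so form."""
    return ["libnss_%s.so" % svc for svc, _ in databases.get(database, [])]


def services_tried_when_missing(databases, database):
    """Services consulted, in order, for a name that no source knows."""
    tried = []
    for service, rules in databases.get(database, []):
        tried.append(service)
        if action_for(rules, "NOTFOUND") == "return":
            break
    return tried


def resolve_user(name):
    """What smbd depends on: does getpwnam() return a uid/gid for the name?"""
    try:
        entry = pwd.getpwnam(name)
    except KeyError:
        return None
    return entry.pw_uid, entry.pw_gid


if __name__ == "__main__":
    with open("/etc/nsswitch.conf") as handle:
        live = parse_nsswitch(handle.read())
    print("passwd lookup order:", libraries_for(live, "passwd"))
    print("consulted on a miss:", services_tried_when_missing(live, "passwd"))
    print("root resolves to   :", resolve_user("root"))
```

If `resolve_user()` returns None for an account that exists in LDAP or in the domain, compare the output of `services_tried_when_missing()` with the source that holds the account before looking at smb.conf.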
Re: [Samba] Samba 3.5.6: can't follow symlinks on shares
On 11/07/2010 10:53 PM, Konstantin Boyandin wrote:

Hello,

Samba version: 3.5.6, OS CentOS 5.5 64-bit.

The problem: I have a share with symlinks leading outside the share. After mounting the shared resource (cifs), I can't proceed through symlinks (permission denied). Setting options

    follow symlinks = yes
    wide links = yes

for the share doesn't change Samba behaviour.

Could someone enlighten me on how to handle this?

Thanks.

Sincerely,
Konstantin

Do not use symlinks, rather use bind mounts.

- John T.
Re: [Samba] GPLv3 and Mac OS X
On 10/30/2010 02:48 AM, Stephen Norman wrote: This may have been raised before and if so I apologise for not being able to find it. No apology needed. We can discuss this topic on this list. I was wondering if someone on the list can please explain the relationship that GPLv3 has in preventing Apple from distributing updated builds with their operating systems. I've read over the GPLv3 (I'm not lawyer or anything) and I would guess it has something to do with the patent agreements? Why do you believe Apple cannot make use of Samba? That is a very different question from why they might refuse to use it. The word prevention implies a cannot element as opposed to a business decision not to use it. Objection for business reasons is like choosing not to purchase something as opposed to not being able to purchase it for one reason or another. Licensing terms form a contractual boundary to accepted use of a created work in order to preserve the intent (wishes) of those who labored to create it. Samba is the result of many hundreds of man-years of work that was freely contributed for the benefit of all, subject to the specific terms of use that are set out in the GPL. Even if every business on planet Earth should choose not to use it in their products what would be the loss to it creators? I'll admit that I'm not too happy with the GPLv3 and think that, ironically, it is in many ways as restrictive (and in some ways even more so) than closed source software. That's only my opinion though and I understand where it may be useful. Please help us to understand what changes to the licensing terms will cause more people to contribute their labors to its improvement and assure its wider use. What must the creators of Samba give up in order to be successful? What does success look like? How will Apple benefit from this change? How will these benefits help the creators of Samba to better achieve their goals and objectives? 
If you can convince the authors of Samba that the benefits of being more successful will outweigh what the world will lose you will get a certain hearing. In other words, what must the Samba developers give up and what will be their gain by doing this? Regardless of my opinion, I would like to know about GPLv3 vs. Apple Mac OS X and if there are any plans (i.e. Samba 4) that would allow the software to again be shipped with the operating system. Samba4 is part of the Samba3 code tree. All of Samba will continue to ship under the terms of the GPLv3 until such time as the authors see good reason for change. We respect the right of anyone (person or company) to use or not to use Samba. I would like to see more people benefit from our efforts and our labors. I believe that the GPLv3 is the best way that our users can continue to receive those benefits. The Samba team has chosen to license under the terms of the GPLv3. Cheers, John T. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] GPLv3 and Mac OS X
On 10/30/2010 12:00 PM, Stephen Norman wrote: On 31/10/2010, at 1:03 AM, John H Terpstra j...@samba.org wrote: On 10/30/2010 02:48 AM, Stephen Norman wrote: This may have been raised before and if so I apologise for not being able to find it. No apology needed. We can discuss this topic on this list. I was wondering if someone on the list can please explain the relationship that GPLv3 has in preventing Apple from distributing updated builds with their operating systems. I've read over the GPLv3 (I'm not lawyer or anything) and I would guess it has something to do with the patent agreements? Why do you believe Apple cannot make use of Samba? That is a very different question from why they might refuse to use it. The word prevention implies a cannot element as opposed to a business decision not to use it. Objection for business reasons is like choosing not to purchase something as opposed to not being able to purchase it for one reason or another. Licensing terms form a contractual boundary to accepted use of a created work in order to preserve the intent (wishes) of those who labored to create it. Samba is the result of many hundreds of man-years of work that was freely contributed for the benefit of all, subject to the specific terms of use that are set out in the GPL. Even if every business on planet Earth should choose not to use it in their products what would be the loss to it creators? Prevention may have been a poor choice of words here. I guess what I'm asking is, if Apple was to ship Samba 3.2 or above with their OS, what other parts of the OS (if any) would need to be released under GPLv3? For instance, if Finder used some part of Samba in it would it too need to be made available as GPLv3? The Samba team does not force anyone to use samba. If someone chooses to use it they must comply with its licensing terms. All derivatives of Samba fall under the same license that samba is under - that is what the GPL seeks to achieve. 
The GPL seeks to prevent the misuse and misappropriation of software source code. Its that simple. You may not like that, and indeed Apple may not like that, but that's the way it is. Please keep in mind that to use or not to use is a choice! I'll admit that I'm not too happy with the GPLv3 and think that, ironically, it is in many ways as restrictive (and in some ways even more so) than closed source software. That's only my opinion though and I understand where it may be useful. Please help us to understand what changes to the licensing terms will cause more people to contribute their labors to its improvement and assure its wider use. What must the creators of Samba give up in order to be successful? What does success look like? How will Apple benefit from this change? How will these benefits help the creators of Samba to better achieve their goals and objectives? If you can convince the authors of Samba that the benefits of being more successful will outweigh what the world will lose you will get a certain hearing. In other words, what must the Samba developers give up and what will be their gain by doing this? I definitely see your point here so I'll try and explain. Apple is one of the largest users of open source software in the world, with over 50 million users each using open source software. By largest users, I mean the software is on people's machine (server side projects like Apache would have much greater numbers). That is a large number and second only to Microsoft Windows. They have been an advocate for open source software, shipping a number of technologies, including Samba in Mac OS X for almost a decade. They helped kickstart software technologies including Ruby on Rails by being the first to ship the software with the OS, something which continues to be the case today. Let's make sure that credit is given where it is due. 
For all the good things any corporation or individual does let's say thank you - AND - remember to comply with the license terms under which the contribution was made. If we do not like the license terms, ask for reconsideration by all means, but do not demand it. The author has rights of determination over his/her works. I'm not sure how many users use Samba worldwide, but I'd think that the potential loss of such a number would have been considered during the license transition. After all, Apple aren't going to use code in their OS that might require them to open source some of their key technologies, such as the Finder or Workgroup Manager. Please check your facts. Anyone who produces a derivative work from a licensed software application must comply with the original authors' or licensors' terms and conditions. Remember, noone forces anyone to create a derivative work! Only derivative works are affected. Instead, Apple will be forced to either fork the old code base of Samba (something no one wants) or develop their own
Re: [Samba] Workgroup compared to Domain
On 10/29/2010 03:15 PM, Bruce Richardson wrote:

On Thu, Oct 28, 2010 at 09:16:43PM -0400, Robert Moskowitz wrote:

Are there any good articles comparing features/functions of a Workgroup compared to a Domain?

If you don't want the centralised control of a Windows domain, leave Workgroups well alone; they are fragile, overly complex for what they do and quite obsolete. Better to look at Zero Configuration networking.

http://en.wikipedia.org/wiki/Zero_configuration_networking

Please help us to understand exactly how ZeroConf helps with user and group management. Confused by your answer!

- John T.
Re: [Samba] Workgroup compared to Domain
On 10/29/2010 07:41 PM, Bruce Richardson wrote: On Fri, Oct 29, 2010 at 06:50:08PM -0500, John H Terpstra wrote: Please help use to understand exactly how ZeroConf helps with user and group management. Confused by your answer! Are you one of the original posters alternate personalities? No, I am not an alternate personality for the OP. The OP asked for documentation regarding MS Windows workgroups and domains to help him write documentation for the Amahi project. If I understood your reply correctly, you believe UPnP and ZeroConf solves the problem of MS Windows workgroup management. While that may be an option it does not answer the OP request very well - or does it? It certainly does not help him to document the use of Samba which I understood as the nature of his request for assistance. Otherwise, I'm a little confused by yours. The OP has said almost nothing about about what he's actually looking for; I think you're making some unwarranted assumptions about what those needs are. Maybe I am making too many assumptions, in which case mea culpa. Did you even research the Amahi project? Yes! I might know a little bit about UPnP and the use of avahi (zeroconf) - but that is way off topic for questions regarding Samba's workgroup and domain security models. For a lot of it's common uses, UPnP-style solutions are actually appropriate. If the OP has something else in mind, maybe you could ask. If the OP feels inclined perhaps he will respond and clarify. Cheers, John T. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Windows 7 on startup always loads temporary profiles samba 3.4.8
On 08/25/2010 08:27 AM, Daniel Müller wrote:

Dear all,

I think this is discussed here several times but this problem is driving me mad. I can join the win7 pc to the samba domain on the fly, but after logoff and then logon it always complains about the temporary profile thing (on Win xp it is working!):

In my global section:

    logon script=login.bat
    logon path=\\%L\homes\%U\profile

then:

    [profiles]
    comment = Benutzer Profil %U
    path = /home/samba/share/home/%U/profile
    guest ok = no
    browseable = no
    create mask = 0600
    directory mask = 0700
    profile acls = yes
    hide files=/Desktop.ini/Thumbs.db/lost+found
    force user = %U
    valid users = %U Domain Admins

Suggest you change this to:

    valid users = %D\%U @%D\Domain Admins

- John T.

    csc policy = disable
    read only = no

Any ideas??

Daniel

EDV Daniel Müller
Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
Re: [Samba] security = SHARE
On 07/12/2010 07:47 AM, t...@tms3.com wrote:

I also encounter this problem that the user security mode work fine, but on share security level, it always return NT_STATUS_WRONG_PASSWORD. Is SHARE on samba 3.4 deprecated ? Can anybody give some advice?

user = share is like Windoze95/98 type file share.

Share mode security has been deprecated. Also, the LanMan password required for use with Windows 9x is no longer stored in smbpasswd or in the tdbsam/ldapsam backends.

- John T.

Thanks.

-- View this message in context: http://old.nabble.com/security-%3D-SHARE-tp29102498p29114421.html Sent from the Samba - General mailing list archive at Nabble.com.
Re: [Samba] pam_smbpass.so passdb.tdb support
On 07/05/2010 11:33 PM, kandukuru_sur...@emc.com wrote:

Dear John T and samba list,

Can you please help me to understand following things. I have browsed the net , points are not clear to me.

1) What exactly doesn't work with the existing smbpasswd based mechanism?

-- from http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#id2593073

This form of password backend does not store any of the MS Windows NT/200x SAM (Security Account Manager) information required to provide the extended controls that are needed for more comprehensive interoperation with MS Windows NT4/200x servers.

Here is a comparison of what is stored in smbpasswd v's tdbsam/ldapsam:

    Description            smbpasswd   tdbsam/ldapsam
    --------------------   ---------   --------------
    unix username          yes         yes
    Unix UID               yes         no
    LanManPassword (*)     can         can
    NTPassword             yes         yes
    NT username            no          yes
    Account Flags          yes         yes
    User SID               no          yes
    Primary Group SID      no          yes
    Full Name              no          yes
    Home Directory         no          yes
    Homedir Drive          no          yes
    Logon script           no          yes
    Profile Path           no          yes
    Domain                 no          yes
    Account Description    no          yes
    Workstations           no          yes
    Munged dial string     no          yes
    Logon time             no          yes
    Logoff time            no          yes
    Password last set      yes (**)    yes
    Password can change    no          yes
    Password must change   no          yes
    Last bad password      no          yes
    Bad password count     no          yes
    Logon hours            no          yes

Note (*): LanManPassword is obsoleted, is needed only for Windows 9X clients.

Note (**): The password last set info is represented as LCT time in smbpasswd.

The information that can not be stored in smbpasswd can be generated on-the-fly from smb.conf default settings, but it is not possible to store these on a per-user basis.

what exactly is the above point? is it the only one limitation?. is there any other limitations?.please let me know if any other.

Please refer to Microsoft Windows NT4 knowledge-base resource to learn more of why the tdbsam and ldapsam parameters are important.

2) Can we easily convert an existing smbpasswd file to the new format and allow system authentication to work uninterrupted?
The smbpasswd file can be migrated to the tdbsam/ldapsam formats by executing: pdbedit -i smbpasswd -e tdbsam or pdbedit -i smbpasswd -e ldapsam The reverse is also possible. - John T. Thanks Suresh -Original Message- From: Kandukuru, Suresh Sent: Saturday, July 03, 2010 9:02 PM To: 'j...@samba.org' Subject: RE: [Samba] pam_smbpass.so passdb.tdb support Thanks John, Created bug at https://bugzilla.samba.org/show_bug.cgi?id=7546. Thanks again. Suresh -Original Message- From: John H Terpstra [mailto:j...@samba.org] Sent: Saturday, July 03, 2010 7:56 PM To: Kandukuru, Suresh Cc: samba@lists.samba.org Subject: Re: [Samba] pam_smbpass.so passdb.tdb support On 07/03/2010 08:50 AM, kandukuru_sur...@emc.com wrote: Dear JHT, Thanks for the quick reply.in http://www.samba.org/samba/history/samba-3.4.0.html . Samba team is recommending to use tdbsam. Not just recommending - it is the default now. The smbpasswd file can not contain the information needed to fully support current MS Windows clients. The result is the smbpasswd format storage of MS Windows networking credentials has been obsoleted. just wanted to know one thing, from samba 3.4 default backend has been changed to tdbsam , why for one of the module pam_smbpass in samba code is still looking for passwords in smbpasswd?.is there any patch for that?. The pam_smbpasswd module has not been updated because noone has contributed the necessary patches. The tdbsam backend has been available since September 2003, so my take on this is that VERY few people use pam_smbpasswd. If more were using it, someone might by now have done something about the lack of support for tsbsam (and ldapsam for that matter) in the pam_smbpasswd module. will this be removed in higher versions of samba than 3.4? Probably. Why don't you file a bug report on https://bugzilla.samba.org ? - that is the only way you might get action on this. I find several people asking the question on net.did not find any answer.anticipating your reply. 
Sorry to disappoint you. cheers, John T. Configuration changes = !!! ATTENTION !!! The default passdb backend has been changed to 'tdbsam'! That breaks existing setups using the 'smbpasswd' backend without
Re: [Samba] pam_smbpass.so passdb.tdb support
On 07/03/2010 05:29 AM, kandukuru_sur...@emc.com wrote:

Hi,

Recently I have installed samba 3.4.8 on my device. Since then ftp (vsftp,proftpd) which is taking users from samba database with pam_smbpass.so is not working. After enabling detailed log I have noticed it is looking for the passwords in smbpasswd (/etc/samba/private) which is of zero size . I think all users passwd are located in passwd.tdb. I could fix this by giving passdb backend=smbpasswd . somewhere I read smbpasswd is obsolete , and recommended to use tdbsam ..

and /etc/pam.d/ftp file is -

    r...@storage:/# cat /etc/pam.d/ftp
    auth     required /lib/security/pam_smbpass.so
    account  required /lib/security/pam_nologin.so
    account  required /lib/security/pam_smbpass.so
    password required /lib/security/pam_smbpass.so
    session  required /lib/security/pam_unix.so

---

How can I tell pam_smbpass module to use passdb.tdb (tdbsam) .?. Please tell me I have been trying for last 2 days. Did not find anything.

You can not do that without changing the pam_smbpasswd code. This module specifically operates against the smbpasswd file.

-John T.
Re: [Samba] pam_smbpass.so passdb.tdb support
On 07/03/2010 08:50 AM, kandukuru_sur...@emc.com wrote: Dear JHT, Thanks for the quick reply.in http://www.samba.org/samba/history/samba-3.4.0.html . Samba team is recommending to use tdbsam. Not just recommending - it is the default now. The smbpasswd file can not contain the information needed to fully support current MS Windows clients. The result is the smbpasswd format storage of MS Windows networking credentials has been obsoleted. just wanted to know one thing, from samba 3.4 default backend has been changed to tdbsam , why for one of the module pam_smbpass in samba code is still looking for passwords in smbpasswd?.is there any patch for that?. The pam_smbpasswd module has not been updated because noone has contributed the necessary patches. The tdbsam backend has been available since September 2003, so my take on this is that VERY few people use pam_smbpasswd. If more were using it, someone might by now have done something about the lack of support for tsbsam (and ldapsam for that matter) in the pam_smbpasswd module. will this be removed in higher versions of samba than 3.4? Probably. Why don't you file a bug report on https://bugzilla.samba.org ? - that is the only way you might get action on this. I find several people asking the question on net.did not find any answer.anticipating your reply. Sorry to disappoint you. cheers, John T. Configuration changes = !!! ATTENTION !!! The default passdb backend has been changed to 'tdbsam'! That breaks existing setups using the 'smbpasswd' backend without explicit declaration! Please use 'passdb backend = smbpasswd' if you would like to stick to the 'smbpasswd' backend or convert your smbpasswd entries using e.g. 'pdbedit -i smbpasswd -e tdbsam'. The 'tdbsam' backend is much more flexible concerning per user settings like 'profile path' or 'home directory' and there are some commands which do not work with the 'smbpasswd' backend at all. 
- Thanks Suresh -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of John H Terpstra Sent: Saturday, July 03, 2010 6:31 PM To: samba@lists.samba.org Subject: Re: [Samba] pam_smbpass.so passdb.tdb support On 07/03/2010 05:29 AM, kandukuru_sur...@emc.com wrote: Hi, Recently I have installed samba 3.4.8 on my device. Since then ftp (vsftp,proftpd) which is taking users from samba database with pam_smbpass.so is not working. After enabling detailed log I have noticed it is looking for the passwords in smbpasswd (/etc/samba/private) which is of zero size . I think all users passwd are located in passwd.tdb.I could fix this by giving passdb backend=smbpasswd . somewhere I read smbpasswd is obsolete , and recommended to use tdbsam .. and /etc/pam.d/ftp file is - r...@storage:/# cat /etc/pam.d/ftp auth required /lib/security/pam_smbpass.so accountrequired /lib/security/pam_nologin.so accountrequired /lib/security/pam_smbpass.so password required /lib/security/pam_smbpass.so sessionrequired /lib/security/pam_unix.so --- How can I tell pam_smbpass module to use passdb.tdb (tdbsam) .?. Please tell me I have been trying for last 2 days. Did not find anything. You can not do that without changing the pam_smbpasswd code. This module specifically operates against the smbpasswd file. -John T. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
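The failure in this thread comes from a pairing that is easy to miss after an upgrade: PAM services still stack pam_smbpass.so while smb.conf no longer names a passdb backend, so the 3.4 default of tdbsam applies. The following is an added example, not code from Samba or from the posters: it reads an smb.conf and a PAM service file and reports every pam_smbpass.so entry that is paired with a backend other than smbpasswd. It takes the thread's statements (the module reads only the smbpasswd file; the default backend is tdbsam) as its assumptions, and the sample files and function names are constructed for the illustration.

```python
"""Added example: flag pam_smbpass.so entries that cannot see the Samba users."""
import re

# Constructed samples modelled on the configuration described in the thread.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    ; no "passdb backend" line, so the Samba 3.4 default applies
    log level = 4
[homes]
    read only = no
"""
SAMPLE_PAM_FTP = """\
auth     required /lib/security/pam_smbpass.so
account  required /lib/security/pam_nologin.so
account  required /lib/security/pam_smbpass.so
password required /lib/security/pam_smbpass.so
session  required /lib/security/pam_unix.so
"""

# type, control (plain word or [bracketed list]), module path, options
PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def passdb_backend(smb_conf_text, default="tdbsam"):
    """Backend named in [global], or the default the thread quotes for 3.4."""
    section, backend = None, default
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = re.sub(r"\s+", "", line[1:-1]).lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        # smb.conf parameter names ignore case and whitespace.
        if re.sub(r"\s+", "", name).lower() == "passdbbackend" and value.strip():
            # "tdbsam:/path/passdb.tdb" -> "tdbsam"
            backend = value.split()[0].split(":", 1)[0].lower()
    return backend


def pam_smbpass_entries(pam_text):
    """Every PAM line whose module is pam_smbpass.so, with its options."""
    entries = []
    for raw in pam_text.splitlines():
        match = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if match and match.group(3).rsplit("/", 1)[-1] == "pam_smbpass.so":
            entries.append({"type": match.group(1).lstrip("-"),
                            "control": match.group(2),
                            "options": match.group(4).split()})
    return entries


def mismatches(smb_conf_text, pam_text):
    """pam_smbpass entries paired with a backend other than smbpasswd."""
    backend = passdb_backend(smb_conf_text)
    if backend == "smbpasswd":
        return []
    return [(entry["type"], backend) for entry in pam_smbpass_entries(pam_text)]


if __name__ == "__main__":
    for pam_type, backend in mismatches(SAMPLE_SMB_CONF, SAMPLE_PAM_FTP):
        print("%-8s pam_smbpass.so is stacked, but passdb backend is %s"
              % (pam_type, backend))
```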
Re: [Samba] sambaLogonScript problem
On 07/03/2010 09:10 AM, Leonardo Carneiro - Veltrac wrote:

Hi everyone,

I'm having trouble in deploying by group sambaLogonScript. My scripts consist only in mapping network folders. I'm using Samba 3.4.7. Is there a way to debug this? The logs do not show anything about the logon scripts. All my users are set with %G.bat in the ldap backend, but the vast majority of the users are not running the scripts, or running partially.

Tks in advance.

Leonardo,

How are you using a local account on the MS Windows client, or are your users logging into the MS Windows client using the Samba user account?

- John T.
Re: [Samba] Enabling logs in pam_smbpass in samba source code
On 07/01/2010 09:04 AM, kandukuru_sur...@emc.com wrote:

I am facing some problem with samba 3.4.8 PAM pam_smbpass module, both vsftpd,proftpd are not working ..I have opened thread at http://forums.proftpd.org/smf/index.php/topic,4739.0.html it is working fine with samba 3.0.32

I want to see the _log_err messages from pam_smbpass , for that I have added log level=4 and log file= /tmp/samba/sambalog.log. I did not see any of the messages in that samba log file.

Please tell me how to enable log for pam_smbpass module in samba,

Suresh,

From the documentation in the source code:

25 Mar 2001

pam_smbpass is a PAM module which can be used on conforming systems to keep the smbpasswd (Samba password) database in sync with the unix password file. PAM (Pluggable Authentication Modules) is an API supported under some Unices, such as Solaris, HPUX and Linux, that provides a generic interface to authentication mechanisms.

For more information on PAM, see http://ftp.kernel.org/pub/linux/libs/pam/

This module authenticates a local smbpasswd user database. If you require support for authenticating against a remote SMB server, or if you're concerned about the presence of suid root binaries on your system, it is recommended that you use pam_winbind instead.

Options recognized by this module are as follows:

    debug          - log more debugging info
    audit          - like debug, but also logs unknown usernames
    use_first_pass - don't prompt the user for passwords; take them from PAM_ items instead
    try_first_pass - try to get the password from a previous PAM module, fall back to prompting the user
    use_authtok    - like try_first_pass, but *fail* if the new PAM_AUTHTOK has not been previously set. (intended for stacking password modules only)
    not_set_pass   - don't make passwords used by this module available to other modules.
    nodelay        - don't insert ~1 second delays on authentication failure.
    nullok         - null passwords are allowed.
    nonull         - null passwords are not allowed. Used to override the Samba configuration.
    migrate        - only meaningful in an auth context; used to update smbpasswd file with a password used for successful authentication.
    smbconf=file   - specify an alternate path to the smb.conf file.

Here is a sample PAM config line in the appropriate file/s in /etc/pam.d:

    password required pam_smbpass.so use_authtok use_first_pass debug

I hope that helps.

- John T.
Re: [Samba] Samba Forum vs. Mailing List?`!
On 06/29/2010 07:01 PM, Tom H. Lautenbacher wrote: Hi Linda! I wanted to ask if there is an official Samba Forum No, but there is a WiKi: http://wiki.samba.org There are also the #samba and #samba-technical IRC channels. No need? Why do you need a forum with a mailing list? Because a forum IMHO has certain advantages over a mailing list. Forums are non-standard. Mailing lists have software to process them in many ways. Many are archived -- not something you get with forums. @Standard: Yes, I agree. This is a disadvantage for forums in comparison to other means of communication, such as mailing lists or usenet-news. @Software: What software is there and in which ways can you process mails? @Archive: Anybody running a forum can decide on his own, if he wants to archive things or not. Forums seems to be a 'windows' thing for users when companies want to be able to ignore their user base. Emails cause the companies too much headache because the user's emails end up in employee inboxes and cause distractions from doing real work, so they try to put users in forums, so they won't distract the companies' employees. U, well.. I am self employed and feel distracted and annoyed by all those useless emails from all those mailing-lists that I have to attend, too. My opinion is: Every means of communication has it's functional range. Mailing lists are existing since many years. They were perfect in those pioneer years, when a small group of people worked together on a small thing: Everyone needed to be informed about everything and everybody had to discuss everything. Until today mailing lists serve such small development groups very good. But as projects grow bigger and the group of users with them, IMHO there arises the need for further means of communication. Speaking for me: I am a Samba user since about 2002, using Samba as Administrator of some small-midsized Networks. I do not contribute code or help developing. 
From time to time I am having a problem with implementing Samba and need quick advice and help. I guess that what you are really arguing for is a quick, free, source of advice that meets your preferences for format and communications method. There are plenty of commercial support providers for Samba from whom you could almost certainly obtain quick and accurate advice. That is a key difference between free advice sources and commercial ones. By definition, in a communications world where everyone's voice is equal there is a mass of mis-information. The challenge faced by the consumer of free information is the burden of filtering out the noise. That burden applies to a mailing list as well as to a forum or a WiKi. In addition to the mass of incorrect information, most public and free information sources (for example Google search) will readily help you to locate people who have a problem, but few who post the solution. There are two key reasons for this: a) By the time the problem has been solved there is pressure to move on. Problem gone, so forget the agony - move on. b) Realization that the problem was caused by an embarrassing mistake. For me now to get help, I needed to subscribe to this mailing list. From this moment on I received approx. 20 emails which do not concern me or my problem. I do not know the answer to all of those questions either, so I can't help anybody. I am just annoyed and bothered by my mailbox getting literally spammed. Since Samba is not the only open source community who's mailing list I am attending, I am receiving daily approx. 30-40 of those emails. For my case a forum would server much better. I could go there, post my question and subscribe to my thread, getting email-notification just about my question. Furthermore I could quickly browse the forum to see, if there are any open topics where I think that I could help someone else out. 
Given that the forum settings are saving all postings for ever, the whole forum would serve everybody as a very valuable knowledge base, making it easy to find answers for common problems, without bugging anybody or spamming everybody with the 10,000 versions of the same question. I participate in several forums. I also receive approx. 500 emails per day (at one time this was more like 3000 per day). In all cases the noise level is over 90% - its the nature of the beast. Both means of communication can easily live in harmony! Developers or hard core members, who need to stay in touch very intensively and want to participate to ALL communication can continue participating at the mailing list (although it would be easily possible to just subscribe to an analogue topic in the forum and get automatically all messages, but anyway..). Another great plus of Forums is the possibility to use HTML and other functionality. Well I know guys, all hardcore old-school guys among you roll their eyes, because you love plain text stuff. But
Re: [Samba] preferred file system
On 06/28/2010 09:55 AM, Chris Smith wrote:

Hello, Is there a preferred file system (ext4, xfs, reiserfs, etc.) for hosting Samba shares used by Windows clients? What do the devs use?

Chris

Chris,

What is the intended use-case for the file system?

- How large will the file system/s be?
- How deep will directories be?
- How many files per directory?
- What will be the size distribution of files across the file system?
- How many concurrent users will access the file system?
- Is it essential to have case preservation?
- What file system I/O performance is required/desired?

The answer to your question is: Yes, the file system that will best meet your use-case requirements.

cheers, John T.
Re: [Samba] Samba PDC and big files
On 06/24/2010 07:04 AM, Pedro Rafael Alves Simoes wrote:

Hello, I'm trying to setup a PDC with Samba, but I have the known problem of the roaming profiles: big files. I think it's difficult to guarantee that an inexperienced user will copy his downloaded files, documents, or whatever, to a H:\ share instead of his handy desktop. Other problem is the files of Outlook or Thunderbird that can get big. The goal is to avoid email configuration each time the user changes to another workstation, so I can't configure the email client to store the files locally on the workstation. Could someone give me some lights in how I can circumvent this problem? Thanks.

You need folder redirection. Read chapter 5 of my book Samba3-ByExample http://www.samba.org/samba/docs/Samba3-ByExample.pdf

- John T.
Re: [Samba] xp clients can't auth after reboot without smb restart
On 06/23/2010 07:50 PM, delpheye wrote: On Wed, Jun 23, 2010 at 5:57 PM, t...@tms3.com wrote: SNIP NetBIOS Names Resolved By Broadcast -- DOMAIN.COM 1C DOMAIN-FS DOMAIN.COM 1C DOMAIN.COM 1C DOMAIN-FS DOMAIN.COM 1C DOMAIN.COM is a bad netbios name. I suggest something with 8 letters or numbers. Samba 3.x does not use FQDN's. DOMAIN.COM is what I have specified as the workgroup only. the netbios name in smb.conf is is just the machine's hostname only. Is there somewhere else I should be looking to change the netbios name? Wrong! Both the machine _AND_ the workgroup name are NetBIOS names. - John T. nbtstat -RR: The NetBIOS names registered by this computer have been refreshed. net use y: \\domain-fs\business Enter the user name for 'domain-fs': username Enter the password for domain-fs: xx System error 64 has occurred. The specified network name is no longer available. Matt On 06/22/2010 04:24 PM, delpheye wrote: On Tue, Jun 22, 2010 at 1:07 PM, Gaiseric Vandal gaiseric.van...@gmail.com mailto:gaiseric.van...@gmail.com wrote: On 06/22/2010 01:55 PM, John Drescher wrote: An error occurred while reconnecting Z: to \\domain-fs\business Microsoft Windows Network: The specified network name is no longer available This connection has not been restored. Looks like a browsing problem to me. Try to reconnect using ip address instead of name. John Are you using WINS? I find that makes a lot of issues go away. I have wins support enabled in Samba and the following lines in nsswitch.conf: debug 1 passwd: files ldap shadow: files ldap group: files ldap hosts: files wins dns bootparams: files ethers: files netmasks: files networks: files protocols: files rpc: files services: files netgroup: files ldap publickey: files automount: files ldap aliases: files Is that all there is to enabling WINS? 
Re: [Samba] Preventing characters in filenames...
On 06/22/2010 05:03 PM, Rod wrote:

Is there a way of preventing certain characters being used in filenames as saved by Samba? Basically I wish to prevent files from being saved with the characters ( ) * in the name. Is this possible in Samba? Thanks, qt4.

Yes, this is possible - you would need to write a VFS module that filters filenames and that substitutes appropriate alternate characters (or just deletes the offending character). It is not possible without writing a VFS module though. Such a module does not exist today.

Samba does not write filenames, it simply passes them through to the operating system from the CIFS client. The VFS layer allows interception of system calls. The module would need to intercept the create() system call, process the filename, and then pass the filtered name through to the system function call.

The bigger question is how this might be implemented. How do you propose to handle the undesirable characters in a manner that is portable across system locales that use multi-byte names?

- John T.
Re: [Samba] weekly samba kerberos failure
On 06/21/2010 02:43 PM, Jeremy Allison wrote:

On Mon, Jun 21, 2010 at 12:39:09PM -0400, Hong K Phooey wrote:

We have a service on our windows system that drops files onto a samba share every 10 minutes. This has worked fine, except after one week, the system will fail. We usually restart samba and winbind on the linux side, and then restart the service on the windows box to resolve the issue. This week we decided to let it fail, and after an hour it seemed to allow connections to the samba share. Here is the log file of the failures:

172.19.6.60 (172.19.6.60) closed connection to service lorian
[2010/06/21 09:40:03, 1] smbd/sesssetup.c:342(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!

This repeats every minute until 10:33 am, when the service was able to reconnect to the share. Is there a reason why this would fail every week at the same time? Do these settings have anything to do with the issue?

Default: idmap cache time = 604800 (one week)
Default: machine password timeout = 604800

For the machine password timeout, is it necessary for it to update this often? Can it be set to only attempt once per year, longer?

You can stop it updating the machine password by setting machine password timeout = 0. This looks like an issue with the machine account password being changed.

Jeremy

What version of samba are you using? I believe that a machine password renewal bug was fixed in 3.5.3.

- John T.
Re: [Samba] root postexec issue on both Samba 3.4.5 and 3.0.28
On 06/15/2010 04:50 PM, Andrew Masterson wrote:

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Allen Chen
Sent: Friday, June 11, 2010 2:25 PM
To: samba@lists.samba.org
Subject: [Samba] root postexec issue on both Samba 3.4.5 and 3.0.28

Hi, there

I'm using Samba 3.4.5 and 3.0.28 on RHEL 5.2, and I noticed that on both samba servers 'root postexec' script in [netlogon] is executed automatically when logged in for around 11 minutes. This makes me crazy to track when a user is logged out. The man page smb.conf.5 says:

postexec (S) This option specifies a command to be run whenever the service is disconnected.

I don't understand when a user is still logged in, why 'root postexec' script gets called after 11 minutes, though everything still works fine. I used to have Samba 3.0.22 and 'root postexec' script was executed only when users logout. It doesn't matter how long you have logged in.

The postexec script will execute only when the client hangs up the connection. Hanging up of the connection can be considerably delayed after a user logs out. This is a client configuration issue - nothing to do with Samba. Unfortunately, Windows will close idle connections and then re-open them when they are needed. This too is a client behavioral characteristic. Samba does not of its own volition close connections like that.

How can I fix this issue?

Make sure that the Windows client hangs up the connection as soon as the user logs out. I have no idea how you would do this though - perhaps a search of the Microsoft knowledge-base may turn up a useful pointer.

Cheers, John T.
Re: [Samba] Google blog post on SambaXP
On 06/11/2010 07:09 PM, Jeremy Allison wrote:

In case you missed it, you can see what you were missing :-). http://google-opensource.blogspot.com/2010/06/notes-from-sambaxp-2010.html

Jeremy.

Jeremy, Thanks for getting that out. Nice!

Cheers, John T.
Re: [Samba] ARGH... once again samba causes permission errors.
On 05/29/2010 03:21 AM, Jeff Wiegley wrote: I've been doing unix sys. admin for nearly 20 years and yet EVERY single time I have to setup samba I have configuration problems. Jeff, With all respect, please note that Samba is not your usual UNIX networking toolset - it implements SMB/CIFS, a technology that is overloaded with its own specific requirements that need to be understood and correctly handled. Have you read the books: Samba3-ByExample (http://www.samba.org/samba/docs/Samba3-ByExample.pdf) Samba3-HOWTO (http://www.samba.org/samba/docs/Samba3-HOWTO.pdf) These may help to alleviate some of your discomfort with Samba. There are other Samba books, unfortunately all (even the two above) are quite out of date. Not withstanding that they are out of date, the above can still be of value (particularly Samba3-ByExample) because it provides worked example network deployment configurations. Additionally, you may find some useful pointers on the Samba Wiki at: http://wiki.samba.org Before we start let's clear up some common misunderstandings: I have googled for the answer. I have spent the last six hours doing so and trying various suggestions. Most of these suggestions point to solutions involving chown or chmod. These are not the problems (or I will be very surprised). Googling is a good thing (most of the time), but when it comes to Samba issues this will usually turn up a lot of complaints about problems and very few reports that explain how each was solved - if it was solved in the first place. # cat /etc/samba/smb.conf [global] workgroup = CYTE.COM Do NOT use a '.' character in a workgroup/domain name. In MS Windows NT4 (the protocols Samba3 implements) this is not a supported character. It would be better to just declare the workgroup name as CYTE or 'CYTE-COM server string = CyteNAS netbios name = NAS hosts allow = 127., 10.0.10. Is this devices multi-homed? 
If it is then hosts allow is probably a good things - if not, it is best to start without it and add it later when you know the configuration is working. For diagnostic purposes add the following to the [global] stanza: log file = %L-%m.log max log size = 0 log level = 3 map to guest = bad user When the network is finally stable, and diagnostics are no longer needed, reduce the log level to either 0 or 1. [nas] comment = NAS path = /mnt/nas force user = nas force group = nas read only = No # cat /etc/samba/smbpasswd nas:500:75891A0CAAF2F9828AE88C0FE87091EF:E8C4E8E10FEE888764D18AD4A0AC61F5:[U ]:LCT-4C00625E: What version of Samba are you using? If it is later than 3.0.x (in other words 3.2.x, 3.3.x, 3.4.x, 3.5.x) the default is to use tdbsam, not smbpasswd. If you particularly want to use smbpasswd to store the SMB/CIFS credentials, specify the following in [global] passdb backend = smbpasswd:/etc/samba/smbpasswd # grep nas /etc/passwd nas:x:500:500::/mnt/nas:/bin/bash # grep nas /etc/group nas:x:500: # ls -al /mnt/nas total 16 drwxrwxrwx 2 nas nas 4096 May 28 17:01 . drwxrwxrwx 3 root root 4096 May 28 15:04 .. So before you tell me about permission problems please note the following 1) The permissions on all the files is 777... EVERYBODY can do anything. 2) samba IS configured to force the user and group to the owner of the share path anyways. 3) The group and user exist and they have their passwords configured correctly. I can map the share on my Windows 7 workstation. But any attempt to create anything yields a pop-up window that says: You need permission to perform this action nas(\\NAS) Space free: 89.7 GB Total size: 97.0 GB Why am I getting ANY permission problems??? Frankly. I don't think it is a permission problem. (I set log level to 10; the output is long so I won't include it because I looked through it and didn't see any errors reported or any mention of permission denied.) GRRR! 
As much as you may not like scanning samba log files, this is the only way to diagnose what is going wrong. It gets worse. a 90GB NAS storage is pretty useless. The NAS is actually a 6TB Raid5 array with an XFS filesystem. But if I actually mount it # /etc/init.d/smb stop # mount /mnt/nas # ls -al /mnt/nas total 8 drwxrwxrwx 2 nas nas 6 May 28 18:11 . drwxrwxrwx 3 root root 4096 May 28 15:04 .. see... no difference in permissions or ownership but now it is a mount point. OK, we feel your pain, but instead of complaining to this list you are better served asking how to diagnose the problem so you can find a solution. Now I can't even map the samba share at all. All I get is a window that says: Attemping to connect to \\NAS\nas (Cancel) And it never seems to go away. and yes, under both
Re: [Samba] upgrade 3.0.28 to 3.5.3 (SerNet package)
On 05/26/2010 05:01 PM, Johan Landerholm wrote:

Hi all, I have been upgrading the samba package on a SLES10 (i686) machine with the new SerNet 3.5.3 package. The server is using the ldap backend for users and passwords. It has been working fine until I tried to use a DOS lan manager client. A normal user was not able to net use * \\server\share and authenticate using the userid and password. The error message in the smbd.log file was NT_WRONG_PASSWORD. I have made no changes to the smb.conf file between the two binary versions. If I switch back from 3.5.3 to 3.0.28, the user is able to log map the drive. Is there something that has changed between the two that disables the possibility to use a DOS client with samba?

Yes, LanMan passwords are not supported in later versions. This was done for security reasons. You can re-enable them by adding to smb.conf:

[global]
lanman auth = yes

- John T.

The relevant pieces from smb.conf:

passdb backend = ldapsam:ldap://127.0.0.1
security = user
encrypt passwords = Yes
domain logons = yes
os level = 35
acl compatibility = Auto
client lanman auth = no
null passwords = true

Thanks for any help!

/Johan
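A defender-side check for the settings discussed in this thread and in the earlier replies about workgroup names, as an added example (not code from the list or from the Samba project). It parses smb.conf text using Samba's naming rules (case and whitespace in section and parameter names are ignored, booleans may be yes/true/1, a trailing backslash continues a line) and flags `lanman auth`, `client lanman auth`, `null passwords`, and a workgroup or NetBIOS name that contains '.' or exceeds 15 characters. The sample configuration and all function names are constructed for illustration; the 15-character limit is the general NetBIOS rule, not something stated in the thread.

```python
import re

# Constructed sample built from settings quoted in the messages above.
SAMPLE_SMB_CONF = """\
# constructed example, not a real server's configuration
[Global]
   workgroup = CYTE.COM
   netbios name = NAS
   LanMan Auth = Yes
   client lanman auth = no
   null passwords = true
   hosts allow = 127., \\
        10.0.10.

[nas]
   path = /mnt/nas
   read only = No
"""

TRUE_WORDS = {"yes", "true", "1"}

# normalized parameter name -> (display name, why an enabled value matters)
WEAK_AUTH_BOOLEANS = {
    "lanmanauth": ("lanman auth", "server accepts LanMan password hashes"),
    "clientlanmanauth": ("client lanman auth",
                         "client tools may send LanMan responses"),
    "nullpasswords": ("null passwords",
                      "accounts with empty passwords can log in"),
}
NAME_PARAMS = {"workgroup": "workgroup", "netbiosname": "netbios name"}


def normalize(name):
    """Samba ignores case and all whitespace in section/parameter names."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {param: (value, first_line_no)}}, keys normalized."""
    sections, current, pending, start = {}, None, "", 0
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            # Blank lines and ';' or '#' comments are skipped.
            if not line or line[0] in "#;":
                continue
            start = line_no
        # A trailing backslash joins this line with the next one.
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        line, pending = pending + line, ""
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = sections.setdefault(normalize(header.group(1)), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            current[normalize(name)] = (value.strip(), start)
    return sections


def audit(text):
    """Return sorted (line_no, parameter, reason) findings for [global]."""
    glob = parse_smb_conf(text).get("global", {})
    findings = []
    for key, (display, why) in WEAK_AUTH_BOOLEANS.items():
        if key in glob:
            value, line_no = glob[key]
            if value.lower() in TRUE_WORDS:
                findings.append((line_no, display, why))
    for key, display in NAME_PARAMS.items():
        if key in glob:
            value, line_no = glob[key]
            if "." in value:
                findings.append((line_no, display,
                                 "'.' is not valid in an NT4-style NetBIOS name"))
            if len(value) > 15:
                findings.append((line_no, display,
                                 "longer than the 15-character NetBIOS limit"))
    return sorted(findings)


if __name__ == "__main__":
    for line_no, param, reason in audit(SAMPLE_SMB_CONF):
        print(f"line {line_no}: {param}: {reason}")
```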
Re: [Samba] NT4 Migration Doubt?
On 05/26/2010 06:46 PM, Alberto Moreno wrote:

Hi people. I'm in process to remove my last NT4 machine here at the company. I had read the migration process tested and looks like works. Now my box is going to run Centos 5.x with LDAP as backend. My only doubt is, once u run the migration tool (vampire) do samba need to have the same IP as the NT server? Is all my doubt, thanks!!!

No.

- John T.
Re: [Samba] samba.org has been revised!
On 05/19/2010 09:48 AM, Felix Miata wrote: On 2010/05/19 09:12 (GMT-0400) David Eisner composed: On Tue, May 18, 2010 at 11:22 PM, Felix Miata mrma...@earthlink.net wrote: Not even close. Arguably it's attractive, as long as you don't actually need to use it or read anything on it. Pray your eyes are as good as a 15 year old or you aren't using a high resolution device to access it if so. I like the new design. I'm not particularly young, and I don't have a particularly fancy monitor. I do wear glasses, though. Many people, regardless of age, even with correction, don't see particularly well, but quite well enough to use web pages that respect their defaults. These aren't the only people now being disrespected. All, regardless of eyesight, should be respected. Web designers as a group either don't understand the meaning of that word, or don't think it a necessary part of designing for the web. http://fm.no-ip.com/Inet/shame.html Felix, I respect your right to have and express your opinions regarding the new look of the Samba web site. I also wish to point out the great freedom we have and exercise in the open source community - that of contributing something better. Remember though, that since we are predominately consensus-driven, what you I view as best may not meet with unanimous agreement from the greater community. This gets us back to respect for the right to disagree. Seriously, if you have a strong conviction that the Samba project would be better served with a different look-and-feel, and a more appropriate logical layout, please pursue your concerns - and contribute at least a proof of concept. We are currently short of resources to help manage the web site and the wiki, so if you have an interest and a passion, and plenty of time on your hands, please let us see your hand raised to volunteer to get on with the work needed. I love feedback - good and bad! Cheers, John T. The CSS sizes the fonts in px, though, which is a problem. Exactly. 
The issue isn't that your monitor has too low a resolution, it's that it's too high. Hogwash: 1-The technology to design web pages with resolution independence is more than a decade old. http://fm.no-ip.com/Auth/Sites/Ksc/ is a very simple example of how it can be done. Apply zoom, or change your default larger or smaller to see how well it can work. 2-High resolution == high quality. Therefore, higher resolution _should_ mean a higher quality web experience. Web fonts are famous for marginal to poor quality. That lack of quality is proportional to DPI. The higher the DPI, the higher the quality, as each character of any given physical size has more px to be rendered with. My default of 24px has nominally 576 px per character, compared to samba's 13px at nominal 169px, which is several orders of magnitude higher quality. 3-A major reason still higher resolution isn't widely available yet is the usability factor. Web pages and software are still being designed as if people were using display hardware manufactured two decades ago. Were page and software designers incorporating resolution independence, even more advanced (still higher DPI) hardware to take advantage of it would be here already. IOW, hardware technology is being held back by anachronistic software and web page design. Have you tried Ctrl-+ a few times? Of course. But it's necessary on virtually every page, because virtually every page is designed either without regard to user defaults (in px), or by setting some base size at a fraction of the defaults (assuming the defaults are incorrectly set too large). Both behaviors (without regard, and assuming wrongly large) are offensive. Ctrl-+ (and minimum font size) are _defensive_ features provided by browser makers. Absent an offense, a defense needn't be applied. 
Poor legibility, caused primarily by too small fonts, besides being offensive, is a widespread usability problem: http://www.useit.com/alertbox/designmistakes.html -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] net sam/samba ldap: Failed to add user 'xxx' with error: Group already exists.
On 05/18/2010 05:47 AM, Steven Enderle wrote:

Hello, we are trying to set up Samba with LDAP Backend. Using the Samba toolchain to add our existing users/groups, the net command seems to get confused about what users and groups are, if both have the same name and are used in the same context. Here is what I tried:

==commandline==
- Create the Domain Group
# net sam createdomaingroup duplicate -U Administrator%pwd
Created domain group duplicate with RID 1172

- Create the User
# net rpc user add duplicate -U Administrator%pwd
Failed to add user 'duplicate' with error: Group already exists.

Other way around, adding first user then group, similar result:

- Create the User
# net rpc user add duplicate2 -U Administrator%pwd
Added user 'duplicate2'.

- Create the Domain Group
# net sam createdomaingroup duplicate2 -U Administrator%pwd
Created domain group duplicate2 with RID 1174

- Add new User to Group
# net sam addmem duplicate2 duplicate2 -U Administrator%pwd
Can only add members to local groups so far, duplicate2 is a User
==commandline==

Samba seems to fail at differentiating groups and users of same name.

1) Is there a way to tell samba/net to add the user duplicate to group duplicate?

The MS Windows environment does not allow creation of a user account and a group account with the same name. In order to be able to resolve user and group names it is essential to avoid any ambiguity in resolution of user and group names.

2) Is there a dirty workaround that will get us running anyway?

Sure, Don't do it. If you currently have user groups, convert them.

3) What is the background that causes this problem? Is there something I am missing?

Make sure your user names and group names are all unique.

- John T.

Thanks for your help in advance.
samba version: 3.5.2-SerNet-Debian

smb.conf used:

[global]
server string = QNAP NAS
announce version = 5.1
workgroup = hidden
password server = localhost
disable netbios = yes
wins support = no
smb ports = 445
domain logons = no
domain master = no
local master = no
preferred master = no
template homedir = /home/%U
template shell = /bin/bash
os level = 65
winbind use default domain = yes
log level = 3
max log size = 2000
debug timestamp = yes
interfaces = lo eth0
bind interfaces only = true
hostname lookups = yes
log file = /var/log/samba/smbd.%m
passdb backend = ldapsam:ldap://localhost
encrypt passwords = yes
ldapsam:trusted = yes
ldapsam:editposix = yes
ldap admin dn = hidden
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=computers
ldap passwd sync = Yes
ldap suffix = hidden
ldap delete dn = Yes
ldap ssl = Off
idmap config hidden:default = yes
idmap config hidden:backend = ldap
idmap config hidden:ldap_base_dn = ou=idmap,hidden
idmap config hidden:ldap_user_dn = hidden
idmap config ER.EMPIC.DE:ldap_url = ldap://localhost
idmap config ER.EMPIC.DE:range= 1 - 50
idmap alloc backend = ldap
idmap alloc config : ldap_base_dn = ou=idmap,hidden
idmap alloc config : ldap_user_dn = hidden
idmap alloc config : ldap_url = ldap://localhost
idmap uid = 1 - 50
idmap gid = 1 - 50

[empic]
comment = My Share
path = /export
browseable = yes
public = yes
writable = yes
printable = no
create mask = 0765
Re: [Samba] Migrate machine accounts?
On 05/17/2010 11:07 AM, Dean Montgomery wrote:

How do I migrate machine accounts from tdbsam backend to ldap backend? I want to change the backend from tdbsam to ldap and I do not want to re-join each machine onto the domain.

pdbedit -i tdbsam -e ldapsam

- John T.
Re: [Samba] multi-homed samba PDC and NetApp filers
On 05/14/2010 07:14 PM, Carl G. Riches wrote:

We are having a problem getting a NetApp filer to re-join a samba domain after a move to a new network. The filer worked fine with samba before the move. Apologies in advance for the long missive.

I've tried the following:

- re-running the CIFS setup program on the filer
- removing the problem filer's samba account, replacing it, and re-running the setup program on the filer
- creating a new machine account on the samba server and re-running the setup program on the filer

None of these worked. I also looked through a number of mailing list postings about NetApp filers and samba but didn't find anything to help. Has anyone gone through this before and provide insight into this problem?

Do you happen to specify in your /etc/samba/smb.conf file:

interfaces = list of interfaces
bind interfaces only = Yes

If so, remove them, then retry the domain join. After successfully joining you can re-enable these parameters. Please let me know if that is the solution.

Cheers, John T.

We have the following:

samba server:
Red Hat Enterprise Linux 5.3
kernel 2.6.18 i868
samba 3.0.33
multiple network interfaces: 10.142.36.64/27 10.142.36.96/27 10.142.36.192/26

NetApp filer #1:
NetApp Release 7.2.4L1
connected through VPN to samba server network 10.142.36.192/26

NetApp filer #2:
NetApp Release 7.3.1.1
connected through VPN to samba server network 10.142.36.64/27

Each filer can ping the samba server. CIFS connections from each filer are registered by the samba server and are logged in the file: 0.0.0.0.log

Each of the filers moved to a new network. Filer #1 rejoined the domain but filer #2 can't.
A tcpdump of the unsuccessful transaction is: 10:42:38.137963 IP gcc-fs1.netbios-ns mead.netbios-ns: NBT UDP PACKET(137): MULTIHOMED REGISTRATION; REQUEST; UNICAST 10:42:38.138165 IP mead.netbios-ns gcc-fs1.netbios-ns: NBT UDP PACKET(137): WACK; POSITIVE; RESPONSE; UNICAST 10:42:58.270693 IP mead.netbios-ns gcc-fs1.netbios-ns: NBT UDP PACKET(137): REGISTRATION; NEGATIVE; RESPONSE; UNICAST 10:44:11.627124 IP gcc-fs1.netbios-ns mead.netbios-ns: NBT UDP PACKET(137): MULTIHOMED REGISTRATION; REQUEST; UNICAST 10:44:11.627292 IP mead.netbios-ns gcc-fs1.netbios-ns: NBT UDP PACKET(137): WACK; POSITIVE; RESPONSE; UNICAST 10:44:32.309202 IP mead.netbios-ns gcc-fs1.netbios-ns: NBT UDP PACKET(137): REGISTRATION; NEGATIVE; RESPONSE; UNICAST 10:45:45.665702 IP gcc-fs1.netbios-ns mead.netbios-ns: NBT UDP PACKET(137): MULTIHOMED REGISTRATION; REQUEST; UNICAST 10:45:45.665803 IP mead.netbios-ns gcc-fs1.netbios-ns: NBT UDP PACKET(137): WACK; POSITIVE; RESPONSE; UNICAST 10:46:06.312676 IP mead.netbios-ns gcc-fs1.netbios-ns: NBT UDP PACKET(137): REGISTRATION; NEGATIVE; RESPONSE; UNICAST Part of the samba log 0.0.0.0.log related to filer #2 is: [2010/05/14 16:54:52, 3] nmbd/nmbd_winsserver.c:wins_process_name_registration_request(1138) wins_process_name_registration_request: Group name registration for name UWT-1500 IP 10.208.235.134 [2010/05/14 16:54:52, 3] nmbd/nmbd_winsserver.c:wins_process_name_registration_request(1222) wins_process_name_registration_request: Adding IP 255.255.255.255 to group name UWT-1500. 
[2010/05/14 16:54:52, 4] nmbd/nmbd_packets.c:reply_netbios_packet(940) reply_netbios_packet: sending a reply of packet type: wins_reg UWT-1500 to ip 10.208.235.134 for id 39786 [2010/05/14 16:54:52, 4] libsmb/nmblib.c:debug_nmb_packet(112) nmb packet from 10.208.235.134(137) header: id=39786 opcode=Registration(5) response=Yes header: flags: bcast=No rec_avail=Yes rec_des=Yes trunc=No auth=Yes header: rcode=0 qdcount=0 ancount=1 nscount=0 arcount=0 answers: nmb_name=UWT-1500 rr_type=32 rr_class=1 ttl=345600 answers 0 char .. hex EAD0EB86 [2010/05/14 16:54:52, 5] libsmb/nmblib.c:send_udp(779) Sending a packet of len 62 to (10.208.235.134) on port 137 Thanks, Carl
Re: [Samba] nslookup from Windows resolves domain and pdc correctly but still gets cannot contact on samba 3.2.5-4 on lenny
On 04/28/2010 06:55 AM, Siju George wrote: Hi, I have installed ii samba 2:3.2.5-4lenny9a LanManager-like file and printer server for Unix ii samba-common 2:3.2.5-4lenny9 Samba common files used by both the server and the client On Debian Lenny and i am sharing directories to Windows Users successfully. I configured it as a PDC with the following configuration. [global] workgroup = HIFXNX netbios name = HIFXNXDC server string = HIFXNX Domain Controller, PHP Development Server, Subversion Server, DNS Server interfaces = 172.16.2.0/255.255.255.255

Can this really work? Note the size of the netmask! Maybe better: interfaces = interface_name If necessary to restrict IP address range, use the hosts allow parameter. - John T.

bind interfaces only = Yes obey pam restrictions = Yes passdb backend = tdbsam pam password change = Yes passwd program = /usr/bin/passwd %u passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . unix password sync = Yes syslog = 0 log file = /var/log/samba/log.%m max log size = 1000 name resolve order = lmhosts host wins bcast add user script = /usr/sbin/adduser --quiet --disabled-password --gecos %u add group script = /usr/sbin/addgroup --force-badname %g add machine script = /usr/sbin/useradd -g machines -c %u machine account -d /var/lib/samba -s /bin/false %u domain logons = Yes os level = 33 preferred master = Auto domain master = Yes dns proxy = No panic action = /usr/share/samba/panic-action %d [homes] comment = Home Directories valid users = %S create mask = 0700 directory mask = 0700 browseable = No [netlogon] comment = Network Logon Service path = /home/samba/netlogon guest ok = Yes share modes = No I can get the domain domain controller resolved using DNS from the Windows XP machine.
C:\Documents and Settings\securenslookup hifxnx.local Server: hifxpms.hifxchn2.local Address: 172.16.2.26 Name:hifxnx.local Address: 172.16.2.0 C:\Documents and Settings\securenslookup hifxnxdc.hifxnx.local Server: hifxpms.hifxchn2.local Address: 172.16.2.26 Name:hifxnxdc.hifxnx.local Address: 172.16.2.0 C:\Documents and Settings\secureipconfig /all Windows IP Configuration Host Name . . . . . . . . . . . . : winxsp2-vm Primary Dns Suffix . . . . . . . : Node Type . . . . . . . . . . . . : Unknown IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter Physical Address. . . . . . . . . : 08-00-27-DE-AB-29 Dhcp Enabled. . . . . . . . . . . : No IP Address. . . . . . . . . . . . : 172.16.2.51 Subnet Mask . . . . . . . . . . . : 255.240.0.0 Default Gateway . . . . . . . . . : 172.17.1.0 DNS Servers . . . . . . . . . . . : 172.16.2.26 172.17.1.0 But when I try to join the domain from the Windows XP machine. I get the error A Domain Controller for the domain hifxnx.local could not be contacted and the debug log file dcdiag.txt contains these details. The following error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain hifxnx.local: The error was: DNS name does not exist. (error code 0x232B RCODE_NAME_ERROR) The query was for the SRV record for _ldap._tcp.dc._msdcs.hifxnx.local Common causes of this error include the following: - The DNS SRV record is not registered in DNS. - One or more of the following zones do not include delegation to its child zone: hifxnx.local local . 
(the root zone) For information about correcting this problem, click Help It will be great if someone can point out the problem to me :-) Thanks --Siju
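The subnet arithmetic behind the netmask remark in this message, as an added Python example that is not part of the original posts: it reads the `interfaces` line of a constructed smb.conf excerpt and compares the subnet it describes with the one the Windows XP client derives from its `ipconfig` output. The function names are hypothetical.

```python
import ipaddress

# Constructed excerpt of the [global] section quoted in the message above.
SMB_CONF = """\
[global]
   workgroup = HIFXNX
   interfaces = 172.16.2.0/255.255.255.255
   bind interfaces only = Yes
"""


def global_params(conf_text):
    """Return the [global] parameters of an smb.conf-style text as a dict."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace inside parameter names.
            params["".join(key.lower().split())] = value.strip()
    return params


def audit_interfaces(conf_text, client_ip, client_mask):
    """Describe each `interfaces` entry and relate it to one client's subnet."""
    params = global_params(conf_text)
    client = ipaddress.ip_interface(f"{client_ip}/{client_mask}")
    entries = []
    for token in params.get("interfaces", "").split():
        try:
            entry = ipaddress.ip_interface(token)
        except ValueError:
            # Not an address: an interface name such as eth0.
            entries.append({"entry": token, "kind": "name"})
            continue
        net = entry.network
        entries.append({
            "entry": token,
            "kind": "address",
            "has_mask": "/" in token,
            "prefixlen": net.prefixlen,
            "addresses": net.num_addresses,
            "broadcast": str(net.broadcast_address),
            "client_in_subnet": client.ip in net,
            "same_subnet_as_client": net == client.network,
        })
    bind_only = params.get("bindinterfacesonly", "no").lower()
    return {
        "bind_interfaces_only": bind_only in ("yes", "true", "1"),
        "client_network": str(client.network),
        "client_broadcast": str(client.network.broadcast_address),
        "entries": entries,
    }


if __name__ == "__main__":
    # Client address and mask as shown in the ipconfig output of the message.
    report = audit_interfaces(SMB_CONF, "172.16.2.51", "255.240.0.0")
    print("client subnet:", report["client_network"],
          "broadcast", report["client_broadcast"])
    for item in report["entries"]:
        print(item)
```

With the quoted mask the entry describes a one-address subnet whose broadcast address is the host address itself, while the client places itself in 172.16.0.0/12.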
Re: [Samba] Can join AD 2003 domain; can't list shares from other servers
On 04/23/2010 12:14 PM, Mike Leone wrote: I set up an old laptop with Xubuntu 9.10. I configured Samba as to work with my Win2003 AD domain that has MS Services for Unix installed. I can get a Kerberos ticket. I successfully added the laptop to the AD domain. wbinfo -a shows me all users, domain and local. wbinfo -g shows me all groups. wbinfo -a user%password returns successfully. getent passwd works as expected - I see local users, and domain users. net ads info works correctly, returning info. LDAP server: 10.0.0.60 LDAP server name: dim-win2300.DaCrib.local Realm: DACRIB.LOCAL Bind Path: dc=DACRIB,dc=LOCAL LDAP port: 389 Server time: Fri, 23 Apr 2010 13:12:53 EDT KDC server: 10.0.0.60 Server time offset: 1 Looks good. Please show us the content of /etc/nsswitch.conf. And yet: $ smbclient -L workhorse Enter turgon's password: session setup failed: NT_STATUS_ACCESS_DENIED I have no idea why it's failing; I'm not seeing anything in the samba or winbind logs. (workhorse is Ubuntu 9.10, configured as a domain member server) OK. So in your smb.conf file add the following to the [global] stanza: log level = 5 log file = /var/log/samba/%L-%m.log max log size = 0 Then try to connect using smbclient. This will generate a log file that is rather detailed. Check to see the reason it is failing. - John T. I can do the reverse; from workhorse I can see all the shares on the laptop: tur...@workhorse:~$ smbclient -L turgon-laptop Enter turgon's password: Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0] Sharename Type Comment - --- IPC$IPC IPC Service (turgon-laptop server (Samba 3.4.0, Domain: DACRIB, Server: turgon-laptop - NT1)) print$ Disk Printer Drivers Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0] Server Comment ---- TURGON-LAPTOPturgon-laptop server (Samba 3.4.0, Domain: , Ser WorkgroupMaster ---- DACRIB Hints as to where to go next? It must be something wrong on this specific laptop, since it works from my other server, but I dunno where, since all the other tests work. 
Firewall is off, on both machines. === smb.conf: [global] workgroup = DACRIB realm = DACRIB.LOCAL server string = %h server (Samba %v, Domain: %D, Server: %L - R) security = ads map to guest = Bad User client use spnego = true client ntlmv2 auth = yes eventlog list = Application System Security SyslogLinux # PAM AUTH encrypt passwords = yes obey pam restrictions = Yes pam password change = true password server = dim-win2300.DaCrib.local passwd program = /usr/bin/passwd %u passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . unix password sync = Yes log level = 3 syslog = 0 log file = /var/log/samba/log.%m max log size = 1000 domain master = No local master = No os level = 2 dns proxy = No usershare allow guests = Yes panic action = /usr/share/samba/panic-action %d # WINBIND idmap config DACRIB: default = true idmap uid = 1-2 idmap gid = 1-2 idmap config DACRIB:schema_mode = rfc2307 winbind enum users = Yes winbind enum groups = Yes winbind use default domain = Yes winbind nested groups = Yes winbind refresh tickets = true winbind nss info = rfc2307 winbind separator = + template homedir = /home/%D/%u template shell = /bin/bash ; invalid users = root create mask = 0700 directory mask = 0775 writable = Yes enable privileges = Yes restrict anonymous = 2 wide links = no socket options = TCP_NODELAY
Re: [Samba] Is it EVER needed to set up kerberos manually if you usesamba to join an ADS domain as a domain member?
Gary, Microsoft Windows networking is a complex technology. When the MS Windows environment is set up appropriately, OpenSUSE 11.x should be able to join an Active Directory domain without requiring separate manual configuration of kerberos. That should happen behind the YaST2 interface. Please also be aware that you have copied a volunteer subscriber mailing list from which you may (or may not) receive answers. The answers you receive from this list are not necessarily correct, even though the person responding may have the best of intent. If you need professional assistance please refer to the commercial support listings at http://samba.org/samba/support There is never a need to create local accounts when Active Directory domain membership has been correctly set up. It is not only not ideal, it also means that your system is not set up correctly at all. Kind regards, John Terpstra

On 04/22/2010 11:47 PM, Gary Wardell wrote: Hi, thank you for this information. Now if I can actually do it. I am a long time windows admin and have never had to mess with kerberos. Always I would simply go to the member machine and join the domain and everything would work. I sort of assumed Samba would be as easy and work the same way. Especially since my friend said that OpenSUSE with Yast would take care of all of the plumbing necessary to set things up. Not so, and I have been fighting with Samba ever since. I finally got it to sort of work by creating user accounts on the Linux machine that mirrored the AD accounts that were trying to access it. But that is far from ideal. Gary

-Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] on Behalf Of Clayton Hill Sent: Thursday, April 22, 2010 17:49 To: samba@lists.samba.org Cc: Duncan Fiander Subject: [Samba] Is it EVER needed to set up kerberos manually if you usesamba to join an ADS domain as a domain member? Hi folks! We finally have an answer to a question posted in 2009...
and the answer is: YES SET UP KERBEROS. Here is the original thread: http://www.pubbs.net/200910/samba/27283-samba-is-it-ever-needed-to-set-up-kerberos-manually-if-you-use-samba-to-join-an-ads-domain-as-a-domain-member.html Now here is the correct answer: -- -- Just a quick experiment for you to try. Logon to a samba member server that has joined a domain and run the following: This should show that we have no Kerberos ticket since we did not do a kinit. (This is because we used net ads join -U Administrator and joined the domain only through the net ads function.) #klist Now query the domain and check the response #net ads user #net ads group From the Computer Management Snap-In on Windows, connect to the samba member server and check to see if you can change ACL's on a Share and if it has any effect. Now initialize Kerberos. #kinit -U ad...@mydomain.net Re-run the commands above and note the change #klist #net ads user #net ads group From the Computer Management Snap-In on Windows, connect to the samba member server and check to see if you can change ACL's on a Share You should find that with Kerberos enabled we are able to see objects in AD we were not previously able to display. Also in the MMC Snap-In if you remove Everyone from the share you will no longer have access to the share. If you add everyone back in, they will have access. You can also add ACL's via Windows Explorer as before. As you can see, this is an important ability you miss out on if you only use net ads join to get your Kerberos ticket. I would hope that a samba team contributor eventually implements this into the net ads join function better so this isn't needed. -Give credit where it is due- Originally Submitted by: Duncan Fiander
Re: [Samba] Undocumented TDB files
On 04/23/2010 04:52 AM, Moray Henderson wrote: In samba3-3.3.9-40.el4 and samba3-3.4.7-42.el5 there are 3 .tdb files /var/lib/samba/locking.tdb temporary /var/lib/samba/wins.tdb persistent /var/lib/samba/mutex.tdb temporary which are not documented in http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/install.html#tdbdocs. Sorry. The documentation is getting a little old. Are they persistent or temporary? - John T.
Re: [Samba] Samba PDC with group using same desktop
On 03/30/2010 08:54 AM, M. D. wrote: My goal is to have a business with multiple locations, all have the same desktop for a certain user group. The quick Launch programs, Start Menu and Desktop icons should all be the same, and be 'read only' -- meaning they can't change them. I'm using ClearOS for the PDC, and I have it working already as the PDC, but I'm not quite sure how to setup the remote profiles and lock it so end users cannot modify it, and how to have some users be able to log into that profile and do the changes that are needed. This is my first time working with a domain controller, so probably that's my shortcoming. I don't know exactly how/what a domain controller can do. Any help will be greatly appreciated. Regards, MD

Samba3 is fully capable of meeting your needs here but this is not in principle a Samba issue. What is needed is a clear understanding of how desktop profiles are used by MS Windows clients. It also requires an understanding of how to use default network logon profiles, roaming profiles, and how to make use of the NT4 policy editor. Samba3 can emulate many ADS Group Policy effects, but it has to be engineered through creative use of the network default login profile and dynamic mapping inside Samba so that the user will obtain the right group profile. As for the mandatory aspect, that is done by renaming the NTUser.DAT file in the profile to NTUser.MAN. I have responded off-line to the poster with further information. Some of the magic here is covered in chapter 5 of my book, Samba3-ByExample - see http://www.samba.org/samba/docs/Samba3-ByExample.pdf Cheers, John T.
Re: [Samba] (Urgent) Re: Your password expires today problem
Richi, Please file a detailed bug report on https://bugzilla.samba.org with clear steps so that one of the developers can reproduce your problem. Is your installation new, or was it migrated from an earlier version of Samba? - John T.

On 03/29/2010 01:45 AM, Richard Lamboj wrote: Good morning John, here is the Output: server-b10:/# ls -al /lib*/libc-*so -rwxr-xr-x 1 root root 1375536 14. Jän 07:51 /lib64/libc-2.7.so -rwxr-xr-x 1 root root 1375536 14. Jän 07:51 /lib/libc-2.7.so server-b10:/# uname -a Linux server-b10.intern.bilcom.at 2.6.32-vs2.3.0.36.26 #1 SMP Thu Dec 10 16:36:45 CET 2009 x86_64 GNU/Linux Some System informations: OS: Debian Lenny Arch: x86_64 Others: Linux VServer Guest Kind Regards Richi

On Sunday 28 March 2010 15:39:54, John H Terpstra wrote: Please will all who have this problem respond with the output of executing the following: 1) smbd -V 2) ls -al /lib*/libc-*so 3) uname -a Thanks. - John T.

On 03/28/2010 07:33 AM, Denis BUCHER wrote: Hello everyone, I have the exact same problem, but without any solution :

On 12.03.2010 08:03, Richard Lamboj wrote: It's definitely a signed 32 bit int: net sam policy set maximum password age 4294967291 Account policy maximum password age value was: -1 Account policy maximum password age value is now: -5 Does not work: net sam policy set maximum password age never Account policy maximum password age value was: 2147483647 Account policy maximum password age value is now: -1 Does also not work: net sam policy set maximum password age 2147483647 Account policy maximum password age value was: -5 Account policy maximum password age value is now: 2147483647 So when I am using never it will be set to -1, so it must be a signed integer and this has a maximal value of 2147483647. Napalm and a new Job on the Beach could be the Solution...

On Friday 12 March 2010 02:14:10, Michael B. Trausch wrote: On 03/11/2010 03:52 PM, Richard Lamboj wrote: Hello, server-p:/# net sam policy set maximum password age 4294967294 Account policy maximum password age value was: -2 Account policy maximum password age value is now: -2 Is that Output Normal? Looks like there is some wrapping going on there. Try: # net sam policy set maximum password age 4294967291 That said, I don't know why there would be wrapping. An unsigned 32-bit integer's maximum value is 4294967295, so 4294967294 (the value that you used) should be something that would fit. I don't know what would cause that to happen that way.

I tried all points and IT DOES NOT WORK, always the message Your password expires today, please change your password yes/no : - My users are all UX (I also tried without X, it's even worse) - I tried pdbedit - I tried net sam - removed passdb backend = smbpasswd from config # net sam policy set maximum password age 4294967295 Account policy maximum password age value was: 0 Account policy maximum password age value is now: -1 pdbedit -u mbucher -v gives either Password last set:0 Password can change: 0 Password must change: 0 Last bad password : 0 Bad password count : 0 either Password last set:Thu, 25 Feb 2010 15:17:18 CET Password can change: Thu, 25 Feb 2010 15:17:18 CET Password must change: never Last bad password : 0 Bad password count : 0 Any help would be greatly appreciated we have 90 people here and I really becoming mad about this, I don't know where to search for ? Denis
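The "was / is now" values quoted in this thread are what an unsigned 32-bit field looks like when it is printed as a signed integer. The following added Python example (a model of the arithmetic, not Samba code and not part of the original posts) reproduces each pair quoted above; it assumes that the keyword `never` is stored as 0xFFFFFFFF, and its function names are hypothetical.

```python
import struct

UINT32_MAX = 0xFFFFFFFF


def parse_policy_arg(arg):
    """Turn a command-line argument into the unsigned 32-bit value to store.

    Assumption of this model: the keyword "never" is stored as 0xFFFFFFFF.
    """
    if arg.strip().lower() == "never":
        return UINT32_MAX
    value = int(arg, 10)
    if not 0 <= value <= UINT32_MAX:
        raise ValueError(f"{arg!r} does not fit in an unsigned 32-bit field")
    return value


def shown_as_signed(stored):
    """Reinterpret the same 32 bits as a signed integer, as a signed print would."""
    return struct.unpack("<i", struct.pack("<I", stored))[0]


# (argument given to `net sam policy set maximum password age`,
#  value the thread shows after "value is now:")
THREAD_OBSERVATIONS = [
    ("4294967294", -2),
    ("4294967291", -5),
    ("never", -1),
    ("2147483647", 2147483647),
    ("4294967295", -1),
]


def mismatches(observations=THREAD_OBSERVATIONS):
    """Return the observations that the model does not reproduce."""
    bad = []
    for arg, shown in observations:
        got = shown_as_signed(parse_policy_arg(arg))
        if got != shown:
            bad.append((arg, shown, got))
    return bad


def equivalent_to_never(arg):
    """True when the argument stores the same bits as the keyword never."""
    return parse_policy_arg(arg) == UINT32_MAX


if __name__ == "__main__":
    for arg, shown in THREAD_OBSERVATIONS:
        stored = parse_policy_arg(arg)
        print(f"{arg:>10} stored=0x{stored:08X} shown={shown_as_signed(stored)}"
              f" thread={shown}")
    print("unexplained observations:", mismatches())
```

In this model 4294967295 and `never` are the same stored value, and 2147483647 is the largest value that prints unchanged.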
Re: [Samba] (Urgent) Re: Your password expires today problem
Please will all who have this problem respond with the output of executing the following: 1) smbd -V 2) ls -al /lib*/libc-*so 3) uname -a Thanks. - John T.

On 03/28/2010 07:33 AM, Denis BUCHER wrote: Hello everyone, I have the exact same problem, but without any solution :

On 12.03.2010 08:03, Richard Lamboj wrote: It's definitely a signed 32 bit int: net sam policy set maximum password age 4294967291 Account policy maximum password age value was: -1 Account policy maximum password age value is now: -5 Does not work: net sam policy set maximum password age never Account policy maximum password age value was: 2147483647 Account policy maximum password age value is now: -1 Does also not work: net sam policy set maximum password age 2147483647 Account policy maximum password age value was: -5 Account policy maximum password age value is now: 2147483647 So when I am using never it will be set to -1, so it must be a signed integer and this has a maximal value of 2147483647. Napalm and a new Job on the Beach could be the Solution...

On Friday 12 March 2010 02:14:10, Michael B. Trausch wrote: On 03/11/2010 03:52 PM, Richard Lamboj wrote: Hello, server-p:/# net sam policy set maximum password age 4294967294 Account policy maximum password age value was: -2 Account policy maximum password age value is now: -2 Is that Output Normal? Looks like there is some wrapping going on there. Try: # net sam policy set maximum password age 4294967291 That said, I don't know why there would be wrapping. An unsigned 32-bit integer's maximum value is 4294967295, so 4294967294 (the value that you used) should be something that would fit. I don't know what would cause that to happen that way.
I tried all points and IT DOES NOT WORK, always the message Your password expires today, please change your password yes/no : - My users are all UX (I also tried without X, it's even worse) - I tried pdbedit - I tried net sam - removed passdb backend = smbpasswd from config # net sam policy set maximum password age 4294967295 Account policy maximum password age value was: 0 Account policy maximum password age value is now: -1 pdbedit -u mbucher -v gives either Password last set:0 Password can change: 0 Password must change: 0 Last bad password : 0 Bad password count : 0 either Password last set:Thu, 25 Feb 2010 15:17:18 CET Password can change: Thu, 25 Feb 2010 15:17:18 CET Password must change: never Last bad password : 0 Bad password count : 0 Any help would be greatly appreciated we have 90 people here and I really becoming mad about this, I don't know where to search for ? Denis
Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04
On 03/25/2010 03:33 AM, Vladimir Psenicka wrote: What about Debian Stable with Sernet samba repo, where you can choose Samba 3.4.x or 3.5.x My hints on migrating to new server: 1. install new server (Samba,ldap etc.) 2. set same hostname on new server 3. export ldap data from old server and import them to new server Ensure that all local user and group accounts that are used by samba have the same uid/gid. 4. export SID (net getlocalsid) and set it on new server (net setlocalsid oldsid) Note: net getdomainsid (on old server) net setdomainsid (on new server) 5. configure samba on new server as PDC with ldap and shares in smb.conf from old samba smb.conf (check with testparm) 6. stop samba on old server 7. copy all data (with perms) and netlogon share to new server 8. stop old server 9. start samba on new server and check everything is working fine (domain logon from windows box, shares and perms) This can be done best when no users are logged in samba (maybe at weekend?) P.S. We have ubuntu 8.04 as PDC and Windows 7 can't join to domain Check http://wiki.samba.org for info regarding Windows 7. Cheers, John T.

On 25.3.2010 01:05, GG wrote: Hello Vladimir and hi all, Thanks very much for replying! Any suggested os? I'd go for debian or what advised, I just happen to know ubuntu more... Any strategy or hint on migrating from ancient ldap + samba to a new server? Already tried rsyncing (using all options to keep perms and attributes grp own mod etc) on a twin v-machine but server starts and the ldap auth fails to work :-( I'm a bit stuck at the moment :-( and I have postponed the problem for too long grrr Giorgio

On Wed, Mar 24, 2010 at 9:20 AM, Vladimir Psenicka vladimir.pseni...@prodeco.cz wrote: On 23.3.2010 15:48, Giorgio wrote: Hello, Hopefully I'm in the right place asking for help :-) I need to move from an old physical Suse 8.2 - samba 2.2.7 + ldap - to latest samba versions, I would like to use an ubuntu 8.04 virtual machine.
The domain is in production on the physical server, to be dismissed after migration. It is also the file server!!! so /DATA/ has all shared and permission driven file access.. I was following https://help.ubuntu.com/8.10/serverguide/C/samba-dc.html but I realize I am in a different scenario... Production so no errors are admitted :-(, migration to new os and versions.. all at once? I have a dump of the physical server (dd sda mbr and single partitions :) plus an rsync with all permissions daily backup, just to be safe ;) What would you guru's suggest as a strategy? Can I create a new server and add it as secondary domain controller and then once the replica is up? I'd feel quite comfortable with this method. BTW I need a new version of samba as they have already bought Windows 7 boxes (without asking if they were supported arrgh). Thanks to all of you who read or answered :-) Gio Hi. Ubuntu 8.10 is bad idea if you will be connecting Windows 7 into domain, because of old Samba version. Samba 3.4.x or 3.5.x is recommended for Win7. Wait for Ubuntu 10.04 LTS (next month) if you want Ubuntu. -- Vladimir Psenicka
[Samba] Notice: Samba Commercial Support
A subscriber wanted to know the status of the Commercial Support pages on the Samba.Org web site. This is a response to the issues raised: 1. The Commercial Samba Support URL is: http://samba.org/samba/support/ 2. The support pages are being *ACTIVELY* maintained. 3. If you find a broken, or inactive link, please report it to: j...@samba.org 4. If you find that any listing does not provide legitimate Samba support please email j...@samba.org immediately. We will contact the owner of that listing to resolve the matter. 5. This posting will (hopefully) avoid a need for future concerns regarding the value and accuracy of Commercial Support listings on the Samba.Org site. Cheers, John H Terpstra
Re: [Samba] Samba and Windows 7 do they work together?
On 03/04/2010 03:22 AM, Moray Henderson wrote: John Drescher wrote: Yes. They work fine together. You need samba-3.3.X or greater. 3.4.X does not allow printing under 64 bit clients but 3.3 or 3.5 are good. I was about to upgrade from 3.3 to 3.4 until I read that. Is the 64-bit printing issue going to be fixed in the 3.4 series? Suggest you visit the samba web site: http://www.samba.org In the right column is a link to the release notes for 3.4.6 I think it says something like: o Fix printing with 64 bit clients (bug #6888). - John T. Moray. To err is human. To purr, feline
[Samba] Samba Commercial Support Web Page Updated
Following up on recent requests for feedback to update support provider entries this serves to confirm that the commercial support area has indeed been updated since February 22, 2010. All requests received for listing and for correction or amendment have been applied. If you are a provider of commercial support please check your listing in the support pages. If any of you want to be listed please follow the information on the Commercial Support landing page at: http://www.samba.org/samba/support Also, please note that the Samba Team neither endorses, nor recommends, any company or individual that has a listing. We strongly recommend the exercise of due diligence before using the services of any listed entry. Cheers, John H Terpstra Samba-Team
Re: [Samba] Change samba username with tdbsam backend
On 02/19/2010 06:52 PM, Eden Caldas wrote: How do you do this? This thing is a binary file. And I see no command lines for it. ex; I have an username named Miranda and I want to change to Liara.

OK, this is a question that has been asked many times on this list. A complete solution depends on the Samba password backend being used, and on how far you want to go in terms of consistency of change. For example:

1) If the passdb backend = smbpasswd, it is necessary to change:
   a) The user login name in the smbpasswd file
   b) The user login name and GECOS information in /etc/passwd and in /etc/shadow, and all group membership information in /etc/groups
   c) The name of the user's home directory
   d) The name of the user's desktop profile directory on all MS Windows machine the user makes use of.

2) If the passdb backend = tdbsam, it is necessary to change:
   a) The users' name in the passdb.tdb file
   b) The users' login name and GECOS information in /etc/passwd and in /etc/shadow, and all group membership information in /etc/groups
   c) The name of the user's home directory
   d) The name of the user's desktop profile directory on all MS Windows machine the user makes use of.

3) If the passdb backend = ldapsam, it is necessary to change:
   a) The users' identity information in a consistent manner in his/her account record and in all group memberships
   b) The name of the user's home directory
   c) The name of the user's desktop profile directory on all MS Windows machine the user makes use of.

The problem is that if the account information is deleted (can be done) it must be restored with the same UID and GID, and with full preservation of the users' fully qualified SID. If this does not happen, his/her profile will no longer work correctly and user applications will be broken in the MS Windows environment. There exists no simple, portable tool that can affect the type of change you are seeking. At the best of times, this is a complex administrative task that requires knowledge of the consequences of each step taken. A failure to apprehend such consequences will lead to interesting observations and results. - John T.
Re: [Samba] Change samba username with tdbsam backend
On 02/19/2010 08:39 PM, Eden Caldas wrote: a) The users' name in the passdb.tdb file That's what I want to know. How do I do it? OK - you will lose information, but here is a quick solution: a) pdbedit -i tdbsam -e smbpasswd b) pdbedit -x user_name c) Edit the smbpasswd file (it is a text file) d) pdbedit -i smbpasswd -e tdbsam I am not sure it will work, but try it - what do you have to lose? - John T. 2010/2/20 John H Terpstra j...@samba.org: On 02/19/2010 06:52 PM, Eden Caldas wrote: How do you do this? This thing is a binary file. And I see no command lines for it. ex; I have an username named Miranda and I want to change to Liara. OK, this is a question that has been asked many times on this list. A complete solution depends on the Samba password backend being used, and on how far you want to go in terms of consistency of change. For example: 1) If the passdb backend = smbpasswd, it is necessary to change: a) The user login name in the smbpasswd file b) The user login name and GECOS information in /etc/passwd and in /etc/shadow, and all group membership information in /etc/groups c) The name of the user's home directory d) The name of the user's desktop profile directory on all MS Windows machine the user makes use of. 2) If the passdb backend = tdbsam, it is necessary to change: a) The users' name in the passdb.tdb file b) The users' login name and GECOS information in /etc/passwd and in /etc/shadow, and all group membership information in /etc/groups c) The name of the user's home directory d) The name of the user's desktop profile directory on all MS Windows machine the user makes use of. 3) If the passdb backend = ldapsam, it is necessary to change: a) The users' identity information in a consistent manner in his/her account record and in all group memberships b) The name of the user's home directory c) The name of the user's desktop profile directory on all MS Windows machine the user makes use of. 
The problem is that if the account information is deleted (can be done) it must be restored with the same UID and GID, and with full preservation of the users' fully qualified SID. If this does not happen, his/her profile will no longer work correctly and user applications will be broken in the MS Windows environment. There exists no simple, portable tool that can affect the type of change you are seeking. At the best of times, this is a complex administrative task that requires knowledge of the consequences of each step taken. A failure to apprehend such consequences will lead to interesting observations and results. - John T.
Re: [Samba] Change samba username with tdbsam backend
On 02/19/2010 08:51 PM, Eden Caldas wrote: You are not sure if it will work? Right. It should work. Try it. But there will be a loss of information. So there's no way of doing this without losing information? Correct. The tdbsam (passdb.tdb) file stores more information than the smbpasswd file does. You should execute: pdbedit -Lv user_name and make careful record of the user's SID and other Windows per-user settings. You may have to restore that separately using pdbedit. Password aging information will be lost. Any per-user setting for Windows home folder, profile information, per-user logon script, etc. will be lost unless you reset it. - John T. 2010/2/20 gu...@lorenzutti.com.ar: A very small contribution... you should also rename the user in passwd and shadow. On 02/19/2010 08:39 PM, Eden Caldas wrote: a) The users' name in the passdb.tdb file That's what I want to know. How do I do it? OK - you will lose information, but here is a quick solution: a) pdbedit -i tdbsam -e smbpasswd b) pdbedit -x user_name c) Edit the smbpasswd file (it is a text file) d) pdbedit -i smbpasswd -e tdbsam I am not sure it will work, but try it - what do you have to lose? - John T. 2010/2/20 John H Terpstra j...@samba.org: On 02/19/2010 06:52 PM, Eden Caldas wrote: How do you do this? This thing is a binary file. And I see no command lines for it. ex; I have an username named Miranda and I want to change to Liara. OK, this is a question that has been asked many times on this list. A complete solution depends on the Samba password backend being used, and on how far you want to go in terms of consistency of change. 
For example: 1) If the passdb backend = smbpasswd, it is necessary to change: a) The user login name in the smbpasswd file b) The user login name and GECOS information in /etc/passwd and in /etc/shadow, and all group membership information in /etc/groups c) The name of the user's home directory d) The name of the user's desktop profile directory on all MS Windows machine the user makes use of. 2) If the passdb backend = tdbsam, it is necessary to change: a) The users' name in the passdb.tdb file b) The users' login name and GECOS information in /etc/passwd and in /etc/shadow, and all group membership information in /etc/groups c) The name of the user's home directory d) The name of the user's desktop profile directory on all MS Windows machine the user makes use of. 3) If the passdb backend = ldapsam, it is necessary to change: a) The users' identity information in a consistent manner in his/her account record and in all group memberships b) The name of the user's home directory c) The name of the user's desktop profile directory on all MS Windows machine the user makes use of. The problem is that if the account information is deleted (can be done) it must be restored with the same UID and GID, and with full preservation of the users' fully qualified SID. If this does not happen, his/her profile will no longer work correctly and user applications will be broken in the MS Windows environment. There exists no simple, portable tool that can affect the type of change you are seeking. At the best of times, this is a complex administrative task that requires knowledge of the consequences of each step taken. A failure to apprehend such consequences will lead to interesting observations and results. - John T.
Re: [Samba] Change samba username with tdbsam backend
On 02/19/2010 11:41 PM, Jeremy Allison wrote: On Fri, Feb 19, 2010 at 08:33:36PM -0600, John H Terpstra wrote: There exists no simple, portable tool that can affect the type of change you are seeking. At the best of times, this is a complex administrative task that requires knowledge of the consequences of each step taken. A failure to apprehend such consequences will lead to interesting observations and results. The correct way to do this is for winbindd to be able to fully specify UNIX accounts internally (ie. inside its own equivalent of /etc/passwd, /etc/shadow, and tdbsam). We used to have this capability in winbindd but it got removed a long time ago (around the early Samba 3.0.x timeframe I recall) as no one made use of it. Samba has from the outset implicitly viewed all Windows security objects from the perspective of a UNIX user or group account. This is one of Samba's Achilles heels. It would have been much easier had we implemented a selectable way of mapping Windows security objects (users, groups, trust accounts, etc.) to UNIX accounts. For example; it would have been possible to map Windows groups such as Domain Users account to a particular UNIX user _OR_ group, without requiring explicit mapping of MS Windows users to a discrete UNIX user account and Windows groups to a discrete UNIX group. Had we kept a barrier between the Windows world and the UNIX world that allows flexible mapping to a UNIX user _OR_ group account we would have had a really nifty and flexible environment. We now have kind-of a prison that forces a lot of complex constraints on the UNIX admin. I've been thinking of resurrecting this again at some point. Is this really a good idea? I'm not sure. If winbindd is the full controller of local account info then normal RPC tools can change an account name by simply changing the stored name property in the database. Agreed. Think of the flexibility this would provide in respect of ACLs handling too!
A disconnection of the tie between the Windows and UNIX worlds has considerable merit. I'll start thinking about adding this back into winbindd as a winbindd local accounts option. Probably would do it differently from the earlier implementation now though :-). Before we do this, please let us fundamentally rethink the best way to architect the relationship between the Windows and UNIX worlds. For example, how would this impact the Global v's Local Windows account infrastructure? A fully flexible mapping system could replace the need for much of the current IDMAP infrastructure also. Maybe it is time to awake from the dream, hopefully not to the realization that it was actually a nightmare. ;-) - John T.
Re: [Samba] Samba 3.2.5 / Debian Lenny var full
On 02/18/2010 05:14 AM, Didier Roques wrote: Hi, I've got a server with lenny installed on it with samba 3.2.5. My problem is that the var partition is sometimes full. In fact, if I use the df command I see the partition full, but if I use the du command the partition is not full. If I use the lsof command I see plenty of samba log files in /var/log/samba which are very big. I have - to kill the process given by lsof associated with the samba log file (smbd process) - to restart samba to see the partition not full. Is there a bug with this official version of samba with lenny? Or have you got a solution for me? I have seen this problem with samba-3.2.3 at a large site. It would strike once every two months or so, when it happened an 80GB /var/log/samba partition would fill up in 1 or 2 minutes. We never got to the bottom of this, the problem has not reappeared since the site moved to samba-3.3.4. My advice is to update to 3.4.5 or later. - John T.
[Samba] Commercial Support Listings - Samba Web Site
This is a reissue of the request for updates to the commercial support listings on the Samba web site. Please use the below form for any update required. Recently there have been complaints from users who have sought commercial support for Samba and who were unable to contact many of the people and companies who are listed on the samba web site as providing commercial support. The Commercial Support entries have not been validated for a number of years and housekeeping is needed. If your name or your company is listed (or you wish to be listed on the Samba web site) as providing commercial support for Samba, please send an email to j...@samba.org with the following information: Subject: Samba Commercial Support Listing 1. Business Name: 2. Contact Name: 3. Business address: 4. City: 5. State or Province: 6. Country: 7. Web URL: 8. Telephone Number/s: 9. Email address/es: 10. A description of the services you provide (max 100 words): 11. Specialty samba capabilities: 12. Special Notes: We are in process of contacting every company that is currently listed as providing commercial support. Those that are not contactable or have not responded will be deleted from the list in 14 days time. Kind regards, John H Terpstra Samba Team -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Samba Web Site: Commercial Support Listings
Folks, There have been complaints from users who have sought commercial support for Samba and who were unable to contact many of the people and companies who are listed on the samba web site as providing commercial support. These entries have not been maintained for a number of years and housekeeping is clearly needed. If your name or your company is listed as providing commercial support for Samba, please send an email to j...@samba.org with the following information: Subject: Samba Commercial Support Listing 1. Business Name: 2. Contact Name: 3. Business address: 4. City: 5. State or Province: 6. Country: 7. Web URL: 8. Email address/es: 9. A description of the services you provide (max 100 words): 10. Specialty samba capabilities: For the United States of America: Over the next 2 weeks an attempt will be made to contact every support entry. Those that are not contactable will be deleted from the list in 14 days time. Kindest regards, John H Terpstra
Re: [Samba] BDC passwd changes
On 02/04/2010 05:21 PM, Mike Fabre wrote: Hello I have a network setup with one Samba PDC and two Samba BDCs separated by routers (ref http://www.cybersource.com.au/users/mikef/samba/). In this test environment the Samba servers all use the master OpenLDAP server on the PDC, but the production system will have OpenLDAP servers (using master-slave replication) on all Samba servers. I can't get the Windows XP client to change a password or enroll on the domain when connected to either of the BDC's networks, however both functions work fine when connected directly to the PDC's network. If the XP client is enrolled onto the domain while connected to the PDC's network then it successfully authenticates against the domain on all three networks, incl after being relocated to either BDC network. Anyone got any ideas what my problem might be? Mike, In your smb.conf files do you have interface only = yes - if so, remove it and it should work. Check Samba bugzilla - there is a bug report about this. - John T.
Re: [Samba] BDC passwd changes
On 02/04/2010 06:05 PM, Mike Fabre wrote: On Thu, Feb 04, 2010 at 05:34:41PM -0600, John H Terpstra wrote: On 02/04/2010 05:21 PM, Mike Fabre wrote: Hello I have a network setup with one Samba PDC and two Samba BDCs separated by routers (ref http://www.cybersource.com.au/users/mikef/samba/). In this test environment the Samba servers all use the master OpenLDAP server on the PDC, but the production system will have OpenLDAP servers (using master-slave replication) on all Samba servers. I can't get the Windows XP client to change a password or enroll on the domain when connected to either of the BDC's networks, however both functions work fine when connected directly to the PDC's network. If the XP client is enrolled onto the domain while connected to the PDC's network then it successfully authenticates against the domain on all three networks, incl after being relocated to either BDC network. Anyone got any ideas what my problem might be? In your smb.conf files do you have interface only = yes - if so, remove it and it should work. Check Samba bugzilla - there is a bug report about this. I don't have that option set in any of the config files, so I tried adding 'interface only = no' on all three then ran testparm and it said 'Ignoring unknown parameter interface only'. Is this the bug you are talking about: https://bugzilla.samba.org/show_bug.cgi?id=6970 That bug mentions the 'bind interfaces only' and 'interfaces' options which I also don't have in any of my config files and when I added it and ran testparm it didn't give me an error but the config it gave back didn't have either of those options in it. You are correct, the parameter is bind interfaces only = No, See: https://bugzilla.samba.org/show_bug.cgi?id=6348 - John T.
Re: [Samba] roaming profiles and Documents and setting with non-standard Windows 2k3 administrator RID.....
On 01/27/2010 08:29 PM, Daniel R. Gore wrote:

Because of the extremely restrictive security environment we work under, our Windows Admins have disabled the administrator account on our Domain and created a new account with administrator rights. The result is that the common RID of 500 which maps to the Linux UID and GID of 500 is no longer valid. This means that when the Windows Domain controller, via the Domain Administrator (which has another name and RID) tries to make an account on the samba share where the profiles are intended for, it fails because Samba expects this to come from the well known RID of 500. Is there any way to specify in Samba what RID number to expect and use for Domain Administration management? Thanks. Dan

Dan,

You can assign suitable rights and privileges using the net utility as follows:

    net rpc rights grant "DOMAIN\Group Name" \
        SeMachineAccountPrivilege SeTakeOwnershipPrivilege \
        SeBackupPrivilege SeRestorePrivilege \
        SeRemoteShutdownPrivilege SePrintOperatorPrivilege \
        SeAddUsersPrivilege SeDiskOperatorPrivilege \
        -Uadministrator%password

When correctly processed for domain group Whatchamacallit you will get something that looks like this:

    net rpc rights list accounts -Uwinadmin%n3v3rgessit

    BUILTIN\Print Operators
    No privileges assigned

    BUILTIN\Account Operators
    No privileges assigned

    BUILTIN\Backup Operators
    No privileges assigned

    BUILTIN\Server Operators
    No privileges assigned

    BUILTIN\Administrators
    SeMachineAccountPrivilege
    SeTakeOwnershipPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeRemoteShutdownPrivilege
    SePrintOperatorPrivilege
    SeAddUsersPrivilege
    SeDiskOperatorPrivilege

    Everyone
    No privileges assigned

    URDOMAIN\Whatchamacallit
    SeMachineAccountPrivilege
    SeTakeOwnershipPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeRemoteShutdownPrivilege
    SePrintOperatorPrivilege
    SeAddUsersPrivilege
    SeDiskOperatorPrivilege

Yell if you need more help.

Cheers, John T.
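Added example, not part of the original thread: once rights are delegated to a non-default admin group as described above, the `net rpc rights list accounts` listing can be checked against an approved baseline so that later drift is noticed. The sample text is constructed from the listing quoted in the message, assuming one entry per line; the `APPROVED` baseline and the `DRIFTED` variant are hypothetical.

```python
import re

# Constructed sample: the listing quoted in the message, one entry per line
# (assumed layout: account name, then its privileges or the "none" marker).
ALL_RIGHTS = """SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege"""

SAMPLE = "\n\n".join([
    "BUILTIN\\Print Operators\nNo privileges assigned",
    "BUILTIN\\Account Operators\nNo privileges assigned",
    "BUILTIN\\Backup Operators\nNo privileges assigned",
    "BUILTIN\\Server Operators\nNo privileges assigned",
    "BUILTIN\\Administrators\n" + ALL_RIGHTS,
    "Everyone\nNo privileges assigned",
    "URDOMAIN\\Whatchamacallit\n" + ALL_RIGHTS,
])

# Hypothetical drift case: a broad principal has picked up a disk-operator right.
DRIFTED = SAMPLE.replace("Everyone\nNo privileges assigned",
                         "Everyone\nSeDiskOperatorPrivilege")

# Hypothetical baseline: only these accounts are meant to hold rights.
APPROVED = {
    r"BUILTIN\Administrators": set(ALL_RIGHTS.split()),
    r"URDOMAIN\Whatchamacallit": set(ALL_RIGHTS.split()),
}

PRIV_RE = re.compile(r"^Se[A-Za-z]+Privilege$")
NONE_MARKER = "No privileges assigned"


def parse_rights(text):
    """Return {account: set(privileges)} from a rights listing."""
    rights, account = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == NONE_MARKER:
            continue
        if PRIV_RE.match(line):
            if account is None:
                raise ValueError(f"privilege {line!r} listed before any account")
            rights[account].add(line)
        else:
            # Anything that is not a privilege or the marker starts a new account.
            account = line
            rights.setdefault(account, set())
    return rights


def drift(actual, approved):
    """List (kind, account, privilege) differences between listing and baseline."""
    findings = []
    for account in sorted(set(actual) | set(approved)):
        have = actual.get(account, set())
        want = approved.get(account, set())
        findings += [("unexpected", account, p) for p in sorted(have - want)]
        findings += [("missing", account, p) for p in sorted(want - have)]
    return findings


if __name__ == "__main__":
    for finding in drift(parse_rights(DRIFTED), APPROVED):
        print(*finding)
```
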
Re: [Samba] Options for responding to this group?
On 01/15/2010 07:54 AM, Peter Olcott wrote: Is the only option for responding to posts in this group to receive ALL of the messages posted in this group by email? 1) Subscribers to the samba mailing list can control whether or not they receive messages that are posted to the list. This is an on/off setting in the subscribers' optional settings. 2) Subscribers who elect to receive messages posted to the list will receive ALL message postings. 3) There is no option to filter on message subject. 4) List subscribers can post to the list. Messages sent by a subscriber will be sent directly to the list. 5) Non-subscribers can also post to the list. Messages sent by a non-subscriber will be held for moderation. It is up to the moderator to determine what will be accepted or rejected. 6) There are a number of moderators, each exercises his/her own discretion. 7) There have been (and possibly still are) subscribers who elect not to receive postings to the mailing list. 8) Subscribers who elect not to receive postings CAN post to the list. - John Terpstra a list moderator
Re: [Samba] Options for responding to this group?
On 01/15/2010 10:40 AM, Peter Olcott wrote: On Fri, Jan 15, 2010 at 8:42 AM, John H Terpstra j...@samba.org wrote: On 01/15/2010 07:54 AM, Peter Olcott wrote: Is the only option for responding to posts in this group to receive ALL of the messages posted in this group by email? 1) Subscribers to the samba mailing list can control whether or not they receive messages that are posted to the list. This is an on/off setting in the subscribers' optional settings. 2) Subscribers who elect to receive messages posted to the list will receive ALL message postings. 3) There is no option to filter on message subject. 4) List subscribers can post to the list. Messages sent by a subscriber will be sent directly to the list. 5) Non-subscribers can also post to the list. Messages sent by a non-subscriber will be held for moderation. It is up to the moderator to determine what will be accepted or rejected. 6) There are a number of moderators, each exercises his/her own discretion. 7) There have been (and possibly still are) subscribers who elect not to receive postings to the mailing list. 8) Subscribers who elect not to receive postings CAN post to the list. - John Terpstra a list moderator How do subscribers that elect to NOT receive email postings respond to a specific message such as this one? a) We have quite a few subscribers who read the samba list archives via the web. b) What response does this message require? My intent was to inform newer subscribers who were not aware that not being sent list postings is a real option. Cheers, John T.
Re: [Samba] samba with full audit and trash
On 12/15/2009 01:10 PM, Andre Losnak wrote:

Hi list, I am running my samba with the full audit module; when I run recycle together with it, full audit fails. Can I run samba with full audit + recycle?

Yes. Use the following:

    vfs object = recycle full_audit

- John T.

Thanks. My conf:

in [GLOBAL]:

    # recycle bin
    vfs object = recycle
    recycle:repository = /hda1/lixeira/.recycle/%U
    recycle:keeptree = Yes
    recycle:touch = Yes
    recycle:versions = Yes
    recycle:maxsize = 0
    recycle:minsize = 1
    recycle:exclude = *.tmp *.temp *.o *.obj ~$* *.~??
    recycle:excludedir = /tmp /temp /cache
    recycle:noversions = *.doc *.xls *.ppt *.docx *.xlsx
    # auditing
    vfs objects = full_audit
    full_audit:success = open, opendir, write, unlink, rename, mkdir, rmdir, chmod, chown
    full_audit:prefix = %u|%I|%S
    full_audit:failure = none
    full_audit:facility = local5
    full_audit:priority = notice

in shares:

    vfs object = recycle
    recicle:repository = /hda1/lixeira/.recycle/
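Added example, not part of the original thread: a small check for the situation above, where `vfs object` and `vfs objects` (synonyms in smb.conf) are each set once, so the later value replaces the earlier one and audit logging is silently dropped instead of stacked. The sample is constructed from the posted configuration, trimmed to its VFS lines; the share name `[dados]` and all function names are hypothetical.

```python
import re

# Constructed from the smb.conf in the message; "[dados]" is a hypothetical share name.
SAMPLE_CONF = """\
[global]
# recycle bin
vfs object = recycle
recycle:repository = /hda1/lixeira/.recycle/%U
recycle:keeptree = Yes
# auditing
vfs objects = full_audit
full_audit:success = open, opendir, write, unlink, rename, mkdir, rmdir, chmod, chown
full_audit:prefix = %u|%I|%S
full_audit:failure = none

[dados]
vfs object = recycle
recicle:repository = /hda1/lixeira/.recycle/
"""

# The same settings with both modules stacked on one line, as in the reply.
FIXED_CONF = """\
[global]
vfs object = recycle full_audit
recycle:repository = /hda1/lixeira/.recycle/%U
full_audit:success = open, opendir, write, unlink, rename, mkdir, rmdir, chmod, chown
full_audit:failure = none

[dados]
recycle:repository = /hda1/lixeira/.recycle/
"""

VFS_KEY = "vfs objects"


def norm_key(key):
    """Parameter names ignore case and spacing; 'vfs object' is a synonym."""
    key = " ".join(key.lower().split())
    return VFS_KEY if key == "vfs object" else key


def parse_conf(text):
    """Return {section: [(lineno, key, value), ...]} in file order."""
    conf, section = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, [])
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section].append((lineno, norm_key(key), value.strip()))
    return conf


def vfs_assignments(entries):
    """Every 'vfs objects' assignment in a section as (lineno, [modules])."""
    return [(n, [m for m in re.split(r"[,\s]+", v) if m])
            for n, k, v in entries if k == VFS_KEY]


def effective_vfs(conf, section):
    """Last assignment in the share wins; otherwise the [global] value applies."""
    for name in (section, "global"):
        assigned = vfs_assignments(conf.get(name, []))
        if assigned:
            return assigned[-1][1]
    return []


def lint(conf):
    findings = []
    loaded_anywhere = {m for s in conf for m in effective_vfs(conf, s)}
    global_mods = effective_vfs(conf, "global")
    for section, entries in conf.items():
        assigned = vfs_assignments(entries)
        # A second assignment in one section replaces the first, it does not add to it.
        for (old_n, _), (new_n, _) in zip(assigned, assigned[1:]):
            findings.append(("overridden", section, old_n, new_n))
        # A share-level list replaces the [global] list for that share.
        if section != "global" and assigned:
            dropped = [m for m in global_mods if m not in assigned[-1][1]]
            if dropped:
                findings.append(("replaces-global", section, dropped))
        # Simplification: every space-free 'prefix:option' key is treated as a VFS option.
        scope = loaded_anywhere if section == "global" else set(effective_vfs(conf, section))
        for lineno, key, _ in entries:
            prefix, sep, _ = key.partition(":")
            if sep and " " not in prefix and prefix not in scope:
                findings.append(("unknown-prefix", section, lineno, prefix))
    return findings


if __name__ == "__main__":
    for finding in lint(parse_conf(SAMPLE_CONF)):
        print(finding)
```

On the posted configuration this reports that `[global]` ends up with only `full_audit`, that the share loads only `recycle` and therefore gets no auditing, and that the `recicle:` option prefix matches no loaded module.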
Re: [Samba] samba4 size
On 12/15/2009 05:35 PM, theHog wrote: Hi, I've built samba 4 from the git repository, but... the resulting (stripped) binaries take 504 MB disk space! Is that what it is or did I do something wrong? theHog No, you did it right. I want to know how you did that! Mine is 1.2GB for the whole of it. ;-) - John T.
Re: [Samba] Vista clients having Issues Copying files from Samba Server
Anthony Giggins wrote:

Hello, I'm running samba-3.0.33 (samba-3.0.33-3.15.el5_4) on Centos 5.4 and some files have issues being copied from the Samba server to the Vista (Service Pack 1) clients' local disk via Windows Explorer. Copying to the Samba server also has no issues and copying via the CMD prompt has no problem. I'm getting the following errors:

1. Invalid MS-DOS Function http://seven.dorksville.net/gallery/v/Misc+Photos/image001.png.html
2. invalid file handle (When you click Try Again) http://seven.dorksville.net/gallery/v/Misc+Photos/image002.png.html

It will then cycle through these 2 errors each time you click try again. Windows XP does not have any issues with the same files and other files also don't have an issue to the Vista Clients. There are also the following logs generated on the server that correspond to these errors:

    lib/util_sock.c:send_smb(761) Error writing 75 bytes to client. -1. (Broken pipe)
    lib/util_sock.c:write_data(562) write_data: write failure in writing to client 192.168.0.237. Error Broken pipe
    lib/util_sock.c:write_data(562) write_data: write failure in writing to client 192.168.0.240. Error Broken pipe

Any help or suggestions would be greatly appreciated. Regards, Anthony

Seeing as I got no replies I went and upgraded to 3.2.15 from sernet http://ftp.sernet.de/pub/samba/tested/centos/5/repodata/index.html And I'm seeing the same errors on the vista side but here are the logs from the server:

    Dec 13 11:16:39 newsrv smbd[32555]: [2009/12/13 11:16:39, 0] lib/util_sock.c:read_socket_with_timeout(939)
    Dec 13 11:16:39 newsrv smbd[32555]: [2009/12/13 11:16:39, 0] lib/util_sock.c:get_peer_addr_internal(1676)
    Dec 13 11:16:39 newsrv smbd[32555]: getpeername failed. Error was Transport endpoint is not connected
    Dec 13 11:16:39 newsrv smbd[32555]: read_socket_with_timeout: client 0.0.0.0 read error = Connection reset by peer.

Are there any known issues with Vista? And is there any known working minimum version?
Cheers, Anthony

Please update to Samba 3.4.3 or later. Many Vista and Windows 7 support related issues have been addressed during the 3.4.x series. Firstly, if the Samba logs note an invalid function call, that may mean an upgrade to a more recent version of Samba is needed. When a Windows client notes an invalid function call or an invalid file handle the cause may be problems in the network transport layer. Secondly, note what the Samba server log message says. Short translation is: I was talking to the client, but the client went away and did not respond! The client dropped the connection. In all likelihood this is not a Samba problem and may actually be a network problem. It is a problem regularly seen with low-cost ethernet interfaces and cheap ether-switches. Kindest, John T.
Re: [Samba] migrating NT4 PDC net rpc vampire errors with capital letters
Ryan Davis wrote: Hi, I have searched for days on Google and can't find a clear answer to my question. I have a NT4 PDC which I am migrating to Samba 3 (Version 3.4.2-47.fc12) on FC12 with kernel(2.6.31.5-127.fc12.i686). I am using tdbsam as my passdb backend. I set up Samba as a BDC and then joined to NT4 Domain successfully. When I go to vampire the accounts I get lots of errors and some user accounts get transferred over. It turns out that all the user accounts that transfer are those that don't have a capital letter in their username on the NT4 domain server. Most do and don't get transferred. There seem to be errors with my groups and Computer accounts. I was able in the past to vampire all the accounts (even capital letters) so any ideas would be great. Some Linux systems will not allow creation of user or group accounts that have uppercase characters or spaces in them. OpenSUSE 11.2 does not have this limitation. Perhaps you can ask on the FedoraProject list to find how to disable the restriction against uppercase characters in user and group names. While it is an admirable intention of some Linux distros to stop users from creating stupid account names, when migrating from MS Windows this is a real handicap. - John T. Thanks in advance.
Here is a type of error I get:

    Creating account: Ryan
    useradd: invalid user name 'Ryan'
    fetch_account: Running the command `/usr/sbin/useradd -m 'Ryan'' gave 3
    Could not create posix account info for 'Ryan'

I get this error for groups:

    Creating unix group: 'SophosDomainPowerUser'
    groupadd: 'SophosDomainPowerUser' is not a valid group name
    smb_create_group: Running the command `/usr/sbin/groupadd 'SophosDomainPowerUser'' gave 3

and for Computer names:

    Creating account: LIMS1$
    useradd: invalid user name 'LIMS1$'
    fetch_account: Running the command `/usr/sbin/useradd -s /bin/false -d /dev/null 'LIMS1$'' gave 3

Here is my smb.conf

    [global]
    workgroup = GENOME1
    netbios name = HERCULES
    passdb backend = tdbsam
    domain master = No
    domain logons = Yes
    os level = 40
    add user script = /usr/sbin/useradd %u -n -g users
    delete user script = /usr/sbin/userdel %u
    add group script = /usr/sbin/groupadd %g
    delete group script = /usr/sbin/groupdel %g
    add machine script = /usr/sbin/useradd -n -c Workstation (%u) -M -d /nohome -s /bin/false %u
    # username map = /etc/samba/smbusers
    logon path =
    logon home =
    # wins support = yes

    [files]
    comment = SAMBA File Server
    path = /files
    read only = No
Re: [Samba] Wins, browsing, browse.dat and wins.dat
On 11/16/2009 08:21 AM, Eric PEYREMORTE wrote: Hi, I have trouble understanding wins and network browsing functionality. I have a samba server (pdc) on a different subnet than my clients. The server smb.conf has wins support = Yes, the clients are configured to use the wins server. In the wins.dat, I can see all the computers. In the browse.dat I have only computers/servers that are in the same subnet. When I try to browse the network via network neighborhood I only see the computers that are in the same subnet (the same that are in the browse.dat). I've read the howto about wins, but can't understand how my computers can be visible in the network neighborhood... I thought that setting a wins server would be the solution but I think I'm wrong. Could someone help me? (I googled all day for that ...) Thanks, Eric Have you configured ALL your MS Windows clients' TCP/IP settings to use the Samba WINS server? The Samba3-HOWTO has a fairly detailed chapter on network browsing. What part of it does not make sense? http://www.samba.org/samba/docs/Samba3-HOWTO.pdf - John T.
Re: [Samba] LDAP Examples
On 10/31/2009 03:22 PM, Miguel Medalha wrote: Actually never mind. Just found it at http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html in table Table 11.3. I would suggest starting there with figuring out LDAP and Samba. Yes. Over the years, I also discovered that searching for information and collecting useful bits of knowledge from here and there and putting them together is actually much better than bitching around and complaining that things are not as they should be. I was able to install a few production servers with Samba and LDAP just by actually reading the information provided both in Samba How-To and Samba by Example. Amazing, uh? I am delighted to see that my efforts at documentation have not been wasted and that someone actually has gained advantage from them. It would be even better to see contributions from those who gained any benefit in the form of updates and additions that will make the Samba3-HOWTO and Samba3-ByExample more valuable and useful. I am convinced that you can contribute some observations or things learned that others would find valuable. Please, please do contribute to the Samba documentation. Cheers, John Terpstra
Re: [Samba] upgrade and secrets.tdb file ?
On 10/12/2009 08:50 AM, Frank Bonnet wrote: Hello Is the secrets.tdb file preserved when doing a normal upgrade after compiling Samba ( configure, make , make install ) ? Thanks a lot Yes, because a 'normal' upgrade, make install does not touch the secrets.tdb file. This file is created when the samba daemons are started. - John T.
Re: [Samba] TOSHAG-Winbind.xml translate finished and some bug found
On 10/09/2009 01:51 AM, Michael Wood wrote: Hi 2009/10/8 John H Terpstra - Samba Team j...@samba.org: On 10/08/2009 03:01 AM, ITPFS oota wrote: Now, TOSHARG-VFS.xml translate to Japanese finished(3.4.0 base). And some bug found. [...] on your system. Please refer to the PAM Web site ulink url=http://www.kernel.org/pub/linux/libs/pam//. is this? Yes. I do believe that to compile Samba with PAM support the pam development libraries are needed. Please refer to the ulink url=http://www.kernel.org/pub/linux/libs/pam//PAM Web site/ulink. I think he was proposing to replace: ulink url=http://www.kernel.org/pub/linux/libs/pam// with: ulink url=http://www.kernel.org/pub/linux/libs/pam/;PAM Web site/ulink Thanks for the clue-bat! I needed that. I have committed that change to the GIT tree. Thanks so much oota-san. - John T. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] TOSHAG-Winbind.xml translate finished and some bug found
On 10/08/2009 03:01 AM, ITPFS oota wrote: Now, TOSHARG-VFS.xml translate to Japanese finished(3.4.0 base). And some bug found. indextermprimaryUID/primary/indexterm indextermprimaryGID/primary/indexterm indextermprimarySID/primary/indexterm indextermprimaryidmap uid/primary/indexterm indextermprimaryidmap gid/primary/indexterm indextermprimaryidmap backend/primary/indexterm indextermprimary/primaryLDAP/indexterm -- is indextermprimaryLDAP/primary/indexterm? That is a bogus entry. I removed it. Winbind maintains a database called winbind_idmap.tdb in which it stores mappings between UNIX UIDs, GIDs, and NT SIDs. This mapping is used only for users and groups that do not have a local UID/GID. It stores the UID/GID allocated from the idmap uid/gid range that it has mapped to the NT SID. Users on the UNIX machine can then use NT user and group names as they would quotenative/quote UNIX names. They can chown files so they are owned by NT domain users or even login to the UNIX machine and run a UNIX X-Window session as a domain user./para X Window System (See man X) Not sure what to do with that. I removed the '-', but the word session seems appropriate, so I left it as it was. indextermprimaryboot disk`/primary/indexterm - typo? Typo fixed. Thanks. If you have a Samba configuration file that you are currently using, emphasisBACK IT UP!/emphasis If your system already uses PAM, emphasisback up the filename/etc/pam.d/filename directory contents!/emphasis If you haven't already made a boot disk, emphasisMAKE ONE NOW!/emphasis /para To allow domain users the ability to access Samba shares and files, as well as potentially other services provided by your Samba machine, PAM must be set up properly on your machine. In order to compile the Winbind modules, you should have at least the PAM development libraries installed on your system. Please refer to the PAM Web site ulink url=http://www.kernel.org/pub/linux/libs/pam//. is this? Yes. 
I do believe that to compile Samba with PAM support the pam development libraries are needed. Please refer to the ulink url=http://www.kernel.org/pub/linux/libs/pam//PAM Web site/ulink. indextermprimarywinbindd daemon/primary/indexterm indextermprimarysmbd/primary/indexterm indextermprimarynmbd/primary/indexterm indextermprimary/etc/init.d/smb/primary/indexterm indextermprimary/etc/init.d/samba/primary/indexterm indextermprimary/usr/local/samba/bin/primary/indexterm indextermprimary/primary/indexterm | indextermprimary/primary/indexterm |unneceasary indextermprimary/primary/indexterm | Removed. para Again, if you would like to run Samba in dual daemon mode, replace: -winbindd? Fixed. Thanks for finding that. programlisting /usr/local/samba/sbin/winbindd /programlisting in the script above with: programlisting /usr/local/samba/sbin/winbindd -D /programlisting The filename/etc/pam.d/ftp/filename file can be changed to allow Winbind ftp access in a manner similar to the samba file. My filename/etc/pam.d/ftp/filename file was changed to look like this: - smb.conf? Fixed. That word samba should have been: filename/etc/pam.d/samba/filename programlisting auth required /lib/security/pam_listfile.so item=user sense=deny \ file=/etc/ftpusers onerr=succeed -- --- Oota Toshiya --- t-oota at dh.jp.nec.com NEC Systems Software Operations Unit Shiba,Minato,Tokyo IT Platform Solutions DivisionJapan,Earth,Solar system (samba-jp/ldap-jp Staff,mutt-j/samba-jp postmaster) The changes were committed to the master GIT branch. Cheers, John T. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Log entries with truncated service names
On 10/06/2009 08:55 PM, Matthew Dickinson wrote:

Hi,

Situation: I'm seeing lots (~500k per day) of log entries like:

    smbd[13939]: itlab-pc06 (:::10.51.51.103) couldn't find service it261

In this case, the last character of the request is truncated - it should be it2610

I'm seeing the same/similar issue to http://lists.samba.org/archive/samba/2009-March/147277.html

I've dismissed this over the last few weeks as a minor inconvenience, but I'm now convinced that it's affecting the performance of the Windows client machines that are connecting to it - a 30 second operation on local disk, takes upwards of 5 mins over a network connection, generating thousands of entries similar to the above.

This isn't unique - over the last 16 business hours (it's in a lab in a university dept.), there have been ~900k similar entries. It's also not just for this particular share, it's on all of the home shares that have been accessed, and also all of the 4 defined shares in smb.conf.

Also, it's across many different hosts, and affecting different Windows OS's. My primary testing has been using Windows7 - I have a lab of 33 machines with this OS, but I believe I've also seen this from Windows XP and Vista hosts.

Also, it's not restricted to this particular host:

Turing (RHEL5) - tried versions samba-3.0.33-3.14.el5 samba3x-3.3.5-0.40.el5
Babbage (RHEL4) exhibits the same, samba-3.0.33-0.17.el4

Babbage which has higher use (in the last 48 hours), has seen a total of 150 different host/service combinations from the logs, across different networks with different clients and different OS's.

I've got output from log level = 10 from turing, and I've got a tcpdump from the server end with the communication with one of the machines. Interestingly, the truncated request is visible in wireshark.

I'd rather not share the complete set of logs publicly on the list, but will send off-list to others (that and they're ~2MB).

Please let me know any further debugging steps that are necessary.

Thanks, Matthew

Please file a bug report on https://bugzilla.samba.org and upload the logfiles as part of the bug report. Also, please provide as much info as necessary so that one of the Samba developers can reproduce the problem. Thanks.

- John Terpstra
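To size a problem like the one described in this thread before filing the bug, the "couldn't find service" entries can be grouped by client and checked against the names the server actually defines. The following is an added example, not part of the original posts or of Samba: the log lines are constructed in the format quoted above, and the list of known share and home-directory names is an assumption the operator supplies.

```python
import re
from collections import Counter

# Matches the smbd message quoted in the post; any syslog prefix is ignored.
MISS_RE = re.compile(
    r"smbd\[\d+\]:\s+(?P<client>\S+)\s+\((?P<addr>[^)]*)\)\s+"
    r"couldn't find service (?P<service>\S+)"
)

# Constructed sample lines (only the first mirrors the entry quoted in the post).
SAMPLE_LOG = """\
Oct  6 10:00:01 turing smbd[13939]: itlab-pc06 (:::10.51.51.103) couldn't find service it261
Oct  6 10:00:01 turing smbd[13939]: itlab-pc06 (:::10.51.51.103) couldn't find service it261
Oct  6 10:00:02 turing smbd[13940]: itlab-pc07 (:::10.51.51.104) couldn't find service softwar
Oct  6 10:00:03 turing smbd[13941]: itlab-pc08 (:::10.51.51.105) couldn't find service nosuchshare
Oct  6 10:00:04 turing smbd[13941]: itlab-pc08 (:::10.51.51.105) connect to service it2610
""".splitlines()

# Assumption: names of defined shares plus accounts that have home shares.
KNOWN_SERVICES = ["it2610", "software", "profiles"]


def parse_misses(lines):
    """Yield (client, address, requested service) for each failed lookup."""
    for line in lines:
        m = MISS_RE.search(line)
        if m:
            yield m.group("client"), m.group("addr"), m.group("service").lower()


def classify(service, known, max_missing=1):
    """Label a missed name and list the known names it may be a cut-off form of."""
    if service in known:
        # The name exists but the lookup still failed (for example, config drift).
        return "defined", [service]
    candidates = sorted(
        name for name in known
        if name.startswith(service) and 0 < len(name) - len(service) <= max_missing
    )
    return ("truncated", candidates) if candidates else ("unknown", [])


def summarize(lines, known_services, max_missing=1):
    """Count failed lookups by kind and by (client, service) pair."""
    known = {name.lower() for name in known_services}
    kinds, pairs, truncated = Counter(), Counter(), {}
    for client, _addr, service in parse_misses(lines):
        kind, candidates = classify(service, known, max_missing)
        kinds[kind] += 1
        pairs[(client, service)] += 1
        if kind == "truncated":
            truncated[service] = candidates
    return {
        "kinds": dict(kinds),
        "truncated": truncated,
        "top": pairs.most_common(5),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, KNOWN_SERVICES)
    print("failed lookups by kind:", report["kinds"])
    for name, candidates in report["truncated"].items():
        print(f"  {name!r} looks like a truncated form of {candidates}")
    for (client, service), count in report["top"]:
        print(f"  {count:6d}  {client} -> {service}")
```

A high share of "truncated" entries spread over many clients points at name handling rather than at users mistyping share names, which is the kind of summary worth attaching to the bug report alongside the raw logs.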
Re: [Samba] Print queue show jobs when queried from windows, nothing in cups
On 09/25/2009 03:30 PM, William Marshall wrote: We have a print server running RHEL 4, w/ samba-3.0.33-0.15.el4 When viewed from windows, one queue on the system has the remains of 264 print jobs - some dating back to April, but I can't find where the information is coming from. Apparently the jobs print fine, but then the information sticks in the queue information. Running lpq on the Samba system shows: # lpq -a no entries I dumped a few tdbs and upped my log level to 10, but I didn't see any logging from cups_queue_get. I thought Samba would go into that code to reload the queue information. Any hints on what to try next to clean up my queue? Thanks, - Bill Suggest you check the CUPS printing directory (/var/spool/cups) for the presence of completed print job info. If these exist: a) Remove them all, then restart CUPS. b) Edit /etc/cups/cupsd.conf so it will delete completed print job info. - John T. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Still problems with samba 3.4.1 / ldap and search for users ans machines
On 09/12/2009 11:59 AM, Ralf Hornik Mailings wrote:

Hi List,

It is simply not possible to create users and machines in an OU other than ou=people,ldap_base_dn

Even when I change this in smb.conf, smbpasswd -a user or -a -m machine always fails with NT_STATUS_NO_SUCH_USER. Is this a desired behaviour? Has anyone else created machine/user accounts in a different container?

Thank you and best regards
Ralf

Of over 100 LDAP Samba installations I have completed, over 80% successfully use:

    uid='username',ou=People,ou=Users,ldap_base_dn
    uid='machine',ou=Computers,ou=Users,ldap_base_dn

If you follow chapter 5 of Samba3-ByExample, it should work for you too.

http://www.samba.org/samba/docs/Samba3-ByExample.pdf

- John T.
Re: [Samba] HELP: Samba server crashing on me
On 09/06/2009 10:47 PM, Timothy Normand Miller wrote:

I'm stymied by the fact that no matter what I set the CFLAGS to in the environment, the compile is optimizing out symbols, but here's what I'm finding in the source:

    static bool open_sockets_smbd(bool is_daemon, bool interactive, const char *smb_ports)
    {
        ...
        struct dns_reg_state * dns_reg = NULL;
        ... nothing that modifies dns_reg ...
        /* process pending nDNS responses */
        if (dns_register_smbd_reply(dns_reg, &r_fds, &idle_timeout)) {
            --num;
        }
        ...
    }

Then the function dns_register_smbd_reply blindly dereferences the first argument:

    bool dns_register_smbd_reply(struct dns_reg_state *dns_state, fd_set *lfds, struct timeval *timeout)
    {
        int mdnsd_conn_fd = -1;

        if (dns_state->srv_ref == NULL) {
            return false;
        }
        ...
    }

So, can anyone tell me what I might do to avoid this sequence of events? It didn't happen before. I don't know what's causing it to happen now.

On Sun, Sep 6, 2009 at 11:26 PM, Timothy Normand Miller theo...@gmail.com wrote:

This is where smbd is getting signal 11 (see the ***):

    /* Processes reply from mDNS daemon. Returns true if a reply was received */
    bool dns_register_smbd_reply(struct dns_reg_state *dns_state, fd_set *lfds, struct timeval *timeout)
    {
        int mdnsd_conn_fd = -1;

        if (dns_state->srv_ref == NULL) { // *** RIGHT HERE AT LINE 171 ***
            return false;
        }

        mdnsd_conn_fd = DNSServiceRefSockFD(dns_state->srv_ref);

        /* Process reply from daemon. Handles any errors. */
        if ((mdnsd_conn_fd != -1) && (FD_ISSET(mdnsd_conn_fd,lfds)) ) {
            DNSServiceErrorType err;

            err = DNSServiceProcessResult(dns_state->srv_ref);
            if (err != kDNSServiceErr_NoError) {
                DEBUG(3, ("failed to process mDNS result (err %d), re-trying\n", err));
                schedule_dns_register_smbd_retry(dns_state, timeout);
            }
            return true;
        }
        return false;
    }

It appears that dns_state is null, which is evident from the stack trace:

    #6 dns_register_smbd_reply (dns_state=0x0, lfds=0x7fffbf342960, timeout=0x7fffbf342af0) at smbd/dnsregister.c:171

That's called from here in server.c, in main():

    if (dns_register_smbd_reply(dns_reg, &r_fds, &idle_timeout)) {
        --num;
    }

Unfortunately, I can't debug further since dns_reg is optimized out by -O2.

Please file a bug report on https://bugzilla.samba.org - attach all the info you presented on this list, and also the output of testparm -s. Suggest you also include the output of smbd -b and of uname -a.

What is your platform? Did you compile Samba yourself or is this from a recognized packaged source? Would like to understand why you have this problem and no one else has reported this problem.

Cheers, John T.
Re: [Samba] FAT32 format HDD recognizes as NTFS
On 08/26/2009 08:58 PM, Jonathon Doran wrote: Quoting Sallow Yang sallow.y...@gmail.com: Hi, The following are my steps: 1. Insert a FAT32 format HDD into usb port of Linux PC. 2. After HDD mounted successfully, configure and start samba to share the HDD. 3. Using Map Network Drive of Windows XP to map the HDD to a windows network drive. 4.Open the mapped network drive, can see NTFS file system on the left details. It shows the wrong info, could anybody help me? Thanks in advance!! Samba allows a directory your Linux box to appear to be an NTFS volume. That is its purpose. It really doesn't matter what the original filesystem is: you can export an ext3 filesystem, ext4, xfs, FAT32... whatever the original filesystem is, the Samba clients (for example your XP machine) will see it as an NTFS volume. This isn't really all that different (in my opinion) from the way that NFS will make directories appear as NFS volumes. It didn't matter what the original filesystem was in that case either. Please refer to the man page for smb.conf. Look up the parameter fstype. - John T. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] BDC Promotion and Netbios...
On 08/24/2009 12:15 PM, Brian H wrote:

We are replacing a failing PDC. When promoting a BDC to replace an existing PDC, can you change the NETBIOS name field to match that of the original PDC without causing problems?

Brian H binaryno...@gmail.com http://www.binarynomad.com

Sure, but you must reset the domain SID after you change the server name.

Before changing the server name:

    net getdomainsid

Stop winbind, smbd, nmbd. Change the server name.

After changing the server name, and BEFORE starting nmbd, smbd, and winbind:

    net setdomainsid S-1-5-21-xx-xxx-

per the domain SID reported by 'net getdomainsid'

- John T.
Re: [Samba] Migrating to replacement PDC
On 08/19/2009 09:41 PM, Brian H wrote:

I've been reading the SAMBA documentation at: http://us3.samba.org/samba/docs/man/Samba-Guide/upgrades.html#id2600749 But I just need some confirmation since this is our primary server, and I'm not fully confident about what I read.

SITUATION: We currently have a Samba server running as our Primary Domain Controller which is authenticating against a local LDAP database. The hardware is failing so we need to build a replacement box. Machine hostnames are based off of asset tags, so the hostnames will be different between the two servers. The intention is to build the NEW server with a unique hostname and temp IP address, and the same smb.conf. Then at the point of migration, change the IP address of the NEW server to that of the OLD server, start up SAMBA, and then let it take over as the PDC.

QUESTIONS: And from what I understand, as long as I make sure the NEW server has the same NETBIOS name in the /etc/samba/smb.conf file, then it should pull the domain SID from LDAP the first time it is started.

Not at all. You need to configure the new server as a BDC. Then BEFORE joining it to the domain, import the domain SID as follows:

    net rpc getsid

Now join the domain:

    net rpc join

Then you can shutdown both servers when you are ready, convert the BDC to the PDC, convert the old PDC to a BDC, restart both servers, or just the PDC and you will be in business.

PS: The PDC has:

    domain logons = Yes
    domain master = Yes

The BDC has:

    domain logons = Yes
    domain master = No

Does this mean I don't need to import the secrets.tdb or manually set the SID with net setlocalsid S-1-5-21-22-2394995923-3994118334, or change the hostname that of the OLD server?

No. No need to do this.

Cheers, John T.
MISC FACTS: OLD Server Hostname: asset01 DNS Name(s): asset01 PDC LDAP NETBIOS: PDC IP: 172.16.1.1 Services: SAMBA, LDAP NEW Server (future values are in ) Hostname: asset02 DNS Name(s): asset02 asset02 PDC LDAP NETBIOS: PDC IP: 172.16.1.2 172.16.1.1 Services: SAMBA, LDAP Brian H binaryno...@gmail.com http://www.binarynomad.com -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Keeping a list of NetBIOS names on a network?
On 08/18/2009 02:22 PM, Matthew Dempsky wrote: On Mon, Aug 17, 2009 at 11:01 AM, John H Terpstra - Samba Teamj...@samba.org wrote: Use the findsmb utility that ships as part of the Samba tarball. I've been playing with this some, and it doesn't seem to find all NetBIOS names on the network. Presumably because not all hosts respond to the initial broadcast wildcard query. I also played with running nmbd, and found it seems to create a browse.dat no matter what, but that it only lists itself unless it's configured as the browse master. Is there a way to query the network's browse master to find all known NetBIOS names? Could I then run nmbd with a low os level so it's only elected browse master if the network doesn't already have a browse master? (Or is it guaranteed there will always be a browse master if there are any names on the network?) Thanks for the help so far! :) Matthew, The nmbd utility is akin to the Microsoft Windows Browser Service. It also provides the WINS Service IF wins support = Yes is set in the [global] stanza in the smb.conf file. The list of NetBIOS names that is in use within a particular network is complete only IF: a) All windows systems are configured to use NetBIOS over TCP/IP b) Samba is correctly configured either as a WINS server, or as a WINS client. c) If Samba is NOT the WINS server, then a Windows Server must provide the WINS server service. d) All Windows clients have been configured to use the WINS server. e) The WINS database is NOT corrupt. If the above are NOT complied with, the local browse list will not be complete for all NetBIOS names that are in use within the scope of the entire network. The Samba NetBIOS extensions (that are used only by nmbd) to get around bad WINS implementations, or where it is not used, are not 100% reliable in assuring a complete list of NetBIOS names. 
These extended features are: remote browse sync remote announce All clients and servers on which NetBIOS over TCP/IP has been enabled will participate in the election of the local master browser. The heuristics by which the master browser is elected is somewhat complicated. Samba's OS Level is a means of prejudicing the election criteria in favor of the Samba server if it is set high enough - but it does NOT guarantee that the Samba server will win the election. If you do not run nmbd on your Samba server then there is no way for Samba to participate in NetBIOS browsing processes. Only nmbd sends out the NetBIOS workgroup announcements and the NetBIOS host announcements that are necessary for Samba to participate in the browse master election process, and that are necessary for Samba to appear in a browse list. The solution to network browsing problems and inconsistencies in the NT4 domain and workgroup networking world is to use nmbd and WINS. Active Directory does not depend on WINS, instead it uses a combination of LDAP and DNS for browse list handling. However, it is possible to enable NetBIOS over TCP/IP on any Active Directory member Windows system and thereby ensure that it participates in the NetBIOS-based browsing process. The ability to find a NetBIOS name on the network presupposes that the particular node that might own such a name has been correctly configured to support NetBIOS over TCP/IP. In the absence of a WINS Server but with enablement of NetBIOS over TCP/IP even ADS domain members can participate in NetBIOS-based browse list management. I hope that answers your questions. - John T. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Keeping a list of NetBIOS names on a network?
On 08/17/2009 12:53 PM, Matthew Dempsky wrote: I'm trying to make some DNS server software aware of NetBIOS names on the local network. Is there an easy and efficient way using Samba to keep track of what NetBIOS names are present? Thanks. Use the findsmb utility that ships as part of the Samba tarball. Hopefully your favorite Linux distribution does include it. - John T. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Win98 asks for IPC$ password SOLVED
On 08/13/2009 12:47 PM, Helmut Hullen wrote:

Hello, Steve,

You wrote on 13.08.09:

You need to enable lanman password support on your Ubuntu Samba server:

    [global]
    ...
    lanman auth = yes
    client lanman auth = yes
    ...

My experiments indicate that client plaintext auth = Yes is also necessary. I don't know why, but the dreaded IPC$ password symptom happens if that is left out.

Maybe the Windows 9x clients are set to unencrypted passwords.

No Helmut, Win 9X has encrypted password support on by default. It only supports LanMan passwords, not NT passwords.

Long time ago that was the default for Windows and for Samba.

LanMan passwords are weaker than NT password hashes - that is why they were disabled in Samba recently.

Now encrypted passwords is the default for Windows and for Samba.

This has been the case with Windows since Windows 9x and with Samba since September 2003 when Samba 3.0.x shipped.

- John T.
Re: [Samba] Win98 asks for IPC$ password SOLVED
On 08/13/2009 03:15 PM, Helmut Hullen wrote:

Hello, John,

You wrote on 13.08.09:

necessary. I don't know why, but the dreaded IPC$ password symptom happens if that is left out.

Maybe the Windows 9x clients are set to unencrypted passwords.

No Helmut, Win 9X has encrypted password support on by default. It only supports LanMan passwords, not NT passwords.

As I was remembered: Windows 98 had encrypted passwords by default, Windows 95 not. Long time ago ...

Best regards! Helmut

I believe that SP2 for Win95 disabled plain text passwords. Support for encrypted passwords was on from the outset if I recall correctly. Even so, I believe Win9X only supports LanMan passwords - only Windows NT 3.10 and later supports NT passwords.

- John T.
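Because the settings quoted in this thread re-enable authentication that Samba turned off for being weak, it is worth being able to find them again once the Win9x clients are gone. The following is an added example, not part of the original posts or of Samba: it flags `lanman auth`, `client lanman auth` and `client plaintext auth` when enabled, plus `encrypt passwords` when disabled, in the global part of an smb.conf. Both sample configurations are constructed, and treating parameters that appear before any section header as global is an assumption of this sketch.

```python
# Parameter (normalized) -> (boolean value considered weak, why it matters).
WEAK_WHEN = {
    "lanmanauth": (True, "server accepts LanMan password hashes"),
    "clientlanmanauth": (True, "client tools may send LanMan responses"),
    "clientplaintextauth": (True, "client tools may send plaintext passwords"),
    "encryptpasswords": (False, "passwords are not negotiated in encrypted form"),
}
TRUE_WORDS = {"yes", "true", "on", "1"}
FALSE_WORDS = {"no", "false", "off", "0"}

# Constructed sample: the settings from the thread inside a minimal file.
LEGACY_CONF = """\
[global]
   workgroup = EXAMPLE
   lanman auth = yes
   client lanman auth = yes
   Client Plaintext Auth = Yes
[share]
   path = /srv/share
"""

# Constructed sample: the same host after the legacy clients were retired.
HARDENED_CONF = """\
; Win9x clients retired
[global]
   workgroup = EXAMPLE
   lanman auth = no
   client lanman auth = no
   client plaintext auth = no
   encrypt passwords = yes
"""


def normalize(name):
    """smb.conf names ignore case and whitespace: 'LanMan Auth' == 'lanmanauth'."""
    return "".join(name.split()).lower()


def logical_lines(text):
    """Join lines that end in a backslash with the line that follows."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        yield pending + line
        pending = ""
    if pending:
        yield pending


def global_params(text):
    """Return {normalized name: value} for [global]; a later value wins."""
    section, params = "global", {}  # assumption: no header yet means global
    for line in logical_lines(text):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = normalize(line[1:-1])
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[normalize(name)] = value.strip()
    return params


def as_bool(value):
    word = value.lower()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    return None  # not a boolean; left for testparm to complain about


def audit(text):
    """Return sorted (parameter, value as written, reason) for weak settings."""
    findings = []
    for name, value in global_params(text).items():
        if name in WEAK_WHEN:
            weak_value, reason = WEAK_WHEN[name]
            if as_bool(value) is weak_value:
                findings.append((name, value, reason))
    return sorted(findings)


if __name__ == "__main__":
    for label, conf in (("legacy", LEGACY_CONF), ("hardened", HARDENED_CONF)):
        print(label)
        for name, value, reason in audit(conf) or [("-", "-", "nothing flagged")]:
            print(f"  {name} = {value}: {reason}")
```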
Re: [Samba] re reading config
On 08/07/2009 07:05 PM, smb2...@gmail.com wrote: Ryan Novosielski wrote: Terry wrote: Hi I am using freebsd 6.2-RELEASE with Samba version 3.0.24 out of interest does it read the config periodically on its own with out restarting it ? Pretty sure it does, but I never wait. I was troubleshooting some issues today and reading the HowTo book. In one location it warned about editing the .conf file on a running system, since it DOES re-read it on each new connection or at approx 60 second intervals. Then in another chapter made an apparently conflicting statement about remember to restart after the changes. From what I saw today on 3.3.x it did reconfig itself on the fly. -RW Ryan, It may seem conflicting on the surface. Really, if you make changes to the smb.conf file that affects the way Samba works then smbd, nmbd, and/or winbind must be restarted. Consider for example, a change of: security = user to security = ads In the above case, the operating mode must be reset, and that happens only on restarting the Samba daemons. On the other hand, consider what happens when changing share stanza from: path = /somewhere/deep to path = /somewhereelse/notsodeep Any connections that existed prior to a connection being set up will remain in effect with the previous setting while any new connection will use the new setting. I hope that helps to clarify. Cheers, John T. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] re reading config
On 08/07/2009 07:48 PM, Miguel Medalha wrote:

You can force it without restarting with the following commands:

For smbd:

    smbcontrol smbd reload-config

For nmbd:

    smbcontrol nmbd reload-config

For winbind:

    smbcontrol winbindd reload-config

The process number can also be used instead of the daemon's name. For samba version 3.3 you can force all 3 daemons to reload configuration with the following command:

    smbcontrol all reload-config

Miguel, Thanks for pointing that out. Now it's in the archive we can hope that people will find it.

- John T.
Re: [Samba] No responses, not a one?
On 07/27/2009 01:41 PM, Wikked one wrote: Hi Guys, I would love to update to the latest version ,nothing would make me happier in fact. However each time I've made an attempt to build samba without an RPM I've been led down the rabbit hole of dependencies ,so I've learned to use the version that comes with the operating system. I did a yum update on Samba which brought me up to the versions I've posted. As far as error go this is the message when I make an attempt to access another samba share with the machine in question. Suggest you update to the RPMS provided by SerNet for your OS. They are usually current and correctly built. - John T. [2009/07/27 14:20:01, 0] passdb/passdb.c:pdb_increment_bad_password_count(1477) pdb_increment_bad_password_count: pdb_get_account_policy failed. I’ve got a Samba NT4 domain with multiple samba member servers serving files using domain security. Current member servers are all running CentOS 4.7 with 3.0.28-0.el4.9 I have no issues (except aging) with these systems. I’m upgrading a major file server with CentOS5.3 64 bit with Samba 3.0.33-3.7el5_3.1 ,it’s all setup and configured but here’s a show stopper for implementation. When I attempt to access another Samba server with this version ,I am prompted for authentication,even though the machine has full domain access. Additionally I have been mounting a domain member share on a non domain member server in order to back it up with a command in the /etc/fstab. This no longer works and even when I specify the administrator and password I have a wrong password error. 
Here’s the 3.0.28 config file

    [global]
    workgroup = workgroup
    netbios name = OldSystem
    passdb backend=ldapsam:ldap://System.MyGroup.com
    idmap backend = ldap://192.168.1.1
    security = domain
    encrypt passwords= yes
    ldap suffix=dc=MyGroup,dc=com
    ldap machine suffix = ou=Computers
    ldap user suffix =ou=Users
    ldap group suffix =ou=Groups
    ldap admin dn =cn=Manager,dc=MyGroup,dc=com
    ldap passwd sync=yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    os level = 20
    local master = no
    wins server =192.168.1.1
    log level= 5
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/false
    winbind use default domain = no

    [SHARE]
    writeable = yes
    valid users = @Domain Users
    path = /usr/smb/share
    force directory mode = 777
    force create mode = 777
    nt acl support =yes

And the 3.0.33 config file

    workgroup = workgroup
    security = domain
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/false
    winbind use default domain = false
    winbind offline logon = false
    ldap user suffix = ou=Users
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    wins server = 192.168.1.1
    winbind trusted domains only = yes
    idmap backend = ldap://192.168.1.1
    encrypt passwords = yes
    passdb backend = ldapsam:ldap://System.MyGroup.com
    nt acl support = yes
    netbios name = NewSystem
    ldap machine suffix = ou=Computers
    ldap group suffix = ou=Groups
    ldap passwd sync = yes
    ldap suffix = dc=MyGroup,dc=com
    local master = no
    winbind enum groups = no
    os level = 20
    ldap admin dn = cn=Manager,dc=MyGroup,dc=com
    log level = 5

    [NEWSHARE]
    nt acl support = yes
    guest account = administrator
    writeable = yes
    path = /raid/smb/newshare
    force directory mode = 777
    force create mode = 777
    valid users = @Domain Users

Any help? Thanks!
Re: [Samba] Firewall rules to block other's computers browse list
On 07/27/2009 06:39 PM, David Christensen wrote: MargoAndTodd wrote: My Samba server/firewall has three (two real, one virtual) network cards: eth0.5: connects to a terminal server eth0: internal network with about 10 XP workstations eth1: the Internet An Internet firewall should be a dedicated machine. Please help us to understand why an Internet firewall should be a dedicated machine. There might be one or two people on this list who would disagree with this assertion. Cheers, John T. I use IPCop: http://www.ipcop.org/ IPCop has a reasonably simple installer, an excellent CGI interface, lots of features, and is light-weight -- I ran a Pentium 166 machine with 32 MB RAM, 4 GB HDD, and three 10/100 Mbps NIC's until recently. It could have used more RAM, but it worked. HTH, David -- John H Terpstra If at first you don't succeed, don't go sky-diving! -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] tdbsam.
On 07/24/2009 03:03 PM, Linux Addict wrote:

The documentation says "As a general guide, the Samba Team does not recommend using the tdbsam backend for sites that have 250 or more users." Since we moved default passdb backend to tdbsam, does that statement still hold true?

I have to claim responsibility for that statement! Mea Culpa.

The statement in the HOWTO was never intended to reflect on the technical ability, or otherwise, of the tdbsam but rather a fact that there are not many locations that have more than 250 users in a single network location. If your network users are spread across multiple physical locations it is mostly desirable to have more than just a single PDC. It is a simple fact that the tdbsam passdb backend is not able to support a PDC and BDCs - for that it is necessary to use ldapsam.

Many sites have installed thousands of users with a tdbsam without any problem. The tdbsam passdb backend is fully up to the task. It just can not be conveniently used with BDCs.

As an FYI, I am using Samba-3.2.4, idmap_rid with tdbsam as backend for about 3 years with 2000 users on member server configuration authenticating AD 2003. Occasionally I had db corrupt issues, but restarting winbind resolved most of the times.

No argument with that statement - agreed.

I am planning an upgrade to 4. Please someone confirm me on if tdbsam is improved to hold huge no. of objects.

~LA

- John T.
Re: [Samba] TOSHAG-WindowsClientConfig.xml translate finished and some bug and typo(?) found
On 07/23/2009 01:33 AM, OPC oota wrote: Now, TOSHARG-WindowsClientConfig.xml translate to Japanese finished(3.4.0 base). And some bug and typo(?) found. Thank you for your follow-through. The typos have been fixed in the master source branch. Cheers, John T. - indextermprimarynetwork difficulty/primary/indexterm indextermprimarynetwork client/primary/indexterm indextermprimaryclient client instructions/primary/indexterm --- duplicate? Fixed. Occasionally network administrators report difficulty getting Microsoft Windows clients to interoperate correctly with Samba servers. It seems that some folks just cannot accept the fact that the right way Many network administrators will want to use DHCP to configure all client TCP/IP protocol stack settings. (For information on how to configure the ISC DHCP server for Windows client support see link linkend=DHCPthe DNS and DHCP Configuration Guide/link, link linkend=DHCPDHCP Server/link. _ forget ) Added. /para The example system uses manually configured DNS settings. When finished making changes, click the guibuttonOK/guibutton to commit the settings. See link linkend=WXPP014/. figure id=WXPP014 titleDNS Configuration./title imagefileWXPP014/imagefile /figure _ needless? The title/title metatags were needed at one time to get around a preprocessor bug. You can remove them if you wish, but I decided to just leave them there. /para/step figure id=w2kp001titleLocal Area Connection Properties./titleimagefilew2kp001/imagefile/figure _needless? /para/step steppara indextermprimaryLocal Area Connection Properties/primary/indexterm indextermprimaryTCP/IP/primary/indexterm indextermprimaryDNS/primary/indexterm indextermprimaryISC DHCP server/primary/indexterm Many network administrators will want to use DHCP to configure all client TCP/IP protocol stack settings. (For information on how to configure the ISC DHCP server for Windows client support see link linkend=DHCPthe DNS and DHCP Configuration Guide /link, --duplicate? 
No, not duplicated - it is in a different section. link linkend=DHCPDHCP Server/link. /para The default setting is DHCP-enabled operation (i.e., quoteObtain an IP address automatically/quote). See link linkend=w2kp002/. figure id=w2kp002titleInternet Protocol (TCP/IP) Properties./titleimagefilew2kp002/imagefile/figure _neadless? /para steppara Click the guimenuAdvanced/guimenu button to proceed with TCP/IP configuration. Refer to link linkend=w2kp003/link. figure id=w2kp003titleAdvanced Network Settings./titleimagefilew2kp003/imagefile/figure _neadless? /para figure id=w2kp004titleDNS Configuration./titleimagefilew2kp004/imagefile/figure _neadless? /para/step See link linkend=w2kp005/link. figure id=w2kp005 titleWINS Configuration./titleimagefilew2kp005/imagefile _neadless? /figure See link linkend=WME001/link. figure id=WME001 titleThe Windows Me Network Configuration Panel./title _neadless? imagefileWME001/imagefile indextermprimaryDHCP/primary/indexterm indextermprimaryTCP/IP/primary/indexterm indextermprimaryISC DHCP server/primary/indexterm Many network
Re: [Samba] Question on Samba and Sun Directory Server 5.2
On 07/22/2009 04:32 PM, Gary Peck wrote:

I have been asked to implement Samba and integrate it with our Sun Directory 5.2 servers. I am looking for any advice that will point me in the right direction. Such as Schema modifications and such. I have found articles talking about openldap but nothing really about Sun's Directory Server. I have just started researching this, so any help would be appreciated.

Thanks,
Gary

Suggest you check the Samba tarball. Look in the directory /examples/LDAP for a file called samba-schema-netscapeds5.x - this may help you.

- John T.

--
John H Terpstra
If at first you don't succeed, don't go sky-diving!
[Samba] Request for feedback
A number of years back it became necessary to limit the size of messages that could be posted to the samba mailing list. The current limit is 64 KBytes. While it continues to be desirable to block large spam messages, I believe it is time to ask current subscribers for their preferences. This list is here to serve the wishes and needs of our subscribers.

We wonder if the time is right to review the size limit of messages that can be sent to this list. Please help us to understand your wishes. What size limit should we observe for messages to this list?

1) 64 KBytes
2) 128 KBytes
3) 256 KBytes
4) 512 KBytes
5) 1 MByte
6) 2 MBytes
7) Any size

Please indicate your preference by reply to this list. Thanks.

- John T.
List moderator
Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found
Rene wrote:
Jeremy Allison wrote:
On Mon, Jul 13, 2009 at 11:53:15AM -0400, Linux Addict wrote:
On Sun, Mar 22, 2009 at 3:37 PM, Elvar el...@elvar.org wrote:
Elder Souza wrote:

No prob Jeremy, thanx for your help!

Elder Souza
(71) 9972-7573 / (71) 8801-5734

On Tue, Oct 21, 2008 at 5:47 PM, Jeremy Allison j...@samba.org wrote:
On Tue, Oct 21, 2008 at 05:44:05PM -0300, Elder Souza wrote:

It has been fixed after what version? Do you know?

Don't have the time to check the release notes right now, but it's definitely fixed in 3.0.32 and 3.2.4.

Jeremy.

I just downloaded version 3.0.33 and when I view the local.h file I still see 200 defined as the max simultaneous connections. Is it really fixed? Some of my installations require more than 200 simultaneous connections. I'm still using an older version but until I modified this to 400+ I had problems.

/* Max number of simultaneous winbindd socket connections. */
#define WINBINDD_MAX_SIMULTANEOUS_CLIENTS 200

I am using 3.2.4 but I still get these messages. I had many production servers hit 100% CPU due to winbind. I had to stop winbind 3 times through rc script to stop winbind. I didn't have verbose log enabled, but I would go straight and upgrade if you guys think this is resolved in latest versions.

Ah. My statement that this was fixed in 3.2.4 was wrong, sorry about that. I've checked back in the release notes and the fix for this bug (3204) was discovered by Richard Sharpe in Jan 2009, and 3.2.4 dates from 18 September 2008. The fix went into the 3.2 tree on 2009-01-08, and so it will have been fixed on the 03 February 2009 release Samba 3.2.8 and above. Sorry for the mistake in claiming it was fixed in 3.2.4.

Jeremy.

Hi there, got the same problem on a Samba 3.3.1 installation. winbindd log is filling up faster than logrotate is able to clean it, and my machine finally ends up with a full partition. Searched the Web now half the day and found that it should be solved in 3.2.8. Is there any other known Issue how this behavior can occur?

René

The same problem was experienced in a 4200 user site with 3.3.2 but has not happened since 3.3.4 went in. The problem first occurred with 3.0.30, also with 3.2.3, then moved to 3.3.2, and in each case was highly intermittent and we could not get a lock on what was causing it because it was always a sudden-death problem that blew up the /var/log/samba file system. At its worst the problem ate up 72GB of storage in a matter of minutes. Also, only one server out of a dozen was ever affected. This makes the matter highly suspicious.

I would suggest moving to 3.3.4 or later, but do not rule out that you may have a platform integrity problem. Perhaps one of the library files is damaged.

cheers,
John T.
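The log flood described in this thread can be caught early by counting the message from the subject line per minute. This is an added example, not part of any post and not Samba project code; the sample log lines are constructed, their file:line(function) field is a placeholder, and the threshold is an assumed alerting level.

```python
import re
from collections import Counter

# Samba debug header: "[YYYY/MM/DD HH:MM:SS(.usec), level] file:line(function)"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}):\d{2}(?:\.\d+)?,\s*\d+\]")
# Message text as given in the thread subject. The limit is matched loosely
# because some sites rebuild with WINBINDD_MAX_SIMULTANEOUS_CLIENTS raised.
FLOOD = re.compile(
    r"winbindd: Exceeding \d+ client connections, no idle connection found")


def flood_minutes(lines, threshold):
    """Return {"YYYY/MM/DD HH:MM": count} for minutes with >= threshold hits."""
    per_minute = Counter()
    minute = None
    for line in lines:
        header = HEADER.match(line)
        if header:
            minute = header.group(1)  # timestamp truncated to the minute
        elif minute is not None and FLOOD.search(line):
            per_minute[minute] += 1
    return {m: n for m, n in per_minute.items() if n >= threshold}


def constructed_sample():
    """Constructed log lines; file:line(function) is a placeholder."""
    msg = "  winbindd: Exceeding {} client connections, no idle connection found"
    lines = []
    for sec in range(1, 6):  # five hits inside 11:53
        lines.append(f"[2009/07/13 11:53:{sec:02d},  0] placeholder.c:0(placeholder)")
        lines.append(msg.format(200))
    lines.append("[2009/07/13 11:54:10,  3] placeholder.c:0(placeholder)")
    lines.append("  unrelated debug message")
    lines.append("[2009/07/13 11:54:30,  0] placeholder.c:0(placeholder)")
    lines.append(msg.format(400))  # a site that raised the compiled-in limit
    return lines


if __name__ == "__main__":
    # threshold=3 is an assumed alerting level, not a Samba setting
    for minute, count in sorted(flood_minutes(constructed_sample(), 3).items()):
        print(f"{minute}  {count} 'no idle connection' messages")
```

Run against the tail of the winbindd log from cron, a non-empty result is the signal to act before the /var/log/samba file system fills.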
Re: [Samba] TOSHARG-StandAloneServer.xml translate finish and some 1 typo found
OPC oota wrote:

Now, TOSHARG-StandAloneServer.xml translate to Japanese finished(3.3.4 base). and 1 typo found.

If all that is needed is a server for read-only files, or for printers alone, it may not make sense to effect a complex installation. For example, a drafting office needs to store old drawings and reference standards. Noone can write files to the server because it is legislatively
- None? or No one?
important that all documents remain unaltered. A share-mode read-only standalone server is an ideal solution.
</para>

--
--- Oota Toshiya --- t-oota at dh.jp.nec.com
NEC Computers Software Operations Unit Shiba,Minato,Tokyo
Open Source Software Platform Development Division Japan,Earth,Solar system
(samba-jp/ldap-jp Staff,mutt-j/samba-jp postmaster)

Oota-san,

Thank you. I replaced the word noone with the more correct form nobody. According to Wikipedia the word noone is an obsolete form of nobody. Apparently, the word noone is an incorrect form of no one, or is a poor usage of English.

Thanks for pointing out the typos and grammatical challenges you find as the docs are being translated. Congratulations on the progress you are making.

Cheers,
John T.
Re: [Samba] Re: TOSHARG-DomainMember.xml translate finish and some bug found
Jelmer Vernooij wrote:

Hi,

OPC oota wrote:

Now, TOSHARG-DomainMember.xml translate to Japanese finished. and Some bug found.

<procedure>
<title>Server Manager Account Machine Account Management</title> ---Domain?
<step><para> From the menu select <guimenu>Computer</guimenu>. </para></step>

When the user elects to make the client a domain member, Windows 200x prompts for an account and password that has privileges to create machine accounts in the domain. A Samba administrator account (i.e., a Samba account that has <constant>root</constant> privileges on the Samba server) must be entered here; the operation will fail if an ordinary user account is given.
--- Can user who have SeMachineAccountPrivilege rights join machine ?

I'm not sure how this works in Samba 3 actually, hopefully somebody else knows.

Jelmer, I already fixed this and added explanation regarding setting user the SeMachineAccountPrivilege.

- John T.

<para>
<indexterm><primary>ADS</primary></indexterm>
<indexterm><primary>SRV records</primary></indexterm>
<indexterm><primary>DNS zon</primary></indexterm> ---zone?

Fixed.

<indexterm><primary>Kerberos</primary></indexterm>
<indexterm><primary>Create the Computer Account</primary></indexterm>
<indexterm><primary>Testing Server Setup</primary></indexterm>
<indexterm><primary></primary></indexterm> -why null?

Thanks, fixed.

If all you want is Kerberos support in &smbclient;, then you can skip directly to <link

<indexterm><primary>kinit</primary></indexterm>
<indexterm><primary>rights</primary></indexterm>
You need to log in to the domain using <userinput>kinit --- login ?
<replaceable>USERNAME</replaceable>@<replaceable>REALM</replaceable></userinput>. <replaceable>USERNAME</replaceable> must be a user who has rights to add a machine to the domain.
</para></listitem></varlistentry>

Similar to the previous chapter, I think log in is also valid.

Cheers,
Jelmer

--
John H Terpstra
If at first you don't succeed, don't go sky-diving!
Re: [Samba] max. length of a username
Helmut Hullen wrote:

Hello,

how long may a valid samba username be?

Best regards!
Helmut

Usually the length of a username is limited by the host operating system. Many older UNIX systems limit usernames to 8 characters.

Under OpenSUSE 11.2 (not yet released) it is possible to use the useradd utility to add a username up to 29 characters in length. It is possible to add that user to the tdbsam password backend using smbpasswd -a. That account is valid within Samba (at least using smbclient).

So the answer is: What is the limit of the operating system that is hosting your Samba?

- John T.