Re: [Samba] winbind: uid range is ignored
On 05/08/2012 12:32, Jonathan Buzzard wrote:
> A supported version of Windows Server 2003 (aka the 2003R2) has the RFC2307 extensions in the schema. The installation of the R2 service pack extends the schema to include RFC2307, your windows admins simply don't get a choice over that bit.
Good to know. They can't use unmaintained servers (Italian law requires updating at least every 6 months...), so they must have it...

> They don't get populated by default however so that is another battle to be had, but it is a lot easier to win than a schema extension.
That's for sure :) But maybe I can win this (after summer holidays).

BYtE,
 Diego.
-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] winbind: uid range is ignored
On 03/08/2012 16:21, steve wrote:
> That's quite easy in Samba3 but which tdb's must I remove in Samba4? In fact, how would I rejoin the DC to itself?
You shouldn't use DCs for anything else other than DC. No file server. No gateway. *Nothing*. They're a critical piece of your network infrastructure and must be as closed as possible.

The NFS server doesn't care about Samba at all: it receives UIDs and GIDs and stores 'em as given. No mapping happens here.

What makes me think you have a *big* misunderstanding about what winbind mapping does is this sentence from another message:
> If winbind is doing the mapping correctly it should map 327 to 302
No. Winbind maps back and forth between user *names* (and groups) and *UIDs* (and GIDs), not between server UIDs and local GIDs! It doesn't know if a UID is local or from a server.

So, that means that (given no other kind of access to the NFS server is allowed) it's enough that all your *clients* use the same mapping between SIDs and UIDs/GIDs and you're OK. If not, you have a big problem.

You have many ways to obtain that same mapping objective. I chose to use rid 'cause I couldn't modify my AD schema. But the preferred way is to extend the AD schema and specify there the UIDs and GIDs.

Hope this helps to clarify.

BYtE,
 Diego.
Re: [Samba] winbind: uid range is ignored
On 04/08/2012 12:00, steve wrote:
>> You have many ways to obtain that same mapping objective. I chose to use rid 'cause I couldn't modify my AD schema. But the preferred way is to extend the AD schema and specify there the UIDs and GIDs.
> You don't have to extend the schema. You can store all the rfc2307 attributes and objects (posixAccount, posixGroup, uidNumber, gidNumber. . .) in the m$ schema that ships with S4.
Too bad my AD controllers are M$ W2k3, w/o rfc2307 extension :(
That's why I'm stuck with rid.

> My aim is to have:
> idmap config : MYDOMAIN : backend = ad
> and
> idmap config : MYDOMAIN : range = abc-def
> recognised and with the uidNumber and gidNumber attributes being pulled from AD rather than any other mapping. To this end I have a test user object with:
> objectClass: posixAccount
> uidNumber: xyz
> gidNumber abc
> and a test group object:
> objectClass: posixGroup
> gidNumber: abc
> I assume that with the ad backend both the user and group will come from AD and not idmap.
Well, idmap queries its backend for the mapping.

> Just waiting for the test lan to install and compile a totally new openSUSE 12.1 with Samba4 and a vBox openSUSE client, also fresh install. How am I doing?
Should work at the first try. But someone else that already used S4 and AD backend can confirm for sure. :)

BYtE,
 Diego.
Re: [Samba] winbind: uid range is ignored
On 04/08/2012 13:40, steve wrote:
>> Too bad my AD controllers are M$ W2k3, w/o rfc2307 extension :(
>> That's why I'm stuck with rid.
> Ah I see. I didn't mean to offend.
No offense perceived :)

> I simply assumed you were using Samba4.
If only I could...

> I think m$ gave them the 2008 schema as a result of a court case. That _does_ have rfc2307.
I don't know the background... I'm just a normal user w/ usually big troubles. So big that it seems nobody knows the answer :(

>> Should work at the first try.
> Really need this one. I have to compare winbind with nss-ldapd to do this stuff. Have the latter going fine.
What you can't do with ldap (IIUC) is nested group membership. W/ AD you can have it. Up to you if that's important enough (for me it was: I usually place the service.admins group into the service.allowed one, so that all admins are automatically allowed...).

BYtE,
 Diego
Re: [Samba] winbind: uid range is ignored
On 04/08/2012 21:13, steve wrote:
> In comparison, winbind seems overcomplicated and restrictive (and simply does not work with either Ubuntu nor openSUSE 3.6.3). It also seems very restricted in that we have to turn off unix attributes and use wide links so we can symlink to the only available folder for unixHomeDirectory.
I can tell for sure that it works perfectly in Ubuntu 12.04LTS (IIRC the exact version) w/ RID backend.

Uh? wide links seems a bad idea to me... At least from a security perspective.

Why a single home directory? We have a single NFS share containing folders for the two domains and inside those a folder for each home. We are trying to migrate away from that, preferring a '[homes]' share where users will place the data they want to have available on every PC. This way even Firefox should work...

> Anyway, I've not given up yet, but it really does look like winbind is past its sell-by date ;)
Once you have it working, it's addictive :)

BYtE,
 Diego.
Re: [Samba] winbind: uid range is ignored
On 03/08/2012 08:01, steve wrote:
> getent passwd/group works fine. I get the names and corresponding uid:gid numbers within the range specified in smb.conf but all I get when I list files on the nfs share are numerical uid:gid values. I want those values to be DOMAIN\username DOMAIN\group rather than numerical values. How do I do that?
Use *the same* range on both server and clients.

> The uid:gid values are not in the range set in smb.conf. They are the uid:gid values in idmap _on the server_. It's as if nsswitch is ignoring winbind.
Obvious. NFS passes *numeric* IDs, so if a file is owned by userid 123456 on the server, then the client will see the same 123456 uid. That, if not correctly mapped, would give another user access to it (negating access to the original one).

Actually, as long as you only allow NFS access to the server, it's enough that all clients use the same mapping (the server could know nothing about samba, winbind, ad and so on). But you'll need trusted clients (ever wondered why 'client' contains 'lie'?).

BYtE,
 Diego.
Re: [Samba] winbind: uid range is ignored
On 03/08/2012 10:22, steve wrote:
> It doesn't seem to matter. I can have the same id range on both server and client. What is uid 327 on the server becomes uid 302 on the client.
Remember to delete all .tdb files and rejoin the machine between tests w/ different backends, or you'll get big troubles.

Since you can control your domain, stick to ad backend. And remember to keep uids/gids stored in AD in a safe range (less than 500 and ... wooops! -- remember 0 is root, that could get squashed to nobody by NFS).

Hope reinstall brings you good news :)

BYtE,
 Diego.
Re: [Samba] winbind: uid range is ignored
On 03/08/2012 13:18, steve wrote:
> Thanks for the tip. In fact, Samba4 defaults to 30-40 which I think is pretty safe?
Only for a small domain... In our tree it would be WAY too small (could contain no more than about 20% of the groups we have in a single domain...).

> My main problem is on the 3.6 client where the ad backend is not honoured. As you say, I've gone for a reinstall with an openSUSE client which has a patched 3.6.6 so hoping. . .
Might even be that not honoured was simply due to caching: you had tdb backend (that assigns uids/gids sequentially as needed), then switched to rid, but cache still contained old values from tdb. That's why I told you to remove *all* .tdb files and rejoin.

BYtE,
 Diego.
Re: [Samba] 'x' bit always set?
On 01/08/2012 16:23, Helmut Hullen wrote:
> Hello, Jonathan,
>
> you wrote on 01.08.12:
>
>>> Seems I can't find the root cause of $subj. When I store a file on my home, it gets chmodded ugo+x ...
> [...]
>> mount your file system with extended attributes enabled and then add the following to your smb.conf
>>
>> # store DOS attributes in extended attributes
>> ea support = yes
Added this.

>> store dos attributes = yes
This was already there.

>> map readonly = no
>> map archive = no
>> map system = no
>> map hidden = no
According to the man page, when store dos attributes is set, those should be ignored. But I added 'em anyway.

This is the result when I put a file via Dolphin's smb:// handler:

root@str00160-samba:/srv/shared/PERSONALE# getfacl diego.zuccato
# file: diego.zuccato
# owner: diego.zuccato
# group: domain_users
# flags: s--
user::rwx
user:str00160-backup:rw-        #effective:---
group::rwx                      #effective:--x
mask::--x
other::--x
default:user::rwx
default:user:diego.zuccato:rwx
default:group::--x
default:group:domain_users:--x
default:mask::rwx
default:other::---

root@str00160-samba:/srv/shared/PERSONALE# getfacl diego.zuccato/*
# file: diego.zuccato/index.html
# owner: diego.zuccato
# group: domain_users
user::rwx
user:diego.zuccato:rwx
group::--x
group:domain_users:--x
mask::rwx
other::---

root@str00160-samba:/srv/shared/PERSONALE# getfattr -d diego.zuccato/*
# file: diego.zuccato/index.html
user.DOSATTRIB=0sMHgyMwADEQAAACAAADcWNMuJcM0BAAA=

The folder 'diego.zuccato' is created by those commands run as root:

mkdir -p $home >> $log 2>&1
chown $domain\\$user:$domusers $home >> $log 2>&1
chmod 4711 $home >> $log 2>&1
setfacl --set=d:u::rwX,d:g::--X,d:o::---,d:u:$domain\\$user:rwX,d:g:$domusers:--X $home >> $log 2>&1

where $home is, obviously, /srv/shared/PERSONALE/diego.zuccato ...
IIUC, uppercase 'X' should set the 'x' bit only on dirs and on files where it's explicitly set, so I think it's Samba adding it... but why? That's why I'm getting mad at it... :(

Another problem I just noticed: effective permissions for str00160-backup are --x instead of rwx and it's not set on the file ??? ARGH! I start hating ACLs!

BYtE,
 Diego.
Re: [Samba] 'x' bit always set?
On 02/08/2012 10:49, NdK wrote:
>> map readonly = no
>> map archive = no
>> map system = no
>> map hidden = no
> According to the man page, when store dos attributes is set, those should be ignored. But I added 'em anyway.
Uhm... Seems the man page is contradictory... In map * it says they get ignored, in store dos attributes it says they should be set to 'no' to avoid fallback... Mah!

> This is the result when I put a file via Dolphin's smb:// handler:
Just to be sure, I now used smbclient:

$ smbclient -U diego.zuccato //str00160-samba/diego.zuccato/
Enter diego.zuccato's password:
Domain=[PERSONALE] OS=[Unix] Server=[Samba 3.5.6]
smb: \> put index.html
putting file index.html as \index.html (79,6 kb/s) (average 79,6 kb/s)
smb: \> ls
  .                                   D        0  Thu Aug  2 11:03:44 2012
  ..                                  D        0  Thu Aug  2 11:03:35 2012
  index.html                          A      163  Thu Aug  2 11:03:44 2012

                65535 blocks of size 33553920. 65535 blocks available

But the result is always the same:

root@str00160-samba:/srv/shared/PERSONALE/diego.zuccato# ls -l
totale 8
-rwxrwx---+ 1 diego.zuccato domain_users 163  2 ago 11.03 index.html

Sigh!

BYtE,
 Diego.
Re: [Samba] 'x' bit always set?
On 02/08/2012 13:50, Jonathan Buzzard wrote:
> Have you verified that you are storing DOS attributes in extended attributes, something like this on the server
>
> [root@nabak Pictures]# getfattr -d Thumbs.db
> # file: Thumbs.db
> user.DOSATTRIB=0sMHgyNgAAAwADEQAAACYAAIASVa5FHs0BAAA=
Yup. As written in the message before the quoted one:

root@str00160-samba:/srv/shared/PERSONALE# getfattr -d diego.zuccato/*
# file: diego.zuccato/index.html
user.DOSATTRIB=0sMHgyMwADEQAAACAAADcWNMuJcM0BAAA=

> Note the lack of map hidden = no in my original reply was down to cut and paste error out of my smb.conf
I added it.

My smb.conf (stripped to the homes definition) is:
-8<--
[global]
workgroup = PERSONALE
realm = PERSONALE.DIR.UNIBO.IT
server string = Shares for Astronomy Dept.
netbios name = STR00160-SAMBA
security = ADS
encrypt passwords = true
password server = personale.dir.unibo.it
log file = /var/log/samba/log.%m
log level = 0
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=32768 SO_SNDBUF=32768
local master = No
dns proxy = No
wins server = 137.204.25.77
# Should fix instability of name resolution (gid-to-name)
client schannel = no
# Unix extensions give troubles with permissions from Mac clients
unix extensions = no
wide links = no
# We need a local user for str00160-web
auth methods = guest sam winbind:ntdomain
#winbind separator = -
winbind enum users = No
winbind enum groups = No
winbind offline logon = Yes
winbind nested groups = Yes
winbind normalize names = Yes
winbind refresh tickets = Yes
winbind use default domain = yes
idmap backend = tdb
idmap uid = 1-9
idmap gid = 1-9
idmap config PERSONALE : backend = rid
idmap config PERSONALE : base_rid = 500
idmap config PERSONALE : range = 10 - 4999
idmap config STUDENTI : backend = rid
idmap config STUDENTI : base_rid = 500
idmap config STUDENTI : range = 5000 -
template homedir = /srv/shared/%D/%U
template shell = /bin/bash
# Don't show a printers icon when browsing the server
show add printer wizard = no
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

[homes]
comment = Home Directories
# Standard options for homes
browseable = no
read only = no
create mask = 0600
directory mask = 0711
# Fix reported capacity
block size = 4096
# Use ACL to store attributes
acl group control = Yes
inherit acls = Yes
ea support = Yes
store dos attributes = yes
dos filemode = yes
map hidden = no
map system = no
map archive = no
map readonly = no
# I want users to be able to share their data...
#valid users = %D\%S
path = /srv/shared/%D/%S
# Equivalent of pam_mkhomedir, but more versatile
root preexec = /opt/checklogon '%S' '%H' '%u' '%P' '%D' '%U'
-8<--

Didn't yet try to tune it too much... Is there something evidently wrong? Could create mask be connected to the wrong permissions I see (not the main x bit set issue, the other)? Is there a tutorial explaining how ACLs and EAs interact with Samba?

BYtE,
 Diego.
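Jonathan's check above ("have you verified that you are storing DOS attributes in extended attributes") can be made mechanical. The script below is an added example, not code from the thread or from the Samba project: it takes the user.DOSATTRIB value exactly as getfattr -d prints it (the "0s" prefix means getfattr base64-encoded a binary value), extracts the "0x.." attribute string Samba writes at the front of the EA, and names the DOS attribute bits it contains. The two sample values are the ones quoted in the thread; the bytes after the NUL (a versioned binary record holding the create time) are deliberately left alone. It assumes GNU coreutils base64 and tr.

```shell
#!/bin/sh
# Added example (not from the thread): decode a Samba user.DOSATTRIB value as
# shown by "getfattr -d".  Layout assumed: the text "0x<hex>" + NUL, then a
# versioned binary record that this script does not interpret.

# The two values quoted in the thread (index.html on Diego's server, Thumbs.db
# on Jonathan's).
SAMPLE_INDEX_HTML='0sMHgyMwADEQAAACAAADcWNMuJcM0BAAA='
SAMPLE_THUMBS_DB='0sMHgyNgAAAwADEQAAACYAAIASVa5FHs0BAAA='

# dosattrib_hex VALUE -> prints the leading "0x.." token, e.g. "0x20"
dosattrib_hex() {
    # strip getfattr's "0s" marker, decode, cut at the first NUL byte
    printf '%s' "${1#0s}" | base64 -d | tr '\000' '\n' | head -n 1
}

# dosattrib_flags HEX -> prints the FILE_ATTRIBUTE_* names set in HEX
# (bit values from MS-FSCC; without "store dos attributes" Samba would have
# to fold these into the mode bits, which is where mapped x bits come from)
dosattrib_flags() {
    case $1 in
        0x*) ;;
        *) echo "dosattrib_flags: not a 0x.. value: '$1'" >&2; return 1 ;;
    esac
    attr=$(( $1 ))
    out=""
    for pair in 0x01:READONLY 0x02:HIDDEN 0x04:SYSTEM 0x10:DIRECTORY \
                0x20:ARCHIVE 0x80:NORMAL; do
        bit=${pair%%:*}
        name=${pair#*:}
        if [ $(( $attr & $bit )) -ne 0 ]; then
            out="$out $name"
        fi
    done
    printf '%s\n' "${out# }"
}

# dosattrib_report VALUE -> "<hex>: FLAG FLAG ..."
dosattrib_report() {
    hex=$(dosattrib_hex "$1") || return 1
    printf '%s: %s\n' "$hex" "$(dosattrib_flags "$hex")"
}

# Demo on the thread's two values.  On a live server, paste the value printed
# by:  getfattr -d -n user.DOSATTRIB FILE
for v in "$SAMPLE_INDEX_HTML" "$SAMPLE_THUMBS_DB"; do
    dosattrib_report "$v"
done
```

If the EA is present and decodes to a sane attribute set (Thumbs.db as HIDDEN SYSTEM ARCHIVE is the classic Windows signature), Samba is keeping the DOS attributes out of the mode bits; a missing EA or a value that does not start with "0x" means the store dos attributes / ea support combination is not in effect for that share.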
Re: [Samba] winbind is it possible to have the same uid and gid numbers everywhere?
On 02/08/2012 16:19, steve wrote:
> At the moment, the client side ignores the idmap uid range and bases everything in the idmap gid range instead. Maybe that is a bug in Samba3?
Don't know... I always kept 'em in the same range.

> [global]
> realm = polop.site
> workgroup = POLOP
> security = ADS
> wide links = Yes
> unix extensions = No
> template shell = /bin/bash
> winbind enum users = Yes
> winbind enum groups = Yes
> idmap config POLOP : backend = rid
> idmap config POLOP : base_rid = 500
> idmap config POLOP : range = 30-40
>
> Is what I want a possibility?
For sure if you keep the same range for UIDs and GIDs. That's what I've been doing for 3 years from PCs joined to an AD (win 2k3) domain that needed access to NFS home (hence consistent UID/GID mapping is a must). And across 2 domains (well, really more, but I was not interested in the others).

Another (better) fix would be to store uid and gid in the Samba schema, but I can't help you with that since I can't alter our schema.

BYtE,
 Diego.
Re: [Samba] winbind: uid range is ignored
On 02/08/2012 18:42, steve wrote:
> The shares are mounted via kerberized nfs on the client and _did_ map correctly before this thread started.
Are you sure you updated /etc/nsswitch.conf to use winbind after purging the old Samba install?

BYtE,
 Diego.
Re: [Samba] 'x' bit always set?
On 30/07/2012 09:40, NdK wrote:
> Seems I can't find the root cause of $subj. When I store a file on my home, it gets chmodded ugo+x ... Any hints?
And getting mad at this, too...

> Another strange thing is that, with this last command, it stopped resolving 100013 to PERSONALE\domain_users ... any possible reason?
Even worse, today:

# wbinfo -G 100013
S-1-5-21-2162351890-1506888927-3107636301-513
# wbinfo -s S-1-5-21-2162351890-1506888927-3107636301-513
PERSONALE\Domain_Users 2
# id diego.zuccato
uid=108036(diego.zuccato) gid=100013 gruppi=100013,164120(tecniciastro),...

Note that tecniciastro is in the same domain as the unresolved 100013. And 100013 remains unresolved only for 'id'. But nsswitch should be OK or tecniciastro would be unresolved too... ARGH! Please, help!

Tks,
 Diego.
Re: [Samba] 'x' bit always set?
On 01/08/2012 16:07, Jonathan Buzzard wrote:
> You are wrong, mount your file system with extended attributes enabled
I already do that :)

> and then add the following to your smb.conf
>
> # store DOS attributes in extended attributes
> ea support = yes
Ops... missed this...

> store dos attributes = yes
That one is already there

> map readonly = no
> map archive = no
> map system = no
And I removed these during the tests... Tomorrow I'll try. But I can't understand why it changes the x bit even when copying from/to a Linux machine... Doesn't that break a lot of Linux clients?

Tks a lot! Now I should only discover what's breaking gid-to-name resolution and I'll be set to offer 5TB+ of space to our students :)

BYtE,
 Diego.
[Samba] 'x' bit always set?
Hello all.

Seems I can't find the root cause of $subj. When I store a file on my home, it gets chmodded ugo+x ...

My smb.conf is:
-8<--
[global]
workgroup = PERSONALE
realm = PERSONALE.EXAMPLE.COM
server string = Local shares
netbios name = STR00160-SAMBA
security = ADS
encrypt passwords = true
password server = personale.example.com
log file = /var/log/samba/log.%m
log level = 0
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=32768 SO_SNDBUF=32768
local master = No
dns proxy = No
wins server = 192.168.25.77
# Fixes instability of name resolution (gid-to-name)
client schannel = no
# Unix extensions give troubles with permissions from Macs
unix extensions = no
wide links = no
# We need a local user for str00160-web and backup
auth methods = guest sam winbind:ntdomain
winbind enum users = No
winbind enum groups = No
winbind offline logon = Yes
winbind nested groups = Yes
winbind normalize names = Yes
winbind refresh tickets = Yes
winbind use default domain = yes
# Catch other domains
idmap backend = tdb
idmap uid = 1-9
idmap gid = 1-9
idmap config PERSONALE : backend = rid
idmap config PERSONALE : base_rid = 500
idmap config PERSONALE : range = 10 - 4999
idmap config STUDENTI : backend = rid
idmap config STUDENTI : base_rid = 500
idmap config STUDENTI : range = 5000 -
template homedir = /srv/shared/%D/%U
# Don't show a printers icon when browsing the server
show add printer wizard = no
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

[homes]
comment = Home Directories
# Standard options for homes
browseable = no
read only = no
create mask = 0600
directory mask = 0711
# Fix reported capacity
block size = 4096
# Use ACL to store attributes
acl group control = Yes
inherit acls = Yes
store dos attributes = yes
dos filemode = yes
# I want users to be able to share their data...
#valid users = %D\%S
path = /srv/shared/%D/%S
# Equivalent of pam_mkhomedir, but more versatile
root preexec = /opt/checklogon '%S' '%H' '%u' '%P' '%D' '%U'
-8<--

The underlying fs supports acls and xattrs:
/dev/sdb1 on /srv/shared type xfs (rw,acl,user_xattr,quota)

# getfacl /srv/shared/PERSONALE/diego.zuccato/
getfacl: Removing leading '/' from absolute path names
# file: srv/shared/PERSONALE/diego.zuccato/
# owner: diego.zuccato
# group: 100013
# flags: s--
user::rwx
user:str00160-backup:rw-        #effective:---
group::rwx                      #effective:--x
mask::--x
other::--x
default:user::rwx
default:user:diego.zuccato:rwx
default:group::--x
default:group:100013:--x
default:mask::rwx
default:other::---

Another strange thing is that, with this last command, it stopped resolving 100013 to PERSONALE\domain_users ... any possible reason? I can see

[2012/07/30 09:29:23.572740, 0] winbindd/winbindd_ads.c:1039(lookup_groupmem)
  ads_ranged_search failed with: Invalid DN syntax

in log.wb-PERSONALE. Before that, it was correctly resolved:

# id diego.zuccato
uid=108036(diego.zuccato) gid=100013(domain_users) gruppi=100013(domain_users),[...]

but now:

# id diego.zuccato
uid=108036(diego.zuccato) gid=100013 gruppi=100013,[...]

Before I added client schannel = no it happened randomly and quite frequently.

The domain is M$ AD. Samba is 3.5.6.

Tks,
 Diego.
[Samba] Config doubt
Hello all.

Is it right to have:

idmap backend = tdb
idmap uid = 2000-
idmap gid = 2000-
idmap config PERSONALE:backend = rid
idmap config PERSONALE:base_rid = 500
idmap config PERSONALE:range = 10 - 4999
idmap config STUDENTI:backend = rid
idmap config STUDENTI:base_rid = 500
idmap config STUDENTI:range = 5000 -

in smb.conf to use the given ranges for PERSONALE and STUDENTI, reserving the (small) range 2000- for every other domain?

I'm only interested in users and groups from the two big domains, but I've had clashes with groups in another domain making id user.name return numeric-only GIDs (since they mapped to two different groups in two domains).

If it's the wrong solution, which is the right one (except defining a range for every domain in the forest: I can't do that)?

Tks,
 Diego.
[Samba] Local user when security=ADS
Hello all.

Since it seems I can't make the webserver access a samba share with its machine credentials (all I could get is a NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT message in server logs after extracting the pass from secrets.tdb) and I can't add users to AD (and, even if I could, their passwords would automatically expire in 6 months), is it possible to have a locally-defined user when the server is joined to AD? This way I could use the locally-defined user credentials from the client to mount the share...

Or is there a better way?

Tks,
 Diego.
Re: [Samba] winbind template homedir limitations
On 19/06/2012 13:33, steve wrote:
> Is it possible to specify more than one template homedir = xxx in smb.conf?
I don't think so. It could be useful for me, too, if possible (say: to have a web-home dir for some users, on a separate share than their data-home). But I couldn't define a clear semantic for multiple [homes], even if at all possible.

> Everyone seems to have their Linux home directories created in the same folder, which makes administration difficult. We'd like to organise users into sub folders.
You can differentiate on the domain and other info, replacing parts of path with macros. Maybe not much, but it's a start.

BYtE,
 Diego.
Re: [Samba] samba home folder share
On 28/05/2012 15:40, NdK wrote:
> If I use smbclient -P '\\str00160-samba\for_web' I can navigate the share. But how do I 'emulate' that '-P' with mount.cifs? I tried sec=krb5 but mount fails:
> [...]
Still stuck. :(

Isn't there any way to mount a share using *machine* credentials? I'd try using a credentials file, but I don't know if/how I can extract the machine password...

Any help really welcome -- even a "you can't do that"...

TIA

BYtE,
 Diego.
Re: [Samba] samba home folder share
On 13/05/2012 18:38, Jorell wrote:
> here is what I use in my conf
> [ProfileShare]
> ...
> root preexec = /root/pdc/smbmkhomedir.sh %D %U
> ...
>
> smbmkhomedir.sh
> #!/bin/bash
> if [ ! -e /home/$1/$2 ]; then
>   mkdir -p /home/$1/$2
>   chown $2:"Domain Users" /home/$1/$2
>   chmod 4711 /home/$1/$2
>   setfacl --set=d:u::rwx,d:g::--x,d:o::---,d:u:$2:rwx,d:g:'domain users':--x /home/$1/$2
> fi
> exit 0
Just a quick question: is the ACL needed only for local users (logged on server, or accessing an NFS share) or for Samba users too? Since I won't let users directly log on to the server but only via Samba, I'd prefer to avoid ACL overhead if possible.

Tks,
 Diego.
Re: [Samba] samba home folder share
On 28/05/2012 10:29, NdK wrote:
> Just a quick question: is the ACL needed only for local users (logged on server, or accessing an NFS share) or for Samba users too? Since I won't let users directly log on to the server but only via Samba, I'd prefer to avoid ACL overhead if possible.
Ok, I self-answer this one: ACLs are needed if you want to let users choose who can access their files.

Another question: how can I set access permissions so that the webserver (running on another machine) can have RO access, if I can't give it a standard account? Can I use machine accounts? And how can I make Apache automatically access user's home/public_html?

Maybe I'm just confused and I'll realize just after sending...

BYtE,
 Diego.
Re: [Samba] samba home folder share
On 28/05/2012 14:15, NdK wrote:
> Another question: how can I set access permissions so that the webserver (running on another machine) can have RO access, if I can't give it a standard account? Can I use machine accounts? And how can I make Apache automatically access user's home/public_html?
> Maybe I'm just confused and I'll realize just after sending...
Well... nearly. But stuck again.

I defined another share:

[for_web]
comment = Exported to webserver
browseable = no
read only = yes
path = /srv/shared
valid users = STR00160-WEB$

ACL already only allows '--x' to str00160-web$ .

If I use smbclient -P '\\str00160-samba\for_web' I can navigate the share. But how do I 'emulate' that '-P' with mount.cifs? I tried sec=krb5 but mount fails:

root@str00160-web:~# mount.cifs '\\str00160-samba\for_web' /mnt/ -o ro,sec=krb5
mount error(2): No such file or directory
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

If I omit '-o' it asks for a password...

I'm sure I'm missing something... Any hint? I tried reading the man page multiple times, but w/o results... :(

BYtE,
 Diego.
Re: [Samba] Samba as member of multi domain AD (nss/pam)
On 25/05/2012 09:57, Marcel Ritter wrote:
> our setup looks much like yours: One domain FAUAD containing all our users, and several domains containing computer objects (and maybe local users). To prevent inconsistencies in user/group membership, we'd like to use nss/pam winbind on the unix side to get users/groups out of our AD.
Add winbind to /etc/nss.conf (passwd and group lines). Then use idmap rid for the domains you're interested in (and tdb for eventual others):

idmap backend = tdb
idmap uid = 1-9
idmap gid = 1-9
idmap config PERSONALE:backend = rid
idmap config PERSONALE:base_rid = 500
idmap config PERSONALE:range = 10 - 4999
idmap config STUDENTI:backend = rid
idmap config STUDENTI:base_rid = 500
idmap config STUDENTI:range = 5000 -

Users and groups in PERSONALE and STUDENTI are consistent across all servers, while other domains receive first come first served ids.

> However for most purposes it'd be nice to only get the short user names (user instead of FAUAD+user) for all domains (or at least for a selectable domain). AFAIK the default domain is the one the computer object is created in (in our case this is *not* the one containing the user objects). I haven't found an option to specify this default domain without changing the domain location of the computer object.
Neither did I. I tried really hard with:

idmap domains = PERSONALE STUDENTI
idmap config PERSONALE:default = no
idmap config STUDENTI:default = yes

to make 'STUDENTI' the default domain while the server is joined to 'PERSONALE', but it didn't work.

> Maybe someone has a clue.
> Any idea about how to solve this is welcome :-)
I'm in the dark like you :(

BYtE,
 Diego.
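The point Diego makes repeatedly in these threads (the NFS server only ever sees numbers, so every client must derive the same number from the same SID, and a range that is too small leaves accounts unmapped) follows directly from the idmap_rid arithmetic. The script below is an added example, not code from the thread or from Samba: it implements the formula from idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID, and runs it for two hosts with different ranges. The SID is the one winbind returned in the thread for gid 100013 (Domain Users, RID 513); base_rid = 500 is from the thread; the numeric ranges are constructed, because the thread's own ranges did not survive extraction, and "host A" is chosen so that it reproduces that gid 100013.

```shell
#!/bin/sh
# Added example (not from the thread): idmap_rid arithmetic, and what happens
# when two hosts do not share the same idmap configuration.
#   ID = RID - BASE_RID + LOW_RANGE_ID   (idmap_rid(8)); out of [LOW,HIGH] => unmapped

# SID winbind returned in the thread for gid 100013 (Domain Users, RID 513).
DOMAIN_USERS_SID='S-1-5-21-2162351890-1506888927-3107636301-513'

# Two idmap configurations as "BASE_RID LOW HIGH".  Constructed values; host A
# is chosen so that Domain Users lands on the thread's gid 100013.
HOST_A='500 100000 499999'
HOST_B='500 200000 599999'

# sid_rid SID -> last sub-authority, i.e. the RID
sid_rid() { printf '%s\n' "${1##*-}"; }

# rid_to_id RID BASE_RID LOW HIGH -> unix id; no output and status 1 if out of range
rid_to_id() {
    xid=$(( $1 - $2 + $3 ))
    [ "$xid" -ge "$3" ] && [ "$xid" -le "$4" ] || return 1
    printf '%s\n' "$xid"
}

# id_to_rid ID BASE_RID LOW HIGH -> the RID behind a numeric owner seen on NFS
id_to_rid() {
    [ "$1" -ge "$3" ] && [ "$1" -le "$4" ] || return 1
    printf '%s\n' $(( $1 - $3 + $2 ))
}

# sid_to_id SID "BASE_RID LOW HIGH" -> id of SID under that configuration
sid_to_id() { rid_to_id "$(sid_rid "$1")" $2; }

# same_mapping SID CONF_A CONF_B -> 0 only when both hosts map SID to the same id.
# Ownership travels over NFS as the bare number, so disagreement means the
# other host attributes the file to nobody or, worse, to a different account.
same_mapping() {
    a=$(sid_to_id "$1" "$2") || a=unmapped
    b=$(sid_to_id "$1" "$3") || b=unmapped
    [ "$a" = "$b" ] && [ "$a" != unmapped ]
}

# Demo: the same group, two hosts.
printf 'Domain Users on host A: %s\n' "$(sid_to_id "$DOMAIN_USERS_SID" "$HOST_A" || echo unmapped)"
printf 'Domain Users on host B: %s\n' "$(sid_to_id "$DOMAIN_USERS_SID" "$HOST_B" || echo unmapped)"
if same_mapping "$DOMAIN_USERS_SID" "$HOST_A" "$HOST_B"; then
    echo 'hosts agree'
else
    echo 'hosts disagree: files written on one host show up with a foreign uid/gid on the other'
fi
```

Running id_to_rid on a numeric owner that shows up on an NFS client (108036 under host A gives RID 8536) is a quick way to tell whether a "wrong" uid is a mapping mismatch or an account that simply falls outside the configured range; the "WAY too small" objection in the thread is exactly the out-of-range branch of rid_to_id.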
Re: [Samba] Restricting access to [homes]
On 12/04/2012 11:57, Jonathan Buzzard wrote:
Sorry to reopen an old thread, but it seems I can't understand (or still miss) something...

The problem:
>> Is it just me or there's no way to restrict access to [homes] share to members of an AD group? Or is it treated like an ordinary Unix group via Winbind mapping?
>> If I use valid users = %S (to give access to the home only to the owner), every domain user (worse: every user in any trusted domain) can access his/her own share... if path exists. That leads to the second problem: is it possible to automatically create the home dir if it's missing (w/o requiring the user to log on the server)? Sort of pam_mkhomedir for shares...

Proposed solution:
> Use the exec option for the share to call out a script to create the home directory and set ownership etc. correctly. Note if no home directory exists then you cannot access the share, so your script to create their home directory automatically can test to see if they are a member of a suitable group.

And that seems all good... It actually IS all good, as long as I only consider users in the domain the server is member of. But I have the majority of users from another (trusted) domain. And when they try to access their home (tried accessing share as user.name, DOMAIN\user.name, DOMAIN/user.name) they don't get authenticated and the preexec script isn't called :?

In smb.conf I have:

[global]
...
template homedir = /srv/shared/%D/%U

[homes]
valid users = %S
preexec = /opt/checklogon '%S' '%H' '%u' 'p=%p' 'D=%D' 'U=%U'

And /opt/checklogon (w/o checks) is:

#!/bin/bash
echo checklogon S=$1 H=$2 u=$3 p=$4 D=$5 U=$6 >> /tmp/checklogon.log
mkdir $4

(preexec script is run as the authenticated user accessing the share, so no need to chown -- but that requires a world-writable /srv/shared... I'll have to secure it when the rest is working, hints appreciated... not really pressing as long as no user is allowed to unix-login to the box).

If some tries w/ smbclient could be useful, here they are.

[ndk@jago ~]$ smbclient -I 137.204.66.31 '\\str00160-samba\diego.zuccato' -U diego.zuccato
Enter diego.zuccato's password:
Domain=[PERSONALE] OS=[Unix] Server=[Samba 3.5.6]
smb: \> ls
  .                                   D        0  Wed May 23 08:44:44 2012
  ..                                  D        0  Wed May 23 08:44:44 2012

                60073 blocks of size 262144. 53984 blocks available
smb: \>

[ndk@jago ~]$ smbclient -I 10.1.5.32 '\\str00160-samba\diego.zuccato2' -U STUDENTI\\diego.zuccato2
Enter STUDENTI\diego.zuccato2's password:
Domain=[PERSONALE] OS=[Unix] Server=[Samba 3.5.6]
tree connect failed: NT_STATUS_ACCESS_DENIED

[ndk@jago ~]$ smbclient -I 10.1.5.32 '\\str00160-samba\STUDENTI\diego.zuccato2' -U STUDENTI\\diego.zuccato2
Enter STUDENTI\diego.zuccato2's password:
Domain=[PERSONALE] OS=[Unix] Server=[Samba 3.5.6]
tree connect failed: NT_STATUS_BAD_NETWORK_NAME

[ndk@jago ~]$ smbclient -I 10.1.5.32 '\\str00160-samba\STUDENTI/diego.zuccato2' -U STUDENTI\\diego.zuccato2
Enter STUDENTI\diego.zuccato2's password:
Domain=[PERSONALE] OS=[Unix] Server=[Samba 3.5.6]
tree connect failed: NT_STATUS_BAD_NETWORK_NAME

On the first, the home for PERSONALE\diego.zuccato gets created. But it seems there's no way (I could find) to make it create the home for STUDENTI\diego.zuccato2 ...

Any hint welcome!

TIA,
 Diego.
Re: [Samba] Restricting access to [homes]
On 23/05/2012 09:11, Jorell wrote:
> here is what I use in my conf
> [ProfileShare]

Uh?

> ...
> path = /home/%D/%U
> root preexec = /root/pdc/smbmkhomedir.sh %D %U

ARGH! 'root preexec'. I missed that root bit :( Tks! You saved my day!

> smbmkhomedir.sh
>
>   #!/bin/bash
>   if [ ! -e /home/$1/$2 ]; then
>     mkdir -p /home/$1/$2
>     chown $2:"Domain Users" /home/$1/$2
>     chmod 4711 /home/$1/$2
>     setfacl --set=d:u::rwx,d:g::--x,d:o::---,d:u:$2:rwx,d:g:'domain users':--x /home/$1/$2
>   fi
>   exit 0

I just tweaked it a bit to check group membership. Any faster way than

  gid=$(wbinfo -Y $(wbinfo -n $group))
  if [ ! 0 -eq $(wbinfo -r $user | grep -c $gid) ]; then ...

that calls wbinfo 3 times?

> instead of using 'valid users' maybe try setting path = /home/%S

I used valid users = %D\%S AND path= (%H seems undefined for trusted domain users). This way (I think) if username != sharename = no access. But IIUC that should never happen (unless someone is trying to access another user's home -- maybe I should allow it to let users share files by changing ACLs?).

The current checklogon script I'm using is:

  #!/bin/bash
  allowed=personaleStudenti
  log=/tmp/checklogon.log
  sharename=$1
  home=$2
  givenUser=$3
  p=$4
  domain=$5
  user=$6
  echo checklogon: home=$home S=$1 H=$2 u=$3 P=$4 D=$5 U=$6 >> $log
  if [ ! -e $home ]; then
    if [ ! 0 -eq $(wbinfo -r $domain\\$user | grep -c $(wbinfo -Y $(wbinfo -n $allowed))) ]; then
      domusers=$(wbinfo -Y $(wbinfo -n $domain\\domain_users))
      mkdir -p $home >> $log 2>&1
      chown $domain\\$user:$domusers $home >> $log 2>&1
      chmod 4711 $home >> $log 2>&1
      setfacl --set=d:u::rwx,d:g::--x,d:o::---,d:u:$domain\\$user:rwx,d:g:$domusers:--x $home >> $log 2>&1
    fi
  fi
  exit 0

I've had to obtain the DOMAIN\domain_users gid before chown or it gave an error (maybe due to a clash from a trusted domain -- still trying to understand how it can happen). And I'm still having issues with setfacl (I never used ACLs before, so I have to study a bit).

BTW it's been a great leap forward!

BYtE,
 Diego.
Re: [Samba] Restricting access to [homes]
On 23/05/2012 15:30, steve wrote:
> If the gidNumber for the gid is stored in AD (as the 2008 and samba4 schema allow) then there can be no clash. It is then no problem in extracting it and applying it using normal /etc/nsswitch.conf format.

The AD schema is still 2003. And whoever manages it thinks the world is Win-only :( It's easier to talk a mountain into moving itself than making 'em change a single bit in the schema...

[...]

> With ldapd/nslcd running, you can chown and chmod using the names of the AD groups and users exactly as advertised in getent passwd or wbinfo calls. It is then reflected perfectly by the filer. OK, with samba4 and cifs/s3fs there are currently a few problems but under 3.6 it maps perfectly.

I'm using Squeeze, which ships w/ 3.5.6 (I know it's old, and actually it gives troubles when its ntlm_auth is used by FreeRadius!). I'm locked into using idmap rid:

  winbind enum users = No
  winbind enum groups = No
  winbind offline logon = Yes
  winbind nested groups = Yes
  winbind normalize names = Yes
  winbind refresh tickets = Yes
  winbind use default domain = yes
  # old values, changed to see if it could fix the wrong mapping
  #winbind uid = 10-10001
  #winbind gid = 10-10001
  winbind uid = 1-9
  winbind gid = 1-9
  idmap domains = PERSONALE STUDENTI
  idmap config PERSONALE:backend = rid
  idmap config PERSONALE:base_rid = 500
  idmap config PERSONALE:range = 10 - 4999
  idmap config STUDENTI:backend = rid
  idmap config STUDENTI:base_rid = 500
  idmap config STUDENTI:range = 5000 -

But:

  root@str00160-samba:~# wbinfo -n domain_users
  S-1-5-21-2162351890-1506888927-3107636301-513 SID_DOM_GROUP (2)
  root@str00160-samba:~# wbinfo -Y S-1-5-21-2162351890-1506888927-3107636301-513
  100013
  root@str00160-samba:~# wbinfo -G 100013
  S-1-5-21-725345543-1425521274-682003330-11022

As you can see, the mapping from gid to sid resolves to a different domain (and, obviously, a different group).

I'm not interested in resolving users and groups from other domains except PERSONALE and STUDENTI, so if it were possible to disable 'em, it would be great! And I hate not being able to understand why it happens. I already deleted all .tdb files (except secrets.tdb, or I'd have had to rejoin the machine), with the samba and winbind services stopped. No nscd or similar daemon is installed (I remember reading it could give problems). I can't enable enum users or enum groups due to the size of the directory (last time I did a wbinfo -g it took hours to complete, on a 100Mbit link!).

BYtE,
 Diego.
Re: [Samba] Grant only one AD group to samba share ?
On 22/05/2012 22:17, Newman, John W wrote:
> Well.. I'm not really sure what that is (I inherited this project). In smb.conf all he has here is:
>
>   idmap uid = 1-2
>   idmap gid=1-2
>
> I don't see idmap backend = set at all in here. That is probably a big part of the problem isn't it?

If you have to keep a consistent uid and gid mapping (not really needed, unless you use NFS, I think), use another idmap backend. I used RID, which applies a simple formula to the SID to obtain uid and gid consistent across all the clients accessing an NFS server.

>> Are nsswitch.conf and PAM configured for authentication?
> For what kind of authentication? /etc/nsswitch and /etc/pam/* are untouched from the defaults.

Edit /etc/nsswitch.conf to include winbind as a data source for both passwd and group info. Once you've done this, you'll be able to use AD names as standard *nix names, and the reverse mapping will automatically happen (like when doing an ls -l). If you don't do that, you'll keep getting 'unknown group'.

PS: I prefer to keep normalize names, which makes AD names lowercase and replaces spaces with underscores. This is my winbind-related part of smb.conf:

  # Big dir -- I must disable enums. If your dir is small, enable 'em!
  winbind enum users = No
  winbind enum groups = No
  # Allow logon even if network isn't available
  winbind offline logon = Yes
  # Deep-resolve groups (heavy and slow!)
  winbind nested groups = Yes
  # *nix-friendly names
  winbind normalize names = Yes
  winbind refresh tickets = Yes
  winbind use default domain = yes
  winbind uid = 1-9
  winbind gid = 1-9
  idmap domains = PERSONALE STUDENTI
  idmap config PERSONALE:backend = rid
  idmap config PERSONALE:base_rid = 500
  idmap config PERSONALE:range = 10 - 4999
  idmap config STUDENTI:backend = rid
  idmap config STUDENTI:base_rid = 500
  idmap config STUDENTI:range = 5000 -

BYtE,
 Diego.
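The rid backend that the configs in this thread and the two earlier ones rely on (the PERSONALE/STUDENTI ranges, the wbinfo -n/-Y/-G output where a gid resolves back to a SID from another domain) is a pure formula, so its behaviour can be predicted and its ranges checked without a domain controller. The script below is an added example, not from the posts or from Samba: it models the idmap_rid arithmetic (id = rid - base_rid + low_id, dropped when the result is outside the range) and checks that the ranges of several domains do not overlap, which is the condition under which a reverse lookup of one id can belong to two domains. The two domain SIDs are those quoted in the thread's wbinfo output; the base_rid and range bounds are constructed, chosen so that RID 513 of PERSONALE lands on 100013 as in the wbinfo -Y output above.

```shell
#!/bin/sh
# Added example (not code from the thread or from Samba): models the
# arithmetic of "idmap config DOM:backend = rid" and checks that the
# ranges configured for several domains do not overlap.
# The two domain SIDs are the ones quoted in the thread's wbinfo output;
# base_rid, low_id and high_id are constructed for the demonstration.

# DOMAIN  domain-SID  base_rid  low_id  high_id   (constructed table)
IDMAP_TABLE='
PERSONALE S-1-5-21-2162351890-1506888927-3107636301 500 100000 499999
STUDENTI  S-1-5-21-790525478-1035525444-682003330   500 500000 999999
'

# Split a SID into its domain part and its RID (the last component).
sid_domain() { printf '%s\n' "${1%-*}"; }
sid_rid()    { printf '%s\n' "${1##*-}"; }

# Table row for a domain name or for a domain SID.
idmap_row() {
    printf '%s\n' "$IDMAP_TABLE" | awk -v key="$1" '$1 == key || $2 == key'
}

# SID -> id, as idmap_rid does it: id = rid - base_rid + low_id,
# rejected (UNMAPPED) when the result falls outside [low_id, high_id].
rid_sid_to_id() {
    sid=$1
    set -- $(idmap_row "$(sid_domain "$sid")")
    [ $# -eq 5 ] || { echo UNKNOWN_DOMAIN; return 1; }
    id=$(( $(sid_rid "$sid") - $3 + $4 ))
    if [ "$id" -lt "$4" ] || [ "$id" -gt "$5" ]; then
        echo UNMAPPED; return 1
    fi
    echo "$id"
}

# id -> SID for a named domain (the reverse formula).
rid_id_to_sid() {
    domain=$1 id=$2
    set -- $(idmap_row "$domain")
    [ $# -eq 5 ] || { echo UNKNOWN_DOMAIN; return 1; }
    if [ "$id" -lt "$4" ] || [ "$id" -gt "$5" ]; then
        echo OUT_OF_RANGE; return 1
    fi
    echo "$2-$(( id - $4 + $3 ))"
}

# Domain(s) whose range contains a numeric id. More than one line here
# means a reverse lookup (wbinfo -G / -S) of that id is ambiguous.
domains_for_id() {
    printf '%s\n' "$IDMAP_TABLE" | awk -v id="$1" 'NF && id >= $4 && id <= $5 { print $1 }'
}

# Pairwise overlap check over the whole table: prints clashing pairs
# and returns 1 if any exist.
check_ranges() {
    printf '%s\n' "$IDMAP_TABLE" | awk '
        NF { n++; name[n] = $1; lo[n] = $4; hi[n] = $5 }
        END {
            bad = 0
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        print name[i] " and " name[j] " overlap"; bad = 1
                    }
            exit bad
        }'
}

# Stand-alone demo: Domain Users (RID 513) of PERSONALE, and back again.
rid_sid_to_id S-1-5-21-2162351890-1506888927-3107636301-513
rid_id_to_sid PERSONALE 100013
check_ranges && echo "ranges are disjoint"
```

Because every server applies the same formula to the same SID, two hosts with identical idmap lines agree on every uid and gid, which is what NFS clients need; a third SID from a domain not in the table (like the one wbinfo -G returned above) is reported as UNKNOWN_DOMAIN rather than silently given a number.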
Re: [Samba] Preventing brute force password attacks
On 17/04/2012 22:50, Robert Heller wrote:
> What *exactly* do you want to accomplish here? Do you really want to ban machines on your LAN from accessing your (office) server?

Not a bad idea. In the good old times, a firewall was enough to keep the bad guys out. But now you can find you're hosting some botnet zombies on PCs that only had web access. And once a PC is a zombie, it's really easy for an attacker to use it like you'd use a VPN server. BTW, probably the botmaster will already have a valid share password (stolen from the user), but if not he'll probably try to attack other machines from the LAN.

BYtE,
 Diego.
[Samba] Restricting access to [homes]
Hi all.

Is it just me or there's no way to restrict access to the [homes] share to members of an AD group? Or is it treated like an ordinary Unix group via Winbind mapping? If I use valid users = %S (to give access to the home only to the owner), every domain user (worse: every user in any trusted domain) can access his/her own share... if the path exists.

That leads to the second problem: is it possible to automatically create the home dir if it's missing (w/o requiring the user to log on to the server)? Sort of pam_mkhomedir for shares...

I have to handle laboratories w/ a lot of students, and pre-creating homes would be impractical, while giving access to everybody in the university is a waste of resources...

TIA,
 Diego.
Re: [Samba] Samba4 high cpu load[SOLVED]
On 05/04/2012 09:39, steve wrote:
> Are we losing anything (on a server) by not having the stuff we've removed? I don't think so.

Yes: the ability to use a TPM (or other HW keystore like smartcards) as the private key store -- if your server gets compromised, all the keys/certs on it must be revoked and re-issued. But probably you aren't interested in such a thing.

BTW I agree that 5 minutes is really too much time (much more than needed to generate a 2048-bit RSA key on a smartcard!).

BYtE,
 Diego.
Re: [Samba] Domain users are losing their groups after some time.
On 16/03/2012 11:39, Benedikt Schindler wrote:
> did you also have trusted domains? Maybe it is a problem with the trusted domains. I found these lines in my log. I don't know if they are connected to our problem:

Well, I can't even authenticate users from trusted domains (I get a 'domain is not local to KDC' message)...

BYtE,
 Diego
Re: [Samba] Samba4 how to remove a machine from the domain
On 08/03/2012 15:47, steve wrote:
> How do I remove a machine which is no longer connected to the domain? e.g. it has been stolen or just moved without having unjoined before. I want to be able to replace the machine with a new box with the same hostname.

Join another machine w/ the same name -- that should change the machine account's password so the stolen one can't reconnect any more. But to be absolutely sure, join it, use net ads leave (that removes the machine account from AD) and rejoin it.

Just my two cents...

BYtE,
 Diego.
Re: [Samba] Can ntlm_auth version 3.5.10 be used to perform ntlmv2 authentication against a w2008 DC?
On 03/03/2012 08:04, Andrew Bartlett wrote:
>> I've recently set up a Squeeze box with FR and samba. Have had to use the backports repo since 3.5.6 didn't work and (IIRC) even 3.5.10 gave troubles. Upgrading to 3.5.11 solved it.
> The big issue here is that MSCHAPv2 is not NTLMv2. It is only a little more secure than NTLM.

There is a flag in logon_parameters, and FR runs ntlm_auth to obtain the NT key. So, IIUC, it should do an NTLMv2 auth in the last step. Am I wrong?

BYtE,
 Diego.
Re: [Samba] Can ntlm_auth version 3.5.10 be used to perform ntlmv2 authentication against a w2008 DC?
On 01/03/2012 22:09, Glenn Machin wrote:
> I am using freeradius2 which then calls ntlm_auth passing the nt-response and challenge generated as part of the peap mschapv2 exchange. However it does not seem to want to work. The version of samba I am using is samba3x-3.5.10.

I've recently set up a Squeeze box with FR and samba. Have had to use the backports repo since 3.5.6 didn't work and (IIRC) even 3.5.10 gave troubles. Upgrading to 3.5.11 solved it.

BYtE,
 Diego.
Re: [Samba] Error accessing others domains in forest
On 23/02/2012 15:36, NdK wrote:
> Hi all.

No one has an idea? I'm still banging my head against the wall (and some cracks in the concrete are becoming quite large...).

> After the last update (from winbind-3.5.3 and krb5-1.8.1 to winbind-3.5.10 and krb5-1.9.1) users from a trusted domain can't authenticate any more. Machines are joined to domain PERSONALE, and users from domain STUDENTI aren't recognized. Domains are handled by W2k8 or W2k8r2 (I have no control over these).

Today, first day with students, about 50 couldn't log in but 3 succeeded. That's really strange, since all PCs have the same config files (they're cloned from a single machine).

Please help! Any idea can be useful!

PS: I tried, while configuring the initial machine, setting

  idmap domains = PERSONALE STUDENTI
  idmap config PERSONALE:default = no
  idmap config STUDENTI:default = yes

in smb.conf to try letting students log in without the need to specify studenti\ in front of their name. Obviously it didn't work. Is it something I didn't understand or a bug?

BYtE,
 Diego.
[Samba] Error accessing others domains in forest
Hello all.

After the last update (from winbind-3.5.3 and krb5-1.8.1 to winbind-3.5.10 and krb5-1.9.1) users from a trusted domain can't authenticate any more. Machines are joined to domain PERSONALE, and users from domain STUDENTI aren't recognized. Domains are handled by W2k8 or W2k8r2 (I have no control over these).

Last lines from /var/log/samba/log.wb-STUDENTI report:

  [2012/02/23 10:42:20.205656, 3] libads/sasl.c:793(ads_sasl_spnego_bind)
    ads_sasl_spnego_bind: got server principal name = edge$@STUDENTI.DIR.UNIBO.IT
  [2012/02/23 10:42:20.239823, 1] libsmb/clikrb5.c:789(ads_krb5_mk_req)
    ads_krb5_mk_req: smb_krb5_get_credentials failed for ldap/edge.studenti.dir.unibo...@studenti.dir.unibo.it (Realm not local to KDC)
  [2012/02/23 10:42:20.311687, 1] libsmb/clikrb5.c:789(ads_krb5_mk_req)
    ads_krb5_mk_req: smb_krb5_get_credentials failed for ldap/edge.studenti.dir.unibo...@studenti.dir.unibo.it (Realm not local to KDC)
  [2012/02/23 10:42:20.311765, 0] libads/sasl.c:823(ads_sasl_spnego_bind)
    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Realm not local to KDC
  [2012/02/23 10:42:20.312246, 1] winbindd/winbindd_ads.c:126(ads_cached_connection)
    ads_connect for domain STUDENTI failed: Realm not local to KDC
  [2012/02/23 11:04:15.428341, 3] winbindd/winbindd_dual.c:53(child_read_request)
    child_read_request: read_data failed: NT_STATUS_END_OF_FILE

'edge' is one of the DCs of the STUDENTI domain, but it seems the PC can't acquire a ticket for that domain. The machine is correctly joined, and actually my employee account works. But not the student one :(

  [root@str00160-bibl4 ~]# wbinfo -i studenti\\diego.zuccato2
  Could not get info for user studenti\diego.zuccato2
  [root@str00160-bibl4 ~]# wbinfo -i diego.zuccato
  diego.zuccato:*:108036:100013:Mat032398:/home/PERSONALE/diego.zuccato:/bin/bash

I already tried deleting all .tdb files (in /etc/samba and /var/cache/samba) and rejoining (some hiccups here, but net ads testjoin reports the join is OK).

My /etc/samba/smb.conf is the same that worked for a couple of years:

  [global]
  workgroup = PERSONALE
  realm = PERSONALE.DIR.UNIBO.IT
  server string = %v
  security = ADS
  encrypt passwords = Yes
  #password server = atu.personale.dir.unibo.it
  log file = /var/log/samba/log.%m
  log level = 3
  max log size = 50
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  local master = No
  dns proxy = No
  #winbind separator = -
  winbind enum users = No
  winbind enum groups = No
  winbind offline logon = Yes
  winbind nested groups = Yes
  winbind normalize names = Yes
  winbind refresh tickets = Yes
  winbind use default domain = yes
  winbind uid = 10-1
  winbind gid = 10-1
  idmap config PERSONALE:backend = rid
  idmap config PERSONALE:base_rid = 500
  idmap config PERSONALE:range = 10 - 4999
  idmap config STUDENTI:backend = rid
  idmap config STUDENTI:base_rid = 500
  idmap config STUDENTI:range = 5000 -
  template homedir = /home/local/%D/%U
  template shell = /bin/bash

And the same for my /etc/krb5.conf (but I think this one gets ignored):

  [logging]
   default = FILE:/var/log/kerberos/krb5libs.log
   kdc = FILE:/var/log/kerberos/krb5kdc.log
   admin_server = FILE:/var/log/kerberos/kadmind.log
  [libdefaults]
   ticket_lifetime = 24000
   default_realm = PERSONALE.DIR.UNIBO.IT
   dns_lookup_realm = true
   dns_lookup_kdc = true
  [realms]
   PERSONALE.DIR.UNIBO.IT = {
    kdc = aki.PERSONALE.DIR.UNIBO.IT:88
    admin_server = aki.PERSONALE.DIR.UNIBO.IT:749
    default_domain = PERSONALE.DIR.UNIBO.IT
   }
  [domain_realm]
   .PERSONALE.DIR.UNIBO.IT = PERSONALE.DIR.UNIBO.IT
  [kdc]
   profile = /etc/kerberos/krb5kdc/kdc.conf
  [login]
   krb4_convert = false
   krb4_get_tickets = false
  [appdefaults]
   pam = {
    debug = true
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = true
    mappings = ([a-z\.]*)@studio.unibo.it STUDENTI-$1
   }

Too bad I already upgraded more than 60 machines to the new packages... What can I do to fix it? Next week students start coming to the lab...

TIA!

BYtE,
 Diego.
Re: [Samba] A couple of quick questions
On 20/02/2012 17:20, Daniel Patrick Sullivan wrote:
> The first is;
> 1) Is it possible to deterministically set the domain name that will be used when the winbind use default domain = Yes option is configured in /etc/samba/smb.conf? I want to set a default domain, however I do not want the default domain to reflect the domain membership of the server. I do not see this in the documentation, although I admittedly haven't looked *that* hard.

That would be useful to me, too. I tried setting

  idmap config STUDENTI:default = yes

w/o results (the machine is joined to the PERSONALE domain).

> 2) I am using a configuration line such as the following to restrict access;
>
>   winbind use default domain = Yes
>   auth requisite pam_succeed_if.so user ingroup AD\org_cri_cri_galaxy_administrators debug
>
> This is working all fine and good, although I would like to actually have another group. It seems that whenever I add another similar line the pam auth bombs out after the first failure. Is it possible to restrict authorization to multiple groups in this manner?

I think it can check only one group, but that's not a problem: just create a group (whose membership you'll check) that contains the other groups you want to enable access for. I usually do that for users allowed to access a machine: a 'machinename-authorized' group that contains the 'lab-administrators' group and the users/groups allowed to access that machine. This way I can be sure 'lab-administrators' are allowed access.

BYtE,
 Diego.
[Samba] Searching in AD
Hello all.

I only recently discovered 'net ads search'. But it seems '-P' can only be used by root, while I'd need to let the 'radius' user do searches. Is it dangerous if I make it rw for the 'radius' group (or a new group I'll make the 'radius' user a member of)? Any other solution, that maybe lets me have on output just the result (or an empty line if no results)?

Tks,
 Diego.
Re: [Samba] wireless
On 14/12/2011 14:06, anna-karin.bur...@bjurholm.se wrote:
> At this school I am working we are setting up a wireless network. What would be the best way to set up the system to this network? How should we log in to Samba? What should I consider. The wireless system has already been purchased by people who have left.

If those APs support WPA2-Enterprise, just set up a FreeRadius server to use ntlm_auth for authenticating users.

What do you mean exactly with "log in to Samba"? Do you have a print server? A file server? A mail server? A web server? Every kind of server requires its own auth... but it might not be too hard to make an SSO (single-sign-on) system, so that the user only gives his credentials once for the whole session.

BYtE,
 Diego.
Re: [Samba] VFS ACL modules - question to developers
On 05/12/2011 19:27, Jeremy Allison wrote:
> If we didn't do this NFS access or local process access would completely ignore the Windows permissions (which is not what most people want).

Then why not drop TDB storage of permissions completely and rely on the filesystem alone? Denormalization is (usually) bad...

BYtE,
 Diego.
Re: [Samba] Failing identification of users in trusted domains?
On 30/11/2011 08:53, NdK wrote:
> Hi all.
>
> I'm getting mad at this. I use winbind to authenticate users in multiple domains from AD. The config worked well, before upgrading from 3.5.3 to 3.5.10 in Mandriva. Now, if I 'winbind -i user.name' (so using the joined domain PERSONALE) I get the correct info, but if I do a 'winbind -i STUDENTI\\another.name' the answer is a 'Could not get info for user STUDENTI\another.name'... On other machines, the same config works well.
>
> I already tried uninstalling samba (both -winbind and -common), removing /etc/samba, /var/cache/samba and /var/lib/samba then reinstalling after copying /etc/samba/smb.conf from a working machine and rejoining.
>
> Doing a tail -f /var/log/samba/* I could see the following:
>
>   [2011/11/28 11:43:51.053242, 10] winbindd/winbindd_cache.c:536(refresh_sequence_number)
>     refresh_sequence_number: PERSONALE time ok
>   [2011/11/28 11:43:51.053578, 10] winbindd/winbindd_cache.c:581(refresh_sequence_number)
>     refresh_sequence_number: PERSONALE seq number is now 343528996
>   [2011/11/28 11:43:51.053681, 10] winbindd/winbindd_cache.c:913(wcache_save_name_to_sid)
>     wcache_save_name_to_sid: STUDENTI\DIEGO.ZUCCATO2 -> S-1-5-21-790525478-1035525444-682003330-86279 (NT_STATUS_OK)
>   [2011/11/28 11:43:51.053756, 10] winbindd/winbindd_cache.c:935(wcache_save_sid_to_name)
>     wcache_save_sid_to_name: S-1-5-21-790525478-1035525444-682003330-86279 -> diego.zuccato2 (NT_STATUS_OK)
>   [2011/11/28 11:43:51.053805, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
>     wbint_LookupName: struct wbint_LookupName
>       out: struct wbint_LookupName
>         type   : *
>           type   : SID_NAME_USER (1)
>         sid    : *
>           sid    : S-1-5-21-790525478-1035525444-682003330-86279
>         result : NT_STATUS_OK
>   [2011/11/28 11:43:51.053997, 4] winbindd/winbindd_dual.c:1532(fork_domain_child)
>     Finished processing child request 63
>   [2011/11/28 11:43:51.054045, 10] winbindd/winbindd_dual.c:1548(fork_domain_child)
>     Writing 3532 bytes to parent
>   [2011/11/28 11:43:51.054113, 10] lib/events.c:183(get_timed_events_timeout)
>
>   ==> log.winbindd <==
>   [2011/11/28 11:43:51.054550, 5] winbindd/winbindd_getpwnam.c:138(winbindd_getpwnam_recv)
>     Could not convert sid S-1-5-21-790525478-1035525444-682003330-86279: NT_STATUS_UNSUCCESSFUL
>   [2011/11/28 11:43:51.054670, 10] winbindd/winbindd.c:655(wb_request_done)
>     wb_request_done[17597:GETPWNAM]: NT_STATUS_UNSUCCESSFUL
>
> It seems my account in STUDENTI gets written to the cache, but then winbind doesn't read it back. And why is the name all upper case when I wrote it lower case?
>
> Any hints? Tks!

No one w/ an idea? :(

BYtE,
 Diego.
[Samba] Failing identification of users in trusted domains?
Hi all.

I'm getting mad at this. I use winbind to authenticate users in multiple domains from AD. The config worked well, before upgrading from 3.5.3 to 3.5.10 in Mandriva. Now, if I 'winbind -i user.name' (so using the joined domain PERSONALE) I get the correct info, but if I do a 'winbind -i STUDENTI\\another.name' the answer is a 'Could not get info for user STUDENTI\another.name'... On other machines, the same config works well.

I already tried uninstalling samba (both -winbind and -common), removing /etc/samba, /var/cache/samba and /var/lib/samba then reinstalling after copying /etc/samba/smb.conf from a working machine and rejoining.

Doing a tail -f /var/log/samba/* I could see the following:

  [2011/11/28 11:43:51.053242, 10] winbindd/winbindd_cache.c:536(refresh_sequence_number)
    refresh_sequence_number: PERSONALE time ok
  [2011/11/28 11:43:51.053578, 10] winbindd/winbindd_cache.c:581(refresh_sequence_number)
    refresh_sequence_number: PERSONALE seq number is now 343528996
  [2011/11/28 11:43:51.053681, 10] winbindd/winbindd_cache.c:913(wcache_save_name_to_sid)
    wcache_save_name_to_sid: STUDENTI\DIEGO.ZUCCATO2 -> S-1-5-21-790525478-1035525444-682003330-86279 (NT_STATUS_OK)
  [2011/11/28 11:43:51.053756, 10] winbindd/winbindd_cache.c:935(wcache_save_sid_to_name)
    wcache_save_sid_to_name: S-1-5-21-790525478-1035525444-682003330-86279 -> diego.zuccato2 (NT_STATUS_OK)
  [2011/11/28 11:43:51.053805, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
    wbint_LookupName: struct wbint_LookupName
      out: struct wbint_LookupName
        type   : *
          type   : SID_NAME_USER (1)
        sid    : *
          sid    : S-1-5-21-790525478-1035525444-682003330-86279
        result : NT_STATUS_OK
  [2011/11/28 11:43:51.053997, 4] winbindd/winbindd_dual.c:1532(fork_domain_child)
    Finished processing child request 63
  [2011/11/28 11:43:51.054045, 10] winbindd/winbindd_dual.c:1548(fork_domain_child)
    Writing 3532 bytes to parent
  [2011/11/28 11:43:51.054113, 10] lib/events.c:183(get_timed_events_timeout)

  ==> log.winbindd <==
  [2011/11/28 11:43:51.054550, 5] winbindd/winbindd_getpwnam.c:138(winbindd_getpwnam_recv)
    Could not convert sid S-1-5-21-790525478-1035525444-682003330-86279: NT_STATUS_UNSUCCESSFUL
  [2011/11/28 11:43:51.054670, 10] winbindd/winbindd.c:655(wb_request_done)
    wb_request_done[17597:GETPWNAM]: NT_STATUS_UNSUCCESSFUL

It seems my account in STUDENTI gets written to the cache, but then winbind doesn't read it back. And why is the name all upper case when I wrote it lower case?

Any hints? Tks!

BYtE,
 Diego.
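Both log excerpts on this page (the 'Realm not local to KDC' entries from log.wb-STUDENTI and the GETPWNAM NT_STATUS_UNSUCCESSFUL entries above) become much easier to triage once Samba's two-line entries (a "[date time, level] file:line(function)" header followed by an indented message) are joined and filtered. The shell below is an added example, not from the posts: its sample entries are reconstructed from the excerpts quoted in the two threads in that header-plus-message layout, and the failure heuristic (level 0 or 1, a message containing "failed", or an NT_STATUS code other than NT_STATUS_OK) is my own choice rather than anything Samba defines.

```shell
#!/bin/sh
# Added example, not code from the threads: parse Samba/winbind log
# entries, list the ones that signal trouble and count them by reason.
# SAMPLE_LOG is reconstructed from the excerpts quoted on this page,
# laid out as Samba 3 writes them (header line, then message line).

SAMPLE_LOG='[2012/02/23 10:42:20.205656,  3] libads/sasl.c:793(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got server principal name = edge$@STUDENTI.DIR.UNIBO.IT
[2012/02/23 10:42:20.239823,  1] libsmb/clikrb5.c:789(ads_krb5_mk_req)
  ads_krb5_mk_req: smb_krb5_get_credentials failed for ldap/edge.studenti.dir.unibo...@studenti.dir.unibo.it (Realm not local to KDC)
[2012/02/23 10:42:20.311765,  0] libads/sasl.c:823(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Realm not local to KDC
[2012/02/23 10:42:20.312246,  1] winbindd/winbindd_ads.c:126(ads_cached_connection)
  ads_connect for domain STUDENTI failed: Realm not local to KDC
[2011/11/28 11:43:51.053681, 10] winbindd/winbindd_cache.c:913(wcache_save_name_to_sid)
  wcache_save_name_to_sid: STUDENTI\DIEGO.ZUCCATO2 -> S-1-5-21-790525478-1035525444-682003330-86279 (NT_STATUS_OK)
[2011/11/28 11:43:51.054550,  5] winbindd/winbindd_getpwnam.c:138(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-790525478-1035525444-682003330-86279: NT_STATUS_UNSUCCESSFUL
[2011/11/28 11:43:51.054670, 10] winbindd/winbindd.c:655(wb_request_done)
  wb_request_done[17597:GETPWNAM]: NT_STATUS_UNSUCCESSFUL'

# Join each header with its message line(s) and print one TAB-separated
# record per entry: date, time, level, function, message.
samba_log_entries() {
    awk '
        function emit() { if (hdr != "") print hdr "\t" msg; hdr = ""; msg = "" }
        /^\[[0-9][0-9][0-9][0-9]\/[0-9][0-9]\/[0-9][0-9] / {
            emit()
            match($0, /\]/)
            head = substr($0, 2, RSTART - 2)      # "2012/02/23 10:42:20.205656,  3"
            rest = substr($0, RSTART + 2)         # "libads/sasl.c:793(ads_sasl_spnego_bind)"
            split(head, h, /, */); split(h[1], dt, " ")
            fn = rest; sub(/^.*\(/, "", fn); sub(/\).*$/, "", fn)
            hdr = dt[1] "\t" dt[2] "\t" h[2] "\t" fn
            next
        }
        { sub(/^[ \t]+/, ""); msg = (msg == "" ? $0 : msg " " $0) }
        END { emit() }
    '
}

# Keep the entries that signal trouble: level 0 or 1, a message
# containing "failed", or an NT_STATUS code other than NT_STATUS_OK.
samba_log_failures() {
    samba_log_entries | awk -F '\t' '
        $3 <= 1 || $5 ~ /failed/ || ($5 ~ /NT_STATUS_/ && $5 !~ /NT_STATUS_OK/)'
}

# Count failures by reason: the trailing "(...)" of the message if there
# is one, otherwise the text after the last ": ". Most frequent first.
samba_log_reasons() {
    samba_log_failures | awk -F '\t' '
        {
            m = $5
            if (match(m, /\([^()]*\)$/)) r = substr(m, RSTART + 1, RLENGTH - 2)
            else { n = split(m, p, /: /); r = p[n] }
            c[r]++
        }
        END { for (r in c) print c[r] "\t" r }' | sort -rn
}

# Stand-alone demo over the reconstructed sample.
printf '%s\n' "$SAMPLE_LOG" | samba_log_reasons
```

Run against a real log.wb-DOMAIN or log.winbindd with `samba_log_reasons < /var/log/samba/log.wb-STUDENTI`; a single reason dominating the output (here the KDC realm error) points at the trust or Kerberos layer rather than at the idmap configuration.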