[Samba] Forcing clients to use NTLMv2 in 3.6.12
All,

I need to force XP clients to use NTLMv2 when mapping to samba 3.6.12. My config is:

    ntlm auth = No
    client NTLMv2 auth = Yes
    client lanman auth = No
    client plaintext auth = No
    lanman auth = No

XP systems can still map shares with the above config. If I add:

    max protocol = SMB2
    min protocol = SMB2

W7 systems map shares, XP systems cannot map shares even if I change LAN Manager authentication level to: Send NTLMv2 response only or Send NTLMv2 response only\refuse LM NTLM.

Any ideas?

-Kevin

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] 3.6.12 build
All,

I'm still struggling to get samba 3.6.12 built on a Solaris 8 sparc system. I built openldap 2.4.35 with --disable-ipv6 --disable-bdb --disable-hdb --disable-mdb --enable-passwd.

I built samba with:

    ./configure -prefix=/opt/XRX --exec-prefix=/opt/XRX \
      --with-configdir=/etc/samba --with-privatedir=/etc/samba/private \
      --with-lockdir=/var/samba/locks --with-statedir=/var/samba/locks \
      --with-cachedir=/var/samba/locks --with-piddir=/var/run \
      --with-logfilebase=/var/samba/log --with-static-modules=vfs_solarisacl \
      --with-shared-modules=vfs_prealloc,vfs_cacheprime,vfs_commit,idmap_ldap,idmap_tdb2,idmap_rid,idmap_ad,idmap_hash,idmap_adex \
      --enable-shared --with-readline --with-acl-support --with-aio-support \
      --with-pam --with-automount --with-dnsupdate=no --with-ldap \
      --with-winbind --with-ads

Samba fails during configure:

    checking for LDAP support... yes
    checking ldap.h usability... yes
    checking ldap.h presence... yes
    checking for ldap.h... yes
    checking lber.h usability... yes
    checking lber.h presence... yes
    checking for lber.h... yes
    checking for ber_tag_t... yes
    checking for ber_scanf in -llber... no
    checking for ber_sockbuf_add_io... no
    checking for LDAP_OPT_SOCKBUF... yes
    checking for LBER_OPT_LOG_PRINT_FN... yes
    checking for ldap_init in -lldap... yes
    checking for ldap_set_rebind_proc... yes
    checking whether ldap_set_rebind_proc takes 3 arguments... 3
    checking for ldap_initialize... no
    checking whether LDAP support is used... yes
    checking for Active Directory and krb5 support... yes
    checking for ldap_initialize... (cached) no
    configure: error: Active Directory support requires ldap_initialize

-Kevin
[Samba] Building 3.6.12
All,

I'm trying to build Samba 3.6.12 on Solaris 8 sparc using studio 12. Is this the correct forum to ask questions? This is my first build so any tips/tricks are appreciated. What are the prerequisites to get samba to compile so that it will join an AD domain?

TIA,
-Kevin
Re: [Samba] Building 3.6.12
I can patch Solaris 10 to get Samba 3.6.12 and it takes about 5 mins to complete. I know moving off Solaris 8 would be the best path to take; however, it's not my decision to make...

-Kevin
[Samba] Build 3.6.12 on Solaris 8
All,

I need to build samba 3.6.12 on solaris 8 using studio 12. Has anyone accomplished this and willing to share tips, tricks, or notes?

-Kevin
[Samba] /var/samba/locks/smb_krb5/krb5.conf.DOM
All,

I am running Solaris 10 and Samba 3.6.6. We use intelligent DNS and have more than 10 ADs. In /etc/krb5/krb5.conf I configure kdc and admin_server to point to the IDNS server so any one of our functioning ADs can be used dynamically.

I've noticed that /var/samba/locks/smb_krb5/krb5.conf.DOM gets created when net ads join is run. I've also noticed that the kdc is set to an IP address and appears to be dynamic. Can someone tell me what/how this file is controlled and if there are smb.conf settings to manually control this file?

TIA,
-Kevin
[Samba] Error creating host keytab
I am running Samba 3.0.35. When I run net ads join or net ads keytab create I see that the keytab file cannot be created. Here's a portion of the log:

    [2013/03/20 07:57:50, 3] libads/kerberos.c:(337)
      kerberos_secrets_store_des_salt: Storing salt host/pitviper.DOMAIN@REALM
    [2013/03/20 07:57:50, 2] libads/kerberos_keytab.c:(260)
      ads_keytab_add_entry: Using default system keytab: FILE:/etc/krb5/krb5.keytab
    [2013/03/20 07:57:50, 3] libads/kerberos_keytab.c:(184)
      smb_krb5_kt_add_entry: adding keytab entry for (host/pitviper.DOMAIN@REALM) with encryption type (1) and version (8)
    [2013/03/20 07:57:50, 1] libads/kerberos_keytab.c:(189)
      smb_krb5_kt_add_entry: adding entry to keytab failed (Cannot write to specified key table)
    [2013/03/20 07:57:50, 1] libads/kerberos_keytab.c:(346)
      ads_keytab_add_entry: Failed to add entry to keytab file
    [2013/03/20 07:57:50, 1] libads/kerberos_keytab.c:(508)
      ads_keytab_create_default: ads_keytab_add_entry failed while adding 'host'.
    [2013/03/20 07:57:50, 1] utils/net_ads.c:(1647)
      Error creating host keytab!
    Joined 'PITVIPER' to realm 'REALM'
    [2013/03/20 07:57:50, 2] utils/net.c:(1075)
      return code = 0

I've tried creating /etc/krb5/krb5.keytab with no luck. Any ideas?

TIA
-Kevin
[Samba] Samba 3.6.6 authentication
Can anyone tell me if Kerberos is a requirement for windows server 2008R2 AD NTLM or NTLMv2 authentication?

TIA,
-Kevin
[Samba] Authentication in 2008R2 AD
What is the earliest version of Samba that will authenticate in a native 2008R2 AD? Is Kerberos a requirement to authenticate to native 2008R2 AD?

TIA,
-Kevin
[Samba] username map is not functioning
All,

When the company upgraded AD from 2003 to 2008R2 users lost the ability to access Samba shares without being prompted for a password. I've upgraded Samba from 3.0.30 to 3.6.6. I would like to continue using username map to map my users however it appears the map is being ignored. The only way I can get this config to work is by adding an account that matches the unix account using smbpasswd. Any ideas?

    [global]
    bind interfaces only= Yes
    case sensitive = Yes
    comment = Global Definitions
    create mask = 0775
    directory mask = 0775
    follow symlinks = No
    guest account = ftp
    guest ok= No
    host msdfs = No
    hosts allow = 13.,127.
    hosts deny = ALL
    idmap config * : backend = tdb
    interfaces = nge0,lo0
    kernel oplocks = No
    level2 oplocks = No
    map to guest= Bad UID
    max disk size = 131072
    oplocks = No
    preserve case = Yes
    unix extensions = No
    lm announce = No
    local master= No
    max protocol= SMB2
    min protocol= NT1
    name resolve order = host,bcast,wins,lmhosts
    netbios name= TYRELL
    security= DOMAIN
    username map= /etc/samba/users.map
    wins server = xxx.xxx.xxx.xxx
    workgroup = DOMAINNAME
    log file= /var/samba/log/log.%m
    log level = 4
    syslog = 2

    [ColorQube]
    path= /ColorQube
    writeable = Yes
    browseable = Yes
    create mask = 666
    directory mask = 777
    directory security mask = 777
    inherit permissions = Yes
    guest ok= Yes

    [read]
    fake oplocks= Yes
    path

Thanks in advance.

-Kevin
Re: [Samba] username map is not functioning
This appears to be an IDMAP username mapping issue not an issue with the username map file. I think this is not an issue with the username map file.

Thanks for the reply.

-Kevin

> On Mon, 11 Mar 2013, Kevin Shaw wrote:
>
>> When the company upgraded AD from 2003 to 2008R2 users lost the ability to access Samba shares without being prompted for a password. I've upgraded Samba from 3.0.30 to 3.6.6. I would like to continue using username map to map my users however it appears the map is being ignored. The only way I can get this config to work is by adding an account that matches the unix account using smbpasswd. Any ideas?
>
> This sounds to me like Samba bug 8881. It isn't clear to me that anyone in the Samba team cares enough about this bug to get it fixed.
>
> https://bugzilla.samba.org/show_bug.cgi?id=8881
>
> --
> 73, Ged.
[Samba] Trying to understand authentication
I am running Solaris 10 u8 running Samba 3.6.6. Windows server 2008R2 runs AD. I don't understand samba authentication and hope someone might be able to help me understand the process.

The following configuration appears to be functional. NIS is running and Winbind is not. Pam.conf has not been touched. Nsswitch.conf has the default configuration for nis. Pdbedit -Lv shows no users.

How are domain users authenticating to my Samba server? I'm guessing that net rpc join had something to do with it?

    [global]
    bind interfaces only= Yes
    case sensitive = Yes
    comment = Global Definitions
    create mask = 0775
    directory mask = 0775
    follow symlinks = No
    guest account = ftp
    guest ok= No
    host msdfs = No
    hosts allow = 13.,127.
    hosts deny = ALL
    idmap config * : backend = tdb
    interfaces = nge0,lo0
    kernel oplocks = No
    level2 oplocks = No
    map to guest= Bad UID
    max disk size = 131072
    oplocks = No
    preserve case = Yes
    unix extensions = No
    lm announce = No
    local master= No
    max protocol= SMB2
    min protocol= NT1
    name resolve order = host,bcast,wins,lmhosts
    netbios name= SERVER
    security= DOMAIN
    username map= /etc/samba/users.map
    wins server = xxx.xxx.xxx.xxx
    workgroup = DOMAINNAME
    log file= /var/samba/log/log.%m
    log level = 4
    syslog = 2

    [ColorQube]
    path= /ColorQube
    writeable = Yes
    browseable = Yes
    create mask = 666
    directory mask = 777
    directory security mask = 777
    inherit permissions = Yes
    guest ok= Yes

    [read]
    fake oplocks= Yes
    path

TIA,
-Kevin
[Samba] New Samba PDC for medium-sized mixed client domain
Hi all,

I've recently inherited sysadmin duties for what is currently a badly-networked hodgepodge of Windows XP and 7 machines (currently about 50, but slowly growing). I would like to tie them to a domain, and we have a separate requirement for a common staff fileshare. We have a third-party contractor quoting later this week for what I suspect will be a Windows Server based network, and I would like to be able to propose a Samba-based alternative.

I have used Samba before personally, but only for providing fileshares, never for authentication. Is Samba 3 suitable for the role I have in mind, or would I need Samba 4? Can someone give me the current state of play for Samba 4? I understand from the wiki that it is not generally recommended for production use, though it would appear that some people are running it thus - can anyone give me an indication of its stability?

Additionally, I would also like to be able to reduce licence fee costs by using Linux-based workstations for new staff members whenever possible. Can someone point me towards a decent howto or tutorial for joining a Linux client to a Samba domain? All the examples I've seen seem to be for connecting Windows to a Samba DC, or Linux to a Windows DC.

Many thanks.

-Andy Shaw
Re: [Samba] New Samba PDC for medium-sized mixed client domain
Daniel Müller wrote:

> First of all you should know what you want, a nt-style Domain or a ADS!?

Well, if it's practical at this point, I'd be happier running an ADS - in particular, unless I've missed something, this would enable me to set group policies for the client machines, which is potentially quite useful. I suppose the question, then, is the S4+S3 combination production-ready?

> The next step is, you can substitute Exchange with OPENCHANGE/SOGo as part of your Samba4 ads.

Fortunately, email is currently a completely separate system, hosted off-site, so I don't immediately need to worry about it :) Hadn't heard of the Openchange project before, though - will look into it with interest.

> Good Luck
> Daniel

Thanks! I meant to mention before, by the way, that I obviously do intend to set up a test network rather than sticking any solution straight into production, so there shouldn't be any concerns on that score.

-Andy Shaw
[Samba] Re: Windows client does not recognize password change...
Hello,

Does anyone have any suggestions on how I might troubleshoot this issue? I haven't heard any suggestions and I'd really like to solve this. I've googled this and every email that has the same No such attribute - modify/delete: sambaPwdMustChange error message has no response to it. So, if anyone has any suggestions, I'm all ears!

Thank you,
Jason

Jason Shaw wrote:

> Hello!
>
> SuSE Linux 10.0
> Samba 3.0.20b
> OpenLDAP backend
> IDEALX scripts v0.9.2
> Windows XP SP2 client
>
> Everything seems to be working except when changing your password from the Windows client (CTRL-ALT-DEL and Change password). When I try to change the password I get the following error message.
>
>     The User name or old password is incorrect. Letters in passwords must be typed using the correct case.
>
> But the kicker is that the PDC *did* change both Linux and Windows passwords; the client machine is saying there's an error when the password was changed.
>
> According to the log file for the machine, it looks like it may have failed because it couldn't find the sambaPwdMustChange attribute. But using a LDAP browser, I see that the sambaPwdMustChange is there.
>
> Any suggestions on how to fix this or what the problem may be?
>
> Thank you!
> Jason
>
>     [2006/10/04 13:13:00, 5] passdb/secrets.c:secrets_fetch_trusted_domain_password(325)
>       secrets_fetch failed!
>     [2006/10/04 13:13:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
>       init_sam_from_ldap: Entry found for user: jason
>     [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(83)
>       Looking up login cache for user jason
>     [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(97)
>       No cache entry found
>     [2006/10/04 13:13:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
>       init_sam_from_ldap: Entry found for user: jason
>     [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(83)
>       Looking up login cache for user jason
>     [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(97)
>       No cache entry found
>     [2006/10/04 13:13:12, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1714)
>       ldapsam_update_sam_account: user jason to be modified has dn: uid=jason,ou=People,dc=amiwest,dc=com
>     [2006/10/04 13:13:12, 2] passdb/pdb_ldap.c:init_ldap_from_sam(926)
>       init_ldap_from_sam: Setting entry for user: jason
>     [2006/10/04 13:13:12, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1516)
>       ldapsam_modify_entry: Failed to modify user dn= uid=jason,ou=People,dc=amiwest,dc=com with: No such attribute
>       modify/delete: sambaPwdMustChange: no such value
>     [2006/10/04 13:13:12, 0] passdb/pdb_ldap.c:ldapsam_update_sam_account(1741)
>       ldapsam_update_sam_account: failed to modify user with uid = jason, error: modify/delete: sambaPwdMustChange: no such value (Success)
>     [2006/10/04 13:13:12, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
>       init_sam_from_ldap: Entry found for user: jason
>     [2006/10/04 13:13:12, 7] passdb/login_cache.c:login_cache_read(83)
>       Looking up login cache for user jason
>     [2006/10/04 13:13:12, 7] passdb/login_cache.c:login_cache_read(97)
>       No cache entry found
>     [2006/10/04 13:13:12, 0] libsmb/smbencrypt.c:decode_pw_buffer(540)
>       decode_pw_buffer: incorrect password length (190012133).
>     [2006/10/04 13:13:12, 0] libsmb/smbencrypt.c:decode_pw_buffer(541)
>       decode_pw_buffer: check that 'encrypt passwords = yes'
>
>     dn: uid=jason,ou=People,dc=amiwest,dc=com
>     objectClass: top
>     objectClass: person
>     objectClass: organizationalPerson
>     objectClass: inetOrgPerson
>     objectClass: posixAccount
>     objectClass: shadowAccount
>     objectClass: sambaSamAccount
>     objectClass: sambaSamAccount
>     sambaLogonTime: 0
>     sambaLogoffTime: 2147483647
>     sambaKickoffTime: 2147483647
>     displayName: Jason Shaw
>     sambaPasswordHistory:
>     sambaPwdCanChange: 2
>     sambaAcctFlags: [UX]
>     sambaPwdLastSet: 1159992792
>     sambaPwdMustChange: 1163880792
>     modifiersName: cn=Manager,dc=amiwest,dc=com
>     modifyTimestamp: 20061004201312Z
>     (some stuff cut)
>
> /etc/openldap/slapd.conf:
>
>     access to attr=userPassword,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange
>         by self write
>         by * auth
>
> /etc/samba/smb.conf:
>
>     [global]
>     enable privileges = Yes
>     username map = /etc/samba/smbusers
>     unix password sync = Yes
>     passwd program = /opt/IDEALX/sbin/smbldap-passwd %u
>     passwd chat = *New*password* %n\n *Retype*new*password* %n\n
>     passwd chat debug = Yes
>     encrypt passwords = Yes
>     log level = 1 passdb:7
>     ldap passwd sync = Yes
[Samba] Windows client does not recognize password change...
Hello!

SuSE Linux 10.0
Samba 3.0.20b
OpenLDAP backend
IDEALX scripts v0.9.2
Windows XP SP2 client

Everything seems to be working except when changing your password from the Windows client (CTRL-ALT-DEL and Change password). When I try to change the password I get the following error message.

    The User name or old password is incorrect. Letters in passwords must be typed using the correct case.

But the kicker is that the PDC *did* change both Linux and Windows passwords; the client machine is saying there's an error when the password was changed.

According to the log file for the machine, it looks like it may have failed because it couldn't find the sambaPwdMustChange attribute. But using a LDAP browser, I see that the sambaPwdMustChange is there.

Any suggestions on how to fix this or what the problem may be?

Thank you!
Jason

    [2006/10/04 13:13:00, 5] passdb/secrets.c:secrets_fetch_trusted_domain_password(325)
      secrets_fetch failed!
    [2006/10/04 13:13:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
      init_sam_from_ldap: Entry found for user: jason
    [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(83)
      Looking up login cache for user jason
    [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(97)
      No cache entry found
    [2006/10/04 13:13:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
      init_sam_from_ldap: Entry found for user: jason
    [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(83)
      Looking up login cache for user jason
    [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(97)
      No cache entry found
    [2006/10/04 13:13:12, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1714)
      ldapsam_update_sam_account: user jason to be modified has dn: uid=jason,ou=People,dc=amiwest,dc=com
    [2006/10/04 13:13:12, 2] passdb/pdb_ldap.c:init_ldap_from_sam(926)
      init_ldap_from_sam: Setting entry for user: jason
    [2006/10/04 13:13:12, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1516)
      ldapsam_modify_entry: Failed to modify user dn= uid=jason,ou=People,dc=amiwest,dc=com with: No such attribute
      modify/delete: sambaPwdMustChange: no such value
    [2006/10/04 13:13:12, 0] passdb/pdb_ldap.c:ldapsam_update_sam_account(1741)
      ldapsam_update_sam_account: failed to modify user with uid = jason, error: modify/delete: sambaPwdMustChange: no such value (Success)
    [2006/10/04 13:13:12, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
      init_sam_from_ldap: Entry found for user: jason
    [2006/10/04 13:13:12, 7] passdb/login_cache.c:login_cache_read(83)
      Looking up login cache for user jason
    [2006/10/04 13:13:12, 7] passdb/login_cache.c:login_cache_read(97)
      No cache entry found
    [2006/10/04 13:13:12, 0] libsmb/smbencrypt.c:decode_pw_buffer(540)
      decode_pw_buffer: incorrect password length (190012133).
    [2006/10/04 13:13:12, 0] libsmb/smbencrypt.c:decode_pw_buffer(541)
      decode_pw_buffer: check that 'encrypt passwords = yes'

    dn: uid=jason,ou=People,dc=amiwest,dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: sambaSamAccount
    objectClass: sambaSamAccount
    sambaLogonTime: 0
    sambaLogoffTime: 2147483647
    sambaKickoffTime: 2147483647
    displayName: Jason Shaw
    sambaPasswordHistory:
    sambaPwdCanChange: 2
    sambaAcctFlags: [UX]
    sambaPwdLastSet: 1159992792
    sambaPwdMustChange: 1163880792
    modifiersName: cn=Manager,dc=amiwest,dc=com
    modifyTimestamp: 20061004201312Z
    (some stuff cut)

/etc/openldap/slapd.conf:

    access to attr=userPassword,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange
        by self write
        by * auth

/etc/samba/smb.conf:

    [global]
    enable privileges = Yes
    username map = /etc/samba/smbusers
    unix password sync = Yes
    passwd program = /opt/IDEALX/sbin/smbldap-passwd %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n
    passwd chat debug = Yes
    encrypt passwords = Yes
    log level = 1 passdb:7
    ldap passwd sync = Yes
Re: [Samba] Cases where Samba modifies a file without changing the timestamp?
On Tue, 19 Sep 2006, Marc SCHAEFER wrote:

> apart from the mmap(2)ed DBM files that Samba uses, are there any cases where Samba will *modify* data files without setting the mtime ?
>
> I have issues with rsync not seeing changes to Samba exported files (md5sum don't match). The mtime is however in the very distant past (say 2004), but the content seems to have changed.

Let me guess: these files' names end in the string .XLS, right?

From what I've heard, apparently MS, in their infinite wisdom, decided it would be neat if Excel wrote things into files and then set their modification time back to what it was before modifying the files. To me, the intent behind modification time seems fairly obvious, but apparently some bright person at MS has a different interpretation[1].

I'm not sure if MS has any documentation about this phenomenon, but the Unison folks do mention it in a changelog[2]:

    + Excel files are now handled specially, so that the fastcheck
      optimization is skipped even if the fastcheck flag is set. (Excel
      does some naughty things with modtimes, making this optimization
      unreliable and leading to failures during change propagation.)

- Logan

[1] My guess is that Excel writes lock information into the document's file, and the MS person decided that modification time should be interpreted to apply to the conceptual document rather than the file, but that's just a guess. Or maybe they were somehow forced into it because of http://support.microsoft.com/kb/324491/ .

[2] at https://svn.cis.upenn.edu/svnroot/unison/trunk/src/NEWS .
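The failure mode discussed in this message, shown as an added example that is not code from the thread: a snapshot comparison that hashes file contents and flags files whose bytes changed while size and mtime stayed the same, which is exactly what a size-plus-mtime quick check (rsync's default) will skip. The file names and contents in `demo()` are constructed.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map relative path -> (size, mtime_ns, sha256) for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root)
            snap[rel] = (st.st_size, st.st_mtime_ns, digest.hexdigest())
    return snap


def compare(old, new):
    """Classify files present in both snapshots.

    "silent" = content differs but size and mtime are identical, so a
    metadata-only comparison would treat the file as unchanged.
    """
    result = {"unchanged": [], "changed": [], "silent": []}
    for rel in sorted(old.keys() & new.keys()):
        (osize, omtime, ohash), (nsize, nmtime, nhash) = old[rel], new[rel]
        if ohash == nhash:
            result["unchanged"].append(rel)
        elif (osize, omtime) == (nsize, nmtime):
            result["silent"].append(rel)
        else:
            result["changed"].append(rel)
    return result


def demo():
    """Constructed scenario: one file is rewritten and its old mtime is put back."""
    old_time_ns = 1_095_000_000 * 10**9  # a 2004 timestamp, as in the report above
    with tempfile.TemporaryDirectory() as root:
        contents = {
            "report.xls": b"A" * 64,
            "notes.txt": b"first",
            "readme.txt": b"same",
        }
        for name, data in contents.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(data)
            os.utime(path, ns=(old_time_ns, old_time_ns))
        before = snapshot(root)

        # Same-size rewrite followed by restoring the saved timestamps.
        path = os.path.join(root, "report.xls")
        saved = os.stat(path)
        with open(path, "wb") as fh:
            fh.write(b"B" * 64)
        os.utime(path, ns=(saved.st_atime_ns, saved.st_mtime_ns))

        # Ordinary edit: size and mtime both move.
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"second version")

        after = snapshot(root)
        return compare(before, after)


if __name__ == "__main__":
    print(demo())
```

With rsync itself, the `--checksum` option forces a content comparison instead of the size and mtime quick check.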
Re: [Samba] Home dirs problem
On Tue, 12 Sep 2006, Marian Neagul wrote:

> I have a question about mapping users' home directories to samba. The homedir layout is based on an old one used on NIS+ system. The structure is something like:
>
>     /users
>       /group1
>         /user1
>         /user2
>         ...
>       /group2
>         /user3
>         ...
>       /group3
>         /group3_1
>           /user4
>           ...
>         /group3_2
>           ...
>       /group4
>         /user5
>
> How can I configure samba to use these home directories? The user data is stored in LDAP (including the home directory and other information not related to samba: qmail-ldap, courier, etc) ?
>
> The only option I've found is something similar to: path = /home/%U
>
> Can samba retrieve the home directory from LDAP?

Do you mean that if you do finger user or getent passwd user that the directory you want shows up in that output? If so, just delete the path statement from the [homes] section. Samba will use the user's home directory by default.

Note, however, that you didn't really make a distinction between the Unix system using the data stored in LDAP as its password database (through some mechanism like nsswitch) and the home directory data just being in LDAP. I believe that if the Unix system isn't using the LDAP data and passing it through to calls like getpwent(), then Samba won't use the LDAP data either.

- Logan
Re: [Samba] passwd program example for parsing new password typed?
On Wed, 6 Sep 2006, Gianluca Cecchi wrote:

> This could allow me to synchronize the passwords of the two domains' users during the normal windows password change operation.

That's a little odd to have two sets of accounts that are kept identical between two different domains. But, maybe there is a reason for it.

> I have only to set up the passwd program of smb.conf accordingly. By default it is passwd %u and I read that it makes use of expect to get the passwd typed by the user (not clear how... where to find docs?)

No, it uses an Expect-like (not actual Expect, I think) script to talk to the passwd program. The user's password comes in plaintext from the Windows client machine to Samba, if I understand correctly. So the interaction between Samba and the passwd command doesn't involve getting the password typed by the user.

> I would like instead to substitute it with a script that
> 1) runs the passwd program locally as by default
> 2) runs a remote shell to the other samba host to run the script specified above for AD change.
>
> Any hint on how to give to the script the password typed by the user? Thanks in advance for your help.

Look at the passwd chat Samba parameter. This defines how Samba communicates with the passwd program. You can substitute your own chat script to specify how it interacts with your own script instead of the passwd command. For example, your script might look like this:

    #! /bin/sh
    username=$1
    echo send password now
    # IFS= and -r keep leading/trailing spaces and backslashes in the password intact
    IFS= read -r password
    # do whatever you want with $username and $password

Then I believe you'd want this in your smb.conf:

    unix password sync = yes
    passwd program = /path/to/my/script %u
    # double quotes make the three words a single expect string
    passwd chat = "send password now" %n\n

That should take care of the glue between Samba and your script, but then you have the small matter of glue between your script and /usr/bin/passwd. Previously, Samba could take care of that for you, but if you wrap the passwd command with your script, you're going to have to use Expect or something to do it.

- Logan
[Samba] Re: Domain SID does not match built in domain groups SIDs...
You are correct. I have users and groups with the correct domain SID, but there are a few groups that have the wrong domain SID and I want to correct them. I ended up just stopping the Samba daemon and editing the bad groups' SIDs with an LDAP editor. It may have not been as safe as your way, but it seems to have worked.

Thank you for helping!

Jamrock wrote:

> Jason Shaw [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
>
>>>> Would remapping them correct the SIDs? Can I just use a LDAP editor and manually change the SID to what it should be without screwing up other things? To my understanding, all the important Samba data is stored in LDAP. So I shouldn't have to worry about the contents of smbpasswd, secrets.tdb, or anything of that nature, right?
>>>>
>>>> Given I can just edit the SIDs, I do know that I may have to restart the SMB daemon, rejoin some users to groups, correct the local administrators group on workstations, etc. I understand the clean up, I don't want to ruin anything else that's not a simple text edit or command call.
>>>
>>> There is a utility that allows you to change the domain's SID. Search the archives and the documentation for net setlocalsid
>>
>> I do not want to change the domain or the server SID. Doing so would invalidate the users I have already entered. I just want to fix a couple of groups that have bad SIDs.
>
> It sounds as if you are saying that the users have the same SID as the domain. However some groups have incorrect SID's.
>
> If you are keeping the POSIX and Windows user information in LDAP, you can do the following:
>
> Make a backup of the folder containing the ldap data.
>
> Use ldapsearch to export the contents of the ldap directory to a file. This provides a second backup
>
> Use ldapsearch to dump the group information to a file.
>
> Modify the SID information in the second (group) file and use ldapmodify to bring the correct information back into the ldap directory.
>
> This is based on the assumption that the domain's SID is correct and the users' SID's are correct. Only the groups' SID's are incorrect.
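The "modify the SID information in the group file" step of the procedure quoted above, as an added example that is not code from any participant in the thread: it reads an ldapsearch export, finds group entries whose `sambaSID` carries a different domain prefix than `net getlocalsid` reports, and emits ldapmodify input that keeps each RID. The DNs under `ou=Groups,dc=example,dc=com` are constructed placeholders, the two mismatched SIDs and the domain SID are the ones posted in this thread, and `sambaSID` is the attribute Samba's LDAP schema uses for group mappings.

```python
import re

# A domain SID is S-1-5-21-<a>-<b>-<c>; a user or group SID appends a RID.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")
MEMBER_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# `net getlocalsid` output as posted in the thread.
GETLOCALSID_OUTPUT = "SID for domain FS02 is: S-1-5-21-580359677-1468577533-2286006929"

# Constructed ldapsearch export; DNs are placeholders, one value is line-folded.
SAMPLE_LDIF = """\
# group dump (constructed sample)
dn: cn=Domain Admins,ou=Groups,dc=example,dc=com
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-220492119-3728255649-3324185874-512

dn: cn=Domain Users,ou=Groups,dc=example,dc=com
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-220492119-3728255649-
 3324185874-513

dn: cn=staff,ou=Groups,dc=example,dc=com
sambaSID: S-1-5-21-580359677-1468577533-2286006929-3001

dn: cn=Administrators,ou=Groups,dc=example,dc=com
sambaSID: S-1-5-32-544
"""


def parse_getlocalsid(output):
    """Extract and validate the domain SID from `net getlocalsid` output."""
    sid = output.rsplit(":", 1)[-1].strip()
    if not DOMAIN_SID_RE.match(sid):
        raise ValueError(f"not a domain SID: {sid!r}")
    return sid


def unfold(ldif_text):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(ldif_text):
    """Return (dn_line, sambaSID) for every entry that has a sambaSID."""
    entries, dn_line, sid = [], None, None
    for line in unfold(ldif_text) + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn_line and sid:
                entries.append((dn_line, sid))
            dn_line, sid = None, None
        elif line.lower().startswith("dn:"):
            dn_line = line  # kept verbatim so "dn::" (base64) DNs survive
        elif line.lower().startswith("sambasid:"):
            sid = line.split(":", 1)[1].strip()
    return entries


def plan_fixes(ldif_text, domain_sid):
    """Split entries into (fixes, skipped); BUILTIN and correct SIDs are left alone."""
    fixes, skipped = [], []
    for dn_line, sid in parse_entries(ldif_text):
        match = MEMBER_SID_RE.match(sid)
        if not match:
            skipped.append((dn_line, sid, "not a domain-relative SID"))
        elif match.group(1) == domain_sid:
            skipped.append((dn_line, sid, "already correct"))
        else:
            fixes.append((dn_line, sid, f"{domain_sid}-{match.group(2)}"))
    return fixes, skipped


def to_ldapmodify(fixes):
    """Build ldapmodify input. Deleting the exact old value makes the server
    reject the change if the entry no longer holds the SID that was reviewed."""
    out = []
    for dn_line, old, new in fixes:
        out += [dn_line, "changetype: modify",
                "delete: sambaSID", f"sambaSID: {old}", "-",
                "add: sambaSID", f"sambaSID: {new}", "-", ""]
    return "\n".join(out)


if __name__ == "__main__":
    domain = parse_getlocalsid(GETLOCALSID_OUTPUT)
    fixes, skipped = plan_fixes(SAMPLE_LDIF, domain)
    for dn_line, sid, reason in skipped:
        print(f"# skipped {dn_line} ({sid}): {reason}")
    print(to_ldapmodify(fixes))
```

Review the generated LDIF against the backup from the first two steps before feeding it to ldapmodify.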
Re: [Samba] Linux as PDC
On Fri, 1 Sep 2006, Rob Watkin wrote:

> I will post the latest version smb.conf file below. I have followed the instructions in http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/FastStart.html section Domain Controller for the most part. I have one server (TAU) and one Windows XP client (vm-201). I can get vm-201 to join my BC workgroup but not the domain. I am rebooting the XP machine and restarting samba on TAU between experiments.
>
> I have just noticed the following error in the log file which I think is at the bottom of all this! When I try to get the XP box to join the BC domain it asks for a username and password, I give tom ** and then

I have to admit that I myself don't understand the exact requirements on what type of account is required here, but it must be some sort of administrator account, not a regular user account, that you use to join to the domain. So you need to use root, or possibly some other privileged account, but I know root works.

- Logan
[Samba] Re: Domain SID does not match built in domain groups SIDs...
>> Would remapping them correct the SIDs? Can I just use a LDAP editor and manually change the SID to what it should be without screwing up other things? To my understanding, all the important Samba data is stored in LDAP. So I shouldn't have to worry about the contents of smbpasswd, secrets.tdb, or anything of that nature, right?
>>
>> Given I can just edit the SIDs, I do know that I may have to restart the SMB daemon, rejoin some users to groups, correct the local administrators group on workstations, etc. I understand the clean up, I don't want to ruin anything else that's not a simple text edit or command call.
>
> There is a utility that allows you to change the domain's SID. Search the archives and the documentation for net setlocalsid

I do not want to change the domain or the server SID. Doing so would invalidate the users I have already entered. I just want to fix a couple of groups that have bad SIDs.

Looking through the IDEALX scripts, it appears that I can just edit these SIDs with an LDAP editor; they appear to only modify the LDAP, no other Samba files (secrets.tdb, etc). But I'm not certain and do not want to proceed until I know I won't screw myself over by doing so.

Does anyone see anything wrong with this? Should I just delete these groups and recreate them? Would that be a smarter way?

Thank you,
Jason
Re: [Samba] Domain SID does not match built in domain groups' SIDs...
>> It appears that the built in domain groups' SIDs do not match the domain's SID. I used the IDEALX scripts to create these accounts and I obviously thought everything was fine before proceeding to add users and groups.
>
> Did you change the SID inside the IDEALX scripts?

I bet I populated these groups before I changed the SID in the IDEALX scripts while testing things out and I never went back to correct it. I see that the SID is currently set correctly for them. Thanks for pointing that out! Seeing that set correctly makes me a bit more comfortable using those scripts.

>> Any suggestions on how I can correct this without wiping out the users and groups I've already added?
>
> Hmmm, you can remap it. :)

Would remapping them correct the SIDs? Can I just use a LDAP editor and manually change the SID to what it should be without screwing up other things? To my understanding, all the important Samba data is stored in LDAP. So I shouldn't have to worry about the contents of smbpasswd, secrets.tdb, or anything of that nature, right?

Given I can just edit the SIDs, I do know that I may have to restart the SMB daemon, rejoin some users to groups, correct the local administrators group on workstations, etc. I understand the clean up, I don't want to ruin anything else that's not a simple text edit or command call.

Thank you,
Jason

Felipe Augusto van de Wiel wrote:

> On 08/30/2006 04:16 PM, Jason Shaw wrote:
>
>> Hello,
>>
>> I'm having a few problems, but I'm thinking this should be fixed first. It may solve my other issues.
>>
>> It appears that the built in domain groups' SIDs do not match the domain's SID. I used the IDEALX scripts to create these accounts and I obviously thought everything was fine before proceeding to add users and groups.
>
> Did you change the SID inside the IDEALX scripts?
>
>> Any suggestions on how I can correct this without wiping out the users and groups I've already added?
>
> Hmmm, you can remap it. :)
>
>> Samba PDC 3.0.20b
>> OpenLDAP backend
>>
>>     # net groupmap list
>>     Domain Admins (S-1-5-21-220492119-3728255649-3324185874-512) - Domain Admins
>>     Domain Users (S-1-5-21-220492119-3728255649-3324185874-513) - Domain Users
>>     Domain Guests (S-1-5-21-220492119-3728255649-3324185874-514) - Domain Guests
>>     Domain Computers (S-1-5-21-220492119-3728255649-3324185874-515) - Domain Computers
>>
>>     # net getlocalsid
>>     SID for domain FS02 is: S-1-5-21-580359677-1468577533-2286006929
>>
>> Much appreciated!
>> Jason
>
> Kind regards,
>
> --
> Felipe Augusto van de Wiel [EMAIL PROTECTED]
> Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
> http://www.paranacidade.org.br/ Phone: (+55 41 3350 3300)
Re: [Samba] 100% CPU usage
On Wed, 30 Aug 2006, Felipe Augusto van de Wiel wrote:

On 08/30/2006 02:22 AM, Mary Steiner wrote:

I am running Samba 2.2.7-5.8.0 on Fedora Core #1 and am having a problem with smb daemons using up all of the CPU.

The other thing is that *maybe* you are really under heavy load, so you need to upgrade the hardware or downgrade the number of users. ;)

I would hope that, in most cases, if the load is really high, this would max out the machine's I/O capacity way before it maxes out its CPU capacity. Of course, that depends on the hardware, but these days, CPUs are really fast, and I don't think Samba is that inefficient...

Of course, the other suggestion is to update to a non-ancient version of Samba.

- Logan
[Samba] Domain SID does not match built in domain groups' SIDs...
Hello, I'm having a few problems, but I'm thinking this should be fixed first. It may solve my other issues.

It appears that the built in domain groups' SIDs do not match the domain's SID. I used the IDEALX scripts to create these accounts and I obviously thought everything was fine before proceeding to add users and groups.

Any suggestions on how I can correct this without wiping out the users and groups I've already added?

Samba PDC 3.0.20b
OpenLDAP backend

# net groupmap list
Domain Admins (S-1-5-21-220492119-3728255649-3324185874-512) -> Domain Admins
Domain Users (S-1-5-21-220492119-3728255649-3324185874-513) -> Domain Users
Domain Guests (S-1-5-21-220492119-3728255649-3324185874-514) -> Domain Guests
Domain Computers (S-1-5-21-220492119-3728255649-3324185874-515) -> Domain Computers

# net getlocalsid
SID for domain FS02 is: S-1-5-21-580359677-1468577533-2286006929

Much appreciated!
Jason

--
Jason Shaw | Information Systems Administrator
Analytical Methods, Inc. | E-mail: [EMAIL PROTECTED]
2133 152nd Ave NE | Phone: (425) 643-9090
Redmond, WA 98052 USA | FAX: (425) 746-1299
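The mismatch described in this thread can be checked mechanically before anything is edited in LDAP. The following is an added example, not code from the thread or from Samba: it parses the two command outputs quoted above and reports, for each group mapping under a different domain SID, the SID it would have under the local one. The function name is hypothetical, and the last two groupmap lines in the sample are constructed.

```python
import re

# "net groupmap list" prints: NT name (SID) -> Unix group. Archived copies of
# the thread show " - " where the arrow was, so both spellings are accepted.
GROUPMAP_RE = re.compile(
    r"^(?P<nt>.+?) \((?P<sid>S-1-\d+(?:-\d+)+)\)\s+->?\s+(?P<unix>.+)$")
LOCALSID_RE = re.compile(
    r"SID for domain (?P<name>\S+) is: (?P<sid>S-1-\d+(?:-\d+)+)")

# Only SIDs of the form S-1-5-21-x-y-z-RID belong to an account domain.
# Built-in aliases such as S-1-5-32-544 are the same on every host.
ACCOUNT_DOMAIN_PREFIX = "S-1-5-21-"


def find_sid_mismatches(groupmap_output, localsid_output):
    """Return (domain_sid, findings) for mappings whose domain part differs."""
    local = LOCALSID_RE.search(localsid_output)
    if local is None:
        raise ValueError("no 'SID for domain ... is:' line found")
    domain_sid = local.group("sid")

    findings = []
    for line in groupmap_output.splitlines():
        entry = GROUPMAP_RE.match(line.strip())
        if entry is None:
            continue  # blank line, prompt, or unrelated output
        sid = entry.group("sid")
        if not sid.startswith(ACCOUNT_DOMAIN_PREFIX):
            continue  # built-in alias, not expected to carry the domain SID
        prefix, rid = sid.rsplit("-", 1)
        if prefix != domain_sid:
            findings.append({
                "group": entry.group("nt"),
                "current": sid,
                "expected": f"{domain_sid}-{rid}",  # same RID, local domain
            })
    return domain_sid, findings


# Outputs as quoted in the thread, plus two constructed lines: a built-in
# alias and a group that already carries the right domain SID.
GROUPMAP = """\
Domain Admins (S-1-5-21-220492119-3728255649-3324185874-512) -> Domain Admins
Domain Users (S-1-5-21-220492119-3728255649-3324185874-513) -> Domain Users
Domain Guests (S-1-5-21-220492119-3728255649-3324185874-514) -> Domain Guests
Domain Computers (S-1-5-21-220492119-3728255649-3324185874-515) -> Domain Computers
Administrators (S-1-5-32-544) -> adm
Engineers (S-1-5-21-580359677-1468577533-2286006929-3001) -> engineer
"""
LOCALSID = "SID for domain FS02 is: S-1-5-21-580359677-1468577533-2286006929"

if __name__ == "__main__":
    domain_sid, findings = find_sid_mismatches(GROUPMAP, LOCALSID)
    print("local domain SID:", domain_sid)
    for f in findings:
        print(f"{f['group']}: {f['current']} should be {f['expected']}")
```

The script only reports; it changes nothing in LDAP or in the group map.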
Re: [Samba] Rev #2 of the 3.02.3c patch
On Wed, 30 Aug 2006, Gerald (Jerry) Carter wrote:

I've uploaded the *final* 3.0.23c roll up patch to http://samba.org/~jerry/patches/patch-3.0.23b-3.0.23c-gwc-2.diffs.gz. I've already cut the 3.0.23c tarballs so unless there is a major problem, this will be the final change set. Please report *any* bugs that you find.

Well, I'm not positive it's a bug, but with 3.0.23b, I can go to the (Windows Explorer context menu) Properties-Security dialog and look at the list of Group or user names, and every file I've tried shows the group's SID before the user's SID. This isn't the order I expect, and in fact, it's different from what I see on a 3.0.10 system which runs against the same ldapsam data. With 3.0.10, I get what I expect:

Group or user names:
+---+
| (H) Logan Shaw (MYDOMAIN\lshaw) |
| (HH) engineer (MYDOMAIN\engineer) |
| (HH) Everyone |
+---+

(The (H) represents the single-human-head icon, meaning user, and the (HH) represents the two-human-heads icon, meaning group, I guess.)

With the 3.0.23b, I get something like this instead:

Group or user names:
+---+
| (HH) engineer (MYDOMAIN\engineer) |
| (HH) Everyone |
| (H) Logan Shaw (MYDOMAIN\lshaw) |
+---+

Note that the user appears at the bottom of the list. I think this is probably related to something else I'm seeing: when an Excel or Word file is open and locked by a user and someone else tries to open it, they get a message that it's locked by engineer (the group) rather than lshaw (the username).

So, what relevance does this have to 3.0.23c? Well, it's happening with 3.0.23b, and I spent about 15 minutes looking through the 3.0.23b-3.0.23c patch you just posted today (patch-3.0.23b-3.0.23c-gwc-2.diffs.gz), and I couldn't see any code changes that looked related. Unfortunately, I can't really take the server down to test the patched version for real.

Also, I'm fairly sure it didn't happen with 3.0.22 and that I haven't changed smb.conf in any meaningful way since moving from 3.0.22 to 3.0.23b, making me believe it's a function of the samba version rather than the config.

So, I realize that's not the ideal bug report, but is it possible someone running 3.0.23c could check and see if they are seeing a similar issue?

- Logan
Re: [Samba] Configure Options while build Samba and OpenLDAP?
On 08/28/2006 05:30 AM, updatemyself . wrote:

can anyone help me to know what all are the compiling option to use.. while build my samba and open-ldap rpm from source.

On Tue, 29 Aug 2006, updatemyself . wrote:

what about.. ldap options..? any one can help?

I rebuilt Samba for Slackware and added LDAP in the build since Slackware doesn't have LDAP by default (at all). All I had to do was set these environment variables:

    CFLAGS=-I/usr/local/pkg/openldap/include
    LDAP_LDFLAGS="-L/usr/local/pkg/openldap/lib -Wl,-rpath,/usr/local/pkg/openldap/lib"

and add this ./configure option:

    --with-ldap=yes

The two environment variables were only needed because I have my OpenLDAP libraries installed in a non-standard place. (There isn't a Slackware package for OpenLDAP that I know of, and I didn't feel like making one, so I just put all the OpenLDAP stuff in its own directory to keep it separate.) If you have your OpenLDAP includes in /usr/include and your OpenLDAP libraries in /usr/lib, you wouldn't need those two environment variables.

All that applies to Slackware, but it should be fairly similar for Debian, I would think.

- Logan
Re: [Samba] Storing privilege info in ldap
On Tue, 29 Aug 2006, David Williams wrote:

I have a Samba server 3.0.22 pdc on Gentoo Linux with a ldap backend all working fine. I am now going to add a bdc to the setup. It seems that the privilege info is stored locally rather than in ldap. I suspect that it's in account_policy.tdb but I'm not sure. I can see the accounts on the bdc and logon fine but the rights are missing when I run net rpc rights list. I can add the info in manually but that creates a future admin job. Is there any way to store the rights in LDAP?

Isn't this the exact same question that was answered under the subject Question regarding Samba rights about 3 hours ago?

- Logan
Re: [Samba] Wrong Username reported to MS Office if file is opened already
On Wed, 16 Aug 2006, [EMAIL PROTECTED] wrote:

I run a Suse 9.3 with Samba 3.013. If a User opens a file which another User has already opened M$ Office reports that the User who saved the file the last time has locked the file, not the actual User, who holds it open. My Sambaserver is a Domain Member of a W2k Domain.

I don't know the solution, but I suspect the answer you're going to get is to try upgrading to something more recent, like 3.0.23b, since your 3.0.13 is fairly old.

Also, I have a similar issue, but instead of the previous user, what I see is the Unix group name instead of the username. So maybe related, but maybe not.

- Logan
Re: [Samba] How to get Samba's share directories
On Thu, 24 Aug 2006, Nguyen Anh Phu wrote:

Is there any tool that can get Samba service (share directory) and its full path? Maybe its output likes this:

    [share] /home/share
    [setup] /home/setup

In my own setup, I addressed this problem by creating a top-level /share. All Samba shares reside there. If I want to use disk space from a different filesystem and see it under /share, I can use something like an automounter (most automounters can mount local filesystems using a local database), a bind mount in Linux, an lofs mount in Solaris, etc.

- Logan
[Samba] file locked by wrong user
I'm having a weird problem which I think may be a bug, but I'm not sure, so I think I'll describe it and see if it rings a bell with anyone.

Basically, the story is this: there's a file owned by a Unix user lshaw (i.e. me) and whose group ownership is engineer. Now, I open this file on one Windows XP computer, then go try and open it again on another XP machine. On the second computer, I get the usual This file is locked by ___, do you want to open a read-only copy? message. But the problem is the ___ is engineer rather than lshaw. In other words, it is showing the group instead of the username.

I've noticed this with Word, Excel, and Powerpoint files. (Those were the 3 file types that I could think of off the top of my head whose apps like to lock files.) As far as I can tell, this happens for all users, i.e. no matter who opens a file, and no matter who looks at it, it appears to be locked by the group instead of the user.

I'm running Samba 3.0.23b. I think I may have seen this on 3.0.20, but I can't recall for sure.

Also, for what it's worth, if I, in Windows XP, navigate to a file that experiences this problem and hit Properties and then do the Security tab, I see the group listed as the first item under Group or user names:. It looks like this:

    engineer (DOMAIN\engineer)
    Everyone
    Logan Shaw (DOMAIN\lshaw)

This isn't a show-stopper bug, but it is a little inconvenient when something is locked to not have a way to know who has locked it.

If it matters, the correct numeric uid (that corresponds to lshaw) shows up in the second column of the smbstatus -L output.

- Logan
Re: [Samba] How to unlock the locked file.
On Wed, 16 Aug 2006, Jacky Chan wrote:

I just upgrade from SUSE9.3 to SUSE10.0 and running samba-3.0.22-11. I have a workstation which store outlook.pst on Samba share. Yesterday, this workstation get hang and after a cold boot. It can't access the outlook.pst anymore, the system reported the pst file is using by someone and outlook can't open it?.

Sometimes this works:

1. Login to the samba server.
2. Run a smbstatus.
3. Find the pid of the process that has the lock on the file in the third section of the output.
4. Verify that it matches the expected user and hostname in the first and second sections of the smbstatus output.
5. Run ps -ef and see how long the smbd with that pid has been running.
6. If it has been running since before the computer was last rebooted, it's a left over smbd. Kill JUST THAT ONE smbd. (And make sure you get the right one -- it should be one that has a parent pid not equal to 1.)

- Logan
[Samba] smbldap-tools and disabling a user
Hey everyone,

When someone leaves the company, I prefer to disable their account rather than remove it (so that you can see who owns any files they might leave on a filesystem somewhere). I'm using an LDAP backend for Samba, and I'm using smbldap-tools to manage accounts.

So, today I was going to disable an account for the first time since switching over from plain /etc/passwd and /etc/samba/smbpasswd, and it doesn't seem like there is any tool that can handle both Unix and Samba accounts.

Specifically, smbldap-usermod has a -I option, which is described as disable user. It sets the D flag on the Samba account info, but it doesn't have any effect on the RFC 2307 userPassword. I noticed smbldap_tools.pm has a disable_user() sub in it, which is even exported from the module, but nothing calls it, and when I tried calling it myself from a little Perl code, it didn't seem to work.

Oh, and I can't really use the straightforward passwd -l command, because I'm using Slackware, which doesn't grok LDAP.

I ended up writing a little bash script which uses ldapmodify, which does the job, but I'm wondering if there's a better way that I'm missing. It seems odd that smbldap-useradd supports adding both Unix and Samba accounts, and smbldap-userdel supports deleting both, but smbldap-usermod only supports disabling the Samba half of things...

- Logan
Re: [Samba] LDAP+Samba only posixaccount possible?
On Fri, 11 Aug 2006, Juha-Matti Ung wrote:

Hi! Is it possible to get the samba authenticate a user and map to his home directory only using posixaccount or are there some attributes that windows absolutely require like in the samba-objectclasses?

I'm 99% certain this isn't possible. Windows uses a different password hashing scheme from what Unix/Linux systems use, so the user's password must be stored in both forms.

The only exception might be if you want to make your Windows machines send plaintext passwords, but I'm not even sure if that's supported on newer versions of Windows.

- Logan
Re: [Samba] Domain migration from 2.2.x to 3.0.x
On Fri, 11 Aug 2006, Rory Vieira wrote:

One of my customers is running a pretty old Redhat 8 (Psyche) server with Samba 2.2.something (I think 7). Next week I'm planned to upgrade his Redhat platform to SuSE 9.3 and also update his samba to 3.0.23b.

I did almost the exact same thing going from RedHat 7.2 with Samba 2.2 to Slackware 10.2 with Samba 3.0.22, and managed to pull it off with no real problems.

My biggest worry is that this customer has about 14 workstations already in the 2.2.x domain. I would like to know WHAT to do so I won't have to re-add all those machines again, as this will take up a lot of my time.

From memory, I believe you need to do the following:

1) Copy the machine accounts over, preserving the flags, the LM and NT hashed passwords, etc. They are just smbpasswd entries with special usernames (with $ in them), so this isn't all that complicated. With only 14 machines, I might just do it by hand.
2) Make sure the new server has the same NetBIOS name as the old. (This might not be necessary. On the other hand, you probably want to do it anyway.)
3) Make sure the new server has the same domain as the old.
4) Make sure the new server has the same SID as the old. There are lots of ways of doing this, but I believe the one I used was to run rpcclient's lookupsids command against the domain itself to get the old SID on 2.2.x, then I used net setlocalsid to set it on the new 3.0.22 system. Or something along those lines. :-)
5) This might or might not be necessary, but make sure the machine accounts have the same SID as before as well.

That list might not be complete. For me, things were easier since I was moving from one machine to another in the process, so I could compare settings on both and make changes incrementally until I was satisfied everything was good.

- Logan
Re: [Samba] Regarding samba compilation
On Wed, 9 Aug 2006, samid wrote:

Am trying to add some Debug statement to smbd, for example in service.c. But problem is when I recompile and make install, smbd doesn't get updated with that code. problem here is this smbd executable(usr/sbin/smbd) doesn't get updated with the latest install. please help..

I would try to isolate the problem. Is smbd getting built correctly and incorporating your changes? Run strings smbd and see if your debug message is in the version that's built after you do make.

Also, check and see where smbd is being installed by make install. I would do this by doing

    make install > make.install.log 2>&1

Then run grep smbd make.install.log or look through it with less or your favorite text editor and see what path it really installs to.

- Logan
Re: [Samba] samba pdc and notebook in domain
On Wed, 9 Aug 2006, bob_bipbip wrote:

hello, when my computer's client is not connected to network (and so cannot connect to pdc), they are not able to log in, they have a message telling us that the system can't log in because the domain is unavailable, how to permit people to log in even if they are not connected to network?

By default, Windows supports up to 10 (I think) cached logons. That means if your user abc logs on while the domain controller IS available, then they can log on later when the domain controller is NOT available, assuming there haven't been 10 people who have logged on since then.

So, with a little planning (always be sure to logon before you disconnect, so that your identity is in the cache), you can use only the network user accounts without having to create separate local accounts. That makes things a lot cleaner and simpler, I think.

- Logan
[Samba] make -j
So, I'm building 3.0.23b for Slackware (since they don't have it out yet[1]), and I've noticed these two lines in the script that Slackware uses to build Samba 3.0.23 from source (which I'm modifying to build 3.0.23b):

    # -j options don't seem to work...
    make

Anyone know why that comment might be there? Is it true that Samba can't be built with -j2 or similar arguments to make? Maybe just on Slackware?

The reason I'm asking is that I happen to have this server with Dual 1.0 GHz PIII Xeons, and it takes forever to build on this machine. It sure would be nice if it could take 0.5*forever instead.

[whine] Especially since I discovered a minor error in the build I was going to put on the server 15 minutes ago, and now have to build again twice: once to find the error in the build script, and another time to build it cleanly from scratch, thus delaying me from going home by at least 30 minutes. ;-) [/whine]

- Logan

[1] And no, you don't want my version once I'm done building it, since I'm building it against the OpenLDAP that I have installed, and by default Slackware has no LDAP. But I would be willing to share the 3.0.23 SlackBuild script that I modified for 3.0.23b if anyone wants it...
Re: [Samba] Applying security updates
On Tue, 8 Aug 2006, Steve1 Boothright wrote: A security update for samba 3.0.1 - 3.0.22 was posted on samba.org on the 10th July. Does anyone know how to apply the update? Every time I click on the download link I just get the following text
Index: source/smbd/service.c === --- source/smbd/service.c(revision 16676) +++ source/smbd/service.c(working copy) @@ -763,6 +763,11 @@ smb_panic(make_connection: PANIC ERROR. Called as nonroot\n); } +if (conn_num_open() 2047) { +*status = NT_STATUS_INSUFF_SERVER_RESOURCES; +return NULL; +} + if(lp_security() != SEC_SHARE) { vuser = get_valid_user_struct(vuid); if (!vuser) {
That's a patch against the source. Save it into a file, say samba-patch-2006-07-10, then cd to the directory that contains source, then type patch < samba-patch-2006-07-10 and the patch program should apply the changes to the file source/smbd/service.c. Then rebuild the binaries. - Logan
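Review bot: in the block added to make_connection() in source/smbd/service.c, the ceiling is the bare literal 2047 with no named constant or comment saying where the number comes from, and the refusal path sets NT_STATUS_INSUFF_SERVER_RESOURCES and returns NULL without logging anything. I would give the limit a named constant and put a DEBUG line before the return, so an administrator can tell a server that hit the ceiling from one refusing connections for some other reason. In this copy the condition also reads "if (conn_num_open() 2047)" with the comparison operator missing, so whether the bound is inclusive cannot be checked from the text as shown.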
RE: [Samba] disabling roaming profiles for some networks only
On Tue, 8 Aug 2006, John Mason wrote:

What about also enabling roaming profiles, but doing folder redirection? I use it and so it take much less time since each machine is configured to mount their my documents, desktop, etc. which makes their profile large rather than include them in the profile.

I don't think that would work so well for our environment. The issue isn't the space used in the profile. It's the speed at which it can be copied over and back. Turning folders like the desktop into mounts from the server would prevent slow logons, but in exchange what we'd get is files on the desktop taking minutes to open after someone had logged in.

The pipe between the offices is about 1.5 megabit/s bandwidth with a latency of about 70 ms, and this makes access to files over SMB (or CIFS) really slow. I'd *love* to improve responsiveness of the server, but my guess is that the protocol just doesn't deal with latency very well (most file sharing protocols don't), so no amount of tuning is going to make a huge difference.

Plus, of course, if you open a 10 megabyte file over a 1.5 megabit/s link, the theoretical best time you're ever going to see is about 53 seconds. And people do put 10 megabyte files on their desktops.

- Logan
Re: [Samba] disabling roaming profiles for some networks only
On Mon, 7 Aug 2006, simo wrote:

On Mon, 2006-08-07 at 17:23 -0500, Logan Shaw wrote:

I'm looking for a way to turn off roaming profiles only for those users which are at the remote site.

Set the logon home and logon path explicitly in the passdb backend for the users who need it and leave the general ones blank. You must use either the tdbsam or ldapsam backends to do that.

That's an idea, but I'd really rather have it keyed off what network they're logging in from. It's not uncommon for users from one office to travel to the other. Then, they get there and have only (say) 2 days to get whatever done while they're traveling, and they spend the first 2 hours of their limited time waiting for their machine to finish logging them. It's a bit of a nuisance. :-)

In particular, there could even be cases where someone uses the same user account and same machine at the local office and at the one 1000 miles away. This can happen when a user takes their laptop with them. And yeah, I can educate my users about this, but that doesn't completely stop it from happening, because it's not the type of thing people understand well or realize they need to remember when they're traveling.

All in all, I guess this is more of a weakness of the design of Windows networking than anything else. Still, if there is a Samba solution to the problem, I'd welcome it...

- Logan
Re: [Samba] converting Linux users paswords to Samba
On Mon, 7 Aug 2006, FTuzi wrote:

I have a Fedora 5 system with about 300 users and 2 printers. Samba is running on the sole server. There are also about 2 dozen Windows XP computers in use, but there is no domain and no Active Directory. All the computers are standalone. Users desire to use the Samba printers and access their home directories in the Linux system. I have setup and have Samba running fine. Using Webmin, I converted all Linux users to Samba users. BUT the passwords don't convert.

I don't believe there is any way of converting the passwords. Both Unix and Windows use a one-way hash system. It's possible to get the hashed password from the cleartext password, but not vice versa. (That's enough for authentication purposes because it allows you to verify a password, which is all you need.) Since Unix/Linux and Windows/Samba use different one-way hash schemes from each other, you will have to create the Windows hashes[1], and that requires access to the cleartext passwords, which you don't have available on a Unix/Linux system.

So, you're going to have to have users re-enter their passwords. One possible solution to this problem is to assign every user a new password for Samba only and let them know what it is, then give them a mechanism to change both.

By the way, I would probably go ahead and set up the Linux machine as a domain controller. That won't help your passwords issue, but at some point you may want to have people logon to Windows machines and they might as well be able to use a unified set of accounts to do it. Also, if the users need to use Samba shares regularly, it's just as easy for them to logon at the beginning of the session. That way they only have to type their password when they logon to the Windows machine and not every time they access a new share.

- Logan

[1] There are actually two types: Lan Manager (LM) and Windows NT (NT).
Re: [Samba] 'ldap machine suffix' is ignored?
On Mon, 7 Aug 2006, Mike A. Kuznetsov wrote:

I'm using samba-3.0.23 (Revision: 16921, from ports collection, under FreeBSD 6.1 with OpenLDAP 2.3.24 smbldap-tools-0.9.2a) as PDC with following config:

[ snip snip snip... ]

    [global]
    ldap group suffix = ou=groups
    ldap idmap suffix = ou=idmap
    ldap machine suffix = ou=computers
    ldap passwd sync = Yes
    ldap suffix = dc=mydomain,dc=ru

And I can't join domain from WinXP workstation (WINHOST, for ex.) with the error No such user

I believe in newer versions of Samba, ldap suffix is no longer added to ldap machine suffix or to any of the others. So, you need to put this instead:

    ldap group suffix = ou=groups,dc=mydomain,dc=ru
    ldap idmap suffix = ou=idmap,dc=mydomain,dc=ru
    ldap machine suffix = ou=computers,dc=mydomain,dc=ru

This seems to have changed sometime between 3.0.10 and 3.0.22, although when specifically it changed I don't know.

- Logan
[Samba] disabling roaming profiles for some networks only
Hey everyone.

We have two offices accessing the same Samba server, which is a PDC and file server. The server is located in one of the offices, but the other office is only connected by a relatively slow link (1.5 megabit/s).

I'm looking for a way to turn off roaming profiles only for those users which are at the remote site. (It's a tad inconvenient when it takes an hour or two to login due to a 1 GB roaming profile!) I could turn roaming profiles off for everyone, but we do have some users here at the same site as the server who don't have their own computers and could take advantage of roaming profiles.

Obviously, I can do this by running the Group Policy editor on every machine at the remote site, but I'd really like something where this can be controlled by the server. I know I can leave logon path and logon home undefined and that will turn off roaming profiles for everyone, but I only want to turn it off for users on a certain network.

So, is there any way to do that?

- Logan
[Samba] strangely lingering lock, samba 3.0.22
Hello everyone,

Today a user (call them 'abc') came to me and described the following sequence of events:

1. They opened an Excel file, made some changes, saved it, and closed it.
2. They tried to open it again and got an error dialog within Excel that says this: File in Use FooBar.xls is locked for editing by 'abc'. Open 'Read-Only' or, click 'Notify' to open read-only and receive notification when the document is no longer in use.
3. They rebooted their desktop machine and tried again, and got the same dialog again.

No matter what they do, the file remains locked. The same file is locked for other Windows users and on other Windows computers as well, so obviously there is some sort of state on the Samba server that is telling the clients that the file is locked.

So, I logged into the Samba server (3.0.22 running on Slackware 10.2, with kernel 2.4.31), and tried to see if I could see any evidence of a lock. The file did not show up in the output of smbstatus --locks. Running fuser on the file didn't show that any process had it open. So apparently no process has it open on the Linux machine.

Also, I noticed that if I make a copy of the file on the Linux machine (cp FooBar.xls FooBar-new.xls), the copy does not retain the lock. So, it would appear that this is not related to the actual contents of the file.

I also tracked down the individual smbd that user abc's machine is connected to and killed it. Another one restarted, but the lock was still not released.

For what it's worth, I have oplocks = no and level2 oplocks = no in my smb.conf, so presumably this isn't an oplock issue.

Anyone have any ideas what's going on? As far as I can tell, this must be a server-related issue since all clients see the file as locked, and it's apparently not an issue with the contents of the file (like Excel writing some flag into the actual file contents itself), but I can't find any indication on the server that the file is locked.

- Logan
Re: [Samba] strangely lingering lock, samba 3.0.22
On Tue, 1 Aug 2006, Jeremy Allison wrote:

On Tue, Aug 01, 2006 at 03:35:09PM -0500, Logan Shaw wrote:

Today a user (call them 'abc') came to me and described the following sequence of events:

1. They opened an Excel file, made some changes, saved it, and closed it.
2. They tried to open it again and got an error dialog within Excel that says this: File in Use FooBar.xls is locked for editing by 'abc'. Open 'Read-Only' or, click 'Notify' to open read-only and receive notification when the document is no longer in use.

I added cleanup code for 3.0.23 that should fix this issue. You might want to try 3.0.23a to see if it fixes it.

Wow, Jeremy, thanks for the quick response. It's a fairly important server, for us at least, so it's hard to justify installing a release as a test unless the issue is serious, which this isn't really. So I'll probably wait until 3.0.23b (which seems like it could be more solid than 3.0.23 and 3.0.23a), but I will keep an eye out for this problem and whether 3.0.23b fixes it when I install that.

- Logan
Re: [Samba] Samba connections issues (3.0.23 on Solaris 8 with NIS+)
On Mon, 24 Jul 2006, Gerald (Jerry) Carter wrote:

Gilles Vautour wrote:

I'm curious if anyone has suggestions about a problem we have encountered. We have recently upgraded a 2.2.8a server to 3.0.23. The server in question is running Solaris 8 with NIS+. Storage is from our SAN. Since the migration, we have found that we no longer have access to several shares. They are connected, but we are unable to get to them.

You win the award for the biggest change in an upgrade :-) Not funny to you I know

I think I might be a challenger for that title. I went from 2.2.7 to 3.0.22 and switched from /etc/passwd to OpenLDAP (with PADL) and moved from RedHat 7.2 to Slackware 10.2 and renumbered the Unix uids while preserving the SIDs, all in one fell swoop, and all of this on the domain controller. And the amazing thing is, it actually worked...

- Logan
Re: [Samba] mount a window 2003 nfs share on a sun running solaris10
On Tue, 18 Jul 2006, Don Rauenhorst wrote:
> Is there a way to mount a shared 2.5 tb volume from 1 2003 windows onto a sun running solaris 10. is there a simple way to do this with samba?

Samba is an SMB (a/k/a CIFS) server, so if you are mounting an NFS share as the subject says, Samba won't help. Also, Samba does the file server end of things, not the client. In Unix terms, that means it helps you export filesystems but not mount them.

- Logan
Re: [Samba] ldap smbpasswd automation (anyway around smbpasswd)
On Fri, 21 Jul 2006, oly wrote:
> okay managed to get accounts working by running smbpasswd username then entering their password, is there anyway i can make it use ldap or fill in the list from ldap, i have about 80 users in there and need to add about 800 more i do not want to sit and enter the password for around 900 users must be an easier way? it was very easy to get the accounts into ldap because i generated the ldifs from a userlist using calc.

Do you have smb.conf pointing at an LDAP server for the user database, with a passdb backend directive? If so, then you've probably got the configuration right and all you need is a tool to populate the LDAP database.

There is a set of Perl scripts called smbldap-tools that is bundled with Samba; this works pretty well for creating accounts and so on.

    smbldap-useradd -a someuser

will add someuser to the Samba user list (and to the Unix user list as well; I believe the tool can handle it if the Unix user already exists in LDAP).

As for the passwords, if you have the plaintext passwords in a database, you can pipe them into smbldap-passwd and it will change them. For example:

    #! /bin/sh
    # Read "user password" pairs from the here-document below and feed
    # each password twice (new password + confirmation) to smbldap-passwd.
    while read user pass
    do
        {
            echo "$pass"
            echo "$pass"
        } | /path/to/smbldap-passwd "$user"
    done <<END_OF_DATA
    joebob joepass
    jimbob jimpass
    END_OF_DATA

If you don't have the plaintext passwords, unfortunately there is no way to recover them from the crypt()ed versions in /etc/shadow or similar and convert them to Windows format.

- Logan
Re: [Samba] Running Samba daemons
On Fri, 21 Jul 2006, [EMAIL PROTECTED] wrote:
> How can I make a system user other than root (i.e., adm, sys) start the Samba daemons (smbd and nmbd) on an AIX5L platform?

I'd be surprised if it's even possible. Samba needs to create files as the user that connects to the share. If you run it as non-root, how could it create and access files as other users?

I suppose it might theoretically be possible if you run a configuration with only guest users, but I doubt Samba allows for that.

- Logan
Re: [Samba] can't save 0 size file in samba 2.0.7
On Wed, 19 Jul 2006, liu jack wrote:
> I think that samba 2.0.7 is also useful for embedded system. Because smbd, nmbd files in samba 3 are too big for embedded system.

Is the size of samba 2.0.7 really that much smaller than 2.2.12? Even if it is, my guess is that the size difference between 2.0.7 and 2.0.9 is really quite small.

- Logan
Re: [Samba] Unable to add computer to domain
On Tue, 18 Jul 2006, User 1 wrote:
> Pls help, I am in the progress implementing Samba as LDAP as PDC on FC5, I followed the instruction of samba3-ldap-howto, now I am unable to add computer to domain.. Tried to check /var/log/samba and found the following:
> [2006/07/18 14:55:44, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2404)
>   _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w nb02$' gave 9

Hmm...

    $ grep -c 'exit.*9' smbldap-useradd
    1

Seems like since there is only one way for smbldap-useradd to exit with code 9, maybe that's something you should look into.

- Logan
[Samba] Changing file mode behind the scenes doesn't show up
I have a XP box mounting a share from a Samba server. I create a file on the share via the XP box. The XP Properties dialog for the file shows that it is read/write (the Unix side shows the file to have 744 permissions, as expected). Now, on the Unix side, I chmod the file to be 544 (i.e. readonly). Back on the XP side, however, the Properties box still shows the file to be read/write. Presumably something is caching the file attributes and eventually Windows will catch up and show the right attributes. My question is: is there anything I can do configuration-wise to make this happen faster?

David
Re: [Samba] [SECURITY] Samba 3.0.1 - 3.0.22: memory exhaustion DoS against smbd
On Tue, 11 Jul 2006, Gerald (Jerry) Carter wrote:
> Guillermo Gutierrez wrote:
>> (Blond-moment question) I take it then, that this bug doesn't apply to version 3.0.23?
> Actually, you are the second person to ask me this. :-) I thought that since both the security and release announcement came from me, it would be obvious.

The security bug announcement did say that versions up through 3.0.22 were affected, but there are two possible explanations for the appearance of that statement:

1. At the time the security announcement was written, 3.0.23 had been released and was known not to be affected by the security problem, and therefore wasn't included in the list of versions affected.
2. At the time the security announcement was written, 3.0.23 had not been released and wasn't included in the list of versions affected because 3.0.23 did not exist.

In order to figure out which, the reader has to determine whether whoever wrote the security announcement knew that 3.0.23 existed. You posted both announcements to the list, but (a) that doesn't mean you wrote both of them (release announcements are usually written by the developer, but security advisories are often written up by some security team and then reposted all over the place), and (b) that doesn't mean, even if you wrote the security advisory, that it was written after 3.0.23 was released; maybe they were both written within 10 minutes of each other because that was when you had time to send out some e-mail messages.

In practice, maybe an easy way to deal with this is to include in any security advisory two lists of versions: those known to be affected and those known not to be affected. (ISC does something like this with their security matrix for BIND.)

- Logan
Re: [Samba] very very weird problem, Samba completely broken
On Fri, 7 Jul 2006, Craig White wrote:
> On Fri, 2006-07-07 at 17:45 -0400, Eric Evans wrote:
>> This is very strange and frustrating. Our users complained that they weren't able to get ANY Samba access, not even being able to map a network drive (forgetting for now about that domain logon thing for a while). So I went into the /etc/samba/smb.conf and took out all of the statements that had anything to do with domain controlling and net logons, basically restoring the smb.conf to the state it was in before I started messing around with all that domain controller stuff.
> probably would be much easier if you understood Windows Networking principles.

For what it's worth, I had a hard time with this when I first began working with Samba. I had no difficulty with the Unix end or with networking in general, but when you're coming from a Unix background and setting up Samba on your server, it takes some time to wade through and get oriented with Windows networking concepts.

I found that the best thing for me was to read the book Implementing CIFS. Even though it's targeted at developers, it seemed to cover things from a Unix point of view. I found that a much more helpful source of conceptual information than the Samba docs, which are really targeted at the Samba implementation of the set of protocols rather than the protocols themselves.

>> [2006/07/07 17:24:18, 0] nmbd/nmbd_incomingrequests.c:process_name_refresh_request(183)
>>   process_name_refresh_request: unicast name registration request received for name WORKGROUP00 from IP 128.253.175.150 on subnet UNICAST_SUBNET.
>> [2006/07/07 17:24:18, 0] nmbd/nmbd_incomingrequests.c:process_name_refresh_request(184)
>>   Error - should be sent to WINS server
> Nothing below suggests that you are using a WINS server...not in the Windows clients, not in smb.conf.
> Make life easy for yourself, add 'wins support = yes' to smb.conf and change your dhcp server to use 128.253.175.150 as WINS server and node type = '8'

Based on the log message, it seems that 128.253.175.150 was the IP of the host that sent the request, not the destination of the request. At least that's how I interpret "should be sent to WINS server". To me, that phrase means "I got a request as if somebody thought I was the WINS server but I'm not, so I thought I'd let you know somebody thinks I am."

In other words, 128.253.175.150 is the address of a misconfigured client. (Or the server that generated that log message needs wins support = yes turned on.)

- Logan
Re: [Samba] query about PC setups
On Thu, 6 Jul 2006, Eric Evans wrote:
> Thanks for the info. I've been trying to get this to work but I'm having difficulty with it. I put the statement logon script = startup.bat in my [global] section. I also inserted
> [netlogon]
> path=/usr/local/samba/lib
> browseable = no
> share modes = no
> into the smb.conf. And I made a startup.bat which I placed in /usr/local/samba/lib, and which contains only the command net use h: /homes. But when I log in to the PC, unfortunately it doesn't connect me to the homes share automatically like I thought it should. I checked the samba logs and I don't see any error messages there. Anybody have ideas about what I might be doing wrong?

startup.bat is a batch file that is going to be executed by the Windows machine when you logon to Windows. The Windows machine doesn't understand a command like net use h: /homes because /homes is a path that has meaning only on the Unix machine and doesn't mean anything to Windows. You're going to want something like

    net use h: \\sambaserver\homes

instead. Also, it should be automatically connecting you to your home directory by virtue of having logon path and logon drive specified in smb.conf, so you don't need to add a net use command for your home directory. It's only needed for other shares.

- Logan
Re: [Samba] linux windows synchronisation account : linux client configuration
On Fri, 30 Jun 2006, Edmundo Valle Neto wrote:
> Stephane Durieux wrote:
>> I'm trying to make unix and linux password synchronisation with samba using ldap backend, the only question that remains: How can I make passwd command use the samba server?
> You can use the ldap passwd sync = yes option. With that option the LDAP, NT and LM hashes are synchronized, when changed THROUGH SAMBA.

I believe the question was how they can make /usr/bin/passwd cause Samba passwords to be updated. If a Unix (Linux) user runs /usr/bin/passwd, it should not change just their Unix password but should also change their LM and NT passwords. At least that is the request as I am reading it.

In other words, the request is how to preserve the /usr/bin/passwd interface that Unix users may be familiar with, while at the same time not causing that interface to cause passwords to go out of sync.

Unfortunately, I don't know an answer to that question...

- Logan
Re: [Samba] ldap password sync and RFC2307 hash schemes
On Fri, 30 Jun 2006, Logan Shaw wrote:
> I'm running Samba on Slackware 10.2. As near as I can tell based on looking at the glibc source, my options for Unix passwords (in /etc/passwd, or LDAP -- same options) are these:
> 1. crypt() with plain old, busted traditional hashing.
> 2. crypt() with MD5 hashing, via $1$saltsalt$hashhashhashhash format; the crypt() function the special format and automatically uses the MD5 algorithm.
> Now, here's the question: how do I do the equivalent thing for Samba? How do I make Samba know it should use the crypt scheme for userPassword? If I put ldap password sync = Yes into smb.conf, then it is going to update userPassword attributes, but how is it going to know that I need it to use the crypt hash scheme? Or does it send a plaintext password and let the LDAP server take care of that? Is this a function of Samba or is it a function of the LDAP server?

To answer my own question, the answer seems to be that Samba will do an exop (extended operation) when talking to the LDAP server and will ask it to change the password. That means I can have the OpenLDAP server select the correct password hashing scheme by putting this into slapd.conf:

    password-hash {CRYPT}
    password-crypt-salt-format $1$%.8s

In other words, slapd.conf has very similar options to what I had put into smbldap.conf.

(Now, if I could only figure out why sometimes ldappasswd, which triggers a password exop, causes my password to get reset to *. But that's another battle, I think...)

- Logan
Re: [Samba] Re: Trouble with windows mounts after reboot of windows server
Evert wrote:
> The problem is that I have a couple of shares of a W2K server mounted with Samba on my (Gentoo) Linux. This works fine, until the W2K server gets rebooted. After that the shares are just timing out, and they are impossible to unmount/remount... :-/

On Tue, 27 Jun 2006, Evert wrote:
> Anyone...? I know I'm not the only one with this problem... :-/

You're probably not, but if you're exporting shares from W2K and mounting them on Linux, that's not a Samba problem as far as I know. Samba is only used when Linux is the server, not when it's mounting a CIFS filesystem from a remote server.

- Logan
Re: [Samba] Samba WINS Questions
On Tue, 27 Jun 2006, Vincent Fonteneau wrote:
> Finally WINS problem solved,

I'm not so sure. The WINS server is supposed to maintain a dynamic database that is updated every time some NetBIOS names are registered or deregistered on the network. Just stuffing data into the databases like that isn't likely to really work properly.

> WINS replication is used (but I don't know if I can use the expression replication) by entering new parameters in /var/lib/samba/wins.dat before starting smb daemon on BDC1 the wins.dat should go with:
> MYDOMAIN#00 1151663528 255.255.255.255 e4R
> MYDOMAIN#1b 1151589720 192.168.2.71 64R
> MYDOMAIN#1c 1151663528 192.168.2.71 193.168.2.71 e4R
> MYDOMAIN#1e 1151663528 255.255.255.255 e4R
> MYPDC#00 1151589720 192.168.2.71 66R
> MYPDC#03 1151589720 192.168.2.71 66R
> MYPDC#20 1151589720 192.168.2.71 66R
> MYBDC1#00 1151663528 193.168.2.71 66R
> MYBDC1#03 1151663528 193.168.2.71 66R
> MYBDC1#20 1151663528 193.168.2.71 66R
> MYBDC2#00 1151663528 194.168.2.71 66R
> MYBDC2#03 1151663528 194.168.2.71 66R
> MYBDC2#20 1151663528 194.168.2.71 66R
> on BDCs the wins.dat should go with:
> MYDOMAIN#00 1151663528 255.255.255.255 e4R
> MYDOMAIN#1b 1151589720 192.168.2.71 64R
> MYDOMAIN#1c 1151663528 192.168.2.71 193.168.2.71 194.168.2.71 e4R
> MYDOMAIN#1e 1151663528 255.255.255.255 e4R
> MYPDC#00 1151589720 192.168.2.71 66R
> MYPDC#03 1151589720 192.168.2.71 66R
> MYPDC#20 1151589720 192.168.2.71 66R
> MYBDC1#00 1151663528 193.168.2.71 66R
> MYBDC1#03 1151663528 193.168.2.71 66R
> MYBDC1#20 1151663528 193.168.2.71 66R
> MYBDC2#00 1151663528 194.168.2.71 66R
> MYBDC2#03 1151663528 194.168.2.71 66R
> MYBDC2#20 1151663528 194.168.2.71 66R

That should be pretty good until Thu Jun 29 14:02:00 2006 (UTC) when the entries with the timestamp 1151589720 will expire.

If you're going to hardcode data into WINS, at least read the documentation on how to do that: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetworkBrowsing.html#id2554221

Of course, I still recommend that you don't try to force software to do replication when it wasn't designed to do that.

- Logan
Re: [Samba] Samba WINS Questions
On Tue, 27 Jun 2006, Vincent Fonteneau wrote:
> MYPDC#00 1151589720 192.168.2.71 66R
> MYBDC1#00 1151663528 193.168.2.71 66R
> MYBDC2#00 1151663528 194.168.2.71 66R

Also, I forgot to mention: 193.168.2.71 and 194.168.2.71 (note the 193 and 194) are not RFC 1918 private IP addresses. That particular range of private IP addresses only goes from 192.168.0.0 up to 192.168.255.255.

If you want to use private addresses, there are 17,891,328 private IP addresses available, so why cause yourself (and possibly, others) problems by using public ones?

- Logan
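The two checks made by hand in the replies above (when a hardcoded wins.dat record expires, and whether its addresses are really RFC 1918 private) can be run over a whole file. This is an added example, not code from the thread or from Samba; the record layout (name#type, absolute expiry in Unix seconds, one or more addresses, flags) is taken from the quoted entries, and treating 255.255.255.255 as a placeholder rather than a host is an assumption.

```python
import ipaddress
from datetime import datetime, timezone

# The three RFC 1918 private ranges.
RFC1918 = tuple(ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
# Assumption: on the #00/#1e group records this is a placeholder, not a host.
GROUP_PLACEHOLDER = ipaddress.IPv4Address("255.255.255.255")

# Constructed sample: a subset of the records quoted in the thread.
SAMPLE_WINS_DAT = """\
MYDOMAIN#00 1151663528 255.255.255.255 e4R
MYDOMAIN#1c 1151663528 192.168.2.71 193.168.2.71 194.168.2.71 e4R
MYPDC#00 1151589720 192.168.2.71 66R
MYBDC1#00 1151663528 193.168.2.71 66R
MYBDC2#00 1151663528 194.168.2.71 66R
"""


def rfc1918_address_count():
    """Total number of addresses in the three private ranges."""
    return sum(net.num_addresses for net in RFC1918)


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def parse_record(line):
    """Return (name#type, expiry as UTC datetime, [addresses], flags)."""
    line = line.strip()
    if line.startswith('"'):
        # Quoted form, so a name containing spaces stays in one piece.
        end = line.find('"', 1)
        if end == -1:
            raise ValueError("unterminated name: %r" % line)
        key, rest = line[1:end], line[end + 1:].split()
    else:
        key, *rest = line.split()
    if "#" not in key or len(rest) < 3:
        raise ValueError("not a name record: %r" % line)
    expiry = datetime.fromtimestamp(int(rest[0]), tz=timezone.utc)
    addresses = [ipaddress.IPv4Address(a) for a in rest[1:-1]]
    return key, expiry, addresses, rest[-1]


def audit(text, now):
    """Map each record to its expiry, expired state and public addresses."""
    findings = {}
    for line in text.splitlines():
        if "#" not in line:
            continue  # blank line or file header
        key, expiry, addresses, _flags = parse_record(line)
        findings[key] = {
            "expires": expiry,
            "expired": expiry <= now,
            "public": [str(a) for a in addresses
                       if a != GROUP_PLACEHOLDER and not is_rfc1918(a)],
        }
    return findings


if __name__ == "__main__":
    now = datetime(2006, 6, 29, 15, 0, tzinfo=timezone.utc)  # constructed "now"
    for key, f in audit(SAMPLE_WINS_DAT, now).items():
        state = "EXPIRED" if f["expired"] else "valid"
        print(key, f["expires"].isoformat(), state, "public:", f["public"])
```
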
Re: [Samba] samba-3.0.22 with Heimdal Kerberos - compilation problem
On Sat, 24 Jun 2006, Doug VanLeuven wrote:
> Nir Barkan wrote:
>> I'm trying to compile samba-3.0.22 with Heimdal Kerberos on Solaris 8
> When I configure compile from non-standard libs, I explicitly set the paths required. Some people like to put it on the command line, but I created a shell script to invoke configure with my required options and compiler flags. These are commented on at the end of output from ./configure --help
> #!/bin/sh
> export LIBS="-L/usr/local/ldap/lib -L/usr/local/lib"
> export CFLAGS="-O2 -L/usr/local/ldap/include -I/usr/local/include"
> export CPPFLAGS="-I/usr/local/ldap/include"
> ./configure \
>     (flag1=opt) \
>     (flag2=opt)

On Solaris, you may want to do a -R for every -L you do (if using shared libraries); this will embed the path into the executable so that you don't have to LD_LIBRARY_PATH nonsense.

To the original person with the problem: if you could post your compiler command line (the gcc or cc that actually generates that error message), that might help, since it would be nice to see what -I arguments and so on that the Makefile is passing it.

Also, by the way, export FOO=bar isn't legal Bourne shell syntax. It works in ksh and bash, but in sh you need FOO=bar ; export FOO or similar. Of course, on a Linux system /bin/sh often is something other than straight Bourne shell, but if you're relying on non-Bourne shell features, you should put #!/bin/bash or something. Not that it matters a whole heck of a lot in a script that is designed to wrap configure, though...

- Logan
Re: [Samba] Samba WINS Questions
On Mon, 26 Jun 2006, Vincent Fonteneau wrote:
> I'm using Samba 3.0.21c with PDC and several BDCs in different subnets. I'm trying to use Wins servers on all the BDC servers and on the PDC. The problem occurs in the network browsing.

Hopefully someone will correct me if I'm wrong (please...), but as far as I know, the only valid WINS configuration is to have exactly one WINS server for a given domain. WINS servers can't sync, so if you have more than one, you would have two different, inconsistent view of the NetBIOS names available within the domain.

- Logan
[Samba] smbldap-passwd and uppercased schemes
Hey everyone,

I'm looking at the IDEALX smbldap-passwd script (the version which comes with samba 3.0.22, in the examples directory), and it seems to want to set the password scheme to an uppercase string, i.e.:

    {CRYPT}foobarfoobar
    {MD5}barfoobarfoo

However, looking at RFC 2307 ( http://www.ietf.org/rfc/rfc2307.txt ), in section 5.3, it would appear that these are supposed to be lowercase, like this:

    {crypt}foobarfoobar
    {md5}barfoobarfoo

So, my question is, is the scheme case-sensitive? The RFC doesn't give any indication that case is irrelevant, but smbldap-passwd uses uppercase and (presumably) gets away with it.

Obviously I easily hack the script to fix this, but I only want to do that if it's really necessary -- I like to stick with vanilla versions of things unless there's a good reason not to.

- Logan
Re: SOLVED! Re: [Samba] Files are being saved as read-only
On Mon, 26 Jun 2006, Rob Tanner wrote:
> It turns out that the problem is a Microsoftism since it only happens with Office documents. It also turns out that only if profile acls is set to 'yes' in smb.conf do you see the problem. Set it to 'no' and no problem. Weird eh??

I believe I remember hearing somewhere that, instead of (the Win32 equivalent of) open(); write(); write(); write(); close();, lots of MS products first create a new file, then write the save data to the new file, then remove the old file, then rename the new to have the same name as the old[1].

The point being, when these apps are saving a file, they're not updating an existing file; instead, they're CREATING a new file. So, I would check if new files are created read-only by default; maybe that is the real problem.

- Logan

[1] There is some benefit to this approach: you've always got a complete copy of the file on disk at any given time, for one thing.
Re: [Samba] Off topic NSS_LDAP
On Fri, 23 Jun 2006, IT wrote:
> Anybody can compile NSS_LDAP under Solaris 10 ?, i have a trouble compiling this tool.

Doesn't Solaris have built-in support for ldap in nsswitch.conf? Why would you need to compile your own?

- Logan
Re: [Samba] Upgrading to latest version on Solaris 2.6...
On Thu, 22 Jun 2006, Mathew W. Hurd wrote:
> i'm currently running version 2.0.7 on my Solaris 2.6 box. i'd like to upgrade to the latest (samba-3.0.22-1-noads-sunos5.9-sparc.pkg.gz) but i am not certain if it is compatible with my version of Solaris.

That wouldn't be compatible, because based on the sunos5.9 in the filename, it would be a package for SunOS 5.9, i.e. Solaris 9. That will mean it's linked against all Solaris 9 versions of the shared libraries and may rely on other binary interfaces as well.

Sun does a very good job of ensuring that binary compatibility is retained when you take software built on an older system and bring it forward to a newer system, but the reverse isn't true, so I wouldn't expect that package to work.

If I were you, I'd do one of three things:

1) Build from source. Not really that hard, hopefully.
2) Upgrade and get off Solaris 2.6 and onto something which isn't positively ancient. :-)
3) Go digging for a binary package from somewhere else. For instance, http://www.sunfreeware.com/ seems to have a Samba 3.0.10 built for SPARC Solaris 2.6. Maybe you can find a newer one somewhere else.

Hope that helps...

- Logan
Re: [Samba] change ldap passwd
On Wed, 21 Jun 2006, Craig Jackson wrote:
> I have what I believe to be a working samba installation using ldap as the back end. The set up is workgroup only -- no domain. Can someone tell me how root might change a user's samba password at the command prompt? I read pdbedit man page and saw nothing about changing passwords. Thanks.

    # smbpasswd joebob

- Logan
[Samba] LDAP GID-SID without winbind?
Hello everyone,

In my new Samba environment, I have a few servers that use LDAP for Unix accounts (via PADL's NSS stuff). This is working fine for Unix accounts, and everything is in LDAP.

These servers are also going to run Samba, with the ldapsam backend. I've noticed that ldapsam allows me to maintain a UID-SID mapping by simply putting the SID in the sambaSID attribute for a (domain) user. That is, I can manually assign the SID when I create the account.

Is there any simple equivalent thing for GID-SID mappings for groups? I'd really like to just choose a SID when I choose a GID at the same time I'm adding the group. And I'd like it to be a SID that matches the domain SID; that would help keep things uniform across servers.

I've looked at the documentation quite a lot, and the only thing I've seen allusions to so far that allows GID-SID mapping to be stored in LDAP is using idmap with winbind. It seems very strange to me that there's an easy way to do this (without winbind) for users but there isn't for groups.

For what it's worth, I'm trying to avoid winbind (at least, using NSS going through winbind) because the new PDC is also to be a Samba file server, smtp/pop3/imap mail server, etc. Basically, I just want all Unix UIDs and GIDs and all SIDs to be specified manually in LDAP.

I notice in the figures in Chapter 11 of the official HOWTO that it shows winbind querying ldapsam to do GID-SID mapping. Is it possible that winbind (one d) refers to winbindd (two ds -- the daemon) and this implies that I can have LDAP-based GID-SID mapping by running the winbindd daemon but not setting up winbind anywhere in /etc/nsswitch.conf?

Thanks for any insight -- I've spent hours today looking through the documentation and I've learned a lot, but I haven't learned the one thing I need to know... :-)

- Logan
Re: [Samba] Re: password change on WinXP
On Sat, 17 Jun 2006, Petteri Larjos wrote:
> Thank you Conrad for answering. If I remember correctly the laptop users need two accounts (local and remote) even though samba is PDC or one could not logon when not connected to LAN. How this is handled?

As I understand it, Windows clients will cache logon information. So you can logon once while connected to the LAN and thus having the PDC accessible, then in the future when you are disconnected from the LAN, you can still logon and the Windows client will authenticate you using the locally cached authentication info.

Here's a MS knowledge base article about it: http://support.microsoft.com/kb/q172931/

Now, what I don't know is whether taking advantage of this is considered a best practice in the Windows world. For all I know, the cached information might expire after a week or something, which could leave someone in a bind if they are away from the LAN for too long (say, on a business trip). Anyone have comments about that?

- Logan
[Samba] wins vs. browsing, and documentation
I've been reading Chapter 9 (Network Browsing) of the Official Samba-3 HOWTO and Reference Guide, and the documentation is causing me some confusion.

Up at the very top of the chapter, it says:

    WINS is the best tool for resolution of NetBIOS names to IP addresses; however, WINS is not involved in browse list handling except by way of name-to-address resolution.

But then there is a whole section in this chapter called WINS: The Windows Internetworking Name Server. If the two aren't related[1], then why is WINS covered in the browsing chapter? Is this just a quirk of the way the documentation is laid out, or does it imply there is a closer connection between browsing and WINS?

I think it is the former, but it gets a little confusing, particularly when the same chapter is discussing two different types of synchronization: synchronization between LMBs and DMBs (which Samba *does* support -- I think) and also discussing synchronization of data between WINS servers (which Samba does *not* support).

- Logan

[1] except that browse servers use WINS name services to find each other, but then lots of other things use WINS to find each other, so that's hardly a special situation.
[Samba] Mommy, where do RIDs come from?
Hey everyone,

I'm preparing for a transition in which I'll be moving everything (PDC, WINS server, big file shares) off an old Linux server running Samba 2.2.7 onto a much newer Linux system running Samba 3.0.22. In the process, I'll be switching from smbpasswd (only thing supported under Samba 2.x, if I understand correctly) to ldapsam on Samba 3.x.

I want to keep the same domain name and preserve SIDs for users and machine accounts (and the domain) so that clients can just start using the new PDC without disruption (except possible reboot, which is OK), so my plan is to populate the password database on the new server with the exact same usernames and SIDs and hashes that are in use on the old server. (I may clean up the UIDs, though.)

However, I've noticed something odd: /etc/samba/smbpasswd on 2.2.7 doesn't contain any RIDs or SIDs. And yet, if I run rpcclient and do lookupnames lshaw against the 2.x server, I can see that my (lshaw's) SID is formed of the domain SID plus some RID that comes from somewhere. But, *where* is that RID coming from? I presume it is some sort of persistent mapping, but what stores it? It's not in smbpasswd, because it doesn't contain RIDs (only UIDs). It doesn't seem to be in any of the files /var/cache/samba/*.tdb either, but I could be missing something.

I suppose since I can use rpcclient to get the correct SID, this is partly just a matter of curiosity, but I think I'd feel better if I knew what was really going on...

Also, as long as I'm asking questions, can anyone spot holes in my idea of swapping out the PDC with a new one that has identical data? It seems like as long as the data is identical, the clients should be able to transition over with no problems. It'd be just like a client switching from a PDC to a BDC, right?

- Logan
Re: [Samba] Windows XP and Samba 3.0.22 -- don't mix?
On Tue, 13 Jun 2006, Jeremy Allison wrote:
> are using it successfully (and I'm not saying that lightly). If the process seems stuck try attaching to it with gdb or strace and find out what it's doing. Don't use kill -9, that can damage internal Samba databases.

It seems to me that, in most cases (there are exceptions), doing a kill -9 isn't any more harmful than the machine crashing or power being lost. How resistant is smbd to the machine losing power? Would the same risk exist?

- Logan
Re: [Samba] samba 3.0.22 and hebrew file names
On Tue, 13 Jun 2006, Shlomi . wrote:

> We had an old Sun server running Solaris 2.6 with samba 2.2.2. Now we upgrade it to Solaris 9 with Samba 3.0.22, but we have one problem. The file names that are in Hebrew look on the Windows clients as lines or squares. On the old samba server there were no char settings, on the new samba server I set the char to 862 and the display and unix chars to ISO8859-8 and UTF-8 - it didn't help. I guess that the samba doesn't know where to get the CP862 file.

I researched internationalization with Samba a while back, and this is the conclusion I came to:

1. Any given installation of Samba 3 uses three different character sets: (1) the character set of filenames on disk, (2) Unicode for speaking to (Windows) clients that support Unicode in CIFS, and (3) a legacy codepage for clients that use an older version of CIFS and don't support Unicode.
2. Samba 3 converts freely between these different character sets at runtime as needed.
3. Samba 2 doesn't support Unicode at all (or at least not for filenames), so its on-disk character set is always the same as the character set it uses when communicating to clients, and it does no conversion.

Based on these three facts (if I'm remembering them right), I would guess what has happened is this: when using Samba 2, you set your Samba server to use the Hebrew codepage (862, I guess). This means that all the filenames got created on disk using that character set. But then you upgraded to Samba 3 and are using the same set of files. Now Samba 3 is expecting to see Unicode filenames but the files are still codepage 862.

The best solution is probably to set Samba to use Unicode on the disk, then rename all your files to Unicode names. Somewhere out there is a script that can do this. Samba should automatically speak Unicode to newer Windows clients, so as long as you work out the on-disk character set and have that set up properly, everything should be good.

Once you have Samba set up to do Unicode on disk, you should be able to connect from a Windows client and create some files using Hebrew characters and they should show up properly. That would be a good test and would help prove that all you need to do is get the existing filenames into the right format.

One more thing: since (as I understand it) Samba can also speak with a fixed 8-bit codepage to legacy clients that do not support Unicode, you might want to set that codepage to 862 in the configuration file. I forget what the directive is, but there is one that controls what Samba speaks on the wire to clients that don't support Unicode.

- Logan

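One way to write the rename step the reply above describes, as an added example that is not from the thread or from the Samba project. It assumes the existing names are CP862 bytes and the new on-disk charset is UTF-8; the function names are made up here, and it runs as a dry run unless `--apply` is given.

```python
"""Plan and apply a CP862 -> UTF-8 filename migration (added example)."""
import os
import sys

LEGACY = "cp862"   # assumption: charset the old server wrote names in
TARGET = "utf-8"   # assumption: charset the new server expects on disk


def convert_name(raw):
    """Return the UTF-8 form of one name, or None if it needs no change."""
    try:
        raw.decode(TARGET)   # ASCII and already-migrated names pass here
        return None
    except UnicodeDecodeError:
        pass
    # CP862 Hebrew letters are single bytes 0x80-0x9A. Those are bare
    # continuation bytes in UTF-8, so legacy Hebrew names always reach this
    # line. Names made of other high bytes can pass as UTF-8 by accident,
    # which is why the plan should be reviewed before it is applied.
    return raw.decode(LEGACY).encode(TARGET)


def plan_renames(names):
    """Map legacy names to UTF-8 names within one directory listing."""
    taken = set(names)
    plan, conflicts = {}, []
    for raw in sorted(names):
        new = convert_name(raw)
        if new is None:
            continue
        if new in taken:
            conflicts.append(raw)   # never rename onto an existing entry
            continue
        taken.add(new)
        plan[raw] = new
    return plan, conflicts


def migrate_tree(root, apply=False):
    """Walk bottom-up so a directory's contents move before the directory."""
    done, skipped = [], []
    # A bytes root makes os.walk return raw byte names; symlinks are not
    # followed, so the walk stays inside the share.
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        plan, conflicts = plan_renames(dirnames + filenames)
        skipped += [os.path.join(dirpath, name) for name in conflicts]
        for old, new in plan.items():
            src = os.path.join(dirpath, old)
            dst = os.path.join(dirpath, new)
            if apply:
                os.rename(src, dst)
            done.append((src, dst))
    return done, skipped


if __name__ == "__main__":
    top = os.fsencode(sys.argv[1])
    renamed, left_alone = migrate_tree(top, apply="--apply" in sys.argv[2:])
    for src, dst in renamed:
        print(repr(src), "->", repr(dst))
    for path in left_alone:
        print("conflict, not renamed:", repr(path))
```

Run it with the share offline and keep the dry-run output, since it is the only record of the old names.
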
[Samba] Deleting undeletable files gives no error
I have an odd problem that involves clients deleting files they should not be able to delete, and claiming success, but then the files come back again.

Here's the setup: I have a filesystem that contains a file foobar.txt owned by user test, group test. Permissions on this file are 644, permissions on the enclosing directory are 777. I share this filesystem via samba (version 3.0.20), using this config:

    [test]
    path=/mnt/test
    writable = yes
    browsable = yes
    hide dot files = yes
    wide links = no
    delete readonly = yes
    guest ok = yes
    guest only = yes
    force create mode = 400
    force directory mode = 700
    force user = test
    force group = test

I mount this share on an XP box. I delete foobar.txt. It works and all is well.

Then I do the same exact test except mount /mnt/test readonly. Now, when I delete foobar.txt, it seems to work, but refreshing the XP window or doing dir again shows the file wasn't actually deleted.

Obviously you can't delete a file off of a readonly filesystem, but (and here's the problem) shouldn't there have been an error message given? The delete failed, but the user wasn't informed.

David

Re: [Samba] Deleting undeletable files gives no error
On Fri, Feb 24, 2006 at 11:33:44AM -0600, Gerald (Jerry) Carter wrote:

> David Shaw wrote:
>
> > Then I do the same exact test except mount /mnt/test readonly. Now, when I delete foobar.txt, it seems to work, but refreshing the XP window or doing dir again shows the file wasn't actually deleted.
> >
> > Obviously you can't delete a file off of a readonly filesystem, but (and here's the problem) shouldn't there have been an error message given? The delete failed, but the user wasn't informed.
>
> This is by design. The internal checks for deleting a file (needed for delete-on-close semantics) only look at the file system permissions. Maybe Jeremy has an idea but if you mount a filesystem ro, I would say just mark the share with (read only = yes). I don't see a need to add any other changes.

Perhaps readonly is not the best example. I'm concerned because the same thing happens with any of the many reasons why unlink() might fail. For example, EIO from a hardware problem, EACCES because the file has the immutable (uchg) or undeletable flag set, running over a filesystem that has a notion of retention (can't delete until 2007), etc.

David

Re: [Samba] Deleting undeletable files gives no error
On Fri, Feb 24, 2006 at 10:52:10AM -0800, Jeremy Allison wrote:

> On Fri, Feb 24, 2006 at 01:32:02PM -0500, David Shaw wrote:
>
> > Perhaps readonly is not the best example. I'm concerned because the same thing happens with any of the many reasons why unlink() might fail. For example, EIO from a hardware problem, EACCES because the file has the immutable (uchg) or undeletable flag set, running over a filesystem that has a notion of retention (can't delete until 2007), etc.
>
> There's nothing we can do about it other than look at the share and file permissions. In POSIX you can only know for sure if you are allowed to delete a file if you actually do the delete.
>
> Windows clients do the following option to delete: open with delete intent - set delete on close - close. They expect any error to be returned on the open with delete intent call, if we return an error on the close (when we actually do the delete) then they don't display that error to the client (as you have noticed).
>
> The problem is that the action of setting the delete on close is separate from the open action, and can also be reversed by unsetting it. This means we can't just open and unlink on the open with delete intent request as would be natural under POSIX.
>
> What we have is the best compromise we could create.

Thanks, for both you and Jerry. That's a very clear explanation.

David

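The three-request delete sequence explained in the message above, as a small model (an added example, not Samba's code and not part of the thread). The function names, the `os.access` check on the parent directory and the `read_only_unlink` stand-in are assumptions made here to reproduce the read-only-mount case without needing such a mount.

```python
"""Model of the SMB delete sequence from the thread (added example)."""
import errno
import os
import tempfile


def may_delete(path):
    """Up-front check (assumed here): write+search permission on the parent.
    EROFS, EIO, immutable flags or retention only show when unlink() runs."""
    parent = os.path.dirname(os.path.abspath(path))
    return os.access(parent, os.W_OK | os.X_OK)


def open_with_delete_intent(path):
    """Request 1: the only status a Windows client reports to the user."""
    if not os.path.lexists(path):
        return None, errno.ENOENT
    if not may_delete(path):
        return None, errno.EACCES
    return {"path": path, "delete_on_close": False}, 0


def set_delete_on_close(handle, flag):
    """Request 2: separate and reversible, so nothing can be unlinked yet."""
    handle["delete_on_close"] = flag
    return 0


def close_handle(handle, unlink=os.unlink):
    """Request 3: the real delete; the client does not display this status."""
    if not handle["delete_on_close"]:
        return 0
    try:
        unlink(handle["path"])
    except OSError as exc:
        return exc.errno
    return 0


def client_delete(path, unlink=os.unlink):
    """Replay the sequence; return (open status, close status, still exists)."""
    handle, open_status = open_with_delete_intent(path)
    if handle is None:
        return open_status, None, os.path.lexists(path)
    set_delete_on_close(handle, True)
    close_status = close_handle(handle, unlink)
    return open_status, close_status, os.path.lexists(path)


def read_only_unlink(path):
    """Constructed stand-in for unlink() on a read-only mount."""
    raise OSError(errno.EROFS, os.strerror(errno.EROFS), path)


def demo():
    """Same file, once with the failing unlink and once with the real one."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "foobar.txt")
        open(path, "w").close()
        failed = client_delete(path, unlink=read_only_unlink)
        worked = client_delete(path)
    return failed, worked


if __name__ == "__main__":
    print(demo())
```

In the failing case the open status is 0, so the user sees success, while the close status carries EROFS and the file is still there; on a real server the close status in the server log is the place to look for these silent failures.
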
Re: [Samba] win2k usrmgr.exe returns remote procedure call failed
Matt Schwartz wrote:

> It might be simply that a tdb has become corrupt. Try deleting the .tdb files from your samba locks directory and rebuilding group mapping.

Thanks for the tip, but this had no effect. I went so far as to remove all .tdb files in the /usr/local/samba tree.

-Original Message-
From: [EMAIL PROTECTED]
Sent: Sunday, June 12, 2005 2:35 AM
To: samba@lists.samba.org
Subject: [Samba] win2k usrmgr.exe returns remote procedure call failed

--
Derek Shaw
BIS Business Information Systems Inc.
Victoria, BC.
voice: 250-885-2021 fax: 250-386-4060
GnuPG Public Key ID: 0x5553C338

Re: [Samba] win2k usrmgr.exe returns remote procedure call failed
Matt Schwartz wrote:

> It might be simply that a tdb has become corrupt. Try deleting the .tdb files from your samba locks directory and rebuilding group mapping.

Further experience to add here after re-creating all the .tdb files.

I have a win2k workstation temporarily sharing a directory. I have dis-joined and rejoined this machine to the samba (NT) domain. I did this after I unmapped and re-mapped the NT groups for the domain. Then I needed to fix the access permissions on the shared directory. In the sharing permissions for this folder I cannot add the mapped groups to the list of authorized users/groups. I can add individual users from the samba domain, and the well-known NT groups.

I suspect this is a different symptom of the same problem causing the rpc failed message when trying to use the windows usrmgr.exe tool.

Any ideas which logs I should be monitoring to see the difference between my replica server and this production server for this issue?

On a different tangent -- is there a way to re-create or re-print the list of files that were installed by samba (the list that shows up on the screen when one types make install)? I'd like to compare the lists between the two machines.

TIA for any other tips or ideas.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derek Shaw
Sent: Sunday, June 12, 2005 2:35 AM
To: samba@lists.samba.org
Subject: [Samba] win2k usrmgr.exe returns remote procedure call failed

--
Derek Shaw
BIS Business Information Systems Inc.
Victoria, BC.
voice: 250-885-2021 fax: 250-386-4060
GnuPG Public Key ID: 0x5553C338

[Samba] win2k usrmgr.exe returns remote procedure call failed
WHAT I HAVE:

I've inherited a production debian system. uname reveals kernel 2.4.18-bf2.4. I am now running samba 3.0.14a with a completely stock from source install (as part of my troubleshooting activities). The machine acts as a PDC for win2k clients. It uses smbpasswd for the password back end. There are approx 20 users. It also serves dhcp, ntp, mysql and apache.

WHAT I WANT:

I want to have a person at the client's site able to log on as root and use the srvtools in win2k to manage the groups and users. In other words, they need to be able to use usrmgr.exe to manage the users and groups of the domain from one of the win2k workstations.

WHAT THE ERROR MESSAGE SAYS:

if I double click on a user, a standard windows error dialogue comes up

    User Manager for Domains
    The following error occurred accessing the properties of the user XX:
    The remote procedure call failed:
    The user properties cannot be edited or viewed at this time.
    [OK]

if I double click on a group (well-known or mapped unix group) the same error dialogue comes up

    User Manager for Domains
    The following error occurred accessing the properties of the group YY:
    The remote procedure call failed:
    The group properties cannot be edited or viewed at this time.
    [OK]

If I then immediately double click again on one of the items (user or group) the dialogue is a little different:

    User Manager for Domains
    The following error occurred accessing the properties of the [user|group] ZZ:
    The handle is invalid.
    The user properties cannot be edited or viewed at this time.
    [OK]

WHAT I HAVE DONE SO FAR:

Since it is a production machine, I have built a replica to experiment with. It has the same debian kernel and stock from source install of samba 3.0.14a. I copied the smb.conf file, /etc/passwd, /etc/shadow, and private/smbpasswd files and the directory and permissions structure of the production server. The objective was to make as close a copy as I could of the conditions, users and groups on the production server (excluding mysql, dhcp, and apache).

I have not been able to replicate the problem. That is, usrmgr.exe works as expected when the replica is acting as PDC.

On the production server I have set the logging up to 10 and used usrmgr.exe. None of the log files had any activity at all. When I did this with the replica server, there were the expected entries in the logs.

Other than this problem with rpc, the production server seems to operate correctly. For example, I can add machines to the domain. The user/group management tools work in the debian linux environment (except net rpc commands).

I've unmapped and remapped the groups, compared the passwd, shadow and smbpasswd files (just in case). I have been thru all the troubleshooting checklists in the HOW-TO collection, and searched that document extensively. Hours with Google have proved fruitless.

So the issue seems to be, what part of the linux install is missing from my production machine that supports the rpc needs of usrmgr.exe? What should I post here that would help with troubleshooting?

Any other suggestions, tips, pointers, etc. are most welcome, as I have run out of knowledge and ideas.

TIA!

d.

Re: [Samba] is the domain admin password stored on the local machine?
Tomasz Chmielewski wrote:

> I just wanted to know if the domain admin password is stored on the local machine, when that machine joins the domain? Or is it just used to authenticate, and it is not stored anywhere on the workstation?

you may want to read this Microsoft document about cached domain logons http://tinyurl.com/93w7h

or this one: http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/gp/579.asp

in brief: Set the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount to 0.

here's why: http://www.irongeek.com/i.php?page=security/cachecrack

--
Derek Shaw
BIS Business Information Systems Inc.
Victoria, BC.
voice: 250-885-2021 fax: 250-386-4060
GnuPG Public Key ID: 0x5553C338

Re: [Samba] Demote old NT4 PDC to member of Samba domain?
Mi wrote:

> Hi,
>
> When installing Samba, I made it a PDC in a new domain. Now I would like the old NT4 PDC in the old domain to become a plain host in my Samba domain. Is this possible? I need to keep the old NT4 machine because it's running the Symantec Corporate Edition NAV.
>
> In other words, I have
> NEWDOMAIN with Samba PDC and all clients
> OLDDOMAIN with NT4 PDC alone, no client
>
> Can my NT4 PDC become a plain client in NEWDOMAIN?

yes it can. I have done this (and more) with a 3rd-party tool called UPromote. It saved me a lot of face, about 5 years ago. When I realized that I would have to rebuild a PDC to become a member server, at about 2 am, for the next day, I refused to believe it. And under the conditions of the time, I was happy to pay the price they were asking.

I've used it a number of times since, always without fail. Of course a backup (like a ghost image) is always a good idea before starting.

http://utools.com/UPromote.asp

Cheers!

d.

Re: [Samba] File And Folder Sharing Security
Anuwa Mohamad Jamili wrote:

> Dear Fellows,
>
> Anyone can help me.. how to protect the file or folder each time user create from delete/remove/rename
>
> Example: User1 create new file under share folder -- test
>
> How can I protect every file under folder test from delete or remove or rename..

check the force create mode option in the smb.conf man page (and consider how the other force options might interact with what you want to do). you may also want to consider the use of the sticky bit on the directory (http://en.wikipedia.org/wiki/Chmod).

Cheers!

d.

[Samba] Incorrect This folder already contains a file named... error
I am trying to export a Fuse filesystem via Samba (Samba 3.0.7, latest CVS Fuse on kernel 2.6.10). Fuse (http://fuse.sourceforge.net) is a library and kernel module to allow writing filesystems in userspace. I'm having a problem, however, in one odd place.

Basically, the export works, and files are readable. However, when putting a new file in via drag-and-drop, windows (XP) pops up a dialog saying that the file already exists, and asking if it should be replaced. Needless to say, the file doesn't already exist.

I took a look at the logs and the sequence of filesystem events during a drop looks basically like this:

    GETATTR /testfile returns ENOENT
    (20-30 getattr and getdirs for /testfile, /, and /* here - Samba does this for some reason)
    MKNOD /testfile
    GETATTR /testfile returns success

Now the popup happens: This folder already contains a file named testfile. Along with an offer to replace the current zero-length file with the one I'm dropping in. testfile didn't exist before the drag-and-drop - something requested the file be created after I dropped the file in, but before the popup happened.

I understand that there was a bug in Samba a while back that looked like this, but it was fixed. This problem seems to only happen with Fuse, and using a regular filesystem works fine. It's possible that my filesystem program or Fuse itself is doing something unusual that is confusing Samba.

Can someone point me in the right direction here?

Thanks,

David

Re: FeedbackNeeded -- Re: [Samba] Winbind and case sensitivity (revisited)
Note that my original problem was fixed when I sent in this patch: http://lists.samba.org/archive/samba-technical/2004-July/036575.html

That said, I still think it would be useful to flatten usernames to lowercase in some cases.

Tom

On Mon, 30 Aug 2004 09:34:46 -0500, Gerald (Jerry) Carter [EMAIL PROTECTED] wrote:

> Tom Shaw wrote:
> | I've had a look through the archives and found
> | this discussion on winbind and case sensitivity:
> | http://lists.samba.org/archive/samba/2004-February/080321.html
> ...
> | The issue is that winbind will in some cases return
> | a username capitalized as per the NT database (ie when
> | the user is looked up by uid), and in other cases as
> | per the way the user typed it (ie when the
> | user is looked up by username). This has caused problems
> | for me in integrating a Unix system into a Windows
> | environment.
> |
> | Has anyone done any work on making a patch like the
> | one Andrew Bartlett proposed?
>
> Andrew and I spoke about this briefly on IRC last week while debugging a different winbindd bug. It would be a pretty trivial change but one that would have a large impact on existing sites I think.
>
> So the question is how many installations will break if winbindd all of a sudden starts lower casing usernames? If I can be adequate feedback on this, we'll consider making the change.
>
> cheers, jerry
> Alleviating the pain of Windows(tm) --- http://www.samba.org
> GnuPG Key- http://www.plainjoe.org/gpg_public.asc
> If we're adding to the noise, turn off this song--Switchfoot (2003)

[Samba] Winbind and case sensitivity (revisited)
Hi

I've had a look through the archives and found this discussion on winbind and case sensitivity: http://lists.samba.org/archive/samba/2004-February/080321.html

The issue is that winbind will in some cases return a username capitalized as per the NT database (ie when the user is looked up by uid), and in other cases as per the way the user typed it (ie when the user is looked up by username). This has caused problems for me in integrating a Unix system into a Windows environment.

Has anyone done any work on making a patch like the one Andrew Bartlett proposed?

Andrew Bartlett wrote:

> I would accept a patch that made samba 'forced' to lower case. (It would lowercase all output, and force all input to be in lower case).

If nothing has been done yet, I'd be happy to have a go. The new option to smb.conf would be:

    winbind force case = lower/upper

How does that sound?

Tom Shaw

[Samba] A device attached to the system is not functioning.
I'm attempting to access a Solaris server (bart) which was previously a member of an NT resource domain running SAMBA 2.2.1a after it has been upgraded to SAMBA 3.0.1pre3.

When I attempt to browse it with a Windows 2000 workstation, I get a box saying:

    \\bart is not accessible. A device attached to the system is not functioning.

If I do smbclient -U (my account) -L bart it returns session setup failed: NT_STATUS_UNSUCCESSFUL.

smbd.log reports open_sockets_smbd: accept: Software caused connection abort.

I get a logfile for my IP address that reports lib/util_sock.c:get_peer_addr(940) getppername failed. Error was Transport endpoint is not connected

What's wrong?

[Samba] Q: Drives need remapped under Win2k against Solaris Sambaserver
Hello,

I'm running Samba 2.2.2 on a Solaris 7 machine and we are just now deploying Win2K to our desktops. We have discovered that on the Win2K boxes that mapped Samba drives will need to be remapped after a user logs out and logs back in. I've done a google search and seen the question listed before but no possible solutions or work-arounds were listed.

Has anyone else seen this before?

TIA,

Mike

---
Mike Shaw                      VOICE: +1(317)306-3084
UNIX Administrator             FAX: +1(317)306-4253
Raytheon Technical Services
6125 E. 21st St., Indianapolis, IN 46219 USA
INET: [EMAIL PROTECTED]
