RE: [Samba] Re: read and write list
I don't think you need the read only = no as the write list should be sufficient and I suspect the read only = no means that the share is writeable to everyone. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Igor Kryltsov Sent: 17 March 2004 02:44 To: [EMAIL PROTECTED] Subject: [Samba] Re: read and write list As there is no answers I will try to be more specific: 1) I installed newer version of Samba after reading http://lists.samba.org/archive/samba/2003-April/065184.html 2) My share configuration now looks like: [web_applications_ams_development] comment = Web Application AMS Development path = /var/ams guest ok = Yes write list = @"AMITY+Domain Admins" write list = @"Domain Admins" read only = No volume = WEB_APPLICATION_AMS_DEVELOPMENT I do not belong to group "Domain Admins" but still can write to share. "Igor Kryltsov" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > Hi, > > I can not find information how to configure a share to allow everyone read > access and users of specific NT group write access. > Now my smb.conf looks like: > [global] > log level = 2 > syslog = 2 > workgroup = AMITY > netbios name = AMITYDEVEL > guest account = nobody > security = server > password server = AMDATA > hosts allow = 10. > local master = yes > socket options = TCP_NODELAY > writable = yes > guest ok = yes > syslog only = yes > max log size = 1000 > [web_applications_ams_development] > path = /var/ams > comment = Web Application AMS Development > volume = WEB_APPLICATION_AMS_DEVELOPMENT > guest ok = no > # read only = yes > # writable = no > # read list = guest > # write list = igork > # write list = @"AMITY+AWS_AMS_Update" > # write list = @"AMITY+Domain Admins" > # valid groups = @"AMITY+AWS_AMS_Update" > valid groups = @"AMITY+Domain Admins" > > .. and I am lost. > > Please help, if you can. > > Thank you, > > Igor > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: http://lists.samba.org/mailman/listinfo/samba > -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba *** Emails aren't always secure, and they may be intercepted or changed after they've been sent. Abbey doesn't accept liability if this happens. If you think someone may have interfered with this email, please get in touch with the sender another way. This message doesn't create or change any contract. Abbey doesn't accept responsibility for damage caused by any viruses contained in this email or its attachments. Emails may be monitored. If you've received this email by mistake, please let the sender know at once that it's gone to the wrong person and then destroy it without copying, using, or telling anyone about its contents. Abbey National plc Reg.No. 2294747, Abbey National Treasury Services plc Reg. No. 2338548, Cater Allen International Ltd Reg. No. 2572704, and Inscape Investments Limited Reg. No. 3839455 are all registered in England and have their Registered Offices at: Abbey National House, 2 Triton Square, Regent's Place, London, NW1 3AN. Abbey National plc only advises on its own life assurance, pension and collective investment scheme products. Inscape Investments Limited is authorised and regulated by the Financial Services Authority for the provision of investment management services and only advises on the collective investment schemes, pensions, and life assurance products of the Abbey Marketing Group. Abbey and Inscape are registered trademarks of Abbey National plc. Abbey National Treasury Services plc is a Member of the London Stock Exchange. Abbey National Treasury Services US Branch (ANTSUS) is an overseas Branch of Abbey National Treasury Services plc. ANTSUS' address in the US is 400 Atlantic Street, Stamford, Connecticut, 06901, USA. Regulated by the Federal Reserve Bank and the State of Connecticut. Cater Allen International Ltd is a subsidiary of Abbey National Treasury Services plc, and is a Member of The London Stock Exchange. Abbey National Securities Inc. (ANSI) is Incorporated in Delaware USA. ANSI's address in the US is 400 Atlantic Street, Stamford, Connecticut, 06901, USA. Registered as a Broker Dealer with the Securities and Exchange Commission (SEC). Regulated by the SEC and National Association of Securities Dealers, Inc. (NASD), and a member of (NASD). Abbey National Securities Inc. is an indirect subsidiary of Abbey National Treasury Services plc. Abbey National Asset Managers Ltd. Reg. No. 106669. Registered Office: Abbey National House, 301 St Vincent Street, Gl
RE: [Samba] Samba as AD domain member
Have answered some of my own questions by RTFM ( see below ). Still interested to know if anyone has any ideas on replicating tdbs or if ldap backend is much easier. Also is there any way to get a user in a trusted domain with a unix account on the server to exhibit the same behaviour as that which you get with "winbind trusted domains only = yes" for the samba server domain i.e. is there anyway to extend the behaviour to have a list of domains for which winbind id mapping should not happen is an existing unix account is in place? any info would be greatly appreciated. thanks tim -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wright, Tim (ANTS) Sent: 20 February 2004 14:17 To: '[EMAIL PROTECTED]' Subject: [Samba] Samba as AD domain member Hi we're running 3.0.1 on Solaris 9 ( with NIS/flat files as the NS ) as a member server of the AD domain ( via kinit and then net join ). there's a couple of things we've noticed and I'm not sure if they're just the way it works or configuration problems: (1) we assign the gid an uid mappings with idmap in smb.conf and I thought that winbindd would not assign uid/gids if they already present which appears not to be the case? No it isn't the case as the smb.conf man page very clearly states (2) all we are using winbindd for is to give access to file shares ( not for logging into the unix server with AD account or anything ), and we seem to have a slight issue in that (i) a AD user with no unix account accesses a share and winbindd creates a unix account fot it and it is gtranted access to the share if it satisfies the valid users etc - good (ii) a AD user with a valid unix account ( with the same username in AD and NIS ) tries to access a share and sambd now validates the user as AD\username rather than just username - bad If you set winbind trusted domains only = yes then this is fine for users in the same AD domain as the Samba server. (3) Occasionally things just seem to stop working and the only way I can find to fix it is to clear out the lockdir of all tdb files and restart ( symptoms will be things like net status sessions hangs, net groupmap list hangs, wbinfo -r starts having issues ) (4) The samba stuff is running on a cluster ( active passive with dameons running on both nodes all the time and just the share configuration failing over ) - is there any way of ensuring that the tdb files are consistent between the two ( I saw something on this list about a similar issue with a backup print server ) - I'm I right in thinking we could set up an ldap backend to store the tdb information ( if so is this advisable or is it going to complicate things too much ). thanks tim *** This communication (including any attachments) contains confidential information. If you are not the intended recipient and you have received this communication in error, you should destroy it without copying, disclosing or otherwise using its contents. Please notify the sender immediately of the error. Internet communications are not necessarily secure and may be intercepted or changed after they are sent. Abbey National Treasury Services plc does not accept liability for any loss you may suffer as a result of interception or any liability for such changes. If you wish to confirm the origin or content of this communication, please contact the sender by using an alternative means of communication. This communication does not create or modify any contract and, unless otherwise stated, is not intended to be contractually binding. Abbey National Treasury Services plc. Registered Office: Abbey National House, 2 Triton Square, Regents Place, London NW1 3AN. Registered in England under Company Registration Number: 2338548. Regulated by the Financial Services Authority (FSA). *** -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba *** This communication (including any attachments) contains confidential information. If you are not the intended recipient and you have received this communication in error, you should destroy it without copying, disclosing or otherwise using its contents. Please notify the sender immediately of the error. Internet communications are not necessarily secure and may be intercepted or changed after they are sent. Abbey National Treasury Services plc does not accept liability for any loss you may suffer as a result of interception or any liability for such changes. If you wish to confirm the origin or content of this communication, please contact the sender by using an alternative means of communication. This communication does not create o
[Samba] Solaris interposer code for nsswitch.conf
Hi there was a mail a while back on this list about using the LD_PRELOAD feature on Solaris in order to override the location of nsswitch.conf for smbd so only it would use winbindd. I did some digging and came up with the code at the bottom of this mail ( I've overridden every file open call I could find, but I think it's only the _open() call which is actually necessary ). Initial testing seems to show it working ok - may be of use to some people. tim. ps I'm not a C coder so this may not be the best in the world - if anyone can do it better then please fix and post to the list. /* * Intercept open() call so that rather than using /etc/nsswitch.conf, * a different file can be used. Build as follows: * cc -o nsswitch_interposer.so -G -Jpic nsswitch_interposer.c * setenv LD_PRELOAD $cwd/nsswitch_interposer.so * run smbd * * Remove the printf statements in each function when using in earnest - they are just there for debugging. */ #include #include #include FILE* fopen(const char *fpath, const char *mode ){ static FILE * (*func)(const char*, const char *); if(!func) func = ( FILE * (*)(const char*, const char *))dlsym(RTLD_NEXT, "fopen"); if(strcmp(fpath,"/etc/nsswitch.conf")==0) fpath = "/etc/nsswitch_samba.conf"; printf("calling fopen(%s, %s)\n", fpath, mode); return(func(fpath, mode)); } FILE* fopen64(const char *fpath, const char *mode ){ static FILE * (*func)(const char*, const char *); if(!func) func = ( FILE * (*)(const char*, const char *))dlsym(RTLD_NEXT, "fopen64"); if(strcmp(fpath,"/etc/nsswitch.conf")==0) fpath = "/etc/nsswitch_samba.conf"; printf("calling fopen64(%s, %s)\n", fpath, mode); return(func(fpath, mode)); } int open(const char *path, int oflag ){ static int (*func)(const char*, int); if(!func) func = ( int (*)(const char*, int))dlsym(RTLD_NEXT, "open"); if(strcmp(path,"/etc/nsswitch.conf")==0) path = "/etc/nsswitch_samba.conf"; printf("calling open(%s, %d)\n", path, oflag); return(func(path, oflag)); } int _open(const char *path, int oflag ){ static int (*func)(const char*, int); if(!func) func = ( int (*)(const char*, int))dlsym(RTLD_NEXT, "_open"); if(strcmp(path,"/etc/nsswitch.conf")==0) path = "/etc/nsswitch_samba.conf"; printf("calling _open(%s, %d)\n", path, oflag); return(func(path, oflag)); } *** This communication (including any attachments) contains confidential information. If you are not the intended recipient and you have received this communication in error, you should destroy it without copying, disclosing or otherwise using its contents. Please notify the sender immediately of the error. Internet communications are not necessarily secure and may be intercepted or changed after they are sent. Abbey National Treasury Services plc does not accept liability for any loss you may suffer as a result of interception or any liability for such changes. If you wish to confirm the origin or content of this communication, please contact the sender by using an alternative means of communication. This communication does not create or modify any contract and, unless otherwise stated, is not intended to be contractually binding. Abbey National Treasury Services plc. Registered Office: Abbey National House, 2 Triton Square, Regents Place, London NW1 3AN. Registered in England under Company Registration Number: 2338548. Regulated by the Financial Services Authority (FSA). *** -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Samba as AD domain member
Hi we're running 3.0.1 on Solaris 9 ( with NIS/flat files as the NS ) as a member server of the AD domain ( via kinit and then net join ). there's a couple of things we've noticed and I'm not sure if they're just the way it works or configuration problems: (1) we assign the gid an uid mappings with idmap in smb.conf and I thought that winbindd would not assign uid/gids if they already present which appears not to be the case? (2) all we are using winbindd for is to give access to file shares ( not for logging into the unix server with AD account or anything ), and we seem to have a slight issue in that (i) a AD user with no unix account accesses a share and winbindd creates a unix account fot it and it is gtranted access to the share if it satisfies the valid users etc - good (ii) a AD user with a valid unix account ( with the same username in AD and NIS ) tries to access a share and sambd now validates the user as AD\username rather than just username - bad (3) Occasionally things just seem to stop working and the only way I can find to fix it is to clear out the lockdir of all tdb files and restart ( symptoms will be things like net status sessions hangs, net groupmap list hangs, wbinfo -r starts having issues ) (4) The samba stuff is running on a cluster ( active passive with dameons running on both nodes all the time and just the share configuration failing over ) - is there any way of ensuring that the tdb files are consistent between the two ( I saw something on this list about a similar issue with a backup print server ) - I'm I right in thinking we could set up an ldap backend to store the tdb information ( if so is this advisable or is it going to complicate things too much ). thanks tim *** This communication (including any attachments) contains confidential information. If you are not the intended recipient and you have received this communication in error, you should destroy it without copying, disclosing or otherwise using its contents. Please notify the sender immediately of the error. Internet communications are not necessarily secure and may be intercepted or changed after they are sent. Abbey National Treasury Services plc does not accept liability for any loss you may suffer as a result of interception or any liability for such changes. If you wish to confirm the origin or content of this communication, please contact the sender by using an alternative means of communication. This communication does not create or modify any contract and, unless otherwise stated, is not intended to be contractually binding. Abbey National Treasury Services plc. Registered Office: Abbey National House, 2 Triton Square, Regents Place, London NW1 3AN. Registered in England under Company Registration Number: 2338548. Regulated by the Financial Services Authority (FSA). *** -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba