Re: [Samba] BUILTIN groups mapping via winbind!!

2007-11-01 Thread Kaustubh Chaudhari

Hi Herman,

Ok, I got an idea, thanks a lot for putting your time into this and 
helping me out. :)


Regards,
Kaustubh

herman wrote:

> Kaustubh Chaudhari wrote:
>
>> Hi Herman.
>>
>> This is really helpful information, but I am not able to understand
>> why in built group we can't see a mapping for a normal user, as if we
>> look Builtin is also an OU and we have some Builtin users and groups
>> in it.
>>
>> If I create an OU and groups or users in it then I can see all those
>> but just not with Builtin.
>>
>> Feel free to correct me, if you find I am wrong.
>>
>> Thanks for your interest in this.
>> Regards,
>> Kaustubh.
>
> Well, I have found that Winbind can get confused when you do things in
> ADS that you should not do - for example cross-linked users and groups
> after you dragged records around.  WinXP clients may still work, but
> the only way to fix Winbind is to delete the offending records in
> ADS.  The problem is that how you are supposed to find the offending
> records is impossible to say.  Sometimes you can fix it by trying to
> remember when it last worked and deleting everything that was changed
> since.  Sometimes, the only way to fix things is to give up and
> re-install ADS.
>
> Sooo, try to roll back till you get to a working situation, then make
> your changes very carefully and with frequent backups.  I run ADS on
> VMware and take a snapshot before every change I make to it, so I can
> roll back without too much hassle as soon as things stop working.
> Unfortunately, Winbind is still immature and not as robust as one may
> like it to be.
>
> Cheers,
>
> Herman


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] ACL changes on Samba NT 4.0 Member Server

2007-11-01 Thread John Drescher
On 11/1/07, Hans-Wilhelm Heisinger <[EMAIL PROTECTED]> wrote:
>
>  John,
>
>  Thank you for the reply. Below is the output from mount and ls -al.
> Yes I can login as CPDOM+admin and create files, but connecting to the share
> as CPDOM+admin doesn't work.
>
>  Hans
>
>  [EMAIL PROTECTED] ~]# mount
>  /dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
>  proc on /proc type proc (rw)
>  sysfs on /sys type sysfs (rw)
>  devpts on /dev/pts type devpts (rw,gid=5,mode=620)
>  /dev/hda1 on /boot type ext3 (rw,acl)
>  tmpfs on /dev/shm type tmpfs (rw)
>  none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
>  sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
>
>  [EMAIL PROTECTED] ~]# ls -al /files
>  total 5196
>  drwxrwxrwx  3 root root    4096 Nov  1 10:17 .
>  drwxr-xr-x 26 root root    4096 Nov  1 05:25 ..
>  -rwxrw-rw-  1 root root     413 Feb 24  2006 AS400.WS
>  -rwxrw-rw-  1 root root     398 Jul 27 14:13 dnsb.txt
>  -rwxrw-rw-  1 root root 3100432 May 22  2006 Dsclient.exe
>  drwxrwxrwx  2 root root    4096 Apr  7  2005 Fonts
>  -rwxrw-rw-  1 root root    1411 Aug 15 08:09 hans.txt
>  -rwxrw-rw-  1 root root   61440 Sep 14 08:57 IDTag.exe
>  -rwxrw-rw-  1 root root  262727 Apr 21  2003 keyfinder.exe
>  -rwxrw-rw-  1 root root   25088 Mar 22  2007 Label6x4 layout with text.doc
>  -rwxrw-rw-  1 root root   60416 Jun  6 09:41 Label proposal II.xls
>  -rwxrw-rw-  1 root root   90112 May  9  2006 OfficeTime.exe
>  -rwxrw-rw-  1 root root     317 Jul  3 07:51 OutputsLisec.txt
>  -rwxrw-rw-  1 root root  173231 May  4  1999 REPLICA.HLP
>  -rwxrw-rw-  1 root root    1101 Apr 25  2005 Salesreport.dtf
>  -rw-rw-rw-  1 root root     481 Nov  1 08:42 smb.conf
>  -rwxrw-rw-  1 root root   69632 Mar  4  2004 system.mdw
>  -rwxrw-rw-  1 root root  491008 May 10 13:20 TSClient.doc
>  -rwxrw-rw-  1 root root  782848 Jun 30  2006 WIP LOCATIONS.xls
>  -rwxrw-rw-  1 root root    5632 Aug  4  2004 wmi.dll
>  -rwxrw-rw-  1 root root   16930 May 31  1994 XCOPY.EXE
>
>
>
>

It is possible the problem is that the owner and group of the share
are both root. I never do that for any of my working samba shares. The
owner can be a user or possibly root but the group is always a group
that the users I want to change acls. I see from the docs that dos
filemode is supposed to fix that so maybe this is not the case.

Can you set a log level of 10 and see if there are any errors caused
when you try to change the acls?

John


Re: [Samba] BUILTIN groups mapping via winbind!!

2007-11-01 Thread herman

Kaustubh Chaudhari wrote:

> Hi Herman.
>
> This is really helpful information, but I am not able to understand
> why in built group we can't see a mapping for a normal user, as if we
> look Builtin is also an OU and we have some Builtin users and groups in
> it.
>
> If I create an OU and groups or users in it then I can see all those
> but just not with Builtin.
>
> Feel free to correct me, if you find I am wrong.
>
> Thanks for your interest in this.
> Regards,
> Kaustubh.

Well, I have found that Winbind can get confused when you do things in 
ADS that you should not do - for example cross linked users and groups 
after you dragged records around.  WinXP clients may still work, but the 
only way to fix Winbind is to delete the offending records in ADS.  The 
problem is that how you are supposed to find the offending records is 
impossible to say.  Sometimes you can fix it by trying to remember when 
it last worked and deleting everything that was changed since.  
Sometimes, the only way to fix things is to give up and re-install ADS.


Sooo, try to roll back till you get to a working situation, then make 
your changes very carefully and with frequent backups.  I run ADS on 
VMware and take a snapshot before every change I make to it, so I can 
roll back without too much hassle as soon as things stop working.  
Unfortunately, Winbind is still immature and not as robust as one may 
like it to be.


Cheers,

Herman


[Samba] Authenticates on lan but not through VPN

2007-11-01 Thread John Adams
Hi

We have a samba server which has been working fine for four years, SAMBA is 
configured as an Active directory domain member (SECURITY=ADS in the conf 
file), using Kerberos tickets to allow it to authenticate users. 

SAMBA is not however performing in pure native ADS mode as it is using WINBIND 
TRUSTED DOMAINS ONLY=YES
Local and VPN connected users have worked fine.

About a week ago we added a Windows 2003r2 server as a domain controller; this 
involved upgrading the schema on the w2000 server to let it work with the 
2003 server.

Things seemed to be working OK until four days later when we restarted the 
samba server (after making all the servers use the same time server). 

We were getting error rec_free read bad magic messages in /var/log/messages 
saying the tdb files are corrupt, though this has now stopped.

It now no longer authenticates users who access the samba server through the 
VPN, though local users are fine. VPN users are asked to type in a username and 
password, repeatedly even if they enter the correct ones.

No firewall, samba.conf or VPN settings have been changed.

Any ideas what we can do to allow the external VPN users to connect again?

John


Re: [Samba] several users with several printers

2007-11-01 Thread Guido Lorenzutti
Ok but I have 2000 users and 600 printers. Do you have something working
to map the printers to the users, or group of users, in the build time
of the netlogon?
How do you setup permissions in the samba to allow or deny access to the
printers? Do you set individual printers like shares in the samba?

Tnxs in advance.


Roel van Meer wrote:
> Guido Lorenzutti writes:
>
>> Hi people. I have a Samba PDC with Microsoft Clients. My printserver is
>> a CUPS and I would like to know how do you handle if you have more than
>> 2000 users and you have to set up the printers for each one.
>> Do you use a netlogon script to map the printers?
>> Do you set individual permissions for each printer in the samba?
>> Do you setup every printer by hand?
>
> We use automatically generated login scripts from which the printers
> are added. For this, we use the following command:
> RUNDLL32 PRINTUI.DLL,PrintUIEntry /in /q /n\\SERVERNAME\PRINTERNAME
>
> The precise grokking of this has been excellently described in my
> dead-tree version of the official samba-3 howto and reference guide.
>
> Regards,
>
> roel
>



Re: [Samba] Compile samba to ARM cross compiler

2007-11-01 Thread Bjørn Tore Sund



On 31/10/07 05:26, "herman" <[EMAIL PROTECTED]> wrote:

> hce wrote:
>> Hi,
>> 
>> Can the samba be compiled by ARM cross compiler (arm/3.4.1/arm-linux)?
>> I have currently downloaded the samba-3.0.26a tar ball. I guess I have the
>> following two choices, please advise which one makes sense.
>> 
>> 1. Run configure under a linux pc distribution such as FC6, then
>> modify Makefile to the cross compiler path and lib.
>> 
>> 2. Modify configure to directly run under ARM cross compiler.
>> 
>> Thank you.
>> 
>> Jim
>>   
> 1 and 2 amount to the same thing.  I have compiled Samba for the Arm
> about 5 years ago, so it can probably still be done.  Please don't ask
> me anything about it though...
> :)

It was also how the Linux-based ARM PDA Sharp Zaurus exported local data to
the PC it was syncing with.  Latest version of the OS for that must be about
four years now, so the unit is just old enough that I _think_ it must have
run Samba 2.X.  If Samba 3.X fails you may want to try that, at least it's
known to have been run on ARM.

Bjørn
-- 
Bjørn Tore Sund   Phone: 555-84894   Email:   [EMAIL PROTECTED]
IT department VIP:   81724   Support: http://bs.uib.no
Univ. of Bergen

When in fear and when in doubt, run in circles, scream and shout.




Re: [Samba] Hosts Disappearing

2007-11-01 Thread Gaiseric Vandal
I find having all clients point to a  WINS server (whether Samba is
the WINS client or WINS server) avoids most browsing issues.

On 10/25/07, Shawn Everett <[EMAIL PROTECTED]> wrote:
> > I have a problem with my long-running Samba workgroup where hosts will
> > stop
> > coming up in "View Network Computers".   Only the UNIX system with Samba
> > running shows up.  If I restart Samba on the UNIX system then the hosts
> > start showing up again in a few minutes.
> >
> > Any thoughts out there?
> >
> > Thanks, Rick
> >
> Past experience with this is that it's a browser service issue.
>
> Programs like browmon and browstat can be downloaded to figure out which
> machine thinks it's the master browser on the network.
>
> An easy fix is to disable/stop the computer browser service on all
> machines except the server.
>
> Shawn
>


[Samba] PDC promotion and getlocalsid errror

2007-11-01 Thread Gaiseric Vandal
I relatively recently implemented Samba 3.026a (Solaris PDC). I then
moved the PDC role to another machine.  On the new PDC I 1st grabbed
the domain SID

newpdc# net rpc getsid -S oldpdc
Storing SID --for Domain MYDOMAIN in secrets.tdb
newpdc#

and then updated the smb.conf file on each machine to convert the PDC
to member server and vice versa.

If I ran the "net getlocalsid" command on the old PDC prior to the
migration, it would return the SID for the domain.

oldpdc #  net getlocalsid MYDOMAIN

SID for domain MYDOMAIN is:  S-1--99

oldpdc#



If I run "net getlocalsid" on the new PDC I get

newpdc#  net getlocalsid

[2007/11/01 14:52:55, 0] utils/net.c:net_getlocalsid(622)

  Can't fetch domain SID for name: NEWPDC

newpdc #


However, explicitly specifying the domain name seems OK

newpdc#  net getlocalsid MYDOMAIN

SID for domain MYDOMAIN is:  S-1--99


As far as I can tell everything is working OK.   But did I miss a step
in the change over?

Thanks


Re: [Samba] Samba+LDAP problems

2007-11-01 Thread Marcelo Mogrovejo

Edmundo Valle Neto wrote:

> Marcelo Mogrovejo wrote:
>
>> Hi
>>
>> (...)
>>
>> I read these documents and I began again with samba+ldap...
>> This time I have no problems, except when I try to create a user
>> for testing.
>> I created a testuser and added a password for him, but when I try to
>> log in with this user, he doesn't log in...
>> For example, with the command "su testuser" as root it shows me "Id
>> desconocido: testuser" or "Unknown Id: testuser".
>>
>> I don't know why this happens...
>>
>> (...)
>
> Have you configured NSS? "gentent passwd" shows the user?

Is NSS the same as /etc/nsswitch.conf ??
No, getent passwd doesn't show me the users I created...

regards


[Samba] Member server - group and user mapping with winbind

2007-11-01 Thread Gaiseric Vandal
Hi all

I am still unsure of the correct way to configure member servers.

I  have one PDC (Samba 3.026a on Solaris 9) and several member servers
(including Samba 3.026a on Solaris 9 and 10, and Samba 3.024 on Fedora
core 6.)  Each machine uses NIS for unix accounts.


The "Samba by Example" Book indicates that even if I am using NIS for
user accounts, and not using LDAP for an idmap backend, I still need to
use winbindd to map SID's.   It isn't clear to me if I do need to
update nsswitch.conf to use winbindd.   I don't think I want to update
nsswitch.conf to use winbindd-  after all I still want my unix level
logins (e.g. ssh ) to be done against NIS and not "windows" accounts.

If I start smbd and nmbd on a member server, I can connect to a share
from a windows 2000 or XP client.  If I look at the permissions on a
folder, it shows "Unix Account/someuser" or "UnixGroup/somegroup"
instead of "Domain/someuser" or "domain/someaccount."  If I want to
add users, I can browse users or groups from the domain but the
permissions don't hold.  If, after I have already connected to a
share, and then start winbindd, the file permissions will show the
domain component, and I can set permissions.
However, if I start winbindd before I connect to the share, I just get
prompted for a user name and password-  and I am unable to connect.
It doesn't matter how I have configured nsswitch.conf so it seems
that smbd will attempt to use winbindd directly, if available, and not
via the "name service switch" mechanism.


Member server smb.conf includes the following:


 idmap uid = 1-2
 idmap gid = 1-2
 template shell = /bin/bash
 winbind use default domain = yes
 winbind trusted domains only = no
 winbind enum users = Yes
 winbind enum groups = Yes
 Workgroup = MYDOMAIN
 security = domain
 Password server = MYPDC



Running "wbinfo -u" and "wbinfo -g"  on a member server (with winbindd
running) will list my domain users and groups.

I would appreciate it if anyone can share some light on either what the problem is
or at least can clarify how winbindd should be working.

Thanks


Re: [Samba] ACL changes on Samba NT 4.0 Member Server

2007-11-01 Thread Hans-Wilhelm Heisinger

John,

   Thank you for the reply. Below is the output from mount and ls -al.  
Yes I can login as CPDOM+admin and create files, but connecting to the 
share as CPDOM+admin doesn't work.


Hans

[EMAIL PROTECTED] ~]# mount
/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/hda1 on /boot type ext3 (rw,acl)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)

[EMAIL PROTECTED] ~]# ls -al /files
total 5196
drwxrwxrwx  3 root root    4096 Nov  1 10:17 .
drwxr-xr-x 26 root root    4096 Nov  1 05:25 ..
-rwxrw-rw-  1 root root     413 Feb 24  2006 AS400.WS
-rwxrw-rw-  1 root root     398 Jul 27 14:13 dnsb.txt
-rwxrw-rw-  1 root root 3100432 May 22  2006 Dsclient.exe
drwxrwxrwx  2 root root    4096 Apr  7  2005 Fonts
-rwxrw-rw-  1 root root    1411 Aug 15 08:09 hans.txt
-rwxrw-rw-  1 root root   61440 Sep 14 08:57 IDTag.exe
-rwxrw-rw-  1 root root  262727 Apr 21  2003 keyfinder.exe
-rwxrw-rw-  1 root root   25088 Mar 22  2007 Label6x4 layout with text.doc
-rwxrw-rw-  1 root root   60416 Jun  6 09:41 Label proposal II.xls
-rwxrw-rw-  1 root root   90112 May  9  2006 OfficeTime.exe
-rwxrw-rw-  1 root root     317 Jul  3 07:51 OutputsLisec.txt
-rwxrw-rw-  1 root root  173231 May  4  1999 REPLICA.HLP
-rwxrw-rw-  1 root root    1101 Apr 25  2005 Salesreport.dtf
-rw-rw-rw-  1 root root     481 Nov  1 08:42 smb.conf
-rwxrw-rw-  1 root root   69632 Mar  4  2004 system.mdw
-rwxrw-rw-  1 root root  491008 May 10 13:20 TSClient.doc
-rwxrw-rw-  1 root root  782848 Jun 30  2006 WIP LOCATIONS.xls
-rwxrw-rw-  1 root root    5632 Aug  4  2004 wmi.dll
-rwxrw-rw-  1 root root   16930 May 31  1994 XCOPY.EXE



John Drescher wrote:

> On 11/1/07, Hans-Wilhelm Heisinger <[EMAIL PROTECTED]> wrote:
>
>> I have a Samba 3.0.24-7 on Fedora 6 as a member of a Windows NT 4.0
>> domain, with a simple share setup with ACLs.  The permissions on the
>> share from Windows XP Pro Security tab shows Everyone, and root (Unix
>> Group\root) without any Permissions.  When trying to add permissions
>> from XP while logged on as CPDOM+admin the error is displayed "Unable to
>> save permission changes on "share name" on "server name" Access is
>> denied.  Files can be copied to the share but can't be opened.  Below is
>> the smb.conf.  I believe ACLs would work if I add access.  I tried
>> setting the ACLs using setfacl and then the permissions show full
>> control from XP, but I'm still unable to change permissions or open files.
>>
>> [global]
>>
>> winbind separator = +
>> idmap uid = 1-2
>> idmap gid = 1-2
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind use default domain = no
>>
>> security = domain
>> workgroup = CPDOM
>> netbios name = FILE_SRV
>> password server = XSERVER
>> server string =
>>
>>
>> [data]
>> comment = FILES
>> path = /files
>> guest ok = yes
>> create mask = 0777
>> writeable = yes
>> nt acl support = yes
>> oplocks = no
>> browseable = yes
>> dos filemode = yes
>> admin users =
>
> Your smb.conf file looks fine. Can  CPDOM+admin log into the unix
> system and create files? You are mounting your unix filesystem with
> acls enabled? Also can you post an ls -al on /files



Re: [Samba] Promoting Samba BDC to PDC

2007-11-01 Thread simo

On Thu, 2007-11-01 at 10:04 -0700, Ivan Ordonez wrote:
> What we want to do in the coming days is to turn off and upgrade the
> PDC and promote one of the BDC to PDC and don't miss a beat.   I first
> stop slapd, slurpd and samba service on the PDC.  I then edit the
> smb.conf file of one of the BDC and make it a PDC.  I also added a new
> line which is security = user.

What does it mean you change security ??

What was it before?

Are you sure your Domain SIDs are aligned on all DCs ?

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <[EMAIL PROTECTED]>
Senior Software Engineer at Red Hat Inc. <[EMAIL PROTECTED]>



[Samba] ADS WINBIND WIN2K3 usernames with dots

2007-11-01 Thread Michael Melia Jr.
I am new to this list and fairly new to samba.

I am running samba 3.0.24 on debian etch with winbind and krb5 in ads
security mode.  Everything appears to be working perfectly.  I can see
users and groups with wbinfo and getent.  I can even access shares I
setup using the domain admin account from the w2k3 ad infrastructure.
The problem is all our usernames in ad have dots (except the admin).  So
the usernames are [EMAIL PROTECTED]

When I try and "set valid users = WORKGROUP\firstname.lastname" in
smb.conf, I am unable to connect to the share from another machine.  If
I use a username without dots (and I created a few test ones to try) and
set "valid users = WORKGROUP\username" in smb.conf then I can get into
the share no problem.

How can I get my usernames with dots to work correctly with samba?

Thanks.


[Samba] Promoting Samba BDC to PDC

2007-11-01 Thread Ivan Ordonez

Hi,

Our domain is setup with one Primary Domain Controller and two Backup 
Domain Controllers, and a member server.  All domain controllers (PDC 
and BDCs) are running Gentoo Linux with Samba and LDAP.  The member 
server (fileserver) is a SUNS machine running Solaris.  We do everything 
(add, edit, modify groups and accounts) on the PDC and it will then sync 
all the changes to the BDC by way of SLURPD, then from the BDC to 
another BDC.  To access the shared file on the member server (Solaris), 
the user will authenticate using the PDC which is the password server on 
smb.conf file of the member server.


What we want to do in the coming days is to turn off and upgrade the PDC 
and promote one of the BDC to PDC and don't miss a beat.   I first stop 
slapd, slurpd and samba service on the PDC.  I then edit the smb.conf 
file of one of the BDC and make it a PDC.  I also added a new line which 
is security = user.
I run a testparm command after making changes to BDC's smb.conf file and 
it showed that it is now the Primary Domain Controller.  I edit the 
member server's smb.conf file and change the password server line to 
match the new PDC.


password server = IP of the new PDC

I log in to one of the test machines to see if I can log in and it worked, 
but when I tried to map to one of our shared drives, it asks for username 
and password.  Somehow the member server doesn't know that the password 
server has now been changed.  There are not many errors in the logs that 
are helpful. 


I made sure that I restarted the samba service every time I made changes.

Please help.

Thanks.




Re: [Samba] ACL changes on Samba NT 4.0 Member Server

2007-11-01 Thread John Drescher
On 11/1/07, Hans-Wilhelm Heisinger <[EMAIL PROTECTED]> wrote:
> I have a Samba 3.0.24-7 on Fedora 6 as a member of a Windows NT 4.0
> domain, with a simple share setup with ACLs.  The permissions on the
> share from Windows XP Pro Security tab shows Everyone, and root (Unix
> Group\root) without any Permissions.  When trying to add permissions
> from XP while logged on as CPDOM+admin the error is displayed "Unable to
> save permission changes on "share name" on "server name" Access is
> denied.  Files can be copied to the share but can't be opened.  Below is
> the smb.conf.  I believe ACLs would work if I add access.  I tried
> setting the ACLs using setfacl and then the permissions show full
> control from XP, but I'm still unable to change permissions or open files.
>
> [global]
>
> winbind separator = +
> idmap uid = 1-2
> idmap gid = 1-2
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = no
>
> security = domain
> workgroup = CPDOM
> netbios name = FILE_SRV
> password server = XSERVER
> server string =
>
>
> [data]
> comment = FILES
> path = /files
> guest ok = yes
> create mask = 0777
> writeable = yes
> nt acl support = yes
> oplocks = no
> browseable = yes
> dos filemode = yes
> admin users =
>

Your smb.conf file looks fine. Can  CPDOM+admin log into the unix
system and create files? You are mounting your unix filesystem with
acls enabled? Also can you post an ls -al on /files


[Samba] ACL changes on Samba NT 4.0 Member Server

2007-11-01 Thread Hans-Wilhelm Heisinger
I have a Samba 3.0.24-7 on Fedora 6 as a member of a Windows NT 4.0 
domain, with a simple share setup with ACLs.  The permissions on the 
share from Windows XP Pro Security tab shows Everyone, and root (Unix 
Group\root) without any Permissions.  When trying to add permissions 
from XP while logged on as CPDOM+admin the error is displayed "Unable to 
save permission changes on "share name" on "server name" Access is 
denied.  Files can be copied to the share but can't be opened.  Below is 
the smb.conf.  I believe ACLs would work if I add access.  I tried 
setting the ACLs using setfacl and then the permissions show full 
control from XP, but I'm still unable to change permissions or open files.


[global]

   winbind separator = +
   idmap uid = 1-2
   idmap gid = 1-2
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = no

   security = domain
   workgroup = CPDOM
   netbios name = FILE_SRV
   password server = XSERVER
   server string =


[data]
   comment = FILES
   path = /files
   guest ok = yes
   create mask = 0777
   writeable = yes
   nt acl support = yes
   oplocks = no
   browseable = yes
   dos filemode = yes
   admin users = CPDOM+admin


Hans


[Samba] File permissions issue: different behavior between samba and unix

2007-11-01 Thread Eric Diven
I'm seeing behavior that I was hoping somebody could explain.  I have a
share set up that will be a repository for company-wide data.  There are
three classes of people who can access it, readers, read/writers, and
admins.  Readers and read/writers are self explanatory, admins have
read/write access, and can change the permissions/ownership of files.

Read and write access is controlled by ACLs on the filesystem (see
below), admin access is controlled by smb.conf.  Read and admin access
works as expected.  Reader/Writer access is behaving unexpectedly.  A
writer can create a file in the share, the ownerships, permissions, and
ACLs are inherited as I expect them to be.  Now it gets strange.  

Once I've created a file, I can't rename it and get the error permission
denied.  I can write to the file itself, but not change its name or
delete it.  Yes I'm aware that rename/delete permission is a function of
the parent directory perms, not the file perms.  As I understand, file
creation requires exactly the same permissions (rwx) as rename and
delete.  Hence the unexpectedness of this.

Now it gets *REALLY* strange:

I can create, rename, and remove directories without difficulty.  I
don't get errors either renaming or deleting them.

One last bit of strangeness:

If I change the group ownership of the directory to the writer's group,
the unexpected behavior goes away.  This seems to suggest to me that
something strange is happening with the ACLs in samba in the case of
file rename or delete.

Samba version is 3.0.24, the issue is reproducible on Solaris and
CentOS.  I hesitate to call this a bug, because there could be a reason
for this, but this behavior is not consistent with how this works under
unix at the shell.  I duplicated the reader/writer permissions and acls
with a non-domain user and group, and observed the behavior I expected,
namely that I could rename and remove the file I had created.

If you want logs or further information, I can send them to you.

Thanks,

~Eric

Here are the perms and acls I've set up on the directory.  Note that the
setgid bit is set so that files created in the directory inherit root
group ownership:

bash-3.00# ls -ld afiles
drwxrws---+  2 root root 512 Nov  1 10:21 afiles

bash-3.00# getfacl afiles
# file: afiles
# owner: root
# group: root
user::rwx
user:afile:rwx  #effective:rwx
group::rwx  #effective:rwx
group:afile:rwx #effective:rwx
group:W2K3TEST+areaders:r-x #effective:r-x
group:W2K3TEST+awriters:rwx #effective:rwx
group:W2K3TEST+admins:rwx   #effective:rwx
mask:rwx
other:---
default:user::rwx
default:group::rwx
default:group:W2K3TEST+areaders:r-x
default:group:W2K3TEST+awriters:rwx
default:group:W2K3TEST+admins:rwx
default:mask:rwx
default:other:---
bash-3.00#

Here is the share definition as spat back out from testparm

[afiles]
path = /honda/afiles
admin users = W2K3TEST+bobadmin, @W2K3TEST+admins
read only = No
inherit permissions = Yes
inherit acls = Yes
inherit owner = Yes
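
The directory ACL from the post above, run through the POSIX.1e access-check order (owner, named user, group class under the mask, other). This is an added example, not code from the thread or from Samba; it models only the filesystem-side check seen at the shell, and the principals alice, bob and carol with their group memberships are constructed.

```python
"""POSIX.1e ACL access check applied to getfacl output (added example)."""

# getfacl output for the afiles directory, copied from the post above.
GETFACL_AFILES = """\
# file: afiles
# owner: root
# group: root
user::rwx
user:afile:rwx  #effective:rwx
group::rwx  #effective:rwx
group:afile:rwx #effective:rwx
group:W2K3TEST+areaders:r-x #effective:r-x
group:W2K3TEST+awriters:rwx #effective:rwx
group:W2K3TEST+admins:rwx   #effective:rwx
mask:rwx
other:---
default:user::rwx
default:group::rwx
default:group:W2K3TEST+areaders:r-x
default:group:W2K3TEST+awriters:rwx
default:group:W2K3TEST+admins:rwx
default:mask:rwx
default:other:---
"""


def parse_getfacl(text):
    """Parse access entries; accepts Solaris (mask:rwx) and Linux (mask::rwx)."""
    acl = {"owner": None, "group": None, "user_obj": set(), "users": {},
           "group_obj": set(), "groups": {}, "mask": None, "other": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
            continue
        if line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
            continue
        line = line.split("#", 1)[0].strip()   # drop "#effective:" comments
        if not line or line.startswith("default:"):
            continue                           # defaults only seed new entries
        parts = line.split(":")
        tag, qualifier = parts[0], (parts[1] if len(parts) == 3 else "")
        perms = set(parts[-1]) - {"-"}
        if tag == "user" and qualifier:
            acl["users"][qualifier] = perms
        elif tag == "user":
            acl["user_obj"] = perms
        elif tag == "group" and qualifier:
            acl["groups"][qualifier] = perms
        elif tag == "group":
            acl["group_obj"] = perms
        elif tag == "mask":
            acl["mask"] = perms
        elif tag == "other":
            acl["other"] = perms
    return acl


def access_ok(acl, user, groups, want):
    """POSIX.1e check order. Privileged (root) bypass is not modelled."""
    want = set(want)
    mask = acl["mask"] if acl["mask"] is not None else set("rwx")
    if user == acl["owner"]:
        return want <= acl["user_obj"]          # owner entry ignores the mask
    if user in acl["users"]:
        return want <= (acl["users"][user] & mask)
    candidates = []
    if acl["group"] in groups:
        candidates.append(acl["group_obj"])
    candidates += [p for g, p in acl["groups"].items() if g in groups]
    if candidates:
        # One matching group entry must grant everything requested by itself.
        return any(want <= (p & mask) for p in candidates)
    return want <= acl["other"]


def can_modify_entries(acl, user, groups):
    """Create, rename and unlink need write + search on the directory.
    afiles has no sticky bit, so ownership of the entry does not matter."""
    return access_ok(acl, user, groups, "wx")


if __name__ == "__main__":
    acl = parse_getfacl(GETFACL_AFILES)
    # Constructed principals: a writer, a reader, and an unrelated account.
    for user, groups in [("alice", {"W2K3TEST+awriters"}),
                         ("bob", {"W2K3TEST+areaders"}),
                         ("carol", {"users"})]:
        print(user, "rename/delete allowed:", can_modify_entries(acl, user, groups))
```
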



Re: [Samba] Accumulating smbd processes and sockets in CLOSE_WAIT state

2007-11-01 Thread Christoph Kaegi
Hello list

The below mentioned problem just occurred again.

We had about 673 smbd Processes running and 1746 
Locks (as reported by smbstatus) when it happened.

Again, the only unusual thing smbd.log said was:
 8< 
[2007/11/01 15:44:14, 0] lib/util_tdb.c:tdb_chainlock_with_timeout_internal(84)
  tdb_chainlock_with_timeout_internal: alarm (10) timed out for key replay 
cache mutex in tdb /etc/samba/private/secrets.tdb
 8< 

Restarting samba helped for the moment but when will
the problem occur again?

What could trigger such a problem? And what can I do to 
better diagnose it?

Thanks
Chris

On 25.10-21:48, Christoph Kaegi wrote:
> 
> Our central fileserver is a Samba 3.0.25b on Solaris 9 and has 
> 10'000 users (several hundreds at the same time).
> 
> This week it died on us and when I inspected the machine, it
> was out of 8GB Memory and 16GB Swap because thousands of 
> smbd processes were running.
> netstat -na showed that many hundreds of connections to 
> port 445 were in CLOSE_WAIT state.
> 
> We first thought it could be some sort of DoS Attack, but now I 
> also discovered a lot of the following entries in smbd.log at 
> the times the server became unresponsive:
> 
>  8< 
> [2007/10/25 15:40:30, 0] 
> lib/util_tdb.c:tdb_chainlock_with_timeout_internal(84)
>   tdb_chainlock_with_timeout_internal: alarm (10) timed out for key replay 
> cache mutex in tdb /etc/samba/private/secrets.tdb
>  8< 
> 
> The same thing happened three times now, all of them at a time
> when presumably a peak of users (around 600-900) tried to use
> the server. Every time the number of network connections in
> CLOSE_WAIT state and the number of smbd processes was massively 
> increasing.
> 
> Others seem to have similar problems (like 
> http://marc.info/?l=samba&m=119263114612187&w=2).
> 
> The fileserver has been performing OK now for several months 
> with this Samba Release.
> 
> I'd be grateful if anybody could give me some insight
> about how we can solve this.
> Losing fileservice for all of staff and students 
> several times a week builds some considerable pressure
> on me...
> 

-- 
--
Christoph Kaegi   [EMAIL PROTECTED]
--
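
A way to check for the two symptoms reported in this thread together, secrets.tdb lock timeouts in smbd.log and port 445 sockets in CLOSE_WAIT from `netstat -na`; this is an added example, not code from the thread or from Samba. The sample log and netstat text, the addresses in them and both thresholds are constructed; only the timeout entry itself is taken from the message above.

```python
"""Count tdb lock timeouts per minute and CLOSE_WAIT sockets on port 445."""
import re
from collections import Counter

# Constructed sample: the timeout entry quoted in the message, repeated with
# made-up timestamps (one copy wrapped as in the mail), plus a filler entry.
SMBD_LOG = """\
[2007/11/01 15:44:14, 0] lib/util_tdb.c:tdb_chainlock_with_timeout_internal(84)
  tdb_chainlock_with_timeout_internal: alarm (10) timed out for key replay
cache mutex in tdb /etc/samba/private/secrets.tdb
[2007/11/01 15:44:21, 0] lib/util_tdb.c:tdb_chainlock_with_timeout_internal(84)
  tdb_chainlock_with_timeout_internal: alarm (10) timed out for key replay cache mutex in tdb /etc/samba/private/secrets.tdb
[2007/11/01 15:44:30, 1] example.c:example_function(1)
  constructed filler entry
[2007/11/01 15:44:48, 0] lib/util_tdb.c:tdb_chainlock_with_timeout_internal(84)
  tdb_chainlock_with_timeout_internal: alarm (10) timed out for key replay cache mutex in tdb /etc/samba/private/secrets.tdb
[2007/11/01 15:47:02, 0] lib/util_tdb.c:tdb_chainlock_with_timeout_internal(84)
  tdb_chainlock_with_timeout_internal: alarm (10) timed out for key replay cache mutex in tdb /etc/samba/private/secrets.tdb
"""

# Constructed netstat -na lines in Solaris (addr.port) and Linux (addr:port) form.
NETSTAT = """\
10.0.0.5.445   10.0.0.81.1217  64240 0 49640 0 CLOSE_WAIT
10.0.0.5.445   10.0.0.82.1090  64240 0 49640 0 CLOSE_WAIT
10.0.0.5.445   10.0.0.83.3312  64240 0 49640 0 CLOSE_WAIT
10.0.0.5.445   10.0.0.84.2044  64240 0 49640 0 ESTABLISHED
10.0.0.5.22    10.0.0.9.40112  49640 0 49640 0 CLOSE_WAIT
tcp  0  0 10.0.0.5:445    10.0.0.85:49211  CLOSE_WAIT
tcp  0  0 10.0.0.5:51000  10.0.0.9:445     CLOSE_WAIT
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}):\d{2}, *\d+\] (\S+)")
TIMEOUT = re.compile(r"alarm \((\d+)\) timed out for key (.+?) in tdb (\S+)")
ADDR = re.compile(r"^\S*[.:](\d+)$")   # token ending in .port or :port


def tdb_timeouts_per_minute(log_text):
    """Return Counter keyed by (minute, tdb path) of lock-timeout entries."""
    counts = Counter()
    minute, body = None, []

    def flush():
        # An entry is its header line plus every line up to the next header,
        # so a message wrapped across lines is rejoined before matching.
        if minute is not None:
            m = TIMEOUT.search(" ".join(body))
            if m:
                counts[(minute, m.group(3))] += 1

    for line in log_text.splitlines():
        h = HEADER.match(line)
        if h:
            flush()
            minute, body = h.group(1), []
        elif minute is not None:
            body.append(line.strip())
    flush()
    return counts


def close_wait_on_port(netstat_text, port=445):
    """Count CLOSE_WAIT sockets whose local port is `port`."""
    n = 0
    for line in netstat_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[-1] != "CLOSE_WAIT":
            continue
        ports = [m.group(1) for m in map(ADDR.match, tokens) if m]
        if ports and int(ports[0]) == port:   # first address token is local
            n += 1
    return n


def assess(log_text, netstat_text, min_timeouts=3, min_close_wait=4):
    """Flag the combination seen in the thread; thresholds are assumptions."""
    bursts = {k: n for k, n in tdb_timeouts_per_minute(log_text).items()
              if n >= min_timeouts}
    close_wait = close_wait_on_port(netstat_text)
    return {"timeout_bursts": bursts,
            "close_wait_445": close_wait,
            "pattern_present": bool(bursts) and close_wait >= min_close_wait}


if __name__ == "__main__":
    print(assess(SMBD_LOG, NETSTAT))
```
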


Re: [Samba] Samba+LDAP problems

2007-11-01 Thread Edmundo Valle Neto



> Have you configured NSS? "gentent passwd" shows the user?

It's "getent".


Edmundo


Re: [Samba] Serving MS Access Databases, with ACL

2007-11-01 Thread jayendren anand maduray

Hi Dale, thanks for the explanation.

I understand where you are coming from now.

I certainly hope to be of help to you someday.

God bless.

Dale Schroeder wrote:
I have nothing against posix acl's.  In fact, I make sure I install 
the acl package on every Debian system I build.  It's just a 
preference.  I like the way things behave with group permissions.  I 
prefer to administer through permissions.  If I use posix acl's, it is 
usually to remove a permission rather than add.  If it is your 
preference to set controls via acl's, then do what is most comfortable 
for you.


Conversely, I use Windows acl's quite a bit to fine tune access on 
shares _from_ Windows systems.  The flexibility is much greater in 
Windows acl's, and do much more for me than posix acl's.  That being 
said, I still prefer the power of posix systems for servers, and use 
them whenever feasible. More info 
here: http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html#id376593


I am not the world's foremost expert on nix; just someone like you, 
learning new things, using that which I've experienced to try to help 
someone else.  I hope I've done some of that for you! :-\


Dale

jayendren anand maduray wrote:

Hi Dale.

Thank you for this.

I will try some tests.
Can you elaborate on why you do not like ACLs?
Had some bad experiences?

God bless.

Dale Schroeder wrote:

Jayendren,

Rather than acls, my preference (and it's only a preference) would 
be to create a group for the database users.  Add user1 and user2 to 
that group.  Then ==>


chown root.database_group /srv/samba/file-server/studies/databases

For security, let the permissions of this directory be no greater 
than 775.  (It looks like that is what you already have.)  If you go 
with MySQL, you can customize the access levels on a user-by-user 
basis on global settings, database settings, table settings, etc.  
The security options list is quite extensive.  If you prefer GUI 
administration of MySQL (I do), Navicat is the program of choice.  
http://www.navicat.com/

It's not free, but is an affordable extension to a free database server.

The only things I would say need changing in your smb.conf are:
create mode = 0775
# don't forget the trailing slash (/)
veto oplock files = /*.mdb/*.MDB/


Good luck to you, Nick, and Nico.

Dale

jayendren anand maduray wrote:

Hi Dale.

Thanks for this, would you guys be able to send me a complete 
example, that would allow read/write access for two users

(you can call them user1, and user2)

Alternatively, you can comment on this one:
--
Creating the directories, and set permissions:

#mkdir /srv/samba/file-server/studies/databases
#setfacl -R -m u:user1:rwx,u:user2:rwx /srv/samba/file-server/studies/databases

#getfacl /srv/samba/file-server/studies/databases
# file:
# owner: root
# group: root
user::rwx
user:user1:rwx
user:user2:rwx
group::r-x
mask::rwx
other::r-x


The share entry in smb.conf:

[databases]
path = /srv/samba/file-server/studies/databases
create mode = 0777
writeable = yes
browseable = yes
valid users = user1 user2 root
writelist = user1 user2 root
veto oplock files = /*.mdb/*.MDB
nt acl support = yes
nt pipe support = yes
nt status support = yes
inherit permissions = yes
inherit acls = yes

#smbcontrol smbd reload-config
Global parameter acl compatibility found in service section!
--
Nick/Nico, we must look at moving access databases to SQL/MySQL 
backends, soon.

(See message from Dale/David below)

God bless.

Dale Schroeder wrote:

jayendren anand maduray wrote:

Hi All.
Greetings from South Africa.

I have a Samba LDAP server (v 3.022) running on Ubuntu 6.10
It's serving about 200 users, with profiles, and domain logons.

I want to start serving MS Access Databases on it, with the  best 
speed performance as possible.
At the moment, the back ends for these databases, are about 200+ 
MB, and will grow over the next few years.


Basically, the share should serve about 4 users, with read/write 
access.

I am using the XFS file system, with ACL support.

Has anyone setup such shares in smb.conf?
I would really like to see an example.

Lastly, I do not think I want to use oplocks.

That's a wise choice. In the share, use:

veto oplock files = /*.mdb/*.MDB/

David's suggestion about splitting the databases into Access 
frontend and MySQL backend is also wise.  It has been my 
experience that large Access databases corrupt quite easily.  That 
no longer happens in the setup David mentioned.


Dale


Any help, will be greatly appreciated.

God bless.

*Ellison, David* david.ellison at atkinsglobal.com 


/Wed Oct 31 15:03:52 GMT 2007/
Greetings,

This is a little off topic, but may be useful to you. If the DB is
going to grow much more than that, I



Re: [Samba] BUILTIN groups mapping via winbind!!

2007-11-01 Thread Kaustubh Chaudhari

Hi Herman.

This is really helpful information, but I am not able to understand 
why in the Builtin group we can't see a mapping for a normal user, as if we 
look, Builtin is also an OU and we have some Builtin users and groups in it.


If I create an OU and groups or users in it then I can see all those, but 
just not with Builtin.


Feel free to correct me, if you find i am wrong.

Thanks for your interest in this. 


Regards,
Kaustubh.


herman wrote:

Kaustubh Chaudhari wrote:

 Hi all,

   When I create a group in AD and add users to it, then with
   #getent group I can see the group and its members properly.

   But if I add a user to BUILTIN, say the BUILTIN Guests group, then I don't see
   its members.
   ==
kktest:x:10026:kk,Administrator
BUILTIN+Guests:x:10019:
   ==

   Here I have added the kk user to both the kktest and BUILTIN+Guests groups. But I
   can't see kk associated with BUILTIN Guests.

   I know that BUILTIN groups have pre defined sid by microsoft, and its
   mapping is done separately.(I found this in idmap.c)

   Is this a normal behavior?

   Would appreciate if someone can explain the reasons for this.

   Regards,
   Kaustubh.
In general you need to define an Organizational Unit (OU), then define 
your groups and users inside that OU.  It should then show up with 
Samba winbind.


Some don'ts:
Don't rename anything.
Don't drag and drop anything from one OU to another OU.
Don't make a user in one OU a member of a group in another OU.
It is even not a good idea to delete anything.
If you need to fix a typing mistake, define a new record - don't try 
to edit the mistake.

Make frequent backups of ADS.

Some dos:
Apply security policies to OUs, not to users.
Run ADS on VMware, so that you can take snapshots as backups.

The reason for the above cautions is that ADS (mostly) works using the 
GUIDs, while Samba uses the text strings. So you don't want to get in 
a situation where ADS re-uses an old GUID and changes to text strings 
are applied inconsistently, which confuses winbind, so changing any 
text string after it has been defined can also screw things up.


'Hope that helps!

Herman




[Samba] Accessing usershares on Redhat EL 5

2007-11-01 Thread Wehrer, Michael J.
I have enabled user shares and have the following entries in
/etc/samba/smb.conf

usershare allow guests = Yes
usershare max shares = 32
usershare owner only = No
usershare path = /var/lib/samba/usershares
usershare prefix allow list = /usr/alcoa/mesif/mes_data
usershare prefix deny list =
usershare template share = template

I have created two shares using the redhat samba configuration script.
These shares show up in the smb.conf file and on the network with no
problems.

I have created several shares using the net usershare add function. The
files for these shares are located in /var/lib/samba/usershares. I am
providing the contents for one of these files below.

#VERSION 2
path=/usr/alcoa/mesif/mes_data/AN
comment=guest_ok=y
usershare_acl=S-1-1-0:R
guest_ok=y

I am unable to see these shares on the network. I am certain that I must
be missing a step or that I have misconstrued the use of the usershares
facility. Can someone point me in the right direction? I am trying to
use the net usershare facility because the application I am developing
must programmatically create shares based on the contents of a
configuration file and the application does not have root access. If
usershares is not the answer, is there another way to programmatically
create and export a share?

Thanks, in advance for your help.

Mike Wehrer
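
A validator for the usershare file format quoted above, added here as an example and not taken from the post or from Samba: it parses the file and checks it against the usershare settings shown from smb.conf, following the documented meaning of those parameters. The function names, the policy dictionary and the component-wise prefix test are this example's own choices.

```python
import posixpath

# The usershare definition file exactly as quoted in the post above.
POSTED_FILE = """\
#VERSION 2
path=/usr/alcoa/mesif/mes_data/AN
comment=guest_ok=y
usershare_acl=S-1-1-0:R
guest_ok=y
"""

# The usershare settings quoted from the poster's smb.conf (dict keys are
# this example's own names, not Samba identifiers).
POSTED_POLICY = {
    "allow_guests": True,
    "prefix_allow": ["/usr/alcoa/mesif/mes_data"],
    "prefix_deny": [],
}

# "sharename" appears in files written by later Samba versions.
KNOWN_KEYS = {"path", "comment", "usershare_acl", "guest_ok", "sharename"}
ACL_PERMS = {"R", "F", "D"}  # read-only, full control, deny


def parse_usershare(text):
    """Parse a usershare file into a dict; raise ValueError if malformed."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("#VERSION "):
        raise ValueError("first line must be '#VERSION n'")
    share = {"version": int(lines[0].split()[1])}
    for ln in lines[1:]:
        key, sep, value = ln.partition("=")
        if not sep or key not in KNOWN_KEYS:
            raise ValueError(f"unexpected line: {ln!r}")
        share[key] = value
    return share


def _under(path, prefix):
    """Component-wise prefix test, so /data does not match /database."""
    prefix = posixpath.normpath(prefix).rstrip("/")
    return path == (prefix or "/") or path.startswith(prefix + "/")


def audit(share, policy):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    raw = share.get("path", "")
    # normpath collapses ".." so a traversal cannot slip past the prefix lists.
    path = posixpath.normpath(raw) if raw.startswith("/") else ""
    if not path:
        findings.append("path is missing or not absolute")
    elif any(_under(path, p) for p in policy["prefix_deny"]):
        findings.append(f"path {path} is under the prefix deny list")
    elif policy["prefix_allow"] and not any(
            _under(path, p) for p in policy["prefix_allow"]):
        findings.append(f"path {path} is outside the prefix allow list")

    if share.get("guest_ok") == "y" and not policy["allow_guests"]:
        findings.append("guest_ok=y but guest usershares are not allowed")

    for entry in filter(None, share.get("usershare_acl", "").split(",")):
        who, _, perm = entry.rpartition(":")
        if not who.startswith("S-1-") or perm not in ACL_PERMS:
            findings.append(f"malformed ACL entry {entry!r}")
        elif who == "S-1-1-0" and perm == "F":
            findings.append("Everyone (S-1-1-0) has full control")

    # Heuristic: a comment that is itself key=value suggests an option was
    # passed in the comment position when the share was created.
    ckey = share.get("comment", "").partition("=")[0]
    if ckey in KNOWN_KEYS:
        findings.append(f"comment holds {share['comment']!r}; "
                        "probably a misplaced option")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_usershare(POSTED_FILE), POSTED_POLICY):
        print(finding)
```
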


Re: [Samba] Serving MS Access Databases, with ACL

2007-11-01 Thread jayendren anand maduray

Hi Dale.

Thank you for this.

I will try some tests.
Can you elaborate on why you do not like ACLs?
Had some bad experiences?

God bless.

Dale Schroeder wrote:

Jayendren,

Rather than acls, my preference (and it's only a preference) would be 
to create a group for the database users.  Add user1 and user2 to that 
group.  Then ==>


chown root.database_group /srv/samba/file-server/studies/databases

For security, let the permissions of this directory be no greater than 
775.  (It looks like that is what you already have.)  If you go with 
MySQL, you can customize the access levels on a user-by-user basis on 
global settings, database settings, table settings, etc.  The security 
options list is quite extensive.  If you prefer GUI administration of 
MySQL (I do), Navicat is the program of choice.  http://www.navicat.com/

It's not free, but is an affordable extension to a free database server.

The only things I would say need changing in your smb.conf are:
create mode = 0775
# don't forget the trailing slash (/)
veto oplock files = /*.mdb/*.MDB/

Good luck to you, Nick, and Nico.

Dale

jayendren anand maduray wrote:

Hi Dale.

Thanks for this, would you guys be able to send me a complete 
example, that would allow read/write access for two users

(you can call them user1, and user2)

Alternatively, you can comment on this one:
--
Creating the directories, and set permissions:

#mkdir /srv/samba/file-server/studies/databases
#setfacl -R -m u:user1:rwx,u:user2:rwx /srv/samba/file-server/studies/databases

#getfacl /srv/samba/file-server/studies/databases
# file:
# owner: root
# group: root
user::rwx
user:user1:rwx
user:user2:rwx
group::r-x
mask::rwx
other::r-x


The share entry in smb.conf:

[databases]
path = /srv/samba/file-server/studies/databases
create mode = 0777
writeable = yes
browseable = yes
valid users = user1 user2 root
writelist = user1 user2 root
veto oplock files = /*.mdb/*.MDB
nt acl support = yes
nt pipe support = yes
nt status support = yes
inherit permissions = yes
inherit acls = yes

#smbcontrol smbd reload-config
Global parameter acl compatibility found in service section!
--
Nick/Nico, we must look at moving access databases to SQL/MySQL 
backends, soon.

(See message from Dale/David below)

God bless.

Dale Schroeder wrote:

jayendren anand maduray wrote:

Hi All.
Greetings from South Africa.

I have a Samba LDAP server (v 3.022) running on Ubuntu 6.10
It's serving about 200 users, with profiles, and domain logons.

I want to start serving MS Access Databases on it, with the  best 
speed performance as possible.
At the moment, the back ends for these databases, are about 200+ 
MB, and will grow over the next few years.


Basically, the share should serve about 4 users, with read/write 
access.

I am using the XFS file system, with ACL support.

Has anyone setup such shares in smb.conf?
I would really like to see an example.

Lastly, I do not think I want to use oplocks.

That's a wise choice. In the share, use:

veto oplock files = /*.mdb/*.MDB/

David's suggestion about splitting the databases into Access 
frontend and MySQL backend is also wise.  It has been my experience 
that large Access databases corrupt quite easily.  That no longer 
happens in the setup David mentioned.


Dale


Any help, will be greatly appreciated.

God bless.

*Ellison, David* david.ellison at atkinsglobal.com 


/Wed Oct 31 15:03:52 GMT 2007/
Greetings,

This is a little off topic, but may be useful to you. If the DB is
going to grow much more than that, I would use a real SQL backend to the
database. The MS Access DB backend is ok, however it starts to suffer when
they become huge, and by the sounds of things they may. I am sure there are
people with 700mb, 900mb etc Access databases, but it's best to split the
front end from the database and use a SQL database like MySQL for the
backend.

Just food for thought :)

Cheers.
Dave

--
Jayendren Anand Maduray
Microsoft Certified Professional
Network Plus
Senior IT Administrator

Perinatal HIV Research Unit
Wits Health Consortium
University of the Witwatersrand

Alternate email address: [EMAIL PROTECTED]
Fax Number: 0866857317

...There are 10 types of people, 
those who understand binary 
and those who do not...
  



  


--
Jayendren Anand Maduray
Microsoft Certified Professional
Network Plus
Senior IT Administrator

Perinatal HIV Research Unit
Wits Health Consortium
University of the Witwatersrand

Alternate email address: [EMAIL PROTECTED]
Fax Number: 0866857317

...There are 10 types of people, 
those who un

Re: [Samba] How to make "Add permission" for folder in system with ntacl support?

2007-11-01 Thread Toby Bluhm

Georgy Goshin wrote:
Definitely possible in Samba.  Start with the correct POSIX 
permissions on the directories, then follow the references below.


This chapter, in general
http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html 



and this section, in particular
http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html#id374339 



with or without POSIX acl's should explain how to do what you want.


Please please please. I've already tried combinations this weekend, 
spent two days and lost any understanding of the logic of file permissions 
and gave up! Please, could someone make a small sample for me, please!



Thanks in advance,
Georgy


I believe your original message said you wanted a directory that users 
could only write to but not read?


On samba server:

sudo mkdir test
sudo chown root.root test
sudo chmod 733 test

Now anyone should be able to copy a file to test directory, but not read 
it. Note - this will only work if you use copy in a cmd prompt. GUI file 
explorer tools typically want to read dir content first - not possible 
with these permissions.



Perhaps you should explain what you're trying to achieve - there may be 
better ways to do it.



--
Toby Bluhm
Midwest Instruments Inc.
30825 Aurora Road Suite 100
Solon Ohio 44139
440-424-2240




Re: [Samba] Samba+LDAP problems

2007-11-01 Thread Edmundo Valle Neto

Marcelo Mogrovejo wrote:

Hi

(...)

I read these documents and I began again with samba+ldap...
This time I have no problems, except when I try to create a user for 
testing.
I create a testuser and I add a password for him, but when I try to 
log in with this user, he doesn't log in...
For example, with the command "su testuser" as root it shows me "Id 
desconocido: testuser" or "Unknown Id: testuser".


I don't know why this happens...


(...)

Have you configured NSS? "gentent passwd" shows the user?
If I remember right, smbldap-tools creates users with a null shell by 
default too.



Regards.

Edmundo Valle Neto


[Samba] samba in ADS problem

2007-11-01 Thread damiend
Hi all

I have two samba servers on the network, a week working fine, then yesterday 
morning they just stopped.

In the log I get the following 

any ideas what's going on?



[2007/11/01 10:23:30, 3] smbd/process.c:switch_message(926)
  switch message SMBsesssetupX (pid 5671) conn 0x0
[2007/11/01 10:23:30, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/11/01 10:23:30, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1244)
  wct=12 flg2=0xc807
[2007/11/01 10:23:30, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old 
resources.
[2007/11/01 10:23:30, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1029)
  Doing spnego session setup
[2007/11/01 10:23:30, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1060)
  NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2007/11/01 10:23:30, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
  reply_spnego_negotiate: Got secblob of size 1510
[2007/11/01 10:23:30, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(172)
  ads_keytab_verify_ticket: krb5_rd_req failed for all 24 matched keytab 
principals
[2007/11/01 10:23:30, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(279)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt 
integrity check failed
[2007/11/01 10:23:30, 3] libads/kerberos_verify.c:ads_verify_ticket(427)
  ads_verify_ticket: krb5_rd_req with auth failed (Decrypt integrity check 
failed)
[2007/11/01 10:23:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(316)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2007/11/01 10:23:30, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(318) cmd=115 (SMBsesssetupX) 
NT_STATUS_LOGON_FAILURE
[2007/11/01 10:23:30, 3] smbd/process.c:process_smb(1068)
  Transaction 9 of length 1644
[2007/11/01 10:23:30, 3] smbd/process.c:switch_message(926)
  switch message SMBsesssetupX (pid 5671) conn 0x0
[2007/11/01 10:23:30, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/11/01 10:23:30, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1244)
  wct=12 flg2=0xc807
[2007/11/01 10:23:30, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old 
resources.
[2007/11/01 10:23:30, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1029)
  Doing spnego session setup
[2007/11/01 10:23:30, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1060)
  NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2007/11/01 10:23:30, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
  reply_spnego_negotiate: Got secblob of size 1510
[2007/11/01 10:23:30, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(172)
  ads_keytab_verify_ticket: krb5_rd_req failed for all 24 matched keytab 
principals
[2007/11/01 10:23:30, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(279)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt 
integrity check failed
[2007/11/01 10:23:30, 3] libads/kerberos_verify.c:ads_verify_ticket(427)
  ads_verify_ticket: krb5_rd_req with auth failed (Decrypt integrity check 
failed)
[2007/11/01 10:23:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(316)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2007/11/01 10:23:30, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(318) cmd=115 (SMBsesssetupX) 
NT_STATUS_LOGON_FAILURE
[2007/11/01 10:23:30, 3] smbd/process.c:process_smb(1068)
  Transaction 10 of length 1644
[2007/11/01 10:23:30, 3] smbd/process.c:switch_message(926)
  switch message SMBsesssetupX (pid 5671) conn 0x0
[2007/11/01 10:23:30, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/11/01 10:23:30, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1244)
  wct=12 flg2=0xc807
[2007/11/01 10:23:30, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old 
resources.
[2007/11/01 10:23:30, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1029)
  Doing spnego session setup
[2007/11/01 10:23:30, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1060)
  NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2007/11/01 10:23:30, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
  reply_spnego_negotiate: Got secblob of size 1510
[2007/11/01 10:23:30, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(172)
  ads_keytab_verify_ticket: krb5_rd_req failed for all 24 matched keytab 
principals
[2007/11/01 10:23:30, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(279)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt 
integrity check failed
[2007/11/01 10:23:30, 3] libads/kerberos_verify.c:ads_verify_ticket(427)
  ads_verify_ticket: krb5_rd_req with auth failed (Decrypt integrity check 
failed)
[2007/11/01 10:23:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(316)
  Failed to verify
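
A triage sketch for the log above, added here and not part of the original post: it rejoins the wrapped smbd log lines into entries and counts the session setups in which both the keytab check and the secrets.tdb check failed to decrypt the incoming ticket. The function names and the enctype table are this example's own; the sample is the first failed attempt copied from the posted log.

```python
import re
from collections import Counter

# First failed attempt from the log posted above, copied with its e-mail
# line wraps intact so the parser has to rejoin the wrapped messages.
POSTED_ATTEMPT = """\
[2007/11/01 10:23:30, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
  reply_spnego_negotiate: Got secblob of size 1510
[2007/11/01 10:23:30, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(172)
  ads_keytab_verify_ticket: krb5_rd_req failed for all 24 matched keytab
principals
[2007/11/01 10:23:30, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(279)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt
integrity check failed
[2007/11/01 10:23:30, 3] libads/kerberos_verify.c:ads_verify_ticket(427)
  ads_verify_ticket: krb5_rd_req with auth failed (Decrypt integrity check
failed)
[2007/11/01 10:23:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(316)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
"""

HEADER = re.compile(
    r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\] \S+:(\w+)\(\d+\)\s*$")
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}


def parse_entries(text):
    """Split smbd log text into entries, rejoining wrapped message lines."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"time": m.group(1), "level": int(m.group(2)),
                            "func": m.group(3), "msg": ""})
        elif entries and line.strip():
            last = entries[-1]
            last["msg"] = (last["msg"] + " " + line.strip()).strip()
    return entries


def kerberos_attempts(entries):
    """Group entries into SPNEGO session setups that ended in a ticket error."""
    attempts, cur = [], None
    for e in entries:
        if e["func"] == "reply_spnego_negotiate":
            cur = {"time": e["time"], "keytab_failed": False,
                   "secrets_failed": False, "enctype": None, "status": None}
        elif cur is None:
            continue
        elif e["func"] == "ads_keytab_verify_ticket" and "failed" in e["msg"]:
            cur["keytab_failed"] = True
        elif e["func"] == "ads_secrets_verify_ticket":
            m = re.search(r"enc type \[(\d+)\] failed to decrypt", e["msg"])
            if m:
                cur["secrets_failed"] = True
                cur["enctype"] = int(m.group(1))
        elif e["func"] == "reply_spnego_kerberos":
            m = re.search(r"NT_STATUS_\w+", e["msg"])
            if m:
                cur["status"] = m.group(0)
                attempts.append(cur)
                cur = None
    return attempts


def summarize(attempts):
    """Count attempts where neither the keytab nor secrets.tdb key decrypted."""
    mismatch = [a for a in attempts if a["keytab_failed"] and a["secrets_failed"]]
    return {
        "failed_attempts": len(attempts),
        # Both stores failing means the ticket was encrypted with a key this
        # server does not hold, rather than one stale keytab entry.
        "key_mismatch": len(mismatch),
        "enctypes": dict(Counter(ENCTYPES.get(a["enctype"], str(a["enctype"]))
                                 for a in mismatch)),
    }


if __name__ == "__main__":
    print(summarize(kerberos_attempts(parse_entries(POSTED_ATTEMPT))))
```

When every failure is a key mismatch like this, a common cause is that the machine account password held by the domain controller no longer matches the one stored on the member server.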

Re: [Samba] can't remove groups in AD

2007-11-01 Thread Martin Hauptmann
I can see, change and set any permissions with getfacl/setfacl.

I can see these permissions in Windows but cannot change some of the
properties. For example I cannot set full access rights for other groups
even if I am the owner of the directory/file. The changes are being
silently ignored. I can (un)check the properties and accept the changes,
but these changes do not take place when I review the properties in
windows or getfacl.

Martin

Jordan Keyes wrote:
> Martin,
>
> What command exactly are you trying to run to remove the permissions for the
> group "Everyone"?
>
>
> Jordan
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf
> Of Martin Hauptmann
> Sent: Tuesday, October 30, 2007 12:03 PM
> To: samba@lists.samba.org
> Subject: Re: [Samba] can't remove groups in AD
>
> This problem is really annoying, I cannot use security groups but I need
> to do that.
>
> Please tell me if you need more information. I am using Samba since 2001
> and never had that kind of trouble.
>
> The system is an ubuntu 7.10 server with an amd64-kernel.
>
> I am ready to offer any available information, including log (I do not
> see error/failure/warning-messages when using log level 4) and any
> configurations.
>
> Thank you in advance!
>
> Martin
>
>
> Martin Hauptmann wrote:
>   
>> Hi,
>>
>> I set up a samba 3.0.26a as an ads-member of a windows 2003 Small
>> Business Server.
>> Every windows user in the domain can read and write their files,
>> everyone's happy.
>> My Problem is, that I cannot set up security groups in the AD. When I
>> try, I do not get an error message, but my changes are being silently
>> ignored.
>> I cannot set rights exceeding read,write, execute and owner.
>> E.g. I cannot remove the group 'everyone' from the file access list.
>> When I do and confirm I do not get an error message, but when I review
>> the settings, nothing has changed, 'everyone' is still in the list.
>> It is the same when I try to set or unset full access to files - no
>> error message, but no success.
>> I tried different settings concerning heritage, but that did not help.
>>
>> There are some other postings in the mailing list that sound quite
>> similar, related to versions >3.0.25. Maybe there is a bug in these
>> versions?
>>
>> My smb.conf: http://www.pastebin.ca/753491
>>
>> Regards
>>
>> Martin
>>   
>> 
>
>   
