[Samba] Re: Redhat 3 upgrade

2008-04-07 Thread Scott Lovenberg

Alan Bunch wrote:

> I am currently running Red Hat v 3 samba rpm's.
>
> samba-common-3.0.9-1.3E.14.3
> samba-3.0.9-1.3E.14.3
> samba-client-3.0.9-1.3E.14.3
>
> I would like to run the current release version to see if I can clean up
> some of the problems I am having.  File locking and not releasing are
> the most troubling.
> I am looking for advice for executing this upgrade without breaking too
> much, such as, configuration files being in different place from the "as
> distributed" vs the "Red Hat distributed" versions.  This is a PDC with
> an LDAP back end and mostly just works.
>
> Any advice would be helpful
>
> Alan


Do you have either an extra box or the resources to clone your current 
machine to a VM?  I've found this ability worth its weight in gold since 
you never know what's going to break until you put all the parts 
together.  RHEL 3 to current Samba is quite a step... even if you went 
RHEL 3 to RHEL 5, you're jumping forward about 3 years.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] how to know if kernel supports oplocks

2008-04-07 Thread Michael Heydon

Eric PEYREMORTE wrote:

> Hi,
>
> I've read that i should put "kernel support = no" in smb.conf if my
> kernel doesn't support oplocks.

I don't know where you read that, but:

1. There is no "kernel support" option

2. Assuming you mean "kernel oplocks", the man page specifically says
"You should never need to touch this parameter."

> But i can't find how to know if my kernel support it.

According to the man page, IRIX and linux 2.4 (and presumably greater)
support it.

> I'm running a fedora core 4.
>
> If i compile the kernel manually, which option should i enable ?(i
> can't find a oplocks option)

It sounds like it relies on a generic change notification system rather
than something that is specifically designed for oplocks, probably Inotify
or maybe just dnotify.

From the kernel's menuconfig help on inotify: "If unsure, say Y". If
you are compiling your own kernel you should only remove things that you
*know* you won't need. Stick with the recommended or existing settings
everywhere else and you don't have anything to worry about.

> Eric



*Michael Heydon - IT Administrator *
[EMAIL PROTECTED] 



[Samba] Redhat 3 upgrade

2008-04-07 Thread Alan Bunch

I am currently running Red Hat v 3 samba rpm's.

samba-common-3.0.9-1.3E.14.3
samba-3.0.9-1.3E.14.3
samba-client-3.0.9-1.3E.14.3

I would like to run the current release version to see if I can clean up 
some of the problems I am having.  File locking and not releasing are 
the most troubling. 

I am looking for advice for executing this upgrade without breaking too 
much, such as, configuration files being in different place from the "as 
distributed" vs the "Red Hat distributed" versions.  This is a PDC with 
an LDAP back end and mostly just works.


Any advice would be helpful

Alan


Re: [Samba] ZFS shadow copy patches

2008-04-07 Thread Paul B. Henson
On Fri, 4 Apr 2008, Ed Plese wrote:

> Despite having only few minor changes to make to the patches, various
> circumstances delayed the process and I never got back to it to get it
> finished up and resubmitted for inclusion.  I finished this up tonight
> and sent it off to the developer that had previously reviewed the
> patches.

Cool, thanks much.

> There's a new shadow_copy2 module in Samba 3.2 that has much of the
> functionality of the enhancements I'd been working on for the existing
> shadow copy module.

I didn't see any mention of that in the release notes, perhaps it hasn't
been added to the documentation yet.


-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  [EMAIL PROTECTED]
California State Polytechnic University  |  Pomona CA 91768


Re: [Samba] ACL strange behaviour

2008-04-07 Thread Carlos Lorenzo Matés
On Monday, 7 April 2008, toni wrote:
> On Fri, 04 Apr 2008 21:04:21 +0200
>
> Carlos Lorenzo Matés <[EMAIL PROTECTED]> wrote:
> > Hi Toni.
> >
> > On Friday, 4 April 2008, toni wrote:
> > > hi john,
> > >
> > > On Fri, 04 Apr 2008 09:12:38 -0400
> > >
> > > John Drescher <[EMAIL PROTECTED]> wrote:
> > > > On Fri, Apr 4, 2008 at 7:39 AM, toni <[EMAIL PROTECTED]> wrote:
> > > > > hi,
> > > > >
> > > > >  i'm experiencing a strange behaviour when setting ACL from
> > > > > Windows XP clients (server is BDC with LDAP) after migrating
> > > > > service from SLES 9.3 to SLES 10.1:
> > > > >
> > > > >  i can't set ACL to a folder to give access to individual users
> > > > > without allowing the group of the creator. step by step, i
> > > > > tried to remove group permissions (which worked fine) but, when
> > > > > i add permissions to other users, group permissions become
> > > > > effective for the group in the directory (but no in its
> > > > > subfolders)
> > > > >
> > > > >  the correct behaviour is that i can allow access to several
> > > > > users without access for the group, and this was working after
> > > > > the migration.
> > > > >
> > > > >  it could be a different ACL behaviour between SLES 9 (Samba
> > > > >  3.0.20b-3.17-1297-SUSE) and SLES 10 (Samba
> > > > > 3.0.28-0.2-1625-SUSE-CODE10)?
> >
> > We had the same problems, finally we have downgraded our samba to
> > 3.0.24 which is SLES 10 + SP1 base version.
>
> verified, it works with 3.0.24!
> (SLES 10 + SP1, with codename: Samba 3.0.24-2.36-1616-SUSE-CODE10)
>
> do you know if this issue were reported to samba, i cannot find any ACL
> related bug in samba's bugtracker.
>
> if not i will fill a bug report.

No, but i opened some bug reports with novell (i had a premium service for 
support), and they have not been able to solve this, i think that novell is 
involved in the samba development, but i don't know if they had reported this 
problem to the samba devs.

if you open the bug, please put the link here and i will add the information i 
sent to novell regarding this bug.

also i think you should report this to novell if you have a SLES 


Thanks





-- 
Regards.

Carlos Lorenzo Matés.
clmates AT mundo-r.com



Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly

2008-04-07 Thread Volker Lendecke
On Mon, Apr 07, 2008 at 03:19:00PM -0400, Ryan Steele wrote:
> It's not defined in my Samba source, but I guess that was the wrong
> place to look.  On my system, /usr/include/ldap.h does in fact have that
> defined.  However, Samba still returns NT_STATUS_UNSUCCESSFUL, and
> Windows still  reports that the password couldn't be changed because the
> domain was unavailable... have I zigged where I should've zagged, or is
> Samba not setting rc properly when it gets the response from LDAP?

Please check that your LDAP server indeed does return 0x13
over the 389 connection. You might also add a DEBUG
statement right above the #if defined(LDAP_CONSTRAINT_VIOLATION) 
to check what smbd sees. That's at least what I would do.

Volker



Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly

2008-04-07 Thread Ryan Steele
Volker Lendecke wrote:
> On Mon, Apr 07, 2008 at 02:03:32PM -0400, Ryan Steele wrote:
>   
>> #if defined(LDAP_CONSTRAINT_VIOLATION)
>> if (rc == LDAP_CONSTRAINT_VIOLATION)
>> return NT_STATUS_PASSWORD_RESTRICTION;
>> #endif
>>
>> ...to pdb_ldap.c didn't seem to change the behavior at all.  I suspect
>> it's because LDAP_CONSTRAINT_VIOLATION isn't defined anywhere in my
>> 3.0.24 source, though I could certainly be wrong.  I'm grabbing the
>> latest source from git to see where that's defined, but if anybody wants
>> to head me off at the pass with the information, it's certainly welcome.
>> 
>
> If your LDAP libs don't have that define, you might try to
> use the value from OpenLDAP:
>
> #define LDAP_CONSTRAINT_VIOLATION   0x13
>
> Volker
>   

It's not defined in my Samba source, but I guess that was the wrong
place to look.  On my system, /usr/include/ldap.h does in fact have that
defined.  However, Samba still returns NT_STATUS_UNSUCCESSFUL, and
Windows still  reports that the password couldn't be changed because the
domain was unavailable... have I zigged where I should've zagged, or is
Samba not setting rc properly when it gets the response from LDAP?

Thanks,
Ryan




Re: RE [Samba] smbldap-useradd -w won't create machine account

2008-04-07 Thread Hector Blanco
I finally solved it with the LAM tool that John Drescher said
(http://lam.sourceforge.net/) but I don't feel very comfortable with
that... I'd like to know why that tool works and the others don't :S
Over all why the command line tools didn't do what I was expecting...

I also tried to do what said in Jerome's link but it didn't work :(
I'll keep trying, anyway... the tutorial
http://download.gna.org/smbldap-tools/docs/samba-ldap-howto/ seems
really good)

With the Lam tool I created the host account for the "enano" machine,
and that was enough...



2008/4/7, Jerome Tournier <[EMAIL PROTECTED]>:
> On Wed, Apr 02, 2008 at 06:36:43PM +0200, Hector Blanco wrote:
>
> > The thing is that the machine is properly created, but the Samba parts
>  > doesn't appear. Is like if smbldap-adduser worked only "partially" :S
>
>
> smbldap-useradd should not add any samba attributes. Samba itself will do
>  the job when joining the domain with a privileged account. For that, you
>  can have a look at
>  http://download.gna.org/smbldap-tools/docs/samba-ldap-howto/#htoc67
>
>  --
>  Jérôme Tournier
>  GPG key ID (pgp.mit.edu): 75FE0A51
>


Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly

2008-04-07 Thread Volker Lendecke
On Mon, Apr 07, 2008 at 02:03:32PM -0400, Ryan Steele wrote:
> 
> #if defined(LDAP_CONSTRAINT_VIOLATION)
> if (rc == LDAP_CONSTRAINT_VIOLATION)
> return NT_STATUS_PASSWORD_RESTRICTION;
> #endif
> 
> ...to pdb_ldap.c didn't seem to change the behavior at all.  I suspect
> it's because LDAP_CONSTRAINT_VIOLATION isn't defined anywhere in my
> 3.0.24 source, though I could certainly be wrong.  I'm grabbing the
> latest source from git to see where that's defined, but if anybody wants
> to head me off at the pass with the information, it's certainly welcome.

If your LDAP libs don't have that define, you might try to
use the value from OpenLDAP:

#define LDAP_CONSTRAINT_VIOLATION   0x13

Volker



[Samba] Questions about Active Directory Password Cache overlay

2008-04-07 Thread Wes Modes
Thanks to Buchan Milne, I'm looking into the Active Directory Password 
Cache overlay for OpenLDAP, which seems to offer more or less what I'm 
trying to do.  Is anyone here experienced with it?  Is this the right 
place to ask or is there an openLDAP overlays list?


I understand this description of ADPC:

   Active Directory Password Cache
   ===

   Active Directory does not provide any means to read user credentials on any
   public API. It is possible, to install additional libraries as password
   sniffer to catch and forward cleartext passwords on changes. In case you
   cannot or simply don't want to install such libraries, the Active Directory
   Password Cache overlay is your option.

   The Active Directory Password Cache overlay allows to mirror user account
   credentials without any modification on the AD server. It only takes one
   occasional simple bind authentication against the OpenLDAP server.

   If the credential has not been mirrored yet, the overlay uses the
   krbPrincipalName and the password provided by the user to perform a
   Kerberos init against the Active Directory. A successful Kerberos init
   guarantees a correct password for this principal, and therefore the bind
   finally succeeds.

   Within this overlay operation, the password gets encrypted with the default
   OpenLDAP hash algorithm and stored as userPassword attribute. There is an
   option to update the sambaNTPassword also (using code borrowed from Howard
   Chu's smbk5pwd overlay). All following simple bind authentications will
   first try these cached credentials, making the OpenLDAP server independent
   from AD.

   In case the user changes its password on the Active Directory server, the old
   password stays valid in OpenLDAP until the user first presents the new
   password for a simple bind. Within this bind operation, the overlay performs
   another Kerberos init and updates the cached credentials in OpenLDAP.

It is clear to me that after a password change, that a failure to 
authenticate initiates a new auth attempt against the KDC, and if it 
succeeds, ADPC caches the passwd as a hash in OpenLDAP.  But if Samba 
fails to authenticate against the hash stored in sambaNTPassword, is a 
new authentication attempt made against the KDC?  And if it does, where 
does it get the passwd to hash (since Samba never gets the passwd in 
NTLM authentication)?


Practically speaking, it seems that the password that the overlay hashes 
has to come from a source other than Samba.  A web app?  How have people 
used it in the past? 


W.

--

Wes Modes
Server Administrator & Programmer Analyst
McHenry Library
Computing & Network Services
Information and Technology Services
459-5208


Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly

2008-04-07 Thread Ryan Steele
Volker Lendecke wrote:
> On Fri, Apr 04, 2008 at 04:47:56PM -0400, John Drescher wrote:
>   
>> I think the bug/problem is that this message is being displayed
>> instead of "Password could not be changed for user
>>   tester: Constraint violation" and "does not pass required number  of
>> strength checks (1 of 3)."
>> 
>
> Current 3.2 has the attached code. Might help for you.
>
> Volker
>   
Adding:

#if defined(LDAP_CONSTRAINT_VIOLATION)
if (rc == LDAP_CONSTRAINT_VIOLATION)
return NT_STATUS_PASSWORD_RESTRICTION;
#endif

...to pdb_ldap.c didn't seem to change the behavior at all.  I suspect
it's because LDAP_CONSTRAINT_VIOLATION isn't defined anywhere in my
3.0.24 source, though I could certainly be wrong.  I'm grabbing the
latest source from git to see where that's defined, but if anybody wants
to head me off at the pass with the information, it's certainly welcome.

Thanks,
Ryan


Re: [Samba] Domain Member Server /home/user creation - help needed

2008-04-07 Thread Ryan Novosielski

[EMAIL PROTECTED] wrote:
> For almost 10 years our school has been using samba as a PDC to provide a
> network drive for each of our students.  Now I need to install a domain
> member server (DMS) to share the load.  I am running samba 3.0.28 on
> Fedora 7 using the tdbsam backend on the PDC.  I have successfully brought
> up a samba DMS using winbind and the idmap_rid backend.
> 
> I want to have all new students use the DMS for their roaming profiles and
> for their network drive.  Upon first logon of a new user, a directory is
> automatically created for the user in the profile share on the DMS. 
> However, I don’t know how to cause the home directory to be created on the
> DMS for the network drive.  On XP Pro, the user home share shows up on the
> DMS, but is not accessible because the directory does not exist.
> 
> If at this point, I copy the roaming profile directory for the user (which
> is empty) to the home directory, then the home directory is now present
> with the proper ownership and the home drive is now usable by the user.
> 
> e.g. on the DMS, with userid “mark”
> 
> cp -a /var/samba/profiles/mark /home
> 
> The [homes] share on the DMS is
> 
>  [homes]
> Path = /home/%U
> comment = Home Directories
> browseable = no
> writable = yes
> available = yes
> public = no
> 
> So my question is how can I get the home directory for a user created with
> the proper ownership the first time the user signs in?  Is there any kind
> of script that can be invoked on the DMS?  Is there any way winbind can
> create the home directory when it creates the UID/GID for the user?

Yes, read the docs on this one -- I've seen it in there. What you may be
missing is that generally whatever calls adduser/useradd/whatever your
system calls it can be told what to use as a skel directory (a standard
one is /etc/skel, but you can have more than one and use a flag to point
it to the right one).

HTH.

- --
  _  _ _  _ ___  _  _  _
 |Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Systems Programmer II
 |$&| |__| |  | |__/ | \| _| |[EMAIL PROTECTED] - 973/972.0922 (2-0922)
 \__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630

Re: [Samba] Domain Member Server /home/user creation - help needed

2008-04-07 Thread Udo Rader
On Mon, 2008-04-07 at 11:00 -0400, [EMAIL PROTECTED] wrote:
> For almost 10 years our school has been using samba as a PDC to provide a
> network drive for each of our students.  Now I need to install a domain
> member server (DMS) to share the load.  I am running samba 3.0.28 on
> Fedora 7 using the tdbsam backend on the PDC.  I have successfully brought
> up a samba DMS using winbind and the idmap_rid backend.
> 
> I want to have all new students use the DMS for their roaming profiles and
> for their network drive.  Upon first logon of a new user, a directory is
> automatically created for the user in the profile share on the DMS. 
> However, I don’t know how to cause the home directory to be created on the
> DMS for the network drive.  On XP Pro, the user home share shows up on the
> DMS, but is not accessible because the directory does not exist.
> 
> If at this point, I copy the roaming profile directory for the user (which
> is empty) to the home directory, then the home directory is now present
> with the proper ownership and the home drive is now usable by the user.
> 
> e.g. on the DMS, with userid “mark”
> 
> cp -a /var/samba/profiles/mark /home
> 
> The [homes] share on the DMS is
> 
>  [homes]
> Path = /home/%U
> comment = Home Directories
> browseable = no
> writable = yes
> available = yes
> public = no
> 
> So my question is how can I get the home directory for a user created with
> the proper ownership the first time the user signs in?  Is there any kind
> of script that can be invoked on the DMS?  Is there any way winbind can
> create the home directory when it creates the UID/GID for the user?

use pam_mkhomedir for that purpose:

ftp://ftp.eu.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_mkhomedir.html

-- 
Udo Rader

bestsolution.at EDV Systemhaus GmbH
http://www.bestsolution.at




[Samba] Domain Member Server /home/user creation - help needed

2008-04-07 Thread mrosamba
For almost 10 years our school has been using samba as a PDC to provide a
network drive for each of our students.  Now I need to install a domain
member server (DMS) to share the load.  I am running samba 3.0.28 on
Fedora 7 using the tdbsam backend on the PDC.  I have successfully brought
up a samba DMS using winbind and the idmap_rid backend.

I want to have all new students use the DMS for their roaming profiles and
for their network drive.  Upon first logon of a new user, a directory is
automatically created for the user in the profile share on the DMS. 
However, I don’t know how to cause the home directory to be created on the
DMS for the network drive.  On XP Pro, the user home share shows up on the
DMS, but is not accessible because the directory does not exist.

If at this point, I copy the roaming profile directory for the user (which
is empty) to the home directory, then the home directory is now present
with the proper ownership and the home drive is now usable by the user.

e.g. on the DMS, with userid “mark”

cp -a /var/samba/profiles/mark /home

The [homes] share on the DMS is

 [homes]
Path = /home/%U
comment = Home Directories
browseable = no
writable = yes
available = yes
public = no

So my question is how can I get the home directory for a user created with
the proper ownership the first time the user signs in?  Is there any kind
of script that can be invoked on the DMS?  Is there any way winbind can
create the home directory when it creates the UID/GID for the user?

Mark Orenstein
East Granby, CT School System



Re: [Samba] samba3.0.22 - "net setlocalsid" with no effect

2008-04-07 Thread Friedrich Strohmaier
Hi Doug, *,

I was calling sernet support.. ;o))

Doug VanLeuven wrote:

[..]

>I used a VM machine, FC5, samba-3.0.23c-1.fc5 because it's the scratch
>machine I have.
>Here's what I did to reset the SID of the new PDC (hoping that's what
>you want to do)

>#On the PDC, smbd, nmbd, & winbind stopped.

I've no winbindd running..

>[EMAIL PROTECTED] ~]# testparm -sv 2>&1|less
>..
>Server role: ROLE_DOMAIN_PDC
>..

>[EMAIL PROTECTED] ~]# service smb start
>Starting SMB services: [  OK  ]
>Starting NMB services: [  OK  ]

># List current unwanted SID

>[EMAIL PROTECTED] ~]# net getlocalsid
>SID for domain VMPDC is: S-1-5-21-893123068-2258791905-4052818733
 ^^
.. doesn't hit the nail. "machine" would say the correct thing..

>[EMAIL PROTECTED] samba]# net rpc info
>Password:
>Domain Name: VMWKGP
  ^^
This one is the domain..

>Domain SID: S-1-5-21-893123068-2258791905-4052818733
>Sequence number: 1207290693
>Num users: 1
>Num domain groups: 0
>Num local groups: 0

>#Change PDC SID to something else

>[EMAIL PROTECTED] samba]# net setlocalsid
>S-1-5-21-9-2258791905-4052818733

did work ..

>[EMAIL PROTECTED] samba]# net setdomainsid
>S-1-5-21-9-2258791905-4052818733

didn't work - "command not recognized" ..

I succeeded manipulating the domain SID with following steps:

On my ubuntu dapper box:
#stop sambaservice:
/etc/inid.d/samba stop
/etc/init.d/samba stop
 * Stopping Samba daemons...  [ OK ]

mv /var/lib/samba/secrets.tdb /var/lib/samba/secrets.tdb.bak 
net setlocalsid SID_WANTED  #new secrets.tdb is created

net getdomainsid
SID for domain PDC_MACHINE is: SID_WANTED
SID for domain DOMAIN is: SID_WANTED

Heureka!!

And even better: moving secrets.tdb.bak to secrets.tdb showed the old
values. Thus I can do some testing before really changing things. :o))

Ah not to forget:
/etc/init.d/samba start
 * Starting Samba daemons  [ OK ]

[..]

First step is done - now I have to go there at late hour, change things
and do tests.

Thanks for your help - I'll report more :o))
-- 
Friedrich
beste Grüße/best regards
von der/from the
Sonnenalb - Germany



RE: [Samba] Re: How to create a write-only share?

2008-04-07 Thread Alex Harrington
 
> Thanks for the answer but in this case anyone can look into the folder
> and see the file list. Sometimes even a filenames could be the secret.
> So this is not helps us.

Set "hide unreadable = yes" on the share.

Alex
-- 
Alex Harrington - Network Manager, Longhill High School

t: 01273 304086 | e: [EMAIL PROTECTED]


Re: [Samba] Re: How to create a write-only share?

2008-04-07 Thread Scott Lovenberg

Ash Gosh wrote:

> On Mon, Apr 7, 2008 at 11:21 AM, Scott Lovenberg <[EMAIL PROTECTED]>
> wrote:
>
> >   I think I did this once a couple of years ago using NT style policy and
> > the firewall policy object.  IIRC, I did it all at the file system level;
> > each computers' SYSTEM service was allowed to write to a text file that it
> > couldn't read.  The files was owned as "root:someGroup" with 720 perms.
> > This file was in a directory called 'logs' owned "root:someGroup" with 710
> > perms.  The directory that 'logs' was contained within was owned by
> > "root:someGroup" with 710 perms and was exported as a hidden share (I think
> > I used the '$' hidden share trick), which 'someGroup' was allowed to write
> > to.  That's off the top of my head, and it may not be correct, but if you
> > can mock it up with VMWare and a liveCD, that will at least get the ball
> > rolling, I hope.  I'm fairly sure it worked as advertised, but it never made
> > it to production, so I didn't document it or anything.
>
> Hello again,
>
> I did not understand correctly: did you make all with fs permissions, what
> about and what is NT style policy and the firewall policy object?
> Does this help me to allow anyone to copy / paste a file into the shares
> where they have no access?
>
> Thanks,
> Ash.
  
Yeah, disregard the part about NT policy, it was background info that I 
thought might help you to understand what I was trying to accomplish; 
it's not important to the topic at hand.  Let me change the permissions 
a bit so as to be more accurate (the second folder was not needed, I 
think I might have had something else in mind):


directory  |  owner  |  group      |  perms
topFolder  |  root   |  someGroup  |  7730

That should work, and it'll make every file owned by root, who will be 
the only one who can delete it.  Just make sure no one figures out how 
to put a shell script in this folder and execute it! ;)

[Samba] how to know if kernel supports oplocks

2008-04-07 Thread Eric PEYREMORTE

Hi,

I've read that i should put "kernel support = no" in smb.conf if my 
kernel doesn't support oplocks.

But i can't find how to know if my kernel support it.
I'm running a fedora core 4.

If i compile the kernel manually, which option should i enable ?(i can't 
find a oplocks option)


Eric


Re: [Samba] Re: How to create a write-only share?

2008-04-07 Thread Ash Gosh
On Mon, Apr 7, 2008 at 11:21 AM, Scott Lovenberg <[EMAIL PROTECTED]>
wrote:

>   I think I did this once a couple of years ago using NT style policy and
> the firewall policy object.  IIRC, I did it all at the file system level;
> each computers' SYSTEM service was allowed to write to a text file that it
> couldn't read.  The files was owned as "root:someGroup" with 720 perms.
> This file was in a directory called 'logs' owned "root:someGroup" with 710
> perms.  The directory that 'logs' was contained within was owned by
> "root:someGroup" with 710 perms and was exported as a hidden share (I think
> I used the '$' hidden share trick), which 'someGroup' was allowed to write
> to.  That's off the top of my head, and it may not be correct, but if you
> can mock it up with VMWare and a liveCD, that will at least get the ball
> rolling, I hope.  I'm fairly sure it worked as advertised, but it never made
> it to production, so I didn't document it or anything.
>

Hello again,

I did not understand correctly: did you make all with fs permissions, what
about and what is NT style policy and the firewall policy object?
Does this help me to allow anyone to copy / paste a file into the shares
where they have no access?

Thanks,
Ash.


Re: [Samba] Re: How to create a write-only share?

2008-04-07 Thread Ash Gosh
On Mon, Apr 7, 2008 at 12:29 PM, Jason Haar <[EMAIL PROTECTED]>
wrote:

> Real easy. We did it to create a "quarantine share" for Windows AV agents
> to move viruses to. The share is world-writable - but not readable by anyone
>
> You simply create a share and set the following smb.conf settings
>
> [sharename]
>  path = /dir
>  read only = No
>   create mask = 0333
>   directory mask = 0333
>   guest ok = Yes
>
> Then if the actual directory is 1777, then anyone can write to it. Of
> course you can always fiddle with those perms to suit...
>
Hello Jason,

Thanks for the answer but in this case anyone can look into the folder and
see the file list. Sometimes even a filenames could be the secret. So this
is not helps us.

Thanks,
Ash.


Re: [Samba] Re: How to create a write-only share?

2008-04-07 Thread Jason Haar

Ash Gosh wrote:

> I need to create a share that will be readable by root only (by owner) and
> writeable for all.

Real easy. We did it to create a "quarantine share" for Windows AV 
agents to move viruses to. The share is world-writable - but not 
readable by anyone


You simply create a share and set the following smb.conf settings

[sharename]
 path = /dir
 read only = No
   create mask = 0333
   directory mask = 0333
   guest ok = Yes

Then if the actual directory is 1777, then anyone can write to it. Of 
course you can always fiddle with those perms to suit...



--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
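
Added example, not part of the original message and not Samba code: a small Python check of what the share definition above gives a guest, run for the 1777 directory from the message, a constructed 1733 variant, and the "hide unreadable = yes" setting suggested elsewhere in this thread. The DOS-to-UNIX mode mapping inside audit_dropbox is a simplified assumption, and all function and key names are illustrative.

```python
import stat

# Constructed input: the share definition from the message above, with its
# original uneven indentation.
SMB_CONF = """\
[sharename]
 path = /dir
 read only = No
   create mask = 0333
   directory mask = 0333
   guest ok = Yes
"""


def parse_share(conf_text, share_name):
    """Return the parameters of one smb.conf section as a dict."""
    params, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            continue
        if current == share_name.lower() and "=" in line:
            key, value = line.split("=", 1)
            # Normalise case and repeated spaces in the parameter name.
            params[" ".join(key.lower().split())] = value.strip()
    return params


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit_dropbox(params, top_dir_mode):
    """Report what a client in the 'other' permission class can do."""
    create_mask = int(params.get("create mask", "0744"), 8)
    directory_mask = int(params.get("directory mask", "0755"), 8)

    # Assumption (simplified model): a new writable file with the archive
    # bit set maps to 0766 and a new directory to 0777 before the mask is
    # ANDed in. "force create mode" and friends are not modelled.
    file_mode = 0o766 & create_mask
    subdir_mode = 0o777 & directory_mask

    # Creating an entry needs write and search permission on the directory.
    can_create = bool(top_dir_mode & stat.S_IWOTH and top_dir_mode & stat.S_IXOTH)
    # Listing names needs read permission on the directory.
    fs_listable = bool(top_dir_mode & stat.S_IROTH)
    files_readable = bool(file_mode & 0o444)
    # "hide unreadable" hides entries the client could not read anyway.
    hidden_by_samba = (
        is_yes(params.get("hide unreadable", "no")) and not files_readable
    )
    return {
        "others_can_create": can_create,
        "names_visible": fs_listable and not hidden_by_samba,
        "new_file_mode": file_mode,
        "new_files_readable": files_readable,
        "new_subdir_mode": subdir_mode,
        "sticky": bool(top_dir_mode & stat.S_ISVTX),
    }


if __name__ == "__main__":
    share = parse_share(SMB_CONF, "sharename")
    cases = [
        ("directory 1777, as in the message", {}, 0o1777),
        ("directory 1733, constructed variant", {}, 0o1733),
        ("directory 1777 plus hide unreadable", {"hide unreadable": "yes"}, 0o1777),
    ]
    for label, extra, mode in cases:
        result = audit_dropbox({**share, **extra}, mode)
        print(f"{label}: create={result['others_can_create']} "
              f"names_visible={result['names_visible']} "
              f"new_file_mode={oct(result['new_file_mode'])}")
```
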



Re: RE [Samba] smbldap-useradd -w won't create machine account

2008-04-07 Thread Jerome Tournier
On Wed, Apr 02, 2008 at 06:36:43PM +0200, Hector Blanco wrote:
> The thing is that the machine is properly created, but the Samba parts
> doesn't appear. Is like if smbldap-adduser worked only "partially" :S

smbldap-useradd should not add any samba attributes. Samba itself will do
the job when joining the domain with a privileged account. For that, you
can have a look at
http://download.gna.org/smbldap-tools/docs/samba-ldap-howto/#htoc67

-- 
Jérôme Tournier  
GPG key ID (pgp.mit.edu): 75FE0A51


Re: [Samba] ACL strange behaviour

2008-04-07 Thread toni
On Fri, 04 Apr 2008 21:04:21 +0200
Carlos Lorenzo Matés <[EMAIL PROTECTED]> wrote:

> Hi Toni.
> 
> 
> On Friday, 4 April 2008, toni wrote:
> > hi john,
> >
> > On Fri, 04 Apr 2008 09:12:38 -0400
> >
> > John Drescher <[EMAIL PROTECTED]> wrote:
> > > On Fri, Apr 4, 2008 at 7:39 AM, toni <[EMAIL PROTECTED]> wrote:
> > > > hi,
> > > >
> > > >  i'm experiencing a strange behaviour when setting ACL from
> > > > Windows XP clients (server is BDC with LDAP) after migrating
> > > > service from SLES 9.3 to SLES 10.1:
> > > >
> > > >  i can't set ACL to a folder to give access to individual users
> > > > without allowing the group of the creator. step by step, i
> > > > tried to remove group permissions (which worked fine) but, when
> > > > i add permissions to other users, group permissions become
> > > > effective for the group in the directory (but not in its
> > > > subfolders)
> > > >
> > > >  the correct behaviour is that i can allow access to several
> > > > users without access for the group, and this was working after
> > > > the migration.
> > > >
> > > >  it could be a different ACL behaviour between SLES 9 (Samba
> > > >  3.0.20b-3.17-1297-SUSE) and SLES 10 (Samba
> > > > 3.0.28-0.2-1625-SUSE-CODE10)?
> > > >
> 
> 
> We had the same problems, finally we have downgraded our samba to
> 3.0.24 which is SLES 10 + SP1 base version.

verified, it works with 3.0.24!
(SLES 10 + SP1, with codename: Samba 3.0.24-2.36-1616-SUSE-CODE10)

do you know if this issue was reported to samba? i cannot find any ACL
related bug in samba's bugtracker.

if not i will file a bug report.

thanks for all,

toni

> 
> I had tested with 3.0.25 and 3.0.28 and had problems, also with
> domain trust with an NT domain
> 
> 
> Greetings
> 
 


Re: [Samba] Re: How to create a write-only share?

2008-04-07 Thread Scott Lovenberg

Ash Gosh wrote:

On Fri, Apr 4, 2008 at 6:55 PM, Ash Gosh <[EMAIL PROTECTED]> wrote:

  

Hi!

I need to create a share that will be readable by root only (by owner) and
writeable for all. We are replacing a dead Windows NT 4.0 server and there was a
permission type called "Add" and our users use this type of permission
often. They create shares where other users can add files but cannot
read or even list them. I saw a thread here called "How to make "Add
permission" for folder in system withntacl support?"
but there was no solution published. I believe that there is a solution, I
hope so.





Hello,

It's me again, sorry for bothering. Does this problem have a solution? I need
to replace a dead Win NT 4 server quickly so please let's start a discussion.
Maybe I'll need to select a filesystem other than ext3 or even the server
OS, to Solaris with ZFS for example? Please help

Thanks in advance,
Ash.
  
I think I did this once a couple of years ago using NT style policy and 
the firewall policy object.  IIRC, I did it all at the file system 
level; each computer's SYSTEM service was allowed to write to a text 
file that it couldn't read.  The file was owned as "root:someGroup" 
with 720 perms.  This file was in a directory called 'logs' owned 
"root:someGroup" with 710 perms.  The directory that 'logs' was 
contained within was owned by "root:someGroup" with 710 perms and was 
exported as a hidden share (I think I used the '$' hidden share trick), 
which 'someGroup' was allowed to write to.  That's off the top of my 
head, and it may not be correct, but if you can mock it up with VMWare 
and a liveCD, that will at least get the ball rolling, I hope.  I'm 
fairly sure it worked as advertised, but it never made it to production, 
so I didn't document it or anything.

[Samba] Re: How to create a write-only share?

2008-04-07 Thread Ash Gosh
On Fri, Apr 4, 2008 at 6:55 PM, Ash Gosh <[EMAIL PROTECTED]> wrote:

> Hi!
>
> I need to create a share that will be readable by root only (by owner) and
> writeable for all. We are replacing a dead Windows NT 4.0 server and there was a
> permission type called "Add" and our users use this type of permission
> often. They create shares where other users can add files but cannot
> read or even list them. I saw a thread here called "How to make "Add
> permission" for folder in system withntacl support?"
> but there was no solution published. I believe that there is a solution, I
> hope so.
>


Hello,

It's me again, sorry for bothering. Does this problem have a solution? I need
to replace a dead Win NT 4 server quickly so please let's start a discussion.
Maybe I'll need to select a filesystem other than ext3 or even the server
OS, to Solaris with ZFS for example? Please help

Thanks in advance,
Ash.


RE: [Samba] PDC migration: printing trouble.

2008-04-07 Thread L.P.H. van Belle
I had this problem also.

I was using the Point and Print setup for uploading the printer drivers.
I also tried deleting the registry keys in Windows, but my solution was:

I re-uploaded (overwrote) my printer drivers, set the settings per printer
again, and my problem was solved.
No slow printer properties screens, or slow selecting of the printer.

Louis


>-Original message-
>From: [EMAIL PROTECTED] 
>[mailto:[EMAIL PROTECTED] On behalf of 
>Remy Zandwijk
>Sent: Friday 4 April 2008 20:43
>To: John Drescher
>CC: samba@lists.samba.org
>Subject: Re: [Samba] PDC migration: printing trouble.
>
>John Drescher wrote:
>
>>>  we've been moving an old Samba 2.2.x PDC install to a Samba 3.0.28 PDC
>>> install. We copied the ntdrivers.tdb and ntprinters.tdb from the old to the
>>> new server. After the migration, everything was just fine, except printing
>>> seemed to be somewhat slower. As more and more users logged on, the machine
>>> got really sluggish and printing took quite long. We figured out we've got
>>> bitten by:
>>>
>> 
>> Is there a lot of network activity and a long delay between clicking
>> the print button on windows?
>
>Hi John. Yes, there is.
>
>-Remy
>