Re: [Samba] Samba Authentication - User ID Pass-Thru?
SNIP Now the issue I'm having may not have a workaround, but I'm just looking for ideas. When users on the client (any computer on the network) write a file to the "server" that they see, it is in turn writing back to the Samba share on the file server. Thus, no matter who writes the file, it's written to the actual filesystem as the user by which the gateway mounts the share on the file server. Can anybody think of any way to pass along the user ID up the chain so that it's written to the filesystem as the originating user? Long and short of it no. This can also cause some serious other problems. Don't know why you want to do this, but here's a solution. (Using LDAP backend would make this spiffy, but this should be ok) On the server where stuff actually rights, share that as an NFS share and mount it on the "Gateway" server. Then share the nfs mount point via samba. The LDAP part comes in because you can have both servers using ldap for users and groups and keep your permissions and UID/GID stuff global. I can make sure the user accounts line up on the two servers, that's no big deal. I'm just wondering if it's possible. It's not a showstopper for me if everything gets written as the same user, I can deal with that. (Although I am having issues with create masks and group writability, but that's for another time.) I'm just tossing the question out to the group to see if it's anything that's been dealt with before or anything interesting enough to warrant discussion/collaboration. The answer might even be to use something other than Samba between the gateway server and the file server. I'm certainly open to suggestions on that. The only other related technology with which I have any experience is NFS and I chose Samba over that simply for the stability and robustness in unexpected situations. It's been my experience in the past that NFS gets pretty unstable when the network connection drops and can hang a machine's shutdown procedures. This is to be avoided in this particular situation because, in the event of a power failure detected by the UPS, properly stopping the services and unmounting the filesystem cleanly are critical. The _only_ job of the file server on the back end is to protect the data. If anybody has any suggestions I'd really appreciate it. Thanks! -- Regards, David P. Donahue "It's hard enough to live in a world where you grow old and die, why be disharmonious?" - Jack Kerouac -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Samba Authentication - User ID Pass-Thru?
I probably have an odd setup, so please bear with me. To simplify as much
as possible, I have two servers and a client. The first server is the
back-end file server and is accessible only by the second ("gateway")
server. (The second server has dual ethernet, one of which is a crossover
to the file server.) The file server has a Samba share that's pretty simple
and open, and the gateway server mounts it. Then the gateway server has a
Samba share at that mount point to share the back-end server out to the
network. Again, bear with me on that :)
Now the issue I'm having may not have a workaround, but I'm just looking for
ideas. When users on the client (any computer on the network) write a file
to the "server" that they see, it is in turn writing back to the Samba share
on the file server. Thus, no matter who writes the file, it's written to
the actual filesystem as the user by which the gateway mounts the share on
the file server. Can anybody think of any way to pass along the user ID up
the chain so that it's written to the filesystem as the originating user? I
can make sure the user accounts line up on the two servers, that's no big
deal. I'm just wondering if it's possible.
It's not a showstopper for me if everything gets written as the same user, I
can deal with that. (Although I am having issues with create masks and
group writability, but that's for another time.) I'm just tossing the
question out to the group to see if it's anything that's been dealt with
before or anything interesting enough to warrant discussion/collaboration.
The answer might even be to use something other than Samba between the
gateway server and the file server. I'm certainly open to suggestions on
that. The only other related technology with which I have any experience is
NFS and I chose Samba over that simply for the stability and robustness in
unexpected situations. It's been my experience in the past that NFS gets
pretty unstable when the network connection drops and can hang a machine's
shutdown procedures. This is to be avoided in this particular situation
because, in the event of a power failure detected by the UPS, properly
stopping the services and unmounting the filesystem cleanly are critical.
The _only_ job of the file server on the back end is to protect the data.
If anybody has any suggestions I'd really appreciate it. Thanks!
--
Regards,
David P. Donahue
"It's hard enough to live in a world where you grow old and die, why be
disharmonious?"
- Jack Kerouac
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Preventing Windows from changing file permissions
--- Original message --- Subject: Re: [Samba] Preventing Windows from changing file permissions From: Jeremy Allison To: av78us vaal Cc: Date: Saturday, 15/05/2010 5:16 PM On Sat, May 15, 2010 at 04:30:54AM -0700, av78us vaal wrote: Hi, Is there a way to configure samba such that Windows applications are not allowed to change file permissions for existing files in the share. I just want to be able to read and modify the files from Windows without affecting the file permissions inadvertently. I do not care about any Windows side file attributes such as ACL. I tried several things including parameters such as 'map archive = no', 'security mask = xxx' etc. Nothing seem to result in what exactly I want. This is surprising considering that my requirement is very simple. You can always set "nt acl support = no", which is an old option from when we first added Windows ACLs. Also setting map XXX = no will stop DOS attributes being mapped to POSIX permissions. Not knowing precisely the error...but how about force user = on the share? Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4-alpha11
--- Original message --- Subject: Re: [Samba] Samba4-alpha11 From: Andrew Bartlett To: Cc: Date: Saturday, 15/05/2010 5:14 AM On Fri, 2010-05-14 at 12:21 -0700, t...@tms3.com wrote: Just thought I'd say that samba4 is working quite nicely. Samba4 DC on Ubuntu server. Added a W2k3R2 and W2k8R2 server as DC's. Took a little bit of play to get it done, but not much. The only thing I've noticed so far (still in early lab stage) is a GC issue. Now if I can upgrade a Samba3-LDAP domain This should not be to hard, as a one-way, change the schema upgrade. If you want to help with that, I can point you some of the tools and existing attempts that you could build on. As I am without portfolio, so to speak, at the moment, and have a nice little lab, t'would be appreciated. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Cisco Inc. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Preventing Windows from changing file permissions
On Sat, May 15, 2010 at 04:30:54AM -0700, av78us vaal wrote: > Hi, > Is there a way to configure samba such that Windows applications are not > allowed to change file permissions for existing files in the share. > I just want to be able to read and modify the files from Windows without > affecting the file permissions inadvertently. I do not care about any Windows > side file attributes such as ACL. > I tried several things including parameters such as 'map archive = no', > 'security mask = xxx' etc. Nothing seem to result in what exactly I want. > This is surprising considering that my requirement is very simple. You can always set "nt acl support = no", which is an old option from when we first added Windows ACLs. Also setting map XXX = no will stop DOS attributes being mapped to POSIX permissions. Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Preventing Windows from changing file permissions
--- Original message --- Subject: [Samba] Preventing Windows from changing file permissions From: av78us vaal To: Date: Saturday, 15/05/2010 4:28 AM Hi, Is there a way to configure samba such that Windows applications are not allowed to change file permissions for existing files in the share. I just want to be able to read and modify the files from Windows without affecting the file permissions inadvertently. What changes are you seeing specifically, what app is doing it etc. Would help... I do not care about any Windows side file attributes such as ACL. I tried several things including parameters such as 'map archive = no', 'security mask = xxx' etc. Nothing seem to result in what exactly I want. This is surprising considering that my requirement is very simple. Is this possible in samba. thanks,Aneesh -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Unix password sync
>On Fri, May 14, 2010 at 3:46 PM, Alessandro Grandi wrote: > > If I login the server as a user of the domain and I try: > > $smbpasswd > > I put the old password, then the new and I get the following: > > "SAMR connection to machine NT_STATUS_ACCESS_DENIED failed. Error was > > 127.0.0.1, but LANMAN password changed are disabled. > > Failed to change password for " > This is bug #2128 - https://bugzilla.samba.org/show_bug.cgi?id=2128 > Originally reported for version 3.0.8 and still broken in 3.5.2. Makes > it impossible to test unix password sync without a Windows box. > > You probably have to edit your password chat. Visually examine what > happens when you change the unix password and edit the chat to match. I tryied to edit my "passwd chat" but it still don't work. This is my output when I change the user password (as root): #passwd silvia Immettere nuova password UNIX: Reimmettere la nuova password UNIX: passwd: password aggiornata correttamente So my passwd chat is: passwd chat = *Immettere*nuova*password*UNIX:*%n*\n* *Reimmettere*la*nuova*password*UNIX:*%n*\n* *passwd:*password*aggiornata*correttamente* but it still don't work. I tried also some different values for passwd chat (even something like: passwd chat = *nuova*password*%n*\n* *nuova*password*%n*\n* *password*) but no way... Maybe there is something I've not understood in the passwd chat sintax? I don't know... I'd like to setup this feature but it's not a critical one (I don't think I'll setup LDAP just for this). Thank you everyone is spending time to answer me! (I appreciate it so much :-) Alessandro -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] samba4 - where is libnss_winbind.so?
On Wed, 2010-05-12 at 19:27 +0200, Laurent BARRAILLE wrote: > Since samba 4 alpha 11 libnss_winbind.so is not compiled. > There is some info in the the samba-technical mailing list : > > http://lists.samba.org/archive/samba-technical/2010-March/069882.html You can use the libnss_winbind built from the source3 build. You need to set (in smb.conf) winbindd socket directory = /tmp/.winbindd Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Cisco Inc. signature.asc Description: This is a digitally signed message part -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 and group policy password policy
Hi, I am not sure if this a bug or a feature with Samba, but what is happening here is the LDAP server has the complexities in LDAP, and changing the Group Policy doesn't seem to have any impact (at least I wasn't able to fix it). I ended up having to manually edit the LDAP server. Sadly I can't remeber how I modified ldap now. It was months ago. Probably it would be easier to do modify the python script at install time. --Andrew On 05/15/2010 02:42 AM, Christophe Deze wrote: Hello I had the same problem during my test of samba. I disabled complexity requierement ... I can't change password with a simple one. I miss something ? thanks Le 14/04/2010 14:31, Santiago Perez Agra a écrit : Hi every one, I'm testing Samba4 with the guide posted on the wiki http://wiki.samba.org/index.php/Samba4/HOWTO#Step_1:_Download_Samba4, all our tests results ok but one of them crash: Group Policy works ok on a new organizational unit in deploy security task over desktop users but when i create a new user over this ou, with the dsa.msc group policy> Computer Configuration> Windows Settings> Security Settings> Account Policies> Password Policy> Password must need complexity requirement set as "Not defined" but when dsa.msc asks you about the new password of the user it answer that you need to meet this restrictions, this can be avoid with the linux samba command net newuser ... but what does happen when a user is asked about to change your password because password age is next to expire ... Our goal is to replace all windows XP desktops to ubuntu desktops but we have a number of desktops that is not possible to change XP so we need to implement an AD alternative and Samba 4 is perfect, with group policy support now. Thanks a lot in advance to all of you -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4-alpha11
On Fri, 2010-05-14 at 12:21 -0700, t...@tms3.com wrote: > Just thought I'd say that samba4 is working quite nicely. Samba4 DC > on Ubuntu server. Added a W2k3R2 and W2k8R2 server as DC's. Took a > little bit of play to get it done, but not much. > > The only thing I've noticed so far (still in early lab stage) is a GC > issue. > > Now if I can upgrade a Samba3-LDAP domain This should not be to hard, as a one-way, change the schema upgrade. If you want to help with that, I can point you some of the tools and existing attempts that you could build on. Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Cisco Inc. signature.asc Description: This is a digitally signed message part -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 and group policy password policy
On Sat, 2010-05-15 at 08:42 +0200, Christophe Deze wrote: > Hello > I had the same problem during my test of samba. > I disabled complexity requierement ... > I can't change password with a simple one. > > > I miss something ? Samba does not honour group policy itself (it just hosts it for Windows clients to apply locally. See the 'net pwsettings' command for the way to change these settings in the Samba4 domain until this functionality is extended. Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Cisco Inc. signature.asc Description: This is a digitally signed message part -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Preventing Windows from changing file permissions
Hi, Is there a way to configure samba such that Windows applications are not allowed to change file permissions for existing files in the share. I just want to be able to read and modify the files from Windows without affecting the file permissions inadvertently. I do not care about any Windows side file attributes such as ACL. I tried several things including parameters such as 'map archive = no', 'security mask = xxx' etc. Nothing seem to result in what exactly I want. This is surprising considering that my requirement is very simple. Is this possible in samba. thanks,Aneesh -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] What is the preferred way to inherit permission on a pdc?
On Thu, May 6, 2010 at 10:08 AM, Luca Olivetti wrote: > En/na Aniruddha ha escrit: > >> For now I solved this problem by adding 'inherit permissions = yes' >> and 'force group = mygroup' to smb.conf. > > Instead of the latter I use the sticky bit on the group in a folder, I still > have to use the "inherit permissions = yes". > This way I can have just one share with different write access in different > folders. > Thanks! That is a great idea. I also found some more information about this topic here; http://www.samba.org/samba/docs/man/Samba3-ByExample/kerberos.html#id2614269 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
