[Samba] Problem with `profiles`
I'm trying to move some roaming profiles from Domain A to B. All of the profiles are from XP SP3. The originating machine is Debian 5/AMD64, samba 3.4.5 from Debian packages. The destination machine is Ubuntu 9.10, but x86.

From everything I've read and found online, `profiles` is supposed to work for XP with no problems. When I attempt to do a SID change on NTUSER.DAT, I get this:

    semirhage:~# profiles NTUSER.DAT
    ndr_pull_error(11): ndr_pull_relative_ptr1 rel_offset(716800) > ndr->data_size(4096)
    ndr_pull_security_descriptor failed: NDR_ERR_BUFSIZE
    prs_grow: Buffer overflow - unable to expand buffer by 36 bytes.
    ndr_pull_error(11): ndr_pull_relative_ptr1 rel_offset(716800) > ndr->data_size(4096)
    ndr_pull_security_descriptor failed: NDR_ERR_BUFSIZE
    prs_grow: Buffer overflow - unable to expand buffer by 36 bytes.
    ndr_pull_error(11): ndr_pull_relative_ptr1 rel_offset(716800) > ndr->data_size(4096)
    ndr_pull_security_descriptor failed: NDR_ERR_BUFSIZE
    prs_grow: Buffer overflow - unable to expand buffer by 36 bytes.
    ~~ App. 400 lines cut ~~
    ->data_size(36864)
    ndr_pull_security_descriptor failed: NDR_ERR_BUFSIZE
    prs_grow: Buffer overflow - unable to expand buffer by 36 bytes.
    read_block: invalid block header!
    regfio_rootkey: corrupt registry file ? No root key record located
    Could not get rootkey

This happens on every NTUSER.DAT that I try, on every machine. Googling and trying to fix for 2 days, at a loss. Any direction much appreciated!

Thanks,
Wes

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Problem with `profiles`
Just as a followup, the `profiles` binary provided by the Debian Samba 3.2.5 package works as expected. Is the 3.4.x series expecting a different registry format?

Wes

On Wednesday 07 April 2010 12:57:10 pm Wes Deviers wrote:
> I'm trying to move some roaming profiles from Domain A to B. All of the profiles are from XP SP3. The originating machine is Debian 5/AMD64, samba 3.4.5 from Debian packages. The destination machine is Ubuntu 9.10, but x86.
>
> SNIP
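The errors in this thread come from Samba's registry reader (`read_block`, `regfio_rootkey`) giving up before it finds a root key, so the first thing worth settling is whether the hive file itself is structurally sound or whether the 3.4.x reader is mishandling a valid file. The script below is an added example, not code from this thread or from Samba: it checks the fixed parts of the REGF layout (base-block signature and checksum, the two sequence numbers, the first "hbin" block header, and the root "nk" cell). The `build_sample_hive()` helper constructs a minimal synthetic hive purely for testing; it is not a real NTUSER.DAT, and the field offsets used are the documented ones for the regf format.

```python
import struct

BASE_BLOCK_SIZE = 4096   # fixed-size "regf" base block; hive bins start right after it
HBIN_HEADER_SIZE = 32


def regf_checksum(base_block: bytes) -> int:
    """XOR of the first 127 little-endian 32-bit words; the stored value sits at offset 508."""
    acc = 0
    for word in struct.unpack("<127I", base_block[:508]):
        acc ^= word
    return acc


def inspect_hive(data: bytes) -> dict:
    """Check the fixed parts of a REGF hive: base block, first hbin, root 'nk' cell.

    Returns a dict of parsed fields plus a 'problems' list; an empty list means
    every structural check passed.  This is a consistency check, not a full parser.
    """
    problems = []
    if len(data) < BASE_BLOCK_SIZE + HBIN_HEADER_SIZE:
        return {"problems": ["file shorter than base block plus one hbin header"]}

    signature = data[:4]
    if signature != b"regf":
        problems.append("base block signature is %r, not b'regf'" % signature)

    seq1, seq2 = struct.unpack_from("<II", data, 4)
    if seq1 != seq2:
        problems.append("sequence numbers differ (%d != %d): hive is dirty, last write not committed" % (seq1, seq2))

    major, minor = struct.unpack_from("<II", data, 20)
    root_offset, hbins_size = struct.unpack_from("<II", data, 36)
    stored_checksum = struct.unpack_from("<I", data, 508)[0]
    if stored_checksum != regf_checksum(data):
        problems.append("base block checksum mismatch")
    if BASE_BLOCK_SIZE + hbins_size > len(data):
        problems.append("hive bins size (%d) runs past end of file" % hbins_size)

    # The first hbin must start immediately after the base block.
    hbin_sig, hbin_rel_offset, hbin_size = struct.unpack_from("<4sII", data, BASE_BLOCK_SIZE)
    if hbin_sig != b"hbin":
        problems.append("first block header is %r, not b'hbin'" % hbin_sig)
    if hbin_rel_offset != 0:
        problems.append("first hbin claims relative offset %d, expected 0" % hbin_rel_offset)

    # Cell offsets are relative to the first hbin.  A cell starts with a signed
    # 32-bit size (negative = allocated) followed by its two-byte signature.
    root_abs = BASE_BLOCK_SIZE + root_offset
    root_sig = None
    if root_abs + 6 > len(data):
        problems.append("root cell offset 0x%x points past end of file" % root_offset)
    else:
        cell_size = struct.unpack_from("<i", data, root_abs)[0]
        root_sig = data[root_abs + 4:root_abs + 6]
        if cell_size >= 0:
            problems.append("root cell is not marked allocated")
        if root_sig != b"nk":
            problems.append("root cell signature is %r, not b'nk'" % root_sig)

    return {
        "version": (major, minor),
        "root_offset": root_offset,
        "hbins_size": hbins_size,
        "root_signature": root_sig,
        "problems": problems,
    }


def build_sample_hive(corrupt_hbin: bool = False) -> bytes:
    """Constructed minimal hive for testing (NOT a real NTUSER.DAT): one hbin
    holding a single allocated 'nk' cell at relative offset 0x20."""
    hbin_size = 4096
    root_offset = 0x20
    base = bytearray(BASE_BLOCK_SIZE)
    base[0:4] = b"regf"
    struct.pack_into("<II", base, 4, 7, 7)             # matching sequence numbers
    struct.pack_into("<II", base, 20, 1, 3)            # major/minor as XP-era hives report
    struct.pack_into("<II", base, 36, root_offset, hbin_size)
    struct.pack_into("<I", base, 508, regf_checksum(bytes(base)))

    hbin = bytearray(hbin_size)
    hbin[0:4] = b"XXXX" if corrupt_hbin else b"hbin"
    struct.pack_into("<II", hbin, 4, 0, hbin_size)
    struct.pack_into("<i", hbin, root_offset, -0x60)   # allocated cell of 0x60 bytes
    hbin[root_offset + 4:root_offset + 6] = b"nk"
    return bytes(base + hbin)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_sample_hive()
    for key, value in inspect_hive(blob).items():
        print("%s: %s" % (key, value))
```

Run it as `python3 regfcheck.py NTUSER.DAT` (copy the hive first; never work on the live profile). If the checks pass on a file that `profiles` from 3.4.x rejects but 3.2.5 accepts, the hive is fine and the reader is the suspect; a dirty flag or checksum mismatch instead points at a profile that was copied while the user was still logged on.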
Re: [Samba] Samba + LDAP: Changing user's group
I'm having this same problem, but it's new. Using 3.4.2 Debian packages, recently upgraded. I never had any type of LDAP group caching problem until the last 2 weeks.

I added a user to an LDAP group as normal because they needed access to a new share. Cleared the nscd caches as normal. The service definition uses

    force group = +groupName
    valid users = @admins, @groupName
    write list = @admins, @groupName

All of the people previously in @groupName retain access to the share. The person I just added cannot access it. getent, groups, etc. all return the correct group membership. If I add the account explicitly to valid users / write list, it works as soon as I do an smbd reload.

Did some behavior change or have we stumbled on a new bug?

Wes

On Monday 30 November 2009 07:29:33 am davefu wrote:
> Hi, thanks for answering.
>
> I have only 1 Samba server. When I mentioned changes on groups, I meant on the LDAP server. LDAP is used on both system and samba environments. When changing groups on users, those changes are instant on the system environment, but not on Samba.
>
> - I create a new Folder A, with full permissions for Group A
> - User B (belonging to group B) logs in via SSH to the server, and can't access Folder A.
> - User B logs in via Samba using his Windows desktop machine, and can't access Folder A (previously configured inside a Samba Resource).
> - Now I add User B to Group A via LDAP. He belongs now to Group A and Group B.
> - getent group | grep User B shows correctly both groups on the user.
> - User B correctly accesses Folder A, writes files, etc. via console, ssh, or any kind of regular system authentication (since the system is using pam libraries, configured to use LDAP as backend).
> - User B still can't access Folder A in any way. Samba has cached User B's credentials, and hasn't checked LDAP again for a while. The only option is to restart Samba, or wait randomly until Samba refreshes / syncs LDAP info about that user again.
>
> Hope this little story explains my problem better.
> Sorry for my English. Thanks!
Re: [Samba] ldapsam, smbpasswd and posixAccount
On Tuesday 06 October 2009 03:11:29 pm Thorsten Scherf wrote:
> On [Tue, 06.10.2009 12:13], Adam Williams wrote:
> > are you loading samba.schema in your slapd.conf?
>
> yes. running smbpasswd -a works without any problem when the user doesn't already exist with posix-attrs in LDAP.

I'm not sure that there's a mechanism to tell smbpasswd that the LDAP user already exists, but without Samba attributes. Since smbpasswd is probably just generating an LDIF and dumping it onto the server instead of using much logic, you'll probably either have to do smbpasswd -a first and then write your own changeType: MODIFY LDIF for POSIX, or use something (like LAM) that does both.

Wes
Re: [Samba] Attribute 'userPassword' not allowed
Your schema is missing an entry for userPassword. In my schema, that's defined as part of the Core schema and is referenced inside posixAccount, which is where I think most people keep it. But it can also be a special-purpose kind of attribute that interacts with the LDAP server more than other attribs will.

Caveat, though, is that I'm using OpenDS and not OpenLDAP. I don't *think* it's different for userPassword, though.

Wes

On Tuesday 22 September 2009 06:35:25 am Bruno Steven wrote:
> Hello
>
> I am trying to add smbpasswd for user root; my environment is samba integrated with openldap. I found the message below at the moment I was creating smbpasswd for root with the command smbpasswd -a root; it shows this log in my slapd.log:
>
>     ldap_read: want=80, got=80
>       0000:  17 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 34 32 30   .1.3.6.1.4.1.420
>       0010:  33 2e 31 2e 31 31 2e 31 81 36 30 34 80 26 75 69   3.1.11.1.604.ui
>       0020:  64 3d 72 6f 6f 74 2c 6f 75 3d 70 65 73 73 6f 61   d=root,ou=pessoa
>       0030:  73 2c 64 63 3d 61 6d 62 6c 69 76 72 65 2c 64 63   s,dc=amblivre,dc
>       0040:  3d 63 6f 6d 82 08 70 69 6c 61 73 74 72 6f 05 00   =com..pilastro..
>     ldap_read: want=8 error=Resource temporarily unavailable
>     Entry (uid=root,ou=pessoas,dc=amblivre,dc=com), attribute 'userPassword' not allowed
>     entry failed schema check: attribute 'userPassword' not allowed
>
> By the log, the samba schema does not allow attribute 'userPassword'. Does somebody know how to resolve this problem?
>
> --
> Bruno Steven - Systems Administrator.
> LPIC-1 - LPI ID: lpi000119659 / Code: p2e4wz47e4
> https://www.lpi.org/caf/Xamman/certification
> MCP-Windows 2003 - TranscriptID: 793804 / Access Code: 080089100
> https://mcp.microsoft.com/authenticate/validatemcp.aspx
Re: [Samba] Failing to add XP SP3 client to Samba domain
On Monday 21 September 2009 04:27:07 pm Steve Cayford wrote:
> Looking at smbldap-useradd I can see that it first creates a posix machine account with this code in smbldap_tools.pm:
>
>     my $add = $ldap->add(
>         "uid=$user,$config{computersdn}",
>         attr => [
>             'objectclass'   => [ 'top', 'account', 'posixAccount' ],
>             'cn'            => $user,
>             'uid'           => $user,
>             'uidNumber'     => $uid,
>             'gidNumber'     => $gid,
>             'homeDirectory' => '/dev/null',
>             'loginShell'    => '/bin/false',
>             'description'   => 'Computer',
>             'gecos'         => 'Computer',
>         ]
>     );
>
> Then it tries to modify the entry with this code in smbldap-useradd, which is where it dies:
>
>     my $modify = $ldap_master->modify(
>         "uid=$userName,$config{computersdn}",
>         changes => [
>             replace => [ objectClass => [ 'top', 'person', 'organizationalPerson',
>                                           'inetOrgPerson', 'posixAccount', 'sambaSAMAccount' ] ],
>             add => [ sambaLogonTime       => '0' ],
>             add => [ sambaLogoffTime      => '2147483647' ],
>             add => [ sambaKickoffTime     => '2147483647' ],
>             add => [ sambaPwdCanChange    => '0' ],
>             add => [ sambaPwdMustChange   => '2147483647' ],
>             add => [ sambaPwdLastSet      => $date ],
>             add => [ sambaAcctFlags       => '[I ]' ],
>             add => [ sambaLMPassword      => $lmpassword ],
>             add => [ sambaNTPassword      => $ntpassword ],
>             add => [ sambaSID             => $user_sid ],
>             add => [ sambaPrimaryGroupSID => "$config{SID}-515" ],
>         ]
>     );

It's defining it as objectClass 'account' in the first entry.

    attr => [ 'objectclass' => [ 'top', 'account', 'posixAccount' ],

You'll have to look at your schema, but you can probably get away with replacing account in the first codelet with inetOrgPerson.

Wes
Re: [Samba] Verification on HOW adding a machines works
On my setup, I have libnss and libpam set to filter out machine POSIX accounts. All of my machine accounts have a UID higher than 1, so I can filter it something like this:

    nss_base_passwd dc=domain,dc=com?sub?(uidNumber=) (objectClass=posixAccount)
    nss_base_shadow dc=domain,dc=com?sub?(uidNumber=) (objectClass=posixAccount)

Standard Linux utilities will never see machine accounts using NSS calls (like getent), but the accounts do exist and Samba doesn't seem to have a problem with them. So I think you'll be okay.

Wes

On Thursday 17 September 2009 11:46:32 pm Todd E Thomas wrote:
> I'm straddling the half-way point between samba and ldap. When adding a machine to the domain, functionally, it works like you would expect. You enter the domain, enter your credentials, and reboot. The computer is able to function as a machine on the domain. I'm using the smbldap-tools as suggested in the wiki. Here's the script:
>
>     add machine script = /usr/sbin/smbldap-useradd -w -g 100 -c "Workstation (%u)" -d /dev/null -s /sbin/nologin %u
>
> When checking on details of the process:
>
>     # getent passwd
>     biggie$:x:1008:100:Workstation (biggie$):/nohome:/sbin/nologin
>
> (works for me)
>
>     # getent group | grep users
>     users:x:100:
>
> (the machine is not listed as a member of the group)
>
> Should machines be displayed as a member of the group they are added to like users?
>
>     ldapsearch -x -b "dc=ptest,dc=us" "(objectclass=*)" | less
>
>     # machines, ptest.us
>     dn: ou=machines,dc=ptest,dc=us
>     ou: machines
>     objectClass: organizationalRole
>     cn: machines
>
> (the ou that biggie is added to)
>
>     # BIGGIE$, machines, ptest.us
>     dn: uid=BIGGIE$,ou=machines,dc=ptest,dc=us
>     uid: BIGGIE$
>     objectClass: sambaSamAccount
>     objectClass: account
>     displayName: BIGGIE$
>
> (biggie's ldap entry)
>
> --
> Thanks for the assist,
>
> Todd E Thomas
> C: 515.778.6913
>
> "It's a frail music knits the world together."
> -Robert Dana
Re: [Samba] ACL misbehavior moving from POSIX ACL -> acl_xattr
On Friday 18 September 2009 02:06:41 pm Miguel Medalha wrote:
> Please pardon me if I insist, but I am doing it with the interest of the community in mind, not just bitching about it.
>
> I really don't see why this could not be implemented. Perhaps it goes somewhat against established thinking but it really seems possible to me.
>
> NOTE: Perhaps we wouldn't even need a VFS module, only a smb.conf parameter to switch the behavior of the samba daemon?
>
> Please note: all disk operations would be done in the name of that special user, using full permissions. Ownership and rights would then be filtered by the adequate layer to be seen by clients in the appropriate way.
>
> Best regards
> Miguel

Miguel (and others..)

I've been dinking around with implementing this in my spare time, using the existing 3.3 VFS ACL_xattr module as a guide. I *think* the number of modifications to get it to work that way is pretty minor, actually. Of course, I could be completely wrong because my C is very rusty and I'm not all that familiar with the Samba source code.

Jeremy's idea is pretty straightforward; if you just discard any filesystem-level ACL operations, the existing xattr code should still work. Then, you can do some share definitions to force user/group ownership of everything, and hopefully walk away.

If somebody who's better at it wants to work on the problem, that would be awesome, because I have little confidence in my own. But I'll keep at it and see what happens.

Wes
Re: [Samba] Failing to add XP SP3 client to Samba domain
On Friday 18 September 2009 04:29:47 pm Steve Cayford wrote:
> Hi,
>
> I'm running samba 3.2.5 as a domain controller on a Debian Lenny server with authentication data stored in a local openldap instance. The server has been running smoothly since I originally set it up on Sarge. I upgraded to Etch a while back and then to Lenny about a month ago.
>
> I'm trying to add a new Windows XP SP3 client to the domain for the first time since the latest upgrade and I'm getting the error message "The user name could not be found" on the client. I've joined clients to the domain previously with no problems using the root account on the server.
>
> Upon examining the ldap entries I can see that an account *was* created for the computer (named foshan), but it is incomplete as it only has the following attributes:
>
>     cn             foshan$
>     description    Computer
>     gecos          Computer
>     gidNumber      515
>     homeDirectory  /dev/null
>     loginShell     /bin/false
>     uid            foshan$
>     uidNumber      4905

Steve,

Are you using OpenLDAP? Is it possible that during the Debian upgrade, the OpenLDAP schema files got changed, and so it's failing because updates would violate the schema (perhaps because the samba schema file is now missing or not being loaded..?)

Somewhere in there, I think Debian switched from using OpenLDAP with schema configuration files to schema-over-LDAP updates. If it tried to convert your schema and failed, or even just flat-out ignored it, that would cause the problem.

Turn slapd's logging to debug or sniff the LDAP transaction when you try to join the machine and see what that gets you?

Wes
Re: [Samba] ACL misbehavior moving from POSIX ACL -> acl_xattr
On Wednesday 16 September 2009 06:01:21 pm Miguel Medalha wrote:
> I am ignorant enough on these low-level matters. I almost understand your statement. But... consider the following:
>
> - At the filesystem level ALL the permissions are 666 or 777
> - The above are ONLY seen by the VFS layer, not by the client side
> - The VFS module writes the real ACLs as extended attributes only (or some other method), always setting them as 666/777 at the filesystem level
> - Clients only see the ACLs provided to them *by the VFS layer* and never directly from the filesystem
>
> Wouldn't this provide any desired type of ACLs? What am I missing here?
>
> Thank you

That's the direction I'm heading experimentally; there are a few shortcomings that I can think of right away, but they can be mitigated (and the upside is big from a usability standpoint, I think)

- If there's a flaw discovered in Samba that takes place in non-root code, the filesystem-level ACLs will still prevent information disclosure. If you turn over all ACL validation to Samba and that validation is what can be bypassed, then you've lost a layer of protection.

- POSIX ACLs mean that you can set permissions from Windows and those permissions will also affect non-Samba services (FTP and such). In lots of installations that's probably nice to have, but for a dedicated file server where the only user interface is Samba, it wouldn't matter.

- How to apply actions might be odd; Traverse Folders is pretty self-explanatory and is easy to manage in the virtual ACL database. Take Ownership is slightly harder: if you take ownership of a set of files, does that imply fake ownership in just ACLs, or real ownership at the POSIX layer? If Take Ownership doesn't change the UNIX owner, it means that any action on a file owned by POSIX user A but owned by NTACL user Z would have to be run as root. Adding more root operations is generally considered Bad.

A bit farther on, and the logical next step, then, is that you don't actually need matching POSIX accounts anymore. By the time you've implemented the VFS ACL the way you and I were thinking (and trust that it's secure) you can just run the entire Samba infrastructure as UID = samba, and let the VFS ACL layer take care of all access control. Every file on the server is now owned by POSIX user samba, libnss-ldap is no longer necessary...

Of course, that idea has been debated thoroughly both on mailing lists and anywhere two Samba users meet on the street, so I'm not touching it : )

Is that along the lines you were thinking, or did I totally miss?

Best,
Wes
[Samba] ACL misbehavior moving from POSIX ACL -> acl_xattr
List,

I had Samba 3.0 running on Debian Lenny configured to use POSIX ACLs on ext3. They worked fine, or at least as fine as NT -> POSIX mapping ever did. After testing 3.3 with acl_xattr on a different machine, I decided to give it a whirl on the production server. And yes, I know it's experimental.

I defined a share thusly:

    vfs objects = acl_xattr
    acl map full control = true
    inherit acls = yes
    map acl inherit = yes
    map read only = Permissions
    nt acl support = yes
    acl group control = true
    dos filemode = yes
    enable privileges = yes
    store dos attributes = yes

This is identical to the setup on the test machine, which worked correctly. On the production machine, trying to set ACLs via XP's Explorer interface fails with a permission denied. The log:

    set_canon_ace_list: sys_acl_set_file type file failed for file TestDirectory/Test (Operation not supported).

Having both POSIX ACL and the VFS object turned on produced some interesting results, so last night I unmounted /samba, turned off -o acl, and remounted it. It now has user_xattr turned on, but -o acl is *off*. Restarted Samba, everything seemed to work.

In the harsh light of users' morning, it appears that Samba is still trying to use the POSIX ACL layer to store ACLs, although that's a best guess based on the error message.

How can I insist that Samba use the vfs object ACL module, instead of the POSIX acls?

Thanks!

Wes
Re: [Samba] ACL misbehavior moving from POSIX ACL -> acl_xattr
On Wednesday 16 September 2009 12:56:11 pm Jeremy Allison wrote:
> On Wed, Sep 16, 2009 at 11:18:58AM -0400, Wes Deviers wrote:
> > SNIP
> >
> > How can I insist that Samba use the vfs object ACL module, instead of the POSIX acls?
>
> You can't at the moment. Samba still requires the incoming ACL to be converted into an underlying file system ACL, as the underlying filesystem still must have the final decision on access decisions. The NT acl is stored as an extra layer of ACL metadata on top of this, which is also consulted.
>
> You could slot in a null ACL module underneath the acl_xattr layer that always allowed acl set and returned an "allow everyone" acl on read, but that isn't coded yet (shouldn't be too hard though).
>
> Currently if you want native NT ACLs only I suggest you use the NFSv4 module, which is pretty close to native Windows ACLs.
>
> Jeremy

Jeremy,

As always, thank you for your reply!

I'm confused now. I have a VirtualBox instance set up identically, except that the underlying filesystem (ext3) has never had -o acl set on it, only -o user_xattr. What I've been doing, which is dangerous but effective, is setting file creation mode to 666 and letting the Samba VFS ACL layer take care of everything. That's worked.

As I understood the system under the new VFS module, Samba does its internal ACL checks and if those pass, it then attempts file operations as normal, which may or may not work depending on the real file permissions. If I have POSIX ACLs applied, those also have to agree; otherwise, the normal UGO permissions are what must work. I'm clear through this part.

Where I'm confused is that on a machine that I do have working, there is no POSIX ACL support, but the Samba VFS layer works brilliantly. Inheritance, take ownership, everything works on the VFS layer without needing any POSIX ACLs.

On the old server, I've taken a machine that was previously storing the Samba ACL metadata as POSIX mappings, pulled the POSIX mappings out from under it, and tried to get it to use the VFS module exclusively. All files/dirs are 666 or 777. According to my reading, since there are no POSIX extended ACLs, if the VFS layer passes an access, then it only should be compared against the standard UGO permissions. Testing on a virtual machine seemed to confirm this.

I think you read my question as: "Why am I denied access because of my POSIX ACLs, even though the VFS ACL module is in place?" I'm clear on what's involved there, I think.

What I was *trying* to make my question: "Since I've turned POSIX ACLs *off* at the filesystem layer by removing the ACL mount option, why does Samba continue to want to store its ACL metadata in the POSIX ACL layer instead of the VFS module?" So, no Linux ACLs, and a+rwx on all files/directories. It works on one machine : (

Or, alternately, "Does Samba, with vfs object = acl_xattr, store ACLs both as a user_xattr AND an ext3 ACL at the same time?" My limited testing shows that *not* to be the case, but I'm certainly not the expert.

Thanks again!

Wes
Re: [Samba] Problem with net rpc.
On Wednesday 16 September 2009 08:46:31 am Bruno Steven wrote:
> Hi guys ...
>
> I have samba Version 3.0.33-3.7.el5_3.1 integrated with Openldap. I have been trying to run the command net rpc join -U root, but it shows the message
>
>     Creation of workstation account failed
>     Unable to join domain TEST.COM.
>
> ...

Have you created the LDAP posixAccount item for the machine account? When I did it, I kept forgetting that you do still have to create an entry with a posixAccount object class for the machine, just as if it were a normal, non-LDAP entry.

Wes
Re: [Samba] The network path was not found
On Tuesday 28 October 2008 15:49:28 mimagabooks wrote:
> This is my first attempt at creating a samba pdc. I am receiving the following error when I try joining the samba pdc.
>
>     The following error occurred attempting to join the domain MAGABOOKS.ORG: The network path was not found.
>
> I am using SuSE 11.0 with:
>
>     samba-3.2.3-0.1
>     smbldap-tools 0.9.5-1
>     openldap-2.4.9-7.4
>     bind-9.4.2-39.2
>     dhcp-server-3.0.6-86.1
>
> My config files are as follows:
>
> smb.conf
>
>     [global]
>     unix charset = LOCALE
>     workgroup = MAGABOOKS.ORG
>     netbios name = arizona
>     passdb backend = ldapsam:ldap://arizona.magabooks.org;

Have you tried it without the .ORG (both client and server side)?
Re: [Samba] Samba over bridged ethernet VPN
On Tuesday 30 September 2008 18:07:25 Daniel Bye wrote:
> Thanks for your reply, Wes.
>
> ...
>
> As for the routing between sites, if I understand correctly what you're asking, then it's simply a small LAN in the office attached via a commodity ADSL modem, with Samba and OpenVPN running on the same host. OpenVPN is running in bridged Ethernet mode, and assigns IP addresses to connecting clients. Therefore, effectively there is no routing between sites, as far as our CIFS/SMB clients are concerned. However, the physical routing is essentially as you'd expect - the office is on a standard domestic grade ADSL link, as are two of the remote users. The other remote users and I are connected over cable, and all are subject to our upstream providers' routing policies.
>
> I'm going to try fiddling with the MTU/fragment/mssfix settings in my OpenVPN configs, and see how we get on.

If you're using Linux routers, a good diag tool is iperf, which has a maximum MTU discovery mode.

The problem (apparently) comes in because fragmenting OpenVPN packets is Bad. So if you set no-fragment then large packets just get dropped, which is also Bad. It can also come from an interface or router in the middle that's broken somehow. In my case, I had a PCI T1 interface that wasn't reporting the correct MTU for path discovery. It was reporting 1500 as standard but it actually cut off somewhere around 1480; I think the driver implementation was broken. Normally it wouldn't be an issue, but since OVPN can't be fragmented it became a problem.

Regardless, I hard-set the MTU on the ethernet devices (both ends) to 1400 and that fixed the transport issue. In theory, you can do the same in the OVPN config (such that it pre-fragments, basically) but it didn't work as well for me.

Good luck!

Wes
Re: [Samba] Samba over bridged ethernet VPN
On Monday 29 September 2008 12:33:33 Daniel Bye wrote:
> Hi all,
>
> I have Samba 3.0.32 on FreeBSD-7-RELEASE, set up to act as a very simple workgroup file server (i.e., no domain or anything fancy like that). It is the latest version of Samba available in ports.
>
> I am seeing timeouts and connection reset errors in my per-client logs such as the following. For clients on the local LAN, the errors don't cause any real problems. However, for remote clients connected over OpenVPN in bridged Ethernet mode over cheap domestic ADSL lines, they result in the clients being unable to open or otherwise manipulate files on the server.
>
> SNIP
>
> This client machine is running WinXP Pro, but we are seeing the same for WinXP Home, Vista HP, FreeBSD and Linux-based clients.
>
> I have found several references to the same problem in numerous mailing list archives and bug reports around the web, but none of them seems to have a definite fix.
>
> Anyone know of anything I can try here?
>
> Thanks for any help or insights you can offer...
>
> Dan

Dan,

I've had problems similar to this with OpenVPN when path MTU discovery was broken. In theory it should never break, but there have been a few times when I've had to tweak it by hand.

The general theory, if you're unfamiliar, is that different networking media have different Maximum Transmission Units (MTU), which is the largest size an L2 chunk can be and still be transported. In Ethernet, it's typically 1500 bytes (+ some overhead, the actual max is 1514). Your OVPN link is probably using 1500 as well. But OpenVPN wraps some header information around the Ethernet frame to deliver it correctly; what can happen is that the payload size can be larger than 1500 on the VPN link, forcing the entire frame to be dropped.

A quick way to diagnose this: if you ssh and do commands with minimal output, it will work fine. If you do a huge directory listing, it will spaz and die (because you go from small to large packets). Have you seen anything like that?

Can you give us a quick breakdown of how the routing looks between sites?

Wes
Re: [Samba] How to move a samba PDC to a diffrent box
On Tue 3 Jun 2008 4:42:40 am ml wrote:
> Hello List,
>
> I have got a samba pdc running based on the smbldap tools and Debian Sarge. Now we would like to move everything over to Ubuntu Hardy. Can I simply:
>
> - Create the same users and groups with the same id on Hardy
> - Move the files and profiles over by keeping their permissions (rsync -avzp ...)
> - Set the samba SID to be the old original one (I do not know how this could be done and if it even works)
>
> Will I then simply be able to log back in with my Windows clients? Is there a HowTo explaining this scenario?
>
> Thanks,
> Mario

I don't know how official it is, but if you move all the files and everything beforehand, making sure to keep the ACLs, then shutdown samba on machine 1. Then move /etc/samba and /var/lib/samba to the new machine, overwriting the existing ones created by the .debs. Start samba on the new machine, and you're done.

Of course, that's not very high-availability, and it's assuming you're not using LDAP or something...even though it should work. Have to make sure everybody is off of the original.

I may be forgetting something, but I've done it dozens of times; one of the benefits of samba versus MS implementations is that there's much magic involved and so it really can be as simple as moving the files.

Wes
Re: [Samba] Username case mangling -- Linux username is mixed-case, Samba returns lower-case
On Tue 8 Apr 2008 12:56:45 pm Steve Briggs wrote:
> As an aside while checking the samba documentation, I saw references to how Linux usernames should always be all lower case. Why? I've had mixed-case names for over 6 years and am unaware of any problems until now. Certainly, standard tools let you create mixed-case usernames without complaint.
>
> TIA,
> Steve

Basically...for exactly the problem you have here. That's a convention that's been around for many years, for various reasons. First, you'll occasionally run into problems like that. Second, on large production environments, if you allow mixed case usernames people will forget them daily; it's best to just say lowercase only. Third, you never know when you might need to expand into a system that *is* case sensitive. On modern Linux systems it's not such a problem, but it used to be, and the Proper Etiquette for Systems Administrators Guidebook still says lowercase.

I'll note that Debian and children do not, by default, allow uppercase names:

    [EMAIL PROTECTED]:/home/wes# adduser YonNewblette
    adduser: Please enter a username matching the regular expression configured
    via the NAME_REGEX[_SYSTEM] configuration variable.  Use the `--force-badname'
    option to relax this check or reconfigure NAME_REGEX or NAME_REGEX_SYSTEM.
    [EMAIL PROTECTED]:/home/wes# adduser yonnewblette
    Adding user `yonnewblette' ...

And I would submit that no well-behaved GNU/Linux system should allow uppercase in usernames.

Unfortunately, I can't help you with your -actual- problem. As a workaround, you could create a second username, steve, with the same UID/GID and $HOME, and add it to the Steve group and it should work effectively the same way. I don't like workarounds, but if it's a toLower() in the Samba code then you're either SOL or you'll have to change the code.

Wes
http://tc.deals.yahoo.com/tc/blockbuster/text5.com -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
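Added example (not part of the thread): a small Python check for the lowercase-username convention discussed above, plus a model of what goes wrong when a service folds names to lower case before looking them up. The NAME_REGEX pattern is an assumption based on Debian's adduser default and should be checked against /etc/adduser.conf; the passwd entries are constructed.

```python
import re

# Assumed Debian adduser default NAME_REGEX: lowercase letter first, then
# lowercase letters, digits, '-' or '_'. Verify against /etc/adduser.conf.
DEBIAN_NAME_REGEX = re.compile(r"^[a-z][-a-z0-9_]*$")


def is_conventional_username(name, pattern=DEBIAN_NAME_REGEX):
    """True if the name satisfies the lowercase-only convention."""
    return bool(pattern.match(name))


def case_collisions(usernames):
    """Return groups of names that become identical once case is folded.

    A service that lowercases names before matching (as the thread suspects
    Samba does) would map every name in such a group onto one account.
    """
    groups = {}
    for name in usernames:
        groups.setdefault(name.lower(), []).append(name)
    return {folded: names for folded, names in groups.items() if len(names) > 1}


def resolve_lowercased(lookup_name, passwd_entries):
    """Model of a lookup that lowercases the name before matching passwd.

    Returns the uid, or None when no entry matches the folded name. This is
    the failure mode behind the thread: a mixed-case passwd entry is never
    found, and the suggested workaround is a lowercase alias with the same uid.
    """
    folded = lookup_name.lower()
    for entry in passwd_entries:
        if entry["name"] == folded:
            return entry["uid"]
    return None


if __name__ == "__main__":
    # Constructed passwd entries for the demonstration.
    passwd = [{"name": "Steve", "uid": 1001}]
    print(is_conventional_username("YonNewblette"))        # False
    print(resolve_lowercased("Steve", passwd))             # None: mixed-case entry not found
    passwd.append({"name": "steve", "uid": 1001})          # the alias workaround
    print(resolve_lowercased("Steve", passwd))             # 1001
```

The collision check is the part worth running on a real passwd or directory export: two accounts that differ only in case are indistinguishable to any consumer that folds case, which is an authorization problem, not just an inconvenience.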
Re: [Samba] Samba authentication to Kerberos via OpenLDAP, third and last try
On Thu 3 Apr 2008 5:00:36 pm Wes Modes wrote:
> Volker Lendecke wrote:
>> On Thu, Apr 03, 2008 at 01:34:30PM -0700, Wes Modes wrote:
>>> The question and the challenge: Any leads on how I might convince Samba to pass the input password on to OpenLDAP so that OpenLDAP can authenticate it against Kerberos?
>>
>> The only chance is that you modify each client's registry to send plain text passwords to the server over the network, downgrading your security to what telnet provided ages ago. You can guess that this is ABSOLUTELY NOT recommended. If you go with standard Windows authentication schemes, the SMB server never sees the user's plain text password which would be required to authenticate against Kerberos.
>>
>> Volker
>
> Yeah, I'm not so keen on sending plaintext passwords anywhere. It is already moderately-well documented how to connect Samba up to use Kerberos authentication. And my guess is that the Kerberos model would not allow passwords to be sent plaintext. More likely an encrypted hash gets passed? I don't know the precise mechanism, but would like to. But beyond that, how could one use Samba to pass that encrypted password to LDAP to pass on to Kerberos to authenticate?

Note: this is from my experience and research, both of which are extensive but probably wrong.

I wanted to do a similar thing (poor-man's SSO). I believe the problem is twofold:

1) The client never actually sends the password. By default, it sends a response to a challenge from the server; the response is based on the password. So the password, in any form, never traverses the network unless you explicitly turn on that compatibility model. Samba can't forward what it doesn't have.

2) Using LDAP for authentication is...a hack, to put it bluntly. Everybody does it, but we probably shouldn't. The problem is that either authentication scenario (bind against LDAP = Good! or query the tree for user/pw/group/etc) would require modifications to the LDAP server. It could accept the password, request a certificate and then store the token and return the Correct answer if the token is good and intentionally return an incorrect answer if the Kerb auth fails. Since you can't send passwords in plaintext for obvious reasons, a simple or complex way to do this escapes me.

I assume that you're not doing domain logins. You could write a web interface or quick Java craplet (or a keylogger...) that takes a login from the user and captures their password. Then you can feed that to a process on the LDAP server which authenticates against kerberos; if the authentication succeeds, you dump the hashed/crypted version of the password into the LDAP directory for authentication use later. Convoluted, but you could make it work.

Wes
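Added example (not from the thread, and not Samba's or Windows' actual algorithm): a simplified challenge-response model in Python that shows why the SMB server "can't forward what it doesn't have". The password-equivalent is derived with SHA-256 and the response with HMAC-SHA256 purely to keep the model self-contained; real NTLM uses different primitives. The challenge values in the test are constructed.

```python
import hashlib
import hmac
import os


def password_equivalent(password):
    """Stand-in for the stored password hash the verifier keeps.

    Assumption of this model: SHA-256 over the UTF-16LE password. The point
    is only that the verifier holds a password-derived secret, not the
    password itself.
    """
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def new_challenge():
    """Server side: a fresh random nonce for each authentication attempt."""
    return os.urandom(8)


def client_response(password, challenge):
    """Client side: prove knowledge of the password without sending it.

    Only the keyed MAC of the server's challenge goes over the wire.
    """
    return hmac.new(password_equivalent(password), challenge, hashlib.sha256).digest()


def server_verify(stored_equiv, challenge, response):
    """Verifier side: recompute the expected response from the stored secret.

    Anyone without stored_equiv (e.g. an SMB server hoping to relay the
    credential to Kerberos) cannot do this step, and a verifier that issued a
    different challenge will reject a response computed for this one.
    """
    expected = hmac.new(stored_equiv, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def authenticate(stored_equiv, password):
    """One full exchange: challenge, response, verification."""
    challenge = new_challenge()
    response = client_response(password, challenge)
    return server_verify(stored_equiv, challenge, response)


if __name__ == "__main__":
    stored = password_equivalent("correct horse")       # what the verifier keeps
    print(authenticate(stored, "correct horse"))        # True
    print(authenticate(stored, "wrong"))                # False
```

The second assertion in the test is the thread's point 1 in code: a response is bound to the challenge it answered, so the SMB server holding that response has nothing it could present to a second verifier (Kerberos via LDAP) that issues its own challenge.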
Re: [Samba] permission puzzle
That's expected behavior if I'm reading your description correctly. When you do the initial CIFS mount using -o username, you're associating that username with the connection via the Linux kernel, not via any type of samba VFS layer. So no matter how the machine accesses it (samba, NFS, shell, FTP server) it's always going to be associated using username=marc. You then connect to the smb share as jim, but as far as smbfs/cifsFS is concerned, you're constantly connected to the Windows machine as marc. There are two authentications going on, and neither is related to the other at all. You're assuming there's some sort of authentication pass-through when there isn't (by design).

If you turned on anonymous access via FTP, you'd also find that you could write to /cddrive via the FTP server as well. : )

Wes

On Wed 26 Mar 2008 4:39:17 pm Marc Fromm wrote:
> I created a share on windows with a windows user marc having access to the share.
>
> On the Linux machine I created two samba users marc and jim with associated Linux accounts marc and jim.
>
> On Linux I connect to the share on windows with the windows user marc
>   mount -t cifs //140.160.42.58/shareonwindows /cddrive -o username=marc
>
> I made cddrive a samba share on the Linux box by entering it into the smb.conf file
>
> On a second windows computer I map a network drive to the cddrive samba share on Linux using the samba user marc. User marc can create and delete files.
>
> Here is the puzzle:
> On the second windows computer I can map a network drive to the cddrive samba share on Linux using the samba user jim and create and delete files. There is not a jim account on the windows computer where the windows share is located. If I adjust the share settings on the windows share for the windows user marc, both samba users marc and jim are affected equally. Example: on the windows share I only allow marc to read, then neither samba marc nor jim on the second windows computer can create a file.
>
> Marc
>
> Marc Fromm
> Information Technology Specialist II
> Financial Aid Department
> Western Washington University
> Phone: 360-650-3351
> Fax: 360-788-0251
[Samba] log output and browse list problem
Samba List:

I have a multisite setup connected via T1/VPN. Each site has its own SMB server (Debian 4.1) and between 6 and 70 PCs connected to it at a time. Each is a PDC for its respective site, on different domain names. Any given site may have to access files stored on a different site's server, so SMB traffic is allowed between locations.

We've had a problem for a while now where the browse list on PCs never expires old entries. For instance, one of the IT employees had a testing workgroup set up that still appears in the browse list 8 months after he's left. We've tried the "turn everything off" suggestion but it's 1) hard to know if we really got *everything* off; we're a bit of a 24/7 operation and 2) a minor problem, so we haven't dedicated that much time to figuring it out.

One of the servers sporadically has a weird log entry, though, and I think it might be related. Once or twice a week, the log output looks like:

nmbd/nmbd_synclists.c:complete_sync(284) sync with DELETEME(0.0.0.0) for workgroup TEMP completed (0 records) : 15 Time(s)
nmbd/nmbd_synclists.c:complete_sync(284) sync with HARRIS(0.0.0.0) for workgroup SERVERS completed (3 records) : 18 Time(s)
nmbd/nmbd_synclists.c:complete_sync(284) sync with HARRIS(0.0.0.0) for workgroup SERVERS completed (4 records) : 3 Time(s)
nmbd/nmbd_synclists.c:complete_sync(284) sync with JAZZ(0.0.0.0) for workgroup HARMONY completed (0 records) : 26 Time(s)
nmbd/nmbd_synclists.c:complete_sync(284) sync with JAZZ(0.0.0.0) for workgroup HARMONY completed (0 records)‹ QjœG íÝksÛÈv.àÏɯÀGNUÆÆ•ÔÉ©‚$‰/*�’ÇN�rYczoW,Q-ïøߧ$¨I€M¨›½¼‰KÚëQãÒ÷ÕÿåÚv÷í¼uÛ–Ýö«û–ûÿŸ_nß²ÿ{úùíû›¿CöÕ§ïó´:]ï�·øl=Ýß¾›}ù#äß}š?Ìî?Íþ'´ÞþúüøöñéþíâóÝíç·O÷³ÿy˜ýýsöå û˜Õj¶Ûù�Àõ}¿ó‡õma}þþ8ûüå·ÅÿëÛ½õóŸìçÏ‹ÿ/è 3넶tÐAtÐAtÐAò_.tÐA

NOTE: This email sent in plain text (I hope!) so it might not look correct, but it's supposed to look like Unicode-to-ASCII non-sense. This is followed by hundreds of pages of special character gook.

That particular machine is running 3.0.24-6etch9, as are other machines...but it's the only one with Log Vomit.

Any thoughts?

Thanks!

Wes
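Added example (not from the thread): a Python parser for the nmbd complete_sync lines quoted above, which tallies syncs per workgroup and flags two things a reviewer of that log would want counted: syncs reported against 0.0.0.0 peers, and lines that carry non-printable bytes like the "special character gook" in the post. The sample below reuses the post's four readable lines and adds one constructed corrupt line with escaped bytes; which of these conditions actually explains the stale browse list is not something the parser decides.

```python
import re
import string

# Matches the nmbd synclists message quoted in the post; the trailing
# ": N Time(s)" suffix is a log-summariser count and is optional.
SYNC_RE = re.compile(
    r"complete_sync\(\d+\) sync with (?P<peer>[^(]+)\((?P<addr>[\d.]+)\) "
    r"for workgroup (?P<workgroup>\S+) completed \((?P<records>\d+) records\)"
    r"(?: : (?P<times>\d+) Time\(s\))?"
)

PRINTABLE = set(string.printable)

# Constructed sample: lines 1-4 are from the post, line 5 is a constructed
# line with a few escaped non-printable bytes standing in for the garbage.
SAMPLE_LOG = (
    "nmbd/nmbd_synclists.c:complete_sync(284) sync with DELETEME(0.0.0.0) for workgroup TEMP completed (0 records) : 15 Time(s)\n"
    "nmbd/nmbd_synclists.c:complete_sync(284) sync with HARRIS(0.0.0.0) for workgroup SERVERS completed (3 records) : 18 Time(s)\n"
    "nmbd/nmbd_synclists.c:complete_sync(284) sync with HARRIS(0.0.0.0) for workgroup SERVERS completed (4 records) : 3 Time(s)\n"
    "nmbd/nmbd_synclists.c:complete_sync(284) sync with JAZZ(0.0.0.0) for workgroup HARMONY completed (0 records) : 26 Time(s)\n"
    "nmbd/nmbd_synclists.c:complete_sync(284) sync with JAZZ(0.0.0.0) for workgroup HARMONY completed (0 records)\x8b Qj\x9cG \xed\xddks\xdb\xc8v\n"
)


def looks_corrupt(line):
    """True when the line contains characters outside printable ASCII."""
    return any(ch not in PRINTABLE for ch in line)


def parse_sync_line(line):
    """Return the fields of one complete_sync line, or None if it is not one."""
    m = SYNC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["records"] = int(rec["records"])
    rec["times"] = int(rec["times"]) if rec["times"] else 1
    return rec


def summarize(log_text):
    """Tally sync activity per workgroup and count the two suspicious conditions."""
    summary = {
        "workgroups": {},          # workgroup -> set of peer names seen
        "zero_record_syncs": 0,    # syncs that returned nothing (weighted by Time(s))
        "unspecified_peer": 0,     # syncs against a 0.0.0.0 address (weighted)
        "corrupt_lines": 0,        # lines carrying non-printable bytes
    }
    for line in log_text.splitlines():
        if looks_corrupt(line):
            summary["corrupt_lines"] += 1
        rec = parse_sync_line(line)
        if rec is None:
            continue
        summary["workgroups"].setdefault(rec["workgroup"], set()).add(rec["peer"])
        if rec["records"] == 0:
            summary["zero_record_syncs"] += rec["times"]
        if rec["addr"] == "0.0.0.0":
            summary["unspecified_peer"] += rec["times"]
    return summary


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Run it against a real nmbd log by reading the file and passing its contents to summarize(); a non-zero corrupt_lines count on only one host is the cue to compare that host's log rotation and locale settings against the quiet ones.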
Re: [Samba] Problems running samba in vmware
I had a similar problem using a machine running 3 VMs on a Linux host (Debian). I don't know what was actually wrong, but switching to a non-onboard NIC helped considerably. My working theory was that the combination of a crappy onboard chipset + promiscuous operation + VMWare Magic was causing it to drop packets, or generate too many interrupts, or something. As is always the case, I didn't have enough time to properly debug it, just fix it.

Another theory I had, totally unsubstantiated but possible, was samba network interaction with the VMWare clock skewing problem under Linux 2.6.

I'd try putting a high-quality NIC on the machine and see what happens. Another thing you might try is loading up the VMWare drive in VirtualBox and setting it up that way. VirtualBox uses Linux bridging instead of VMWare Magic, and I've seen it fix some things that VMWare didn't handle nicely.

Wes

On 03/06/2008 04:56 PM, Adam Zimmer wrote:
> I have now removed those socket options. I am running Linux 2.6.22. However, the delays persist. Any other ideas?
>
> I thought it might be name resolution so I tried:
>
>   name resolve order = wins host bcast
>
> But this hasn't helped either.
>
> Adam Zimmer
> President
> Arius Software Corporation
> (519) 885-9045 x122
>
> Charles Marcus wrote:
>> On 3/6/2008, Adam Zimmer ([EMAIL PROTECTED]) wrote:
>>> I have tried various socket options including SO_RCVBUF=8192, SO_SNDBUF=8192, IPTOS_LOWDELAY, TCP_NODELAY, SO_KEEPALIVE. At the moment I have set SO_RCVBUF and SO_SNDBUF to be equal to 1400 as I noticed the MTU of the network card was 1500 which seems to cut down on the broken pipes.
>>
>> I'm not saying this is causing your problem, but you shouldn't be setting these at all, as long as you have a modern kernel (2.6 series)... These haven't been needed for a long time.