[Samba] Permission issue - unix permissions ignored
Hi,

I have a share dev. This share should be readable by all domain users. Beneath this share, there is a folder source which should only be accessible by developers. This folder has unix permissions set to 770 (recursive), owner is user build and group is develop.

Share setup is:

    [dev]
    comment = Dev
    path = /export/dev
    valid users = @MYDOMAIN\domain-users
    force group = @MYDOMAIN\develop
    browseable = yes
    read only = no
    create mask = 0664
    directory mask = 0775
    access based share enum = yes

security in smb.conf is set to security = ads.

If I connect to this share with a user that is a member of domain-users and NOT of develop, I can read all files - also all files beneath source. Trying the same on a unix console with the user gives a Permission denied as expected.

Why does samba ignore the unix file permissions on folder source? What setting could be wrong?

Cheers,
Daniel

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Permission issue - unix permissions ignored
I figured out that force group works a little bit differently than expected. Adding a + before the group did the job:

    force group = +@MYDOMAIN\develop

Sorry for wasting your time.

Daniel

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Zabel, Daniel
Sent: Tuesday, 25 October 2011 11:44
To: samba@lists.samba.org
Subject: [Samba] Permission issue - unix permissions ignored

> Hi,
>
> I have a share dev. This share should be readable by all domain users. Beneath this share, there is a folder source which should only be accessible by developers. This folder has unix permissions set to 770 (recursive), owner is user build and group is develop.
>
> Share setup is:
>
>     [dev]
>     comment = Dev
>     path = /export/dev
>     valid users = @MYDOMAIN\domain-users
>     force group = @MYDOMAIN\develop
>     browseable = yes
>     read only = no
>     create mask = 0664
>     directory mask = 0775
>     access based share enum = yes
>
> security in smb.conf is set to security = ads.
>
> If I connect to this share with a user that is a member of domain-users and NOT of develop, I can read all files - also all files beneath source. Trying the same on a unix console with the user gives a Permission denied as expected.
>
> Why does samba ignore the unix file permissions on folder source? What setting could be wrong?
>
> Cheers,
> Daniel
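To make the behaviour Daniel ran into concrete, here is an added Python model (not code from the thread or from Samba) of how `force group` with and without the leading `+` changes the group set that the Unix 770 mode is checked against, following the rule documented in smb.conf(5); the user and group names and the file layout are constructed from the thread.

```python
"""Model of smb.conf `force group` vs. Unix mode bits (added illustration,
not Samba code). Per smb.conf(5): `force group = G` gives every connecting
user G as primary group; `force group = +G` does so only for users already
in G. Share layout and names are constructed from the thread above."""
import stat
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]  # groups the account really belongs to

@dataclass(frozen=True)
class FileEntry:
    owner: str
    group: str
    mode: int  # Unix permission bits, e.g. 0o770

def effective_groups(user: User, force_group: Optional[str]) -> FrozenSet[str]:
    """Groups Samba checks file permissions against on this share."""
    if not force_group:
        return user.groups
    only_members = force_group.startswith("+")
    name = force_group.lstrip("+").lstrip("@")  # '@' only marks a group name
    if only_members:
        # '+': members keep G as primary group; non-members gain nothing.
        return user.groups
    # Without '+': every valid user of the share is put into G, member or
    # not. That is what let plain domain-users read the 770 folder.
    return user.groups | {name}

def can_read(entry: FileEntry, user: User, force_group: Optional[str] = None) -> bool:
    """Owner/group/other read check using the effective group set."""
    groups = effective_groups(user, force_group)
    if user.name == entry.owner:
        return bool(entry.mode & stat.S_IRUSR)
    if entry.group in groups:
        return bool(entry.mode & stat.S_IRGRP)
    return bool(entry.mode & stat.S_IROTH)

# Constructed sample data mirroring the thread: source/ is 770 build:develop.
SOURCE = FileEntry(owner="build", group="MYDOMAIN\\develop", mode=0o770)
OUTSIDER = User("alice", frozenset({"MYDOMAIN\\domain-users"}))
DEVELOPER = User("bob", frozenset({"MYDOMAIN\\domain-users", "MYDOMAIN\\develop"}))

def demo() -> dict:
    """Read access to source/ for each share setting."""
    return {
        "unix_console": can_read(SOURCE, OUTSIDER),                            # False
        "force_group": can_read(SOURCE, OUTSIDER, "@MYDOMAIN\\develop"),        # True
        "force_group_plus": can_read(SOURCE, OUTSIDER, "+@MYDOMAIN\\develop"),  # False
        "developer_plus": can_read(SOURCE, DEVELOPER, "+@MYDOMAIN\\develop"),   # True
    }
```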
[Samba] access based share enum
Hi,

I use Samba 3.6.1 from Sernet on Centos 6. In my smb.conf I have configured:

    access based share enum = yes

I also have a share where valid users = @MYDOMAIN\download is configured. When a user (not a member of MYDOMAIN\download) does a net view \\servername or is browsing the shares by MS Explorer, this share is still visible.

What else must be done to hide the share for users that have no access?

Cheers,
Daniel
Re: [Samba] show only existing userhomes
A few weeks ago I asked the following question, but it was not answered. This is my setup for userhomes:

    [homes]
    comment = Home Directory
    hosts deny = 192.168.128.0/255.255.255.0
    valid users = %S
    read only = No
    browseable = No
    create mask = 0600
    directory mask = 0700
    hide unreadable = yes
    access based share enum = yes

I want to show the home folder only if it exists in the filesystem. Is there a possibility to do so?

Cheers,
Daniel

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Zabel, Daniel
Sent: Wednesday, 5 October 2011 11:53
To: samba@lists.samba.org
Subject: [Samba] show only existing userhomes

> Hi,
>
> Is it possible to show only userhomes that really exist in the filesystem? Only a few userhomes exist on our samba fileserver, but at this moment for every user that connects to this server a userhome is shown, but mostly it doesn't exist - so it couldn't be opened. I've tried to configure it by using hide unreadable = yes on our homeshare but this didn't help.
>
> Any idea? We use Samba 3.6.0.
>
> Cheers,
> Daniel
Re: [Samba] template options ignored
> How do you configure winbind nss info parameter?

    winbind nss info = rfc2307 template

Other winbind settings:

    winbind normalize names = yes
    winbind use default domain = yes
    winbind offline logon = yes
    winbind cache time = 180
    winbind enum users = no
    winbind enum groups = no
    winbind nested groups = yes
    winbind trusted domains only = no
    auth methods = winbind

idmap settings:

    idmap config MYDOMAIN:default = yes
    idmap config MYDOMAIN:schema_mode = rfc2307
    idmap config MYDOMAIN:backend = ad
    idmap config MYDOMAIN:range = 1-50

> And have you tried against newly created AD user when you examine shell and homedir for the user?

Both systems are test installations, that's why I have deleted the winbind cache after each test (/var/lib/samba/*). Should be the same as trying a newly created AD user, right?

---
Daniel Zabel
[Samba] template options ignored
Hi,

I have installed samba 3.5.11 on centos 5 and samba 3.6.0 on centos 6. Both systems are connected to a Microsoft Domain. AD users can be resolved, and getent passwd username or wbinfo -i username works.

Now I have set up some template options in my smb.conf:

    template shell = /sbin/nologin
    template homedir = /home/%U

These options seem to be completely ignored. getent passwd username and wbinfo -i username return the configured values from AD.

Are there other options that affect this behavior? Did I understand the options wrong?

--
Daniel
[Samba] show only existing userhomes
Hi,

Is it possible to show only userhomes that really exist in the filesystem? Only a few userhomes exist on our samba fileserver, but at this moment for every user that connects to this server a userhome is shown, but mostly it doesn't exist - so it couldn't be opened. I've tried to configure it by using hide unreadable = yes on our homeshare but this didn't help.

Any idea? We use Samba 3.6.0.

Cheers,
Daniel
[Samba] No Access after enabling SMB2
Hello,

I have a Samba Server running on CentOS 5.6 with samba package 3.5.8 from SerNet. Shares can be accessed until I enable max protocol = smb2; after that no access is possible. In the samba logfiles such an access is logged with:

    Failed to parse NTLMSSP packet, could not extract NTLMSSP command

followed by a dump_data.

Any ideas?

Cheers,
Daniel
Re: [Samba] How can I confirm that idmap_ad is being used?
Hi Kai,

Have a look at: log.winbindd-idmap

Also have a look at: https://bugzilla.samba.org/show_bug.cgi?id=6322

Not totally sure, but I think you have to configure it separately for each domain for which you want to use it, using disjoint ranges.

Cheers,
Daniel

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Kai Lanz
Sent: Tuesday, 17 May 2011 02:56
To: samba@lists.samba.org
Subject: [Samba] How can I confirm that idmap_ad is being used?

> How can I confirm that idmap_ad is being called?
>
> I've configured Samba with --with-shared-modules=idmap_ad, built and installed it; the file ad.so is now present in /usr/local/samba/lib/idmap/ as expected. I then added the following to smb.conf:
>
>     idmap backend = tdb
>     idmap uid = 65536 - 99
>     idmap gid = 65536 - 99
>     idmap config SU : backend = ad
>     idmap config SU : schema_mode = rfc2307
>     idmap config SU : range = 1 - 65535
>     idmap config WIN : backend = ad
>     idmap config WIN : schema_mode = rfc2307
>     idmap config WIN : range = 1 - 65535
>
> Now I fire up winbindd with debug-level = 10, and issue some queries via wbinfo. Some requests work as expected, some fail, but when I look in log.winbindd I never see any reference to idmap.c or idmap_ad.c. I'd like to confirm that this module is being used.
>
> I went so far as to deliberately break the smb.conf by specifying idmap config SU range = 1 - which I expected to produce an error from idmap_ad_initialize(), invalid filter range. But that message is never logged; instead I see only errors from winbindd_util.c, add_trusted_domain():
>
>     [2011/05/16 16:57:11.442318, 1] winbindd/winbindd_util.c:204(add_trusted_domain)
>       invalid range syntax in idmap config SU: 1 -
>
> Have I missed out on some crucial bit of configuration that's required to enable idmap_ad?
>
> --
> Kai Lanz
> Stanford University
> School of Earth Sciences
Re: [Samba] How can I confirm that idmap_ad is being used?
Hi Kai,

> I've looked at that file; it's empty. (Not a single entry.) I run my tests with winbindd -n -d 10 -D.

Try to add to your smb.conf:

    log level = 3 idmap:10 winbind:10

to force idmap logging to debug level 10 as well.

> Note the disjoint ranges for each domain. I still get the same failures with wbinfo S, U, G, and Y. It seems I'm still missing something, since our wbinfo doesn't resolve everything correctly. Is nsswitch.conf important, perhaps? It doesn't seem to make any difference whether I add winbind to the passwd and group lines or not. Is that expected?

Did net ads testjoin and net ads info work?

nsswitch.conf is important! Should look like this:

    passwd: files winbind
    group:  files winbind

These winbind relevant settings I have also in my config:

    winbind nss info = rfc2307 template
    winbind normalize names = yes
    winbind use default domain = yes
    winbind offline logon = yes
    winbind cache time = 180
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    winbind trusted domains only = no

Cheers,
Daniel

> Hi Daniel,
>
> On May 17, 2011, at 5:50 AM, Zabel, Daniel wrote:
>
>> Have a look at: log.winbindd-idmap
>
> I've looked at that file; it's empty. (Not a single entry.) I run my tests with winbindd -n -d 10 -D.
>
>> Also have a look at: https://bugzilla.samba.org/show_bug.cgi?id=6322
>
> Now, this is interesting! The problem Edgar Holleis describes sounds exactly like the one I am facing. See my post to the Samba mailing list, "Winbindd can't convert between SIDs and uid/gid". Edgar said:
>
>     Winbind correctly resolves: User-Name->SID (wbinfo -n), Group-Name->SID (wbinfo -s)
>     What doesn't work: SID->UID (wbinfo -S), UID->SID (wbinfo -U), SID->GID (wbinfo -Y), GID->SID (wbinfo -G)
>
> (Except, wbinfo -s is SID->User-name, the reverse of wbinfo -n, not Group-Name->SID as Edgar wrote...)
>
> That's the same pattern of success and failure I get in my wbinfo tests. So, how does one go from Edgar's bug report, with 4 failing wbinfo queries, to your comment, "wbinfo resolves everything correctly"?
>
> I'm running samba-3.5.8 on OpenSolaris. Following Michael Adam's example, I tried the following in my smb.conf:
>
>     idmap backend = tdb
>     idmap uid = 5 - 9
>     idmap gid = 5 - 9
>     idmap config SU : backend = ad
>     idmap config SU : schema_mode = rfc2307
>     idmap config SU : range = 1 - 2
>     idmap config WIN : backend = ad
>     idmap config WIN : schema_mode = rfc2307
>     idmap config WIN : range = 3 - 4
>
> Note the disjoint ranges for each domain. I still get the same failures with wbinfo S, U, G, and Y. It seems I'm still missing something, since our wbinfo doesn't resolve everything correctly. Is nsswitch.conf important, perhaps? It doesn't seem to make any difference whether I add winbind to the passwd and group lines or not. Is that expected?
>
> --
> Kai Lanz
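Daniel's advice to give each domain its own disjoint range, and Kai's deliberately broken `range = 1 -`, can both be checked mechanically before winbindd is restarted. The following Python script is an added example (not from the thread or from Samba) that parses the idmap range lines of an smb.conf and reports malformed or overlapping ranges; the configuration text in it is constructed.

```python
"""Check smb.conf idmap ranges (added example, not Samba code): parse
`idmap config DOMAIN : range = LOW - HIGH` plus legacy `idmap uid/gid`,
report malformed ranges such as the deliberately broken "1 -" from the
thread, and flag ranges that are not disjoint. Config text is constructed."""
import re
from typing import Dict, List, Optional, Tuple

RANGE_RE = re.compile(r"^\s*idmap\s+config\s+(?P<dom>[^:=]+?)\s*:\s*range\s*=\s*(?P<val>.*)$", re.I)
LEGACY_RE = re.compile(r"^\s*idmap\s+(uid|gid)\s*=\s*(?P<val>.*)$", re.I)

def parse_range(value: str) -> Optional[Tuple[int, int]]:
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)  # 'LOW - HIGH', spaces optional
    if m and int(m.group(1)) <= int(m.group(2)):
        return int(m.group(1)), int(m.group(2))
    return None  # missing bound, non-numeric text, or LOW > HIGH

def collect_ranges(conf: str) -> Tuple[Dict[str, Tuple[int, int]], List[str]]:
    ranges, problems = {}, []  # domain name -> (low, high); legacy uid/gid -> '*'
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            name = m.group("dom").strip().upper()
        else:
            m = LEGACY_RE.match(line)
            if not m:
                continue
            name = "*"
        rng = parse_range(m.group("val"))
        if rng is None:
            problems.append(f"invalid range syntax for {name}: {m.group('val').strip()!r}")
            continue
        ranges[name] = rng
    return ranges, problems

def check_idmap(conf: str) -> List[str]:
    """Empty list means every range is well formed and pairwise disjoint."""
    ranges, problems = collect_ranges(conf)
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (la, ha), (lb, hb) = ranges[a], ranges[b]
            if la <= hb and lb <= ha:  # closed intervals intersect
                problems.append(f"ranges overlap: {a} {la}-{ha} and {b} {lb}-{hb}")
    return problems

# Constructed: two AD domains sharing one range, plus a broken range line.
BAD_CONF = """
idmap uid = 5000 - 9999
idmap config SU : range = 10000 - 65535
idmap config WIN : range = 10000 - 65535
idmap config SU : range = 1 -
"""
# Constructed: the same two domains with disjoint ranges, as advised above.
GOOD_CONF = BAD_CONF.replace("WIN : range = 10000 - 65535", "WIN : range = 70000 - 99999")
GOOD_CONF = GOOD_CONF.replace("idmap config SU : range = 1 -\n", "")
```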
Re: [Samba] getent passwd strange behavior
Can anybody give me a hint where get_dc_list fetches the entries? Because

    [2011/04/11 12:24:13.560317, 3, effective(0, 0), real(0, 0)] libsmb/namequery.c:1880(get_dc_list)
      get_dc_list: preferred server list: , *

seems to be wrong.

Cheers,
Daniel
[Samba] getent passwd strange behavior
Hi,

I have a problem with the combo of CentOS 5.5, the latest Samba Packages from Sernet and our Active Directory.

Samba Packages installed:

    samba3-cifsmount-3.5.8-43.el5
    samba3-client-3.5.8-43.el5
    samba3-3.5.8-43.el5
    samba3-utils-3.5.8-43.el5
    samba3-winbind-32bit-3.5.8-43.el5
    samba3-winbind-3.5.8-43.el5

When I try to get all users or groups via getent command, only local users/groups are displayed. If I try to fetch information for an individual user or group by getent everything is working as expected.

getent passwd cvadmin shows:

    cvadmin:*:5582:499:cvadmin:/home/cvadmin:/bin/sh

but getent passwd only shows local users.

nsswitch.conf is configured, domain join was successful and my smb.conf looks like this:

    [global]
    workgroup = MYDOMAIN
    password server = ldap.mydomain.com
    realm = MYDOMAIN.COM
    security = ads
    #idmap
    idmap domains = BUILTIN, MYDOMAIN
    idmap config MYDOMAIN:default = yes
    idmap config MYDOMAIN:schema_mode = rfc2307
    idmap config MYDOMAIN:backend = ad
    idmap config MYDOMAIN:range = 100-50
    idmap alloc backend = tdb
    idmap config BUILTIN:backend = tdb
    idmap alloc backend = tdb
    idmap uid = 100-50
    idmap gid = 100-50
    winbind nss info = rfc2307
    winbind normalize names = yes
    winbind use default domain = true
    winbind offline logon = false
    winbind cache time = 180
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = Yes
    server string = %h
    auth methods = winbind
    allow trusted domains = No

We have 2 other Samba Servers using an older Version of Samba with different configurations (old idmap schema) which both work properly.

Any suggestion how we could solve the problem?

Cheers,
Daniel
Re: [Samba] getent passwd strange behavior
Hi Noé,

thank you for your quick reply. cvadmin is a domain user. Interesting that you have no problems using the old schema. If I try in /etc/samba/smb.conf

    [global]
    workgroup = MYDOMAIN
    password server = ldap.mydomain.com
    realm = MYDOMAIN.COM
    security = ads
    idmap uid = 100-50
    idmap gid = 100-50
    idmap backend = ad
    winbind nss info = rfc2307
    winbind normalize names = yes
    winbind use default domain = true
    winbind offline logon = false
    winbind cache time = 180
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = Yes

no domain user can be resolved anymore. The same config works on our other samba servers.

/var/log/samba/log.winbind-idmap shows:

    [2011/04/11 12:24:13.560317, 3, effective(0, 0), real(0, 0)] libsmb/namequery.c:1880(get_dc_list)
      get_dc_list: preferred server list: , *
    [2011/04/11 12:24:13.560365, 3, effective(0, 0), real(0, 0)] libsmb/namequery.c:1119(resolve_lmhosts)
      resolve_lmhosts: Attempting lmhosts lookup for name *<0x1c>
    [2011/04/11 12:24:13.560467, 3, effective(0, 0), real(0, 0)] libsmb/namequery_dc.c:169(rpc_dc_name)
      Could not look up dc's for domain *
    [2011/04/11 12:24:13.560487, 0, effective(0, 0), real(0, 0)] libads/ldap.c:337(ads_find_dc)
      ads_find_dc: no realm or workgroup! Don't know what to do
    [2011/04/11 12:24:13.560505, 1, effective(0, 0), real(0, 0)] winbindd/idmap_ad.c:143(ad_idmap_cached_connection_internal)
      ad_idmap_init: failed to connect to AD
    [2011/04/11 12:24:13.560518, 1, effective(0, 0), real(0, 0)] winbindd/idmap_ad.c:543(idmap_ad_sids_to_unixids)
      ADS uninitialized: Invalid parameter
    [2011/04/11 12:24:13.560564, 3, effective(0, 0), real(0, 0)] winbindd/idmap.c:684(idmap_new_mapping)
      default domain not writable

Cheers,
Daniel

From: Noé Puyal [mailto:npu...@valls.cat]
Sent: Monday, 11 April 2011 10:41
To: Zabel, Daniel
Subject: Re: [Samba] getent passwd strange behavior

> Hi Daniel
>
> First of all, one question: is cvadmin a domain user or a local user? If cvadmin is a local user you should raise the 100 to a number after the last UID and GID.
>
> Also, as you said, I have all my samba servers with old idmap schema working properly.
>
> Good morning
>
> On Mon, 11-04-2011 at 09:38 +0200, Zabel, Daniel wrote:
>>     idmap uid = 100-50
>>     idmap gid = 100-50