[Samba] Windows API SetFileTime sets mtime and atime as the same

2006-09-05 Thread Hui Wang

Hello Everyone,

I think I found something not very right in "smbd/dosmode.c". When I use
SetFileTime to adjust mtime and atime for files, the result is always that
mtime and atime are updated to the same value.

After some investigation, I found the issue is caused by the
smbd/dosmode.c:set_filetime function; the related code is below:

   struct utimbuf times;

   if (null_mtime(mtime))
       return(True);

!! times.modtime = times.actime = mtime;

   if (file_utime(conn, fname, &times)) {
       DEBUG(4,("set_filetime(%s) failed: %s\n",fname,strerror(errno)));
       return False;
   }

   return(True);

The line marked with !! shows that smbd will always set modtime and actime
to the same value before calling utime to update the file; this is even true
with the 3.0.23c source. I guess I should not be the first person who ran into this.
I wish somebody could tell me how to make SetFileTime work with Samba, or
any workaround to set atime separately is also welcome.

Nelson
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
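
The behaviour described in the post above, as an added example that is not part of the original message or of Samba's source: the first function repeats the assignment from the line marked !!, and the second, a hypothetical alternative, takes atime and mtime separately and leaves a field untouched when passed (time_t)-1. Function names, the temporary file path and the timestamps are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>
#include <utime.h>

/* Constructed sample timestamps: access time one hour after modify time. */
#define SAMPLE_MTIME ((time_t)1157414400)
#define SAMPLE_ATIME (SAMPLE_MTIME + 3600)

/* Same assignment pattern as the line marked !! in the post:
 * one value is written to both fields, so any distinct atime is lost. */
int set_filetime_single(const char *path, time_t mtime)
{
    struct utimbuf times;

    times.modtime = times.actime = mtime;
    return utime(path, &times);
}

/* Hypothetical alternative (not Samba code): each timestamp is passed
 * separately; (time_t)-1 means "keep the value currently on the file". */
int set_filetime_split(const char *path, time_t atime, time_t mtime)
{
    struct stat st;
    struct utimbuf times;

    if (stat(path, &st) != 0)
        return -1;
    times.actime = (atime == (time_t)-1) ? st.st_atime : atime;
    times.modtime = (mtime == (time_t)-1) ? st.st_mtime : mtime;
    return utime(path, &times);
}

/* Create an empty scratch file; returns 0 on success. */
static int make_scratch(char *template_path)
{
    int fd = mkstemp(template_path);

    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Apply one strategy to a scratch file and return atime - mtime in
 * seconds as read back with stat(), or -1 on failure. */
long atime_mtime_gap(int use_split)
{
    char path[] = "/tmp/filetime_demo_XXXXXX";
    struct stat st;
    long gap = -1;
    int rc;

    if (make_scratch(path) != 0)
        return -1;
    rc = use_split ? set_filetime_split(path, SAMPLE_ATIME, SAMPLE_MTIME)
                   : set_filetime_single(path, SAMPLE_MTIME);
    if (rc == 0 && stat(path, &st) == 0)
        gap = (long)(st.st_atime - st.st_mtime);
    unlink(path);
    return gap;
}

/* Returns 1 if an mtime-only update through the split variant leaves
 * the previously set atime in place, 0 if not, -1 on failure. */
int atime_kept_when_only_mtime_changes(void)
{
    char path[] = "/tmp/filetime_demo_XXXXXX";
    struct stat st;
    int kept = -1;

    if (make_scratch(path) != 0)
        return -1;
    if (set_filetime_split(path, SAMPLE_ATIME, SAMPLE_MTIME) == 0 &&
        set_filetime_split(path, (time_t)-1, SAMPLE_MTIME + 60) == 0 &&
        stat(path, &st) == 0)
        kept = (st.st_atime == SAMPLE_ATIME &&
                st.st_mtime == SAMPLE_MTIME + 60);
    unlink(path);
    return kept;
}

int main(void)
{
    printf("single assignment: atime - mtime = %ld s\n", atime_mtime_gap(0));
    printf("split assignment:  atime - mtime = %ld s\n", atime_mtime_gap(1));
    printf("atime kept on mtime-only update: %d\n",
           atime_kept_when_only_mtime_changes());
    return 0;
}
```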


Re: [Samba] Failed to setup guest info

2006-09-05 Thread Dean Crawford
Reading some of the other threads I've also pulled this further 
information in a hope someone can point me in the right direction to get 
this working.


Extract from pdbedit -Lv nobody

Opening cache file at /var/cache/samba/login_cache.tdb
Looking up login cache for user nobody
No cache entry found
No cache entry, bad count = 0, bad time = 0
Unix username:nobody
NT username:  nobody
Account Flags:[NDU]
User SID: S-1-5-21-3036719436-1097781103-347993853-2998
smbldap_search_ext: base => [ou=Group,dc=CRAWFORD_HOUSE,dc=NET], filter 
=> [(&(objectClass=sambaGroupMapping)(gidNumber=65534))], scope => [2]

Primary Group SID:S-1-5-21-3036719436-1097781103-347993853-513
Full Name:nobody
Home Directory:   \\PDC-SRV\nobody
HomeDir Drive:H:
Logon Script:
Profile Path: \\PDC-SRV\profiles\nobody
Domain:   CRAWFORD_HOUSE

/var/log/samba/log.smbd with  log level = 9
[2006/09/05 22:24:13, 6] passdb/pdb_interface.c:pdb_getsampwsid(320)
pdb_getsampwsid: Building guest account
[2006/09/05 22:24:13, 5] lib/smbldap.c:smbldap_search_ext(1179)
smbldap_search_ext: base => [ou=Group,dc=CRAWFORD_HOUSE,dc=NET], filter 
=> [(&(objectClass=sambaGroupMapping)(gidNumber=65534))], scope => [2]

[2006/09/05 22:24:13, 3] passdb/lookup_sid.c:store_gid_sid_cache(1038)
store_gid_sid_cache: gid 65534 in cache -> S-1-22-2-65534
[2006/09/05 22:24:13, 3] passdb/lookup_sid.c:fetch_gid_from_cache(999)
fetch gid from cache 65534 -> S-1-22-2-65534
[2006/09/05 22:24:13, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/09/05 22:24:13, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2006/09/05 22:24:13, 3] smbd/uid.c:push_conn_ctx(345)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2006/09/05 22:24:13, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/09/05 22:24:13, 5] auth/auth_util.c:debug_nt_user_token(449)
NT user token: (NULL)
[2006/09/05 22:24:13, 5] auth/auth_util.c:debug_unix_user_token(475)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2006/09/05 22:24:13, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/09/05 22:24:13, 3] passdb/lookup_sid.c:fetch_sid_from_gid_cache(979)
fetch sid from gid cache 65534 -> S-1-22-2-65534
[2006/09/05 22:24:13, 5] auth/auth_util.c:make_server_info_sam(603)
make_server_info_sam: made server info for user nobody -> nobody
[2006/09/05 22:24:13, 5] lib/smbldap.c:smbldap_search_ext(1179)
smbldap_search_ext: base => [ou=Group,dc=CRAWFORD_HOUSE,dc=NET], filter 
=> [(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544))], scope => 
[2]

[2006/09/05 22:24:13, 5] lib/smbldap.c:smbldap_search_ext(1179)
smbldap_search_ext: base => [ou=Group,dc=CRAWFORD_HOUSE,dc=NET], filter 
=> [(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-545))], scope => 
[2]

[2006/09/05 22:24:13, 5] lib/smbldap.c:smbldap_search_ext(1179)
 smbldap_search_ext: base => [ou=Group,dc=CRAWFORD_HOUSE,dc=NET], 
filter => 
[(&(|(objectclass=sambaGroupMapping)(sambaGroupType=4))(|(sambaSIDList=S-1-5-21-3036719436-1097781103-347993853-501)(sambaSIDList=S-1-22-2-65534)(sambaSIDList=S-1-1-0)(sambaSIDList=S-1-5-2)(sambaSIDList=S-1-5-32-546)))], 
scope => [2]

[2006/09/05 22:24:13, 0] smbd/server.c:main(960)
ERROR: failed to setup guest info.

Thanks

Dean Crawford



Dean Crawford wrote:
I've been trying for the past week to get Samba and LDAP to work 
together as a PDC on my Gentoo box and allow some XP boxes to get in.


I've read and followed the how-to's (emerged and unmerged more than a 
few times)


My LDAP accounts all seem to work when I do the ssh test into them.

Changing the domain in XP fails with the "network path not found 
error" even after all the registry tweaks. While trying to work through 
this issue I discovered that smbd is not starting correctly.


Code:
thebird # tail /var/log/samba/log.smbd
[2006/08/24 20:28:01, 3] smbd/uid.c:push_conn_ctx(345)
 push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2006/08/24 20:28:01, 3] smbd/sec_ctx.c:set_sec_ctx(241)
 setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/08/24 20:28:01, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
 pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/08/24 20:28:01, 3] 
passdb/lookup_sid.c:fetch_sid_from_gid_cache(979)

 fetch sid from gid cache 65534 -> S-1-22-2-65534
[2006/08/24 20:28:01, 0] smbd/server.c:main(960)
 ERROR: failed to setup guest info.


I'm thinking that the failed to setup guest info needs to be the first 
thing fixed. I thought I had disabled guest accounts in my smb.conf so 
don't understand why it fails.


I have samba-3.0.23a installed. Here is my smb.conf. I don't have 
networked printers so I commented out all the printer calls.


Code:
#=== Global Settings 
=

[global]

# 1. Server Naming Options:
  workgroup = CRAWFORD_HOUSE
  netbios name = TheBird
  se

Re: [Fwd: Re: [Samba] No access to mandatory profiles]

2006-09-05 Thread Martin Hochreiter





Martin Hochreiter wrote:

Hi!

I have the problem that I can't log in with all users (that have 
mandatory profiles) except that one who is owner of the directory.


Check the "map readonly" setting.  Windows will not
load a registry hive if it sees the DOS ReadOnly
attribute set.




cheers, jerry

Hi jerry!

The map readonly setting does not affect anything ...
It only works if I set "ignore user settings" on the windows machines 
(group rights editor)...


lg





[Samba] authenticating using winbindd against NT4 domain fails

2006-09-05 Thread Doug Sampson
Since version 3.0.23b, I have been having trouble getting Windows & OSX
users to access an NT domain member server running FreeBSD 5.4. It is now at
3.0.23c (installed this morning the 5th).

[EMAIL PROTECTED]:/usr/local/lib# net rpc user
Password:
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_NO_LOGON_SERVERS

[EMAIL PROTECTED]:/usr/local/lib# net rpc user
Password:
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_NO_LOGON_SERVERS

[EMAIL PROTECTED]:/usr/local/lib# net rpc testjoin -U root
Join to 'DSP' is OK

[EMAIL PROTECTED]:/usr/local/lib# net rpc info
Password:
Domain Name: DSP
Domain SID: S-1-5-21-2008768363-1786319642-1659389152
Sequence number: 16744
Num users: 116
Num domain groups: 16
Num local groups: 1

[EMAIL PROTECTED]:/usr/local/lib# net rpc testjoin
Join to 'DSP' is OK

[EMAIL PROTECTED]:/usr/local/lib# wbinfo -u   >>> works OK
[EMAIL PROTECTED]:/usr/local/lib# wbinfo -g   >>> works OK


[EMAIL PROTECTED]:/usr/local/lib# tail -n 25 /var/log/samba/log.wb-DSP
  cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \lsarpc failed with error
NT_STATUS_BUFFER_TOO_SMALL
[2006/09/05 20:07:07, 0] nsswitch/winbindd_dual.c:child_read_request(49)
  Got invalid request length: 0
[2006/09/05 20:08:22, 0]
rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2265)
  cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \lsarpc failed with error
NT_STATUS_BUFFER_TOO_SMALL
[2006/09/05 20:23:42, 0] nsswitch/winbindd_dual.c:child_read_request(49)
  Got invalid request length: 0
[2006/09/05 20:25:00, 0]
rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2265)
  cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \lsarpc failed with error
NT_STATUS_BUFFER_TOO_SMALL
[2006/09/05 21:00:06, 0] nsswitch/winbindd_dual.c:child_read_request(49)
  Got invalid request length: 0
[2006/09/05 21:00:06, 0]
rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2265)
  cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \lsarpc failed with error
NT_STATUS_BUFFER_TOO_SMALL
[2006/09/05 21:00:06, 0] lib/util_sock.c:write_data(564)
  write_data: write failure. Error = Broken pipe
[2006/09/05 21:00:06, 0] nsswitch/winbindd_dual.c:fork_domain_child(825)
  Could not write result
[2006/09/05 21:00:06, 0]
rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2265)
  cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \lsarpc failed with error
NT_STATUS_BUFFER_TOO_SMALL
[2006/09/05 21:00:06, 0] lib/util_sock.c:write_data(564)
  write_data: write failure. Error = Broken pipe
[2006/09/05 21:00:06, 0] nsswitch/winbindd_dual.c:fork_domain_child(825)
  Could not write result
[2006/09/05 21:00:06, 0]
rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2265)
  cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \lsarpc failed with error
NT_STATUS_BUFFER_TOO_SMALL

[EMAIL PROTECTED]:/usr/local/lib# tail -n 25 /var/log/messages
Sep  5 20:25:00 aries winbindd[640]: [2006/09/05 20:25:00, 0]
rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2265)
Sep  5 20:25:00 aries winbindd[640]:   cli_rpc_pipe_open_noauth:
rpc_pipe_bind for pipe \lsarpc failed with error NT_STATUS_BUFFER_TOO_SMALL
Sep  5 20:25:11 aries apcupsd[557]: apcupsd 3.12.3 (26 April 2006) freebsd
startup succeeded
Sep  5 21:00:06 aries nmbd[627]: [2006/09/05 21:00:06, 0]
nmbd/nmbd.c:terminate(58)
Sep  5 21:00:06 aries nmbd[627]:   Got SIGTERM: going down...
Sep  5 21:00:06 aries winbindd[640]: [2006/09/05 21:00:06, 0]
nsswitch/winbindd_dual.c:child_read_request(49)
Sep  5 21:00:06 aries winbindd[640]:   Got invalid request length: 0
Sep  5 21:00:06 aries winbindd[862]: [2006/09/05 21:00:06, 0]
rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2265)
Sep  5 21:00:06 aries winbindd[862]:   cli_rpc_pipe_open_noauth:
rpc_pipe_bind for pipe \lsarpc failed with error NT_STATUS_BUFFER_TOO_SMALL
Sep  5 21:00:06 aries nmbd[847]: [2006/09/05 21:00:06, 0]
nmbd/nmbd.c:terminate(58)
Sep  5 21:00:06 aries nmbd[847]:   Got SIGTERM: going down...
Sep  5 21:00:06 aries winbindd[862]: [2006/09/05 21:00:06, 0]
lib/util_sock.c:write_data(564)
Sep  5 21:00:06 aries winbindd[862]:   write_data: write failure. Error =
Broken pipe
Sep  5 21:00:06 aries winbindd[862]: [2006/09/05 21:00:06, 0]
nsswitch/winbindd_dual.c:fork_domain_child(825)
Sep  5 21:00:06 aries winbindd[862]:   Could not write result
Sep  5 21:00:06 aries winbindd[921]: [2006/09/05 21:00:06, 0]
rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2265)
Sep  5 21:00:06 aries winbindd[921]:   cli_rpc_pipe_open_noauth:
rpc_pipe_bind for pipe \lsarpc failed with error NT_STATUS_BUFFER_TOO_SMALL
Sep  5 21:00:06 aries nmbd[906]: [2006/09/05 21:00:06, 0]
nmbd/nmbd.c:terminate(58)
Sep  5 21:00:06 aries nmbd[906]:   Got SIGTERM: going down...
Sep  5 21:00:06 aries winbindd[921]: [2006/09/05 21:00:06, 0]
lib/util_sock.c:write_data(564)
Sep  5 21:00:06 aries winbindd[921]:   write_data: write failure. Error =
Broken pipe
Sep  5 21:00:06 aries winbindd[921]: [2006/09/05 21:00:06, 0]
nsswitch/winbindd_dual.c:fork_domain_child(825)
Sep  5 21:00:06 aries winbindd[921]:   Could not w

[Samba] RE: ads_kinit_password failed: Preauthentication failed

2006-09-05 Thread Lachlan

Just curious, why is this thread so broken? 
What did I do wrong in my post?


Lachlan wrote:
> 
> Hi,
> 
> Thanks for the replies. I hope this reply ends in the right thread.
> and I am sorry to Markus for hijacking your previous thread.
> 
> -- snip ---
> 
> 



Re: [Samba] Usershare parameters

2006-09-05 Thread Cybionet

Thank you Jeremy. As usual your answers are clear and effective.

Robert

> On Mon, Sep 04, 2006 at 10:53:25PM -0400, Cybionet wrote:
> >
> >  I set usershare max shares to 10, and then with an user (and with 
> > different user)  I add 15 shares definition . When I use the net 
> > usershare list -l , I see all the 15 usershares and can access to these 
> > shares with a Windows client. A difference with your example in the 
> > documentation, I use ACL(EA) to authorize a group of user to add share 
> > definitions.
>
> Thanks for pointing this out. You've found an interesting bug
> that I'm actually disinclined to fix.
>
> When the usershare code was initially added, each smbd scanned
> the usershare directory in total to create a usershare. This is 
> such a resource intensive operation if there are a lot of usershares
> that I added the "usershares max shares" parameter.
>
> Volker pointed out the scalability issues with scanning a directory
> at all, and so the resultant code that was released doesn't scan
> the directory unless someone is requesting smbd to list the number
> of shares - ie. by doing a smbclient -L //server.
>
> What this means is that the "max shares" restriction doesn't get
> triggered unless someone explicitly enumerates the share list as
> above. But it also means that it's not a big issue, as the real
> problem that this parameter was trying to fix has already been
> solved (by the direct lookup from smbd of the requested sharename).
>
> So what I'm going to do is add the restriction to the 'net' command,
> where it will be advisory instead of mandatory (as people can always
> create usershare files using 'vi' rather than the convenience of the
> net command). I'll update the docs to this effect.
>
> >  I have read the majority of documentation about usershare, and in the 
> > one in the smb.conf, I can read 'All other share parameters not 
> > specified in the user defined share definition are copied from this 
> > named share.' Then how it is work?
>
> What you have to do is create a "template share" as a normal share
> definition in the smb.conf file, eg.
>
> [template]
> force user = foo
>
> and setting 'usershare template share = template' would mean
> all created usershares would inherit 'force user = foo'.
>
> Hope that helps,
>
> Jeremy.


  




Re: [Samba] Usershare parameters

2006-09-05 Thread Jeremy Allison
On Mon, Sep 04, 2006 at 10:53:25PM -0400, Cybionet wrote:
> 
>  I set usershare max shares to 10, and then with an user (and with 
> different user)  I add 15 shares definition . When I use the net 
> usershare list -l , I see all the 15 usershares and can access to these 
> shares with a Windows client. A difference with your example in the 
> documentation, I use ACL(EA) to authorize a group of user to add share 
> definitions.

Thanks for pointing this out. You've found an interesting bug
that I'm actually disinclined to fix.

When the usershare code was initially added, each smbd scanned
the usershare directory in total to create a usershare. This is 
such a resource intensive operation if there are a lot of usershares
that I added the "usershares max shares" parameter.

Volker pointed out the scalability issues with scanning a directory
at all, and so the resultant code that was released doesn't scan
the directory unless someone is requesting smbd to list the number
of shares - ie. by doing a smbclient -L //server.

What this means is that the "max shares" restriction doesn't get
triggered unless someone explicitly enumerates the share list as
above. But it also means that it's not a big issue, as the real
problem that this parameter was trying to fix has already been
solved (by the direct lookup from smbd of the requested sharename).

So what I'm going to do is add the restriction to the 'net' command,
where it will be advisory instead of mandatory (as people can always
create usershare files using 'vi' rather than the convenience of the
net command). I'll update the docs to this effect.

>  I have read the majority of documentation about usershare, and in the 
> one in the smb.conf, I can read 'All other share parameters not 
> specified in the user defined share definition are copied from this 
> named share.' Then how it is work?

What you have to do is create a "template share" as a normal share
definition in the smb.conf file, eg.

[template]
force user = foo

and setting 'usershare template share = template' would mean
all created usershares would inherit 'force user = foo'.

Hope that helps,

Jeremy.
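
An added example, not part of the original thread and not Samba's own code: because the limit is only applied when the share list is enumerated and definition files can be created by hand, an administrator can compare the number of definition files in the usershare directory with the configured limit. The directory path, the limit value and all function names are assumptions; the self-check builds a constructed directory under /tmp.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Count regular files directly inside dir. Symlinks and sub-directories
 * are not counted (lstat), and an entry whose full path does not fit the
 * buffer is skipped. Returns -1 if the directory cannot be opened. */
int count_usershare_files(const char *dir)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    int n = 0;

    if (d == NULL)
        return -1;
    while ((e = readdir(d)) != NULL) {
        char path[4096];
        struct stat st;
        int len = snprintf(path, sizeof path, "%s/%s", dir, e->d_name);

        if (len < 0 || (size_t)len >= sizeof path)
            continue;
        if (lstat(path, &st) == 0 && S_ISREG(st.st_mode))
            n++;
    }
    closedir(d);
    return n;
}

/* Returns 1 if more definition files exist than max_shares allows,
 * 0 if the count is within the limit, -1 on error. */
int usershare_limit_exceeded(const char *dir, int max_shares)
{
    int n = count_usershare_files(dir);

    if (n < 0)
        return -1;
    return n > max_shares;
}

/* Constructed self-check: create `files` empty definition files in a
 * scratch directory, run the check, then clean up again. */
int demo_check(int files, int max_shares)
{
    char dir[] = "/tmp/usershares_demo_XXXXXX";
    char path[128];
    int i, result;

    if (mkdtemp(dir) == NULL)
        return -1;
    for (i = 0; i < files; i++) {
        FILE *f;

        snprintf(path, sizeof path, "%s/share%02d", dir, i);
        f = fopen(path, "w");
        if (f != NULL)
            fclose(f);
    }
    result = usershare_limit_exceeded(dir, max_shares);
    for (i = 0; i < files; i++) {
        snprintf(path, sizeof path, "%s/share%02d", dir, i);
        unlink(path);
    }
    rmdir(dir);
    return result;
}

int main(int argc, char **argv)
{
    /* Usage: prog <usershare directory> <limit>; without arguments the
     * constructed case from the thread (15 files, limit 10) is run. */
    if (argc == 3) {
        int n = count_usershare_files(argv[1]);
        int limit = atoi(argv[2]);

        if (n < 0) {
            perror(argv[1]);
            return 2;
        }
        printf("%d definition files, limit %d: %s\n", n, limit,
               n > limit ? "OVER LIMIT" : "ok");
        return n > limit;
    }
    printf("15 files, limit 10 -> exceeded=%d\n", demo_check(15, 10));
    return 0;
}
```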


[Samba] AD logins using winbind looking for user in /etc/shadow

2006-09-05 Thread Jason Mogavero

I'm running CentOS 4.3 with the most recent samba-client and samba-common
rpms.  I've managed to configure samba/winbind to allow me to join the box
to the AD, create the UID and GID mappings,  etc.  However, when I try to
connect via ssh, the account cannot log in.  /var/log/messages says the
following:

Sep  5 17:15:25 kdcdmz sshd[6263]: error: Could not get shadow information
for jason.mogavero
Sep  5 17:15:25 kdcdmz sshd[6263]: Failed password for jason.mogavero from
172.16.102.28 port 3646 ssh2

net ads status, getent passwd, and wbinfo all show the expected output with
no errors.  I'll include some of that output at the end of the config files.

It shouldn't be looking for a shadow password, it should be checking against
the AD user database, right?  Here are my configs.  I've pored over them
and compared them to several How-Tos and working configs and can't find
anything different.  If this would be better placed in the PAM list, let me
know and I'll send it there.

/etc/samba/smb.conf

workgroup = KDCTEST
realm = KDCTEST.COM
password server = adauth.kdctest.com
security = ads
encrypt passwords = yes
allow trusted domains = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
winbind separator = \
winbind cache time = 10
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
winbind use default domain = yes
template shell = /bin/bash
template homedir = /home/%U
client use spnego = yes


/etc/krb5.conf

[libdefaults]
default_realm = kdctest.com
dns_lookup_realm = true
dns_lookup_kdc = true
default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = des-cbc-md5

[appdefaults]
pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}

[realms]
 KDCTEST.COM = {
 kdc = adauth.kdctest.com:88
 admin_server = adauth.kdctest.com:749
 default_domain = kdctest.com

   }




kdctest.com = {
 kdc = adauth.kdctest.com
 admin_server = adauth.kdctest.com
}

KDCTEST.COM = {
 kdc = adauth.kdctest.com
}

[domain_realm]

   kdctest.com = KDCTEST.COM
   .kdctest.com = KDCTEST.COM
   adauth.kdctest.com = KDCTEST.COM


/etc/nsswitch.conf

passwd:     files winbind
shadow:     files
group:      files winbind

hosts:      files dns

bootparams: files
ethers:     files
netmasks:   files
networks:   files
protocols:  files winbind
rpc:        files
services:   files winbind
netgroup:   files winbind
publickey:  files
automount:  files winbind
aliases:    files


/etc/pam.d/sshd

#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so

And finally, /etc/pam.d/system-auth

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
#auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
#account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
#account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
#password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
#session     optional      /lib/security/$ISA/pam_krb5.so


Now here's some output from testing AD connectivity:

net ads info
LDAP server: 172.16.102.28
LDAP server name: adauth
Realm: KDCTEST.COM
Bind Path: dc=KDCTEST,dc=COM
LDAP port: 389
Server time: Tue, 05 Sep 2006 17:37:55 GMT
KDC server: 172.16.102.28
Server time offset: -14

getent passwd  (just the AD stuff is shown here)
administrator:*:1:1:Administrator:/home/administrator:/bin/bash
guest:*:10001:10001:Guest:/home/guest:/bin/bash
adauth$:*:10002:10002:ADAUTH:/home/adauth_:/bin/bash
krbtgt:*:10003:1:krbtgt:/home/krbtgt:/bin/bash
jason.mogavero:*:10004:1:Jason Mogavero:/home/jason.mogavero:/bin/bash
kdctest02$:*:10005:10003:KDCTEST02:/home/kdctest02_:/bi

[Samba] Re: Domain SID does not match built in domain groups SIDs...

2006-09-05 Thread Jason Shaw
You are correct. I have users and groups with the correct domain SID, 
but there are a few groups that have the wrong domain SID and I want to 
correct them.


I ended up just stopping the Samba daemon and editing the bad groups' 
SIDs with an LDAP editor. It may have not been as safe as your way, but 
it seems to have worked.


Thank you for helping!


Jamrock wrote:

"Jason Shaw" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]

>> Would remapping them correct the SIDs? Can I just use a LDAP editor and
>> manually change the SID to what it should be without screwing up other
>> things? To my understanding, all the important Samba data is stored in
>> LDAP. So I shouldn't have to worry about the contents of smbpasswd,
>> secrets.tdb, or anything of that nature, right?
>> Given I can just edit the SIDs, I do know that I may have to restart the
>> SMB daemon, rejoin some users to groups, correct the local
>> administrators group on workstations, etc. I understand the clean up, I
>> don't want to ruin anything else that's not a simple text edit or
>> command call.

There is a utility that allows you to change the domain's SID.  Search the
archives and the documentation for "net setlocalsid"

I do not want to change the domain or the server SID. Doing so would
invalidate the users I have already entered. I just want to fix a couple of
groups that have bad SIDs.


It sounds as if you are saying that the users have the same SID as the
domain.  However some groups have incorrect SID's.

If you are keeping the POSIX and Windows user information in LDAP, you can
do the following:

Make a backup of the folder containing the ldap data.

Use ldapsearch to export the contents of the ldap directory to a file.  This
provides a second backup

Use ldapsearch  to dump the group information to a file.

Modify the SID information in the second (group) file and use ldapmodify to
bring the correct information back into the ldap directory.

This is based on the assumption that the domain's SID is correct and the
users' SID's are correct. Only the groups' SID's are incorrect.






Re: [Samba] Wierd Configuration

2006-09-05 Thread Robert Adkins

Rob Watkin wrote:

Hi Everyone,

I have a strange network design problem and I suspect that Samba may be
part of the solution. Any suggestions welcome. :-) Here goes:

Two organisations are sharing a single network of 30 Win95/98 clients
with a few XP workstations. The network is owned and managed by a third
organisation and the Internet connection is not too hot. So far so
good :-). Org-1 wants to pay for their own Internet connection and have
asked me to help. I hope to do this using a Linux box running Samba
supporting roving profiles (which they need anyway) and Squid.

What's more Org-3 probably won't want me changing the default gateways on
the PC's oh and worse there is _no_ DNS whatsoever!

So far I have everything working as follows. When a new user is created
her roving profile is copied from a template which already has Firefox
setup with the necessary proxy settings. When she logs in if she uses
Firefox then she will get the new fast connection but IE will deliver
the old. (By the way, this works for Firefox but not IE because the
latter saves its configuration settings under HKEY_LOCAL_MACHINE or
similar). I guess I will be able to handle email with Thunderbird in the
same way.

If you're still with, thanks for reading so far! :-)

So if a user is a member of the Samba domain then they will
automatically get access to the new fast connection via the proxy
server.

My problem is to block access to Squid for users who have not been
authenticated into the domain(Org-2). I could get the users to log into
Squid manually but that would mean losing centralised user management.

Thanks
Rob
  
   Go to the Squid mailing list, after checking the Squid documentation 
about User Authentication.


   You should have your Squid answer fairly quickly.

   Regards,
   Rob


[Samba] Samba w/ Multinet on OpenVMS 7.3-2

2006-09-05 Thread Wesling, Mark
I am trying to find source/object files for Samba for OpenVMS using
Multinet 5.0.  Install guide would also be helpful.  Currently run Samba
on Unix.
 
Thanks


Re: [Samba] User Group SID behavior has changed from 21b to 23c

2006-09-05 Thread Gerald (Jerry) Carter

Mario,

>> Yup.  And if this was a problem for you, it would have
>> been really good to know during the 6 months of development
>> between 3.0.22 and 3.0.23 or even the 2 months between
>> 3.0.23 and 3.0.23c.
> 
> No, it wasn't. Was only thinking about and never would 
> have expected it to work that way and will never like this
> from a general point of view. However, I think this will
> not become a problem for me but might for people who
> don't know the samba behaviour. But you seem to know well
> what you are doing...

You can always worry about possible scenarios and sometimes
you play "What if" so much that you are held back by
imaginary environments.  The fact is that the RID algorithm
dug us in a hole and we had to pull ourselves outside
somehow.

So far, the cases we were really concerned about have been
non-issues.  Ironically enough, the main problems we had
with 3.0.23 is that we weren't aggressive enough and allowed
the RID algorithm to stay with smbpasswd which meant that
it operated differently than the tdb or ldap implementations.



cheers, jerry


Re: [Samba] User Group SID behavior has changed from 21b to 23c

2006-09-05 Thread Mario Lipinski
> Yup.  And if this was a problem for you, it would have
> been really good to know during the 6 months of development
> between 3.0.22 and 3.0.23 or even the 2 months between
> 3.0.23 and 3.0.23c.

No, it wasn't. Was only thinking about and never would have expected it
to work that way and will never like this from a general point of view.
However, I think this will not become a problem for me but might for
people who don't know the samba behaviour. But you seem to know well
what you are doing...


> This was also outlined in the release notes.

Must have missed out the part with the default mapping to rid 513. :/
The group mapping stuff is clear.


Mario




[Samba] Wierd Configuration

2006-09-05 Thread Rob Watkin
Hi Everyone,

I have a strange network design problem and I suspect that Samba may be
part of the solution. Any suggestions welcome. :-) Here goes:

Two organisations are sharing a single network of 30 Win95/98 clients
with a few XP workstations. The network is owned and managed by a third
organisation and the Internet connection is not too hot. So far so
good :-). Org-1 wants to pay for their own Internet connection and have
asked me to help. I hope to do this using a Linux box running Samba
supporting roving profiles (which they need anyway) and Squid.

What's more Org-3 probably won't want me changing the default gateways on
the PC's oh and worse there is _no_ DNS whatsoever!

So far I have everything working as follows. When a new user is created
her roving profile is copied from a template which already has Firefox
setup with the necessary proxy settings. When she logs in if she uses
Firefox then she will get the new fast connection but IE will deliver
the old. (By the way, this works for Firefox but not IE because the
latter saves its configuration settings under HKEY_LOCAL_MACHINE or
similar). I guess I will be able to handle email with Thunderbird in the
same way.

If you're still with, thanks for reading so far! :-)

So if a user is a member of the Samba domain then they will
automatically get access to the new fast connection via the proxy
server.

My problem is to block access to Squid for users who have not been
authenticated into the domain(Org-2). I could get the users to log into
Squid manually but that would mean losing centralised user management.

Thanks
Rob



Re: [Samba] User Group SID behavior has changed from 21b to 23c

2006-09-05 Thread Gerald (Jerry) Carter

Mario,

> So do I get it right, that Samba set the primaryGroupSID 
> to the "Domain Users" SID, if the users primary unix
> group is not mapped to nt group and even if the
> user is not member of it? And only if the users primary
> group is mapped, this one is assigned to his samba
> account as primaryGroupSID?

Yes.  But let me clarify that this is not some flippant
decision on our own part.  Windows requires that the
user's primaryGroupSID matches the same domain as the
user's SID.  Therefore Windows assigns the rid 513
as the primary group to all accounts that do not
have a valid group which can be assigned.

For example, if you have a freshly installed Windows
XP client, the local Administrator has a primary group
RID of 513 even though no such group really exists on
the box. When the client OS is first installed the only
groups available are in the BUILTIN domain.

Now the problem with mapping users and groups on Unix
to a Windows domain model is that you are mapping two
32-bit number ranges into one.  Samba introduced
a RID algorithm in the 2.0 release to handle this.
But the RID algorithm is not flexible enough to handle
things like migrated domains.  The only way to really deal
with that is persistent RID allocation.

So once you start introducing RID allocation, you either
have to map all users and groups (not just ones in Samba's
passdb) to a valid SID or assign the unmapped ones a SID
that is guaranteed not to conflict with the RID allocator.
Hence the new S-1-22-1-{1,2} domains.

The problem with the primaryGroupSID attribute is that
it is too difficult to guarantee that it properly reflects
the real unix primary group.  It will get out of sync.
So we decided to honor the Unix group membership in all
cases since this is what you would really expect anyways.

So when you start honoring the real Unix primary group,
you run the chance that the real primary group is in
the S-1-22-2 domain.  But Windows won't allow this.

Hence you have to have some RID that is guaranteed to
always be available as the user's primary group.  We chose
513 since this is what Windows does.  There were several
weeks' worth of discussion about this and it was a fairly
early change during the 3.0.23 development cycle.

> So, if I have given the Domain Users rights not to all 
> my users. And I got a user who is not member of a mapped
> group. His primary group rid is 513 and he is allowed
> to log on to a workstation.
> 
> And I have given some special permissions to a folder 
> for the Domain Users group. Then my user is able to
> gain the permissions the users of the Domain Users group
> have which he is not intended to have.
> 
> I hope it's not really working that way...

Yup.  And if this was a problem for you, it would have
been really good to know during the 6 months of development
between 3.0.22 and 3.0.23 or even the 2 months between
3.0.23 and 3.0.23c.

You can fix the situation by manually running
'net groupmap unixgroup=foo' for the user's real primary
group and it will automatically be reported by pdbedit.

This was also outlined in the release notes.





cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


Re: [Samba] User Group SID behavior has changed from 21b to 23c

2006-09-05 Thread Mario Lipinski
Hi,

thx for the fast reply.

On Tuesday, 05.09.2006 at 14:43 -0500, Gerald (Jerry) Carter wrote:
> The stance now is that the primaryGroupSID attribute
> in the passdb is ignored and the actual value is generated
> on the fly based on the user's real Unix primary group.

So do I get it right, that Samba set the primaryGroupSID to the "Domain
Users" SID, if the users primary unix group is not mapped to nt group
and even if the user is not member of it?
And only if the users primary group is mapped, this one is assigned to
his samba account as primaryGroupSID?

So, if I have given the Domain Users rights not to all my users. And I
got a user who is not member of a mapped group. His primary group rid is
513 and he is allowed to log on to a workstation.

And I have given some special permissions to a folder for the Domain
Users group. Then my user is able to gain the permissions the users of
the Domain Users group have which he is not intended to have.

I hope it's not really working that way...


Mario




Re: [Samba] User Group SID behavior has changed from 21b to 23c

2006-09-05 Thread Gerald (Jerry) Carter

Mario,

> i am expecting also a behavior i cannot follow with groups.
> 
>> # pdbedit -L -v law
>> WARNING: The "printer admin" option is deprecated
>> Unix username:law
>> NT username:  law
>> Account Flags:[HUX]
>> User SID: S-1-5-21-4092459118-2595994810-1099795350-3002
>> Primary Group SID:S-1-5-21-4092459118-2595994810-1099795350-513
> 
> 
> However, i am not member of the mapped group 
> with the rid 513...

Doesn't matter.  This is how Windows does it.  Your
primary group has to be in the same domain as the passdb.
Windows uses 513 as a special RID that always exists.
If you map the user's real primary Unix group to a valid
SID, you will get that reported.

The stance now is that the primaryGroupSID attribute
in the passdb is ignored and the actual value is generated
on the fly based on the user's real Unix primary group.





cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


Re: [Samba] User Group SID behavior has changed from 21b to 23c

2006-09-05 Thread Mario Lipinski
Hello,

i am expecting also a behavior i cannot follow with groups.

> # pdbedit -L -v law
> WARNING: The "printer admin" option is deprecated
> Unix username:law
> NT username:  law
> Account Flags:[HUX]
> User SID: S-1-5-21-4092459118-2595994810-1099795350-3002
> Primary Group SID:S-1-5-21-4092459118-2595994810-1099795350-513


However, i am not member of the mapped group with the rid 513...


Mario




Re: [Samba] Migration 2.x-> 3.0 with new server, sharing files during migration process?

2006-09-05 Thread Andreas Gerstenberg

Hi!

Felipe Augusto van de Wiel wrote:


Old Samba server/environment:
 Samba 2.x
 Authentication via W2k Server (security = DOMAIN)
 Server has more than 100 netbios aliases
 No POSIX-ACL's
 Users and Groups are stored in /etc/{passwd,groups}
 Access to shares via "valid users = @group" in smb.conf
 other authorization done via file/directory rights

New Samba Server/environment:
 Samba 3 as AD Member Server (security = ADS)
 POSIX-ACLs
 winbind


[...]


Why 01 month to migrate the users? It could be done with
a script in a few hours. As I see your scenario, you should be
able to prepare the new environment at least with the new users
and share the account information.

If you are speaking about physically migrating them, that
I can understand, but if you are able to set two environments
sharing the underground information using Samba, you should be
able to achieve what you want.


OK, I think I have to start a bit more at the beginning.

There is an existing network with a Samba 2.2.8a server in "OLDDOMAIN"
("old environment") and I have to set up a completely newly designed
network. There are about 200 users in about 30 subsidiaries connected
via VPN to the old network, which have to be switched step by step to the
new network "NEWDOMAIN" ("new environment").

Let's make it a bit more illustrated: Let's say the headquarters with the
old Samba server is located in New York and there are 2 subsidiaries, one
in Los Angeles and the other one in San Francisco. There are 3 users:

* User "bob", works in the Los Angeles office, belongs to the group
"marketing" and has access to the Samba share "marketing"

* User "mary", works in the San Francisco office, also belongs to the group
"marketing" and also has access to the share "marketing"

* User "john", works in both offices (one day in LA, next day SF), also
belongs to the group "marketing" and therefore also has access to
the marketing share.

The files in that share have the acl 0770 with the group "marketing", so
all 3 users can read/write the files and if "mary" has opened a file, it
will be locked, so everything is working fine.

Because I can't switch 30 subsidiaries within one day, I have to switch
them step by step, so let's say, I will switch the LA office to the new
network with the new Samba server, so "bob" is in the new network,
"mary" is still in the old network and for "john" it changes wherever
he is. Just copying the files does not work, I must have access to the same
data (files) with locking, etc.

I think, there is only one way for me to solve this problem: copy the
files to the new server and running 2 instances of Samba on one machine
which shares the same files within 2 different networks (domains).
1) migrate the users from "OLDDOMAIN" to one instance of Samba on the
new server with ADS support (winbind), bind on one interface within the
old network.
2) run a second instance of Samba on the same machine, bound to the NIC
in the new network, ADS-connected to "NEWDOMAIN".
3) hoping that the Linux kernel as well as Samba handles the locking
correctly.

Of course I have to correct the SID <-> UID/GID mapping within one of
both instances "by hand", so that user "OLDDOMAIN\bob" (uid: 12334/gid:
56789) has the same uid/gid as "NEWDOMAIN\new_username_of_bob".

What do you think? Does this solution work?

regards,
Andy



[Samba] Re: More on the archive bit

2006-09-05 Thread Gerald (Jerry) Carter

Aaron Kincer wrote:

> My first very uneducated guess is that the mechanism 
> the programs use to actually modify the file on disk
> and save changes is different in a way that breaks
> archive bit behavior on Samba for some and not others.
> 
> I'll keep digging into Google, but meanwhile back at 
> the ranch, any ideas?

Do you have a server with user_xattr support on the file
system ?  If so, try setting the 'store dos attributes = yes'
to bypass any funniness with unix permission bits.

The 3.0.22 test (or even 3.0.23c) is a good idea.





cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


Re: [Samba] Re: samba + ldap query filter

2006-09-05 Thread Michael Gasch



it seems that is not used in new versions of samba :(

the official advice is to configure it via nss-ldap configuration file

micha


[Samba] Problems with access to shared directory

2006-09-05 Thread intel Man
I have configured a drive letter to a shared directory:  g:\vfp6 valid user: ingenieria


When I want to enter another directory:  \\server\fs user:admin

It doesn't allow me to enter, repeatedly requesting the user and the
password.


Reproducing the problem:

- Entering the drive g:
- Entering the other directory: \\server\fs with the user: admin
- Refused access


- Not ENTERING the drive g:
- Entering the other directory: \\server\fs with the user: admin
- Access ok



Server:   samba 3.0.23c
Client Windows 2000 is ok
Client WIndows XP is error

--smb.conf---
[global]
workgroup = USI
netbios name = COPISERVICE
server string = Servidor Samba %v
smb passwd file = /etc/samba/smbpasswd
log level = 0
log file = /var/log/samba/%m.log
max log size = 20
smb ports = 139
max xmit = 65535
socket options = TCP_NODELAY SO_SNDBUF=65536 SO_RCVBUF=65536 IPTOS_LOWDELAY
dns proxy = No
kernel oplocks = No
lock spin count = 100
lock spin time = 30
ldap ssl = no
admin users = admin
oplocks = No
level2 oplocks = No
strict locking = No

[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0664
directory mask = 0775
browseable = No

[vfp6]
path = /usr/fs/vfp6
valid users = @general
read only = No

[fs]
path = /usr/fs
valid users = admin
read only = No




-Log---
[2006/09/05 11:07:52, 10] smbd/share_access.c:user_ok_token(208)
 User ingenieria not in 'valid users'
[2006/09/05 11:07:52, 2] smbd/service.c:make_connection_snum(571)
 user 'ingenieria' (from session setup) not permitted to access this share (fs)

[2006/09/05 11:07:52, 3] smbd/error.c:error_packet(146)


Here I attempt login like user admin and show user ingenieria?

Is bug in samba or is normal?

Thanx

Luis Rivera
Lima-Peru




Re: [Samba] User Group SID behavior has changed from 21b to 23c

2006-09-05 Thread Gerald (Jerry) Carter

Mike,

> I am using LDAP as my backend. I have 6 PDC's running 
> Samba 3.0.21b, each domain has a different SID. I
> store all user,groups,and machine accounts in one
> LDAP database. So that when I create a user once,
> all domains can see the user. This keeps me
> from having to create a user account on
> each domain for cross domain file sharing.
...
> I have setup a new PDC for DOMAIN2 using 3.0.23c
> Now in DOMAIN2 when I type:
> pdbedit -v -u mikec
> I get:
> 
> NT username:  mikec
> Account Flags:[U  ]
> User SID: S-1-5-21-1629861336-2395076261-3235541152-3001
> Primary Group SID:*S-1-5-21-2781067772-1786132867-2942848841-513*
> 
> When I try to connect to a Samba Server in DOMAIN2 from 
> DOMAIN1 I get the error message
>  _net_sam_logon: user DOMAIN2\mikec has user sid
> S-1-5-21-1629861336-2395076261-3235541152-3001
>   but group sid S-1-5-21-2781067772-1786132867-2942848841-513.
>  The conflicting domain portions are not supported for 
>  NETLOGON calls
> 
> The behavior in 3.0.23c has changed from 3.0.21b

Yup.  And you were relying on unsupported behavior
in previous releases.  We have never supported sharing
an ldapsam passdb backend between multiple domains
in the 3.0 series.






cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


[Samba] User Group SID behavior has changed from 21b to 23c

2006-09-05 Thread Mike Cauble
I am using LDAP as my backend. I have 6 PDC's running Samba 3.0.21b, 
each domain has a different SID. I store all user,groups,and machine 
accounts in one LDAP database. So that when I create a user once, all 
domains can see the user. This keeps me from having to create a user 
account on each domain for cross domain file sharing.


The behavior for Domains running Samba 3.0.21b is as follows.

DOMAIN1 has a SID of S-1-5-21-1629861336-2395076261-3235541152
DOMAIN2 has a SID of S-1-5-21-2781067772-1786132867-2942848841

In DOMAIN1 I type:
pdbedit -v -u mikec
I get:
Unix username:mikec
NT username:  mikec
Account Flags:[U  ]
User SID: S-1-5-21-1629861336-2395076261-3235541152-3001
Primary Group SID:*S-1-5-21-1629861336-2395076261-3235541152-513*

In DOMAIN2 I type:
pdbedit -v -u mikec
I get
Unix username:mikec
NT username:  mikec
Account Flags:[U  ]
User SID: S-1-5-21-1629861336-2395076261-3235541152-3001
Primary Group SID:*S-1-5-21-1629861336-2395076261-3235541152-513*

Which is correct.

I have setup a new PDC for DOMAIN2 using 3.0.23c
Now in DOMAIN2 when I type:
pdbedit -v -u mikec
I get:

NT username:  mikec
Account Flags:[U  ]
User SID: S-1-5-21-1629861336-2395076261-3235541152-3001
Primary Group SID:*S-1-5-21-2781067772-1786132867-2942848841-513*

When I try to connect to a Samba Server in DOMAIN2 from DOMAIN1 I get the 
error message
 _net_sam_logon: user DOMAIN2\mikec has user sid 
S-1-5-21-1629861336-2395076261-3235541152-3001

  but group sid S-1-5-21-2781067772-1786132867-2942848841-513.
 The conflicting domain portions are not supported for NETLOGON calls

The behavior in 3.0.23c has changed from 3.0.21b
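
An added example, not part of the original posts and not Samba code: a Python check over `pdbedit -L -v` output for the two conditions discussed in this thread, a primary group SID whose domain differs from the user SID's domain (the case the NETLOGON error above rejects) and a primary group reported as RID 513 (which, per the replies in this thread, includes accounts whose real Unix primary group has no group mapping). The sample listing is constructed from the listings quoted in the thread; the user "alice" and RID 1201 are made up for illustration.

```python
"""Audit `pdbedit -L -v` listings for primary-group SID conditions."""
import re
import sys

DOMAIN_USERS_RID = 513  # the RID the thread says is used as the fallback primary group

# Constructed sample: "law" and "mikec" reuse SIDs quoted in the thread,
# "alice" and her group RID 1201 are invented for this example.
SAMPLE = """\
WARNING: The "printer admin" option is deprecated
Unix username:        law
NT username:          law
Account Flags:        [HUX        ]
User SID:             S-1-5-21-4092459118-2595994810-1099795350-3002
Primary Group SID:    S-1-5-21-4092459118-2595994810-1099795350-513
---------------
Unix username:        mikec
NT username:          mikec
Account Flags:        [U          ]
User SID:             S-1-5-21-1629861336-2395076261-3235541152-3001
Primary Group SID:    *S-1-5-21-2781067772-1786132867-2942848841-513*
---------------
Unix username:        alice
NT username:          alice
Account Flags:        [U          ]
User SID:             S-1-5-21-4092459118-2595994810-1099795350-3010
Primary Group SID:    S-1-5-21-4092459118-2595994810-1099795350-1201
"""

# Only these pdbedit fields matter for the audit.
FIELDS = {
    "Unix username": "unix",
    "User SID": "user_sid",
    "Primary Group SID": "group_sid",
}
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


def parse_pdbedit(text):
    """Return one dict per account; a 'Unix username' line starts a new record."""
    records, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        field = FIELDS.get(key.strip())
        if not sep or field is None:
            continue  # warnings, debug lines, separators, other attributes
        if field == "unix":
            current = {}
            records.append(current)
        if current is not None:
            # The listings in the thread wrap some SIDs in '*' for emphasis.
            current[field] = value.strip().strip("*")
    return records


def split_sid(sid):
    """Split a SID into (domain part, RID); raise ValueError if malformed."""
    if not SID_RE.fullmatch(sid):
        raise ValueError("not a SID: %r" % sid)
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)


def audit(records):
    """Return (username, finding) tuples in listing order."""
    findings = []
    for rec in records:
        name = rec.get("unix", "?")
        try:
            user_dom, _ = split_sid(rec["user_sid"])
            group_dom, group_rid = split_sid(rec["group_sid"])
        except (KeyError, ValueError):
            findings.append((name, "UNPARSEABLE"))
            continue
        if user_dom != group_dom:
            # User and primary group come from different domain SIDs.
            findings.append((name, "DOMAIN_MISMATCH"))
        if group_rid == DOMAIN_USERS_RID:
            # Reported primary group is Domain Users: review what that
            # group is granted before assuming the user is outside it.
            findings.append((name, "PRIMARY_GROUP_513"))
    return findings


if __name__ == "__main__":
    # Pipe real output in (pdbedit -L -v | python3 thisfile.py) or run bare
    # to audit the constructed sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for user, finding in audit(parse_pdbedit(text)):
        print("%-12s %s" % (user, finding))
```

Accounts flagged PRIMARY_GROUP_513 are the ones to compare against share and folder permissions granted to Domain Users; mapping the real primary group with 'net groupmap', as suggested in the reply above, changes what pdbedit reports for them.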



Re: [Samba] No access to mandatory profiles

2006-09-05 Thread Gerald (Jerry) Carter

Martin Hochreiter wrote:
> Hi!
> 
> I have the problem that I can't log in with all 
> users (that have mandatory profiles) except
> that one who is owner of the directory.

Check the "map readonly" setting.  Windows will not
load a registry hive if it sees the DOS ReadOnly
attribute set.




cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


[Samba] Question about inter-domain trusts

2006-09-05 Thread Aidan Dixon
I've looked in the recent archives and haven't really found anything 
about this so...


I'm trying to establish a two-way trust relationship between two local 
domains.  The MS Win2k3 ADS server now trusts my Samba PDC (3.0.23c, 
Linux 2.6.17) alright but when I try to use /net rpc trustdom establish/ 
I have a few problems.  The key one is that /net rpc/ is unable to 
find a domain controller.


On closer inspection I find that "net rpc trustdom establish" goes 
looking for a Domain Master Browser for the target domain.  But with 
nmblookup and nbtstat I find there is no local DMB for the domain I want 
to trust.   Modifying utils/net.c:net_find_pdc() so that it looks for 
Domain Controllers (type #1e) instead of DMBs (type #1b) seems to fix 
the resolution problem.  But is this modification semantically 
correct?   Or must there be a local DMB for that domain?  Curiously, 
there are a few error cases in net_rpc.c:rpc_trustdom_establish() where 
the command carries on regardless of errors with consequent segfaults.


Wisdom gratefully received...
TIA,

--
Aidan Dixon



[Samba] OS X Clients getting thrown off shares

2006-09-05 Thread Nick Wales
My Samba server has slowed down dramatically since yesterday  
afternoon, although I'm not seeing any obvious signs of issues  
occurring in the smbd.log or in messages.log. Load average is low and  
there is plenty of memory left.


Also, OS X clients are getting logged off at random intervals and I'm  
finding this message in the individual samba host log files which is  
my only clue as to what is happening.


smbd/service.c:close_cnum(841)

Any ideas anyone?

nick




[Samba] No access to mandatory profiles

2006-09-05 Thread Martin Hochreiter

Hi!

I have the problem that I can't log in with all users (that have
mandatory profiles) except that one who is owner of the
directory.

(Windows states that it can't load the profile because of security
problems).

Samba is 3.22 smb.conf follows:

[global]
   workgroup = FH_STP
   server string = FH StP LDAP-PDC
   passdb backend = ldapsam
   log level = 1
   log file = /var/log/samba/log.%m
   max log size = 50
   announce version = 7
   load printers = No
   disable spoolss = Yes
   show add printer wizard = No
   add machine script = /var/configfiles/CreateLDAPws %u
   logon script = %G.cmd
   logon drive = H:
   logon home = \\homes\%U
   domain logons = Yes
   os level = 255
   preferred master = Yes
   domain master = Yes
   dns proxy = No
   wins support = Yes
   ldap admin dn = "uid=Admin,ou=Users,dc=fh-stpoelten,dc=ac.at"
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Clients
   ldap passwd sync = Yes
   ldap suffix = dc=fh-stpoelten,dc=ac.at
   ldap ssl = start tls
   ldap user suffix = ou=Users
   printing = bsd
   print command = lpr -r -P'%p' %s
   lpq command = lpq -P'%p'
   lprm command = lprm -P'%p' %j

[homes]
   comment = Home Directories
   read only = No
   create mask = 0600
   directory mask = 0700
   browseable = No
   wide links = No
   follow symlinks = No

[netlogon]
   comment = Network Logon Service
   path = /var/samba/netlogon
   locking = No
   share modes = No

[Profiles]
   path = /var/samba/profiles
   read only = No
   create mask = 0777
   guest ok = Yes
   hide dot files = No




[Samba] Re: SAMBA + DHCP : browse list disappears

2006-09-05 Thread sebastien

> Hi guys,
>
> I have a strange one here: our samba 3.0.22 which is shown as Local
> Master is removing servers (by "server" I mean any PC in our workgroup)
> after some time (from 30 minutes to an hour). Logs show :
> "expire_old_servers removing from list" ... when set to a fixed IP
> without DHCP involved, machines are kept in the list.
> We run dhcpd to update Bind 9. Doing "dig" on removed machines shows
> complete name resolution (and reverse) . I am running out of ideas ...
> it seems that @ some point samba considers that the machines are not
> there anymore ... while they are ... fiddling with the dhcp server time
> lease did not improve ... Obviously something is wrong around dns+dhcp
> but cannot see it.
>
> Any ideas ? or pointers ?
>
> THanks
>
> Seb
>
>
>
>
>   



RE: [Samba] winbind auth against ads not working via remote login-solaris 10. - Success!!

2006-09-05 Thread Garrett, Joseph
Update: Success

The corrective action was to move the below pam.conf settings to the top
of each section.

auth sufficient /usr/lib/security/pam_winbind.so try_first_pass
account sufficient  /usr/lib/security/pam_winbind.so try_first_pass
session sufficient  /usr/lib/security/pam_winbind.so try_first_pass

-Original Message-
From: Garrett, Joseph 
Sent: Thursday, August 31, 2006 8:40 AM
To: samba@lists.samba.org
Subject: RE: [Samba] winbind auth against ads not working via remote
login-solaris 10.

update: OS not allowing a winbind auth on Solaris 10 console. 

I added the below winbind options(see smb.conf). I now get
"NT_STATUS_OS" for the user(see winbind log) as I try to login but
Solaris 10 still reports a "Login Incorrect". What other OS configure am
I missing? Does the 
nss_winbind.so libraries need to be copied anywhere else?  



I copied the libnss_winbind.so  to /lib and /usr/lib and made the below
links.
/lib/nss_winbind.so 
/lib/nss_winbind.so.1

Nsswitch.conf is using "file nis winbind" . See pam.conf below.

Thanks and God bless!


Winbind Log:--
[2006/08/31 08:17:43, 5] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(445)
  Plain-text authentication for user jgarrett returned NT_STATUS_OK (PAM: 0)


Smb.conf

# cat smb.conf
# Global parameters
[global]
workgroup = MYDOMAIN
server string = Samba Server pdtsun03
password server = MYPWDSERVERS
encrypt passwords = yes
log level = 10
log file = /usr/local/samba/var/log.%m
max log size = 50
dns proxy = No
guest account = visitor

realm = MYREALM
security = ads
ldap ssl = no
idmap uid = 1-2
idmap gid = 1-2

winbind cache time = 2
winbind use default domain = Yes
winbind trusted domains only = Yes
winbind nested groups = Yes

winbind uid = 20001-4
winbind gid = 20001-4

# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
# give winbind users a real shell (only needed if they have telnet access)


Pam.conf--

# cat /etc/pam.conf
#
#ident  "@(#)pam.conf   1.2804/04/21 SMI"
#
# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth required   pam_unix_cred.so.1
login   auth required   pam_unix_auth.so.1
login   auth required   pam_dial_auth.so.1
login   auth sufficient /usr/lib/security/pam_winbind.so try_first_pass debug
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient pam_rhosts_auth.so.1
rlogin  auth requisite  pam_authtok_get.so.1
rlogin  auth required   pam_dhkeys.so.1
rlogin  auth required   pam_unix_cred.so.1
rlogin  auth required   pam_unix_auth.so.1
rlogin  auth sufficient /usr/lib/security/pam_winbind.so try_first_pass debug
#
# Kerberized rlogin service
#
krlogin auth required   pam_unix_cred.so.1
krlogin auth binding    pam_krb5.so.1
krlogin auth required   pam_unix_auth.so.1
krlogin auth sufficient /usr/lib/security/pam_winbind.so try_first_pass debug
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient pam_rhosts_auth.so.1
rsh     auth required   pam_unix_cred.so.1
rsh     auth sufficient /usr/lib/security/pam_winbind.so try_first_pass debug
#
# Kerberized rsh service
#
krsh    auth required   pam_unix_cred.so.1
krsh    auth binding    pam_krb5.so.1
krsh    auth required   pam_unix_auth.so.1
krsh    auth sufficient /usr/lib/security/pam_winbind.so try_first_pass debug
#
# Kerberized telnet service
#
ktelnet auth required   pam_unix_cred.so.1
ktelnet auth binding    pam_krb5.so.1
ktelnet auth required   pam_unix_auth.so.1
ktelnet auth sufficient /usr/lib/security/pam_winbind.so try_first_pass debug
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite  pam_authtok_get.so.1
ppp     auth required   pam_dhkeys.so.1
ppp     auth required   pam_unix_cred.so.1
ppp     auth required   pam_unix_auth.so.1
ppp     auth required   pam_dial_auth.so.1
ppp     auth sufficient /usr/lib/security/pam_winbind.so try_first_pass debug
#
# Default definitions for Authentication management
# Used when service name is not explicitly m

Re: AW: [Samba] samba and BUILTIN groups

2006-09-05 Thread Jörg Horchler
I have not read the release notes in all details - I should better do it
in future ;-) 

On Tuesday, 05.09.2006 at 07:02 -0500, Gerald (Jerry) Carter wrote:
> 
> Jörg Horchler wrote:
> > Curious - I found the problem: 
> > 
> > Our old server runs with 'valid users = @' for all shares. This
> > syntax works. 
> > 
> > I ran smb with log level 10 on the new server and saw that it tries to
> > find the group 'Unix Group\'. After changing the parameter to
> > 'valid users = @\' in our smb.conf it works!
> > 
> > Is this a new behaviour?
> 
> Yes and No.  Fully qualifying domain names in smb.conf
> has been recommended since 3.0.8. With the 3.0.23 series,
> this has become a requirement.  Did you read the release notes?
> 
> 
> 
> 
> 
> cheers, jerry
> =
> Samba--- http://www.samba.org
> Centeris ---  http://www.centeris.com
> "What man is a man who does not make the world better?"  --Balian


Re: [Samba] Re: question about wiki.samba.org

2006-09-05 Thread simo
On Tue, 2006-09-05 at 07:41 -0500, Deryck Hodge wrote:
> On 9/4/06, simo <[EMAIL PROTECTED]> wrote:

> > I think that many looks at it, maybe we should make it more visible.
> >
> > Deryck,
> > what do you think?
> >
> 
> Yes, it needs a link from samba.org.  I think that would be enough.
> I'll grab that now.

Thanks!

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Re: question about wiki.samba.org

2006-09-05 Thread Deryck Hodge

On 9/4/06, simo <[EMAIL PROTECTED]> wrote:

On Mon, 2006-09-04 at 17:29 +0200, Franz Pfoertsch wrote:
> You are right!
>
> but there is no link from www.samba.org to the wiki, so it is only a hidden
> side.
>
> The developers didn't use the wiki.

This is not true, but we can probably use it more, I agree on this.

> the article about clustering is great, we need some more of stuff like this.
>
> I think about a page about the smb.conf, but it makes no sense when the
> developer did not write into the wiki.
> 
(http://wiki.samba.org/index.php/Samba_Features_added/changed_%28by_release%29#Changes_in_smb.conf)
>
> I hope everybody is using the wiki

I think that many looks at it, maybe we should make it more visible.

Deryck,
what do you think?



Yes, it needs a link from samba.org.  I think that would be enough.
I'll grab that now.

Cheers,
deryck

--
Deryck Hodge http://www.devurandom.org/
Web Developer, Naples News http://www.naplesnews.com/
Samba Team http://www.samba.org/


Re: AW: [Samba] samba and BUILTIN groups

2006-09-05 Thread Gerald (Jerry) Carter

Jörg Horchler wrote:
> Curious - I found the problem: 
> 
> Our old server runs with 'valid users = @' for all shares. This
> syntax works. 
> 
> I ran smb with log level 10 on the new server and saw that it tries to
> find the group 'Unix Group\'. After changing the parameter to
> 'valid users = @\' in our smb.conf it works!
> 
> Is this a new behaviour?

Yes and No.  Fully qualifying domain names in smb.conf
has been recommended since 3.0.8. With the 3.0.23 series,
this has become a requirement.  Did you read the release notes?





cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian
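An added example (not part of the thread and not Samba code): a small Python check that lists entries in smb.conf user-list parameters carrying no domain qualifier, the form that the reply above says stopped being accepted for domain names in the 3.0.23 series. The sample configuration and the EXAMPLE domain are constructed, and the default `\` winbind separator is assumed.

```python
import re

# Constructed sample smb.conf (not from the thread); EXAMPLE is a placeholder domain.
SAMPLE_CONF = r"""
[projects]
   valid users = @staff, @"EXAMPLE\Domain Users"
   write list = +EXAMPLE\editors alice
[scratch]
   Valid Users = EXAMPLE\bob
"""

# smb.conf ignores case and spaces in parameter names, so compare normalised names.
LIST_PARAMS = {"validusers", "invalidusers", "adminusers", "readlist", "writelist"}
TOKEN = re.compile(r'[@+&]*"[^"]*"|[^\s,]+')  # quoted names may contain spaces


def logical_lines(text):
    """Yield stripped lines, joining trailing-backslash continuations."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
        else:
            pending = ""
            yield line


def unqualified_entries(text, separator="\\"):
    """Return (share, parameter, entry, kind) for names without DOMAIN<separator>."""
    findings, share = [], None
    for line in logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            share = line[1:-1].strip()
        key, eq, value = line.partition("=")
        param = re.sub(r"\s+", "", key).lower()
        if line[:1] in "#;" or not eq or param not in LIST_PARAMS:
            continue
        for token in TOKEN.findall(value):
            entry = token.replace('"', "")
            name = entry.lstrip("@+&")  # drop the group-lookup prefixes
            if name and separator not in name:
                kind = "group" if name != entry else "user"
                findings.append((share, key.strip(), entry, kind))
    return findings


if __name__ == "__main__":
    print("\n".join("review: [%s] %s -> %s (%s)" % f for f in unqualified_entries(SAMPLE_CONF)))
```

Entries it reports are not necessarily wrong, since a local Unix user or group is legitimately unqualified; the list is what to review before moving a configuration to 3.0.23 or later.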


Re: AW: [Samba] samba and BUILTIN groups

2006-09-05 Thread Jörg Horchler
Curious - I found the problem: 

Our old server runs with 'valid users = @' for all shares. This
syntax works. 

I ran smb with log level 10 on the new server and saw that it tries to
find the group 'Unix Group\'. After changing the parameter to
'valid users = @\' in our smb.conf it works!

Is this a new behaviour?

On Friday, 25.08.2006, at 12:04 +0200, Horchler, Joerg wrote:
> Hi Jerry, 
>  
> just a question to what I don't understand: I think on both servers nested 
> groups work correct (for example: I'm member of the group "sysop" which has 
> no unix ID. The group "sysop" itself is member of the group "admin" which has 
> the unix gid 500 in our Active Directory. When I type "id -a jhorchle" then I 
> can see that I'm in the group 'admin'. This is the correct behaviour isn't 
> it?)
> So our idmap backend is 'ad' but nested groups are working. 
>  
> I will check krb5 to see whether this works. 
>  
> Cheers 
> Jörg
> 
> 
> 
> From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
> Sent: Mon 21.08.2006 23:12
> To: Horchler, Joerg
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] samba and BUILTIN groups
> 
> 
> 
> 
> Jörg Horchler wrote:
> 
> > 'winbind nss info' from 'sfu' to 'rfc2307' everything
> > worked as expected in the first look. Winbind resolved
> > our Windows-Users and groups correct. (wbinfo and
> > getent work perfect!)
> >
> > But when I try to connect to a share on the server
> > I get the following error:
> >
> > [2006/08/18 15:22:19, 0] auth/auth_util.c:create_local_nt_token(903)
> >   create_local_nt_token: Failed to create BUILTIN\Administrators group!
> 
> 
> There's a limitation that nested groups can only work
> if you have a allocating idmap backend (tdb or ldap).
> Please file a bug to help me track this.
> 
> But this is not causing the authentication failure you
> are seeing.  Check your Krb5 client install to track that
> down.
> 
> 
> 
> 
> 
> cheers, jerry
> =
> Samba--- http://www.samba.org 
>  
> Centeris ---  http://www.centeris.com 
>  
> "What man is a man who does not make the world better?"  --Balian


Re: [Samba] What about MS06-040

2006-09-05 Thread Gerald (Jerry) Carter

[EMAIL PROTECTED] wrote:
> Hi,
> 
> I have some problems with computer browser and Net Logon.
> I suspect the MS-patches named MS06-40 (921883).
> 
> http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx
> 
> Could anyone confirm if these patches cause problems or not.


I've not noticed any issues with the MS patch and Samba.



cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


Re: [Samba] Non-root accounts cannot join the Samba PDC:s domain

2006-09-05 Thread BJörn Lindqvist

BJörn Lindqvist wrote:
> It is inconsistent with other "net" commands. I.e:
>
> net rpc user info someuser
>
> where the name does not have to be fully qualified

The net command is a kitchen sink that needs to be
broken into multiple commands.  You don't have to qualify
the name in your example because it is implicitly
qualified by the domain of the server you are connecting to.


I see, thanks.


>> > net rpc rights grant Everybody SeMachineAccountPrivilege
>>
>> This is a security hole.  I really would recommend
>> against this.  It's about the same as 'guest account = root'.
>
> Why? If it is, then how else do you enable computers to
> join your domain?

It's the same as saying 'admin users = +users'.

I suggest creating a group mapping (let's call it "Unix Admins")
and then running


I still don't understand why this is a security hole. And even if
it is, I see no other way to solve my problem. There are a few
hundred computers all connected to a Windows Active Directory. They
all need to join the Samba domain. The only feasible way I know of
making the transition is to give all users the
SeMachineAccountPrivilege and then have each user migrate his or her
own computer.

--
Best regards, Björn


[Samba] What about MS06-040

2006-09-05 Thread stephane . purnelle
Hi,

I have some problems with computer browser and Net Logon.
I suspect the MS-patches named MS06-40 (921883).

http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx

Could anyone confirm if these patches cause problems or not.

Actually I use samba 3.0.21c and I would like to know if samba 3.0.23c 
could resolve the problem.


thanks


Stéphane Purnelle

---
Stéphane PURNELLE [EMAIL PROTECTED]
Service Informatique   Corman S.A.   Tel : 00 32 087/342467


[Samba] smbmount and smbumount

2006-09-05 Thread Luca Manganelli

Hi,

I'm using Ubuntu Dapper Drake 6.06 and Samba 3.0.22 provided by default.

I mounted a samba share:

 smbmount //testpc/folder  /home/myuser/folder  -o username=,passwd=

it mounted successfully.

If I do the 'mount' command, I see the samba mounted folder on my mounts.

I did some operations and then umounted it:

 smbumount /home/myuser/folder

The 'mount' command shows me that the folder isn't mounted,

BUT:

I can see inside it and do file operations. The folder isn't umounted.
And I cannot umount it because it is not in mount list anymore.


Any suggestions?