RE: [Samba] Adding users with usrmgr/smbldap-useradd
Hi,

have a look at LDAP Suffix, usersdn, computersdn and so on in smbldap.conf. Are they configured right? We have also set slaveLDAP and masterLDAP values. I don't rely on (If not defined)

Kind regards

Benjamin Oeltze
Systems Engineer S DE SE PS N/O
Fujitsu Siemens Computers
Hildesheimer Str. 25
30880 Laatzen
Telephone: 05118489 1872
Mobile: 016096354617
Email: [EMAIL PROTECTED]
Internet: http://www.fujitsu-siemens.com

From: [EMAIL PROTECTED] on behalf of Mark Rutherford
Sent: Fri 01.12.2006 17:08
To: samba@lists.samba.org
Subject: [Samba] Adding users with usrmgr/smbldap-useradd

Samba 3.0.23d, on Debian Sarge - using the samba.org packages
smbldap-tools 0.9.2

Greetings all,

I am trying to set up a new PDC using LDAP, etc. Adding/deleting/modifying users in LDAP works fine using phpldapadmin. These users also work just fine logging in/out. I am trying to get the usrmgr tool to also work, so I'm working on the scripts on the server. I am getting this error however when I use smbldap-useradd:

    Can't call method get_value on an undefined value at ./smbldap-useradd line 197, <DATA> line 283.

The line in the file contains the following code:

    $userGroupSID = $group_entry->get_value('sambaSID');

Not being a perl expert, not really sure what it wants. In smbldap.conf I have this set:

    SID=S-1-5-21-1662024183-4127337904-449993581

Unless it wants something else? I really have no idea on this one. I am assuming that since this is not working on the server that usrmgr is not going to work either.

I can add machines using the same script (smbldap-useradd -w %u). I am running this to add users as such:

    smbldap-useradd -a %u

Some oddities with usrmgr also. In usrmgr all the users that were added to LDAP do exist. There are no groups shown in the bottom of the view in the groups area. I can modify the users to my heart's desire, changing their passwords, logon times, etc. and that all works.

If I try to add a group I get an 'access denied'. If I try to add a user I get an error 'the username could not be found' (I am assuming this is because there is no working script? YET.)

I know not all of the windows management tools actually work, but as long as users can be removed/added it really does not matter to me. I can add machines using srvmgr and that also works fine.

Ideas anyone?

Thanks for the help

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Cannot rename file
Any takers on this question - I've got no replies so far.

Thanks
Pieter Viljoen

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pieter Viljoen - MWEB
Sent: Thursday, November 30, 2006 23:37
To: samba@lists.samba.org
Subject: [Samba] Cannot rename file

Hi

I've upgraded my OS from Redhat AS2.1 to Redhat AS4. The samba upgraded from samba-2.2.7-3.21as to samba-3.0.10-1.4E.9. I use this only to see the Linux filesystem as a drive on my PC.

The problem is that I cannot rename a file. Put, Get and Copy work fine. The error I get (after about 30 sec) is any of the following (no specific pattern):

    Cannot rename filename: The specified network name is no longer available.

or

    Cannot rename filename: The path is too deep

filename = the file on disk without the extension

All information I got so far relates to file links or network problems. None of these are applicable.

Thank you
Pieter Viljoen
Re: [Samba] Cannot rename file
Pieter Viljoen - MWEB wrote:
> Any takers on this question - I've got no replies so far.

We need more information about your system. Please post your smb.conf. What is your client OS (Windows 9x/NT/2k/XP/Vista,...)?

Regards
[Samba] restrict what users can log onto each workstation
I have a Samba server with Windows XP clients, and roaming profiles for every user. At this moment everyone can log onto any workstation, but it shouldn't be like that: there are some workstations where anyone can log into, but three of them should be restricted to some specific users.

I thought about making local users for them, but we need all users to have roaming profiles, I can't make local users except for the Administrator account.

Can this be done with Samba?
Re: [Samba] Macro expansion in LDAP entries like %L no longer works with 3.0.23d
Thanks for your reply. You're right, it's my fault. I overlooked this new option since 3.0.21 in whatsnew.txt. Maybe it should also be mentioned in the explicit Changes to passdb backend section. ;-)

Now I have one question: According to an old discussion http://lists.samba.org/archive/samba/2004-January/078010.html it sounds like macro-expansion for the ldap-backend is something like an undocumented feature. Is this right and may it disappear in the future?

Best regards,
Oli

On Monday 04 December 2006 07:05, Volker Lendecke wrote:
> On Sun, Dec 03, 2006 at 11:26:41PM +0100, Oliver Burtchen wrote:
> > I just want to note this for other users having problems with roaming profiles after upgrading their samba. As far as I can see this change is not described somewhere else.
> >
> > I updated a samba PDC from 3.0.21b to 3.0.23d and had problems logging in on Windows XP using roaming profiles complaining just about not finding a network-path. Profiles could not be loaded. It took me 1 day to figure out that ldap entries like
> >
> >     sambaProfilePath: \\%L\Profiles
> >     sambaHomePath: \\%L\home
> >
> > no longer work like they did with samba 3.0.21b. Now you have to hard-code the path like
> >
> >     sambaProfilePath: \\Servername\Profiles
> >     sambaHomePath: \\Servername\home
> >
> > for all users in ldap. Hope this helps someone having the same problem.
>
> Look at the changed defaults, now you have to set
>
>     passdb expand explicit = yes
>
> Volker
Re: [Samba] restrict what users can log onto each workstation
Hi,

Toni Casueps wrote:
> ... but three of them should be restricted to some specific users.

You can create a special account for these computers and, if you use LDAP, add the machine name (without $) to attribute sambaUserWorkstations of the user. You can do this with the usermanager too, if you configured your smb.conf right.

Best regards
Marc

--
Marc Muehlfeld
Zentrum fuer Humangenetik und Laboratoriumsmedizin Dr. Klein und Dr. Rost
Lochhamer Str. 29 - D-82152 Martinsried
Telefon: +49(0)89/895578-0 - Fax: +49(0)89/895578-78
http://www.medizinische-genetik.de
Re: [Samba] Users that can add computers to Domain
timothy johnson wrote:
> have every else in samba working right now, except printers, but since I haven't tried that, nor do I know how I can benefit from using samba for printing. Anyways any help in the right direction would help.

A little hint on your printing system would have been helpful. If you use cups, this link (and the whole domain, of course...) might be interesting:

http://us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/CUPS-printing.html

timbo
Re: [Samba] can join a domain, but users are not able to log in
Chris Hellwig wrote:
> - the attached log file is the clients log (log.clientname)
> - in that log-file one can find Checking password for unmapped user [EMAIL PROTECTED] with the new password interface where poseidon is the clients name. But there is nothing in the log-file which points to a users name.

did you set the smbpasswd for the user?

And: I got it from your mail that you added the client to the domain on the server. Is that right? I add my clients from the client machine (Win2K: System settings - System - Domain membership or whatever, don't have windows at home :-) This works good for me and I didn't know there was a different way; I figured that the domain settings need to be processed by the client. Maybe you should join the domain from the client and try again.

But these are amateur thoughts of course ;-)

Hth,
timbo
Re: [Samba] Facing Problem for Window XP Client On Samba PDC
Junaid wrote:
> Hi, I want to make Samba PDC, I have created domain and now when I give name of domain in WindowXP it requires the password, I do it by user name=root its password. But it gives error. Unknown User or bad password.

Did you set the smbpasswd for root?

timbo
RE: [Samba] Strange behaviour with shares
That snippet of code doesn't tell much. And the file should be smb.conf, not samba.conf. Could you post the entire contents of the file smb.conf located at /etc/samba?

If what you say is accurate, then my guess is there is a section called [share installs] in the smb.conf.

James Dinkel

-----Original Message-----
From: sp4mmed Hotmail

I have recently discovered a rather strange happening with regards to shares on one of our servers. A user wanted to access a folder on our public directory and typed in the following in their explorer:

    \\server\share installs

What happened then is the strange part: they came face-to-face with the root folder of the server!

I'm not an expert and the shares were set up by a techie who has since left the company, so I couldn't ask him what he had done. Here is a snippet of the samba.conf file that pertains to the above share:

    [server]
    path = /shares/share
    read only = No
    create mask = 0777
    force create mode = 0777
    directory mask = 0777
    force directory mode = 0777
    guest only = Yes
    guest ok = Yes

As I said, I am not an expert, but the create mask, directory mode, etc seem a little strange to me.

Our samba server version is 3.0.23a-1

If anyone has any suggestions or needs any further information with regards to this, please let me know. I would hate to think that I have a broken server implementation here. (Although I wouldn't be too surprised!)

Many thanks
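The [server] section quoted in the message above enables guest access on a writable share and forces mode 0777 on everything created through it. As an added example (not from the thread and not Samba's own tooling), this script flags those combinations in an smb.conf fragment; the function names, the finding labels and the tightened counter-example with its @staff group are constructed for illustration.

```python
import configparser

TRUE_WORDS = {"yes", "true", "on", "1"}
# Synonyms documented in smb.conf(5), keyed by normalised parameter name.
SYNONYMS = {"public": "guestok", "createmode": "createmask",
            "directorymode": "directorymask"}
# These parameters are inverted synonyms of "read only".
INVERTED_READ_ONLY = {"writable", "writeable", "writeok"}

# The share section as quoted in the message above.
POSTED_SHARE = """\
[server]
path = /shares/share
read only = No
create mask = 0777
force create mode = 0777
directory mask = 0777
force directory mode = 0777
guest only = Yes
guest ok = Yes
"""

# Constructed counter-example: same path, no guest access, no world bits.
TIGHTENED_SHARE = """\
[server]
path = /shares/share
read only = No
valid users = @staff
create mask = 0660
force create mode = 0660
directory mask = 0770
force directory mode = 0770
guest ok = No
"""


def normalise(name):
    """smb.conf parameter names ignore case and embedded whitespace."""
    key = "".join(name.lower().split())
    return SYNONYMS.get(key, key)


def load_sections(text):
    """Parse smb.conf text into {section: {normalised parameter: value}}."""
    parser = configparser.RawConfigParser(
        strict=False, delimiters=("=",), comment_prefixes=("#", ";"))
    parser.optionxform = normalise
    parser.read_string(text)
    return {name.lower(): dict(parser.items(name)) for name in parser.sections()}


def audit_shares(text):
    """Return {share: [finding, ...]} for guest-writable and world-writable setups."""
    sections = load_sections(text)
    defaults = sections.pop("global", {})     # [global] values apply to every share
    results = {}
    for share, params in sections.items():
        merged = {**defaults, **params}
        read_only = True                      # Samba's default for "read only"
        for key, value in merged.items():
            truthy = value.strip().lower() in TRUE_WORDS
            if key == "readonly":
                read_only = truthy
            elif key in INVERTED_READ_ONLY:
                read_only = not truthy
        guest_ok = merged.get("guestok", "no").strip().lower() in TRUE_WORDS
        findings = []
        if guest_ok and not read_only:
            findings.append("guest-writable")
        # "force ... mode" bits are OR-ed onto everything created via the share.
        if int(merged.get("forcecreatemode", "0"), 8) & 0o002:
            findings.append("forced-world-writable-files")
        if int(merged.get("forcedirectorymode", "0"), 8) & 0o002:
            findings.append("forced-world-writable-dirs")
        results[share] = findings
    return results


if __name__ == "__main__":
    print(audit_shares(POSTED_SHARE))
    print(audit_shares(TIGHTENED_SHARE))
```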
Re: [Samba] Removing display of domain
It was magically cleared up by (yet another) reboot. Go figure. Thanks for the assist.

Guenter Schillinger wrote:
> Hello,
> make sure that nscd isn't running.
> Günter
[Samba] test
please ignore, just testing if i can post to the list! :)

--
Victor Medina [EMAIL PROTECTED]
[Samba] disable printing ?
Hi,

is it possible to disable the whole printing subsystem?

When our cups server is hanging, the samba print server is also not working, but the file server (which is not printing and also not sharing any printer) is looking for the printer list.

It's a Novell SLES 9 running samba-3.0.20b-3.4.

Bye,
Peer
[Samba] LDAP, checkpwnam and PDC
Hiya,

I'm trying to set up a Samba PDC with an LDAP backend. I experienced problems joining machines to domains, the machine account was created, but Windows said user name cannot be found. I resolved this by adding ldap to /etc/nsswitch.conf, but this has the side effect of allowing ldap users to login to the server via SSH.

Whilst I can understand the need for LDAP users to be accessible to the system, i.e. checkpwnam etc for permissions, I don't want users to be able to login to anywhere except the client Windows 2000/XP boxes. People (only 3) who can login via SSH already have real user accounts in /etc/passwd etc. Is there a way to stop this being allowed?

Thanks.
Ben
Re: [Samba] LDAP, checkpwnam and PDC
Hi,

On 12/4/06, Ben Wheare [EMAIL PROTECTED] wrote:
> Hiya,
>
> I'm trying to set up a Samba PDC with an LDAP backend. I experienced problems joining machines to domains, the machine account was created, but Windows said user name cannot be found. I resolved this by adding ldap to /etc/nsswitch.conf, but this has the side effect of allowing ldap users to login to the server via SSH.
>
> Whilst I can understand the need for LDAP users to be accessible to the system, i.e. checkpwnam etc for permissions, I don't want users to be able to login to anywhere except the client Windows 2000/XP boxes. People (only 3) who can login via SSH already have real user accounts in /etc/passwd etc. Is there a way to stop this being allowed?

Check your sshd (/etc/ssh/sshd_config) configuration, specially the AllowUsers and/or AllowGroups options.

--
Carlos Eduardo Pedroza Santiviago
[Fwd: Re: [Samba] Migrating to samba from windows NT domain]
Yes, this would be possible;

1. Vampire your accounts on to a new Samba DC
2. Disconnect it from network
3. Demote your NT DCs
4. Rejoin them to the Samba Domain

NOTE: As the other person said, while possible, this would be a bitch of a job. You said you need to maintain your NT server anyway, why not just put the files and printers and what not on samba and leave the user accounts to NT for the time being. Hell you could even throw your NT hosts inside a virtualisation product to throw in some redundance / fault tolerance.

Short answer: be prepared for a lot of planning, testing, backing up, recovering before you attempt this. Otherwise rethink your mode of attack.

Cheers,

On 11/30/06, James Watkins [EMAIL PROTECTED] wrote:
> On Saturday 25 November 2006 10:18, Pere Rodríguez wrote:
> > Unfortunately I have running various services in PDC and BDC servers that I must remain after the migrations, so I can't stop PDC and BDC servers permanently after the migration to Samba. Can I deactivate PDC and BDC services in Windows NT servers?
>
> According to this document:
>
> http://www.microsoft.com/technet/archive/winntas/proddocs/concept/xcp01.mspx?mfr=true
>
> (scroll down to the section Removing a Computer from a Domain) it is not possible to remove a BDC from a domain without reinstalling the OS. However, there are commercial products which claim to be able to 'demote' a BDC to a standalone server, allowing the administrator to rejoin it to the same, or presumably another domain as a member server. Note: I have never used any of these products and cannot comment on how well they work, if at all.
>
> I think you may have a lot of work on your hands here since samba is not able to join a domain as a BDC when the PDC is on NT so it's not a simple demote-promote exercise. You may need to create a whole new samba-based domain.
>
> I'm not an expert at this so I can't offer you much practical advice but if you decide to go ahead with it, I wish you the very best of luck.
>
> Cheers,
> James.

--
IK
Re: [Samba] LDAP, checkpwnam and PDC
If you don't want some users to be able to login using their posix accounts give to them a null shell, put /bin/false in the shell attribute. I don't know what distribution you use or what is the default of idealx scripts, but in Debian, smbldap-tools (the packaged idealx scripts) does that by default. That way any access that requires a shell will not work for these users.

Regards.

Edmundo Valle Neto

Ben Wheare wrote:
> Hiya,
>
> I'm trying to set up a Samba PDC with an LDAP backend. I experienced problems joining machines to domains, the machine account was created, but Windows said user name cannot be found. I resolved this by adding ldap to /etc/nsswitch.conf, but this has the side effect of allowing ldap users to login to the server via SSH.
>
> Whilst I can understand the need for LDAP users to be accessible to the system, i.e. checkpwnam etc for permissions, I don't want users to be able to login to anywhere except the client Windows 2000/XP boxes. People (only 3) who can login via SSH already have real user accounts in /etc/passwd etc. Is there a way to stop this being allowed?
>
> Thanks.
> Ben
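The two replies in this thread suggest different controls: AllowUsers/AllowGroups in sshd_config, and a /bin/false login shell on the LDAP accounts. The following added example (not code from the thread) reports which accounts visible through nsswitch would still get an SSH shell under a given sshd_config. The account data, the group name sshadmins and the function names are constructed for illustration; Match blocks, negated patterns and the Deny* keywords are not modelled.

```python
import fnmatch

# Shells that end the session immediately instead of giving a prompt.
NOLOGIN_SHELLS = {"/bin/false", "/usr/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Constructed sample data in `getent passwd` / `getent group` format:
# one local admin plus LDAP users and a machine account exposed via nsswitch.
PASSWD = """\
admin1:x:1000:1000:local admin:/home/admin1:/bin/bash
jdoe:x:10001:513:LDAP user:/home/jdoe:/bin/bash
asmith:x:10002:513:LDAP user:/home/asmith:/bin/false
pc01$:x:20001:515:machine account:/dev/null:/bin/false
"""
GROUP = """\
sshadmins:x:900:admin1
Domain Users:x:513:
"""

SSHD_DEFAULT = "# no AllowUsers / AllowGroups lines\nPasswordAuthentication yes\n"
SSHD_RESTRICTED = "PasswordAuthentication yes\nAllowGroups sshadmins\n"


def parse_allow_lists(sshd_config):
    """Collect AllowUsers / AllowGroups patterns from the global part of sshd_config."""
    allow = {"allowusers": [], "allowgroups": []}
    for line in sshd_config.splitlines():
        words = line.split("#", 1)[0].split()
        if not words:
            continue
        keyword = words[0].lower()            # sshd keywords are case-insensitive
        if keyword == "match":                # assumption: Match blocks are ignored
            break
        if keyword in allow:
            allow[keyword].extend(words[1:])  # repeated lines accumulate
    return allow


def groups_of(user, primary_gid, group_text):
    """Names of the user's primary and supplementary groups."""
    names = set()
    for line in group_text.splitlines():
        if not line.strip():
            continue
        name, _pw, gid, members = line.split(":", 3)
        if gid == primary_gid or user in members.split(","):
            names.add(name)
    return names


def ssh_exposure(passwd_text, group_text, sshd_config):
    """Map each account to 'denied', 'no-shell' or 'shell'."""
    allow = parse_allow_lists(sshd_config)
    report = {}
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        user, gid, shell = fields[0], fields[3], fields[6]
        permitted = True
        if allow["allowusers"]:
            # USER@HOST patterns are reduced to their USER part here.
            permitted = any(fnmatch.fnmatchcase(user, p.split("@")[0])
                            for p in allow["allowusers"])
        if permitted and allow["allowgroups"]:
            groups = groups_of(user, gid, group_text)
            permitted = any(fnmatch.fnmatchcase(g, p)
                            for g in groups for p in allow["allowgroups"])
        if not permitted:
            report[user] = "denied"      # sshd rejects the login outright
        elif shell in NOLOGIN_SHELLS:
            report[user] = "no-shell"    # sshd accepts the login, session gets no shell
        else:
            report[user] = "shell"
    return report


if __name__ == "__main__":
    for label, cfg in (("default", SSHD_DEFAULT), ("restricted", SSHD_RESTRICTED)):
        print(label, ssh_exposure(PASSWD, GROUP, cfg))
```

A "no-shell" result means sshd still accepts the account's credentials, so only the "denied" result from an allow list keeps the LDAP accounts out of sshd altogether.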
[Samba] Samba problem with web farm
Hello list,

After using NFS with windows with the SFU windows extensions and some sad stories with it, I have decided to migrate to samba. Good choice because everything is right except one thing.

I get an error on an ASP .NET application only. I get a Failed to start monitoring changes to '\\UNCSERVER\path\aspapplication'.

I have searched on internet and found some things about this. First: http://support.microsoft.com/kb/810886

I set the value on the client http server to the maximum. But the message continues to appear. When I run the filemon.exe I get a:

    19:30:27w3wp.exe:13572 DIRECTORY \\UNCSERVER\path\aspapplication\TOO MANY COMMANDS Change Notify

The TOO MANY COMMANDS seems to relate to the MaxCmds, but I have put it at its maximum, in the registry or a samba limitation?

When I browse the repertory from explorer.exe no problems and no errors. When I restart iis the website works very well but after 10 minutes I get this message. Nothing appears in the smbstatus in relation with the ASP application... It runs on a unique share path.

I have found some posts which deal with this problem on this list with no responses/solutions.

I can give a wireshark capture from a windows http server to a developer, run my samba in debug mode and make a dump while this occurs.

Thanks in advance for the resolution of this problem.

Salutations
[Samba] LDAP Change, file browsing pause
After switching from Netscape LDAP to OpenLDAP, file browsing has a random 10-20 second pause or hesitation when opening explorer or File-Open dialog boxes. After the initial pause, the directory browsing runs lightning fast.

The pause cannot be consistently recreated, but occurs often at random times throughout the day. This occurs after the users' machines have been idle (or share has been idle) for 10 minutes or greater. Sometimes a machine can sit for hours and have no pause. There are no errors being generated by samba, and nothing ever times out, but there is a definite random lengthy pause.

The system was running great before the LDAP change with several thousand users. The only statement that changed in the samba config was the ldap address. I am not the admin for the LDAP system so I cannot post the config.

Any comments or tips would be greatly appreciated.

Environment:
Servers: RHEL4
SAMBA Ver: 3.0.8
12 SAMBA servers with 300 to 6000 users each, spread in different LANS
1 Central LDAP system

Pertinent smb.conf entries:

    [global]
    workgroup = x
    server string = Administration Server
    obey pam restrictions = Yes
    passdb backend = ldapsam:ldap://x
    algorithmic rid base = (different for each server)
    passwd program = /usr/bin/passwd %u
    unix password sync = Yes
    log file = /var/log/samba/%m.log
    smb ports = 139
    time server = Yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    load printers = No
    logon script = USERS/%u.bat
    logon path =
    logon drive = F:
    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
    dns proxy = No
    wins support = Yes
    ldap admin dn = cn=xx
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=People
    ldap suffix = dc=xxx,dc=xx
    ldap ssl = no
    ldap user suffix = ou=People

Thanks!
TOM
[Samba] PDC/BDC trouble
All,

I'm using an LDAP backend for a test PDC/BDC setup. Both the PDC and BDC are using the same LDAP server. Both the PDC and BDC are running 3.0.23c on Sarge, and I've verified that both the PDC and BDC will authenticate users via smbclient. XP clients are able to login to the domain fine, and all is generally swell. My PDC is also my WINS server, and I've verified that XP clients on other subnets see two DOMAIN#1c records, so both DCs are being presented to clients.

The problem I'm having is this: When SMBD on the PDC stops, XP clients will no longer authenticate; the specific error is the system cannot log you on now because the domain GSS is not available. NMBD is still running, and XP clients still see 2 #1c records. Why don't my XP clients fail over to my BDC?

Both the PDC and BDC are operating in their designated roles:

    test-pdc:/etc/samba# testparm
    Load smb config files from /etc/samba/smb.conf
    Processing section [netlogon]
    Loaded services file OK.
    Server role: ROLE_DOMAIN_PDC

    test-bdc:/var/log/samba# testparm
    Load smb config files from /etc/samba/smb.conf
    Processing section [netlogon]
    Loaded services file OK.
    Server role: ROLE_DOMAIN_BDC

smb.conf is pretty similar on both machines; the full file is included below. Here are the differences:

[EMAIL PROTECTED]:~/documents/Samba3/backup$ diff pdc.smb.conf bdc.smb.conf 3,4c3,4 netbios name = GSS-PDC server string = Samba 3 PDC --- netbios name = GSS-BDC server string = Samba 3 BDC 13c13 os level = 255 --- os level = 200 15,16c15,16 domain master = yes preferred master = yes --- domain master = no preferred master = no 18c18 wins support = yes --- wins server = 172.21.24.5 # test-pdc's IP address

The same SID is returned for both machine and domain queries on the PDC and BDC:

    test-pdc:~# net getlocalsid GSS
    SID for domain GSS is: S-1-5-21-1079125125-2089603153-
    test-pdc:~# net getlocalsid
    SID for domain GSS-PDC is: S-1-5-21-1079125125-2089603153-
    test-bdc:~# net getlocalsid GSS
    SID for domain GSS is: S-1-5-21-1079125125-2089603153-
    test-bdc:~# net getlocalsid
    SID for domain GSS-BDC is: S-1-5-21-1079125125-2089603153-

How can I ensure that XP clients will authenticate against the BDC if the PDC is unavailable?

Thanks,
Ryan

### smb.conf on the PDC ###

    [global]
    workgroup = GSS
    netbios name = GSS-PDC
    server string = Samba 3 PDC
    passwd program = /opt/ChangePasswordSecure %u
    passwd chat timeout = 6
    passwd chat = *new*password* %n\n *new*password* %n\n *successfully* .
    unix password sync = Yes
    log level = 1
    max log size = 0
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    os level = 255
    domain logons = yes
    domain master = yes
    preferred master = yes
    dns proxy = no
    wins support = yes
    preexec = sh -c 'echo Welcome to GSS domain | /usr/bin/smbclient -M %m -I %i '
    enable privileges = yes
    passdb backend = ldapsam:ldap://ldapserver.1240.good-sam.com;
    ldap admin dn = cn=Directory Manager
    ldap suffix = o=good-sam.com
    add machine script = /usr/sbin/smbldap-useradd -w %u /tmp/smbldap-useradd-machine.log 21
    rename user script = /usr/sbin/rename.pl %unew %uold /tmp/smbldap-rename-machine.log 21

    [netlogon]
    comment = Network Logon Service
    path = /opt/netlogon
    write list = user1, user2
    guest ok = Yes
Re: [Samba] smbd_audit: log_success() failed to get vfs_handle->data!
Greetings, Volker

> > ===
> > Nov 30 15:07:56 calypso smbd_audit: [2006/11/30 15:07:56, 0] modules/vfs_full_audit.c:log_success(682)
> > Nov 30 15:07:56 calypso smbd_audit: log_success() failed to get vfs_handle->data!
> > ===
>
> Can you send a debug level 10 log?
>
> Thanks,
>
> Volker

Well, full log of simple creation of one folder and changing ACLs on it is for about 4Mb of text, so I've selected only interesting things (on my point of view =) ). But, IMHO, this log gives nothing interesting...

I have test machine, also running freebsd-5.3, samba-3.0.23d and it has same samba config as on working servers. It has share, named ports, which is located in /usr/ports/distfiles/1. Here folder 123 was created, file 2.8.5rel.3.patch.gz was copied, and then ACLs on 123 were changed.

===
[2006/12/04 11:45:12, 10] smbd/service.c:set_conn_connectpath(122)
  set_conn_connectpath: service ports, connectpath = /usr/ports/distfiles
[2006/12/04 11:45:12, 3] smbd/vfs.c:vfs_init_default(219)
  Initialising default vfs hooks
[2006/12/04 11:45:12, 3] smbd/vfs.c:vfs_init_custom(247)
  Initialising custom vfs hooks from [full_audit]
Successfully loaded vfs module [full_audit] with the new modules system
[Samba] One share works, one doesn't
I'm using FC6 and Windows XP Pro. I have two shares defined as such:

    [docs]
    comment = My documents
    path = /home/gmc/for_backup
    read only = no
    public = no
    valid users = gmc

    [vmware]
    path = /vmware
    read only = yes
    public = no
    valid users = gmc

The directories look like this:

    [EMAIL PROTECTED] for_backup]# ls -ld /home/gmc/for_backup /vmware
    drwxr-xr-x 19 gmc gmc 4096 Dec 2 11:51 /home/gmc/for_backup
    drwxr-xr-x 8 gmc gmc 1024 Dec 3 00:09 /vmware

I get the following messages when connecting to the shares:

    [2006/12/04 11:50:28, 0] smbd/service.c:make_connection_snum(911)
      '/home/gmc/for_backup' does not exist or permission denied when connecting to [docs] Error was Permission denied
    [2006/12/04 12:08:10, 1] smbd/service.c:make_connection_snum(941)
      gordonxpc (10.1.1.11) connect to service vmware initially as user gmc (uid=500, gid=500) (pid 4898)

Why can I connect to vmware, which is read-only, but not docs, which is rw? The connection to vmware shows it's using user gmc which has rw permissions on the directory. I'm using user level security. I don't think anything else in the global section matters here.
[Samba] Write permissions no working
I am having a problem assigning write permissions to shares. I have joined my RHEL 4 server to our Windows 2003 domain and have gotten to authenticate through Active Directory. I can log on to the machine using my Windows AD account. However, any shares I create seem to be read only. I can't create files/folders in the shares or modify the documents from my Windows machine.

One of my share definitions is below. If you need to see the rest of my SMB.conf file, let me know. The snippet below should give SBM\Domain Admins read access and the SBM\agiuoco account write access to the snmp share, correct?

    [snmp]
    path = /etc/snmp/
    read list = @SBM+Domain Admins
    write list = SBM+agiuoco
    public = no
    browseable = no

___
Aaron Giuoco
Systems Admin
Atlantia Offshore Limited
e: [EMAIL PROTECTED]
ph: 281-899-4385
[Samba] Broken pipe errors on samba server
I'm running a fairly simple samba server on a sun V440, solaris 9
Samba version: 3.0.10
smbd daemon only

In the server logs I'm getting:

    write_socket_data: write failure. Error = Broken pipe
    write_socket: Error writing 4 bytes to socket 5: ERRNO = Broken pipe
    Error writing 4 bytes to client. -1. (Broken pipe)
    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    Closing connections
    Yielding connection to
    Server exit (process_smb: send_smb failed.)
    timeout_processing: End of file from client (client has disconnected).

The XP Pro clients report few problems (other than occasional performance). Wondering if these error messages are an issue and how I might correct them.

Here is my smb.conf file:

    # Samba config file
    # Date: Mon Oct 24 09:47:54 PDT 2005

    # Global parameters
    [global]
        workgroup = HANFORD
        server string = rlp3ep Samba Server
        security = SHARE
        encrypt passwords = Yes
        min passwd length = 6
        passwd program = /usr/bin/passwd %u
        passwd chat = *password* %n\n *password* %n\n
        username level = 1
        unix password sync = Yes
        log level = 3
        syslog = 2
        log file = /usr/local/samba/var/log.%m
        max log size = 2000
        name resolve order = host
        deadtime = 15
        local master = No

    [homes]
        comment = rlp3ep User's home directories
        read only = No
        browseable = No

    [LCBaseline]
        comment = P3e Lifecycle Baseline
        path = /h/lcb
        username = lcb
        valid users = lcb
        read only = No
        create mask = 0640
        directory mask = 0750

    [ContractIGE]
        comment = P3e Contract Independent Government Estimates
        path = /h/cige
        username = cige
        valid users = cige
        read only = No
        create mask = 0640
        directory mask = 0750

    [ConvertHTM]
        comment = P3e to HTM file conversion
        path = /h/htmc
        username = htmc
        valid users = htmc
        read only = No
        create mask = 0640
        directory mask = 0750

    [IPC$]
        hosts deny = 0.0.0.0/0

Thanks,
Greg
[Samba] authenticating NT users with space in username?
I know it's ridiculous, but I have a userbase where every username has a space in it. IE: temp user. Is it possible to use samba to authenticate these users? So far I have been able to accept usernames without spaces flawlessly, but not the ones with spaces. Any help would be appreciated, thanks!
Re: [Samba] LDAP, checkpwnam and PDC
Hi,

Carlos Eduardo Pedroza Santiviago wrote:

People (only 3) who can login via SSH already have real user accounts in /etc/passwd etc.

You don't need to create special real user accounts, like you call them. Restrict sshd with AllowGroups, AllowUsers, DenyGroups and/or DenyUsers. Also you can set the loginShell-attribute in LDAP to /bin/false for users who don't need a shell.

Best regards
Marc

--
Marc Muehlfeld
Zentrum fuer Humangenetik und Laboratoriumsmedizin Dr. Klein und Dr. Rost
Lochhamer Str. 29 - D-82152 Martinsried
Telefon: +49(0)89/895578-0 - Fax: +49(0)89/895578-78
http://www.medizinische-genetik.de
Re: [Samba] can join a domain, but users are not able to log in
did you set the smbpasswd for the user?

Yes (otherwise I could not use the servers shares), I can use the server like a standalone server.

And: I got it from your mail that you added the client to the domain on

No, no... The client has to join

- Chris

Tim Boneko wrote:

Chris Hellwig wrote:

- the attached log file is the clients log (log.clientname)
- in that log-file one can find Checking password for unmapped user [EMAIL PROTECTED] with the new password interface where poseidon is the clients name. But there is nothing in the log-file which points to a users name.

did you set the smbpasswd for the user? And: I got it from your mail that you added the client to the domain on the server. Is that right? I add my clients from the client machine (Win2K: System settings - System - Domain membership or whatever, don't have windows at home :-) This works good for me and I didn't know there was a different way; I figured that the domain settings need to be processed by the client. Maybe you should join the domain from the client and try again. But these are amateur thoughts of course ;-)

Hth, timbo
Re: [Samba] Samba and Heimdal Kerberos V Authentication
Matt Proud wrote:

Gemes, Thank you. I had seen this link a while ago. I had wanted to avoid placing authentication data in the LDAP database, but I guess that this could work. Have you done this yourself? Do you have any useful comments or suggestions to make? That schema file referenced in this document does not seem to be available. Where can I find it?

Best, Matt

On 11/29/06, Gémes Géza [EMAIL PROTECTED] wrote:

Matt Proud wrote:

Hello, I maintain a network of numerous Linux workstations, several Apples, and a few Windows machines. The Apples and Windows XP machines already grab shared data via Samba and the remaining data is exported to the Linux machines via NFS. I am in the process of migrating the existing authentication system from XYZ123 to Kerberos and going to place user data---with the exception of passwords into OpenLDAP. I am curious whether it is possible to have Samba authenticate against Kerberos as a password backend, particularly with the Heimdal implementation. I really am not much of a Windows guru and try to avoid the OS as much as possible; but I have gathered that from 2000 onwards it has supported Kerberos V for authentication. Would this mean that the winbind backend could be used to talk to the Kerberos server? I really want to avoid having to write any custom scripts or wrappers to synchronize passwords between Samba and Kerberos. What are everybody's thoughts?

Thank you, Matt

Recommended reading: http://www.pdc.kth.se/heimdal/heimdal.html#Using-LDAP-to-store-the-database

Cheers Geza

Yes I use it with ~1000 users, and it's working like a charm, you just have to take care of the ACLs of passwords stored on LDAP as stated on Samba and Heimdal documentations, also if you want nonsasl binds you may want to set the userPassword attributes to [EMAIL PROTECTED] I've attached my /usr/lib/sasl2/slapd.conf, /etc/default/saslauthd (I use debian), and hdb.schema (I've found it googling). Good Luck!
Geza

# Definitions for a Kerberos V KDC schema
#
# $Id: hdb.schema,v 1.3 2005/04/25 17:33:40 lha Exp $
#
# This version is compatible with OpenLDAP 1.8
#
# OID Base is iso(1) org(3) dod(6) internet(1) private(4) enterprise(1) padl(5322) kdcSchema(10)
#
# Syntaxes are under 1.3.6.1.4.1.5322.10.0
# Attributes types are under 1.3.6.1.4.1.5322.10.1
# Object classes are under 1.3.6.1.4.1.5322.10.2

# Syntax definitions

#krb5KDCFlagsSyntax SYNTAX ::= {
# WITH SYNTAX INTEGER
#--initial(0), -- require as-req
#--forwardable(1), -- may issue forwardable
#--proxiable(2), -- may issue proxiable
#--renewable(3), -- may issue renewable
#--postdate(4), -- may issue postdatable
#--server(5), -- may be server
#--client(6), -- may be client
#--invalid(7), -- entry is invalid
#--require-preauth(8), -- must use preauth
#--change-pw(9), -- change password service
#--require-hwauth(10), -- must use hwauth
#--ok-as-delegate(11), -- as in TicketFlags
#--user-to-user(12), -- may use user-to-user auth
#--immutable(13) -- may not be deleted
# ID { 1.3.6.1.4.1.5322.10.0.1 }
#}

#krb5PrincipalNameSyntax SYNTAX ::= {
# WITH SYNTAX OCTET STRING
#-- String representations of distinguished names as per RFC1510
# ID { 1.3.6.1.4.1.5322.10.0.2 }
#}

# Attribute type definitions

attributetype ( 1.3.6.1.4.1.5322.10.1.1
    NAME 'krb5PrincipalName'
    DESC 'The unparsed Kerberos principal name'
    EQUALITY caseExactIA5Match
    SINGLE-VALUE
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.5322.10.1.2
    NAME 'krb5KeyVersionNumber'
    EQUALITY integerMatch
    SINGLE-VALUE
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.5322.10.1.3
    NAME 'krb5MaxLife'
    EQUALITY integerMatch
    SINGLE-VALUE
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.5322.10.1.4
    NAME 'krb5MaxRenew'
    EQUALITY integerMatch
    SINGLE-VALUE
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.5322.10.1.5
    NAME 'krb5KDCFlags'
    EQUALITY integerMatch
    SINGLE-VALUE
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.5322.10.1.6
    NAME 'krb5EncryptionType'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.5322.10.1.7
    NAME 'krb5ValidStart'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
    SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.5322.10.1.8
    NAME 'krb5ValidEnd'
    EQUALITY generalizedTimeMatch
[Samba] Error looking up domain users
Hello,

I'm trying to query one of my remote domains for users via wbinfo -u --domain=EUROPE and receiving Error looking up domain users. I have been successfully able to look up users in multiple domains i.e. wbinfo -u --domain=UK. My current domain is called NTDOMAIN in which I have my Ubuntu Dapper (6.06) box, running winbind 3.0.22-1ubuntu3.1 and samba 3.0.22-1ubuntu3.1. NTDOMAIN is hosted on a NT4 SP6a PDC, EUROPE is a Windows Server 2003 R2 SP1, and 2-way trusts are established. I have winbind running as winbind -d 100 for maximum logging.

Steps I've tried:

* I have confirmed that the trust between NTDOMAIN - EUROPE validates (via Windows tools)
* Tried using a user account with full domain privileges in the EUROPE domain via wbinfo --set-auth=user=EUROPE/user%password but no change.
* Successfully logged in from one domain to another (i.e. an NTDOMAIN user logged in to a machine joined to the EUROPE domain, and vice versa)

While tailing the log /var/log/samba/0.0.0.0_0.0.0.0_winbindd_.log I see that the samba box successfully detects the PDC role server for the EUROPE domain and locates the correct IP address, the samba box tries to authenticate against the EUROPE domain using its NTDOMAIN computer account, and negotiates security authentication mechanisms. I then see this error in the log:

    [2006/12/04 16:05:04, 4] nsswitch/winbindd_cm.c:cm_prepare_connection(305)
      authenticated session setup failed with No logon workstation trust account

I don't understand this, the samba box would not have a workstation account in the EUROPE domain, it is joined to the NTDOMAIN domain.

I've attached results of some wbinfo commands.

    [EMAIL PROTECTED]:~# wbinfo -m
    UK
    EUROPE
    [EMAIL PROTECTED]:~# wbinfo --sequence:
    EUROPE : DISCONNECTED
    UK : 4969
    S-LNX003-50 : 1
    BUILTIN : 1
    NTDOMAIN : 34338
    [EMAIL PROTECTED]:~# wbinfo -D NTDOMAIN
    Name : NTDOMAIN
    Alt_Name :
    SID : deleted
    Active Directory : No
    Native: No
    Primary : Yes
    Sequence : 34338
    [EMAIL PROTECTED]:~# wbinfo -D EUROPE
    Name : EUROPE
    Alt_Name : europe.deleted
    SID : deleted
    Active Directory : Yes
    Native: No
    Primary : No
    Sequence : -1
    [EMAIL PROTECTED]:~# wbinfo -t
    checking the trust secret via RPC calls succeeded

/etc/samba/smb.conf:

    workgroup = NTDOMAIN
    security = domain
    password server = deleted deleted
    winbind separator = /
    winbind cache time = 10
    idmap uid = 1-2
    idmap gid = 1-2
    winbind enum users = yes
    winbind enum groups = yes
    obey pam restrictions = no
    winbind nested groups = yes

Any suggestions? I'd be happy to provide more log or configuration file data. Thanks very much!

--
Michael Coburn
Enterprise Systems Administrator
Re: [Samba] LDAP, checkpwnam and PDC
On 05/12/2006, at 4:28 AM, Ben Wheare wrote:

Hiya, I'm trying to set up a Samba PDC with an LDAP backend. I experienced problems joining machines to domains, the machine account was created, but Windows said user name cannot be found. I resolved this by adding ldap to /etc/nsswitch.conf, but this has the side effect of allowing ldap users to login to the server via SSH. Whilst I can understand the need for LDAP users to be accessible to the system, i.e. checkpwnam etc for permissions, I don't want users to be able to login to anywhere except the client Windows 2000/XP boxes. People (only 3) who can login via SSH already have real user accounts in /etc/passwd etc.

Do these people have multiple user accounts? (one for samba and one for their real one?) ... I would consider it a bad idea to do so (IMHO).

Is there a way to stop this being allowed?

The way I achieve this (since in my setup I'm the only person who is allowed to log into the linux boxes) is to make sure all other users have no password entry in the ldap database (note: they have the samba password entries, just not the posix one), and to make sure their home folder is /dev/null and their login shell is /bin/false. I think if there's also probably a shadow option that disables the posix account (haven't checked yet) - since my method may be able to be bypassed by a user executing a given command at the ssh command line - actually I'll look into that as soon as I get into work today. I'm not sure if doing that would actually prevent samba from using the account for SMB purposes.

--
Matt Skerritt
[EMAIL PROTECTED]
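The two replies in this thread rely on sshd's AllowUsers/AllowGroups/DenyUsers/DenyGroups directives and on a /bin/false login shell to keep LDAP-backed accounts out of SSH. The following is an added example, not code from the thread, Samba or OpenSSH, that classifies every account visible through NSS by which of those two controls (if any) stops it. The sample passwd/group/sshd_config text, the group name sshadmins and the status labels are constructed; it assumes only the global section of sshd_config and plain `*`/`?` patterns (no USER@HOST or negated patterns).

```python
import re

# Shells that end a session immediately (the loginShell approach from the thread).
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
ACL_KEYS = ("denyusers", "allowusers", "denygroups", "allowgroups")

# Constructed sample data in `getent passwd` / `getent group` format:
# one local admin, two LDAP users and a Samba machine account.
SAMPLE_PASSWD = """\
admin1:x:1000:1000:Local admin:/home/admin1:/bin/bash
jdoe:x:10001:513:LDAP user:/dev/null:/bin/false
asmith:x:10002:513:LDAP user:/home/asmith:/bin/bash
pc01$:x:20001:515:Machine account:/dev/null:/bin/false
"""
SAMPLE_GROUP = """\
sshadmins:x:1500:admin1
domusers:x:513:
"""
SSHD_OPEN = "Port 22\n"                             # no Allow*/Deny* lines
SSHD_RESTRICTED = "Port 22\nAllowGroups sshadmins\n"


def parse_passwd(text):
    """Return {user: (primary_gid, shell)} from passwd(5)-format lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            users[fields[0]] = (int(fields[3]), fields[6])
    return users


def parse_group(text):
    """Return ({gid: name}, {name: set(members)}) from group(5)-format lines."""
    by_gid, members = {}, {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 4:
            by_gid[int(fields[2])] = fields[0]
            members[fields[0]] = {m for m in fields[3].split(",") if m}
    return by_gid, members


def parse_sshd_access(text):
    """Collect Allow*/Deny* patterns from the global part of sshd_config."""
    acl = {key: [] for key in ACL_KEYS}
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if not words:
            continue
        key = words[0].lower()          # sshd keywords are case-insensitive
        if key == "match":              # conditional blocks are out of scope
            break
        if key in acl:
            acl[key].extend(words[1:])  # repeated directives accumulate
    return acl


def _matches(name, patterns):
    """True if name matches any pattern; only '*' and '?' are wildcards."""
    for pattern in patterns:
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, name):
            return True
    return False


def sshd_admits(user, groups, acl):
    """Apply the directives in sshd's order: DenyUsers, AllowUsers, DenyGroups, AllowGroups."""
    if _matches(user, acl["denyusers"]):
        return False
    if acl["allowusers"] and not _matches(user, acl["allowusers"]):
        return False
    if any(_matches(g, acl["denygroups"]) for g in groups):
        return False
    if acl["allowgroups"] and not any(_matches(g, acl["allowgroups"]) for g in groups):
        return False
    return True


def audit(passwd_text, group_text, sshd_text):
    """Return {user: status} where status names the control that stops SSH, if any."""
    users = parse_passwd(passwd_text)
    by_gid, members = parse_group(group_text)
    acl = parse_sshd_access(sshd_text)
    report = {}
    for user, (gid, shell) in users.items():
        groups = {g for g, m in members.items() if user in m}
        if gid in by_gid:
            groups.add(by_gid[gid])     # primary group counts as well
        if not sshd_admits(user, groups, acl):
            report[user] = "blocked-by-sshd"
        elif shell in NOLOGIN_SHELLS:
            # sshd still authenticates this account; only the shell ends the session.
            report[user] = "no-shell-only"
        else:
            report[user] = "interactive"
    return report


if __name__ == "__main__":
    for label, conf in (("open", SSHD_OPEN), ("restricted", SSHD_RESTRICTED)):
        print(label, audit(SAMPLE_PASSWD, SAMPLE_GROUP, conf))
```

On a live system the three inputs would come from `getent passwd`, `getent group` and the server's sshd_config; accounts reported as "interactive" that are not meant to be administrators are the ones to fix first.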
Re: [Samba] restrict what users can log onto each workstation
On 04/12/2006, at 9:56 PM, Toni Casueps wrote:

I have a Samba server with Windows XP clients, and roaming profiles for every user. At this moment everyone can log onto any workstation, but it shouldn't be like that: there are some workstations where anyone can log into, but three of them should be restricted to some specific users. I thought about making local users for them, but we need all users to have roaming profiles, I can't make local users except for the Administrator account. Can this be done with Samba?

OK, it sounds like your samba server is a PDC, so I'll assume it is. This solution won't work if it's not (I don't think). If I understand you correctly, you want these specific users to be able to log into any machine on the network (including the 3 restricted ones), right? And you want everybody else to be able to log into all the machines except the 3 restricted ones?

I'd probably do this by making a group which the specific users are all a member of (and nobody else), then go into the local security policies of the restricted workstations (Control Panel - Administrative Tools - Local Security Policy), and modify the entries Log on Locally and Deny logon locally to suit (which will involve putting your new group into the log on locally policy, and removing users from it, and probably a few others as well).

Note: I haven't tested this method, it's just the way I'd try going about it if I was in your shoes. You can probably even set the local security policies through System Policy if you use that - but you'll likely have to custom write your own policy template.

--
Matt Skerritt
[EMAIL PROTECTED]
[Samba] Re: QMAIL + SAMBA + LDAP
It's working... just by using ldap passwd sync. I thought userPassword was a field of qmailUser and ldap passwd sync didn't know it. I was trying to find a way to integrate them by using a backend or something like it. Thanks a lot.

P.S.: I received a lot of messages sent directly to me... there are a lot of Brazilians here. Does anyone know if there is a group like that here in Brazil?

--
Allysson Steve Mota Lacerda
[EMAIL PROTECTED]
http://www.stevelacerda.net
Re: [Samba] Winbindd question
Hi,

Matt Skerritt wrote:

- Insert the following lines on your PDC's smb.conf:

    winbind enum groups = yes
    winbind enum users = yes
    winbind trusted domains only = yes
    winbind use default domain = yes
    template homedir = /home/%U
    template shell = /bin/false

- Start Winbind.
- Join the PDC to its own domain (net rpc join)
- Check if it was successful (net rpc testjoin)
- Check if the shared secrets of Winbind are OK (wbinfo -t)
- Test if you can authenticate a user via winbind (wbinfo -a user%password)

I execute all steps, but wbinfo still only get groups and users of the trusted domain and not of the PDC itself. I configured nsswitch.conf for winbind, so that I get the user and groups of the trusted domain too, when I execute getent.

The funny thing is, when I add TRUSTDOMAIN\user to a local group and su to that user (after template shell = /bin/bash), I can access shares that this group is allowed to, when I'm logged in as that user e. g. via ssh. But when I try to access the same folder over samba, I get an access-denied-error.

Any ideas?

Best regards
Marc

--
Marc Muehlfeld
Zentrum fuer Humangenetik und Laboratoriumsmedizin Dr. Klein und Dr. Rost
Lochhamer Str. 29 - D-82152 Martinsried
Telefon: +49(0)89/895578-0 - Fax: +49(0)89/895578-78
http://www.medizinische-genetik.de
Re: [Samba] howto force file deletion with restricted permissions
with delete readonly = yes I have a workaround, but then all users can delete a file with restricted permissions, not only the owner of the directory. Nobody any idea?

thanks, Peter

Hi, I'm running recent samba with acls and ldap (no force user or force group). Now I have a problem with file deletion. If a user A gives user B write permission on a directory and user B restricts the permission of his files in the directory of A (e.g. r, can be done via windows), then user A is not able to delete these files in his directory via Samba. Under linux the user can use rm -f to delete anyway. Somebody know a solution for this?

many thanks, Peter
[Samba] Cannot connect to Samba-3.0.23d (and earlier) from other trusted AD domains
Hi there

We have a bunch of Samba 3.0.10+ CentOS4.4 servers that are working 100% fine when connected to from users who are members of the same ADS domain our Samba servers are members of. However, users from other ADS domains (we are all W2K3-based) on our network cannot connect - they get NT_STATUS_ACCESS_DENIED. The shares they are trying to connect to have no share-level permission checks - we want any valid account to be able to connect.

auth methods = sam, winbind, winbind is used and wbinfo -m shows the domains we trust. And yet people in those domains cannot login. ntlm_auth - which uses winbind - is able to authenticate such accounts - but it looks like Samba doesn't care what winbind thinks - it must be blocking for another reason.

The logs show Samba starts as expected by looking up otherDom\username, but it always falls back to doing Get_Pwnam_internals calls to winbind on the username by itself, and obviously receives a no such user error from winbind.

winbind settings in smb.conf are:

    auth methods = winbind
    winbind separator = \
    winbind cache time = 3600
    winbind enum users = Yes
    winbind enum groups = No
    winbind use default domain = No
    winbind trusted domains only = No
    winbind nested groups = Yes
    winbind nss info = template
    winbind refresh tickets = No
    winbind offline logon = No

We have tried this with both security = domain and security = ADS - no difference.

finger myDomain\\username works, but finger otherDomain\\username immediately fails, with log.wb-otherDomain reporting

    error getting user info for sid S-1-5-21-1644491937-1078081533-682003330-6760

...and yet wbinfo --sid-to-name maps that back to the correct username, and wbinfo --name-to-sid maps the username to the same SID. As mentioned earlier, ntlm_auth with such an account and correct password returns OK.

Any ideas? It smells so close to working...

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
[Samba] Samba file security
I am a newbie for samba configuration at security level. I have read all the documents but could not resolve my problem. My problem is as below and I would like your help to resolve it.

I have installed Samba - 3.0.0-14 on Redhat ES 3 and everything is working fine. But I want that all the members can read the files and put the file on shared folder but can not delete it. I want to protect it from deletion. Only the super user of the system can delete it but not the samba users. Please guide me on this problem.

Thanks - Naveen
svn commit: samba r20025 - in branches/SAMBA_4_0/source/libnet: .
Author: metze Date: 2006-12-04 09:40:16 + (Mon, 04 Dec 2006) New Revision: 20025 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=20025 Log: - implement the windows2003update revision search - finish the infrastructure fsmo detail searches metze Modified: branches/SAMBA_4_0/source/libnet/libnet_become_dc.c Changeset: Modified: branches/SAMBA_4_0/source/libnet/libnet_become_dc.c === --- branches/SAMBA_4_0/source/libnet/libnet_become_dc.c 2006-12-03 21:05:18 UTC (rev 20024) +++ branches/SAMBA_4_0/source/libnet/libnet_become_dc.c 2006-12-04 09:40:16 UTC (rev 20025) @@ -25,6 +25,7 @@ #include lib/ldb/include/ldb.h #include lib/ldb/include/ldb_errors.h #include lib/db_wrap.h +#include dsdb/samdb/samdb.h struct libnet_BecomeDC_state { struct composite_context *creq; @@ -88,7 +89,15 @@ uint32_t domain_behavior_version; uint32_t config_behavior_version; uint32_t schema_object_version; + uint32_t w2k3_update_revision; } ads_options; + + struct becomeDC_fsmo { + const char *dns_name; + const char *server_dn_str; + const char *ntds_dn_str; + struct GUID ntds_guid; + } infrastructure_fsmo; }; static void becomeDC_connect_ldap1(struct libnet_BecomeDC_state *s); 
@@ -292,11 +301,43 @@ return NT_STATUS_OK; } +static NTSTATUS becomeDC_ldap1_w2k3_update_revision(struct libnet_BecomeDC_state *s) +{ + int ret; + struct ldb_result *r; + struct ldb_dn *basedn; + static const char *attrs[] = { + revision, + NULL + }; + + basedn = ldb_dn_new_fmt(s, s-ldap1.ldb, CN=Windows2003Update,CN=DomainUpdates,CN=System,%s, + s-domain.dn_str); + NT_STATUS_HAVE_NO_MEMORY(basedn); + + ret = ldb_search(s-ldap1.ldb, basedn, LDB_SCOPE_BASE, +(objectClass=*), attrs, r); + talloc_free(basedn); + if (ret != LDB_SUCCESS) { + return NT_STATUS_LDAP(ret); + } else if (r-count != 1) { + talloc_free(r); + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + + s-ads_options.w2k3_update_revision = ldb_msg_find_attr_as_uint(r-msgs[0], revision, 0); + + talloc_free(r); + return NT_STATUS_OK; +} + static NTSTATUS becomeDC_ldap1_infrastructure_fsmo(struct libnet_BecomeDC_state *s) { int ret; struct ldb_result *r; struct ldb_dn *basedn; + struct ldb_dn *ntds_dn; + struct ldb_dn *server_dn; static const char *_1_1_attrs[] = { 1.1, NULL @@ -305,6 +346,14 @@ fSMORoleOwner, NULL }; + static const char *dns_attrs[] = { + dnsHostName, + NULL + }; + static const char *guid_attrs[] = { + objectGUID, + NULL + }; basedn = ldb_dn_new_fmt(s, s-ldap1.ldb, WKGUID=2fbac1870ade11d297c400c04fd8d5cd,%s, s-domain.dn_str); 
@@ -333,7 +382,46 @@ return NT_STATUS_INVALID_NETWORK_RESPONSE; } + s-infrastructure_fsmo.ntds_dn_str = samdb_result_string(r-msgs[0], fSMORoleOwner, NULL); + if (!s-infrastructure_fsmo.ntds_dn_str) return NT_STATUS_INVALID_NETWORK_RESPONSE; + talloc_steal(s, s-infrastructure_fsmo.ntds_dn_str); + talloc_free(r); + + ntds_dn = ldb_dn_new(s, s-ldap1.ldb, s-infrastructure_fsmo.ntds_dn_str); + NT_STATUS_HAVE_NO_MEMORY(ntds_dn); + + server_dn = ldb_dn_get_parent(s, ntds_dn); + NT_STATUS_HAVE_NO_MEMORY(server_dn); + + ret = ldb_search(s-ldap1.ldb, server_dn, LDB_SCOPE_BASE, +(objectClass=*), dns_attrs, r); + if (ret != LDB_SUCCESS) { + return NT_STATUS_LDAP(ret); + } else if (r-count != 1) { + talloc_free(r); + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + + s-infrastructure_fsmo.dns_name = samdb_result_string(r-msgs[0], dnsHostName, NULL); + if (!s-infrastructure_fsmo.dns_name) return NT_STATUS_INVALID_NETWORK_RESPONSE; + talloc_steal(s, s-infrastructure_fsmo.dns_name); + + talloc_free(r); + + ret = ldb_search(s-ldap1.ldb, ntds_dn, LDB_SCOPE_BASE, +(objectClass=*), guid_attrs, r); + if (ret != LDB_SUCCESS) { + return NT_STATUS_LDAP(ret); + } else if (r-count != 1) { + talloc_free(r); + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + + s-infrastructure_fsmo.ntds_guid = samdb_result_guid(r-msgs[0], objectGUID); + + talloc_free(r); + return NT_STATUS_NOT_IMPLEMENTED; } @@ -357,6 +445,9 @@ c-status =
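Review bot: In becomeDC_ldap1_w2k3_update_revision() every ldb_search() failure on CN=Windows2003Update,CN=DomainUpdates,CN=System is returned as NT_STATUS_LDAP(ret), so a domain that simply lacks this object cannot be told apart from a real LDAP failure and the caller aborts either way. If a missing object is an expected state, map the no-such-object result to w2k3_update_revision = 0 instead of failing. The 0 default passed to ldb_msg_find_attr_as_uint() already covers a missing revision attribute, so a short comment stating what 0 means would remove the ambiguity.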
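Review bot: In the additions to becomeDC_ldap1_infrastructure_fsmo(), the two early returns after samdb_result_string() (for fSMORoleOwner and for dnsHostName) leave r allocated, while the r->count != 1 branches just above them call talloc_free(r) before returning. Free r on those paths too. ntds_dn and server_dn are allocated on s and never released in this function, so they stay around for the lifetime of the whole state; a temporary talloc context for the function would cover both and the error paths at once.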
svn commit: samba r20026 - in branches/SAMBA_4_0/source/libnet: .
Author: metze Date: 2006-12-04 10:02:08 + (Mon, 04 Dec 2006) New Revision: 20026 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=20026 Log: - store the infrastructure server_dn_str - implement the rid manager info searches metze Modified: branches/SAMBA_4_0/source/libnet/libnet_become_dc.c Changeset: Modified: branches/SAMBA_4_0/source/libnet/libnet_become_dc.c === --- branches/SAMBA_4_0/source/libnet/libnet_become_dc.c 2006-12-04 09:40:16 UTC (rev 20025) +++ branches/SAMBA_4_0/source/libnet/libnet_become_dc.c 2006-12-04 10:02:08 UTC (rev 20026) @@ -98,6 +98,8 @@ const char *ntds_dn_str; struct GUID ntds_guid; } infrastructure_fsmo; + + struct becomeDC_fsmo rid_manager_fsmo; }; static void becomeDC_connect_ldap1(struct libnet_BecomeDC_state *s); @@ -394,6 +396,9 @@ server_dn = ldb_dn_get_parent(s, ntds_dn); NT_STATUS_HAVE_NO_MEMORY(server_dn); + s-infrastructure_fsmo.server_dn_str = ldb_dn_alloc_linearized(s, server_dn); + NT_STATUS_HAVE_NO_MEMORY(s-infrastructure_fsmo.server_dn_str); + ret = ldb_search(s-ldap1.ldb, server_dn, LDB_SCOPE_BASE, (objectClass=*), dns_attrs, r); if (ret != LDB_SUCCESS) { 
@@ -422,10 +427,112 @@ talloc_free(r); - return NT_STATUS_NOT_IMPLEMENTED; + return NT_STATUS_OK; } +static NTSTATUS becomeDC_ldap1_rid_manager_fsmo(struct libnet_BecomeDC_state *s) +{ + int ret; + struct ldb_result *r; + struct ldb_dn *basedn; + const char *reference_dn_str; + struct ldb_dn *ntds_dn; + struct ldb_dn *server_dn; + static const char *rid_attrs[] = { + rIDManagerReference, + NULL + }; + static const char *fsmo_attrs[] = { + fSMORoleOwner, + NULL + }; + static const char *dns_attrs[] = { + dnsHostName, + NULL + }; + static const char *guid_attrs[] = { + objectGUID, + NULL + }; + basedn = ldb_dn_new(s, s-ldap1.ldb, s-domain.dn_str); + NT_STATUS_HAVE_NO_MEMORY(basedn); + + ret = ldb_search(s-ldap1.ldb, basedn, LDB_SCOPE_BASE, +(objectClass=*), rid_attrs, r); + talloc_free(basedn); + if (ret != LDB_SUCCESS) { + return NT_STATUS_LDAP(ret); + } else if (r-count != 1) { + talloc_free(r); + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + + reference_dn_str= samdb_result_string(r-msgs[0], rIDManagerReference, NULL); + if (!reference_dn_str) return NT_STATUS_INVALID_NETWORK_RESPONSE; + + basedn = ldb_dn_new(s, s-ldap1.ldb, reference_dn_str); + NT_STATUS_HAVE_NO_MEMORY(basedn); + + talloc_free(r); + + ret = ldb_search(s-ldap1.ldb, basedn, LDB_SCOPE_BASE, +(objectClass=*), fsmo_attrs, r); + talloc_free(basedn); + if (ret != LDB_SUCCESS) { + return NT_STATUS_LDAP(ret); + } else if (r-count != 1) { + talloc_free(r); + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + + s-rid_manager_fsmo.ntds_dn_str = samdb_result_string(r-msgs[0], fSMORoleOwner, NULL); + if (!s-rid_manager_fsmo.ntds_dn_str) return NT_STATUS_INVALID_NETWORK_RESPONSE; + talloc_steal(s, s-rid_manager_fsmo.ntds_dn_str); + + talloc_free(r); + + ntds_dn = ldb_dn_new(s, s-ldap1.ldb, s-rid_manager_fsmo.ntds_dn_str); + NT_STATUS_HAVE_NO_MEMORY(ntds_dn); + + server_dn = ldb_dn_get_parent(s, ntds_dn); + NT_STATUS_HAVE_NO_MEMORY(server_dn); + + s-rid_manager_fsmo.server_dn_str = ldb_dn_alloc_linearized(s, 
server_dn); + NT_STATUS_HAVE_NO_MEMORY(s-rid_manager_fsmo.server_dn_str); + + ret = ldb_search(s-ldap1.ldb, server_dn, LDB_SCOPE_BASE, +(objectClass=*), dns_attrs, r); + if (ret != LDB_SUCCESS) { + return NT_STATUS_LDAP(ret); + } else if (r-count != 1) { + talloc_free(r); + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + + s-rid_manager_fsmo.dns_name= samdb_result_string(r-msgs[0], dnsHostName, NULL); + if (!s-rid_manager_fsmo.dns_name) return NT_STATUS_INVALID_NETWORK_RESPONSE; + talloc_steal(s, s-rid_manager_fsmo.dns_name); + + talloc_free(r); + + ret = ldb_search(s-ldap1.ldb, ntds_dn, LDB_SCOPE_BASE, +(objectClass=*), guid_attrs, r); + if (ret != LDB_SUCCESS) { + return NT_STATUS_LDAP(ret); + } else if (r-count != 1) { + talloc_free(r); + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + + s-rid_manager_fsmo.ntds_guid = samdb_result_guid(r-msgs[0], objectGUID); + + talloc_free(r); + +
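Review bot: becomeDC_ldap1_rid_manager_fsmo() repeats, from the fSMORoleOwner lookup onward, the same ntds_dn, server_dn, dnsHostName and objectGUID sequence that becomeDC_ldap1_infrastructure_fsmo() runs, differing only in which struct becomeDC_fsmo it fills. Factor that tail into one helper that takes a struct becomeDC_fsmo * so the two role lookups cannot drift apart. The new function also carries over the early returns that skip talloc_free(r), here when rIDManagerReference, fSMORoleOwner or dnsHostName comes back NULL.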
svn commit: samba r20027 - in branches/SAMBA_4_0/source/dsdb/common: .
Author: metze Date: 2006-12-04 11:07:59 + (Mon, 04 Dec 2006) New Revision: 20027 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=20027 Log: restore instanceType and systemFlags values, which got lost in http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/branches/SAMBA_4_0/source/dsdb/common/flags.h?p1=branches%2FSAMBA_4_0%2Fsource%2Finclude%2Fads.hrev=17930r1=15511r2=17930 metze Modified: branches/SAMBA_4_0/source/dsdb/common/flags.h Changeset: Modified: branches/SAMBA_4_0/source/dsdb/common/flags.h === --- branches/SAMBA_4_0/source/dsdb/common/flags.h 2006-12-04 10:02:08 UTC (rev 20026) +++ branches/SAMBA_4_0/source/dsdb/common/flags.h 2006-12-04 11:07:59 UTC (rev 20027) @@ -95,3 +95,25 @@ #define GTYPE_DISTRIBUTION_GLOBAL_GROUP0x0002 /* 2 */ #define GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP 0x0004 /* 4 */ #define GTYPE_DISTRIBUTION_UNIVERSAL_GROUP 0x0008 /* 8 */ + +#define INSTANCE_TYPE_IS_NC_HEAD 0x0001 +#define INSTANCE_TYPE_UNINSTANT0x0002 +#define INSTANCE_TYPE_WRITE0x0004 +#define INSTANCE_TYPE_NC_ABOVE 0x0008 +#define INSTANCE_TYPE_NC_COMING0x0010 +#define INSTANCE_TYPE_NC_GOING 0x0020 + +#define SYSTEM_FLAG_CR_NTDS_NC 0x0001 +#define SYSTEM_FLAG_CR_NTDS_DOMAIN 0x0002 +#define SYSTEM_FLAG_CR_NTDS_NOT_GC_REPLICATED 0x0004 +#define SYSTEM_FLAG_SCHEMA_BASE_OBJECT 0x0010 +#define SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE0x0200 +#define SYSTEM_FLAG_DOMAIN_DISALLOW_MOVE 0x0400 +#define SYSTEM_FLAG_DOMAIN_DISALLOW_RENAME 0x0800 +#define SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVE 0x1000 +#define SYSTEM_FLAG_CONFIG_ALLOW_MOVE 0x2000 +#define SYSTEM_FLAG_CONFIG_ALLOW_ERNAME0x2000 +#define SYSTEM_FLAG_DISALLOW_DELTE 0x8000 + +#define DS_BEHAVIOR_WIN20000 +#define DS_BEHAVIOR_WIN20032
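Review bot: SYSTEM_FLAG_CONFIG_ALLOW_ERNAME is given 0x2000, the same value as SYSTEM_FLAG_CONFIG_ALLOW_MOVE on the line above it, so the two flags cannot be distinguished in a mask; the name also looks like a misspelling of RENAME, as SYSTEM_FLAG_DISALLOW_DELTE does of DELETE. Since these constants are being restored, check each value against the header they were lost from, and add a one-line comment above each group saying which attribute (instanceType, systemFlags) the bits belong to.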
svn commit: samba r20028 - in branches/SAMBA_4_0/source/dsdb/common: .
Author: metze Date: 2006-12-04 11:08:56 + (Mon, 04 Dec 2006) New Revision: 20028 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=20028 Log: fix typos metze Modified: branches/SAMBA_4_0/source/dsdb/common/flags.h Changeset: Modified: branches/SAMBA_4_0/source/dsdb/common/flags.h === --- branches/SAMBA_4_0/source/dsdb/common/flags.h 2006-12-04 11:07:59 UTC (rev 20027) +++ branches/SAMBA_4_0/source/dsdb/common/flags.h 2006-12-04 11:08:56 UTC (rev 20028) @@ -112,7 +112,7 @@ #define SYSTEM_FLAG_DOMAIN_DISALLOW_RENAME 0x0800 #define SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVE 0x1000 #define SYSTEM_FLAG_CONFIG_ALLOW_MOVE 0x2000 -#define SYSTEM_FLAG_CONFIG_ALLOW_ERNAME0x2000 +#define SYSTEM_FLAG_CONFIG_ALLOW_RENAME0x4000 #define SYSTEM_FLAG_DISALLOW_DELTE 0x8000 #define DS_BEHAVIOR_WIN20000
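Review bot: The log says "fix typos", but SYSTEM_FLAG_DISALLOW_DELTE on the context line directly below the changed one is still misspelled. The changed line also moves the value from 0x2000 to 0x4000 rather than only renaming the macro; the log message should say so, since that changes the result for any code testing this bit.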
svn commit: samba r20029 - in branches/SAMBA_4_0/source/libnet: .
Author: metze Date: 2006-12-04 16:30:27 + (Mon, 04 Dec 2006) New Revision: 20029 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=20029 Log: - implement source_dsa site object search metze Modified: branches/SAMBA_4_0/source/libnet/libnet_become_dc.c Changeset: Modified: branches/SAMBA_4_0/source/libnet/libnet_become_dc.c === --- branches/SAMBA_4_0/source/libnet/libnet_become_dc.c 2006-12-04 11:08:56 UTC (rev 20028) +++ branches/SAMBA_4_0/source/libnet/libnet_become_dc.c 2006-12-04 16:30:27 UTC (rev 20029) @@ -69,6 +69,7 @@ const char *dns_name; const char *netbios_name; const char *site_name; + struct GUID site_guid; const char *server_dn_str; const char *ntds_dn_str; } source_dsa; @@ -532,7 +533,34 @@ return NT_STATUS_OK; } +static NTSTATUS becomeDC_ldap1_site_object(struct libnet_BecomeDC_state *s) +{ + int ret; + struct ldb_result *r; + struct ldb_dn *basedn; + basedn = ldb_dn_new_fmt(s, s-ldap1.ldb, CN=%s,CN=Sites,%s, + s-dest_dsa.site_name, + s-forest.config_dn_str); + NT_STATUS_HAVE_NO_MEMORY(basedn); + + ret = ldb_search(s-ldap1.ldb, basedn, LDB_SCOPE_BASE, +(objectClass=*), NULL, r); + talloc_free(basedn); + if (ret != LDB_SUCCESS) { + return NT_STATUS_LDAP(ret); + } else if (r-count != 1) { + talloc_free(r); + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + + s-source_dsa.site_guid = samdb_result_guid(r-msgs[0], objectGUID); + + talloc_free(r); + return NT_STATUS_OK; +} + + static void becomeDC_connect_ldap1(struct libnet_BecomeDC_state *s) { struct composite_context *c = s-creq; @@ -561,6 +589,9 @@ c-status = becomeDC_ldap1_rid_manager_fsmo(s); if (!composite_is_ok(c)) return; + c-status = becomeDC_ldap1_site_object(s); + if (!composite_is_ok(c)) return; + composite_error(c, NT_STATUS_NOT_IMPLEMENTED); }
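Review bot: becomeDC_ldap1_site_object() builds its base DN from dest_dsa.site_name but stores the objectGUID it reads in source_dsa.site_guid, and the new struct member is added to source_dsa. The GUID is that of the destination site, so both the field and the assignment belong on dest_dsa. Separately, site_name is formatted into the DN with a plain %s, so a name containing DN special characters would change the search base; escape or validate the value before calling ldb_dn_new_fmt().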
svn commit: samba r20030 - in branches/SAMBA_4_0/source/libnet: .
Author: metze Date: 2006-12-04 17:27:46 + (Mon, 04 Dec 2006) New Revision: 20030 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=20030 Log: - implement the computer object search - fix a source vs. dest dsa bug metze Modified: branches/SAMBA_4_0/source/libnet/libnet_become_dc.c Changeset: Modified: branches/SAMBA_4_0/source/libnet/libnet_become_dc.c === --- branches/SAMBA_4_0/source/libnet/libnet_become_dc.c 2006-12-04 16:30:27 UTC (rev 20029) +++ branches/SAMBA_4_0/source/libnet/libnet_become_dc.c 2006-12-04 17:27:46 UTC (rev 20030) @@ -69,7 +69,6 @@ const char *dns_name; const char *netbios_name; const char *site_name; - struct GUID site_guid; const char *server_dn_str; const char *ntds_dn_str; } source_dsa; @@ -81,9 +80,11 @@ /* constructed */ const char *dns_name; const char *site_name; + struct GUID site_guid; const char *computer_dn_str; const char *server_dn_str; const char *ntds_dn_str; + uint32_t user_account_control; } dest_dsa; struct { 
@@ -554,13 +555,51 @@ return NT_STATUS_INVALID_NETWORK_RESPONSE; } - s-source_dsa.site_guid = samdb_result_guid(r-msgs[0], objectGUID); + s-dest_dsa.site_guid = samdb_result_guid(r-msgs[0], objectGUID); talloc_free(r); return NT_STATUS_OK; } +static NTSTATUS becomeDC_ldap1_computer_object(struct libnet_BecomeDC_state *s) +{ + int ret; + struct ldb_result *r; + struct ldb_dn *basedn; + char *filter; + static const char *attrs[] = { + distinguishedName, + userAccountControl, + NULL + }; + basedn = ldb_dn_new(s, s-ldap1.ldb, s-domain.dn_str); + NT_STATUS_HAVE_NO_MEMORY(basedn); + + filter = talloc_asprintf(basedn, ((|(objectClass=user)(objectClass=computer))(sAMAccountName=%s$)), +s-dest_dsa.netbios_name); + NT_STATUS_HAVE_NO_MEMORY(filter); + + ret = ldb_search(s-ldap1.ldb, basedn, LDB_SCOPE_SUBTREE, +filter, attrs, r); + talloc_free(basedn); + if (ret != LDB_SUCCESS) { + return NT_STATUS_LDAP(ret); + } else if (r-count != 1) { + talloc_free(r); + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + + s-dest_dsa.computer_dn_str = samdb_result_string(r-msgs[0], distinguishedName, NULL); + if (!s-dest_dsa.computer_dn_str) return NT_STATUS_INVALID_NETWORK_RESPONSE; + talloc_steal(s, s-dest_dsa.computer_dn_str); + + s-dest_dsa.user_account_control = samdb_result_uint(r-msgs[0], userAccountControl, 0); + + talloc_free(r); + return NT_STATUS_OK; +} + static void becomeDC_connect_ldap1(struct libnet_BecomeDC_state *s) { struct composite_context *c = s-creq; @@ -592,6 +631,9 @@ c-status = becomeDC_ldap1_site_object(s); if (!composite_is_ok(c)) return; + c-status = becomeDC_ldap1_computer_object(s); + if (!composite_is_ok(c)) return; + composite_error(c, NT_STATUS_NOT_IMPLEMENTED); }
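Review bot: in becomeDC_ldap1_computer_object() the search filter is built by formatting dest_dsa.netbios_name into (sAMAccountName=%s$) with talloc_asprintf() and no escaping, so a name containing filter metacharacters such as ( ) * or \ would alter the filter. Encode the value before formatting (ldb provides ldb_binary_encode_string() for this). Two error paths also skip cleanup: a failed filter allocation returns through NT_STATUS_HAVE_NO_MEMORY(filter) without freeing basedn, and the return taken when distinguishedName is missing comes before talloc_free(r).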
svn commit: samba r20031 - in branches/SAMBA_4_0/source/libnet: .
Author: metze Date: 2006-12-04 18:20:03 + (Mon, 04 Dec 2006) New Revision: 20031 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=20031 Log: - implement searching for an existing server object - implement adding a server object metze Modified: branches/SAMBA_4_0/source/libnet/libnet_become_dc.c Changeset: Modified: branches/SAMBA_4_0/source/libnet/libnet_become_dc.c === --- branches/SAMBA_4_0/source/libnet/libnet_become_dc.c 2006-12-04 17:27:46 UTC (rev 20030) +++ branches/SAMBA_4_0/source/libnet/libnet_become_dc.c 2006-12-04 18:20:03 UTC (rev 20031) 
@@ -600,6 +600,154 @@ return NT_STATUS_OK; } +static NTSTATUS becomeDC_ldap1_server_object_1(struct libnet_BecomeDC_state *s) +{ + int ret; + struct ldb_result *r; + struct ldb_dn *basedn; + const char *server_reference_dn_str; + struct ldb_dn *server_reference_dn; + struct ldb_dn *computer_dn; + + basedn = ldb_dn_new_fmt(s, s-ldap1.ldb, CN=%s,CN=Servers,CN=%s,CN=Sites,%s, + s-dest_dsa.netbios_name, + s-dest_dsa.site_name, + s-forest.config_dn_str); + NT_STATUS_HAVE_NO_MEMORY(basedn); + + ret = ldb_search(s-ldap1.ldb, basedn, LDB_SCOPE_BASE, +(objectClass=*), NULL, r); + talloc_free(basedn); + if (ret == LDB_ERR_NO_SUCH_OBJECT) { + /* if the object doesn't exist, we'll create it later */ + return NT_STATUS_OK; + } else if (ret != LDB_SUCCESS) { + return NT_STATUS_LDAP(ret); + } else if (r-count != 1) { + talloc_free(r); + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + + server_reference_dn_str = samdb_result_string(r-msgs[0], serverReference, NULL); + if (!server_reference_dn_str) return NT_STATUS_INVALID_NETWORK_RESPONSE; + server_reference_dn = ldb_dn_new(r, s-ldap1.ldb, server_reference_dn_str); + NT_STATUS_HAVE_NO_MEMORY(server_reference_dn); + + computer_dn = ldb_dn_new(r, s-ldap1.ldb, s-dest_dsa.computer_dn_str); + NT_STATUS_HAVE_NO_MEMORY(computer_dn); + + /* +* if the server object belongs to another DC in another domain in the forest, +* we should not touch this object! 
+*/ + if (ldb_dn_compare(computer_dn, server_reference_dn) != 0) { + talloc_free(r); + return NT_STATUS_OBJECT_NAME_COLLISION; + } + + /* if the server object is already for the dest_dsa, then we don't need to create it */ + s-dest_dsa.server_dn_str = samdb_result_string(r-msgs[0], distinguishedName, NULL); + if (!s-dest_dsa.server_dn_str) return NT_STATUS_INVALID_NETWORK_RESPONSE; + talloc_steal(s, s-dest_dsa.server_dn_str); + + talloc_free(r); + return NT_STATUS_OK; +} + +static NTSTATUS becomeDC_ldap1_server_object_2(struct libnet_BecomeDC_state *s) +{ + int ret; + struct ldb_result *r; + struct ldb_dn *basedn; + const char *server_reference_bl_dn_str; + static const char *attrs[] = { + serverReferenceBL, + NULL + }; + + /* if the server_dn_str has a valid value, we skip this lookup */ + if (s-dest_dsa.server_dn_str) return NT_STATUS_OK; + + basedn = ldb_dn_new(s, s-ldap1.ldb, s-dest_dsa.computer_dn_str); + NT_STATUS_HAVE_NO_MEMORY(basedn); + + ret = ldb_search(s-ldap1.ldb, basedn, LDB_SCOPE_BASE, +(objectClass=*), attrs, r); + talloc_free(basedn); + if (ret != LDB_SUCCESS) { + return NT_STATUS_LDAP(ret); + } else if (r-count != 1) { + talloc_free(r); + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + + server_reference_bl_dn_str = samdb_result_string(r-msgs[0], serverReferenceBL, NULL); + if (!server_reference_bl_dn_str) { + /* if no back link is present, we're done for this function */ + talloc_free(r); + return NT_STATUS_OK; + } + + /* if the server object is already for the dest_dsa, then we don't need to create it */ + s-dest_dsa.server_dn_str = samdb_result_string(r-msgs[0], serverReferenceBL, NULL); + if (s-dest_dsa.server_dn_str) { + /* if a back link is present, we know that the server object is present */ + talloc_steal(s, s-dest_dsa.server_dn_str); + } + + talloc_free(r); + return NT_STATUS_OK; +} + +static NTSTATUS becomeDC_ldap1_server_object_add(struct libnet_BecomeDC_state *s) +{ + int ret; + struct ldb_message *msg; + char *server_dn_str; + + /* 
if the server_dn_str has a valid value, we skip this lookup */ + if (s-dest_dsa.server_dn_str) return
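Review bot: in becomeDC_ldap1_server_object_1() every return taken after the search succeeds but before the final talloc_free(r) leaves the result unfreed: the missing serverReference case, the missing distinguishedName case, and both NT_STATUS_HAVE_NO_MEMORY() checks on DNs allocated under r. Route these through a single cleanup path. In becomeDC_ldap1_server_object_2() serverReferenceBL is read twice from the same message, once into server_reference_bl_dn_str and again into dest_dsa.server_dn_str; reuse the first value. The comment at the top of becomeDC_ldap1_server_object_add() still says "we skip this lookup" although this function adds the object.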
Rev 28: merged from Peter in http://samba.org/~tridge/ctdb/
revno: 28 revision-id: [EMAIL PROTECTED] parent: [EMAIL PROTECTED] parent: [EMAIL PROTECTED] committer: Andrew Tridgell [EMAIL PROTECTED] branch nick: tridge timestamp: Tue 2006-12-05 08:06:15 +1100 message: merged from Peter added: ib/ib-20061204130028-c3a456433f6d7a53 ib/ibwrapper.c ibwrapper.c-20061204130028-0125b4f5a72f4b11 ib/ibwrapper.h ibwrapper.h-20061204130028-32755c6266dd3c49 ib/ibwrapper_internal.h ibwrapper_internal.h-20061204130028-47f0a7e658b16ca2 revno: 27.1.3 merged: [EMAIL PROTECTED] parent: [EMAIL PROTECTED] committer: Peter Somogyi [EMAIL PROTECTED] branch nick: ctdb timestamp: Mon 2006-12-04 19:48:11 +0100 message: Implementing basic data structure handling... revno: 27.1.2 merged: [EMAIL PROTECTED] parent: [EMAIL PROTECTED] committer: Peter Somogyi [EMAIL PROTECTED] branch nick: ctdb timestamp: Mon 2006-12-04 14:27:46 +0100 message: Just testing the bzr e-mail plugin... revno: 27.1.1 merged: [EMAIL PROTECTED] parent: [EMAIL PROTECTED] committer: Peter Somogyi [EMAIL PROTECTED] branch nick: ctdb timestamp: Mon 2006-12-04 14:02:08 +0100 message: Added infiniband transport implementation(incomplete) and interface. Diff too large for email (680, the limit is 200).
svn commit: samba r20032 - in branches/SAMBA_4_0/source/lib/ldb/common: .
Author: idra Date: 2006-12-05 02:48:58 + (Tue, 05 Dec 2006) New Revision: 20032 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=20032 Log: Add ldb_search_exp_fmt() This functions adds support of a memory context to hook the results to and a printf style exp_fmt partameter to easily build expressions at once. Modified: branches/SAMBA_4_0/source/lib/ldb/common/ldb.c Changeset: Modified: branches/SAMBA_4_0/source/lib/ldb/common/ldb.c === --- branches/SAMBA_4_0/source/lib/ldb/common/ldb.c 2006-12-04 18:20:03 UTC (rev 20031) +++ branches/SAMBA_4_0/source/lib/ldb/common/ldb.c 2006-12-05 02:48:58 UTC (rev 20032) @@ -795,6 +795,42 @@ } /* + a useful search function where you can easily define the expression and that + takes a memory context where results are allocated +*/ + +int ldb_search_exp_fmt(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_result **result, +struct ldb_dn *base, enum ldb_scope scope, const char * const *attrs, +const char *exp_fmt, ...) +{ + struct ldb_result **res; + char *expression; + va_list ap; + int ret; + + *result = NULL; + + va_start(ap, exp_fmt); + expression = talloc_vasprintf(mem_ctx, exp_fmt, ap); + va_end(ap); + + if ( ! expression) { + return LDB_ERR_OPERATIONS_ERROR; + } + + ret = ldb_search(ldb, base, scope, expression, attrs, res); + + if (ret == LDB_SUCCESS) { + talloc_steal(mem_ctx, res); + result = res; + } + + talloc_free(expression); + + return ret; +} + +/* add a record to the database. Will fail if a record with the given class and key already exists */
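Review bot: ldb_search_exp_fmt() never hands the result back to its caller: res is declared as struct ldb_result ** and left uninitialised before being passed to ldb_search(), and on success the code assigns result = res, which only overwrites the local parameter, so the caller's pointer keeps the NULL written by *result = NULL. Declare res as a single pointer, initialise it, and store it with *result = res. The header comment should also state that the format arguments are placed into the search expression verbatim, so callers must escape any value they do not trust.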
svn commit: samba r20033 - in branches/SAMBA_4_0/source/lib/ldb/common: .
Author: idra Date: 2006-12-05 03:52:58 + (Tue, 05 Dec 2006) New Revision: 20033 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=20033 Log: Never commit before testing Never commit before testing Never commit before testing :-) Modified: branches/SAMBA_4_0/source/lib/ldb/common/ldb.c Changeset: Modified: branches/SAMBA_4_0/source/lib/ldb/common/ldb.c === --- branches/SAMBA_4_0/source/lib/ldb/common/ldb.c 2006-12-05 02:48:58 UTC (rev 20032) +++ branches/SAMBA_4_0/source/lib/ldb/common/ldb.c 2006-12-05 03:52:58 UTC (rev 20033) @@ -803,11 +803,12 @@ struct ldb_dn *base, enum ldb_scope scope, const char * const *attrs, const char *exp_fmt, ...) { - struct ldb_result **res; + struct ldb_result *res; char *expression; va_list ap; int ret; + res = NULL; *result = NULL; va_start(ap, exp_fmt); @@ -818,11 +819,13 @@ return LDB_ERR_OPERATIONS_ERROR; } - ret = ldb_search(ldb, base, scope, expression, attrs, res); + ret = ldb_search(ldb, base, scope, expression, attrs, res); if (ret == LDB_SUCCESS) { talloc_steal(mem_ctx, res); - result = res; + *result = res; + } else { + talloc_free(res); } talloc_free(expression);
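Review bot: the log message does not say what was broken; it should record that ldb_search_exp_fmt() as added in r20032 did not return the search result to the caller, and that res is now a single pointer, initialised to NULL and stored through *result. The new else branch calls talloc_free(res) on failure, which is only safe if res is still NULL or a valid talloc pointer after a failed ldb_search(); the res = NULL initialisation added here covers the first case, and a short comment would make that dependency explicit.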
svn commit: samba r20034 - in branches/SAMBA_4_0/source: auth/gensec dsdb/samdb/ldb_modules kdc lib/ldb/include lib/ldb/tools param rpc_server/lsa rpc_server/samr
Author: idra Date: 2006-12-05 04:25:27 + (Tue, 05 Dec 2006) New Revision: 20034 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=20034 Log: Start using ldb_search_exp_fmt() Modified: branches/SAMBA_4_0/source/auth/gensec/schannel_state.c branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/samldb.c branches/SAMBA_4_0/source/kdc/hdb-ldb.c branches/SAMBA_4_0/source/lib/ldb/include/ldb.h branches/SAMBA_4_0/source/lib/ldb/tools/ad2oLschema.c branches/SAMBA_4_0/source/param/share_ldb.c branches/SAMBA_4_0/source/rpc_server/lsa/dcesrv_lsa.c branches/SAMBA_4_0/source/rpc_server/samr/dcesrv_samr.c Changeset: Modified: branches/SAMBA_4_0/source/auth/gensec/schannel_state.c === --- branches/SAMBA_4_0/source/auth/gensec/schannel_state.c 2006-12-05 03:52:58 UTC (rev 20033) +++ branches/SAMBA_4_0/source/auth/gensec/schannel_state.c 2006-12-05 04:25:27 UTC (rev 20034) 
@@ -183,27 +183,19 @@ struct ldb_result *res; int ret; const struct ldb_val *val; - char *expr=NULL; *creds = talloc_zero(mem_ctx, struct creds_CredentialState); if (!*creds) { return NT_STATUS_NO_MEMORY; } - expr = talloc_asprintf(mem_ctx, ((computerName=%s)(flatname=%s)), - computer_name, domain); - if (expr == NULL) { - return NT_STATUS_NO_MEMORY; - } - - ret = ldb_search(ldb, NULL, LDB_SCOPE_SUBTREE, expr, NULL, res); - talloc_free(expr); + ret = ldb_search_exp_fmt(ldb, mem_ctx, res, +NULL, LDB_SCOPE_SUBTREE, NULL, + ((computerName=%s)(flatname=%s)), computer_name, domain); if (ret != LDB_SUCCESS) { DEBUG(3,(schannel: Failed to find a record for client %s: %s\n, computer_name, ldb_errstring(ldb))); - talloc_free(res); return NT_STATUS_INVALID_HANDLE; } - talloc_steal(mem_ctx, res); if (res-count != 1) { DEBUG(3,(schannel: Failed to find a record for client: %s (found %d records)\n, computer_name, res-count)); talloc_free(res); Modified: branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/samldb.c === --- branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/samldb.c 2006-12-05 03:52:58 UTC (rev 20033) +++ branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/samldb.c 2006-12-05 04:25:27 UTC (rev 20034) @@ -297,14 +297,11 @@ struct ldb_result *dom_res; struct ldb_result *res; uint32_t old_rid; - char *filter; /* find if this SID already exists */ - - filter = talloc_asprintf(mem_ctx, (objectSid=%s), -ldap_encode_ndr_dom_sid(mem_ctx, sid)); - - ret = ldb_search(module-ldb, NULL, LDB_SCOPE_SUBTREE, filter, attrs, res); + ret = ldb_search_exp_fmt(module-ldb, mem_ctx, res, +NULL, LDB_SCOPE_SUBTREE, attrs, +(objectSid=%s), ldap_encode_ndr_dom_sid(mem_ctx, sid)); if (ret == LDB_SUCCESS) { if (res-count 0) { talloc_free(res); 
@@ -332,13 +329,11 @@ dom_sid-num_auths--; /* find the domain DN */ - - filter = talloc_asprintf(mem_ctx, ((objectSid=%s)(objectclass=domain)), + ret = ldb_search_exp_fmt(module-ldb, mem_ctx, dom_res, +NULL, LDB_SCOPE_SUBTREE, attrs, +((objectSid=%s)(objectclass=domain)), ldap_encode_ndr_dom_sid(mem_ctx, dom_sid)); - - ret = ldb_search(module-ldb, NULL, LDB_SCOPE_SUBTREE, filter, attrs, dom_res); if (ret == LDB_SUCCESS) { - talloc_steal(mem_ctx, dom_res); if (dom_res-count == 0) { talloc_free(dom_res); /* This isn't an operation on a domain we know about, so nothing to update */ Modified: branches/SAMBA_4_0/source/kdc/hdb-ldb.c === --- branches/SAMBA_4_0/source/kdc/hdb-ldb.c 2006-12-05 03:52:58 UTC (rev 20033) +++ branches/SAMBA_4_0/source/kdc/hdb-ldb.c 2006-12-05 04:25:27 UTC (rev 20034) @@ -525,26 +525,20 @@ struct ldb_message ***pmsg) { int ret; - char *cross_ref_filter; struct ldb_result *cross_ref_res; struct ldb_dn *partitions_basedn = samdb_partitions_dn(ldb_ctx, mem_ctx); - cross_ref_filter = talloc_asprintf(mem_ctx, - (((|((dnsRoot=%s)(nETBIOSName=*))(nETBIOSName=%s))(objectclass=crossRef))(ncName=*)), - realm, realm); - if (!cross_ref_filter) { -
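Review bot: in schannel_state.c the computer_name and domain values are passed straight to ldb_search_exp_fmt() as %s arguments of ((computerName=%s)(flatname=%s)), and the debug message identifies computer_name as the client's name, so filter metacharacters in it would change which record is matched. The conversion keeps the behaviour of the removed talloc_asprintf() call, but this is a good point to encode the values before they reach the expression. In samldb.c the return value of ldap_encode_ndr_dom_sid() is passed directly as a format argument in both converted calls without a NULL check.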
svn commit: samba r20035 - in branches: SAMBA_3_0/source/nsswitch SAMBA_3_0_24/source/nsswitch
Author: jra Date: 2006-12-05 06:15:23 + (Tue, 05 Dec 2006) New Revision: 20035 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=20035 Log: Fix obvious horrible bug in falling back to MS-RPC methods. Jeremy. Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_ads.c branches/SAMBA_3_0_24/source/nsswitch/winbindd_ads.c Changeset: Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_ads.c === --- branches/SAMBA_3_0/source/nsswitch/winbindd_ads.c 2006-12-05 04:25:27 UTC (rev 20034) +++ branches/SAMBA_3_0/source/nsswitch/winbindd_ads.c 2006-12-05 06:15:23 UTC (rev 20035) @@ -109,7 +109,6 @@ status = ads_connect(ads); if (!ADS_ERR_OK(status) || !ads-config.realm) { - extern struct winbindd_methods msrpc_methods, cache_methods; DEBUG(1,(ads_connect for domain %s failed: %s\n, domain-name, ads_errstr(status))); ads_destroy(ads); @@ -118,12 +117,10 @@ server, fall back to MSRPC */ if (status.error_type == ENUM_ADS_ERROR_SYSTEM status.err.rc == ECONNREFUSED) { + extern struct winbindd_methods reconnect_methods; + /* 'reconnect_methods' is the MS-RPC backend. */ DEBUG(1,(Trying MSRPC methods\n)); - if (domain-methods == cache_methods) { - domain-backend = msrpc_methods; - } else { - domain-methods = msrpc_methods; - } + domain-backend = reconnect_methods; } return NULL; } Modified: branches/SAMBA_3_0_24/source/nsswitch/winbindd_ads.c === --- branches/SAMBA_3_0_24/source/nsswitch/winbindd_ads.c2006-12-05 04:25:27 UTC (rev 20034) +++ branches/SAMBA_3_0_24/source/nsswitch/winbindd_ads.c2006-12-05 06:15:23 UTC (rev 20035) @@ -109,7 +109,6 @@ status = ads_connect(ads); if (!ADS_ERR_OK(status) || !ads-config.realm) { - extern struct winbindd_methods msrpc_methods, cache_methods; DEBUG(1,(ads_connect for domain %s failed: %s\n, domain-name, ads_errstr(status))); ads_destroy(ads); 
@@ -118,12 +117,10 @@ server, fall back to MSRPC */ if (status.error_type == ENUM_ADS_ERROR_SYSTEM status.err.rc == ECONNREFUSED) { + extern struct winbindd_methods reconnect_methods; + /* 'reconnect_methods' is the MS-RPC backend. */ DEBUG(1,(Trying MSRPC methods\n)); - if (domain-methods == cache_methods) { - domain-backend = msrpc_methods; - } else { - domain-methods = msrpc_methods; - } + domain-backend = reconnect_methods; } return NULL; }
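Review bot: the fallback now always assigns reconnect_methods to the backend member of domain, whereas the removed code assigned msrpc_methods to the methods member instead whenever methods was not cache_methods. The log message should explain why that second case is no longer needed, since "obvious horrible bug" does not say which assignment was wrong. The extern struct winbindd_methods reconnect_methods declaration inside the if block would be better placed in a shared header, so the compiler checks it against the definition. The identical change is applied to both SAMBA_3_0 and SAMBA_3_0_24.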
svn commit: samba r20036 - in branches/SAMBA_3_0/source/lib/ldb/common: .
Author: vlendec Date: 2006-12-05 06:25:12 + (Tue, 05 Dec 2006) New Revision: 20036 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=20036 Log: Merge ldb_search_exp_fmt -- Thanks simo Modified: branches/SAMBA_3_0/source/lib/ldb/common/ldb.c Changeset: Modified: branches/SAMBA_3_0/source/lib/ldb/common/ldb.c === --- branches/SAMBA_3_0/source/lib/ldb/common/ldb.c 2006-12-05 06:15:23 UTC (rev 20035) +++ branches/SAMBA_3_0/source/lib/ldb/common/ldb.c 2006-12-05 06:25:12 UTC (rev 20036) @@ -795,6 +795,45 @@ } /* + a useful search function where you can easily define the expression and that + takes a memory context where results are allocated +*/ + +int ldb_search_exp_fmt(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_result **result, +struct ldb_dn *base, enum ldb_scope scope, const char * const *attrs, +const char *exp_fmt, ...) +{ + struct ldb_result *res; + char *expression; + va_list ap; + int ret; + + res = NULL; + *result = NULL; + + va_start(ap, exp_fmt); + expression = talloc_vasprintf(mem_ctx, exp_fmt, ap); + va_end(ap); + + if ( ! expression) { + return LDB_ERR_OPERATIONS_ERROR; + } + + ret = ldb_search(ldb, base, scope, expression, attrs, res); + + if (ret == LDB_SUCCESS) { + talloc_steal(mem_ctx, res); + *result = res; + } else { + talloc_free(res); + } + + talloc_free(expression); + + return ret; +} + +/* add a record to the database. Will fail if a record with the given class and key already exists */
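Review bot: only ldb.c is listed as modified, so this merge adds ldb_search_exp_fmt() to SAMBA_3_0 without a prototype in a header, whereas r20034 on SAMBA_4_0 also touched lib/ldb/include/ldb.h. Add the declaration in the same commit so callers do not rely on an implicit one. The merged body already carries the r20033 correction (res as a single pointer, *result = res, talloc_free(res) on failure), which is worth stating in the log.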
svn commit: samba r20037 - in branches/SAMBA_3_0/source/registry: .
Author: vlendec Date: 2006-12-05 07:36:14 + (Tue, 05 Dec 2006) New Revision: 20037 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=20037 Log: Reduce code size slightly by shuffling stuff around Modified: branches/SAMBA_3_0/source/registry/reg_api.c branches/SAMBA_3_0/source/registry/reg_frontend.c Changeset: Modified: branches/SAMBA_3_0/source/registry/reg_api.c === --- branches/SAMBA_3_0/source/registry/reg_api.c2006-12-05 06:25:12 UTC (rev 20036) +++ branches/SAMBA_3_0/source/registry/reg_api.c2006-12-05 07:36:14 UTC (rev 20037) 
@@ -62,81 +62,67 @@ const struct nt_user_token *token, struct registry_key **pkey) { - struct registry_key *key; - WERROR err; - + SMB_ASSERT(hive != NULL); SMB_ASSERT(hive[0] != '\0'); SMB_ASSERT(strchr(hive, '\\') == NULL); - if (!(key = TALLOC_ZERO_P(mem_ctx, struct registry_key))) { - return WERR_NOMEM; - } - - if (!(key-token = dup_nt_token(key, token))) { - TALLOC_FREE(key); - return WERR_NOMEM; - } - - err = regkey_open_internal(key, key-key, hive, token, - desired_access); - - if (!W_ERROR_IS_OK(err)) { - TALLOC_FREE(key); - return err; - } - - *pkey = key; - return WERR_OK; - + return regkey_open_onelevel(mem_ctx, NULL, hive, token, desired_access, + pkey); } WERROR reg_openkey(TALLOC_CTX *mem_ctx, struct registry_key *parent, const char *name, uint32 desired_access, struct registry_key **pkey) { - struct registry_key *key; + struct registry_key *direct_parent = parent; WERROR err; - char *path; + char *p, *path, *to_free; + size_t len; - if (!(key = TALLOC_ZERO_P(mem_ctx, struct registry_key))) { + if (!(path = SMB_STRDUP(name))) { return WERR_NOMEM; } + to_free = path; - if (!(key-token = dup_nt_token(key, parent-token))) { - TALLOC_FREE(key); - return WERR_NOMEM; - } + len = strlen(path); - if (name[0] == '\0') { - /* -* Make a copy of the parent -*/ - path = talloc_strdup(key, parent-key-name); + if ((len 0) (path[len-1] == '\\')) { + path[len-1] = '\0'; } - else { - /* -* Normal subpath open -*/ - path = talloc_asprintf(key, %s\\%s, parent-key-name, - name); - } - if (!path) { - TALLOC_FREE(key); - return WERR_NOMEM; - } + while ((p = strchr(path, '\\')) != NULL) { + char *name_component; + struct registry_key *tmp; - err = regkey_open_internal(key, key-key, path, parent-token, - desired_access); - TALLOC_FREE(path); + if (!(name_component = SMB_STRNDUP(path, (p - path { + err = WERR_NOMEM; + goto error; + } - if (!W_ERROR_IS_OK(err)) { - TALLOC_FREE(key); - return err; + err = regkey_open_onelevel(mem_ctx, direct_parent, + name_component, 
parent-token, + SEC_RIGHTS_ENUM_SUBKEYS, tmp); + SAFE_FREE(name_component); + + if (!W_ERROR_IS_OK(err)) { + goto error; + } + if (direct_parent != parent) { + TALLOC_FREE(direct_parent); + } + + direct_parent = tmp; + path = p+1; } - *pkey = key; - return WERR_OK; + err = regkey_open_onelevel(mem_ctx, direct_parent, path, parent-token, + desired_access, pkey); + error: + if (direct_parent != parent) { + TALLOC_FREE(direct_parent); + } + SAFE_FREE(to_free); + return err; } WERROR reg_enumkey(TALLOC_CTX *mem_ctx, struct registry_key *key, Modified: branches/SAMBA_3_0/source/registry/reg_frontend.c === --- branches/SAMBA_3_0/source/registry/reg_frontend.c 2006-12-05 06:25:12 UTC (rev 20036) +++ branches/SAMBA_3_0/source/registry/reg_frontend.c 2006-12-05 07:36:14 UTC (rev 20037) @@ -301,31 +301,33 @@ return regdb_close(); } -WERROR regkey_open_onelevel( TALLOC_CTX *mem_ctx, REGISTRY_KEY *parent, -REGISTRY_KEY **regkey, const char *name, - const struct nt_user_token
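Review bot: reg_openkey() now splits name on backslashes and opens each component with regkey_open_onelevel(), but only a single trailing backslash is stripped, so a leading or doubled backslash produces an empty name_component that is passed on as a key name. Reject empty components or define what they mean, as the removed code did for name[0] == '\0'. name is also handed to SMB_STRDUP() without the kind of SMB_ASSERT() that the hive path gains in this same change. Intermediate keys are opened with SEC_RIGHTS_ENUM_SUBKEYS under the token of parent and only the last component with desired_access; that deserves a comment, because it changes where access is checked compared with the single regkey_open_internal() call it replaces.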