Re: ***SPAM*** [Samba] LDAP logonHours problem

2007-11-26 Thread Peter Eser
time ago I fiddled a lot with sambaLogonHours. The 2 main problems I can
rethink of were

the Sunday are the first 6 FF, but the first hour is the most RIGHT bit
of this FF

sambaLogonHours is in UTC so you have to calc with your timezone (and that
is weird with daylight saving times, because I believe the bits must be
shuffled when daylight saving time changes)

This was all trial and error, did not find a documentation which was precise
enough. No warranties.



- Original Message -
From: "Peter Molnar" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, November 27, 2007 12:18 AM
Subject: ***SPAM*** [Samba] LDAP logonHours problem


> Hi!
>
> I have a problem according to the logonHours setting in my Samba Domain.
>
> Users are in LDAP, and everyone has a logonHours attribute, which could be:
>
> - login is possible at any time
> - login is only possible between 7AM and 12PM (midnight), 7h-24h in 24
> hours format, I'm going to use 24h format here in this post.
>
> Samba manual states that logonHours is a 168 bit mask, starting with
> Sunday 0h-1h, each bit represents an hour of the week, converted into
> Hex.
>
> Therefore:
>
> For 'any time' login, I'm using
> "FF" This works, users who
> have this in logonHours, can log in at any time.
>
> For logins limited to 7h-24h, I'm using:
> 01010101010101
>
> Here comes the problem, the limited users cannot log in before 10h,
> they get the error "out of login time". Samba log says the same, and
> the timestamp there is correct.
>
> Saturday in the morning, I've tried setting different logonHours
> attributes on my own account, to see which one should be 1 to let me
> log in at that time (between 7h and 8h)
>
> Surprisingly, I got this: "40"
>
> Well, it's 6 hours earlier than I expected, but OK, let's try this
> mask: "7FFFC07FFFC07FFFC07FFFC07FFFC07FFFC07FFFC0"
>
> It worked in the morning but in the afternoon, it didn't.
>
> What could be the problem? My calculations are bad, or timezone
> problem (Hungary, central european time, UTC+1)? Can anyone please
> send me a working logonHours string, or calculate the correct string
> for logins 7h-24h.
>
> Until we figure out what's wrong, can I override the LDAP logonHours
> attributes from smb.conf, to allow everyone to log in, at any time?
>
> Regards,
> Peter

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
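
Added example, not part of the original thread and not Samba's own code: a Python sketch of the layout this reply describes (168 bits, Sunday first, UTC, first hour of each byte in its lowest bit), used to build a 7h-24h mask and to test the mask quoted in the question. The function names, the fixed UTC offset and the sample timestamps are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

HOURS_PER_WEEK = 7 * 24            # 168 bits, one per hour of the week
MASK_BYTES = HOURS_PER_WEEK // 8   # 21 bytes, written as 42 hex digits


def bit_position(utc_weekday, utc_hour):
    """Map a UTC (weekday, hour) to (byte index, bit value); Sunday is day 0.

    utc_hour may fall outside 0..23 after a timezone shift; the position
    wraps around the week.
    """
    pos = (utc_weekday * 24 + utc_hour) % HOURS_PER_WEEK
    # The first hour covered by a byte is its lowest ("most right") bit.
    return pos // 8, 1 << (pos % 8)


def build_logon_hours(local_start, local_end, utc_offset_hours):
    """Hex mask allowing local_start <= hour < local_end on every day.

    Assumes a fixed UTC offset; the mask has to be rebuilt when daylight
    saving time changes the offset.
    """
    mask = bytearray(MASK_BYTES)
    for day in range(7):
        for local_hour in range(local_start, local_end):
            idx, bit = bit_position(day, local_hour - utc_offset_hours)
            mask[idx] |= bit
    return mask.hex().upper()


def logon_allowed(mask_hex, when):
    """Check a timezone-aware datetime against a 42-hex-digit mask."""
    mask = bytes.fromhex(mask_hex)
    if len(mask) != MASK_BYTES:
        raise ValueError("logon hours mask must be 42 hex digits")
    utc = when.astimezone(timezone.utc)
    # isoweekday(): Monday=1 .. Sunday=7, so "% 7" makes Sunday day 0.
    idx, bit = bit_position(utc.isoweekday() % 7, utc.hour)
    return bool(mask[idx] & bit)


# Constructed sample data for the illustration.
CET = timezone(timedelta(hours=1))                            # UTC+1, no DST
SAT_MORNING = datetime(2007, 11, 24, 7, 30, tzinfo=CET)       # Saturday 07:30
SAT_EVENING = datetime(2007, 11, 24, 18, 0, tzinfo=CET)       # Saturday 18:00
POSTED_MASK = "7FFFC0" * 7         # the mask tried in the question

if __name__ == "__main__":
    # Saturday 07:30 CET is 06:30 UTC: byte 18, bit value 0x40.
    print("Saturday 07h CET ->", bit_position(6, 6))
    print("posted mask, morning:", logon_allowed(POSTED_MASK, SAT_MORNING))
    print("posted mask, evening:", logon_allowed(POSTED_MASK, SAT_EVENING))
    winter = build_logon_hours(7, 24, 1)   # UTC+1
    summer = build_logon_hours(7, 24, 2)   # UTC+2 during daylight saving
    print("7h-24h at UTC+1:", winter)
    print("7h-24h at UTC+2:", summer)
    print("UTC+1 mask, evening:", logon_allowed(winter, SAT_EVENING))
```

Under these assumptions the mask from the question has each day's three bytes in reverse order, which is why it admits the Saturday morning logon but rejects the evening one.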


Re: [Samba] "map to guest" in share definition?

2007-11-26 Thread Michael Heydon
As I understand it, the client is authenticated before it specifies 
which share it wants (except under share level security) so having map 
to guest as a per share setting isn't possible.


Couldn't you just specify guest ok = no on the other shares? What issues 
with home directories?


We have several shares with guest access, several without and a homes 
share and haven't had any problems.


*Michael Heydon - IT Administrator *
[EMAIL PROTECTED] 



Tim Bates wrote:

Is it possible to use "map to guest" in a single share?
We have 2 or 3 shares where I want this behavior, but for most I would 
like to not use it due to issues with home directories with bad users.


I would simply try moving that line to a share definition to see what 
happens, but I don't want to break a live server to test (and have no 
spare Samba boxes right now).


Tim B



[Samba] "map to guest" in share definition?

2007-11-26 Thread Tim Bates

Is it possible to use "map to guest" in a single share?
We have 2 or 3 shares where I want this behavior, but for most I would 
like to not use it due to issues with home directories with bad users.


I would simply try moving that line to a share definition to see what 
happens, but I don't want to break a live server to test (and have no 
spare Samba boxes right now).


Tim B



Re: [Samba] Access control question.

2007-11-26 Thread Josh Kelley
On Nov 26, 2007 3:13 PM, Matt Lozier <[EMAIL PROTECTED]> wrote:
> Thanks for this.  I did think about using ACLs, but even if I set this up
> (for *every* directory that our users need access to) won't they still be
> able to *see* those directories even if they don't have r/w/x permission?

Add "hide unreadable = yes" to your smb.conf.

Josh Kelley


Re: [Samba] Installation problem of SAMBA 3.0.23a on HP-UX 11.23

2007-11-26 Thread Eric Roseme
Ryan is correct for both topics.  Go here to get the correct compiler 
(4.2.2):


http://hpux.cs.utah.edu/hppd/hpux/Gnu/gcc-4.2.2/

Also, if you are attempting to compile and install 3.0.23a, you should 
consider using HP CIFS Server 3.0h, which is Samba 3.0.22 plus fixes 
from each release through 3.0.25.  It's free for HP-UX:


http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B8725AA

This is an easy download, install and configure.

Eric Roseme
Hewlett-Packard

Ryan Novosielski wrote:

A compile of Samba requires HP's AnsiC (non-bundled) compiler, or GCC.
At least, I'm pretty sure that's the case.

Anyhow, CIFS/9000 is pretty up-to-date these days. You might consider
not bothering and just installing that from HP.

=R

Béland wrote:

To whom it concern,
 
 
There was no problem at all with the installation of the Depot.
 
Before running the ./configure command I'm setting the following variables like this (as it's mentioned in the README file) :
 
export CFLAGS="-O -DWITH_SYSLOG -DGUEST_ACCOUNT=\\\"smbnull\\\""

export CPPFLAGS="-I/opt/iexpress/openldap/include"
export LDFLAGS="-L/opt/iexpress/openldap/lib"
 
Here is the 'configure' command that I'm using (as it's mentioned in the README file) 
 
./configure \

--sbindir=\${BINDIR} \
--with-krb5  \
--with-ldap \
--with-ldapsam \
--with-ads \
--with-libiconv=/usr/local \
--with-quotas   \
--prefix=/usr/local/samba \
--with-acl-support \
--with-winbind \
--with-pam \
--with-sendfile-support \
--with-shared-modules=idmap_rid \
--disable-pie \
--with-aio-support

And here is the output of that command :
 
SAMBA VERSION: 3.0.23a

checking for gcc... no
checking for cc... cc
checking for C compiler default output file name... configure: error: C compiler
 cannot create executables
See `config.log' for more details.
 
 
And here is the output of the config.log :
 
This file contains any messages produced by compilers while

running configure, to aid debugging if configure makes a mistake.
 
It was created by configure, which was

generated by GNU Autoconf 2.59.  Invocation command line was
 
  $ ./configure --sbindir=${BINDIR} --with-krb5 --with-ldap --with-ldapsam --with-ads --with-libiconv=/usr/local --with-quotas --prefix=/usr/local/samba --with-acl-support --with-winbind --with-pam --with-sendfile-support --with-shared-modules=idmap_rid --disable-pie --with-aio-support
 
## - ##

## Platform. ##
## - ##
 
hostname = trsoracle01

uname -m = ia64
uname -r = B.11.23
uname -s = HP-UX
uname -v = U
 
/usr/bin/uname -p = unknown

/bin/uname -X = unknown
 
/bin/arch  = unknown

/usr/bin/arch -k   = unknown
/usr/convex/getsysinfo = unknown
hostinfo   = unknown
/bin/machine   = unknown
/usr/bin/oslevel   = unknown
/bin/universe  = unknown
 
PATH: /usr/bin

PATH: /usr/sbin
PATH: /sbin
 


## --- ##
## Core tests. ##
## --- ##
 
configure:1901: checking for gcc

configure:1930: result: no
configure:1981: checking for cc
configure:1997: found /usr/bin/cc
configure:2007: result: cc
configure:2171: checking for C compiler version
configure:2174: cc --version &5
(Bundled) cc: HP aC++/ANSI C B3910B A.05.50 [May 15 2003]
configure:2177: $? = 0
configure:2179: cc -v &5
configure:2182: $? = 0
configure:2184: cc -V &5
(Bundled) cc: HP aC++/ANSI C B3910B A.05.50 [May 15 2003]
configure:2187: $? = 0
configure:2210: checking for C compiler default output file name
configure:2213: cc -O -DWITH_SYSLOG -DGUEST_ACCOUNT=\"smbnull\" -D_SAMBA_BUILD_
-I/opt/iexpress/openldap/include -L/opt/iexpress/openldap/lib conftest.c  >&5
(Bundled) cc: warning 922: "-O" is unsupported in the bundled compiler, ignored.
Error 100: "", line 0 # String and character constants cannot span
 lines.
configure:2216: $? = 2
configure: failed program was:
| /* confdefs.h.  */
|
| #define PACKAGE_NAME ""
| #define PACKAGE_TARNAME ""
| #define PACKAGE_VERSION ""
| #define PACKAGE_STRING ""
| #define PACKAGE_BUGREPORT ""
| /* end confdefs.h.  */
|
| int
| main ()
| {
|
|   ;
|   return 0;
| }
configure:2254: error: C compiler cannot create executables
See `config.log' for more details.
 
##  ##

## Cache variables. ##
##  ##
 
ac_cv_env_CC_set=''

ac_cv_env_CC_value=''
ac_cv_env_CFLAGS_set=set
ac_cv_env_CFLAGS_value='-O -DWITH_SYSLOG -DGUEST_ACCOUNT=\"smbnull\"'
ac_cv_env_CPPFLAGS_set=set
ac_cv_env_CPPFLAGS_value=-I/opt/iexpress/openldap/include
ac_cv_env_CPP_set=''
ac_cv_env_CPP_value=''
ac_cv_env_LDFLAGS_set=set
ac_cv_env_LDFLAGS_value=-L/opt/iexpress/openldap/lib
ac_cv_env_build_alias_set=''
ac_cv_env_build_alias_value=''
ac_cv_env_host_alias_set=''
ac_cv_env_host_alias_value=''
ac_cv_env_target_alias_set=''
ac_cv_env_target_alias_value=''
ac_cv_prog_ac_ct_CC=cc
libc_cv_fpie=no
 
## - ##

## Output variables. ##
## - ##
 
ACL_LIBS=''

AR=''
AUTH_LIBS=''
AUTH_MODULES=''
AUTH_STATIC=''
A

Re: [Samba] Re: XFS and inherit permissions bug?

2007-11-26 Thread David Disseldorp
Hi

On Fri, 09 Nov 2007 15:05:22 +0100
"[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:

> Hello
> 
> Here is some more information.
> 
> General infos on my Samba configuration
> ###
> 
> The server is a Debian Etch with distro kernel & Samba package
> (2.6.18-5-686 & 3.0.24-6etch4).
> Users shell is set to /bin/false, they are only accessing this server
> through Samba.
> 
> All files are owned by user root (Administrator) and group
> smb-Administrators (Domain Admins). The basic rights are rwx for root
> and smb-Administrators and nothing for other.
> The inherit permissions parameter is set in smb.conf for Administrator
> user and Domain Admins group to have access to all the files, the
> inherit owner is set to have all files owned by user root, and all
> folders are setgid to have all files owned by group smb-Administrators.
> 
> The users get their access rights using acls and the inherit acls
> parameter is set in smb.conf.
> 
> The windows attributes (archive, hidden and system) are stored in
> extended attributes.

Finally got to the bottom of this one. To sum it up, the setgid bit is lost
by XFS under certain circumstances when performing acl_set_file() as non 
root during inherit_access_acl().

This is different to how EXT3 behaves in this case - setgid remains.

Samba 3.0.24 source/smbd/vfs.c:
370 int vfs_MkDir(connection_struct *conn, const char *name, mode_t mode)
371 {
372 int ret;
373 SMB_STRUCT_STAT sbuf;
374
375 if(!(ret=SMB_VFS_MKDIR(conn, name, mode))) {
376
377 inherit_access_acl(conn, name, mode);

After this there is a check whether any high mode bits are lost (setgid):

384 if(mode & ~(S_IRWXU|S_IRWXG|S_IRWXO) &&
385 !SMB_VFS_STAT(conn,name,&sbuf) && (mode & ~sbuf.st_mode))
386 SMB_VFS_CHMOD(conn,name,sbuf.st_mode | (mode & ~sbuf.st_mode));

Only problem is the SMB_VFS_CHMOD does a chmod_acl() which eventually ends up
calling acl_set_file(), and we're back to where we started ;)

Anyhow this patch for 3.0.24 should fix the setgid inheritance problem:

- start patch -
Index: samba-3.0.24.vanilla/source/smbd/posix_acls.c
===
--- samba-3.0.24.vanilla.orig/source/smbd/posix_acls.c  2007-11-02 
11:12:05.338179162 +1100
+++ samba-3.0.24.vanilla/source/smbd/posix_acls.c   2007-11-22 
17:09:31.351873317 +1100
@@ -3450,7 +3450,12 @@
if ((ret = chmod_acl_internals(conn, posix_acl, mode)) == -1)
goto done;

+   /*
+* high mode bits (SGID) may be lost if acl_set_file is not run as root
+*/
+   become_root();
ret = SMB_VFS_SYS_ACL_SET_FILE(conn, to, SMB_ACL_TYPE_ACCESS, 
posix_acl);
+   unbecome_root();

  done:
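
Review bot: The become_root()/unbecome_root() pair around SMB_VFS_SYS_ACL_SET_FILE makes the ACL write on `to` run with root credentials, so the kernel no longer checks that the connected user is allowed to change that file's ACL, and nothing in the visible lines shows that the caller has verified this beforehand. I would state that precondition in the new comment, or check it before become_root(), and extend the comment to say that this works around XFS dropping the setgid bit, since the elevation otherwise looks unnecessary. Keeping unbecome_root() directly after the call, before anything reads ret or jumps to done:, is right and should stay that way so no path leaves the process elevated.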
- end patch -

The XFS team are looking into the issue. Thanks again for your bug report.

Cheers, Dave

> 
> 
> Reproducing the problem
> ###
> 
> In the base dir of one of my shares I have:
> 
> [EMAIL PROTECTED]:~ # ll /srv/samba/data_inf/
> total 436
> drwxrws---+  7 root smb-Administrators .
> drwxr-xr-x  16 root root   ..
> drwxrws---+ 11 root smb-Administrators ARCHIVES_INF
> drwxrws---+  5 root smb-Administrators BROUILLON_INF
> -rw-rwx---+  1 root smb-Administrators DCI-INF-L-001-F.xls
> drwxrws---+ 10 root smb-Administrators ESPACE_INF
> drwxrws---+  6 root smb-Administrators ESPACE_INF_PUBLIC
> drwxrws---+  2 root smb-Administrators MODELES_INF
> [EMAIL PROTECTED]:~ # getfacl /srv/samba/data_inf/
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/data_inf
> # owner: root
> # group: smb-Administrators
> user::rwx
> group::rwx
> group:smb-Inf:rwx
> group:smb-Bme-Fr:r-x
> mask::rwx
> other::---
> 
> From a Windows client I create a new dir test1:
> 
> [EMAIL PROTECTED]:~ # ll /srv/samba/data_inf/
> total 440
> drwxrws---+  8 root smb-Administrators .
> drwxr-xr-x  16 root root   ..
> drwxrws---+ 11 root smb-Administrators ARCHIVES_INF
> drwxrws---+  5 root smb-Administrators BROUILLON_INF
> -rw-rwx---+  1 root smb-Administrators DCI-INF-L-001-F.xls
> drwxrws---+ 10 root smb-Administrators ESPACE_INF
> drwxrws---+  6 root smb-Administrators ESPACE_INF_PUBLIC
> drwxrws---+  2 root smb-Administrators MODELES_INF
> drwxrwx---+  2 root smb-Administrators test1
> [EMAIL PROTECTED]:~ # getfacl /srv/samba/data_inf/test1/
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/data_inf/test1
> # owner: root
> # group: smb-Administrators
> user::rwx
> group::rwx
> group:smb-Inf:rwx
> group:smb-Bme-Fr:r-x
> mask::rwx
> other::---
> 
> The test1 dir is owned by the group smb-Administrators because the . dir
> is setgid, but it is not setgid.
> From a Windows client I create a new dir test2 in dir test1:
> 
> [EMAIL PROTECTED]:~ # ll /srv/samba/data_inf/test1/
> total 16
> drwxrwx---+ 3 root smb-Administrators   18 2007-11-0
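
Added example, not part of the original thread and not Samba code: a small Python audit that walks a share and lists directories which lack the setgid bit although their parent directory has it, the state shown for test1 in the listing above. The function names and the command-line usage are assumptions made for the illustration.

```python
import os
import stat
import sys


def setgid_lost(parent_mode, child_mode):
    """True if child is a directory without setgid below a setgid parent."""
    return (stat.S_ISDIR(child_mode)
            and bool(parent_mode & stat.S_ISGID)
            and not child_mode & stat.S_ISGID)


def find_lost_setgid(root):
    """Return the sorted paths of directories under root that lost setgid.

    lstat() is used so that symbolic links to directories are not followed
    and are never reported.
    """
    findings = []
    for dirpath, dirnames, _files in os.walk(root):
        parent_mode = os.lstat(dirpath).st_mode
        for name in dirnames:
            child = os.path.join(dirpath, name)
            if setgid_lost(parent_mode, os.lstat(child).st_mode):
                findings.append(child)
    return sorted(findings)


if __name__ == "__main__":
    # Usage (hypothetical script name): python3 audit_setgid.py /srv/samba/data_inf
    share = sys.argv[1] if len(sys.argv) > 1 else "."
    for path in find_lost_setgid(share):
        print("setgid missing:", path)
```

Files created below a reported directory no longer inherit the share's group, so each hit is a place where the group-based access model of the share stops applying.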

[Samba] LDAP logonHours problem

2007-11-26 Thread Peter Molnar
Hi!

I have a problem according to the logonHours setting in my Samba Domain.

Users are in LDAP, and everyone has a logonHours attribute, which could be:

- login is possible at any time
- login is only possible between 7AM and 12PM (midnight), 7h-24h in 24
hours format, I'm going to use 24h format here in this post.

Samba manual states that logonHours is a 168 bit mask, starting with
Sunday 0h-1h, each bit represents an hour of the week, converted into
Hex.

Therefore:

For 'any time' login, I'm using
"FF" This works, users who
have this in logonHours, can log in at any time.

For logins limited to 7h-24h, I'm using:
01010101010101

Here comes the problem, the limited users cannot log in before 10h,
they get the error "out of login time". Samba log says the same, and
the timestamp there is correct.

Saturday in the morning, I've tried setting different logonHours
attributes on my own account, to see which one should be 1 to let me
log in at that time (between 7h and 8h)

Surprisingly, I got this: "40"

Well, it's 6 hours earlier than I expected, but OK, let's try this
mask: "7FFFC07FFFC07FFFC07FFFC07FFFC07FFFC07FFFC0"

It worked in the morning but in the afternoon, it didn't.

What could be the problem? My calculations are bad, or timezone
problem (Hungary, central european time, UTC+1)? Can anyone please
send me a working logonHours string, or calculate the correct string
for logins 7h-24h.

Until we figure out what's wrong, can I override the LDAP logonHours
attributes from smb.conf, to allow everyone to log in, at any time?

Regards,
Peter


Re: [Samba] smb.conf question. multiple /home/shares

2007-11-26 Thread Michael Heydon
Have a look at the section of the man page regarding  the [homes] share. 
It will do all this automatically.


In its simplest form

[homes]
read only = no

will share everyone's home directory read write as \\server\username.


*Michael Heydon - IT Administrator *
[EMAIL PROTECTED] 


Dimitris Theoharis wrote:

Hi

This is what I want to do :
each windows pc will have its own /home/username on this samba server.
for example i have added 3 users so far and my .conf is like this :
[george]
   comment = Home
   path = /home/george
   #valid users = %S
   read only = no
   browsable = yes
[trandism]
   comment = Home
   path = /home/trandism
   read only = no
   browsable = yes
[xristoforos]
   comment = Home
   path = /home/xristoforos
   read only = no
   browsable = yes


now, when each user logs in will he get a \\serverip\username on his
explorer window?

I will include here my smb.conf too. make any suggestions you want ;)


cat /etc/samba/smb.conf
[global]
log file = /var/log/samba/log.%m
hide unreadable = yes
logon drive = H:
hide dot files = yes
null passwords = no
hosts allow = ALL
netbios name = Master
server string = %h server (Samba, Debian)
logon script = \\192.168.10.198\netlogon\%U.bat
workgroup = OCR
logon path = \\192.168.10.198\%U
security = user
domain logons = yes
log level = 3
winbind cache time = 10

   #passdb backend = tdbsam
   #username map = /etc/samba/smbusers
   #name resolve order = lmhosts bcast hosts
   #preferred master = yes
   #os level = 65

   # Default logon


   # Useradd scripts
   #add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
   #delete user script = /usr/sbin/userdel -r %u
   #add group script = /usr/sbin/groupadd %g
   #delete group script = /usr/sbin/groupdel %g
   #add user to group script = /usr/sbin/usermod -G %g %u
   #add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
   #idmap uid = 15000-2
   #idmap gid = 15000-2
   #template shell = /bin/bash

   # set the loglevel

  #[public]
   #path = /home/shares
   #browseable = yes
   #public = yes
   #write list = @users


[george]
   comment = Home
   path = /home/george
   #valid users = %S
   read only = no
   browsable = yes
[trandism]
   comment = Home
   path = /home/trandism
   read only = no
   browsable = yes
[xristoforos]
   comment = Home
   path = /home/xristoforos
   read only = no
   browsable = yes

[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   admin users = Administrator
   valid users = %U
   read only = no
   guest ok = yes
   writable = no
   #share modes = no

[profile]
   comment = User profiles
   path = /home/samba/profiles
   valid users = %U
   create mode = 0600
   directory mode = 0700
   writable = yes
   browsable = no
   guest ok = no

[allusers]
  comment = All Users
  path = /home/shares/allusers
  valid users = @users
  force group = users
  create mask = 0660
  directory mask = 0771
  writable = yes
  



Re: [Samba] Wondering if there is an option like banner

2007-11-26 Thread Michael Heydon
I'm not 100% sure (I've only ever used security = user), but I believe 
you can still have map to guest = bad user, they may still be prompted 
for a username and password but they could put in almost anything 
(except a valid username) and they would be granted access.


The man page only says that map to guest isn't valid with security = 
share, which suggests that it should work when you are authing against 
another server.


*Michael Heydon - IT Administrator *
[EMAIL PROTECTED] 



Max León wrote:

Well while the global option security is still set as server, it will prompt
for a user and a password, I do have it set to a guest account, which I
designated to nobody but the user must know this and this is why I'm looking
for an easy embedded way to let them be aware of it.

On 11/23/07, Koenraad Lelong <[EMAIL PROTECTED]> wrote:

Max León wrote:

Hi everyone,
I have been googling quite a bit and going through the samba documentation
looking for something like a banner for a share and nothing came up.
I need to setup a public share on a server that is currently running with
server security, so I added the nobody account to the smbpasswd with null
password, but I want to set a banner on the share that let people know
this.  Is this possible?
Running samba 3.0.26a on slackware 12.0

Thanks so much.

There is a comment field for the share.

Regards,
Koenraad Lelong.


Re: [Samba] Strange file permissions

2007-11-26 Thread DNL



Mark Adams wrote:

Is sgid on the top level dir?

Set for subdirectory cp, but not for projects as different directories at that 
level require no access control
/projects/cp# ls -al
total 164
drwxrws--- 26 dnl cp 4096 2007-11-23 15:37 .
drwxr-xr-x 17 rootroot   4096 2007-11-16 22:35 ..
drwxrws---  2 daniel  cp 4096 2007-06-18 11:52 4 Spencer Close
drwxrws---  2 daniel  cp 4096 2007-09-01 19:20 Addresses



Also have you tried force group samba option?
My understanding is that this would force the same group for all the PROJECT share, but I only want it for a subdirectory. Am I forced into 
making projects/cp a separate share and using this samba option?


Mark.

Thanks for your response.
Dave.



On 24 Nov 2007, at 13:13, DNL <[EMAIL PROTECTED]> wrote:


Hi
I have a samba server with tdbsam passwords, and a share, PROJECTS,
which is accessed by various XP home clients, the usernames and passwords
being manually synced to the samba ones (less than 10 users, and only 4
workstations). There is one win2K machine, which is a domain member. 
Subdirectories on PROJECTS have g+s set, so only users,
who are members of specific Linux groups, have access to the files in 
them.

Recently, a laptop with XP professional has been connected, and the user
on it can access the correct directories, but when he edits or creates a
file, the group owner and file permissions are wrong:

/home/projects/cp/CP 2007# ls -alt
total 2932
drwxrwsrw-  4 daniel  cp  4096 2007-11-24 12:35 .
-r  1 haffers BUILTIN\users 197120 2007-11-24 12:34 CP 11 
Nova.xls
-rw-rw-rw-  1 haffers BUILTIN\users 199168 2007-11-23 19:47 CP 10 
Octa.xls

drwxrwsrwx  2 daniel  cp  4096 2007-11-23 19:34 FORMS 2007
-rw-rw-rw-  1 haffers BUILTIN\users 299520 2007-11-23 19:20 2007 
ANALYSIS.xls

drwxrws--- 26 dnl cp  4096 2007-11-23 15:37 ..
-r  1 haffers BUILTIN\users 197120 2007-11-23 14:40 CP 10 Oct.xls
-rwxrwx---  1 haffers cp196608 2007-11-18 18:51 CP 11 Nov.xls
-rwxrwx---  1 haffers cp192512 2007-11-18 17:47 CP 09 Sep.xls

The files he creates are therefore unusable until permissions are 
changed.

Various searches on the internet and reading of the Samba documentation
have failed to give me any idea on why this is happening, or how to put it
right. How is Samba managing to not respect the Linux g+s bit? How 
do I make this system work correctly? Can you assist?


Background information:
The log-on of the user on the XP professional machine:

# tail -14 andylap.old
[2007/11/24 01:32:01, 1] smbd/service.c:close_cnum(1150)
andylap (192.168.0.168) closed connection to service projects
[2007/11/24 11:13:20, 2] smbd/sesssetup.c:setup_new_vc_session(799)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2007/11/24 11:13:20, 2] smbd/sesssetup.c:setup_new_vc_session(799)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2007/11/24 11:13:20, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.0.168)
[2007/11/24 11:13:20, 2] smbd/reply.c:reply_tcon_and_X(711)
Serving IPC$ as a Dfs root
[2007/11/24 11:13:20, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: authentication for user [haffers] -> [haffers]
-> [haffers] succeeded
[2007/11/24 11:13:20, 2] smbd/utmp.c:sys_utmp_update(419)
utmp_update: uname:/var/run/utmp wname:/var/log/wtmp

# head -24 andylap
[2007/11/24 11:13:20, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.0.168)
[2007/11/24 11:13:20, 1] smbd/service.c:make_connection_snum(950)
andylap (192.168.0.168) connect to service projects initially as user
haffers (uid=529, gid=502) (pid 17358)
[2007/11/24 11:13:20, 2] smbd/reply.c:reply_tcon_and_X(711)
Serving projects as a Dfs root
[2007/11/24 11:13:20, 2] smbd/utmp.c:sys_utmp_update(419)
utmp_update: uname:/var/run/utmp wname:/var/log/wtmp
[2007/11/24 11:13:20, 1] smbd/service.c:close_cnum(1150)
andylap (192.168.0.168) closed connection to service projects
[2007/11/24 11:13:20, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: authentication for user [haffers] -> [haffers]
-> [haffers] succeeded
[2007/11/24 11:13:20, 2] smbd/utmp.c:sys_utmp_update(419)
utmp_update: uname:/var/run/utmp wname:/var/log/wtmp
[2007/11/24 11:13:20, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.0.168)
[2007/11/24 11:13:20, 1] smbd/service.c:make_connection_snum(950)
andylap (192.168.0.168) connect to service projects initially as user
haffers (uid=529, gid=502) (pid 17358)
[2007/11/24 11:13:20, 2] smbd/reply.c:reply_tcon_and_X(711)
Serving projects as a Dfs root
[2007/11/24 11:14:36, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.0.168)
[2007/11/24 11:14:36, 2] smbd/reply.c:reply_tcon_and_X(711)
Serving IPC$ as a Dfs root

The most recent problem file in that log:
/var/log/samba# grep Nova andylap
 unix_mode(cp/CP 2007/CP 11 Nova.xls) inheriti

[Samba] Point-and-Print driver problems with unprivileged users on XP

2007-11-26 Thread Marcus Sobchak <[EMAIL PROTECTED]>
Hi,

I've problems to install printer drivers as a normal user with
unprivileged rights on WinXP in a samba 3.0.24 domain (debian etch)
using the "Point-and-Print" mechanism. I've read Volker Lendecke's Samba
book on page 131 footnote 1, which mentions to enable "point and print".
Which reg keys do I have to set to install drivers by "Point and Print"?
I've set keys like described in

  http://support.microsoft.com/kb/319939/en

but this does not work? Installing the drivers from the print$ share
working as domain admin works fine. Therefore I think, I've
forgotten to set some rights on the local XP machine.

smb.conf:

[global]

load printers = yes
printing = cups
printcap name = cups



[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
public = no
writable = no
create mode = 0700

[print$]
comment = Drucker Treiber
path = /var/lib/samba/printers
browseable = yes
read only = yes 
guest ok = no
write list = root, ntadmin

Cheers,
Marcus



[Samba] Upgraded from 3.0.24 to 3.0.27a now no admin permissions

2007-11-26 Thread Gary MacKay
I have verified all of the "net groupmap list" groups are still mapped 
right. The "net rpc " commands show the proper SID's and users that are 
members of the adm (unix) and "Domain Admins" groups. Everything seems 
correct, except that now there are no admin privileges. All users can 
log in to the server and their workstations fine. The problem are all of 
the users who are members of the "Domain Admins" group do not have admin 
rights now. What changed?? All I did was download the tarball for 
3.0.27a and run the RHEL/makerpms.sh script. After that I just did a rpm 
-Uvh samba*.rpm and it upgraded with no errors.





Re: [Samba] [samba pdc] serverbased profiles doesnt load at winxp login

2007-11-26 Thread John Drescher
> at the moment it work that user can login on my clients (all windows xp pro
> sp2), the homedrive is mapped correctly, the only thing that doesn't work, is
> that the serverbased profile is saved automatically on the server, so that
> the user can download the profile at login.
>
>
You did not mention what the exact problem is. My guess is you need
profile acls = yes in your profiles share.

John


Re: [Samba] [samba pdc] serverbased profiles doesnt load at winxp login

2007-11-26 Thread John Drescher
> You did not mention what the exact problem is. My guess is you need
> profile acls = yes in your profiles share.
>
Sorry that is at the end of your email. Possibly this is a nmbd problem.

John


[Samba] [samba pdc] serverbased profiles doesnt load at winxp login

2007-11-26 Thread Christian
I've installed samba 3 on a debian 4, the samba server should act like a pdc.

at the moment it work that user can login on my clients (all windows xp pro
sp2), the homedrive is mapped correctly, the only thing that doesn't work, is
that the serverbased profile is saved automatically on the server, so that
the user can download the profile at login.

 

here is my smb.conf:

[global]
 workgroup = lecture
 server string = %h server
 netbios name = samba_pdc
 interfaces = 127.0.0.1, 192.168.10.0/24
 hosts allow = 127.0.0.1, 192.168.10.0/24
 hosts deny = all
 map to guest = Bad User
 passwd program = /usr/bin/passwd %u
 passwd chat = *password* %n\n *password* %n\n *changed*
 passwd chat debug = yes
#username map = /etc/samba/smbusers
 unix password sync = yes
 log level = 2
 passdb backend = smbpasswd
 encrypt passwords = yes
 log file = /var/log.%m

#Samba as PDC

 domain logons = yes
 preferred master = Yes
 domain master = Yes
 os level = 65
#netbios name = samba_pdc
 logon path = \\%L\home\samba\profiles\%U
 logon drive = Z:
 logon script = logon.bat
 wins support = yes
 name resolve order = wins lmhosts host bcast
 admin users = root
 security = user
#guest ok = no
 encrypt passwords = yes
 null passwords = no

[homes]
 comment = Home Directories
 valid users = %S
 read only = no
 inherit acls = yes
 browseable = no

[profiles]
 comment = Network Profiles Service
 path = /home/samba/profiles
 read only = no
 create mask = 0600
 directory mask = 0700
 store dos attributes = yes
 browsable = no
 guest ok = no
 printable = no
#hide files = /desktop.ini/outlook*.Ink/*Briefcase*/

[public]
 comment = Public
 path = /home/samba/public
 browseable = yes
 create mask = 0777
 directory mask = 0777
 guest ok = yes
 writeable = yes
 share modes = yes

[netlogon]
 comment = Network Logon Service
 path = /home/samba/netlogon
 writeable = no
 browseable = no

 

i created the directories of the profiles manually, and give the rights 0777
(for testing). i assigned the profiles to their owners.

 

here is the log (with an error!):

 

[2007/11/13 15:52:15, 2] lib/access.c:check_access(323)
  Allowed connection from  (192.168.10.2)
[2007/11/13 15:52:15, 2] smbd/reply.c:reply_tcon_and_X(711)
  Serving IPC$ as a Dfs root
[2007/11/13 15:52:15, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2797)
  Returning domain sid for domain LECTURE -> S-1-5-21-1599594011-1679142555-2671711842
[2007/11/13 15:52:18, 2] lib/access.c:check_access(323)
  Allowed connection from  (192.168.10.2)
[2007/11/13 15:52:18, 2] smbd/reply.c:reply_tcon_and_X(711)
  Serving IPC$ as a Dfs root
[2007/11/13 15:52:18, 2] lib/access.c:check_access(323)
  Allowed connection from  (192.168.10.2)
[2007/11/13 15:52:18, 2] smbd/reply.c:reply_tcon_and_X(711)
  Serving IPC$ as a Dfs root
[2007/11/13 15:52:18, 0] smbd/service.c:make_connection()
  x20 (192.168.10.2) couldn't find service home
[2007/11/13 15:52:18, 2] lib/access.c:check_access(323)
  Allowed connection from  (192.168.10.2)
[2007/11/13 15:52:18, 2] smbd/reply.c:reply_tcon_and_X(711)
  Serving IPC$ as a Dfs root

 

(x20 is the netbios name of a client)

The server is pingable from the clients by IP and by netbios name! For
tests I also set the smb-server as WINS and DNS on the clients - with the
same error on login.

When a user logs in on a client the user profile doesn't load, and an error
message pops up, for about 30 seconds, with roughly this message: "the
networkname cant be found".

The profiles are set to serverbased on the clients (it's the standard).

I don't know if it's important, but: the clients log in through vpn (the vpn
server is the same machine as the samba server), vpn seems to work
correctly.

Sorry for my bad English. Hope someone can help.

chris

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
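The log excerpt in this post shows smbd unable to find a service named home, and the posted logon path has home as its share component, while the shares defined are [homes], [profiles], [public] and [netlogon]. The following is an added example, not part of the original post: a static check that compares the share named in `logon path` / `logon home` with the sections of the same smb.conf. The function names and the trimmed sample config are constructed for illustration.

```python
import configparser
import re

# Constructed sample: the lines of the posted smb.conf that matter for this check.
SAMPLE_SMB_CONF = r"""
[global]
 netbios name = samba_pdc
 domain logons = yes
 logon path = \\%L\home\samba\profiles\%U
 logon drive = Z:
 encrypt passwords = yes
 encrypt passwords = yes

[homes]
 valid users = %S

[profiles]
 path = /home/samba/profiles

[public]
 path = /home/samba/public

[netlogon]
 path = /home/samba/netlogon
"""

UNC_PARAMS = ("logon path", "logon home")


def load_smb_conf(text):
    """Parse smb.conf text; '%' macros stay literal and repeated keys are allowed."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    # smb.conf does not use indentation for continuation lines, so strip it.
    parser.read_string("\n".join(line.strip() for line in text.splitlines()))
    return parser


def split_unc(value):
    """Split a UNC value into (server, share, [remaining components]) or None."""
    match = re.match(r"^\\\\([^\\]+)\\([^\\]+)((?:\\[^\\]+)*)\\?$", value.strip())
    if not match:
        return None
    rest = [part for part in match.group(3).split("\\") if part]
    return match.group(1), match.group(2), rest


def guess_share(conf, share, rest):
    """Suggest a share whose 'path' equals the UNC components read as a Unix path.

    This catches a UNC value written with the filesystem path instead of the
    share name.
    """
    literal = [part for part in [share] + rest if "%" not in part]
    as_fs_path = "/" + "/".join(literal)
    for name in conf.sections():
        path = conf.get(name, "path", fallback="").rstrip("/")
        if path and (as_fs_path == path or as_fs_path.startswith(path + "/")):
            return name
    return None


def check_logon_paths(text):
    """Return findings for logon path / logon home values naming an undefined share."""
    conf = load_smb_conf(text)
    if not conf.has_section("global"):
        return []
    shares = {name.lower() for name in conf.sections()} - {"global"}
    # %L and %h expand to this server's own name, as does its netbios name.
    local_names = {"%l", "%h", conf.get("global", "netbios name", fallback="").lower()}
    findings = []
    for param in UNC_PARAMS:
        value = conf.get("global", param, fallback=None)
        parsed = split_unc(value) if value else None
        if parsed is None:
            continue  # unset, or not a UNC path this check understands
        server, share, rest = parsed
        if server.lower() not in local_names:
            continue  # another server's shares are not visible in this file
        if share.lower() == "%u":
            # A per-user share name is served through the [homes] section.
            problem = None if "homes" in shares else "per-user share needs a [homes] section"
        elif "%" in share or share.lower() in shares:
            problem = None  # defined, or a macro that cannot be resolved statically
        else:
            # Caveat: with [homes] present, a share named after an existing Unix
            # user would still resolve; this static check cannot see the user list.
            problem = "share [%s] is not defined in this file" % share
        if problem:
            findings.append({"param": param, "share": share, "problem": problem,
                             "hint": guess_share(conf, share, rest)})
    return findings


if __name__ == "__main__":
    for finding in check_logon_paths(SAMPLE_SMB_CONF):
        print(finding)
```

On the sample, the check reports the share `home` as undefined and points at `[profiles]`, whose `path` matches the rest of the UNC value.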


RE: [Samba] Access control question.

2007-11-26 Thread Matt Lozier
Hi Andrew,

Thanks for this.  I did think about using ACLs, but even if I set this up
(for *every* directory that our users need access to) won't they still be
able to *see* those directories even if they don't have r/w/x permission?

I'm looking for a way to setup user permissions so that they can only see
that which they have access to.

Thanks again for the pointer, and if any thoughts come to mind, please do
share!

---
Matt Lozier
IT Analyst
972.644.2581, ext. 248
972.661.2701  fax
 

 
-Original Message-
From: Andrew Sherlock-CF [mailto:[EMAIL PROTECTED] 
Sent: Thursday, November 22, 2007 8:34 AM
To: Matt Lozier; samba@lists.samba.org
Subject: RE: [Samba] Access control question.

Hi Matt,

You may wish to look into the 'setfacl' command.

http://bama.ua.edu/cgi-bin/man-cgi?setfacl+1

Hope this helps!

--- 

> -Original Message-
> From: Matt Lozier [mailto:[EMAIL PROTECTED] 
> Sent: 21 November 2007 17:39
> To: Andrew Sherlock-CF; samba@lists.samba.org
> Subject: RE: [Samba] Access control question.
> 
> Hi Andrew,
> 
> Thank you for your response.  The only problem with going 
> this route is that
> I really need to have finer grain control over what the users 
> are able to
> access.
> 
> I have situations where user1 needs to have access to 
> /smbshare/dir1 and
> dir3 then user2 needs to have access to /smbshare/dir1/subdir1 and
> /smbshare/dir3, but *no* access to /smbshare/dir1.  I suppose 
> that the real
> problem lies in the poor setup of the root /smbshare.  
> However, any changes
> to this configuration are out of the question because too 
> many people who
> are resistant to change already understand things the way they are ;-)
> 
> If I understand LDAP properly (I'm new to this technology) 
> then I should be
> able to store user permissions in the LDAP database, no?
> 
> Thanks,
> Matt
> 
> 
> -Original Message-
> From: Andrew Sherlock-CF [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, November 21, 2007 11:07 AM
> To: Matt Lozier; samba@lists.samba.org
> Subject: RE: [Samba] Access control question.
> 
> Is it out of the question to create many different shares and then
> secure the system on a per-share basis?
> 
> I'm securing shares individually using Active Directory.
> In each share config I have:
> valid [EMAIL PROTECTED] @MR_ADGROUP_FOR_READING
> write [EMAIL PROTECTED]
> read [EMAIL PROTECTED]
> 
> Create different groups for each share and you're golden.
> 
> Of course, this model can be followed without AD.
> 
> --- 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED]
> > g] On Behalf Of Matt Lozier
> > Sent: 21 November 2007 15:58
> > To: samba@lists.samba.org
> > Subject: [Samba] Access control question.
> > 
> > Hello,
> > 
> >  
> > 
> > I have a general administrative question concerning Samba shares.
> > 
> >  
> > 
> > I have a large amount of data that about 25 users have 
> > limited access to.  I
> > only want these users to have access to a sub-set of this 
> > data, but I also
> > only want the users to see that which they have access to.
> > 
> >  
> > 
> > So, for example, suppose that the share looks like thus: 
> > 
> > /smbshare
> > 
> > /smbshare/dir1
> > 
> > /smbshare/dir2
> > 
> > /smbshare/dir3
> > 
> >  
> > 
> > And I only want the users to see that they have access to 
> > /smbshare/dir1 and
> > /smbshare/dir3.  The way that this is currently setup is that I have
> > symlinks from the user's home directory to /smbshare/dir1 and
> > /smbshare/dir3.  That way then the user maps their home 
> > share, they only see
> > dir1 and dir3 - dir2 is out of sight, and thus (hopefully) 
> > out of mind.
> > 
> >  
> > 
> > Is there a better way to implement what I'm trying to do?  
> > I'm currently
> > looking into setting up permissions as an LDAP directory and 
> > using this as
> > the means to control access to the data - have also 
> > considered using ACLs -
> > not sure which way to go!
> > 
> >  
> > 
> > Any and all help / input is appreciated.
> > 
> >  
> > 
> > Thank you,
> > 
> > Matt
> > 
> > 
> 
> http://www.bbc.co.uk/
> This e-ma

Re: [Samba] Share root directory appears in subdirectories. (Well, can't actually see it but can cd into it, even if its not there.) (Serious bug?)

2007-11-26 Thread Mark Adams

Check your filesystem.

Reminder, unmount then fsck.ext3 /my/dev/path

Mark.


On 24 Nov 2007, at 14:58, "Wiesner Thomas" <[EMAIL PROTECTED]>  
wrote:


Additionally to the problems I reported earlier, I've discovered
another problem with my server/client setup.


find reports

find: WARNING: Hard link count is wrong for ./foo: this may be a bug  
in your filesystem driver.
Automatically turning on find's -noleaf option.  Earlier results may  
have failed to include directories that should have been searched.


in one directory, and if I browse this directory I see
completely wrong files in it (Actually, I seem to see the contents
of the upper level directory). This problem doesn't appear with
Win2K clients and the filesystem itself is OK.

Samba Version 3.0.24 on the server (Debian Etch), according to smbd -V.

As mount helper I use mount.cifs, compiled from samba-3.0.26a.
The kernels on the server and client are the Debian default kernels
(2.6.18-5-486 and 2.6.18-5-686).


The directory structure looks like:
/dir1/dir2/dir3

where dir2 is the mountpoint.

If I 'cd' into dir4 from dir3, I see the contents of dir2. It may
have to do with the fact that the name of dir4 is the
same as dir2 ...

Example:
/coffee/cup$ ls
 Dir contents of cup
/coffee/cup$ cd foo
/coffee/cup/foo$ ls
 cup, water
/coffee/cup/foo$ cd cup
/coffee/cup/foo/cup$ ls
 The contents of /coffee/cup and not of /coffee/cup/foo/cup are  
shown and I can even access those wrong files!


This seems to be a definite bug in either Samba or the filesystem  
driver. This may even be a security hole in some way.

(Can't think of any now, but who knows.)

I played around a bit and found the following out: The problem  
appears when a directory has the same name as the mount point.

I can even 'cd' into a directory which isn't there:

(Mount point is gstorage, share name is gstorage too, don't know if  
this matters, I haven't investigated it)

/cifsmounts/gstorage$ cd anydir
/cifsmounts/gstorage/anydir$ cd gstorage
/cifsmounts/gstorage/anydir/gstorage$
Crazy. I seem to be in the root of the share again(!), even if the  
directory gstorage doesn't exist in 'anydir'.
I called it anydir, because it works from any directory (but it must  
be one level below the share root).
In /cifsmounts/gstorage/anydir/gstorage I can see the contents of  
the root of the share, again. If there is a dir with the share name

the contents are overridden, like described above.

I've tried this on a client running 2.6.22.10. Same problem from
this one too. Seems to be either an undiscovered kernel or Samba bug.



 mfg Wiesner Thomas


Re: [Samba] Strange file permissions

2007-11-26 Thread Mark Adams

Is sgid on the top level dir?

Also have you tried force group samba option?

Mark.


On 24 Nov 2007, at 13:13, DNL <[EMAIL PROTECTED]> wrote:


Hi
I have a samba server with tdbsam passwords, and a share, PROJECTS,
which is accessed by various XP home clients, the usernames and passwords
being manually synced to the samba ones (less than 10 users, and only 4
workstations). There is one win2K machine, which is a domain member.
Subdirectories on PROJECTS have g+s set, so only users
who are members of specific Linux groups have access to the files in them.
Recently, a laptop with XP professional has been connected, and the user
on it can access the correct directories, but when he edits or creates a
file, the group owner and file permissions are wrong:

/home/projects/cp/CP 2007# ls -alt
total 2932
drwxrwsrw-  4 daniel  cp  4096 2007-11-24 12:35 .
-r  1 haffers BUILTIN\users 197120 2007-11-24 12:34 CP 11 Nova.xls
-rw-rw-rw-  1 haffers BUILTIN\users 199168 2007-11-23 19:47 CP 10 Octa.xls
drwxrwsrwx  2 daniel  cp  4096 2007-11-23 19:34 FORMS 2007
-rw-rw-rw-  1 haffers BUILTIN\users 299520 2007-11-23 19:20 2007 ANALYSIS.xls
drwxrws--- 26 dnl cp  4096 2007-11-23 15:37 ..
-r  1 haffers BUILTIN\users 197120 2007-11-23 14:40 CP 10 Oct.xls
-rwxrwx---  1 haffers cp196608 2007-11-18 18:51 CP 11 Nov.xls
-rwxrwx---  1 haffers cp192512 2007-11-18 17:47 CP 09 Sep.xls


The files he creates are therefore unusable until permissions are changed.
Various searches on the internet and reading of the Samba documentation
have failed to give me any idea on why this is happening, or how to put it
right. How is Samba managing to not respect the Linux g+s bit?
How do I make this system work correctly? Can you assist?


Background information:
The log-on of the user on the XP professional machine:

# tail -14 andylap.old
[2007/11/24 01:32:01, 1] smbd/service.c:close_cnum(1150)
andylap (192.168.0.168) closed connection to service projects
[2007/11/24 11:13:20, 2] smbd/sesssetup.c:setup_new_vc_session(799)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2007/11/24 11:13:20, 2] smbd/sesssetup.c:setup_new_vc_session(799)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2007/11/24 11:13:20, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.0.168)
[2007/11/24 11:13:20, 2] smbd/reply.c:reply_tcon_and_X(711)
Serving IPC$ as a Dfs root
[2007/11/24 11:13:20, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: authentication for user [haffers] -> [haffers]
-> [haffers] succeeded
[2007/11/24 11:13:20, 2] smbd/utmp.c:sys_utmp_update(419)
utmp_update: uname:/var/run/utmp wname:/var/log/wtmp

# head -24 andylap
[2007/11/24 11:13:20, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.0.168)
[2007/11/24 11:13:20, 1] smbd/service.c:make_connection_snum(950)
andylap (192.168.0.168) connect to service projects initially as user
haffers (uid=529, gid=502) (pid 17358)
[2007/11/24 11:13:20, 2] smbd/reply.c:reply_tcon_and_X(711)
Serving projects as a Dfs root
[2007/11/24 11:13:20, 2] smbd/utmp.c:sys_utmp_update(419)
utmp_update: uname:/var/run/utmp wname:/var/log/wtmp
[2007/11/24 11:13:20, 1] smbd/service.c:close_cnum(1150)
andylap (192.168.0.168) closed connection to service projects
[2007/11/24 11:13:20, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: authentication for user [haffers] -> [haffers]
-> [haffers] succeeded
[2007/11/24 11:13:20, 2] smbd/utmp.c:sys_utmp_update(419)
utmp_update: uname:/var/run/utmp wname:/var/log/wtmp
[2007/11/24 11:13:20, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.0.168)
[2007/11/24 11:13:20, 1] smbd/service.c:make_connection_snum(950)
andylap (192.168.0.168) connect to service projects initially as user
haffers (uid=529, gid=502) (pid 17358)
[2007/11/24 11:13:20, 2] smbd/reply.c:reply_tcon_and_X(711)
Serving projects as a Dfs root
[2007/11/24 11:14:36, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.0.168)
[2007/11/24 11:14:36, 2] smbd/reply.c:reply_tcon_and_X(711)
Serving IPC$ as a Dfs root

The most recent problem file in that log:
/var/log/samba# grep Nova andylap
 unix_mode(cp/CP 2007/CP 11 Nova.xls) inheriting from cp/CP 2007
 unix_mode(cp/CP 2007/CP 11 Nova.xls) inherit mode 42776
 haffers opened file cp/CP 2007/CP 11 Nova.xls read=Yes write=No  
(numopen=3)

 unix_mode(cp/CP 2007/CP 11 Nova.xls) inheriting from cp/CP 2007
 unix_mode(cp/CP 2007/CP 11 Nova.xls) inherit mode 42776
 haffers opened file cp/CP 2007/CP 11 Nova.xls read=No write=No  
(numopen=4)

 haffers closed file cp/CP 2007/CP 11 Nova.xls (numopen=3)
 haffers closed file cp/CP 2007/CP 11 Nova.xls (numopen=2)
 unix_mode(cp/CP 2007/CP 11 Nova.xls) inheriting from cp/CP 2007
 unix_mode(cp/CP 2007/CP 11 Nova.xls) inherit mode 42776
 haffers opened file cp/CP 2007/CP 11

Re: [Samba] Pls delete this off the internet IMMEDIATELY

2007-11-26 Thread Ryan Novosielski

You've got to be kidding.

If it was something you sent to a mailing list, forget it, it's
hopeless. You may get it removed from one place, but there are so many
places that archive mailing lists that when it leaves your machine, it's
out there.

=R

[EMAIL PROTECTED] wrote:
> http://groups.google.com/group/linux.samba/browse_thread/thread/d669e5e24f24e1f6/236c73e8a362b5e6?hl=en&q=jpmchase.com#236c73e8a362b5e6
> 
> -
> This communication is for informational purposes only. It is not
> intended as an offer or solicitation for the purchase or sale of
> any financial instrument or as an official confirmation of any
> transaction. All market prices, data and other information are not
> warranted as to completeness or accuracy and are subject to change
> without notice. Any comments or statements made herein do not
> necessarily reflect those of JPMorgan Chase & Co., its subsidiaries
> and affiliates.
> 
> This transmission may contain information that is privileged,
> confidential, legally privileged, and/or exempt from disclosure
> under applicable law. If you are not the intended recipient, you
> are hereby notified that any disclosure, copying, distribution, or
> use of the information contained herein (including any reliance
> thereon) is STRICTLY PROHIBITED. Although this transmission and any
> attachments are believed to be free of any virus or other defect
> that might affect any computer system into which it is received and
> opened, it is the responsibility of the recipient to ensure that it
> is virus free and no responsibility is accepted by JPMorgan Chase &
> Co., its subsidiaries and affiliates, as applicable, for any loss
> or damage arising in any way from its use. If you received this
> transmission in error, please immediately contact the sender and
> destroy the material in its entirety, whether in electronic or hard
> copy format. Thank you.
> 
> Please refer to http://www.jpmorgan.com/pages/disclosures for
> disclosures relating to UK legal entities.


- --
  _  _ _  _ ___  _  _  _
 |Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Systems Programmer II
 |$&| |__| |  | |__/ | \| _| |[EMAIL PROTECTED] - 973/972.0922 (2-0922)
 \__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630

[Samba] Pls delete this off the internet IMMEDIATELY

2007-11-26 Thread patrick . r . bussey
http://groups.google.com/group/linux.samba/browse_thread/thread/d669e5e24f24e1f6/236c73e8a362b5e6?hl=en&q=jpmchase.com#236c73e8a362b5e6



[Samba] Query a Windows 2003 AD server for specific information

2007-11-26 Thread Rondall Stewart
The Question:  What command do I use to query a Windows 2003 AD server to
return the Organizational Unit of a specific user? Also, what would be the
command that would return the “Home Directory” path as specified in the Account
Properties of the Windows 2003 account?

The Environment: Windows 2003 Domain with 1 plus users
8000 Windows 2k/XP workstations
1100 Terminal Clients connecting to SuSE Linux Enterprise Server 10
Authentication between Linux and Windows using Samba Version 
3.0.24-2.28-1354-SUSE-CODE10
Winbind Version 3.0.24-2.28-1354-SUSE-CODE10

All users have a “home directory”  located on a Windows server.  The path is 
set in their AD account and  mapped to H: When they login to a XP or 2000 
workstation.  This is setup in a school district.  Users can be either logged 
into windows or into Linux.   

The path to the home directory is ODD at best.  I didn't set it up, nor can I 
change it.

For teachers they are mapped to \\server\teachers\”username”
For students it is a little more complicated.  Each school has its own OU.
Therefore, the Windows admins created a path that is similar to this
\\server\”OUname”\”username”  The problem is there are 1 students divided
between 30 OUs.

Thanks in advance.





[Samba] Winbind / AIX 5.3 returns incomplete user informations

2007-11-26 Thread Jérôme Oufella
Hi,

We are facing a problem on AIX 5.3 (latest patch) where the following
behavior happens. Reproduced with versions of samba from 3.0.23 to
3.0.26a.


# Normal behavior :
# id and id username should return the same info
#
[EMAIL PROTECTED]:/# id
uid=0(root) gid=0(system)
groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)

[EMAIL PROTECTED]:/# id root
uid=0(root) gid=0(system)
groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)



# Now let's su to a winbind user :
[EMAIL PROTECTED]:/# su winuser1

# Running id only returns the users principal group.
# this also affects file ownership checks in smbd, which is our main
problem.
[EMAIL PROTECTED]:/# id
uid=10013(winuser1) gid=10002(domain users)


# while id  returns the full list :

[EMAIL PROTECTED]:/$ id winuser1
uid=10013(winuser1) gid=10002(domain users)
groups=10283(lint-lecsysteme-gpic-inventaire),10277(lint-lecsysteme),10224(lint-lec
ysteme-imax),10186(lint-lecsysteme-gpic),10162(lint-lecsysteme-txtele),10132(gint-app-lecinstructdocfisc),10119(gint-prd-lecs
steme-txtele),10118(gint-dev-lecconstatsinfractions),10819(gsamba),10106(gint-prd-lecsysteme),10101(gint-prd-lecresshum-abonn
bus),10094(gint-prd-lecsysteme-gpic),10090(gint-prd-lecsysteme-imax),10084(gint-prd-lecdgpar-interne),10083(gint-app-lecproji
pact),10077(gint-app-lecdgpar-bd),10063(gint-prd-lecdgpar),10050(gint-prd-lecsysteme-gpic-inventaire),10048(gint-prd-lecsonda
e-rev_loi-reg),10047(gint-prd-lecdgppb),10046(gint-app-lecdgpar),10039(rdgppb-utilisateursbd),10037(gint-prd-lecdgppb-bd),100
8(gint-prd-lectelecommunication),10016(gint-prd-lecinfojuridique),10006(gint-prd-lecdgpar-bd),10001(BUILTIN\users)

# lsuser also returns the "normal/full" list, as the previous command.

Is there anyone having success with winbind on this system /release ?

Regards,

Jerome



[Samba] DFS enumeration on a Samba hosted DFS tree.

2007-11-26 Thread Sean
I've translated a Windows based DFS tree to a Samba based (3.0.23c)
one and it seems to work quite well from Windows Explorer and cmd.exe.
First off, I have a relatively big tree.

grep dfscmd /root/dfs.cmd | wc -l
1614

One issue I've noticed that tree enumeration and manipulation from a
Windows machine to a Samba based DFS root just doesn't work at all.

For instance dfscmd.exe (a long time friend):
dfscmd /view \\SERVER\dfs
\\SERVER\array
\\SERVER\dfs\ROOT_LINK
\\SERVER\\
\\SERVER\\

This is pretty interesting since first item is the 'other share' on
the machine (not the DFS share) which shouldn't be enumerated in the
output at all (AFAIK).
The second is the only link in the root of the dfs tree.
Not sure what to make of the tail two entries here.

As well I've written up a small tool to check each link in the DFS
tree (to detect broken links) using the Win32 API function NetDfsEnum.
Basically (this is going to get pretty mangled):

result = NetDfsEnum(argv[1],3,MAX_PREFERRED_LENGTH,(LPBYTE *)&root,&numEntries,&hResume);
while(result==ERROR_SUCCESS) {
    for(iterator=1;iterator<=numEntries;iterator++) {
        info = dfsEntry->Storage;
        for(numStorage=dfsEntry->NumberOfStorages;numStorage>0;numStorage--) {
            swprintf_s(buffer,MAX_PATH,L"%s\\%s\\*",info->ServerName,info->ShareName);
            // If you can list the contents of a UNC, odds are it isn't broken.
            hFind = FindFirstFile(buffer,&FindFileData);
        }
    }
    result = NetDfsEnum(argv[1],3,MAX_PREFERRED_LENGTH,(LPBYTE *)&root,&numEntries,&hResume);
}

This obviously is not complete but basically this will run infinitely
because it will resolve the same output as dfscmd but if you noticed
the last two links are self referential so we've got a recursive
infinite loop going on.  Taking out the while loop obviously fixes the
problem (and assuming NetDfsEnum will always return the entire tree on
the first invocation [not a valid assumption]) but still I can't
resolve the tree properly programmatically since I get the same output
as dfscmd.exe.

Now I've figured out that the NetDfsEnum RPC call is returning this
stuff because most of my links are pretty deep.  Meaning I have a
large tree of folders with DFS links being the leafs of the tree.
When Samba lists the dfs root it sees the 'root' folders and the one
DFS link (which could account for the trailing '\\SERVER\\' links
though there are more than 2 folders in the root).

ssh [EMAIL PROTECTED] ls -l /home/dfs
total 20
drwxr-xr-x  10 nobody  nogroup   512 Nov 26 09:52 .
drwxr-xr-x   5 rootwheel 512 Nov 26 08:46 ..
drwxr-xr-x   5 rootnogroup   512 Nov 26 09:52 A
drwxr-xr-x   5 rootnogroup   512 Nov 26 09:52 B
drwxr-xr-x   4 rootnogroup   512 Nov 26 09:52 C
drwxr-xr-x   4 rootnogroup   512 Nov 26 09:52 D
lrwxr-xr-x   1 rootnogroup25 Nov 26 09:52 ROOT_LINK ->
msdfs:serverb\array

So it looks like the Samba NetDfsEnum handler doesn't recurse into
directories (understandable though annoying for me) nor results in any
usable enumeration of a hosted dfs tree.

So my question here is how do you suggest I enumerate the Samba hosted
DFS tree from a Windows machine reliably?
There doesn't seem to be a deterministic way of enumerating the leaf
nodes of the tree, which if there was then I can just make new or
update the tools I have to use that (ie. traverse the share tree
looking for DFS leaf nodes and return filtered result links).

As well I'm going to assume that NetDfsAdd* NetDfsMove* and
NetDfsRemove* will also not work as I can't use dfscmd.exe to map or
unmap anything in the Samba hosted tree (response is always 'Access is
denied', yet the DFS root folder and sub-folders are all owned by the
guest user).

-- 
Sean
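The `ls -l` output in this post shows a DFS link stored on disk as a symlink whose target starts with `msdfs:`. The following is an added example, not part of the original post: a walker that runs on the Samba server itself (not from a Windows client, which is what the post asks for) and lists every msdfs link at any depth with its referral targets. Apart from `ROOT_LINK -> msdfs:serverb\array` and the folder names A to D, the tree and server names are constructed.

```python
import os
import tempfile

MSDFS_PREFIX = "msdfs:"


def parse_msdfs_target(target):
    """Turn 'msdfs:srvA\\shareA,srvB\\shareB' into [(server, share_path), ...].

    Returns None for symlinks that are not msdfs links. The prefix is compared
    case-insensitively here, which is an assumption; the page only shows it in
    lower case.
    """
    if not target.lower().startswith(MSDFS_PREFIX):
        return None
    referrals = []
    for alternate in target[len(MSDFS_PREFIX):].split(","):
        # Tolerate '/' as separator and stray leading or trailing separators.
        alternate = alternate.strip().replace("/", "\\").strip("\\")
        if not alternate:
            continue
        server, _, share_path = alternate.partition("\\")
        referrals.append((server, share_path))
    return referrals


def enumerate_msdfs_links(root):
    """Walk root without following symlinks; return sorted (dfs_path, referrals)."""
    links = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # A symlink shows up in dirnames if its target resolves to a directory
        # and in filenames otherwise (msdfs targets normally do not resolve).
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                continue
            referrals = parse_msdfs_target(os.readlink(full))
            if referrals is not None:
                relative = os.path.relpath(full, root)
                links.append((relative.replace(os.sep, "\\"), referrals))
    return sorted(links)


def build_sample_tree(root):
    """Constructed stand-in for /home/dfs: folders A-D, ROOT_LINK, one deep link."""
    for sub in (os.path.join("A", "dept"), "B", "C", "D"):
        os.makedirs(os.path.join(root, sub))
    os.symlink("msdfs:serverb\\array", os.path.join(root, "ROOT_LINK"))
    # Constructed deep link with two alternate referral targets.
    os.symlink("msdfs:serverc\\data,serverd\\data",
               os.path.join(root, "A", "dept", "DATA"))
    # An ordinary symlink that must not be reported as a DFS link.
    os.symlink(tempfile.gettempdir(), os.path.join(root, "B", "not_dfs"))
    return root


def demo():
    """Build the constructed tree in a temporary directory and enumerate it."""
    with tempfile.TemporaryDirectory() as tmp:
        return enumerate_msdfs_links(build_sample_tree(tmp))


if __name__ == "__main__":
    for dfs_path, referrals in demo():
        targets = ", ".join("\\\\%s\\%s" % pair for pair in referrals)
        print("%s -> %s" % (dfs_path, targets))
```

Each reported referral can then be handed to an existing link checker, so the check no longer depends on what NetDfsEnum returns for the root.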


Re: [Samba] NTConfig.POL

2007-11-26 Thread Oscar Mas

Dimitris Theoharis wrote:

Hi
where do i find the above "script"? so i can place it in my netlogon folder?
thanks
  
The "Script" is the netlogon.bat, but it is not part of Samba; it is regedit
keys of W$. Example:


server:~# vi netlogon.bat

@echo off
title Policy My Enterprise
rem Home Page Internet Explorer
reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_SZ /d "http://www.fiac.es" /f

rem Start Classic
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSimpleStartMenu /t REG_DWORD /d 1 /f
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSimpleStartMenu /t REG_DWORD /d 1 /f

rem Synchronize time with the server
net time \\192.168.30.11 /set /yes


--
ilimit...


*Oscar Mas*
[EMAIL PROTECTED]

ÀREA SISTEMES
0034 937 333 375
VOLTA 1, PIS 5
08224 TERRASSA.BCN



Re: [Samba] NTConfig.POL

2007-11-26 Thread Adam Tauno Williams

> where do i find the above "script"? so i can place it in my netlogon folder?

"Above"?  I assume you mean NTConfig.pol from the subject.  

(a) it isn't a script
(b) YOU create it with the policy editor (poledit.exe)
(c) Not a Samba question,  policies are a Windows domain administration
issue, entirely, 110%.  In an NT4 domain (which is what Samba 3
provides) the DC doesn't actually do anything in relation to policies
other than serve the file at a prescribed location.

http://www.microsoft.com/technet/archive/winntas/maintain/featusability/prof_pol.mspx?pf=true

-- 
Adam Tauno Williams, Network & Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org



[Samba] samba profiles

2007-11-26 Thread Sven Buchstaller
Hi list

 

I've got a small problem. ATM I use 3 Samba servers:

1x PDC
1x BDC
1x Fileserver

ATM I have all profiles/homes on the PDC, but I need them on the BDC too.
My thought is that the best way is to move the /homes to the Fileserver.
And now comes my problem: what must I change in the smb.conf?

Logon path = \\fileserver\profiles\.msprofiles
Logon home =\\fileserver\profiles\%U\9xprofile

And on the share:

[profiles]
comment = Network Profiles Service
path =  /Data/samba/home  <---that's my DIR where the files are

Is this ok?

[global]
workgroup = Domain
server string = Samba
map to guest = Bad User
passdb backend = ldapsam:ldap://server.intern
log level = 3
log file = /var/log/samba/%U.log
debug uid = Yes
smb ports = 139
deadtime = 120
printcap name = /etc/printcap
logon script = logon.bat
logon path = \\%L\profiles\.msprofile
logon drive = H:
logon home = \\%L\%U\.9xprofile

[homes]
comment = Home Directories
valid users = %S, %D%w%S
read only = No
inherit acls = Yes
browseable = No

[profiles]
comment = Network Profiles Service
path = %H
read only = No
acl check permissions = No
create mask = 0600
directory mask = 0700
profile acls = Yes

[users]
comment = All users
path = /home
read only = No
inherit acls = Yes

THX for support/help

 



[Samba] NTConfig.POL

2007-11-26 Thread Dimitris Theoharis
Hi
where do i find the above "script"? so i can place it in my netlogon folder?
thanks


[Samba] useradd scripts

2007-11-26 Thread Dimitris Theoharis
Hi
can someone please explain to me exactly how these scripts work? How can
I have them automatically add users etc?
If I use them like this I get the NT STATUS CONNECTION REFUSED errors

   # Useradd scripts
   add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
   delete user script = /usr/sbin/userdel -r %u
   add group script = /usr/sbin/groupadd %g
   delete group script = /usr/sbin/groupdel %g
   add user to group script = /usr/sbin/usernod -G %g %u
   add machine script = /usr/sbin/useradd -s /bin/false/ -d /var/lib/nobody %u
   idmap uid = 15000-2
   dmap gid = 15000-2
   template shell = /bin/bash



The samba server is a standalone server. This is my conf. Please advise:


[global]
log file = /var/log/samba/log.%m
template homedir = //192.168.10.198/home/%U
hide unreadable = yes
logon drive = H:
hide dot files = yes
null passwords = no
hosts allow = ALL
netbios name = Master
server string = %h server (Samba, Debian)
logon script = \\192.168.10.198\netlogon\%U.bat
workgroup = OCR
logon path = \\192.168.10.198\%U
security = user
domain logons = yes
log level = 3
winbind cache time = 10
#socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
[homes]
 comment = Homes
 browseable = yes
 writable = yes
 valid users = %S
 read only = no
 create mode = 0600
 directory mode = 0700
 path = /home/%U


[Samba] slow perf without winbind nested groups = no and ldpa backend

2007-11-26 Thread jean-marc pouchoulon

Hello samba list,

We are using a samba (3.0.25b-1.el5_1.2) PDC (users are in an LDAP
backend).
The perfs were bad and there were errors until I set winbind nested
groups = no in smb.conf.


I saw this post
http://lists.samba.org/archive/samba-technical/2005-May/040946.html
saying

"What I would like to do is to make clear that people should always use
idmap_ldap when they use ldapsam." 



I have no needs for winbind and no idmap backend is set.

am I wrong ?
what is the link with "winbind nested groups" option ?



thanks in advance for your answers.


jmp

