Re: [Samba] Samba keeps resetting smbpasswd permissions
On Fri, 2008-04-11 at 22:44 +0200, Volker Lendecke wrote: > On Fri, Apr 11, 2008 at 01:28:18PM -0700, Jeremy Allison wrote: > > smbpasswd is a Samba private file. We've (in the past) changed the > > format (although we don't tend to use it much now we have tdb and > > LDAP backends). Can't you use ntlm_auth to do the authentication, > > and go via Samba smbd itself ? That would be the most portable and > > forward supported method of doing things ? > "freeradius ntlm_auth" gives 5140 hits in a popular search > engine, so there most be *something*, and this would indeed > be the best solution IMO. We run a FreeRADIUS server that authenticates users of a wireless network via PEAP against a SambaDC. It works very well, and the process/configuration is well documented. -- Adam Tauno Williams, Network & Systems Administrator Consultant - http://www.whitemiceconsulting.com Developer - http://www.opengroupware.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] PDC migration: printing trouble. Summary.
On Fri, 2008-04-11 at 08:42 -0500, Gerald (Jerry) Carter wrote: > Björn Jacke wrote: > | On 2008-04-11 at 13:52 +0200 Helmut Hullen sent off: > |> No patch attached. > | > | yes, it's useless as long as Mailman is removing the attached patch > | each time. > | > | Look at the mail header: > | > | X-Content-Filtered-By: Mailman/MimeDel 2.1.5 > | > | If Mailman thinks a mail has bogous attachments it should remove and > | bounce back the complete mailbut the mail should not be silently > | altered. Jerry (are you the list maintainer?), can you have look at > | the problem please? > > Tim normally deals with the postfix/mailman interaction. > If he doesn't have time I'll look into it next week. The current behaviour of the samba list is to strip attachments that aren't multipart/{mixed,alternative,signed}, various digital signature types and text/plain. There doesn't seem to be an official MIME type for patches, after a quick browse through the list at: http://www.iana.org/assignments/media-types/ What MIME type is your mailer sending? Tim. > > > > > cheers, jerry > - -- > = > Samba--- http://www.samba.org > Likewise Software - http://www.likewisesoftware.com > "What man is a man who does not make the world better?" --Balian > -BEGIN PGP SIGNATURE- > Version: GnuPG v1.4.2.2 (Darwin) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iD8DBQFH/2rRIR7qMdg1EfYRAnBUAJ9y1gVYQBVtpOjzk0ddzqSKOAN68gCgyPiA > I0V9rmX2ahGEvDJUJNv9eiQ= > =Z8hO > -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] write list vs read list
On Wednesday 09 April 2008, Luca Ferrari wrote: > [LABORATORIO_SMB] > comment = Cartella privata Laboratorio > path = /mnt/samba/lab_smb > browsable = yes > available = yes > valid users = @laboratorio @estero > write list = @laboratorio > read list = @estero > writable = yes > printable = no > force group = laboratorio Try: [LABORATORIO_SMB] comment = Cartella privata Laboratorio path = /mnt/samba/lab_smb browsable = yes valid users = @laboratorio, @estero write list= @laboratorio read only = yes -- Chris -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba keeps resetting smbpasswd permissions
On Fri, Apr 11, 2008 at 01:28:18PM -0700, Jeremy Allison wrote: > smbpasswd is a Samba private file. We've (in the past) changed the > format (although we don't tend to use it much now we have tdb and > LDAP backends). Can't you use ntlm_auth to do the authentication, > and go via Samba smbd itself ? That would be the most portable and > forward supported method of doing things ? "freeradius ntlm_auth" gives 5140 hits in a popular search engine, so there most be *something*, and this would indeed be the best solution IMO. Volker pgpVlDSKyEWQw.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba keeps resetting smbpasswd permissions
On Fri, Apr 11, 2008 at 10:28:27PM +0200, Martin v. Wittich wrote: > > With the current configuration, there's unfortunately just no simple way > to use the smbpasswd file as a back-end for other applications; in the > case of FreeRADIUS I have to use smbpasswd because the MSCHAPv2 protocol > that is used for authentication is incompatible to the /etc/passwd hashes. > Having to recompile Samba would also be an unfortunate solution because > we would have to deploy Samba as a custom package to >300 servers - > forcing us to maintain the package for every security update that is yet > to come. smbpasswd is a Samba private file. We've (in the past) changed the format (although we don't tend to use it much now we have tdb and LDAP backends). Can't you use ntlm_auth to do the authentication, and go via Samba smbd itself ? That would be the most portable and forward supported method of doing things ? Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba keeps resetting smbpasswd permissions
Gerald (Jerry) Carter wrote: > Sure. Add a permission mode define to local.h and let > it be changed there at compile time. I don't think there is enough pent > up demand to make this a run-time parameter. That's all I'm saying. Maybe all other people that had this problem just bit the bullet and ran their apps as root, or used workarounds like a cronjob that would make a daily copy of the smbpasswd file? ;) As far as I know there are no other applications that enforce hard-coded permissions on their files; for example OpenSSH and sendmail just print error messages like "permissions too open" or "cannot open : world writable directory" and let root decide. I think that is a better way to handle permissions - although these programs in fact know that the permissions are broken, they won't touch them. Samba changes the permissions even when they're not broken. With the current configuration, there's unfortunately just no simple way to use the smbpasswd file as a back-end for other applications; in the case of FreeRADIUS I have to use smbpasswd because the MSCHAPv2 protocol that is used for authentication is incompatible to the /etc/passwd hashes. Having to recompile Samba would also be an unfortunate solution because we would have to deploy Samba as a custom package to >300 servers - forcing us to maintain the package for every security update that is yet to come. Martin v. Wittich -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba keeps resetting smbpasswd permissions
On Fri, Apr 11, 2008 at 03:03:37PM -0500, Gerald (Jerry) Carter wrote: > > Sure. Add a permission mode define to local.h and let > it be changed there at compile time. I don't think there is enough pent > up demand to make this a run-time parameter. That's all I'm saying. Ok, that sounds like a good solution to me. Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba keeps resetting smbpasswd permissions
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Ryan Novosielski wrote: > Gerald (Jerry) Carter wrote: >> Volker Lendecke wrote: >>> On Fri, Apr 11, 2008 at 02:19:02PM +0200, Martin v. Wittich wrote: Are there any plans to remove that code or at least make in configurable? For example, there could be options like this in the smb.conf file: smb passwd owner = root smb passwd group = freerad smb passwd mode = 640 >>> I'd much rather go with a solution that keeps the existing >>> permissions on smbpasswd. >> I'd much rather just leave this as a local mod for this person :-) >> And the let upstream stay the same. > > He does have a point though. If you want to use this file format, it > should probably be up to you what permissions you want on it -- > certainly to allow another group to read it if necessary. I myself have > not had this need, but I could see it. > > Unless the preferred situation would be to use something other than > smbpasswd for something like that anyway. Sure. Add a permission mode define to local.h and let it be changed there at compile time. I don't think there is enough pent up demand to make this a run-time parameter. That's all I'm saying. jerry -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFH/8QZIR7qMdg1EfYRAiYsAJ9hg1cIR1YJdosEa99ReZpKkc3m5gCeICmk ceu4nWDK+vx3o3x/bDt7gno= =dMwJ -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba keeps resetting smbpasswd permissions
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Gerald (Jerry) Carter wrote: > Volker Lendecke wrote: >> On Fri, Apr 11, 2008 at 02:19:02PM +0200, Martin v. Wittich wrote: >>> Are there any plans to remove that code or at least make in >>> configurable? For example, there could be options like this in the >>> smb.conf file: >>> >>> smb passwd owner = root >>> smb passwd group = freerad >>> smb passwd mode = 640 >> I'd much rather go with a solution that keeps the existing >> permissions on smbpasswd. > > I'd much rather just leave this as a local mod for this person :-) > And the let upstream stay the same. He does have a point though. If you want to use this file format, it should probably be up to you what permissions you want on it -- certainly to allow another group to read it if necessary. I myself have not had this need, but I could see it. Unless the preferred situation would be to use something other than smbpasswd for something like that anyway. - -- _ _ _ _ ___ _ _ _ |Y#| | | |\/| | \ |\ | | |Ryan Novosielski - Systems Programmer II |$&| |__| | | |__/ | \| _| |[EMAIL PROTECTED] - 973/972.0922 (2-0922) \__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFH/8Kimb+gadEcsb4RAlncAJ9eOnt59WGX9fDXz3EXw6aWlHck8ACgzLaP M2zKqOsU6yShgb3a3MKc4wM= =O8o+ -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba keeps resetting smbpasswd permissions
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Volker Lendecke wrote: > On Fri, Apr 11, 2008 at 02:19:02PM +0200, Martin v. Wittich wrote: >> Are there any plans to remove that code or at least make in >> configurable? For example, there could be options like this in the >> smb.conf file: >> >> smb passwd owner = root >> smb passwd group = freerad >> smb passwd mode = 640 > > I'd much rather go with a solution that keeps the existing > permissions on smbpasswd. I'd much rather just leave this as a local mod for this person :-) And the let upstream stay the same. jerry -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFH/7+mIR7qMdg1EfYRAmM8AJ48AYQweZHNl7QFC/0nMo4WNo1cLACeNfD/ M/BncZ+HvWE9NZhbFIA00Q4= =CKAh -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: WINS and Subnets [was: Help: justification for Linux PDC vs Windows...]
On Fri, 11 Apr 2008, Greg J. Zartman, P.E. wrote: You only need 1 WINS server for your organization (or 2 for redundancy). We have multiple subnets here at OSU and only 2 WINS servers. Our DHCP servers had out the WINS server IP addresses to all clients, and Samba is configured to use them as well. You DO need a master browser on each subnet. Are you pointing your clients on a given subnet to the "local master" for WINS queries or the primary WINS server? I have a couple subnets, but hand out the Primary WINS ip to ALL of my clients. WINS browsing across the subnets fine, but updates from the subnets tend to be really slow. All clients are given the IP addresses of the 2 WINS servers. We don't configure local master browsers explicitly on our subnets - the Windows computers can elect a local master for themselves automatically. Andy -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Trouble with trusted domains
On Fri, Apr 11, 2008 at 08:34:40AM -0500, Gerald (Jerry) Carter wrote: > | Oh, I did not see that code. Can you point me at the right > | lines? > > Hey Volker, > > $ git-log b442644bac2a7d5853440254257ca34a8e7c25de > (SVN r22072). Okay, thanks! Volker pgpPEWSEC5hQK.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba keeps resetting smbpasswd permissions
On Fri, Apr 11, 2008 at 02:19:02PM +0200, Martin v. Wittich wrote: > Are there any plans to remove that code or at least make in > configurable? For example, there could be options like this in the > smb.conf file: > > smb passwd owner = root > smb passwd group = freerad > smb passwd mode = 640 I'd much rather go with a solution that keeps the existing permissions on smbpasswd. Volker pgpRfp5ZGdIUu.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] WINS and Subnets [was: Help: justification for Linux PDC vs Windows...]
You only need 1 WINS server for your organization (or 2 for redundancy). We have multiple subnets here at OSU and only 2 WINS servers. Our DHCP servers had out the WINS server IP addresses to all clients, and Samba is configured to use them as well. You DO need a master browser on each subnet. Are you pointing your clients on a given subnet to the "local master" for WINS queries or the primary WINS server? I have a couple subnets, but hand out the Primary WINS ip to ALL of my clients. WINS browsing across the subnets fine, but updates from the subnets tend to be really slow. Greg -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] write list vs read list
Luca Ferrari schrieb: valid users = @laboratorio @estero luca.ferrari from man smb.conf: Example: valid users = greg, @pcusers Did you try comma-separating all entries? readU Frank -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Help: justification for Linux PDC vs Windows...
JJB wrote: As I understand it, you need a WINS server for every subnet - we figured this out after the fact, so we now have 3 servers running Samba so that everyone can see all members of the workgroup (we are rolling out the domain slowly - in the meanwhile, we don't want to lose browse functionality). If anyone has a written proceedure for how to get this working with only one multi-homed server (does that mean one server with 1 network card for each subnet, or one card with 3 addresses somehow associated with it?) please post a link or email it to me. Thanks - Joel A single WINS server can work just fine across multiple workgroups and subnets. All that this required is to specify the WINS address on the client in the same way you'd specify the DNS address. That can even be done through DHCP. -Brian -- --- Brian H. Nelson Youngstown State University System Administrator Media and Academic Computing bnelson[at]cis.ysu.edu --- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Help: justification for Linux PDC vs Windows...
On Fri, 11 Apr 2008, JJB wrote: As I understand it, you need a WINS server for every subnet - we figured this out after the fact, so we now have 3 servers running Samba so that everyone can see all members of the workgroup (we are rolling out the domain slowly - in the meanwhile, we don't want to lose browse functionality). If anyone has You only need 1 WINS server for your organization (or 2 for redundancy). We have multiple subnets here at OSU and only 2 WINS servers. Our DHCP servers had out the WINS server IP addresses to all clients, and Samba is configured to use them as well. You DO need a master browser on each subnet. All of this is well documented in the Official Samba HOWTO in Chapter 10. Andy -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Help: justification for Linux PDC vs Windows...
JJB > Yan Seiner wrote: >> Yup. For small-ish networks, nt4 servers are 'good enough'. >> >> Last I checked, MS imposes an artificial limit on its servers, where a >> server can only serve its own subnet. Samba doesn't have this limit. >> So >> a single multi-homed samba server can do the work of several MS servers. >> >> So you don't need AD with samba as much since everything is on one >> server >> anyway whereas with MS you need multiple servers and all the management >> overhead that entails. >> >> I could be wrong on this; it was true the last time I ripped out a bunch >> of MS servers and replaced them with samba. This was some time ago >> Anyone know if it's still a limitation? >> >> > > As I understand it, you need a WINS server for every subnet - we figured > this out after the fact, so we now have 3 servers running Samba so that > everyone can see all members of the workgroups (we are rolling out the > domain slowly - in the meanwhile, we don't want to lose functionality. > If anyone has a written proceedure for how to get this working with only > one multi-homed server (does that mean one server with 1 network card > for each subnet, or one card with 3 addresses somehow associated with > it?) please post a link or email it to me. It's been a while, so bear with me. You assign multiple IP addresses to your ethernet card: ifconfig eth0 192.168.128.1 ifconfig eth0:1 192.168.129.1 ifconfig eth0:2 192.168.130.1 and so on. You can also do this through your distro's network configuration. Then in smb.conf you tell samba to listen on those interfaces. I think that's it. You end up with one workgroup that different subnets can see. If you want different workgroups I think you can run multiple samba daemons with different interfaces set up and different workgroup names. You'd probably have to separate out all of the volatile files like *tbd, but I can't say. As long as the IP addresses are different this should not cause problems. ISTR I had to do some voodoo with wins forwarding but that may be because I had remote servers connected via VPN. Not written down in any detail but perhaps others can fill in. -- Windows is like a canary in a coal mine, it's the first thing to die on your network. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Help: justification for Linux PDC vs Windows...
Yan Seiner wrote: Greg J. Zartman, P.E. Fact is, most of us don't have farms of domain controllers and hundreds and hundreds of users. Most of us manage small to medium sized networks that can benefit hugely by the cost savings of deploying Samba instead of Windows. I'm not talking about just costs of software licenses; but cost of hardware, sys admin staff, and down time. Yup. For small-ish networks, nt4 servers are 'good enough'. Last I checked, MS imposes an artificial limit on its servers, where a server can only serve its own subnet. Samba doesn't have this limit. So a single multi-homed samba server can do the work of several MS servers. So you don't need AD with samba as much since everything is on one server anyway whereas with MS you need multiple servers and all the management overhead that entails. I could be wrong on this; it was true the last time I ripped out a bunch of MS servers and replaced them with samba. This was some time ago Anyone know if it's still a limitation? As I understand it, you need a WINS server for every subnet - we figured this out after the fact, so we now have 3 servers running Samba so that everyone can see all members of the workgroup (we are rolling out the domain slowly - in the meanwhile, we don't want to lose browse functionality). If anyone has a written proceedure for how to get this working with only one multi-homed server (does that mean one server with 1 network card for each subnet, or one card with 3 addresses somehow associated with it?) please post a link or email it to me. Thanks - Joel -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba keeps resetting smbpasswd permissions
On Fri, Apr 11, 2008 at 02:19:02PM +0200, Martin v. Wittich wrote: > Volker Lendecke wrote: > > On Fri, Apr 11, 2008 at 11:58:12AM +0200, Martin v. Wittich wrote: > >> Is there a way to stop Samba from modifying the smbpasswd permissions? I > >> already googled and looked through the Samba manpages, but I can't > >> really find a solution. > > > > There is none, sorry. > > Oh, I see... I've looked into the Samba source. > source/passdb/pdb_smbpasswd.c, in function startsmbfilepwent from line 317: > > /* Make sure it is only rw by the owner */ > #ifdef HAVE_FCHMOD > if(fchmod(fileno(fp), S_IRUSR|S_IWUSR) == -1) { > #else > if(chmod(pfile, S_IRUSR|S_IWUSR) == -1) { > #endif > DEBUG(0, ("startsmbfilepwent_internal: failed to set 0600 > permissions on password file %s. \ > Error was %s\n.", pfile, strerror(errno) )); > pw_file_unlock(fileno(fp), lock_depth); > fclose(fp); > return NULL; > } > > Are there any plans to remove that code or at least make in > configurable? For example, there could be options like this in the > smb.conf file: > > smb passwd owner = root > smb passwd group = freerad > smb passwd mode = 640 That's a little too heavyweight for what we need really. No one ever complained about it before :-). I'd accept a patch to disable that code with an option. Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Working PDC: "Initialization failed for alloc backend"
My home domain includes a Samba 3.0.28a PDC on Fedora 8, a winXP and a win2K machine. It seems to be working well but I'm constantly getting the below error messages in the logs. What do they mean and do I need to do anything about them? Apr 10 18:19:18 pc100 winbindd[3063]: [2008/04/10 18:19:18, 0] nsswitch/idmap.c:idmap_alloc_init(750) Apr 10 18:19:18 pc100 winbindd[3063]: ERROR: Initialization failed for alloc backend, deferred! Apr 10 18:19:18 pc100 smbd[3397]: [2008/04/10 18:19:18, 0] auth/auth_util.c:create_builtin_administrators(792) Apr 10 18:19:18 pc100 smbd[3397]: create_builtin_administrators: Failed to create Administrators Apr 10 18:19:18 pc100 winbindd[3063]: [2008/04/10 18:19:18, 0] nsswitch/idmap.c:idmap_alloc_init(750) Apr 10 18:19:18 pc100 winbindd[3063]: ERROR: Initialization failed for alloc backend, deferred! Apr 10 18:19:18 pc100 smbd[3397]: [2008/04/10 18:19:18, 0] auth/auth_util.c:create_builtin_users(758) Apr 10 18:19:18 pc100 smbd[3397]: create_builtin_users: Failed to create Users Thanks, Philip Pawley -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Help: justification for Linux PDC vs Windows...
Greg J. Zartman, P.E. > > Fact is, most of us don't have farms of domain controllers and hundreds and hundreds of users. Most of us manage small to medium sized networks that can benefit hugely by the cost savings of deploying Samba instead of Windows. I'm not talking about just costs of software licenses; but cost of hardware, sys admin staff, and down time. Yup. For small-ish networks, nt4 servers are 'good enough'. Last I checked, MS imposes an artificial limit on its servers, where a server can only serve its own subnet. Samba doesn't have this limit. So a single multi-homed samba server can do the work of several MS servers. So you don't need AD with samba as much since everything is on one server anyway whereas with MS you need multiple servers and all the management overhead that entails. I could be wrong on this; it was true the last time I ripped out a bunch of MS servers and replaced them with samba. This was some time ago Anyone know if it's still a limitation? -- Windows is like a canary in a coal mine, it's the first thing to die on your network. -- Windows is like a canary in a coal mine, it's the first thing to die on your network. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Help: justification for Linux PDC vs Windows...
Yep - which is why I think your bosses are correct. Deploying a *new* NT4 domain in 2008 is just nuts. When most clients are XP or Vista and many applications have integration with AD. You've been brainwashed by M$. It is not nuts to deploy a new Samba server in 2008. Samba 3.x configured with an LDAP auth backend and Winbind offers at least 80% of the functionality that the typical windows network admin and user needs. As a file server, Samba walks all over Windows in terms of performance and cost. Neither Windows XP nor Vista require AD and I've yet to see a mainstream application that REQUIRES it either. If your network configuration demands that deploy AD, then let windows handle that function and plug Samba in where it excels. I've been following this list since before Samba could do NT4 DC functionality. One thing that is a constraint is users trying to implement extremely complex network configurations when they likely don't need them. Much of this is rooted in the fact that M$ tends to throw loads of functionality options at its users and make these functionalities seem easy to implement by front ending them with some type of wizard. Users attempt to blindly deploy things without asking themselves "Do I really need this." Fact is, most of us don't have farms of domain controllers and hundreds and hundreds of users. Most of us manage small to medium sized networks that can benefit hugely by the cost savings of deploying Samba instead of Windows. I'm not talking about just costs of software licenses; but cost of hardware, sys admin staff, and down time. Greg -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Samba & Active Directory - Login from non Domain Machine
I have Samba running on debian etch using winbind and my windows 2003 active directory infrastructure. Everything works find. I have one issue. I cannot connect to a share from a machine that is not on the domain. If I try to connect to the share from a windows xp box that is not on the domain that the samba server is in, I am prompted for a username and password. If I put in my domain credentials, I still get an access denied message. However if I login to a computer that is on the domain using credentials that are part of the group that is allowed access to the same share, I can get into that share without an problem or prompt (as you would expect). I just don't understand why I cannot connect from a machine that is not a member of the domain. Any thoughts? Also, how do you have samba re-read the smb.conf file without having to restart smbd on debian? Thanks, Michael -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] samba and mac
Hi everybody, I testing a samba 3.0.24 server on debian 4.0r1 in a network with mac, linux and windows client that have to access the samba share. Now all is working good but a client with mac os x 10.3.9 still has some problems: I can connect to the samba shares and I can create, modify and delete files. Also I can copy files between mac and samba using the terminal and the CP command. The only thing I can't do is drag and drop file in the samba share. Has anyone some ideas about this matter? Thanks a lot, Matteo -- Email.it, the professional e-mail, gratis per te: http://www.email.it/f Sponsor: Offerta SKY a 15 al mese: vedi tutto quello che vuoi tra Mondo, Cinema, Sport e Calcio. * Solo con SKY puoi avere così tanto per così poco! Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=7778&d=11-4 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found
Gerald (Jerry) Carter wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Elvar wrote: | | | | [2008/04/08 09:40:54, 0] nsswitch/winbindd.c:process_loop(850) | | winbindd: Exceeding 600 client connections, no idle connection found | | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383) | | PANIC: assert failed at nsswitch/winbindd.c(383) | | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:process_loop(850) | | winbindd: Exceeding 600 client connections, no idle connection found | | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383) | | which log file are these showing up in? And what version | of Samba is this? | |> These show up in /var/log/samba/log.winbindd. Samba 3.0.28,1. That would make the most sense but doesn't really indicate which pipe it is talking about. If you can get lsof up and running or use the equivalent or /proc//fd from Linux on FreeBSD to look at open file descriptors, that will help. Using sockstat I found many entries which look similar to below. I'm obviously not pasting them all but I tried to copy / paste some of each. The 4th column over is the FD number of the socket. squidntlm_auth 49260 4 stream -> /var/db/samba/winbindd_privileged/pipe squidntlm_auth 49259 4 stream -> /var/db/samba/winbindd_privileged/pipe root smbd 1137 19 stream -> /var/db/samba/winbindd_privileged/pipe root winbindd 1134 11 stream /tmp/.winbindd/pipe root winbindd 1134 12 stream /var/db/samba/winbindd_privileged/pipe root winbindd 1134 14 stream -> ?? root winbindd 1134 18 stream /var/db/samba/winbindd_privileged/pipe root winbindd 1134 19 stream /var/db/samba/winbindd_privileged/pipe Thanks, Elvar -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Elvar wrote: | | | | [2008/04/08 09:40:54, 0] nsswitch/winbindd.c:process_loop(850) | | winbindd: Exceeding 600 client connections, no idle connection found | | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383) | | PANIC: assert failed at nsswitch/winbindd.c(383) | | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:process_loop(850) | | winbindd: Exceeding 600 client connections, no idle connection found | | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383) | | which log file are these showing up in? And what version | of Samba is this? | |> These show up in /var/log/samba/log.winbindd. Samba 3.0.28,1. That would make the most sense but doesn't really indicate which pipe it is talking about. If you can get lsof up and running or use the equivalent or /proc//fd from Linux on FreeBSD to look at open file descriptors, that will help. cheers, jerry - -- = Samba--- http://www.samba.org Likewise Software - http://www.likewisesoftware.com "What man is a man who does not make the world better?" --Balian -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2.2 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFH/3DbIR7qMdg1EfYRAvZQAKDvvmCYbLTEB5gKF4WP2LKren3+fgCguuV7 lEE0M4C23nxcuIja+F68R0U= =vh8R -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found
Scott Lovenberg wrote: Gerald (Jerry) Carter wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Elvar wrote: | | Just an update on this. I recompiled and installed putting in 600 as the | max simultaneous clients since they have 550 computers. After having | done that, internet connectivity was working great for about a month | whereas before daily max connections would be reached and users would be | stuck at the proxy auth prompt. Unfortunately the same thing occurred | yesterday. What I don't understand is how it could be reached when the | total number of computers is only 550. Sounds like a web proxy server right ? so the question is whether or not the proxy server is spawning multiple auth requests to handle multiple connection attempts from a single client or not. | Any hints or feedback on this would be greatly appreciated. Output from | the log.winbindd file is below. I only pasted a few of them, but the log | had many listed in a row until the local IT person three finger saluted | the box. | | Also, is there any way to view the current number of winbindd processes | in use? I'd love to monitor that using Zabbix or something and have it | auto respond when the total reaches 590 or something similar. It's more about the number of open fds which includes the ones between parent and child processes. Use lsof to monitor and match the pid with right winbindd process. Also look at what other files winbindd process have opened. | | [2008/04/08 09:40:54, 0] nsswitch/winbindd.c:process_loop(850) | winbindd: Exceeding 600 client connections, no idle connection found | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383) | PANIC: assert failed at nsswitch/winbindd.c(383) | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:process_loop(850) | winbindd: Exceeding 600 client connections, no idle connection found | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383) which log file are these showing up in? And what version of Samba is this? | | | | Kind regards, | Elvar | Not sure if it means anything, but aren't there a number of addons that use squid (ntlm_auth?) as an interface between samba and apache or PAM? I've never been brave enough to go down that road, but perhaps they've got something like that going on? 'lsof' should tell the tale if that's the case, I suppose. Yes, Squid comes with it's own NTLM AUTH mechanism but it does not support the --require-membership option which allows me to force users to be a part of a specific "internet access" group. That's why I'm using winbindd. Elvar -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found
Gerald (Jerry) Carter wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Elvar wrote: | | Just an update on this. I recompiled and installed putting in 600 as the | max simultaneous clients since they have 550 computers. After having | done that, internet connectivity was working great for about a month | whereas before daily max connections would be reached and users would be | stuck at the proxy auth prompt. Unfortunately the same thing occurred | yesterday. What I don't understand is how it could be reached when the | total number of computers is only 550. Sounds like a web proxy server right ? so the question is whether or not the proxy server is spawning multiple auth requests to handle multiple connection attempts from a single client or not. Yes, definitely a web proxy server. I'm running Squid 2.6.18 on FreeBSD 6-stable. | Any hints or feedback on this would be greatly appreciated. Output from | the log.winbindd file is below. I only pasted a few of them, but the log | had many listed in a row until the local IT person three finger saluted | the box. | | Also, is there any way to view the current number of winbindd processes | in use? I'd love to monitor that using Zabbix or something and have it | auto respond when the total reaches 590 or something similar. It's more about the number of open fds which includes the ones between parent and child processes. Use lsof to monitor and match the pid with right winbindd process. Also look at what other files winbindd process have opened. I don't believe FreeBSD has lsof but I think sockstat will do the job? | | [2008/04/08 09:40:54, 0] nsswitch/winbindd.c:process_loop(850) | winbindd: Exceeding 600 client connections, no idle connection found | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383) | PANIC: assert failed at nsswitch/winbindd.c(383) | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:process_loop(850) | winbindd: Exceeding 600 client connections, no idle connection found | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383) which log file are these showing up in? And what version of Samba is this? These show up in /var/log/samba/log.winbindd. Samba 3.0.28,1. | | | | Kind regards, | Elvar | - -- = Samba--- http://www.samba.org Likewise Software - http://www.likewisesoftware.com "What man is a man who does not make the world better?" --Balian -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2.2 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFH/2vLIR7qMdg1EfYRAv0NAJ98OJaQ55dXIzFt00kSlMgTJnvJ0ACgyw5X xroiCmlfyo8Z/U0jc1EqUKI= =OQ18 -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found
Gerald (Jerry) Carter wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Elvar wrote: | | Just an update on this. I recompiled and installed putting in 600 as the | max simultaneous clients since they have 550 computers. After having | done that, internet connectivity was working great for about a month | whereas before daily max connections would be reached and users would be | stuck at the proxy auth prompt. Unfortunately the same thing occurred | yesterday. What I don't understand is how it could be reached when the | total number of computers is only 550. Sounds like a web proxy server right ? so the question is whether or not the proxy server is spawning multiple auth requests to handle multiple connection attempts from a single client or not. | Any hints or feedback on this would be greatly appreciated. Output from | the log.winbindd file is below. I only pasted a few of them, but the log | had many listed in a row until the local IT person three finger saluted | the box. | | Also, is there any way to view the current number of winbindd processes | in use? I'd love to monitor that using Zabbix or something and have it | auto respond when the total reaches 590 or something similar. It's more about the number of open fds which includes the ones between parent and child processes. Use lsof to monitor and match the pid with right winbindd process. Also look at what other files winbindd process have opened. | | [2008/04/08 09:40:54, 0] nsswitch/winbindd.c:process_loop(850) | winbindd: Exceeding 600 client connections, no idle connection found | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383) | PANIC: assert failed at nsswitch/winbindd.c(383) | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:process_loop(850) | winbindd: Exceeding 600 client connections, no idle connection found | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383) which log file are these showing up in? And what version of Samba is this? | | | | Kind regards, | Elvar | - -- = Samba--- http://www.samba.org Likewise Software - http://www.likewisesoftware.com "What man is a man who does not make the world better?" --Balian -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2.2 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFH/2vLIR7qMdg1EfYRAv0NAJ98OJaQ55dXIzFt00kSlMgTJnvJ0ACgyw5X xroiCmlfyo8Z/U0jc1EqUKI= =OQ18 -END PGP SIGNATURE- Not sure if it means anything, but aren't there a number of addons that use squid (ntlm_auth?) as an interface between samba and apache or PAM? I've never been brave enough to go down that road, but perhaps they've got something like that going on? 'lsof' should tell the tale if that's the case, I suppose. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] write list vs read list
On Thursday 10 April 2008 Luca Ferrari's cat, walking on the keyboard, wrote: > Uhm..I've checked the file permissions, and since they are 777 I guess this > is not the problem. Moreover, since I've got a NT_STATUS_ACCESS_DENIED I > think that it is something that prevents users to access the share at all. > Any suggestion? It is strange, this is the definition of the share: [LABORATORIO_SMB] comment = Cartella privata Laboratorio path = /mnt/samba/lab_smb browsable = yes available = yes valid users = @laboratorio @estero luca.ferrari write list= @laboratorio read list = @estero luca.ferrari writable = yes printable = no force group = laboratorio where I've added myself to the valid and read list. Then I forced a reload of the configuration: [EMAIL PROTECTED]:~# /etc/init.d/samba reload * Reloading /etc/samba/smb.conf... but if I check the configuration with testparm I got: [LABORATORIO_SMB] comment = Cartella Laboratorio Sassuolo path = /mnt/samba/laboratorio_smb valid users = @laboratorio read list = @estero, luca.ferrari write list = @laboratorio force group = laboratorio read only = No as you can see the luca.ferrari user is not added to the valid users list! This could be the problem that such user always gets a NT_STATUS_ACCESS_DENIED??? Any suggestion? Thanks, Luca -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] winbindd: Exceeding 200 client connections, no idle connection found
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Elvar wrote: | | Just an update on this. I recompiled and installed putting in 600 as the | max simultaneous clients since they have 550 computers. After having | done that, internet connectivity was working great for about a month | whereas before daily max connections would be reached and users would be | stuck at the proxy auth prompt. Unfortunately the same thing occurred | yesterday. What I don't understand is how it could be reached when the | total number of computers is only 550. Sounds like a web proxy server right ? so the question is whether or not the proxy server is spawning multiple auth requests to handle multiple connection attempts from a single client or not. | Any hints or feedback on this would be greatly appreciated. Output from | the log.winbindd file is below. I only pasted a few of them, but the log | had many listed in a row until the local IT person three finger saluted | the box. | | Also, is there any way to view the current number of winbindd processes | in use? I'd love to monitor that using Zabbix or something and have it | auto respond when the total reaches 590 or something similar. It's more about the number of open fds which includes the ones between parent and child processes. Use lsof to monitor and match the pid with right winbindd process. Also look at what other files winbindd process have opened. | | [2008/04/08 09:40:54, 0] nsswitch/winbindd.c:process_loop(850) | winbindd: Exceeding 600 client connections, no idle connection found | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383) | PANIC: assert failed at nsswitch/winbindd.c(383) | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:process_loop(850) | winbindd: Exceeding 600 client connections, no idle connection found | [2008/04/08 09:40:55, 0] nsswitch/winbindd.c:rw_callback(383) which log file are these showing up in? And what version of Samba is this? | | | | Kind regards, | Elvar | - -- = Samba--- http://www.samba.org Likewise Software - http://www.likewisesoftware.com "What man is a man who does not make the world better?" --Balian -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2.2 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFH/2vLIR7qMdg1EfYRAv0NAJ98OJaQ55dXIzFt00kSlMgTJnvJ0ACgyw5X xroiCmlfyo8Z/U0jc1EqUKI= =OQ18 -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] PDC migration: printing trouble. Summary.
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Björn Jacke wrote: | On 2008-04-11 at 13:52 +0200 Helmut Hullen sent off: |> No patch attached. | | yes, it's useless as long as Mailman is removing the attached patch | each time. | | Look at the mail header: | | X-Content-Filtered-By: Mailman/MimeDel 2.1.5 | | If Mailman thinks a mail has bogous attachments it should remove and | bounce back the complete mailbut the mail should not be silently | altered. Jerry (are you the list maintainer?), can you have look at | the problem please? Tim normally deals with the postfix/mailman interaction. If he doesn't have time I'll look into it next week. cheers, jerry - -- = Samba--- http://www.samba.org Likewise Software - http://www.likewisesoftware.com "What man is a man who does not make the world better?" --Balian -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2.2 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFH/2rRIR7qMdg1EfYRAnBUAJ9y1gVYQBVtpOjzk0ddzqSKOAN68gCgyPiA I0V9rmX2ahGEvDJUJNv9eiQ= =Z8hO -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Trouble with trusted domains
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Volker Lendecke wrote: | On Thu, Apr 10, 2008 at 05:27:24PM -0500, Gerald (Jerry) Carter wrote: |>> We should ask CONTOSO.COM. I'm afraid this is a known |>> limitation right now. It could be coded up, but it is not |>> yet. |> Volker, This is already done in 3.2 so I'm guessing you say |> we should backport this fix? | | Oh, I did not see that code. Can you point me at the right | lines? Hey Volker, $ git-log b442644bac2a7d5853440254257ca34a8e7c25de (SVN r22072). cheers, jerry - -- = Samba--- http://www.samba.org Likewise Software - http://www.likewisesoftware.com "What man is a man who does not make the world better?" --Balian -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2.2 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFH/2jwIR7qMdg1EfYRAjKeAKDJM/hCW5o8NDnbnGgThRE/Kmx/+ACeNyAo m+RD2UHwdQyTXtHGHeMGjLg= =etTx -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba keeps resetting smbpasswd permissions
Volker Lendecke wrote: > On Fri, Apr 11, 2008 at 11:58:12AM +0200, Martin v. Wittich wrote: >> Is there a way to stop Samba from modifying the smbpasswd permissions? I >> already googled and looked through the Samba manpages, but I can't >> really find a solution. > > There is none, sorry. Oh, I see... I've looked into the Samba source. source/passdb/pdb_smbpasswd.c, in function startsmbfilepwent from line 317: /* Make sure it is only rw by the owner */ #ifdef HAVE_FCHMOD if(fchmod(fileno(fp), S_IRUSR|S_IWUSR) == -1) { #else if(chmod(pfile, S_IRUSR|S_IWUSR) == -1) { #endif DEBUG(0, ("startsmbfilepwent_internal: failed to set 0600 permissions on password file %s. \ Error was %s\n.", pfile, strerror(errno) )); pw_file_unlock(fileno(fp), lock_depth); fclose(fp); return NULL; } Are there any plans to remove that code or at least make in configurable? For example, there could be options like this in the smb.conf file: smb passwd owner = root smb passwd group = freerad smb passwd mode = 640 Martin v. Wittich -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] PDC migration: printing trouble. Summary.
On 2008-04-11 at 13:52 +0200 Helmut Hullen sent off: > No patch attached. yes, it's useless as long as Mailman is removing the attached patch each time. Look at the mail header: X-Content-Filtered-By: Mailman/MimeDel 2.1.5 If Mailman thinks a mail has bogous attachments it should remove and bounce back the complete mailbut the mail should not be silently altered. Jerry (are you the list maintainer?), can you have look at the problem please? Cheers Björn -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Fileshares failing
Forgot to include the smb.conf file, and also say that wbinfo -u and -g both return results ok.. # Samba config file created using SWAT # from 0.0.0.0 (0.0.0.0) # Date: 2008/01/24 17:37:46 [global] log file = /var/log/samba/%m.log idmap gid = 16777216-33554431 passwd chat = *New*password* %n\n *Retype*new*password* %n\n socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 obey pam restrictions = Yes winbind use default domain = Yes realm = DOMAINNAME.LOCAL passwd program = /usr/bin/passwd %u template shell = /bin/bash dns proxy = No cups options = raw server string = S3 SVN Server invalid users = root idmap uid = 16777216-33554431 password server = ubiq-serv1.domainname.local unix password sync = Yes template homedir = /home/%U workgroup = DOMAINNAME os level = 20 auto services = centos printcap name = /etc/printcap security = ads preferred master = no winbind separator = # max log size = 50 pam password change = Yes [printers] comment = All Printers path = /var/spool/samba printable = Yes browseable = No [centos] comment = Centos 4 & 5 Repository path = /var/www/html/centos guest ok = Yes -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adrian Marsh Sent: 11 April 2008 12:51 To: samba@lists.samba.org Subject: [Samba] Fileshares failing Hi, I used to have a set of samba shares working fine on a Centos 4 machine, accessed by XP clients and authenticated against a 2003 SBS server. Then I did a yum upgrade and a week later noticed that the seldom-used SMB shares have stopped working. No other changes to the Centos server, and no domain changes. The XP clients now just keep prompting for authentication. A wireshark trap shows I'm getting a STATUS_LOGON_FAILURE (0xc06d) returned to the client. The log for that PC gives the below.I also login to the server using SSH, which is turn uses PAM to authenticate as well, and that succeeds ok. So I'm guessing this might be a computer account problem, rather than a user access problem. What would the next debug steps be? [2008/04/11 12:15:59, 0] auth/pampass.c:smb_pam_error_handler(73) smb_pam_error_handler: PAM: session setup failed : System error [2008/04/11 12:15:59, 1] smbd/session.c:session_claim(143) pam_session rejected the session for domainname#marsh [smb/25659/101] [2008/04/11 12:15:59, 1] smbd/password.c:register_vuid(310) Failed to claim session for vuid=101 [2008/04/11 12:15:59, 0] auth/pampass.c:smb_pam_error_handler(73) smb_pam_error_handler: PAM: session setup failed : System error [2008/04/11 12:15:59, 1] smbd/session.c:session_claim(143) pam_session rejected the session for domainname#marsh [smb/25660/101] [2008/04/11 12:15:59, 1] smbd/password.c:register_vuid(310) Failed to claim session for vuid=101 [2008/04/11 12:15:59, 0] auth/pampass.c:smb_pam_error_handler(73) smb_pam_error_handler: PAM: session setup failed : System error [2008/04/11 12:15:59, 1] smbd/session.c:session_claim(143) pam_session rejected the session for domainname#marsh [smb/25661/101] [2008/04/11 12:15:59, 1] smbd/password.c:register_vuid(310) Failed to claim session for vuid=101 [2008/04/11 12:15:59, 0] auth/pampass.c:smb_pam_error_handler(73) smb_pam_error_handler: PAM: session setup failed : System error [2008/04/11 12:15:59, 1] smbd/session.c:session_claim(143) pam_session rejected the session for domainname#marsh [smb/25661/103] [2008/04/11 12:15:59, 1] smbd/password.c:register_vuid(310) Failed to claim session for vuid=103 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] PDC migration: printing trouble. Summary.
Hallo, Björn, Du (bj) meintest am 11.04.08: >> no patch attached :-) > something has munched up my mail, there was the patch attached. The > signature got broken, too. Strange. Attched is the patch again, now > unsigned. No patch attached. Viele Gruesse! Helmut -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Fileshares failing
Hi, I used to have a set of samba shares working fine on a Centos 4 machine, accessed by XP clients and authenticated against a 2003 SBS server. Then I did a yum upgrade and a week later noticed that the seldom-used SMB shares have stopped working. No other changes to the Centos server, and no domain changes. The XP clients now just keep prompting for authentication. A wireshark trap shows I'm getting a STATUS_LOGON_FAILURE (0xc06d) returned to the client. The log for that PC gives the below.I also login to the server using SSH, which is turn uses PAM to authenticate as well, and that succeeds ok. So I'm guessing this might be a computer account problem, rather than a user access problem. What would the next debug steps be? [2008/04/11 12:15:59, 0] auth/pampass.c:smb_pam_error_handler(73) smb_pam_error_handler: PAM: session setup failed : System error [2008/04/11 12:15:59, 1] smbd/session.c:session_claim(143) pam_session rejected the session for domainname#marsh [smb/25659/101] [2008/04/11 12:15:59, 1] smbd/password.c:register_vuid(310) Failed to claim session for vuid=101 [2008/04/11 12:15:59, 0] auth/pampass.c:smb_pam_error_handler(73) smb_pam_error_handler: PAM: session setup failed : System error [2008/04/11 12:15:59, 1] smbd/session.c:session_claim(143) pam_session rejected the session for domainname#marsh [smb/25660/101] [2008/04/11 12:15:59, 1] smbd/password.c:register_vuid(310) Failed to claim session for vuid=101 [2008/04/11 12:15:59, 0] auth/pampass.c:smb_pam_error_handler(73) smb_pam_error_handler: PAM: session setup failed : System error [2008/04/11 12:15:59, 1] smbd/session.c:session_claim(143) pam_session rejected the session for domainname#marsh [smb/25661/101] [2008/04/11 12:15:59, 1] smbd/password.c:register_vuid(310) Failed to claim session for vuid=101 [2008/04/11 12:15:59, 0] auth/pampass.c:smb_pam_error_handler(73) smb_pam_error_handler: PAM: session setup failed : System error [2008/04/11 12:15:59, 1] smbd/session.c:session_claim(143) pam_session rejected the session for domainname#marsh [smb/25661/103] [2008/04/11 12:15:59, 1] smbd/password.c:register_vuid(310) Failed to claim session for vuid=103 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] PDC migration: printing trouble. Summary.
On 2008-04-11 at 12:39 +0200 Volker Lendecke sent off: > On Fri, Apr 11, 2008 at 12:10:10PM +0200, Björn Jacke wrote: > > How about this patch being commited upstream? > > no patch attached :-) something has munched up my mail, there was the patch attached. The signature got broken, too. Strange. Attched is the patch again, now unsigned. Cheers Björn -- SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen phone: +49-551-37-0, fax: +49-551-37-9 AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba keeps resetting smbpasswd permissions
On Fri, Apr 11, 2008 at 11:58:12AM +0200, Martin v. Wittich wrote: > Is there a way to stop Samba from modifying the smbpasswd permissions? I > already googled and looked through the Samba manpages, but I can't > really find a solution. There is none, sorry. Volker pgpGxYAUadCH9.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Samba keeps resetting smbpasswd permissions
Hello, I am trying to use the smbpasswd file from Samba as the password backend for FreeRADIUS. I already managed to get FreeRADIUS to work, but Samba keeps resetting the smbpasswd permissions to: iserv samba # ll /etc/samba/smbpasswd -rw--- 1 root root 4.9K 2008-04-11 10:26 /etc/samba/smbpasswd The permissions have to look like this so FreeRADIUS can access it: # chgrp freerad /etc/samba/smbpasswd # chmod g+r /etc/samba/smbpasswd iserv samba # ll smbpasswd -rw-r- 1 root freerad 4.9K 2008-04-11 10:26 smbpasswd Is there a way to stop Samba from modifying the smbpasswd permissions? I already googled and looked through the Samba manpages, but I can't really find a solution. Distro: Debian GNU/Linux 4.0 (etch) Samba version: current etch package, 3.0.24-6etch9 Martin v. Wittich -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] PDC migration: printing trouble. Summary.
On 2008-04-09 at 21:31 +0200 Remy Zandwijk sent off: > Second: all printers had an 'invalid users' setting in the share definition. > It turned out that this considerably stresses the CPU. It took about 10 > seconds for the properties to show up for a 'HP 4250PS driver' printer. While > truss-ing the smbd process, we saw that the smbpasswd file was opened for 85 I had a similar issue some days ago with an smbd torturing it's LDAP server quite a lot. There was a directory with lots of different group ACEs on the files and hide unreadable being activated on that share. As lots of clients having change notification on that directory, smbd had a really hard time asking the LDAP server for gid-to-sid and uid-to-sid resolution. As this was a PDC winbind coudn't cache the results from the LDAP server. The increased amount of requests were a result of the exact uid/sid mappings introducted in 3.0.23c. "Hide unreadable" was the trigger that was causing so may checks to be done. As a result each client triggered some hundreds of LDAP request every 5 seconds. It might be that your "invalid users" parameter also triggers a huge amount of requests. You might try to use the attached patch which Volker wrote to cache uid/gid to sid requests in memory with 1h TTL. The patch was done against 3.0.25. That patch reduced the load that smbd put on the LDAP server dramatically. How about this patch being commited upstream? Cheers Björn -- SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen phone: +49-551-37-0, fax: +49-551-37-9 AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen pgp2lCqhuTD52.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba