[Samba] Samba 3.2.3 Available for Download
nice that debian maintainers are fast this time :D

27 August 2008 - Samba 3.2.3 Available for Download .. security release ..

Great! thanx.

Louis

>-Original message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On behalf of
>Christian Perrier
>Sent: Thursday 28 August 2008 7:51
>To: samba@lists.samba.org
>Subject: [Samba] Samba 3.2.3 in Debian unstable
>
>> We're doing our best, folks.
>>
>> 3.2.2 packages are ready (working the package wasn't that
>> straightforward after some binary renaming that happened for cifs
>> utilities..as well as some (good) changes to libraries installation).
>>
>> 3.2.1 entered testing two days ago and we now need to talk with our
>> release team to get a pre-agreement by them that they will accept
>> 3.2.2 for lenny. Steve Langasek is the one who knows how to write such
>> mails (he combines two qualities I don't have: being an English native
>> speaker and understanding Samba's code...:-) ).
>
>Steve Langasek uploaded 3.2.3 packages in Debian unstable yesterday,
>about two hours after Karolin announced it..:-)
>
>These packages are targeted to enter Debian testing, ie the
>"soon-to-be-released-when-it's-ready" next Debian version.
>
>I don't know whether it will make it to Ubuntu
>"whatever-funky-name-they'll-give-to-their-next-version" but I bet it
>will as I suppose that Steve will take care of this..:-)

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Samba 3.2.3 in Debian unstable
> We're doing our best, folks.
>
> 3.2.2 packages are ready (working the package wasn't that
> straightforward after some binary renaming that happened for cifs
> utilities..as well as some (good) changes to libraries installation).
>
> 3.2.1 entered testing two days ago and we now need to talk with our
> release team to get a pre-agreement by them that they will accept
> 3.2.2 for lenny. Steve Langasek is the one who knows how to write such
> mails (he combines two qualities I don't have: being an English native
> speaker and understanding Samba's code...:-) ).

Steve Langasek uploaded 3.2.3 packages in Debian unstable yesterday, about two hours after Karolin announced it..:-)

These packages are targeted to enter Debian testing, ie the "soon-to-be-released-when-it's-ready" next Debian version.

I don't know whether it will make it to Ubuntu "whatever-funky-name-they'll-give-to-their-next-version" but I bet it will as I suppose that Steve will take care of this..:-)
Re: [Samba] nested group support still broken in 3.2.2?
I just thought of something else. Are there any Samba limits on Universal groups vs Global vs Domain Local (this is a Win2K3 env)?

Obviously the problem I'm having involves a Universal Group - but it contains a mixture of Universal and Global groups. The top one (ie domain3\group2) is a Distribution List too BTW (not just a Security Group).

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Samba] shadow_copy for homes share
On Wed, Aug 27, 2008 at 11:09 PM, Cory Coager <[EMAIL PROTECTED]> wrote:

> I'm guessing this patch isn't part of binaries distributed through SLES
> which is why it isn't working for me. Thanks for the info.

Maybe you can go about it a different way and offer a "recovery" drive to the users. Rather than using "homes" for the shadow_copy, which is posing problems for you, set up another share called "recover" that points to the snapshot area. Users can then browse into their home directory via the "recover" share and recover/view their old files.

Cheers,
Aaron
Re: [Samba] Solaris nss_ldap vs PADL nss_ldap
Quoting "Douglas E. Engert" <[EMAIL PROTECTED]>:

> Duncan Brannen wrote:
> >
> > Hi All,
> >     Any thoughts on why, while everything seems ok at the OS level
> > (getent , id -a ) Samba
> > doesn't pick up any supplementary groups when Solaris is configured with
> > 'group: files ldap' in
> > nsswitch.conf and using its own native nss_ldap.so.1 but does when
> > using PADL's nss_ldap?
> > Everything else is equal.
>
> Have you tried using Solaris version with this in the nsswitch.conf:
>
> group: compat
> group_compat ldap
>
> and adding the + in the /etc/group file.
>
> This appears to work as expected, getting groups info from both
> local and ldap.
>
> Or (I have not tried this):
>
> group: files [SUCCESS=continue] ldap

I haven't, no. I'm not going to be in a position to test this till next week now probably, but I'll give it a go and post back what I find. All the users and groups are in LDAP only so it never occurred I might need to (esp with OS level stuff seemingly working).

Thanks for the info.

Cheers,
Duncan

> > Do they use/accept different calls or could it be an openldap vs native
> > ldap incompatibility,
> > Samba being compiled against the openldap libraries.
> >
> > Samba seems not to compile against the native libraries due to a lack of
> > ldap_start_tls_s
> >
> > Solaris 10 and Samba 3.2.2
> >
> > Cheers,
> > Duncan
>
> --
> Douglas E. Engert <[EMAIL PROTECTED]>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444

--
University of St Andrews Webmail: https://webmail.st-andrews.ac.uk
Re: [Samba] nested group support still broken in 3.2.2?
Gerald (Jerry) Carter wrote:
> What is "winbind expand groups" set to ?

Oh sorry - "3".

I've just tried something. I upped "log level = 10", deleted "/var/lib/samba/winbind*" (to trash cached values), cleaned out /var/log/samba/* and restarted winbind.

Then I tried "id localDomain\user" and "getent group localDomain\group" and they worked successfully.

Then I tried the "getent group domain3\group2" mentioned in my example: remote domain containing groups containing users from many (trusted) other domains. It *immediately* returned with no content (which is odd - yesterday it returned 5 domain3 users). Strangely, I didn't see a log.wb-domain3 created.

Then I ran "wbinfo -u", and immediately all the log.wb- files appeared - one per trusted domain. It hung for many minutes while it went all over the world (I had tcpdump running) via LDAP downloading "stuff". Eventually I got "Error looking up domain users" - probably hit a timeout. I'm not surprised :-) However, winbindd was still downloading "stuff" - in fact there are now 167 copies of winbind running on my FC8 box and it's still working at the problem ;-) "wbinfo -m|wc" reports 14 BTW - so I don't know how 167 showed up.

Then I ran "getent group domain3\group2" again, this time it hung for 5 secs - before returning nothing again :-(

Grep'ping /var/log/samba/* for the groupname shows only 'getgrnam domain3\group2' - no real error as such

PS: there are now 155 winbindd processes running - so it did come down a bit. But I don't think that's normal? Under 3.0.30 it never seemed to go above 10-ish?

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Samba] Security leak in map_nt_perms?
On Wed, Aug 27, 2008 at 11:15:20PM +0200, Abramo Bagnara wrote:
> Jeremy Allison wrote:
> > On Sat, Aug 16, 2008 at 09:42:51AM +0200, Abramo Bagnara wrote:
> >> This is exactly what I'd expect...
> >
> > Hmmm, not what I'd expect :-). I'll have to check into the POSIX
> > mapping further, been a while since I wrote it. Are you checking
> > on a system with POSIX ACLs enabled or just straight POSIX permissions ?
>
> Any news?

No, haven't got to this yet. One more question, were you setting the user or group ACE to '---' or an alternate user or group ACE to '---' ?

> Are you willing to accept a patch that makes samba ignore requests to
> allow FILE_{READ|WRITE}_{ATTRIBUTES|EA} when computing resulting Unix
> permission/ACL?

Not without examining this code thoroughly first, sorry.

Jeremy.
Re: [Samba] Security leak in map_nt_perms?
Jeremy Allison wrote:
> On Sat, Aug 16, 2008 at 09:42:51AM +0200, Abramo Bagnara wrote:
>> This is exactly what I'd expect...
>
> Hmmm, not what I'd expect :-). I'll have to check into the POSIX
> mapping further, been a while since I wrote it. Are you checking
> on a system with POSIX ACLs enabled or just straight POSIX permissions ?

Any news?

Are you willing to accept a patch that makes samba ignore requests to allow FILE_{READ|WRITE}_{ATTRIBUTES|EA} when computing resulting Unix permission/ACL?
Re: [Samba] [ANNOUNCE] Samba 3.2.2 Available for Download
Brian H. Nelson wrote:
> Michael Adam wrote:
>> ...
>> What is more, rpath also has some bad effects (when updating
>> libraries, e.g.), so it should not be set unconditionally.
>
> Could you elaborate on why/when setting rpath would cause problems? I'm
> having trouble coming up with an example.

I think there was an issue with RPATH in the executable taking higher priority than the LD_LIBRARY_PATH environment variable and Linux distributions updating libraries in a funny way (moving the old libraries to a different directory).

On Solaris LD_LIBRARY_PATH always had a higher priority than RPATH although I think this broke some standard. To comply with standards, RUNPATH was introduced which has a lower priority than LD_LIBRARY_PATH matching the behaviour of the Solaris RPATH. The -R option on Solaris now sets both RPATH and RUNPATH but RPATH is ignored when RUNPATH is present.

I cannot think of any objection to using -R with $ORIGIN on Solaris. See:

http://docs.sun.com/app/docs/doc/817-1984/6mhm7pld8?a=view#indexterm-814

I don't see why there should be a problem on Linux provided the RPATH only includes directories which are part of the Samba build and are exclusive to Samba.

/opt/samba/bin, /opt/samba/lib and RPATH=$ORIGIN/../lib would be OK.
/usr/local/bin, /usr/local/lib and RPATH=$ORIGIN/../lib would be bad.
/usr/bin, /usr/lib and RPATH=$ORIGIN/../lib would be very bad.

Nick
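The three install layouts and the RPATH/RUNPATH precedence discussed in the message above can be checked mechanically. The following is an added example, not part of the original post or of Samba: it assumes the glibc search order on Linux, takes the RPATH/RUNPATH strings as inputs (for instance as printed by `readelf -d`), and uses a constructed list of shared directories and a constructed library name.

```python
import posixpath

# Directories that other packages also install into. This list is an
# assumption made for the example; extend it for the system being audited.
SHARED_LIB_DIRS = {
    "/lib", "/lib64", "/usr/lib", "/usr/lib64",
    "/usr/local/lib", "/usr/local/lib64",
}


def expand_entry(entry, binary_path):
    """Expand $ORIGIN / ${ORIGIN} to the binary's directory and normalise.

    Normalisation is lexical only; symlinks are not followed.
    An empty entry is returned as "" (it means the current directory).
    """
    origin = posixpath.dirname(binary_path)
    expanded = entry.replace("${ORIGIN}", origin).replace("$ORIGIN", origin)
    return posixpath.normpath(expanded) if expanded else ""


def classify(directory):
    if not directory.startswith("/"):
        return "relative"   # resolved against the process's working directory
    if directory in SHARED_LIB_DIRS:
        return "shared"     # not exclusive to the package
    return "private"


def audit(binary_path, rpath="", runpath=""):
    """Classify every run-path entry of one binary."""
    # RPATH is ignored when RUNPATH is present.
    source, value = ("RUNPATH", runpath) if runpath else ("RPATH", rpath)
    findings = []
    for entry in (value.split(":") if value else []):
        directory = expand_entry(entry, binary_path)
        findings.append({"entry": entry, "resolved": directory,
                         "verdict": classify(directory)})
    return {
        "source": source,
        # Only a bare RPATH outranks LD_LIBRARY_PATH.
        "env_can_override": source == "RUNPATH" or not value,
        "findings": findings,
    }


def search_order(binary_path, rpath="", runpath="", ld_library_path=""):
    """Directories in lookup order: RPATH, then LD_LIBRARY_PATH, then RUNPATH."""
    env = ([("LD_LIBRARY_PATH", d) for d in ld_library_path.split(":")]
           if ld_library_path else [])
    if runpath:
        return env + [("RUNPATH", expand_entry(e, binary_path))
                      for e in runpath.split(":")]
    tagged = ([("RPATH", expand_entry(e, binary_path)) for e in rpath.split(":")]
              if rpath else [])
    return tagged + env


def resolve_library(order, library, contents):
    """Return (source, directory) of the first directory holding `library`."""
    for source, directory in order:
        if library in contents.get(directory, set()):
            return source, directory
    return None


# Constructed sample: the same library exists in the package's own lib
# directory and in a directory the administrator points LD_LIBRARY_PATH at.
SAMPLE_BINARY = "/opt/samba/bin/smbclient"
SAMPLE_CONTENTS = {
    "/opt/samba/lib": {"libexample.so.1"},
    "/srv/fixed/lib": {"libexample.so.1"},
}

if __name__ == "__main__":
    for path in (SAMPLE_BINARY, "/usr/local/bin/smbclient", "/usr/bin/smbclient"):
        print(path, audit(path, rpath="$ORIGIN/../lib"))
    order = search_order(SAMPLE_BINARY, rpath="$ORIGIN/../lib",
                         ld_library_path="/srv/fixed/lib")
    print(resolve_library(order, "libexample.so.1", SAMPLE_CONTENTS))
```

A trailing colon in a run path produces an empty entry, which the audit reports as "relative" because the loader treats it as the current directory.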
[Samba] pam mounted shares unmount themselves after a while, sorta
Hello all,

I have a samba PDC and about 20 linux clients. The linux clients authenticate to the PDC via pam_winbind and mount a share automatically at login via pam_mount.

The problem is that client-side the shares seem to get into a bad state after a while (like a day). The share does not show up when I run df, but it still seems to be partially mounted. I say "partially mounted" because I can run smbumount on the share and I don't get an error. After I run smbumount, I can logout/login and the automatic mounting via pam_mount will work.

This problem may be partially due to our less than perfect network. Does anyone have this problem, and is there a workaround?
Re: [Samba] nested group support still broken in 3.2.2?
Jason Haar wrote:
> Hi there
>
> I've just upgraded to 3.2.2 and it still looks like nested group support
> isn't finished?
>
> e.g. if I have "domain1/user1" in group "domain2/group1" and that in
> turn is in "domain3/group2" (i.e. domain1/user1 is in domain3/group2),
> then "getent group domain3/group2" should return domain1/user1 - and yet
> it doesn't. "winbind enum groups" is enabled if that matters (it didn't
> seem to make a difference)
>
> However, "id domain1/user1" does show that domain3/group2 is listed as
> one of that user's groups - so it's working well in that direction...?
>
> Am I right, or have we got a problem that could actually be fixed? :-)
> This is under FC8.

What is "winbind expand groups" set to ?

cheers, jerry
--
Samba --- http://www.samba.org
Likewise Software - http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian
[Samba] nested group support still broken in 3.2.2?
Hi there

I've just upgraded to 3.2.2 and it still looks like nested group support isn't finished?

e.g. if I have "domain1/user1" in group "domain2/group1" and that in turn is in "domain3/group2" (i.e. domain1/user1 is in domain3/group2), then "getent group domain3/group2" should return domain1/user1 - and yet it doesn't. "winbind enum groups" is enabled if that matters (it didn't seem to make a difference)

However, "id domain1/user1" does show that domain3/group2 is listed as one of that user's groups - so it's working well in that direction...?

Am I right, or have we got a problem that could actually be fixed? :-) This is under FC8.

Thanks!

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
[Samba] Can't export [homes] share.
Hi to everybody.

I have an Ubuntu server running Samba 3, and its 25 Kubuntu clients. This server does authenticate the users added (to Samba and to Ubuntu linux itself), but those users can't see their /home directory. What's going wrong???

Below is the server's smb.conf:

---
[global]
workgroup = CCLAB
netbios name = SLAB
server string = Servidor LABCOMP
domain master = yes
domain logons = yes
logon script = netlogon.bat
logon home = \\%L\%U\.profiles
logon path = \\%L\profiles\%U
security = user
encrypt passwords = yes
enable privileges = yes
passdb backend = tdbsam
preferred master = yes
local master = yes
os level = 100
wins support = yes

[netlogon]
comment = Serviço de Logon
path = /var/samba/netlogon
read only = yes
browseable = no

[homes]
valid users = %S
create mask = 0700
directory mask = 0700
browseable = no

[profiles]
path = /var/profiles
writeable = yes
browseable = no
create mask = 0600
directory mask = 0700
---

And below is the client's smb.conf:

---
[global]
netbios name = CPU-3
workgroup = CCLAB
winbind use default domain = yes
obey pam restrictions = yes
security = domain
encrypt passwords = true
wins server = 172.17.60.1
winbind uid = 1-2
winbind gid = 1-2
template shell = /bin/bash
template homedir = /home/%U
winbind separator = +
invalid users = root
---

Thanks in advance to all.

HELCIO WAGNER DA SILVA
[Samba] Re: Howto control ssh logins with winbind ?
> Andreas Ladanyi wrote:
>> Hi,
>>
>> with NIS the "compat" Mode in /etc/nsswitch.conf was available. So you
>> could exclude user/group from login to the host. I read this mechanism
>> is not possible with winbind.
>
> If you are using pam_winbind, look at the require-membership-of PAM
> config option.

Hi jerry,

that's perfect!

Thanks a lot,
Andy

> cheers, jerry
> --
> Samba --- http://www.samba.org
> Likewise Software - http://www.likewisesoftware.com
> "What man is a man who does not make the world better?" --Balian
[Samba] Vista SP1 and roaming profiles
I'm setting up new computers w/ Vista SP1 that are replacing computers that were XP SP3. Vista is not using the roaming profiles that the XP users were using. Instead of using, for example, \\server\profiles\jdoe, it is making a \\server\profiles\jdoe.V2 that Vista uses, and so I have to re-set up Seamonkey/Firefox/Thunderbird, redirect my documents, etc.

Is there any way to have Vista SP1 use the same profile without .V2 that XP was using?
[Samba] Installing Drivers into [print$]
Hi,

I was looking through the easy Add Printer Wizard Driver Installation instructions here

http://us6.samba.org/samba/docs/man/Samba-HOWTO-Collection/classicalprinting.html#id2620623

but found that it did not work. After saying no to "Do you want to install the driver now" when properties comes up nothing is editable so one can't connect to advanced or new driver to install drivers and one never finds a place where the copy to server option comes up. I assume this must be due to changes in Windows. (The smb.conf file is right and the right directories exist and can be written to.)

Does anybody know of a workaround or new way to accomplish this?

--
John Baker
Network Systems Administrator
Marlboro College
Phone: 451-7551 off campus; 551 on campus
[Samba] Excessive disk activity from browse.dat regeneration
Greetings,

I'm trying to track down and eliminate the sources of excessive disk activity in an idle system that is resulting in premature hard disk failure.

Access time updates to inodes turned out to be the worst culprit, triggering writes every 35 seconds or so. Mounting filesystems with the noatime option fixed that problem.

But not too far behind inode updates is the frequent regeneration of the browse.dat file by nmbd.

My first thought was to move browse.dat to a tmpfs so nmbd could create the file as often as it likes without chewing up our hard disks. But the lock directory that contains browse.dat also contains a bunch of other files and some of them seem to want to be persistent. I started down the path of spinning a web of symlinks to put everything in a place where it will be happy. But there seem to be several different lifecycles represented in this collection of files and making them all happy is looking trickier than I had hoped.

This seems like the sort of thing that other people would have figured out by now. I've searched the samba archives and haven't found any discussions on exactly this point. Before I dig deeper into the code, could some of you more experienced Samba hands point me to a work-around for this problem?

Thanks.

I'm using Samba 3.0.0 on Redhat 7.3. (Yes, I know that's very old.)

Bret Orsburn
Re: [Samba] Slow and unpredictable Samba performance?
> On Wednesday 27 August 2008 15:17:34 John Drescher wrote:
>
>> > # /opt/csw/bin/net ads testjoin
>> > [2008/08/27 14:37:58, 0] ../samba-3.2.2/source/param/params.c:(531)
>> >   params.c:OpenConfFile() - Unable to open configuration file "/etc/opt/csw/samba/smb.conf":
>> >   No such file or directory
>> > ADS support not compiled in
>>
>> So do you have your smb.conf at
>>
>> /etc/opt/csw/samba/smb.conf
>
> Wow, I didn't even notice that the configuration changed path. But anyway, it
> doesn't help - what's with this part:
>
> # /opt/csw/bin/net ads testjoin
> [2008/08/27 15:42:53, 0] ../samba-3.2.2/source/param/loadparm.c:(7172)
>   Ignoring unknown parameter "realm"
> ADS support not compiled in

I will give you a Samba 3.2.3 package shortly ..

Dennis
Re: [Samba] Solaris nss_ldap vs PADL nss_ldap
Duncan Brannen wrote:
>
> Hi All,
>     Any thoughts on why, while everything seems ok at the OS level
> (getent , id -a ) Samba
> doesn't pick up any supplementary groups when Solaris is configured with
> 'group: files ldap' in
> nsswitch.conf and using its own native nss_ldap.so.1 but does when
> using PADL's nss_ldap?
> Everything else is equal.

Have you tried using Solaris version with this in the nsswitch.conf:

group: compat
group_compat ldap

and adding the + in the /etc/group file.

This appears to work as expected, getting groups info from both local and ldap.

Or (I have not tried this):

group: files [SUCCESS=continue] ldap

> Do they use/accept different calls or could it be an openldap vs native
> ldap incompatibility,
> Samba being compiled against the openldap libraries.
>
> Samba seems not to compile against the native libraries due to a lack of
> ldap_start_tls_s
>
> Solaris 10 and Samba 3.2.2
>
> Cheers,
> Duncan

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Re: [Samba] Re: Public share with samba/ Winbind
> Hi,
> my samba server work fine for all user in my domain (security = ads) but
> i have to create a public share which is RWX for all user (which are not
> logged into the domain)...
> Guest ok = yes and browseable = yes too but if the user is not record on
> the DC, i am ejected ...
> Thanks for your help

I just set that up yesterday. In the global section, try adding

map to guest = Bad Password

take care,

--
Matt Richardson
IT Consultant
College of Arts and Letters
CSU San Bernardino
work: (909)537-7598
fax: (909)537-5926
Re: [Samba] [ANNOUNCE] Samba 3.2.2 Available for Download
On Wed, 27 Aug 2008, Michael Adam wrote:

> Michael Adam wrote:
>> Hi folks!
>>
>> Nicholas Brealey wrote:
>>> James Kosin wrote:
>>>> -Original Message-
>>>> From: Daniel Eischen [mailto:[EMAIL PROTECTED]
>>>>
>>>> Using -rpath/-R is the norm for Solaris packages. Samba already
>>>> is built with knowledge of where it is installed and where its
>>>> lib, data, var, etc directories reside. What is _not_ the norm,
>>>> is having to set LD_LIBRARY_PATH in order for your applications
>>>> to work. Take a look at all the packages at sunfreeware.com -
>>>> they are all built for /usr/local and, at least from hundred or
>>>> so packages I've installed from there, none require
>>>> LD_LIBRARY_PATH to work when their libraries are in
>>>> /usr/local/lib.
>>
>> I had the plan to provide the option of linking with an rpath
>> as a configure option. But it is not so easy to get it right
>> for all supported platforms (Nicholas only mentioned solaris
>> and Linux...). And I did not have the time yet to complete this
>> in an upstream compliant manner. Patches welcome!!
>
> To be more concrete: I suggest adding a configure option
> "--enable-rpath" that adds the appropriate LDFLAGS when
> appropriate for the build system (e.g. solaris and linux
> for a start) and gives notice when the system is unsupported
> (for rpath).

Yes, if it is not on by default, then having a knob to enable it is the next best thing.

> See
> http://gitweb.samba.org/?p=samba.git;a=commit;h=3a0f781352f364ce625a35ffd78257b27d984c47
> and
> http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=6850dc242b010bdcef5e427e51be04201f55b7f3
> for what has already been in the sources and has been removed.
>
> By the way: It is not strictly necessary to modify the sources
> to create binaries linked with an rpath: By setting an appropriate
> "LDFLAGS" environment variable containing an RPATH option before
> calling configure, you can use an RPATH option for your install
> without modifying the sources, since the configure script picks
> up any externally set LDFLAGS and CFLAGS settings! ... :-)

That is nice to know too.

--
DE
Re: [Samba] net rpc group addmem returns NT_STATUS_ACCESS_DENIED
John H Terpstra wrote:
> On Monday 25 August 2008 08:56:23 Duncan Brannen wrote:
>> Hi All,
>>     I'm trying to add a user to a group using
>>
>> /usr/local/samba/bin/net rpc group addmem room11 dunk -Uroot%password
>>
>> The user is added to the group as far as I can tell but the command
>> returns NT_STATUS_ACCESS_DENIED
>>
>> This is on Solaris 10 (Sparc) and Samba 3.2.1, OS and Samba are both
>> configured to lookup users and groups in LDAP.
>>
>> /usr/local/samba/bin/net rpc group members room11 -Uroot%password
>> CROOMTEST\dunk
>>
>> Trying to remove the user from the group returns
>> NT_STATUS_MEMBER_NOT_IN_GROUP and the user is not removed from the
>> group in LDAP (running smbldap-groupmod manually removes the user
>> from LDAP)
>>
>> In smb.conf, I have
>>
>> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
>> delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
>>
>> With log level set to 10 I see the following for the add that may or
>> may not be relevant. Should the access check granted and required
>> values be equal?
>>
>> [2008/08/25 12:59:48, 4] rpc_server/srv_pipe.c:api_rpcTNP(2297)
>>   api_rpcTNP: samr op 0x16 - api_rpcTNP: rpc command: SAMR_ADDGROUPMEMBER
>> [2008/08/25 12:59:48, 6] rpc_server/srv_pipe.c:api_rpcTNP(2323)
>>   api_rpc_cmds[22].fn == 200be4
>>   samr_AddGroupMember: struct samr_AddGroupMember
>>     in: struct samr_AddGroupMember
>>       group_handle : *
>>         group_handle: struct policy_handle
>>           handle_type : 0x (0)
>>           uuid : 0500---b248-b49e9051
>>       rid : 0x0bb8 (3000)
>>       flags: 0x0005 (5)
>> [2008/08/25 12:59:48, 4] rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(168)
>>   Found policy hnd[0] [000] 00 00 00 00 05 00 00 00 00 00 00 00 B2 48 B4 9E .H..
>>   [010] 90 51 00 00 .Q..
>> [2008/08/25 12:59:48, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(227)
>>   _samr_AddGroupMember: access check ((granted: 0f001f; required: 04)
>> [2008/08/25 12:59:48, 10] rpc_server/srv_samr_nt.c:_samr_AddGroupMember(4651)
>>   sid is S-1-5-21-440367617-1876916578-3462541782-3003
>> [2008/08/25 12:59:48, 10] groupdb/mapping.c:get_domain_group_from_sid(132)
>>   get_domain_group_from_sid
>> ...
>> [2008/08/25 12:59:50, 3] groupdb/mapping.c:smb_add_user_group(352)
>>   smb_add_user_group: Running the command `/usr/local/sbin/smbldap-groupmod -m "dunk" "room11"' gave 0
>> [2008/08/25 12:59:50, 10] lib/system_smbd.c:sys_getgrouplist(122)
>>   sys_getgrouplist: user [dunk]
>> [2008/08/25 12:59:50, 3] smbd/sec_ctx.c:push_sec_ctx(224)
>>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>> ...
>> [2008/08/25 12:59:50, 10] passdb/lookup_sid.c:legacy_gid_to_sid(1170)
>>   LEGACY: gid 512 -> sid S-1-5-21-440367617-1876916578-3462541782-512
>>   samr_AddGroupMember: struct samr_AddGroupMember
>>     out: struct samr_AddGroupMember
>>       result : NT_STATUS_ACCESS_DENIED
>>
>> For delmem I again get the same access check granted value
>>
>>   _samr_DeleteGroupMember: access check ((granted: 0f001f; required: 08)
>>
>> then
>>
>>   Get_Pwnam_internals did find user [dunk]!
>> [2008/08/25 14:41:10, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
>>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2008/08/25 14:41:10, 10] passdb/lookup_sid.c:legacy_sid_to_uid(1213)
>>   LEGACY: sid S-1-5-21-440367617-1876916578-3462541782-3000 -> uid 1000
>>   samr_DeleteGroupMember: struct samr_DeleteGroupMember
>>     out: struct samr_DeleteGroupMember
>>       result : NT_STATUS_MEMBER_NOT_IN_GROUP
>>
>> Any thoughts or pointers as to where I should be looking?
>
> Have you tried to execute this script manually?
>
> Example:
> smbldap-useradd -G new_group user_name
>
> If that works, check that you gave Samba permission to update the LDAP
> directory.
>
> Did you execute the following?:
>
> smbpasswd -w LDAP_Secret_Password
>
> also, check that the user you are using to do this, and/or the group
> that user belongs to, has the rights and privileges needed to do this:
>
> net rpc rights list accounts -Uroot%password
>
> - John T.

Hi John,

For what it's worth, the error message has gone now I'm using 3.2.2 and padl's nss_ldap library and I'm assuming it's the padl nss_ldap library that's solved it.

A cursory glance at the ldap logs and what happens there looks similar, user still successfully added to the group. If I'd kept digging at this it may have shown why the groups were not showing up in windows.

Cheers,
Duncan

--
The University of St Andrews is a charity registered in Scotland : No SC013532
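On the question in the quoted post of whether the "granted" and "required" values should be equal: an access-mask check is a subset test, so every bit in "required" has to be present in "granted" and the two need not match. The following is an added example, not part of the thread or of Samba's source: it decodes the two value pairs from the post using the group access-right names from the MS-SAMR specification, and the third sample line is constructed to show a failing check.

```python
import re

# Group-object access rights as named in MS-SAMR, plus the four standard
# rights that together make up 0x000f0000.
GROUP_RIGHTS = {
    0x00000001: "GROUP_READ_INFORMATION",
    0x00000002: "GROUP_WRITE_ACCOUNT",
    0x00000004: "GROUP_ADD_MEMBER",
    0x00000008: "GROUP_REMOVE_MEMBER",
    0x00000010: "GROUP_LIST_MEMBERS",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
}

# Matches the debug line format shown in the post.
CHECK_RE = re.compile(
    r"(?P<func>_samr_\w+): access check \(\(granted: (?P<granted>[0-9a-fA-Fx]+);"
    r"\s*required: (?P<required>[0-9a-fA-Fx]+)\)"
)

# Constructed sample: the first two value pairs are the ones quoted in the
# post, the third is made up so that one check fails.
SAMPLE_LOG = """\
  _samr_AddGroupMember: access check ((granted: 0f001f; required: 04)
  _samr_DeleteGroupMember: access check ((granted: 0f001f; required: 08)
  _samr_AddGroupMember: access check ((granted: 000011; required: 04)
"""


def decode_mask(mask):
    """Return the names of the rights set in `mask`, lowest bit first."""
    names = [name for bit, name in sorted(GROUP_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(GROUP_RIGHTS)
    if unknown:
        names.append(f"unknown:{unknown:#x}")
    return names


def evaluate(granted, required):
    """Subset test: the check passes when no required bit is missing."""
    missing = required & ~granted
    return {"allowed": missing == 0, "missing": decode_mask(missing)}


def parse_access_checks(log_text):
    """Extract every access-check line and evaluate it."""
    results = []
    for match in CHECK_RE.finditer(log_text):
        granted = int(match["granted"], 16)
        required = int(match["required"], 16)
        results.append({
            "function": match["func"],
            "granted": granted,
            "required": required,
            "required_names": decode_mask(required),
            **evaluate(granted, required),
        })
    return results


if __name__ == "__main__":
    for row in parse_access_checks(SAMPLE_LOG):
        verdict = "pass" if row["allowed"] else f"FAIL, missing {row['missing']}"
        print(f"{row['function']}: needs {row['required_names']} -> {verdict}")
```

Both value pairs from the post pass this test, which matches the log continuing past the check to run the group script before the call returns its result.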
Re: [Samba] Samba Groups questions
Short answer, yes. You should/do get all the groups listed with ifmember /list but get different results with the Solaris nsswitch.conf than padl's nsswitch.conf.

I have it working, through changing only this one library. There may of course have been problems with my ldap_client_file that didn't show up at the OS level but scuppered what samba was asking for. Didn't see any error messages though.

Cheers.

Duncan Brannen wrote:
> Hi,
>     When Samba is running as a PDC and a workstation is joined to the
> Domain, should the user logged into the workstation be able to see all
> the groups they are a member of using `ifmember /list`?
>
> Is the below output as expected? Am I correct thinking that as all my
> groups originate in the Unix world, I don't need winbind to allow the
> Workstations to see them?
>
> For what it's worth, Solaris 10 (Sparc) Samba 3.2.1 and OpenLDAP,
> everything bar the Samba version should be irrelevant as it's hidden
> behind nsswitch and passdb backend?
>
> It's a clean OS / Ldap install with the smbldap tools used to populate
> the directory and create the user, then 'net rpc' used to create groups
> and add members.
>
> Thanks,
> Duncan
>
> - On the PDC
>
> /usr/local/samba/bin/net rpc group members room11 -Uroot%password
> CROOMTEST\dunk
>
> /usr/local/samba/bin/net groupmap list
> Domain Admins (S-1-5-21-440367617-1876916578-3462541782-512) -> Domain Admins
> Domain Users (S-1-5-21-440367617-1876916578-3462541782-513) -> Domain Users
> Domain Guests (S-1-5-21-440367617-1876916578-3462541782-514) -> Domain Guests
> Domain Computers (S-1-5-21-440367617-1876916578-3462541782-515) -> Domain Computers
> Administrators (S-1-5-32-544) -> Administrators
> Account Operators (S-1-5-32-548) -> Account Operators
> Print Operators (S-1-5-32-550) -> Print Operators
> Backup Operators (S-1-5-32-551) -> Backup Operators
> Replicators (S-1-5-32-552) -> Replicators
> room11 (S-1-5-21-440367617-1876916578-3462541782-3003) -> room11
> room9 (S-1-5-21-440367617-1876916578-3462541782-3005) -> room9
>
> getent group
> ...
> room11::1001:dunk
>
> getent passwd
> ...
> dunk:x:1000:512:System User:/home/dunk:/bin/bash
>
> - On the workstation
>
> net group /domain room11
> returns dunk as a member
>
> net group /domain
> returns a list of all the groups mapped on the pdc that start S-1-5-21-
>
> ifmember /list
> returns the primary group
> CROOMTEST\Domain Admins
> \Everyone
> BUILTIN\Administrators
> BUILTIN\Users
> \Local
> NT Authority\INTERACTIVE
> NT Authority\Authneticated Users

--
The University of St Andrews is a charity registered in Scotland : No SC013532
Re: [Samba] Samba PDC with groups in LDAP
To answer my own question, I had to use Padl's nss_ldap to make this work. I'd thought with Solaris 9 and later I could get away with using the Sun libraries but obviously not.

Hope to help someone else

Cheers
Duncan

Duncan Brannen wrote:

Hi All,

I'm wondering if anyone can shed some light on a problem I'm having. I have a samba PDC with an LDAP backend, keeping the smb.conf file constant,

When I have /etc/nsswitch.conf configured with

groups: files ldap

Then /usr/local/samba/bin/net rpc user info dbb only returns my primary group.

If I have /etc/nsswitch.conf configured with

groups: files nis

Then all my groups are shown when running the same net rpc command.

In both cases, groups dbb and id -a dbb show all the groups I am a member of, getent group groupName shows the members of the group and /usr/local/samba/bin/net groupmap list provides a list of groups (from LDAP) eg

Domain Users (S-1-5-21-440367617-1876916578-3462541782-513) -> Domain Users
Domain Guests (S-1-5-21-440367617-1876916578-3462541782-514) -> Domain Guests
Domain Computers (S-1-5-21-440367617-1876916578-3462541782-553) -> Domain Computers
Domain Vagrants (S-1-5-21-440367617-1876916578-3462541782-554) -> Domain Vagrants
Domain Sidekicks (S-1-5-21-440367617-1876916578-3462541782-590) -> Domain Sidekicks
Domain Admins (S-1-5-21-440367617-1876916578-3462541782-512) -> domadm

The group objects in LDAP look like

dn: cn=,ou=Groups,dc=st-andrews,dc=ac,dc=uk
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber:
cn:
memberUid: user1
memberUid: user2
memberUid: ...
description: Some Descriptive Term Here
sambaSID: S-1-5-21-xxx-yyy-zzz-
sambaGroupType: 2
displayName: Whatever

where S-1-5-21-xxx-yyy-zzz is our domain SID

Watching the ldap logs, when I run net/rpc usr info dbb, samba looks up all the groups root is in (&objectClass=sambaGroupMapping)(gidNumber=...)), for sambaSID=s-1-5-32-544 and 545, then for a whole bunch of sambaSIDLists (I have none setup) or sambaGroupMapping,sambaGroupType=4

It then looks up my account, searches for my primary group both by its gidNumber, then by its sambaSID, and then it stops.

Is there extra configuration needed for looking up groups in ldap? It feels like an OS issue but the OS commands seem to return the correct output.

OS is Solaris 10 sparc. Samba versions are 3.0.23c and 3.2.1

Thanks,
Duncan
[Samba] Solaris nss_ldap vs PADL nss_ldap
Hi All,

Any thoughts on why, while everything seems ok at the OS level (getent , id -a ) Samba doesn't pick up any supplementary groups when Solaris is configured with 'group: files ldap' in nsswitch.conf and using its own native nss_ldap.so.1 but does when using PADL's nss_ldap? Everything else is equal.

Do they use/accept different calls or could it be an openldap vs native ldap incompatibility, Samba being compiled against the openldap libraries. Samba seems not to compile against the native libraries due to a lack of ldap_start_tls_s

Solaris 10 and Samba 3.2.2

Cheers,
Duncan
[Samba] Re: problems with DFS
Seem to be netbios related, after some modifications it now works if server is accessed through ip address instead of name. I'm a bit lost now to why normal shares work with \\name\share but not dfs shares, \\FQDN\share also fails.

\\name\share

0.00 10.1.20.201 -> 10.1.9.34 SMB Session Setup AndX Request
0.24 10.1.9.34 -> 10.1.20.201 TCP microsoft-ds > sunlps-http [ACK] Seq=1 Ack=1351 Win=11680 Len=0
0.020134 10.1.9.34 -> 10.1.20.201 SMB Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
0.023257 10.1.20.201 -> 10.1.9.34 SMB Session Setup AndX Request
0.032060 10.1.9.34 -> 10.1.20.201 SMB Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
0.216549 10.1.20.201 -> 10.1.9.34 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \it-service
0.217890 10.1.9.34 -> 10.1.20.201 SMB Trans2 Response, QUERY_PATH_INFO
0.218327 10.1.20.201 -> 10.1.9.34 SMB Trans2 Request, FIND_FIRST2, Pattern: \it-service\*
0.219023 10.1.9.34 -> 10.1.20.201 SMB Trans2 Response, FIND_FIRST2, Error: STATUS_OBJECT_NAME_NOT_FOUND
0.240259 10.1.20.201 -> 10.1.9.34 SMB Session Setup AndX Request
0.256493 10.1.9.34 -> 10.1.20.201 SMB Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
0.261364 10.1.20.201 -> 10.1.9.34 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \it-service
0.262605 10.1.9.34 -> 10.1.20.201 SMB Trans2 Response, QUERY_PATH_INFO
0.262962 10.1.20.201 -> 10.1.9.34 SMB NT Create AndX Request, Path: \it-service
0.263670 10.1.9.34 -> 10.1.20.201 SMB NT Create AndX Response, FID: 0x, Error: STATUS_OBJECT_NAME_NOT_FOUND
0.264969 10.1.20.201 -> 10.1.9.34 SMB Session Setup AndX Request
0.268266 10.1.20.201 -> 10.1.9.34 SMB NT Cancel Request
0.268293 10.1.9.34 -> 10.1.20.201 TCP microsoft-ds > sunlps-http [ACK] Seq=404 Ack=5869 Win=20250 Len=0
0.276794 10.1.9.34 -> 10.1.20.201 SMB Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
0.277419 10.1.9.34 -> 10.1.20.201 SMB NT Trans Response, , Error: STATUS_CANCELLED
0.277587 10.1.20.201 -> 10.1.9.34 TCP sunlps-http > microsoft-ds [ACK] Seq=5869 Ack=518 Win=63473 Len=0
0.278332 10.1.20.201 -> 10.1.9.34 SMB Close Request, FID: 0x1bb7
0.279072 10.1.9.34 -> 10.1.20.201 SMB Close Response
0.462238 10.1.20.201 -> 10.1.9.34 TCP sunlps-http > microsoft-ds [ACK] Seq=5914 Ack=557 Win=63434 Len=0

If accessed by ip address\share

0.00 10.1.20.201 -> 10.1.9.34 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \10.1.9.34\drift
0.001200 10.1.9.34 -> 10.1.20.201 SMB Trans2 Response, QUERY_PATH_INFO
0.001843 10.1.20.201 -> 10.1.9.34 SMB Trans2 Request, QUERY_FS_INFO, Query FS Size Info
0.002971 10.1.9.34 -> 10.1.20.201 SMB Trans2 Response, QUERY_FS_INFO
0.003553 10.1.20.201 -> 10.1.9.34 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \10.1.9.34\drift\it-service
0.004300 10.1.9.34 -> 10.1.20.201 SMB Trans2 Response, QUERY_PATH_INFO, Error: STATUS_PATH_NOT_COVERED
0.005632 10.1.20.201 -> 10.1.9.34 SMB Trans2 Request, GET_DFS_REFERRAL, File: \10.1.9.34\drift\it-service\
0.010468 10.1.9.34 -> 10.1.20.201 SMB Trans2 Response, GET_DFS_REFERRAL
0.183732 10.1.20.201 -> 10.1.9.34 TCP scp > microsoft-ds [ACK] Seq=453 Ack=484 Win=63597 Len=0
3.136382 10.1.20.201 -> 10.1.9.34 SMB NT Cancel Request
3.137094 10.1.9.34 -> 10.1.20.201 SMB NT Trans Response, , Error: STATUS_CANCELLED
3.137466 10.1.20.201 -> 10.1.9.34 SMB Close Request, FID: 0x1bf3
3.138298 10.1.9.34 -> 10.1.20.201 SMB Close Response
3.356468 10.1.20.201 -> 10.1.9.34 TCP scp > microsoft-ds [ACK] Seq=538 Ack=598 Win=63483 Len=0

On Wed, Aug 27, 2008 at 9:27 AM, Henrik Beckman <[EMAIL PROTECTED]> wrote:
> Hi,
>
> We have been a samba shop since way back and have used DFS quite a lot the
> last years.
> When we went with security ads instead of domain our dfs died.
> We have tried 3.028(sun) in solaris which we are leaving and 3.2.1 in linux,
> our migration target.
>
> For our 3.2.1 installation the config looks like this and the problem
> manifests itself as an empty share.
>
> [Global]
> kernel oplocks = False
> oplocks = False
> level2 oplocks = False
> realm = SGU.SE
> workgroup = SGU
> netbios name = fs4
> server string = fs4
> security = ADS
> use kerberos keytab = true
> password server = ad1 ad2
> wins server = 10.1.9.10 10.1.9.9
> name resolve order = ads hosts wins bcast
>
> map to guest = Bad User
> disable netbios = No
> log level = 5
> client use spnego = Yes
> server signing = auto
> host msdfs = Yes
> #msdfs root = Yes
> ntlm auth = No
> lanman auth = no
>
> dos charset = ISO8859-1
> unix charset = ISO8859-1
>
> winbind trusted domains only = yes
>
> [drift-a]
> msdfs root = Yes
> path = /export/dfsroot
> read only = no
> guest ok = yes
>
> ls -l in /export/dfsroot
> drift-a -> msdfs:file
Re: [Samba] Slow and unpredictable Samba performance?
On Wednesday 27 August 2008 15:43:49 Jakov Sosic wrote:
> # /opt/csw/bin/net ads testjoin
> [2008/08/27 15:42:53, 0] ../samba-3.2.2/source/param/loadparm.c:(7172)
> Ignoring unknown parameter "realm"
> ADS support not compiled in

OK, it seems that 3.0.32 from blastwave (thanx Dennis) works OK. I just have to figure it out how to get my 'getent passwd'/'getent group' to work with this winbindd

It worked nicely with Sun's, but now I just can't get it to.

# /opt/csw/bin/wbinfo -u
[list of Domain users]
# /opt/csw/bin/wbinfo -g
[list of domain groups]
# getent passwd
[only /etc/passwd users, no one from domain]

So, now I will need some explanations to solve this one. I already have these entries in /etc/nsswitch.conf

group: files compat winbind
passwd: files compat winbind

And, what about modifying pam.conf and adding winbind.so is supposed to help with what? Or is it only to allow Domain users to ssh to server with their AD credentials? Because I don't need the ssh...

When I try to access the share from the Windows workstation, login screen displays, and after entering credentials, log says the following (I believe this is the relevant part):

[2008/08/27 16:24:39, 3] reply_spnego_negotiate: Got secblob of size 1271
[2008/08/27 16:24:39, 10] secrets_named_mutex: got mutex for replay cache mutex
[2008/08/27 16:24:39, 10] ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
[2008/08/27 16:24:39, 10] ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Bad encryption type
[2008/08/27 16:24:39, 3] ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2008/08/27 16:24:39, 10] secrets_named_mutex: released mutex for replay cache mutex
[2008/08/27 16:24:39, 3] ads_verify_ticket: krb5_rd_req with auth failed (Decrypt integrity check failed)
[2008/08/27 16:24:39, 10] ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE
[2008/08/27 16:24:39, 1] Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2008/08/27 16:24:39, 3] error packet at ../samba-3.0.32/source/smbd/sesssetup.c(318) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

--
|Jakov Sosic|ICQ: 28410271| PGP: 0x965CAE2D |
| start fighting cancer -> http://www.worldcommunitygrid.org/ |
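Added example, not part of the thread: a Python triage of the smbd log lines quoted in the message above, grouping the per-encryption-type decrypt failures of each ticket verification and naming the encryption types. The sample log is constructed from the quoted lines with the line-wrap breaks removed; the verdict labels and their interpretation are assumptions of this example.

```python
import re

# Kerberos encryption type numbers (IANA registry) that show up in such logs.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}

# Constructed sample: the log lines from the message, unwrapped.
SAMPLE_LOG = """\
[2008/08/27 16:24:39, 3] reply_spnego_negotiate: Got secblob of size 1271
[2008/08/27 16:24:39, 10] secrets_named_mutex: got mutex for replay cache mutex
[2008/08/27 16:24:39, 10] ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
[2008/08/27 16:24:39, 10] ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Bad encryption type
[2008/08/27 16:24:39, 3] ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2008/08/27 16:24:39, 10] secrets_named_mutex: released mutex for replay cache mutex
[2008/08/27 16:24:39, 3] ads_verify_ticket: krb5_rd_req with auth failed (Decrypt integrity check failed)
[2008/08/27 16:24:39, 10] ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE
[2008/08/27 16:24:39, 1] Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2008/08/27 16:24:39, 3] error packet at ../samba-3.0.32/source/smbd/sesssetup.c(318) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
"""

HEADER = re.compile(r"\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]")
ETYPE_FAIL = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+)")
RD_REQ_FAIL = re.compile(r"krb5_rd_req with auth failed \((.+)\)")


def parse_records(text):
    """Split smbd log text into (timestamp, level, message) records.

    Works whether the message follows the header on the same line (as in the
    post) or on the next line: everything up to the next header is the message.
    """
    heads = list(HEADER.finditer(text))
    records = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        message = " ".join(text[head.end():end].split())
        records.append((head.group(1), int(head.group(2)), message))
    return records


def summarise(timestamp, tried, final_error):
    """Classify one failed ticket verification.

    Assumed reading: "Bad encryption type" = the key tried is not of the
    ticket's type; "Decrypt integrity check failed" = right type, wrong key
    (for example a machine password that no longer matches the KDC's copy).
    """
    mismatched = [e for e, err in tried if "integrity check failed" in err.lower()]
    if mismatched:
        verdict = "key-mismatch"
    elif tried and all("bad encryption type" in err.lower() for _, err in tried):
        verdict = "no-key-for-ticket-etype"
    else:
        verdict = "other"
    return {
        "time": timestamp,
        "etypes_tried": [e for e, _ in tried],
        "mismatched": [(e, ETYPE_NAMES.get(e, "unknown")) for e in mismatched],
        "final_error": final_error,
        "verdict": verdict,
    }


def triage(text):
    """Return one summary per failed krb5_rd_req found in the log text."""
    attempts, tried = [], []
    for timestamp, _level, message in parse_records(text):
        match = ETYPE_FAIL.search(message)
        if match:
            tried.append((int(match.group(1)), match.group(2).strip()))
            continue
        match = RD_REQ_FAIL.search(message)
        if match:
            attempts.append(summarise(timestamp, tried, match.group(1)))
            tried = []
    return attempts


if __name__ == "__main__":
    for attempt in triage(SAMPLE_LOG):
        print(attempt)
```
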
Re: [Samba] Re: Public share with samba/ Winbind
Andreas Ladanyi wrote:

Hi Alexandre,

I have not seen your smb.conf, but

guest ok = yes
browseable = yes (to get the share listed in the explorer)

should work. We use "security = ads" and it works.

Is the "guest = ok" parameter accepted by samba? Does samba run? You could test your smb.conf with the "testparm" program. Type "testparm" on the command line.

Bye,
Andy

Hi,

my samba server works fine for all users in my domain (security = ads) but I have to create a public share which is RWX for all users (which are not logged into the domain)... Guest ok = yes and browseable = yes too but if the user is not recorded on the DC, I am ejected...

Thanks for your help
Re: [Samba] Howto control ssh logins with winbind ?
Andreas Ladanyi wrote:
> Hi,
>
> with NIS the "compat" Mode in /etc/nsswitch.conf was
> available. So you could exclude user/group from login to
> the host. I read this mechanism is not possible
> with winbind.

If you are using pam_winbind, look at the require-membership-of PAM config option.

cheers, jerry
--
Samba--- http://www.samba.org
Likewise Software - http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian
Re: [Samba] Winbind and Global Catalog
Sven Anders wrote:
> Gerald (Jerry) Carter wrote:
>> Sven,
>>
>>> Does winbind work with a Global Catalog?
>> Winbind does not rely upon global catalog. I added
>> some search API recently for GC support but there are
>> not currently being used.
>
> What does this mean?
> Does winbind do not use the global catalog at all?

Not currently.

>> This should work in spite of GC or not. But enumerating
>> users is really expensive and I wonder if you really have
>> to do that. But that is another topic.
>
> What other possibilities do I have? Some faster?
>
>> What doesn "wbinfo -m"? Sounds more like and problem with the
>> in forest trusts. What Samba version are you running?
>
> I'm running Samba-3.0.28a.

In the release notes for 3.2.0, you will see that the support for domain and forest trusts was greatly improved.

Winbind and Active Directory Integration:
o Full support for Windows 2003 cross-forest, transitive trusts and one-way domain trusts.

I'd suggest you give that version a try.

> The "wbinfo -m" command lists all domains
> (GROUP and GROUP1..GROUP10).
>
> Isn't joining to the CG-domain (GROUP) enough? Do I
> have join to each domain separately?

It should be but we learned a lot during the work on 3.2.0. Basically we use a 3step process to discover all possible trust paths now in Winbind. I feel much more confident in the trusted domain support in 3.2.x than previous releases.

cheers, jerry
Re: [Samba] [ANNOUNCE] Samba 3.2.2 Available for Download
Michael Adam wrote:

To be more concrete: I suggest adding a configure option "--enable-rpath" that adds the appropriate LDFLAGS when appropriate for the build system (e.g. solaris and linux for a start) and gives notice when the system is unsupported (for rpath).

See http://gitweb.samba.org/?p=samba.git;a=commit;h=3a0f781352f364ce625a35ffd78257b27d984c47 and http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=6850dc242b010bdcef5e427e51be04201f55b7f3 for what has already been in the sources and has been removed.

From link #2:

What is more, rpath also has some bad effects (when updating libraries, e.g.), so it should not be set unconditionally.

Could you elaborate on why/when setting rpath would cause problems? I'm having trouble coming up with an example.

Thanks,
-Brian

--
Brian H. Nelson
Youngstown State University
System Administrator
Media and Academic Computing
bnelson[at]cis.ysu.edu
Re: [Samba] Slow and unpredictable Samba performance?
On Wednesday 27 August 2008 15:17:34 John Drescher wrote:
> > # /opt/csw/bin/net ads testjoin
> > [2008/08/27 14:37:58, 0] ../samba-3.2.2/source/param/params.c:(531)
> > params.c:OpenConfFile() - Unable to open configuration
> > file "/etc/opt/csw/samba/smb.conf":
> > No such file or directory
> > ADS support not compiled in
>
> So do you have your smb.conf at
>
> /etc/opt/csw/samba/smb.conf

Wow, I didn't even notice that the configuration changed path. But anyway, it doesn't help - what's with this part:

# /opt/csw/bin/net ads testjoin
[2008/08/27 15:42:53, 0] ../samba-3.2.2/source/param/loadparm.c:(7172)
Ignoring unknown parameter "realm"
ADS support not compiled in

--
|Jakov Sosic|ICQ: 28410271| PGP: 0x965CAE2D |
| start fighting cancer -> http://www.worldcommunitygrid.org/ |
Re: [Samba] [ANNOUNCE] Samba 3.2.2 Available for Download
Michael Adam wrote:
> Hi folks!
>
> Nicholas Brealey wrote:
> > James Kosin wrote:
> > >-Original Message-
> > >From: Daniel Eischen [mailto:[EMAIL PROTECTED]
> > >
> > >>Using -rpath/-R is the norm for Solaris packages. Samba
> > >>already is built with knowledge of where it is installed
> > >>and where its lib, data, var, etc directories reside.
> > >>
> > >>What is _not_ the norm, is having to set LD_LIBRARY_PATH in
> > >>order for your applications to work. Take a look at all
> > >>the packages at sunfreeware.com - they are all built for
> > >>/usr/local and, at least from hundred or so packages I've
> > >>installed from there, none require LD_LIBRARY_PATH to work
> > >>when their libraries are in /usr/local/lib.
>
> I had the plan to provide the option of linking with an
> rpath as a configure option. But it is not so easy to get
> it right for all supported platforms (Nicholas only mentioned
> solaris and Linux...). And I did not have the time yet to
> complete this in an upstream compliant manner.
>
> Patches welcome!!

To be more concrete: I suggest adding a configure option "--enable-rpath" that adds the appropriate LDFLAGS when appropriate for the build system (e.g. solaris and linux for a start) and gives notice when the system is unsupported (for rpath).

See http://gitweb.samba.org/?p=samba.git;a=commit;h=3a0f781352f364ce625a35ffd78257b27d984c47 and http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=6850dc242b010bdcef5e427e51be04201f55b7f3 for what has already been in the sources and has been removed.

By the way: It is not strictly necessary to modify the sources to create binaries linked with an rpath: By setting an appropriate "LDFLAGS" environment variable containing an RPATH option before calling configure, you can use an RPATH option for your install without modifying the sources, since the configure script picks up any externally set LDFLAGS and CFLAGS settings! ... :-)

Cheers - Michael

--
Michael Adam <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info @ SerNet.DE
Re: [Samba] net rpc vampire in release 3.2.x
On Wednesday 27 August 2008 07:57:25 Marc Aurel wrote: > did someone already try vampire with the 3.2.x-release? > since i upgraded from 3.0.x i get problems with the > creation of machine accounts. > when i start sucking a pdc in my ldapserver the following > errors come up with every machineaccount on the pdc: > > > 1.) > Creating account: SP1$ > /usr/sbin/smbldap-usermod: user SP1_ doesn't exist > [2008/08/27 14:09:45, 0] groupdb/mapping.c:smb_set_primary_group(312) >smb_set_primary_group: Running the command `/usr/sbin/smbldap-usermod -g > 'Domain Users' 'SP1_'' gave 1 > > 2.) > User SP1_ does not exist: create it first ! > > > what instantly strikes is that there is an _ instead > of the $ in the pcname which cannot work. > I guess the second error comes up when the script tries to set > the correct password!? Afterwards nevertheless there are > machineaccount-passwords in the ldap-database but they seem > wrong because machineconnects fail. > everything else is flawlessly imported (users, groups, groupmemberships). 
> i didn't change anything in the configuration which worked > perfectly with vampire in 3.0.x > > > ExampleLDAPentry of the above mentioned machine after import: > - > > dn: uid=SP1$,ou=Computers,dc=test,dc=com > objectClass: top > objectClass: account > objectClass: posixAccount > objectClass: sambaSamAccount > cn: SP1$ > uid: SP1$ > uidNumber: 1071 > gidNumber: 515 > homeDirectory: /dev/null > loginShell: /bin/false > description: Computer > gecos: Computer > structuralObjectClass: account > entryUUID: be6e3366-087c-102d-9d48-4b401f1e60f4 > creatorsName: cn=manager,dc=test,dc=com > createTimestamp: 20080827120929Z > sambaSID: S-1-5-21-378104194-1064922793-1509252994-1090 > sambaPrimaryGroupSID: S-1-5-21-378104194-1064922793-1509252994-513 > sambaNTPassword: 5C49A9927C59942A46F193C41446FFD5 > sambaPwdLastSet: 1162907539 > sambaAcctFlags: [W ] > entryCSN: 20080827120929.102086Z#00#000#00 > modifiersName: cn=manager,dc=test,dc=com > modifyTimestamp: 20080827120929Z > > > smb.conf (suck-configuration) > - > > [global] > workgroup = PRESSFK > netbios name = DEBIANPDC > wins server = 192.168.200.3 > > ## Domäne > # > domain master = No > domain logons = Yes > passdb backend = ldapsam:ldap://127.0.0.1 > > ## Benutzerverwaltung ldapsam > # > add user script = /usr/sbin/smbldap-useradd -m '%u' > delete user script = /usr/sbin/smbldap-userdel '%u' > add machine script = /usr/sbin/smbldap-useradd -w '%u' > add group script = /usr/sbin/smbldap-groupadd -p '%g' > delete group script = /usr/sbin/smbldap-groupdel '%g' > add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g' > delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' > '%g' set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u' > > ## LDAP > ### > ldap suffix = dc=test,dc=com > ldap admin dn = cn=manager,dc=test,dc=com > ldap machine suffix = ou=Computers > ldap user suffix = ou=People > ldap group suffix = ou=Groups > ldap idmap suffix = ou=Idmap > ldap passwd sync = Yes > ldap 
delete dn = Yes > ldap ssl = No

Please file a bug report on https://bugzilla.samba.org

Thanks.

- John T.
Re: [Samba] Slow and unpredictable Samba performance?
On Wed, Aug 27, 2008 at 8:42 AM, Jakov Sosic <[EMAIL PROTECTED]> wrote:
> On Tuesday 26 August 2008 21:30:39 Dennis Clarke wrote:
>
>> Well you have my attention .. too bad you don't have a purchase order. :-)
>>
>> What are your problems with the new CSWsamba .. please be specific.
>
>
> Problem with your version 3.2.2 is the following:
>
> # /opt/csw/bin/net -V
> Version 3.2.2
>
> # /opt/csw/bin/net ads testjoin
> [2008/08/27 14:37:58, 0] ../samba-3.2.2/source/param/params.c:(531)
> params.c:OpenConfFile() - Unable to open configuration
> file "/etc/opt/csw/samba/smb.conf":
> No such file or directory
> ADS support not compiled in
>

So do you have your smb.conf at

/etc/opt/csw/samba/smb.conf

John
Re: [Samba] shadow_copy for homes share
I'm guessing this patch isn't part of binaries distributed through SLES which is why it isn't working for me. Thanks for the info.

Aaron Browne wrote:

Take a look on this page..

http://www.edplese.com/samba-with-zfs.html

The 3-paths.patch contains a description of exactly what you are trying to do..

From patch :

+Below is example usage for a single large filesystem mounted +at /home that contains all of the home directories. The +snapshots reside in /snapshots/home. + +[homes] + path = /home/%U + public = no + writable = yes + printable = no + vfs object = shadow_copy + shadow_copy: path = /snapshots/home + shadow_copy: subpath = %U + shadow_copy: format = $Y.$m.$d-$H.$M.$S + shadow_copy: sort = desc + shadow_copy: localtime = yes
Re: [Samba] [ANNOUNCE] Samba 3.2.2 Available for Download
Hi folks!

Nicholas Brealey wrote:
> On Solaris I think the best option for packages which have a directory
> structure like:
>
> package/bin
> package/lib
>
> is to link the executables with:
> -R$ORIGIN/../lib
>
> (In a Makefile use: LDFLAGS = -R\$$ORIGIN/../lib)
>
> This means the package can installed anywhere and still pick up the
> correct libraries.
>
> Using LD_LIBRARY_PATH or crle is bad practice.

Well, we had the discussion of whether to use rpath or LD_LIBRARY_PATH (or ld.so.conf) already on this and/or the samba-technical mailing list. (I should look up that thread...)

> James Kosin wrote:
> >-Original Message-
> >From: Daniel Eischen [mailto:[EMAIL PROTECTED]
> >
> >>Using -rpath/-R is the norm for Solaris packages. Samba
> >>already is built with knowledge of where it is installed
> >>and where its lib, data, var, etc directories reside.
> >>
> >>What is _not_ the norm, is having to set LD_LIBRARY_PATH in
> >>order for your applications to work. Take a look at all
> >>the packages at sunfreeware.com - they are all built for
> >>/usr/local and, at least from hundred or so packages I've
> >>installed from there, none require LD_LIBRARY_PATH to work
> >>when their libraries are in /usr/local/lib.

Well on the other hand, in Linux distributions, it is considered bad practise to link using an RPATH. You either put your libs into /usr/lib or /usr/local/lib or else use a ld.so.conf file.

So there are advocates for and more significantly against each of rpath and LD_LIBRARY_PATH. I decided not to compile with an RPATH because at that time most people argued that this is a bad thing.

1. easiest solution: put libs into folder searched by dynamic linker (e.g. /usr/lib)
2. next solution: use LD_LIBRARY_PATH when installing to /some/package/dir (or use an ld.so.conf file when available)
3. modify LDFLAGS to use an rpath.

I had the plan to provide the option of linking with an rpath as a configure option. But it is not so easy to get it right for all supported platforms (Nicholas only mentioned solaris and Linux...). And I did not have the time yet to complete this in an upstream compliant manner.

Patches welcome!!

> James Kosin wrote:
> >Actually, I'll have to check to see if Michael back-ported the configure
> >option to specify the destination directory for the libraries. The
> >default seems to be in the %prefix/lib/samba directory with many
> >packages moving them to the %prefix/lib directory and keeping the rest
> >in the %prefix/lib/samba structure.

* creation and installation of shared libs as filename = SONAME and symlink .so --> .so.VERSION is fixed in samba 3.2.2. (Bug #5592)
* splitting of libdir into libdir (for the libs) and modulesdir (for shared modules and such) is done in v3-devel / v3-3-test. This probably won't go into 3.2.X since it is a new feature and not really a bug. This will be 3.3.0 (planned for Dec 15, 2008).

Thanks for your thoughts and comments. This is much appreciated.

Cheers - Michael
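Added example, not part of the thread: once a build has been linked with an rpath (through LDFLAGS before configure, or with the -R$ORIGIN/../lib form suggested above), this Python check reads `readelf -d` output and reports where each RPATH/RUNPATH entry of a binary points. The sample readelf output, the /opt/samba install path and the function names are constructed for the example.

```python
import posixpath
import re
import subprocess

# Constructed sample of `readelf -d` output for a binary linked with three
# rpath entries: an $ORIGIN-relative one, an absolute one and a relative one.
SAMPLE_READELF = """\
Dynamic section at offset 0x2d90 contains 28 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libsmbclient.so.0]
 0x000000000000000f (RPATH)              Library rpath: [$ORIGIN/../lib:/usr/local/samba/lib:lib]
 0x000000000000000c (INIT)               0x4000
"""

DYN_PATH = re.compile(r"\((RPATH|RUNPATH)\)\s+Library (?:rpath|runpath): \[(.*)\]")


def read_dynamic(binary):
    """Return the dynamic section of an ELF file as printed by readelf -d."""
    result = subprocess.run(["readelf", "-d", binary], check=True,
                            capture_output=True, text=True)
    return result.stdout


def rpath_entries(readelf_output, binary_path):
    """List (tag, raw entry, kind, resolved directory) for every rpath entry.

    kind is "origin" ($ORIGIN is expanded to the directory of binary_path),
    "absolute", or "relative". A relative or empty entry has no fixed
    location, so its resolved directory is None.
    """
    if not binary_path.startswith("/"):
        raise ValueError("binary_path must be absolute to expand $ORIGIN")
    origin = posixpath.dirname(binary_path)
    found = []
    for line in readelf_output.splitlines():
        match = DYN_PATH.search(line)
        if not match:
            continue
        tag, value = match.groups()
        for raw in value.split(":"):
            expanded = raw.replace("${ORIGIN}", origin).replace("$ORIGIN", origin)
            if "$ORIGIN" in raw or "${ORIGIN}" in raw:
                kind = "origin"
            elif raw.startswith("/"):
                kind = "absolute"
            else:
                kind = "relative"
            if expanded.startswith("/"):
                resolved = posixpath.normpath(expanded)
            else:
                resolved = None
            found.append((tag, raw, kind, resolved))
    return found


if __name__ == "__main__":
    # With a real build: rpath_entries(read_dynamic(path), path)
    for entry in rpath_entries(SAMPLE_READELF, "/opt/samba/bin/smbd"):
        print(entry)
```

An entry reported as relative is looked up from whatever directory the process was started in, so it is the one to remove from LDFLAGS.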
[Samba] net rpc vampire in release 3.2.x
did someone already try vampire with the 3.2.x-release? since i upgraded from 3.0.x i get problems with the creation of machine accounts. when i start sucking a pdc in my ldapserver the following errors come up with every machineaccount on the pdc:

1.)
Creating account: SP1$
/usr/sbin/smbldap-usermod: user SP1_ doesn't exist
[2008/08/27 14:09:45, 0] groupdb/mapping.c:smb_set_primary_group(312)
smb_set_primary_group: Running the command `/usr/sbin/smbldap-usermod -g 'Domain Users' 'SP1_'' gave 1

2.)
User SP1_ does not exist: create it first !

what instantly strikes is that there is an _ instead of the $ in the pcname which cannot work. I guess the second error comes up when the script tries to set the correct password!? Afterwards nevertheless there are machineaccount-passwords in the ldap-database but they seem wrong because machineconnects fail. everything else is flawlessly imported (users, groups, groupmemberships). i didn't change anything in the configuration which worked perfectly with vampire in 3.0.x

ExampleLDAPentry of the above mentioned machine after import:
-
dn: uid=SP1$,ou=Computers,dc=test,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
cn: SP1$
uid: SP1$
uidNumber: 1071
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
structuralObjectClass: account
entryUUID: be6e3366-087c-102d-9d48-4b401f1e60f4
creatorsName: cn=manager,dc=test,dc=com
createTimestamp: 20080827120929Z
sambaSID: S-1-5-21-378104194-1064922793-1509252994-1090
sambaPrimaryGroupSID: S-1-5-21-378104194-1064922793-1509252994-513
sambaNTPassword: 5C49A9927C59942A46F193C41446FFD5
sambaPwdLastSet: 1162907539
sambaAcctFlags: [W ]
entryCSN: 20080827120929.102086Z#00#000#00
modifiersName: cn=manager,dc=test,dc=com
modifyTimestamp: 20080827120929Z

smb.conf (suck-configuration)
-
[global]
workgroup = PRESSFK
netbios name = DEBIANPDC
wins server = 192.168.200.3

## Domain
#
domain master = No
domain logons = Yes
passdb backend = ldapsam:ldap://127.0.0.1

## User management ldapsam
#
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

## LDAP
###
ldap suffix = dc=test,dc=com
ldap admin dn = cn=manager,dc=test,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap passwd sync = Yes
ldap delete dn = Yes
ldap ssl = No
Re: [Samba] Slow and unpredictable Samba performance?
On Tuesday 26 August 2008 21:30:39 Dennis Clarke wrote:
> Well you have my attention .. too bad you don't have a purchase order. :-)
>
> What are your problems with the new CSWsamba .. please be specific.

Problem with your version 3.2.2 is the following:

# /opt/csw/bin/net -V
Version 3.2.2

# /opt/csw/bin/net ads testjoin
[2008/08/27 14:37:58, 0] ../samba-3.2.2/source/param/params.c:(531)
params.c:OpenConfFile() - Unable to open configuration file "/etc/opt/csw/samba/smb.conf":
No such file or directory
ADS support not compiled in

--
|Jakov Sosic|ICQ: 28410271| PGP: 0x965CAE2D |
| start fighting cancer -> http://www.worldcommunitygrid.org/ |
Re: [Samba] shadow_copy for homes share
On Tue, Aug 26, 2008 at 10:29 PM, Cory Coager <[EMAIL PROTECTED]> wrote:
> I have successfully setup shadow_copy for normal shares on our samba test
> server. However, I cannot get it working for the homes share because of its
> uniqueness.
>
> Here is the homes share:
>
> [homes]
> comment = Home Directories
> read only = No
> create mask = 0700
> directory mask = 0700
> browseable = no
> fstype = XFS 1.2
> vfs object = shadow_copy
> shadow_copy: path = /samba/homes/
> shadow_copy: subpath = %D+%U
>
> The users authenticate against Active Directory. The path to the snapshots
> is located at /samba/homes/@GMT-.MM.DD-HH.MM.SS Using the subpath each
> individual files should be located at
> /samba/homes/@GMT-.MM.DD-HH.MM.SS/DOMAIN+user but the previous versions
> tab is missing on this share. What am I doing wrong?

Take a look at this page: http://www.edplese.com/samba-with-zfs.html

The 3-paths.patch contains a description of exactly what you are trying to do.

From patch:

+Below is example usage for a single large filesystem mounted +at /home that contains all of the home directories. The +snapshots reside in /snapshots/home. + +[homes] + path = /home/%U + public = no + writable = yes + printable = no + vfs object = shadow_copy + shadow_copy: path = /snapshots/home + shadow_copy: subpath = %U + shadow_copy: format = $Y.$m.$d-$H.$M.$S + shadow_copy: sort = desc + shadow_copy: localtime = yes
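Review bot: the [homes] example never states how "shadow_copy: path", "shadow_copy: subpath" and "shadow_copy: format" combine into an on-disk location, so a reader cannot tell whether the %U directory sits above or below the per-snapshot directory; add one line giving the full resulting path for a sample user. The format value also uses "$Y.$m.$d-$H.$M.$S" next to "%U" in subpath without explaining the "$" notation, which deserves a sentence in the same paragraph.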
Re: [Samba] Winbind and Global Catalog
Gerald (Jerry) Carter wrote:
> Sven,
>
>> Does winbind work with a Global Catalog?
>
> Winbind does not rely upon global catalog. I added
> some search API recently for GC support but they are
> not currently being used.

What does this mean? Does winbind not use the global catalog at all?

> This should work in spite of GC or not. But enumerating
> users is really expensive and I wonder if you really have
> to do that. But that is another topic.

What other possibilities do I have? Some faster?

> What doesn "wbinfo -m"? Sounds more like a problem with the
> in forest trusts. What Samba version are you running?

I'm running Samba-3.0.28a. The "wbinfo -m" command lists all domains (GROUP and GROUP1..GROUP10).

Isn't joining to the CG-domain (GROUP) enough? Do I have to join each domain separately?

Do you need more info? What else can I check?

Regards
Sven

--
Sven Anders <[EMAIL PROTECTED]>
() Ascii Ribbon Campaign
/\ Support plain text e-mail
ANDURAS service solutions AG
Innstraße 71 - 94036 Passau - Germany
Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55
Legal form: Aktiengesellschaft - Registered office: Passau - Amtsgericht Passau HRB 6032
Members of the board: Sven Anders, Marcus Junker
Chairman of the supervisory board: Mark Peters
[Samba] problems with DFS
Hi,

We have been a samba shop since way back and have used DFS quite a lot the last years. When we went with security ads instead of domain our dfs died. We have tried 3.028(sun) in solaris which we are leaving and 3.2.1 in linux, our migration target.

For our 3.2.1 installation the config looks like this and the problem manifests itself as an empty share.

[Global]
kernel oplocks = False
oplocks = False
level2 oplocks = False
realm = SGU.SE
workgroup = SGU
netbios name = fs4
server string = fs4
security = ADS
use kerberos keytab = true
password server = ad1 ad2
wins server = 10.1.9.10 10.1.9.9
name resolve order = ads hosts wins bcast
map to guest = Bad User
disable netbios = No
log level = 5
client use spnego = Yes
server signing = auto
host msdfs = Yes
#msdfs root = Yes
ntlm auth = No
lanman auth = no
dos charset = ISO8859-1
unix charset = ISO8859-1
winbind trusted domains only = yes

[drift-a]
msdfs root = Yes
path = /export/dfsroot
read only = no
guest ok = yes

ls -l in /export/dfsroot:

drift-a -> msdfs:filer2\drift-a

Domain servers are 2008 for, domainlevel is still 2003. We have all our users both in Unix LDAP and AD so we map username to username, no idmap ranges.

HELP!

/Henrik
[Samba] Re: Public share with samba/ Winbind
Hi Alexandre,

I have not seen your smb.conf, but

guest ok = yes
browseable = yes (to get the share listed in the explorer)

should work. We use "security = ads" and it works.

Is the "guest = ok" parameter accepted by samba? Does samba run? You could test your smb.conf with the "testparm" program. Type "testparm" on the command line.

Bye,
Andy

Alexandre Mackow wrote:

Hi all,
I have a samba dataserver which works fine with AD authentication ... I need a share which is accessible for everybody (outside the main domain) .. Is it possible when "security = ads"? I tried public = yes, guest = ok .. But I need to authenticate myself.

Thanks a lot.
++
Re: [Samba] [ANNOUNCE] Samba 3.2.2 Available for Download
Quoting Dennis Clarke ([EMAIL PROTECTED]):
> out of more than just idle curiosity .. how are you going to deliver
> Samba? As one package or as eight or nine little broken up packages such
> that other packages which have dependencies will need to only install
> something small?
>
> I hope you can see why I am asking.

samba in Debian has "always" (at least for so many years that I can't really remember unless digging in changelogs) been split into several packages:

[EMAIL PROTECTED]:~/src/debian/samba/samba-3.2.2/debian$ grep "^Package:" control
Package: samba
Package: samba-common
Package: samba-tools
Package: smbclient
Package: swat
Package: samba-doc
Package: samba-doc-pdf
Package: smbfs
Package: libpam-smbpass
Package: libsmbclient
Package: libsmbclient-dev
Package: winbind
Package: samba-dbg
Package: libwbclient0

I think that anyone can easily spot what is in what package..:-)