[Samba] Re: samaba winwind
Chavez, James R. wrote:

> I am using 3.2.3, so it must be available for this version? I do not see it in the man smb.conf output if it is. Any links or docs available out there that can help me grasp this a little better. Gotta ask.

I can't see anything in "man smb.conf" either, but I found a man page named "idmap_nss.8", so "man 8 idmap_nss" shows you a nice example. But I have to say, I looked it up from an "old" source tree from 3.0.31.

Or type "apropos idmap" and you should get a list with the "idmap nss" man page.

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Strange!!! Clients only log on to samba bdc
Hello to all,

My samba servers are doing strange things. I've set up a samba-ldap as PDC and another as BDC. Everything was OK until last week. Suddenly all clients log on to my BDC, no longer to the PDC. Testparm didn't show any changes: the PDC results Server role=ROLE_DOMAIN_PDC and the BDC Server role=ROLE_DOMAIN_BDC. I put the os level of the PDC to 240 and the BDCs to 86; nothing changed. I also changed the Preferred master to no. How can I force the XP and Vista clients to log on only to the PDC?

Greetings
Daniel Müller
Tropenklinik Paul-Lechler-Krankenhaus
[EMAIL PROTECTED]
[Samba] inherited acl
Thanks Nagel for such a great explanation.
FW: [Samba] Samba LDAP entries for Password Change
Hello,

This must be set in LDAP:

sambaPwdCanChange=1 ;or you will never be asked to change your password
sambaPwdLastSet=0
sambaPwdMustChange=0; on my Suse this must be set too try it out for your machine

And how you've been told the sambaMaxPwdAge must be set.

Greetings
Daniel

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge Concha C.
Sent: Tuesday, 16 September 2008 23:36
To: Albrecht Dreß; samba@lists.samba.org
Subject: Re: [Samba] Samba LDAP entries for Password Change

Hi... sorry for my bad english.

> - when a new account is created, the user immediately must change the
> password when [s]he first logs in;
> - after that, the password shall expire after x days.

sambaMaxPwdAge = number of seconds (60 x 60 x 24 x nDays)
sambaPwdLastSet = set to '0' at create the account.

good luck
Jorge C.

On Tue, 16 Sep 2008 10:27:53 -0400, Albrecht Dreß <[EMAIL PROTECTED]> wrote:

> Hi all,
>
> I have a question regarding the enforced change of passwords in Samba
> 3.0.28 (coming with Ubuntu Hardy) in connection with a LDAP backend. In
> particular, I am looking for a documentation how the fields
> sambaMinPwdAge, sambaMaxPwdAge (from sambaDomain), sambaPwdCanChange and
> sambaPwdMustChange (from sambaSAMAccount) interact.
>
> I would like to have the following:
> - when a new account is created, the user immediately must change the
> password when [s]he first logs in;
> - after that, the password shall expire after x days.
>
> Unfortunately, I tried a number of combinations without success.
> Everything seems to be controlled by the sambaMaxPwdAge setting (seconds
> relative to sambaPwdLastSet when the password must be changed?), and the
> other entries seem to be irrelevant?
>
> Any documentation/pointer would be welcome!
>
> Thanks, Albrecht.
[Samba] Re: samaba winwind
Hi Michael,

ah, OK. Was this feature added since 3.0.29? I could see nothing in the changelog since 3.0.28. It sounds interesting.

> You must not be using 3.0.28. The config format changed and they made an nss backend available.
Re: [Samba] Solaris 8 & samba 3.2.3: present but cannot be compiled
On Tue, Sep 16, 2008 at 01:07:18PM -0700, William Wilson wrote:
> When we run configure using:
> ./configure --prefix=/nau/samba --without-LD --with-ldap --with-static-libs=libtalloc,libtdb --with-krb5=/nau/local --with-ads
>
> We get the following:
> configure: WARNING: ldap.h: present but cannot be compiled
> configure: WARNING: ldap.h: check for missing prerequisite headers?
> configure: WARNING: ldap.h: see the Autoconf documentation
> configure: WARNING: ldap.h: section "Present But Cannot Be Compiled"
> configure: WARNING: ldap.h: proceeding with the preprocessor's result
> configure: WARNING: ldap.h: in the future, the compiler will take precedence
> configure: WARNING: ## ##
> configure: WARNING: ## Report this to [EMAIL PROTECTED] ##
> configure: WARNING: ## ##

The corresponding snippet of config.log is needed here.

Volker
Re: [Samba] Why are some error messages printed to stdout?
Hi Jeremy,

Thanks for pointing that out. I see now that only the torture/* files are like that. Other files that I looked at were correctly using fprintf(stderr, ... ) for error cases.

Regards.

On Tue, Sep 16, 2008 at 6:45 PM, Jeremy Allison <[EMAIL PROTECTED]> wrote:

> On Tue, Sep 16, 2008 at 06:30:48PM -0400, Bhairav Shah wrote:
> > Hello,
> >
> > I am writing a perl script that makes use of Samba and I find that some of
> > the error messages are getting printed to stdout. This kinda creates a
> > problem with trying to figure out whether the message output is really an
> > error or not. Any reason why some of the error outputs are not sent out
> > over stderr?
> >
> > As an example, in the torture_open_connection_share method in the
> > torture/util_smb.c file, the following line prints the error to stdout:
> > printf("Failed to open connection - %s\n", nt_errstr(status));
> >
> > I noticed a few others that were doing the same thing. I was expecting to
> > see fprintf (stderr ...) for these kinds of messages.
>
> Bug. Torture isn't as carefully written as some of the other
> parts of Samba as it was meant as an internal test tool.
>
> Jeremy.
Re: [Samba] Re: what's good for security=ads ?
Hi:

Thanks a lot for your explanation!! I will keep an eye on the Vista issue, although I think we will just bypass this OS. With "security = domain", the "rid" idmap backend seems the best I can get. I hope I can migrate to samba 4.0 smoothly in the future. Thanks again for your kind help!!

Regards,
tbskyd
Re: [Samba] sync always, strict sync, cache question
On Tue, Sep 16, 2008 at 09:51:33AM -0700, Eric Roseme wrote:
> Samba defaults to asynchronous writes. smbd writes to memory buffer,
> then returns to processing. Buffer is flushed to disk later. This is
> the most efficient behavior.
>
> Windows CreateFile API has the FILE_FLAG_WRITE_THROUGH flag, which
> requests synchronous writes. smbd writes to memory buffer, blocks until
> buffer contents are written to disk, which results in poor performance,
> but better data integrity.
>
> When "strict sync = yes" (default = no) Samba honors the
> FILE_FLAG_WRITE_THROUGH flag, and results in synchronous writes when
> called by the CreateFile API.
>
> When "sync always = yes" (default = no) Samba executes all writes
> synchronously. This requires that "strict sync = yes".
>
> StrictSync  SyncAlways  ff_write_through  Sync-Writes
> no          no          no                no
> yes         no          no                no
> yes         no          yes               Yes (slow)
> no          yes         yes               no
> yes         yes         yes/no            yes (very slow)
>
> Eric Roseme

Great summation Eric, nothing has changed since then so it's still accurate !

Thanks,
Jeremy.
RE: [Samba] Question "Access Denied"
You'll need to provide more info. Assuming you are trying to join the MACHINE to the domain, the username you are using doesn't have permission to join machines to the domain. You'd have the same problem in a Windows domain. You need to use an account that has permission.

Of course, this is just one possibility, there could be LOTS of reasons. Yours may or may not be the same. Can you explain better what you are trying to do?

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> On Behalf Of Joshua Martin
> Sent: Tuesday, September 16, 2008 3:37 PM
> To: samba@lists.samba.org
> Subject: [Samba] Question "Access Denied"
>
> It seems that people all across the net have had issues with
> the particular error of "Access Denied" when an XP user
> attempts to join a domain - but no readily available answers
> are given.
>
> What might be causing this error? I'm using an Ubuntu 8.04
> server with all the defaults for the Samba server installation.
>
> --
> Joshua S. Martin
[Samba] Unable to Create a LocalGroup, NT_STATUS_ACCESS_DENIED
I'm getting following response below to the command 'net sam createlocalgroup demo -d 3':

[2008/09/16 16:03:46, 3] param/loadparm.c:lp_load(5065)
  lp_load: refreshing parameters
[2008/09/16 16:03:46, 3] param/loadparm.c:init_globals(1445)
  Initialising global parameters
[2008/09/16 16:03:46, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2008/09/16 16:03:46, 3] param/loadparm.c:do_section(3804)
  Processing section "[global]"
[2008/09/16 16:03:46, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file "/etc/samba/winbind.conf"
[2008/09/16 16:03:46, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file "/etc/samba/shares.conf"
[2008/09/16 16:03:46, 2] lib/interface.c:add_interface(81)
  added interface ip=10.1.130.249 bcast=10.1.130.255 nmask=255.255.255.0
[2008/09/16 16:03:46, 3] groupdb/mapping.c:pdb_default_create_alias(464)
  Could not get a gid out of winbind
Creating demo failed with NT_STATUS_ACCESS_DENIED
[2008/09/16 16:03:46, 2] utils/net.c:main(1075)
  return code = -1

I can't seem to find any real solutions to this problem, although I have seen other users with similar posts.

Here's the relevant sections from my smb.conf file:

[global]
server string =
security = ads
workgroup = DOMAIN
realm = DOMAIN.COM
encrypt passwords = yes
os level = 1
local master = no
domain master = no
preferred master = no
dns proxy = no
allow trusted domains = no
restrict anonymous = 2
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
log level = 3
admin users = root, Administrator
socket options = TCP_NODELAY IPTOS_LOWDELAY

Here's the relevant stuff from winbind.conf

idmap domains = DOMAIN
idmap config DOMAIN: default = yes
idmap config DOMAIN: backend = rid
idmap config DOMAIN: range = 1000-2
winbind use default domain = yes
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
template shell = /bin/bash
template homedir = /home/%U

I've also noticed this in my logs whenever smb and winbind are restarted:

nmbd[2065]: [2008/09/16 16:30:12, 0] nmbd/nmbd.c:terminate(68)
nmbd[2065]: Got SIGTERM: going down...
smbd[2384]: [2008/09/16 16:30:12, 0] smbd/server.c:main(986)
smbd[2384]: standard input is not a socket, assuming -D option
nmbd[2387]: [2008/09/16 16:30:12, 0] nmbd/nmbd.c:main(752)
nmbd[2387]: standard input is not a socket, assuming -D option
smbd[2385]: [2008/09/16 16:30:12, 0] auth/auth_util.c:create_builtin_administrators(844)
smbd[2385]: create_builtin_administrators: Failed to create Administrators
smbd[2385]: [2008/09/16 16:30:12, 0] auth/auth_util.c:create_builtin_users(810)
smbd[2385]: create_builtin_users: Failed to create Users
smbd[2385]: [2008/09/16 16:30:12, 0] auth/auth_util.c:create_builtin_administrators(844)
smbd[2385]: create_builtin_administrators: Failed to create Administrators
smbd[2385]: [2008/09/16 16:30:12, 0] auth/auth_util.c:create_builtin_users(810)
smbd[2385]: create_builtin_users: Failed to create Users
winbindd[2410]: [2008/09/16 16:31:23, 0] nsswitch/winbindd_cache.c:initialize_winbindd_cache(2230)
winbindd[2410]: initialize_winbindd_cache: clearing cache and re-creating with version number 1

I'm trying to setup nested groups. I would like to have a local group on my Linux box that contains the members of an AD group as some of its members. I am running CentOS 5.2 and have used 3.0.28 that comes with it, and have also tried with 3.0.32 provided by SerNet both have produced the same errors. Any help someone could provide would be much appreciated.

M@
Re: [Samba] Why are some error messages printed to stdout?
On Tue, Sep 16, 2008 at 06:30:48PM -0400, Bhairav Shah wrote:
> Hello,
>
> I am writing a perl script that makes use of Samba and I find that some of
> the error messages are getting printed to stdout. This kinda creates a
> problem with trying to figure out whether the message output is really an
> error or not. Any reason why some of the error outputs are not sent out
> over stderr?
>
> As an example, in the torture_open_connection_share method in the
> torture/util_smb.c file, the following line prints the error to stdout:
> printf("Failed to open connection - %s\n", nt_errstr(status));
>
> I noticed a few others that were doing the same thing. I was expecting to
> see fprintf (stderr ...) for these kinds of messages.

Bug. Torture isn't as carefully written as some of the other parts of Samba as it was meant as an internal test tool.

Jeremy.
RE: [Samba] Re: samaba winwind
I am using 3.2.3, so it must be available for this version? I do not see it in the man smb.conf output if it is. Any links or docs available out there that can help me grasp this a little better. Gotta ask.

Thanks
James

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael St. Laurent
Sent: Tuesday, September 16, 2008 3:26 PM
To: Andreas Ladanyi; samba@lists.samba.org
Subject: RE: [Samba] Re: samaba winwind

> > I'm not a Samba developer but in the latest releases of the 3.0.x tree
> > you can use the idmap backend of "nss" to get the old behavior of
> > mapping the Windows account name to the same account name in Unix.
>
> mmm for "idmap backend" the man smb.conf say:
>
> idmap_tdb (default)
> idmap_ldap
> idmap_rid
> idmap_tdb
>
> and not documented in this lines
>
> idmap_ad
>
> I think what you mean is the "winbind nss info" parameter, which is
> used to get nss info like "home dir" and "login shell" for unix users
> from active directory with existing windows user/group (called mapping).
>
> I read the possible values:
>
> template
> sfu
>
> and not documented on this lines
>
> rfc2307

You must not be using 3.0.28. The config format changed and they made an nss backend available.
[Samba] Why are some error messages printed to stdout?
Hello,

I am writing a perl script that makes use of Samba and I find that some of the error messages are getting printed to stdout. This kinda creates a problem with trying to figure out whether the message output is really an error or not. Any reason why some of the error outputs are not sent out over stderr?

As an example, in the torture_open_connection_share method in the torture/util_smb.c file, the following line prints the error to stdout:

printf("Failed to open connection - %s\n", nt_errstr(status));

I noticed a few others that were doing the same thing. I was expecting to see fprintf (stderr ...) for these kinds of messages.

Thanks,
Stan
[Samba] Question "Access Denied"
It seems that people all across the net have had issues with the particular error of "Access Denied" when an XP user attempts to join a domain - but no readily available answers are given.

What might be causing this error? I'm using an Ubuntu 8.04 server with all the defaults for the Samba server installation.

--
Joshua S. Martin
RE: [Samba] Re: samaba winwind
> > I'm not a Samba developer but in the latest releases of the 3.0.x tree
> > you can use the idmap backend of "nss" to get the old behavior of
> > mapping the Windows account name to the same account name in Unix.
>
> mmm for "idmap backend" the man smb.conf say:
>
> idmap_tdb (default)
> idmap_ldap
> idmap_rid
> idmap_tdb
>
> and not documented in this lines
>
> idmap_ad
>
> I think what you mean is the "winbind nss info" parameter, which is
> used to get nss info like "home dir" and "login shell" for unix users
> from active directory with existing windows user/group (called mapping).
>
> I read the possible values:
>
> template
> sfu
>
> and not documented on this lines
>
> rfc2307

You must not be using 3.0.28. The config format changed and they made an nss backend available.
RE: [Samba] Re: samaba winwind
> >> I'm not a Samba developer but in the latest releases of the 3.0.x tree
> >> you can use the idmap backend of "nss" to get the old behavior of
> >> mapping the Windows account name to the same account name in Unix.
> >
> > mmm for "idmap backend" the man smb.conf say:
> >
> > idmap_tdb (default)
> > idmap_ldap
> > idmap_rid
> > idmap_tdb
> >
> > and not documented in this lines
> >
> > idmap_ad
> >
> > I think what you mean is the "winbind nss info" parameter, which is used to
> > get nss info like "home dir" and "login shell" for unix users from active
> > directory with existing windows user/group (called mapping).
>
> Nah, he means what he means (at least that's my guess).
>
> I use a modified nss_ldap (that does /novel/ things) combined with samba. In
> my smb.conf I have:
>
> idmap config MYDOMAIN:backend = nss
>
> Works like a *charm*. Against a big AD (>90k users) with lots of groups it
> works great.

That's it exactly.
Re: [Samba] Samba LDAP entries for Password Change
Hi... sorry for my bad english.

> - when a new account is created, the user immediately must change the
> password when [s]he first logs in;
> - after that, the password shall expire after x days.

sambaMaxPwdAge = number of seconds (60 x 60 x 24 x nDays)
sambaPwdLastSet = set to '0' at create the account.

good luck
Jorge C.

On Tue, 16 Sep 2008 10:27:53 -0400, Albrecht Dreß <[EMAIL PROTECTED]> wrote:

> Hi all,
>
> I have a question regarding the enforced change of passwords in Samba
> 3.0.28 (coming with Ubuntu Hardy) in connection with a LDAP backend. In
> particular, I am looking for a documentation how the fields
> sambaMinPwdAge, sambaMaxPwdAge (from sambaDomain), sambaPwdCanChange and
> sambaPwdMustChange (from sambaSAMAccount) interact.
>
> I would like to have the following:
> - when a new account is created, the user immediately must change the
> password when [s]he first logs in;
> - after that, the password shall expire after x days.
>
> Unfortunately, I tried a number of combinations without success.
> Everything seems to be controlled by the sambaMaxPwdAge setting (seconds
> relative to sambaPwdLastSet when the password must be changed?), and the
> other entries seem to be irrelevant?
>
> Any documentation/pointer would be welcome!
>
> Thanks, Albrecht.
Re: [Samba] Re: samaba winwind
On Tue, 16 Sep 2008, Andreas Ladanyi wrote:

>> I'm not a Samba developer but in the latest releases of the 3.0.x tree
>> you can use the idmap backend of "nss" to get the old behavior of
>> mapping the Windows account name to the same account name in Unix.
>
> mmm for "idmap backend" the man smb.conf say:
>
> idmap_tdb (default)
> idmap_ldap
> idmap_rid
> idmap_tdb
>
> and not documented in this lines
>
> idmap_ad
>
> I think what you mean is the "winbind nss info" parameter, which is used to
> get nss info like "home dir" and "login shell" for unix users from active
> directory with existing windows user/group (called mapping).

Nah, he means what he means (at least that's my guess).

I use a modified nss_ldap (that does /novel/ things) combined with samba. In my smb.conf I have:

idmap config MYDOMAIN:backend = nss

Works like a *charm*. Against a big AD (>90k users) with lots of groups it works great.

jh
[Samba] Re: samaba winwind
> I'm not a Samba developer but in the latest releases of the 3.0.x tree
> you can use the idmap backend of "nss" to get the old behavior of
> mapping the Windows account name to the same account name in Unix.

mmm for "idmap backend" the man smb.conf say:

idmap_tdb (default)
idmap_ldap
idmap_rid
idmap_tdb

and not documented in this lines

idmap_ad

I think what you mean is the "winbind nss info" parameter, which is used to get nss info like "home dir" and "login shell" for unix users from active directory with existing windows user/group (called mapping).

I read the possible values:

template
sfu

and not documented on this lines

rfc2307
Re: [Samba] inherited acl
On Tuesday, 16 September 2008, vishesh wrote:
> Thanks Nagel
>
> That means
> "inherit permission" and "inherit acl" parameter should be used only
> when default acl not present on parent directory.

No, if you want to be sure that permissions are inherited properly, you need both, default permissions and "inherit permissions/acl". If "inherit permissions/acl" is missing, the default acl are inherited but may be they are modified. The man page reads:

inherit acls (S)
This parameter can be used to ensure that if default acls exist on parent directories, they are always honored when creating a new file or subdirectory in these parent directories. The default behavior is to use the unix mode specified when creating the directory. Enabling this option sets the unix mode to 0777, thus guaranteeing that default directory acls are propagated.

The important point is, that the unix mode is set to 0777, if "inherit acl = yes" is set. Otherwise the unix mode, that is active for the user context Samba is running in, will be taken.

I will give an example to make things clear. Imagine you have a directory with the following acls:

default:mask::rwx
default:user::rwx
default:user:my_account:r-x

and the effective user mode is not 0777 but 0666 and "inherit acl" is set to "no". In this case the new file gets the following acls

default:mask::rw-
default:user::rw-
default:user:my_account:r--

Please recognize the missing executive bit. The acl of the new object is the logical AND operation of the default acl and the effective unix mode. The acl are inherited anyway, no matter what "inherit acl" says. But the result might be different from what you expect.

Matthias Nagel
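Added example, not part of Matthias Nagel's message: a small Python model of the inheritance described above. It goes slightly further than the message by following the Linux acl(5) rule that only the owner, mask (or owning group when no mask exists) and other entries are ANDed with the create mode, while named entries are then limited by the resulting mask. The `group::` and `other::` entries and all function names are constructed for the illustration.

```python
# Constructed sample: the three entries from the message plus group:: and
# other:: entries added here so that the ACL is complete.
DEFAULT_ACL = """\
default:user::rwx
default:user:my_account:r-x
default:group::r-x
default:mask::rwx
default:other::---
"""


def to_bits(perms):
    """'r-x' -> 5"""
    return sum(bit for ch, bit in zip(perms, (4, 2, 1)) if ch != "-")


def to_text(bits):
    """5 -> 'r-x'"""
    return "".join(ch if bits & bit else "-" for ch, bit in zip("rwx", (4, 2, 1)))


def parse_default_acl(text):
    """Parse getfacl-style 'default:tag:qualifier:perms' lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("default:"):
            continue
        tag, qualifier, perms = line[len("default:"):].split(":")
        entries.append((tag, qualifier, to_bits(perms)))
    return entries


def create_mode(requested_mode, inherit_acls):
    """Per the quoted man page, 'inherit acls = yes' sets the unix mode to 0777."""
    return 0o777 if inherit_acls else requested_mode


def new_object_acl(default_entries, mode):
    """Access ACL of a new object: the default ACL intersected with the mode."""
    has_mask = any(tag == "mask" for tag, _, _ in default_entries)
    owner, group_class, other = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    acl = []
    for tag, qualifier, bits in default_entries:
        if tag == "user" and not qualifier:
            bits &= owner
        elif tag == "mask" or (tag == "group" and not qualifier and not has_mask):
            bits &= group_class
        elif tag == "other":
            bits &= other
        acl.append((tag, qualifier, bits))
    return acl


def effective_rights(acl):
    """Named users and all group entries are limited by the mask entry."""
    mask = next((bits for tag, _, bits in acl if tag == "mask"), 7)
    rights = {}
    for tag, qualifier, bits in acl:
        limited = tag == "group" or (tag == "user" and qualifier)
        rights[f"{tag}:{qualifier}"] = to_text(bits & mask if limited else bits)
    return rights


def demo(inherit_acls, requested_mode=0o666):
    """Effective rights on a new file created with requested_mode."""
    mode = create_mode(requested_mode, inherit_acls)
    return effective_rights(new_object_acl(parse_default_acl(DEFAULT_ACL), mode))


if __name__ == "__main__":
    for setting in (False, True):
        print("inherit acls =", "yes" if setting else "no", demo(setting))
```

With `inherit acls = no` and mode 0666 the execute bit is lost for `my_account`, as in the message; with `inherit acls = yes` the default ACL is propagated unchanged.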
[Samba] Re: what's good for security=ads ?
d tbsky wrote:

> hi:
>
> we have a 2003 R2 domain. it is running on 2003 native mode. we want to setup some samba member file servers. our client is windows xp. i try samba 3.2 with "security = domain" and "idmap backend = rid". it seems fine. but i saw there are more advanced options in samba like "security = ads" and even parameter about "rfc2307" to mix windows and samba. they are complex settings and i wonder what benefits they bring to us.
>
> our situation is: we want to use samba as file server for windows xp, and we have one single 2003 R2 domain. we may want to migrate to samba 4.0 when it is ready. is simple "security = domain" enough?, or we should setup "security = ads" to prepare for the future?
>
> thanks a lot for your help!!

Shortly! The difference between "domain" and "ads" as I understand it:

domain = NT4 style domain membership. In my experience it should be enough unless using Vista clients.

ads = like NT4 + kerberos. If you want to use "ads" you have to set up a little kerberos client configuration on your samba server. This is a little bit more work.

General: We had issues from windows Vista client to connect to samba server unless we changed from "domain" to "ads" mode, but I don't know the exact background. But maybe it helps to set:

client ntlmv2 auth = yes

in smb.conf for SMB auth negotiating with the vista client without changing from "domain" to "ads". Before using Vista, "domain" membership works very well with 2003 R2 (native mode), Windows XP and winbind.

RFC2307: This is a schemata extension (part of 2003 R2) for ActiveDirectory to make it possible to put posix information to an existing Windows user/group. This information is read out by winbind if:

winbind nss info = rfc2307

is set!

I hope I could help you. If I type something wrong please correct me. I'm writing about my experience and tests.
[Samba] Solaris 8 & samba 3.2.3: present but cannot be compiled
When we run configure using:

./configure --prefix=/nau/samba --without-LD --with-ldap --with-static-libs=libtalloc,libtdb --with-krb5=/nau/local --with-ads

We get the following:

configure: WARNING: ldap.h: present but cannot be compiled
configure: WARNING: ldap.h: check for missing prerequisite headers?
configure: WARNING: ldap.h: see the Autoconf documentation
configure: WARNING: ldap.h: section "Present But Cannot Be Compiled"
configure: WARNING: ldap.h: proceeding with the preprocessor's result
configure: WARNING: ldap.h: in the future, the compiler will take precedence
configure: WARNING: ## ##
configure: WARNING: ## Report this to [EMAIL PROTECTED] ##
configure: WARNING: ## ##
checking for ldap.h... yes
checking lber.h usability... yes
checking lber.h presence... yes
checking for lber.h... yes
checking for ber_tag_t... yes
checking for ber_scanf in -llber... yes
checking for ber_sockbuf_add_io... yes
checking for LDAP_OPT_SOCKBUF... no
checking for LBER_OPT_LOG_PRINT_FN... yes
checking for ldap_init in -lldap... yes
checking for ldap_set_rebind_proc... yes
checking whether ldap_set_rebind_proc takes 3 arguments... 3
checking for ldap_initialize... no
checking whether LDAP support is used... yes
checking for Active Directory and krb5 support... yes
checking for ldap_initialize... (cached) no
configure: error: Active Directory support requires ldap_initialize

Any ideas?
[Samba] testjoin fails, but join works
Has anyone ever seen this condition before? net rpc testjoin fails, but net rpc join succeeds. Running samba 3.0.32 on CentOS 5.2:

[EMAIL PROTECTED] samba]# net rpc testjoin -S ROARK -D ADMIN -U awilliam
Password:
[2008/09/16 08:44:27, 0] rpc_client/cli_pipe.c:get_schannel_session_key_common(2445)
  get_schannel_session_key: could not fetch trust account password for domain 'ADMIN'
[2008/09/16 08:44:27, 0] utils/net_rpc_join.c:net_rpc_join_ok(81)
  net_rpc_join_ok: failed to get schannel session key from server ROARK for domain ADMIN. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Join to domain 'ADMIN' is not valid
[EMAIL PROTECTED] samba]# net rpc join -S ROARK -D ADMIN -U awilliam
Password:
Joined domain ADMIN.
Re: [Samba] write only permissions
Steve,

This thread from last May might be of help to you. It shows how to define the share for a dropbox. Being curious, I set up a test share to try it out; it works.

http://lists.samba.org/archive/samba/2008-May/140429.html

Dale

Steve Rippl wrote:

Hi,

We've just put in a Samba fileserver to replace our windows box for our School District and it seems to be working great. I have a question about defining some specific permissions though. We set up 'Drop boxes' for teachers that kids can drag files into, but they don't have read permission so they can't read each other's submitted work. Here's what it looks like on the fileserver

[EMAIL PROTECTED]:/srv/materials/WHS/VanCleek# getfacl Drop_Box/
# file: Drop_Box
# owner: admin
# group: domain\040admins
user::rwx
user:vancleek:rwx
group::rwx
group:whs\040student:-wx
mask::rwx
other::---
default:user::rwx
default:user:vancleek:rwx
default:group::rwx
default:group:whs\040student:-wx
default:mask::rwx
default:other::---

and the view through windows security tab shows Traverse folder/Create Files/Write Attributes/Write Extended Attributes/Read permissions. Needless to say this doesn't seem to work! The student account (in the right group) is not allowed to drop a file into that folder. If I add g:wsd\\whs\ Student:rwx then the student can do anything successfully, with -wx nothing?!!

Can anyone help?

Many thanks,

Steve Rippl
Technology Director
Woodland School District
Re: [Samba] write only permissions
On Mon, 2008-09-15 at 15:40 -0700, Jeremy Allison wrote:
> On Mon, Sep 15, 2008 at 01:57:55PM -0700, Steve Rippl wrote:
> > Hi,
> >
> > We've just put in a Samba fileserver to replace our windows box for our School District and it seems to be working great. I have a question about defining some specific permissions though. We set up 'Drop boxes' for teachers that kids can drag files into, but they don't have read permission so they can't read each other's submitted work. Here's what it looks like on the fileserver
> >
> > [EMAIL PROTECTED]:/srv/materials/WHS/VanCleek# getfacl Drop_Box/
> > # file: Drop_Box
> > # owner: admin
> > # group: domain\040admins
> > user::rwx
> > user:vancleek:rwx
> > group::rwx
> > group:whs\040student:-wx
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:vancleek:rwx
> > default:group::rwx
> > default:group:whs\040student:-wx
> > default:mask::rwx
> > default:other::---
> >
> > and the view through windows security tab shows Traverse folder/Create Files/Write Attributes/Write Extended Attributes/Read permissions. Needless to say this doesn't seem to work! The student account (in the right group) is not allowed to drop a file into that folder. If I add g:wsd\\whs\ Student:rwx then the student can do anything successfully, with -wx nothing?!!
> >
> > Can anyone help?
>
> Ok, the problem is that students need to be able to read the containing directory in order to be able to drag and drop new files there. The reason is that Samba needs to be able to scan the directory on their behalf in order to do case insensitive lookups.
>
> But so long as you don't mind allowing the students to see the names of each other's files, you can set up a DropBox so that students can write into it (and their own files) but not edit or see others' files.
>
> Firstly, you want to make sure that files created in the DropBox directory are not owned by the student's primary group, but by the group owner of the DropBox directory. So :
>
> chgrp teachers DropBox
>
> to make it owned by the teachers group. Then set the setgid bit on the DropBox directory to make sure that files created within there have an owning group of teachers.
>
> chmod g+s DropBox
>
> Then ensure that a file in DropBox can be renamed or deleted by only the owner of the file, or by the owner of the directory, or by root (same permissions that /tmp has).
>
> chmod +t DropBox
>
> Then allow students to write into the directory by adding an ACL
>
> setfacl -m g:students:rwx DropBox
>
> So long as the default acl is set so that "others" have no permissions, files written by a student into that directory will be owned by themselves but will have an owning group of "teachers", and students will not be able to read each other's files.
>
> If you need to cause the files to be owned by the owner of the directory, not by the students who created them you need to set up a separate share as described above, but then add the share level parameter :
>
> inherit owner = yes
>
> which will cause files created within the directories in that share to be owned by the containing directory, not the creating owner.
>
> Hope this helps,
>
> Jeremy.

Works like a charm! Many thanks.
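The mode bits set in the procedure above (chmod g+s, chmod +t, nothing for "other") can be verified after the fact with a short audit script. This is an added example, not part of the original thread; the function names are hypothetical, it assumes GNU stat, and it only consults getfacl when the acl tools are installed.

```shell
#!/bin/sh
# Added example: audit a drop-box directory for the layout described in
# the thread. Function names are hypothetical; requires GNU stat.

dropbox_mode() {
    # Octal mode including the special bits, e.g. 3770.
    stat -c '%a' "$1"
}

audit_dropbox() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir"
        return 2
    fi
    mode=$(dropbox_mode "$dir") || return 2
    bits=$(( 0$mode ))      # leading 0 makes the shell read it as octal
    rc=0

    # setgid: files created inside take the directory's owning group.
    if [ $(( bits & 02000 )) -eq 0 ]; then
        echo "$dir: setgid bit missing (chmod g+s)"
        rc=1
    fi
    # sticky: only the file owner, the directory owner or root may
    # rename or delete an entry, as on /tmp.
    if [ $(( bits & 01000 )) -eq 0 ]; then
        echo "$dir: sticky bit missing (chmod +t)"
        rc=1
    fi
    # "other" must have no permissions on the directory itself.
    if [ $(( bits & 07 )) -ne 0 ]; then
        echo "$dir: 'other' has permissions (mode $mode)"
        rc=1
    fi
    # A default ACL, if present, is inherited by new files; its "other"
    # entry must also be empty or students can read each other's work.
    if command -v getfacl >/dev/null 2>&1; then
        if getfacl -p "$dir" 2>/dev/null |
            grep '^default:other::' | grep -qv -e '---$'; then
            echo "$dir: default ACL grants permissions to 'other'"
            rc=1
        fi
    fi
    return $rc
}

# Stand-alone use: audit the directory given on the command line.
if [ $# -gt 0 ]; then
    audit_dropbox "$1"
fi
```
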
Re: [Samba] sync always, strict sync, cache question
Chris Fanning wrote:

snip

But I am worried about the cache that Samba makes use of. We would like samba to write to disk immediately. We've found these two options for smb.conf

sync always = yes
strict sync = yes

I can't quite see the difference between the two in my case. If I set 'sync always = yes' _or_ 'strict sync = yes', I can copy files at 70MB/s (similar to NFS using async). If I set both options, file transfer speed drops to about 20MB/s

Does that mean that I do need to set both options to ensure the cache is written to disk before the server returns the ok to the client? How could I test this?

And now while I'm here ;) , does anyone have any other recommendations for this kind of setup?

Thanks, Chris.

Hi Chris,

I did an investigation on this in 2003. Here are the results. Not sure if things have changed since then.

---

Samba defaults to asynchronous writes. smbd writes to memory buffer, then returns to processing. Buffer is flushed to disk later. This is the most efficient behavior.

Windows CreateFile API has the FILE_FLAG_WRITE_THROUGH flag, which requests synchronous writes. smbd writes to memory buffer, blocks until buffer contents are written to disk, which results in poor performance, but better data integrity.

When "strict sync = yes" (default = no) Samba honors the FILE_FLAG_WRITE_THROUGH flag, and results in synchronous writes when called by the CreateFile API.

When "sync always = yes" (default = no) Samba executes all writes synchronously. This requires that “strict sync = yes”.

StrictSync  SyncAlways  ff_write_through  Sync-Writes
no          no          no                no
yes         no          no                no
yes         no          yes               Yes (slow)
no          yes         yes               no
yes         yes         yes/no            yes (very slow)

Eric Roseme
RE: [Samba] Re: samaba winwind
> Chavez, James R. wrote:
> > Michael, Andreas, and list,
> >
> > Quick questions for clarity please. Using Winbind and having the uid and gid consistent across all linux and Solaris servers is something I have struggled with. So is it fair to say that without SFU, or extending schema with RFC2307, or using Windows 2003R2 and manually populating these Active Directory user objects with Unix attributes, you cannot manually specify which Unix uid is mapped to a Windows ID?
>
> You can use OpenLDAP for example instead of SFU or RFC2307 extension :-)
>
> But: Yes, this is at least my experience.
>
> There is a "net groupmap" command which will write to the tdb database backend, but I didn't ever use this and don't know if this command is relevant in this context. I remember this command is (only) used when setting up a Samba domain controller to map the builtin windows groups 512,513,514. Although there is no "net usermap" command.
>
> > I ask this because in certain locations where I work we have existing Unix infrastructures based on NIS. Therefore all access to data is based upon these NIS uid and gid permissions in these environments. The Windows group has been pushing Linux out in these locations and in some cases, insisting they be joined to Active Directory, and authenticate local and SSH logins with Winbind. My issue with this is that the existing resources that the staff accesses have permissions based on NIS permissions. So when logging in with Active Directory credentials, these AD users are dynamically allocated a Unix uid by Winbind that no longer has access to established resources based on the NIS permissions.
> >
> > What I have done in certain areas is migrated all uid, gid, and host information from NIS into an OpenLDAP directory. Then use Kerberos (AD creds) to authenticate then map the Kerberos name to the 8 character Unix name in LDAP using PADL's nss_ldap. I could just create the LDAP usernames the same as the Kerberos names but wanted to keep with the 8 character scheme, I think AIX still has this limitation. This seems to work but if I can use Winbind to statically map existing Unix uid to Windows ID's that would be less work.
> >
> > Is there in fact a way to use Winbind and use the NIS uid and gid info that already exists? From what I have read so far all Winbind uid generation is dynamic. Please correct me if I am wrong.
>
> We had the same constellation in our institute and we put all uids/gids from NIS to Active Directory "by hand", bit by bit. About 200 users.
>
> I don't know a way to use nis AND winbind at the same time, so the ActiveDirectory system will read information from NIS and put it together with the Windows AD information, without migrating the uids/gids.
>
> I hope a samba developer could answer this question positively :-)

I'm not a Samba developer but in the latest releases of the 3.0.x tree you can use the idmap backend of "nss" to get the old behavior of mapping the Windows account name to the same account name in Unix.
[Samba] what's good for security=ads ?
hi:

we have a 2003 R2 domain. it is running on 2003 native mode. we want to setup some samba member file servers. our client is windows xp. i try samba 3.2 with "security = domain" and "idmap backend = rid". it seems fine. but i saw there are more advanced options in samba like "security = ads" and even parameter about "rfc2307" to mix windows and samba. they are complex settings and i wonder what benefits they bring to us.

our situation is: we want to use samba as file server for windows xp, and we have one single 2003 R2 domain. we may want to migrate to samba 4.0 when it is ready. is simple "security = domain" enough?, or we should setup "security = ads" to prepare for the future?

thanks a lot for your help!!
[Samba] Samba LDAP entries for Password Change
Hi all,

I have a question regarding the enforced change of passwords in Samba 3.0.28 (coming with Ubuntu Hardy) in connection with a LDAP backend. In particular, I am looking for a documentation how the fields sambaMinPwdAge, sambaMaxPwdAge (from sambaDomain), sambaPwdCanChange and sambaPwdMustChange (from sambaSAMAccount) interact.

I would like to have the following:
- when a new account is created, the user immediately must change the password when [s]he first logs in;
- after that, the password shall expire after x days.

Unfortunately, I tried a number of combinations without success. Everything seems to be controlled by the sambaMaxPwdAge setting (seconds relative to sambaPwdLastSet when the password must be changed?), and the other entries seem to be irrelevant?

Any documentation/pointer would be welcome!

Thanks, Albrecht.
[Samba] sync always, strict sync, cache question
Hello,

I've been using samba to share folders for a number of years now. Thank you very much to the samba team. Now I'm posed with some questions.

I have a couple of servers hosting desktops for thinclient users. Until now I have been mounting /home with NFS on these servers. Recently we have upgraded the whole system and have run into write performance issues with the NFS server.

time dd if=/dev/zero of=/home/testfile bs=16k count=16384
268435456 bytes (268 MB) copied, 45.0461 seconds, 6.0 MB/s

This is much too slow for the gigabit network. We can improve this a lot by exporting /home with the async option (60-70MB/s), but the NFS documentation strongly recommends against using async (opposed to sync) because of possible filesystem corruption if the NFS server crashes. This is a cache issue. After numerous tests we have given up trying to get it working properly.

And we've been trying CIFS. Everything works well and write speed is a lot better.

time dd if=/dev/zero of=./testfile bs=16k count=16384
268435456 bytes (268 MB) copied, 3.6 seconds, 74.4 MB/s

But I am worried about the cache that Samba makes use of. We would like samba to write to disk immediately. We've found these two options for smb.conf

sync always = yes
strict sync = yes

I can't quite see the difference between the two in my case. If I set 'sync always = yes' _or_ 'strict sync = yes', I can copy files at 70MB/s (similar to NFS using async). If I set both options, file transfer speed drops to about 20MB/s

Does that mean that I do need to set both options to ensure the cache is written to disk before the server returns the ok to the client? How could I test this?

And now while I'm here ;) , does anyone have any other recommendations for this kind of setup?

Thanks, Chris.
Re: [Samba] Owner and Group ignored over preference to ACLs
Hi Karolin

After some time, I finally managed to recompile samba rather than using the default RPMs. I have a feeling that the default didn't have --enable-acls support, which would explain it ignoring ACL information.

Thanks for your help; it works now!

Regards,

Justin

On Tue, 2008-07-29 at 08:35 +0200, Karolin Seeger wrote:
> Hi Justin,
>
> On Mon, Jul 28, 2008 at 03:07:51PM +0100, Justin Finkelstein wrote:
> > I've just recently upgraded one of our servers from Fedora Core to CentOS 5.2 and a side effect of this is that Samba is now version 3.0.28-1.el5_2.1.
> >
> > Following this upgrade, I have noticed an odd behaviour: samba ONLY uses ACLs to provide permissions to XP clients connecting to the server.
> >
> > Some research has said that this may be due to the deprecation of acl group control, which is now replaced by the 'dos filemode' option. However, changing this doesn't have the desired effect.
> >
> > To be clear: the desired effect, for me, is to have owner and group information (as well as ACLs) used to determine permissions for connected users.
> >
> > I've yet to find an answer to this via google.
> >
> > Has anyone else experienced this and have some feedback?
>
> I think this one is fixed in 3.0.31 with the attached patch.
> Details can be found at https://bugzilla.samba.org/show_bug.cgi?id=5202.
> Can you try that?
>
> Karolin
> --

Redwire Design Limited
54 Maltings Place
169 Tower Bridge Road
London SE1 3LJ
www.redwiredesign.com
[ 020 7403 1444 ] - voice
[ 020 7378 8711 ] - fax
Re: [Samba] samba migration woes
Hello, g,

you (myitguru) wrote on 15.09.08:

> I am trying to migrate samba from a box with Mandrake 10.1 with Samba 3.0.10 to a new box running CentOS 5.2 with Samba 3.0.28. The two versions of samba are too different to simply copy the config and tdb files over to the new box and the Mandrake box won't upgrade past 3.0.10. I could really use some suggestions. Thanks

Where's the problem?

If you take the old "samba.cnf" for the new samba version then samba will tell you which parameters are not allowed ("obsolete").

testparm -s >/dev/null

If your passwd file lies in "/etc/samba/private" then you have to copy the complete directory contents to the new machine (especially a file "secrets.tdb" with the "local SID").

You don't need to copy the tdb files in "/var/lock/samba" - they are created new if they don't exist on the new system.

Perhaps you need to put every client out of the domain, restart the client and put it into the domain again.

Best regards!

Helmut