[Samba] Nested groups are completely missing
All of my nested groups are missing after building Samba 3.3.3. For example, using the local "Administrators" group with Domain\Domain Admins was not built by default, nor was the local "Users" group that would normally have "Domain Users" in it.

Aren't these supposed to be visible after I join the server to the domain? They appear to be missing, at least when I try to manage the server using Computer Management. And it is joined to the domain; wbinfo -u and wbinfo -g work flawlessly. Security is set to ADS. A "net groupmap list" comes up empty.

Any ideas?

Thanks,
Bill D.

"Give a man a fish and you've freed him up for the day to write a poem, compose a song, or howl at the Gods. Teach a man to fish and you've doomed him to a lifetime as a fisherman." -Rodney Anonymous

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Users cannot rename, delete files on AD-member Samba server
What about unix extensions? enabled or disabled? Unix extensions seem to bypass force group statements...

On Fri, Apr 10, 2009 at 10:26 AM, Jeremy Allison wrote:
> On Fri, Apr 10, 2009 at 11:46:53AM -0400, Goldschrafe, Jeffrey wrote:
>> Hi there!
>>
>> I'm having some strange permissions issues with one of my systems that's on an Active Directory domain.
>>
>> Here's the basic background:
>>
>> - System is joined to AD domain. Users authenticate fine via Kerberos, and are authorized via an AD user group. They can browse the share, create files, etc. without incident. "valid users" lets them in.
>> - User information for the system (nsswitch) comes out of LDAP. The LDAP is non-AD (a legacy OpenLDAP setup), but the usernames all line up and Samba can resolve each user's UID/GID and secondary groups without a problem.
>> - The share is semantically owned by a single Unix group.
>> - That security group is mapped in "net groupmap" to a Unix group. I'm not entirely sure if this is actually necessary.
>> - Share has "force create mode = 0664" and "force directory mode = 0775" to ensure that files are writable by the group by default.
>>
>> When a user connects to the share using a Windows client (XP or Vista), they are unable to rename folders, and unable to rename or delete files. They are able to delete folders, as long as the folders do not contain any files. This means that when using Explorer to create a file or folder, it can be created with the default name (e.g. "New Folder" or "New Text Document.txt") but any attempt to assign a semantically-meaningful name will fail with an "access denied" error. This applies to renaming existing files as well, of course.
>>
>> When the same user connects from a Mac or Linux client, through Finder, Dolphin or smbclient, the same exact operations work. The user can rename and delete just fine as long as it isn't from Windows.
>
> We need to see level 10 logs of what is going on here before we can determine the problem. What version of Samba are you using ?
>
> Jeremy.
[Samba] [samba4][LDAP]: memberOf: attribute type undefined
Dear

I'm trying to run samba4 on a Debian lenny with an LDAP backend. When I execute

    slapd -f /etc/samba/ldap/slapd.conf -h ldapi://%2Fetc%2Fsamba%2Fldap%2Fldapi -d4294967295

the slapd server crashes with this output:

    <<< dnPrettyNormal: , line 57 (refint_attributes nonSecurityMemberBL nonSecurityMember msDS-NonMembersBL msDS-NonMembers directReports manager bridgeheadServerListBL bridgeheadTransportList msDS-ObjectReferenceBL msDS-ObjectReference msCOM-UserLink msCOM-UserPartitionSetLink msDs-masteredBy msDS-hasMasterNCs siteObjectBL siteObject queryPolicyBL queryPolicyObject masteredBy hasMasterNCs managedObjects managedBy serverReferenceBL serverReference memberOf member)
    /etc/samba/ldap/slapd.conf: line 57: refint_attributes : attribute type undefined
    lt-slapd destroy: freeing system resources.
    slapd stopped.

How to fix it?

Best regards.
Re: [Samba] Users cannot rename, delete files on AD-member Samba server
On Fri, Apr 10, 2009 at 11:46:53AM -0400, Goldschrafe, Jeffrey wrote:
> Hi there!
>
> I'm having some strange permissions issues with one of my systems that's on an Active Directory domain.
>
> Here's the basic background:
>
> - System is joined to AD domain. Users authenticate fine via Kerberos, and are authorized via an AD user group. They can browse the share, create files, etc. without incident. "valid users" lets them in.
> - User information for the system (nsswitch) comes out of LDAP. The LDAP is non-AD (a legacy OpenLDAP setup), but the usernames all line up and Samba can resolve each user's UID/GID and secondary groups without a problem.
> - The share is semantically owned by a single Unix group.
> - That security group is mapped in "net groupmap" to a Unix group. I'm not entirely sure if this is actually necessary.
> - Share has "force create mode = 0664" and "force directory mode = 0775" to ensure that files are writable by the group by default.
>
> When a user connects to the share using a Windows client (XP or Vista), they are unable to rename folders, and unable to rename or delete files. They are able to delete folders, as long as the folders do not contain any files. This means that when using Explorer to create a file or folder, it can be created with the default name (e.g. "New Folder" or "New Text Document.txt") but any attempt to assign a semantically-meaningful name will fail with an "access denied" error. This applies to renaming existing files as well, of course.
>
> When the same user connects from a Mac or Linux client, through Finder, Dolphin or smbclient, the same exact operations work. The user can rename and delete just fine as long as it isn't from Windows.

We need to see level 10 logs of what is going on here before we can determine the problem. What version of Samba are you using ?

Jeremy.
[Samba] Users cannot rename, delete files on AD-member Samba server
Hi there!

I'm having some strange permissions issues with one of my systems that's on an Active Directory domain.

Here's the basic background:

- System is joined to AD domain. Users authenticate fine via Kerberos, and are authorized via an AD user group. They can browse the share, create files, etc. without incident. "valid users" lets them in.
- User information for the system (nsswitch) comes out of LDAP. The LDAP is non-AD (a legacy OpenLDAP setup), but the usernames all line up and Samba can resolve each user's UID/GID and secondary groups without a problem.
- The share is semantically owned by a single Unix group.
- That security group is mapped in "net groupmap" to a Unix group. I'm not entirely sure if this is actually necessary.
- Share has "force create mode = 0664" and "force directory mode = 0775" to ensure that files are writable by the group by default.

When a user connects to the share using a Windows client (XP or Vista), they are unable to rename folders, and unable to rename or delete files. They are able to delete folders, as long as the folders do not contain any files. This means that when using Explorer to create a file or folder, it can be created with the default name (e.g. "New Folder" or "New Text Document.txt") but any attempt to assign a semantically-meaningful name will fail with an "access denied" error. This applies to renaming existing files as well, of course.

When the same user connects from a Mac or Linux client, through Finder, Dolphin or smbclient, the same exact operations work. The user can rename and delete just fine as long as it isn't from Windows.

Additionally:

- When the file is created from Windows, it has the correct permissions on the server.
- If a file is created from a Mac or Linux client, or locally on the server, it cannot be deleted or renamed from a Windows client.
- If a file is created from a Windows client, it can be renamed or deleted from a Mac or Linux client without issue.

The following things make the operations work on Windows:

- Adding the users or groups to the "admin users" attribute for the share.
- Setting "force group" to be the group that owns the share directory on the filesystem.

The fact that "force group" makes this work implies that there may be some kind of problem resolving the group membership, but only for Windows clients. This doesn't really make a lot of sense to me, so it's just wild speculation on my part about where the problem actually is.

Any ideas?

Jeff Goldschrafe
Systems Engineer
Cold Spring Harbor Laboratory
1 Bungtown Road
Cold Spring Harbor, NY 11724
http://www.cshl.edu
Re: [Samba] Occasional loss of connection between Windows clients and Samba under stress
On Fri, 2009-04-10 at 12:30 +, Brebner, Gavin wrote:
> Problem seen on more than 1 server, and more than 1 client type.
> Windows clients = Windows Server 2003 or Windows XP sp3.
> Samba = 3.0-25b or 3.2.3 (clustered)
>
> My clients connect ok, and I have no problems with basic operations - copying files etc. However, if I run applications in a cygwin environment that create decent stress e.g. writing a 1GB file with iozone - I get a failure with 'no route to host or network' reported.
>
> I've a perl script that hits similar issues - multiple processes run creating files, and some - but not all - of the processes tend to hit an issue that stops the process opening a file. Generally, the share remains accessible, but sometimes it gets listed as disconnected and I need to disconnect and re-mount.
>
> I'm guessing this is somehow a bad reaction to a slow response. Is there a timeout I could experiment with ? Anyone else seen this ? Debug suggestions ?

bad NIC - and/or - bad switch

Would be my first guesses. I'd try to duplicate the failure using non-CIFS traffic. Generate myriad HTTP requests, or ping floods with large packet size, etc...
Re: [Samba] directory permission problems
Adam Williams wrote:
> jerry wrote:
>>
>> You might want to search bugzilla.samba.org. There was a recent reporter having some broken behavior with "force group". I don't remember the specifics or version.
>>
> is there another way other than using force group = grants that will make the group ownership of any files/folders written to that share be owned by the group grants?

I use "inherit permissions = yes" and then enable the setgid bit on directories. It allows a bit more flexibility than force XXX parameter IMO.

cheers, jerry

--
http://git.plainjoe.org/ CODE
"What man is a man who does not make the world better?" --Balian
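The setgid-directory layout suggested in the reply above can be checked on the server. The shell audit below is an added example, not part of the original thread or of Samba; the helper names `audit_share_tree` and `make_sample_tree` and the sample tree they build are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). audit_share_tree and
# make_sample_tree are hypothetical helper names, not Samba tools.

# Report entries under a share root that break the setgid-directory layout.
# Prints one finding per line; returns 1 if anything was found, else 0.
audit_share_tree() {
    root=$1
    # Numeric gid of the share root; everything below should match it.
    gid=$(ls -ldn "$root" | awk '{print $4}')
    findings=$(
        # Directory without setgid: files created in it take the primary
        # group of the creator instead of the group of the directory.
        find "$root" -type d ! -perm -2000 -print | sed 's/^/NO_SETGID /'
        # Entry whose group differs from the group of the share root.
        find "$root" ! -group "$gid" -print | sed 's/^/WRONG_GROUP /'
        # Entry writable by other, as left behind by a chmod -R 777.
        find "$root" ! -type l -perm -0002 -print | sed 's/^/WORLD_WRITABLE /'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Build a small constructed tree: one clean subdirectory, one directory
# with setgid cleared, one world-writable directory. Prints the share path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/share/ok" "$t/share/plain" "$t/share/open"
    chmod 770 "$t/share" "$t/share/ok" "$t/share/plain" "$t/share/open"
    chmod g+s "$t/share" "$t/share/ok" "$t/share/open"
    chmod g-s "$t/share/plain"
    chmod o+w "$t/share/open"
    printf '%s\n' "$t/share"
}
```

Against the share from this thread it would be called as `audit_share_tree /samba/grants`; a `WORLD_WRITABLE` finding is what the `chmod -R 777` workaround mentioned in the original question leaves behind.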
Re: [Samba] directory permission problems
jerry wrote:
> You might want to search bugzilla.samba.org. There was a recent reporter having some broken behavior with "force group". I don't remember the specifics or version.

is there another way other than using force group = grants that will make the group ownership of any files/folders written to that share be owned by the group grants?
Re: [Samba] directory permission problems
Adam Williams wrote:
> I have shares such as the one below. Users in the group (in this example, the group grants) can access the root directory of the share (\\roark\grants) just fine, and it and all files and subfolder permissions are 770 and owned by the group grants, but users have problems going into subfolders, getting access denied errors. Or, in the root directory they can create files, but not delete or rename them, even though the file is created with ownership of group grant, they are in the grants group, and permissions are 770. The only fix would be to chmod -R 777 /samba/grants. Has anyone had this problem or know of a solution?
>
> [grants]
...
>    force group = grants

You might want to search bugzilla.samba.org. There was a recent reporter having some broken behavior with "force group". I don't remember the specifics or version.

cheers, jerry

--
http://git.plainjoe.org/ CODE
"What man is a man who does not make the world better?" --Balian
[Samba] directory permission problems
I have shares such as the one below. Users in the group (in this example, the group grants) can access the root directory of the share (\\roark\grants) just fine, and it and all files and subfolder permissions are 770 and owned by the group grants, but users have problems going into subfolders, getting access denied errors. Or, in the root directory they can create files, but not delete or rename them, even though the file is created with ownership of group grant, they are in the grants group, and permissions are 770. The only fix would be to chmod -R 777 /samba/grants. Has anyone had this problem or know of a solution?

[grants]
    path = /samba/grants
    force directory mode = 0770
    browseable = No
    create mask = 0770
    force create mode = 0770
    directory mask = 0770
    force directory mode = 0770
    writeable = Yes
    force group = grants
    valid users = @grants
    csc policy = disable
    profile acls = yes
    nt acl support = no
    force security mode = 777
[Samba] Occasional loss of connection between Windows clients and Samba under stress
Problem seen on more than 1 server, and more than 1 client type.
Windows clients = Windows Server 2003 or Windows XP sp3.
Samba = 3.0-25b or 3.2.3 (clustered)

My clients connect ok, and I have no problems with basic operations - copying files etc. However, if I run applications in a cygwin environment that create decent stress e.g. writing a 1GB file with iozone - I get a failure with 'no route to host or network' reported.

I've a perl script that hits similar issues - multiple processes run creating files, and some - but not all - of the processes tend to hit an issue that stops the process opening a file. Generally, the share remains accessible, but sometimes it gets listed as disconnected and I need to disconnect and re-mount.

I'm guessing this is somehow a bad reaction to a slow response. Is there a timeout I could experiment with ? Anyone else seen this ? Debug suggestions ?

Thanks,
Gavin
[Samba] Some questions about Samba and LDAP
Hello,

I have been using Samba for years (login onto the PC, files and printers sharing) and since recently I have a LDAP server running and serving authentication to few Unix systems (mail, web, Zope, ssh, etc.)

Now that I set-up a new server to use with Samba, I would like to integrate Samba into the existing LDAP. All the doc I could find so far is about creating a LDAP service from scratch which is not my case.

My questions are:

- in slapd configuration, what are the minimum accesses (ACL) that should be granted to the various attributes of samba schema? By default my LDAP server is quite protected and allows no access to any attribute, unless specified otherwise. I could find:

    ## allow the "ldap admin dn" access, but deny everyone else
    access to attrs=SambaLMPassword,SambaNTPassword
        by dn="cn=Samba Admin,ou=People,dc=quenya,dc=org" write
        by * none

  But what about the other attributes?

- I have my users database existing in LDAP, how can I add Samba support? I understand that I should modify the objectClass of each user to include sambaSamAccount, but then each user must also have an attribute sambaSID. How can I generate that attribute?

- Is there a way to implement filter on the list of users? Nss_ldap, pam_ldap for example allow to configure an optional filter, so only the users with the correct attribute will have access to a specific service (I separate the users that can log to their Unix account onto the machine from the users that can use a specific service on that machine). Is there a similar filter with Samba or should I differentiate with the use/unuse of objectClass sambaSamAccount?

- All what I read so far mention updating the sambaLMPassword and sambaNTPassword with the command smbpasswd. I already have a set of tools that I use to manage the users account (and that synchronize account/password on many systems (database, radius, etc)), what can I use to manage sambaLM/NTPassword within my local tools?

Best regards,
Olivier