[Samba] CTDB: Clustered NFS, reboot, requires me to exportfs -r(a)

2009-09-03 Thread Charles Hammitt

Hi Samba,

   I hope you are doing well.  I run a cifs / nfs CTDB clustered NAS 
solution, and I find that when I reboot any of the nodes in the cluster, 
I must re-export the nfs mounts so they show up properly.  Perhaps this 
is a general linux nfs bug and I am barking up the wrong tree, but I 
haven't found any problem / solution mentioning this as of yet besides 
my own known workaround of re-exporting once the service comes up.


   As you can see below, it exports the first host defined, but skips 
over the second two until I re-export.  Not sure if it is the space 
between the first host and the second host and the third, or if it is 
because my first host is defined by IP, and the second two are defined by 
hostname.  But the cause is likely one or the other.


hostnames and ips are omitted, but you should get the idea.

*%cat /etc/exports *

/gpfs/nfs/share n.n.n.n(rw,root_squash,fsid=nnn) 
n.n.n.n(rw,root_squash,fsid=nnn) n.n.n.n(rw,root_squash,fsid=nnn)


*%showmount -e *

Export list for :
/gpfs/nfs/share n.n.n.n

*%exportfs -r*

*%showmount -e *

Export list for :
/gpfs/nfs/share n.n.n.n, n.n.n.n, n.n.n.n




regards,

Charles
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] CTDB: Clustered NFS, reboot, requires me to exportfs -r(a)

2009-09-03 Thread Charles Hammitt

Hi Samba,

   I hope you are doing well.  I run a cifs / nfs CTDB clustered NAS 
solution, and I find that when I reboot any of the nodes in the cluster, 
I must re-export the nfs mounts so they show up properly.  Perhaps this 
is a general linux nfs bug and I am barking up the wrong tree, but I 
haven't found any problem / solution mentioning this as of yet besides 
my own known workaround of re-exporting once the service comes up.


   As you can see below, it exports the first host defined, but skips 
over the second two until I re-export.  Not sure if it is the space 
between the first host and the second host and the third, or if it is 
because my first host is defined by IP, and the second two are defined by 
hostname...or something related...


hostnames and ips are omitted, but you should get the idea.

*%cat /etc/exports *

/gpfs/nfs/share n.n.n.n(rw,root_squash,fsid=nnn) 
n.n.n.n(rw,root_squash,fsid=nnn) n.n.n.n(rw,root_squash,fsid=nnn)


*%showmount -e *

Export list for :
/gpfs/nfs/share n.n.n.n

*%exportfs -r*

*%showmount -e *

Export list for :
/gpfs/nfs/share n.n.n.n, n.n.n.n, n.n.n.n




regards,

Charles



Re: [Samba] several domain

2009-09-03 Thread Michael Wood
2009/9/3 azzouz :
> Michael Wood wrote:
>>
>> 2009/9/3 azzouz :
[...]
>>> i write instead :
>>>
>>> test -x `/usr/sbin/nmbd -D -s $CONFIG_FILE` -a -x `/usr/sbin/smbd -D -s
>>> $CONFIG_FILE` || exit 0
>>
>> This will run nmbd and will probably complain about "test: too many
>> arguments" (same for smbd) because you're supposed to call "test -x"
>> with a filename, and not with the string "smbd version ... Copyright
>
> in fact it work fine. No complain from smbd

I'm glad you have it working, but that line is wrong anyway :)

"test -x /usr/sbin/smbd" means:
Is the file called /usr/sbin/smbd executable?  It does not run
/usr/sbin/smbd.  It just looks at the file to see if it is executable.

"test -x `/usr/sbin/smbd -D -s $CONFIG_FILE`" means:
Run /usr/sbin/smbd with parameters -D -s $CONFIG_FILE and get the
output.  (The output could be something like "smbd version
3.4.0-GIT-a3e9b62-devel started.
Copyright Andrew Tridgell and the Samba Team 1992-2009" or it could be nothing.)

If the output was "smbd version..." then the test line will expand to:

test -x smbd version...

and you will get an error about "too many arguments".

If the output was blank, then the test line will expand to:

test -x

I'm not sure why, but that does not complain and also returns
"success", so in your case I suspect this is what's happening.

But despite "test" not complaining or failing, that line still starts
smbd and nmbd when it isn't supposed to!  They are supposed to be
started further down in the script.  That line is only to see if they
are executable.

I hope my explanation is clear.

-- 
Michael Wood 
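
The behaviour described in the message above, as an added example that is not part of the original post. It uses a constructed stub in a temporary directory in place of /usr/sbin/smbd (the names fake_smbd, probe_file and probe_substitution are hypothetical). With a single argument, POSIX test returns success for any non-empty string, which is why a bare "test -x" succeeds: it only checks that the string "-x" is non-empty.

```shell
#!/bin/sh
# Added example (not from the thread). Everything below is constructed: the
# stub stands in for smbd/nmbd and only appends a line to a file when it runs.

SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
STUB="$SANDBOX/fake_smbd"        # hypothetical stand-in for /usr/sbin/smbd
RUNLOG="$SANDBOX/launches"       # one line per time the stub was executed

# Create the stub; $1 is the banner it prints when started (may be empty).
make_stub() {
    cat > "$STUB" <<EOF
#!/bin/sh
echo launched >> "$RUNLOG"
printf '%s' "$1"
EOF
    chmod +x "$STUB"
    : > "$RUNLOG"
}

# Number of times the stub has been executed since it was last created.
launch_count() { wc -l < "$RUNLOG" | tr -d ' '; }

# Print a command's exit status instead of returning it (safe under set -e).
status_of() { if "$@"; then echo 0; else echo $?; fi; }

# The original init-script check: inspects the file's mode, runs nothing.
probe_file() { test -x "$STUB"; }

# The modified check, reduced to one daemon. The backticks execute the stub
# first; its output is then word-split into the arguments of test.
probe_substitution() {
    { test -x `"$STUB"`; } 2>/dev/null
}

demo() {
    make_stub ""
    echo "file check:         status $(status_of probe_file), launches $(launch_count)"
    echo "silent daemon:      status $(status_of probe_substitution), launches $(launch_count)"
    make_stub "smbd version 3.4.0 started."
    echo "daemon with banner: status $(status_of probe_substitution), launches $(launch_count)"
    rm -f "$STUB"
    echo "binary missing:     file check $(status_of probe_file), substitution $(status_of probe_substitution)"
}

demo
```

The last line of output shows the side effect that matters for an init script: with the binary missing, the plain file check fails as intended, while the substituted form still reports success.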


Re: [Samba] Samba authentication against Linux-based Kerberos

2009-09-03 Thread Robert Markula
David Markey wrote:
> Otherwise you could do some pam hackery, perhaps stacking pam_winbind and
> pam_krb5 for password changing. You would have to do this on all the nodes
> on your network. and for the windows side of things you could write a
> password change script, which would be called by samba on a password
> change.

Thanks David!
Heimdal Kerberos is - in our case - no solution, as we're using MIT
Kerberos. So it's either some "pam hackery" (in which case the
distribution of the changes would pose no problems as all of our nodes
are configured centrally via cfengine) or we'll leave it the way it is
(advising users to change their passwords twice). I'll have a look at it
and see if I've got the time to dig deeper into this topic.

If anybody has ever done such a thing - don't be shy and share your
knowledge!

Cheers,
Robert



[Samba] SMBClient will not connect to Server2003

2009-09-03 Thread Jean M. Vandette
Greetings all

We have been using an older version, Samba 2.2.12; it has been working well.
From the samba server we mount a share from a Server2003, which has
been working for the last 3 years until last week. Now we get " and
unspecified error has occurred".
We have turned off the firewall on the server and tried a lot of different
things but have yet to get this working again. Anyone else run into this and
have a possible solution?  The server can mount the samba, it just will not work
anymore in reverse.

Any suggestions would be greatly appreciated.

Jean M. Vandette



Re: [Samba] How do I tell winbind to always send kerberos pre-auth to Active Directory DC

2009-09-03 Thread Volker Lendecke
On Thu, Sep 03, 2009 at 05:10:38PM +0200, Andreas Dan Larsson wrote:
> This message is not fatal in any way, all it means is that
> the client did not pre-authenticate itself to the
> domaincontroller. The domaincontroller responds to the
> client that it needs pre-auth to proceed, the client then
> supplies the pre-auth info. So the "error" in itself is
> quite harmless, my concern is that it's appearing a bit too
> often. Some clients log this message to the
> domaincontroller up to 10-20 times a minute, could this
> indicate that something is broken?

Ok, 10-20 times a minute is definitely too much, you would
need to look at traces why it happens so often. Apart from
that, this behaviour is something winbind has no direct
control over, this is done by the Kerberos libraries we use.
You might want to look at the docs for krb5.conf if there's
any setting you can use to stop the non-preauth requests.
I'm afraid I don't have those docs handy right now, and I'm
behind a slow mobile connection.

Volker



Re: [Samba] several domain

2009-09-03 Thread azzouz

Michael Wood wrote:

2009/9/3 azzouz :
[...]
  

There is a problem!

In the /etc/init.d/smb file there is a test:

# See if the daemons are there
test -x /usr/sbin/nmbd -a -x /usr/sbin/smbd || exit 0

This means:
Test to see if /usr/sbin/nmbd is executable and /usr/sbin/smbd is
executable.  If not, then exit 0.
i.e. it just tests to see if the nmbd and smbd daemons are both executable.
This line does not actually run nmbd or smbd.

Have I to comment this line? If so it could cause conflict, can't it?

No, leave that as it was.

I write instead:

test -x `/usr/sbin/nmbd -D -s $CONFIG_FILE` -a -x `/usr/sbin/smbd -D -s $CONFIG_FILE` || exit 0

This will run nmbd and will probably complain about "test: too many
arguments" (same for smbd) because you're supposed to call "test -x"
with a filename, and not with the string "smbd version ... Copyright

In fact it works fine. No complaint from smbd.

Andrew Tridgell..." etc.

In summary:

I create two files in /etc/init.d: samb.domain1 and samba.domain2

OK

When I execute the first one I get two smbd instances and one of nmbd (I don't
use wins yet). It's normal.
But when I execute the second one I get only one instance of nmbd. And vice
versa.

I think that the amount of instances of smbd is limited. Where could I
configure the amount of instances?

I don't know about this.  Did you specify in each config file that
each smbd must listen on its own interface only?

Yes. And what resolved it is that I also specified the option "bind interfaces
only = yes" and now it works very well.

Another question: I use ldap for the accounts. What about you?
Could I configure two domains in ldap with different SIDs?

I have not yet used LDAP with Samba.

Thanks to you


Y.




Re: [Samba] several domain

2009-09-03 Thread azzouz

azzouz wrote:

azzouz wrote:

azzouz wrote:

Clément VERET wrote:

2009/9/2 azzouz :
 

Hi!

Is it possible for one samba server to manage several domains (several
instances)?

Just run multiple smbd processes with different config files and log
dirs:

smbd -s=$CONFIG_FILE -l=$LOG_PATH -D

You need to specify a different interface for each samba server as
well. Then, all you have to do is copy the original /etc/init.d/smb
file and modify the parameters for your second domain.

Great!

Thanks!

Are there some who test this sort of configuration?
Doesn't this cause problems of load and availability?

Y.

Hi!

There is a problem!

In the /etc/init.d/smb file there is a test:

# See if the daemons are there
test -x /usr/sbin/nmbd -a -x /usr/sbin/smbd || exit 0

Have I to comment this line? If so it could cause conflict, can't it?

I write instead:

test -x `/usr/sbin/nmbd -D -s $CONFIG_FILE` -a -x `/usr/sbin/smbd -D -s $CONFIG_FILE` || exit 0

In summary:

I create two files in /etc/init.d: samb.domain1 and samba.domain2

When I execute the first one I get two smbd instances and one of nmbd
(I don't use wins yet). It's normal.
But when I execute the second one I get only one instance of nmbd. And
vice versa.

I think that the amount of instances of smbd is limited. Where could I
configure the amount of instances?

Another question: I use ldap for the accounts. What about you?
Could I configure two domains in ldap with different SIDs?

Thanks for your help

Y.

I don't know why but it works now. I get two smbd instances and one nmbd
for the two domains.
Before, I had just executed smbd and nmbd on the fly. And now with the
init.d script it works. Why? I don't know.

Now I am going to test with ldap.
What resolved the problem is that I also specified the option "bind
interfaces only = yes" and now it works very well.

Y.


[Samba] How do I tell winbind to always send kerberos pre-auth to Active Directory DC

2009-09-03 Thread Andreas Dan Larsson
Hi List,
I have reported this issue before but I did not get an answer, I'll try one more 
time before I register it as a bug in case I am doing something wrong. 

I'm evaluating the use of samba/winbind to join our linuxhosts into active 
directory. My testsetup use win2k3 R2 with rfc2307 schema fields populated on 
the server side. For the most part the project is humming along nicely.

However, I have noticed that the domaincontrollers get spammed with a lot of 
messages in the event log. The events look like this:

Failure Audit  - Security - 675

Pre-Authentication failed:
User Name:  machineaccount$
User ID:DOMAIN\\machineaccount$
Service Name:   krgtgt/DOMAIN
Pre-Authentication type:0x0
Failure Code:   0x19
Client Address: ipofclient

This message is not fatal in any way, all it means is that the client did not 
pre-authenticate itself to the domaincontroller. The domaincontroller responds 
to the client that it needs pre-auth to proceed, the client then supplies the 
pre-auth info. So the "error" in itself is quite harmless, my concern is that 
it's appearing a bit too often. Some clients log this message to the 
domaincontroller up to 10-20 times a minute, could this indicate that something 
is broken?

My other concern is that this message will totally flood the logs of the 
domaincontrollers in the event of a full scale rollout on all linux clients. 

The solution I believe is to always send KRB5_PADATA_ENC_TIMESTAMP as pre-auth 
when connecting to an Active Directory domain controller. I have searched for a 
config option to enable this behavior without finding one. I have also searched 
the source code to see where the connection to the domaincontroller is set up. 
I have however been unsuccessful in figuring out how I tell sasl to make the 
connection using pre-auth.

Unless I have misunderstood my problem I believe this will benefit anyone that 
integrates their samba machines into Active Directory.

Other solutions I found via google solve the problem by disabling pre-auth 
altogether. This solution is totally unacceptable from a security point of view.

For reference I have used samba 3.2.5 from debian lenny and samba 3.3.3 from 
lenny backports to test this. 

Any advice on how to proceed would be appreciated.

Andreas Larsson


Re: [Samba] several domain

2009-09-03 Thread azzouz

azzouz wrote:

azzouz wrote:

Clément VERET wrote:

2009/9/2 azzouz :
 

Hi!

Is it possible for one samba server to manage several domains (several
instances)?

Just run multiple smbd processes with different config files and log dirs:
smbd -s=$CONFIG_FILE -l=$LOG_PATH -D

You need to specify a different interface for each samba server as
well. Then, all you have to do is copy the original /etc/init.d/smb
file and modify the parameters for your second domain.

Great!

Thanks!

Are there some who test this sort of configuration?
Doesn't this cause problems of load and availability?

Y.

Hi!

There is a problem!

In the /etc/init.d/smb file there is a test:

# See if the daemons are there
test -x /usr/sbin/nmbd -a -x /usr/sbin/smbd || exit 0

Have I to comment this line? If so it could cause conflict, can't it?

I write instead:

test -x `/usr/sbin/nmbd -D -s $CONFIG_FILE` -a -x `/usr/sbin/smbd -D -s $CONFIG_FILE` || exit 0

In summary:

I create two files in /etc/init.d: samb.domain1 and samba.domain2

When I execute the first one I get two smbd instances and one of nmbd (I
don't use wins yet). It's normal.
But when I execute the second one I get only one instance of nmbd. And
vice versa.

I think that the amount of instances of smbd is limited. Where could I
configure the amount of instances?

Another question: I use ldap for the accounts. What about you?
Could I configure two domains in ldap with different SIDs?

Thanks for your help

Y.

I don't know why but it works now. I get two smbd instances and one nmbd
for the two domains.
Before, I had just executed smbd and nmbd on the fly. And now with the
init.d script it works. Why? I don't know.

Now I am going to test with ldap.


Re: [Samba] several domain

2009-09-03 Thread azzouz

azzouz wrote:

Clément VERET wrote:

2009/9/2 azzouz :
 

Hi!

Is it possible for one samba server to manage several domains (several
instances)?

Just run multiple smbd processes with different config files and log dirs:
smbd -s=$CONFIG_FILE -l=$LOG_PATH -D

You need to specify a different interface for each samba server as
well. Then, all you have to do is copy the original /etc/init.d/smb
file and modify the parameters for your second domain.

Great!

Thanks!

Are there some who test this sort of configuration?
Doesn't this cause problems of load and availability?

Y.

Hi!

There is a problem!

In the /etc/init.d/smb file there is a test:

# See if the daemons are there
test -x /usr/sbin/nmbd -a -x /usr/sbin/smbd || exit 0

Have I to comment this line? If so it could cause conflict, can't it?

I write instead:

test -x `/usr/sbin/nmbd -D -s $CONFIG_FILE` -a -x `/usr/sbin/smbd -D -s $CONFIG_FILE` || exit 0

In summary:

I create two files in /etc/init.d: samb.domain1 and samba.domain2

When I execute the first one I get two smbd instances and one of nmbd (I
don't use wins yet). It's normal.
But when I execute the second one I get only one instance of nmbd. And
vice versa.

I think that the amount of instances of smbd is limited. Where could I
configure the amount of instances?

Another question: I use ldap for the accounts. What about you?
Could I configure two domains in ldap with different SIDs?

Thanks for your help

Y.




Re: [Samba] Problem to join Win20900 ADS realm

2009-09-03 Thread Javier Argentina
Some help, please?

2009/9/2, JAP :
> Dear samba team:
>
> I've some troubles to join a GNU/Linux Debian “squeeze” machine to a
> Windows 2000 ADS realm. I've studied everything about samba, but this
> problem cause that I cant print in the Windows servers and I've other
> problems.
> I've joined machines in this domain before ( I made a recipe at
> http://wiki.debian.org/SAMBAclienteWindows)
> But in the last days, I've a problem with the disk, and was necessary to
> set up all the system again.
> And it's impossible to me join the domain!
> I'd tracked everything in the web about this problem, but I did not find
> the solution.
> Attaches all the information about the net / samba configuration and the
> errors.
>
> Please, if you can help me.
>
> Javier
>
> -
>
> My host: station91
> My user: win-user5
> My password: win-pass
> My domain: company
> My realm: local.company
> My KDC administrative server: serverpdc1
> My KDC secondary server: serverbdc7
>
> -
>
>
> # /etc/network/interfaces
> #
> # This file describes the network interfaces available on your system
> # and how to activate them. For more information, see interfaces(5).
>
> # The loopback network interface
> auto lo
> iface lo inet loopback
>
> # LOCAL
>   allow-hotplug eth0
>   auto eth0
>   iface eth0 inet dhcp
>   post-up route del default gw 10.111.1.254
>   post-up route del -net 10.111.1.0 netmask 255.255.255.0 dev eth0
>   post-up route add -net 10.0.0.0 netmask 255.0.0.0 dev eth0
>   post-up net time set -S serverpdc1
>
> -
>
> # /etc/krb5.conf
>
> [libdefaults]
> default_realm = LOCAL.COMPANY
>
> # The following krb5.conf variables are only for MIT Kerberos.
>  krb4_config = /etc/krb.conf
>  krb4_realms = /etc/krb.realms
>  kdc_timesync = 1
>  ccache_type = 4
>  forwardable = true
>  proxiable = true
>
> [realms]
> LOCAL.COMPANY = {
>   kdc = serverbdc7
>   kdc = serverpdc1
>   kdc = serverbdc2
>   kdc = serverbdc5
>   admin_server = serverpdc1
> }
>
> [domain_realm]
>   .local.company = LOCAL.COMPANY
>   local.company = LOCAL.COMPANY
>
> [login]
>   krb4_convert = true
>   krb4_get_tickets = false
>
> -
>
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:  files winbind ldap
> group:   files winbind ldap
> shadow:  files
>
> hosts:   files wins mdns4_minimal [NOTFOUND=return] dns mdns4
> networks:files
>
> protocols:   db files
> services:db files
> ethers:  db files
> rpc: db files
>
> netgroup:nis
>
> -
>
>
> # /etc/samba/smb.conf
> # Samba config file created using SWAT
> # from UNKNOWN
> # Date: 2009/09/02 08:30:38
>
> [global]
>   ldap ssl ads = Yes
>   idmap gid = 1-2
>   passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>   obey pam restrictions = Yes
>   browse list = No
>   dns proxy = No
>   idmap uid = 1-2
>   local master = No
>   workgroup = COMPANY
>   os level = 0
>   winbind refresh tickets = Yes
>   update encrypted = Yes
>   printcap name = cups
>   security = ADS
>   winbind separator = +
>   max log size = 1000
>   lanman auth = Yes
>   log file = /var/log/samba/log.%m
>   include = /etc/samba/dhcp.conf
>   wins server = eth0:10.111.1.201
>   auth methods = winbind, krb5, ldap, guest, sam
>   interfaces = eth0
>   username map = /etc/samba/smbusers
>   domain master = No
>   winbind trusted domains only = yes
>   realm = LOCAL.COMPANY
>   winbind use default domain = Yes
>   server string = %h - Jefe Almacenaje (13-6922)
>   password server = serverbdc7, serverpdc1, *
>   unix password sync = Yes
>   template homedir = /home/%U
>   syslog = 0
>   panic action = /usr/share/samba/panic-action %d
>   pam password change = Yes
>
> [homes]
>   comment = Home Directories
>   valid users = %S
>   create mask = 0700
>   directory mask = 0700
>   browseable = No
>
> [printers]
>   comment = All Printers
>   path = /var/spool/samba
>   create mask = 0700
>   printable = Yes
>   browseable = No
>
> [print$]
>   comment = Printer Drivers
>   path = /var/lib/samba/printers
> [homes]
>   comment = Home Directories
>   valid users = %S
>   create mask = 

[Samba] mount error 13 = Permission denied -> what is the correct samba configuration for guest access from windows client

2009-09-03 Thread c . monty
hi!

I have configured samba with different shares, of which one is accessible for 
guest from client windows.
the output of testparm:
Load smb config files from /etc/samba/smb.conf
Processing section "[install]"
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_STANDALONE

[global]
workgroup = NETZWERK
server string = %h server (Samba, Ubuntu 8.04 LTS)
obey pam restrictions = Yes
passdb backend = tdbsam
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n 
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
unix extensions = No
dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
invalid users = root

the share is defined like this:
[install]
comment = Unattended 4.8
path = /mnt/iso/unattended-4.8/install
guest ok = Yes
locking = No

when I execute the command on the client machine 
u...@client:~$ sudo mount -t cifs -o username=guest ///install 
/mnt/share/
the following error is returned
mount error 13 = Permission denied
Refer to the mount.cifs(8) manual page (e.g.man mount.cifs) 

in the global section of smb.conf I've also defined
guest account   = nouser
unix extensions = no


I'm wondering why this is not displayed in the output of testparm?

the samba server is running on ubuntu 8.04 LTS.
there's no guest user account defined.
instead the user "nouser" and the group "nogroup" exist.

therefore I cannot passwd -a guest, this will fail.

question:
what do I have to configure in smb.conf in order to allow guest access from a 
windows client?
how do I define a password for this user "guest"? or is no password required?

THX

if I execute command
u...@client:~$ sudo mount -t cifs -o username= 
///install /mnt/share/
everything works after entering the password.




[Samba] AD integration and machine account access to shares

2009-09-03 Thread Andersson Fredrik
Dear all,

I'm facing a weird problem that I can't seem to find any information about.
I have joined in a machine running samba 3.2 into an Active Directory 
environment (security = ads).
Even though user and group access works perfectly, when I try to access with a 
machine account, it fails to map it.
"libsmb/ntlmssp.c:ntlmssp_server_auth(745)  Got user=[] domain=[] 
workstation=[SERVERNAME] len1=1 len2=0"
is the only thing I get in the log, after which it falls back to anonymous 
log-on and maps to guest.

I find this odd, seeing as Winbind has no issues retrieving info about machine 
accounts and their group memberships.

I would greatly appreciate any pointers here, as I've not been able to find 
anything in the documentation or on various forums.

Thanks & Regards,
Fredrik




Relevant info from smb.conf:

 [global]

workgroup = AD1
security = ADS
server string = LINUXBOX
encrypt passwords = Yes
username level = 0
map to guest = Bad User
null passwords = yes
max log size = 10
socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=32768 SO_RCVBUF=32768
os level = 32
preferred master = Yes
dns proxy = No
config file = /etc/config/smb.conf
smb passwd file=/etc/config/smbpasswd
username map = /etc/config/smbusers
guest account = guest
directory mask = 0777
create mask = 0777
#enable asu support = no
force unknown acl user = yes

log level = 10
log file = /usr/local/samba/lib/log.%m
include = /usr/local/samba/lib/smb.conf.%m

oplocks = yes
locking = yes
disable spoolss = yes
load printers = no
dos charset = UTF8
force directory security mode = 
template shell = /bin/sh
veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash 
Folder/Temporary Items/TheVolumeSettingsFolder/@__thumb/@__desc/
delete veto files = yes
map archive = yes
map system = yes
map hidden = yes
map read only = yes
deadtime = 10
ldap suffix = dc=AD1,dc=DOMAIN,dc=COM
use sendfile = yes
case sensitive = auto
display charset = UTF8
unix extensions = no
wins support = no
realm = ad1.domain.com
password server = adserver. ad1.domain.com
pam password change = yes
winbind separator = +
idmap uid = 30001-30
idmap gid = 30001-30
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 3600
winbind use default domain = Yes
winbind nested groups = Yes
obey pam restrictions = yes


Re: [Samba] samba+cups printing. drivers on clients.

2009-09-03 Thread Adam Tauno Williams
On Thu, 2009-09-03 at 09:39 +0400, Sergey Karapetyan wrote:
> Any help?
> May be samba or windows clients can forcefully serve\takes drivers always 
> then printer installing?

?  Automatic printer driver installation works very well.  The procedure
is covered in the Samba documentation.





Re: [Samba] Samba and chroot

2009-09-03 Thread Gary Dale

Eric Vielet wrote:

Hi all,

Is there a way with samba to "chroot" the user in order that he can't 
browse up ?
I guess we can do that through Unix rights, but maybe samba can do 
that without changing the rights on the directories ?


Regards,



I'm not sure what you're asking. Network shares can't be browsed up 
above the share point. Are you asking about giving your users shell 
access to the server?



Re: [Samba] Question regarding access to shares from LOCALadministrator account

2009-09-03 Thread Jamrock
"Jobst Schmalenbach"  wrote in message
news:20090903032607.ga4...@senna.barrett.com.au...
>
> Hi.
>
> How do I give access to shares from the LOCAL administrator account to a
> share(s) on the samba server?
> (workstation is domain member, without the need to specify a password).
>
> -- smb.conf
>   domain logons = Yes
>   os level = 200
>   domain master = Yes
>   security = user
> --
>
> I have read chapters 12,13,15 but there seems to be no way I can put the
> "local administrator" into /etc/group nor mapping it via "net groupmap".
> I can do it the other way around i.e. mapping a local group to a group
> on the server, but for one share only I need to have access for the local
> administrator to the share on the server.
>
>
> Jobst

I hope I understand your question.  I think you want the local administrator
on a workstation to access a share on a server.

The local administrator account on a workstation exists only on that
workstation.  It cannot access shares on another machine.

This is so with Samba and Windows.

I would do the following:

Create a domain user account

Add it to the local administrator's group on the workstation

Grant it access to the share on the Samba server







[Samba] Samba and chroot

2009-09-03 Thread Eric Vielet

Hi all,

Is there a way with samba to "chroot" the user in order that he can't 
browse up ?
I guess we can do that through Unix rights, but maybe samba can do that 
without changing the rights on the directories ?


Regards,

--
Eric Vielet   | C.R.T. Informatique
Tel: (+33) 2 35 59 63 30  | 403 route de Darnetal
Fax: (+33) 2 35 59 63 40  | 76230 Bois Guillaume
Email : eric.vie...@crt.fr| http://www.crt.fr/



[Samba] Samba-PDC: One fresh installed XP-Machine can't load the Profiles

2009-09-03 Thread Daniel Spannbauer

Hello,

I have a Samba-PDC (Samba 3.0.23d) with a ldap-Backend.
On several XP-Machines I can log in with my domain-account, everything 
is running fine. But one fresh installed XP-Machine can't load my profile.
I can't find anything in the Logs (loglevel 5) that seems to point to 
the problem of my PDC:


Can anybody help me to fix this?

Here's the smb.conf:

b-login# cat /etc/samba/smb.conf

; Configuration file for smbd.
; 


; For the format of this file and comprehensive descriptions of all the
; configuration option, please refer to the man page for smb.conf(5).

[global]
server string = b-login
workgroup = marco
; speed optimizations
socket options = TCP_NODELAY
share modes = no
debug level = 5
debug uid = yes
getwd cache = yes
;   read size = 65536
preserve case = yes
log level = 3

printer admin = ds
domain logons = yes
domain master = yes
local master = Yes
preferred master = Yes
ldap admin dn = cn=Administrator,dc=marco,dc=de
ldap delete dn = No
ldap group suffix = ou=group
ldap ssl = off
ldap suffix = dc=marco,dc=de
ldap user suffix = ou=people
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=idmap
ldap passwd sync = yes
logon path = \\%L\%U\.ntprofile
logon home = \\%L\%U\.ntprofile
logon drive = H:
passdb backend = ldapsam:"ldap://10.3.1.3";
security = user
add machine script = /usr/sbin/useradd  -c Machine -d 
/var/lib/nobody -s /bin/false %m$

printing = cups
printcap name = cups
printcap cache time = 750
cups options =
smb ports = 139
local master = no
kernel oplocks = No
wins server = gate
name resolve order = wins host bcast
security = user
netbios aliases = homedirs

[homes]
comment = Home Directory
browseable = no
writable = yes

[printers]
comment = All Printers
browseable = no
printable = yes
public = yes
writable = no
path = /tmp
create mode = 0700
guest only = Yes
guest ok = Yes


[print$]
comment = Printer Driver Download Area
path = /etc/samba/drivers
browsable = yes
guest ok = yes
read only = yes
write list = ds



[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
write list = root ds


Thanks

Regards

Daniel


--
Daniel Spannbauer Software Entwicklung
marco Systemanalyse und Entwicklung GmbH  Tel   +49 8333 9233-27 Fax -11
Rechbergstr. 4 - 6, D 87727 Babenhausen   Mobil +49 171 4033220
http://www.marco.de/  Email d...@marco.de
Geschäftsführer Martin Reuter HRB 171775 Amtsgericht München


Re: [Samba] Password-less share, for certain users.

2009-09-03 Thread Jamrock
"Michael Heydon"  wrote in message
news:4a9f440c.4010...@jaswin.com.au...
> On 3/09/2009 11:04 AM, Jamrock wrote:
> > Try the "valid users" option in the smb.conf.  If I remember correctly, you
> > can set this to a group.  That way only the members of the group should have
> > access to the share.
> >
> > valid users = @accounts
> >
> If they connect as a guest, then there is nothing to compare against the
> valid users setting.

If they connect as guest there is no way to restrict specific users to the
share.  All users would be logged in as guest.

If they are on a network and are authenticated, they can access the share
without having to enter an additional password.

The valid users command would then restrict specific users to the share.

Another way to do this is to use the Linux security logic to restrict access
to the share.  I prefer this approach.





Re: [Samba] Simple CIFS Linux permission

2009-09-03 Thread Gary Dale

Willem P. Botha wrote:
> > Have you tried connecting as your user account and letting the force 
> > user in smb.conf do its work? When your Windows clients connect, they 
> > are using their own ids and that is working. Why are you doing it 
> > differently for Linux?
> >
> Now that is the weird thing, The windows clients are also connecting
> with the same details. There is now domain controller on this network.
> Everybody connect to a DHCP server that the Router manages, and thus I
> have a browse master war in my network, but that is another problem. 
>
> So far I can figure, the windows clients don't have the same gid's as
> Linux, and thus don't have the same problem. I am just not sure how
> windows figures that it should use the login user to save files. 

You're using username "fileserver" to connect the share on Windows?

After giving it some more thought, I still cannot figure out what you 
are trying to do. If you want to give everyone write access to the 
files, why not just set the permissions to a+rwx and forget about all 
this "force user" stuff? I suspect that turning off "guest" access and 
opening it up to anyone who can provide connection privileges will work 
better.



Re: [Samba] Simple CIFS Linux permission

2009-09-03 Thread Willem P. Botha

> Here is an example from my server:
> //192.168.254.35/projects  /mnt/engin  cifs  noperm,uid=enginuser,gid=Engineers,credentials=/root/creds  0 0
> 
> Does that help?

The param noperm seems to do the trick :D

I left the uid and gid out, and even though my permissions in my KDE
browsers is still false, it allows me to delete and copy files to the
share.. 

I guess this is the default behaviour of Windows then. 

Thanks a million Mark :D 



Re: [Samba] Simple CIFS Linux permission

2009-09-03 Thread Willem P. Botha
> Have you tried connecting as your user account and letting the force 
> user in smb.conf do its work? When your Windows clients connect, they 
> are using their own ids and that is working. Why are you doing it 
> differently for Linux?
> 
Now that is the weird thing, The windows clients are also connecting
with the same details. There is now domain controller on this network.
Everybody connect to a DHCP server that the Router manages, and thus I
have a browse master war in my network, but that is another problem. 

So far I can figure, the windows clients don't have the same gid's as
Linux, and thus don't have the same problem. I am just not sure how
windows figures that it should use the login user to save files. 



Re: [Samba] Vista + samba 3.4 member server problem (solved)

2009-09-03 Thread Hannu Tikka
I noticed that Vista uses AES encryption by default (which XP doesn't use).
Found an article: http://pronichkin.com/blog/Lists/Posts/Post.aspx?ID=15
and changed the Vista encryption method. Vista can now connect to the
member server.

I tried both mit (1.41) and heimdal (1.21) kerberos and I thought they can
do AES but somehow it didn't work. Operating system is 64 bit opensuse
10.1

> Hi!
>
> I have samba4 domain controller + samba 3.4 member server.
> On XP login to domain and connection to member server works ok.
> Vista can login to domain but can't get connected to member server.
>

regards
Hannu





Re: [Samba] Samba 3.3.7 -> smbd panic in printing.

2009-09-03 Thread Clément VÉRET
Same problem with Samba 3.3.6 and 3.3.5 :(

The backtrace is shorter but the result is still here : I cannot
properly install or print through my samba server. Could it be a
problem at compilation time (no error reported) ? I'm rebuilding from
source rpm provided by sernet.

On 1 September 2009 12:20, Clément VERET wrote:
> Hi everyone,
>
> Recently upgraded to 3.3.7 on a test server (can do everything on it
> if you need to test something like patch, configuration options,
> etc…), and got big problems with printing very similar to
> http://www.mail-archive.com/samba@lists.samba.org/msg97841.html
> signaled for version 3.2.6
>
> I'm on CentOS 5.3 recently updated (with sernet packages) and I
> checked that I have the correct patch (included in the 3.3.0 release
> if I'm right…) with the close_all_print_db(); (in file
> source/printing/print_cups.c).
>
> But it still doesn't work. On the official CentOS version 3.0.33, I
> installed my printers without any troubles, upgrade to 3.3.7 and then
> can't print anymore (losing configurations, etc…). Tried on a fresh
> install with 3.3.7 -> same result…
>
> Here is the panic part :
>
> $ cat po-7678.log
> [2009/09/01 12:12:38,  0] smbd/service.c:make_connection(1288)
>  po-7678 (10.92.20.115) couldn't find service
> ::{2227a280-3aea-1069-a2de-08002b30309d}
> [2009/09/01 12:12:48,  1] smbd/service.c:make_connection_snum(1115)
>  po-7678 (10.92.20.115) connect to service print$ initially as user
> nobody (uid=99, gid=99) (pid 1030)
> [2009/09/01 12:12:57,  0] smbd/nttrans.c:call_nt_transact_ioctl(1989)
>  call_nt_transact_ioctl(0x90100): Currently not implemented.
> [2009/09/01 12:12:59,  1] smbd/service.c:make_connection_snum(1115)
>  po-7678 (10.92.20.115) connect to service print$ initially as user
> nobody (uid=99, gid=99) (pid 1030)
> [2009/09/01 12:12:59,  1] smbd/service.c:close_cnum(1327)
>  po-7678 (10.92.20.115) closed connection to service print$
> [2009/09/01 12:12:59,  1] smbd/service.c:make_connection_snum(1115)
>  po-7678 (10.92.20.115) connect to service print$ initially as user
> nobody (uid=99, gid=99) (pid 1030)
> [2009/09/01 12:12:59,  1] smbd/service.c:close_cnum(1327)
>  po-7678 (10.92.20.115) closed connection to service print$
> [2009/09/01 12:12:59,  0] lib/debug.c:reopen_logs(663)
>  Unable to open new log file /var/log/samba/po-7678.log: Permission denied
> [2009/09/01 12:12:59,  0] lib/util_tdb.c:tdb_wrap_log(886)
>  tdb(/var/lib/samba/notify.tdb): tdb_reopen: open failed (Permission denied)
> [2009/09/01 12:12:59,  0] lib/util.c:reinit_after_fork(1054)
>  tdb_reopen_all failed.
> [2009/09/01 12:12:59,  0] printing/print_cups.c:cups_pcap_load_async(432)
>  cups_pcap_load_async: reinit_after_fork() failed
> [2009/09/01 12:12:59,  0] lib/util.c:smb_panic(1673)
>  PANIC (pid 1117): cups_pcap_load_async: reinit_after_fork() failed
> [2009/09/01 12:12:59,  0] lib/util.c:log_stack_trace(1777)
> [2009/09/01 12:12:59,  0] lib/debug.c:reopen_logs(663)
>  BACKTRACE: 22 stack frames:
>  Unable to open new log file /var/log/samba/po-7678.log: Permission denied
>   #0 smbd(log_stack_trace+0x1a) [0x2b8c7813d620]
> [2009/09/01 12:12:59,  0] lib/debug.c:reopen_logs(663)
>   #1 smbd(smb_panic+0x5b) [0x2b8c7813d730]
>  Unable to open new log file /var/log/samba/po-7678.log: Permission denied
> [2009/09/01 12:12:59,  0] lib/debug.c:reopen_logs(663)
>   #2 smbd(cups_cache_reload+0x27c) [0x2b8c78103e14]
>  Unable to open new log file /var/log/samba/po-7678.log: Permission denied
>   #3 smbd(pcap_cache_reload+0x109) [0x2b8c781007b5]
> [2009/09/01 12:12:59,  0] lib/debug.c:reopen_logs(663)
>   #4 smbd(reload_printers+0x25) [0x2b8c78353dfc]
>  Unable to open new log file /var/log/samba/po-7678.log: Permission denied
>   #5 smbd(reload_services+0x154) [0x2b8c78354043]
> [2009/09/01 12:12:59,  0] lib/debug.c:reopen_logs(663)
>   #6 smbd(add_printer_hook+0x24d) [0x2b8c7807ed34]
>  Unable to open new log file /var/log/samba/po-7678.log: Permission denied
>   #7 smbd(_spoolss_addprinterex+0x205) [0x2b8c78088e2c]
>   #8 smbd [0x2b8c78073c95]
>   #9 smbd(api_pipe_request+0x42a) [0x2b8c780af529]
>   #10 smbd [0x2b8c780aa9ac]
>   #11 smbd(write_to_internal_pipe+0x7cc) [0x2b8c780ab7b6]
>   #12 smbd(write_to_pipe+0x135) [0x2b8c780ab9fe]
>   #13 smbd [0x2b8c77f13005]
>   #14 smbd [0x2b8c77f13695]
>   #15 smbd(reply_trans+0x72e) [0x2b8c77f14327]
>   #16 smbd [0x2b8c77f6bff2]
>   #17 smbd [0x2b8c77f6cfab]
>   #18 smbd(smbd_process+0xc23) [0x2b8c77f6dc89]
>   #19 smbd(main+0x2135) [0x2b8c78356679]
>   #20 /lib64/libc.so.6(__libc_start_main+0xf4) [0x2b8c7b1c7974]
>   #21 smbd [0x2b8c77ef8b59]
> [2009/09/01 12:13:00,  0] lib/fault.c:dump_core(231)
>  dumping core in /var/log/samba/cores/smbd
>
> Any ideas on what's wrong ?
>
> Regards.
> --
> Clément Véret
>



-- 
Clément Véret
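
An added example, not part of the original messages: a small parser for the Samba 3.x log format quoted above that pulls out the run of level-0 errors leading up to the PANIC and the files the forked child was denied access to. The function names are this example's own; the sample records are copied from the quoted log.

```python
import re

# Samba 3.x record: "[date time, level] file:function(line)", then message lines.
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\]\s+"
                    r"(?P<src>[\w./-]+):(?P<func>\w+)\((?P<line>\d+)\)$")
PATH = re.compile(r"/[\w./-]+")

# Records copied from the log quoted in the message above, quote markers kept.
SAMPLE_LOG = """\
> [2009/09/01 12:12:59,  1] smbd/service.c:close_cnum(1327)
>  po-7678 (10.92.20.115) closed connection to service print$
> [2009/09/01 12:12:59,  0] lib/debug.c:reopen_logs(663)
>  Unable to open new log file /var/log/samba/po-7678.log: Permission denied
> [2009/09/01 12:12:59,  0] lib/util_tdb.c:tdb_wrap_log(886)
>  tdb(/var/lib/samba/notify.tdb): tdb_reopen: open failed (Permission denied)
> [2009/09/01 12:12:59,  0] lib/util.c:reinit_after_fork(1054)
>  tdb_reopen_all failed.
> [2009/09/01 12:12:59,  0] printing/print_cups.c:cups_pcap_load_async(432)
>  cups_pcap_load_async: reinit_after_fork() failed
> [2009/09/01 12:12:59,  0] lib/util.c:smb_panic(1673)
>  PANIC (pid 1117): cups_pcap_load_async: reinit_after_fork() failed
"""

def parse_records(text):
    """Pair each header with its message lines; '>' mail quoting is stripped."""
    records = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "level": int(m["level"]), "msg": ""})
        elif records and line:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def panic_chain(records):
    """Level-0 records that run up to, but exclude, the first PANIC record."""
    for i, rec in enumerate(records):
        if rec["msg"].startswith("PANIC"):
            j = i
            while j > 0 and records[j - 1]["level"] == 0:
                j -= 1
            return records[j:i]
    return []

def denied_paths(records):
    """Paths named in 'Permission denied' messages, in order, no repeats."""
    hits = [PATH.search(r["msg"]) for r in records if "Permission denied" in r["msg"]]
    return list(dict.fromkeys(m.group() for m in hits if m))
```

Records written by two processes at once, as in the backtrace part of the quoted log, interleave and should be separated by pid before parsing.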