Re: [Samba] joining 2008 DC
Note that you are trying to do the opposite: adding Windows to a Samba PDC, not Samba to a 2008 AD. Nevertheless, I successfully added a Windows 2008 server to my Samba P.D.C. by doing the same steps as for Windows 7. See http://wiki.samba.org/index.php/Windows7

On 1-7-2010 20:30, Indexer wrote:
> On 02/07/2010, at 3:34 AM, Nick Couchman wrote:
>> We have several Samba systems of varying versions joined to our Windows Server 2008 Active Directory domain. I don't recall having to do anything special to get it working.
>
> That is interesting, as I have just been tearing out my hair for a few hours attempting to get a server 2008 system to join the samba PDC. What version of samba are you using?
>
> William

--
Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Default Hidden Disk Shares
Interesting to see you say it's dangerous. The way the Windows version works is that you have to be part of the Administrator group to be able to see them, which I would have thought secure enough?

Who would I contact to request this as a feature enhancement?

Thanks, Rob.

-----Original Message-----
From: Jeremy Allison [mailto:j...@samba.org]
Sent: 01 July 2010 19:31
To: Atkinson, Robert
Cc: samba@lists.samba.org
Subject: Re: [Samba] Default Hidden Disk Shares

On Thu, Jul 01, 2010 at 02:01:22PM +0100, Atkinson, Robert wrote:
> Windows automatically creates an Admin level disk share as \\server\volume$. Can anyone tell me if Samba automatically does the same without having to define these in SMB.CONF?

No, sorry. That would be rather dangerous IMHO. You can easily define these yourself if you need them and export the root of the filesystem.

Jeremy.
Re: [Samba] Default Hidden Disk Shares
Have a look at expandrive and use ssh... Exposing the root dir via samba isn't a feature the community would support
Re: [Samba] Default Hidden Disk Shares
OK, thanks Steve - one can only try :-)

Robert.
[Samba] Synchronisation using LDAP
Hello All,

I am trying to set up a sync between google apps professional and samba4; we are currently in the phase of using samba4 instead of our current windows 2008 AD. However, I can't seem to browse the internal LDAP server. I am using the alpha12. Whenever I try to connect, I receive "no such attribute". Please advise on how to connect properly.

--
Jorijn Schrijvershof
Re: [Samba] Synchronisation using LDAP
SNIP

> I am trying to set up a sync between google apps professional and samba4; we are currently in the phase of using samba4 instead of our current windows 2008 AD. However, I can't seem to browse the internal LDAP server.

I use yee olde reliable LDAP browser and connect the same way I do to M$.

IP Addy:
Base DN: DC=mydomain,DC=extension
User DN: CN=Administrator,CN=Users (append base DN).

Do note that for M$ and for Samba4 the caps ARE necessary.

Cheers,

> I am using the alpha12. Whenever I try to connect, I receive "no such attribute". Please advise on how to connect properly.
> --
> Jorijn Schrijvershof
[Samba] Fail to join a Windows 2008 R2 to a Samba+LDAP PDC version 3.5.4
Hi there, this is my config: I have a CentOS 5.3 x86_64, fully updated, with Xen enabled and with Samba 3.5.4 sernet RPMs. I have a virtual machine running Windows 2008 R2 Foundation, fully virtualized, on the same machine. When I tried to join the Windows 2008 to the domain I got this message:

The following error ocurred attempting to join the domain MYDOMAIN: A device attached to the system is not functioning.

The Windows 2008 registry was modified to be able to join the domain as recommended on the internet:

HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters
    DWORD DomainCompatibilityMode = 1
    DWORD DNSNameResolutionRequired = 0
HKLM\System\CurrentControlSet\Services\Netlogon\Parameters
    DWORD RequireSignOrSeal = 0
    DWORD RequireStrongKey = 0

This is my config:

smb.conf

[global]
    unix charset = ISO8859-1
    workgroup = MYDOMAIN
    netbios name = pdc
    passdb backend = ldapsam:ldap://127.0.0.1
    username map = /etc/samba/smbusers
    log level = 10
    log file = /var/log/samba/%m.log
    max log size = 50
    name resolve order = hosts lmhost wins bcast
    wins support = yes
    time server = Yes
    show add printer wizard = No
    add user script = /usr/sbin/smbldap-useradd -a -m %u
    delete user script = /usr/sbin/smbldap-userdel -r %u
    add group script = /usr/sbin/smbldap-groupadd -p %g
    delete group script = /usr/sbin/smbldap-groupdel %g
    add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
    delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
    set primary group script = /usr/sbin/smbldap-usermod -g %g %u
    add machine script = /usr/sbin/smbldap-useradd -w -i %u
    passwd program = /usr/sbin/smbldap-passwd %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
    ldap password sync = Yes
    enable privileges = Yes
    logon script = %U.bat OR netlogon.bat
    logon path = \\%L\profiles\%U
    logon drive = H:
    domain logons = Yes
    preferred master = Yes
    domain master = Yes
    ldap admin dn = cn=Administrador,dc=mydomain,dc=local
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap machine suffix = ou=Computers
    ldap passwd sync = Yes
    ldap suffix = dc=mydomain,dc=local
    ldap user suffix = ou=Users
    ldap ssl = off
    idmap backend = ldap:ldap://127.0.0.1
    idmap uid = 1-2
    idmap gid = 1-2
    printer admin = Administrador
    map acl inherit = Yes
    printing = cups
    printcap name = CUPS

[homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No

[netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    guest ok = Yes
    locking = No

[profiles]
    comment = Network Profiles Share
    path = /var/lib/samba/profiles
    read only = No
    profile acls = Yes
    create mode = 0600
    directory mode = 0700
    writable = yes
    browseable = No
    store dos attributes = Yes

slapd.conf

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba3.schema
include /etc/openldap/schema/dyngroup.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath /usr/lib64/openldap

# Modules available in openldap-servers-overlays RPM package
# Module syncprov.la is now statically linked with slapd and there
# is no need to load it here
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload smbk5pwd.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# modules available in openldap-servers-sql RPM package:
# moduleload back_sql.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running make slapd.pem, and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

# Sample security restrictions
#Require integrity protection (prevent hijacking)
#Require 112-bit (3DES or better) encryption for updates
#
[Samba] WG: Synchronisation using LDAP
Hello,

Try with ldapadmin (sourceforge). Point your configuration to yoursambaldapserver.

Port: 389
Version 3
Example: Base: CN=Configuration,DC=yourads,DC=yourads
Drop in your username and password.

This is working for me.

---
EDV Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
Re: [Samba] Fail to join a Windows 2008 R2 to a Samba+LDAP PDC version3.5.4
SNIP

> Hi there, this is my config: I have a CentOS 5.3 x86_64, fully updated, with Xen enabled and with Samba 3.5.4 sernet RPMs. I have a virtual machine running Windows 2008 R2 Foundation, fully virtualized, on the same machine. When I tried to join the Windows 2008 to the domain I got this message: The following error ocurred attempting to join the domain MYDOMAIN: A device attached to the system is not functioning.

I have that error as well. To the best of my knowledge it is happening because smbldap tools are calling smbpasswd right after the ldap add of the machine, however, some nss dependent service is using a cached copy of ldap which does not contain the new machine entry. If you simply rejoin the domain after you receive the error, things should work fine.

Cheers,
TMS III
Re: [Samba] Synchronisation using LDAP
Hi,

Thanks for replying. Although I tried several ways to connect, it still gives me the "no such attribute". Is there a way to test the connection from localhost to check database integrity?

Jorijn

--
Jorijn Schrijvershof
T: +31 (0)61481
W: http://jorijn.com/
E: jor...@jorijn.com
[Samba] check_reduced_name
Hi,

I've installed a new samba server (3.4.7) with LDAP and some users are having problems accessing their folders. The error is shown below.

[2010/07/02 09:17:14, 1] smbd/vfs.c:932(check_reduced_name)
  reduce_name: couldn't get realpath for bkp/*

It occurs randomly. Every time the machine comes up, some users get this error and others start having access again. Does anybody have a hint what could be done?

Thanks,
Renato Mendes
Re: [Samba] Fail to join a Windows 2008 R2 to a Samba+LDAP PDC version3.5.4
The weird thing is that I tried that too, but I receive this error:

The following error occurred attempting to join the domain MYDOMAIN: The specified account already exists.

I had to delete the LDAP workstation account every time that I tried a solution. So far I have seen the problem that you mention on the internet, but on CentOS apparently there is no workaround for this nss caching thing.

The possible workarounds that I imagine are editing smbldap-useradd so that the workstation option does not exit if the workstation account exists (I do not know much Perl). Or the easy one: once the workstation account is created in the LDAP directory, disable the add machine script and restart the samba service, and then go back to the Windows 2008 joining process. Once the Windows 2008 is in the domain, enable the add machine script option and restart again. The ugly thing is that there are several Windows 7 workstations on the network.

How can I solve that nss error?

Thanks for your help,
German
Re: [Samba] Samba as a Client Accessing Windows 2008 Roaming Profiles
I guess I've always known this, but I suppose you can't have Linux synchronize profiles like Windows does simply because X.org and the other systems don't really work together to log off a user like Windows does (and automatically synchronize their profile back to the server).

Anyways, now that I've had my epiphany about how that all really works, why use NFS? Why not just use CIFS? I mean, it would be a lot easier because then there wouldn't be any username/access/permissions hell. I realize NFS may be more stable/reliable in theory, but CIFS seems like such an easier solution considering it would be storing everything using the same credentials for the Kerberos login.

One thing that does concern me about CIFS - and this is likely why you stated I should use NFS - is sockets/symlinks may not play nicely with CIFS? Or is that a myth nowadays?

Thanks,
Nick Betcher, CPhT
Certified Pharmacy Technician

On Wed, Jun 30, 2010 at 11:59 PM, t...@tms3.com wrote:
>> Any suggestions (beyond scrap it all and start over with the proper solution) are greatly appreciated.
>
> Openfiler (http://www.openfiler.com/ Linux based) or FreeNAS (http://sourceforge.net/projects/freenas/ FreeBSD based) as an NFS server. You should be able to use pam_winbind winbind AD domain joining and idmaping to manage ID's across the Linux WS's and the NAS. Have the Linux WS's mount the /home (or whatever you're using for the *nix users) directory as an NFS share from the NAS.
>
> Cheers,
> TMS III
>
>> Thanks,
>> Nick Betcher, CPhT
>> Certified Pharmacy Technician
Re: [Samba] Samba3 to samba4 migration
Hi,

I carried out the following test: I created a domain in S4 with the same SID and NETBIOS NAME as the S3. Then I created some users in the S4 domain and changed them to have the same SID as in S3. With this, simply remove the machine from the domain S3 and S4 in the field include again (did this through a script) and the user logged and kept his profile on the windows.

I released the script as the domain logonscript of S3. So all that connected to the S3 domain was moved to S4 automatically.

Would this be an acceptable way? What problems might happen?

Ps.: It's easy to make a script that takes data from S3 to the S4 (I use OpenLDAP with S3).

The S4 is getting very good!

Thanks for all.
Luciano A. Baramarchi

On 30/06/2010, at 19:00, Indexer wrote:
> Hi, We are in the same situation with large user/group/machine set needed to be ported to the new s4 world. The only solution I can see at the moment would be to dump the contents of the appropriate LDAP sections (it being users/group/machines/etc) into ldif(s) in a format acceptable by s4 and then add them using ldbadd (and possibly sync using ldbmodify later on). Would it be worthwhile to add yet another net cmd utility to allow importing stuff from existing LDAP infrastructure (maybe conceptually similar to existing vampire cmd)?
>
> Slightly off topic, but is Samba4 planning to support openLDAP as a backend, potentially, able to convert a live running samba3 PDC with OpenLDAP to samba4 with no change (for the negative) to users or machines etc? I am just finishing deploying samba3 as a PDC with OpenLDAP, but the organisation I am doing this for wants to keep OpenLDAP in long term use, with hopefully no disruptions to the Users. The ability to upgrade to samba4 on top of this would be exactly something that we have in mind (hopefully!)
>
> Thank you for all your continued work, it is greatly appreciated and keeps me running one less heater i mean windows server.
>
> William
Re: [Samba] Default Hidden Disk Shares
On Fri, Jul 02, 2010 at 09:05:52AM +0100, Atkinson, Robert wrote:
> Interesting to see you say it's dangerous. The way the Windows version works is that you have to be part of the Administrator group to be able to see them, which I would have thought secure enough?

Sure, we could make it a root-only export. The problem is, if we have a security issue (and these have been known to happen from time to time), you've exported your entire filesystem out *without a way to turn it off*. That's the problem with doing it by default.

> Who would I contact to request this as a feature enhancement?

Just add the relevant share to your smb.conf files.

Jeremy.
Re: [Samba] Default Hidden Disk Shares
99.9% of sys admins will not want this enabled by default so there is no good purpose forcing that on the rest of the userbase.

Just add the relevant share to your smb.conf files.

I agree. It will take less than 5 minutes to do that.

John
Re: [Samba] Default Hidden Disk Shares
On Fri, Jul 2, 2010 at 2:05 AM, Atkinson, Robert ratkin...@tbs-ltd.co.uk wrote:

Interesting to see you say it's dangerous. The way the Windows version works is that you have to be part of the Administrator group to be able to see them, which I would have thought secure enough?

This is not true, the share is advertised to anyone who asks. The Windows client only hides shares that end with a '$'. By default Windows gives access only to administrators (by default), but they are by no means hidden.

Robert LeBlanc
Life Sciences Undergraduate Education Computer Support
Brigham Young University
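An added example, not code from any post in this thread or from the Samba project: a small Python check that reads smb.conf text and reports shares that export the filesystem root or rely on a '$' name, noting whether each one is access-restricted, still advertised to browsing clients, or switched off with "available = no". The sample configuration, the share names and the finding codes are constructed for illustration.

```python
"""Audit smb.conf text for admin-style shares (constructed example)."""
import re

TRUE = {"yes", "true", "on", "1"}
SPECIAL = {"global", "homes", "printers"}
# Parameter synonyms, after lower-casing and removing spaces from the name.
SYNONYMS = {"browsable": "browseable", "public": "guestok", "directory": "path"}

# Constructed sample input, not taken from the thread.
SAMPLE = """
[global]
   workgroup = MYDOMAIN
[c$]
   comment = constructed: Windows-style export of /
   path = /
   read only = no
[root$]
   path = /
   browseable = no
   valid users = @wheel
   guest ok = no
[old$]
   path = /
   available = no
[profiles]
   path = /var/lib/samba/profiles
"""


def parse_smb_conf(text):
    """Return {section: {param: value}}; handles comments and '\\' continuations."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", "", key).lower()
            current[SYNONYMS.get(key, key)] = value.strip()
    return sections


def is_true(value, default):
    """Interpret an smb.conf boolean, falling back to the parameter's default."""
    return default if value is None else value.strip().lower() in TRUE


def audit_shares(text):
    """Return {share: [finding codes]} for shares that export '/' or end in '$'."""
    conf = parse_smb_conf(text)
    defaults = conf.get("global", {})
    report = {}
    for name, params in conf.items():
        if name in SPECIAL:
            continue

        def get(key, params=params):
            # Share-level value first, then the [global] default.
            return params.get(key, defaults.get(key))

        path = get("path") or ""
        exports_root = path.startswith("/") and path.rstrip("/") == ""
        if not (exports_root or name.endswith("$")):
            continue
        if not is_true(get("available"), default=True):
            continue  # share is switched off, so nothing is exported
        findings = []
        if exports_root:
            findings.append("ROOT_EXPORT")
        if is_true(get("guestok"), default=False):
            findings.append("GUEST_OK")
        if not get("validusers"):
            findings.append("NO_VALID_USERS")
        # The '$' suffix is only honoured by the Windows client's share list;
        # the server still advertises the share unless browseable = no.
        if name.endswith("$") and is_true(get("browseable"), default=True):
            findings.append("ADVERTISED")
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for share, codes in audit_shares(SAMPLE).items():
        print(f"[{share}] {', '.join(codes)}")
```

Because the share is defined explicitly, setting "available = no" on it and reloading the configuration is the off switch that a built-in default export would lack.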
Re: [Samba] Fail to join a Windows 2008 R2 to a Samba+LDAP PDC version 3.5.4
I found the error:

smb.conf

add machine script = /usr/sbin/smbldap-useradd -w -i %u

I changed to

add machine script = /usr/sbin/smbldap-useradd -w %u

smbldap-useradd -i option is made for trust accounts

German

German Molano wrote:

The weird thing is this I tried that too ... but I receive this error:

The following error occurred attempting to join the domain MYDOMAIN: The specified account already exists.

I had to delete the LDAP Workstation account every time that I tried a solution. To this time I see that problem that you mention on the internet but on Centos apparently there is not a workaround to this nss caching thing.

The possible workarounds that I imagine is editing smbldap-useradd, on the workstation option including to do not exit if the workstation account exists (I do not know too much Perl). Or the easy one, once is created the workstation account on ldap directory, disable the add machine script and restart samba service. and then back again the Windows 2008 joining process. Once the Windows 2008 is in the domain, enable the add machine script option and restart again.

The ugly thing is that there are several Windows 7 workstations on the network. How I can solve that nss error?

Thanks for your help

German

t...@tms3.com wrote:

SNIP

Hi there, this is my config, I have a CentOS 5.3 x86_64 full updated with Xen enabled with Samba 3.5.4 sernet RPMs. I have a virtual machine running Windows 2008 R2 Foundation running full virtualized on the same machine. When I tried to join the Windows 2008 to the domain I get this message:

The following error occurred attempting to join the domain MYDOMAIN: A device attached to the system is not functioning.

I have that error as well. To the best of my knowledge it is happening because smbldap tools are calling smbpasswd right after the ldap add of the machine, however, some nss dependent service is using a cached copy of ldap which does not contain the new machine entry. If you simply rejoin the domain after you receive the error, things should work fine.

Cheers, TMS III

The Windows 2008 registry was modified to be able to join the domain as recommended on internet:

HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters
    DWORD DomainCompatibilityMode = 1
    DWORD DNSNameResolutionRequired = 0
HKLM\System\CurrentControlSet\Services\Netlogon\Parameters
    DWORD RequireSignOrSeal = 0
    DWORD RequireStrongKey = 0

This is my config:

smb.conf

[global]
   unix charset = ISO8859-1
   workgroup = MYDOMAIN
   netbios name = pdc
   passdb backend = ldapsam:ldap://127.0.0.1
   username map = /etc/samba/smbusers
   log level = 10
   log file = /var/log/samba/%m.log
   max log size = 50
   name resolve order = hosts lmhost wins bcast
   wins support = yes
   time server = Yes
   show add printer wizard = No
   add user script = /usr/sbin/smbldap-useradd -a -m %u
   delete user script = /usr/sbin/smbldap-userdel -r %u
   add group script = /usr/sbin/smbldap-groupadd -p %g
   delete group script = /usr/sbin/smbldap-groupdel %g
   add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
   delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
   set primary group script = /usr/sbin/smbldap-usermod -g %g %u
   add machine script = /usr/sbin/smbldap-useradd -w -i %u
   passwd program = /usr/sbin/smbldap-passwd %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
   ldap password sync = Yes
   enable privileges = Yes
   logon script = %U.bat OR netlogon.bat
   logon path = \\%L\profiles\%U
   logon drive = H:
   domain logons = Yes
   preferred master = Yes
   domain master = Yes
   ldap admin dn = cn=Administrador,dc=mydomain,dc=local
   ldap group suffix = ou=Groups
   ldap idmap suffix = ou=Idmap
   ldap machine suffix = ou=Computers
   ldap passwd sync = Yes
   ldap suffix = dc=mydomain,dc=local
   ldap user suffix = ou=Users
   ldap ssl = off
   idmap backend = ldap:ldap://127.0.0.1
   idmap uid = 1-2
   idmap gid = 1-2
   printer admin = Administrador
   map acl inherit = Yes
   printing = cups
   printcap name = CUPS

[homes]
   comment = Home Directories
   valid users = %S
   read only = No
   browseable = No

[netlogon]
   comment = Network Logon Service
   path = /var/lib/samba/netlogon
   guest ok = Yes
   locking = No

[profiles]
   comment = Network Profiles Share
   path = /var/lib/samba/profiles
   read only = No
   profile acls = Yes
   create mode = 0600
   directory mode = 0700
   writable = yes
   browseable = No
   store dos attributes = Yes

slapd.conf

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
Re: [Samba] Default Hidden Disk Shares
I think I missed part of the conversation, but what would be the purpose of this feature? (I am not even sure why Windows does this.)

On 07/02/2010 02:15 PM, Robert LeBlanc wrote:

On Fri, Jul 2, 2010 at 2:05 AM, Atkinson, Robert ratkin...@tbs-ltd.co.uk wrote:

Interesting to see you say it's dangerous. The way the Windows version works is that you have to be part of the Administrator group to be able to see them, which I would have thought secure enough?

This is not true, the share is advertised to anyone who asks. The Windows client only hides shares that end with a '$'. By default Windows gives access only to administrators (by default), but they are by no means hidden.

Robert LeBlanc
Life Sciences Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] Fail to join a Windows 2008 R2 to a Samba+LDAP PDC version 3.5.4
I found the error already and I solve it but now I have another issue:

Once the Windows 2008 R2 Foundation join the domain shows me this message:

**The server did not finish checking the license compliance. If the server is joined to a domain, make sure that the server can connect to a domain controller. If the license compliant check cannot be completed, the server will automatically shut down in 0 hour(s) 30 minute(s).**

**Classical licensing crap ... but the PDC did not have any user created, I think that the Windows 2008 expect to search a AD server, counts the users created and if meets the limitations do not kill itself ... There is any option to work around this ... **

German

t...@tms3.com wrote:

SNIP

Hi there, this is my config, I have a CentOS 5.3 x86_64 full updated with Xen enabled with Samba 3.5.4 sernet RPMs. I have a virtual machine running Windows 2008 R2 Foundation running full virtualized on the same machine. When I tried to join the Windows 2008 to the domain I get this message:

The following error occurred attempting to join the domain MYDOMAIN: A device attached to the system is not functioning.

I have that error as well. To the best of my knowledge it is happening because smbldap tools are calling smbpasswd right after the ldap add of the machine, however, some nss dependent service is using a cached copy of ldap which does not contain the new machine entry. If you simply rejoin the domain after you receive the error, things should work fine.

Cheers, TMS III

The Windows 2008 registry was modified to be able to join the domain as recommended on internet:

HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters
    DWORD DomainCompatibilityMode = 1
    DWORD DNSNameResolutionRequired = 0
HKLM\System\CurrentControlSet\Services\Netlogon\Parameters
    DWORD RequireSignOrSeal = 0
    DWORD RequireStrongKey = 0

This is my config:

smb.conf

[global]
   unix charset = ISO8859-1
   workgroup = MYDOMAIN
   netbios name = pdc
   passdb backend = ldapsam:ldap://127.0.0.1
   username map = /etc/samba/smbusers
   log level = 10
   log file = /var/log/samba/%m.log
   max log size = 50
   name resolve order = hosts lmhost wins bcast
   wins support = yes
   time server = Yes
   show add printer wizard = No
   add user script = /usr/sbin/smbldap-useradd -a -m %u
   delete user script = /usr/sbin/smbldap-userdel -r %u
   add group script = /usr/sbin/smbldap-groupadd -p %g
   delete group script = /usr/sbin/smbldap-groupdel %g
   add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
   delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
   set primary group script = /usr/sbin/smbldap-usermod -g %g %u
   add machine script = /usr/sbin/smbldap-useradd -w -i %u
   passwd program = /usr/sbin/smbldap-passwd %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
   ldap password sync = Yes
   enable privileges = Yes
   logon script = %U.bat OR netlogon.bat
   logon path = \\%L\profiles\%U
   logon drive = H:
   domain logons = Yes
   preferred master = Yes
   domain master = Yes
   ldap admin dn = cn=Administrador,dc=mydomain,dc=local
   ldap group suffix = ou=Groups
   ldap idmap suffix = ou=Idmap
   ldap machine suffix = ou=Computers
   ldap passwd sync = Yes
   ldap suffix = dc=mydomain,dc=local
   ldap user suffix = ou=Users
   ldap ssl = off
   idmap backend = ldap:ldap://127.0.0.1
   idmap uid = 1-2
   idmap gid = 1-2
   printer admin = Administrador
   map acl inherit = Yes
   printing = cups
   printcap name = CUPS

[homes]
   comment = Home Directories
   valid users = %S
   read only = No
   browseable = No

[netlogon]
   comment = Network Logon Service
   path = /var/lib/samba/netlogon
   guest ok = Yes
   locking = No

[profiles]
   comment = Network Profiles Share
   path = /var/lib/samba/profiles
   read only = No
   profile acls = Yes
   create mode = 0600
   directory mode = 0700
   writable = yes
   browseable = No
   store dos attributes = Yes

slapd.conf

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba3.schema
include /etc/openldap/schema/dyngroup.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile
Re: [Samba] Default Hidden Disk Shares
Sharing of complete$ drives may no longer be a default in WinVista / 2008. Some of the other$ shares such as IPC$ and ADMIN$ may be needed to manage your Linux shares remotely using windows compmgmt.msc and remote registry.

http://book.opensourceproject.org.cn/sysadmin/samba/sambao3rd/opensource/0596007698/samba3-chp-9-sect-7.html

On 7/2/10, Gaiseric Vandal gaiseric.van...@gmail.com wrote:

I think I missed part of the conversation, but what would be the purpose of this feature? (I am not even sure why Windows does this.)

On 07/02/2010 02:15 PM, Robert LeBlanc wrote:

On Fri, Jul 2, 2010 at 2:05 AM, Atkinson, Robert ratkin...@tbs-ltd.co.uk wrote:

Interesting to see you say it's dangerous. The way the Windows version works is that you have to be part of the Administrator group to be able to see them, which I would have thought secure enough?

This is not true, the share is advertised to anyone who asks. The Windows client only hides shares that end with a '$'. By default Windows gives access only to administrators (by default), but they are by no means hidden.

Robert LeBlanc
Life Sciences Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] Long delays when launching programs for the first time in my Windows 7 Profile (Samba 3.4.3 as PDC)
*SOLVED*

Hello TMSIII, hello all

Thank you all for all your help and advice that you provided me! I did analyze with sysinternals process related tools and saw that the system does absolutely nothing suspicious in the long freeze-times. Everything seemed just idle and waiting for nothing.

maybe some antivirus interaction? Will check with sysinternals but assume no, because of the locally-is-everything-fine thing.

This was the hint that led me directly to the problem. Although I had the same thought as TMSIII (can't be any software's fault, since it locally-everything-is-fine), I took the idea of TMSIII and tried it out and deactivated the antivirus/firewall tool (Kaspersky Internet Security (KIS) 2010). Result: Everything worked like a charm! So the problem was the antivirus/firewall suite and not Samba, DNS or any other network daemon.

Kaspersky support guided me to a setting in the firewall of KIS (set local network from local network to trusted network). Since then all programs start quickly as they should, even in the roaming profiles. For some reason this setting never affected local profiles but only roaming profiles. I do not know why.

I did not try it out yet, but I expect that the very long creation times for new profiles has exactly the same cause, as the very long startup of first-time-launches of software. So I assume that this problem is gone now, too.

So finally it was indeed a problem which had nothing at all to do with Samba, but only with general networking and firewalling.

Thank you all!

Best regards
Tom

From: t...@tms3.com [mailto:t...@tms3.com]
Sent: Thursday, 1 July 2010 00:16
To: Linda W
Cc: Tom H. Lautenbacher; samba@lists.samba.org
Subject: [?? Probable Spam] Re: [Samba] Long delays when launching programs for the first time in my Windows 7 Profile (Samba 3.4.3 as PDC)

Well -- not exactly -- I have almost the same symptom -- but on logout -- it takes up to 45 minutes for my Win7 profile to be copied to my PDC. But I've tried Samba 3.5.2, 3.5.3 and 3.5.3.

Hey...that's something to try. Try the latest released version and see if you have the same symptoms/problems!

I've not had these problems. (I don't call it a problem if someone with a 10GB profile has slow login logout times...anywho). But I typically place profiles on a mount that does not have ACL's turned on. More recently on ZFS volumes. Be interesting to see network traffic.

TMS III

But I am using both a Win7-64 and WinXP client to log into my PDC and generate continuous havoc. Just wait until you try using winbind to authenticate security on your linux PDC! Ha! Warning -- keep a rescue disk around in case you get locked out of your system! ;^]

On top of roaming profiles, I used the group policy client to create roaming profiles for all clients -- even if they were not part of the domain! (this was when I was having problems joining my computers to the domain reliably).

Anyway -- I have long logins on Win7 (~ 4-5 minutes, vs. about 20 seconds on XP). Where I get the real long pauses are on logout -- I've seen it finish after 45 minutes one time -- the clients are communicating to the PDC but at speeds usually 100K/s. I know that it is not likely to be samba's fault in regards to the speed, since I get *up to* 100MB read/write to samba during benchmark testing.

maybe some antivirus interaction? Will check with sysinternals but assume no, because of the locally-is-everything-fine thing.

the login/logouts -- read about them on MS's website...look up under profile loading ... it talks about how multi-gig profiles will really slow down first time loading.

As I wrote, I am having the problem with FRESH CREATED profiles, which are just a few kilobytes of size!

--- Ok -- that's just weird. No argument!

If you think it is a network problem, use wireshark -- it will let you observe the network traffic. (google it) it's also free.

Thank you Linda.

You need to become familiar with all these diagnostic tools (that and get yourself a procmail email filter so you can filter out all the garbage from all the email groups you have to subscribe to to just keep things working!)...

Do you know a good windows-alternative to procmail? Isn't the new outlook 2010 able to group emails into threads?

You can run all the linux utils -- including procmail under cygwin on windows. I missed all the linux utils so much -- I installed cygwin on windows 7 years ago and haven't done without it since! You can even run a local IMAP server on your windows box -- let your windows box download all your email from your ISP -- then connect to the local server with Outlook or Thunderbird and use IMAP. OR -- better -- use your server as an email server as well! My server downloads my email from my ISP (see linux util 'fetchmail'), then it calls my filter script (or it could call procmail). It also calls spamassassin before it tries to deliver it
Build status as of Fri Jul 2 06:00:01 2010
URL: http://build.samba.org/ --- /home/build/master/cache/broken_results.txt.old 2010-07-01 00:00:03.0 -0600 +++ /home/build/master/cache/broken_results.txt 2010-07-02 00:00:05.0 -0600 @@ -1,4 +1,4 @@ -Build status as of Thu Jul 1 06:00:01 2010 +Build status as of Fri Jul 2 06:00:01 2010 Build counts: Tree Total Broken Panic @@ -14,7 +14,7 @@ samba-web0 0 0 samba_3_current 28 28 4 samba_3_master 28 28 1 -samba_3_next 28 28 3 +samba_3_next 28 28 2 samba_4_0_test 30 30 0 samba_4_0_waf 30 30 2 talloc 30 7 0
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via d9429a8... s3-registry: remove 2 byte winreg type limitation. via ddb8fae... s3-registry: allow to read NULL entries (that we allow to store) back from the tdb. via 6da0402... s4-smbtorture: enable extended SetValue test against Samba3. via 786198e... s3-registry: remove unused reg_util_marshalling code. via b381fba... s3-registry: avoid using registry_value union. from 84c5dd1... s4-ldb: fixed error handling in openldap backend http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d9429a874c5bd463f4b89db55fdae14b1764a494 Author: Günther Deschner g...@samba.org Date: Thu Jul 1 11:22:20 2010 +0200 s3-registry: remove 2 byte winreg type limitation. We already pull and push 4 byte winreg type in the registry.tdb, we were just not using full 4 bytes within the reg_object functions. With this change we finally pass the set extended value torture test. Guenther commit ddb8fae40174c72be8b3b6fc1c67cbaad3343153 Author: Günther Deschner g...@samba.org Date: Thu Jul 1 15:50:58 2010 +0200 s3-registry: allow to read NULL entries (that we allow to store) back from the tdb. Guenther commit 6da040261debcbd4b193caf9d5a055efad898aca Author: Günther Deschner g...@samba.org Date: Thu Jul 1 03:04:39 2010 +0200 s4-smbtorture: enable extended SetValue test against Samba3. Guenther commit 786198e523257de75d9238cd993594e5f8a8a4b7 Author: Günther Deschner g...@samba.org Date: Thu Jul 1 02:57:19 2010 +0200 s3-registry: remove unused reg_util_marshalling code. Guenther commit b381fba0892021f164223bae8b0951014a28735e Author: Günther Deschner g...@samba.org Date: Tue Jun 29 16:13:15 2010 +0200 s3-registry: avoid using registry_value union. Just pull and push data as is. 
Guenther --- Summary of changes: libgpo/gpext/gpext.c| 13 +- source3/Makefile.in |3 - source3/include/registry.h | 22 +--- source3/lib/smbconf/smbconf_reg.c | 68 +++--- source3/libgpo/gpext/registry.c | 21 +-- source3/libgpo/gpext/scripts.c |8 +- source3/libgpo/gpo_reg.c| 78 +++ source3/registry/reg_api.c | 24 +--- source3/registry/reg_backend_db.c |8 +- source3/registry/reg_objects.c |6 +- source3/registry/reg_objects.h |4 +- source3/registry/reg_util_marshalling.c | 216 --- source3/registry/reg_util_marshalling.h | 32 - source3/rpc_server/srv_eventlog_nt.c| 13 ++- source3/rpc_server/srv_winreg_nt.c | 51 +++- source3/utils/net_registry.c| 40 +- source3/utils/net_registry_util.c | 30 - source3/utils/net_rpc_registry.c| 54 - source3/wscript_build |2 - source4/torture/rpc/winreg.c|5 +- 20 files changed, 242 insertions(+), 456 deletions(-) delete mode 100644 source3/registry/reg_util_marshalling.c delete mode 100644 source3/registry/reg_util_marshalling.h Changeset truncated at 500 lines: diff --git a/libgpo/gpext/gpext.c b/libgpo/gpext/gpext.c index 865a725..9a09337 100644 --- a/libgpo/gpext/gpext.c +++ b/libgpo/gpext/gpext.c @@ -281,13 +281,16 @@ static NTSTATUS gp_ext_info_add_reg(TALLOC_CTX *mem_ctx, switch (type) { case REG_SZ: case REG_EXPAND_SZ: - data-v.sz.str = talloc_strdup(mem_ctx, data_s); - NT_STATUS_HAVE_NO_MEMORY(data-v.sz.str); - data-v.sz.len = strlen(data_s); + if (!push_reg_sz(mem_ctx, data-data, data_s)) { + return NT_STATUS_NO_MEMORY; + } break; - case REG_DWORD: - data-v.dword = atoi(data_s); + case REG_DWORD: { + uint32_t v = atoi(data_s); + data-data = data_blob_talloc(mem_ctx, NULL, 4); + SIVAL(data-data.data, 0, v); break; + } default: return NT_STATUS_NOT_SUPPORTED; } diff --git a/source3/Makefile.in b/source3/Makefile.in index 905ab4c..afca6c3 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in 
@@ -563,8 +563,6 @@ LIBMSRPC_GEN_OBJ = librpc/gen_ndr/cli_lsa.o \ # UTIL_REG_OBJ = ../libcli/registry/util_reg.o -REG_UTIL_MARSHALLING_OBJ = registry/reg_util_marshalling.o - REG_INIT_BASIC_OBJ = registry/reg_init_basic.o REG_INIT_SMBCONF_OBJ = registry/reg_init_smbconf.o REG_INIT_FULL_OBJ = registry/reg_init_full.o @@ -592,7 +590,6 @@ REG_BASE_OBJ =
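Review bot: in the gp_ext_info_add_reg() hunk of libgpo/gpext/gpext.c, the new REG_DWORD branch calls data_blob_talloc(mem_ctx, NULL, 4) and then writes through the blob's data pointer with SIVAL without checking that the allocation succeeded, whereas the REG_SZ branch just above it returns NT_STATUS_NO_MEMORY when push_reg_sz() fails. Add the same NULL check before the SIVAL so an allocation failure does not become a NULL write. The value also still comes from atoi(data_s), which reports no errors and returns int, so a non-numeric string or a DWORD above INT_MAX is not detected; strtoul with an end-pointer check would match the new uint32_t.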
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 6234153... s4/schema: remove unnecessary deletion of dsdb_schema cached pointer from d9429a8... s3-registry: remove 2 byte winreg type limitation. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 62341537d7c43d678e66ba663ad07be629e3328e Author: Anatoliy Atanasov anatoliy.atana...@postpath.com Date: Fri Jul 2 11:39:39 2010 +0300 s4/schema: remove unnecessary deletion of dsdb_schema cached pointer This is needed so we can find and free old schemas based using the cached pointer --- Summary of changes: source4/dsdb/schema/schema_set.c |3 --- 1 files changed, 0 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/schema/schema_set.c b/source4/dsdb/schema/schema_set.c index da5ad3c..e09d207 100644 --- a/source4/dsdb/schema/schema_set.c +++ b/source4/dsdb/schema/schema_set.c @@ -536,9 +536,6 @@ void dsdb_make_schema_global(struct ldb_context *ldb, struct dsdb_schema *schema talloc_unlink(talloc_autofree_context(), global_schema); } - /* Wipe any reference to the exact schema - we will set 'use the global schema' below */ - ldb_set_opaque(ldb, dsdb_schema, NULL); - /* we want the schema to be around permanently */ talloc_reparent(ldb, talloc_autofree_context(), schema); global_schema = schema; -- Samba Shared Repository
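Review bot: with the ldb_set_opaque(ldb, dsdb_schema, NULL) call removed from dsdb_make_schema_global(), the cached pointer is left untouched while the lines just above still talloc_unlink() the previous global_schema from talloc_autofree_context(); if the cached pointer can refer to that previous schema, nothing visible in this hunk keeps it from dangling after the unlink. The commit message says the cached pointer is needed to find and free old schemas, so replace the deleted comment with one stating who frees the old schema and at what point the cached pointer is updated, which would make the lifetime checkable from this function.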
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 61e9560... s3-net: forgot to set type in winreg getvalue operation. from 6234153... s4/schema: remove unnecessary deletion of dsdb_schema cached pointer http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 61e956036e28b8fe8c57ab47c478a542cbf44532 Author: Günther Deschner g...@samba.org Date: Fri Jul 2 13:08:00 2010 +0200 s3-net: forgot to set type in winreg getvalue operation. Guenther --- Summary of changes: source3/utils/net_rpc_registry.c |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/utils/net_rpc_registry.c b/source3/utils/net_rpc_registry.c index 0f781bb..0814235 100644 --- a/source3/utils/net_rpc_registry.c +++ b/source3/utils/net_rpc_registry.c @@ -608,6 +608,8 @@ static NTSTATUS rpc_registry_getvalue_internal(struct net_context *c, goto done; } + value-type = type; + print_registry_value(value, raw); done: -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 86cde0a... Tests for user-change-password and force-password-change access rights from 61e9560... s3-net: forgot to set type in winreg getvalue operation. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 86cde0a7dc8388747060a11f101f715645ef0eae Author: Nadezhda Ivanova nivan...@samba.org Date: Fri Jul 2 16:38:05 2010 +0300 Tests for user-change-password and force-password-change access rights --- Summary of changes: source4/dsdb/tests/python/acl.py | 246 +- 1 files changed, 242 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py index 5bf3ff9..0f8fd0c 100755 --- a/source4/dsdb/tests/python/acl.py +++ b/source4/dsdb/tests/python/acl.py @@ -16,7 +16,9 @@ import samba.getopt as options from ldb import ( SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT, ERR_INSUFFICIENT_ACCESS_RIGHTS) - +from ldb import ERR_CONSTRAINT_VIOLATION +from ldb import Message, MessageElement, Dn +from ldb import FLAG_MOD_REPLACE, FLAG_MOD_DELETE from samba.ndr import ndr_pack, ndr_unpack from samba.dcerpc import security @@ -154,7 +156,7 @@ url: www.example.com dn: + group_dn + objectClass: group sAMAccountName: + group_dn.split(,)[0][3:] + -groupType: 2147483650 +groupType: 4 url: www.example.com if desc: @@ -415,7 +417,7 @@ displayName: test_changed res = self.ldb_admin.search(self.base_dn, expression=(distinguishedName=%s) % str(OU=test_modify_ou1, + self.base_dn)) self.assertEqual(res[0][displayName][0], test_changed) -def _test_modify_u2(self): +def test_modify_u2(self): 6 Modify two attributes as you have DS_WRITE_PROPERTY granted only for one of them mod = (OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s) % str(self.user_sid) # First test object -- User 
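Review bot: the @@ -154 hunk changes the test group from groupType: 2147483650 (0x80000002, a security-enabled global group) to groupType: 4, which clears the security-enabled bit and changes the scope, and the @@ -415 hunk renames _test_modify_u2 to test_modify_u2 so a test that was not collected before now runs; neither change is mentioned in the commit message, which only describes new tests for the change-password and force-password-change rights. Group type decides whether membership counts in access checks, so an ACL test suite should say why it now uses a non-security group; put the reason in the commit message or a comment, or move these two changes into their own commit.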
@@ -641,7 +643,7 @@ Member: CN=test_modify_user2,CN=Users, + self.base_dn 13 User with WP modifying Member #a second user is given write property permission user_sid = self.get_object_sid(self.get_user_dn(self.user_with_wp)) -mod = (OA;;WP;;;%s) % str(user_sid) +mod = (A;;WP;;;%s) % str(user_sid) self.dacl_add_ace(CN=test_modify_group2,CN=Users, + self.base_dn, mod) ldif = dn: CN=test_modify_group2,CN=Users, + self.base_dn + 
@@ -1023,12 +1025,230 @@ class AclRenameTests(AclTests): res = self.ldb_admin.search(self.base_dn, expression=(distinguishedName=%s) % ou3_dn) self.assertNotEqual(res, []) +#tests on Control Access Rights +class AclCARTests(AclTests): + +def setUp(self): +super(AclCARTests, self).setUp() +self.user_with_wp = acl_car_user1 +self.user_with_pc = acl_car_user2 +self.create_enable_user(self.user_with_wp) +self.create_enable_user(self.user_with_pc) +self.ldb_user = self.get_ldb_connection(self.user_with_wp, self.user_pass) +self.ldb_user2 = self.get_ldb_connection(self.user_with_pc, self.user_pass) + +def tearDown(self): +super(AclCARTests, self).tearDown() +self.delete_force(self.ldb_admin, self.get_user_dn(self.user_with_wp)) +self.delete_force(self.ldb_admin, self.get_user_dn(self.user_with_pc)) + +def test_change_password1(self): +Try a password change operation without any CARs given +#users have change password by default - remove for negative testing +desc = self.read_desc(self.get_user_dn(self.user_with_wp)) +sddl = desc.as_sddl(self.domain_sid) +sddl = sddl.replace((OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD), ) +sddl = sddl.replace((OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS), ) +self.modify_desc(self.get_user_dn(self.user_with_wp), sddl) +try: +self.ldb_user.modify_ldif( +dn: + self.get_user_dn(self.user_with_wp) + +changetype: modify +delete: unicodePwd +unicodePwd:: + base64.b64encode(\samba...@\.encode('utf-16-le')) + +add: unicodePwd +unicodePwd:: + base64.b64encode(\thatsAcomplPASS2\.encode('utf-16-le')) + +) +except LdbError, (num, _): +self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) +else: +# for some reason we get constraint violation instead of insufficient access error +self.fail() + +def test_change_password2(self): +Make sure WP has no influence +desc = self.read_desc(self.get_user_dn(self.user_with_wp)) +sddl = desc.as_sddl(self.domain_sid) +sddl = sddl.replace((OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD), ) +sddl = 
sddl.replace((OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS), ) +self.modify_desc(self.get_user_dn(self.user_with_wp),