[Samba] Samba performance

2011-05-25 Thread Juan Pablo
Hi everyone,

I'm trying to use samba in a small video post production house but we are not 
getting the performance we expected.

Our setup:

- CentOS 5.6 x86-64
- samba.x86_64 (3.0.33-3.29.el5_6.2 and 3.6.0rc1)
- Intel based server (One 4 core Xeon E5620  @ 2.40GHz, 8 GB RAM)
- 4 Intel Gigabit ethernet NIC ports with 802.3ad bonding connected to a switch 
configured to use 802.3ad
- 8 2TB 7.2 krpm SATA disks with hardware RAID5 (RAID stripe size 1024 bytes, 
controller and disk cache enabled, readahead enabled)
- XFS filesystem (created with the following parameters: size=64k -d 
su=1024k,sw=7)
- Average file size in the share: 8 MByte
- Gigabit network composed by Cat5E certified cabling and DLink DGS-3427 
gigabit switch.
- Intel I7 based terminals with Intel gigabit NIC, running Windows 7


Test results:

OS access: 

Sequential write (1 x 31 GByte file): 500 MByte/s
Sequential read (1 x 31 GByte file): 780 MByte/s
Write (1000 files 8 MByte each): 249 MByte/s average
Read (1000 files 8 MByte each): 158 MByte/s average
Simultaneous write (4 processes each writing 1000 files of 8 MByte each ): 188 
MByte/s average
Simultaneous read (4 processes each reading 1000 files of 8 MByte each): 118 
MByte/s average

Samba local access (stock CentOS samba 3.0.33 connecting from the same server 
with smbclient):

Sequential read (1 x 31 GByte file):  267 MByte/s
Read (1000 files 8 MByte each): 71 MByte/s average
Simultaneous read (4 processes each reading 1000 files of 8 MByte each): 102 
MByte/s average

Samba local access (Samba 3.6.0rc1 compiled from GIT repo. Connecting from the 
same server with smbclient):

Read (1000 files 8 MByte each): 95 MByte/s average
Simultaneous read (4 processes each reading 1000 files of 8 MByte each): 103 
MByte/s average

Samba server accessed from Windows 7 terminals (samba 3.6.0rc1):

Read (1 terminal copying from samba fileserver to local disk 1000 files 8 MByte 
each): 60 MByte/s average
Simultaneous read (4 terminals each copying from samba fileserver to local disk 
1000 files of 8 MByte each): 70 MByte/s average

Note: Simultaneous read speed is measured adding the size of all transferred 
files and dividing it by the time taken to transfer these files.

I will appreciate any feedback about the results we are getting and advice on 
how to improve this.

Thanks in advance

Juan Pablo
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Can I write to wondows folder

2011-05-25 Thread Edwin Quijada

I added user to "Domain Admins" and nothing. I have a group named 
Administrators with 544 I supposed that is the local administrator but nothing.
I have other user adminnew and it can write into this folder as Administrator 
domain too.
I think when I create a user and move this user into this group nothing 
happens. I have the user equijada and see this
We can write into the folder but these users can add users/machines to my 
domain and it can be.

debian-pdc:/var/lib/samba/netlogon# id adminnew
uid=1002(adminnuevo) gid=513(Domain Users) grupos=512(Domain Admins),513(Domain Users)
debian-pdc:/var/lib/samba/netlogon# id equijada
uid=1006(equijada) gid=512(Domain Admins) grupos=64238(domadm),512(Domain Admins)

Both belong to domain admins but just adminnew can write into WiNDOWS/ always, 
but now something more weird happens now equijada can too.
Really, I don't know why this behaviour for example groups domadm was erased and 
it tells that exist. I am using ldapadmin.exe to manage users and groups maybe 
will be the app??
*---* 
*-Edwin Quijada 
*-Developer DataBase 
*-JQ Microsistemas 

*-Soporte PostgreSQL

*-www.jqmicrosistemas.com
*-809-849-8087
*---*





> Date: Wed, 25 May 2011 15:02:13 -0400
> From: gaiseric.van...@gmail.com
> To: samba@lists.samba.org
> Subject: Re: [Samba] Can I write to wondows folder
> 
> I am not sure if the Administrators group is required on the PDC-  any 
> way it would be a group specific to the PDC.
> 
> Making domain users members of the "Domain Administrators" group should 
> have worked.   When an XP machine joins the domain , the "Domain Users" 
> group should be added automatically to the local Administrators group 
> on that PC-  and by extension those users will have local admin rights.


Re: [Samba] Cannot authenticate new ldap users (unless they are in /etc/passwd too)

2011-05-25 Thread Gaiseric Vandal

"pdbedit -Lv username" should show you the unix user id.

IF you create a new samba user (e.g. with "smbpasswd -a username"  or 
"pdbedit ")
 AND the user does not already exist as a unix user (in ldap or 
/etc/passwd)
THEN smbpasswd (or pdbedit) should complain UNLESS samba is 
automatically allocating uid/gid's.



Does smb.conf define an idmap ou in ldap?

Did you try configuring /etc/nsswitch.conf as follows?

passwd: files ldap
shadow: files ldap
group:  files ldap

I use Apache Directory Studio for an ldap browser/editor-   that (or a 
similar product) may help you poke around ldap and see what is being 
created.  I don't have any of the smbldap scripts installed on my 
servers.  What version of unix/linux are you using?





On 05/25/2011 04:49 PM, Sean Boran wrote:

Hi,

@Gaiseric: Yes, I have option 2, the LDAP entries include UNIX account 
details such as UID.
(I can for example, login via ssh with the ldap accounts: which shows 
that the unix account details are ok and nss works)

Samba is somehow not seeing ldap unix accounts though.
I've also now noticed that it is not seeing the group membership in 
ldap either, although "getent groups" and "id" show the groups.


@Takahashi: Log level 10 is interesting. But coincidentally after 
enabling it, and a delay of one day, the logins are working fine, 
even if the /etc/passwd entry is removed.


I'm going to have to do more tests, thanks for the tips though.

Sean

On 24 May 2011 18:15, Gaiseric Vandal wrote:


You still need a "unix" account to back the samba account-  this
can be done in several ways
   -  have a local unix acct in /etc/passwd
   -  have the LDAP entry for your samba user also include your
"unix" account info.
   -  have winbind allocate unix uid's and gid's dynamically for
samba accounts in your local domain.


I use option 2 -  LDAP for both unix and samba authentication.  I
initially used nis for unix and TBD for samba, then moved both to
a consolidated LDAP backend.

If you don't need LDAP auth for unix level logins , it may be
sufficient to add uid and gid to the LDAP entry and skip the unix
password field.

I have not tried option 3.



On 05/23/2011 05:47 PM, Sean Boran wrote:

Hi,

I migrated a PDC to use an ldap backend and am having fun with a few last
issues..
Existing user accounts and machine accounts were migrated, and existing
users can authenticate.

Now I've added some new users and none of them can authenticate.
e.g. for the user "inktec".

The user can login via SSH, but not mount a share:
smbclient server3\\someshare -U=inktec mypassword

May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47,  0] passdb/pdb_get_set.c:211(pdb_get_group_sid)
May 23 19:40:47 server3 smbd[7364]:   pdb_get_group_sid: Failed to find Unix account for inktec
May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47,  1] auth/auth_util.c:577(make_server_info_sam)
May 23 19:40:47 server3 smbd[7364]:   User inktec in passdb, but getpwnam() fails!
May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47,  0] auth/auth_sam.c:355(check_sam_security)
May 23 19:40:47 server3 smbd[7364]:   check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'

Samba can see the users and groups.
The following find the user just fine:
ldapsearch  -x  '(uid=inktec)'
pdbedit -L -v inktec
getent passwd inktec
smbldap-usershow inktec

id inktec
uid=18664(inktec) gid=513(Domain Users) groups=513(Domain Users),203(buser)

Users were added with the tool "smbldap-useradd -a", and also with
"ldapadmin"...
I also compared the ldap entries for users that work fine with the new
users in ldap admin, they are basically the same.

Perhaps related is that on a  Windows XP client in the domain, if inktec
is added to a User Groups such as Remote Desktop Users, windows complains
"Information return for object picket for object inktec was incomplete".

Then by chance I added the test user (inktec) to /etc/passwd (but not to
shadow), just to see. It worked!
It's like the passwd line in nsswitch.conf is being ignored?
group:  compat ldap
passwd: compat ldap
shadow: compat ldap
But then why did "getent passwd inktec" work, and why would SSH login
work.

Before ldap I would add users with both "useradd" and "smbpasswd -a", but
this should not be necessary with the ldap store?
Thanks in advance,

Sean



Re: [Samba] Cannot authenticate new ldap users (unless they are in /etc/passwd too)

2011-05-25 Thread Sean Boran
Hi,

@Gaiseric: Yes, I have option 2, the LDAP entries include UNIX account
details such as UID.
(I can for example, login via ssh with the ldap accounts: which shows that
the unix account details are ok and nss works)
Samba is somehow not seeing ldap unix accounts though.
I've also now noticed that it is not seeing the group membership in ldap
either, although "getent groups" and "id" show the groups.

@Takahashi: Log level 10 is interesting. But coincidentally after
enabling it, and a delay of one day, the logins are working fine, even if
the /etc/passwd entry is removed.

I'm going to have to do more tests, thanks for the tips though.

Sean

On 24 May 2011 18:15, Gaiseric Vandal  wrote:

> You still need a "unix" account to back the samba account-  this can be
> done in several ways
>    -  have a local unix acct in /etc/passwd
>    -  have the LDAP entry for your samba user also include your "unix"
> account info.
>    -  have winbind allocate unix uid's and gid's dynamically for samba
> accounts in your local domain.
>
>
> I use option 2 -  LDAP for both unix and samba authentication.  I initially
> used nis for unix and TBD for samba, then moved both to a consolidated LDAP
> backend.
>
> If you don't need LDAP auth for unix level logins , it may be sufficient to
> add uid and gid to the LDAP entry and skip the unix password field.
>
> I have not tried option 3.
>
>
>
> On 05/23/2011 05:47 PM, Sean Boran wrote:
>
>> Hi,
>>
>> I migrated a PDC to use an ldap backend and am having fun with a few last
>> issues..
>> Existing user accounts and machine accounts were migrated, and existing
>> users can authenticate.
>>
>> Now I've added some new users and none of them can authenticate.
>> e.g. for the user "inktec".
>>
>> The user can login via SSH, but not mount a share:
>> smbclient server3\\someshare -U=inktec mypassword
>>
>> May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47,  0] passdb/pdb_get_set.c:211(pdb_get_group_sid)
>> May 23 19:40:47 server3 smbd[7364]:   pdb_get_group_sid: Failed to find Unix account for inktec
>> May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47,  1] auth/auth_util.c:577(make_server_info_sam)
>> May 23 19:40:47 server3 smbd[7364]:   User inktec in passdb, but getpwnam() fails!
>> May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47,  0] auth/auth_sam.c:355(check_sam_security)
>> May 23 19:40:47 server3 smbd[7364]:   check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
>>
>> Samba can see the users and groups.
>> The following find the user just fine:
>> ldapsearch  -x  '(uid=inktec)'
>> pdbedit -L -v inktec
>> getent passwd inktec
>> smbldap-usershow inktec
>>
>> id inktec
>> uid=18664(inktec) gid=513(Domain Users) groups=513(Domain Users),203(buser)
>>
>> Users were added with the tool "smbldap-useradd -a", and also with
>> "ldapadmin"...
>> I also compared the ldap entries for users that work fine with the new
>> users in ldap admin, they are basically the same.
>>
>> Perhaps related is that on a  Windows XP client in the domain, if inktec
>> is added to a User Groups such as Remote Desktop Users, windows complains
>> "Information return for object picket for object inktec was incomplete".
>>
>> Then by chance I added the test user (inktec) to /etc/passwd (but not to
>> shadow), just to see. It worked!
>> It's like the passwd line in nsswitch.conf is being ignored?
>> group:  compat ldap
>> passwd: compat ldap
>> shadow: compat ldap
>> But then why did "getent passwd inktec" work, and why would SSH login
>> work.
>>
>> Before ldap I would add users with both "useradd" and "smbpasswd -a", but
>> this should not be necessary with the ldap store?
>>
>> Thanks in advance,
>>
>> Sean
>>
>


Re: [Samba] Winbind Trust -- grr

2011-05-25 Thread Aaron E.
I guess the client/server question is a moot point as I don't even have 
winbind running on my DC..


On 05/25/2011 04:09 PM, Aaron E. wrote:

Ah, a new avenue to look down..

winbind cache was 300, idmap cache is set to 7 days so I changed them
both to 60 seconds restarted services and rejoined domain, hoping that
the problem would happen right away, this was not the case though.

Was your issue on the server side or client side? I have not changed
server only client.. I try to keep server settings aside as last resort..

Thanks much,
aaron

On 05/25/2011 02:47 PM, Gaiseric Vandal wrote:

It may be related to a caching issue. Use testparm -v to check the
values for the following:

idmap cache time
winbind cache time


I had a problem with samba 3.0.x where idmap entries would populate for
users in a trusted domain- but after the cache time expired the cache
would not repopulate and I would "lose" the trusted users. Increasing
the cache time at least reduced how frequently I had to delete the cache
entries. This is not a solution but maybe will help locate the problem.


On 05/25/2011 12:16 PM, Aaron E. wrote:

First, Thanks for any and all help

I can't seem to figure out what I need to do, I've been fighting this
for a month and am now beating my head off my desk with no solution to
be found. I've read others having this issue but they were all older
versions. I am using 3.5.4. Please read over and give me some input.

Every 7 days winbindd fails on the trust secret. The only way I can
figure to fix it is rejoin the domain.

My only solution I can think of is script and cron so the machine
rejoins the domain every 6 days on its own.

I believe I'm forced to use winbind due to dansguardian using
ntlm_auth. Dansguardian can't use ldap connection.

Now My smb.conf is as follows on the squid server..
[global]
workgroup = EXAMPLE
netbios name = squid1
server string = Squid1
security = domain
password server = netfiles1san, netfiles2san
log level = 3
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = False
local master = No
domain master = False
dns proxy = No
;Winbind
winbind refresh tickets = false
winbind separator = /
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
idmap uid = 1-2
idmap gid = 1-2

smb.conf on my DC relevant info is as follows
security = user
LDAP Backend
master

Possibly an issue with using domain on the squid server and user on
the DC??










Re: [Samba] Winbind Trust -- grr

2011-05-25 Thread Aaron E.

Ah, a new avenue to look down..

winbind cache was 300, idmap cache is set to 7 days so I changed them 
both to 60 seconds restarted services and rejoined domain, hoping that 
the problem would happen right away, this was not the case though.


Was your issue on the server side or client side? I have not changed 
server only client.. I try to keep server settings aside as last resort..


Thanks much,
aaron

On 05/25/2011 02:47 PM, Gaiseric Vandal wrote:

It may be related to a caching issue. Use testparm -v to check the
values for the following:

idmap cache time
winbind cache time


I had a problem with samba 3.0.x where idmap entries would populate for
users in a trusted domain- but after the cache time expired the cache
would not repopulate and I would "lose" the trusted users. Increasing
the cache time at least reduced how frequently I had to delete the cache
entries. This is not a solution but maybe will help locate the problem.


On 05/25/2011 12:16 PM, Aaron E. wrote:

First, Thanks for any and all help

I can't seem to figure out what I need to do, I've been fighting this
for a month and am now beating my head off my desk with no solution to
be found. I've read others having this issue but they were all older
versions. I am using 3.5.4. Please read over and give me some input.

Every 7 days winbindd fails on the trust secret. The only way I can
figure to fix it is rejoin the domain.

My only solution I can think of is script and cron so the machine
rejoins the domain every 6 days on its own.

I believe I'm forced to use winbind due to dansguardian using
ntlm_auth. Dansguardian can't use ldap connection.

Now My smb.conf is as follows on the squid server..
[global]
workgroup = EXAMPLE
netbios name = squid1
server string = Squid1
security = domain
password server = netfiles1san, netfiles2san
log level = 3
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = False
local master = No
domain master = False
dns proxy = No
;Winbind
winbind refresh tickets = false
winbind separator = /
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
idmap uid = 1-2
idmap gid = 1-2

smb.conf on my DC relevant info is as follows
security = user
LDAP Backend
master

Possibly an issue with using domain on the squid server and user on
the DC??








Re: [Samba] Can I write to wondows folder

2011-05-25 Thread Gaiseric Vandal
I am not sure if the Administrators group is required on the PDC-  any 
way it would be a group specific to the PDC.


Making domain users members of the "Domain Administrators" group should 
have worked.   When an XP machine joins the domain , the "Domain Users" 
group should be added automatically to the local Administrators group 
on that PC-  and by extension those users will have local admin rights.


If you log into the PC as the domain Administrator, can you write into 
C:\Windows?  Can you even create a local user account?   This would 
verify that the domain Administrator really had local administrator 
rights.  I had one issue after upgrading one of my domain controllers 
where the group mapping wasn't working properly-  so on the Windows 
systems using that DC,  any permissions assigned to Domain Admins or 
Domain Users didn't work since the users weren't seen in the groups.







On 05/24/2011 02:07 PM, Edwin Quijada wrote:


Hi! I have Samba 3.2.5 as PDC for 20 users with Windows XP, now I need that 5 
users can write into C:\windows folder from each machine in my LAN. I have an 
Administrators group with RID 544 and I added these users to this group but it 
doesn't work, I did the same adding to Domain Admin and it didn't.
Is there some way to give these users access so they can write into this 
folder?
Thks.
*---*
*-Edwin Quijada
*-Developer DataBase
*-JQ Microsistemas

*-Soporte PostgreSQL

*-www.jqmicrosistemas.com
*-809-849-8087
*---*








Re: [Samba] human understandable log format?

2011-05-25 Thread Gaiseric Vandal
Can you hard link or symbolically link one (or more) log files to 
another?


I use perl to split up and restructure log file entries-  not for the 
samba logs tho.


It looks like samba can send messages to syslog.  If you use "syslog-ng" 
you have a lot of flexibility for logging events based on 
host/service/text strings to whatever file(s) you want.



On 05/25/2011 10:29 AM, Andreas Heinlein wrote:

On 25.05.2011 15:45, ion coting wrote:

Anyone... help!?

On Thu, May 19, 2011 at 4:19 PM, ion coting  wrote:


Hi,
I would like to look at a logfile containing simple summary lines like
this:

timestamp - client ip - user - action (eg. login, connect to a share) -
result (ok, password wrong, permission denied, io error, etc)

I find log.smb and log.nmb very complicated and smbaudit too; also I would
like to have all this information in a single log file.

How can I achieve this? Is there any native samba combination of options in
smb.conf that can result in achieving this type of log? Can (and how?) I
configure samba in such a way that some external tools can parse and extract
this information from logfiles?

thank you



I'd like to see this too, but I don't think it's possible. I have wasted
several hours when debugging samba problems and dealing with
hard-to-read logfiles. But there is no way to configure logging except
for the amount (log level) and destination.

It may help a bit to use substitutions in the log file destinations, so
e.g. using "log file = /var/log/samba/log.%I.%U" in your smb.conf will
create one log file per client and user on the server, like
/var/log/samba/log.10.0.0.24.bob for user bob on client 10.0.0.24.
Still, it's sometimes difficult to get actions and results sorted out.

Bye,
Andreas


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
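
Added example, not part of any message in this thread and not Samba project code: a small Python parser that joins each Samba debug record (the bracketed header plus its indented message lines, with or without a syslog prefix) into the one-line "timestamp - client ip - user - action - result" summary asked for above. The sample lines are constructed from the log excerpt quoted elsewhere on this page with the mail line-wrapping undone; taking client IP and user from a "log.%I.%U" file name, using the function name as the action, and the level cut-off are assumptions of this example.

```python
"""Collapse Samba debug-log records into one summary line each."""
import re
from dataclasses import dataclass

# Optional syslog prefix, e.g. "May 23 19:40:47 server3 smbd[7364]: "
SYSLOG_PREFIX = re.compile(
    r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ \w+\[\d+\]: ?")
# Record header: "[2011/05/23 19:40:47,  0] passdb/pdb_get_set.c:211(pdb_get_group_sid)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?:\.\d+)?,\s*(?P<level>\d+)[^\]]*\]"
    r"\s*(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$")
# File name produced by "log file = /var/log/samba/log.%I.%U" (assumed layout)
LOGNAME = re.compile(r"log\.(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<user>[^/]+)$")
NT_STATUS = re.compile(r"NT_STATUS_[A-Z_]+")

# Constructed sample: the three records quoted in this thread (syslog form),
# plus one invented level-3 record in native log-file form.
SAMPLE = [
    "May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47,  0] "
    "passdb/pdb_get_set.c:211(pdb_get_group_sid)",
    "May 23 19:40:47 server3 smbd[7364]:   pdb_get_group_sid: "
    "Failed to find Unix account for inktec",
    "May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47,  1] "
    "auth/auth_util.c:577(make_server_info_sam)",
    "May 23 19:40:47 server3 smbd[7364]:   User inktec in passdb, "
    "but getpwnam() fails!",
    "May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47,  0] "
    "auth/auth_sam.c:355(check_sam_security)",
    "May 23 19:40:47 server3 smbd[7364]:   check_sam_security: "
    "make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'",
    "[2011/05/23 19:40:48,  3] smbd/example.c:1(example_debug_noise)",
    "  constructed level-3 chatter, filtered out of the summary",
]


@dataclass
class Record:
    timestamp: str
    level: int
    source: str      # file:line that emitted the record
    function: str    # C function named in the header
    message: str = ""


def parse_records(lines):
    """Group header lines and their continuation lines into Record objects."""
    records = []
    for raw in lines:
        line = SYSLOG_PREFIX.sub("", raw.rstrip("\n"), count=1)
        m = HEADER.match(line)
        if m:
            records.append(Record(m["ts"], int(m["level"]),
                                  f'{m["src"]}:{m["line"]}', m["func"]))
        elif records and line.strip():
            # Continuation text belongs to the most recent header.
            rec = records[-1]
            rec.message = (rec.message + " " + line.strip()).strip()
        # Text before the first header has no record to attach to; skip it.
    return records


def client_from_logname(path):
    """Return (client_ip, user) from a log.%I.%U file name, or ('-', '-')."""
    m = LOGNAME.search(path)
    return (m["ip"], m["user"]) if m else ("-", "-")


def summarize(records, logname="", max_level=1):
    """One line per record at or below max_level:
    timestamp - client ip - user - action - result."""
    ip, user = client_from_logname(logname)
    out = []
    for r in records:
        if r.level > max_level:
            continue
        status = NT_STATUS.search(r.message)
        # Prefer the NT status code as the result; fall back to the message.
        result = status.group(0) if status else r.message
        out.append(f"{r.timestamp} - {ip} - {user} - {r.function} - {result}")
    return out


if __name__ == "__main__":
    # Constructed file name following the log.%I.%U pattern.
    for line in summarize(parse_records(SAMPLE),
                          "/var/log/samba/log.10.0.0.24.inktec"):
        print(line)
```
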


Re: [Samba] Winbind Trust -- grr

2011-05-25 Thread Gaiseric Vandal
It may be related to a caching issue.  Use testparm -v to check the 
values for the following:


idmap cache time
winbind cache time


I had a problem with samba 3.0.x where idmap entries would populate for 
users in a trusted domain- but after the cache time expired the cache 
would not repopulate and I would "lose" the trusted users.
Increasing the cache time at least reduced how frequently I had to 
delete the cache entries. This is not a solution but maybe will help 
locate the problem.



On 05/25/2011 12:16 PM, Aaron E. wrote:

First, Thanks for any and all help

I can't seem to figure out what I need to do, I've been fighting this 
for a month and am now beating my head off my desk with no solution to 
be found. I've read others having this issue but they were all older 
versions. I am using 3.5.4. Please read over and give me some input.


Every 7 days winbindd fails on the trust secret. The only way I can 
figure to fix it is rejoin the domain.


My only solution I can think of is script and cron so the machine 
rejoins the domain every 6 days on its own.


I believe I'm forced to use winbind due to dansguardian using 
ntlm_auth. Dansguardian can't use ldap connection.


Now My smb.conf is as follows on the squid server..
[global]
workgroup = EXAMPLE
netbios name = squid1
server string = Squid1
security = domain
password server = netfiles1san, netfiles2san
log level = 3
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = False
local master = No
domain master = False
dns proxy = No
;Winbind
winbind refresh tickets = false
winbind separator = /
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
idmap uid = 1-2
idmap gid = 1-2

smb.conf on my DC relevant info is as follows
security = user
LDAP Backend
master

Possibly an issue with using domain on the squid server and user on 
the DC??







[Samba] Winbind Trust -- grr

2011-05-25 Thread Aaron E.

First, Thanks for any and all help

I can't seem to figure out what I need to do, I've been fighting this 
for a month and am now beating my head off my desk with no solution to 
be found. I've read others having this issue but they were all older 
versions. I am using 3.5.4. Please read over and give me some input.


Every 7 days winbindd fails on the trust secret. The only way I can 
figure to fix it is rejoin the domain.


My only solution I can think of is script and cron so the machine 
rejoins the domain every 6 days on its own.


I believe I'm forced to use winbind due to dansguardian using ntlm_auth. 
Dansguardian can't use ldap connection.


Now My smb.conf is as follows on the squid server..
[global]
workgroup = EXAMPLE
netbios name = squid1
server string = Squid1
security = domain
password server = netfiles1san, netfiles2san
log level = 3
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = False
local master = No
domain master = False
dns proxy = No
;Winbind
winbind refresh tickets = false
winbind separator = /
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
idmap uid = 1-2
idmap gid = 1-2

smb.conf on my DC relevant info is as follows
security = user
LDAP Backend
master

Possibly an issue with using domain on the squid server and user on the DC??




Re: [Samba] Problems with group assignments

2011-05-25 Thread F. David del Campo Hill
Dear All,

We finally managed to find out what was wrong: winbind was running!

It seems that the SaMBa package we had from SUN/Oracle installed and 
started winbind (unlike in the old server and the Linux server). Once we 
disabled winbind (why did it think it was necessary to run winbind in the first 
place?), it all started working again: usernames and passwords are 
authenticated against AD, and group membership is checked against the local 
/etc/group file.

Thank you all for your help.

Yours,

David del Campo


PS: Maybe someone should amend the smb.conf man page to the effect that if you 
run winbind, the system will ignore the "@", "+" and "&" symbols under the 
"(in)valid users" and "write list" tags.



> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-
> boun...@lists.samba.org] On Behalf Of F. David del Campo Hill
> Sent: 23 May 2011 17:16
> To: muel...@tropenklinik.de; samba@lists.samba.org
> Subject: Re: [Samba] Problems with group assignments
> 
> Dear Daniel,
> 
>   The usernames and passwords are already authenticating against
> ADS; the problem is the groups. We want the groups to "authenticate"
> against the local UNIX groups, NOT ADS (like the original server did,
> and the documentation states); having the groups work through ADS will
> make us have to keep the local and ADS groups synchronized manually,
> which we do not want to do (the new server is also a NFS server, so we
> cannot have the two types of groups drift apart).
> 
>   David
> 
> 
> 
> > -Original Message-
> > From: Daniel Müller [mailto:muel...@tropenklinik.de]
> > Sent: 23 May 2011 07:52
> > To: F. David del Campo Hill; samba@lists.samba.org
> > Subject: AW: [Samba] Problems with group assignments
> >
> > What about your ADS? You are authenticating against your ADS?!
> > Why don't you use winbind?
> > http://wiki.samba.org/index.php/Samba_&_Active_Directory
> >
> > Good Luck
> > Daniel
> >
> > ---
> > EDV Daniel Müller
> >
> > Head of IT
> > Tropenklinik Paul-Lechler-Krankenhaus
> > Paul-Lechler-Str. 24
> > 72076 Tübingen
> >
> > Tel.: 07071/206-463, Fax: 07071/206-499
> > eMail: muel...@tropenklinik.de
> > Internet: www.tropenklinik.de
> > ---
> > -Original Message-
> > From: samba-boun...@lists.samba.org [mailto:samba-
> > boun...@lists.samba.org] On Behalf Of
> > F. David del Campo Hill
> > Sent: Friday, 20 May 2011 14:44
> > To: samba@lists.samba.org
> > Subject: [Samba] Problems with group assignments
> >
> > Dear All,
> >
> > We are trying to transfer a SaMBa installation from an old server to
> > a newer more up-to-date one. The original server was sharing files to
> > Windows XP systems in Active Directory (Windows Server 2003 R2 version),
> > but as we move to Windows 7 and Active Directory (Windows Server 2008 R2
> > version) we need to upgrade the service.
> >
> > The old server was part of a NIS domain, with the "valid users",
> > "write list", etc entries in its smb.conf referring to the NIS groups
> > using the "@" sign (which the documentation says it means "is interpreted
> > as an NIS netgroup first (if your system supports NIS), and then as a UNIX
> > group if the name was not found in the NIS netgroup database"; see
> > http://samba.org/samba/docs/man/manpages-3/smb.conf.5.html#INVALIDUSERS).
> > It all worked fine as it picked users' group membership from NIS.
> >
> > The new server is a Solaris 10 box running SaMBa 3.5.5, and we are
> > having problems with it picking up the group memberships. The old
> > server's smb.conf was transplanted to the new server (with a few path
> > changes), and the new server was successfully added to our Active
> > Directory domain. As the new server is NOT a member of NIS, we made a
> > copy of all the smb.conf-relevant groups to its local /etc/group and
> > added all the users to the /etc/passwd file. With these changes we can
> > access the shares using the AD usernames and passwords as long as they
> > are not access-limited by "valid users", so the integration of the
> > server into AD is working. But if we add a "valid users = @group" line
> > to the share in smb.conf, it will completely refuse access to all
> > users, even the ones belonging to the group. Leaving the share
> > accessible to all, but adding a "write list = @group" line to smb.conf,
> > will allow access, but no one will be able to write to it, even the
> > members of the group. If we change the "write list" and "valid users"
> > lines to list the usernames directly instead of through a group
> > membership, it works. To avoid even attempting to talk to NIS, we
> > changed the "@" signs for "+", but it still kept refusing to recognize
> > group memberships (NIS or local UNIX ones). So it see

Re: [Samba] human understandable log format?

2011-05-25 Thread Jeremy Allison
On Wed, May 25, 2011 at 04:29:51PM +0200, Andreas Heinlein wrote:
> On 25.05.2011 15:45, ion coting wrote:
> > Anyone... help!?
> >
> > On Thu, May 19, 2011 at 4:19 PM, ion coting  wrote:
> >
> >> Hi,
> >> I would like to look at a logfile containing simple summary lines like
> >> this:
> >>
> >> timestamp - client ip - user - action (eg. login, connect to a share) -
> >> result (ok, password wrong, permission denied, io error, etc)
> >>
> >> I find log.smb and log.nmb very complicated and smbaudit too; also I would
> >> like to have all this information in a single log file.
> >>
> >> How can I achieve this? Is there any native samba combination of options in
> >> smb.conf that can result in achieving this type of log? Can (and how?) I
> >> configure samba in such a way that some external tools can parse and extract
> >> this information from logfiles?
> >>
> >> thank you
> >>
> >>
> 
> I'd like to see this too, but I don't think it's possible. I have wasted
> several hours when debugging samba problems and dealing with
> hard-to-read logfiles. But there is no way to configure logging except
> for the amount (log level) and destination.
> 
> It may help a bit to use substitutions in the log file destinations, so
> e.g. using "log file = /var/log/samba/log.%I.%U" in your smb.conf will
> create one log file per client and user on the server, like
> /var/log/samba/log.10.0.0.24.bob for user bob on client 10.0.0.24.
> Still, it's sometimes difficult to get actions and results sorted out.

What would really help is if someone went through the "things"
that Samba does, and came out with a list of "user loggable"
events, such as "user logged on", "connection dropped", "connected
to share" etc. If the list were small enough (i.e. so it didn't
turn into a parallel debug system) we could then instrument
the code at these points, then emit event-log records that
were readable by the Windows event log viewer (or a UNIX
equivalent) - or even to a separate "user events" log file
(or syslog).

It would have to be a limited list, and not include IO
events (opening file, read file etc.) as these are better
handled by the audit modules, or when we add the audit ACLs,
the audit ACL logging.

Someone from HP (not mentioning any names here but he might
remember who he is :-) did promise a couple of years ago at
SambaXP to do this, but I'm guessing he didn't have time.

If someone came up with this I'd certainly help push it
into the code.

Jeremy.


Re: [Samba] human understandable log format?

2011-05-25 Thread Andreas Heinlein
On 25.05.2011 15:45, ion coting wrote:
> Anyone... help!?
>
> On Thu, May 19, 2011 at 4:19 PM, ion coting  wrote:
>
>> Hi,
>> I would like to look at a logfile containing simple summary lines like
>> this:
>>
>> timestamp - client ip - user - action (eg. login, connect to a share) -
>> result (ok, password wrong, permission denied, io error, etc)
>>
>> I find log.smb and log.nmb very complicated and smbaudit too; also I would
>> like to have all this information in a single log file.
>>
>> How can I achieve this? Is there any native samba combination of options in
>> smb.conf that can result in achieving this type of log? Can (and how?) I
>> configure samba in such a way that some external tools can parse and extract
>> this information from logfiles?
>>
>> thank you
>>
>>

I'd like to see this too, but I don't think it's possible. I have wasted
several hours when debugging samba problems and dealing with
hard-to-read logfiles. But there is no way to configure logging except
for the amount (log level) and destination.

It may help a bit to use substitutions in the log file destinations, so
e.g. using "log file = /var/log/samba/log.%I.%U" in your smb.conf will
create one log file per client and user on the server, like
/var/log/samba/log.10.0.0.24.bob for user bob on client 10.0.0.24.
Still, it's sometimes difficult to get actions and results sorted out.

Bye,
Andreas
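
Added example, not part of any post in this thread: a small parser that turns one of the per-client files from the "log file = /var/log/samba/log.%I.%U" suggestion above into the "timestamp - client ip - user - action - result" lines the original question asks for. The record header layout and the level 1 and 2 message wording are assumptions about smbd 3.x output, the sample log is constructed, and the names `split_name` and `summarize` are hypothetical.

```python
import re

# Assumed file naming from "log file = /var/log/samba/log.%I.%U" (IPv4 clients).
NAME_RE = re.compile(r"^log\.(\d{1,3}(?:\.\d{1,3}){3})\.(.*)$")
# Assumed record header, e.g. "[2011/05/25 16:29:51,  1] file.c:1(func)",
# optionally with ".microseconds" after the seconds.
HEADER_RE = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?:\.\d+)?,\s*\d+\]")
# (pattern, action, result); assumed message wording, {0}/{1} are regex groups.
EVENTS = [
    (re.compile(r"connect to service (\S+) initially as user"), "connect to share {0}", "ok"),
    (re.compile(r"closed connection to service (\S+)"), "disconnect from share {0}", "ok"),
    (re.compile(r"Authentication for user \[([^\]]*)\].* FAILED with error (\S+)"), "login", "{1}"),
]

# Constructed sample of what a per-client log file might contain.
SAMPLE = """\
[2011/05/25 16:29:51,  1] smbd/service.c:1070(make_connection_snum)
  ws24 (10.0.0.24) connect to service video initially as user bob (uid=1000, gid=1000) (pid 4242)
[2011/05/25 16:30:02,  2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password:  Authentication for user [bob] -> [bob] FAILED with error NT_STATUS_WRONG_PASSWORD
[2011/05/25 16:41:10,  1] smbd/service.c:1251(close_cnum)
  ws24 (10.0.0.24) closed connection to service video
"""

def split_name(log_name):
    """Recover (client ip, user) from a log.%I.%U file name."""
    m = NAME_RE.match(log_name)
    if not m:
        raise ValueError("not a log.%I.%U name: " + log_name)
    return m.group(1), m.group(2) or "-"   # tolerate an empty user part

def summarize(log_name, text):
    """Return 'timestamp - client ip - user - action - result' lines."""
    ip, user = split_name(log_name)
    out, stamp = [], None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            stamp = header.group(1)        # message body follows on later lines
            continue
        for pattern, action, result in EVENTS:
            m = pattern.search(line)
            if m and stamp:
                g = m.groups()
                out.append(" - ".join(
                    [stamp, ip, user, action.format(*g), result.format(*g)]))
                break
    return out
```

Failed logins only appear if the log level is high enough for smbd to write them, so the summary is only as complete as the underlying log.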


Re: [Samba] human understandable log format?

2011-05-25 Thread ion coting
Anyone... help!?

On Thu, May 19, 2011 at 4:19 PM, ion coting  wrote:

> Hi,
> I would like to look at a logfile containing simple summary lines like
> this:
>
> timestamp - client ip - user - action (eg. login, connect to a share) -
> result (ok, password wrong, permission denied, io error, etc)
>
> I find log.smb and log.nmb very complicated and smbaudit too; also I would
> like to have all this information in a single log file.
>
> How can I achieve this? Is there any native samba combination of options in
> smb.conf that can result in achieving this type of log? Can (and how?) I
> configure samba in such a way that some external tools can parse and extract
> this information from logfiles?
>
> thank you
>
>


[Samba] Pdbedit cannot modify SID

2011-05-25 Thread Guillaume

Hi,

I'm trying to migrate from a SME server to an Ubuntu 10.04.
Domain names are the same (domain SID already retrieved).

example
User john on SME server has SID 
S-1-5-21-1222067456-3914006320-3959678504-11026
User john on Ubuntu server has SID 
S-1-5-21-1222067456-3914006320-3959678504-3010


Not to lose Windows profiles, I'm trying to modify john's SID on Ubuntu server:

pdbedit -u john -U S-1-5-21-1222067456-3914006320-3959678504-11026

Result shows no change in SID. No error message.

Can you help?


--
Guillaume
06 24 68 25 24
