Re: [Samba] V4 - New Install - Missing Zone File
> > >> --
> > > Thank you for your help! I was able to get a new Bind version to somewhat
> > > work. I was able to join an XP machine to the domain but DNS seems to not
> > > be updating correctly. Below you will find the logs that I am seeing.
> > >
> > > /var/log/messages:
> > >
> > > Feb 21 16:39:39 davis named[1163]: validating @0x24c0d30: com SOA: no valid signature found
> > > Feb 21 16:39:39 davis named[1163]: validating @0x220f220: com SOA: no valid signature found
> > > Feb 21 16:39:39 davis named[1163]: validating @0x220f220: CK0POJMG874LJREF7EFN8430QVIT8BSM.com NSEC3: no valid signature found
> > > Feb 21 16:39:39 davis named[1163]: validating @0x24c0d30: CK0POJMG874LJREF7EFN8430QVIT8BSM.com NSEC3: no valid signature found
> > > Feb 21 16:39:39 davis named[1163]: validating @0x198b010: A2MEHD73GB2UACB908FCH30EPFLFHMH7.com NSEC3: no valid signature found
> > > Feb 21 16:39:39 davis named[1163]: validating @0x24c0d30: A2MEHD73GB2UACB908FCH30EPFLFHMH7.com NSEC3: no valid signature found
> > > Feb 21 16:39:40 davis named[1163]: validating @0x24c0d30: 3RL0HJSI26SCTO21AV9TVIGIPUVPJAI1.com NSEC3: no valid signature found
> > > Feb 21 16:39:40 davis named[1163]: validating @0x198b010: 3RL0HJSI26SCTO21AV9TVIGIPUVPJAI1.com NSEC3: no valid signature found
> > >
> > > samba output in single mode:
> > >
> > > samba -i -M single
> > > samba version 4.0.0alpha18-GIT-89586ed started.
> > > Copyright Andrew Tridgell and the Samba Team 1992-2012
> > > samba: using 'single' process model
> > > ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_UNSUCCESSFUL
> > >
> > > Any ideas as to what that could be? Thank you for your time and have a
> > > great day!
> >
> > Hi
> > I think DLZ is the default. I didn't specify any dns-backend when
> > provisioning but I got files I needed to include for named. I had to
> > make 2 changes to the bind 9 config as detailed here:
> > http://linuxcostablanca.blogspot.com/2012/01/samba-4-ubuntu.html
> > HTH
> > Steve
>
> Hello Steve, I have the entries in my /etc/named.conf. Not sure what else to
> try. Based on the logs samba4 is unable to update DNS. And Bind is having
> issues with a signature by what the /var/log/messages is saying. Any ideas as
> to what it could be?

One note I would like to add. I am now using Bind 9.8.1 compiled from source. It seems to load the DLZ driver just fine. The issue I am having is that samba4 is trying to update DNS and can't. When I add a new server to the domain DNS can't resolve that new server.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] V4 - New Install - Missing Zone File
steve wrote:
> On 02/22/2012 12:46 AM, jdf...@cox.net wrote:
> >> The default DNS backend has changed to BIND9_DLZ. This means the DNS
> >> records are stored in Samba4's AD tree instead of in a normal zone
> >> file.
> >>
> >> I've not tried the above, so am not sure exactly how to set it up.
> >> There are some posts about it in the samba-technical mailing list
> >> archives, though.
> >>
> >> For the zone file, re-provision with the following option:
> >>
> >>     --dns-backend=BIND9_FLATFILE
> >>
> >> The BIND9_FLATFILE backend is the old way. BIND9_DLZ and
> >> SAMBA_INTERNAL are the two new methods. BIND9_DLZ needs a recent
> >> version of bind with DLZ dlopen support. The SAMBA_INTERNAL does not
> >> yet support signed DNS updates (last I heard).
> >>
> >> Since I provisioned samba4 before the DLZ option was available I have
> >> stuck with BIND9_FLATFILE for now.
> >>
> >> If you're just starting out, you might want to try the DLZ backend.
> >>
> >> --
> > Thank you for your help! I was able to get a new Bind version to somewhat
> > work. I was able to join an XP machine to the domain but DNS seems to not
> > be updating correctly. Below you will find the logs that I am seeing.
> >
> > /var/log/messages:
> >
> > Feb 21 16:39:39 davis named[1163]: validating @0x24c0d30: com SOA: no valid signature found
> > Feb 21 16:39:39 davis named[1163]: validating @0x220f220: com SOA: no valid signature found
> > Feb 21 16:39:39 davis named[1163]: validating @0x220f220: CK0POJMG874LJREF7EFN8430QVIT8BSM.com NSEC3: no valid signature found
> > Feb 21 16:39:39 davis named[1163]: validating @0x24c0d30: CK0POJMG874LJREF7EFN8430QVIT8BSM.com NSEC3: no valid signature found
> > Feb 21 16:39:39 davis named[1163]: validating @0x198b010: A2MEHD73GB2UACB908FCH30EPFLFHMH7.com NSEC3: no valid signature found
> > Feb 21 16:39:39 davis named[1163]: validating @0x24c0d30: A2MEHD73GB2UACB908FCH30EPFLFHMH7.com NSEC3: no valid signature found
> > Feb 21 16:39:40 davis named[1163]: validating @0x24c0d30: 3RL0HJSI26SCTO21AV9TVIGIPUVPJAI1.com NSEC3: no valid signature found
> > Feb 21 16:39:40 davis named[1163]: validating @0x198b010: 3RL0HJSI26SCTO21AV9TVIGIPUVPJAI1.com NSEC3: no valid signature found
> >
> > samba output in single mode:
> >
> > samba -i -M single
> > samba version 4.0.0alpha18-GIT-89586ed started.
> > Copyright Andrew Tridgell and the Samba Team 1992-2012
> > samba: using 'single' process model
> > ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_UNSUCCESSFUL
> >
> > Any ideas as to what that could be? Thank you for your time and have a
> > great day!
>
> Hi
> I think DLZ is the default. I didn't specify any dns-backend when
> provisioning but I got files I needed to include for named. I had to
> make 2 changes to the bind 9 config as detailed here:
> http://linuxcostablanca.blogspot.com/2012/01/samba-4-ubuntu.html
> HTH
> Steve

Hello Steve, I have the entries in my /etc/named.conf. Not sure what else to try. Based on the logs samba4 is unable to update DNS. And Bind is having issues with a signature by what the /var/log/messages is saying. Any ideas as to what it could be?
Re: [Samba] V4 - New Install - Missing Zone File
On 02/22/2012 12:46 AM, jdf...@cox.net wrote:
>> The default DNS backend has changed to BIND9_DLZ. This means the DNS
>> records are stored in Samba4's AD tree instead of in a normal zone
>> file.
>>
>> I've not tried the above, so am not sure exactly how to set it up.
>> There are some posts about it in the samba-technical mailing list
>> archives, though.
>>
>> For the zone file, re-provision with the following option:
>>
>>     --dns-backend=BIND9_FLATFILE
>>
>> The BIND9_FLATFILE backend is the old way. BIND9_DLZ and
>> SAMBA_INTERNAL are the two new methods. BIND9_DLZ needs a recent
>> version of bind with DLZ dlopen support. The SAMBA_INTERNAL does not
>> yet support signed DNS updates (last I heard).
>>
>> Since I provisioned samba4 before the DLZ option was available I have
>> stuck with BIND9_FLATFILE for now.
>>
>> If you're just starting out, you might want to try the DLZ backend.
>>
>> --
> Thank you for your help! I was able to get a new Bind version to somewhat
> work. I was able to join an XP machine to the domain but DNS seems to not
> be updating correctly. Below you will find the logs that I am seeing.
>
> /var/log/messages:
>
> Feb 21 16:39:39 davis named[1163]: validating @0x24c0d30: com SOA: no valid signature found
> Feb 21 16:39:39 davis named[1163]: validating @0x220f220: com SOA: no valid signature found
> Feb 21 16:39:39 davis named[1163]: validating @0x220f220: CK0POJMG874LJREF7EFN8430QVIT8BSM.com NSEC3: no valid signature found
> Feb 21 16:39:39 davis named[1163]: validating @0x24c0d30: CK0POJMG874LJREF7EFN8430QVIT8BSM.com NSEC3: no valid signature found
> Feb 21 16:39:39 davis named[1163]: validating @0x198b010: A2MEHD73GB2UACB908FCH30EPFLFHMH7.com NSEC3: no valid signature found
> Feb 21 16:39:39 davis named[1163]: validating @0x24c0d30: A2MEHD73GB2UACB908FCH30EPFLFHMH7.com NSEC3: no valid signature found
> Feb 21 16:39:40 davis named[1163]: validating @0x24c0d30: 3RL0HJSI26SCTO21AV9TVIGIPUVPJAI1.com NSEC3: no valid signature found
> Feb 21 16:39:40 davis named[1163]: validating @0x198b010: 3RL0HJSI26SCTO21AV9TVIGIPUVPJAI1.com NSEC3: no valid signature found
>
> samba output in single mode:
>
> samba -i -M single
> samba version 4.0.0alpha18-GIT-89586ed started.
> Copyright Andrew Tridgell and the Samba Team 1992-2012
> samba: using 'single' process model
> ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_UNSUCCESSFUL
>
> Any ideas as to what that could be? Thank you for your time and have a
> great day!

Hi
I think DLZ is the default. I didn't specify any dns-backend when provisioning but I got files I needed to include for named. I had to make 2 changes to the bind 9 config as detailed here:
http://linuxcostablanca.blogspot.com/2012/01/samba-4-ubuntu.html
HTH
Steve
Re: [Samba] V4 - New Install - Missing Zone File
> The default DNS backend has changed to BIND9_DLZ. This means the DNS
> records are stored in Samba4's AD tree instead of in a normal zone
> file.
>
> I've not tried the above, so am not sure exactly how to set it up.
> There are some posts about it in the samba-technical mailing list
> archives, though.
>
> For the zone file, re-provision with the following option:
>
>     --dns-backend=BIND9_FLATFILE
>
> The BIND9_FLATFILE backend is the old way. BIND9_DLZ and
> SAMBA_INTERNAL are the two new methods. BIND9_DLZ needs a recent
> version of bind with DLZ dlopen support. The SAMBA_INTERNAL does not
> yet support signed DNS updates (last I heard).
>
> Since I provisioned samba4 before the DLZ option was available I have
> stuck with BIND9_FLATFILE for now.
>
> If you're just starting out, you might want to try the DLZ backend.
>
> --

Thank you for your help! I was able to get a new Bind version to somewhat work. I was able to join an XP machine to the domain but DNS seems to not be updating correctly. Below you will find the logs that I am seeing.

/var/log/messages:

Feb 21 16:39:39 davis named[1163]: validating @0x24c0d30: com SOA: no valid signature found
Feb 21 16:39:39 davis named[1163]: validating @0x220f220: com SOA: no valid signature found
Feb 21 16:39:39 davis named[1163]: validating @0x220f220: CK0POJMG874LJREF7EFN8430QVIT8BSM.com NSEC3: no valid signature found
Feb 21 16:39:39 davis named[1163]: validating @0x24c0d30: CK0POJMG874LJREF7EFN8430QVIT8BSM.com NSEC3: no valid signature found
Feb 21 16:39:39 davis named[1163]: validating @0x198b010: A2MEHD73GB2UACB908FCH30EPFLFHMH7.com NSEC3: no valid signature found
Feb 21 16:39:39 davis named[1163]: validating @0x24c0d30: A2MEHD73GB2UACB908FCH30EPFLFHMH7.com NSEC3: no valid signature found
Feb 21 16:39:40 davis named[1163]: validating @0x24c0d30: 3RL0HJSI26SCTO21AV9TVIGIPUVPJAI1.com NSEC3: no valid signature found
Feb 21 16:39:40 davis named[1163]: validating @0x198b010: 3RL0HJSI26SCTO21AV9TVIGIPUVPJAI1.com NSEC3: no valid signature found

samba output in single mode:

samba -i -M single
samba version 4.0.0alpha18-GIT-89586ed started.
Copyright Andrew Tridgell and the Samba Team 1992-2012
samba: using 'single' process model
../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_UNSUCCESSFUL

Any ideas as to what that could be? Thank you for your time and have a great day!
Re: [Samba] SELinux Samba Exception on EL6
In RHEL 6, disable_trans booleans were replaced by permissive domains. I'd suggest that you take a look at page 60 of the RHEL Security-Enhanced Linux documentation for more information.

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/pdf/Security-Enhanced_Linux/Red_Hat_Enterprise_Linux-6-Security-Enhanced_Linux-en-US.pdf

Andrew Philipoff
Infrastructure Manager
UCSF Department of Medicine - IT Services
415-476-1344

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Prashanth Sundaram
Sent: Tuesday, February 21, 2012 12:52 PM
To: samba@lists.samba.org
Subject: [Samba] SELinux Samba Exception on EL6

We are planning to migrate to EL6 and came across this issue that I am trying to get around.

Current system spec:
Samba-3.5.10
Selinux-policy-3.7.19
Policycoreutils-2.0.83
Autofs-5.0.5

In EL5 we disabled selinux for samba using 'smbd_disable_trans' directive and the shares work fine. On RHEL6 I couldn't find this Boolean. Is there an alternate directive that accomplishes same? The mounts that I want to share using samba have "autofs_t" context and I don't want to change it.

Any recommendations?
[Samba] Samba w/AD auth on AIX, w/o local users
Hi all,

I have Samba v3.6.0 installed on an AIX 6.1 machine (oslevel 6100-07-02). The packages come courtesy of Bill Jojo's pware repository (thanks, Bill! Was going insane trying to satisfy dependencies...).

I have joined the host to the AD domain and can authenticate myself against Windows 2008 AD (using AD group memberships, as defined in smb.conf per share), but users who want access to the shares cannot do so unless they have a local account on the AIX host.

Now, I was pretty sure this was possible, but some extensive searching has netted results that are ambiguous at best. I'm OK with creating local accounts with /bin/false as their default shells, but I would much prefer to have no local footprint for users connecting to shares (it's an audit hot-topic).

Can this be done with this version of Samba? If so, I will gladly post my smb.conf, perhaps I'm missing a key directive...

Thanks in advance for any and all help!

Steve
[Samba] SELinux Samba Exception on EL6
We are planning to migrate to EL6 and came across this issue that I am trying to get around.

Current system spec:
Samba-3.5.10
Selinux-policy-3.7.19
Policycoreutils-2.0.83
Autofs-5.0.5

In EL5 we disabled selinux for samba using 'smbd_disable_trans' directive and the shares work fine. On RHEL6 I couldn't find this Boolean. Is there an alternate directive that accomplishes same? The mounts that I want to share using samba have "autofs_t" context and I don't want to change it.

Any recommendations?
Re: [Samba] Join to domain
On 02/21/2012 05:29 PM, sandy.napo...@eccmg.cupet.cu wrote:
> Hello list, I am again with the same problem, I need help. I am following the
> steps in the URL https://wiki.samba.org/index.php/Samba4_joining_a_domain,
> when I run
>
> bin/samba-tool domain join samba.example.com DC -Uadministrator --realm=samba.example.com
>
> I have the following error.
>
> root@backup:/usr/local/samba/bin# ./samba-tool domain join eccmg.cupet.cu DC -Usandy --realm=eccmg.cupet.cu
> Finding a writeable DC for domain 'eccmg.cupet.cu'
> Found DC siscont.eccmg.cupet.cu
> Password for [WORKGROUP\sandy]:

Hi
Dunno, but when we've had troubles joining clients it's been either
1. dns. Set the ip of your server as the only setting in resolv.conf
2. make sure sandy can kinit from the box u r trying to join.
Salu2
Steve
[Samba] Join to domain
Hello list, I am again with the same problem, I need help. I am following the steps in the URL https://wiki.samba.org/index.php/Samba4_joining_a_domain, when I run

bin/samba-tool domain join samba.example.com DC -Uadministrator --realm=samba.example.com

I have the following error.

root@backup:/usr/local/samba/bin# ./samba-tool domain join eccmg.cupet.cu DC -Usandy --realm=eccmg.cupet.cu
Finding a writeable DC for domain 'eccmg.cupet.cu'
Found DC siscont.eccmg.cupet.cu
Password for [WORKGROUP\sandy]:
workgroup is ECCMG
realm is eccmg.cupet.cu
checking sAMAccountName
Adding CN=BACKUP,OU=Domain Controllers,DC=eccmg,DC=cupet,DC=cu
Adding CN=BACKUP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=eccmg,DC=cupet,DC=cu
Adding CN=NTDS Settings,CN=BACKUP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=eccmg,DC=cupet,DC=cu
Join failed - cleaning up
checking sAMAccountName
Deleted CN=BACKUP,OU=Domain Controllers,DC=eccmg,DC=cupet,DC=cu
Deleted CN=BACKUP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=eccmg,DC=cupet,DC=cu
ERROR(runtime): uncaught exception - (-1073741790, 'Access denied')
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py", line 162, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line 180, in run
    machinepass=machinepass)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/join.py", line 967, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib/python2.6/site-packages/samba/join.py", line 872, in do_join
    ctx.join_add_objects()
  File "/usr/local/samba/lib/python2.6/site-packages/samba/join.py", line 467, in join_add_objects
    ctx.join_add_ntdsdsa()
  File "/usr/local/samba/lib/python2.6/site-packages/samba/join.py", line 416, in join_add_ntdsdsa
    ctx.DsAddEntry([rec])
  File "/usr/local/samba/lib/python2.6/site-packages/samba/join.py", line 326, in DsAddEntry
    ctx.drsuapi_connect()
  File "/usr/local/samba/lib/python2.6/site-packages/samba/join.py", line 305, in drsuapi_connect
    (ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drs_DsBind(ctx.drsuapi)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/drs_utils.py", line 144, in drs_DsBind
    (info, handle) = drs.DsBind(misc.GUID(drsuapi.DRSUAPI_DS_BIND_GUID), bind_info)
Re: [Samba] V4 - New Install - Missing Zone File
On 02/21/2012 12:26 PM, JDFire wrote:
> Hello List,
>
> I am trying to compile and install Samba 4 using the wiki guide on Centos
> 6.2. I am currently using the current source from git. It seems that the zone
> file used for Bind is not configured and not installed in the private
> directory.
>
> Is there any way to get this file generated so I can finish my install?
>
> Thank you for your time and have a great day!!
>
> Kind regards,
> Jeremy

Hi
Armed only with this information: rerun make where you downloaded the git. Then reprovision.
HTH
Steve
Re: [Samba] V4 - New Install - Missing Zone File
Hi

On 21 February 2012 13:26, JDFire wrote:
> Hello List,
>
> I am trying to compile and install Samba 4 using the wiki guide on Centos
> 6.2. I am currently using the current source from git. It seems that the zone
> file used for Bind is not configured and not installed in the private
> directory.
>
> Is there any way to get this file generated so I can finish my install?

The default DNS backend has changed to BIND9_DLZ. This means the DNS records are stored in Samba4's AD tree instead of in a normal zone file.

I've not tried the above, so am not sure exactly how to set it up. There are some posts about it in the samba-technical mailing list archives, though.

For the zone file, re-provision with the following option:

    --dns-backend=BIND9_FLATFILE

The BIND9_FLATFILE backend is the old way. BIND9_DLZ and SAMBA_INTERNAL are the two new methods. BIND9_DLZ needs a recent version of bind with DLZ dlopen support. The SAMBA_INTERNAL does not yet support signed DNS updates (last I heard).

Since I provisioned samba4 before the DLZ option was available I have stuck with BIND9_FLATFILE for now.

If you're just starting out, you might want to try the DLZ backend.

--
Michael Wood
Re: [Samba] A windows user can create a file, but cannot delete
Michael P. Demelbauer wrote:
> >
> > I have encountered a weird problem (FreeBSD 8.2, samba34-3.4.14).
> > A user can create files in a samba share but cannot delete files from
> > it (unless she is the owner of the file).
> >
> > The user is a member of a group with rwx permissions on this directory
> > granted by a Posix ACL entry. The user can create and delete files in
> > the directory from the shell on the file server (which is correct
> > according to Unix logic), but only create from the Windows client.
> >
> > smbd seems to be interfering somehow with unlink(). If I make the user
> > the owner of the file, or a member of the file's primary group, now
> > the user can delete the file. If a user is a member of some other
> > group which has rwx permissions on the directory, the user can only
> > create files but not delete them.
> >
> > Certainly it's not a Unix permission issue. There is no "read only"
> > attribute on the files, no sticky bit on the directory, no weird
> > UFS file flags and attributes.
> >
> > I have tried "acl check permissions" both yes and no with no effect.
> >
> > TIA for any ideas. I have seen people with similar problems, like
> > http://lists.samba.org/archive/samba/2006-May/120521.html
> > but never a solution.
>
> Sorry, I'm not a Samba-expert, but as far as I know, the following
> parameter(s?) in smb.conf take care of this in our config
> (samba-3.0.9-1.3E.5 on an older linux machine):
> inherit permission = yes
>
> As far as we tested it, Linux-ACLs are working as expected with this.
>
> One more question: You put default permissions on your ACL-entries
> (setfacl ... -m -d ... here) to define what permissions the
> directory passes on?

Yes, there are default permissions (setfacl -d) on the directory but this (and permissions inheritance) should be irrelevant for my question. As I said, the directory in question has correct permissions:

$ getfacl .
# file: .
# owner: domogatskajaev
# group: ntd
user::rwx
group::rwx
group:noc:rwx
group:oe:rwx
group:ptl:rwx
mask::rwx
other::r-x
$

Yet members of groups like "noc" or "oe" (other than "ntd") cannot delete files from it unless they are owners of the file.

> Or are you talking of normal UNIX-Permissions not ACLs?

POSIX ACLs.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
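The filesystem-side decision that the getfacl output in the message above implies, as an added example that is not part of the original thread: it parses that output and applies the POSIX.1e access-check order to decide who may unlink files in the directory. The user names alice, bob and carol and the group staff are hypothetical.

```python
"""Who may unlink files in a directory, judged from its getfacl output."""
from dataclasses import dataclass, field
from typing import Dict, Optional

# getfacl output for the shared directory, copied from the message above.
GETFACL = """\
# file: .
# owner: domogatskajaev
# group: ntd
user::rwx
group::rwx
group:noc:rwx
group:oe:rwx
group:ptl:rwx
mask::rwx
other::r-x
"""


@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_obj: str = "---"
    group_obj: str = "---"
    other: str = "---"
    mask: Optional[str] = None
    users: Dict[str, str] = field(default_factory=dict)    # named user entries
    groups: Dict[str, str] = field(default_factory=dict)   # named group entries


def parse_getfacl(text):
    """Parse the access ACL from getfacl text; default: entries are skipped."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            acl.owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl.group = line.split(":", 1)[1].strip()
        if not line or line.startswith(("#", "default:")):
            continue
        parts = line.split(":")
        if len(parts) < 3:
            continue
        # parts[2][:3] drops a trailing "#effective:..." comment if present
        tag, qualifier, perms = parts[0], parts[1], parts[2][:3]
        if tag == "user":
            if qualifier:
                acl.users[qualifier] = perms
            else:
                acl.user_obj = perms
        elif tag == "group":
            if qualifier:
                acl.groups[qualifier] = perms
            else:
                acl.group_obj = perms
        elif tag == "mask":
            acl.mask = perms
        elif tag == "other":
            acl.other = perms
    return acl


def _bits(perms):
    return frozenset(perms) - {"-"}


def access(acl, user, groups, wanted):
    """POSIX.1e check order: owner, named user, group class, other."""
    want = _bits(wanted)
    mask = _bits(acl.mask) if acl.mask is not None else frozenset("rwx")
    if user == acl.owner:
        return want <= _bits(acl.user_obj)          # owner entry ignores the mask
    if user in acl.users:
        return want <= (_bits(acl.users[user]) & mask)
    matching = [acl.group_obj] if acl.group in groups else []
    matching += [p for g, p in acl.groups.items() if g in groups]
    if matching:
        # a single matching group entry must grant everything requested
        return any(want <= (_bits(p) & mask) for p in matching)
    return want <= _bits(acl.other)


def may_unlink(acl, user, groups, file_owner, sticky=False):
    """unlink() needs write+search on the parent directory; the file's owner
    only matters when the directory carries the sticky bit."""
    if not access(acl, user, groups, "wx"):
        return False
    if sticky:
        return user in (file_owner, acl.owner)
    return True


if __name__ == "__main__":
    acl = parse_getfacl(GETFACL)
    # Hypothetical users: alice is in "noc", carol is in no listed group.
    for user, groups in (("alice", {"noc"}), ("carol", {"staff"})):
        print(user, may_unlink(acl, user, groups, file_owner="bob"))
```

When this returns True for a user whose delete fails over SMB, the refusal is not coming from the directory's ACL.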
[Samba] V4 - New Install - Missing Zone File
Hello List,

I am trying to compile and install Samba 4 using the wiki guide on Centos 6.2. I am currently using the current source from git. It seems that the zone file used for Bind is not configured and not installed in the private directory.

Is there any way to get this file generated so I can finish my install?

Thank you for your time and have a great day!!

Kind regards,
Jeremy
Re: [Samba] Privilege Attribute Certificate (PAC) Disabled/Samba authentication
Hi Andrew,

>Why not run NFS on a different principal? (eg add a new server-nfs
>principal and set a servicePrincipalName: nfs/server)

Thanks. Creating a new machine account in AD for nfs was my fallback option if I couldn't make it work. I'll go ahead with that (unless there is an easier way to achieve the same end in AD).

Cheers
Don
Re: [Samba] A windows user can create a file, but cannot delete
On Tue, Feb 21, 2012 at 12:43:14PM +0700, Victor Sudakov wrote:
> Colleagues,
>
> I have encountered a weird problem (FreeBSD 8.2, samba34-3.4.14).
> A user can create files in a samba share but cannot delete files from
> it (unless she is the owner of the file).
>
> The user is a member of a group with rwx permissions on this directory
> granted by a Posix ACL entry. The user can create and delete files in
> the directory from the shell on the file server (which is correct
> according to Unix logic), but only create from the Windows client.
>
> smbd seems to be interfering somehow with unlink(). If I make the user
> the owner of the file, or a member of the file's primary group, now
> the user can delete the file. If a user is a member of some other
> group which has rwx permissions on the directory, the user can only
> create files but not delete them.
>
> Certainly it's not a Unix permission issue. There is no "read only"
> attribute on the files, no sticky bit on the directory, no weird
> UFS file flags and attributes.
>
> I have tried "acl check permissions" both yes and no with no effect.
>
> TIA for any ideas. I have seen people with similar problems, like
> http://lists.samba.org/archive/samba/2006-May/120521.html
> but never a solution.
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> sip:suda...@sibptus.tomsk.ru

Sorry, I'm not a Samba-expert, but as far as I know, the following parameter(s?) in smb.conf take care of this in our config (samba-3.0.9-1.3E.5 on an older linux machine):

inherit permission = yes

As far as we tested it, Linux-ACLs are working as expected with this.

One more question: You put default permissions on your ACL-entries (setfacl ... -m -d ... here) to define what permissions the directory passes on?

Or are you talking of normal UNIX-Permissions not ACLs?

Cheers
Michael

--
Michael P. Demelbauer
System Administration
WSR
Arsenal, Objekt 20
1030 Wien
--
/earth is 98% full ... please delete anyone you can.
Re: [Samba] A windows user can create a file, but cannot delete
Daniel Müller wrote:
> What kind of file? A simple txt-file or a office file???

Any file, no difference.

> Did you watch the creation on the server?

Excuse me, what do you mean? Of course the file is created on the server in the specified directory. But later on, other users cannot delete it though they have write access to this directory.

> Is it only to one single user?

Any user. Unless the user is the owner of the file, or member of the file's primary group, the user cannot delete the file via SMB.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
Re: [Samba] A windows user can create a file, but cannot delete
What kind of file? A simple txt-file or a office file???
Did you watch the creation on the server?
Is it only to one single user?

---
IT
Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Volker Lendecke
Sent: Tuesday, 21 February 2012 07:29
To: Victor Sudakov
Cc: samba@lists.samba.org; adam.niel...@uq.edu.au
Subject: Re: [Samba] A windows user can create a file, but cannot delete

Hi!

Are you using security=share? We have issues there right now that need resolving.

With best regards,
Volker Lendecke

On Tue, Feb 21, 2012 at 12:43:14PM +0700, Victor Sudakov wrote:
> Colleagues,
>
> I have encountered a weird problem (FreeBSD 8.2, samba34-3.4.14).
> A user can create files in a samba share but cannot delete files from
> it (unless she is the owner of the file).
>
> The user is a member of a group with rwx permissions on this directory
> granted by a Posix ACL entry. The user can create and delete files in
> the directory from the shell on the file server (which is correct
> according to Unix logic), but only create from the Windows client.
>
> smbd seems to be interfering somehow with unlink(). If I make the user
> the owner of the file, or a member of the file's primary group, now
> the user can delete the file. If a user is a member of some other
> group which has rwx permissions on the directory, the user can only
> create files but not delete them.
>
> Certainly it's not a Unix permission issue. There is no "read only"
> attribute on the files, no sticky bit on the directory, no weird UFS
> file flags and attributes.
>
> I have tried "acl check permissions" both yes and no with no effect.
>
> TIA for any ideas. I have seen people with similar problems, like
> http://lists.samba.org/archive/samba/2006-May/120521.html
> but never a solution.
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN sip:suda...@sibptus.tomsk.ru

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kont...@sernet.de
Re: [Samba] Samba domain member server using only nss ldap
Thanks, I'll try your solution

On Mon, Feb 20, 2012 at 10:56 AM, Angel Bosch wrote:
> Hi,
>
> not sure if you solved this. I'll give my advice anyway.
>
> if you know how to configure NSS/LDAP at system level is the simplest way
> i've found to configure a member server.
>
> first, be sure to have all nss related configured (nsswitch.conf,
> ldap.conf) and check it with "getent passwd" and "getent group".
>
> once you have that, create a machine account on the PDC and join the
> member server (net rpc join).
>
> then configure member server as a simple file server with no reference to
> LDAP. you don't need any ldap setting in smb.conf, just something like:
>
> [global]
>    workgroup = MYDOM
>    server string = %h server
>    security = DOMAIN
>    password server = mypdc.example.com
>
> [prova3]
>    comment = proves de membre samba
>    path = /tmp/prova3
>    read only = No
>    guest ok = Yes
>
> this is the simplest way i've found to do it.
>
> regards,
>
> abosch
>
> - Original Message -
> From: "Alex Domoradov"
> To: samba@lists.samba.org
> Sent: Wednesday, February 15, 2012 10:29:19 PM
> Subject: Re: [Samba] Samba domain member server using only nss ldap
>
> > On a member server, the ldap backend should not be needed for user and
> > group look up. You do need some sort of idmapping for the unix level to
> > see the UID's and GID's assigned to the samba users, and use those uid's
> > and gid's to set file permissions.
> I need to do idmapping via winbind or something else?
>
> > I haven't had much luck with member servers either. it does get trickier
> > when you have ldap used for both unix accounts and samba accounts. I
> > found it easier to configure my primary machines as domain controllers.
> I need to use LDAP only for samba accounts, not local (unix)
>
> > I think generally your nsswitch.conf file should include entries to allow
> > unix to retrieve uid's and gid's from winbind.
> > passwd: files ldap winbind
> > shadow: files ldap winbind
> > group: files ldap winbind
> but according to
> http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap
> If I have one domain and all server are the member of this domain there is
> no need to use winbind at all. Did I miss something?
>
> > This means that you would be able to type "getent user1" and "getent
> > MYDOMAIN\user1." I
> I don't need such case, in my case local and domain users always unique
>
> > I think it appears you are getting group information from winbind since
> > have the "force group" entry in smb.conf.
> It's strange. When I added force user to the share description, samba set
> uid of the new file from ldap
>
> > You should look at the man page for idmap_nss. In theory, this should
> > let you use a local backend to store the idmap entries, and the idmap
> > system should use map the SID's to the existing unix uid and gid. Never
> > worked for me in practice.
> I read the man
> http://www.samba.org/samba/docs/man/manpages-3/idmap_nss.8.html but didn't
> get clear understanding
>
> > Alternately, you may want to manually edit the idmap entries in ldap.
> > The domain controller should have automatically created them.
> there are a 10-15 entries in the ou Idmap