Re: [Samba] Samba Share - MS Excel when saving "can't access the file, there are several possible reasons"

2012-07-02 Thread Daniel Müller
Hi,

Try this

directory mask = 2770
force directory mode = 2770
create mask = 2770
force create mode = 2770
force security mode = 2770
force directory security mode = 2770
force group = yourgroup

Give the directory the sticky bit for the group

Good Luck
Daniel

---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
Behalf Of Günter Kukkukk
Sent: Tuesday, 3 July 2012 06:45
To: samba@lists.samba.org
Subject: Re: [Samba] Samba Share - MS Excel when saving “can't access the
file, there are several possible reasons”

On Tuesday, 3 July 2012, 06:16:45, Gibransyah Fakhri wrote:
> Hello all samba fans.., Long live open source :) Thanks to the
> @adminbot for approving me to join this mailing list.
> 
> Please allow me to ask the question,
> I have a weird problem in my samba share. I have one share definition 
> for 3 client (A,B,C) This share contain some excel file which having a 
> lot of formula and linked each other.
> Client A access the file with libre office (ubuntu), client B access 
> with WinXP & MS Office 2003, The write and read process working 
> successfully on Both of them.
> 
> The problem occur when client C accessing the same file with MS Excel
> 2003 (windows xp). This messagebox appear when he saving the file :
> 
> "Microsoft office excel cannot access the \\192.168.1.23\myshare\ 
> There are several possible reasons:
> 
>  - The File ort path does not exist The file is being used by 
> another program.
>  - The workbook you are trying to save has the same name as a
>  - Currently open workbooks."
> 
> I was trying http://support.microsoft.com/kb/291204 but it didn't work.
> Below is my share definition :
> 
> [brainshare]
> comment = brainshare
> path = /opt/brainshare/
> valid users = @brainshare
> force group = brainshare
> read only = No
> create mask = 0775
> veto files = /*.scr/*.eml/thumbs.com/
> 
> Help me please... Thanks in advance !
> Server: Ubuntu 10.10, Samba version 3.5.4
> 
> --
> Thinking out of the box

what does "smbstatus" (run as root) on the samba server show when all 3
clients have the same file open?

Does this only happen when _all_ 3 clients access that file at the same
time?

So, does it work when only B and C (windows xp) clients access that file?

Cheers, Günter
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba



Re: [Samba] Samba Share - MS Excel when saving “can't access the file, there are several possible reasons”

2012-07-02 Thread Günter Kukkukk
On Tuesday, 3 July 2012, 06:16:45, Gibransyah Fakhri wrote:
> Hello all samba fans.., Long live open source :)
> Thanks to the @adminbot for approving me to join this mailing list.
> 
> Please allow me to ask the question,
> I have a weird problem in my samba share. I have one share definition
> for 3 client (A,B,C) This share contain some excel file which having a
> lot of formula and linked each other.
> Client A access the file with libre office (ubuntu), client B access
> with WinXP & MS Office 2003, The write and read process working
> successfully on Both of them.
> 
> The problem occur when client C accessing the same file with MS Excel
> 2003 (windows xp). This messagebox appear when he saving the file :
> 
> "Microsoft office excel cannot access the \\192.168.1.23\myshare\
> There are several possible reasons:
> 
>  - The File ort path does not exist The file is being used by
> another program.
>  - The workbook you are trying to save has the same name as a
>  - Currently open workbooks."
> 
> I was trying http://support.microsoft.com/kb/291204 but it didn't work.
> Below is my share definition :
> 
> [brainshare]
> comment = brainshare
> path = /opt/brainshare/
> valid users = @brainshare
> force group = brainshare
> read only = No
> create mask = 0775
> veto files = /*.scr/*.eml/thumbs.com/
> 
> Help me please... Thanks in advance !
> Server: Ubuntu 10.10, Samba version 3.5.4
> 
> --
> Thinking out of the box

what does "smbstatus" (run as root) on the samba server show when
all 3 clients have the same file open?

Does this only happen when _all_ 3 clients access that file at the same time?

So, does it work when only B and C (windows xp) clients access that file?

Cheers, Günter


[Samba] Samba Share - MS Excel when saving “can't access the file, there are several possible reasons”

2012-07-02 Thread Gibransyah Fakhri
Hello all samba fans.., Long live open source :)
Thanks to the @adminbot for approving me to join this mailing list.

Please allow me to ask the question,
I have a weird problem in my samba share. I have one share definition
for 3 client (A,B,C) This share contain some excel file which having a
lot of formula and linked each other.
Client A access the file with libre office (ubuntu), client B access
with WinXP & MS Office 2003, The write and read process working
successfully on Both of them.

The problem occur when client C accessing the same file with MS Excel
2003 (windows xp). This messagebox appear when he saving the file :

"Microsoft office excel cannot access the \\192.168.1.23\myshare\
There are several possible reasons:

 - The File ort path does not exist The file is being used by
another program.
 - The workbook you are trying to save has the same name as a
 - Currently open workbooks."

I was trying http://support.microsoft.com/kb/291204 but it didn't work.
Below is my share definition :

[brainshare]
comment = brainshare
path = /opt/brainshare/
valid users = @brainshare
force group = brainshare
read only = No
create mask = 0775
veto files = /*.scr/*.eml/thumbs.com/

Help me please... Thanks in advance !
Server: Ubuntu 10.10, Samba version 3.5.4

--
Thinking out of the box


Re: [Samba] Error building samba-4.0.0beta2 on Solaris 10 update 9

2012-07-02 Thread Andrew Bartlett
On Tue, 2012-06-26 at 12:05 +0100, Tom Crummey wrote:
> Hello,
> 
> When attempting to build samba-4.0.0beta2 on Solaris 10 update 9, the
> following error is produced:
> 
> 
> 
> [ 530/3371] Compiling lib/tdb/test/external-agent.c
> ../lib/tdb/test/external-agent.c:7:17: error: err.h: No such file or
> directory
> Waf: Leaving directory `/usr/local/src/samba-4.0.0beta2/bin'
> Build failed:  -> task failed (err #1):
> {task: cc external-agent.c -> external-agent_17.o}
> *** Error code 1
> make: Fatal error: Command failed for target `all'
> 
> I've seen some postings regarding something similar on samba-technical,
> but they seemed to imply the issue had been fixed. What have I missed?
> 
> ./configure --prefix=/opt/samba

We think this is all fixed in Samba 4.0 beta3, which I just released.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org



Re: [Samba] Samba 4 & Smart card logon

2012-07-02 Thread Andrew Bartlett
On Mon, 2012-07-02 at 17:24 +0300, Charalampos Anargyrou wrote:
> Hello list,
> 
> I have installed and configured a domain with Samba version 
> 4.0.0beta2-GIT-7e80b89 on a CentOS 6.2
> 
> I can successfully join a Windows PC in the domain (both Windows XP and 
> Windows 7 tested)
> 
> Now, I am trying to move a step forward and I would like to configure 
> Samba to accept Windows smart card logon
> This is a requirement for a project I am involved to
> 
> I have already installed the required client on Windows and I have a 
> smart card for testing
> I have already installed EJBCA as my CA on CentOS 6.2
> 
> On Samba wiki the how to in 
> http://wiki.samba.org/index.php/Samba4/Smart_Card_Login is not ready, so 
> if anyone can help I will appreciate it
> According to the headers in the how to, I have to configure Heimdal to 
> accept PKINIT
> I found a guide on 
> http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-PK_002dINIT.html
> I've also found a guide on 
> http://k5wiki.kerberos.org/wiki/Pkinit_configuration for MIT Kerberos 
> which has some more info on the certificates
> 
> I have created the Kerberos certificate according to what I have 
> understood from the guides but I don't know how to test if the 
> certificate is correct
> So, my first question is how to test if the Kerberos certificate is correct?
> Second question is when I create a client certificate (I think I 
> understood from the guides how to create) how I will test it?
> Will a kinit command like "kinit -C FILE:$HOME/clientcert.crt 
> example-user@EXAMPLE-DOMAIN" be enough to test the client certificate?

I think so, see testprogs/blackbox/test_pkinit.sh for our tests of this
functionality. 

> And a final question (for now) is if there is any kind of documentation 
> related to "Configure Samba4 to know about the certificate" and where I 
> can find it?

Sorry, while some have had success with this, we didn't end up getting
it documented.  If you could fill in the wiki with your experiences,
that would be most valuable to others!

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org



Re: [Samba] smb.conf for around 2500 users

2012-07-02 Thread John Heim

From: "steve" 
To: 
Sent: Monday, July 02, 2012 4:09 PM
Subject: Re: [Samba] smb.conf for around 2500 users



> On 02/07/12 21:17, Matthieu Patou wrote:
>> On 07/02/2012 08:39 AM, steve wrote:
>>> Samba4 with Linux and Windows clients wanting to get the same home
>>> folder data.
>>>
>>> Hi
>>> A college has students arranged with Linux home directories according
>>> to which year they belong to and which class within that year, a or b
>>> or whatever, they belong to e.g.:
>>> /home2/students/year7/year7a/student1
>>> /home2/students/year7/year7a/student2
>>> ...
>>> ...
>>> /home2/students/year13/year13a/student2500
>>>
>>> To get at the same data on windows, I was thinking of a share for each
>>> of the classes e.g.
>>> [year7a]
>>> path = /home2/students/year7/year7a
>>> read only = No
>>> browsable = No
>>> ...
>>> ...
>>> [year13a]
>>> path = /home2/students/year13/year13a
>>> read only = No
>>> browsable = No
>>>
>>> and mapping a drive letter to the share e.g.
>>> map Z: to \\server\year7a\%USERNAME%
>>>
>>> That would make lots of shares but would make it readable to non admins.
>>>
>>> Is there a limit on the number of shares per installation?
>>> Any other ideas of how to go about it? e.g. I thought about OU's but
>>> we do not want to administer from Windows.
>>
>> Did you thought about making a new directory ie.
>> /home2/students/data with a link to each real user and then sharing data
>> like that
>>
>> [data]
>> path = /home2/students/data
>> read only = No
>> browsable = No
>>
>> And then use ADUC or ldbedit to specify the connect to attribute and set
>> it to \\servername\data\%username%
>
> Hi Matthieu,
> That looks promising. Will cifs symlink, or are we still at ext4 level
> here?
>
> Are you saying that a real student e.g.
> /home2/students/year7/year7a/steve
> has a symlink in
> /home2/students/data
> ??
> Would that be e.g. for student steve:
> ln -s /home2/students/year7/year7a/steve /home2/students/data/steve
> (or is the link the other way around?)
>
> All students then have a link in
> /home2/students/data/
> irrespective of which class they are in.
>
> For all students, I then map, e.g.  Z:
>  to
> \\servername\data\%USERNAME%
>
> Am I close?



Well, that would probably work but we have a similar problem and took a
different approach. We configure a net share through a logon script for our
users. In our smb.conf, we configure samba to call a perl script called
sambalogon like this:


root preexec = /usr/local/sbin/sambalogin %U %m %M %G %L
root postexec = rm -f /var/lib/samba/netlogon/%U.bat

The preexec script generates a Windows batch script that maps the user's
home to their X: drive. The postexec command deletes the Windows batch file.
In the perl script, we do an ldap query to get the user's home and then put
a "net use" command into the batch script that maps their home to their X:
drive.


#!/usr/bin/perl
use strict;
use warnings;
# Arguments arrive in the order given to "root preexec": %U %m %M %G %L
my ($user, $machine, $host, $group, $server) = @ARGV;
open(my $logon, '>', "/var/lib/samba/netlogon/$user.bat")
    or die "cannot write logon script for $user: $!";
print $logon "\@ECHO OFF\r\n";
my $home = gethome($user, $group);  # LDAP lookup, not shown in the post
if ($home)
 { print $logon "NET USE X: $home\\homes\r\n"; }
close($logon);

The exact contents of the gethome function is left as an exercise for the
reader.
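
An added example, not part of John Heim's post or his script: the same preexec generator in Python, with the checks a hook run through "root preexec" needs, since %U is the name the client asked for and the hook writes files as root. The user-name pattern, the shape of the looked-up value (a server prefix such as \\fileserver1) and the function names are assumptions.

```python
"""Write a per-user logon batch file from a Samba "root preexec" hook."""
import os
import re
import tempfile

NETLOGON_DIR = "/var/lib/samba/netlogon"  # directory used in the post

# Assumption: account names are short POSIX-style names. Anything else,
# including path separators, is refused before it becomes a file name.
USERNAME = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]{0,31}")
# Assumption: the directory lookup returns a server prefix such as \\fileserver1.
SERVER_UNC = re.compile(r"\\\\[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*")


def script_path(user, base=NETLOGON_DIR):
    """Return <base>/<user>.bat, refusing anything that is not a plain name."""
    if not USERNAME.fullmatch(user):
        raise ValueError(f"refusing user name {user!r}")
    return os.path.join(base, user + ".bat")


def render(home_server):
    """Return the batch text; the value is checked because cmd.exe parses it."""
    if not SERVER_UNC.fullmatch(home_server):
        raise ValueError(f"refusing home server {home_server!r}")
    return "@ECHO OFF\r\nNET USE X: " + home_server + "\\homes\r\n"


def write_logon_script(user, home_server, base=NETLOGON_DIR):
    """Validate both inputs, then create the batch file atomically."""
    path = script_path(user, base)
    body = render(home_server)
    # mkstemp always creates a new file, so an existing symlink at the final
    # path is replaced by the rename instead of being written through.
    fd, tmp = tempfile.mkstemp(dir=base, prefix=".logon-")
    try:
        with os.fdopen(fd, "w", newline="") as handle:
            handle.write(body)
        os.chmod(tmp, 0o644)  # clients read it over the netlogon share
        os.replace(tmp, path)
    except OSError:
        os.unlink(tmp)
        raise
    return path


def lookup_home(user, group):
    """Hypothetical stand-in for the LDAP query the post leaves to the reader."""
    return "\\\\fileserver1"  # constructed value


if __name__ == "__main__":
    import sys

    if len(sys.argv) < 5:
        sys.exit("usage: sambalogon %U %m %M %G %L")
    user, group = sys.argv[1], sys.argv[4]
    write_logon_script(user, lookup_home(user, group))
```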



Re: [Samba] smb.conf for around 2500 users

2012-07-02 Thread Lukasz Zalewski

On 02/07/2012 21:20, steve wrote:
> On 02/07/12 18:50, Lukasz Zalewski wrote:
>> On 02/07/12 17:20, steve wrote:
>>> On 02/07/12 17:49, Jonathan Buzzard wrote:
>>>> On Mon, 2012-07-02 at 17:39 +0200, steve wrote:
>>
>> Hi Steve,
>> Have you considered using autofs to do all of the mapping work for you,
>> so that you have only one /homes/ (or whatever else you want to call it)
>> to worry about?
>>
>> L
>
> Hi Lukasz
>
> Yes, that's exactly what we are doing at the moment. Our Linux clients
> get their home directory automounted via nfs. It works fine.
>
> What I want is for that same home directory to be mapped to a windows
> drive letter. My method of having one share per class works, but would
> create over 30 shares. I'm not sure that having this many shares is
> advisable. I can find few examples of smb.conf's with more than but a
> handful of shares.
>
> Cheers,
> Steve


Hi Steve,
Maybe I have misunderstood what you are trying to do but if you already 
have automounter doing the right thing - maybe for the sake of argument 
mapping

/home2/students/year7/year7a/student1
/home2/students/year7/year7a/student2
...
...
/home2/students/year13/year13a/student2500
to
/homes/student1
/homes/student2
...
...
/homes/student250

then you need only [homes] share in the smb.conf,
and then (similarly to Matthieu's suggestion) provide 
\\servername\%username%

for homeDirectory attribute (and profilePath if you want roaming profiles)?


HTH

L


Re: [Samba] smb.conf for around 2500 users

2012-07-02 Thread Steve Thompson

On Mon, 2 Jul 2012, steve wrote:

> What I want is for that same home directory to be mapped to a windows drive
> letter. My method of having one share per class works, but would create over
> 30 shares. I'm not sure that having this many shares is advisable. I can find
> few examples of smb.conf's with more than but a handful of shares.


I have over 1000 shares - it works fine.

Steve


Re: [Samba] smb.conf for around 2500 users

2012-07-02 Thread steve

On 02/07/12 18:50, Lukasz Zalewski wrote:
> On 02/07/12 17:20, steve wrote:
>> On 02/07/12 17:49, Jonathan Buzzard wrote:
>>> On Mon, 2012-07-02 at 17:39 +0200, steve wrote:
>
> Hi Steve,
> Have you considered using autofs to do all of the mapping work for you,
> so that you have only one /homes/ (or whatever else you want to call it)
> to worry about?
>
> L

Hi Lukasz

Yes, that's exactly what we are doing at the moment. Our Linux clients 
get their home directory automounted via nfs. It works fine.


What I want is for that same home directory to be mapped to a windows 
drive letter. My method of having one share per class works, but would 
create over 30 shares. I'm not sure that having this many shares is 
advisable. I can find few examples of smb.conf's with more than but a 
handful of shares.


Cheers,
Steve


Re: [Samba] smb.conf for around 2500 users

2012-07-02 Thread steve

On 02/07/12 21:17, Matthieu Patou wrote:
> On 07/02/2012 08:39 AM, steve wrote:
>> Samba4 with Linux and Windows clients wanting to get the same home
>> folder data.
>>
>> Hi
>> A college has students arranged with Linux home directories according
>> to which year they belong to and which class within that year, a or b
>> or whatever, they belong to e.g.:
>> /home2/students/year7/year7a/student1
>> /home2/students/year7/year7a/student2
>> ...
>> ...
>> /home2/students/year13/year13a/student2500
>>
>> To get at the same data on windows, I was thinking of a share for each
>> of the classes e.g.
>> [year7a]
>> path = /home2/students/year7/year7a
>> read only = No
>> browsable = No
>> ...
>> ...
>> [year13a]
>> path = /home2/students/year13/year13a
>> read only = No
>> browsable = No
>>
>> and mapping a drive letter to the share e.g.
>> map Z: to \\server\year7a\%USERNAME%
>>
>> That would make lots of shares but would make it readable to non admins.
>>
>> Is there a limit on the number of shares per installation?
>> Any other ideas of how to go about it? e.g. I thought about OU's but
>> we do not want to administer from Windows.
>
> Did you thought about making a new directory ie.
> /home2/students/data with a link to each real user and then sharing data
> like that
>
> [data]
> path = /home2/students/data
> read only = No
> browsable = No
>
> And then use ADUC or ldbedit to specify the connect to attribute and set
> it to \\servername\data\%username%


Hi Matthieu,
That looks promising. Will cifs symlink, or are we still at ext4 level here?

Are you saying that a real student e.g.
/home2/students/year7/year7a/steve
has a symlink in
/home2/students/data
??
Would that be e.g. for student steve:
ln -s /home2/students/year7/year7a/steve /home2/students/data/steve
(or is the link the other way around?)

All students then have a link in
/home2/students/data/
irrespective of which class they are in.

For all students, I then map, e.g.  Z:
 to
\\servername\data\%USERNAME%

Am I close?

Cheers and thanks for your patience.
Steve


Re: [Samba] smb.conf for around 2500 users

2012-07-02 Thread Matthieu Patou

On 07/02/2012 08:39 AM, steve wrote:
> Samba4 with Linux and Windows clients wanting to get the same home
> folder data.
>
> Hi
> A college has students arranged with Linux home directories according
> to which year they belong to and which class within that year, a or b
> or whatever, they belong to e.g.:
>
> /home2/students/year7/year7a/student1
> /home2/students/year7/year7a/student2
> ...
> ...
> /home2/students/year13/year13a/student2500
>
> To get at the same data on windows, I was thinking of a share for each
> of the classes e.g.
>
> [year7a]
> path = /home2/students/year7/year7a
> read only = No
> browsable = No
> ...
> ...
> [year13a]
> path = /home2/students/year13/year13a
> read only = No
> browsable = No
>
> and mapping a drive letter to the share e.g.
> map Z: to \\server\year7a\%USERNAME%
>
> That would make lots of shares but would make it readable to non admins.
>
> Is there a limit on the number of shares per installation?
> Any other ideas of how to go about it? e.g. I thought about OU's but
> we do not want to administer from Windows.

Did you thought about making a new directory ie.
/home2/students/data with a link to each real user and then sharing data 
like that


[data]
path = /home2/students/data
read only = No
browsable = No

And then use ADUC or ldbedit to specify the connect to attribute and set 
it to \\servername\data\%username%


This fields accept a couple of placeholder I let you discover the others 
(search engines are your friend).


Matthieu.


> Cheers,
> Steve




--
Matthieu Patou
Samba Team
http://samba.org



Re: [Samba] smb.conf for around 2500 users

2012-07-02 Thread Lukasz Zalewski

On 02/07/12 17:20, steve wrote:
> On 02/07/12 17:49, Jonathan Buzzard wrote:
>> On Mon, 2012-07-02 at 17:39 +0200, steve wrote:
>>> Samba4 with Linux and Windows clients wanting to get the same home
>>> folder data.
>>>
>>> Hi
>>> A college has students arranged with Linux home directories according to
>>> which year they belong to and which class within that year, a or b or
>>> whatever, they belong to e.g.:
>>> /home2/students/year7/year7a/student1
>>> /home2/students/year7/year7a/student2
>>> ...
>>> ...
>>> /home2/students/year13/year13a/student2500
>>>
>>> To get at the same data on windows, I was thinking of a share for each
>>> of the classes e.g.
>>> [year7a]
>>> path = /home2/students/year7/year7a
>>> read only = No
>>> browsable = No
>>> ...
>>> ...
>>> [year13a]
>>> path = /home2/students/year13/year13a
>>> read only = No
>>> browsable = No
>>>
>>> and mapping a drive letter to the share e.g.
>>> map Z: to \\server\year7a\%USERNAME%
>>
>> Deal with it through your NSS mechanism so that the file server knows
>> for \\server\%USERNAME% where the users home directory is actually
>> located and then you can just use the special [homes] share.
>>
>> I do this with winbind and the unixHomeDirectory attribute in AD.
>>
>> JAB.
>
> Hi Jonathan
> Thanks for the quick response.
>
> I think I must be missing something here because as far as I can see,
> winbindd puts all users into the directory specified in template
> homedir. [homes] then picks out the user from there.
>
> At the moment we are using nss-pam-ldapd to grab the unixHomeDirectory
> from AD. How do I get winbindd or nss to map unixHomeDirectory to
> something I can then map to a windows drive letter?
>
> Cheers,
> Steve


Hi Steve,
Have you considered using autofs to do all of the mapping work for you, 
so that you have only one /homes/ (or whatever else you want to call it) 
to worry about?


L


Re: [Samba] A device attached to the system is not functioning

2012-07-02 Thread Lukasz Zalewski

On 02/07/12 16:15, Alan Holt wrote:
> Also, this is SID of groups in domain:
>
> # net groupmap list
> Domain Admins (S-1-5-21-2139989288-483860436-2398042574-512) ->  Domain
> Admins
> Domain Users (S-1-5-21-2139989288-483860436-2398042574-513) ->  Domain Users
> Domain Guests (S-1-5-21-2139989288-483860436-2398042574-514) ->  Domain
> Guests
> Domain Computers (S-1-5-21-2139989288-483860436-2398042574-515) ->  Domain
> Computers
> Administrators (S-1-5-32-544) ->  Administrators
>
> and this is SID of my user:
> # pdbedit -Lv alexander
> User SID: S-1-5-21-2139989288-483860436-2398042574-3186
> Primary Group SID:S-1-5-21-3745118107-2241246581-749181168-513-513
>
> They are completely different



Hi Alan,
I do not know how you came about this setup, but from a quick glance the 
sid defined in alexander's Primary Group SID is incorrect:

Domain Users' sid is defined by
SID: S-1-5-21domain-513 (from http://support.microsoft.com/kb/243330)
So it seems to me that:
1) you have additional -513 appended at the end
2) Your domain portion of the sid for Primary Group SID is different to 
the one used in the User SID and to the ones listed by net groupmap admins
So shouldn't alexander's Primary Group SID be 
S-1-5-21-2139989288-483860436-2398042574-513?


HTH

L
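
The two checks Lukasz describes (an extra trailing -513, and a domain portion that differs from the User SID), as an added example that is not part of the original thread. It parses `pdbedit -Lv` output; the sample text is constructed from the values quoted above, and the function names are assumptions.

```python
"""Check `pdbedit -Lv <user>` output for the SID mismatch discussed above."""
import re

# A domain account SID is S-1-5-21-<a>-<b>-<c>-<RID>: the three values after
# 21 identify the domain, the last value is the relative ID (RID).
DOMAIN_ACCOUNT_SID = re.compile(r"S-1-5-21((?:-\d+)+)")
FIELD = re.compile(r"^(User SID|Primary Group SID):\s*(\S+)", re.MULTILINE)


def split_sid(sid):
    """Return (domain_sid, trailing_values) for an S-1-5-21-... SID.

    domain_sid is always built from the first three values after 21, so a SID
    with a surplus value can still be compared domain against domain.
    """
    match = DOMAIN_ACCOUNT_SID.fullmatch(sid)
    if match is None:
        raise ValueError(f"not an S-1-5-21 domain SID: {sid!r}")
    values = match.group(1).lstrip("-").split("-")
    if len(values) < 4:
        raise ValueError(f"too few sub-authorities: {sid!r}")
    return "S-1-5-21-" + "-".join(values[:3]), [int(v) for v in values[3:]]


def check_account(pdbedit_text, expected_domain_sid=None):
    """Return a list of findings; an empty list means the SIDs are consistent."""
    fields = dict(FIELD.findall(pdbedit_text))
    findings, domains = [], {}
    for name in ("User SID", "Primary Group SID"):
        if name not in fields:
            findings.append(f"{name}: missing from output")
            continue
        try:
            domain, trailing = split_sid(fields[name])
        except ValueError as exc:
            findings.append(f"{name}: {exc}")
            continue
        domains[name] = domain
        if len(trailing) != 1:
            findings.append(
                f"{name}: {len(trailing)} values after the domain part, "
                "expected a single RID"
            )
        if expected_domain_sid and domain != expected_domain_sid:
            findings.append(
                f"{name}: domain part {domain} is not {expected_domain_sid}"
            )
    if len(set(domains.values())) == 2:
        findings.append("User SID and Primary Group SID are in different domains")
    return findings


# Constructed sample: the two fields as quoted in the thread for user alexander.
SAMPLE = """\
User SID:             S-1-5-21-2139989288-483860436-2398042574-3186
Primary Group SID:    S-1-5-21-3745118107-2241246581-749181168-513-513
"""
# Domain part of the Domain Users entry in the quoted `net groupmap list`.
DOMAIN_SID = "S-1-5-21-2139989288-483860436-2398042574"
# The same record with the Primary Group SID value asked about in the reply.
FIXED = SAMPLE.replace(
    "S-1-5-21-3745118107-2241246581-749181168-513-513", DOMAIN_SID + "-513"
)

if __name__ == "__main__":
    for finding in check_account(SAMPLE, DOMAIN_SID):
        print(finding)
```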


Re: [Samba] smb.conf for around 2500 users

2012-07-02 Thread steve

On 02/07/12 17:49, Jonathan Buzzard wrote:
> On Mon, 2012-07-02 at 17:39 +0200, steve wrote:
>> Samba4 with Linux and Windows clients wanting to get the same home
>> folder data.
>>
>> Hi
>> A college has students arranged with Linux home directories according to
>> which year they belong to and which class within that year, a or b or
>> whatever, they belong to e.g.:
>> /home2/students/year7/year7a/student1
>> /home2/students/year7/year7a/student2
>> ...
>> ...
>> /home2/students/year13/year13a/student2500
>>
>> To get at the same data on windows, I was thinking of a share for each
>> of the classes e.g.
>> [year7a]
>> path = /home2/students/year7/year7a
>> read only = No
>> browsable = No
>> ...
>> ...
>> [year13a]
>> path = /home2/students/year13/year13a
>> read only = No
>> browsable = No
>>
>> and mapping a drive letter to the share e.g.
>> map Z: to \\server\year7a\%USERNAME%
>
> Deal with it through your NSS mechanism so that the file server knows
> for \\server\%USERNAME% where the users home directory is actually
> located and then you can just use the special [homes] share.
>
> I do this with winbind and the unixHomeDirectory attribute in AD.
>
> JAB.


Hi Jonathan
Thanks for the quick response.

I think I must be missing something here because as far as I can see, 
winbindd puts all users into the directory specified in template 
homedir. [homes] then picks out the user from there.


At the moment we are using nss-pam-ldapd to grab the unixHomeDirectory 
from AD. How do I get winbindd or nss to map unixHomeDirectory to 
something I can then map to a windows drive letter?


Cheers,
Steve


Re: [Samba] smb.conf for around 2500 users

2012-07-02 Thread Jonathan Buzzard

On Mon, 2012-07-02 at 17:39 +0200, steve wrote:
> Samba4 with Linux and Windows clients wanting to get the same home 
> folder data.
> 
> Hi
> A college has students arranged with Linux home directories according to 
> which year they belong to and which class within that year, a or b or 
> whatever, they belong to e.g.:
> /home2/students/year7/year7a/student1
> /home2/students/year7/year7a/student2
> ...
> ...
> /home2/students/year13/year13a/student2500
> 
> To get at the same data on windows, I was thinking of a share for each 
> of the classes e.g.
> [year7a]
> path = /home2/students/year7/year7a
> read only = No
> browsable = No
> ...
> ...
> [year13a]
> path = /home2/students/year13/year13a
> read only = No
> browsable = No
>
> and mapping a drive letter to the share e.g.
> map Z: to \\server\year7a\%USERNAME%
> 

Deal with it through your NSS mechanism so that the file server knows
for \\server\%USERNAME% where the users home directory is actually
located and then you can just use the special [homes] share.

I do this with winbind and the unixHomeDirectory attribute in AD.

JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.




[Samba] smb.conf for around 2500 users

2012-07-02 Thread steve
Samba4 with Linux and Windows clients wanting to get the same home 
folder data.


Hi
A college has students arranged with Linux home directories according to 
which year they belong to and which class within that year, a or b or 
whatever, they belong to e.g.:

/home2/students/year7/year7a/student1
/home2/students/year7/year7a/student2
...
...
/home2/students/year13/year13a/student2500

To get at the same data on windows, I was thinking of a share for each 
of the classes e.g.

[year7a]
path = /home2/students/year7/year7a
read only = No
browsable = No
...
...
[year13a]
path = /home2/students/year13/year13a
read only = No
browsable = No

and mapping a drive letter to the share e.g.
map Z: to \\server\year7a\%USERNAME%

That would make lots of shares but would make it readable to non admins.

Is there a limit on the number of shares per installation?
Any other ideas of how to go about it? e.g. I thought about OU's but we 
do not want to administer from Windows.


Cheers,
Steve



Re: [Samba] A device attached to the system is not functioning

2012-07-02 Thread Alan Holt
Also, this is SID of groups in domain:

# net groupmap list
Domain Admins (S-1-5-21-2139989288-483860436-2398042574-512) -> Domain
Admins
Domain Users (S-1-5-21-2139989288-483860436-2398042574-513) -> Domain Users
Domain Guests (S-1-5-21-2139989288-483860436-2398042574-514) -> Domain
Guests
Domain Computers (S-1-5-21-2139989288-483860436-2398042574-515) -> Domain
Computers
Administrators (S-1-5-32-544) -> Administrators

and this is SID of my user:
# pdbedit -Lv alexander
User SID: S-1-5-21-2139989288-483860436-2398042574-3186
Primary Group SID:S-1-5-21-3745118107-2241246581-749181168-513-513

They are completely different 

-- 
Best regards,
Alex Berber
+9 72 54 285 952 3
www.linuxspace.org

Re: [Samba] A device attached to the system is not functioning

2012-07-02 Thread Alan Holt
Not this is problem right now.
Something wrong with SID ...
but what..

please any suggestions ..

Also for users that already were created I see in logs this error:

  _netr_LogonSamLogon: user MYDOMAINE.COM\elad has user sid
S-1-5-21-2139989288-483860436-2398042574-3070
   but group sid S-1-5-21-3745118107-2241246581-749181168-513-513.
  *The conflicting domain portions are not supported for NETLOGON calls*

And also I can get into samba with new user alex:

# smbclient -L localhost -U alex
Enter zvika's password:
Domain=[MYDOMAINE.COM] OS=[Unix] Server=[Samba 3.5.11-79.fc14]


On Mon, Jul 2, 2012 at 6:06 PM, John Drescher  wrote:

> On Mon, Jul 2, 2012 at 11:01 AM, Alan Holt  wrote:
> > What does it mean?
> > This is name of my domain:
> >
> > # vi /etc/smbldap-tools/smbldap.conf
> > 
> > suffix="dc=mydomaine,dc=com"
> > 
>
> I am talking about the workgroup setting in smb.conf
>
> This should not contain a "."
>
> John
>



-- 
Best regards,
Alex Berber
+9 72 54 285 952 3
www.linuxspace.org

Re: [Samba] A device attached to the system is not functioning

2012-07-02 Thread John Drescher
On Mon, Jul 2, 2012 at 11:01 AM, Alan Holt  wrote:
> What does it mean?
> This is name of my domain:
>
> # vi /etc/smbldap-tools/smbldap.conf
> 
> suffix="dc=mydomaine,dc=com"
> 

I am talking about the workgroup setting in smb.conf

This should not contain a "."

John


Re: [Samba] A device attached to the system is not functioning

2012-07-02 Thread Alan Holt
What does it mean?
This is name of my domain:

# vi /etc/smbldap-tools/smbldap.conf

suffix="dc=mydomaine,dc=com"






On Mon, Jul 2, 2012 at 5:51 PM, John Drescher  wrote:

> On Mon, Jul 2, 2012 at 10:49 AM, Alan Holt  wrote:
> > Dear all,
> > I was looking a lot around of Internet, but still did not find some
> > solution for my problem.
> > I have SAMBA and domain with ldap, everything have been fine until today.
> >
> > Like usually I did create new user in domain and tried to get into my
> > domain on Windows 7 and Windows XP machines.
> > Then I have got this error:
> >
> > "A device attached to the system is not functioning"
> > I checked SAMBA logs and found this:
> >
> > ==> /var/log/samba/xp-8a995003b537.log <==
> > [2012/07/02 17:38:28.626582,  1]
> > rpc_server/srv_pipe_hnd.c:1602(serverinfo_to_SamInfo_base)
> >   _netr_LogonSamLogon: user MYDOMAINE.COM\alex has user sid
> > S-1-5-21-2139989288-483860436-2398042574-3228
> >but group sid S-1-5-21-3745118107-2241246581-749181168-513-513.
> >   The conflicting domain portions are not supported for NETLOGON calls
> >
> > I guess it happens because of some problem with the SID. I checked the SID
> > for user alex:
> >
> > # pdbedit -L -v alex
> > User SID:  S-1-5-21-2139989288-483860436-2398042574-3228
> > Primary Group SID:S-1-5-21-3745118107-2241246581-*749181168-513*-513
> > Domain:MYDOMAIN.COM
> >
> > I also checked the SID for my domain:
> > # net getlocalsid  MYDOMAIN .COM
> > SID for domain  MYDOMAIN .COM is: S-1-5-21-3745118107-2241246581-*
> > 749181168-513*
> >
> > So could you please help me solve this issue?
> > Thanks.
> >
>
> I do not believe windows likes samba3 / windows nt domains having a
> "." in the domain name
>
> John
>



-- 
*Best regards.*
*Alex Berber*
*+9 72 54 285 952 3*
*www.linuxspace.org*

Re: [Samba] A device attached to the system is not functioning

2012-07-02 Thread John Drescher
On Mon, Jul 2, 2012 at 10:49 AM, Alan Holt  wrote:
> Dear all,
> I looked around the Internet a lot, but still did not find a
> solution for my problem.
> I have SAMBA and a domain with LDAP; everything had been fine until today.
>
> As usual, I created a new user in the domain and tried to get into my
> domain on Windows 7 and Windows XP machines.
> Then I got this error:
>
> "A device attached to the system is not functioning"
> I checked the SAMBA logs and found this:
>
> ==> /var/log/samba/xp-8a995003b537.log <==
> [2012/07/02 17:38:28.626582,  1]
> rpc_server/srv_pipe_hnd.c:1602(serverinfo_to_SamInfo_base)
>   _netr_LogonSamLogon: user MYDOMAINE.COM\alex has user sid
> S-1-5-21-2139989288-483860436-2398042574-3228
>but group sid S-1-5-21-3745118107-2241246581-749181168-513-513.
>   The conflicting domain portions are not supported for NETLOGON calls
>
> I guess it happens because of some problem with the SID. I checked the SID
> for user alex:
>
> # pdbedit -L -v alex
> User SID:  S-1-5-21-2139989288-483860436-2398042574-3228
> Primary Group SID:S-1-5-21-3745118107-2241246581-*749181168-513*-513
> Domain:MYDOMAIN.COM
>
> I also checked the SID for my domain:
> # net getlocalsid  MYDOMAIN .COM
> SID for domain  MYDOMAIN .COM is: S-1-5-21-3745118107-2241246581-*
> 749181168-513*
>
> So could you please help me solve this issue?
> Thanks.
>

I do not believe windows likes samba3 / windows nt domains having a
"." in the domain name

John


[Samba] A device attached to the system is not functioning

2012-07-02 Thread Alan Holt
Dear all,
I looked around the Internet a lot, but still did not find a
solution for my problem.
I have SAMBA and a domain with LDAP; everything had been fine until today.

As usual, I created a new user in the domain and tried to get into my
domain on Windows 7 and Windows XP machines.
Then I got this error:

"A device attached to the system is not functioning"
I checked the SAMBA logs and found this:

==> /var/log/samba/xp-8a995003b537.log <==
[2012/07/02 17:38:28.626582,  1]
rpc_server/srv_pipe_hnd.c:1602(serverinfo_to_SamInfo_base)
  _netr_LogonSamLogon: user MYDOMAINE.COM\alex has user sid
S-1-5-21-2139989288-483860436-2398042574-3228
   but group sid S-1-5-21-3745118107-2241246581-749181168-513-513.
  The conflicting domain portions are not supported for NETLOGON calls

I guess it happens because of some problem with the SID. I checked the SID
for user alex:

# pdbedit -L -v alex
User SID:  S-1-5-21-2139989288-483860436-2398042574-3228
Primary Group SID:S-1-5-21-3745118107-2241246581-*749181168-513*-513
Domain:MYDOMAIN.COM

I also checked the SID for my domain:
# net getlocalsid  MYDOMAIN .COM
SID for domain  MYDOMAIN .COM is: S-1-5-21-3745118107-2241246581-*
749181168-513*

So could you please help me solve this issue?
Thanks.


-- 
*Best regards.*
*Alex Berber*
*+9 72 54 285 952 3*
*www.linuxspace.org*
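
The comparison that the Samba log line in this thread complains about, as an added example (not part of the original post and not Samba's own code): it splits each SID from `pdbedit -L -v` output into its domain portion and RID, then reports a malformed domain portion or a mismatch between user and group. The sample input is the poster's output with the mail client's `*` emphasis markers removed; the function names are chosen here for illustration.

```python
import re

# The pdbedit output quoted in the post, with the mail client's "*"
# emphasis markers removed; used here as sample input.
SAMPLE = """\
User SID:             S-1-5-21-2139989288-483860436-2398042574-3228
Primary Group SID:    S-1-5-21-3745118107-2241246581-749181168-513-513
Domain:               MYDOMAIN.COM
"""

ACCOUNT_SID = re.compile(r"S-1-5-21((?:-\d+){2,})")

def split_sid(sid):
    """Split a domain account SID into (domain portion, RID)."""
    m = ACCOUNT_SID.fullmatch(sid.strip())
    if m is None:
        raise ValueError(f"not an S-1-5-21-... account SID: {sid!r}")
    domain, _, rid = sid.strip().rpartition("-")
    return domain, int(rid)

def parse_fields(text):
    """Turn 'Key: value' lines of pdbedit -v output into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def check_account(text):
    """Return a list of findings; an empty list means the SIDs agree."""
    fields = parse_fields(text)
    user_dom, _ = split_sid(fields["User SID"])
    group_dom, _ = split_sid(fields["Primary Group SID"])
    findings = []
    for label, dom in (("User SID", user_dom), ("Primary Group SID", group_dom)):
        # A domain SID is S-1-5-21 followed by exactly three sub-authorities.
        extra = len(dom.split("-")) - 7
        if extra:
            findings.append(f"{label}: domain portion {dom} is malformed")
    if user_dom != group_dom:
        findings.append(f"domain portions differ: {user_dom} vs {group_dom}")
    return findings

if __name__ == "__main__":
    for finding in check_account(SAMPLE):
        print(finding)
```

On the poster's record it reports two findings: the primary group SID carries an extra `-513` in its domain portion, and that domain portion differs from the one in the user SID.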

[Samba] Samba 4 & Smart card logon

2012-07-02 Thread Charalampos Anargyrou

Hello list,

I have installed and configured a domain with Samba version 
4.0.0beta2-GIT-7e80b89 on a CentOS 6.2


I can successfully join a Windows PC in the domain (both Windows XP and 
Windows 7 tested)


Now, I am trying to move a step forward and I would like to configure 
Samba to accept Windows smart card logon

This is a requirement for a project I am involved in

I have already installed the required client on Windows and I have a 
smart card for testing

I have already installed EJBCA as my CA on CentOS 6.2

On the Samba wiki, the how-to at 
http://wiki.samba.org/index.php/Samba4/Smart_Card_Login is not ready, so 
if anyone can help I will appreciate it
According to the headers in the how to, I have to configure Heimdal to 
accept PKINIT
I found a guide on 
http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-PK_002dINIT.html
I've also found a guide on 
http://k5wiki.kerberos.org/wiki/Pkinit_configuration for MIT Kerberos 
which has some more info on the certificates


I have created the Kerberos certificate according to what I have 
understood from the guides but I don't know how to test if the 
certificate is correct

So, my first question is how to test if the Kerberos certificate is correct?
My second question is: when I create a client certificate (I think I 
understood from the guides how to create it), how will I test it?
Will a kinit command like "kinit -C FILE:$HOME/clientcert.crt 
example-user@EXAMPLE-DOMAIN" be enough to test the client certificate?


And a final question (for now) is if there is any kind of documentation 
related to "Configure Samba4 to know about the certificate" and where I 
can find it?



Kind Regards,
Charalampos


Re: [Samba] Windows 7 v. Samba: why is default network profile in 'NETLOGON/Default User.v2' not used?

2012-07-02 Thread Dave Ewart
On Friday, 29.06.2012 at 17:33 +0200, Harry Jede wrote:

> According to "KB-973289" http://support.microsoft.com/kb/973289 the
> owner should be "everyone". Everyone has SID S-1-1-0
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q243330 . Do
> you have a usermapping for "everyone"?

(Thanks for your reply, Harry)

We don't, actually: I read those instructions and, since our NETLOGON
share is not generally writeable and our Samba isn't configured to use
ACLs, those permissions wouldn't apply when following the recipe as
described in the link above.  Nowhere I've read suggests that the
ownership setting is *critical*: our NETLOGON share presents as
read-only guest, in effect.

Do you think the ownership is critical and that Windows is rejecting the
use of 'Default User.v2' simply because it can't ascertain that it's
"EVERYONE"-owned, despite the fact that it could read it if it tried?!

(I admit I side-stepped this part of the process and hoped it wouldn't
matter, since reconfiguring Samba to allow this type of change would be
potentially disruptive!)

Thanks,

Dave.

-- 
Dave Ewart
da...@ceu.ox.ac.uk
Computing Manager, Cancer Epidemiology Unit
University of Oxford / Cancer Research UK
N 51.7516, W 1.2152



Re: [Samba] DMZ Kerberos authentication, is Samba needed or helpful?

2012-07-02 Thread Andrew Bartlett
On Sat, 2012-06-30 at 13:14 -0400, Nico Kadel-Garcia wrote:
> I'm dealing with an environment with AD servers in a normal working
> environment, all working and happy. I'm using bare Kerberos
> authentication for my Linux hosts to authenticate local accounts
> against the AD server, all well and good, I've not needed to integrate
> LDAP support and don't want to.
> 
> But there are DMZ VLAN's with hosts exposed directly to the Internet.
> I'd like to allow those hosts similar authentication, and do *NOT*
> want to slap an AD server into the DMZ, for more security reasons than
> I can count. What I'd love to do is to set up either a Samba server,
> slaved to the master AD servers, to handle authentication and *not*
> allow propagating any changes to AD servers, basically a pure slave
> server. This way, I can do it on a far more secure Linux system than
> most AD servers could ever hope to be and protect it from the DMZ
> hosts or accidental external exposure.
> 
> Or, if I can do it, just set up a pure Kerberos slave. Again, I can
> secure that a lot more than I can hope to secure an AD server. And I'd
> love to have that *only* handle authentication, not allow password
> changing or queries against the Kerberos.
> 
> Will I need or benefit from Samba for this? Or has someone here done
> the simple Kerberos slave setup and can point me to some notes?
> 
> [ In case it's not clear, I wrote some of the early Samba ports to
> SunOS, so I know the basic capabilities and architecture. ]

Samba 4.0 as an AD RODC would seem to fit the bill here.  

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org



[Samba] Samba share access problems

2012-07-02 Thread Derek Lewis
Hello,

I have Samba 3.6.6 compiled and running under Ubuntu 10.04 server, I
upgraded from 3.5.x and used the same share and configuration file.

I have access problems from my Windows machines "network path not found"
that I am trying to diagnose via smbclient from the server console: with
smbclient...

When I run, smbclient -L wen-chang\,. For any of my users, I see the
error message "Error returning browse list: NT STATUS OK".

The shares are browseable=yes, so I think this is a permissions problem or
an issue with the way I created my Samba users.

Suggestions on additional tests to locate the problem?


Re: [Samba] Samba4 DC replication

2012-07-02 Thread Daniel Müller
To your login.bat or login cmd  add:
netsh interface ipv4 add dns  local "Your-Lan-Connection" static
your.new.dns.server 255.255.255.0 

This should do the job.

---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
Behalf Of Matthieu Patou
Sent: Sunday, 1 July 2012 05:56
To: samba@lists.samba.org
Subject: Re: [Samba] Samba4 DC replication

On 06/26/2012 12:56 AM, steve wrote:
> Hi
> We have just added a second DC to our existing domain. Replication is 
> working fine. We have setup the second DC with bind DLZ and that too 
> is working fine (except that the DNS partition is not replicated).
>
> So, we now have two DC's and so also two DNS servers.
>
> Question, Do I now have to go to every client and add the new IP for 
> the new DNS?
That's an administration question, not a Samba one.

--
Matthieu Patou
Samba Team
http://samba.org

