Re: [SAMBA] samba - bind : program guideline suggestion
I'm currently developing a program that takes the smbtree output, parses it, retrieves all connected workstations, then calls nmblookup for each workstation, resolves the IP, creates a BIND zone file with this.

Why not use wins hook?

Now; to secure this program; I thought about 2 things - secure the program using pipes However; I would have to make an update at each samba release since there's no way to guarantee that the smbtree and nmblookup arguments and output will be the exact same file format as the current one

Have you checked out the python bindings (included on most distros now I think) if the hook scripts are not sufficient?

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] using samba through a VPN
the internet using openvpn. I've been told that samba (through no fault of its own) doesn't work very well through a VPN.

Rubbish. I have a ~dozen users using it via a VPN, it works just the same as if they were local (albeit more slowly, for obvious reasons).

I want the workstations in the new network to be able to logon to the domain and access the file shares hosted by the samba PDC in the first network. Will I be able to do this? Easily? :)

If you have WINS, etc... setup properly it will 'just work'. All the same requirements as if it was Win32 on your servers.

The thing to use is a DHCP server that also provides clients with the IP address of the PDC through the netbios-name-servers option in the ISC DHCP server.

Yep, whether this is DHCP or not depends on your VPN technology of choice, but you need to get that information (WINS server) down to the client. Also best to set the clients node type to be WINS only and not use broadcast, but that is always true.
Re: [Samba] Re: using samba through a VPN
If you find smb too slow, you should try using http to serve the files across the VPN. Set up apache to use samba authentication and you should be all set. You could even run both Samba and Apache at the same time, and see for yourself which works out better.

We use Davenport, which is a DAV--CIFS/SMB portal, to provide DAV access to all our Samba volumes. Davenport is a setup-and-go app, very nice and has worked well for us. http://{hostname}:8080/davenport and you see the domains workgroups listed, you drill down through hosts to volumes just like using Network Neighborhood. A volume can be browsed as a web page (for non-DAV clients like Win9x) or as a DAV volume. DAV is much faster over VPN links than native SMB.
Re: [Samba] VFS module to block directory listing
I wonder if it is possible to write a VFS module to block the listing of directory in a share? The files inside the directory should be accessible for read/write operations, but should be able to list the files in the directory. Is that possible?

Can't you do this exact thing with UNIX filesystem permissions? Remove the x permission from the directory.
Re: [Samba] Re: A little help with nss_ldap - User xxx in passdb, but getpwnam() fails!
I just tested your settings and they seem to be working. The auth takes much longer now, maybe because it is working. When checking shares the getpwnam does not even get called any more. I noticed many SMB_VFS, NT_STATUS_NO_SUCH_OBJECT in the log, I guess that lets me know VFS was compiled in my binary. How is the ldap.conf in the /etc/ directory different than the one found in /etc/openldap/

There is a very simple way to determine this.

    [EMAIL PROTECTED]:~ rpm -qf /etc/ldap.conf
    pwdutils-2.6.90-6
    [EMAIL PROTECTED]:~ rpm -qf /etc/openldap/ldap.conf
    openldap2-client-2.2.15-5

So you know from what packages came which file.

When I check the MAN page only /etc/openldap/ldap.conf comes up, I'm curious about the other options I am seeing in the other ldap.conf located in the /etc/ directory.

Look in the /etc/ldap.conf, it should be very verbosely commented.

Most of the I can make an educated guess as to their function, but it would be nice to have a verified definition of some of these parameters.

The PAM and NSS modules come from PADL (www.padl.com) you can download the tgz's and look at the documentation they contain.
Re: [Samba] Lagging failed login attempts
Are failed client logins on the XP clients logged anywhere ? How about non-domain member clients accessing shares ?

It completely depends on your logging settings. Perhaps show your smb.conf global section so we can tell. In my setup, and from the looks of things around here, a lot of other peoples, is that there is a main log.smbd file and then also a log for each machine. Check in those if you are so configured. I'm sure we'll have better info for you once we see your globals.

None of which are terribly useful or concise for logging access attempts. You can log successful access attempts into utmp (ala who), but I don't know of any way to log failed access attempt.
Re: [Samba] LDAP and userPassword
Perhaps this is a stupid question, but if you are using a LDAP backend, is there any requirement to have a userPassword for a user for them to be able

Only if you want to authenticate other services to the DSA.

to authenticate to a Samba PDC?

No (well, unless it is required by schema).

Or must they only have a sambaNTPassword? Also, which password does smbclient use, userPassword or sambaNTPassword?

It uses sambaLMPassword or sambaNTPassword depending upon the strength of the client.
[Samba] Why %M makes two log files?
I use log.%M to get per client logs. This works but I always end up with -

    [EMAIL PROTECTED] root]# cd /var/log/samba
    [EMAIL PROTECTED] samba]# ls -l log.pc01699
    -rw-r--r-- 1 root root 2642617 Nov 12 07:30 log.pc01699
    [EMAIL PROTECTED] samba]# host pc01699
    pc01699.morrison.iserv.net has address 192.168.19.191
    [EMAIL PROTECTED] samba]# host 192.168.19.191
    191.19.168.192.in-addr.arpa domain name pointer PC01699.morrison.iserv.net.
    [EMAIL PROTECTED] samba]# ls -l log.192.168.19.191
    -rw-r--r-- 1 root root 0 Oct 15 07:26 log.192.168.19.191
    [EMAIL PROTECTED] samba]#

DNS works both ways, but I always get a log.{IP NUMBER} file as well as log.{MACHINE NAME}. The log.{IP NUMBER} files are always zero sized. Is this a bug or a misconfiguration of something (if so, pointers appreciated)?
Re: [Samba] Why %M makes two log files?
On Fri, Nov 12, 2004 at 08:26:54AM -0500, Adam Tauno Williams wrote:

I use log.%M to get per client logs. This works but I always end up with -

    [EMAIL PROTECTED] root]# cd /var/log/samba
    [EMAIL PROTECTED] samba]# ls -l log.pc01699
    -rw-r--r-- 1 root root 2642617 Nov 12 07:30 log.pc01699
    [EMAIL PROTECTED] samba]# host pc01699
    pc01699.morrison.iserv.net has address 192.168.19.191
    [EMAIL PROTECTED] samba]# host 192.168.19.191
    191.19.168.192.in-addr.arpa domain name pointer PC01699.morrison.iserv.net.
    [EMAIL PROTECTED] samba]# ls -l log.192.168.19.191
    -rw-r--r-- 1 root root 0 Oct 15 07:26 log.192.168.19.191
    [EMAIL PROTECTED] samba]#

Me too, but I use %m instead of %M.

Same here, that was a typo.

But the result is the same, I also get empty log files with an IP number in addition to the correct log files with the client's netbios name. samba-3.0.7 and 3.0.8.

Same.
[Samba] Logon fails due to The system cannot find the file specified
I have a couple of Windows 2000 boxes that only accept logons from users who have logged onto the system before. For new users the logon appears to succeed, proceeds to "Loading your personal settings" and then the following error appears -

    Windows cannot log you on because the profile cannot be loaded. Contact your network administrator. DETAIL - The system cannot find the file specified.

- after which the user is thrown out.

I've chased this around quite a bit, I'm not certain if it is a workstation problem, a Samba problem, etc... I have ~200 other Windows 2000/XP workstations that are working. I've cranked up the debug level and read the logs, and set auditing on the local filesystem. Nothing seems to elucidate the cause of the problem. Would be nice if it just came out and said which file couldn't be found. :)
Re: [Samba] Slow login/out with XP and SAMBA PDC?
I thought the profile copy was smart and only copied files that had changed? What can I do improve this performance?

Maybe theoretically, but we've seen it 'stupid' on frequent occasions. Really best just to redirect the My Documents short cut to a real share (such as a home directory) that doesn't have to get copied all over the place.

Along this same note ... I am pondering the implications of mapping certain parts of the profile (My Documents, maybe My Pictures) to a network drive. But I think this won't work for my truly roaming users (laptop users). Do any of you redirect the profile directories based on membership of, say, a

We use some substitution smarts on the samba side to direct what a user sees as \\{server}\Documents, but otherwise we only use policies (via ntconfig.pol) for making changes on the client.

'laptop' group or some such thing? I know that I can write registry keys based on group membership with Kixtart. Or am I wrong and laptops won't have a problem with it? If a laptop user saves a file in My Documents they will expect to have access to the file even when offline. Thoughts? I would just like to know how you all generally handle it.

We disable roaming profiles on laptops; they only lead to user confusion in that case (IMHO). You can still synchronize other folders using M$'s sync thingy, or use something like Novell's iFolder.
Re: [Samba] LDAP suffix question
I would like to have a DIT similar to this for my Samba server :

    ou=People,dc=domain,dc=com: users accounts
    ou=Group,dc=Domain,dc=com: groups
    ou=Hosts,dc=domain,dc=com: machine accounts
    ou=Samba,dc=domain,dc=com: Samba specific stuff, such as sambaDomain, sambaUnixIdPool, etc

My understanding is that ldap [user|group|machine] suffix is relative to ldap suffix. Example :

    ldap suffix = dc=domain,dc=com
    ldap user suffix = ou=People

Thus, the effective ldap user suffix would be ou=People,dc=domain,dc=com. This does not match the DIT I would like to achieve, as I would need to specify lateral suffix for user, group, machine. I tried :

    ldap suffix = ou=Samba,dc=domain,dc=com
    ldap user suffix = ou=People,dc=domain,dc=com
    ...

But it does not work. Any idea how to achieve that ? The reason I would like to design my DIT in such a way is strictly cosmetic, as I would prefer not to clutter the root with sambaDomain and sambaUnixIdPool entry.

I'd recommend creating something like

    ou=SAM,dc=domain,dc=...
    ou=People,ou=SAM,dc=domain,dc=...
    ou=Groups,ou=SAM,dc=domain,dc=...
    ou=Hosts,ou=SAM,dc=domain,dc=...

And keep everything Samba (or NSS) uses under the ou=SAM. This totally avoids (a) having to do root level sub searches, which are always bad, especially as your Dit grows to contain other stuff, (b) lets you partition the PDC stuff off from the rest of your Dit, good if you want it to have its own server or Samba decides to implement their own LDAP server, you can just place it in your Dit without having to refactor anything and (c) makes it easier to delegate the permission peculiar to PDC operations.

If you really want an ou=People at the root that is still possible, you simply use a subordinate proxy to place the contents of ou=People,ou=SAM,... at ou=People,dc=domain,... then mail clients can query what they expect to find and you can also drop out all the attributes and objectclasses they don't need to see.
Re: [Samba] Slow login/out with XP and SAMBA PDC?
I thought the profile copy was smart and only copied files that had changed? What can I do improve this performance?

Maybe theoretically, but we've seen it 'stupid' on frequent occasions. Really best just to redirect the My Documents short cut to a real share (such as a home directory) that doesn't have to get copied all over the place.
Re: [Samba] config.pol
I use samba 3.0.1pre1 I make a config.pol with .adm templates. But, when I use it in netlogon, register are no set. netlogon and config.pol have correct permissions.

Shouldn't it be ntconfig.pol?
Re: [Samba] SuSE9.1 Hylafax 4.1.8-21
I have recently installed a machine with the above mentioned configuration. The machine will be a fax-server. It will only receive (at the moment) faxes and store them on its hard-drive. The problem is that all the faxes that I receive are either black pages or they are white pages with a black thick stripe horizontally. Can someone please give me a hand with this??

This is the Samba list, ask on the HylaFax list about HylaFax.
Re: [Samba] Samba PDC in many branch offices + one LDAP database - how to change passwords?
As it is relatively easy to have one LDAP database across all office branches, I don't know how to make Samba 3 to read/retrieve usernames/passwords from local OpenLDAP slave, but to write added machines/changed passwords to the master OpenLDAP server (which would then replicate the changes to all its slaves).

If you have the smbldap-tools configured properly with the right master and slave set, then adding machines is not a problem. Changing passwords is also not a problem provided you have LDAP referrals set up properly. Setting up referrals is really more of a question for the openldap folks, and probably covered in the setup guide at openldap.

Heh, ask at OpenLDAP group, they point you to Samba group; ask at Samba group, they point you back to OpenLDAP :)

Just to clarify, mostly for the archives: Setting up referrals is NEITHER a Samba NOR OpenLDAP question. It is an LDAP issue, referrals are a standard LDAP thing, supported by every decent DSA. The OpenLDAP lists are for questions SPECIFICALLY for OpenLDAP related issues, referrals would not be such an issue. *ANY* decent LDAP text will cover referrals, and questions about referrals would be appropriate to the [EMAIL PROTECTED] list (generic LDAP discussion) - but again, they are a well documented standard type of thing.
Re: [Samba] Third party LDAP as backend
I'm planning a Samba3 new installation. I need to make Samba interact with a third party directory server (it's a standard implementation that can be accessed with ldapsearch, ldapadd, etc). Is it possible to use ldapsam with an LDAP directory that's not running under OpenLDAP?

Yes; I've communicated with people using both NDS and SW.
Re: [Samba] Third party LDAP as backend
I'm planning a Samba3 new installation. I need to make Samba interact with a third party directory server (it's a standard implementation that can be accessed with ldapsearch, ldapadd, etc). Is it possible to use ldapsam with an LDAP directory that's not running under OpenLDAP?

Yes; I've communicated with people using both NDS and SW.

Great... did you use the same procedure as for OpenLDAP or is there some customization?

*I* didn't do this, I just know it can be done. You need to get the samba.schema file into a format your DSA likes. Beyond that Samba doesn't do anything crazy and should work with any DSA.
Re: [Samba] automatically authenticate domain logged-on users in apache with AD/NTDOM?
I don't use MS products at all, so I have very little knowledge with them, but I believe Microsoft has a protocol where Internet Explorer can automatically authenticate against an IIS server, and given that the server and client are on the same NT domain, and the client user is logged in to that domain, the user is automatically logged in without the need to give away the password one more time to the webserver.

You're talking about NTLM.

What is happening between the web server the web client? Is the protocol open or reverse engineered? Can this authentication be done using apache @ unix (perhaps by apache interacting with samba somehow)?

On the server side - yes, even current versions of SASL support NTLM.

Any ideas or links to more info about this would be much appreciated.

On the UNIX/LINUX client side I think you're stuck; nothing I've found supports it. If you are in an AD domain or Kerberos environment you can probably do the same thing with GSSAPI.
Re: [Samba] Samba 3.0.7 OpenLDAP performance problem
I am using a Samba PDC with OpenLDAP. After updating my Samba 2.2.7 to version 3.0.7, I encountered the following problem : All my Windows-clients are able to logon to the Domain but it takes several minutes until the Client finally is logged on. If I try to open a directory that is stored on the server, it takes several minutes, too. The profiles I am using are not stored on the server except their home-directories. I tested the Samba update several times on a VMware machine with virtual server and clients and it worked perfectly every try.

I got same kind of effect after upgrading 3.0.5 - 3.0.7. OpenLDAP + prebuilt Samba on SuSE 8.2 (downgraded back to 3.0.5 and everything is ok again)

Just as a balancing point-of-view; we have 3.0.7 + OL 2.2.17 and performance is very good (~200 XP/2000 clients). Are you sure things like name resolution are working properly?
Re: [Samba] Applications that need admin privileges
Hi guys, I have a working samba and openldap pdc which is actively being tested. I have a group of users that have specific tools to use such as oracle client tools (sqlplus etc). I tried to logon as a test user and run the sqlplus but nothing happened, I tried adding this user to the local poweruser group but it produced the same result. Can this be achieved? It works fine if this user is a member of local admin group which I dont want to do because I want to limit what they can do to their workstations. Anyone out here who had a similar experience? Thanks for any help

Oh yes, it is called $([EMAIL PROTECTED]@R%** crappy PC software. If the software is broken and needs Admin privileges you don't have much of a choice, but you can still apply policies to an account with Admin privileges. And don't forget to write a very nasty letter to the software shop telling them to fix their software their non-compatible software!
Re: [Samba] Re: root preexec script runs twice
[netlogon] is a special share. I would guess Windows mounts it more than once when user logins but you should see it then with 'log level = 5' as 'cmd=/home/samba/scripts/create-login-script.sh adrian.h' line in smbd logs. Have you tried to put this 'root preexec' into [home] share instead?

Workstations will connect/disconnect/reconnect to volumes at-will; there is just no getting around that. Your preexec scripts need to be able to cope with that fact, either check the date on something and bail if the script has already been run (or more recently than some interval) or use the parameters to avoid running for the same tuple (User+workstation) multiple times.
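A guard of the kind the reply describes, as an added example that is not part of the original thread: it keeps one timestamp per (user, workstation) tuple and skips the work when the last run was too recent. The script path, `STAMP_DIR` and `MIN_INTERVAL` are assumptions; because the script runs as root on values supplied through smb.conf's `%U` and `%m` substitutions, both names are validated before they are used in a file path.

```shell
#!/bin/sh
# Added example (not from the thread): idempotence guard for a Samba
# "root preexec" script. Assumed smb.conf line:
#   root preexec = /usr/local/sbin/preexec-guard.sh %U %m
# STAMP_DIR and MIN_INTERVAL are hypothetical settings for this sketch.
STAMP_DIR="${STAMP_DIR:-/var/run/samba-preexec}"
MIN_INTERVAL="${MIN_INTERVAL:-300}"   # seconds between real runs per tuple

# valid_name NAME: accept only names that are safe as a file name.
# Rejects empty names, leading dots and anything outside [A-Za-z0-9._-],
# so "../" or shell metacharacters never reach the filesystem.
valid_name() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# should_run USER MACHINE
#   returns 0: do the work (stamp updated)
#   returns 1: skip, ran recently or a concurrent connect holds the lock
#   returns 2: invalid arguments or stamp directory unusable
should_run() {
    sr_user=$1
    sr_machine=$2
    valid_name "$sr_user" || return 2
    valid_name "$sr_machine" || return 2
    mkdir -p "$STAMP_DIR" || return 2
    chmod 700 "$STAMP_DIR" || return 2
    sr_stamp="$STAMP_DIR/$sr_user@$sr_machine"

    # mkdir is atomic: of two simultaneous connects only one proceeds.
    mkdir "$sr_stamp.lock" 2>/dev/null || return 1

    sr_now=$(date +%s)
    sr_last=0
    if [ -f "$sr_stamp" ] && [ ! -L "$sr_stamp" ]; then
        sr_last=$(cat "$sr_stamp")
        # Treat a damaged stamp as "never ran".
        case "$sr_last" in ''|*[!0-9]*) sr_last=0 ;; esac
    fi

    sr_rc=1
    if [ $((sr_now - sr_last)) -ge "$MIN_INTERVAL" ]; then
        sr_rc=2
        # Write inside the lock directory, then rename into place.
        printf '%s\n' "$sr_now" > "$sr_stamp.lock/new" &&
            mv -f "$sr_stamp.lock/new" "$sr_stamp" &&
            sr_rc=0
    fi
    rm -f "$sr_stamp.lock/new"
    rmdir "$sr_stamp.lock"
    return "$sr_rc"
}

# Entry point when smbd calls the script with "%U %m".
if [ "$#" -eq 2 ]; then
    should_run "$1" "$2"
    case $? in
        0) logger -t preexec-guard "running login setup for $1 on $2"
           # Site-specific work goes here, for example the
           # create-login-script.sh call mentioned in the thread.
           ;;
        1) : ;;   # reconnect within the interval: nothing to do
        *) logger -t preexec-guard "rejected arguments or stamp dir error" ;;
    esac
    exit 0
fi
```

The script always exits 0 so that a skipped run never blocks the share connection when `root preexec close` is enabled.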
Re: [Samba] Re: Scaleable LDAP Backends for Samba; Domain Controllers group access
    objectclass ( 1.3.6.1.4.1.6921.1.18 NAME 'nssBisGroup'
        DESC 'Adds POSIX Attributes To A GroupOfNames'
        SUP top AUXILIARY
        MUST ( cn, gidNumber )
        MAY ( userPassword, description ) )

Uh... gee, on second thought I don't see how this is going to work with the smbldap scripts nor do I know if this will take a sambaGroupMapping.

sambaGroupMapping is ***AUXILIARY***, so you can essentially stick it on anything.
Re: [Samba] SuSE 9.1 Pro
Hi, the simple answer is dont use suse firewall,( iptables scripts are easy to google ) and study more chapters from Samba Browsing

That's not very nice, the Suse 'firewall' is well written. And you can't expect everyone to learn that much about packet filtering just to run samba. And it works with samba.

Sorry Holger, but my opinion is different, suse firewall may be good written, but learning about packet filtering and networking is helpful in any way.

Agree, the SuSe firewall is nice, but it is really for simple workstation/desktop setups. If you want to do more advanced setups you need to leave the tool behind. I recommend fwbuilder - http://freshmeat.net/projects/fwbuilder/ The UI is intuitive and you can build VERY sophisticated rule stacks. Even Windows admins manage to figure it out.
Re: [Samba] Scaleable LDAP Backends for Samba; Domain Controllers group access
As far as I know, it *HAS* to be done this way because the posixGroup schema is way out of date (it wont take a dn as a member).

That is true, well the out of date part. It doesn't have to be done this way.

This info according to the gurus on the OpenLDAP list. In effect we have to keep a duplicate set of group records for those that will have access to the database.

No. Duplicate is bad, only a matter of time till someone screws it up, and debugging the ensuing weirdness will be a real headache.

For example, if you want to give group based access to a group like Domain Controllers, you would have to keep a duplicate record using a different objectClass.

Recent versions of NSS LDAP support RFC2307BIS, where groups can contain member attributes rather than memberuid attributes. So OS groups can be objectclass groupOfNames rather than posixAccount. The schema is busted however, since posixGroup is structural. So load -

    objectclass ( 1.3.6.1.4.1.6921.1.18 NAME 'nssBisGroup'
        DESC 'Adds POSIX Attributes To A GroupOfNames'
        SUP top AUXILIARY
        MUST ( cn, gidNumber )
        MAY ( userPassword, description ) )

Since groupOfNames already requires cn, you just add a gidNumber and the objectclass to groups that you want to be OS groups. And set the NSS configuration to:

    nss_map_objectclass posixGroup nssBisGroup
    pam_member_attribute member
Re: Re: [Samba] Authenticateing DC's on an ldap backend... nobody knows how?
Could explain more your problem ? On samba there are machine account for windows NT4, 2000, XP but no separation between workstation and server and DC. ?

A machine account is machine account, only WINS cares about the difference.

And also, there are no specific group for machine which are managed by samba.

This is an entirely site specific setup thing. If you want all your machine accounts created with a given gidNumber you can certainly do that.
Re: [Samba] Do software raids don't dance Samba?
It seems to me like - at least my - software raid can't dance Samba. I've got a box with SUSE 9.1 (Linux datagarden 2.6.4-54.5-default #1 Fri May 7 16:47:49 UTC 2004 x86_64 x86_64 x86_64 GNU/Linux) and I've dld and compiled Samba version 3.0.7-1.1-SUSE. And as you might guess from the subject, I'd like to use it together software raid (level 5) to store this and that. I'm using the default raid software package that gets shipped with 9.1 together with a Highpoint RocketRAID 454 ATA card with 8 disks

If you're using a RAID card you are not using software RAID, or maybe you are, but in combination with hardware RAID.

As I am a Linux beginner, I can't really tell you what version of raid software the box is using. If I run raid0run -V it tells me mkraid version 0.90.0 and if I run raidstart -V it says raidstart v0.3d compiled for md raidtools-1.00.3.

Hmmm I'd look at the Highpoint drivers. I've been using raid5 with samba-3_0 svn for a couple months now without incident.

Agree. Remove the RAID card and use just software RAID, or get a reputable RAID card. We've been using Samba on Linux/RAID via both hardware and software(md) without incident for **years**.
Re: [Samba] Application Server
Hi there! Is possible to install software on the Samba Server and make users run that software from their workstations instead of installing locally? I know that it could take down the network performance but it could be useful for some little software like 7-zip, yahoo messenger, etc...

It is an issue of the specific application, not Samba. Some software works well that way, others not at all. I'd guess most packages will not work this way, Windows has a habit of placing locks on files that prevent the same instance of an install from working from more than one workstation.
Re: [Samba] Script to clean the recycles...
What I wanna to do is put one script on cron.daily to :

1. Clean all the files on the directories .recycle (see below) that are older than 15 days.

    \files\production\.recycle
    \files\directory\.recycle
    \files\it_teste\.recycle
    \files\adm\sandra\.recycle
    \files\testing\piedro\.recycle
    \files\system\sources\.recycle
    \files\system\testing\.recycle
    \files\system\cvs\.recycle

2. Clean all the files on all the user homes that are older than 7 days.

I have +/- 50 users and I wanna to make something automatic, that I don't need to give maintenance on the script after creating a new user... Ideas?

man find
Re: [Samba] Which distribution to rollout
I have some reservations about fedora - I just dont know how stable it is for a production server (our services are mainly samba/ldap/ntp/ssh/rsync/clamav) - we have about 15 samba servers in production currently. RHEL - well - the cost is a factor gentoo - takes too long to deploy Mandrake 10? What are some of the samba users recommendations?

SuSe. Inexpensive and pretty much guaranteed not to be dropped. We are just using the ordinary Pro version, it works very well. Still does all the normal RPM based management, and Red Carpet supports it.
Re: [Samba] Re: samba w/ ldap - groups scalability and performance
I have a suggestion. I think you can partition off the groups by putting them in sub OU's of your groups OU.

Yes, and you could partition those OUs across servers.

Alternatively you could use some Balancing Domain Controllers with disconnected authentication. This entails setting up Balancing Domain Controllers, each with a local LDAP slave server. Making everything local (replicated from the main LDAP server) for each of your BDC's should improve performance as you can then have several machines answering requests for groups without them having to constantly query the main LDAP server.

Yes, and a BDC without its own replica sort of takes the B out of BDC. If you have sufficient RAM have you tried using a proxy backend, then the redundant group lookups are simply cached and fed back to the client.

I am having problems with samba and ldap as concerns groups. We have ... perhaps only those groups where the user is a member?
Re: [Samba] Network Drives Dropping Out
The redXs mean the connection has been dropped probably due to idle time, this is done in order to conserve resources on the server. This is normal.
http://support.microsoft.com/default.aspx?scid=kb;en-us;297684
http://support.microsoft.com/default.aspx?scid=kb;EN-US;138365

I even have the red-crosses some times in my two-computer-home-network, but every time I double click the crossed-out share I can access it without problems.

I am looking after a site that is running redhat 7.2 and Samba 3.0.2a-1. There is a mixture of Windows 98 and Windows XP clients on the network. Recently the Windows XP clients have been having problems with mapped network drives. The drives map fine but certain times during the day users get access denied error messages when accessing the drives. This lasts for a few minutes and without having to touch anything they are back working normally. Sometimes the drives in XP also come up with red 'x' next to them.
Re: [Samba] Re: Just a quick suggestion for backup solution, please???
I've been using samba for a while, but I have no backups... I'd just like something simple and effective, with some easy way to Restore files... Any quick suggestion, please?

If you have ACL support enabled on your Samba server make sure your backup solution supports backing up meta-data and extended attributes. 99 out of 100 do NOT. Our solution (even after looking at commercial packages) has been to use XFS filesystems and xfsdump/xfsrestore.

I have read good things about Arkeia (www.arkeia.com). They have a light version that is free.

And crazy expensive.
Re: [Samba] Profiles pemissions and ldap backend
Two quick questions: 1. For a samba server what backend would produce the best performance with samba. ldbm or bdb? bdb performance will always be MANY ORDERS OF MAGNITUDE faster than ldbm. And ldbm is deprecated anyway. Make sure you're using a recent OpenLDAP version, not one of the antique ones provided with your distribution.
[Samba] Memory allocation error: failed to expand to 1108555744 bytes
I saw the following log entry when connecting to a print share on a Samba 3.0.7 box from a Windows 2000 client. I assume the attempt to allocate 1Gb+ of RAM has got to be wrong? [2004/09/14 11:07:14, 1] smbd/service.c:make_connection_snum(648) pcladydeath (192.168.1.110) connect to service print$ initially as user pcnet (uid=288, gid=230) (pid 18501)[2004/09/14 11:07:17, 0] smbd/connection.c:register_message_flags(220) register_message_flags: tdb_fetch failed [2004/09/14 11:07:19, 0] lib/util.c:Realloc(856) Memory allocation error: failed to expand to 1108555744 bytes [2004/09/14 11:07:19, 0] rpc_parse/parse_prs.c:prs_grow(270) prs_grow: Realloc failure for size 1108555744. [2004/09/14 11:07:19, 0] rpc_server/srv_spoolss.c:api_spoolss_rfnpcnex(341) spoolss_io_r_rfnpcnex: unable to marshall SPOOL_R_RFNPCNEX. [2004/09/14 11:07:19, 0] rpc_server/srv_pipe.c:api_rpcTNP(1563) api_rpcTNP: spoolss: SPOOLSS_RFNPCNEX failed. [2004/09/14 11:07:19, 0] smbd/connection.c:register_message_flags(220) register_message_flags: tdb_fetch failed
Re: [Samba] Migrate BACK to WINDOWS - Talk me out of it QUICK
We have just started to roll out Thinstation thin-clients that are connecting to Win TSRV servers. What is being planned is 1 Terminal Server per location. This will significantly reduce the administrative nightmare on multiple Windows boxes and centralize it. However, this is where I start to feel that I am having too many servers per location, seeing that the windows server could do what the Samba server is doing, I am in debate about moving back to windows (I have will need to licenses and boxes there anyhows) No! Bad! Having the same box to DC/WINS/DNS/etc... as runs user apps is a disaster (trust me, I've dismantled refactored the networks of shops that tried to put everything on one windows machine). One other option is just to house a ginormous WIN-TSRV at the central That would be my choice. location. However, I am afraid of issues with printing back to the remote locations (pushing large files through the 1/2 T-1 to print). Versus all the filesystem and other support (profiles, WINS, DNS, LDAP, etc...) traffic? Use QoS to relegate the print traffic to second-class status and/or tunnel the print traffic through a compressor (postscript is wonderfully compressible, and some printers support compression themselves). Another option is to remove the samba servers from the remote location, and just have a samba PDC with authenticating windows tsrv machines. - I don't like this option for some reason Is the TS actually useful without a connection to the central servers (database, middleware, etc...)? Do you still have stand-alone workstations, laptops, etc..? The TS probably caches the profile/login anyway so it might remain usable for a time even if the circuit is down. I really don't want to move away from the SAMBA backend, but at the same time don't want to stay with it just because I 'like it' and I 'want to'. So I am looking for discussion/arguments as to why I should stay with the Samba server and a win-tsrv server, as opposed to just moving to a MS backend.
Whatever you have - samba or not - don't pile it all on one machine, and certainly not on a terminal server running user apps.
Re: [Samba] Samab 3.0.6 problems
I have noticed a few people post issues with 3.0.6 and I wonder if there is a bug somewhere? I did run a trace using ethereal - when opening files, packets just stopped between client and server except for a few keepalives. The samba logs didn't contain much info for my level of knowledge (debug level @ 3). If anyone is interested in identifying a problem, can you propose the debug level required and if a trace is required. I can install 3.0.6 again for a while to test. Try disabling sendfile.
Re: [Samba] SIDs , RIDs UIDs
Hi, I want to understand the above terms, where can I find good documentation please? Any decent UNIX administration text, any decent NT administration text. Or ftp://ftp.kalamazoolinux.org/pub/pdf/CIFSnPOSIX.pdf
Re: [Samba] LDAP WBEL
That is a good reference. But any out there on the web that are freely available? Dozens, if not hundreds.
[Samba] IP Appears Rather Than Servername
Since we updated to 3.0.6 we are having an oddity that the server IP appears in printer UNCs rather than the IP address. For instance printer \\barbel\grdps appears in the printer status box as 192.168.1.9 on grdps. It still works, but this is both odd and unsightly. DNS forward and reverse is working. It does this on both our 3.0.6 servers. On adding \\sardine\pdfconv print queue, it adds \\192.168.1.12\pdfconv in the printer list.
[Samba] 3.0.6 string overflow by 1
I updated one of my file servers to 3.0.6, and while file serving is improved (no M$-Office file already open messages), every time I access a printer my logs flood with messages like those below. It seems I can set printer properties, etc... but when I print the jobs seem to go to never-never land (still researching where the jobs go). [2004/08/20 08:46:27, 0] lib/util_str.c:safe_strcpy_fn(600) ERROR: string overflow by 1 (32 - 31) in safe_strcpy [\\192.168.1.12\HP Business Inkjet 2250 PS] [2004/08/20 08:46:27, 0] lib/util_str.c:safe_strcpy_fn(600) ERROR: string overflow by 1 (32 - 31) in safe_strcpy [\\192.168.1.12\HP Business Inkjet 2250 PS] [2004/08/20 08:46:28, 0] lib/util_str.c:safe_strcpy_fn(600) ERROR: string overflow by 1 (32 - 31) in safe_strcpy [\\192.168.1.12\HP Business Inkjet 2250 PS] [2004/08/20 08:46:28, 0] lib/util_str.c:safe_strcpy_fn(600) ERROR: string overflow by 1 (32 - 31) in safe_strcpy [\\192.168.1.12\HP Business Inkjet 2250 PS] [2004/08/20 08:46:28, 0] lib/util_str.c:safe_strcpy_fn(600) ERROR: string overflow by 1 (32 - 31) in safe_strcpy [\\192.168.1.12\HP Business Inkjet 2250 PS] [2004/08/20 08:46:28, 0] lib/util_str.c:safe_strcpy_fn(600) ERROR: string overflow by 1 (32 - 31) in safe_strcpy [\\192.168.1.12\HP Business Inkjet 2250 PS] [2004/08/20 08:46:28, 0] lib/util_str.c:safe_strcpy_fn(600) ERROR: string overflow by 1 (32 - 31) in safe_strcpy [\\192.168.1.12\HP Business Inkjet 2250 PS] [2004/08/20 08:46:28, 0] lib/util_str.c:safe_strcpy_fn(600)
Re: [Samba] LDAP and Password Values
Samba schema and related indices were added and containers created. Added user xxx to LDAP database via phpLDAPadmin and executed smbpasswd -a xxx -D 256 Besides the does not exist issues, the attribute sambaDomainName was added. Are there additional containers and/or attributes that I have overlooked in the documentation? No, sambaAccount and sambaDomain are the only required objects - so long as they are below the search root it doesn't matter where you put them (it doesn't matter to Samba anyway, it may matter for other site-specific reasons). Of course without sambaGroupMapping aux objects on at least some of your posixGroups your installation will be of minimal utility - you need the required groups like Domain Administrators, Power Users, etc... to get 'normal' NT behaviour. Lastly, is the sambaSID value consistent across users sans the hyphen integer suffix? If they are all in the same domain, yes.
Re: [Samba] LDAP and Password Values
Where I remain unclear is the ldap password sync flag in smb.conf. If set to yes, does a Windows NT/2K/XP user participating with Samba3 in a workgroup (security=user) automatically have his or her password transparently synchronized on the Samba box the next time he or she attempts to utilize a Samba resource ( if previously changed on the user workstation) or is ldap password sync a Domain-member-specific implementation. It is domain specific because it happens at time of password change. Samba changes userpassword on behalf of the user.
Re: [Samba] LDAP and Password Values
I remain unclear regarding Samba and LDAP. It appears that mkntpwd is required to generate a viable sambaNTPassword and sambaLMPassword attribute values. No. But I believe I read that the current incarnation of smbpasswd can accomplish this. Yes, this is all done via the PDB backend. Lastly, when utilizing phpLDAPadmin, do the NT and LM password fields contain the values generated by mkntpwd? phpLDAPadmin might implement its own mechanism. Generating an NT hash is a documented thing.
Re: [Samba] Win Integration: possible solution?
I'm still looking for a possible integration of MIT K5 and AFS through the windows login, so I will ask you a question. A first consideration is that afs+k5 works fine but we have to create a local account with a fake password. The profile will be on the local disk. We can gain tickets and the token necessary to access \\AFS. The problem is: how to avoid a local account? You can't. You'd need Samba to be able to perform a domain account login (using the Kerberos SAM) and then acquire a ticket on the client's behalf. You can't do this (yet). What about samba? I don't know, but maybe some of you can help me with this solution. Samba can be a gateway being a windows domain. Sort of, but it can't do things a PDC can't do - like Kerberos. Samba is an NT4 domain controller not an ADS. we set windows to look for a remote profile instead of the local one, so that we mimic what we do on afs, k5 and setting login on a mit kdc? But... how to do this? You can dig out what information exists on lorikeet, but it is not (yet) a real/complete solution.
Re: [Samba] explain me exactly about ldap
I wanna know exactly the principal functions of ldap, if is possible send me a example because I'm not very clear about this protocol with samba. Samba uses LDAP for the same purposes/reasons everything else does - a secure, high-performance, highly available, hierarchical data repository. There are several very good texts on LDAP. Acquire a copy of Understanding and Deploying LDAP Directory Services ISBN#0672323168
Re: [Samba] Re: locks cooperating with a server side process
I'm having a problem where I can gain the lock but the process is still writing to the file. If you're building a 'drop box' so to speak, where a process picks up files after they are copied in, perhaps you want to look into hooking for application into 'fam' http://oss.sgi.com/projects/fam/ man fam: ... fam is a server that tracks changes to the filesystem and relays these changes to interested applications. Applications such as fm(1G) and mailbox(1) present an up-to-date view of the filesystem. In the absence of fam, these applications and others like them are forced to poll the filesystem to detect changes. fam is more efficient. Applications can request fam to monitor any files or directories in any filesystem. When fam detects changes to monitored files, it notifies the appropriate application. The FAM API provides a programmatic interface to fam; see fam(3X). fam is informed of filesystem changes as they happen by the kernel through the imon(7M) pseudo device driver. If asked to monitor files on an NFS mounted filesystem, fam tries to use fam on the NFS server to monitor files. If fam cannot contact a remote fam, it polls the files instead. fam also polls special files. ...
Re: [Samba] Re: What happened to this list?
I've wondered that too. Samba gets better and this list seems to get less useful. Excellent documentation is now available. MANY of the questions/topics routinely posted to this list could be resolved if the posters availed themselves of that resource. We've implemented an extensive Samba/LDAP network with integrated DNS DHCP - everything required was in the appropriate documentation. Good question for the Samba team though... what can be done to enhance support so that we (the implementers) can be comfortable using Samba for mission critical apps in complex environments (PDC, LDAP, etc...) Do we just need the address to have pizza delivered to, or is the problem bigger than that!? (aka some sort of RedHat style support company where we pay for support) There are many places to purchase commercial support. If you're in the Great Lakes region I can provide you with a list of some very competent companies.
Re: [Samba] Building samba 3 with iPlanet DS5
I believe you need to build it against the openldap libraries, but then you can point it against any LDAP server you wish once it's built. Of course I haven't tried that, but it seems to be the consensus I've found. Yes.
Re: [Samba] best filesystem choice for samba (was: new user cannot logon)
The consensus seems to be XFS but I'm not sure how proven this filesystem is (I know SGI have used it since Irix 6.5 but that's a different OS). Been using it for years under Linux 2.4.x, and now 2.6.x, never had a lick of trouble. I need quotas and would like acls, but most of all want a fast reliable system. Sounds like XFS. Reports indicate that ext2/3 is particularly slow, especially for long file listings and many people Yep, also seems to get slower over time and just generally slower when it starts to get past 50% full. complain have corruption issues with reiser (but maybe that's RedHat only). Reiserfs, ick! I'd want a raise before I used that, many horror stories.
Re: [Samba] pam_ldap...help!
I'm trying to install pam_ldap on my fedora core 1 machine. It is asking for liblber.so and libldap.so dependencies even though I have them in /usr/lib. Should I just go install it without dependencies? what is wrong with this picture? Why are you asking here and NOT on the pam_ldap list (PADL.com)? This has nothing to do with Samba. You're probably using mismatched packages, find the correct Fedora packages, or rebuild them from the source RPM.
Re: [Samba] which XP clients registry hacks are necessary now?
I've read a lot of dated material about various registry hacks to make various patch levels of XP Clients work. NONE NONE NONE NONE NONE NONE NONE NONE NONE NONE NONE NONE Even Windows 2003 will merrily join a domain controlled by a recent version of Samba. I know, I can show you one. It seems this issue of registry hacks is posted at least once a day - the answer is NONE, NONE, NONE, NONE, NONE, NONE, NONE, NONE, NONE, NONE, NONE, NONE.
Re: [Samba] password expiry message -
pwdLastSet: 1086920093 logonTime: 0 logoffTime: 0 kickoffTime: 0 pwdCanChange: 0 pwdMustChange: 0 RECAP - samba controlled domain (2.2.8a) with an LDAP backend. Everything was working snazzy, till I changed my password yesterday. Now when I log in (win2k server sp4) I get the password will expire today message. We always had the same issue under 2.2.x. It supports password aging, force change (sort of), etc... but doesn't actually update all the attributes. Set the pwdMustChange to some ridiculous value in the future and, as I recall, the message will go away. Update to 3.0.x where this stuff actually works.
RE: [Samba] Winbind - More Info
Ok.. I figured a lot of this out... But I am lost on how to keep the UID and GIDs identical. How do I make sure system A uses the same IDs that system B will use? winbind with idmap (see Samba HOWTO Collection) or better yet, NSS with an LDAP backend.
Re: [Samba] And the LDIF thing
Sorry.. One more email.. I tried to create the IDMAP container on the LDAP with an example I found: dn: ou=Idmap,dc=softeng,dc=com objectClass: organizationalUnit ou: idmap structuralObjectClass: organizationalUnit Try dropping the structuralObjectClass line, or either use objectclass OR structuralObjectClass. You haven't said what DSA or version of DSA you're using.
Re: [Samba] login script
I have a solaris machine running samba, and a lot of computers with windows 2000. I need to generate a log file with the time when a user logon into the machine and the time when the user logout. Have you tried just capturing 03 (messenger) WINS registrations and deregistrations via DNS hook?
Re: [Samba] Samba and Terminal Server
Is Samba only a Windows File Server/Domain Controller, or can it act as terminal server for windows clients too? No, you need a M$ OS to be a M$ Terminal server (if you intend to run M$ apps).
Re: [Samba] Samba3 + LDAP
Is there any way to make it so that Samba3 with an LDAP backend doesn't need to create local linux accounts to work? Thanks. You *NEED* a POSIX account for each CIFS account, no way around that. Just use NSS and store the POSIX accounts in LDAP along with the CIFS accounts.
Re: [Samba] films on Desktops and roaming profiles
I'd like to ask you what do you limit Desktops syncing in case users put large files on them, e.g. films. Downloading / uploading such large files can generate lots of unnecessary traffic. Is there any kind of filtering possible ? Other solutions ? Via policies, just like with a Windows DC.
Re: [Samba] Samba3 + LDAP
Does this mean that it would be impossible to create a Virtual Samba Server. I currently use Slackware which does not use PAM so LDAP through NSS I don't think is possible for me. Nah. You don't need PAM. But NSS is part of glibc, so it would be amazing if you couldn't use the posixAccounts/posixGroups in LDAP.
Re: [Samba] Samba3 + LDAP
Does this mean that it would be impossible to create a Virtual Samba Server. I currently use Slackware which does not use PAM so LDAP through NSS I don't think is possible for me. Nah. You don't need PAM. But NSS is part of glibc, so it would be amazing if you couldn't use the posixAccounts/posixGroups in LDAP. Apologies if this sounds like I am contradicting you, but I have just looked at padl.com (the people who do nss_ldap) and they do say that Linux with Linux-PAM is a requirement. Are you referring to a different implementation? Do you have an nsswitch.conf file in /etc (or somewhere)? If not then they've extracted NSS and probably your only option is to use something like a NIS/LDAP gateway (beyond the scope of this list) or switch distributions.
Re: [Samba] Microsoft in a Samba Domain
We are planning to move from Netware to Samba in the near future. The trouble we have is that we have about 50 Microsoft servers in various Domains and Workgroups. These will be brought into the new domain structure when they are replaced (In the near future as well). If we could then we would replace all the Microsoft servers (who wouldn't) but they are application servers that will cost too much to replace. When Samba is the PDC and we are authenticating to an LDAP directory, will Microsoft be able to use the LDAP directory in a Samba Domain? No, M$ never authenticates using an LDAP directory (even in an Active Directory realm). The servers will authenticate against the Samba DC, which will use the LDAP directory on their behalf.
Re: [Samba] difference between domain (no member) and workgroup
I hope someone can tell me what is the difference between a domain (who I am not member of) and a workgroup in samba with the same name. A lot. Consult a CIFS text.
Re: [Samba] Samba 3.0.4 PDC w/ LDAP - XP client
logs look fine, reg.patches applied, uid=0 used, machines and users in the same ou=Users ... You don't need ANY registry patches to run a Samba PDC. Perhaps you're using some bits of stale documentation. I recommend using the two Samba PDF collections, and nothing else - too much out there is really horked up or just old.
Re: [Samba] Help Samba Virtual Servers (Host aliases) configuration problem
WHAT I AM TRYING TO ACCOMPLISH: I want this one server to present itself to Windows Networking as both ctstools and ftp such that when clients browse to \\ctstools all they see is the [tools] share and that when they browse to \\ftp they see whatever shares I place there. I'm missing something simple. I know it. include and - %L the NetBIOS name of the server. This allows you to change your config based on what the client calls you. Your server can have a dual personality. See man smb.conf
Re: [Samba] Suse Linux OpenExchange Server (Samba 2.2.5) and XP
Yes, ntconfig.pol OK, so we need to create a .pol file. It seems that the tools that will do this for NT/2000 don't cope with XP because (as it was explained to me) XP now supports a bigger, deeper registry and the tools can't load the .adm files. ntconfig.pol works fine for XP clients. MMC (or rather the group policy object editor snap-in) allows fiddling with the local registry, but apparently doesn't support saving a .pol file. So what do other people use to create .pol files for use with XP ? poledit.exe; just like for NT and 2000
Re: [Samba] LDAP, is just me or the Samba How-to?
I was trying to restart my LDAP service and used /etc/init.d/slapd restart, but it said slapd: unrecognized service. so I tried /etc/init.d ldap restart and it says that restarts the service slapd [ok]. I tried to look for the service on webmin and slapd doesn't even exist. Is the problem on my side or is there a mistake on the Samba-HOWTO-Collection? Different distros call the service different things. slapd is OpenLDAP's daemon for providing ldap.
Re: [Samba] Samba, pam, and kerberos
I'm not a complete expert in this area, but. If you try winbind its got to have a correctly configured kerberos client to contact the AD. Could you try this but specify your MIT Kerberos kdc instead. Samba cannot currently acquire Kerberos tickets on behalf of the client
Re: [Samba] Samba, pam, and kerberos
Ahh well, worth a shot. There is some development effort to integrate OpenLDAP, Samba, Heimdal. So you will be able to do this someday.
Re: [Samba] Suse Linux OpenExchange Server (Samba 2.2.5) and XP
Now, everything seems to be going down the pan, and it looks like the problem is that XP has dropped support for 'old style' controls and only supports Access Control Lists - so it seems to log in a user, but then the permissions are all screwed as it can't get the info it wants from the server. Reading the howtos suggests that Samba 3* supports stuff that XP is looking for, but the guy who we've taken on to do the XP stuff isn't convinced - suggesting that even with 'group mapping' (is that the right bit ?) XP will still fail. Rubbish, we have a Samba 3.0.3 PDC with LDAP SAM and XP with all the latest patches works fine except for the password change issue which is fixed in 3.0.4 (and only started occurring a couple of patches ago). All I want is for users to have to authenticate against the central database (LDAP), and for the various group memberships to be honoured when accessing files off the server. Work great. Has anyone else dealt with this sort of thing ? Every day, we've had a Samba PDC with LDAP backed since 2.2.1a Does XP work reliably with Samba 3 as PDC ? Yes. I'm also told that if we have roaming profiles, then the XP machines will store loads of c**p on the server and keep moving it back and forth as each user logs in/out - is this the case ? Yes, if your net-admin is a 'nit, and doesn't define any policies. Even with a real PDC you get this behaviour. Is there any way of dealing with it (eg having the machine pull the files down as needed) ? Yes, ntconfig.pol PS - any help gratefully received, preferably before my manager starts saying things to the effect of this wouldn't have happened if you'd stuck with MS. Yes, it all will. You'll face ALL the same issues you've mentioned.
Re: [Samba] tdb_fetch failed
Don't hi-jack threads! I have a samba server 3.0.0-15 acting as a PDC on a Windows domain (98, XP and 2000). Is there a way to automatically install printers to windows clients when users log in? Maybe by running a logon script... Yes.
Re: [Samba] Good day!
But I do have one request for help; is there a way in which I can allow users connected to the Samba machine to change their Samba passwords via a web interface? Or probably a command in which I can change it from Windows? Ctrl-Alt-Del, Change Password
Re: [Samba] Making shares invisible to unauthorized users
So, I want to set up each share so that it is only readable and writeable by a single user. And so that only that user can see the share. What are the key settings to achieve this kind of visibility and access control? I have figured out most of my Samba issues on my own, but I have a deadline today to get this issue resolved and I would appreciate hearing from someone who knows the solution. Define each share in a file such as smb.{username}.conf and include = smb.%U.conf in your master smb.conf. The share will only exist for the matching user. You can do the same by machine name or primary group.
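The per-user include described in the reply above, written out as an added example that is not part of the original thread. The file paths, the user name alice, the share name and the workgroup are assumptions; the `valid users` line is an addition here, so that access is enforced for the authenticated user and does not depend on the include alone.

```ini
# /etc/samba/smb.conf  (master file; path and names are assumed for this example)
[global]
    workgroup = EXAMPLE
    security = user
    # %U expands to the session user name, so each user's session
    # loads only the fragment that carries that user's name.
    include = /etc/samba/smb.%U.conf

# /etc/samba/smb.alice.conf  (per-user fragment, read only for sessions as alice)
[alice-docs]
    path = /srv/samba/alice-docs
    read only = no
    browseable = yes
    # Added hardening: the include decides who gets the share definition,
    # valid users decides who may connect to it.
    valid users = alice
    # New files stay private to the owner on the underlying filesystem.
    create mask = 0600
    directory mask = 0700
```

Running `testparm` against the master file checks the syntax of the global section; ownership and mode of `/srv/samba/alice-docs` should match the same single-user intent.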
Re: [Samba] humble plea - once more
Asked this question with absolutely no response - seems it's a high volume list ;-) This has been answered many times. Is there no way for unix crypt password - ntPassword conversion ? No. Just too strange - someone must have met the problem of moving existing unix users to NT domain before. Yep. You make everyone change their password.
Re: [Samba] OpenLDAP,heimdal kerberos,sasl, wich order?
http://www.math.gatech.edu/~dijuremo/ldap/ However, you can add Kerberos to your existing Samba LDAP server. That is, if you run Heimdal 0.6.1 (or better still a snapshot) you can use your sambaNTpassword as the type 23 encryption key, and have linux/unix/OSX clients use kerberos. Just curious if Heimdal will honor account flags like locked or disabled? And does it update/use the password can/must change attributes (for expiration, etc..)?
Re: [Samba] Unlocking Accounts
|pdbedit -c='[]' user will clear all flags | Removing the 'U' flag is probably a bad idea (breaks some user manager | function at least), so I would suggest | pdbedit -c='[U]' The U flag is set by default. I tested it before I sent the mail. I get - [EMAIL PROTECTED] root]# pdbedit -c='[U]' --user=adam Can only set [NDHLX] flags Setting to no flags seems to strip off everything but U - [EMAIL PROTECTED] root]# pdbedit -c='[]' --user=adam Unix username:adam NT username: adam Account Flags:[U ] User SID: S-1-5-21-2037442776-3290224752-88127236-1874 Primary Group SID:S-1-5-21-2037442776-3290224752-88127236-1461 Full Name:Adam Williams Home Directory: \\sardine\homedir HomeDir Drive:F Logon Script: cis.bat Profile Path: \\BARBEL\PROFILES\adam Domain: BACKBONE Account desc: Workstations: Munged dial: Logon time: 0 Logoff time: Mon, 18 Jan 2038 22:14:07 GMT Kickoff time: Mon, 18 Jan 2038 22:14:07 GMT Password last set:Thu, 25 Mar 2004 22:06:54 GMT Password can change: Thu, 25 Mar 2004 22:06:54 GMT Password must change: Mon, 18 Jan 2038 22:14:07 GMT Last bad password : 0 Bad password count : 0 Setting to lock the account, leaves U intact - [EMAIL PROTECTED] root]# pdbedit -c='[L]' --user=adam Unix username:adam NT username: adam Account Flags:[UL ] User SID: S-1-5-21-2037442776-3290224752-88127236-1874 Primary Group SID:S-1-5-21-2037442776-3290224752-88127236-1461 Full Name:Adam Williams Home Directory: \\sardine\homedir HomeDir Drive:F Logon Script: cis.bat Profile Path: \\BARBEL\PROFILES\adam Domain: BACKBONE Account desc: Workstations: Munged dial: Logon time: 0 Logoff time: Mon, 18 Jan 2038 22:14:07 GMT Kickoff time: Mon, 18 Jan 2038 22:14:07 GMT Password last set:Thu, 25 Mar 2004 22:06:54 GMT Password can change: Thu, 25 Mar 2004 22:06:54 GMT Password must change: Mon, 18 Jan 2038 22:14:07 GMT Last bad password : 0 Bad password count : 0
Re: [Samba] LDAP Q: What for use Containers
well, on NDS and Netware you could give file system access rights to a container and then all users in that container would inherit these rights. BTW, Windows and AD also cannot do this.

This just doesn't conceptually exist in a windows domain; but you might be able to use dynamic groups in OpenLDAP to fake it. Dynamic groups are assembled by the DSA based on a variety of criteria, which could I suppose, include being the leaf of a given container.

Basically it is a way to not use groups but assign information to objects based on their position in the LDAP tree. I can imagine many more uses, e.g. default servers, logon servers, share access rights, ... The point is, is there any use of the hierarchical structure of the LDAP directory for Samba? Or does Samba use the LDAP dir only like flat file or SQL DB?

Samba uses LDAP via a password database, so in many ways it treats them all the same. But you can do a lot in the DSA to streamline things.

AFAIK there is not yet much or maybe any support for such settings, but I want to discuss why not and whether others find it a useful thing to have.

I'd suggest digging into dynamic groups, overlays, etc... in very recent versions of OpenLDAP and see if you can achieve what you want.
Re: [Samba] Migrate Samba accounts to LDAP
How are you? Is tdb the standard passwd backend (/usr/local/samba/private/smbpasswd)? I suppose. I'm looking at migrating my Samba-3.0.1 server which has the standard tdb backend to Samba-3.0.2a with an LDAP backend. I plan to use nss_ldap too. What would be the best way of doing this? Any assistance would be greatly appreciated.

Get the LDAP backend all set up (add user, etc...) then use pdbedit's import/export functionality.
Re: [Samba] Directory listing with 11k files very slow to list
| I have a samba server which has a directory with 11764 files. (The
| program stores information about jobs and each job has 3 files,
| nothing I can do about it).
| When I do a listing of that directory using smbclient, it takes 15+
| seconds to complete, same thing on Windows XP.
| Does anyone have any ideas on how I can speed this up?

Three letters - XFS. We had terrible problems like this, we ditched ext2/3 and moved to XFS. Things are much better now.
[Samba] Unlocking Accounts
Once an account gets the L flag set in sambaAcctFlags is there a utility way to clear the lock on the account? I can clear the sambaBadPasswordCount with pdbedit -z, but that leaves the account in a locked state. I don't see any way to use pdbedit or smbpasswd to unlock an account (although I can enable/disable an account).
[Samba] Why ((objectClass=sambaDomain)(sambaDomainName=SARDINE))?
I have a member server that is constantly querying the LDAP server with - ((objectClass=sambaDomain)(sambaDomainName=SARDINE)) - when security=domain and workgroup=backbone. The server DOES authenticate domain users, and everything seems to work, but this is draining resources. This is RH9, Samba 3.0.3pre2 (although I'm pretty certain I saw this on 3.0.2) and OpenLDAP openldap-2.1.25-1 (local replicant).

[2004/04/16 15:52:09, 10] lib/smbldap.c:smbldap_connect_system(770)
  ldap_connect_system: Binding to ldap server ldapi:/// as cn=Manager,o=Morrison Industries,c=US
[2004/04/16 15:52:09, 3] lib/smbldap.c:smbldap_connect_system(805)
  ldap_connect_system: succesful connection to the LDAP server
[2004/04/16 15:52:09, 4] lib/smbldap.c:smbldap_open(856)
  The LDAP server is succesful connected
[2004/04/16 15:52:09, 5] lib/smbldap.c:rebindproc_connect_with_state(698)
  rebindproc_connect_with_state: Rebinding as cn=Manager,o=Morrison Industries,c=US
[2004/04/16 15:52:09, 0] lib/smbldap.c:smbldap_search_suffix(1125)
  smbldap_search_suffix: Problem during the LDAP search: (No such object)
[2004/04/16 15:52:09, 2] lib/smbldap.c:smbldap_search_domain_info(1351)
  Problem during LDAPsearch: No such object
[2004/04/16 15:52:09, 2] lib/smbldap.c:smbldap_search_domain_info(1352)
  Query was: , ((objectClass=sambaDomain)(sambaDomainName=SARDINE))
[2004/04/16 15:52:09, 2] passdb/pdb_ldap.c:pdb_init_ldapsam(2457)
  pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain
  pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, and will risk BDCs having inconsistant SIDs

Adam Tauno Williams
Network Systems Administrator
Morrison Industries
Grand Rapids, Mi. USA
[Samba] Restricting Access To a Workstation
My PDC is a Samba-3.0.3pre2/LDAPSAM/Redhat box. I'd like to restrict logon access to a specific workstation to members of a given group. My initial thought was to specify a valid [EMAIL PROTECTED] in the globals section of an included file (smb.conf.%m kind of thing). Only this doesn't seem to do anything; valid users is a share only directive? Is there any way to limit logon access to a specific workstation via samba?

Adam Tauno Williams
Network Systems Administrator
Morrison Industries
Grand Rapids, Mi. USA
[Samba] Samba/Cracklib Documentation?
I'm testing Samba 3.0.3pre2 and am particularly interested in the new --with-cracklib support. I see the configuration directive to enable cracklib functionality in the changelog, but am curious if anyone has any additional documentation. The man pages, etc... appear not to be updated yet. Is there any mechanism for 'tweaking' the password strength rules, as there is with pam_cracklib? If not does anyone have a URL, etc..., on what cracklib actually checks/requires? The only documentation I've been able to find on cracklib is pretty much the original 1997 Usenet post; which isn't terribly precise. I'd like to explain to my test users the kind of criteria their new passwords have to meet.

Adam Tauno Williams
Network Systems Administrator
Morrison Industries
Grand Rapids, Mi. USA
Re: [Samba] Re: samba on distro...
Are there certain extras for paid distros if they run as server, or are the distros only extra featured in terms of configuration. In other words: are free versions as stable as their costly counterparts?

Sometimes. Usually they have better support. Sometimes they have specially patched kernels.

Can they handle the same Samba-loads of 200 users. Will free versions go on their knees if those 200 log in in the same minute?

No way. Three samba servers here, all RedHat 9 with SGI's XFS kernels. Handle ~250 users with a load average of 0.20 (that's the peak on the PDC while everyone is logging in and loading their roaming profiles at 8-9am). The PDC is also the OpenLDAP master.

(if hardware is ideal - gigabit backbone, hp proliant server 3GHz, 1Gig RAM) Why should I want to buy a server-version if I can get a distro for free...

Do you want the support? Some shops use support, others don't. For a mere 200 users I certainly wouldn't bother. P.S. My samba boxes are all less powerful hardware than yours.
Re: [Samba] Resolving computername from ip
Is there, on an intranet, any way to resolve the computername from its ip? I have a setup where I know which users are on which ip, and I want to notify some events to some users with a smbclient -M. But since I don't know the computername, I don't know any way to send the popups...

nmblookup -A?

Set up an intranet DNS service and propagate WINS information into it with wins hook. If you are using an LDAP passdb bind has a very good ldap-sdb module so you can keep host zone information in the same Dit as well; nice for administration.
Re: [Samba] Resolving computername from ip
Is there, on an intranet, any way to resolve the computername from its ip? I have a setup where I know which users are on which ip, and I want to notify some events to some users with a smbclient -M. But since I don't know the computername, I don't know any way to send the popups...

nmblookup -A?

Set up an intranet DNS service and propagate WINS information into it with wins hook. If you are using an LDAP passdb bind has a very good ldap-sdb module so you can keep host zone information in the same Dit as well; nice for administration.

Is this better than dynamic update DNS?, SOL.

I suppose it depends on what you want to accomplish. It seems more flexible and extensible to me than raw DDNS, but the big boon is management. Adjusting DNS records can then be done through the same tool/interface you use for user, groups, mail routing, etc. Add in the LDAP patch for ISC's DHCP server and you've almost got an end-to-end directory enabled network. Works very well for us; just throwing it out there since I think these solutions get overlooked a lot.
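The wins hook route suggested in this thread, sketched as an added example (not code from the thread or from the Samba project): nmbd runs the configured hook with the operation, NetBIOS name, two-digit hex name type, TTL and the registered IP addresses, and the function below turns one such call into nsupdate input after validating every client-supplied field. The zone name intranet.example, the function names and the choice to publish only name types 00 and 20 are assumptions.

```shell
#!/bin/sh
# Added example: turn wins hook arguments into nsupdate input.
# Called as: <add|delete|refresh> <name> <nametype-hex> <ttl> [ip ...]
DNS_ZONE="intranet.example"   # assumption: placeholder zone name

# Accept only a dotted quad with four octets in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print nsupdate commands for one WINS event; return 1 if anything is rejected.
wins_to_nsupdate() {
    [ "$#" -ge 4 ] || return 1
    op=$1; name=$2; ntype=$3; ttl=$4
    shift 4
    # Assumption: only workstation (00) and server (20) names become A records.
    case "$ntype" in 00|20) ;; *) return 1 ;; esac
    # Names are client-supplied: allow one DNS label, so no spaces, dots,
    # newlines or shell metacharacters reach the line-oriented nsupdate input.
    case "$name" in ''|-*|*[!A-Za-z0-9-]*) return 1 ;; esac
    [ "${#name}" -le 15 ] || return 1
    case "$ttl" in ''|*[!0-9]*) return 1 ;; esac
    fqdn="$(printf '%s' "$name" | tr 'A-Z' 'a-z').$DNS_ZONE."
    out="update delete $fqdn A"
    case "$op" in
        add|refresh)
            # An empty address list means the name should simply be deleted.
            for ip in "$@"; do
                is_ipv4 "$ip" || return 1
                out="$out
update add $fqdn $ttl A $ip"
            done ;;
        delete) ;;
        *) return 1 ;;
    esac
    printf '%s\nsend\n' "$out"
}
```

Used as the hook itself, the script would end by piping `wins_to_nsupdate "$@"` into nsupdate with whatever authentication the DNS server requires.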
Re: [Samba] ldap backends separate samba user account and machine account
I have set up a samba PDC with ldap backends. I don't want to mess my LDAP database with machine accounts, I use it to auth UNIX and MAIL servers. Can some one give me some good idea?

Put the machine accounts in a separate organizational unit or partition. I don't see how they constitute a mess and why you wouldn't want them in with everything else. Samba 3.x lets you use multiple backends. They just get searched in the order they are listed. But you can only add accounts automatically to the first one.
Re: [Samba] password chat program timeout
after some investigation, I found out why my users always get an error back when they try to change their passwords on win2k. unix password sync option is enabled and passwords are synchronised via passwd chat. All accounts are stored in ldap. With the value of 2000 ms in smbd/chgpasswd.c(function expect) I always got timeout messages in the logs. The reason for the timeout seems to be the relatively long ldap-lookup. However with a value of 5000 ms it works, users can change their (unix-)passwords over samba. Is there a chance to have a default value of 5000 ms or even longer in the next release? I also wonder if somebody else observed this kind of timeout issue.

We have seen this too. It would be ideal if this were a configuration directive.
Re: [Samba] Is there a buffer or cache setting in samba?
Looking at a Linux monitoring program -- I believe it's called XOSVIEW -- I think I can see the problem.

Take a look at - ftp://ftp.kalamazoolinux.org/pub/pdf/PerfTune2001.pdf

And use smbtorture to test your throughput to Samba after each tweak (BACKING UP smb.conf BEFORE EVERY CHANGE, making the change, and doing a service smb restart, then test - repeat).
Re: [Samba] Re: Samba on ReiserFS
O.K., I am not bound to ReiserFS, but I want to use a journaling file system and ACLs. What filesystems would You recommend? Or does somebody know a solution for the problem with the ReiserFS?

I'm using XFS (currently 2.4.21 vanilla with XFS 1.3 patch) and I can recommend it. Stable, fast and feature rich. Prior to start using of journalling fs I made some research over net. And found XFS (comparing to ext3, ReiserFS, JFS) - IMHO - the best one.

We've also been using XFS for years and I second the recommendation. It is journalized, supports ACLs and other EA, supports dynamic resizing (if used alongside LVM) and has excellent support tools. Remember that your backup solution needs to support ACLs/EA as well as your filesystem. The XFS tools have been very reliable. XFS performance is excellent, and we haven't seen any degradation over time like we see with ext2/3.
Re: [Samba] samba 2.2.6 to samba3.0
i want to update samba 2.2.6 to 3.0. i have samba-ldap installed. i don't want to create all the machine again. What files i have to save from samba 2.2.6 to have all the machines in the domain after installed

you just need to maintain the same domain SID (and name of course) rpcclient's lsaquery command on the old installation to determine this then use net setlocalsid with that value on the new installation. Be aware that the ldap schema has changed so you'll have to migrate your data (or i'm told there are some compatibility ldap options - google if you want that)

If you use the same configure options (--with-ldapsam) then these are enabled by default. Otherwise, it's the ldapsam_compat passdb backend. When we converted our PDC to 3.0 we first just upgraded Samba (being careful to migrate the SID of course) and used ldapsam_compat, then after a week of successful operation we converted the Dit using the provided scripts and switched to ldapsam. This provides a low-risk and almost painless upgrade route. The ldapsam provides lots of advantages over ldapsam_compat, so it is worth it to move.
Re: [Samba] Samba 3 Production
Is anyone using Samba 3 in a production environment? If so what version and how stable is it?

I'm running Samba3 RC4 in production and it's been running for over a month with no hiccups.

We have five Samba 3.0.0 servers (one PDC, one print server, one fileserver, two other misc. boxes) with ~200 users spread across two states (frame-relay) running Windows 95 through XP. We started using Samba 3 as of pre1 since even then it was faster and more featureful than 2.2.8. Except for some minor hiccups with WINS (that may not even have been Samba's fault as the problem evaporated as spontaneously as it appeared) Samba 3.0.0 has been truly a dream to work with.