Re: [Samba] Issue with pam_winbind for MS AD authentication and moduleoptions
Have tested it but it didn't made any difference unfortunatelly. Perhaps my pam config is still wrong, don't know, but it looks like a small bug to me that maybe has not been noticed yet, and if so, perhaps a timeout option in pam_winbind could do the job, who knows!! cheers, Andre Miles, Noal wrote: > I haven't tested but perhaps this pam entry in system-auth will help > (insert before winbind account entry) > > account sufficient/lib/security/$ISA/pam_succeed_if.so uid < 100 > quiet > > Noal > > -Original Message- > From: Andre Fernando Goldacker [mailto:[EMAIL PROTECTED] > Sent: Wednesday, April 04, 2007 11:06 AM > To: Andre Fernando Goldacker > Cc: Miles, Noal; samba@lists.samba.org > Subject: Re: [Samba] Issue with pam_winbind for MS AD authentication and > moduleoptions > > > I made a mistake, group in nsswitch.conf looks like this: > > group: files winbind > > sorry about that!! > > Andre > > Andre Fernando Goldacker wrote: > >> Hello! >> >> passwd, shadow and group looks as follows in nsswitch.conf: >> >> passwd: files winbind >> shadow: files >> group: files group >> >> What really confuses me is that when my AD server is up and running, >> root or any local user logs in with no problem. And even when AD >> server is down, after trying a zillion times, root and other local >> users login, and then if I log them out and try again a few minutes >> later it won't go again, then again after a few minutes it works again >> > > >> and it keeps going like that. >> >> My guess is that when it's not going pam_winbind and winbind are >> trying to connect to the AD Server resulting in a huge delay in the >> login process afecting also local users login. That's why I was >> wondering if there is a "timeout" option or something for pam_winbind >> to avoid that. Well, that's my guess I could be wrong and maybe the >> problem is something else. >> >> Anyway thank's so far for your help, if you or anyone has a light... >> >> Andre >> >> >> >> Miles, Noal wrote: >> >> >>> You have files before winbind in /etc/nsswitch.conf for passwd, >>> shadow, group? >>> >>> Noal >>> >>> -Original Message- >>> From: [EMAIL PROTECTED] >>> [mailto:[EMAIL PROTECTED] On >>> Behalf Of Andre Fernando Goldacker >>> Sent: Wednesday, April 04, 2007 8:40 AM >>> To: samba@lists.samba.org >>> Subject: [Samba] Issue with pam_winbind for MS AD authentication and >>> moduleoptions >>> >>> >>> Hello! >>> >>> I've configured samba with winbind and pam_winbind module to >>> authenticate users that connect to my linux box against MS AD. >>> >>> Works like a charm. If a user exists both in AD and locally, login >>> should assume local users. Again, it works pretty well (It seems at >>> least with my current config). >>> >>> If my AD server goes down for any reason, local users should be able >>> to login. For example, root has to login always no matter if my AD >>> server exploded. >>> >>> That's where is the problem. When I shutdown my AD server and I try >>> to login with a local user (root as well), my guess is that it seems >>> that pam_winbind waits for a very very long time trying to find my AD >>> > > >>> server to authenticate that even the local login times out. I don't >>> really know if that is the reason for this behaviour, but if it is, >>> I'm wondering if there is a hidden or maybe a new "timeout" option >>> for pam_winbind module as I didn't found anything related in the man >>> pages and the mailing lists archive. Or maybe if login finds the user >>> > > >>> in the local database, bypass winbind authentication, don't know if >>> that is possible. >>> >>> The reason why I came up with this idea is that when the AD server is >>> > > >>> down and I try to login with root for eg. over and over many times, >>> after a while it goes (looks like pam config order is right), but a >>> few minutes later it won't again, which made me thought that perhaps >>> winbind or pam_winbind are trying to estabilish a connection with AD >>> and somehow because of that the whole process slows down so much that >>&g
Re: [Samba] Issue with pam_winbind for MS AD authentication and moduleoptions
Hi, Thanks for your reply! As you said that you have a similiar issue, I think you can achieve this with pam_winbind module as well, with the cached_login option set and with "winbind offline logon" enabled in your smb.conf file if I'm correct. In both cases, I can't think of how it could work when you have for example two usernames with the same name in ad and linux but with different passwords. Any ideas Andre Sebastian Knieschewski wrote: > Hi, > > maybe this isn't exactly what you're looking for, but it could help you: > > "pam_ccreds" > > cached credentials, this should give you full access to your server > even if the ad-server is down. I haven't used this module yet. Just > found it today while looking for a solution concerning a similar issue. > > Good luck! > > Sebastian Knieschewski > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Issue with pam_winbind for MS AD authentication and moduleoptions
I made a mistake, group in nsswitch.conf looks like this: group:files winbind sorry about that!! Andre Andre Fernando Goldacker wrote: > Hello! > > passwd, shadow and group looks as follows in nsswitch.conf: > > passwd: files winbind > shadow: files > group: files group > > What really confuses me is that when my AD server is up and running, > root or any local user logs in with no problem. > And even when AD server is down, after trying a zillion times, root and > other local users login, and then if I log them out and try again a few > minutes later it won't go again, then again after a few minutes it works > again and it keeps going like that. > > My guess is that when it's not going pam_winbind and winbind are trying > to connect to the AD Server resulting in a huge delay in the login > process afecting also local users login. That's why I was wondering if > there is a "timeout" option or something for pam_winbind to avoid that. > Well, that's my guess I could be wrong and maybe the problem is > something else. > > Anyway thank's so far for your help, if you or anyone has a light... > > Andre > > > > Miles, Noal wrote: > >> You have files before winbind in /etc/nsswitch.conf for passwd, shadow, >> group? >> >> Noal >> >> -Original Message- >> From: [EMAIL PROTECTED] >> [mailto:[EMAIL PROTECTED] On >> Behalf Of Andre Fernando Goldacker >> Sent: Wednesday, April 04, 2007 8:40 AM >> To: samba@lists.samba.org >> Subject: [Samba] Issue with pam_winbind for MS AD authentication and >> moduleoptions >> >> >> Hello! >> >> I've configured samba with winbind and pam_winbind module to >> authenticate users that connect to my linux box against MS AD. >> >> Works like a charm. If a user exists both in AD and locally, login >> should assume local users. Again, it works pretty well (It seems at >> least with my current config). >> >> If my AD server goes down for any reason, local users should be able to >> login. For example, root has to login always no matter if my AD server >> exploded. >> >> That's where is the problem. When I shutdown my AD server and I try to >> login with a local user (root as well), my guess is that it seems that >> pam_winbind waits for a very very long time trying to find my AD server >> to authenticate that even the local login times out. I don't really know >> if that is the reason for this behaviour, but if it is, I'm wondering if >> there is a hidden or maybe a new "timeout" option for pam_winbind module >> as I didn't found anything related in the man pages and the mailing >> lists archive. Or maybe if login finds the user in the local database, >> bypass winbind authentication, don't know if that is possible. >> >> The reason why I came up with this idea is that when the AD server is >> down and I try to login with root for eg. over and over many times, >> after a while it goes (looks like pam config order is right), but a few >> minutes later it won't again, which made me thought that perhaps winbind >> or pam_winbind are trying to estabilish a connection with AD and somehow >> because of that the whole process slows down so much that even local >> login times out. >> >> Samba is configured to catch UID's, GID's from AD using SFU and ad idmap >> backend. Only users that are members of a specified AD group are able to >> login. The purpose of the machine is to be an application server and >> share folders based on AD users and group permissions. >> >> My system is RHEL AS3 with update 7 and samba-3.0.24 >> >> Below are my pam lines in the system-auth file: >> >> #%PAM-1.0 >> # This file is auto-generated. >> # User changes will be destroyed the next time authconfig is run. >> authrequired /lib/security/$ISA/pam_env.so >> authsufficient/lib/security/$ISA/pam_unix.so likeauth nullok >> authsufficient/lib/security/$ISA/pam_winbind.so >> try_first_pass require_membership_of=DOMAIN+group >> authrequired /lib/security/$ISA/pam_deny.so >> >> account required /lib/security/$ISA/pam_unix.so nullok_secure >> account sufficient/lib/security/$ISA/pam_winbind.so >> >> passwordrequired /lib/security/$ISA/pam_cracklib.so retry=3 >> passwordsufficient/lib/security/$ISA/pam_unix.so nullok >> use_authtok md5 shadow >> passwordrequired /lib/security/$ISA/pam_deny.so >> >> ses
Re: [Samba] Issue with pam_winbind for MS AD authentication and moduleoptions
Hello! passwd, shadow and group looks as follows in nsswitch.conf: passwd: files winbind shadow: files group: files group What really confuses me is that when my AD server is up and running, root or any local user logs in with no problem. And even when AD server is down, after trying a zillion times, root and other local users login, and then if I log them out and try again a few minutes later it won't go again, then again after a few minutes it works again and it keeps going like that. My guess is that when it's not going pam_winbind and winbind are trying to connect to the AD Server resulting in a huge delay in the login process afecting also local users login. That's why I was wondering if there is a "timeout" option or something for pam_winbind to avoid that. Well, that's my guess I could be wrong and maybe the problem is something else. Anyway thank's so far for your help, if you or anyone has a light... Andre Miles, Noal wrote: > You have files before winbind in /etc/nsswitch.conf for passwd, shadow, > group? > > Noal > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On > Behalf Of Andre Fernando Goldacker > Sent: Wednesday, April 04, 2007 8:40 AM > To: samba@lists.samba.org > Subject: [Samba] Issue with pam_winbind for MS AD authentication and > moduleoptions > > > Hello! > > I've configured samba with winbind and pam_winbind module to > authenticate users that connect to my linux box against MS AD. > > Works like a charm. If a user exists both in AD and locally, login > should assume local users. Again, it works pretty well (It seems at > least with my current config). > > If my AD server goes down for any reason, local users should be able to > login. For example, root has to login always no matter if my AD server > exploded. > > That's where is the problem. When I shutdown my AD server and I try to > login with a local user (root as well), my guess is that it seems that > pam_winbind waits for a very very long time trying to find my AD server > to authenticate that even the local login times out. I don't really know > if that is the reason for this behaviour, but if it is, I'm wondering if > there is a hidden or maybe a new "timeout" option for pam_winbind module > as I didn't found anything related in the man pages and the mailing > lists archive. Or maybe if login finds the user in the local database, > bypass winbind authentication, don't know if that is possible. > > The reason why I came up with this idea is that when the AD server is > down and I try to login with root for eg. over and over many times, > after a while it goes (looks like pam config order is right), but a few > minutes later it won't again, which made me thought that perhaps winbind > or pam_winbind are trying to estabilish a connection with AD and somehow > because of that the whole process slows down so much that even local > login times out. > > Samba is configured to catch UID's, GID's from AD using SFU and ad idmap > backend. Only users that are members of a specified AD group are able to > login. The purpose of the machine is to be an application server and > share folders based on AD users and group permissions. > > My system is RHEL AS3 with update 7 and samba-3.0.24 > > Below are my pam lines in the system-auth file: > > #%PAM-1.0 > # This file is auto-generated. > # User changes will be destroyed the next time authconfig is run. > authrequired /lib/security/$ISA/pam_env.so > authsufficient/lib/security/$ISA/pam_unix.so likeauth nullok > authsufficient/lib/security/$ISA/pam_winbind.so > try_first_pass require_membership_of=DOMAIN+group > authrequired /lib/security/$ISA/pam_deny.so > > account required /lib/security/$ISA/pam_unix.so nullok_secure > account sufficient/lib/security/$ISA/pam_winbind.so > > passwordrequired /lib/security/$ISA/pam_cracklib.so retry=3 > passwordsufficient/lib/security/$ISA/pam_unix.so nullok > use_authtok md5 shadow > passwordrequired /lib/security/$ISA/pam_deny.so > > session required /lib/security/$ISA/pam_limits.so > session required /lib/security/$ISA/pam_unix.so > session required /lib/security/$ISA/pam_mkhomedir.so umask=0022 > skel=/etc/skel > > Considering that if a user exists both in the local user database and > AD, login has to assume local user (seems to be working fine), could > someone give me a hint if I'm in the right path, and maybe an idea why > or what I could do when my AD servers goes down to my local users > (including root) log in normally?? > > Any help will be greatly appreciated, > > Andre > > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Issue with pam_winbind for MS AD authentication and module options
Hello! I've configured samba with winbind and pam_winbind module to authenticate users that connect to my linux box against MS AD. Works like a charm. If a user exists both in AD and locally, login should assume local users. Again, it works pretty well (It seems at least with my current config). If my AD server goes down for any reason, local users should be able to login. For example, root has to login always no matter if my AD server exploded. That's where is the problem. When I shutdown my AD server and I try to login with a local user (root as well), my guess is that it seems that pam_winbind waits for a very very long time trying to find my AD server to authenticate that even the local login times out. I don't really know if that is the reason for this behaviour, but if it is, I'm wondering if there is a hidden or maybe a new "timeout" option for pam_winbind module as I didn't found anything related in the man pages and the mailing lists archive. Or maybe if login finds the user in the local database, bypass winbind authentication, don't know if that is possible. The reason why I came up with this idea is that when the AD server is down and I try to login with root for eg. over and over many times, after a while it goes (looks like pam config order is right), but a few minutes later it won't again, which made me thought that perhaps winbind or pam_winbind are trying to estabilish a connection with AD and somehow because of that the whole process slows down so much that even local login times out. Samba is configured to catch UID's, GID's from AD using SFU and ad idmap backend. Only users that are members of a specified AD group are able to login. The purpose of the machine is to be an application server and share folders based on AD users and group permissions. My system is RHEL AS3 with update 7 and samba-3.0.24 Below are my pam lines in the system-auth file: #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. authrequired /lib/security/$ISA/pam_env.so authsufficient/lib/security/$ISA/pam_unix.so likeauth nullok authsufficient/lib/security/$ISA/pam_winbind.so try_first_pass require_membership_of=DOMAIN+group authrequired /lib/security/$ISA/pam_deny.so account required /lib/security/$ISA/pam_unix.so nullok_secure account sufficient/lib/security/$ISA/pam_winbind.so passwordrequired /lib/security/$ISA/pam_cracklib.so retry=3 passwordsufficient/lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow passwordrequired /lib/security/$ISA/pam_deny.so session required /lib/security/$ISA/pam_limits.so session required /lib/security/$ISA/pam_unix.so session required /lib/security/$ISA/pam_mkhomedir.so umask=0022 skel=/etc/skel Considering that if a user exists both in the local user database and AD, login has to assume local user (seems to be working fine), could someone give me a hint if I'm in the right path, and maybe an idea why or what I could do when my AD servers goes down to my local users (including root) log in normally?? Any help will be greatly appreciated, Andre -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] wbinfo not looking up groups in mixed MS NT/2k AD
I've upgraded to samba-3.0.20b and it's working fine. nscd isn't running. I've noticed that, when I add / remove someone to / from the group "internet", which in my case is the one I give internet access, it is taking a while for the user appear / be removed in the group when I run getent group, the user appears only after a while, more or less 10 minutes. Is there a setting or something in which it updates quicker?? Thanks in advance, André On Sat, 2005-10-15 at 17:24 -0600, John H Terpstra wrote: > On Friday 14 October 2005 12:25, Andre Fernando Goldacker wrote: > > Upgraded to samba-3.0.20b and it's working fine now. > > > > I've noticed that, when I add / remove someone to / from the group > > "internet", which in my case is the one I give internet access, it is > > taking a while for the user appear / be removed in the group, when I do > > getent group the user only appears after a while, more or less 10 > > minutes. Is there a setting or something in which it updates quicker?? > > Pleae check that nscd is not running. It sounds like it may be. > > - John T. > > > > > Thanks in advance, > > > > André > > > > On Fri, 2005-10-14 at 10:14 -0300, Felipe Augusto van de Wiel wrote: > > > -BEGIN PGP SIGNED MESSAGE- > > > Hash: SHA1 > > > > > > Andre Fernando Goldacker escreveu: > > > [...] > > > > > > > wbinfo -n 'EARTH\testgroup' > > > > Could not lookup name EARTH\testgroup > > > > > > > > I think that's the reason why my squid can't match users / groups. > > > > My winbind log file reports me the following lines when I try to > > > > match user/group from squid: > > > > > > > > [2005/10/13 16:46:48, 0] lib/util_sid.c:string_to_sid(301) > > > > string_to_sid: Sid Could not lookup name internet does not start > > > > with 'S-'. > > > > [2005/10/13 16:46:48, 1] > > > > nsswitch/winbindd_sid.c:winbindd_sid_to_gid(241) > > > > > > > > Could not cvt string to sid Could not lookup name internet > > > > Any clues why I can lookup users, but not goups? > > > > My AD has about 1100 users and 150 groups. > > > > Any help will be much appreciated, > > > > > > Never saw this problem before, but looking at the logs, > > > looks like your group entry does not have the proper field set, > > > or the field is not right, in other words, it does not start > > > with a "S-" like all the SID's. > > > > > > It is not much help, but perhaps could be a start, > > > good luck! Kind regards, > > > > > > - -- > > > // > > > // Felipe Augusto van de Wiel <[EMAIL PROTECTED]> > > > // CTI/Suporte - SEDU/PARANACIDADE > > > // http://www.paranacidade.org.br/ > > > // > > > -BEGIN PGP SIGNATURE- > > > Version: GnuPG v1.4.1 (GNU/Linux) > > > Comment: Using GnuPG with Debian - http://enigmail.mozdev.org > > > > > > iD8DBQFDT69HCj65ZxU4gPQRAud7AKCXdp+qPvaiyDX10VuqO3WpftM5MgCfQ4rN > > > t1bixV+pGNo1N9MTvz9SfsA= > > > =AqZF > > > -END PGP SIGNATURE- > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] wbinfo not looking up groups in mixed MS NT/2k AD
Upgraded to samba-3.0.20b and it's working fine now. I've noticed that, when I add / remove someone to / from the group "internet", which in my case is the one I give internet access, it is taking a while for the user appear / be removed in the group, when I do getent group the user only appears after a while, more or less 10 minutes. Is there a setting or something in which it updates quicker?? Thanks in advance, André On Fri, 2005-10-14 at 10:14 -0300, Felipe Augusto van de Wiel wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Andre Fernando Goldacker escreveu: > [...] > > wbinfo -n 'EARTH\testgroup' > > Could not lookup name EARTH\testgroup > > > I think that's the reason why my squid can't match users / groups. > > My winbind log file reports me the following lines when I try to > > match user/group from squid: > > > [2005/10/13 16:46:48, 0] lib/util_sid.c:string_to_sid(301) > > string_to_sid: Sid Could not lookup name internet does not start > > with 'S-'. > > [2005/10/13 16:46:48, 1] > > nsswitch/winbindd_sid.c:winbindd_sid_to_gid(241) > > > Could not cvt string to sid Could not lookup name internet > > Any clues why I can lookup users, but not goups? > > My AD has about 1100 users and 150 groups. > > Any help will be much appreciated, > > Never saw this problem before, but looking at the logs, > looks like your group entry does not have the proper field set, > or the field is not right, in other words, it does not start > with a "S-" like all the SID's. > > It is not much help, but perhaps could be a start, > good luck! Kind regards, > > - -- > // > // Felipe Augusto van de Wiel <[EMAIL PROTECTED]> > // CTI/Suporte - SEDU/PARANACIDADE > // http://www.paranacidade.org.br/ > // > -BEGIN PGP SIGNATURE- > Version: GnuPG v1.4.1 (GNU/Linux) > Comment: Using GnuPG with Debian - http://enigmail.mozdev.org > > iD8DBQFDT69HCj65ZxU4gPQRAud7AKCXdp+qPvaiyDX10VuqO3WpftM5MgCfQ4rN > t1bixV+pGNo1N9MTvz9SfsA= > =AqZF > -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] wbinfo not looking up groups in mixed MS NT/2k AD
Hello, I'm having trouble when I try do get a group SID from my domain, the user lookup and authentication is working fine. Actually what I'm trying to do is to authenticate squid against MS AD using winbind. I need to restrict access by group, so I'm using wbinfo_group.pl to do it. The machine has been built to be a proxy server only. I'm using Suse Linux 9.3 Professional samba-3.0.13-1.1 squid-2.5.STABLE9-4.4 Below are my .conf files: /etc/nsswitch.conf passwd: files winbind shadow: files nis group: files winbind hosts: files lwres dns networks: files dns services: files protocols: files rpc:files ethers: files netmasks: files netgroup: files winbind publickey: files bootparams: files automount: files nis aliases:files /etc/samba/smb.conf [global] workgroup = EARTH server string = Samba Server netbios name = Mordor printing = cups printcap name = cups printcap cache time = 750 cups options = raw printer admin = @ntadmin, root, administrator security = ads realm = EARTH.COM allow trusted domains = no password server = ads01.earth.com ads02.earth.com encrypt passwords = yes winbind uid = 5000-1 winbind gid = 5000-1 # winbind use default domain = yes winbind separator = \\ winbind enum users = yes winbind enum groups = yes template homedir = /home/%D/%U template shell = /bin/bash Auth lines from my squid.conf file: auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic external_acl_type grupo ttl=900 concurrency=70 % LOGIN /usr/sbin/wbinfo_group.pl acl acesso external grupo internet acl CONNECT method CONNECT acl rede proxy_auth REQUIRED src 172.31.16.0/24 http_access allow acesso If I change to just authenticate users against the AD it works, but group restrictions don't... OK, let's see what's going on wbinfo -t checking the trust secret via RPC calls succeeded Looks ok... wbinfo -u EARTH\user1 EARTH\user2 EARTH\user3 ... Looks great too... wbinfo -g BUILTIN\system operators BUILTIN\replicators BUILTIN\guests BUILTIN\power users BUILTIN\print operators BUILTIN\administrators BUILTIN\account operators BUILTIN\backup operators BUILTIN\users EARTH\domain users EARTH\domain guests EARTH\domain computers EARTH\group policy creator owners EARTH\schema adm Again everything seems to be fine, as with the getent passwd and getent group too... getent passwd root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/bin/bash daemon:x:2:2:Daemon:/sbin:/bin/bash EARTH\user1:x:502:501:User1:/home/EARTH/user1:/bin/bash EARTH\user2:x:503:501:User2:/home/EARTH/user2:/bin/bash EARTH\user3:x:504:501:User3:/home/EARTH/user3:/bin/bash getent group root:x:0: bin:x:1:daemon EARTH\domain users:x:501: EARTH\domain guests:x:504: EARTH\domain computers:x:503: EARTH\testgroup:x:603:EARTH\user1,EARTH\user-xyz Let's try to authenticate a user wbinfo -a 'EARTH\user1%testuser' plaintext password authentication succeeded challenge/response password authentication succeeded OK, let's try to get a user SID wbinfo -n 'EARTH\user1' S-1-5-21-1707697585-1731156218-134157935-4028 User (1) But the same with a group SID doesn't work, and theres nothing in the winbind log file wbinfo -n 'EARTH\testgroup' Could not lookup name EARTH\testgroup I think that's the reason why my squid can't match users / groups. My winbind log file reports me the following lines when I try to match user/group from squid: [2005/10/13 16:46:48, 0] lib/util_sid.c:string_to_sid(301) string_to_sid: Sid Could not lookup name internet does not start with 'S-'. [2005/10/13 16:46:48, 1] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(241) Could not cvt string to sid Could not lookup name internet Any clues why I can lookup users, but not goups? My AD has about 1100 users and 150 groups. Any help will be much appreciated, André -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba