[Samba] SID consistency between two samba servers
I'm a bit lost, probably, but I have the following setup.

server-1: OSX Leopard Samba server, acts as PDC with the odsam backend.
server-2: member of the Samba domain hosted by server-1. At the same time server-2 hosts the /home directories on NFS and is configured as an nss_ldap client of the OD LDAP on server-1. So, Samba users and local users are the same.

How can I make sure that server-2 will use the same SIDs for users/groups?

The problem is simple: when I connect as DOMAIN/myuser to the home directory of myuser on server-2 and check permissions, I see permissions for "Unix User/myuser", not DOMAIN/myuser. How can I make sure that Samba on server-2 will generate the proper SIDs?

Anton.

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] SID consistency between two samba servers
Figured it out myself: idmap backend nss + winbind do the trick!

On Feb 9, 2010, at 4:09 AM, Anton Starikov wrote:

> I'm a bit lost, probably, but I have the following setup.
>
> server-1: OSX Leopard Samba server, acts as PDC with the odsam backend.
> server-2: member of the Samba domain hosted by server-1. At the same time server-2 hosts the /home directories on NFS and is configured as an nss_ldap client of the OD LDAP on server-1. So, Samba users and local users are the same.
>
> How can I make sure that server-2 will use the same SIDs for users/groups?
>
> The problem is simple: when I connect as DOMAIN/myuser to the home directory of myuser on server-2 and check permissions, I see permissions for "Unix User/myuser", not DOMAIN/myuser. How can I make sure that Samba on server-2 will generate the proper SIDs?
>
> Anton.
[Samba] join samba server to openldap/kerberos directory
I googled a lot but didn't find any answer. My problem is the following: I have an OpenLDAP/Kerberos directory. I have a Samba server (samba-A), which acts as NT PDC and uses LDAP/Kerberos as its backend. I have another Samba server (samba-B) which I want to authenticate users against my directory. Of course I can join it to my Samba NT PDC, and it works, but by doing this I lose the ability to authenticate via Kerberos tickets.

Is it possible for samba-B to see my directory as AD, in order to be able to net ads join and have the full set of possible authentication methods for samba-B? What kind of records should I add to my OpenLDAP/Kerberos directory in order to be able to perform net ads join? Obviously I can't have full AD functionality here, but I don't need it. I just want it to simulate AD enough that the second Samba server can join it and use it for authentication.

AFAIK, if my KDC is based on MIT there is another workaround in the case of security=user, but there are some extra reasons why I would want to be in ADS mode.

Anton.
Re: [Samba] mac client: folder copy problem
Probably it can be related. In my case, filesync of portable directories with the Samba server always fails for newly created directories with this error:

    0:: 09/12/16 06:49:55.282 EXCEPTION: Invalid argument -SStoreFileOperator_FS applyPermissionsFromObject: (StoreFileOperator-FS.m:508): chflags('/Network/Servers/samba.server.host/cifstest/', flags=0)-- Error Domain=NSPOSIXErrorDomain Code=22 UserInfo=0x10058c170 Invalid argument

It tries to chflags after creation of the directory and gets this error.

Anton.

On Dec 16, 2009, at 6:37 PM, Ryan Suarez wrote:

> Volker Lendecke wrote:
>> On Wed, Dec 16, 2009 at 09:30:18AM -0800, Jeremy Allison wrote:
>>> Yes, I have seen this at a customer site. I've stared at the logs and sniffs for MANY hours, but I could not find anything. If you solve this, please let me know :-)
>>
>> Try pinging George and James (CC:ed on this :-). Hopefully they can help.
>>
>> Already done. Jht mentioned that turning off winbind fixed it for him ... :-)
>
> hmm, this server isn't even running winbind...
Re: [Samba] mac client: folder copy problem
And although it creates the directory, it doesn't copy the contents, because it stops the process of copying the directory after this error. If I repeat filesync, the contents of the directory will be copied (because the directory is already there). So, it looks exactly the same.

If so, then the problem is in chflags(). I expect that Samba on Linux is compiled without support for chflags, obviously. I presume that setting unix extensions = no would probably fix this, but it has a drawback, because then you lose native Unix things like symlinks etc. Which, at least in our case, is not possible, because the shares are accessed by both Mac and Linux clients over NFS (the same clients on different hosts) and symlinks are heavily used.

I think the OSX client, when it sees that the server supports unix extensions, expects that on the other side is an OSX server with a Samba which supports chflags. So, if we don't discuss a rewrite of the OSX CIFS FS, then the only solution is to emulate chflags support on the Samba side (or convert flags to XFS/EXT3 attrs somehow).

On Dec 16, 2009, at 6:48 PM, Anton Starikov wrote:

> Probably it can be related. In my case, filesync of portable directories with the Samba server always fails for newly created directories with this error:
>
>     0:: 09/12/16 06:49:55.282 EXCEPTION: Invalid argument -SStoreFileOperator_FS applyPermissionsFromObject: (StoreFileOperator-FS.m:508): chflags('/Network/Servers/samba.server.host/cifstest/', flags=0)-- Error Domain=NSPOSIXErrorDomain Code=22 UserInfo=0x10058c170 Invalid argument
>
> It tries to chflags after creation of the directory and gets this error.
>
> Anton.
>
> On Dec 16, 2009, at 6:37 PM, Ryan Suarez wrote:
>
>> Volker Lendecke wrote:
>>> On Wed, Dec 16, 2009 at 09:30:18AM -0800, Jeremy Allison wrote:
>>>> Yes, I have seen this at a customer site. I've stared at the logs and sniffs for MANY hours, but I could not find anything. If you solve this, please let me know :-)
>>>
>>> Try pinging George and James (CC:ed on this :-). Hopefully they can help.
>>>
>>> Already done. Jht mentioned that turning off winbind fixed it for him ... :-)
>>
>> hmm, this server isn't even running winbind...
Re: [Samba] mac client: folder copy problem
On Dec 16, 2009, at 7:08 PM, Jeremy Allison wrote:

> On Wed, Dec 16, 2009 at 07:00:09PM +0100, Anton Starikov wrote:
>> And although it creates the directory, it doesn't copy the contents, because it stops the process of copying the directory after this error. If I repeat filesync, the contents of the directory will be copied (because the directory is already there). So, it looks exactly the same.
>>
>> If so, then the problem is in chflags(). I expect that Samba on Linux is compiled without support for chflags, obviously. I presume that setting unix extensions = no would probably fix this, but it has a drawback, because then you lose native Unix things like symlinks etc. Which, at least in our case, is not possible, because the shares are accessed by both Mac and Linux clients over NFS (the same clients on different hosts) and symlinks are heavily used.
>>
>> I think the OSX client, when it sees that the server supports unix extensions, expects that on the other side is an OSX server with a Samba which supports chflags. So, if we don't discuss a rewrite of the OSX CIFS FS, then the only solution is to emulate chflags support on the Samba side (or convert flags to XFS/EXT3 attrs somehow).
>
> Hmmm. Looks like a client bug then, in that they don't cope with an error on chflags set. What error is the Samba server returning here ?

Of course it is a client error. But it is much easier to add a dirty hack to Samba on the server than to fool around with a bunch of clients. Does Apple open-source their implementation of smbfs?

> George, what errors can the MacOSX client cope with and continue ?
>
> Jeremy.
Re: [Samba] mac client: folder copy problem
Yep, and there is some other problem with the OSX client and the Linux Samba server:

    smbd_audit: cifstest|IP_HERE|cifstest|chmod_acl|fail (No data available)|Desktop/ddldldl|755
    smbd_audit: cifstest|IP_HERE|cifstest|chmod_acl|fail (No data available)|Library/Application Support/Growl/Tickets/.fstemp.+PHD-R-722svsk6Bb5-cifstest+jMHkRwxhxN3.noindex|644
    cmsdata smbd_audit: cifstest|IP_HERE|cifstest|chmod_acl|fail (No data available)|Library/Application Support/Growl/Tickets/.fstemp.+PHD-R-722svsk6Bb5-cifstest+jMHkRwxhxN3.noindex|744

It is with unix extensions = yes.

On Dec 16, 2009, at 7:08 PM, Jeremy Allison wrote:

> On Wed, Dec 16, 2009 at 07:00:09PM +0100, Anton Starikov wrote:
>> And although it creates the directory, it doesn't copy the contents, because it stops the process of copying the directory after this error. If I repeat filesync, the contents of the directory will be copied (because the directory is already there). So, it looks exactly the same.
>>
>> If so, then the problem is in chflags(). I expect that Samba on Linux is compiled without support for chflags, obviously. I presume that setting unix extensions = no would probably fix this, but it has a drawback, because then you lose native Unix things like symlinks etc. Which, at least in our case, is not possible, because the shares are accessed by both Mac and Linux clients over NFS (the same clients on different hosts) and symlinks are heavily used.
>>
>> I think the OSX client, when it sees that the server supports unix extensions, expects that on the other side is an OSX server with a Samba which supports chflags. So, if we don't discuss a rewrite of the OSX CIFS FS, then the only solution is to emulate chflags support on the Samba side (or convert flags to XFS/EXT3 attrs somehow).
>
> Hmmm. Looks like a client bug then, in that they don't cope with an error on chflags set. What error is the Samba server returning here ?
>
> George, what errors can the MacOSX client cope with and continue ?
>
> Jeremy.
Re: [Samba] mac client: folder copy problem
But what is strange is the fact that I don't see chflags commands during the audit on the server side. And, obviously, the client accepts the chmod_acl errors silently. (Although, as a result, I don't have ACLs on the files on the server side.) So, it looks like the client knows that the server doesn't support chflags, and complains locally. Can it be an issue that vfs_audit doesn't audit chflags if it is unsupported on the server side?

On Dec 16, 2009, at 7:51 PM, Anton Starikov wrote:

> Yep, and there is some other problem with the OSX client and the Linux Samba server:
>
>     smbd_audit: cifstest|IP_HERE|cifstest|chmod_acl|fail (No data available)|Desktop/ddldldl|755
>     smbd_audit: cifstest|IP_HERE|cifstest|chmod_acl|fail (No data available)|Library/Application Support/Growl/Tickets/.fstemp.+PHD-R-722svsk6Bb5-cifstest+jMHkRwxhxN3.noindex|644
>     cmsdata smbd_audit: cifstest|IP_HERE|cifstest|chmod_acl|fail (No data available)|Library/Application Support/Growl/Tickets/.fstemp.+PHD-R-722svsk6Bb5-cifstest+jMHkRwxhxN3.noindex|744
>
> It is with unix extensions = yes.
>
> On Dec 16, 2009, at 7:08 PM, Jeremy Allison wrote:
>
>> On Wed, Dec 16, 2009 at 07:00:09PM +0100, Anton Starikov wrote:
>>> And although it creates the directory, it doesn't copy the contents, because it stops the process of copying the directory after this error. If I repeat filesync, the contents of the directory will be copied (because the directory is already there). So, it looks exactly the same.
>>>
>>> If so, then the problem is in chflags(). I expect that Samba on Linux is compiled without support for chflags, obviously. I presume that setting unix extensions = no would probably fix this, but it has a drawback, because then you lose native Unix things like symlinks etc. Which, at least in our case, is not possible, because the shares are accessed by both Mac and Linux clients over NFS (the same clients on different hosts) and symlinks are heavily used.
>>>
>>> I think the OSX client, when it sees that the server supports unix extensions, expects that on the other side is an OSX server with a Samba which supports chflags. So, if we don't discuss a rewrite of the OSX CIFS FS, then the only solution is to emulate chflags support on the Samba side (or convert flags to XFS/EXT3 attrs somehow).
>>
>> Hmmm. Looks like a client bug then, in that they don't cope with an error on chflags set. What error is the Samba server returning here ?
>>
>> George, what errors can the MacOSX client cope with and continue ?
>>
>> Jeremy.
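The question above is whether a VFS op that the server never executes shows up in the vfs_full_audit log at all. As an added example (not code from the thread or from Samba), here is a small parser for smbd_audit lines in the `user|client|share|op|result|args` layout quoted above; it counts failed ops by error message and reports which expected ops never appear in the log. The sample lines are constructed, with a placeholder client IP.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Set

# vfs_full_audit records, as quoted in this thread, look like
#   smbd_audit: <user>|<client ip>|<share>|<vfs op>|ok or fail (errmsg)|<op args...>
# A syslog timestamp/hostname prefix may precede "smbd_audit:".
AUDIT_RE = re.compile(r"smbd_audit:\s*(?P<rec>.+)$")
FAIL_RE = re.compile(r"^fail\s*\((?P<err>.*)\)\s*$")


@dataclass
class AuditRecord:
    user: str
    client: str
    share: str
    op: str
    ok: bool
    error: Optional[str]
    args: List[str] = field(default_factory=list)


def parse_audit_line(line: str) -> Optional[AuditRecord]:
    """Return an AuditRecord for one audit line, or None if the line is not one."""
    m = AUDIT_RE.search(line)
    if m is None:
        return None
    fields = m.group("rec").split("|")
    if len(fields) < 5:
        return None
    user, client, share, op, result = (f.strip() for f in fields[:5])
    fm = FAIL_RE.match(result)
    ok = fm is None and result == "ok"
    error = fm.group("err") if fm else (None if ok else result)
    return AuditRecord(user, client, share, op, ok, error, [f for f in fields[5:] if f])


def summarize_failures(lines) -> Counter:
    """Count failed VFS operations by (op, error message)."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_audit_line(line)
        if rec is not None and not rec.ok:
            counts[(rec.op, rec.error)] += 1
    return counts


def missing_ops(lines, expected: Set[str]) -> Set[str]:
    """Which of the expected VFS ops never show up in the audit log at all."""
    seen = {rec.op for rec in map(parse_audit_line, lines) if rec is not None}
    return set(expected) - seen


# Constructed sample modelled on the lines quoted in the thread (192.0.2.10 is a placeholder).
SAMPLE_LOG = """\
smbd_audit: cifstest|192.0.2.10|cifstest|chmod_acl|fail (No data available)|Desktop/ddldldl|755
smbd_audit: cifstest|192.0.2.10|cifstest|chmod_acl|fail (No data available)|Library/Application Support/x.noindex|644
Dec 16 19:51:02 fileserver smbd_audit: antst|192.0.2.10|antst|sys_acl_get_file|ok|.
smbd_audit: antst|192.0.2.10|antst|get_nt_acl|ok|.
smbd_audit: antst|192.0.2.10|antst|mkdir|ok|cifstest
some unrelated syslog line
""".splitlines()

if __name__ == "__main__":
    for (op, err), n in summarize_failures(SAMPLE_LOG).items():
        print(f"{op}: {n} failure(s), error={err!r}")
    print("never audited:", sorted(missing_ops(SAMPLE_LOG, {"chflags", "chmod_acl", "mkdir"})))
```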
Re: [Samba] mac client: folder copy problem
On Dec 16, 2009, at 9:28 PM, James Peach wrote:

> Please file a bug at http://bugreporter.apple.com and attach the packet trace. This will help us to make a case to fix this in an update.

Thanks, I will do my best! :)

Anton
Re: [Samba] mac client: folder copy problem
One question. The fact that the client ignores the ACL capabilities of the server, is it also normal for the current smbfs implementation?

On Dec 16, 2009, at 9:28 PM, James Peach wrote:

> 2009/12/16 Jeremy Allison j...@samba.org:
>> On Wed, Dec 16, 2009 at 07:00:09PM +0100, Anton Starikov wrote:
>>> And although it creates the directory, it doesn't copy the contents, because it stops the process of copying the directory after this error. If I repeat filesync, the contents of the directory will be copied (because the directory is already there). So, it looks exactly the same.
>>>
>>> If so, then the problem is in chflags(). I expect that Samba on Linux is compiled without support for chflags, obviously. I presume that setting unix extensions = no would probably fix this, but it has a drawback, because then you lose native Unix things like symlinks etc. Which, at least in our case, is not possible, because the shares are accessed by both Mac and Linux clients over NFS (the same clients on different hosts) and symlinks are heavily used.
>>>
>>> I think the OSX client, when it sees that the server supports unix extensions, expects that on the other side is an OSX server with a Samba which supports chflags. So, if we don't discuss a rewrite of the OSX CIFS FS, then the only solution is to emulate chflags support on the Samba side (or convert flags to XFS/EXT3 attrs somehow).
>>
>> Hmmm. Looks like a client bug then, in that they don't cope with an error on chflags set. What error is the Samba server returning here ?
>>
>> George, what errors can the MacOSX client cope with and continue ?
>
> FileSync wants to create accurate copies of files, including all their metadata. We just pass the error up the stack. The current code does not look too closely at the unix capabilities, we should be looking at the flags mask in the UNIX_INFO2 response and handling the case where the server doesn't understand any flags.
>
> Please file a bug at http://bugreporter.apple.com and attach the packet trace. This will help us to make a case to fix this in an update.
>
> --
> James Peach | jor...@gmail.com
Re: [Samba] mac client: folder copy problem
On Dec 16, 2009, at 9:45 PM, James Peach wrote:

> 2009/12/16 Anton Starikov ant.stari...@gmail.com:
>> One question. The fact that the client ignores the ACL capabilities of the server, is it also normal for the current smbfs implementation?
>
> Even in 10.5, the smbfs client does not ignore the filesystem ACL support attribute.

With unix extensions enabled? Then I don't understand where the problem is.

On the server side I see:

    smbd_audit: antst|xxx|antst|sys_acl_get_file|ok|.
    smbd_audit: antst|xxx|antst|sys_acl_get_file|ok|.
    smbd_audit: antst|xxx|antst|sys_acl_get_entry|ok|
    smbd_audit: antst|xxx|antst|sys_acl_free_acl|ok|
    smbd_audit: antst|xxx|antst|sys_acl_free_acl|ok|
    smbd_audit: antst|xxx|antst|get_nt_acl|ok|.

A file:

    # getfacl /home/antst/tt1
    getfacl: Removing leading '/' from absolute path names
    # file: home/antst/tt1
    # owner: antst
    # group: cmsusers
    user::rw-
    user:mohand:rwx
    group::r--
    mask::rwx
    other::---

And on the client side:

    ls -le /tmp/qq1/tt1
    -rw-r- 1 antst cmsusers 0 Dec 16 20:19 /tmp/qq1/tt1

And if I try to set an ACL from OSX I get:

    $ chmod +a mohand allow write /tmp/qq1/tt1
    chmod: Failed to set ACL on file '/tmp/qq1/tt1': Operation not supported

Looking into the source code of the client (thanks for the link) I see that CIFS_UNIX_POSIX_ACLS_CAP is not referenced in the sources (except the header file, where it is defined). Although it can mean nothing, and you could just use the numerical value somewhere in the code.

Anton
Re: [Samba] mac client: folder copy problem
On Dec 16, 2009, at 10:13 PM, James Peach wrote:

> It doesn't use unix ACLs, it uses SMB ACLs.

Then with unix extension = yes there is no way for propagation of ACLs?

BTW, I tried it with unix extension = no on the server side. According to Google it used to work on 10.5.x this way. But on 10.6.2 it results in the same behavior:

    chmod: Failed to set ACL on file '/tmp/qq1/tt1': Operation not supported

Anton.
Re: [Samba] mac client: folder copy problem
On Dec 16, 2009, at 10:28 PM, Ryan Suarez wrote:

> Anton Starikov wrote:
>> Then with unix extension = yes there is no way for propagation of ACLs?
>>
>> BTW, I tried it with unix extension = no on the server side. According to Google it used to work on 10.5.x this way.
>
> Nope, I'm testing with OSX v10.5.7 client and we have 'unix extensions=no' explicitly set on the server. This problem still occurs.

Then I don't understand. I found a few cases on the internet where disabling unix extensions helped to enable ACLs for 10.5.x. Probably it was with older versions of Leopard with an older smbfs.

Anton.
Re: [Samba] mac client: folder copy problem
On Dec 17, 2009, at 8:22 AM, George K Colley wrote:

> On Dec 16, 2009, at 1:39 PM, Anton Starikov wrote:
>> On Dec 16, 2009, at 10:28 PM, Ryan Suarez wrote:
>>> Anton Starikov wrote:
>>>> Then with unix extension = yes there is no way for propagation of ACLs?
>>>>
>>>> BTW, I tried it with unix extension = no on the server side. According to Google it used to work on 10.5.x this way.
>>>
>>> Nope, I'm testing with OSX v10.5.7 client and we have 'unix extensions=no' explicitly set on the server. This problem still occurs.
>>
>> Then I don't understand. I found a few cases on the internet where disabling unix extensions helped to enable ACLs for 10.5.x. Probably it was with older versions of Leopard with an older smbfs.
>
> unix extension on or off has no effect on ACL support. We turn on NT Style ACL support only if we think the Server, Client and Network Log in user all belong to the same Domain.

How to check it or enforce it? The setup is the following:

1) On the OSX 10.5 server: OpenDirectory + Samba PDC.
2) Linux server with Samba (member of the domain hosted on OSX).
3) OSX 10.6 client. The OSX client logs in as an OpenDirectory user. In OpenDirectory, apple-user-homeurl is set to point to the Samba share on the Linux server.

Anton.
Re: [Samba] mac client: folder copy problem
On Dec 17, 2009, at 8:35 AM, George K Colley wrote:

>>> unix extension on or off has no effect on ACL support. We turn on NT Style ACL support only if we think the Server, Client and Network Log in user all belong to the same Domain.
>>
>> How to check it or enforce it? The setup is the following:
>>
>> 1) On the OSX 10.5 server: OpenDirectory + Samba PDC.
>
> On 10.5 we require that the mount point be owned by an AD user and the log user is an AD user.

There is no AD. The OSX server acts as PDC. But in smb.conf on this server it is specified that profiles and homes should be taken from the Linux server (for Windows clients' domain logons). We mount nothing on the 10.5 server itself; it just acts as the authorization center for all kinds of services. On the Linux file server, obviously, the home shares are the same user home directories we share over NFS. So, permissions are OK.

>> 2) Linux server with Samba (member of the domain hosted on OSX).
>
> Can't be some with 10.5 clients

Didn't get your point here.

>> 3) OSX 10.6 client. The OSX client logs in as an OpenDirectory user. In OpenDirectory, apple-user-homeurl is set to point to the Samba share on the Linux server.
>
> Need to return the correct info in the WhoAMI call. I will need to look at the code. So let me get back to you on this one.

OK, I'll test it today.

Anton.
[Samba] Kerberos authentication when accessing samba domain member when PDC is also samba
Hi! I have the following setup:

PDC: Samba 3.0.25b-apple, Mac OS X 10.5.8 server (let's call it Serv1). Machines can join the domain. Clients can use Kerberos to authenticate. Everything works pretty well.

Domain member: Samba 3.2.7-11.4.1-2210-SUSE-CODE11, OpenSUSE 11.1 (let's call it Serv2). This server joined the domain. Clients can connect, the server authenticates clients on the domain controller, everything is good, with one exception: clients can't use Kerberos authentication when they access Serv2. Serv2 is unable to check the validity of tickets.

Is it possible to have such a config working (Samba domain members accepting Kerberos authentication) without a Windows-based ADS?

Here I provide the effective [global] section for both servers.

Serv1:

    Server role: ROLE_DOMAIN_PDC
    [global]
        dos charset = 437
        unix charset = UTF-8-MAC
        display charset = UTF-8-MAC
        workgroup = MY_DOMAIN
        realm = XX.MY.REALM.HERE
        server string = PDC
        auth methods = guest, odsam
        map to guest = Bad User
        obey pam restrictions = Yes
        passdb backend = odsam
        lanman auth = No
        use kerberos keytab = Yes
        log level = 2
        debug pid = Yes
        max xmit = 131072
        name resolve order = lmhosts wins bcast host
        max smbd processes = 100
        printcap name = cups
        add user script = /usr/bin/opendirectorypdbconfig -c create_user_account -r %u -n /LDAPv3/127.0.0.1
        add machine script = /usr/bin/opendirectorypdbconfig -c create_computer_account -r %u -n /LDAPv3/127.0.0.1
        logon script = logon.cmd
        logon path = XXX
        logon drive = XXX
        logon home = XXX
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        wins server = 130.89.4.21
        usershare path = /var/samba/shares
        idmap domains = default
        idmap alloc backend = odsam
        idmap negative cache time = 5
        com.apple:filter shares by access = yes
        darwin_streams:brlm = yes
        idmap config default:backend = odsam
        idmap config default:default = yes
        acl check permissions = No
        ea support = Yes
        stream support = Yes
        use sendfile = Yes
        printing = cups
        print command =
        lpq command = %p
        lprm command =
        include = /var/db/smb.conf
        vfs objects = darwinacl, darwin_streams

Serv2:

    Server role: ROLE_DOMAIN_MEMBER
    [global]
        workgroup = MY_DOMAIN
        realm = XX.MY.REALM.HERE
        server string = file-server
        security = domain
        map to guest = Bad User
        password server = my.pdc.hostname.here
        log file = /var/log/samba/log.%m.%U
        printcap name = cups
        add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
        domain master = No
        wins server = wins_servers_here
        winbind use default domain = Yes
        cups options = raw
        include = /etc/samba/dhcp.conf

I tried to put security = ADS for Serv2, but it doesn't change a lot. And, obviously, you can't net ads join on Serv2, because Serv1 isn't really ADS.

Does anyone have ideas how to get this setup working? I'm pretty sure there should be some magical trick! Because Serv1 definitely can accept krb5 tickets, and Serv2 is able to use this method, at least in the case of an ADS controller above it. Of course I can try to work it a different way (put security=USER for Serv2 and spend days and hours trying to get it to authorize against OpenDirectory), but I would rather prefer to stick to the domain concept.

Anton.