Re: [Samba] loging user actions
From time to time some of our users delete files. But none of them do confess that they have deleted the file. I want to find at the samba logs which user has deleted the file. I'm using the audit-vfs module but there are only messages about opening and closing of files. Can anybody give me a hint for using samba logs to find the users I'm searching for?

This is not a direct answer to your question, but rather a suggestion of a different strategy that might resolve your underlying problem:

At a combined middle/high school we implemented vfs-recycle, so our deleted files aren't really deleted but rather are moved to a network trash can (which we then regularly trim with 'find' really removing files that haven't been touched in a week). Our requests related to deleted files (why?, please access your backup, etc.) went to ZERO. Our students (who are notoriously impulsive and forgetful) don't ever ask us where a file went any more.

We found the vfs-recycle strategy works incredibly well for us. We have a second backup mechanism also, but in the last couple of years it's never ever been used nor even investigated. As far as our user students are concerned, the vfs-recycle by itself takes care of all their problems.

-Chuck Kollars

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
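The weekly trim the reply describes, as an added example that is not part of the original post: a shell function that empties a recycle repository by access time. It assumes the share sets `recycle:touch = yes`, so that a file's access time records when it was moved into the bin; the repository path and the 7-day default are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed: the repository path
# passed in, the 7-day default, and "recycle:touch = yes" on the share so a
# file's access time records when it was moved into the recycle bin. Without
# that setting an old file deleted today could be trimmed on the next run.

# trim_recycle REPO [DAYS]
# Remove files and symlinks under REPO that were last accessed more than DAYS
# full days ago, then prune directories left empty. Prints the count removed.
trim_recycle() {
    repo=$1
    days=${2:-7}

    # Refuse anything that could turn this into "delete old files everywhere".
    case $repo in
        ''|/|.|..)
            echo "trim_recycle: refusing to trim '$repo'" >&2
            return 2 ;;
    esac
    if [ ! -d "$repo" ] || [ -L "$repo" ]; then
        echo "trim_recycle: '$repo' is not a real directory" >&2
        return 2
    fi
    case $days in
        ''|*[!0-9]*)
            echo "trim_recycle: day count must be a whole number" >&2
            return 2 ;;
    esac

    # find does not follow symlinks by default, and -xdev keeps it on one
    # filesystem, so a link or mount inside the bin cannot redirect deletion.
    removed=$(find "$repo" -xdev \( -type f -o -type l \) -atime +"$days" \
                  -print -exec rm -f -- {} \; | wc -l)

    # Depth-first, so a directory emptied by removing its children goes too.
    # REPO itself (depth 0) is kept.
    find "$repo" -xdev -mindepth 1 -depth -type d -empty \
         -exec rmdir -- {} \; 2>/dev/null || true

    echo $((removed))
}
```

Run it from cron once per share or home-directory repository; the printed count is worth logging so a sudden jump in trimmed files gets noticed.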
Re: [Samba] config-file for recycle bin
    config-file = /etc/samba/recycle.conf
    vfs object = recycle
    recycle:subdir_mode = 0770
    recycle:keeptree = Yes
    recycle:repository = Recycle Bin
    recycle:versions = Yes
    recycle:directory_mode = 0770

    Ignoring unknown parameter config-file

My working system has all the same lines in it _except_ the config-file line. I think you missed something like a change of font that was supposed to indicate instructions and instead interpreted it as something literal to go in the file.

-Chuck Kollars
Re: [Samba] samba password hashes exposed to ldapsearch
... I see that the samba password hashes are shown with a simple ldapsearch command. ...

I do not have this problem. My /etc/openldap/slapd.conf includes the lines at the end of this message. The passwords are not visible via ldapsearch, yet the Samba on the same machine can still access them (probably because it runs as root).

(The lines also include a provision for syncrepl replication, which probably isn't relevant to Samba usage.)

-Chuck Kollars

    ### set up some restrictions to not make passwords visible
    access to attrs=sambaLMPassword,sambaNTPassword,MMSNumber,userPassword
        by dn.exact=cn=ReplicateUser,dc=ipswichschools,dc=org read
        by * auth

    # Default read access to everything else
    # (should be last to act as default)
    # (not optional - without this it doesn't work right)
    access to *
        by * read
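One way to confirm that a restriction like the one in the message above is in force, as an added example that is not part of the original post: run the search with an anonymous or unprivileged bind and pipe the LDIF through a filter that reports any restricted attribute still visible. The host, base DN and sample entries are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Feed it the LDIF returned by a
# search made with an unprivileged or anonymous bind, for instance
#   ldapsearch -x -LLL -H ldap://localhost -b dc=example,dc=org \
#       '(objectClass=sambaSamAccount)' | exposed_secrets
# The host and base DN in that command are placeholders.

# Attributes the slapd.conf rule restricts (MMSNumber is site-specific).
SECRET_ATTRS="userPassword sambaLMPassword sambaNTPassword MMSNumber"

# exposed_secrets [ATTR-LIST]
# Reads LDIF on stdin and prints "DN<TAB>attribute" for every restricted
# attribute present. Values are never printed.
exposed_secrets() {
    awk -v list="${1:-$SECRET_ATTRS}" '
        function check(l,   name) {
            if (l == "" || l ~ /^#/) return
            name = l
            sub(/:.*/, "", name)      # "attr: v" and "attr:: b64" -> "attr"
            sub(/;.*/, "", name)      # drop options such as ";binary"
            if (tolower(name) == "dn") {
                dn = l
                sub(/^[^:]*::? */, "", dn)
                return
            }
            if (tolower(name) in secret) print dn "\t" name
        }
        BEGIN {
            n = split(tolower(list), a, " ")
            for (i = 1; i <= n; i++) secret[a[i]] = 1
        }
        /^ / { line = line substr($0, 2); next }   # LDIF folded-line continuation
        { check(line); line = $0 }
        END { check(line) }
    '
}

# ldif_is_clean: succeeds only if nothing restricted is visible.
ldif_is_clean() {
    [ -z "$(exposed_secrets "$@")" ]
}

# Constructed sample: what an anonymous search returns with no ACL in place.
sample_open_ldif() {
    cat <<'EOF'
dn: uid=student1,ou=People,dc=example,dc=org
uid: student1
sambaNTPassword: 00000000000000000000
 000000000000
userPassword:: Q09OU1RSVUNURUQ=

dn: uid=student2,ou=People,dc=example,dc=org
uid: student2
sambaLMPassword: 00000000000000000000000000000000
EOF
}

# Constructed sample: the same search once the restriction is in force.
sample_restricted_ldif() {
    cat <<'EOF'
dn: uid=student1,ou=People,dc=example,dc=org
uid: student1

dn: uid=student2,ou=People,dc=example,dc=org
uid: student2
EOF
}
```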
[Samba] server-side AND client-side symlinks?
How can I have both server-side and client-side symlinks?

Server-side symlinks are needed for example when what appears to the user to be a single mounted directory is actually tens of little pieces tied together by symlinks. Having those symlinks coalesces many mounts that would all have to be perfect in parallel into a single mount that's either fully successful or not.

Client-side symlinks are needed for example when an application rearranges names and directories into a more understandable outline.

Each symlink has a context - server-side links usually make no sense if interpreted on the client, and client-side links usually make no sense if interpreted on the server.

It appears the unix/linux extensions are all or none. With them on, all symlinks are visible to and interpreted by the _client_. With them off, all symlinks are invisibly interpreted by the _server_ (and the client isn't even allowed to create any).

How can I note which symlinks are server-side and which are client-side, and have Samba interpret the server-side ones internally yet at the same time make the client-side ones visible to the user?

thanks! -Chuck Kollars
Re: [Samba] number of aces in big endian format?
... I thought all the data over the wire was in little endian format! ...

Huh? Ever since the original ARPAnet network data (possibly except Microsoft) has been in BIGendian format. See for example http://www.ietf.org/rfc/ien/ien137.txt for details.

It's easy to get the impression the native numeric order of the Intel chip is correct; more likely it's a horrid hack inherited from the micro world via the Z80.

thanks! -Chuck Kollars
Re: [Samba] Is Samba Shadowcopying can be used in Production Environement with more than 20 TB of data
... there will be more than 20TB of data to be backup weekly which will take lots of hours. ...

Check out the `rsync` spinoff of Samba. `Rsync`'s basic idea is copy what's changed rather than just copying everything. It does so very well and very quickly. Copying only changed files can easily be a couple of orders of magnitude quicker than copying the whole thing.

The possible flaw with this strategy that used to keep people from implementing it was that the determination of what's changed had to be _perfect_. A backup's no good if it only contains 99% of the current data. The `rsync` tool provides the needed reliability, making this strategy possible in real life rather than just pie in the sky. (Of course your backup medium needs to be a disk farm rather than tapes...)

My situation is much smaller than yours: a little over 1000 users with a total of a little over 100GB of data. When I started using `rsync`, my backups went from many hours once a month (clearly not frequent enough, but we couldn't afford to do better) to ~10 minutes every day. (I don't use any features of Samba itself, and I don't use any aspect of LVM.)

And that ~10 minutes is even with the backup on a separate machine accessed over a network, so bandwidth's limited to 100MB. A SAN would probably do quite a bit better. (The completely separate machine is our way of avoiding a single point of failure.)

(And because the backup is to another disk, the backup disk can be made available read-only to lots of folks. As a result, in my situation anybody can restore any individual file at any time virtually instantaneously.)

(The first time will of course take a long long time, but after that daily updates will be real quick.)

-Chuck Kollars
Re: [Samba] using cifs to access posix acl from a linux client
We would like to mount a Linux server running samba using a cifs mount from a linux client (linux-linux) and still be able to access the extended attributes. ACLs work on the native filesystem, however when we mount the samba server on the Linux client using

    mount -t cifs //localhost/test test -o username=xxx

Then the extended attributes are no longer visible, only the default posix rights. Any ideas?

My experience over the last year in probing deeply into the interaction of Linux ACLs with Samba (but I'm not a Samba expert and could be wrong:-) is you can't get there from here. While you can get Samba to pretty much use the Linux ACLs on the _server_ side, Linux ACLs will never behave _exactly_ the same way they do for a user who's directly logged on nor will they be visible to the _client_.

I found the implementation of Linux ACLs to still be a little more off the beaten path than I assumed naively at first. It interacts weirdly with quotas; I can crash it (admittedly my kernel is now out of date). I had to get a special version of `rsync` that understood and propagated Linux ACLs (the regular one doesn't). And I'm even a little doubtful about full support in NFS.

good luck! -Chuck Kollars
Re: [Samba] broken pipe
Just a guess - I'm not a Samba guru:

This looks to me like the student shutdown procedure is press the power button rather than click Start-Shutdown-Shutdown-OK. If so, the solution is don't do that.

In summary, if the students turn off the power while some disk operations are still pending in the PC's memory, there's nothing Samba can do to make it right. The best it can do is sense something is wrong, force all the files closed, and force a disconnect ...which seems to be exactly what it's doing.

Maybe it's time for a short lesson in orderly shutdown. Especially make sure the teacher understands the awful consequences of an abrupt shutdown. It's like having a power failure every day. Show them the logs. Better yet, find a student file that's unusable because it's corrupted and show them that.

It's very believable to me that the herd mentality has asserted itself and all the students are doing the same (wrong?) thing. If the students are working right up to the class end time, then want to leave as quickly as possible, instruct them it's better (although not great:-) to _start_ an orderly shutdown then leave than it is to turn off the power.

thanks! -Chuck Kollars
[Samba] Re: Samba ACLs?
From: Chuck Kollars ckollars9 at yahoo.com
Subject: Samba ACLs?
Date: 2006-08-19 02:46:45 GMT

How exactly do Samba 3.x and ACLs interrelate? ... I started out naively assuming that the *nix uidNumber/gidNumber Samba mapped the end user to would behave exactly the same whether they were a Samba user or were logged on locally. ...

After a year I think I understand well enough to answer my own question (of course I may be wrong anyway:-):

The overdefined term ACL may refer to _either_ Windows file permissions (including the NT variant) _or_ the Linux/Posix file permissions extension. In the Samba context questions about ACLs can be indeterminate and often elicit answers from the other point of view.

At root, Samba does everything in terms of the Windows ACL, then maps the result as best it can to *nix permissions. Samba offers a number of configuration options for tweaking the way it handles Windows ACLs, including some methods that have no exact analogue in the Windows world. Samba lets you mash --within limits-- the *nix permission bits it calculates. Recent versions of Samba are pretty good --again within limits-- at being compatible with Linux/Posix ACLs and assigning a Linux/Posix ACL to every file and folder when it's created.

But despite all the possible tweaks, the unchanging core is that Samba always calculates the initial *nix permissions according to its mapping of permissions from the Windows world. So even though most of a Linux/Posix ACL may be retained and even honored, Samba ignores the default:user::xxx and default:group::xxx parts of a Linux/Posix ACL. There's no way to configure Samba so it assigns permissions to new files and folders _exactly_ the same way a native Linux user would see them.

thanks! -Chuck Kollars
[Samba] net rpc password?
When I try to execute `net rpc group` it asks Password:, then no matter what I enter it's always wrong. (I suspect this means I skipped a whole section of installation I shouldn't have.)

So far I haven't found an answer in the HOWTO; I must be looking in the wrong spot. Where _should_ I start looking?

thanks!
[Samba] POSIX ACLs (not Windows)
I'm going crazy trying to deal with file and directory perms set by Samba's attempt to echo Windows ACLs. I log in directly to my Linux box and tweak ACLs until they work exactly like I wish them to. But when I then access those files through Samba, I get _different_results_, apparently because Samba is trying awfully hard to emulate Windows.

How can I tell Samba when handling perms to forget Windows compatibility, just do what native POSIX would do?

thanks!

(Windows is too weird for me. We only have Windows workstations because the school administration says we have to, and we don't use their file permissions at all [We couldn't even if we wanted to because we don't bother to run `newsid` after imaging, so lots of our machines have the same SID]. I'm very glad my Windows ACLs via Samba are somehow broken, and I intend to keep it that way.)
[Samba] drop off domain?
I recently upgraded a very old system to Samba 3 with an LDAP back end. Almost everything is hunky-dory. However I'm experiencing a weird problem with the Windows XP machines that are domain members.

When I join those machines to my upgraded domain everything seems fine. But when I go back and try them again a day later, sometimes I find they've lost their domain membership. (I've assumed there's some interference from some other operation going on at the same time in another part of the building, but I can't figure out exactly what. That means a] I don't know how to avoid the problem and b] I have no confidence it won't happen AGAIN another day later.)

Has anybody else experienced anything similar?
[Samba] Samba ACLs?
How exactly do Samba 3.x and ACLs interrelate?

With the mount parameter I've turned on ACLs on the whole filesystem that Samba has various pointers into (including all the home directories and the netlogon). I started out naively assuming that the *nix uidNumber/gidNumber Samba mapped the end user to would behave exactly the same whether they were a Samba user or were logged on locally.

But my experience is a file created through Samba and a file created locally by `touch` do _not_ necessarily have the exact same permissions/ACLs. Most likely there's some pattern to what permissions/ACLs are actually created by Samba; but I haven't succeeded in figuring it out.

What's the recipe for figuring out exactly what permissions/ACLs a file created through Samba will actually be given?

thanks!
[Samba] Re: administrator privileges
(To minimize confusion, it's probably best to use the same names [Domain Admins, Domain Users, Domain Guests] and numbers [512, 513, 514] on the *nix side.) (If your version of Samba-LDAP can't handle embedded white space, you'll need to change these names to DomainAdmins, DomainUsers, and DomainGuests.) If these three entries don't exist, Windows can get quite unhappy; there might even be warnings about this in the Samba logs.

(Note _many_ instructions incorrectly give the Windows group numbers 0x200, 0x201, and 0x202 as 200, 201, and 202. Don't be suckered even though this error has become _very_ widespread. Remember, 0x200=512!=200.)

Folks who use the smbldap-tools to help them migrate have all this set up already (whether they realize it or not). `smbldap-populate` sets up all the needed Windows-related infrastructure items in the LDAP database. So all the folks who use the smbldap-tools never see this problem.

Folks who create a brand new LDAP database via roll your own though can easily forget these entries. It will initially appear that everything works okay, but later the symptoms of not being able to join workstations to the domain, many `net ...` commands not working right, and error messages about administrator privileges will arise.

If you're not quite sure which entries need to be made, here's an LDAP dump of the relevant entries from a working system. On this system user Manager is the superuser used to join workstations to the domain (as well as the LDAP access bootstrap). The domain SID in this example was S-1-5-21-4049341300-984804467-2912306435.

    dn: cn=Manager,dc=ipswichschools,dc=org
    cn: Manager
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    objectClass: sambaSamAccount
    objectClass: posixAccount
    objectClass: shadowAccount
    userPassword:: e01ENX0xbEVka1dSNUQzcFhOL0dYaW1CR2V3PT0=
    description: Network and LDAP administrator
    sambaSID: S-1-5-21-4049341300-984804467-2912306435-500
    uid: Manager
    sambaPrimaryGroupSID: S-1-5-21-4049341300-984804467-2912306435-512
    gidNumber: 513
    homeDirectory: /sambahome/it/Manager
    uidNumber: 0
    sambaHomePath: \\CONE-SVR1\Manager
    sambaLMPassword: 30E885A764F8325DDA2BD47997BC678C
    sambaNTPassword: 7F00FBA67E9258530EC4D71969286CF6

    dn: ou=WindowsGroups,dc=ipswichschools,dc=org
    ou: WindowsGroups
    objectClass: top
    objectClass: organizationalUnit

    dn: cn=DomainAdmins,ou=WindowsGroups,dc=ipswichschools,dc=org
    cn: DomainAdmins
    gidNumber: 512
    objectClass: posixGroup
    objectClass: top
    objectClass: sambaGroupMapping
    sambaGroupType: 2
    sambaSID: S-1-5-21-4049341300-984804467-2912306435-512
    displayName: DomainAdmins
    description: Windows Domain Administrators

    dn: cn=DomainUsers,ou=WindowsGroups,dc=ipswichschools,dc=org
    cn: DomainUsers
    gidNumber: 513
    objectClass: posixGroup
    objectClass: top
    objectClass: sambaGroupMapping
    sambaGroupType: 2
    sambaSID: S-1-5-21-4049341300-984804467-2912306435-513
    displayName: DomainUsers
    description: Windows Domain Users

    dn: cn=DomainGuests,ou=WindowsGroups,dc=ipswichschools,dc=org
    cn: DomainGuests
    gidNumber: 514
    description: Windows Domain Guests
    objectClass: posixGroup
    objectClass: top
    objectClass: sambaGroupMapping
    sambaGroupType: 2
    sambaSID: S-1-5-21-4049341300-984804467-2912306435-514
    displayName: DomainGuests

cheers!

--
Chuck Kollars - principal
Kollars Informatics
Ipswich, Massachusetts, USA
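A check for the 0x200-versus-200 mistake the message warns about, as an added example that is not part of the original post: it reads the group entries as LDIF and compares the last component of each domain group's sambaSID with 512, 513 or 514. The sample entries and their domain SID are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Reads LDIF on stdin, for instance
# the group entries dumped with ldapsearch or slapcat, and checks the final
# component (the RID) of each domain group's sambaSID. Assumes the cn and
# sambaSID lines are not folded, which holds for values this short.

# check_domain_group_rids
# Prints one line per group whose RID is not the well-known value and returns 1
# if any were found. Group names match with or without embedded white space.
check_domain_group_rids() {
    awk '
        function report(   rid, key) {
            key = tolower(cn); gsub(/ /, "", key)
            if (sid != "" && (key in expect)) {
                rid = sid; sub(/.*-/, "", rid)
                if (rid != expect[key] "") {
                    printf "%s: RID %s, expected %d", cn, rid, expect[key]
                    # 0x200..0x202 copied as if they were decimal
                    if (rid == sprintf("%x", expect[key]))
                        printf " (0x%s taken as decimal)", rid
                    printf "\n"
                    bad = 1
                }
            }
            cn = sid = ""
        }
        BEGIN {
            expect["domainadmins"] = 512
            expect["domainusers"]  = 513
            expect["domainguests"] = 514
        }
        /^$/                       { report(); next }
        tolower($1) == "cn:"       { cn = $0; sub(/^[^:]*: */, "", cn) }
        tolower($1) == "sambasid:" { sid = $2 }
        END { report(); exit bad + 0 }
    '
}

# Constructed sample: two groups carry the hex digits as a decimal RID.
sample_wrong_rids() {
    cat <<'EOF'
dn: cn=Domain Admins,ou=Groups,dc=example,dc=org
objectClass: sambaGroupMapping
cn: Domain Admins
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-200

dn: cn=DomainUsers,ou=Groups,dc=example,dc=org
objectClass: sambaGroupMapping
cn: DomainUsers
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-513

dn: cn=DomainGuests,ou=Groups,dc=example,dc=org
objectClass: sambaGroupMapping
cn: DomainGuests
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-202
EOF
}

# Constructed sample: the same groups with the well-known RIDs.
sample_correct_rids() {
    sample_wrong_rids | sed -e 's/-200$/-512/' -e 's/-202$/-514/'
}
```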
Re: [Samba] become_domain_master_query_fail
Here's my wild guess:

I suspect the key to solving your problem will be identifying what changed. If it's really true that it worked for two years and that no software was reconfigured, then the prime suspect is hardware.

I think one way to produce these log messages is if the Network Interface Card on the Primary Domain Controller went bust. Can you control that machine directly and check out its network connectivity (NIC diagnostics, `ping`, web browse, etc.)?

Or what about the network thingy (probably a hub) that it plugs into. Do other devices wired to the same box still work right? Is there evidence the whole box has become isolated from the main network (probably by a cable jiggled loose)?

good luck!

Hi all,

Everything was working fine with my samba server, until two days ago, when the clients started to say domain is not available when we tried to login. Looking at nmbd.log I found some errors but have no idea how to fix them...It has worked perfectly for almost two years... Does anyone have an idea?

Thanks, Loc Etienne

Logfile:

    [2006/04/27 09:02:26, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(396)
      * Samba name server AGEPOLY is now a local master browser for workgroup AGEPOLY on subnet 128.178.29.62 *
    [2006/04/27 09:02:47, 0] nmbd/nmbd_browsesync.c:find_domain_master_name_query_fail(353)
      find_domain_master_name_query_fail: Unable to find the Domain Master Browser name AGEPOLY1b for the workgroup AGEPOLY. Unable to sync browse lists in this workgroup.
    [2006/04/27 09:07:16, 0] nmbd/nmbd_become_dmb.c:become_domain_master_browser_wins(327)
      become_domain_master_browser_wins: Attempting to become domain master browser on workgroup AGEPOLY, subnet UNICAST_SUBNET.
    [2006/04/27 09:07:16, 0]

--
Chuck Kollars - principal
Kollars Informatics
http://www.theatlantic.com/doc/print/200512/iraq-withdrawal
PO Box 776
Ipswich MA 01938-0776
+1-978-412-0017 (voiceFAX)
[Samba] Where SIDs In Old Old Samba?
I'm migrating from a very very old Samba (Cobalt Qube Network Appliance, seemingly some 2.1... Samba version). I've got over a hundred Windows XP clients that have joined the existing domain. I want to migrate all those memberships to the new Samba so I don't have to visit every one of those client machines individually.

I think I know how ...except I haven't been able to find the SIDs of those machine domain members. I have the name (with trailing $), the uidNumber, and two passwords ...but no SID.

This old Samba is so very old that `net idmap dump` just says command not found; apparently there wasn't even a `net ...` command in Samba back then.

Can somebody remember what file the SIDs might be in? (I can probably get them out even if it's a binary file or is base64 encoded. But I need to know THE FILE NAME.) So if you have a dim memory of what file the SIDs were stored in way back then, please let me know.

tia!
[Samba] ? BDC LDAP
Can I set up a *second* server as a BDC yet still have all my file-share requests routed to the *first* server? In other words can I have *two* domain controllers but only *one* file share? If I can, what's the rough sketch of the configuration I want?

My short-term goal is to not have any Microsoft software in the back room so as to avoid paying the Gates tax. (My long-term goal is in a few years to not have any Microsoft software on the clients either for the same reason.)

(Or maybe I'm not asking the right specific question, missing the forest for the trees. If you'd like to back up and view the whole picture and offer some meta-advice, here's my situation: I'm hosting home directories for each of ~800 students and teachers. [A flash/thumb drive for every user would cost a whole lot more than a couple servers in the back room.] I currently use domain login only to a] allow a startup script to map the home directory to a drive and b] validate credentials right away so it doesn't need to be done at file save time. Currently I do all this with only *one* Samba server acting as both a file share and a PDC; it works tolerably well, but seems overly risky.)

--
Chuck Kollars - principal
Kollars Informatics