Re: [Samba] Make CIFS look like NFS
Edward Ned Harvey wrote:
> > I'm trying to run an IMAP mail server (Dovecot) in a virtual machine. However, I do not want the messages stored within the virtual disk. So - the question was how the virtual machine could access those files. Dovecot has been setup and tested with NFS. However, when I asked
>
> The best answer to this question is exactly what you're doing - testing it will give you results probably more convincing than anything anyone could say to you.
>
> That being said ... NFS is a more native network filesystem for unix machines, so it really only makes sense to use samba if you have some compelling reason not to use NFS. Do you have some reason NFS would be bad in this case?

I had tried NFS previously - and didn't enjoy it. I had numerous lockups. Samba appeared to provide a much more fault-tolerant environment. I will admit it's possible there were physical connectivity issues that have since been corrected.

> There are many differences between samba and nfs, however, there are only two that I think are likely to be true roadblocks for you.
>
> File permissions ... In samba you can configure the umask to be whatever you like, but you can't do it on a file-by-file basis. So you're missing granularity there if you need it.
>
> And in samba, certain characters (most notably the ':' colon character) are not valid.

For Maildir support, the colon character is a necessity (at least under Dovecot). It'd be neat if Samba had an option to allow non-Windows legal characters in filenames. However, Dovecot has another format (dbox) that uses standard characters, so that gets around the filename issue.

> There may be some difference in the way file locking is handled. This would only matter if you had more than one system accessing the same files at the same time - but I don't think that's the case for you, huh. Because it's an imap server, and you're not going to run two separate imap servers on the same directory.
>
> The issue you mentioned with missing tmp files ... sounds bogus to me. I can't think of any way samba could cause that, unless it's just a side-effect of one of the aforementioned possible roadblocks.

What I saw happening was temp files would be created, but not deleted - and they had what looked like Samba-specific names (I haven't tried this in a month, sorry I'm not more specific). The files could not be deleted unless I broke the connection. I'm assuming that Dovecot was trying some kind of file-locking request that works on local or NFS files - but seems to break horribly under CIFS.

That's really what I'm asking about I guess - what difference is there in how CIFS implements various filelock and fsync options compared with NFS (and there must be something, otherwise I wouldn't have had the problems).

-- Daniel

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

Re: [Samba] Make CIFS look like NFS
Michal Dobroczynski wrote:
> Hi Daniel,
>
> Can you specify what NFS features are important to you in such case? (in other words please define look like NFS)
>
> Regards,
> Michal

Oh - you want me to be specific? What fun would that be? ;-)

Ok, specifics... I'm trying to run an IMAP mail server (Dovecot) in a virtual machine. However, I do not want the messages stored within the virtual disk. So - the question was how the virtual machine could access those files. Dovecot has been setup and tested with NFS. However, when I asked about compatibility with CIFS, I was told it would probably not work. Testing on my own showed that in fact that this resulted in problems - it appeared temp files would be created and never deleted. I tried a few different smb.conf mount parameters that SEEMED appropriate - but wasn't able to get it to work.

So... I guess my specific question would be how can I setup CIFS so Dovecot will work with it as happily as it does with NFS?

-- Daniel

[Samba] Make CIFS look like NFS
Is it possible to make CIFS look like NFS via some configuration/mount options? What I mean is, from a client point of view, will the mounted share behave EXACTLY like NFS will?

-- Daniel

[Samba] Postscript parameter
I've seen some references to a postscript setting in smb.conf, but the current version doesn't recognize it. Has this been replaced?

-- Daniel

[Samba] Fsync directories
Does Samba/smbfs/cifs support fsync'ing of directories? Are there particular smb.conf settings to adjust for this?

-- Daniel

Re: [Samba] File permissions
John H Terpstra wrote:
> On Sunday 18 January 2009 18:38:25 Daniel L. Miller wrote:
> > Is it possible to define file rights, such that -
> >
> > The file is owned by root, with full privileges on the Linux server.
> > The file is shared by a group users.
> > The shared file should be available for read and write access.
> >
> > That part's easy - but now
> >
> > Deny delete, overwrite, or rename access to this file.
> >
> > Is this possible?
> > -- Daniel
>
> Please explain how a user can have write access to a file but not overwrite access? The ability to write implies the ability to change the name as well as the contents of a file.
>
> Can you provide a clear description of what you really wish to achieve?
>
> - John T.

Oh - you want me to tell you what I want to do, so you can tell me the right way how - instead of helping with the wrong way to do it? Geez...

Ok, since you insist. I'm trying to accommodate Quickbooks (Enterprise Edition). Users need to be able to open the file for read write access or Quickbooks complains. However, I don't want the clients to be able to destroy the file (outside of Quickbooks). So I need to allow read/write via Samba - but I want to protect the file as much as possible.

I have the UNIX file owned by root (which the QB SQL server runs as). The UNIX group ownership is the windows users. Setting the UNIX group privileges to read only results in QB errors. So I don't see how to protect it just using UNIX privileges - so I thought perhaps there was a way via Samba. I (mis)remember some Windoze ACL's might allow for this type of special access control.

If Quickbooks used a real SQL interface, then it wouldn't be a problem. But...it doesn't.

-- Daniel

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba

[Samba] File permissions
Is it possible to define file rights, such that -

The file is owned by root, with full privileges on the Linux server.
The file is shared by a group users.
The shared file should be available for read and write access.

That part's easy - but now

Deny delete, overwrite, or rename access to this file.

Is this possible?

-- Daniel

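Added example, not part of any message in this thread: a Python sketch of the classic POSIX mode-bit rules behind the question above. Writing a file's contents is governed by the file's own mode, while deleting or renaming it is governed by the containing directory (write bit plus sticky bit). The file name, directory modes and the evaluated uid are constructed; the temp-file owner stands in for root, ACLs and capabilities are not modelled, and it assumes smbd accesses the file as the mapped Unix user.

```python
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Rights:
    modify_contents: bool    # open the existing file for writing
    delete_or_rename: bool   # unlink() or rename() its directory entry


def _class_bits(st, uid, gids):
    """rwx bits (0-7) of the single permission class that applies to uid."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def rights_for(path, uid, gids):
    """Evaluate mode bits of `path` and its directory for a given uid/gid set."""
    fst = os.stat(path)
    dst = os.stat(os.path.dirname(os.path.abspath(path)))
    if uid == 0:
        return Rights(True, True)
    dir_bits = _class_bits(dst, uid, gids)
    can_search = bool(dir_bits & 1)                      # x on the directory
    modify = can_search and bool(_class_bits(fst, uid, gids) & 2)
    dir_wx = (dir_bits & 3) == 3                         # w and x on the directory
    # Sticky directory: only the file owner or directory owner may remove entries.
    sticky_blocks = bool(dst.st_mode & stat.S_ISVTX) and uid not in (
        fst.st_uid, dst.st_uid)
    return Rights(modify, dir_wx and not sticky_blocks)


def demo():
    """Compare three directory modes for a group member who is not the owner."""
    results = {}
    with tempfile.TemporaryDirectory() as top:
        share = os.path.join(top, "share")
        os.mkdir(share)
        data = os.path.join(share, "company.qbw")        # constructed file name
        open(data, "w").close()
        os.chmod(data, 0o664)                            # owner rw, group rw
        fst = os.stat(data)
        member_uid = fst.st_uid + 1000                   # constructed: not owner, not 0
        member_gids = {fst.st_gid, os.stat(share).st_gid}
        for label, mode in (("dir 0770", 0o0770),
                            ("dir 1770 (sticky)", 0o1770),
                            ("dir 0750", 0o0750)):
            os.chmod(share, mode)
            results[label] = rights_for(data, member_uid, member_gids)
        os.chmod(share, 0o700)                           # restore for cleanup
    return results


if __name__ == "__main__":
    for label, rights in demo().items():
        print(f"{label:20} {rights}")
```

With the sticky directory the group can still create new files next to the protected one; with mode 0750 it cannot. Overwriting the contents in place cannot be separated from write access in either layout.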
Re: [Samba] Problems with accessing samba printer from Windows
In your global section, add something like:

idmap uid=1-2
idmap gid=1-2

bill purvis wrote:
> Hi,
> I recently migrated from Mandrake/Mandriva to Ubuntu (8.04) on the machine with the printer attached. When I set up samba originally my understanding of it was very limited. It's probably even more limited now (brain cells dying off! :-) ). However, at least it did what I wanted - gave access to the printer and a scratch disk area for the Windows machines.
>
> When I migrated to Ubuntu, I copied the bits I thought relevant into the distributed smb.conf and started it up. I didn't get around to testing the Windows access until today. When I tried to print or open the scratch area on Windows it fails to make the connection. I tried deleting the printer entry and re-creating it with 'add printer' but that failed also.
>
> I've checked the various log files on the server and found lines like:
>
> idmap uid range missing or invalid
> idmap will be unable to map foreign SIDs
> [2008/11/14 16:52:34, 0] nsswitch/idmap.c:idmap_alloc_init(750)
>   ERROR: Initialization failed for alloc backend, deferred!
>
> that was in the log.winbindd-idmap file. Nothing else notable.
>
> I'm attaching a copy of the essential bits of the smb.conf file as listed by testparm. I'd be grateful if someone who knows more about samba can advise me what to try next.
>
> Many thanks,
> Bill
>
> --smb.conf--
> [global]
>     server string = Samba Server %v
>     map to guest = Bad User
>     log file = /var/log/samba/log.%m
>     max log size = 50
>     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>     dns proxy = No
>     hosts allow = 192.168.1., 192.168.2., 127.
>
> [homes]
>     comment = Home Directories
>     read only = No
>     browseable = No
>
> [printers]
>     comment = All Printers
>     path = /var/spool/samba
>     create mask = 0700
>     guest ok = Yes
>     printable = Yes
>     browseable = No
>
> [print$]
>     path = /var/lib/samba/printers
>     write list = @adm, root
>     inherit permissions = Yes
>     guest ok = Yes
>
> [pdf-gen]
>     comment = PDF Generator (only valid users)
>     path = /var/tmp
>     printable = Yes
>     printing = bsd
>     print command = /usr/share/samba/scripts/print-pdf %s %H //%L/%u %m %I %J
>     lpq command = /bin/true
>     lprm command = lprm -P'%p' %j
>
> [backups]
>     comment = Backup Disk 1
>     path = /back1
>     read only = No
>     guest ok = Yes
> --

--
Daniel L. Miller, VP - Engineering, SET AM Fire Electronic Services, Inc. [AMFES] [EMAIL PROTECTED] 702-312-5276

Re: [Samba] Access Denied to Printers / Same thing here
Peter Van den Wildenbergh wrote:
> Daniel L. Miller wrote:
> > Hi! Trying to trace down a problem with printer sharing. I don't see anything glaringly obvious with my smb.conf. I am using LDAP and CUPS. Using a Windoze client, accessing a printer I receive the friendly Access denied, unable to connect. Checking the Samba logs, I find:
> >
> > [2008/11/07 18:26:08, 0] param/loadparm.c:process_usershare_file(8268)
> >   process_usershare_file: share name ::{2227a280-3aea-1069-a2de-08002b30309d} contains invalid characters (any of %*?|/\+=;:,)
> > [2008/11/07 18:26:08, 0] param/loadparm.c:process_usershare_file(8268)
> >   process_usershare_file: share name ::{2227a280-3aea-1069-a2de-08002b30309d} contains invalid characters (any of %*?|/\+=;:,)
> > [2008/11/07 18:26:08, 0] smbd/service.c:make_connection(1362)
> >   daniel (192.168.0.60) couldn't find service ::{2227a280-3aea-1069-a2de-08002b30309d}
> >
> > I don't HAVE any shares with invalid characters - that I'm aware of. Is it possible there's something hiding in a corrupted tdb file? I've tried deleting ntprinters.tdb without improvement.

Is the case of the filenames in /usr/share/cups/drivers and /var/lib/samba/printers significant?

-- Daniel

[Samba] Access Denied to Printers
Hi! Trying to trace down a problem with printer sharing. I don't see anything glaringly obvious with my smb.conf. I am using LDAP and CUPS. Using a Windoze client, accessing a printer I receive the friendly Access denied, unable to connect. Checking the Samba logs, I find:

[2008/11/07 18:26:08, 0] param/loadparm.c:process_usershare_file(8268)
  process_usershare_file: share name ::{2227a280-3aea-1069-a2de-08002b30309d} contains invalid characters (any of %*?|/\+=;:,)
[2008/11/07 18:26:08, 0] param/loadparm.c:process_usershare_file(8268)
  process_usershare_file: share name ::{2227a280-3aea-1069-a2de-08002b30309d} contains invalid characters (any of %*?|/\+=;:,)
[2008/11/07 18:26:08, 0] smbd/service.c:make_connection(1362)
  daniel (192.168.0.60) couldn't find service ::{2227a280-3aea-1069-a2de-08002b30309d}

I don't HAVE any shares with invalid characters - that I'm aware of. Is it possible there's something hiding in a corrupted tdb file? I've tried deleting ntprinters.tdb without improvement.

-- Daniel

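Added example, not part of the original post: a Python triage pass over the log excerpt above that groups the messages by the service name the client asked for, lists which of the rejected characters the name contains, and flags names of the `::{GUID}` form, which is how Windows refers to shell-namespace folders (this GUID is the Printers folder) rather than to a share defined on the server. The first three records are the lines quoted in the post; the last record is constructed for contrast.

```python
import re
from collections import OrderedDict

# Character set quoted in the log message on this page.
INVALID_SHARE_CHARS = set("%*?|/\\+=;:,")

HEADER = re.compile(
    r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s+(\S+)\((\d+)\)\s*$")
NAME = re.compile(r"(?:share name|couldn't find service) (\S+)")
CLIENT = re.compile(r"^(\S+) \((\d{1,3}(?:\.\d{1,3}){3})\) couldn't find service")
SHELL_OBJECT = re.compile(
    r"^::\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")

SAMPLE_LOG = """\
[2008/11/07 18:26:08, 0] param/loadparm.c:process_usershare_file(8268)
  process_usershare_file: share name ::{2227a280-3aea-1069-a2de-08002b30309d} contains invalid characters (any of %*?|/\\+=;:,)
[2008/11/07 18:26:08, 0] param/loadparm.c:process_usershare_file(8268)
  process_usershare_file: share name ::{2227a280-3aea-1069-a2de-08002b30309d} contains invalid characters (any of %*?|/\\+=;:,)
[2008/11/07 18:26:08, 0] smbd/service.c:make_connection(1362)
  daniel (192.168.0.60) couldn't find service ::{2227a280-3aea-1069-a2de-08002b30309d}
[2008/11/07 18:30:00, 0] param/loadparm.c:process_usershare_file(8268)
  process_usershare_file: share name sales,2008 contains invalid characters (any of %*?|/\\+=;:,)
"""  # last record is constructed, not from the post


def parse_records(text):
    """Yield (timestamp, level, source, message) for each header+body record."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1), int(m.group(2)), m.group(3), ""]
        elif current is not None and line.strip():
            current[3] = (current[3] + " " + line.strip()).strip()
    if current:
        yield tuple(current)


def summarize(text):
    """Group records by requested service name and classify each name."""
    out = OrderedDict()
    for _ts, _level, source, message in parse_records(text):
        m = NAME.search(message)
        if not m:
            continue
        name = m.group(1)
        entry = out.setdefault(name, {
            "count": 0,
            "sources": [],
            "clients": [],
            "invalid_chars": sorted(set(name) & INVALID_SHARE_CHARS),
            "shell_object": bool(SHELL_OBJECT.match(name)),
        })
        entry["count"] += 1
        if source not in entry["sources"]:
            entry["sources"].append(source)
        c = CLIENT.match(message)
        if c and c.groups() not in entry["clients"]:
            entry["clients"].append(c.groups())
    return out


if __name__ == "__main__":
    for name, info in summarize(SAMPLE_LOG).items():
        print(name, info)
```
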
Re: [Samba] [ANNOUNCE] Samba 3.2.2 Available for Download
Since all I saw were bugfixes, no feature changes - do we need to *gently* press the Debian team to use 3.2.2, instead of 3.2.1?

-- Daniel

Re: [Samba] Configuring Samba with NIS
Harvey, Edward wrote:
> Hey all. I have a bunch of linux servers, all using NIS to maintain username/password/UID/GID information. I'm trying to make the filesystems browsable from Windows XP, while maintaining correct UID/GID info. It seems this would be really simple, just let the user login to \\linuxmachine with his/her linux username password, and everything they do happens as them. As you know - no such thing. :-(
>
> I'm using RHEL 4u4 x86_64, samba 3.0.10-1.4E.9, swat 3.0.10-1.4E.9
>
> In swat, it seems to indicate available auth methods are guest sam winbind and some deprecated stuff I shouldn't use. I guess there is no auth method to use the local passwd/shadow files, or NIS database? Also, I guess there is no idmap backend to simply map UID/GID based on username?
>
> * I cannot use the essentially randomly generated UID/GID scheme.
> * I will have a very difficult time to use winbind (I don't have windows domain admin access, and those who do are difficult to convince they should type the domain admin pass on some prompt when they don't understand the prompt.)
> * I prefer not to use a cronjob on every machine to regenerate the smbpasswd all the time. Also, by looking around, it doesn't appear this is possible anyway.
>
> Is there any graceful solution here? I don't see the need for *yet* another password database...
>
> Thanks for any suggestions... I have been googling and browsing fanatically

Probably not the answer you want - but have you considered migrating your NIS solution to LDAP? I say this because after being frustrated with my own (small) NIS implementation, moving to LDAP solved a number of problems for me. Whether it solved more than it created

-- Daniel

Re: [Samba] Samba 3.2.0 in Debian lenny
Christian Perrier wrote:
> Quoting Ryan Novosielski ([EMAIL PROTECTED]):
> > Seems to me they should have been a lot more reluctant to freeze on a point zero release rather than reluctant at this point. I would be willing to bet that there are a lot of serious problems that would appear with any first release.
>
> Debian is a collection of thousands of software. We can't wait for each of them to release their point releases. So, indeed, the freeze has to happen at some time and that time may be unfortunate for some of the software that are part of the distribution. FWIW, the very same deal had to happen with KDE.
>
> > I know Debian tends to backport patches, but it would seem like this would be a bit of a pain to start from this point.
>
> Only security patches. I agree that it would be unfortunate to have lenny stuck with 3.2.0 while we all know there will be a few point releases for Samba.
>
> That, indeed, is one of the reasons for which we should continue the effort started a few months ago to bring back some .deb packages on samba.org and have these packages to be as close as possible of packages provided in Debian (and Ubuntu) itself so that users can choose to either stick with what's provided with their distro and to follow bleeding edge versions.

I'm probably wrong (I usually am) - but my understanding is if there is a problem with a released package, and the distro team doesn't want to upgrade to a new upstream version, the responsibility for repairing those problems lies with the packagers. Based on the release notes I just saw on 3.2.1 - all I saw were bugfixes, not feature additions. That should be reason enough to pull it in to Lenny.

-- Daniel

Re: [Samba] Samba 3.2.0 in Debian lenny
Jason A. Nunnelley wrote:
> > I'm probably wrong (I usually am) - but my understanding is if there is a problem with a released package, and the distro team doesn't want to upgrade to a new upstream version, the responsibility for repairing those problems lies with the packagers. Based on the release notes I just saw on 3.2.1 - all I saw were bugfixes, not feature additions. That should be reason enough to pull it in to Lenny.
>
> Are we talking about what makes it into the next release of the OS distro, or what makes it into the apt-get repository?

I'm not understanding the distinction - unless you're referring to non-official apt sources. For me, as someone who knows enough to get into REAL trouble...I love packages and avoid source-based installs whenever possible.

From the standpoint of wanting Debian to continue to be a trusted, stable platform - if the Samba team says 3.2.1 is a very important fix to 3.2.0, I'd hope the Debian team approves it. If 3.2.0 is buggy - it will result in users blaming Debian when their long-running Samba servers start having issues. It would be one thing if a really cool feature was left out - and now implemented. It's something else when there are known problems - and a fix is now available that adds no functionality (it doesn't, right?).

From the standpoint of a *slightly* more educated user, if there's an unofficial repository I can reach out to for an updated version, and it's compatible with the distro's outdated version - that gets me functional.

-- Daniel

Re: [Samba] Setting up PDC w/ LDAP
John H Terpstra wrote:
> On Tuesday 27 May 2008 05:45:24 pm Daniel L. Miller wrote:
> > OK, payment in advance: :-) :-) :-)
> > Wait a minute, let me change currencies
>
> Awe .. forget it! ;-)

I'm assuming my last payment still has me covered - if you need more retainer please let me know.

> > Almost there. Really Do I NEED those builtin groups for anything? Do I WANT those builtin groups for anything (besides avoiding those nuisance error messages in my samba logs)?
>
> You do not need them specifically. They can be useful, but they are certainly not essential.

I'm still coming up with a good question to ask on this part

> > > First: Do NOT use a domain name that has a '.' in it. That has unexpected name resolution consequences. A Samba smb.conf workgroup= parameter should not have a dot in it.
> >
> > Ok...now that I've setup everything (again, for the nth time), do I need to reconfigure the server and every client? Or just rename it on the server and the change will automagically propagate?
>
> It is safer to re-add your clients to the domain. Even though it is the domain SID that really matters. If it changes you can reset it to the original value, there are some operations that are tied to the domain name, so it is best to readd the clients to the domain.

Is there a better (read: more efficient, automated, less labor-intensive, more fun, whatever) method to re-add than manually visiting each workstation (either physically or via RDC of some sort), leaving the old domain, and then joining the new one?

-- Daniel

[Samba] Setting up PDC w/ LDAP
I've almost got it. I swear I've almost got it (and I've been doing a lot of swearing lately).

I re-built my PDC, starting from scratch. I'm not using the editposix extensions anymore - I'm using the smbldap tools as shown (I think) in the Samba by Example.

I really really thought I did everything right. Obviously I was wrong.

What works - all my workstations and logins. Add/create users, join workstations to domain. Just about everything. The last little item - winbind.

I suppose I need to give some vitals:
Samba 3.0.28a.
Samba PDC - no Windows servers, no BDC's, no member servers.
Linux and Windows XP workstations.
OpenLDAP backend with combined Unix and Windows users (using LDAP-Account Manager).

First question: under this configuration, do I need winbind at all?

If the answer is yes, second question:

wbinfo -t yields
checking the trust secret via RPC calls succeeded

wbinfo -u yields
Error looking up domain users

The logfile log.wb-AMFESLAN.LOCAL has
[2008/05/27 12:17:40, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from remote machine BUBBA pipe \lsarpc fnum 0x7169!

logfile log.winbindd-idmap has
[2008/05/27 12:17:40, 1] nsswitch/idmap.c:idmap_init(377)
  Initializing idmap domains
[2008/05/27 12:17:40, 0] nsswitch/idmap.c:idmap_init(388)
  idmap_init: Ignoring domain AMFESLAN.LOCAL

I should also mention that I can't add the built-in or local groups using net.

partial output of testparm:

Processing section [printers]
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
    workgroup = AMFESLAN.LOCAL
    realm = AMFESLAN.LOCAL
    server string = %h server (Samba, Ubuntu)
    map to guest = Bad User
    obey pam restrictions = Yes
    passdb backend = ldapsam:ldap://localhost
    pam password change = Yes
    passwd program = /usr/sbin/smbldap-passwd -u %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *all*authentication*tokens*updated*
    username map = /etc/samba/smbusers
    unix password sync = Yes
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    time server = Yes
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=20480 SO_SNDBUF=20480
    add user script = /usr/sbin/smbldap-useradd -m %u
    delete user script = /usr/sbin/smbldap-userdel %u
    add group script = /usr/sbin/smbldap-groupadd -p %g
    delete group script = /usr/sbin/smbldap-groupdel %g
    add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
    delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
    set primary group script = /usr/sbin/smbldap-usermod -g %g %u
    add machine script = /usr/sbin/smbldap-useradd -w %u
    logon script = logon.cmd
    logon path = \\%L\profiles\%U\%a
    logon drive = U:
    logon home =
    domain logons = Yes
    os level = 64
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    ldap admin dn = cn=admin,dc=amfeslan,dc=local
    ldap delete dn = Yes
    ldap group suffix = ou=groups
    ldap idmap suffix = ou=idmap
    ldap machine suffix = ou=machines,ou=users
    ldap passwd sync = Yes
    ldap suffix = dc=amfeslan,dc=local
    ldap ssl = no
    ldap user suffix = ou=users
    panic action = /usr/share/samba/panic-action %d
    idmap backend = ldap:ldap://127.0.0.1
    idmap uid = 1-2
    idmap gid = 1-2
    winbind enum users = Yes
    winbind enum groups = Yes
    ea support = Yes
    profile acls = Yes
    veto oplock files = /*.QBW/*.qbw/*.MDB/*.mdb/
    dos filemode = Yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    create mask = 0700
    guest ok = Yes
    printable = Yes
    browseable = No

-- Daniel

Re: [Samba] Setting up PDC w/ LDAP
John H Terpstra wrote:
> On Tuesday 27 May 2008 02:22:15 pm Daniel L. Miller wrote:
> > I've almost got it. I swear I've almost got it (and I've been doing a lot of swearing lately).
>
> Swearing does not help much. :-)

It does too! I haven't broken a single keyboard!

> > I re-built my PDC, starting from scratch. I'm not using the editposix extensions anymore - I'm using the smbldap tools as shown (I think) in the Samba by Example.
>
> Now that is a really good guide. (Biased opinion of course!) It is a pity that this book is a little out of date. Someone really should contribute updates to it I guess.

I'd be delighted to - but at the moment it'd be the blind leading the totally clueless.

> > I really really thought I did everything right. Obviously I was wrong.
>
> Ah, you mean you have been learning to swim. A good start to using Samba.

Unfortunately I still splash far too much without making efficient forward progress. I can go sideways really good though!

> > First question: under this configuration, do I need winbind at all?
>
> That depends! You can probably get away without winbind. If you do need it, you should update the configuration since winbindd has changed since Samba 3.0.20 - the version the book was last updated for.

Something I haven't seen in print yet - so I'll ask the question. WHEN is the appropriate time to use winbind with PDC's and BDC's? If the only (intended) purpose is for member servers and joining Windows NT/2000+ domains - please say so. The 3.2 Using Samba says ...in the majority of cases |winbind| is of primary interest for use with domain member servers (DMSs) and domain member clients (DMCs). - but that's not quite the same as, In an exclusively Samba server environment, with a common LDAP backend (replicated or single), winbind offers no additional features and in fact can cause problems. Do NOT use winbind in such a configuration.

> > If the answer is yes, second question:
> > wbinfo -t yields
> > checking the trust secret via RPC calls succeeded
> > wbinfo -u yields
> > Error looking up domain users
>
> It is no longer possible to use wbinfo on the PDC itself. See Samba Bugzilla bug no. 5453.
>
> > I should also mention that I can't add the built-in or local groups using net.
>
> Correct. For that you will need the new winbind configuration syntax - you are running 3.0.28 aren't you? See man idmap_ldap, or man idmap_tdb.

Now I'm more confused. I'm reviewing those pages - and while I do see some other parameters, they say in their absence they will default to using the ones I've specified. I don't see what I'm missing. I've revised to show:

idmap domains = AMFESLAN.LOCAL
idmap alloc backend = ldap
winbind enum users = Yes
winbind enum groups = Yes
idmap alloc config:range = 1-2
idmap alloc config:ldap_url = ldap://127.0.0.1
idmap alloc config:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
idmap config AMFESLAN.LOCAL:range = 1-2
idmap config AMFESLAN.LOCAL:ldap_url = ldap://127.0.0.1
idmap config AMFESLAN.LOCAL:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
idmap config AMFESLAN.LOCAL:backend = ldap
idmap config AMFESLAN.LOCAL:default = yes

Functionality and error messages remain the same.

> I hope that helps.

Helps a lot - but I'm needy and greedy and would still appreciate more of your insight.

-- Daniel

Re: [Samba] Setting up PDC w/ LDAP
OK, payment in advance:
:-) :-) :-)

Wait a minute, let me change currencies

[three ASCII-art smiley faces]

John H Terpstra wrote:
> > Something I haven't seen in print yet - so I'll ask the question. WHEN is the appropriate time to use winbind with PDC's and BDC's?
>
> Winbind is needed when you have domain member servers, and to deal with SIDs for users of trusted foreign domains. Winbind is essential for interdomain trust handling.
>
> If all your clients are domain members, and you never get clients from trusted domains on the network, you do not need winbind. You can operate without it without loss of service, but you will not have use of BUILTIN groups (these are created and managed by winbind).

Almost there. Really Do I NEED those builtin groups for anything? Do I WANT those builtin groups for anything (besides avoiding those nuisance error messages in my samba logs)? If a couple clients are non-domain members (laptops that periodically plug-in) - but still no trusted domains involved - is there any need for winbind?

> First: Do NOT use a domain name that has a '.' in it. That has unexpected name resolution consequences. A Samba smb.conf workgroup= parameter should not have a dot in it.

Ok...now that I've setup everything (again, for the nth time), do I need to reconfigure the server and every client? Or just rename it on the server and the change will automagically propagate? And beyond updating my srv records, will this have other DNS consequences?

> > idmap domains = AMFESLAN.LOCAL
> > idmap alloc backend = ldap
> > winbind enum users = Yes
> > winbind enum groups = Yes
> > idmap alloc config:range = 1-2
> > idmap alloc config:ldap_url = ldap://127.0.0.1
> > idmap alloc config:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
> > idmap config AMFESLAN.LOCAL:range = 1-2
> > idmap config AMFESLAN.LOCAL:ldap_url = ldap://127.0.0.1
> > idmap config AMFESLAN.LOCAL:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
> > idmap config AMFESLAN.LOCAL:backend = ldap
> > idmap config AMFESLAN.LOCAL:default = yes
>
> IDMAP is used to allocate unique UID/GID's for users from a trusted domain so they can access resources in our domain. IDMAP is also used to create BUILTIN groups.

Ok...that part I get. What I don't get -
1. Is the above config (other than the domain name) correct?
2. How does this config differ from my original one - since the docs say the previous version should have worked?

-- Daniel

Re: [Samba] Samba 3 + LDAP with multiple ou's
Daniel Cristian Cruz wrote:
> I had a LDAP tree with this structure:
>
> dc=base
>   + ou=unit1
>     + ou=People
>     + ou=Groups
>     + ou=Computers
>   + ou=unit2
>     + ou=People
>     + ou=Groups
>     + ou=Computers
>   + ou=unit3
>     + ou=People
>     + ou=Groups
>     + ou=Computers
>   ...
>
> And I need people from unit1 logging on unit2, unit3, etc

What is the purpose of splitting your users/groups/computers into these units? Especially if (as you've inferred from your post) there's no difference in login privileges between units?

Daniel

Re: [Samba] Samba + LDAP - now with ldapsam extensions
John H Terpstra wrote:
> On Thursday 11 October 2007 22:57, Daniel L. Miller wrote:
> > Are the IDEALX tools necessary for complete integration with LDAP? Or is the built-in support sufficiently advanced now?
> >
> > Daniel
>
> What does complete integration with LDAP mean to you?
>
> You are not the first person to ask questions like these. It would help me to write more useful documentation if I could better understand what is behind the questions.

Do the ldapsam:trusted: and ldapsam:editposix extensions provide - (pause whilst I search for the correct word) - equivalent functionality to the IDEALX tools? Or are they solutions for different applications? For typical applications, with a PDC, mixed Unix and Windows workstations, file and print sharing - are the extensions a simpler way to achieve the - (wait, need to substitute word again) - equivalent level of LDAP integration?

-- Daniel

Re: [Samba] Samba + LDAP
John H Terpstra wrote:

On Thursday 11 October 2007 22:57, Daniel L. Miller wrote:

Are the IDEALX tools necessary for complete integration with LDAP? Or is the built-in support sufficiently advanced now?

Daniel

Daniel,

What function do you believe the IDEALX tools serve? Why do you think these scripts are needed? What makes you think that built-in support might be the right (or best) solution?

Have you read the Samba documentation? Specifically, is there anything in the Samba3-HOWTO or in Samba3-ByExample that would lead you to believe that there is any attempt to supersede the necessity for the IDEALX tools (or an alternative set of scripts that is external to Samba itself)?

What does complete integration with LDAP mean to you? You are not the first person to ask questions like these. It would help me to write more useful documentation if I could better understand what is behind the questions.

In case you do not know of the books Samba3-HOWTO and Samba3-byExample they can be obtained from:

http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
http://www.samba.org/samba/docs/Samba3-ByExample.pdf

The IDEALX tools are a means of creating and managing UNIX user and group accounts in the LDAP directory. Samba can then create and manage the Windows (SambaSAM) account information that is necessary to support Windows network activities.

As a network administrator, I want total control over how UNIX accounts are managed in my LDAP directory and I would not want this done by Samba - particularly if that removes my ability to control how this is done. Your mileage may vary, but I suspect most UNIX administrators who manage Samba would not want to lose control of the UNIX part of the directory.

For example, if Samba had total control over all Windows networking (Samba) accounts, and the Windows network administrator deletes a user account, but the user also has vital UNIX files, how should the deletion of the UNIX account information be handled?

By keeping the LDAP administration scripts that impact the UNIX account management separate from the Windows (Samba) account part, the administrator can exercise greater control over. - Just my $0.02 worth.

Cheers,
John T.

By built-in support, I am referring to the ldapsam:trusted and ldapsam:editposix extensions - documented at: http://wiki.samba.org/index.php/Ldapsam_Editposix

Because using these extensions appeared to simplify my configuration, and inferred that they were optimized, I thought this was the future of Samba+LDAP and the IDEALX scripts were a holdover from the past. Since I have had difficulty in getting this configuration to work solidly - I'm still questioning whether or not these extensions are what I should be using.

Complete integration to me means after setting the appropriate smb.conf parameters - and having a configured LDAP backend - no information is stored external to the LDAP server and standard tools for Samba account manipulation perform all needed functions without the need for manipulating the LDAP database directly. Such account manipulation should be exclusive to Samba - if the UNIX accounts are also LDAP based then obviously the UNIX accounts MAY be impacted by such Samba configuration - but it should not be a requirement for any Samba accounts to map to UNIX - unless the administrator wants that.

How to handle account deletion is a matter of individual preference - both for Samba and for UNIX. In any case, the option to either leave the user files intact, move them to a repository, or delete upon account deletion should be a simple configuration setting.

I'm still learning how all these components interconnect - I have yet to have a fully-functional Samba PDC, that has no errors/warnings in the logs, and communicates with the compatible Windows NT tools for domain manipulation. I had thought that if the IDEALX tools had been superseded by the ldapsam:trusted extensions, that was one less item I had to worry about.

Daniel
Re: [Samba] SAMBA+LDAP-How to promote Administrator with all priviliges?
Torsten wrote:

Frank Van Damme wrote:

On 10/11/07, Torsten [EMAIL PROTECTED] wrote:

Frank Van Damme wrote:

Your problem is that the account does not have uid number 0. If it has, it has a root account on your unix box and you're all set.

o.k, but uid 0 is reserved for root, isn't it? and it should be possible to have more than one account with administrative privileges.

Yes, uid 0 is for root, but you can easily have a user in ldap with uid 0 and one in /etc/passwd or similar. Try it.

o.k. I believe you (;-), but still, what if I want to promote my assistant and my housekeeper with administrative privileges? I can't give them all uid0.

Samba administrator is totally different from Linux root. While typically the Linux root user is also shown as a Samba administrator - this is not necessary and in fact can be a security consideration. Unless your configuration requires Samba users to also be Linux users, your Samba users - and administrators - have nothing to do with Linux privileges.

--
Daniel
[Samba] Samba + LDAP
Are the IDEALX tools necessary for complete integration with LDAP? Or is the built-in support sufficiently advanced now?

Daniel
Re: [Samba] Samba performance tuning
Andrew Sherlock-CF wrote:

I wonder if tshark or netstat could be useful here

I don't know the tools, which is why I was asking.

Daniel
[Samba] Samba performance tuning
Hi all! I've seen a number of posts regarding Samba performance - either comments about perceived poor performance, or recommended parameter changes. Instead of some arbitrary buffer numbers, or play with it until it works, are there any analysis tools that can give quantitative answers? Something where instead of just saying, Samba is too slow, I could say, on a quad-opteron system, with 4G RAM, and full-duplex 100BaseT network, SambaMark reports a score of 237.. Maybe that's too much of a dream - is there a particular file size/copy/read technique and associated analysis that I should try?

--
Daniel
[Samba] Winbind and LDAP
I've been having a miserable time trying to get Winbind working. All of the literature I've found seems to indicate it just works - which I'd love - but it hasn't gone that way for me. Because I'm already using LDAP, it seemed to make sense to use the LDAP support for Winbind. But Winbind continues to give errors and generally be unhappy. Besides using the current schema, and setting the idmap parameters in smb.conf - is there another magic trick to getting it to work?

--
Daniel

A spam trap for your crawler pleasure: [EMAIL PROTECTED]
[Samba] Winbind usage
With only a Samba PDC, with everything defined in LDAP, is there any requirement for Winbind?

--
Daniel
[Samba] Setting up new Samba domain (again)
Hi! I'm trying to get a Samba-based domain working properly. I'm using an LDAP backend. Right now all the users have been created, and machine accounts as well - but some things at the domain level aren't 100%. Adding new machines usually results in an error, which I get around and then have it working - but I continue to see error messages in the logs. I'm assuming it's something to do with an SID/RID situation. I also cannot run winbind.

My ldap configuration appears to be good - samba/nss/pam are all happy reading the base username/password info from my directory.

A question - user-related commands typically operate without error, but host-related commands typically return something like:

    net lookup name daniel$
    [2007/08/23 17:48:02, 0] passdb/pdb_get_set.c:pdb_get_group_sid(211)
      pdb_get_group_sid: Failed to find Unix account for daniel$

I have my users in a ou=People,dc=etc... and my hosts in a ou=machines,dc=etc... Is it a problem to have the hosts separate? Or do I need to have both the Hosts and Users visible to my nss/pam ldap searches?

net rpc user returns the list of users defined in LDAP. Other net rpc and net rap commands also seem to work fine.

net getdomainsid returns:

    SID for domain BUBBA is: S-1-5-21-3700198395-718176177-3880976514
    SID for domain AMFESLAN.LOCAL is: S-1-5-21-713085561-268141546-2762641992

There shouldn't be a BUBBA domain (that's the name of the server).

net sam list builtin returns nothing.

net usersidlist returns:

    [2007/08/23 17:44:38, 0] utils/net_rpc.c:net_usersidlist(4724)
      Could not get the user/sid list

net groupmap list returns:

    Domain Users (S-1-5-21-713085561-268141546-2762641992-513) - domusers
    Domain Admins (S-1-5-21-713085561-268141546-2762641992-512) - domadmins
    Hosts (S-1-5-21-713085561-268141546-2762641992-515) - domhosts

Winbind logfile shows:

    [2007/08/23 17:43:43, 0] libsmb/clientgen.c:cli_receive_smb(112)
      Receiving SMB: Server stopped responding

testparm shows no errors. Output follows:

    [EMAIL PROTECTED]:~# testparm
    Load smb config files from /etc/samba/smb.conf
    Processing section [printers]
    Processing section [print$]
    Processing section [netlogon]
    Processing section [profiles]
    Processing section [homes]
    Processing section [Data]
    Loaded services file OK.
    Server role: ROLE_DOMAIN_PDC
    Press enter to see a dump of your service definitions

    [global]
        workgroup = AMFESLAN.LOCAL
        realm = AMFESLAN.LOCAL
        server string = %h server (Samba, Ubuntu)
        obey pam restrictions = Yes
        passdb backend = ldapsam:ldap://localhost
        algorithmic rid base = 1000
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        time server = Yes
        socket options = TCP_NODELAY IPTOS_LOWDELAY
        add user script = /usr/sbin/smbldap-useradd -m %u
        delete user script = /usr/sbin/smbldap-userdel %u
        add group script = /usr/sbin/smbldap-groupadd -p %g
        delete group script = /usr/sbin/smbldap-groupdel %g
        add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
        delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
        set primary group script = /usr/sbin/smbldap-usermod -g %g %u
        add machine script = /usr/sbin/smbldap-useradd -w %u
        domain logons = Yes
        os level = 64
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap admin dn = cn=admin,dc=amfeslan,dc=local
        ldap group suffix = ou=group
        ldap idmap suffix = ou=People
        ldap machine suffix = ou=machines
        ldap passwd sync = Yes
        ldap suffix = dc=amfeslan,dc=local
        ldap ssl = no
        ldap user suffix = ou=People
        panic action = /usr/share/samba/panic-action %d
        idmap backend = ldap
        idmap uid = 1-2
        idmap gid = 1-2
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        recycle:keeptree = yes
        recycle:versions = yes
        printing = cups
        print command =
        lpq command = %p
        lprm command =
        veto oplock files = /*.QBW/*.qbw/*.MDB/*.mdb/
        vfs objects = recycle

    [share specific stuff]

--
Daniel
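A consistency check over the net getdomainsid and net groupmap list output quoted in the post above, as an added example (not part of the original post and not Samba's own tooling): it verifies that every mapped group SID sits under the AMFESLAN.LOCAL domain SID and reports which other names carry a different SID. The function names are hypothetical, and the group-map pattern accepts both the " - " separator as it appears on this page and the "->" that net groupmap list prints.

```python
import re

# Command output copied from the post above.
GETDOMAINSID = """\
SID for domain BUBBA is: S-1-5-21-3700198395-718176177-3880976514
SID for domain AMFESLAN.LOCAL is: S-1-5-21-713085561-268141546-2762641992
"""
GROUPMAP = """\
Domain Users (S-1-5-21-713085561-268141546-2762641992-513) - domusers
Domain Admins (S-1-5-21-713085561-268141546-2762641992-512) - domadmins
Hosts (S-1-5-21-713085561-268141546-2762641992-515) - domhosts
"""

# A domain SID is S-1-5-21 followed by three sub-authorities; the RID comes after it.
DOMAIN_SID = r"S-1-5-21(?:-\d+){3}"
SID_LINE = re.compile(rf"^SID for domain (\S+) is: ({DOMAIN_SID})$")
MAP_LINE = re.compile(rf"^(.+?) \(({DOMAIN_SID})-(\d+)\) -+>? (\S+)$")

def parse_domain_sids(text):
    """Map each name printed by `net getdomainsid` to its SID."""
    matches = (SID_LINE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def parse_groupmap(text):
    """Return (nt_group, domain_sid_prefix, rid, unix_group) tuples."""
    matches = (MAP_LINE.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2), int(m.group(3)), m.group(4))
            for m in matches if m]

def audit(sids, groups, workgroup):
    """Compare every SID seen against the SID of the configured workgroup."""
    domain_sid = sids[workgroup]
    return {
        # names whose SID differs from the workgroup's (here: the server name)
        "other_sids": sorted(n for n, s in sids.items() if s != domain_sid),
        # group mappings created under some other domain SID
        "foreign_groups": [g[0] for g in groups if g[1] != domain_sid],
        # RID -> NT group name, to eyeball 512/513/515
        "rids": {g[2]: g[0] for g in groups},
    }

if __name__ == "__main__":
    report = audit(parse_domain_sids(GETDOMAINSID),
                   parse_groupmap(GROUPMAP), "AMFESLAN.LOCAL")
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the posted output the three group mappings all fall under the AMFESLAN.LOCAL SID, and BUBBA is the only name reported with a different SID.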
[Samba] Re: Setting up new Samba domain (again)
Daniel L. Miller wrote:

Hi! I'm trying to get a Samba-based domain working properly.

The again portion is because I had another Samba server, which I know was BADLY misconfigured and I wanted to start from scratch. So I created a new server, and copied all the entries to create a clean LDAP tree.

--
Daniel L. Miller, VP - Engineering
AM Fire Electronic Services, Inc.
[EMAIL PROTECTED]