[Samba] RE: Samba with ADS

2009-06-15 Thread Edward Ned Harvey
 Environment: Sun Solaris 9 sparc
 Software: Samba-3.3.3, KRB5-1.6.3, OpenLDAP-2.4.11
 Problem:
 Am trying to create shares with Samba so that users can map to folders
 on this server using Active Directory. I am successful in creating a
 Kerberos ticket; I can join the domain; and wbinfo -u and -g give me
 users in the AD. However, getent passwd only gives me a list of users
 on the server and not in the AD. The winbindd.log file has a lot of
 these lines:
 
 [2009/06/15 10:41:59,  0] winbindd/winbindd.c:request_len_recv(616)
   request_len_recv: Invalid request size received: 2088 (expected 2096)
 [2009/06/15 10:43:29,  0] winbindd/winbindd.c:request_len_recv(616)
   request_len_recv: Invalid request size received: 2088 (expected 2096)
 [2009/06/15 10:47:54,  0] winbindd/winbindd.c:request_len_recv(616)
   request_len_recv: Invalid request size received: 2088 (expected 2096)
 [2009/06/15 10:47:54,  0] winbindd/winbindd.c:request_len_recv(616)
   request_len_recv: Invalid request size received: 2088 (expected 2096)
 [2009/06/15 10:47:54,  0] winbindd/winbindd.c:request_len_recv(616)
   request_len_recv: Invalid request size received: 2088 (expected 2096)
 
 If you have any advice and/or guidance, I would greatly appreciate it.
 Thank you!

I don't think you need to use winbind.  In all of my situations, winbind
only got in the way, and I always have more success with winbind disabled.
It's been a while since I read what winbind was for - I think it's meant to
keep track of UID/username mappings, to ensure consistency among multiple
samba servers if you have more than one.  For this purpose, I just use the
regular passwd files or NIS, both of which I think are more reliable and
simpler to manage.  

Instead of winbind, I just use net join -w DOMAIN -U administrator and use
smb.conf like this:
[global]
workgroup = DOMAIN
realm = DOMAIN.COM
server string = Samba Server
security = DOMAIN
log file = /var/samba/log/log.%m
max log size = 50
unix extensions = No
load printers = No
printcap name = /dev/null
dns proxy = No
wins server = 192.168.x.y
ldap ssl = no
create mask = 0660
security mask = 0660
directory mask = 0770
directory security mask = 0770

[share]
path = /share
read only = No

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
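Added example, not code from the post above or from the Samba project: a small parser for the winbindd.log lines quoted in the question, plus a summary of the "Invalid request size" events. winbindd compares each incoming request against its own sizeof(struct winbindd_request); when every entry reports the same received/expected pair, the requests are coming from a winbind client library (nss_winbind, pam_winbind, wbinfo) built against a different struct layout than the running daemon, which is the thing to compare before touching smb.conf. The SAMPLE_LOG is constructed from three of the quoted lines.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: three of the winbindd.log pairs quoted in the post.
SAMPLE_LOG = """\
[2009/06/15 10:41:59,  0] winbindd/winbindd.c:request_len_recv(616)
  request_len_recv: Invalid request size received: 2088 (expected 2096)
[2009/06/15 10:43:29,  0] winbindd/winbindd.c:request_len_recv(616)
  request_len_recv: Invalid request size received: 2088 (expected 2096)
[2009/06/15 10:47:54,  0] winbindd/winbindd.c:request_len_recv(616)
  request_len_recv: Invalid request size received: 2088 (expected 2096)
"""

# Samba 3 log header: [YYYY/MM/DD HH:MM:SS, level] file.c:function(line)
HEADER_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s+(\S+)\s*$"
)
SIZE_RE = re.compile(r"Invalid request size received: (\d+) \(expected (\d+)\)")


@dataclass
class LogEntry:
    when: datetime
    level: int
    where: str      # e.g. winbindd/winbindd.c:request_len_recv(616)
    message: str    # indented continuation line(s), joined with spaces


def parse_winbindd_log(text: str) -> List[LogEntry]:
    """Split a Samba 3 style log into entries: header line + indented message lines."""
    entries: List[LogEntry] = []
    current: Optional[LogEntry] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = LogEntry(
                when=datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                level=int(m.group(2)),
                where=m.group(3),
                message="",
            )
            entries.append(current)
        elif current is not None and line.startswith(" "):
            current.message = (current.message + " " + line.strip()).strip()
    return entries


def summarize_size_mismatches(entries: List[LogEntry]) -> Dict:
    """Count 'Invalid request size' events and the distinct (received, expected) pairs."""
    pairs: Counter = Counter()
    first: Optional[datetime] = None
    last: Optional[datetime] = None
    for e in entries:
        m = SIZE_RE.search(e.message)
        if not m:
            continue
        pairs[(int(m.group(1)), int(m.group(2)))] += 1
        first = e.when if first is None else min(first, e.when)
        last = e.when if last is None else max(last, e.when)
    return {
        "count": sum(pairs.values()),
        "size_pairs": dict(pairs),
        "first": first,
        "last": last,
        # One constant pair means every failing request carries the same struct
        # layout: a single mismatched client build, not random corruption.
        "single_layout": len(pairs) == 1,
    }


if __name__ == "__main__":
    print(summarize_size_mismatches(parse_winbindd_log(SAMPLE_LOG)))
```

Run it against the real file with `parse_winbindd_log(open("/var/samba/log/winbindd.log").read())` (path assumed; use whatever `log file` points at). A report with `single_layout` True and a constant 8-byte delta, as in the sample, says the nss/pam winbind libraries on the box were not built from the same Samba tree as the winbindd that is running.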


RE: [Samba] Permissions of new files on samba with other read on.

2009-06-12 Thread Edward Ned Harvey
 I have troubles of global readable bit on new file created on samba.
 I wish to have a 660 permission on new files, instead i've got 664.

 Server: Debian Lenny, kernel 2.6.26-2-xen-686, samba 2:3.2.5-4lenny2
 Client: Ubuntu Jaunty, kernel 2.6.28-11-generic, smbclient 2:3.3.2-

Going linux to linux ... You could try unix extensions = No ... or just
set the umask in your client shell environment.

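Added example, not from either post or from Samba: a minimal smb.conf reader with the checks a domain-member config from the 2009-06-15 reply would get in review, and the mode arithmetic behind the 660-versus-664 question above. smbd computes a new file's Unix mode as (requested mode AND `create mask`) OR `force create mode`, which is why `create mask = 0660` turns a 0664 request into 0660 once `unix extensions = No` stops the Linux client from supplying its own POSIX mode. SAMPLE_SMB_CONF is constructed from the config in the earlier post; the share name and the findings text are this example's own.

```python
from typing import Dict, List

# Constructed sample, copied from the smb.conf in the 2009-06-15 post.
SAMPLE_SMB_CONF = """\
[global]
workgroup = DOMAIN
realm = DOMAIN.COM
server string = Samba Server
security = DOMAIN
unix extensions = No
ldap ssl = no
create mask = 0660
security mask = 0660
directory mask = 0770
directory security mask = 0770

[share]
path = /share
read only = No
"""

Section = Dict[str, str]


def parse_smb_conf(text: str) -> Dict[str, Section]:
    """Minimal smb.conf reader: [section] headers, 'key = value' lines, # or ; comments."""
    sections: Dict[str, Section] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # smbd ignores case and internal whitespace in parameter names
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def effective_create_mode(requested: int, create_mask: int, force_create_mode: int = 0) -> int:
    """smbd ANDs the requested mode with 'create mask', then ORs in 'force create mode'.
    The same arithmetic applies to directories with 'directory mask'/'force directory mode'."""
    return (requested & create_mask) | force_create_mode


def is_yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def check_domain_member(sections: Dict[str, Section]) -> List[str]:
    """Findings for a security = DOMAIN/ADS member config; an empty list means nothing flagged."""
    findings: List[str] = []
    g = sections.get("global", {})
    for key in ("workgroup", "realm", "security"):
        if key not in g:
            findings.append(f"[global] missing '{key}'")
    realm = g.get("realm", "")
    if realm and realm != realm.upper():
        findings.append(f"realm '{realm}' is not all caps; the Kerberos realm name is case sensitive")
    if g.get("security", "").lower() not in ("domain", "ads"):
        findings.append(f"security = {g.get('security', '<unset>')} is not a domain-member mode")
    if is_yes(g.get("unix extensions", "yes")):
        findings.append("unix extensions = Yes: Linux cifs clients pass their own POSIX mode, "
                        "so create mask alone may not give you 0660")
    for name, share in sections.items():
        if name in ("global", "printers", "homes"):
            continue
        writable = not is_yes(share.get("read only", "yes")) or is_yes(share.get("writeable", "no"))
        if writable and "valid users" not in share:
            findings.append(f"[{name}] is writable with no 'valid users' restriction; "
                            "only Unix permissions limit domain users")
    return findings


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for f in check_domain_member(conf):
        print("finding:", f)
    mask = int(conf["global"]["create mask"], 8)
    print(f"0664 request under create mask {mask:04o} -> {effective_create_mode(0o664, mask):04o}")
```

The parser is deliberately smaller than `testparm`; run `testparm -s` for the authoritative view of what smbd will load, and use this only to script the handful of checks above across many servers.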


RE: [Samba] Upgrading from NT to AD

2009-06-11 Thread Edward Ned Harvey
(going from NT to AD server) 
  Assuming you're using Kerberos, my expectation is that you don't
  need to do
  anything at all on the samba server.  But don't hold me to it.
 
 How about if I'm not currently using Kerberos?

What else is there?  Samba is in domain security mode, right?  I'm no
expert, but I think that implies Kerberos.  And if I'm wrong, I think it
implies somehow using RPC in some form ... in which case I expect you to
have the same behavior either way.

Point is, you're not using some funky ldap or whatever mechanism with any
weird schema.  You haven't mentioned winbind, so I assume you're not using
it.  My expectation is smooth sailing - on the samba side - not so much on
the NT side.  ;-)



[Samba] root and/or administrator not allowed

2009-06-11 Thread Edward Ned Harvey
I think I answer more questions than I ask here, but now it's my turn - I
can't seem to figure out what I should change here, and it don't make no
sense to me.

I have a samba fileserver.  I am not using winbind.  I am using NIS for
UID/GID lookup.  I am using AD via Kerberos for authentication.  Also I used
net join so it's all very well integrated with AD.  Normal (non-root)
users can simply browse to \\filer and they're
automatically authenticated, and all the umasks and UID/GID are handled
correctly.  However -

If Administrator tries to browse to \\filer, then it
prompts for username and pass.  I enter any combination of root or
administrator or DOMAIN\username or usern...@domain and it will never
authenticate as administrator - only normal users can connect.  While trying
to figure it out, I went as far as assigning a new UID (not zero) to the
administrator user, to make the administrator really remarkably similar to
a normal user, and still no luck.

I also checked.  I have not set anything for invalid users or valid
users.

Can't think of anything else to try.

Any suggestions?



RE: [Samba] Upgrading from NT to AD

2009-06-10 Thread Edward Ned Harvey
 Could someone point me toward documentation on the impact to Samba of
 upgrading from an NT domain to Active Directory?  I've found docs on
 Samba with NT domains and docs on Samba with AD, but not so much on
 the upgrade process.  I'd like to know exactly what I'm doing before I
 do anything that could cut my Windows users off from the file
 servers.  Whether it's as easy as do the upgrade and your Samba
 servers will automatically make the transition, or I have to set up
 Kerberos and make changes to smb.conf, I want to be sure I know all
 the steps involved.

I don't know any such documentation (and good luck to you finding it) - I
would think maybe you'll find something going from 2003 to 2008 ... but from
NT to AD ... phew doggy...

Anyway - I do have some advice for you.  Find some way to attach a new hard
drive to the windows server.  Boot from something like centos cd1 in rescue
mode.  Use dd to backup the OS hard drive to a file on the new HD.  If the
OS hard drive is software mirrored, make separate dd's for each of the 2
hard drives.  That way, you're free to do what you need to do, and you
always have a safetynet.

Assuming you're using Kerberos, my expectation is that you don't need to do
anything at all on the samba server.  But don't hold me to it.



RE: [Samba] can samba keep uid/gid/permission on a per-file-base?

2009-06-09 Thread Edward Ned Harvey
 I'd like to use a linux-based NAS to backup loads of files *including
 their permissions and uid/gid*.  The NAS supports NFS (which can do
 what I want) but the NFS-connections breaks all the time.

This is a strangely common question recently.  I'll paste here, the response I 
wrote in some other message.

If you're having NFS reliability problems, it's due to misconfigured NFS.  
Below is the config that I deploy to all the locations where I do their IT, 
because after zillions of hours of manual reading, testing and usage - it's a 
tried & tested rock solid config for linux-to-linux nfs filesharing.

Assuming you're on Linux, I'll suggest the following NFS options in your 
exports file, and then I think I better butt-out, because this is a samba 
mailing list:

man exports
# On a server that has a caching raid controller card, you want sync,no_wdelay
# On a server that has a simple disk, you want async (no_wdelay has no effect, so you can omit it.)
/share   10.1.100.0/23(sync,no_wdelay,rw,no_root_squash)


And I'll suggest the following options on the nfs client:
Use automount.  Assuming automount 5 you can use auto.direct as below, 
otherwise create an automount directory as expected in automount 4.
/etc/auto.master
/-  /etc/auto.direct --timeout=1200
/etc/auto.direct
/share -fstype=nfs,rw,hard,intr,posix  fileserver:/share

If you take my advice here, you'll have a NFS hard mount on the client 
(therefore resilient) combined with interruptable auto dismount (therefore self 
healing).  



[Samba] RE: password authentification

2009-06-08 Thread Edward Ned Harvey
A tough question.  I know the pass comes from AD, but what exactly
happens.

I normally configure my systems to use Kerberos, so users can ssh into the
linux machine before I configure samba, and kerberos is doing the
authentication to AD; however, when I do the net join it says Kerberos
failed and falling back to RPC.  I am not sure if there's some
authentication protocol that goes across RPC (such as NTLM, or something
built into RPC itself) . so it's possible that authentication of my samba
server might not be using Kerberos.  I'm really not sure.

Protocol aside, this much I can say for sure:

When you do the net join you must enter a domain administrator password
one time.  This password is not saved or cached on the samba server
anywhere.  This process creates a computer object in AD, and incase you
didn't know it, a computer object is very similar to a user object.  All
your computer objects have unique identifiers and keys similar to passwords
but more secure.  It is, as you know, necessary to join a computer onto the
domain before that computer is able to query the domain server for user
authentication.  Once joined, the computer never needs to rejoin, and there
is no further need for the domain admin pass.  From now on, the computer can
uniquely and securely identify itself to the AD server, and when a user
tries to access your samba server, the user's Kerberos keys (or encrypted
password) will be presented to the AD server for authentication.

From: BeefStu BeefStu [mailto:beefstu...@hotmail.com] 
Sent: Monday, June 08, 2009 9:25 AM
To: Edward Ned Harvey; samba@lists.samba.org
Subject: password authentification

Ed,
 
Thanks, but I have a few more questions. I took a working example of a
smb.conf from another machine and placed this into my smb.cnf (see below in
red). This is the only thing I did on the UNIX end.
 
To use AD for password verification, I will follow your directions below, 
but is there anything else I need to do on the UNIX end?
 
What I am trying to say, is how will samba get the password now if there is
no password file. I know it will get it from AD, but can you take me through
step by step as to what happens. 
 
Lets assume I want to map a drive. By doing a join does samba actually go
into AD with my login (it must be cached some how right) and look up my
password?
 
Current working version
 [global]
workgroup = hshhp
server string = Samba 3.0.4.0
smb passwd file = /var/samba/private/smbpasswd
log file = /usr/local/samba/var/log.%m
mangle case = Yes

 
New version
[global]
workgroup = hshhp
security = DOMAIN
auth methods = ntdomain
password server = ttndc3
max xmit = 65535
socket options = TCP_NODELAY IPTOS_LOWDELAY
ldap ssl = no
oplocks = No

For example, I see things like this (see below) do I need all this?

The smbpasswd File

For security reasons we will place the smbpasswd file in a private directory
using the following commands: 

cd /etc/samba
mkdir private
cd private
touch smbpasswd
chmod 600 smbpasswd
cd ..
chmod 500 private

Now we will add a dummy entry to the smbpasswd file. To do this, first
create a user account for yourself on the Linux server [unless one already
exists], then execute the following commands: 

cd /etc/samba/private
cat /etc/passwd | mksmbpasswd.sh > smbpasswd
Setting up winbind?

From: sa...@nedharvey.com
To: beefstu...@hotmail.com; samba@lists.samba.org
Date: Sat, 6 Jun 2009 07:03:54 -0400
Subject: RE: [Samba] password authentification

 I am trying to setup samba so that it uses the password from my AD
 instead of having a password file in SAMBA.

 Can somebody tell me what I have to do on the windows 2003 side to make
 this work. I am guessing I have to setup a samba acct in AD but not too
 sure. Can somebody please verify and maybe send me a screen print.

There are a million and one ways to do what you're trying to do.  The
simplest way that I know of - you don't need to do anything on the Windows
side.  You join the domain with the samba server, and that will create a
computer account in AD for you, just as if you were joining AD with some
windows laptop.  Here's how I do that on my systems:

I don't mess with the smb.conf file.  I admin the whole thing via SWAT, as
follows:

1.  Enable SWAT.  Browse to http://localhost:901
(note: by default in the xinetd.d config, this interface is only enabled for
localhost; by default you can't browse to this web interface across the
network; you must use localhost or change the xinetd.d config)

2.  Go to Wizard.

a.  Server type:  Domain member

b.  Commit

3.  Edit Parameter Values

a.  Workgroup:  MYDOMAIN

b.  Realm:  MYDOMAIN.COM (all caps)

c.  Commit changes

4.  Go to the command prompt.
net join -w MYDOMAIN -U administrator
(It's normal to get an error, as long as it says joined in the end

RE: [Samba] Make CIFS look like NFS

2009-06-08 Thread Edward Ned Harvey
  NFS is a more native network filesystem for unix machines, so it
 really only makes sense to use samba if you have some compelling reason
 not to use NFS.  Do you have some reason NFS would be bad in this case?
 
 I had tried NFS previously - and didn't enjoy it.  I had numerous
 lockups.  Samba appeared to provide a much more fault-tolerant
 environment.  I will admit it's possible there were physical
 connectivity issues that have since been corrected.

That sheds a whole new light on it - you're definitely going about this
wrong, if you are doing unix-to-unix filesharing and you expect cifs to be
better than nfs...  You should instead concentrate your effort on
configuring NFS right.  If it's configured right, NFS is the more resilient
protocol.  You can even reboot the NFS server in the middle of file
operations, and there will be no problem (just a delay) on the client.

The reason to use samba is primarily sharing with windows, but to a lesser
extent, some other OSes.  Samba is after all, reverse-engineered Microsoft
cifs.  MS created it, and the only reason anyone else uses it is for the
sake of MS compatibility.

Assuming you're on Linux, I'll suggest the following NFS options in your
exports file, and then I think I better butt-out, because this is a samba
mailing list:

man exports
# On a server that has a caching raid controller card, you want sync,no_wdelay
# On a server that has a simple disk, you want async (no_wdelay has no effect, so you can omit it.)
/share   10.1.100.0/23(sync,no_wdelay,rw,no_root_squash)


And I'll suggest the following options on the nfs client:
Use automount.  Assuming automount 5 you can use auto.direct as below,
otherwise create an automount directory as expected in automount 4.
/etc/auto.master
/-  /etc/auto.direct --timeout=1200
/etc/auto.direct
/share -fstype=nfs,rw,hard,intr,posix  fileserver:/share

If you take my advice here, you'll have a NFS hard mount on the client
(therefore resilient) combined with interruptable auto dismount (therefore
self healing).  This is the config that I deploy to all the locations where
I do their IT, because after zillions of hours of manual reading, testing
and usage - it's a tried  tested rock solid config for linux-to-linux
filesharing.


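Added example, not from these posts or from the NFS utilities: a checker for the /etc/exports and auto.direct lines recommended in the 2009-06-09 reply and repeated in the reply above. It flags the two things a reviewer would question in that export (`no_root_squash`, which makes root on any of the 512 addresses in 10.1.100.0/23 root on the export, and the width of that range), the classic `host (options)` whitespace mistake that silently exports to the world, `async` as an acknowledged data-loss trade-off, and on the client side confirms the `hard` plus `intr` combination the post relies on for resilience. Both sample inputs are constructed; the second exports line is added to exercise the whitespace case.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample: the export from the post plus a deliberately sloppy second line.
SAMPLE_EXPORTS = """\
# caching raid controller: sync,no_wdelay; simple disk: async
/share   10.1.100.0/23(sync,no_wdelay,rw,no_root_squash)
/public  * (ro,sync)
"""

# Constructed sample: the auto.direct map from the post.
SAMPLE_AUTO_DIRECT = "/share -fstype=nfs,rw,hard,intr,posix  fileserver:/share\n"

CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text: str) -> List[Dict]:
    """One record per (path, client) pair; options are the comma list in parentheses."""
    records: List[Dict] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:]
        for token in clients:
            m = CLIENT_RE.match(token)
            host, opts = m.group(1), m.group(2)
            # "host (opts)" with a space: exportfs gives host the defaults and
            # exports with opts to everyone. Record that world entry explicitly.
            records.append({
                "path": path,
                "client": host if host else "*",
                "options": [o for o in (opts or "").split(",") if o],
                "world_by_space": host == "",
            })
    return records


def client_scope(client: str) -> int:
    """Approximate number of hosts a client spec reaches; -1 means unbounded."""
    if client in ("*", ""):
        return -1
    try:
        return ipaddress.ip_network(client, strict=False).num_addresses
    except ValueError:
        return 1  # hostname, wildcard name or netgroup: count it as one


def check_exports(records: List[Dict]) -> List[str]:
    findings: List[str] = []
    for r in records:
        where = f"{r['path']} -> {r['client']}"
        opts = set(r["options"])
        if r["world_by_space"]:
            findings.append(f"{where}: options given after a space apply to every host, not the named one")
        scope = client_scope(r["client"])
        if scope == -1:
            findings.append(f"{where}: exported to any host")
        elif scope > 256:
            findings.append(f"{where}: client range covers {scope} addresses")
        if "no_root_squash" in opts:
            findings.append(f"{where}: no_root_squash, root on any listed client is root on this export")
        if "async" in opts:
            findings.append(f"{where}: async, acknowledged writes can be lost if the server crashes")
    return findings


def check_auto_direct(text: str) -> List[str]:
    """Verify each direct-map entry asks for a hard, interruptible NFS mount."""
    findings: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        key = parts[0]
        optstr = next((p for p in parts[1:] if p.startswith("-")), "")
        opts = set(optstr.lstrip("-").split(","))
        if "hard" not in opts or "soft" in opts:
            findings.append(f"{key}: not a hard mount; I/O errors instead of waiting out a server reboot")
        if "intr" not in opts:
            findings.append(f"{key}: no intr; stuck processes cannot be interrupted on older kernels")
    return findings


if __name__ == "__main__":
    for f in check_exports(parse_exports(SAMPLE_EXPORTS)) + check_auto_direct(SAMPLE_AUTO_DIRECT):
        print("finding:", f)
```

On kernels from 2.6.25 onward `intr` is accepted but ignored (NFS mounts are always interruptible by SIGKILL), so the second client check matters only for the older systems the post was written against; the exports checks apply unchanged.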


RE: [Samba] Make CIFS look like NFS

2009-06-08 Thread Edward Ned Harvey
  protocol.  You can even reboot the NFS server in the middle of file
  operations, and there will be no problem (just a delay) on the
 client.
 
 The same is true of a Samba server, as the clients are usually
 coded to do reconnects correctly (remember they originally were
 designed to work only with Windows servers :-).

If you're saying that linux cifs clients will gracefully handle server
reboots (or interruptions) I believe you - I've never had any reason to do
such a thing myself - But I know I've had within the last year, windows xp
clients connected via cifs and linux clients connected via nfs to a server
which spontaneously rebooted, and all the XP clients were disconnected (some
had to reboot to restore connection, while most just needed to manually
disconnect/reconnect) and the linux clients all paused for a little while
and continued as if nothing happened.  Maybe it wasn't nfs vs cifs which
saved the day on the linux clients - maybe it was linux vs windows that made
the difference.



RE: [Samba] password authentification

2009-06-06 Thread Edward Ned Harvey
 I am trying to setup samba so that it uses the password from my AD
 instead of having a password file in SAMBA.

 Can somebody tell me what I have to do on the windows 2003 side to make
 this work. I am guessing I have to setup a samba acct in AD but not too
 sure. Can somebody please verify and maybe send me a screen print.

There are a million and one ways to do what you're trying to do.  The simplest 
way that I know of - you don't need to do anything on the Windows side.  You 
join the domain with the samba server, and that will create a computer account 
in AD for you, just as if you were joining AD with some windows laptop.  Here's 
how I do that on my systems:



I don't mess with the smb.conf file.  I admin the whole thing via SWAT, as 
follows:

1.  Enable SWAT.  Browse to http://localhost:901  (note: by default in the 
xinetd.d config, this interface is only enabled for localhost; by default you 
can't browse to this web interface across the network; you must use localhost 
or change the xinetd.d config)

2.  Go to Wizard.

a.  Server type:  Domain member

b.  Commit

3.  Edit Parameter Values

a.  Workgroup:  MYDOMAIN

b.  Realm:  MYDOMAIN.COM (all caps)

c.  Commit changes

4.  Go to the command prompt.
net join -w MYDOMAIN -U administrator
(It's normal to get an error, as long as it says joined in the end and the 
computer account was created in AD)

5.  Restart samba


RE: [Samba] Make CIFS look like NFS

2009-06-06 Thread Edward Ned Harvey
 I'm trying to run an IMAP mail server (Dovecot) in a virtual machine.
 However, I do not want the messages stored within the virtual disk.  So
 - the question was how the virtual machine could access those files.
 Dovecot has been setup and tested with NFS.  However, when I asked

The best answer to this question is exactly what you're doing - testing it will 
give you results probably more convincing than anything anyone could say to 
you.  That being said ...

NFS is a more native network filesystem for unix machines, so it really only 
makes sense to use samba if you have some compelling reason not to use NFS.  Do 
you have some reason NFS would be bad in this case?

There are many differences between samba and nfs, however, there are only two 
that I think are likely to be true roadblocks for you.  File permissions ... In 
samba you can configure the umask to be whatever you like, but you can't do it 
on a file-by-file basis.  So you're missing granularity there if you need it.  
And in samba, certain characters (most notably the ':' colon character) are not 
valid.

There may be some difference in the way file locking is handled.  This would 
only matter if you had more than one system accessing the same files at the 
same time - but I don't think that's the case for you, huh.  Because it's an 
imap server, and you're not going to run two separate imap servers on the same 
directory.

The issue you mentioned with missing tmp files ... sounds bogus to me.  I can't 
think of any way samba could cause that, unless it's just a side-effect of one 
of the aforementioned possible roadblocks.


RE: [Samba] password authentification

2009-06-06 Thread Edward Ned Harvey
 Hasn't SWAT been deprecated and unsupported for a very long time?

If so - I never heard of that - but then again - I don't spend my days
reading about the latest developments in samba - I just take the version
which shipped with my OS, and configure it to be useful - and most OSes are
still shipping with samba 3.0 in which case SWAT is tremendously useful.
I've never yet had any inclination to go above samba 3.0, because it's so
stable and more usable than anything which doesn't compile or isn't
available precompiled or lacks such a critical feature as an admin
interface.

But mostly because samba 3.0 ships with all the OSes that I use, and thanks
to swat, is easily and consistently configurable and stable.  (Speaking for
RHEL4, RHEL5, (and centos), solaris, and opensolaris).  I am aware newer
versions of samba come with fedora and ubuntu, but I never use fedora or
ubuntu.



[Samba] 14.4G samba filesystem limit?

2009-05-19 Thread Edward Ned Harvey
I have a share on a disk with 120G free.  But for some reason, all my CIFS
clients report only 14.4G empty.  Depending on what I'm trying to do with
the share, the client may happily ignore the supposed free space limitation,
but some programs actually give me a warning and refuse to work, "Error,
this operation requires 18G but the destination only has 14.4G free..."

If I force the operation to happen, it will happily write 18G or whatever
... and then it will still report 14.4G free.

Anybody have any idea where this 14.4G number is coming from, or how to
correct it?

My server is the latest release of Solaris (which is 10u6 (aka Solaris 10
10/08)) running the version of samba that ships with it.  (Not the built-in
cifs kernel module; I am actually using samba.)

My clients are Vista 64 and Windows XP Pro 32bit.

Please let me know if any further details might be helpful ...  Thanks for
any pointers...

 
