Re: [Samba] Problem with Samba and Windows Terminal Server 2008
Ron Daniel wrote:
> Hello all,
>
> We have a Windows 2008 Terminal Server which people connect into to run their programs. We are getting upwards of 60 people connecting in at any time.
>
> We are seeing error messages from the application complaining that it can't access one of the files on one of the shares.
>
> I have read that this problem is likely to be due to the fact that we run one machine as a terminal server and there is only one netbios host being used by multiple people.
>
> The paper I have read from HP refers to registry key called MultiUserEnabled on earlier versions of windows terminal server needs to be set to 1 in order for the father smbd process to recognise different sessions connecting from the one host.
>
> The paper is at http://www.docs.hp.com/en/12131/Samba-TerminalServer_106.pdf

> I'll look around this afternoon and see if there are any clues that 2008 has a newly-named multi-user parm.
>
> Eric Roseme

Ron - I cannot find any evidence that MultiUserEnabled/EnableMultiUser/MultipleUsersOnConnection has been rolled forward into Windows 2008. It's possible that the functionality was embedded in 2008 - but very unlikely.

Can you verify that your 60 TS users are being serviced from one Samba smbd? If you do not have any non-TS users connecting, then that is easy enough by doing a ps -ef | grep smbd and seeing if there are 61 processes or 2.

In the whitepaper, there are several workarounds suggested. I'll see if I can find out from MS what the story is about 2008, but for 2000 and 2003 it was a 3-year delay each time, as I recall.

Eric Roseme

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Problem with Samba and Windows Terminal Server 2008
Ron Daniel wrote:
> Hello all,
>
> We have a Windows 2008 Terminal Server which people connect into to run their programs. We are getting upwards of 60 people connecting in at any time.
>
> We are seeing error messages from the application complaining that it can't access one of the files on one of the shares.
>
> I have read that this problem is likely to be due to the fact that we run one machine as a terminal server and there is only one netbios host being used by multiple people.
>
> The paper I have read from HP refers to registry key called MultiUserEnabled on earlier versions of windows terminal server needs to be set to 1 in order for the father smbd process to recognise different sessions connecting from the one host.
>
> The paper is at http://www.docs.hp.com/en/12131/Samba-TerminalServer_106.pdf

Oops - that's my paper. Sorry, I have not looked at 2008 for the parameter yet. FYI - for both 2000 and 2003 Microsoft delayed rolling it forward for a few years. Many customers were left hanging both times. So it is possible that the parm is not on 2008 - I did a quick google and did not get any hits, but they have changed the name for each release, so that is not definitive.

I'll look around this afternoon and see if there are any clues that 2008 has a newly-named multi-user parm.

Eric Roseme
Re: [Samba] sambaRefuseMachinePwdChange policy
Frank wrote:
> Hi,
>
> we have a couple of Linux RHEL 5 samba servers in a domain, one as PDC and the other as BDC, and both with LDAP backends
> samba version is 3.0.28-1
>
> We want pc clients can't change their machine password using sambaRefuseMachinePwdChange policy, so we set it to 1 in LDAP
>
> But pc clients still can change their passwords, and we don't see any access to sambaRefuseMachinePwdChange attribute on LDAP logs.
>
> Is it not used in this version yet? Must we do something special to use it?

I saw the same thing in August of 2007:

http://marc.info/?l=samba&m=118772246625319&w=2

Which was never replied to.

Eric Roseme
Re: [Samba] Samba Password Question.
mpars...@uk.ey.com wrote:
> Hi David,
>
> It's Samba Release 3 on an HP-UX 11.11 machine. We are allowing users to map folders from the unix box as shares on their windows laptops.

Mark - I posted this on ITRC too:

I assume that you have a Samba PDC (security = user) with a passdb backend of tdbsam or ldapsam. If so, then you set domain policies with pdbedit. I believe that you have to set the user must change password attribute *and* the password age attribute to 0 (for each user) to make it happen at the next logon. Have you already tried this and it did not work?

http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#pdbeditthing

I think it's:

  pdbedit -P "maximum password age" -C value
  pdbedit -u user --pwd-must-change-time 0

Eric Roseme
Hewlett-Packard
Re: [Samba] Mapped Network Drive Error
Mike - your Samba server cannot contact a domain controller. From your additional detail on the ITRC users group, it appears that you have changed from security = user to security = domain without actually joining the domain. So you need to net rpc join.

Eric Roseme

mpars...@uk.ey.com wrote:
> Hi,
>
> I'm getting the following error:
>
> The mapped network drive could not be created because the following error has occurred - there are currently no logon servers available to service the logon request
>
> Any ideas?
>
> Kind Regards,
> Mark Parsons.
Re: [Samba] Host with multiple names
I have been able to do this by using ADSIEdit to add the alias service principal to the server computer object in the AD. In my case, I was using the same IP for hostname and alias. I could not get Samba to create a keytab entry for the alias SP, though. I could add a keytab SP with net ads keytab create, but the client could not authenticate using the SP. For non-keytab authentication the alias worked.

Eric Roseme

Kums wrote:
> Imho, you can join/authenticate to AD only via single name that is specified in the netbios parameter in smb.conf. If you do not specify anything, the default netbios name of the node is going to be your hostname.
>
> If a host has multiple IP address/eth interfaces, then you can access the share using multiple IP addresses (with single host name) unless you did not bind your SMBD to a particular IP address in smb.conf using interfaces option.
>
> Cheers,
> -Kums
>
> On Wed, Jan 14, 2009 at 12:47 PM, Avron Gray ag...@aeso.ca wrote:
>> I should add the following:
>>
>> The host has been joined to ADS with the actual hostname
>> The host is sharing fine via this hostname/IP
>> Attempting to connect via the host's alias / alternate IP address results in the following error message:
>>
>> The trust relationship between this workstation and the primary domain failed.
>>
>> Cheers,
>> - Avron
>>
>> -----Original Message-----
>> From: samba-bounces+agray=aeso...@lists.samba.org [mailto:samba-bounces+agray samba-bounces%2Bagray=aeso.ca@ lists.samba.org] On Behalf Of Avron Gray
>> Sent: Wednesday, January 14, 2009 12:38 PM
>> To: samba@lists.samba.org
>> Subject: [Samba] Host with multiple names
>>
>> Hi folks,
>>
>> I'm running samba 3.0.33 on Solaris 9 hosts. I have a host that has two hostnames (actual + alias). I would like to be able to connect to this host via either hostname and be able to access this samba data.
>>
>> Note: I would prefer not to run multiple samba instances...
>>
>> Has anyone else experienced this sort of issue, and have you been able to resolve it?
>>
>> - Avron
Re: [Samba] sync always, strict sync, cache question
Chris Fanning wrote:
> snip
>
> But I am worried about the cache that Samba makes use of. We would like samba to write to disk immediately. We've found these two options for smb.conf
>
> sync always = yes
> strict sync = yes
>
> I can't quite see the difference between the two in my case.
> If I set 'sync always = yes' _or_ 'strict sync = yes', I can copy files at 70MB/s (similar to NFS using async).
> If I set both options, file transfer speed drops to about 20MB/s
>
> Does that mean that I do need to set both options to ensure the cache is written to disk before the server returns the ok to the client? How could I test this?
>
> And now while I'm here ;) , does anyone have any other recommendations for this kind of setup?
>
> Thanks,
> Chris.

Hi Chris,

I did an investigation on this in 2003. Here are the results. Not sure if things have changed since then.

---

Samba defaults to asynchronous writes. smbd writes to memory buffer, then returns to processing. Buffer is flushed to disk later. This is the most efficient behavior.

Windows CreateFile API has the FILE_FLAG_WRITE_THROUGH flag, which requests synchronous writes. smbd writes to memory buffer, blocks until buffer contents are written to disk, which results in poor performance, but better data integrity.

When strict sync = yes (default = no) Samba honors the FILE_FLAG_WRITE_THROUGH flag, and results in synchronous writes when called by the CreateFile API.

When sync always = yes (default = no) Samba executes all writes synchronously. This requires that “strict sync = yes”.

StrictSync  SyncAlways  ff_write_through  Sync-Writes
no          no          no                no
yes         no          no                no
yes         no          yes               Yes (slow)
no          yes         yes               no
yes         yes         yes/no            yes (very slow)

Eric Roseme
Re: [Samba] HPUX and Samba 3.023 question
Casey Dearcorn wrote:
> I am sorry if this sounds dumb, but I am sort of a newbie with samba. We have upgraded our active directory domain servers to 2008 and samba 3.07 will not bind to the directory anymore. I have been told that I need to upgrade past 3.022 in order to make it work? First of all is this true? Second, when I went to install it and run it there is an error that it can not find libldap-2.2.so. I am assuming this is for the HPUX IXOPENLDAP, but I am not sure. In either case I can not find this version to install. I don't want to mess my box up, but I would like to get my samba running correctly again. Can anyone give me any advice or information?

Hi Casey,

Are you using HP CIFS Server or Opensource Samba? I am guessing from the library error that you were using CIFS Server and then tried to install and run Opensource. What HP-UX version are you on?

If you are compiling/using Opensource, then you need to update past 3.0.28, so you might as well get 3.0.31. You will also need to install OpenLDAP to get the libraries. Go here and read the README:

http://us1.samba.org/samba/ftp/Binary_Packages/hp/samba-3.0.23a/README

If you are using HP CIFS Server, then the latest version is based upon Samba 3.0.22a with fixes ported in from later versions up to 3.0.25a. So it does not have the fix for joining a W2008 domain with security = ads. You can join W2008 with security = domain, though.

Eric Roseme
Hewlett-Packard
Re: [Samba] HPUX and Samba 3.023 question
Ryan Novosielski wrote:
> Eric Roseme wrote:
>> Casey Dearcorn wrote:
>>> I am sorry if this sounds dumb, but I am sort of a newbie with samba. We have upgraded our active directory domain servers to 2008 and samba 3.07 will not bind to the directory anymore. I have been told that I need to upgrade past 3.022 in order to make it work? First of all is this true? Second, when I went to install it and run it there is an error that it can not find libldap-2.2.so. I am assuming this is for the HPUX IXOPENLDAP, but I am not sure. In either case I can not find this version to install. I don't want to mess my box up, but I would like to get my samba running correctly again. Can anyone give me any advice or information?
>>
>> Hi Casey,
>>
>> Are you using HP CIFS Server or Opensource Samba? I am guessing from the library error that you were using CIFS Server and then tried to install and run Opensource. What HP-UX version are you on?
>>
>> If you are compiling/using Opensource, then you need to update past 3.0.28, so you might as well get 3.0.31. You will also need to install OpenLDAP to get the libraries. Go here and read the README:
>>
>> http://us1.samba.org/samba/ftp/Binary_Packages/hp/samba-3.0.23a/README
>>
>> If you are using HP CIFS Server, then the latest version is based upon Samba 3.0.22a with fixes ported in from later versions up to 3.0.25a. So it does not have the fix for joining a W2008 domain with security = ads. You can join W2008 with security = domain, though.
>>
>> Eric Roseme
>> Hewlett-Packard
>
> Eric,
>
> Is that also true of A.02.03.04? Looks like it is somewhat newer, but I'm not 100% sure how that affects the domain stuff.
>
> http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B8725AA
>
> You probably know better than I, being from HP, but I've spent an inordinate amount of time on this recently, so I have the release notes memorized. :-P
>
> PS: utmp = yes causes PANIC's on A.02.03.03 and A.02.03.04.

Hi Ryan,

Yes - unfortunately, it also holds true of A.02.03.04. Sorry that you spent so much time on it.

I can send you a tool that will allow you to write the CIFS/Samba computer object to the W2008 AD and generate a keytab file on the CIFS/Samba server. When you start CIFS/Samba with use kerberos keytab = yes, your users can authenticate to and mount CIFS/Samba shares, but any of the net commands that require auth-n will fail (including join). winbind will not start either. Still working on this as a W/A. I do not have a timeframe for 3.0.28 (or .31) for CIFS yet.

PS - the tool is unsupported.

Eric
Re: [Samba] Samba / AD integration
Check out this paper:

http://www.docs.hp.com/en/7212/ADSJoinMinimumPerms.pdf

I wrote it about 3 years ago, so the Samba version was 3.0.7. Things may have changed. It refers to HP-UX CIFS Server but at the time held true for Opensource too.

Eric Roseme

Brian Foddy wrote:
> I have a quick question on hooking Samba to a large AD domain. Following the excellent recipe at:
> http://wiki.samba.org/index.php/Samba__Active_Directory
>
> I see it states about half way down to join the machine to AD
>
> Now to join your machine to the active directory. You will need the user-name and password to a Domain Administrator account to do this. The command you need to join the domain is net ads join -U sadwrn. This should then ask you for a password, and print a domain join notice.
>
> Is this required to use a Domain Administrator account, or can any normal user AD account be used? I know AD doesn't allow anonymous browsing, but can a normal non-admin account be used? As I read through it, I don't see any other special admin access required other than the root on the Linux machine.
>
> My goal is this... We have a very large AD system, 80.000+ users, and we want to activate Samba on two servers for a very small user group (maybe 12 users) but validate userid/passwords against AD. If Samba can be setup with little or no AD changes, or involvement from the AD administrators, but with some simple config from the UNIX admins, then we have a much better chance of getting this approved. But if it requires a lot of heavy involvement of the AD support group, ongoing maintenance, etc, then the odds are slim. Largely political, the UNIX admins are much more open to open source solutions than the Windows side of the fence. So if this can be sold as just another AD client app not requiring any special AD domain permissions, we have a chance.
>
> Thanks for any help/advice.
> Brian
Re: [Samba] Slow Samba writes over NFS
Helmut Hullen wrote:
> Hello, ashis.v.purbhoo,
>
> You (ashis.v.purbhoo) wrote on 17.07.08:
>
>> Currently in the process of upgrading Samba v2.0.10 to Samba v3.0.x, while conducting some minimal testing, it turns-out that Samba v3.0.x is performing slower than Samba v2.0.10.
>>
>> Set-ups:
>>
>> A. Samba v3.0.x -- Same PC client is accessing the samba share running on Red Hat 4.5 (64bit, HP DL380) which in turn has an NFS mount coming from another SAN attached Red Hat 4.5 (64bit, HP DL380).
>>
>> B. Samba v2.0.x -- Same PC client is accessing the samba share running on Red Hat 4.5 (32bit, Dell T7400) which in turn has an NFS mount coming from another SAN attached Red Hat 4.5 (64bit, HP DL380).
>
> Maybe a change to cifs instead of nfs helps - I have seen that in a school in the neighbourhood.
>
> Best regards!
> Helmut

Samba 2.* default was strict locking = no, and 3.* is strict locking = yes. If you have strict locking set over an NFS mount, it will be very slow.

Eric Roseme
[Samba] Administrator Maps winbind GID to 100 (sys)
Samba 3.0.22a (with backports from up to 3.0.25) on HP-UX 11iv3 (HP CIFS Server), security=ADS to W2003R2 domain, winbind running with idmap backend = rid:, and root = DOMAIN+Administrator in username.map.

From Administrator on a domain Vista client, using Explore to map a share and then set an ACL from Properties/Security/Permissions, I choose a Windows group from the list to add to the directory ACL. The winbind GID is 12011. The correct groupname is displayed in the Explorer window, but when doing a getacl from unix, the GID is 100, or sys - the Administrator home group.

So I went to /var/opt/samba/locks and deleted all of the cache files and restarted - same result.

If I set the directory to a different owner, and add the same GID with a different client user, then the correct winbind GID is added to the ACL.

Any idea why Administrator=root maps the sys GID to a winbind group name?

Log entry and smb.conf below.

Thanks,
Eric Roseme

[2008/05/14 09:57:02, 10] passdb/passdb.c:local_sid_to_gid(1318) local_sid_to_gid: Fall back to algorithmic mapping
[2008/05/14 09:57:02, 10] passdb/passdb.c:local_sid_to_gid(1325) local_sid_to_gid: mapping: S-1-5-21-463747597-202940698-2940076759-1201 - 100
[2008/05/14 09:57:02, 10] passdb/lookup_sid.c:sid_to_gid(1245) sid_to_gid: S-1-5-21-463747597-202940698-2940076759-1201 - 100
[2008/05/14 09:57:02, 10] smbd/posix_acls.c:create_canon_ace_lists(1453) create_canon_ace_lists: adding dir ACL: canon_ace index 0. Type = allow SID = S-1-5-21-463747597-202940698-2940076759-1201 gid 100 (100) SMB_ACL_GROUP perms r-x
[2008/05/14 09:57:02, 10] smbd/posix_acls.c:create_canon_ace_lists(1511) create_canon_ace_lists: adding file ACL: canon_ace index 0. Type = allow SID = S-1-5-21-463747597-202940698-2940076759-1201 gid 100 (100) SMB_ACL_GROUP perms r-x

# Samba config file created using SWAT
# from 16.93.45.222 (16.93.45.222)
# Date: 2006/04/28 10:10:56

# Global parameters
[global]
    workgroup = SNSLATC
    realm = SNSLATC.HP.COM
    server string = Samba Server
    interfaces = xx.xxx.xxx.xx
    bind interfaces only = Yes
    netbios name = SERVER14
    security = ADS
    client schannel = No
    server schannel = No
    password server = SNSLATC-DC.SNSLATC.HP.COM
    log level = 10
    log file = /var/opt/samba/log.%m
    username map = /etc/opt/samba/username.map
    max log size = 1000
    machine password timeout = 300
    local master = No
    wins server = xx.xxx.xxx.xx
    ldap ssl = no
    idmap uid = 1-2
    idmap gid = 1-2
    idmap backend = rid:SNSLATC=1-2
    template homedir = /home/%U
    template shell = /usr/bin/sh
    winbind separator = +
    winbind use default domain = yes
    allow trusted domains = no
    winbind enum users = yes
    winbind enum groups = yes
    read only = No
    short preserve case = No
    dos filetime resolution = Yes
    #use kerberos keytab = yes

[homes]
    comment = Home Directories
    valid users = %S
    browseable = No

[tmp]
    comment = Temporary file space
    path = /tmp

[sbx_interface]
    path = /home/sbx_interface
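An added example, not part of the original post and not Samba code: a scan of an smbd level-10 log for the pattern shown above, where a group SID is resolved through the "Fall back to algorithmic mapping" path and the resulting gid then lands in an ACL entry. The function names are hypothetical, and the sample log reuses the entries from the post plus one constructed line.

```shell
#!/bin/sh
# Added example, not Samba code: report SIDs whose gid came from the
# "Fall back to algorithmic mapping" path in an smbd level-10 log, and how
# many group ACEs were then built with that gid.

# Sample log: the first five entries are the ones quoted in the post (one
# entry per line); the last entry is constructed, a mapping with no fallback.
write_sample_log() {
    cat > "$1" <<'EOF'
[2008/05/14 09:57:02, 10] passdb/passdb.c:local_sid_to_gid(1318) local_sid_to_gid: Fall back to algorithmic mapping
[2008/05/14 09:57:02, 10] passdb/passdb.c:local_sid_to_gid(1325) local_sid_to_gid: mapping: S-1-5-21-463747597-202940698-2940076759-1201 - 100
[2008/05/14 09:57:02, 10] passdb/lookup_sid.c:sid_to_gid(1245) sid_to_gid: S-1-5-21-463747597-202940698-2940076759-1201 - 100
[2008/05/14 09:57:02, 10] smbd/posix_acls.c:create_canon_ace_lists(1453) create_canon_ace_lists: adding dir ACL: canon_ace index 0. Type = allow SID = S-1-5-21-463747597-202940698-2940076759-1201 gid 100 (100) SMB_ACL_GROUP perms r-x
[2008/05/14 09:57:02, 10] smbd/posix_acls.c:create_canon_ace_lists(1511) create_canon_ace_lists: adding file ACL: canon_ace index 0. Type = allow SID = S-1-5-21-463747597-202940698-2940076759-1201 gid 100 (100) SMB_ACL_GROUP perms r-x
[2008/05/14 09:57:03, 10] passdb/lookup_sid.c:sid_to_gid(1245) sid_to_gid: S-1-5-21-463747597-202940698-2940076759-1202 - 12012
EOF
}

# fallback_gid_report LOGFILE
# Output: one line per affected SID, "<SID> <gid> <number of group ACEs>".
fallback_gid_report() {
    awk '
        function find_sid(   i) {
            for (i = 1; i <= NF; i++) if ($i ~ /^S-1-[0-9-]+$/) return $i
            return ""
        }
        # smbd announces the fallback, then logs the mapping it produced.
        /local_sid_to_gid: Fall back to algorithmic mapping/ { pending = 1; next }
        /local_sid_to_gid: mapping:/ {
            sid = find_sid()
            if (pending && sid != "" && !(sid in gid)) {
                gid[sid] = $NF          # last field of the entry is the gid
                order[++n] = sid
            }
            pending = 0
            next
        }
        # ACEs written to the POSIX ACL for a SID that went through fallback.
        /canon_ace index/ && /SMB_ACL_GROUP/ {
            sid = find_sid()
            if (sid in gid) aces[sid]++
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s %s %d\n", order[i], gid[order[i]], aces[order[i]]
        }
    ' "$1"
}

# Stand-alone run on the sample log.
sample_log=$(mktemp)
write_sample_log "$sample_log"
fallback_gid_report "$sample_log"
rm -f "$sample_log"
```

On a server running winbind, `wbinfo -Y <SID>` gives the gid winbind would assign to each reported SID, for comparison with the gid smbd wrote into the ACL.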
Re: [Samba] (no subject)
Hi Sudheer,

Although your particular case is fixed already, I'll reply here for completeness to the list.

HP-UX requires a special tweak to the /etc/krb5.conf file in order to create a keytab file - the addition of the WRFILE parameter. This is fully explained in the HP CIFS Server and Kerberos whitepaper, located here:

http://www.docs.hp.com/en/7213/HPCIFSKerberosV103.pdf

Eric Roseme

Radhakrishnan, Sudheer Kumar K. wrote:
> Hello Samba,
>
> We are using Samba/CIFS hp-ux server connecting to Windows ADS and try to create keytab file using net ads create keytab -u Administrator, but it is unable to create keytab file in the /etc/directory.
>
> Please see the attached output file for your reference.
>
> Appreciate your help!!
>
> Sudheer Radhakrishnan
Re: [Samba] krb5.conf file in /var/lib/samba/smb_krb5; Samba 3.0.27a
Hi Alex,

The reason that I was looking at this was because although I had MD5 configured in /etc/krb5.conf, Wireshark showed that the AS-REQ/REP, TGS-REQ/REP, and the SMB Session Setup AndX Request and Response were all in RC4. I could not figure out why until I found the Samba krb5.conf. So it appears that Samba supersedes the /etc/krb5.conf enctype and uses RC4.

Eric

Alex de Vaal wrote:
> Hello Eric,
>
> Thnx for your answer, now I know I couldn't find anything about the subject... ;-)
>
> Before I asked the question about the krb5.conf file in /var/lib/samba/smb_krb5 I searched all Samba documentation and googled around, but I didn't find an answer that satisfied me.
>
> I already noticed that this file has a link with the gencache.tdb file, I played around with this in my test environment (remove the files and start the daemons and look what is in it with a binary editor).
>
> I'd like to understand what the file does, because my Samba domain members in the live environment have no DC's in the same IP net, they are all behind routers. So I want to know how this works, before I use Samba 3.0.27a in my live AD environment.
>
> BTW; you can see with netstat -na | grep 445 to which DC the Samba server is talking to...
>
> Regards,
> Alex.
>
> On Wed, Feb 27, 2008 at 5:52 PM, Eric Roseme [EMAIL PROTECTED] wrote:
>> I asked a co-worker who attended the Samba workshop last September to pose the following question. The answer follows (maybe it will help):
>>
>> Q1. Will the new (3.0.25b) krb5 code (that creates a Samba-specific krb5.conf file) be documented somewhere?
>>
>> A1. Samba does not have documentation about the Samba-specific krb5.conf that is placed in locking directory. And also, after running kinit to obtain Kerberos ticket, Samba stores the ticket into memory tdb, probably gencache.tdb. But Samba doesn't provide a tool to allow users to see which DC Samba is talking to. Currently, we can use klist to see which domain is being used by Samba.
>>
>> Obviously this does not answer your question about how it works, but it might get you closer.
>>
>> Eric Roseme
Re: [Samba] krb5.conf file in /var/lib/samba/smb_krb5; Samba 3.0.27a
I asked a co-worker who attended the Samba workshop last September to pose the following question. The answer follows (maybe it will help):

Q1. Will the new (3.0.25b) krb5 code (that creates a Samba-specific krb5.conf file) be documented somewhere?

A1. Samba does not have documentation about the Samba-specific krb5.conf that is placed in locking directory. And also, after running kinit to obtain Kerberos ticket, Samba stores the ticket into memory tdb, probably gencache.tdb. But Samba doesn't provide a tool to allow users to see which DC Samba is talking to. Currently, we can use klist to see which domain is being used by Samba.

Obviously this does not answer your question about how it works, but it might get you closer.

Eric Roseme

Alex de Vaal wrote:
> Hello list,
>
> I've upgraded from Samba 3.0.14a to 3.0.27a (Samba is a domain member of a W2k3 native AD) and I see that in the /var/lib/samba/smb_krb5 directory a krb5.conf file is created.
>
> Is this krb5.conf file extracted from my original /etc/krb5.conf? Or is this file created from the password server = entry in my smb.conf file?
>
> My original /etc/krb5.conf contains the DC's in DNS name and the krb5.conf file in /var/lib/samba/smb_krb5 contains DC's on IP address.
>
> I noticed also that the krb5.conf file in /var/lib/samba/smb_krb5 is only renewed if /var/lib/samba/gencache.tdb is deleted before winbind is restarted and it also uses the DC that is configured as primary DC in Sites and Services in the Active Directory.
>
> Can anyone shed a light how this work?
>
> Thnx,
> Alex.
>
> Some info:
>
> /etc/samba/smb.conf
> ===
> password server = adm02.test.com, adm03.test.com
>
> /etc/krb5.conf
> ==
> [libdefaults]
>  default_realm = TEST.COM
>
> [realms]
>  TEST.COM = {
>   kdc = adm02.test.com:88
>   kdc = adm03.test.com:88
>   kdc = adm01.test.com:88
>
> /etc/hosts
>
> 192.168.100.100 adm01.test.com
> 10.0.0.100 adm02.test.com
> 192.168.100.110 nhadm03.test.com
>
> /var/lib/samba/smb_krb5/krb5.conf.TEST
> =
> [libdefaults]
>  default_realm = TEST.COM
>
> [realms]
>  TEST.COM = {
>   kdc = 192.168.100.110
>   kdc = 10.0.0.100
>  }
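An added example, not from the thread and not Samba code: a comparison of the system krb5.conf with the krb5.conf Samba generates for itself, reporting configured KDCs that Samba's file does not list and enctype settings that differ between the two. The function names are hypothetical; the sample files are constructed from the configuration quoted above, with the enctype lines and the adm03.test.com hosts entry added as assumptions.

```shell
#!/bin/sh
# Added example, not Samba code: compare the KDCs and enctypes in the system
# krb5.conf with the krb5.conf that Samba generates for its own use.

# krb5_kdcs FILE REALM -> KDCs of REALM, one per line, ":port" removed
krb5_kdcs() {
    awk -v realm="$2" '
        /^[ \t]*\[/ { in_realms = (index($0, "[realms]") > 0); in_realm = 0; next }
        in_realms && $1 == realm && index($0, "{") { in_realm = 1; next }
        in_realm && index($0, "}") { in_realm = 0; next }
        in_realm && /^[ \t]*kdc[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v); sub(/:[0-9]+$/, "", v)
            print v
        }
    ' "$1"
}

# krb5_enctypes FILE KEY -> value of KEY in [libdefaults], lower-cased
krb5_enctypes() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_lib = (index($0, "[libdefaults]") > 0); next }
        in_lib {
            k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]*/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); print tolower(v) }
        }
    ' "$1"
}

# host_to_ip HOSTSFILE NAME -> IP from a hosts-format file, or NAME unchanged
host_to_ip() {
    awk -v name="$2" '
        /^[ \t]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; found = 1; exit } }
        END { if (!found) print name }
    ' "$1"
}

# kdcs_missing_from_samba SYSTEM_CONF SAMBA_CONF REALM HOSTSFILE
# Prints "name=ip" for each system-configured KDC absent from the Samba file.
kdcs_missing_from_samba() {
    samba_kdcs=$(krb5_kdcs "$2" "$3")
    krb5_kdcs "$1" "$3" | while read -r kdc; do
        ip=$(host_to_ip "$4" "$kdc")
        printf '%s\n' "$samba_kdcs" | grep -qxF -e "$ip" -e "$kdc" || echo "$kdc=$ip"
    done
}

# enctype_drift SYSTEM_CONF SAMBA_CONF -> one line per setting that differs
enctype_drift() {
    for key in default_tkt_enctypes default_tgs_enctypes; do
        sys=$(krb5_enctypes "$1" "$key"); smb=$(krb5_enctypes "$2" "$key")
        [ "$sys" = "$smb" ] || echo "$key: system='$sys' samba='$smb'"
    done
}

# Constructed sample files modelled on the thread; the enctype lines and the
# adm03.test.com hosts entry are assumptions made for the illustration.
write_samples() {
    cat > "$1/etc_krb5.conf" <<'EOF'
[libdefaults]
 default_realm = TEST.COM
 default_tkt_enctypes = des-cbc-md5
 default_tgs_enctypes = des-cbc-md5
[realms]
 TEST.COM = {
  kdc = adm02.test.com:88
  kdc = adm03.test.com:88
  kdc = adm01.test.com:88
 }
EOF
    cat > "$1/samba_krb5.conf" <<'EOF'
[libdefaults]
 default_realm = TEST.COM
 default_tkt_enctypes = RC4-HMAC
 default_tgs_enctypes = RC4-HMAC
[realms]
 TEST.COM = {
  kdc = 192.168.100.110
  kdc = 10.0.0.100
 }
EOF
    cat > "$1/hosts" <<'EOF'
192.168.100.100 adm01.test.com
10.0.0.100      adm02.test.com
192.168.100.110 adm03.test.com
EOF
}

# Stand-alone run on the sample files.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "KDCs in the system file that the Samba file does not list:"
kdcs_missing_from_samba "$demo_dir/etc_krb5.conf" "$demo_dir/samba_krb5.conf" TEST.COM "$demo_dir/hosts"
echo "Enctype settings that differ:"
enctype_drift "$demo_dir/etc_krb5.conf" "$demo_dir/samba_krb5.conf"
rm -rf "$demo_dir"
```

On a host like the one in the thread, the two files to pass in would be /etc/krb5.conf and /var/lib/samba/smb_krb5/krb5.conf.TEST.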
Re: [Samba] SAMBA ADS integration - windows user account rights
Bert Verhaeghe wrote:
> Hi all,
>
> first of all is it possible to join a Linux machine to AD using a windows user account that is not a member of the group Domain Admins?
>
> Cause when I do this I get the following error while executing `net ads join -d 3 -U syncuser`:
>
> #net ads join -d 3 -U syncuser
> [2007/12/11 13:47:12, 3] param/loadparm.c:lp_load(4953) lp_load: refreshing parameters
> [2007/12/11 13:47:12, 3] param/loadparm.c:init_globals(1418) Initialising global parameters
> [2007/12/11 13:47:12, 3] param/params.c:pm_process(572) params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
> [2007/12/11 13:47:12, 3] param/loadparm.c:do_section(3695) Processing section [global]
> [2007/12/11 13:47:12, 2] lib/interface.c:add_interface(81) added interface ip=10.0.0.3 bcast=10.0.0.255 nmask=255.255.255.0
> octopussync's password:
> [2007/12/11 13:47:17, 3] libsmb/namequery.c:get_dc_list(1426) get_dc_list: preferred server list: , DC
> [2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_lmhosts(939) resolve_lmhosts: Attempting lmhosts lookup for name DC0x20
> [2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_wins(836) resolve_wins: Attempting wins lookup for name DC0x20
> [2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_wins(839) resolve_wins: WINS server resolution selected and no WINS servers listed.
> [2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_hosts(1002) resolve_hosts: Attempting host lookup for name DC0x20
> [2007/12/11 13:47:17, 3] libads/ldap.c:ads_connect(287) Connected to LDAP server 10.0.0.1
> [2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210) ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
> [2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210) ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
> [2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210) ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
> [2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210) ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
> [2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(219) ads_sasl_spnego_bind: got server principal name [EMAIL PROTECTED]
> [2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_krb5_mk_req(552) ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
> [2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(488) ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Tue, 11 Dec 2007 23:47:05 UTC
> [2007/12/11 13:47:17, 3] libsmb/cliconnect.c:cli_start_connection(1426) Connecting to host= DC.domain.local
> [2007/12/11 13:47:17, 3] lib/util_sock.c:open_socket_out(874) Connecting to 10.0.0.1 at port 445
> [2007/12/11 13:47:17, 3] libsmb/cliconnect.c:cli_session_setup_spnego(721) Doing spnego session setup (blob length=107)
> [2007/12/11 13:47:17, 3] libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 2 840 48018 1 2 2
> [2007/12/11 13:47:17, 3] libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 2 840 113554 1 2 2
> [2007/12/11 13:47:17, 3] libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 2 840 113554 1 2 2 3
> [2007/12/11 13:47:17, 3] libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 3 6 1 4 1 311 2 2 10
> [2007/12/11 13:47:17, 3] libsmb/cliconnect.c:cli_session_setup_spnego(754) got principal=dc [EMAIL PROTECTED]
> [2007/12/11 13:47:17, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(546) Doing kerberos session setup
> [2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(488) ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Tue, 11 Dec 2007 23:47:05 UTC
> [2007/12/11 13:47:17, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081) rpc_pipe_bind: Remote machine DC.domain.local pipe \lsarpc fnum 0x400c bind request returned ok.
> [2007/12/11 13:47:17, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224) lsa_io_sec_qos: length c does not match size 8
> [2007/12/11 13:47:17, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081) rpc_pipe_bind: Remote machine DC.domain.local pipe \samr fnum 0x400a bind request returned ok.
> Failed to set password for machine account (NT_STATUS_ACCESS_DENIED)
> Failed to join domain!
> [2007/12/11 13:47:17, 2] utils/net.c:main(988) return code = -1
>
> But when the user is added to the Domain Admins group, the join is successful.
>
> And if the latter is possible, which permissions should the windows user account have?
>
> Thx in advance
> bert

Hi Bert,

I do not know about the Domain Admins group angle, but if you want to know what the minimal user rights necessary for a net ads join are, then this whitepaper explains it. It says HP CIFS Server, but holds true for Opensource Samba as well.

http://www.docs.hp.com/en/7212/ADSJoinMinimumPerms.pdf

Eric Roseme
Hewlett-Packard
Re: [Samba] Installation problem of SAMBA 3.0.23a on HP-UX 11.23
Ryan is correct for both topics. Go here to get the correct compiler (4.2.2): http://hpux.cs.utah.edu/hppd/hpux/Gnu/gcc-4.2.2/

Also, if you are attempting to compile and install 3.0.23a, you should consider using HP CIFS Server 3.0h, which is Samba 3.0.22 plus fixes from each release through 3.0.25. It's free for HP-UX: http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B8725AA

This is an easy download, install and configure.

Eric Roseme
Hewlett-Packard

Ryan Novosielski wrote:

A compile of Samba requires HP's AnsiC (non-bundled) compiler, or GCC. At least, I'm pretty sure that's the case. Anyhow, CIFS/9000 is pretty up-to-date these days. You might consider not bothering and just installing that from HP.

=R

Béland wrote:

To whom it may concern,

There was no problem at all with the installation of the Depot. Before running the ./configure command I'm setting the following variables like this (as it's mentioned in the README file):

export CFLAGS=-O -DWITH_SYSLOG -DGUEST_ACCOUNT=\\\smbnull\\\
export CPPFLAGS=-I/opt/iexpress/openldap/include
export LDFLAGS=-L/opt/iexpress/openldap/lib

Here is the 'configure' command that I'm using (as it's mentioned in the README file):

./configure \
 --sbindir=\${BINDIR} \
 --with-krb5 \
 --with-ldap \
 --with-ldapsam \
 --with-ads \
 --with-libiconv=/usr/local \
 --with-quotas \
 --prefix=/usr/local/samba \
 --with-acl-support \
 --with-winbind \
 --with-pam \
 --with-sendfile-support \
 --with-shared-modules=idmap_rid \
 --disable-pie \
 --with-aio-support

And here is the output of that command:

SAMBA VERSION: 3.0.23a
checking for gcc... no
checking for cc... cc
checking for C compiler default output file name... configure: error: C compiler cannot create executables
See `config.log' for more details.

And here is the output of the config.log:

This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.

It was created by configure, which was generated by GNU Autoconf 2.59. Invocation command line was

 $ ./configure --sbindir=${BINDIR} --with-krb5 --with-ldap --with-ldapsam --with-ads --with-libiconv=/usr/local --with-quotas --prefix=/usr/local/samba --with-acl-support --with-winbind --with-pam --with-sendfile-support --with-shared-modules=idmap_rid --disable-pie --with-aio-support

## - ##
## Platform. ##
## - ##

hostname = trsoracle01
uname -m = ia64
uname -r = B.11.23
uname -s = HP-UX
uname -v = U

/usr/bin/uname -p = unknown
/bin/uname -X = unknown

/bin/arch = unknown
/usr/bin/arch -k = unknown
/usr/convex/getsysinfo = unknown
hostinfo = unknown
/bin/machine = unknown
/usr/bin/oslevel = unknown
/bin/universe = unknown

PATH: /usr/bin
PATH: /usr/sbin
PATH: /sbin

## --- ##
## Core tests. ##
## --- ##

configure:1901: checking for gcc
configure:1930: result: no
configure:1981: checking for cc
configure:1997: found /usr/bin/cc
configure:2007: result: cc
configure:2171: checking for C compiler version
configure:2174: cc --version /dev/null 5
(Bundled) cc: HP aC++/ANSI C B3910B A.05.50 [May 15 2003]
configure:2177: $? = 0
configure:2179: cc -v /dev/null 5
configure:2182: $? = 0
configure:2184: cc -V /dev/null 5
(Bundled) cc: HP aC++/ANSI C B3910B A.05.50 [May 15 2003]
configure:2187: $? = 0
configure:2210: checking for C compiler default output file name
configure:2213: cc -O -DWITH_SYSLOG -DGUEST_ACCOUNT=\smbnull\ -D_SAMBA_BUILD_ -I/opt/iexpress/openldap/include -L/opt/iexpress/openldap/lib conftest.c 5
(Bundled) cc: warning 922: -O is unsupported in the bundled compiler, ignored.
Error 100: command line, line 0 # String and character constants cannot span lines.
configure:2216: $? = 2
configure: failed program was:
| /* confdefs.h. */
|
| #define PACKAGE_NAME
| #define PACKAGE_TARNAME
| #define PACKAGE_VERSION
| #define PACKAGE_STRING
| #define PACKAGE_BUGREPORT
| /* end confdefs.h. */
|
| int
| main ()
| {
|
| ;
| return 0;
| }
configure:2254: error: C compiler cannot create executables
See `config.log' for more details.

## ##
## Cache variables. ##
## ##

ac_cv_env_CC_set=''
ac_cv_env_CC_value=''
ac_cv_env_CFLAGS_set=set
ac_cv_env_CFLAGS_value='-O -DWITH_SYSLOG -DGUEST_ACCOUNT=\smbnull\'
ac_cv_env_CPPFLAGS_set=set
ac_cv_env_CPPFLAGS_value=-I/opt/iexpress/openldap/include
ac_cv_env_CPP_set=''
ac_cv_env_CPP_value=''
ac_cv_env_LDFLAGS_set=set
ac_cv_env_LDFLAGS_value=-L/opt/iexpress/openldap/lib
ac_cv_env_build_alias_set=''
ac_cv_env_build_alias_value=''
ac_cv_env_host_alias_set=''
ac_cv_env_host_alias_value=''
ac_cv_env_target_alias_set=''
ac_cv_env_target_alias_value=''
ac_cv_prog_ac_ct_CC=cc
libc_cv_fpie=no

## - ##
## Output variables. ##
## - ##

ACL_LIBS=''
AR=''
AUTH_LIBS=''
AUTH_MODULES
Re: [Samba] net ads join must use AD Administrator account ?
Jeff Lee wrote:

Hi all,

I want to configure a samba server (3.0.25b) with krb5-1.6.2, openldap-2.3.37 and db-4.6.18 for single sign-on purpose. I have some questions.

1. Is the AD Administrator account for Samba to kinit and net join the AD only ?
2. Can I use a common user with Create Computer Objects permission to kinit and net join AD ?
3. I got Failed to join domain: Strong(er) authentication required error message when I run net ads join using non-administrator user account. Is it the error message of using non-administrator account to net ads join ?

Can anyone help ?

Thanks,
Jeff

Read this: http://www.docs.hp.com/en/7212/ADSJoinMinimumPerms.pdf

I wrote it for HP CIFS Server, but it's the same for Opensource Samba.

Eric Roseme
Hewlett-Packard
Re: [Samba] smbd process per user ( Samba 3 + Terminal server )
I would have asked if you tested on NT4 or W2000, but another Samba lists reader emailed me directly that EnableMultipleUsers is now implemented on W2003. So I configured it on my W2003 PDC (I no longer have any NT4 or W2000) and it works (see below). Both sessions originate from the same Terminal Server, and they start individual smbd daemons on the Samba server. So maybe you do not have the hotfix or servicepack or something. Here is the url to the W2003 instructions:

http://support.microsoft.com/kb/913835

I'll edit my paper to include W2003 and re-post it.

Eric Roseme
Hewlett-Packard

emonster-smbstatus

Samba version 3.0.22 based HP CIFS Server A.02.03
PID     Username      Group         Machine
---
1441    administ      Domain U      xx.xxx.208.126 (xx.xxx.208.126)
1369    eroseme       Domain U      xx.xxx.208.126 (xx.xxx.208.126)

Service      pid     machine          Connected at
---
eroseme      1369    xx.xxx.208.126   Tue Oct 9 08:59:34 2007
backup       1441    xx.xxx.208.126   Tue Oct 9 09:21:51 2007

Locked files:
Pid DenyMode Access R/WOplock SharePath Name
1441 DENY_NONE 0x11RDONLY NONE /backup . Tue Oct 9 09:22:04 2007
1441 DENY_NONE 0x11RDONLY NONE /backup . Tue Oct 9 09:22:04 2007
1369 DENY_NONE 0x11RDONLY NONE /home/eroseme . Tue Oct 9 08:59:48 2007
1369 DENY_NONE 0x11RDONLY NONE /home/eroseme . Tue Oct 9 08:59:48 2007

Stas wrote:

Terminal server already configured with EnableMultiUser=1, but all sessions from Terminal server appear under the same PID:

file-srv:~ # net status sessions
PID     Username            Group                      Machine
---
8742    DOMAIN\user1        DOMAIN\domain users        10.163.128.42 (10.163.128.42)
8742    DOMAIN\user2        DOMAIN\domain users        10.163.128.42 (10.163.128.42)
8742    DOMAIN\terminal$    DOMAIN\domain computers    10.163.128.42 (10.163.128.42)

So, if I kill PID 8742 all files opened by terminal server users will be closed.

Thanks.

On 10/8/07, Eric Roseme [EMAIL PROTECTED] wrote:

Depends upon your terminal server. NT4 and W2000 - yes. W2003 - no (unless they added the EnableMultipleUsers parameter from W2000).

I wrote a kind of wordy paper about this: http://www.docs.hp.com/en/5015/Samba-TerminalServer_104Final.pdf. This paper version does not include the W2000 fix, which is the above parameter and hotfix Q818528. I have not looked to see if Microsoft ever fixed this on W2003. I can send you the whitepaper with the W2000 fix incorporated, if you want it (I never posted the updated version).

Eric Roseme
Hewlett-Packard

Stas wrote:

Hello all.

Is it possible to force Samba 3 server to create an smbd process for each user that opens a file from Terminal Server? Sometimes I need to close files, but can't do that by kill PID since it would close all files that are opened by terminal server users. Is there any flexible way to manage open files on Samba?

Thanks.
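
Added example, not part of the original posts: a small check that reads a sessions table in the layout quoted in this message (smbstatus / net status sessions) and reports, per client host, whether each user has its own smbd or several users share one PID, which is the case where killing the PID closes every user's files. The sample tables are constructed from the two listings in the thread; the function names are this example's own.

```python
from collections import defaultdict

# Constructed sample input: the two session listings quoted in this thread
# (column spacing normalised; the group column contains spaces).
MULTIPLEXED = r"""
PID     Username          Group                     Machine
--------------------------------------------------------------------
8742    DOMAIN\user1      DOMAIN\domain users       10.163.128.42 (10.163.128.42)
8742    DOMAIN\user2      DOMAIN\domain users       10.163.128.42 (10.163.128.42)
8742    DOMAIN\terminal$  DOMAIN\domain computers   10.163.128.42 (10.163.128.42)
"""
PER_USER = r"""
PID     Username   Group      Machine
--------------------------------------------------------------------
1441    administ   Domain U   xx.xxx.208.126 (xx.xxx.208.126)
1369    eroseme    Domain U   xx.xxx.208.126 (xx.xxx.208.126)
"""


def parse_sessions(text):
    """Return [(pid, username, machine)] from a sessions table.

    The group column may contain spaces, so fields are taken from both
    ends: PID and username from the left, machine and "(address)" from
    the right. Header, separator and blank lines are skipped.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue
        if not (parts[-1].startswith("(") and parts[-1].endswith(")")):
            continue
        rows.append((int(parts[0]), parts[1], parts[-2]))
    return rows


def by_client(rows, skip_machine_accounts=True):
    """Group sessions per client host: which smbd PID carries which users."""
    clients = defaultdict(lambda: defaultdict(set))
    for pid, user, machine in rows:
        if skip_machine_accounts and user.endswith("$"):
            continue  # computer account of the terminal server itself
        clients[machine][pid].add(user)
    return clients


def report(text):
    """Return {machine: {"users": n, "smbd": n, "shared": {pid: [users]}}}.

    "shared" lists every PID that serves more than one user; an empty
    dict means each user on that client has a dedicated smbd.
    """
    out = {}
    for machine, pids in by_client(parse_sessions(text)).items():
        users = set().union(*pids.values())
        shared = {pid: sorted(u) for pid, u in pids.items() if len(u) > 1}
        out[machine] = {"users": len(users), "smbd": len(pids), "shared": shared}
    return out


if __name__ == "__main__":
    for label, sample in (("Stas", MULTIPLEXED), ("Eric", PER_USER)):
        for machine, info in report(sample).items():
            state = "shared smbd" if info["shared"] else "one smbd per user"
            print(f"{label}: {machine}: {info['users']} users, "
                  f"{info['smbd']} smbd -> {state} {info['shared']}")
```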
Re: [Samba] smbd process per user ( Samba 3 + Terminal server )
Depends upon your terminal server. NT4 and W2000 - yes. W2003 - no (unless they added the EnableMultipleUsers parameter from W2000).

I wrote a kind of wordy paper about this: http://www.docs.hp.com/en/5015/Samba-TerminalServer_104Final.pdf. This paper version does not include the W2000 fix, which is the above parameter and hotfix Q818528. I have not looked to see if Microsoft ever fixed this on W2003. I can send you the whitepaper with the W2000 fix incorporated, if you want it (I never posted the updated version).

Eric Roseme
Hewlett-Packard

Stas wrote:

Hello all.

Is it possible to force Samba 3 server to create an smbd process for each user that opens a file from Terminal Server? Sometimes I need to close files, but can't do that by kill PID since it would close all files that are opened by terminal server users. Is there any flexible way to manage open files on Samba?

Thanks.
Re: [Samba] kinit works, net join ads fails
I know this sounds a little strange, but I was having the same problem on 3.0.25c, but adding the password to the command line solved it. I have no idea why:

net ads join -U administrator%password

Eric Roseme

Peter Baumgartner wrote:

I am running 3.0.25c on OpenSolaris. I can successfully do a kinit and see the ticket via klist, but am unable to join the domain.

/usr/sfw/sbin/net -d 5 ads join -U [EMAIL PROTECTED]

gives the following error...

[2007/08/29 15:49:24, 3] libsmb/clikrb5.c:(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache file found)
[2007/08/29 15:49:24, 0] libads/kerberos.c:(228)
  kerberos_kinit_password [EMAIL PROTECTED] failed: Preauthentication failed
[2007/08/29 15:49:24, 1] utils/net_ads.c:(1470)
  error on ads_startup: Preauthentication failed
Failed to join domain: Logon failure
[2007/08/29 15:49:24, 2] utils/net.c:(1032)

I have synced the time on the Samba box with my domain controller. Any thoughts on what is wrong?

On 9/3/07, Necos Secon [EMAIL PROTECTED] wrote:

So, just a few things to check:

1.) Typos in the realm name.
2.) Typos in the krb5.conf file (I use heimdal)
3.) Try running the net ads join with the administrator account (if you're using another account).
4.) Checking the AD server to make sure that you don't have an old machine account for the Samba machine.

I've tried all this and still am having no luck. I don't believe it is an issue in krb5.conf because kinit and smbclient work properly. I just can't join it to the domain. Any other thoughts?
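
Added example, not part of the original posts: a triage helper for the two failing net ads join runs quoted in this archive (the NT_STATUS_ACCESS_DENIED run and the Preauthentication failed run above). It parses Samba's two-line debug entries, records how far the join got, and separates a failure before any session existed from a failure after the RPC pipes were bound. The sample logs are constructed excerpts of the quoted output; the stage names and function names are this example's own.

```python
import re

# Constructed sample input: excerpts of the two `net ads join` debug runs
# quoted in this archive, in Samba's two-line entry layout (header line,
# then an indented message). Plain tool output is not indented.
ACCESS_DENIED_RUN = """\
[2007/12/11 13:47:17, 3] libads/ldap.c:ads_connect(287)
  Connected to LDAP server 10.0.0.1
[2007/12/11 13:47:17, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(546)
  Doing kerberos session setup
[2007/12/11 13:47:17, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine DC.domain.local pipe \\lsarpc fnum 0x400c bind request returned ok.
[2007/12/11 13:47:17, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine DC.domain.local pipe \\samr fnum 0x400a bind request returned ok.
Failed to set password for machine account (NT_STATUS_ACCESS_DENIED)
Failed to join domain!
[2007/12/11 13:47:17, 2] utils/net.c:main(988)
  return code = -1
"""
PREAUTH_RUN = """\
[2007/08/29 15:49:24, 3] libsmb/clikrb5.c:(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache file found)
[2007/08/29 15:49:24, 0] libads/kerberos.c:(228)
  kerberos_kinit_password [EMAIL PROTECTED] failed: Preauthentication failed
[2007/08/29 15:49:24, 1] utils/net_ads.c:(1470)
  error on ads_startup: Preauthentication failed
Failed to join domain: Logon failure
"""

# "[timestamp, level] source.c:function(line)"; the function name may be empty.
HEADER = re.compile(
    r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+?):(?P<func>\w*)\((?P<line>\d+)\)$")
PIPE_OK = re.compile(r"pipe \\(\w+) .*bind request returned ok")
NT_STATUS = re.compile(r"\((NT_STATUS_\w+)\)")


def parse(text):
    """Return a list of entries: dicts for debug entries, str for plain output."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw.strip()) if raw.startswith("[") else None
        if m:
            entries.append({"level": int(m["level"]), "src": m["src"],
                            "func": m["func"], "msg": ""})
        elif raw[:1].isspace() and entries and isinstance(entries[-1], dict):
            # indented continuation: message text of the current entry
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
        elif raw.strip():
            entries.append(raw.strip())
    return entries


def triage(text):
    """Summarise how far a join got and where it failed."""
    r = {"ldap_connected": False, "pipes_bound": [],
         "failed_stage": None, "detail": None}
    for e in parse(text):
        if isinstance(e, dict):
            msg = e["msg"]
            m = PIPE_OK.search(msg)
            if msg.startswith("Connected to LDAP server"):
                r["ldap_connected"] = True
            elif m:
                r["pipes_bound"].append(m.group(1))
            elif "Preauthentication failed" in msg and r["failed_stage"] is None:
                r["failed_stage"] = "kerberos-preauth"
                r["detail"] = "Preauthentication failed"
        elif e.startswith("Failed to set password for machine account"):
            m = NT_STATUS.search(e)
            r["failed_stage"] = "machine-account-password"
            r["detail"] = m.group(1) if m else None
    # A bound RPC pipe means the session to the DC was already authenticated.
    r["session_established"] = bool(r["pipes_bound"])
    if r["failed_stage"] is None:
        r["kind"] = None
    elif r["session_established"]:
        r["kind"] = "authorization"   # logged on, then refused an operation
    else:
        r["kind"] = "authentication"  # refused before any session existed
    return r


if __name__ == "__main__":
    for name, log in (("access denied run", ACCESS_DENIED_RUN),
                      ("preauth run", PREAUTH_RUN)):
        print(name, triage(log))
```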
[Samba] sambaDomain Policies Implemented?
Are the sambaDomain account policies sambaLogonToChgPwd and sambaRefuseMachinePwdChange implemented on 3.0.22 to 3.0.25b?

First, even with passdb backend = ldapsam:ldap://; pdbedit actually edits account_policy.tdb for these two attributes.

Second, despite the attribute value (0, 1, or 2 using ldapmodify), XP client (also smbclient) logon behavior is unchanged.

I looked through the code in account_pol.c and it does not appear that Samba tests the values for these attributes - like they are not implemented. I am not a coder so I got a second opinion from someone who is.

Thanks,

Eric Roseme
Hewlett-Packard

System stuff:
HP-UX 11.11 and HP-UX 11.23
Samba 3.0.22 and Samba Opensource 3.0.25b
Red Hat Directory Server 7.1

smb.conf

[global]
 workgroup = SAMBAATC
 netbios name = SAMBAPDC
 server string = Samba Server
 interfaces = xx.xx.xx.xxx, 127.0.0.1
 bind interfaces only = yes
 encrypt passwords = Yes
 passdb backend = ldapsam:ldap://SAMBAPDC.rose.hp.com
 log level = 10
 syslog = 0
 log file = /var/opt/samba/log.%m
 max log size = 1000
 domain logons = Yes
 preferred master = Yes
 domain master = Yes
 ldap server = SAMBAPDC.rose.hp.com
 ldap suffix = dc=rose,dc=hp,dc=com
 ldap group suffix = ou=Groups
 ldap user suffix = ou=People
 ldap admin dn = cn=Directory Manager
 read only = No
 short preserve case = No
 dos filetime resolution = Yes
[Samba] sambaDomain Policies Implemented?
Are the sambaDomain account policies sambaLogonToChgPwd and sambaRefuseMachinePwdChange implemented on 3.0.22 to 3.0.25b?

First, even with passdb backend = ldapsam:ldap://; pdbedit actually edits account_policy.tdb for these two attributes.

Second, despite the attribute value (0, 1, or 2 using ldapmodify), XP client (also smbclient) logon behavior is unchanged.

I looked through account_pol.c and it does not appear that Samba tests the values for these attributes - like they are not implemented. I double-checked with someone who is much better with the code than I am.

HP-UX 11.11 and 11.23
Samba 3.0.22 and (Opensource) 3.0.25b
Red Hat Directory Server 7.1 backend

smb.conf

[global]
 workgroup = SAMBAATC
 netbios name = SAMBAPDC
 server string = Samba Server
 interfaces = xx.xx.xx.xxx, 127.0.0.1
 bind interfaces only = yes
 encrypt passwords = Yes
 passdb backend = ldapsam:ldap://sambapdc.rose.hp.com
 log level = 10
 syslog = 0
 log file = /var/opt/samba/log.%m
 max log size = 1000
 domain logons = Yes
 preferred master = Yes
 domain master = Yes
 ldap server = sambapdc.rose.hp.com
 ldap suffix = dc=rose,dc=hp,dc=com
 ldap group suffix = ou=Groups
 ldap user suffix = ou=People
 ldap admin dn = cn=Directory Manager
 read only = No
 short preserve case = No
 dos filetime resolution = Yes

Thanks,

Eric Roseme
Hewlett-Packard
Re: [Samba] samba errors - No buffer space available
Ryan Novosielski wrote:

Allen, Bill wrote:

I am new to Samba, having just taken over management of a HPUX system in a mainly Windows environment. The system is running Samba 3.0.7. I am getting the following errors, repeatedly, in my log.smbd. What does it mean? Is this actually a problem or normal chatter for Samba? If it is a problem, what should I do to correct it?

[2006/05/03 07:41:38, 0] lib/util_sock.c:set_socket_options(202)
  Failed to set socket option SO_KEEPALIVE (Error Invalid argument)
[2006/05/03 07:41:38, 0] lib/util_sock.c:set_socket_options(202)
  Failed to set socket option TCP_NODELAY (Error Invalid argument)
[2006/05/03 07:41:38, 0] lib/util_sock.c:get_peer_addr(1000)
  getpeername failed. Error was Invalid argument
[2006/05/03 07:41:39, 0] smbd/server.c:open_sockets_smbd(382)
  open_sockets_smbd: accept: No buffer space available

Thanks for any help or advice,
Bill

When you find out, let me know. :) It's been that way for ages on my system. The two socket option messages are related to header related problems, if I'm not mistaken, but it's really not a big deal. Do you have either of those defined in smb.conf?

As far as the buffer thing... this concerned me for a long time. I can't remember whether this got any better or worse, but there's a lot wrong with 3.0.7 on HP-UX. I would not run anything earlier than 3.0.14 on an HP-UX system.

Are you running Opensource Samba or HP CIFS Server? For HP CIFS, you should not see the socket option errors, but the buffer space log entry could be any number of things. Ryan is correct - you should be up on 3.0.14 (HP CIFS Server A.02.02.01). Make sure that you have your nfiles, nflocks, and nprocs set correctly - see the most recent Admin Guide on page 258 (http://docs.hp.com/en/B8725-90101/B8725-90101.pdf). We may have located a locking problem (!) that could cause the entry, but it is at a site that connects with smbclient. Also, if your users are connecting and disconnecting often (like at a school - everybody disconnects and connects on the hour) then that could do it too.

I have not seen a case where the buffer space log entry has accompanied a problem on the server. I enquire about this from every site that reports it, but so far, no one has seen a problem. If you see it differently, then please let me know.

Eric Roseme
Hewlett-Packard
Re: [Samba] NT logon ok but XP logon very slow
Hi Roel,

Try Googling Loading your personal settings. Looks like there is a lot of stuff to try on the client side, and the problem appears to be common regardless of server platform.

I am concerned about your No buffer space available log, though. Can you email me the entire logfile?

Eric Roseme
Hewlett-Packard

Roel Slegers wrote:

Hi,

Our environment: HP-UX 11.00 server / Samba 3.0.21a as PDC / OpenLDAP backend

We're developing a migration from AS/U to a Samba PDC. Currently we have the following problem: logging onto an NT4 workstation is almost instantaneous, but when logging onto an XP workstation, this happens:

(1) We type the user and password in Windows logon.
(2) Windows logon immediately accepts user and password, so far so good.
(3) Windows says Please wait... Loading your personal settings... and we have to wait about one to two minutes. This is our problem.
(4) After these one to two minutes, logon continues normally, and everything seems fine.

Furthermore, during the time that XP locks up, the corresponding smbd process eats up the server's CPU at almost 100%!

These are the log.smbd messages during the locking up of XP and smbd:

[Fri Apr 21 15:25:29 2006 , 0] rpc_server/srv_netlog_nt.c:_net_sam_logon(665)
  _net_sam_logon: creds_server_step failed. Rejecting auth request from client RSL4 machine account RSL4$
[Fri Apr 21 15:26:47 2006 , 0] smbd/server.c:open_sockets_smbd(394)
  open_sockets_smbd: accept: No buffer space available
[Fri Apr 21 15:26:50 2006 , 1] smbd/service.c:make_connection_snum(666)
  rsl4 (10.5.71.168) connect to service netlogon initially as user veron004 (uid =517, gid=20) (pid 11053)

And as I already said: logging onto NT works fine.

Any ideas?
Re: [Samba] configure can't find ldap_initialize on HP-UX 11i
Michael Langas wrote:

I'm basically using the instructions found in the HP-UX readme with the exception that I am trying to use the version of openldap that is in iexpress instead of the one from hpux.cs.utah.edu. The recommendations listed in the doc are:

HP-UX 11.00 and 11.11:
 OpenLdap 2.1.3 (http://hpux.cs.utah.edu)
 OpenSSL 0.9.7d (http://hpux.cs.utah.edu)
HP-UX 11.23 only:
 ixOpenLdapA.04.00-2.2.15.003 (http://software.hp.com)

I would prefer to use ixOpenLdap from HP if possible. The errors I get from configure are:

configure:32100: checking for ldap_initialize
configure:32157: gcc -o conftest -O -DWITH_SYSLOG -DGUEST_ACCOUNT=\smbnull\ -D_SAMBA_BUILD_ -I/opt/iexpress/openldap/include -D_HPUX_SOURCE -D_POSIX_SOURCE -D_LARGEFILE64_SOURCE -D_ALIGNMENT_REQUIRED=1 -D_MAX_ALIGNMENT=4 -DMAX_POSITIVE_LOCK_OFFSET=0x1ffLL -DLDAP_DEPRECATED -L/opt/iexpress/openldap/lib conftest.c -lldap -lsec -lnsl 5
ld: Unsatisfied symbol ldap_initialize in file /var/tmp//ccAi63yk.o
1 errors.
collect2: ld returned 1 exit status
configure:32163: $? = 1
configure: failed program was:
| /* confdefs.h. */

As you can see, the include file location is correct, and ldap_initialize is found in ldap.h so I'm not sure what is causing the unsatisfied symbol error.

Any suggestions?

Thanks,
ML

Can you give me a summary of what you are trying to do? It looks like:

1. Pull HP-UX binaries from samba.org
2. Install the .depot, and ignore the pre-compiled binaries
3. untar the source files, and compile your own Samba version
4. Your email topic says 11i, but it looks like you want to use the 11iv2 (11.23) IExpress OpenLDAP.
5. In any case - that IE OpenLDAP version you refer to is very old.

Try loading the new IE OpenLDAP:

11iv1: http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP
11iv2: http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1123

Eric Roseme
Hewlett-Packard
Re: [Samba] Problems Compiling samba on HP-UX 11.00
Hi Tony,

Sorry for the confusion about the library dependencies. I have edited the README a couple of times, and I have finally gotten it right (the build changed), but it will not get posted until the next version. I'll send you the new README directly.

Anyway, although the referenced libraries on the website do not specifically indicate 11.0 support, the 11.11 versions work for 11.0. This is exactly opposite of how the Samba binaries indicate 11.0 support, but they also work for 11.11. So you will be able to use the posted Opensource pre-compiled binaries on 11.0, if they meet your needs.

I decided to just paste the new README at the bottom of this post - just scroll down to the bottom. Read it carefully.

See you later,

Eric Roseme
Hewlett-Packard

Tony Delov wrote:

Eric,

I have seen those pre-compiled version, however the dependencies that are listed in the README are not available for 11.00 anywhere? I would be quite happy to use the pre-compiled ones otherwise.

I tried downloading the source, however, I think there may be a bug in the code (well at least a developer that also works with me thinks). We managed to get it compiled without ldap and with a few minor changes to the auth_script.c file. It now seems to run, however we are still experiencing some problems with domain authentication.

So far this is the part of the config file that isn't working as expected.

[global]
 workgroup = MELIMAGE
 security = DOMAIN
 password server = melpdc,melbdc
 log level = 3
 log file = /var/adm/samba/log.%m
 preferred master = No
 local master = No
 domain master = No
 wins server = 192.168.5.1
 idmap uid = 1-2
 idmap gid = 1-2
 printing = sysv
 print command = lp -c -nb -d %p %s
 lpq command = lpstat %p

[labwiztst]
 path = /mnt/labwiz
 valid users = +MELIMAGE\Domain Users
 read only = No
 create mask = 0766

On Wed, 2006-02-01 at 09:26 -0800, eric roseme wrote:

Sorry, can't help with the compile error. But did you know that we have pre-compiled 11.0 binaries for 3.0.21a on samba.org? Look at the README for compile options. If that does not meet your needs, check out the compile data and see if that gives you a clue to your problem.

Eric Roseme
Hewlett-Packard

Tony Delov wrote:

Problems Compiling samba (samba-3.0.21a) on HP-UX 11.00

We have been experiencing some problems compiling samba with the config options below. When compiling the auth_script.c make fails. As a fix, we removed the conditional if/else/endif statements on lines 143/149/155 and it now seems to compile.

Has anyone else had any similar problem when compiling without the ldap features or similar configure options?

$ ./configure --without-ldap --with-winbind --without-ads --without-pam_smbpass --with-included-popt --without-aio-support --with-pam

The make error I get

Linking bin/smbd
/usr/bin/ld: Unsatisfied symbols:
 auth_script_init (first referenced in auth/auth.o) (code)
collect2: ld returned 1 exit status
*** Error exit code 1

Regards
Tony D

README: Samba 3.0.21a
samba_3.0.21a_B.11.00_9000_01_12_06.depot.gz (valid depot for HP-UX 11.0 and 11iv1 (11.11))
Build system: HPUX_B.11.00_9000
Build date: 01_12_06

1. Required libraries.

All OS versions:
 LibIconv 1.9.2 (http://hpux.cs.utah.edu)

Note: The above library version may indicate 11.11 on the hpux.cd.utah.edu web page, but they are valid for 11.0 and 11.11 (11iv1).

HP-UX 11.00 only:
 J5849AA PAM Kerberos and KRB5 Dev Tools B.11.00.12 (http://software.hp.com)

HP-UX 11.00 and 11.11
Re: [Samba] Problems Compiling samba on HP-UX 11.00
Sorry, can't help with the compile error. But did you know that we have pre-compiled 11.0 binaries for 3.0.21a on samba.org? Look at the README for compile options. If that does not meet your needs, check out the compile data and see if that gives you a clue to your problem.

Eric Roseme
Hewlett-Packard

Tony Delov wrote:

Problems Compiling samba (samba-3.0.21a) on HP-UX 11.00

We have been experiencing some problems compiling samba with the config options below. When compiling the auth_script.c make fails. As a fix, we removed the conditional if/else/endif statements on lines 143/149/155 and it now seems to compile.

Has anyone else had any similar problem when compiling without the ldap features or similar configure options?

$ ./configure --without-ldap --with-winbind --without-ads --without-pam_smbpass --with-included-popt --without-aio-support --with-pam

The make error I get

Linking bin/smbd
/usr/bin/ld: Unsatisfied symbols:
 auth_script_init (first referenced in auth/auth.o) (code)
collect2: ld returned 1 exit status
*** Error exit code 1

Regards
Tony D
[Samba] Re: Samba - joining TO THE DOMAIN
First, this should go to samba@lists.samba.org - not technical.

Second - with net join, you are probably in security = domain. So you need to add the computer to the domain using the Users and Computers MMC on the domain controller.

Eric Roseme
Hewlett-Packard

Nagendra KV wrote:

HI

Help is required! I get following error when joining the domain

Samba used: 3.0.10 on HP-UX 11i

# net join -I a.b.c.d -U user_name
[2006/01/25 20:00:57, 0] rpc_client/cli_netlogon.c:cli_nt_setup_creds(256)
  cli_nt_setup_creds: request challenge failed
Password:
[2006/01/25 20:01:21, 0] rpc_client/cli_netlogon.c:cli_nt_setup_creds(256)
  cli_nt_setup_creds: request challenge failed
[2006/01/25 20:01:21, 0] utils/net_rpc_join.c:net_rpc_join_newstyle(319)
  Error domain join verification (reused connection): NT_STATUS_INVALID_COMPUTER_NAME
Unable to join domain domain_name

Please help me out to resolve this issue.

Thanks
Regards
Nagendra KV
Re: [Samba] Must you net join for the Samba machine to become a domain member?
Karnowski, David wrote:

When you manually add the server to the domain, the problem is that Samba doesn't know what the password is. You can set one with the 'net' command I think, however it's much easier to delete the manually added computer and run 'net join', that way Samba does the adding and you're guaranteed that it will know the machine account credentials.

...

I'd strongly recommend doing a 'net join', as the Samba configuration will be metaphorically held together with sticky tape if you don't, and I wouldn't be at all surprised if it failed at a later date for seemingly no reason.

Thanks for your help again Adam. The problem on our side is that the Windows world and Unix world are administered by separate departments. They're not going to be sharing administrative passwords with each other.

I am still doing that net join but using my own domain account (which is not an administrator) and it seems to be OK provided someone manually added the machine account on the Windows side. I was hoping to have it totally automated (on the Unix side at least) with no hard-coded passwords, but I guess it can't work this way.

I'll keep my eyes open for that failing at a later date for seemingly no reason thing :-)

thanks again,
David

David - check this thread out for how to do a net ads join with minimum permissions. Doing it this way bypasses the need to manually add the computer with the UsersComputers MMC.

http://marc.theaimsgroup.com/?l=sambam=112681698521084w=2

Eric Roseme
Hewlett-Packard
Re: [Samba] 64 bit installable samba for HP-UX 11.11
Shashidhar, SR wrote:

Hello All,

Happy New Year 2006 !

Currently we are using TAS as an interop tool to access the UNIX file systems on to windows platforms. For some performance/licenses issues, we would like to migrate to SAMBA now.

Our Unix file system is available on HP N-class server running HP-UX 11.11 and our requirement is to install samba on this OS with 64bit support. I searched on samba site and also at other sites as well, and couldn't find the SAMBA installable for this OS.

Is anyone using 64bit samba on HP-UX ? Can anyone help me on this issue pl.

With Kind Regards,
Shashi.

CIFS/Samba for HP-UX is compiled for 64-bit compatibility, but it is not instrumented for 64-bit. You can go to:

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B8725AA

and download the latest HP CIFS Server (Samba 3.0.14a) for 11iv1 64-bit (for free). Or you can go to samba.org and download the pre-compiled Opensource binaries for 3.0.20a.

If you have any questions about this, email me off-list.

Eric Roseme
Hewlett-Packard
Re: [Samba] Share Access for SAMBA 2.2.8a on HP-UX 11.11
Michalek, Tom S wrote: Security=server Username map=/etc/opt/samba/username.map All NT ids are mapped to the same unix id via username.map. Some NT id's don't see all the SHARES when they access SAMBA...Not sure why this would be if all NT ids are being translated to the same unix id. Is it just browsing? Can the users mount the unseen shares? If yes, does a net view \\server from the affect client(s) display all shares? A. Is this opensource Samba or HP CIFS Server? B. Either way, you should be on Samba 3 for 11i (2.2 is okay for 11.0) C. You should try to use security = domain - server is not recommended. If you would like to discuss Samba/CIFS versions at Boeing, I am fairly clued-in about that. We can discuss it offline. Eric Roseme Hewlett-Packard -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Why not using the windows configuration wizard (joining a domain) with Samba-3?
John H Terpstra wrote:

On Monday 12 December 2005 02:22, Michael Billerbeck wrote:

Hi,

On Monday 12 December 2005 09:46, John H Terpstra wrote:

On Sunday 11 December 2005 15:51, Michael Billerbeck wrote:

Hello, in the Samba How-to I've read not to use the configuration wizard with samba-3 when joining a domain. Why that? Is there a problem? Thanks, Michael

Please point me at the specific reference in the HOWTO. I need to understand what causes you concern. Please help me to understand your concern. If the documentation is inadequate I must correct or extend it. Thanks.

In chapter 8.2.2 Joining a domain: Windows 2000/XP Professional (on page 131) point 4 says: Click the computer name tab. [...] Clicking the Network ID button will launch the configuration wizard. Do not use this with Samba-3. I was asking this because I used it also with Samba-3 and I would like to know if there are some side effects when using it or why it is explicitly mentioned.

Joining through use of this tool did not work with early releases of Samba-3. Try it. Let me know if it works now. PS: If you try the NetworkID Wizard, and it fails, reboot the Windows PC before attempting to use the Change button. In the past, a failure when using the NetworkID wizard would hose up the Windows client so that it then could not resolve the netbios name of the domain controller. - John T.

Using the Users and Computers MMC adds the Samba computer object with a different UserAccountControl attribute value than when you use net ads join. It used to be that the (apparent) default value of 4128 would not allow auth-n with MD5. I just tested this (W2003SP1 and 3.0.14a) and it now works with MD5. In other words, using the MMC to add the computer object, then doing a net ads join (Modifying Existing Object), now results in successful client auth-n - at least in this test case. I have heard the same testimony from other sources. I would still recommend adding the object with the net ads join, and the resulting UserAccountControl attribute value of 2166784.

Eric Roseme
Hewlett-Packard
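An added example (not from the thread and not Samba code): a decoder for the two UserAccountControl values quoted in the message above, 4128 for an object created in the MMC and 2166784 for one created by net ads join, showing which flags differ between them. The flag table uses Microsoft's documented bit values; the LDIF sample, its DNs, and the choice of flags to highlight are constructed for this example.

```python
"""Decode Active Directory userAccountControl (UAC) values into flag names."""

# Bit values and names as documented by Microsoft for userAccountControl.
UAC_FLAGS = {
    0x0000001: "SCRIPT",
    0x0000002: "ACCOUNTDISABLE",
    0x0000008: "HOMEDIR_REQUIRED",
    0x0000010: "LOCKOUT",
    0x0000020: "PASSWD_NOTREQD",
    0x0000040: "PASSWD_CANT_CHANGE",
    0x0000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0000100: "TEMP_DUPLICATE_ACCOUNT",
    0x0000200: "NORMAL_ACCOUNT",
    0x0000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x0001000: "WORKSTATION_TRUST_ACCOUNT",
    0x0002000: "SERVER_TRUST_ACCOUNT",
    0x0010000: "DONT_EXPIRE_PASSWORD",
    0x0020000: "MNS_LOGON_ACCOUNT",
    0x0040000: "SMARTCARD_REQUIRED",
    0x0080000: "TRUSTED_FOR_DELEGATION",
    0x0100000: "NOT_DELEGATED",
    0x0200000: "USE_DES_KEY_ONLY",
    0x0400000: "DONT_REQ_PREAUTH",
    0x0800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Flags worth a second look on a computer account. This selection is an
# assumption of the example, not a rule from the thread.
REVIEW_FLAGS = {
    "PASSWD_NOTREQD": "account is allowed to have an empty password",
    "ENCRYPTED_TEXT_PWD_ALLOWED": "password stored with reversible encryption",
    "TRUSTED_FOR_DELEGATION": "unconstrained Kerberos delegation enabled",
    "USE_DES_KEY_ONLY": "Kerberos keys limited to DES (deprecated by RFC 6649)",
    "DONT_REQ_PREAUTH": "Kerberos pre-authentication not required",
}

# The two values quoted in the thread.
MMC_CREATED = 4128
NET_ADS_JOIN = 2166784

# Constructed sample in the shape of ldapsearch output; the DNs are made up.
SAMPLE_LDIF = """\
dn: CN=SMBTEST1,CN=Computers,DC=example,DC=com
userAccountControl: 4128

dn: CN=SMBTEST2,CN=Computers,DC=example,DC=com
userAccountControl: 2166784
"""


def decode_uac(value):
    """Return (flag names in ascending bit order, bits not in the table)."""
    names, leftover = [], value
    for bit in sorted(UAC_FLAGS):
        if value & bit:
            names.append(UAC_FLAGS[bit])
            leftover &= ~bit
    return names, leftover


def diff_uac(a, b):
    """Return (flags set only in a, flags set only in b), each sorted by name."""
    fa, fb = set(decode_uac(a)[0]), set(decode_uac(b)[0])
    return sorted(fa - fb), sorted(fb - fa)


def parse_ldif(text):
    """Map each entry's dn to its integer userAccountControl.

    Handles plain 'attr: value' lines only; base64 ('attr:: ...') values
    are skipped and folded lines are not joined.
    """
    result, dn = {}, None
    for line in text.splitlines():
        if not line.strip():
            dn = None                      # blank line ends the entry
            continue
        key, sep, val = line.partition(":")
        if not sep:
            continue
        key, val = key.strip().lower(), val.strip()
        if val.startswith(":"):            # base64-encoded value
            if key == "dn":
                dn = None
            continue
        if key == "dn":
            dn = val
        elif key == "useraccountcontrol" and dn is not None:
            result[dn] = int(val)
    return result


def audit(ldif_text):
    """Return {dn: [(flag, reason), ...]} for entries that carry review flags."""
    out = {}
    for dn, value in parse_ldif(ldif_text).items():
        names, leftover = decode_uac(value)
        hits = [(n, REVIEW_FLAGS[n]) for n in names if n in REVIEW_FLAGS]
        if leftover:
            hits.append(("UNKNOWN_BITS", hex(leftover)))
        if hits:
            out[dn] = hits
    return out


if __name__ == "__main__":
    for label, value in (("MMC", MMC_CREATED), ("net ads join", NET_ADS_JOIN)):
        print(label, value, decode_uac(value)[0])
    print("differs:", diff_uac(MMC_CREATED, NET_ADS_JOIN))
    for dn, hits in audit(SAMPLE_LDIF).items():
        print(dn, hits)
```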
Re: [Samba] Q: concerning user nobody and Samba 3
Frank Schifferstein wrote:

hi, we are running several HP-UX 11.23 servers with Samba 2.2.x and are starting a migration to Samba 3 and encounter several problems. As far as I understand this passage: (chapter 24, Upgrading from Samba-2.x to Samba-3.0.20)

The following issues are known changes in behavior between Samba-2.2 and Samba-3 that may affect certain installations of Samba. When operating as a member of a Windows domain, Samba-2.2 would map any users authenticated by the remote DC to the guest account if a UID could not be obtained via the getpwnam() call. Samba-3 rejects the connection with the error message NT_STATUS_LOGON_FAILURE. There is no current workaround to re-establish the Samba-2.2 behavior.

the user nobody is not used anymore, and there is a need having unixuser account for every windowsuser account. I know, this is a general need, but for different purposes we configured guest ok = yes in some shares to allow the guest access to shares where the unixaccount is missing. Is my interpretation of the passage correct? In case it is, does it refer to security = domain/ads only or is it valid for security = server as well (I know, security = server is not the preferred configuration).

regards Frank Schifferstein

Hi Frank, Are you using Opensource Samba or HP CIFS Server? HP CIFS Server adds a unix user called smbnull (replacing nobody), and by default guest account = smbnull. You should not have any problem using map to guest = as John suggested. If you are using HP CIFS Server, then there is some support-related information that we should discuss (offline).

Eric Roseme
Hewlett-Packard
[Samba] Re: samba smbd version 2.2.12 HP CIFS Server A.01.11.04 does hang if start in a HP serviceguard configuration
Belgardt, Wolfgang wrote: Hello all, can somebody say me if it is supported to locate the secrets.tbd on a NFS share, please? I have smbd version 2.2.12 based HP CIFS Server A.01.11.04 in HP ServiceGuard Configuration. If the secrets.tbd is on a local path samba smbd start and run fine, but when secrets.tbd file is locate in a path which is a NFS share smbd hangs. I have traced the samba startup with tusc. Here are the last line: ... ... .. 1126617678.351198 [9241] write(6, m a x c o n n e c t i o n .., 34) = 34 1126617678.351357 [9241] getrlimit64(RLIMIT_NOFILE, 0x7f7f0ca0) = 0 1126617678.351488 [9241] setrlimit64(RLIMIT_NOFILE, 0x7f7f0ca0) = 0 1126617678.351596 [9241] setrlimit64(RLIMIT_NOFILE, 0x7f7f0ca0) = 0 1126617678.351677 [9241] getrlimit64(RLIMIT_NOFILE, 0x7f7f0ca0) = 0 1126617678.352612 [9241] open(/disks/usrd20/samba/secrets.tdb, O_RDWR|O_CREAT|O_LARGEFILE, 0600) = 8 1126617678.352778 [9241] sched_yield() ... = 0 1126617692.906166 [9241] fcntl(8, 0xa, 2139034384) ... [sleeping] Thanks in advance Regards Wolfgang _ Wolfgang Belgardt Systemberater Corporate Account Services Technology Solution Group Hewlett-Packard GmbH Berliner Str. 111 D-40880 Ratingen Phone: +49 (0)2102 90-8469 Fax: +49 (0)2102 90-6300 Mobil: +49 (0) 171 3357 256 E-mail: [EMAIL PROTECTED] http://www.hp.com/de _ - Registrieren Sie sich im ITRC und eröffnen und monitoren Sie Ihre Cases online. http://europe.itrc.hp.com/service/mcm/homepageRequest.do - Informationen zu dem Case können Sie mir auch gerne per eMail senden. mailto:[EMAIL PROTECTED]@hp.com - Besuchen Sie das IT Resource Center und die Foren http://europe.itrc.hp.com http://forums.itrc.hp.com - HP Software Depot http://software.hp.com - Handbücher/Dokumentationen http://docs.hp.com - Instant Support Enterprise Edition (ISEE) bietet Fernüberwachung, Diagnose + Fehlersuche http://www.hp.com/hps/hardware/hw_downloads.html _ Hewlett-Packard GmbH, Herrenberger Str. 
140, 71034 Böblingen Geschäftsführer: Hans Ulrich Holdenried (Vorsitzender), Edgar Aschenbrenner, Heiko Meyer, Ernst Reichart, Matthias Schmidt, Regine Stachelhaus, Stephan Wippermann Vorsitzender des Aufsichtsrats: Jörg Menno Harms Sitz der Gesellschaft: Böblingen, Amtsgericht Böblingen HRB 4081 Wolfgang - I am out of the office until Tuesday. Can you look at the log.smbd and see if there is a locking error? (64bit vs 32bit , or something). I am cc-ing this to samba - that's where it should go (not technical). Thanks, Eric Roseme Hewlett-Packard -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Group mapping giving incorrect GIDs
Gerald (Jerry) Carter wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Eric Roseme wrote: [EMAIL PROTECTED] wrote: Hi, I think I've narrowed down my problem to the fact that the group mapping is not giving me the same GID for all 'equivalent' groups, as seen here: $ net groupmap list DOMAIN\Group1 (S-1-5-21-620321403-24207062-1845911597-172256) - unixgrp1 $ getent group unixgrp1 unixgrp1:x:203: $ getent group DOMAIN\\Group1 DOMAIN\Group1:x:10001:DOMAIN\User1 This means that the GID of unixgrp1 is 203, however the GID of DOMAIN\Group1 is completely different! Given the group mapping, I was expecting that both groups would be returned with a GID of 203, so that according to the Linux box both those groups are the same. group mapping on domain members is mutually exclusive with running winbindd. Usually that is. If you do not define a idmap uid and idmap gid ranges, then winbindd should fall back to using the group mapping. and you better have mappings for all domain groups. It's an all or none decision. Jerry - just to be clear: you mean that winbindd must not be running (as opposed to just not defining idmap uid/gid ranges). Testing shows that without winbindd running groupmap behaves just like you say - mapped UNIX groups work for domain user access on ugo permissions, and for valid users. With no idmap uid/gid winbindd will not start. JHT - this would be useful in chapter 11 of the howto. I read that chapter about 5 times looking for what I was missing when I could not make groupmapping work with security = ads and winbindd. And I just bought my Second Edition. Boo Hoo. My purpose for testing this was to answer an earlier post about group name length limitations on valid user. Our UNIX group name would only work up to 32 chars, but Windows allows 64 chars. Also the Windows group had special characters that UNIX did not like. I thought I could work around this by mapping the long Windows group to a short Unix group (with security=ads). 
But it did not work, due to winbindd (as you pointed out). Adam - can you describe your intended use of group mapping? I re-read your original post, and am wondering why you can't just add the winbind-mapped group directly to the folder (directory) ACL (as opposed to mapping a *ix group to the winbind-mapped group, then adding the *ix group to the ACL)? Eric Roseme Hewlett-Packard -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Group mapping giving incorrect GIDs
[EMAIL PROTECTED] wrote:

Hi, I think I've narrowed down my problem to the fact that the group mapping is not giving me the same GID for all 'equivalent' groups, as seen here:

$ net groupmap list
DOMAIN\Group1 (S-1-5-21-620321403-24207062-1845911597-172256) - unixgrp1
$ getent group unixgrp1
unixgrp1:x:203:
$ getent group DOMAIN\\Group1
DOMAIN\Group1:x:10001:DOMAIN\User1

This means that the GID of unixgrp1 is 203, however the GID of DOMAIN\Group1 is completely different! Given the group mapping, I was expecting that both groups would be returned with a GID of 203, so that according to the Linux box both those groups are the same. As it stands now, when DOMAIN\User1 connects, it's using a GID of 10001 which has no access to the filesystem. It should be connecting as GID 203, which has the correct filesystem permissions. Is what I'm trying to do even possible? Thanks, Adam.

Hi Adam, Just so you do not feel abandoned - I have gotten the same results when trying a similar operation. In my case, I was trying to use a mapped group on valid users = @mapped. That does not work at all. I also could not make it work with ACLs. A co-worker did some additional testing and could get mapped groups to work on ugo permissions, but only with security = user, not security = ads. If my co-worker and I can characterize the behavior more accurately, I'll write up what we find for posterity.

Eric Roseme
Hewlett-Packard
Re: [Samba] ADS Join and Insufficient Access
M Maki wrote: My agency is moving all users and computers to a new domain. Our current domain uses AD and the new domain will use AD. My current samba servers are running 3.0.20a with ADS security with winbind on Debian Stable (Sarge) with no problems. I set up a test samba server using 3.0.20b, the new krb5.conf and smb.conf. kinit works fine. (Authenticated to Kerberos v5) I prestage the server by adding it to my OU with rights to add it to the domain as I have always done. When I go to add it to the domain with net ads join -U [EMAIL PROTECTED] and enter my password I get ads_add_machine_acct: Host account for smbtest already exists - modifying old account (which is normal for prestaged machines) ads_join_realm: ads_add_machine_acct failed (smbtest): Insufficient access ads_join_realm: Insufficient access I have no problem adding Windows workstations with the same account, it's just adding the samba server. What could I be missing? Thanks, Mike Here is my smb.conf: [global] netbios name = smbtest workgroup = NEW realm = NEW.DOMAIN.NET security = ADS password server = 10.0.1.1 log file = /usr/local/samba/var/%m.log preferred master = No local master = No domain master = No idmap uid = 1-4 idmap gid = 1-4 # winbind use default domain = Yes winbind enum users = No winbind enum groups = No winbind nested groups = Yes socket options = TCP_NODELAY socket options = SO_RCVBUF=8192 [test] path = /home read only = No admin users = NEW\mmaki I posted this on 11/01/05 (for the second time), see if it helps: http://marc.theaimsgroup.com/?l=sambam=112681698521084w=2 Eric Roseme Hewlett-Packard -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Join ADS domain - Insufficient Access
http://marc.theaimsgroup.com/?l=sambam=112681698521084w=2 Eric Roseme Mark F wrote: SLES 9 SP2 samba-3.0.14a-0.4 heimdal-lib-0.6.1rc3-55.15 samba-winbind-3.0.14a-0.4 pam-modules-9-18.10 pam_krb5-1.3-201.7 I've been searching for days for a concrete answer to this question: Is it possible to join an ADS domain from a Linux Samba server without having Administrator privileges? Yes or No. If so exactly what are the minimal requirements for joining the Linux box to the domain. I can get a Kerberos ticket, no problem However when I try to join the domain I get: app1:~ # net ads join -S servername -d 3 -w domain -U tester%password [2005/11/01 07:44:58, 3] param/loadparm.c:lp_load(3907) lp_load: refreshing parameters [2005/11/01 07:44:58, 3] param/loadparm.c:init_globals(1321) Initialising global parameters [2005/11/01 07:44:58, 3] param/params.c:pm_process(573) params.c:pm_process() - Processing configuration file /etc/samba/smb.conf [2005/11/01 07:44:58, 3] param/loadparm.c:do_section(3409) Processing section [global] [2005/11/01 07:44:58, 2] lib/interface.c:add_interface(81) added interface ip=IPADDRESS bcast=IPADDRESS nmask=255.255.255.0 [2005/11/01 07:44:58, 3] libads/ldap.c:ads_connect(285) Connected to LDAP server LDAPIPADDRESS [2005/11/01 07:44:58, 3] libads/ldap.c:ads_server_info(2469) got ldap server name [EMAIL PROTECTED], using bind path: dc=SERVER,dc=DOMAIN,dc=GOV [2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204) ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2 [2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204) ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 [2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204) ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3 [2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204) ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10 [2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(211) ads_sasl_spnego_bind: got server principal name [EMAIL PROTECTED] 
[2005/11/01 07:44:58, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381) ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory) [2005/11/01 07:44:58, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(318) Ticket in ccache[MEMORY:net_ads] expiration Tue, 01 Nov 2005 17:46:24 GMT [2005/11/01 07:44:58, 0] libads/ldap.c:ads_add_machine_acct(1405) ads_add_machine_acct: Host account for app1 already exists - modifying old account [2005/11/01 07:44:58, 0] libads/ldap.c:ads_join_realm(1763) ads_join_realm: ads_add_machine_acct failed (app1): Insufficient access ads_join_realm: Insufficient access [2005/11/01 07:44:58, 2] utils/net.c:main(902) return code = -1 --- I have no access to the domain but the Domain admin has assured me he has set it up exactly as he would to allow a Windows client to join. Is this correct? Thanks, -Mark -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] samba-3.0.14a binaries for HP-UX-11.0
Okay, the 11i libraries work for 11.0 with our Opensource 3.0.14a binaries on Samba.org. These are the current versions: OpenLdap 2.2.27 (http://hpux.cs.utah.edu) OpenSSL 0.9.8a (http://hpux.cs.utah.edu) LibIconv 1.10(http://hpux.cs.utah.edu) My text for re-linking is actually for 11i, and thus uses Internet Express and not the libraries above. So you will just need to either cp or mv the files from the new libraries appropriately (ie liblber to liblber.sl.2). Eric Roseme Hewlett-Packard eric roseme wrote: Sorry for the belated reply (out of the office). Use the packages at the listed urls. The 11i versions will work for 11.0. I have installed and tested the listed version numbers on 11.0, however all of the versions have since been rolled. In addition, my 11.0 system has been retired, so I cannot verify the results (from last April). So, I'll reinstall everything and re-verify. If you want to wait, I'll post my results here, but not until Tuesday 10/25 at the earlist. Also, if you have installed HP CIFS Server on the system, you'll need to re-link some stuff. I added the following text to the README of our opensource distribution (on samba.org), but I do not think it made the most recent build. So here is the new text: 6. If your system has HP CIFS Server previously installed, several libraries that are used by Samba may require re-linking. a. if /usr/local/samba/bin/smbd -V /usr/lib/dld.sl: Can't open shared library: /usr/local/lib/libiconv.sl /usr/lib/dld.sl: No such file or directory Abort(coredump) then cp /opt/samba/lib/libiconv.sl /usr/local/lib/ b. if /usr/local/samba/bin/smbd -V /usr/lib/dld.sl: Can't open shared library: /usr/local/lib/liblber.sl.2 /usr/lib/dld.sl: No such file or directory Abort(coredump) then ln -s /opt/iexpress/openldap/lib/liblber-2.2.sl /usr/local/lib/liblber.sl.2 c. 
if /usr/local/samba/bin/smbd -V /usr/lib/dld.sl: Can't open shared library: /usr/local/lib/libldap.sl.2 /usr/lib/dld.sl: No such file or directory Abort(coredump) then ln -s /opt/iexpress/openldap/lib/libldap-2.2.sl /usr/local/lib/libldap.sl.2 Eric Roseme Hewlett-Packard Gerald (Jerry) Carter wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mark Proehl wrote: | Hi, | | im looking for a binary package of samba with a libnss_winbind.1 | for HP-UX-11.0 | | The depot files in | | http://de.samba.org/samba/ftp/Binary_Packages/hp/samba-3.0.14a | | look good, but there are these three requierements: | | OpenLdap 2.1.3 (http://hpux.cs.utah.edu) | OpenSSL 0.9.7d (http://hpux.cs.utah.edu) | LibIconv 1.9.2 (http://hpux.cs.utah.edu) | | I was unable to locate this Packages on the HP site. | | Can anybody point me to a location, where I can | find these required files? Eric, Hate to lean on you again, but do you know of a URL for these packages? If you don't know off the top of your head, I'll ping someone someone in the CIFS/9000 group in Cupertino. cheers, jerry = Alleviating the pain of Windows(tm) --- http://www.samba.org GnuPG Key- http://www.plainjoe.org/gpg_public.asc There's an anonymous coward in all of us. --anonymous -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.0 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDWRfXIR7qMdg1EfYRAh2YAKDjZ77g34qwx50vtuuFY7getDgFgACeNRBZ GpOhi9AnUqK9MwCO42krjII= =Khue -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: Which Samba (CIFS ?) For HPUX 11.00 ?
Hi Nick, This topic should be on samba@lists.samba.org - not technical. I'll give you a brief overview, and any followup send to me directly. HP-CIFS Server for 11.0 is based upon Samba 2.2.12. Support for 11.0 ends there - at 2.2.12. Go to: http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B8725AA If you want to continue on 11.0, HP posts 3.0.14a Opensource binaries to Samba.org, but they are not supported by HP. The Opensource binaries will eventually be upgraded to 3.0.20a, but we do not guarantee when. Of course, you are free to build your own. Samba binaries for HP-UX can also be loaded from: http://hpux.cs.utah.edu. There was a topic earlier today and last week about 11.0, 3.0.14a, and prerequisite Opensource libraries. See: http://marc.theaimsgroup.com/?l=sambam=113025750223530w=2 HP-UX 11iv1 and 11iv2 are a different story. Email me directly (from cc list) for more information. Eric Roseme Hewlett-Packard Boyce, Nick wrote: [Sorry to bother everyone with this - it just seemed like I probably need to reach any HP staff we have here on the list - everybody else just press Delete] I've just inherited the sysadmin role for an HPUX 11.00 / PA-RISC machine, which is running Samba 2.2.8a (!) but not very well - they want me to sort Samba out and I'm wondering: which is the best Samba for such a system ? The last time I admin'd HPUX was at 10.20, but I'm aware that HP were going to create an official supported product for HPUX 11.x, based on Samba and called CIFS. I've surfed around *.hp.com but all I can find are highly general product descriptions, and faqs - nothing definite about CIFS, or what Samba version it might be based on. I note that http://us4.samba.org/samba/ftp/Binary_Packages/hp/ only has 3.0.14a as the latest binary, and I know you guys have fixed an ocean of things since then. Is CIFS the best Samba for HPUX, or would a vanilla 3.0.20b be better ? If best=CIFS, where can I get it ? 
Is there a downloadable CIFS that keeps up-to-date with the latest Samba V3 ? Thanks - sorry for the interruption - reply off-list if this is too OT ... or tell me I should use [EMAIL PROTECTED] instead Nick Boyce EDS Central Ireland ADU (UKIA) -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] samba-3.0.14a binaries for HP-UX-11.0
Sorry for the belated reply (out of the office). Use the packages at the listed urls. The 11i versions will work for 11.0. I have installed and tested the listed version numbers on 11.0, however all of the versions have since been rolled. In addition, my 11.0 system has been retired, so I cannot verify the results (from last April). So, I'll reinstall everything and re-verify. If you want to wait, I'll post my results here, but not until Tuesday 10/25 at the earlist. Also, if you have installed HP CIFS Server on the system, you'll need to re-link some stuff. I added the following text to the README of our opensource distribution (on samba.org), but I do not think it made the most recent build. So here is the new text: 6. If your system has HP CIFS Server previously installed, several libraries that are used by Samba may require re-linking. a. if /usr/local/samba/bin/smbd -V /usr/lib/dld.sl: Can't open shared library: /usr/local/lib/libiconv.sl /usr/lib/dld.sl: No such file or directory Abort(coredump) then cp /opt/samba/lib/libiconv.sl /usr/local/lib/ b. if /usr/local/samba/bin/smbd -V /usr/lib/dld.sl: Can't open shared library: /usr/local/lib/liblber.sl.2 /usr/lib/dld.sl: No such file or directory Abort(coredump) then ln -s /opt/iexpress/openldap/lib/liblber-2.2.sl /usr/local/lib/liblber.sl.2 c. 
if /usr/local/samba/bin/smbd -V /usr/lib/dld.sl: Can't open shared library: /usr/local/lib/libldap.sl.2 /usr/lib/dld.sl: No such file or directory Abort(coredump) then ln -s /opt/iexpress/openldap/lib/libldap-2.2.sl /usr/local/lib/libldap.sl.2 Eric Roseme Hewlett-Packard Gerald (Jerry) Carter wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mark Proehl wrote: | Hi, | | im looking for a binary package of samba with a libnss_winbind.1 | for HP-UX-11.0 | | The depot files in | | http://de.samba.org/samba/ftp/Binary_Packages/hp/samba-3.0.14a | | look good, but there are these three requierements: | | OpenLdap 2.1.3 (http://hpux.cs.utah.edu) | OpenSSL 0.9.7d (http://hpux.cs.utah.edu) | LibIconv 1.9.2 (http://hpux.cs.utah.edu) | | I was unable to locate this Packages on the HP site. | | Can anybody point me to a location, where I can | find these required files? Eric, Hate to lean on you again, but do you know of a URL for these packages? If you don't know off the top of your head, I'll ping someone someone in the CIFS/9000 group in Cupertino. cheers, jerry = Alleviating the pain of Windows(tm) --- http://www.samba.org GnuPG Key- http://www.plainjoe.org/gpg_public.asc There's an anonymous coward in all of us. --anonymous -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.0 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDWRfXIR7qMdg1EfYRAh2YAKDjZ77g34qwx50vtuuFY7getDgFgACeNRBZ GpOhi9AnUqK9MwCO42krjII= =Khue -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: SOLVED [Samba] problems with samba 3 and termnal server
JHT - Would this topic be worthy of addition to the Howto? I think I sent you a lengthy whitepaper about TS, along with all of the workarounds. You could pull out pertinent passages like the MS Q-article and hotfix verbiage. (if you want to) Eric Roseme Hewlett-Packard Lorenzo Pilotti wrote: thanks fellows, the M$ patch seems to work fine... ya guruz! ;-) loris It's possible to set a registry setting that causes TS to open a new SMB connection for every logged on user, this should help if the problem is requests getting stuck in smbd's single threaded queue. The TS client has some multi-threaded synchronisation problems that Microsoft could only solve by going back to the (sensible) multi-connection model. They only changed to single-connection to screw Samba over in a big account anyway (the honest and sad truth :-). Jeremy.
[Samba] Minimum User Rights For net ads join
I have seen a number of cases where unix/linux administrators do not have access to Windows Administrator rights to execute net ads join. Here is the result of testing that I have done to determine what the minimum set of user rights is.

Case 1: Adding the object to the domain and joining the domain with net ads join

In this case, an ordinary user member of Domain Users can add and join by having an Administrator assign the user special rights to the Computers container (or equivalent). This is done by:

1. Users and Computers MMC, Advanced Features View
2. Right click Computers container and select Properties
3. Choose Security tab, add a new user to the container
4. Click Advanced, select the new user, click Edit
5. Clear all rights, add back only Create Computer Objects
6. OK to exit out

The user can now add and join the computer object using net ads join -U username.

Case 2: Add object using Users and Computers MMC, join using net ads join.

This method is required when a custom schema is used and net ads join cannot find the correct container to add the computer. Note that sometimes the UserAccountControl attribute will populate with a value that denies krb5 authentication, and the attribute must be populated manually.

1. Users and Computers MMC, Advanced Features View
2. Add the computer object using the MMC. Do not select Windows 2000 compatible.
3. Right click on the new computer object (note that this is different from the container in Case 1) and select Properties.
4. Click Advanced, then Add, and add the user to Security Settings.
5. Highlight the username, then select Edit.
7. Select Full Control - this will autoselect all Permissions.
8. Unselect those that we do not need:
   Full Control
   Create All Child Objects
   Delete All Child Objects
   (all items thru)
   Delete All Shared Folder Ob
9. OK to exit out.

The user can now join and modify the existing computer object using net ads join -U username.

Caveats:

1. net ads leave -U username does not work, even with Administrator.
2. Several other net ads commands do not work.
3. The ntSecurityDescriptor is not correctly processed (ldap.c accounts for this and adds the object anyway, and issues a warning)

JT - I have written a user's guide for this process. Let me know if you would like to use it however you see fit.

Eric Roseme
Hewlett-Packard
Re: [Samba] Domain Member Server: Group Membership Updates
Hi Thilo, I cannot duplicate your problem on 11i v1 CIFS A.02.01.01. Can you stop winbind and run it manually with -n to verify that it bypasses the cache?

Eric Roseme
Hewlett-Packard

[EMAIL PROTECTED] wrote:

Hi all, I have a problem with my Samba on HPUX (based on Samba 3.07): There is a Windows 2003 Server (DC). The HPUX-Fileserver is configured as a Member of this Domain. I am Using Winbind to map users and groups. Everything works fine, the Users can access their files on the shares on the samba server. The Permissions are set in smb.conf by the domain group names. Now I have a new Group, added Users to that group and set a new share with permissions for that group. All members of this group can't access the share:

# ./wbinfo -g
BUILTIN\System Operators
BUILTIN\Replicators
BUILTIN\Guests
BUILTIN\Power Users
BUILTIN\Print Operators
BUILTIN\Administrators
BUILTIN\Account Operators
BUILTIN\Backup Operators
BUILTIN\Users
[...]
Testgroup

Wbinfo lists the group testgroup. I created a folder and set permissions to that group:

# ls -lad testshare
drwxrwx--- 2 AdministratTestgroup 96 Aug 23 11:26 testshare

gid seems to be 20022:

# ls -land testshare
drwxrwx--- 2 2 20022 96 Aug 23 11:26 testshare

But the User t.rees, who is a member of this group on the domain-controller, is not known to be a member of this group by winbind:

# /opt/samba/bin/wbinfo -r t.rees
2 20011 20013

Any suggestions? Kind Regards: Thilo Rees
Re: RE [Samba] SFU required ?
Gerald (Jerry) Carter wrote:

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1

[EMAIL PROTECTED] wrote:

Hi, No, for samba ADS member you must just use winbind and idmap mapping. I suggest you to read the samba-howto-collection and the samba by-example book available on samba website.

Just as a heads up, Samba 3.0.20 will have support to utilize the SFU schema for winbindd if you want to. It's a new idmap plugin (idmap backend = ad). And you will be able to pull the home directory and shell information as well (winbind nss support = sfu).

Another heads up - it looks like W2003 R2 (beta) has the POSIX attributes already integrated into the schema. What is even more notable, is that my R2 beta version uses the actual RFC 2307 attribute names, as opposed to msSFU-30-XX. So there is good (finally using the correct attributes) and bad (they changed their schema).

Eric Roseme
Hewlett-Packard
Re: [Samba] Mapping HPUX to Windows Shared Directories
Hi Tony,

I am not sure that I understand your question, but it may be that you have a share on your W2003 server that you want to map from your HP-UX system. If this is true, then you need to use the HP CIFS Client. If you need help with the CIFS Client, email me off-list and I'll help you out. If I mis-understood your question, then re-state the question to help me out.

Thanks,
Eric Roseme
Hewlett-Packard

Tony Gardner wrote:

I need to know what the command would be to map an HPUX directory to a Windows shared directory. I am running Samba 3.0.7 on HPUX 11i and have Windows Server 2003. Any help would be greatly appreciated.

Regards,
Tony Gardner
UNIX Contractor
Haas Automation, Inc.
Re: [Samba] libnss_winbind.so or nss_winbind.1 for HPUX
What HP-UX version? Please describe the problem with nss and trusted system. Also indicate if the problem is with winbind only or other modules too.

Eric Roseme
Hewlett-Packard

Mauro wrote:

I was able to produce libnss_windbind.1 object but nss system still has problem with trusted mode system.

RGDS
Mauro

- Original Message -
From: Mauro [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, August 01, 2005 2:31 PM
Subject: [Samba] libnss_winbind.so or nss_winbind.1 for HPUX

I was not able to find in 3.0.14a package for HPUX libraries needed by nsswitch to use winbind. Please could you help me to find them or to compile them directly from sources? In sources I found:

    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbind_nss_linux.h
    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd_wins.c
    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd_misc.c
    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbind_nss_hpux.h
    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd_cm.c
    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbind_nss.h
    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd_ads.c
    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd_nss.h
    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbind_nss_config.h
    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd_util.c
    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd_user.c
    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbind_client.h
    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd.c
    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd_rpc.c
    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd_dual.c
    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd.h
    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbind_nss_freebsd.c
    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbind_nss_irix.c
    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbind_nss_solaris.c
    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd_group.c
    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbind_nss_irix.h
    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbind_nss_solaris.h
    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbind_nss_aix.c
    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd_passdb.c
    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd_cache.c
    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/pam_winbind.c
    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd_acct.c
    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbind_nss_linux.c
    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd_pam.c
    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/pam_winbind.h
    /usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd_sid.c
    /usr/local/samba/src/samba-3.0.14a/testsuite/nsswitch/pam_winbind_syms.exp
    /usr/local/samba/src/samba-3.0.14a/testsuite/nsswitch/pam_winbind_syms.c
    /usr/local/samba/src/samba-3.0.14a/testsuite/nsswitch/nss_winbind_syms.exp
    /usr/local/samba/src/samba-3.0.14a/testsuite/nsswitch/nss_winbind_syms.c
    /usr/local/samba/src/samba-3.0.14a/examples/nss/nss_winbind.h
    /usr/local/samba/src/samba-3.0.14a/examples/nss/nss_winbind.c
Re: [Samba] samba 2.2.8a
Sorry for the late reply - I was out last week.

You need to increase your nfile and nproc parms (see Admin Guide pg 258 [http://www.docs.hp.com/en/B8725-90074/B8725-90074.pdf]). I delivered a tuning presentation at HPWorld in 2003. If you want a copy, email me off list and I'll send it to you.

Also, the version you are running is not supported. You should pull down either the current 3.0 CIFS version, or the supported 2.2 version from: http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B8725AA

Eric Roseme
Hewlett-Packard

david lawrance wrote:

Hello

We are facing a problem in samba server running in hpux11.11. Version of samba is version: 2.2.8a based HP CIFS Server A.01.10. We are not able to connect more than 18 users concurrently. When we map drive for 19th user it gives me an error "network connection not found"; after killing one user it starts mapping. Is there any user restriction or need for kernel parameter change?

Regards,
Davidlawrance.A
Re: [Samba] liblber.sl.2 For HP-UX 11
Are you pulling the pre-compiled binaries from: http://us1.samba.org/samba/ftp/Binary_Packages/hp/samba-3.0.14a/ ? The 11.0 depot works for 11i too.

The README says to install OpenLDAP and OpenSSL from http://hpux.cs.utah.edu. However, you can download OpenLDAP for free off the HP Internet Express site at: https://payment.ecommerce.hp.com/portal/swdepot/try.do?productNumber=HPUXIEXP

You need OpenSSL too: https://payment.ecommerce.hp.com/portal/swdepot/try.do?productNumber=OPENSSL11I

I have written a new README that describes the link changes you need if you have had HP CIFS Server installed previously, but it is not posted to the site yet. Let me know if you need those instructions. In any case, the libraries will be there if you install OpenLDAP and OpenSSL from the HP site.

Eric Roseme
Hewlett-Packard

Joseph Madrinkian wrote:

Hello All,

When I try to start SAMBA I get an error message saying I'm missing the liblber.sl.2. It says that if I download the libraries for OPENLDAP, this library should be included. But it does not get installed and I cannot find it anywhere. Does anyone have any suggestions? I'm on a HP-UX11 box.

Thanks
Re: [Samba] CIFS/ACLs
For the no buffer space, verify that you have increased nfile and nproc (see Admin Guide pg 258 [http://www.docs.hp.com/en/B8725-90074/B8725-90074.pdf]). You need 1.2MB memory per client at connect time, in addition to whatever else your system needs.

For ACLs, verify that you are using JFS (VxFS) 3.3 or later, and layout 4:

    rmonster-bdf
    Filesystem          kbytes    used   avail %used Mounted on
    /dev/vg00/lvol3    2097152   77264 2004120    4% /
    /dev/vg00/lvol1    1014648   28336  884840    3% /stand
    /dev/vg00/lvol8    5242880  182064 5021776    3% /var
    /dev/vg00/lvol7    5242880 1147952 4063024   22% /usr
    /dev/vg00/lvol6    2097152  228432 1854184   11% /tmp
    /dev/vg00/lvol5    5242880  505264 4700864   10% /opt
    /dev/vg00/lvol4    5242880   18008 5184112    0% /home
    rmonster-fstyp -v /dev/vg00/lvol4
    vxfs
    version: 4
    f_bsize: 8192
    f_frsize: 8192
    f_blocks: 655360
    f_bfree: 653109
    f_bavail: 648263
    f_files: 155616
    f_ffree: 163264
    f_favail: 163264
    f_fsid: 1073741828
    f_basetype: vxfs
    f_namemax: 254
    f_magic: a501fcf5
    f_featurebits: 0
    f_flag: 16
    f_fsindex: 5
    f_size: 655360
    rmonster-

The symptoms that you describe are common for a file system that is not POSIX ACL enabled.

Also, the Windows Explorer security screen will be adding windows groups to the ACL, but you have mapped those with net groupmap to your POSIX groups, which display on the getacl. See below (edited for brevity).

    rmonster-getacl jardin.mpg
    # file: motocross.mpg
    # owner: SNSLATC+eroseme
    # group: SNSLATC+Domain Users
    user::rwx
    group::r--
    group:vamps:rwx
    group:scoobs:r-x
    class:rwx
    other:r--
    rmonster-net groupmap list
    vampires (S-1-5-21-1681019172-2179928069-728536373-1122) - vamps
    Domain Users (S-1-5-21-1681019172-2179928069-728536373-513) - -1
    scoobies (S-1-5-21-1681019172-2179928069-728536373-1121) - scoobs
    Users (S-1-5-32-545) - -1
    rmonster-wbinfo -g
    BUILTIN+Users
    SNSLATC+Domain Admins
    SNSLATC+Domain Users
    SNSLATC+Domain Guests
    SNSLATC+scoobies
    SNSLATC+vampires
    SNSLATC+demons
    SNSLATC+mars
    SNSLATC+neptune
    rmonster-

If this does not help, email me off-list.

Eric Roseme
Hewlett-Packard

Thilo Rees, Continum wrote:

Hi,

I am using CIFS 2.01.01 on HPUX11V2. CIFS is running in ADS security-mode. Winbind is used to map the users from the W2K3-Domain (german) to a tdb-file. The user mapping works fine, but I have problems with the ACLS: setting the ACLS to a file or folder from windows leads in access denied. I'm the owner of the object and have full access. The really crazy thing is, that it works sometimes, but later the ACLs are gone (showing standard permissions) and I can't modify them (Access denied). getacls from Unix side displays the formerly configured ACLS.

The logfile (loglevel=2) shows:

log.smbd:

    open_sockets_smbd: accept: No buffer space available

host.log

    [2005/05/30 11:22:29, 1] smbd/service.c:make_connection_snum(648)
      192.168.200.11 (192.168.200.11) connect to service tmp initially as user FRHAWIN\Administrator (uid=1, gid=1) (pid 9429)
    [2005/05/30 11:29:37, 1] smbd/service.c:close_cnum(835)
      192.168.200.11 (192.168.200.11) closed connection to service tmp
    [2005/05/30 11:30:17, 2] smbd/server.c:main(893)
      Changed root to /
    [2005/05/30 11:30:17, 2] smbd/sesssetup.c:setup_new_vc_session(608)
      setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
    [2005/05/30 11:30:19, 1] smbd/service.c:make_connection_snum(648)
      192.168.200.11 (192.168.200.11) connect to service tmp initially as user FRHAWIN\Administrator (uid=1, gid=1) (pid 9553)
    [2005/05/30 11:30:36, 2] smbd/posix_acls.c:set_canon_ace_list(2422)
      set_canon_ace_list: sys_acl_set_file type file failed for file ACLStest (Invalid argument).

my smb.conf is simple:

    [global]
    display charset = UTF-8
    workgroup = FRHAWIN
    realm = Y.Y.YYY
    netbios name = FSERV0
    server string = CIFS_HP_UX
    security = ADS
    password server = .x..xxx
    log level = 2
    log file = /var/opt/samba/log.%m
    max log size = 1000
    host msdfs = Yes
    idmap uid = 1-2
    idmap gid = 1-2
    winbind use default domain = Yes

    [tmp]
    comment = Temporary file space
    path = /tmp
    read only = No

Any suggestions?

Regards:
Thilo
Re: [Samba] Samba server suddenly started asking for authentication of the users
There is not enough information to make a guess. Send me (off-list) your smb.conf. Also, set your log level to 5 and log file = /var/opt/samba/log.%m, then attempt the share mount, and send me the log file (log.machine name).

Whatever the outcome, you will need to upgrade your Samba version. If you are using HP CIFS Server, you can stay on 2.2 - we still supply and support 2.2.12. You can also upgrade to 3.0.8. If you are using opensource, then you should go to 3.0.14a.

Eric Roseme
Hewlett-Packard
[EMAIL PROTECTED]

Majid Chavoshi wrote:

Samba Server Name: hamilton
Samba Server OS: HP-UX 11.11
Samba Version: 2.2.3.a

Hi All,

I have the same version of Samba running on many of our HP servers with almost identical smb.conf file and configured the same way. No other Samba server seem to be having any problems except this one (hamilton). When a legitimate user tries to access a Samba share from a Windows client, it asks for his/her User name password, and it won't accept the user's current network id password. Can anyone advise as to what might be the problem and how to fix it. Many thanks in advance.

Regards,
Majid Chavoshi
Unix Systems Administrator
Belkin Corporation
Information Services
310-604-2098 Office
310-604-2022 Fax
310-877-1428 Mobile
[EMAIL PROTECTED]
www.belkin.com
Re: [Samba] high network traffic
I tested W2000 and XP-SP2 on 3.0.8 on HP-UX 11i v1 (HP CIFS Server). All writes from 50KB file-save (notepad) were at MTU size, Samba was actually a little more efficient (than 2003) using about 40 fewer packets for the exchange. Try testing a different app (notepad), to see if it is app-specific.

The file size reporting is also unknown (JFS 3.3 layout 4). My server correctly lists file size over a share with XP-SP2.

An easy test is to install HP CIFS Server (it can co-exist with Opensource Samba) and either test it, or smbd -b and see how the build differs from yours (and smb.conf defaults).

Eric Roseme
Hewlett-Packard

Thierry ITTY wrote:

hello

I'm experiencing problems with samba (2.2.7a on linux 3.0.15 on hp-ux) with windows xp (sp2) clients

to make it short, an application reads and writes files on a share

when the share is on a windows (2003) server, the network traffic is normal

when the share is on a samba server, the network traffic is very high and the application response time increases very badly

I took some traces (tcpdump, ethereal...) and I see that

- when the file is on a windows share, the file is read or written with big blocks sizes (say 1000 bytes), and thus for a 50 KB file I get ca. 100 network frames
- when the file is on a samba share, the blocks are as small as 5 bytes (yes, the trace shows read andx 5 bytes at offset 0, then 5 bytes at offset 5, and so on), and the amount of network frames goes up to 20,000 for the same file, with obvious performance degradation

I tried various configuration changes (oplocks, raw io, case sensitiveness, and so on), but nothing really helps

and more the open process looks the same with both server types : I checked each value and flag in the open request and answer, and only saw that one had the archive flag not set, and that allocation size differs (true file size for windows = 50 K, 1 MB size for hp-ux, may look as some hp filesystem allocation block ???), and I also saw that in both cases an oplock was granted.

I have no more idea about what to do and I'd really appreciate any help
Re: [Samba] PANIC: internal error
Hi Mike,

You are actually running an unsupported version of HP CIFS Server (Samba). You can upgrade to the current supported version for free from: http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B8725AA

There were definitely winbind problems in the preview version that you are running. If the problem persists after upgrading, email me directly and we'll get to work on solving it.

Eric Roseme
Hewlett-Packard
[EMAIL PROTECTED]

Cheatham, Mike Mr KRS wrote:

HP UX11i

My SA is off island and I am in unfamiliar territory. We are getting an error when trying to start winbindd.

    ===
    [Thu Apr 28 12:04:49 2005 , 0] lib/util.c:smb_panic2(1398)
      PANIC: internal error
    [Thu Apr 28 13:07:20 2005 , 1] nsswitch/winbindd.c:main(843)
      winbindd version 3.0.5 based HP CIFS Server T.30.PV.02 started.
      Copyright The Samba Team 2000-2004
    [Thu Apr 28 13:07:20 2005 , 1] lib/util_unistr.c:load_case_tables(63)
      creating lame upcase table
    [Thu Apr 28 13:07:20 2005 , 1] lib/util_unistr.c:load_case_tables(78)
      creating lame lowcase table
    [Thu Apr 28 13:07:20 2005 , 1] nsswitch/winbindd_util.c:add_trusted_domain(178)
      Added domain SMDCK S-0-0
    /usr/lib/dld.sl: Unresolved symbol: sasl_client_init (code) from /usr/lib/libldap.sl
    [Thu Apr 28 13:07:20 2005 , 0] lib/fault.c:fault_report(36)
      ===
    [Thu Apr 28 13:07:20 2005 , 0] lib/fault.c:fault_report(37)
      INTERNAL ERROR: Signal 6 in pid 26250 (3.0.5 based HP CIFS Server T.30.PV.02)
      Please read the appendix Bugs of the Samba HOWTO collection
    [Thu Apr 28 13:07:20 2005 , 0] lib/fault.c:fault_report(39)
      ===
    [Thu Apr 28 13:07:20 2005 , 0] lib/util.c:smb_panic2(1398)
      PANIC: internal error

I am unable to find the appendix Bugs of the Samba HOWTO collection

Mike Cheatham
Information Systems and Technology
Systems Support Manager
Kwajalein Range Services, LLC
Kwajalein Marshall Islands (GMT+12)
805-355-2446
Pager 712
Re: [Samba] Commercially supported Samba
Greathouse, Sheri L wrote:

Does anyone know of a commercially provided and supported version of Samba in the United States?

Sheri Greathouse
EDS - Software Services - AIX Capabilities
MS 2o
1075 W. Entrance Drive
Auburn Hills, MI 48326
mailto:[EMAIL PROTECTED]

Hewlett-Packard supports Samba (as HP product HP CIFS Server) on HP-UX 11i v1 and v2, with full Response Center, Expert Center, and factory lab support. I have worked with EDS on HP-UX CIFS-Samba sites in the past.

Eric Roseme
Hewlett-Packard
Re: [Samba] Does SAMBA ever work with 2003 Server native mode ADS?
Dave Rutlidge wrote:

I posted a query re a problem I was having getting SAMBA to authenticate using a Windows 2003 Server ADS and got no reply. Also, I've searched the web (before posting) and no one else had a reply to any similar question. Does SAMBA actually work with 2003 ADS at all or am I flogging a dead horse? Getting no reply is a real bummer. At least getting forget it! means I don't waste more time looking for the issue. Has ANYONE got SAMBA to work with 2003 Server in native mode? How?

Yes, I just tested it in a 2003 native mode domain. I can net ads join, and auth-n a user using krb5 with MD5.

If it doesn't work using Kerberos, is there another way?

I recommend to new users to start by configuring Samba with security=domain, to ensure that they get Samba itself working correctly before going to Kerberos. Yes - Samba will work using NTLM in native mode. You might have to change your domain security policy to accept NTLM. You can also just \\ipaddress\sharename when security=ads and it should fall back to NTLM. Assuming your domain add worked okay.

Thanks in advance for any pointers.

Sorry I will not be around to help, leaving for vacation for 10 days.

One very struggling SAMBA mewbie :((
Re: [Samba] Re: Samba - CPU and memory usage - Proposed solution(?)
Mike,

Are shortnames still too common to make them optional? It's unfortunate that you incur the overhead of shortname support on all clients when only a small number of scenarios require them.

They've been optional in Samba3 for a while (via the mangled names boolean option). Unfortunately disabling them is really just a benchmark hack for now, as the few users of them are quite important. Making cmd.exe not work on a WinXP client would be a pretty serious functionality loss :-)

At Microsoft Tech-Ed 2004 they recommended disabling 8.3 name creation for NTFS file server performance. I was quite surprised.

Eric Roseme
Hewlett-Packard
Re: [Samba] Mapping Windows groups to Unix ones on Samba 2.2
Is this Samba Opensource 2.2.12 or HP CIFS Server 2.2.12 (A.01.11.03)?

groupname map is not a real Samba feature, I believe. See Jerry's response at: http://marc.theaimsgroup.com/?l=samba&m=104302387220719&w=2

HP CIFS Server at 2.2 was not enabled for winbind, thus there is no way to do what you want. If you go to HP CIFS Server A.02.01 (3.0.7 and 3.0.8) you get winbind and net groupmap - not the same syntax as below but you can map AD groups.

Eric Roseme
Hewlett-Packard

Laurent Blume wrote:

Hi all,

Now that I've got Samba 2.2.12 running correctly on that HP-UX box, I need to allow write access to a given AD domain group. What is the right way to do it on Samba 2.2?

I added a group.map file in smb.conf, and a line inside that said:

    unixgroup = AD Domain Group

Then in smb.conf, I put in [global]:

    groupname map = /etc/opt/samba/group.map

And in the correct share, I put the following:

    valid users = @unixgroup
    read list = @unixgroup
    write list = @unixgroup

I did not restart Samba, but from what I understand, the config file was automatically reloaded. SWAT did display the new values. The users' login were already mapped in the user.map file, and that works fine.

However, after doing that, the persons in the AD group still had no access. Putting the unix users directly in the unix group does work, but of course, is a much less clean solution.

Any hint or pointer to documentation? I was only able to find some for the 3.0 version, which is quite different for that :-/

TIA!
Laurent
Re: [Samba] No locking available. Running Samba would be unsafe
1. What version of HP-UX?
2. What version of Samba (or HP CIFS Server)?
3. What is nflocks set to?
4. Do a testparm | grep lock and send in the results.

Eric Roseme
Hewlett-Packard

Bill S wrote:

Hello Samba folks,

A couple years ago I installed Samba 2.2.0 on our HP9000 running hpux 10.20. I am now trying to install it on a customer's HP9000 and am getting the error No locking available. Running Samba would be unsafe while executing the configure command. I got that error a couple years ago and resolved it by linking /usr/bin/cc and /opt/ansic/bin/cc but that is not working this time. I also tried linking /usr/bin/cc and /usr/ccs/bin/cc but that did not work either. Any ideas?

- Bill
Re: [Samba] No locking available. Running Samba would be unsafe
Hi Bill,

I am not sure if this is your problem, but 2.2 will take about 20 locks per client connection, so you will run out of locks at 10 connections with nflocks set at 200. You will need to bump that up, along with nfiles and nproc.

Of course, you should not be on 10.20, or 2.2.0, but I suppose you know that.

Eric Roseme
Hewlett-Packard

Bill S wrote:

Eric,

Thanks for your response. Here are some answers to your questions.

1- HPUX 10.20
2- Samba 2.2.0
3- nflocks = 200
4- There is no testparm command. I checked samba's source/bin directory and the only command there was .cvsignore. On my system the testparm and other commands, like smbd, nmbd and smbclient, were in the bin directory.

- Bill

-Original Message-
From: eric roseme [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 14, 2004 8:27 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] No locking available. Running Samba would be unsafe

1. What version of HP-UX?
2. What version of Samba (or HP CIFS Server)?
3. What is nflocks set to?
4. Do a testparm | grep lock and send in the results.

Eric Roseme
Hewlett-Packard

Bill S wrote:

Hello Samba folks,

A couple years ago I installed Samba 2.2.0 on our HP9000 running hpux 10.20. I am now trying to install it on a customer's HP9000 and am getting the error No locking available. Running Samba would be unsafe while executing the configure command. I got that error a couple years ago and resolved it by linking /usr/bin/cc and /opt/ansic/bin/cc but that is not working this time. I also tried linking /usr/bin/cc and /usr/ccs/bin/cc but that did not work either. Any ideas?

- Bill
Re: [Samba] Performance of samba in linux vs windows
Hi Tim,

Just as a sanity check. I did some testing earlier this year to characterize performance differences btw 2.2.8a and 3.0.2a. I tested simple copies of one .5 GB file, and also a directory with 5000 files (with very long names including upper and lower case). As long as I was testing the version deltas, I also compared the tests to a Windows 2003 Server.

I do not want to specify the exact results and hardware (since I work for a vendor), but for the single-big-file test Windows 2003 ftp was slower than Samba by a factor of 3. ftp on HP-UX was just slightly faster than Samba.

For the 5000-files test, reading from the server was about the same for all SMB server platforms (XP from W2003, 2.2.8a, 3.0.2a).

For the 5000-files test, writing to the server was significantly slower on Samba versus Windows. This is well-known behavior for large directories due to name mangling and case sensitivity.

I also tested extensively versus NFS (but this was on 2.0.6 - quite a while ago) and the total throughput numbers (MB/s) were almost the same for SMB vs NFS. These were 8-way 4-GbE boxes, though.

I cannot claim these results as benchmarks - maybe someday if we get a CIFS benchmark like SPEC then we'll have a level playing field. The point is, that results vary all over the place by environment.

(also - turn off strict locking and test again).

Go Mustangs! (c/o '80 '88)

Eric Roseme
Hewlett-Packard

Tim Harvey wrote:

I'm doing some performance tests on a samba NAS server and I've found some interesting statistics:

I'm doing my performance tests in linux using:

    # time dd if=somelargefileovershare of=/dev/null bs=1M count=100

Then calculating the bandwidth.

For windows I'm low-tech: stopwatch plus drag-n-drop of a large file (any recommendations on a 'simple' windows program that will tell you how long it took to copy a file, or even calc the BW for you?)

Here are my bandwidth results:

    nfs via linux: 10MB/s
    smb via linux: 5MB/s
    smb via win: 8MB/s

Questions:

- why would I be getting half the performance via nfs vs smb? Is there a lot more overhead with smb vs nfs?
- why the large difference between using smb from a linux box vs smb from windows? The windows transfers are much faster... almost 2X

I'm just trying to understand my results better. The samba server I'm mounting to is running on a 1.2GHz Celeron, 256MB SDRAM, using a raid5 array with an XFS filesystem on ATA drives with a 100mbps nic. The bottleneck here is the 100mbps nic, which theoretically will give me a max throughput from the server of 12.5MB/sec, so I'm fairly satisfied to see 10MB/sec from the nfs test.

Thanks for any assistance in understanding these results,

Tim
[Samba] strict locking = yes 3.X Default?
On 3.0.2a and 3.0.5 it appears that strict locking = yes is the default, even though SWAT help says it is strict locking = no, and 2.2 was no. Is this true, and if so, is it intentional?

Thanks,
Eric Roseme
Hewlett-Packard
Re: [Samba] Samba performance issue
Hi Xiaoqin,

First, if TCP_NODELAY is not being set, that could be your performance problem right there. I have no idea what the problem is with setting your socket options. I guess that you compile your own Samba version, so maybe it's time to start investigating your build. My version of HP CIFS Server on 3.0.5 does not exhibit any of the symptoms as seen in your logs. You can pull down the latest build of CIFS 3.0.5 (for testing only) from: http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=CIFSTP3

On 2.2 CIFS and Opensource can co-exist on the same system (only one can run), but I have not tested this on 3.0 yet. So you could test with CIFS for the socket options to see if you have a build problem.

Second, if you are running opensource, then you are probably calling pread/pwrite. If you are doing that, then you need phlk_28512. That can slow down reads/writes too.

Eric Roseme
Hewlett-Packard

[EMAIL PROTECTED] wrote:

Hi,

In the last couple of weeks, Eric helped me fix a couple of my new samba 3.0.5 running on HP-UX 11i hang issues. Right now, people still experience slowness when they run some applications on the samba shares OR recursive list directories on the samba shares. There was not a lot of errors in the individual log files. However, there are some errors in log.smbd and log.0.0.0.0 file.

1) what is log.0.0.0.0 file? Is it a problem that it exists?

2) In log.smbd file, I saw the following type of errors:

    [2004/09/08 09:23:51, 0] lib/util_sock.c:get_peer_addr(978)
      getpeername failed. Error was Invalid argument
    [2004/09/08 09:27:52, 0] smbd/server.c:open_sockets_smbd(382)
      open_sockets_smbd: accept: No buffer space available
    [2004/09/08 09:30:15, 0] smbd/server.c:open_sockets_smbd(382)
      open_sockets_smbd: accept: No buffer space available
    [2004/09/08 09:31:17, 0] lib/util_sock.c:set_socket_options(185)
      Failed to set socket option SO_KEEPALIVE (Error Invalid argument)
    [2004/09/08 09:31:17, 0] lib/util_sock.c:set_socket_options(185)
      Failed to set socket option TCP_NODELAY (Error Invalid argument)
    [2004/09/08 09:31:17, 0] lib/util_sock.c:get_peer_addr(978)
      getpeername failed. Error was Invalid argument
    [2004/09/08 09:33:08, 0] smbd/server.c:open_sockets_smbd(382)
      open_sockets_smbd: accept: No buffer space available

3) In log.0.0.0.0 file, I saw the following type of errors:

    [2004/09/08 15:54:22, 0] lib/util_sock.c:get_peer_addr(978)
      getpeername failed. Error was Invalid argument
    [2004/09/08 15:54:22, 0] lib/access.c:check_access(326)
    [2004/09/08 15:54:22, 0] lib/util_sock.c:get_peer_addr(978)
      getpeername failed. Error was Invalid argument
      Denied connection from (0.0.0.0)
    [2004/09/08 15:54:22, 1] smbd/process.c:process_smb(883)
    [2004/09/08 15:54:22, 0] lib/util_sock.c:get_peer_addr(978)
      getpeername failed. Error was Invalid argument
      Connection denied from 0.0.0.0
    [2004/09/08 15:54:22, 0] lib/util_sock.c:write_socket_data(413)
      write_socket_data: write failure. Error = Broken pipe
    [2004/09/08 15:54:22, 0] lib/util_sock.c:write_socket(437)
      write_socket: Error writing 5 bytes to socket 23: ERRNO = Broken pipe
    [2004/09/08 15:54:22, 0] lib/util_sock.c:send_smb(629)
      Error writing 5 bytes to client. -1. (Broken pipe)

Are these real problems and how to get rid of them? BTW, we have the following configuration in smb.conf file:

    socket options = TCP_NODELAY

Thank you very much for your help!

Xiaoqin Qiu
Agilent Technologies, Inc.
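A triage sketch for the smbd log symptoms discussed in the messages above, added here as an example and not code from Samba, HP, or any poster. The rule names, hint wording and sample log are constructed for illustration from log lines and advice quoted in this archive.

```python
import re
from collections import Counter

# Samba 3.0 debug header, e.g.
#   [2004/09/08 09:27:52, 0] smbd/server.c:open_sockets_smbd(382)
# The "[Thu Apr 28 12:04:49 2005 , 0]" timestamp style seen in the HP preview
# build's winbindd log is a different format and is not matched here.
HEADER = re.compile(
    r"\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s+([\w./-]+):(\w+)\((\d+)\)"
)

# Rule name -> (message pattern, hint). Hints paraphrase replies in this
# archive; the rule names themselves are hypothetical.
RULES = {
    "accept_enobufs": (
        re.compile(r"accept: No buffer space available"),
        "verify nfile and nproc were increased; budget memory per client",
    ),
    "sockopt_failed": (
        re.compile(r"Failed to set socket option (\w+)"),
        "smb.conf socket options not applied; unset TCP_NODELAY can hurt performance",
    ),
    "acl_set_failed": (
        re.compile(r"sys_acl_set_file type \w+ failed for file (\S+)"),
        "verify the share is on JFS (VxFS) 3.3 or later with layout 4",
    ),
    "peer_denied": (
        re.compile(r"Denied connection from \(([\d.]+)\)"),
        "connection rejected by the access check",
    ),
}

# Constructed sample: entries copied from the logs quoted in the messages above.
SAMPLE_LOG = """\
[2004/09/08 09:27:52, 0] smbd/server.c:open_sockets_smbd(382)
  open_sockets_smbd: accept: No buffer space available
[2004/09/08 09:30:15, 0] smbd/server.c:open_sockets_smbd(382)
  open_sockets_smbd: accept: No buffer space available
[2004/09/08 09:31:17, 0] lib/util_sock.c:set_socket_options(185)
  Failed to set socket option SO_KEEPALIVE (Error Invalid argument)
[2004/09/08 09:31:17, 0] lib/util_sock.c:set_socket_options(185)
  Failed to set socket option TCP_NODELAY (Error Invalid argument)
[2004/09/08 15:54:22, 0] lib/access.c:check_access(326)
[2004/09/08 15:54:22, 0] lib/util_sock.c:get_peer_addr(978)
  getpeername failed. Error was Invalid argument
  Denied connection from (0.0.0.0)
[2005/05/30 11:30:36, 2] smbd/posix_acls.c:set_canon_ace_list(2422)
  set_canon_ace_list: sys_acl_set_file type file failed for file ACLStest (Invalid argument).
"""


def parse_entries(text):
    """Split a log into entries; each message runs until the next header."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        ts, level, src, func, line = head.groups()
        entries.append({
            "ts": ts, "level": int(level), "src": src,
            "func": func, "line": int(line),
            # Collapse the indented continuation lines into one string.
            "message": " ".join(text[head.end():end].split()),
        })
    return entries


def triage(text):
    """Count known symptoms and collect the values they mention."""
    counts = Counter()
    captured = {name: set() for name in RULES}
    for entry in parse_entries(text):
        # Match on message text, not on the header's function name: in the
        # log.0.0.0.0 excerpt a header is followed by another header before
        # the first one's text ("Denied connection ...") appears.
        for name, (pattern, _hint) in RULES.items():
            for m in pattern.finditer(entry["message"]):
                counts[name] += 1
                if m.groups():
                    captured[name].add(m.group(1))
    return {
        "counts": dict(counts),
        "sockopts": sorted(captured["sockopt_failed"]),
        "acl_files": sorted(captured["acl_set_failed"]),
        "denied_peers": sorted(captured["peer_denied"]),
        "hints": [RULES[name][1] for name in RULES if counts[name]],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for name, n in report["counts"].items():
        print(f"{name}: {n} -> {RULES[name][1]}")
```

Pass the contents of log.smbd or a per-client log to `triage()` in place of `SAMPLE_LOG`.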
Re: [Samba] SAMBA Server and Domain Mismatch Problem
Hi Emil,

Two things:

1. If you want to use HP CIFS server with POSIX ACLs, then you will need JFS 3.3 or later with file system layout 4 for your shared directories.

2. On CIFS 2.2.X when you try to add a domain user to the ACL it will not work, because you are trying to add a Windows SID to a POSIX file descriptor. That will not work. Your users must add hostname\username because that is a UID that *can* be added to the POSIX file descriptor.

This is all explained in HP CIFS Server Administrator's Guide: http://www.docs.hp.com/hpux/pdf/B8725-90073.pdf Go to page 59 for NT clients, 68 for 2000/XP clients. The instructions are pretty good.

The symptom that you are seeing is the same for attempting to add an SID to the POSIX ACL, or for adding a UID to a filesystem that does not support ACLs.

Eric Roseme
Hewlett-Packard

Emil P. Henry wrote:

Hello!

We are running SAMBA 2.2.8a from HP (CIFS) on a HP-UX (11i) server. It is running great and all that. The only issue is that the users would like to be able to share their shares to other users that they specify through the Windows clients. The problem is that when they look at properties they see the hostname\username under the Group or user name - which is themselves. When we try to do the domain\username it accepts it as valid, but disappears when we try to apply. Please advise. Thanks in advance.

Regards,
Emil
Re: [Samba] Winbindd can't find ldap server
Are you actually storing your mappings on the ADS (instead of default tdb)? If so, I am interested to see your ADS schema modifications. I have been wondering if anyone has tried that yet. Otherwise, with security = ads, you do not need the idmap parm, it stores the mappings in the winbindd_idmap.tdb (or the cache). PS - I think it's idmap backend, not idmap_backend. Eric Roseme Hewlett-Packard

Tom Skeren wrote: Winbindd is erroring out with can't find ldap server. LDAP is ADS W2K, the samba server is 3.0.5 and net join ads succeeded. I have idmap_backend = ldap:ldap://ldap.mydomain.com. What am I missing?
Re: [Samba] Kerberos issue
Hi Mark, As a start, you can get the new updated version based upon 3.0.5 at: http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=CIFSTP3 We had some problems with the net command on 3.0.2 when doing the net ads join. It works fine with a W2000 KDC, and a W2003 KDC if you do some extra stuff with enctypes. Eric Roseme Hewlett-Packard

Rommel, Mark wrote: I am looking for any assistance on an issue I am currently experiencing with Samba and Kerberos. We have kerberos and LDAP client software on UNIX (HPUX 11.11), which authenticates with AD (Windows 2000) using SFU 3.0. All samba users are stored on Active Directory. The HP newest version of samba I do believe is 3.0.2 which from HP is a beta version. I have worked with HP for several weeks to get this to work. Basically I can't map any drives to any of our Windows 2000 workstation using the AD for login authentication. Get several different messages with no success every time HP wants me to try something different. Is anyone out having a similar problem and if how did you resolve it. HP has been somewhat helpful so I am looking for any suggestions from others.
Re: [Samba] Exclusive oplock left by process
There are several things to look into: 1. You updated from 2.0.7 to 3.0.5 (quite a jump!). Samba 2.2 and newer use many more locks than 2.0. Make sure that your kernel settings are correct. See http://marc.theaimsgroup.com/?l=sambam=109335467118507w=2 2. My versions of 3.0 actually default to strict locking = yes. Make sure that you have strict locking = no (do a testparm). 3. I interpret your earlier message to mean that your Samba server is an NFS client, and you are sharing NFS mounts. If your application is doing byte range locking (propagating locks over NFS) and strict locking over a WAN, it could be very slow. 4. From your description, it appears that you start an application, then disconnect the share. Look at the log file and make sure that the locks are being cleaned up prior to the disconnect and close. It should say something like posix_locking_close_file: file filename has no outstanding locks. I understand that you want to focus on what changed in 3.0.5. A lot has changed since 2.0.7, and it may take some troubleshooting to track it down. You can install HP CIFS Server 2.2.10 and see if you encounter the same behavior. If you do, then you can enter a Response Center call and have them troubleshoot it for you. Eric Roseme Hewlett-Packard [EMAIL PROTECTED] wrote: Hi Eric, Thank you for your response. I made changes in smb.conf file to disable oplocks. And use default for blocking locks. Now the exlusive oplock left by process error is gone. However, I am still experiencing the same problem that when people try to copy files from directories which were mounted through WAN or running some applications using files under these directories, the windows explorer/application kind of hang and became very slow. And I saw some processes left running on samba server even after user already disconnected the samba shares from windows explorer. 
The command smbstatus shows the process left running still locks some files, such as: 23933 DENY_NONE 0x20089 RDONLY NONE /disk1/samba/sr/cadence/cadence.log Thu Aug 26 17:33:37 2004 My procedure to produce this problem is that: I removed locking.tdb file after I stopped samba server. Then I start samba server and connect from Windows machine to the share, then tried to click on the file which located in directory mounted through WAN, then run into super slow. Then I disconnected share once I got control of windows explore. But there was/were process(processes) left running on samba server owned by me and they still held locks. In the meantime, the average round-trip ping time for 64 byte packets from the samba server to the NFS server through WAN is 15ms. Is it some kind of bug or is there still some configurations that I can change to make it work? Thank you very much for your help! Xiaoqin Qiu IT Infrastructure Services Organization Agilent Technologies, Inc. [EMAIL PROTECTED] -Original Message- From: eric roseme [mailto:[EMAIL PROTECTED] Sent: Thursday, August 26, 2004 9:04 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: [Samba] Exclusive oplock left by process I don't think that blocking locks is your problem. Jeremy just answered the question about releasing locks by clearing the lock files (tdbs), although again, I don't think it will affect your operation. His reply is at: http://marc.theaimsgroup.com/?l=sambam=109270256108878w=2 Eric Roseme Hewlett-Packard [EMAIL PROTECTED] wrote: Hi Eric, Thank you for your response. I will read the white paper that you wrote. I forgot to mention that in my smb.conf file for SAMBA 3.0.5, I have blocking locks = no. Should I set this? Or should I use the default blocking locks = yes? I also curious about if it is safe to remove all files(including locking.tdb, brlok.tdb, etc.) under /var/.../locks directory after I stop samba server? 
I can see your point to disable oplocks, however, I am still wondering how this upgrade from 2.0.7 (nmbd -V showed 2.0.7, smbd -V showed 2.0.9, NOT 2.2.7) to 3.0.5 introduced oplock problem since we use the default settings for both versions of samba. Thank you very much for your help! Xiaoqin Qiu IT Infrastructure Services Organization Agilent Technologies, Inc. [EMAIL PROTECTED] -Original Message- From: eric roseme [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 25, 2004 3:46 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: [Samba] Exclusive oplock left by process Hi Xiaoqin, It appears to me that oplock break wait time = 0 is the default on both 2.2 (2.2.10 for me) and 3.0 (3.0.2a for me). Unless you have a good reason for using oplocks, I suggest turning them off altogether (oplocks = no, level2 oplocks = no - so testparm does not complain that level2 is on when oplocks are off). Also, if you have NFS users accessing the same files that are being oplocked, you could have some data integrity problems. You can look at a whitepaper I did about oplocks at: http
Re: [Samba] Exclusive oplock left by process
I don't think that blocking locks is your problem. Jeremy just answered the question about releasing locks by clearing the lock files (tdbs), although again, I don't think it will affect your operation. His reply is at: http://marc.theaimsgroup.com/?l=sambam=109270256108878w=2 Eric Roseme Hewlett-Packard [EMAIL PROTECTED] wrote: Hi Eric, Thank you for your response. I will read the white paper that you wrote. I forgot to mention that in my smb.conf file for SAMBA 3.0.5, I have blocking locks = no. Should I set this? Or should I use the default blocking locks = yes? I also curious about if it is safe to remove all files(including locking.tdb, brlok.tdb, etc.) under /var/.../locks directory after I stop samba server? I can see your point to disable oplocks, however, I am still wondering how this upgrade from 2.0.7 (nmbd -V showed 2.0.7, smbd -V showed 2.0.9, NOT 2.2.7) to 3.0.5 introduced oplock problem since we use the default settings for both versions of samba. Thank you very much for your help! Xiaoqin Qiu IT Infrastructure Services Organization Agilent Technologies, Inc. [EMAIL PROTECTED] -Original Message- From: eric roseme [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 25, 2004 3:46 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: [Samba] Exclusive oplock left by process Hi Xiaoqin, It appears to me that oplock break wait time = 0 is the default on both 2.2 (2.2.10 for me) and 3.0 (3.0.2a for me). Unless you have a good reason for using oplocks, I suggest turning them off altogether (oplocks = no, level2 oplocks = no - so testparm does not complain that level2 is on when oplocks are off). Also, if you have NFS users accessing the same files that are being oplocked, you could have some data integrity problems. You can look at a whitepaper I did about oplocks at: http://www.docs.hp.com/hpux/onlinedocs/4501/CIFS_Oplock_Guideline.pdf Eric Roseme Hewlett-Packard [EMAIL PROTECTED] wrote: Hi all, We have a HP-UX 11i server running as a samba server. 
Users use Windows 2000 boxes with Service Pack 4 to connect to the samba server. Several days ago, we upgraded samba server from 2.0.7 to 3.0.5, and we started to experience the following problem: The general connection and access to the samba server is ok. However, under the samba share there have been some directories mounted from some other HP-UX 11i servers through WAN. When people try to copy files from these directories or running some applications using files under these directories, the windows explorer/application kind of hang and became very slow. But this type of tasks were successful using samba version 2.0.7. The problem only happened after the upgrade. I looked at the samba log file and found the following errors:
[2004/08/24 18:07:51, 0] smbd/oplock.c:request_oplock_break(1023) request_oplock_break: no response received to oplock break request to pid 27458 on port 54926 for dev = 430016a8, inode = 3310429, file_id = 24
[2004/08/24 18:07:51, 0] smbd/open.c:open_mode_check(680) open_mode_check: exlusive oplock left by process 27458 after break ! For file hped/sr/osclib_encode_def.atf, dev = 430016a8, inode = 3310429. Deleting it to continue...
[2004/08/24 18:07:51, 0] smbd/open.c:open_mode_check(684) open_mode_check: Existent process 27458 left active oplock.
Our WAN connection is pretty fast although it is a lot slower than LAN. And in the meantime, we had no problem accessing these directories using NFS. I read man pages and search the internet. Although there are several posts on the internet describing similar problem, I haven't found any solution. From the man page, parameter oplock break wait time caught my eyes. We have been using default value for both 2.0.7 and 3.0.5. However, the default value for this parameter seems getting changed from 10 to 0 (if that was not a typo). And we use default values for all oplock related parameters. Can I change this parameter to 10? The man page kind of made me be afraid of change this value. Will this help? 
And any suggestion about our problem? Thank you very much for your help! Xiaoqin Qiu IT Infrastructure Services Organization Agilent Technologies, Inc. [EMAIL PROTECTED]
Re: [Samba] Exclusive oplock left by process
Hi Xiaoqin, It appears to me that oplock break wait time = 0 is the default on both 2.2 (2.2.10 for me) and 3.0 (3.0.2a for me). Unless you have a good reason for using oplocks, I suggest turning them off altogether (oplocks = no, level2 oplocks = no - so testparm does not complain that level2 is on when oplocks are off). Also, if you have NFS users accessing the same files that are being oplocked, you could have some data integrity problems. You can look at a whitepaper I did about oplocks at: http://www.docs.hp.com/hpux/onlinedocs/4501/CIFS_Oplock_Guideline.pdf Eric Roseme Hewlett-Packard [EMAIL PROTECTED] wrote: Hi all, We have a HP-UX 11i server running as a samba server. Users use Windows 2000 boxes with Service Pack 4 to connect to the samba server. Several days ago, we upgraded samba server from 2.0.7 to 3.0.5, and we started to experience the following problem: The general connection and access to the samba server is ok. However, under the samba share there have been some directories mounted from some other HP-UX 11i servers through WAN. When people try to copy files from these directories or running some applications using files under these directories, the windows explorer/application kind of hang and became very slow. But this type of tasks were successful using samba version 2.0.7. The problem only happened after the upgrade. I looked at the samba log file and found the following errors: [2004/08/24 18:07:51, 0] smbd/oplock.c:request_oplock_break(1023) request_oplock_break: no response received to oplock break request to pid 27458 on port 54926 for dev = 430016a8, inode = 3310429, file_id = 24 [2004/08/24 18:07:51, 0] smbd/open.c:open_mode_check(680) open_mode_check: exlusive oplock left by process 27458 after break ! For file hped/sr/osclib_encode_def.atf, dev = 430016a8, inode = 3310429. Deleting it to continue... [2004/08/24 18:07:51, 0] smbd/open.c:open_mode_check(684) open_mode_check: Existent process 27458 left active oplock. 
Our WAN connection is pretty fast although it is a lot slower than LAN. And in the meantime, we had no problem accessing these directories using NFS. I read man pages and search the internet. Although there are several posts on the internet describing similar problem, I haven't found any solution. From the man page, parameter oplock break wait time caught my eyes. We have been using default value for both 2.0.7 and 3.0.5. However, the default value for this parameter seems getting changed from 10 to 0 (if that was not a typo). And we use default values for all oplock related parameters. Can I change this parameter to 10? The man page kind of made me be afraid of change this value. Will this help? And any suggestion about our problem? Thank you very much for your help! Xiaoqin Qiu IT Infrastructure Services Organization Agilent Technologies, Inc. [EMAIL PROTECTED]
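An added example, not part of the original thread and not Samba's own code: a small triage script for the oplock errors quoted in the messages above. It groups the request_oplock_break / open_mode_check entries by file (dev, inode) and counts break timeouts per holding smbd pid. The first three sample entries are the ones quoted in the thread; the last two are constructed, and only the [YYYY/MM/DD HH:MM:SS, level] header form is handled.

```python
import re
from collections import Counter

# Samba debug header, e.g. "[2004/08/24 18:07:51, 0] smbd/oplock.c:request_oplock_break(1023)".
# Samba writes the message on the following line(s); list archives often flatten
# everything onto one line, so messages are split on headers, not on newlines.
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), +(?P<level>\d+)\] +"
    r"(?P<src>[\w./-]+):(?P<func>\w+)\((?P<line>\d+)\)"
)
# The two message shapes shown in the thread ("exlusive" is Samba's own spelling,
# so the pattern does not depend on that word).
BREAK_TIMEOUT = re.compile(
    r"no response received to oplock break request to pid (\d+) on port (\d+) "
    r"for dev = ([0-9a-f]+), inode = (\d+)"
)
LEFT_OPLOCK = re.compile(
    r"oplock left by process (\d+) after break ! For file (.+?), "
    r"dev = ([0-9a-f]+), inode = (\d+)"
)

def parse_entries(text):
    """Split raw or flattened log text into entries (header fields + message)."""
    matches = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        entries.append({
            "ts": m["ts"],
            "level": int(m["level"]),
            "src": m["src"],
            "func": m["func"],
            "msg": " ".join(text[m.end():end].split()),
        })
    return entries

def summarize_oplock_failures(entries):
    """Return {(dev, inode): record} for files with failed oplock breaks."""
    report = {}

    def record(dev, inode):
        return report.setdefault((dev, int(inode)), {
            "file": None, "timeouts": 0, "forced_releases": 0,
            "holders": Counter(), "first": None, "last": None,
        })

    for e in entries:
        m = BREAK_TIMEOUT.search(e["msg"])
        if m:
            pid, _port, dev, inode = m.groups()
            r = record(dev, inode)
            r["timeouts"] += 1
            r["holders"][int(pid)] += 1
        else:
            m = LEFT_OPLOCK.search(e["msg"])
            if not m:
                continue
            _pid, path, dev, inode = m.groups()
            r = record(dev, inode)
            r["forced_releases"] += 1   # smbd deleted the oplock entry to continue
            r["file"] = path
        r["first"] = r["first"] or e["ts"]
        r["last"] = e["ts"]
    return report

def stalled_holders(report, min_timeouts=2):
    """Pids that ignored at least min_timeouts break requests across all files."""
    totals = Counter()
    for r in report.values():
        totals.update(r["holders"])
    return {pid: n for pid, n in totals.items() if n >= min_timeouts}

# Sample input: first three entries as quoted in the thread, last two constructed.
SAMPLE_LOG = """\
[2004/08/24 18:07:51, 0] smbd/oplock.c:request_oplock_break(1023)
  request_oplock_break: no response received to oplock break request to pid 27458 on port 54926 for dev = 430016a8, inode = 3310429, file_id = 24
[2004/08/24 18:07:51, 0] smbd/open.c:open_mode_check(680)
  open_mode_check: exlusive oplock left by process 27458 after break ! For file hped/sr/osclib_encode_def.atf, dev = 430016a8, inode = 3310429. Deleting it to continue...
[2004/08/24 18:07:51, 0] smbd/open.c:open_mode_check(684)
  open_mode_check: Existent process 27458 left active oplock.
[2004/08/24 18:09:02, 0] smbd/oplock.c:request_oplock_break(1023)
  request_oplock_break: no response received to oplock break request to pid 27458 on port 54926 for dev = 430016a8, inode = 3310431, file_id = 31
[2004/08/24 18:09:02, 2] smbd/open.c:open_file(246)
  user1 opened file hped/sr/readme.txt read=Yes write=No (numopen=1)
"""

if __name__ == "__main__":
    report = summarize_oplock_failures(parse_entries(SAMPLE_LOG))
    for (dev, inode), r in sorted(report.items()):
        print(dev, inode, r["file"], "timeouts:", r["timeouts"],
              "forced releases:", r["forced_releases"], "holders:", dict(r["holders"]))
    print("stalled smbd pids:", stalled_holders(report))
```

A pid that shows up repeatedly in the stalled list is the smbd to inspect first, for example with smbstatus as done later in the thread.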
Re: [Samba] CIFS Server 2.2j Pb with locking : No locks available
You probably did not tune nflocks for Samba. The default kernel variable will be exhausted quickly with Samba due to the extensive tdb locking. As long as you are doing nflocks, you might as well do the other stuff too:

nflocks
(10*maximum smbd)+(other apps + system)
example 1000 connected clients and baseline NFS system
(10*1000)+(2048) = 12048

nfile
((23+opens_per_smbd)*maximum smbd)+(other apps+system)
example 1000 connected clients and baseline NFS system
((23+7)*1000)+(8192)=38192

nproc
(maximum smbd)+(other apps+system)
example 1000 connected clients and baseline NFS system
(1000)+(1024)=2024

Eric Roseme Hewlett-Packard

Bernard Sagnol wrote: I 've installed Samba on my Hp-Ux station and can access the files with my Windows clients (a hundred client)...but one hour or more later i face a problem : Actual user : oK. New access : Ko.

Error message in the client logfile
2004/08/23 14:15:39, 0] tdb/tdbutil.c:(531) tdb(/var/opt/samba/locks/connections.tdb): tdb_lock failed on list 91 ltype=2 (No locks available)

Environment
HP Product : HP CIFS Server 2.2j downloaded from Hp web site. B8725AA A.01.11.02 HP CIFS Server on HP-UX 11.00

Smb conf :
[global]
security = share
[public]
browseable = yes
path = /public
public = yes
only guest = yes
writable = yes
printable = no
create mask = 777
Re: [Samba] Windows 2003 AD/Kerberos Ticket error
If you google for this you'll find a bunch of posts that pretty much explain everything. In short, W2003 krb defaults to rc4-hmac, and does not allow enctypes. So take your enctypes out of krb5.conf and let it do rc4-hmac, or you can read Q833708 and get the hotfix to recognize enctypes. I forget why the kinit works but the client logon does not. Eric Roseme Hewlett-Packard

Warbeck, Mark wrote: I'm attempting to configure Samba 3.0.4 to work with Windows 2003 Active Directory, mapping users' home directories automatically. Currently we use this method in production with Windows 2000 but wish to migrate to 2003. The problem seems to be Kerberos related. I was able to join the Linux box (RedHat 9) to the AD. I can do a kinit username successfully. Klist shows a valid ticket. When logging on to the W2K3 domain controller the mapping of the drive fails and the Samba log shows the following:
smbd/sesssetup.c:reply_spnego_kerberos(174) Failed to verify incoming ticket!

This is my smb.conf file (I've removed comments):
Begin File
#=== Global Settings
[global]
workgroup = w2k3
netbios name = file-svr
server string = Samba Server
log file = /var/log/samba/smbd.log
max log size = 50
security = ads
realm = W2K3.TEST
client signing = Yes
server signing = Yes
client use spnego = Yes
use spnego = Yes
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
dns proxy = no
# Share Definitions
[homes]
comment = Home Directories
browseable = no
writable = yes
End File

This is the krb5.conf (again, comments removed):
Begin File
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = W2K3.TEST
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
forwardable = true
proxiable = true
[realms]
W2K3.TEST = {
kdc = test-dc.w2k3.test
admin_server = test-dc.w2k3.test
default_domain = w2k3.test
}
[domain_realm]
.w2k3.test = W2K3.TEST
w2k3.test = W2K3.TEST
End File

The following packages are installed: samba-3.0.4-1 krb5-libs-1.2.7-14 krb5-workstation-1.2.7-14 krb5-devel-1.60-1 pam_krb5-1.60-1 The DNS servers are Windows 2000 SP4. Thanks for any suggestions. I've set this at maximum points since I really need to get it working. Mark -- Mark Warbeck Systems Engineer Engineering Science and Mechanics Virginia Tech 323A Norris Hall Mail Code 0219 Blacksburg, VA 24061 540.231.7489
Re: [Samba] Samba 3.0.2 on HPUX 11i with winbind; Get_Pwnam_internals didn't find user + NT_STATUS_NO_SUCH_USER
Hi Martin, The version that you have does not currently support winbind. I am working on that right now. Eric Roseme Hewlett-Packard

[EMAIL PROTECTED] wrote: Hey, I have trouble with a samba-installation ( version 3.0.2, HP-CIFS-Technology Preview ) on HPUX 11i. I want to setup a fileserver within a customer environment connecting into a windows 2000 domain, which contains a lot of trusted domains. I have joined the domain already and wbinfo brings me the list of users and groups. Also within the winbind_imap.tdb I see some entries which seem to map some windows-ids to unix ids. But when I try to connect to the share I always get asked for a password and even with the correct pw entered the connection fails. Here are some outputs from the logs

Log.%m
[Tue Jul 13 16:00:44 2004, 5] lib/username.c:Get_Pwnam_internals(251) Get_Pwnam_internals didn't find user [q904700]!
[Tue Jul 13 16:00:44 2004, 0] auth/auth_util.c:make_server_info_info3(1100) make_server_info_info3: pdb_init_sam failed!
[Tue Jul 13 16:00:44 2004, 5] auth/auth.c:check_ntlm_password(270) check_ntlm_password: winbind authentication for user [q904700] FAILED with error NT_STATUS_NO_SUCH_USER
[Tue Jul 13 16:00:44 2004, 2] auth/auth.c:check_ntlm_password(310) check_ntlm_password: Authentication for user [q904700] - [q904700] FAILED with error NT_STATUS_NO_SUCH_USER

log.winbindd
[Tue Jul 13 16:00:44 2004, 5] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(454) NTLM CRAP authentication for user [AUSTRIA]\[q904700] returned NT_STATUS_OK (PAM: 0)
[Tue Jul 13 16:00:44 2004, 3] nsswitch/winbindd_acct.c:winbindd_create_user(875) [24834]: create_user: user=(q904700), group=()
[Tue Jul 13 16:00:44 2004, 5] nsswitch/winbindd_acct.c:wb_getgrnam(521) wb_getgrnam: Did not find group (nobody)
[Tue Jul 13 16:00:44 2004, 5] nsswitch/winbindd.c:winbind_client_read(463) read failed on sock 28, pid 24834: EOF

I also found some errors within log.smbd, but those errors are moving from smbd to winbindd, depending which daemon is started first, the second one has that:
[Tue Jul 13 16:00:44 2004, 5] tdb/tdbutil.c:tdb_log(724) tdb(unnamed): tdb_brlock failed (fd=14) at offset 4 rw_type=2 lck_type=6: Permission denied

Configuration:
[global]
workgroup = Domainname
netbios name = CIFSTEST1
server string = Samba Test server
security = DOMAIN
encrypt passwords = Yes
password server = *
log file = /var/opt/samba/log.%m
max log size = 20480
load printers = No
dns proxy = No
wins server = 10.1.20.1
winbind separator = +
idmap uid= 5000-65000
idmap gid = 5000-65000
winbind enum users = yes
winbind enum groups = yes
template shell = /usr/bin/sh
guest account = pcguest
[shares]
Valid users is in format DOMAIN+USERNAME or @DOMAIN+GROUPNAME

Is there anybody who has seen this error and knows how to solve it? I also have the complete logs in debug-level 5 and 10 available, if they are useful. Thx br Martin Schretzmeier
Re: [Samba] Samba-W3K-ADS
My testing has shown that when using security = ads and specifying \\ipaddress\share, Kerberos fails with PRINCIPAL_UNKNOWN and auth then falls through (in my case, either NTLMv1 or NTLMv2 - I have tested with both). So maybe you should try it with your hostname, or hostname.FQDN, and check out what happens with ethereal. Maybe your fall-through auth-n is failing (easy to do with NTLMv2). Of course, these results are specific to my test environment, so maybe this is not pervasive behavior. Eric Roseme Hewlett-Packard

Ben Schmaus wrote:
Versions:
OS: Redhat ES Linux 3.0
Windows OS: Windows 2003 Active Directory
Samba: samba-3.0.5rc1-2_rh9.i386.rpm
Kerberos: krb5-1.3.4-i686-pc-linux-gnu.tar
Using Winbind: Yes
Objective: Allow Samba/Linux server to authenticate off of active directory to access Samba shares.
Problem: I can get to some shares, but not to the user home shares. When trying to access a user home share I get prompted for a password even though I have already connected to other shares with the same user name. And even if I enter the username and password, access is denied. I am currently trying this by doing a 'net use * \\ip address\home share'.

Smb.conf
[global]
workgroup = DOMAIN
netbios name = RCRH03
server string = RCRH03
security = ADS
realm = DOMAIN.COM
password server = 10.1.1.28
wins server = 10.1.1.28
client use spnego = yes
client signing = yes
encrypt passwords = yes
printcap name = cups
disable spoolss = Yes
show add printer wizard = No
idmap uid = 15000-2
idmap gid = 15000-2
winbind separator = +
winbind use default domain = Yes
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
use sendfile = Yes
printing = cups
ldap suffix = dc=domain, dc=com
winbind cache time = 0
log level = 10
log file = /var/log/samba.log
max log size = 500
debug timestamp = yes
[homes]
comment = Home Directories
valid users = %U
path = /home/%D/%U
public = Yes
read only = No
browseable = No
[apps]
comment = OSCAR
path = /apps
valid users = @dev, @REDHAT
admin users = @dev, @REDHAT
read only = No
browseable = Yes
[printers]
comment = All Printers
path = /var/spool/samba
printer admin = root
create mask = 0600
guest ok = Yes
printable = Yes
use client driver = Yes
browseable = No
[public]
comment = test
path = /spare
read only = No
browseable = Yes
Re: [Samba] Samba problem on HP-UX
You probably have the default HP-UX kernel values for nfiles and nflocks. You need to increase these for connecting more than 10 users. Here are formulas:

nflocks
(10*maximum smbd)+(other apps + system)
example 1000 connected clients and baseline NFS system
(10*1000)+(2048) = 12048

nfile
((23+opens_per_smbd)*maximum smbd)+(other apps+system)
example 1000 connected clients and baseline NFS system
((23+7)*1000)+(8192)=38192

Eric Roseme Hewlett-Packard

[EMAIL PROTECTED] wrote: Hi All, I am using samba 2.2.8a on HP-UX 11.11 server. The problem I am facing is that after making 10-12 shares, it does not allow new mappings. While trying from smbclient it is saying SMBSERVER failed . Kindly let me know any config options needs to be set in smb.conf Regds/Lalit Kapoor
[Samba] Tested: W2000 Hotfix (Q818528) with Terminal Server and Samba
I tested the Windows 2000 hotfix from Q818528 with Terminal Server and Samba. The hotfix adds the MultiUserEnabled registry parm which, when set to 1, essentially restores the MultipleUsersOnConnection behavior from NT4. With MultiUserEnabled on the Windows 2000 Terminal Server, Windows will start a new TCP session for each Terminal Server user, and Samba will start a new smbd for each TS user that mounts 1 or more Samba shares. It works as expected. The hotfix does not install on Windows 2003 Servers, though. Don't know about the plans for a 2003 hotfix. Eric Roseme Hewlett-Packard
Re: [Samba] Terminal server problem
I could not duplicate this behavior with W2003 Terminal Server and Samba 2.2.8a. Try reading the whitepaper about the differences of Terminal Server on NT4 versus W2000 and 2003, and how Samba is affected. The paper is at: http://swflug.org/modules.php?name=Downloadsd_op=viewdownloadcid=4 Eric Roseme Hewlett-Packard Vadim Fattakhov wrote: Hello We use samba 2.0.7 on Solaris 2.6. After upgrade domain from NT4 to 2003 AD we start to get problem on our terminal server windows 2000. First user connect to samba server and other cannot do it. I tried to use samba 2.2.8 - same problem. Any suggestions? Best regards, Vadim Fattakhov Frontline PCB SolutionsSystem Network Manager Phone: +972-8-9322183 (ext. 130), fax: +972-8-9322186
Re: [Samba] Samba and Terminal Server Whitepaper
Sorry about the Terminal Server Whitepaper attachment fiasco. HP will host both the Samba and the HP CIFS Server versions at www.docs.hp.com on January 30th. I'll post the actual url here. The versions are identical except for the nomenclature (hope I spelled that right). One of the list members will host it too - probably sooner. He will send out an announcement. Eric Roseme Hewlett-Packard Tim Potter wrote: On Sat, Jan 24, 2004 at 12:40:00PM -0800, Eric Roseme wrote: Attached is a 500KB read-only .doc file with a Samba and Terminal Server whitepaper. I have tried to hit every known issue and all available workarounds. If anyone has comments or suggestions, let me know. JT has it, so it should end up in the next How-To. Sorry about the file format, but the .pdf was 2.5MB, which I thought was too big to post. Whoops - the attachment was stripped by mailman. Eric, can you post a link to the document? 700KB (base64) is a little bit on the large side for the list. Tim.
Re: [Samba] W2K-TERMINAL SERVICES VS SAMBA 3
I have written a wordy whitepaper about Samba and Terminal Server. I'll post it to the list in a separate message. Eric Roseme Hewlett-Packard

Andrew Bartlett wrote: On Fri, 2004-01-23 at 03:13, Luis Alberto Reyes R. wrote: At the samba lists, we have found several old questions about problems with W2K-Terminal Services vs Samba (dated in December 2000). But we can't get actual information about HOW TODAY (January 2004) the problem is fixed. We have this situation and we need to solve it.

There are three main issues to consider regarding terminal services:
- As a DC of terminal-services member servers we failed to store the required information. This is fixed for tdbsam and ldapsam in currently rc 3.0.2.
- MAX_CONNECTIONS. The issue was that we would only allow 128 connections from a single terminal server. We now allow an unlimited number of shares to be connected, in currently rc 3.0.2
- All connections on the same TCP/IP connection. This is the worst issue, as far as terminal-server users are concerned. Unlike on client PCs, each and every session on a terminal server uses the same connection to Samba. This means that Samba slows down, as it switches between users, and as other delays in the system cause the entire scheme to block.

Both problems can be worked around, by making the win2k server think that the samba server has multiple identities. For example, an lmhosts file, or wins-server hacks, can give each user their own 'profile server', for loading their roaming profile and home server from. It's still the same server, but win2k doesn't know that. (you then need to modify each users properties). Andrew Bartlett
Re: [Samba] Re: Samba locking database errors : V 2.2.8 a on HP-UX 11i
HP-UX defaults nflocks at 200. At the default, you will run out of locks at about 20 client connections. You will need to bump nflocks and nfiles before trying to run at average usage levels. Eric Roseme Hewlett-Packard

Jérôme Fenal wrote: Foster, Ian (LogicaCMG) wrote: We are in the process of commissioning a new HP server (on HP-UX 11i) and have installed Samba which we have configured and used extensively before without major problems (though not this version - 2.2.8.a). Samba ran OK initially, but now we are getting failures with messages of 'smbd[pid] Cannot initialize locking database' and 'no locks available' logged to the syslog and no new connections can be established (can not even browse - get message 'Network name could not be found'). This can only be cleared by restarting the daemons. I have checked our smb.conf file with the testparm utility and this looks ok, and checked the parameters (including the defaults) against the smb.conf man page at samba.org in an attempt to identify any bad config. I have also verified the obvious - that the lock directory exists and the permissions are correct (if they didn't I guess it would fall over straight away). I have attached a dump of our global definitions for inspection. Has anybody any ideas what may be causing this ? I have checked the Samba web pages without success. Is there a bad locking option here - or some other samba / kernel threshold we are hitting ? If I can't resolve this the filestore is going to NT ! Any help very gratefully received.

Hi, could you send the real smb.conf, since RTF encoded testparm output is bit clumsy to read...? I read in the testparm dump that you are in 'security=server' mode. Do you really need it? Does your server participate in a domain? 2.2.8a can happily participate in a NT4 or an NT4 compat on ADS domain. And could you check with Sam the limits of the HP-UX kernel (number of processes for the system, by user, max number of open files, etc.)? 
I'll check tomorrow on HP-UX server at work what kernel parameters could hit Samba. Could you also set 'log level=' to a bit more than 1 to see more output in the logs? That would help. Regards, J. -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba opens many files.
I agree that it's a silly way to organize things, but there are many CAD customers serving legacy NFS design environments that are experiencing this issue daily. This single problem will cause more migrations from Samba to Windows than any other I have seen - at least for big iron. I have been trying to find ways to mitigate the effect - and certainly turning off mangling helps (I have seen VERYlongFILEname1234.PARTname - and 12,000 of these). Also setting case sensitive = yes helps a little bit. But we can't get past doing what appears to be multiple stats for each object. Any creative suggestions are welcome.

Jeremy Allison wrote:

On Tue, Nov 18, 2003 at 04:26:19PM +0100, Markus Wenke wrote:

Hi, I have a dir with more than 16000 files in it. If I click with MS-Explorer on this Dir to see which files are in it, smbd opens every file and so it takes some seconds to show this Dir! (and CPU usage is at 100%). The logfile says smbd does this for every file:

[2003/11/18 16:06:58, 2] smbd/open.c:open_file(246) USERX opened file /path/to/file.txt read=Yes write=No (numopen=1)

Is this behavior normal?

Yes. Explorer is reading each file for thumbnail etc. info.

Can I avoid this with conf-settings?

No. Don't have a directory with more than 16000 files. That's a silly way to organise things.

Jeremy.
[Samba] netdom secure channel reset
I have been playing with the Windows netdom command to reset the Samba secure channel to the Windows DC:

netdom reset sambaserver /domain:windowsdomain

Traces and logs show that it sends a bunch of lsarpcs (LSA_QUERYINFOPOLICY) to the Samba server, but I cannot determine what it is actually doing (I assume that it would read or write to secrets.tdb).

Has anyone tried this before?

Thanks,
Eric Roseme
Re: SV: [Samba] Samba-Citrix compatability
John and/or Andrew,

I created some slides diagramming this issue in simplistic terms for Microsoft management when I was attempting to persuade them to uncomment the MultipleUsersOnConnection code from the W2000 redirector (to no avail). If you think that they could be useful for officially documenting the issue, I can email you the pdf directly (I do not want to dump a big file in everyone's inbox).

Eric Roseme

John H Terpstra wrote:

On Tue, 4 Nov 2003 [EMAIL PROTECTED] wrote:

I have searched for some FAQ/HOWTO regarding Citrix/Metaframe to no avail. (Like this one http://samba.org/~jht/HOWTO/Samba-HOWTO-Collection.pdf ) What I would like to see in such a FAQ/HOWTO:

Are you willing to help write this? You too can make a difference you know!

- Compilation issues regarding Citrix/metaframe
  - ie the need to increase the MAX_CONNECTION setting before compilation
  - ie how to compile samba to a 64 bit application to get more available file descriptors (problem for solaris)
- the need to tweak the /etc/system settings (ie set rlim_fd_max = number)
- oplocks settings in smb.conf
- the single smbd process issue and workaround(s) (wins and DNS-proxy/netbios names?)
- the home-share issue and problem

All these issues, and probably more, I feel are related to Citrix/metaframe vs. Samba. If I am wrong and somewhere there is a FAQ regarding this then all the better. Just need to find it. ;-) If not then it is most needed.

Good points! Will you contribute some text that we can add to the HOWTO? Information like this gets documented when someone with your kind of passion writes some basic guidelines and contributes it to the HOWTO. Please do not leave this to others, while the needs are fresh in your mind please write a few paragraphs on each and send them to me for inclusion.

Cheers,
John T.

And Samba4? What is this? :-) Due 2005?

Kind regards
Per Kjetil Grotnes
Some governmental department in Norway

Andrew Bartlett
Sent: 4 November 2003 02:20

On Tue, Nov 04, 2003 at 11:55:25AM +1100, DAVIES Rob wrote:

G'day, We are having problems when connecting to our Solaris 8 server Zeus from our Windows 2000 Terminal Servers.

I think you might be hitting two of the nastiest bugs with that combination. Firstly, there are issues with Solaris 8, and TDB locks, for which there is a solaris kernel patch (it's an fcntl issue).

But more importantly, there is an issue caused by the way Windows Terminal Server clients connect - they all use the same smbd. This causes all their operations to be serialised, even worse if something blocks.

The best solution is to call your system by as many names as possible. For example, call it by one name per user, particularly for roaming profiles. (So make a user's profile path/homedir \\zeus-username\username or the like). Use DNS (with a samba wins server set to 'dns proxy') or fixed entries in your wins.dat, or an lmhosts file, to force the multiple names. Samba doesn't mind what it gets called.
Re: [Samba] Samba and MC/Service Guard
I believe that the HP Response Center has taken calls from Wal-Mart on CIFS/9000 Server (HP's supported version of Samba), so I think that at least some Wal-Mart sites are running CIFS/9000.

In any case, CIFS/9000 Server has MCSG scripts (.cntl,.conf,.mon) in /opt/samba/HA/ under active_active or active_standby. In addition, there are detailed instructions on how to configure MCSG with the relocatable IP address and NetBIOS alias in the README file. The same instructions are available in the CIFS/9000 Server manual.

You can get a copy of the manual at http://www.docs.hp.com/hpux/netcom/index.html#CIFS/9000. You can download CIFS/9000 Server for free from http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B8725AA.

Eric Roseme
Hewlett-Packard

Dan Doffermyre wrote:

Samba friends,

I work in Wal-Mart's IT department, specifically with Unix Servers of various flavors, but HP-UX is predominant in our Home Office environment. I recently built a two node HA cluster on HP 11.11 boxes. I want to be able to have Samba use the virtual name of my cluster. Currently Samba is configured to use the hardcoded box name, however if the box happens to go down, we have to go in and reconfigure the clients to point to the secondary box name. Sure would be nice to point everything to the virtual name.

So I was wondering if you have any documents that explain how you would go about setting up Samba with HP's MC/Service Guard?

Thanks,
Dan Doffermyre
[EMAIL PROTECTED]
805 Moberly Ln. Bentonville, AR 72716
(479)277-3942
Re: [Samba] Any good how tos to configure samba on HPUX?
I have written a brief summary of winbind and a simple cookbook installation guide for winbind on HP-UX 11. This is limited to the pre-compiled binaries that are supplied on samba.org for HP-UX.

http://us1.samba.org/samba/ftp/Binary_Packages/hp/

Currently available are 2.2.5 and 2.2.7, with and without winbind. If you would like the winbind document, email me at [EMAIL PROTECTED]

From your post it is not clear if you also would like a Samba-on-HPUX configuration guide. There are installation manuals for CIFS/9000 Server (Samba bundled with HP-UX) at:

http://www.docs.hp.com/hpux/netcom/index.html#CIFS/9000

Eric Roseme
Hewlett-Packard

Jennifer Fountain wrote:

Does anyone know where I can find a good how to to configure winbind and samba on a HPUX box?

Thanks
Re: [Samba] Samba Citrix
I pasted this in from a reply I did on 8/3/2002. It's in the archives:

Your problem may be related to the Windows 2000 Terminal Servers. Samba does not work well under heavy loads with Terminal Server on Windows 2000. Microsoft commented out the MultipleUsersOnConnection code from their Windows 2000 redirector.

On NT 4.0 Terminal Server, the MultipleUsersOnConnection registry parameter was used to establish a separate VC (TCP connect) for every TS user who opened a share from the TS to a particular Samba server. On Windows 2000 TS - without the MultipleUsersOnConnection registry parameter - only one TCP VC gets established from the TS to a Samba server. Thus, all TS users who mount a Samba share will use the same TCP connection, and thus the same smbd. If you have multiple users from one Windows 2000 TS writing to the Samba server via one smbd, I could see how problems might arise.

If you have access to a NT4.0 Terminal Server, you could try testing it with the MultipleUsersOnConnection parameter enabled (see Q190162). Also, you could try testing your DB application against the Samba server without the Terminal Server.

Eric Roseme
Hewlett-Packard

Rory D. Hudson wrote:

Hello Everybody,

I hope everybody is doing well and that you can help me out as I am approaching my wits end. I am running a Citrix server on a Windows 2000 SP 3 server. One of my published applications on this server needs to access samba for multiple users. So basically every user who logs on to the Citrix server needs to have access to their home directory on our Unix server. Sometimes this works fine and other times it errors out. Once it errors out it does not seem to want to allow access back in for quite some time. Looking at the log for the machine I get this.

[2002/11/26 12:23:37, 0] passdb/pdb_smbpasswd.c:(1367) unable to open passdb database.
[2002/11/26 12:24:10, 0] passdb/pdb_smbpasswd.c:(1367) unable to open passdb database.
[2002/11/26 12:24:10, 0] passdb/pdb_smbpasswd.c:(1367) unable to open passdb database.
[2002/11/26 12:24:41, 0] passdb/pdb_smbpasswd.c:(1367) unable to open passdb database.
[2002/11/26 12:24:41, 0] passdb/pdb_smbpasswd.c:(1367) unable to open passdb database.

Any clues as to what might be happening would be greatly appreciated.

Thanks for the help
Rory Hudson
Information Systems
Zumiez, Inc.
Re: [Samba] MSVC TerminalServer Speed
As long as I am replying to the other guy about Terminal Server, I'll paste the same reply here. If your Terminal Server is on NT4, set MultipleUsersOnConnection. Here is what I pasted from an earlier post in the archives (8/03/2002):

Your problem may be related to the Windows 2000 Terminal Servers. Samba does not work well under heavy loads with Terminal Server on Windows 2000. Microsoft commented out the MultipleUsersOnConnection code from their Windows 2000 redirector.

On NT 4.0 Terminal Server, the MultipleUsersOnConnection registry parameter was used to establish a separate VC (TCP connect) for every TS user who opened a share from the TS to a particular Samba server. On Windows 2000 TS - without the MultipleUsersOnConnection registry parameter - only one TCP VC gets established from the TS to a Samba server. Thus, all TS users who mount a Samba share will use the same TCP connection, and thus the same smbd. If you have multiple users from one Windows 2000 TS writing to the Samba server via one smbd, I could see how problems might arise.

If you have access to a NT4.0 Terminal Server, you could try testing it with the MultipleUsersOnConnection parameter enabled (see Q190162). Also, you could try testing your DB application against the Samba server without the Terminal Server.

Eric Roseme
Hewlett-Packard

Marris, Dunstan wrote:

Hi,

Back in 1997 the list was full of tips on making Microsoft Visual C++ Studio (v6) use files over Samba (v2.2.2 on Solaris). Could someone please point me to the definitive answers... (beyond speed.txt?) and their current status.

We have an added complication of having 5 developers using each NT4 box over citrix/Terminalserver. Some days we are fine, but some days we slow to a crawl of over a minute to open each small text file... Meanwhile the NT box has minimal CPU used, the file server is large, fast and happy, and the number of Samba cached files is reasonably low.

Thanks for any help you can suggest,
Dunstan
[Samba] Oplock Usage Recommendations Whitepaper
I have written a whitepaper for CIFS/9000 Server (Samba on HP-UX) that discusses some rudimentary usage recommendations for oplocks. Due to the recent discussion about oplocks on the list, I have edited the paper to be more generic for Samba on HP-UX and converted it to plain text. It's still 7 pages long, so it may be inappropriate to paste into an email.

If there is any interest in it, I can distribute it to the list, either as embedded text, an attachment, or maybe on the website. Let me know what method is best (if any).

Eric Roseme
Hewlett-Packard
[Samba] Oplocks Usage Recommendations Whitepaper (with attachment)
Here is Oplocks Usage Recommendations Whitepaper for Samba on HP-UX (originally was written for CIFS/9000 Server on HP-UX). Note that the intended audience is/are HP-UX customers who have questions and concerns about when to configure oplocks. This is intended as a rudimentary guide to help avoid the most obvious oplock pitfalls. Hopefully the plain text alignments hold up well for most editors. Word messes things up.

Thanks,
Eric Roseme
Hewlett-Packard

HP-UX Samba Opportunistic Locking Usage Recommendations
Eric Roseme, Hewlett-Packard
October, 2002

Contents

Legal Notices
Chapter 1 Introduction
Chapter 2 Opportunistic Locking Overview
Chapter 3 Samba Oplock Configuration
Chapter 4 Opportunistic Locking Recommendations
  4.1 Exclusively Accessed Shares
  4.2 Multiple-Accessed Shares or Files
  4.3 Unix or NFS Client Accessed Files
  4.4 Slow and/or Unreliable Networks
  4.5 Multi-User Databases
  4.6 PDM Data Shares
  4.7 Force User
  4.8 Advanced Samba Opportunistic Locking Parameters
  4.9 Mission Critical High Availability
Chapter 5 Summary

Chapter 1 Introduction

Samba on HP-UX manages file access among Windows clients with Windows style file locking. It applies a very effective set of file locking features that are managed by the user-space client processes on the server, and provides excellent data security and integrity in a multi-user environment. Samba also integrates some Windows locking protocols with the underlying HP-UX operating system locking protocols, and therefore provides some interoperability with UNIX and NFS style file locking.

Opportunistic Locking is a unique Windows file locking feature. It is not really file locking, but is included in most discussions of Windows file locking, so is considered a de facto locking feature. Opportunistic Locking is actually part of the Windows client file caching mechanism. It is not a particularly robust or reliable feature when implemented on the variety of customized networks that exist in enterprise computing, but can be effective in providing modest perceived performance optimization.

Like Windows, Samba implements Opportunistic Locking as a server-side component of the client caching mechanism. Because of the lightweight nature of the Windows feature design, effective configuration of Opportunistic Locking requires a good understanding of its limitations, and then applying that understanding when configuring data access for each particular customized network and client usage state.

Chapter 2 Opportunistic Locking Overview

OPPORTUNISTIC LOCKING (Oplocks) is invoked by the Windows file system (as opposed to an API) via registry entries (on the server AND client) for the purpose of enhancing network performance when accessing a file residing on a server. Performance is enhanced by caching the file locally on the client which allows:

Read-ahead: The client reads the local copy of the file, eliminating network latency
Write caching: The client writes to the local copy of the file, eliminating network latency
Lock caching: The client caches application locks locally, eliminating network latency

The performance enhancement of oplocks is due to the opportunity of exclusive access to the file - even if it is opened with deny-none - because Windows monitors the file's status for concurrent access from other processes.

Windows defines 4 kinds of Oplocks:

Level1 Oplock - The redirector sees that the file was opened with deny none (allowing concurrent access), verifies that no other process is accessing the file, checks that oplocks are enabled, then grants deny-all/read-write/exclusive access to the file. The client now performs operations on the cached local file. If a second process attempts to open the file, the open is deferred while the redirector breaks the original oplock. The oplock break signals the caching client to write the local file back to the server, flush the local locks, and discard read-ahead data. The break is then complete, the deferred open is granted
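
The Level1 oplock sequence described in the whitepaper text above, as a small Python model. This is an added example, not part of the original post and not Samba code; the class names, method names and the file name design.dat are hypothetical, and the model leaves the former holder uncached after the break as a simplification.

```python
# Added illustration: toy model of the Level1 oplock sequence. All names are
# hypothetical; this is not Samba or Windows redirector code.

class Server:
    def __init__(self):
        self.files = {}    # path -> bytes stored on the server
        self.holder = {}   # path -> client holding the Level1 oplock
        self.opens = {}    # path -> number of opens granted so far
        self.events = []   # ordered trace of oplock decisions

    def open(self, client, path):
        # Assumes each client opens a given path only once.
        holder = self.holder.get(path)
        granted = "none"
        if holder is not None:
            # Second opener: defer its open until the oplock is broken.
            self.events.append(f"defer open by {client.name}")
            self.events.append(f"break oplock held by {holder.name}")
            holder.on_oplock_break(self, path)
            del self.holder[path]
            self.events.append(f"grant deferred open to {client.name}")
        elif self.opens.get(path, 0) == 0:
            # Nobody else has the file open: grant exclusive caching.
            self.holder[path] = client
            self.events.append(f"grant level1 to {client.name}")
            granted = "level1"
        self.opens[path] = self.opens.get(path, 0) + 1
        return granted


class Client:
    def __init__(self, name):
        self.name = name
        self.oplock = {}    # path -> "level1" or "none"
        self.cache = {}     # path -> locally cached contents
        self.dirty = set()  # paths with writes not yet on the server
        self.locks = {}     # path -> locally cached byte-range locks

    def open(self, server, path):
        self.oplock[path] = server.open(self, path)
        if self.oplock[path] == "level1":
            self.cache[path] = server.files.get(path, b"")  # read-ahead

    def write(self, server, path, data):
        if self.oplock[path] == "level1":
            self.cache[path] = data      # write caching, no network I/O
            self.dirty.add(path)
        else:
            server.files[path] = data    # write-through

    def read(self, server, path):
        cached = self.oplock[path] == "level1"
        return self.cache[path] if cached else server.files.get(path, b"")

    def lock(self, path, start, length):
        # Lock caching; uncached lock requests are not modelled.
        if self.oplock[path] == "level1":
            self.locks.setdefault(path, []).append((start, length))

    def on_oplock_break(self, server, path):
        # Write the local copy back, flush locks, discard read-ahead data.
        if path in self.dirty:
            server.files[path] = self.cache[path]
            self.dirty.discard(path)
            server.events.append(f"{self.name} wrote cached data back")
        self.locks.pop(path, None)
        self.cache.pop(path, None)
        self.oplock[path] = "none"   # simplification: uncached afterwards


def run_scenario():
    server, a, b = Server(), Client("A"), Client("B")
    server.files["design.dat"] = b"v1"     # constructed sample file
    a.open(server, "design.dat")
    a.lock("design.dat", 0, 2)
    a.write(server, "design.dat", b"v2")   # stays in A's cache
    before = server.files["design.dat"]    # server copy is still v1
    b.open(server, "design.dat")           # triggers the break
    after = b.read(server, "design.dat")
    return server.events, before, after, a.oplock["design.dat"], a.locks
```

Between A's cached write and the break, the server copy still holds the old contents, which is what any reader that bypasses the oplock protocol and reads the server copy directly would see.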
Re: [Samba] Tuning SaMBa in HP/UX 10.20 (200 Users)...
Our tests with CIFS/9000 Server on HP-UX 11.x have shown that on 2.2.3a an smbd is allocated about 1Mb at start-up. Extensive name mangling can cause memory usage to increase to 2.5Mb per smbd if the connection is active for an extended period of time.

Also, with 2.2.3a you should adjust your HP-UX kernel variables NFILES and NFLOCKS. Do a search in the archive to see previous messages about these parms.

Eric Roseme

Info - Demerson wrote:

Hullo All,

I'm planning to build a SaMBa Server in HP/UX 10.20, just for sharing some stuff to at least 200 users. Well, I have SaMBa running in HP/UX machines and according to top, each SaMBa process (smbd) takes about 2,1Mb of total memory. I wonder if there's some clue to reduce the amount of memory per smbd... Anybody knows that?

Thanks in advance...

Demerson Zounar
Analista de Suporte
[EMAIL PROTECTED]
Secondary WINS Enhancement
Did the secondary WINS server config enhancement go into 3.0? The original was submitted by Dave Olker of HP about 2 years ago, then Chris Hertel picked it up and was re-designing it. What is the current status? Note that this is *not* redundant WINS or WINS sync. This is to be able to configure a secondary MS WINS server in smb.conf. Thanks, Eric Roseme Hewlett-Packard