Re: [Samba] write problem from mac osx 10.8.5 clients to samba 4
Hey Athan,

In order to do what you want, this is what I would do in my environment:

I would create the share in my smb.conf. Then create the directory on the server. I would populate a group for using the share, either on the server using samba-tool or using the snap-in. Then jump over to my Windows 7 machine, go to \\MY_SERVER, right-click my share > Security tab, and set full control permissions to CREATOR OWNER, SYSTEM, Domain Admins, and the group that's been created for this share.

I would then instruct the people in that group that in order to access the share they need to open a Finder, click Go > Connect to Server. Then they would need to mount the share using smb://MY_SERVER/SHARE ...they may need to enter their AD credentials at this point.

I have no idea what the map UID, GUID implications are in Directory Utility, sorry!

Good luck!

On Fri, Oct 4, 2013 at 10:02 AM, Athan DE JONG athan.dej...@yahoo.fr wrote:

Hi Jason,

Thanks for your answer! Sorry for the delay of my reply, I'm very busy these days. Glad to hear that you were able to deploy OSX in Samba! So your Mac OSX is bound and you can read/write to your home directory on the server? Can you read/write to another Samba share?

My problem is a little different as I'm not using roaming profiles. The choice of Samba 4 was that we later have to set up mail service on the same server and so we will be able to use the AD for this later.

My goal for the moment is to share a public folder for a specific group of users! My Mac OSX is bound to AD. I am able to read and delete files but not to write files to the Samba share. My Mac user has full ACL and POSIX rights for the test, and the message from Finder is that I don't have access to some of the items.

As I'm really not a Mac specialist, I was asking myself what about the map UID, GUID options in the Directory Utility advanced options?

Thanks again for your detailed answer, maybe you can give me another hint :)

Kind regards,
Athan

--
*From:* Jason MacChesney jason.macches...@ecacs16.ab.ca
*To:* Athan DE JONG athan.dej...@yahoo.fr
*Cc:* samba@lists.samba.org samba@lists.samba.org
*Sent:* Thursday, 3 October 2013, 16:40
*Subject:* Re: [Samba] write problem from mac osx 10.8.5 clients to samba 4

Hey Athan,

I was able to deploy OSX in a samba4 environment. Here is my procedure:

Go to System Preferences > User and Groups and create a new account with admin privileges. This will be developed into a default profile for domain users.
Log out and in with the user.
Open Keychain Access and delete Login.
Spend some time opening all the applications on the operating system, registering all welcome prompts, and performing all necessary updates/changes.

***THIS MAY BE WHAT YOU'RE LOOKING FOR***
Go back to System Preferences > User and Groups. Right-click the appropriate account > Advanced Options: set the Home Directory to smb://[REALM_OF_DC]/$USER

Open a terminal:

    sudo rm /Users/[new_default_account]/Library/Caches/*
    sudo rm -rf /System/Library/User\ Template/English.lproj/*
    cd /System/Library/User\ Template/English.lproj/
    sudo rsync -rav /Users/[new_default_account]/ .

(that's a period, so you're copying into the present working directory above)

Apple > Recent items > Clear Menu
Reboot into your normal Admin account.
Disk utility > repair disk permissions
Delete the account that's been set up.

As Admin, let's bind to the domain controller. Head back to Users and Groups and head to Login Options.
Edit Network Account Server > Open Directory Utility > Active Directory
Bind to your active directory FQDN.
Under User Experience, uncheck both "Create mobile account at login" and "Force local home directory on startup disk".

The one other clincher, I think, was going to the ADUC snap-in and mapping the home directory for all users.

On Thu, Oct 3, 2013 at 6:04 AM, Athan DE JONG athan.dej...@yahoo.fr wrote:

Hi,

I have set up a Samba 4 DC with a mixed client environment. My problem is that the Mac OSX clients are unable to write to a Samba 4 share.

I tested Mac OSX clients on a normal Windows 7 share and it works fine.
I tested Mac OSX clients on a Samba 3.5 .. share and everything works fine.

As I am in a professional environment and all the Windows clients are already bound to the Samba 4 domain, I cannot step back to Samba 3. My Mac OSX clients are bound and I'm able to view/edit Active Directory from the Mac. My only issue is that I cannot write to the Samba 4 shares.

I have verified all about permissions, and my thought is that Mac OSX confuses Unix and ACL rights. Is there a workaround or a special thing to do regarding UID map, GUID map?

Please be aware that I'm not a Mac specialist, but have to handle it because of professional reasons. I have been searching for a solution for weeks now and really need some help!

Kind regards

--
To unsubscribe from this list go to the following URL and read
Re: [Samba] write problem from mac osx 10.8.5 clients to samba 4
Hey Athan,

I was able to deploy OSX in a samba4 environment. Here is my procedure:

Go to System Preferences > User and Groups and create a new account with admin privileges. This will be developed into a default profile for domain users.
Log out and in with the user.
Open Keychain Access and delete Login.
Spend some time opening all the applications on the operating system, registering all welcome prompts, and performing all necessary updates/changes.

***THIS MAY BE WHAT YOU'RE LOOKING FOR***
Go back to System Preferences > User and Groups. Right-click the appropriate account > Advanced Options: set the Home Directory to smb://[REALM_OF_DC]/$USER

Open a terminal:

    sudo rm /Users/[new_default_account]/Library/Caches/*
    sudo rm -rf /System/Library/User\ Template/English.lproj/*
    cd /System/Library/User\ Template/English.lproj/
    sudo rsync -rav /Users/[new_default_account]/ .

(that's a period, so you're copying into the present working directory above)

Apple > Recent items > Clear Menu
Reboot into your normal Admin account.
Disk utility > repair disk permissions
Delete the account that's been set up.

As Admin, let's bind to the domain controller. Head back to Users and Groups and head to Login Options.
Edit Network Account Server > Open Directory Utility > Active Directory
Bind to your active directory FQDN.
Under User Experience, uncheck both "Create mobile account at login" and "Force local home directory on startup disk".

The one other clincher, I think, was going to the ADUC snap-in and mapping the home directory for all users.

On Thu, Oct 3, 2013 at 6:04 AM, Athan DE JONG athan.dej...@yahoo.fr wrote:

Hi,

I have set up a Samba 4 DC with a mixed client environment. My problem is that the Mac OSX clients are unable to write to a Samba 4 share.

I tested Mac OSX clients on a normal Windows 7 share and it works fine.
I tested Mac OSX clients on a Samba 3.5 .. share and everything works fine.

As I am in a professional environment and all the Windows clients are already bound to the Samba 4 domain, I cannot step back to Samba 3. My Mac OSX clients are bound and I'm able to view/edit Active Directory from the Mac. My only issue is that I cannot write to the Samba 4 shares.

I have verified all about permissions, and my thought is that Mac OSX confuses Unix and ACL rights. Is there a workaround or a special thing to do regarding UID map, GUID map?

Please be aware that I'm not a Mac specialist, but have to handle it because of professional reasons. I have been searching for a solution for weeks now and really need some help!

Kind regards

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Classic Upgrade: Unable to enumerate group memberships
Hello.

I'm using Version 4.0.8-SerNet-Ubuntu-5.precise

(Also, a heads up on this release; the folder /var/run/samba must be created upon reboot. When starting Samba I get this error:
ERROR: can't open /var/run/samba/samba.pid: Error was No such file or directory)

So anyway, when trying to do a classic upgrade/migration in order to preserve authentication information on a new domain. After rsyncing the required files over and downloading samba4, I execute this command:

samba-tool domain classicupgrade --dbdir=samba --use-xattrs=yes --realm=[domain_name_of_samba3] smb.conf

Reading smb.conf
Provisioning
Exporting account policy
Exporting groups
Ignoring group 'Domain Admins' S-1-5-21-2050790810-484269470-3964389469-1001 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'Students' S-1-5-21-2050790810-484269470-3964389469-1045 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'exams' S-1-5-21-2050790810-484269470-3964389469-1374 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'Teachers' S-1-5-21-2050790810-484269470-3964389469-1046 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
Exporting users
Ignoring group memberships of 'PORTAGE-E49E7EA$' S-1-5-21-2050790810-484269470-3964389469-1158: Unable to enumerate group memberships, (-1073741724,No such user)
Ignoring group memberships of 'OUTREACH-04$' S-1-5-21-2050790810-484269470-3964389469-1036: Unable to enumerate group memberships, (-1073741724,No such user)

...over and over for each user.

Then the usual provisioning info displays and the AD is up and running, then this message:

DOMAIN SID:S-1-5-21-2050790810-484269470-3964389469
Importing WINS database
ERROR(ldb): uncaught exception - Entry name=OUTREACHLAB-07,type=0x20 already exists
File /usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py, line 175, in _run
return self.run(*args, **kwargs)
File /usr/lib/python2.7/dist-packages/samba/netcmd/domain.py, line 1318, in run
useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
File /usr/lib/python2.7/dist-packages/samba/upgrade.py, line 860, in upgrade_from_samba3
import_wins(Ldb(result.paths.winsdb), samba3_winsdb)
File /usr/lib/python2.7/dist-packages/samba/upgrade.py, line 365, in import_wins
address: ips})

I've tried migrating the groups before/after/in between, according to this:
https://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO#Migrating_Groups

Samba-tool seemed to be inconsistent in this regard, sometimes adding a group without issue, sometimes failing due to a bad dn (possibly, I forget the error.) Regardless, the users would never add to AD.

So any direction would be valued at this point. Thanks!

(Here's the smb.conf I'm working with:)

[global]

## Browsing/Identification ###

netbios name = PROTEUS

# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = BSO

# server string is the equivalent of the NT Description field
server string = %h server

# This gets rid of a bunch of stupid error messages in the logs
smb ports = 139

# Act as a time server
time server = yes

wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z

# This will prevent nmbd to search for NetBIOS names through DNS.
dns proxy = no

# What naming service and in what order should we use to resolve host names
# to IP addresses
; name resolve order = lmhosts host wins bcast

### Networking ###

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
; interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = yes

### Debugging/Accounting ###

log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d

### Authentication ###

security = user
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
server signing = auto

## Domains ###

domain logons =
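
An added example, not part of the original post and not Samba's own code: a small parser for the "Ignoring group ..." warnings quoted above, listing every group and account whose memberships classicupgrade dropped so they can be re-checked afterwards (a skipped 'Domain Admins' matters most). It also converts the signed status number to the usual unsigned NTSTATUS form (0xC0000066 is STATUS_NO_SUCH_GROUP, 0xC0000064 is STATUS_NO_SUCH_USER); the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample lines copied from the output quoted in the post above.
SAMPLE_LOG = """\
Exporting groups
Ignoring group 'Domain Admins' S-1-5-21-2050790810-484269470-3964389469-1001 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'Students' S-1-5-21-2050790810-484269470-3964389469-1045 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
Exporting users
Ignoring group memberships of 'PORTAGE-E49E7EA$' S-1-5-21-2050790810-484269470-3964389469-1158: Unable to enumerate group memberships, (-1073741724,No such user)
"""

# Matches both shapes: "Ignoring group 'X' SID ..." and "Ignoring group memberships of 'X' SID: ...".
WARNING = re.compile(
    r"^Ignoring group (?P<member>memberships of )?'(?P<name>[^']+)' "
    r"(?P<sid>S-1-[\d-]+).*\((?P<code>-?\d+),(?P<text>[^)]*)\)\s*$"
)

def ntstatus_hex(code):
    """Render the signed 32-bit value from the log as an unsigned NTSTATUS."""
    return "0x%08X" % (code & 0xFFFFFFFF)

def parse_skipped(log_text):
    """Return one record per principal that the upgrade log reports as ignored."""
    records = []
    for line in log_text.splitlines():
        m = WARNING.match(line.strip())
        if not m:
            continue  # progress lines such as "Exporting users"
        name, sid = m.group("name"), m.group("sid")
        records.append({
            "kind": "membership" if m.group("member") else "group",
            "name": name,
            "sid": sid,
            "rid": int(sid.rsplit("-", 1)[1]),      # last SID component
            "machine_account": name.endswith("$"),  # trailing $ marks a computer account
            "ntstatus": ntstatus_hex(int(m.group("code"))),
        })
    return records

def summarize(records):
    """Group skipped names by kind so they can be re-checked after the upgrade."""
    by_kind = defaultdict(list)
    for rec in records:
        by_kind[rec["kind"]].append(rec["name"])
    return dict(by_kind)

if __name__ == "__main__":
    print(summarize(parse_skipped(SAMPLE_LOG)))
```
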
Re: [Samba] Correct NTP Settings for Samba 4.0.6?
Hi Andrew,

I've been struggling silently with this for quite a while. With pretty much an identical set-up (save for my W7 machines being handled by VirtualBox) I'm at my wit's end.

A tcpdump initially revealed that the server with Samba4(.0.7) and NTP was being sent packets, but never returning them. Similarly, a Linux box was caught in stratum 16. Both of these problems were resolved after amending the ntp.conf file to allow IPs from a specified subnet. So in my case:

restrict 192.168.1.128 mask 255.255.255.128 nomodify notrap nopeer

Now I get this:

C:\Users\administrator>w32tm /monitor
sambaf.sambafour. http://sambaf.sambafour.co.ecacs16.ab.ca/LOCAL *** PDC ***[192.168.1.131:123]:
    ICMP: 0ms delay
    NTP: +0.000s offset from sambaf.sambafour.http://sambaf.sambafour.co.ecacs16.ab.ca/ LOCAL
        RefID: mx2.trentu.ca [192.75.12.11]
        Stratum: 3

Warning:
Reverse name resolution is best effort. It may not be correct since RefID field in time packets differs across NTP implementations and may not be using IP addresses.

BUT, I still get this:

C:\Users\administrator>w32tm /resync /rediscover
Sending resync command to local computer
The computer did not resync because no time data was available.

C:\Users\administrator>w32tm /config /syncfromflags:DOMHIER /update
The command completed successfully.

C:\Users\administrator>w32tm /query /source
Local CMOS Clock

Tried it all. Disabled Windows firewalls, set iptables, net stop/start, register/unregister, included the signdsocket directory in both the smb and ntp configuration files.

I'm really surprised to hear that you received mixed results based on how you launched the ntp service. I've had no such luck. So I'm pretty baffled. Time drift is potentially a massive issue where we deploy machines due to PEBKAC.

I hate to piggyback on an issue, but any insight anyone might have would be appreciated.

On Sat, Jul 27, 2013 at 10:43 PM, Andrew Martin amar...@xes-inc.com wrote:

- Original Message -
From: Thomas Simmons twsn...@gmail.com
To: Andrew Martin amar...@xes-inc.com
Cc: samba@lists.samba.org
Sent: Saturday, July 27, 2013 7:07:59 PM
Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?

Your Windows client is not able to access the NTP server, which is why w32tm /resync fails and the reason for the "NTP: ERROR_TIMEOUT - no response from server in 1000ms" error when running w32tm /monitor. Why? I can't say. Can you set up a Linux box to use this server for NTP and run ntpdate as a test? I've seen this when there is a flaky network connection (traffic, wifi, or when the DC is a VMware VM under certain situations). Your DC is not a VM, is it?

On Sat, Jul 27, 2013 at 4:15 PM, Andrew Martin amar...@xes-inc.com wrote:

- Original Message -
From: Andrew Martin amar...@xes-inc.com
To: Thomas Simmons twsn...@gmail.com
Cc: samba@lists.samba.org
Sent: Saturday, July 27, 2013 2:31:21 PM
Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?

- Original Message -
From: Thomas Simmons twsn...@gmail.com
To: Andrew Martin amar...@xes-inc.com
Cc: samba@lists.samba.org
Sent: Saturday, July 27, 2013 12:26:57 PM
Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?

Running

w32tm /config /update /syncfromflags:DOMHIER
net stop w32time
net start w32time

should make the client query the directory for its time server. You can verify the configuration with w32tm /query /configuration and look for the Type to be NT5DS. This means it's using AD. You can also run w32tm /monitor and the Windows time service will go through the processes of querying the directory to find a time server, then verify it's accessible. If that works, all is working. I found w32tm /monitor will fail if you have your domain functional level at 2008 or 2008_R2. I don't know if this is a bug in Samba as I haven't had time to test against a real 2008+ server. Just know it's to be expected.

On Sat, Jul 27, 2013 at 12:58 PM, Andrew Martin amar...@xes-inc.com wrote:

- Original Message -
From: Thomas Simmons twsn...@gmail.com
To: Andrew Martin amar...@xes-inc.com
Cc: samba@lists.samba.org
Sent: Saturday, July 27, 2013 11:03:49 AM
Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?

The ls -l command you ran shows the ntp_signd directory is empty, so it looks like samba is not creating the socket (at least in that location). Do you have the ntp signd socket directory option in your smb.conf? If not, try manually adding it to smb.conf:

ntp signd socket directory = /var/run/samba/ntp_signd

Apart from that, my suggestion would be to stop