Re: [Samba] setfacl:operation not supported
Kernel 2.4 can support ACLs, it's more a question of the FS you are using (ext2 is ok if acl is properly installed). Did you remount with root? Otherwise use sudo. Perhaps you could post your mount-output. By the way: use some other partition then / for testing, otherwise you could end up in a mess!!! Next question: /ide2 sounds like a mountpoint itself - check and remount with acl-enabled. Perhaps you could post ls -al / Kind regards, Jens himmat baldaniya schrieb: Hi all from last few days i got struct in problem.when i try to use setfacl command setfacl -m u:himmat:r-- /ide2/asd i get the error setfacl : /ide2/asd : operation not supported i also has mounted acl using -: mount -f -o remount,acl / Note: -f option is for force i am using red hat kernel 2.4.20-8 and acl-2.2.3-1 One more thing i have to ask whether acl utility supports Samba version-2.2.7a plz help .. I want to know ur valuable suggestions thankyou _ New Windows 7: Find the right PC for you. Learn more. http://windows.microsoft.com/shop -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Source Download broken for 3.0.36
The source file http://download.samba.org/samba/ftp/stable/samba-3.0.36.tar.gz is invalid (checksum error). Could you please reinstall this file? Kind regards, Jens -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Wiki with strange announcement
According to Samba Homepage, Samba 3.0 is the only recommended stable release. All other versions are only for evaluation purpose (see http://us1.samba.org/samba/docs/FAQ/). Now the Wiki announces (http://wiki.samba.org/index.php/Release_Planning_for_Samba_3.0), that Samba 3.0 [is] turned into maintainance mode. Does this mean, we have no stable supported Samba anymore? -- Pt! Schon das coole Video vom GMX MultiMessenger gesehen? Der Eine für Alle: http://www.gmx.net/de/go/messenger03 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Winbind panic - bug #5551 not completely solved in version 3.0.31?
I tried to reproduce the situation with debug-level 10, but I wasn't successful. I will try in the next week again! Volker Lendecke schrieb: On Tue, Jul 22, 2008 at 04:10:15PM +0200, Jens Nissen wrote: [2008/07/22 14:22:01, 0] lib/fault.c:fault_report(41) === [2008/07/22 14:22:01, 0] lib/fault.c:fault_report(42) INTERNAL ERROR: Signal 6 in pid 17485 (3.0.31) Please read the Trouble-Shooting section of the Samba3-HOWTO [2008/07/22 14:22:01, 0] lib/fault.c:fault_report(44) From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf [2008/07/22 14:22:01, 0] lib/fault.c:fault_report(45) === [2008/07/22 14:22:01, 0] lib/util.c:smb_panic(1633) PANIC (pid 17485): internal error [2008/07/22 14:22:01, 0] lib/util.c:log_stack_trace(1737) BACKTRACE: 1 stack frames: #0 /boot/usr/local/adsamba/bin/winbindd(log_stack_trace+0x20) [0xce48c] Can we get a debug level 10 log of this? Thanks, Volker -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] winbind looses connection to DC in 3.0.30
Thanks Volker, I think, we can close at least this thread for version 3.0.30 as I could not reproduce the effect on 3.0.31. I will continue with testing on 3.0.31 and post the issues found on a new thread. Kind regards, Jens Volker Lendecke wrote: On Fri, Jul 18, 2008 at 04:39:27PM +0200, Jens Nissen wrote: Hello Volker, please find attached the log file for the whole session. As 300K compressed is a bit large, I am not posting to the group. I didn't cut anything from the files, as I am not sure, what the the important moment is. What I did to reproduce: 1) I started Samba close to 16:00 with fresh log files, so you can see the complete startup. 2) The Samba-Server is attached to my virtual Windows SBS Server 2000, so to accelerate the issue, after testing some access to shares from the CANDEO\\Administrator account (which was ok), I simply stopped the virtual server. 3) At 16:27, I restarted the virtual server and tried to access my shares several times - without success. I then logged out and back into the Windows account (as this sometimes solves problems), but to no avail. 4) I then stopped Samba and got the whole bunch of log files! This is a bug that winbind tries to connect to itself. Jeremy Allison has done some work that went into 3.0.31 which attempts to resolve this. The history of this is visible in https://bugzilla.samba.org/show_bug.cgi?id=5551. Before I try to solve a potentially already solved problem within 3.0.30, I would appreciate if you could try to reproduce it with 3.0.31. Thanks, Volker -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Winbind panic - bug #5551 not completely solved in version 3.0.31?
I started my AD-member server with the DC not being present. Afterwards, I executed the good practice sequence from the howtos for testing a installation: testparm ... nmblookup -d ... nmblookup -M ... nmblookup __SAMBA__ ... smbclient -L ... And some domain tests: net ads testjoin net ads lookup wbinfo -D getent passwd getent group wbinfo -t What was strange: wbinfo -D returned Active Directory: No I then started my DC and tried to connect to a share. That was the point where I noticed, that winbind had a panic! Due to issue #5625 I had set my debug level to 0, so a have only limited information from the logs. Below are the complete logs. It looks, like winbind is still trying to connect to 0.0.0.0, that's why I think, that #5551 is not completely resolved. I have a core-dump (arm9-cpu), would this help? After restarting the daemons (with the DC being online), no further problems appeared. - smblog.ad - [2008/07/22 14:16:30, 0] printing/nt_printing.c:nt_printing_init(659) nt_printing_init: error checking published printers: WERR_ACCESS_DENIED [2008/07/22 14:20:49, 0] nsswitch/winbindd_group.c:winbindd_getgrent(1110) could not lookup domain group DOMAIN\domänencomputer [2008/07/22 14:20:49, 0] nsswitch/winbindd_group.c:winbindd_getgrent(1110) could not lookup domain group DOMAIN\domänencontroller [2008/07/22 14:20:49, 0] nsswitch/winbindd_group.c:winbindd_getgrent(1110) could not lookup domain group DOMAIN\schema-admins [2008/07/22 14:20:49, 0] nsswitch/winbindd_group.c:winbindd_getgrent(1110) could not lookup domain group DOMAIN\organisations-admins [2008/07/22 14:20:49, 0] nsswitch/winbindd_group.c:winbindd_getgrent(1110) could not lookup domain group DOMAIN\zertifikatherausgeber [2008/07/22 14:20:49, 0] nsswitch/winbindd_group.c:winbindd_getgrent(1110) could not lookup domain group DOMAIN\domänen-admins [2008/07/22 14:20:49, 0] nsswitch/winbindd_group.c:winbindd_getgrent(1110) could not lookup domain group DOMAIN\domänen-gäste [2008/07/22 14:20:49, 0] nsswitch/winbindd_group.c:winbindd_getgrent(1110) could not lookup domain group DOMAIN\richtlinien-ersteller-besitzer [2008/07/22 14:20:49, 0] nsswitch/winbindd_group.c:winbindd_getgrent(1110) could not lookup domain group DOMAIN\dnsupdateproxy [2008/07/22 14:20:49, 0] nsswitch/winbindd_group.c:winbindd_getgrent(1110) could not lookup domain group DOMAIN\backoffice template users [2008/07/22 14:20:49, 0] nsswitch/winbindd_group.c:winbindd_getgrent(1110) could not lookup domain group DOMAIN\backoffice folder operators [2008/07/22 14:20:49, 0] nsswitch/winbindd_group.c:winbindd_getgrent(1110) could not lookup domain group DOMAIN\backoffice mail operators [2008/07/22 14:20:49, 0] nsswitch/winbindd_group.c:winbindd_getgrent(1110) could not lookup domain group DOMAIN\backoffice remote operators [2008/07/22 14:20:49, 0] nsswitch/winbindd_group.c:winbindd_getgrent(1110) could not lookup domain group DOMAIN\nasdriveuser [2008/07/22 14:22:01, 0] lib/fault.c:fault_report(41) === [2008/07/22 14:22:01, 0] lib/fault.c:fault_report(42) INTERNAL ERROR: Signal 6 in pid 17485 (3.0.31) Please read the Trouble-Shooting section of the Samba3-HOWTO [2008/07/22 14:22:01, 0] lib/fault.c:fault_report(44) From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf [2008/07/22 14:22:01, 0] lib/fault.c:fault_report(45) === [2008/07/22 14:22:01, 0] lib/util.c:smb_panic(1633) PANIC (pid 17485): internal error [2008/07/22 14:22:01, 0] lib/util.c:log_stack_trace(1737) BACKTRACE: 1 stack frames: #0 /boot/usr/local/adsamba/bin/winbindd(log_stack_trace+0x20) [0xce48c] [2008/07/22 14:22:01, 0] lib/fault.c:dump_core(181) dumping core in /var/log/adsamba/cores/winbindd [2008/07/22 14:22:42, 0] lib/util_sock.c:get_peer_addr(1224) getpeername failed. Error was Transport endpoint is not connected [2008/07/22 14:22:42, 0] lib/util_sock.c:get_peer_addr(1224) getpeername failed. Error was Transport endpoint is not connected [2008/07/22 14:22:42, 0] lib/util_sock.c:read_data(534) read_data: read failure for 4 bytes to client 0.0.0.0. Error = Connection reset by peer - wb-BUILTIN.log - [2008/07/22 14:21:54, 0] nsswitch/winbindd_dual.c:async_request_timeout_handler(181) async_request_timeout_handler: child pid 17541 is not responding. Closing connection to it. - winbind-idmap.log - [2008/07/22 14:21:17, 0] nsswitch/winbindd_dual.c:async_request_timeout_handler(181)
[Samba] smbcontrol 3.0.30 looks for pidfile in the wrong place
Version 3.0.30 smbcontrol fails to find the pid-file when called like this: smbcontrol -s /mydict/myconf winbindd whatever The correct location is /var/run/winbindd-myconf.pid which is the pid-file since Samba 3.0.23 or something like that. It seems as though it is looking for /var/run/winbindd.pid which is definitely wrong. Could this be fixed, please? -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] winbind looses connection to DC in 3.0.30
I have successfully joined a domain with Samba 3.0.30 But after approx. one or two hours, winbind looses connection to the domain controller and users are not allowed to connect shares. After a 'killall winbindd' and restarting of winbind, the users can connect to the shares again. How can I work around this bug? Configuration looks like this: [global] dos charset = ISO-8859-1 unix charset = ISO-8859-1 display charset = ISO-8859-1 workgroup = DOMAIN realm = DOMAIN.TEST server string = myserver interfaces = ixp0 security = ADS allow trusted domains = No password server = sbs2000.domain.test private dir = /var/lib/adsamba/private passdb backend = tdbsam guest account = samba log level = 6 log file = /var/log/adsamba/smblog.ad max log size = 0 name resolve order = wins bcast host socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192 load printers = No show add printer wizard = No preferred master = No local master = No domain master = No wins server = 192.168.1.4 idmap uid = 1000-6 idmap gid = 1000-6 winbind enum users = Yes winbind enum groups = Yes winbind offline logon = Yes admin users = DOMAIN\\Administrator ea support = Yes -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Samba 3.0.31 logs to wrong file
I have configured Samba 3.0.31 to log into one specific file. What I get is that each process logs into its own file, which is extremely annoying. Could this please be turned back to the logging like in 3.0.2x versions?? It was annoying enough that each process began its own log file, but I could handle this by removing the file with a timeout after starting SAMBA, but with 3.0.31, the logging into the separate files does not stop anymore. From the configuration: # cat /etc/cfg_user/smb.conf.ads | grep log winbind offline logon=True log file=/var/log/adsamba/smblog.ad log level=6 max log size=0 # ls /var/log/adsamba/ cores log.wb-DOMAIN smblog.ad log.nmbdlog.winbindd log.smbdlog.winbindd-idmap -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] AD-Shares not accessible with 3.0.31
Starting with version 3.0.31, it is not possible to access shares on a Windows Server 2000 SP4, even though it is possible to join the domain controlled by that Server. The same configuration worked fine (for one hour) with 3.0.30. What has changed? What do I need to configure or compile differently to get back to 3.0.2x behaviour? The commands # wbinfo -u # wbinfo -g # wbinfo -a DOMAIN\\Administrator%PASS # wbinfo -t # net ads testjoin -s /path_to_config all work fine. Replacing the 3.0.31 files one by one with 3.0.30 files again gives me a somewhat working system, so it it must be something with 3.0.31. Not my day :-( The error log looks like this: [2008/07/18 15:34:43, 10] smbd/sesssetup.c:reply_spnego_kerberos(364) Mapped to [DOMAIN] (using PAC) [2008/07/18 15:34:43, 5] lib/username.c:Get_Pwnam_alloc(131) Finding user DOMAIN\Administrator [2008/07/18 15:34:43, 5] lib/username.c:Get_Pwnam_internals(75) Trying _Get_Pwnam(), username as lowercase is candeo\administrator [2008/07/18 15:34:43, 5] lib/username.c:Get_Pwnam_internals(83) Trying _Get_Pwnam(), username as given is DOMAIN\Administrator [2008/07/18 15:34:43, 5] lib/username.c:Get_Pwnam_internals(93) Trying _Get_Pwnam(), username as uppercase is DOMAIN\ADMINISTRATOR [2008/07/18 15:34:43, 5] lib/username.c:Get_Pwnam_internals(102) Checking combinations of 0 uppercase letters in candeo\administrator [2008/07/18 15:34:43, 5] lib/username.c:Get_Pwnam_internals(108) Get_Pwnam_internals didn't find user [DOMAIN\Administrator]! [2008/07/18 15:34:43, 5] lib/username.c:Get_Pwnam_alloc(131) Finding user Administrator [2008/07/18 15:34:43, 5] lib/username.c:Get_Pwnam_internals(75) Trying _Get_Pwnam(), username as lowercase is administrator [2008/07/18 15:34:43, 5] lib/username.c:Get_Pwnam_internals(83) Trying _Get_Pwnam(), username as given is Administrator [2008/07/18 15:34:43, 5] lib/username.c:Get_Pwnam_internals(93) Trying _Get_Pwnam(), username as uppercase is ADMINISTRATOR [2008/07/18 15:34:43, 5] lib/username.c:Get_Pwnam_internals(102) Checking combinations of 0 uppercase letters in administrator [2008/07/18 15:34:43, 5] lib/username.c:Get_Pwnam_internals(108) Get_Pwnam_internals didn't find user [Administrator]! [2008/07/18 15:34:43, 10] nsswitch/winbindd.c:process_request(321) process_request: request fn PING [2008/07/18 15:34:43, 3] nsswitch/winbindd_misc.c:winbindd_ping(470) [ 2360]: ping [2008/07/18 15:34:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(439) Username DOMAIN\Administrator is invalid on this system [2008/07/18 15:34:43, 3] smbd/error.c:error_packet_set(106) error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE [2008/07/18 15:34:43, 5] lib/util.c:show_msg(484) [2008/07/18 15:34:43, 5] lib/util.c:show_msg(494) size=35 smb_com=0x73 smb_rcls=109 smb_reh=0 smb_err=49152 smb_flg=136 smb_flg2=51201 smb_tid=0 smb_pid=65279 smb_uid=101 smb_mid=33152 smt_wct=0 smb_bcc=0 [global] dos charset = ISO-8859-1 unix charset = ISO-8859-1 display charset = ISO-8859-1 workgroup = DOMAIN realm = DOMAIN.TEST server string = intradisk NASdrive (IP:%$(IPADDR)) interfaces = ixp0 security = ADS allow trusted domains = No password server = sbs2000.candeo.test private dir = /var/lib/adsamba/private passdb backend = tdbsam guest account = samba log level = 6 log file = /var/log/adsamba/smblog.ad max log size = 0 name resolve order = wins bcast host socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192 load printers = No show add printer wizard = No preferred master = No local master = No domain master = No wins server = 192.168.1.4 idmap uid = 1000-6 idmap gid = 1000-6 winbind enum users = Yes winbind enum groups = Yes winbind offline logon = Yes admin users = DOMAIN\\Administrator ea support = Yes -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] AD-Shares not accessible with 3.0.31
Oops, something similar: I refreshed the ld.so.cache, now things work fine. Version 3.0.31 is even able to do a trick, none of the predecessors could do: If Samba started while the DC was down, it was not possible to connect to the Samba shares without restarting Samba when the DC was online. 3.0.31 solves this extremely ancient issue - I'm completely enthusiastic (for the moment)!! Many thanks, Jens Volker Lendecke wrote: On Fri, Jul 18, 2008 at 03:50:21PM +0200, Jens Nissen wrote: Starting with version 3.0.31, it is not possible to access shares on a Windows Server 2000 SP4, even though it is possible to join the domain controlled by that Server. The same configuration worked fine (for one hour) with 3.0.30. What has changed? What do I need to configure or compile differently to get back to 3.0.2x behaviour? Is it possible that you did not exchange libnss_winbind.so in /lib? Volker -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] FreeBSD, Samba 3.0.28a joined to AD domain but prompts for login
In addition to what Jason writes: It is good practice to start with a share like shared in /export/shared and not with the /homes folder, as the home-shares pose additional problems (like access rights). If the user accounts are already created as Unix local acounts, the domain users might not be able to access them. Make the /export/shared folder 777 and if this works continue towards the home shares. Important: Jason already indicated, that the valid users should be empty, when this works, make valid users something like MYDOMAIN\%S and see if you can make progress. Have fun with Samba, Jens Original-Nachricht Datum: Tue, 01 Jul 2008 12:04:41 +1200 Von: Jason Haar [EMAIL PROTECTED] An: Samba Questions samba@lists.samba.org Betreff: Re: [Samba] FreeBSD, Samba 3.0.28a joined to AD domain but prompts for login Mike Galvez wrote: Hi, I am trying to connect a FreeBSD server running 7.0 Release and Samba 3.0.28a to a Windows 2003 AD Domain Controller. Has anyone had success with this combo? I have joined the domain and I can enumerate users, groups, etc.. Are you referring to Vista as the client? If so, upgrade to 3.0.30 as Vista SP1 brought in a bunch of changes that broke Samba (and probably a bunch of other things too... ;-) Secondly, I see you have a valid users variable under [homes], do you explicitly need it? Try removing it and see if the problem disappears. -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba -- Der GMX SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen! Ideal für Modem und ISDN: http://www.gmx.net/de/go/smartsurfer -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Can't join AD anymore after migration to 3.0.30
Thanks Guenther, that is exactly the patch I needed to join my AD-Member back into my Windows 2000-SP4 domain! Jens Guenther Deschner wrote: Jens Nissen wrote: I doff my hat, indeed, my SBS200 is running SP1. (Microsoft never provided updates for SBS2000 beyond SP1, there were individual updates for Windows, Exchange, SQL, IIE ... but they were partially incompatible with SBS2000, so there might be more machines out there!!) I updated to SP4, now I get the next error: NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT Is it possible, that this is already a known issue in Samba 3.2.0 and needs to be back-ported to Samba 3.0.30? See http://lists-archives.org/samba/34051-net-ads-join-fails-with-nt_status_nologon_workstation_trust_account.html Yeah, it's a known issue. Can you please try attached patch? Thanks, Guenther -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Can't join AD anymore after migration to 3.0.30
I doff my hat, indeed, my SBS200 is running SP1. (Microsoft never provided updates for SBS2000 beyond SP1, there were individual updates for Windows, Exchange, SQL, IIE ... but they were partially incompatible with SBS2000, so there might be more machines out there!!) I updated to SP4, now I get the next error: NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT Is it possible, that this is already a known issue in Samba 3.2.0 and needs to be back-ported to Samba 3.0.30? See http://lists-archives.org/samba/34051-net-ads-join-fails-with-nt_status_nologon_workstation_trust_account.html Kind regards and many thanks already! Jens P.S: Error details - configuration as before: [2008/06/05 14:55:22, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(1018) Got challenge flags: [2008/06/05 14:55:22, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63) Got NTLMSSP neg_flags=0x60898215 [2008/06/05 14:55:22, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(1040) NTLMSSP: Set final flags: [2008/06/05 14:55:22, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63) Got NTLMSSP neg_flags=0x60088215 [2008/06/05 14:55:22, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338) NTLMSSP Sign/Seal - Initialising with flags: [2008/06/05 14:55:22, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63) Got NTLMSSP neg_flags=0x60088215 [2008/06/05 14:55:22, 3] libsmb/cliconnect.c:cli_session_setup(1014) SPNEGO login failed: No logon workstation trust account [2008/06/05 14:55:22, 1] libsmb/cliconnect.c:cli_full_connection(1658) failed session setup with NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT Could not connect to server sbs2000.candeo.test Connection failed: NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT Failed to verify membership in domain! [2008/06/05 14:55:22, 2] utils/net.c:main(1066) return code = -1 Guenther Deschner wrote: Guenther Deschner wrote: Jens Nissen wrote: After migrating from 3.0.26a to 3.0.30 I cannot join my AD member server to the domain anymore: I get a DCERPC_FAULT_INVALID_TAG. As I didn't change my Windows 2000 SBS Server, this looks like a new feature in Samba 3.0.30. You're probably not running the latest SP on the SBS server. I could only reproduce your problem with Windows 2000 GA version (no SPs installed at all). We'll add fallback code for the next release, but you should really consider upgrading to the lastest SP. Ok, In v3-0-test I added code that should resolve your issue. Will be in the next 3.0 release (out really soon). Guenther -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Can't join AD anymore after migration to 3.0.30
After migrating from 3.0.26a to 3.0.30 I cannot join my AD member server to the domain anymore: I get a DCERPC_FAULT_INVALID_TAG. As I didn't change my Windows 2000 SBS Server, this looks like a new feature in Samba 3.0.30. Do I have to also migrate my Heimdal - if so, which version is required? Kind regards, Jens P.S: Is there a way to find out the code changes in Samba 3.0.30? I didn't find a 3.0.30 tag in the tags nor in the branches. The latest tag is 3.0.26a. This makes it somewhat difficult to figure out, what could be different. Or am I looking in the wrong places in the repository? Updating http://www.samba.org/samba/subversion.html would be nice, as the major current branches indicated there do not exist. P.P.S: Log and Configuration: - Log on level 10 looks like this: net ads join -d 10 -w $WORKGROUP -U$Administrator$password -s /etc/config/smb.conf - [2008/06/04 15:16:13, 10] lib/util.c:dump_data(2264) [000] 00 05 00 03 03 10 00 00 00 20 00 00 00 0B 00 00 . .. [010] 00 00 00 00 00 00 00 00 00 06 00 00 1C 00 00 00 [020] 00. [2008/06/04 15:16:13, 5] rpc_parse/parse_prs.c:prs_debug(84) 00 smb_io_rpc_hdr rpc_hdr [2008/06/04 15:16:13, 5] rpc_parse/parse_prs.c:prs_uint8(616) major : 05 [2008/06/04 15:16:13, 5] rpc_parse/parse_prs.c:prs_uint8(616) 0001 minor : 00 [2008/06/04 15:16:13, 5] rpc_parse/parse_prs.c:prs_uint8(616) 0002 pkt_type : 03 [2008/06/04 15:16:13, 5] rpc_parse/parse_prs.c:prs_uint8(616) 0003 flags : 03 [2008/06/04 15:16:13, 5] rpc_parse/parse_prs.c:prs_uint8(616) 0004 pack_type0: 10 [2008/06/04 15:16:13, 5] rpc_parse/parse_prs.c:prs_uint8(616) 0005 pack_type1: 00 [2008/06/04 15:16:13, 5] rpc_parse/parse_prs.c:prs_uint8(616) 0006 pack_type2: 00 [2008/06/04 15:16:13, 5] rpc_parse/parse_prs.c:prs_uint8(616) 0007 pack_type3: 00 [2008/06/04 15:16:13, 5] rpc_parse/parse_prs.c:prs_uint16(681) 0008 frag_len : 0020 [2008/06/04 15:16:13, 5] rpc_parse/parse_prs.c:prs_uint16(681) 000a auth_len : [2008/06/04 15:16:13, 5] rpc_parse/parse_prs.c:prs_uint32(710) 000c call_id : 000b [2008/06/04 15:16:13, 5] rpc_parse/parse_prs.c:prs_debug(84) 10 smb_io_rpc_hdr_resp rpc_hdr_resp [2008/06/04 15:16:13, 5] rpc_parse/parse_prs.c:prs_uint32(710) 0010 alloc_hint: [2008/06/04 15:16:13, 5] rpc_parse/parse_prs.c:prs_uint16(681) 0014 context_id: [2008/06/04 15:16:13, 5] rpc_parse/parse_prs.c:prs_uint8(616) 0016 cancel_ct : 00 [2008/06/04 15:16:13, 5] rpc_parse/parse_prs.c:prs_uint8(616) 0017 reserved : 00 [2008/06/04 15:16:13, 5] rpc_parse/parse_prs.c:prs_debug(84) 18 smb_io_rpc_hdr_fault fault [2008/06/04 15:16:13, 5] rpc_parse/parse_prs.c:prs_dcerpc_status(799) 0018 status : DCERPC_FAULT_INVALID_TAG [2008/06/04 15:16:13, 5] rpc_parse/parse_prs.c:prs_uint32(710) 001c reserved: [2008/06/04 15:16:13, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625) cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_INVALID_TAG received from remote machine sbs2000.domain. test pipe \samr fnum 0x4005! [2008/06/04 15:16:13, 10] rpc_client/cli_pipe.c:rpc_api_pipe(843) rpc_api_pipe: got PDU len of 32 at offset 0 [2008/06/04 15:16:13, 10] intl/lang_tdb.c:lang_tdb_init(138) lang_tdb_init: /lib/de_DE.msg: No such file or directory Failed to set password for machine account (NT code 0x1c06) [2008/06/04 15:16:13, 6] libsmb/clientgen.c:write_socket(152) write_socket(7,45) [2008/06/04 15:16:13, 6] libsmb/clientgen.c:write_socket(155) write_socket(7,45) wrote 45 [2008/06/04 15:16:13, 10] lib/util_sock.c:read_smb_length_return_keepalive(623) got smb length of 35 [2008/06/04 15:16:13, 5] lib/util.c:show_msg(484) [2008/06/04 15:16:13, 5] lib/util.c:show_msg(494) size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=18439 smb_pid=6300 smb_uid=32770 smb_mid=18 smt_wct=0 smb_bcc=0 [2008/06/04 15:16:13, 10] libsmb/clientgen.c:cli_rpc_pipe_close(394) cli_rpc_pipe_close: closed pipe \samr to machine sbs2000.domain.test [2008/06/04 15:16:13, 6] libsmb/clientgen.c:write_socket(152) write_socket(7,39) [2008/06/04 15:16:13, 6] libsmb/clientgen.c:write_socket(155) write_socket(7,39) wrote 39 [2008/06/04 15:16:13, 10] lib/util_sock.c:read_smb_length_return_keepalive(623) got smb length of 35 [2008/06/04 15:16:13, 5] lib/util.c:show_msg(484) [2008/06/04 15:16:13, 5] lib/util.c:show_msg(494) size=35 smb_com=0x71 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=18439 smb_pid=6300 smb_uid=32770 smb_mid=19 smt_wct=0 smb_bcc=0 [2008/06/04 15:16:13, 1] utils/net_ads.c:net_ads_join(1548) call of
[Samba] Issues with migration from default mapping to idmap_rid in 3.0.26a
What I want to do: I have a lot of Samba AD member server which all should have the same mapping of Domain Users (SIDs) to local UID/GID, so files with ACLs can be moved from one machine to another and still grant the access rights to the same users as on the other machine. What I have: idmap uid=1000-6 idmap gid=1000-6 winbind use default domain=no winbind enum users=Yes winbind enum groups=Yes winbind nested groups=Yes winbind nss info=template winbind offline logon=True security=Ads passdb backend=tdbsam This is working fine, but (of course) leads to indeterministic UID/GID mappings. So I want to change to RID - this is all I changed: #idmap uid=1000-6 #idmap gid=1000-6 idmap domains=MYDOMAIN idmap config MYDOMAIN:backend=rid idmap config MYDOMAIN:base_rid=1000 idmap config MYDOMAIN:range=998 - 6 (I have two manually mapped groups, thus starting the allowed range at 998) I clear all TDB files and join the server from scratch to the domain. This still works. Then I look at wbinfo -u which shows all Domain users correctly. Trouble already starts with wbinfo -i MYDOMAIN\\dagobert Could not get info for user MYDOMAIN\\dagobert The Domain Administrator can actually connect to the Samba server, but no other user can. From the log, I retrieve a lot like this: Could not query gid for user MYDOMAIN\dagobert [2008/04/08 11:12:34, 5] lib/username.c:Get_Pwnam_internals(83) Trying _Get_Pwnam(), username as given is MYDOMAIN\dagobert [2008/04/08 11:12:34, 10] nsswitch/winbindd.c:process_request(314) process_request: request fn GETPWNAM [2008/04/08 11:12:34, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(346) [20573]: getpwnam MYDOMAIN\dagobert [2008/04/08 11:12:34, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2300) Retrieving response for pid 15771 [2008/04/08 11:12:34, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2300) Retrieving response for pid 15771 [2008/04/08 11:12:34, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2300) Retrieving response for pid 15786 [2008/04/08 11:12:34, 7] nsswitch/winbindd_async.c:winbindd_sid2gid_async(545) winbindd_sid2gid_async: Resolving S-1-5-21-1214440339-113007714-839522115-513 to a gid [2008/04/08 11:12:34, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2300) Retrieving response for pid 15786 [2008/04/08 11:12:34, 5] nsswitch/winbindd_async.c:winbindd_sid2gid_recv(527) sid2gid returned an error It looks as though conversion of SIDs to IDs is not correctly working. # wbinfo -G 1000 S-1-5-21-1214440339-113007714-839522115-1002 # wbinfo -S S-1-5-21-1214440339-113007714-839522115-1002 Could not convert sid S-1-5-21-1214440339-113007714-839522115-1002 to uid # wbinfo -Y S-1-5-21-1214440339-113007714-839522115-1002 Could not convert sid S-1-5-21-1214440339-113007714-839522115-1002 to gid # wbinfo -R 1000 Domain: MYDOMAIN 1000: TsInternetUser (User) Manually added SIDs are actually working, so winbind is operational: # wbinfo -Y S-1-5-13 998 So my questions are: (1) Is idmap_rid suitable for what I want? (2) Is idmap_rid working 3.0.26a , is there someone who got this working? (3) Is there anything else I need to change in smb.conf when migrating as above? (4) Is there some trick with compilation/configuration necessary? I have an Intel ARM Big Endian architecture and have the RID module statically linked (dynamic loading does not work on this architecture). Kind regards and thanks for any advice or help, Jens P.S testparm of smb.conf [global] dos charset = ISO-8859-1 unix charset = ISO-8859-1 display charset = ISO-8859-1 workgroup = MYDOMAIN realm = MYDOMAIN.TEST server string = myserver interfaces = ixp0 security = ADS allow trusted domains = No password server = sbs2000.mydomain.test private dir = /var/lib/adsamba/private passdb backend = tdbsam guest account = samba username map = /etc/cfg_user/usermap.ads log level = 6 winbind:10 log file = /export/log/smblog.ad max log size = 0 name resolve order = wins bcast host socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192 load printers = No show add printer wizard = No preferred master = No local master = No domain master = No wins server = 192.168.1.4 lock directory = /var/lib/adsamba idmap domains = MYDOMAIN winbind enum users = Yes winbind enum groups = Yes winbind offline logon = Yes ldapsam:trusted = No idmap config MYDOMAIN:range = 998 - 6 idmap config MYDOMAIN:base_rid = 1000 idmap config MYDOMAIN:backend = rid ea support = Yes [shared] comment = ACL shared folder path = /export/shared read only = No create mask = 0777 directory mask = 0777 inherit
Re: [Samba] Question on number of winbindd demons
I forgot to mention: Samba Version is 3.026a! Original-Nachricht Datum: Fri, 23 Nov 2007 14:28:41 +0100 Von: Jens Nissen [EMAIL PROTECTED] An: samba@lists.samba.org Betreff: [Samba] Question on number of winbindd demons Winbindd is supposed to have 2 processes running according to the documentation. When I start my samba server (security=ADS), I can see at least 4 Winbindd demons? (A) Is this intended? (B) How can I limit the number of winbindd processes? Kind regards, Jens -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba -- Der GMX SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen! Ideal für Modem und ISDN: http://www.gmx.net/de/go/smartsurfer -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Strange Inheritance of folder rights in Version 3.026a
Assume folder hierarchy /service/f1/f2/f3. I have initially disabled acl inheritance in smb.conf for service. Neither folder service,f1,f2,f3 has the right Inherit rights from parent set. (I had to translate the Windows-check-boxes' texts, I hope that it is possible to follow my actions) (A) Now I apply the property Inherit rights from parent to folder f2. Once I press OK, the right disappears again. Obviously, the right was set, then the right to inherit the right was inherited from folder f1 and thus finally deleted again from folder f2. (B) Now I fool Samba by setting the advanced rights Inherit rights from parent and Propagate rights to contained folders to folder f2. This sets the right Inherit rights from parent to folder **f3** (only). Again, it looks as though the right is first set on f2, then propagated to f3, afterwards inherited from f1 and thus finally deleted from f2. All this is very different from Windows and User expectation. IMHO, the right to inherit a right from the parent should not be inherited from the parent itself! Could you fix this, please? Kind regards, Jens P.S: This seems related to https://bugzilla.samba.org/show_bug.cgi?id=4955 P.P.S: From my smb.conf [global] security=Ads nt acl support=Yes ea support=Yes ... [smbtest] available=Yes browseable=Yes comment=SMB Torture Folder create mask=0777 directory mask=0777 dos filemode=Yes guest ok=No hosts allow= hosts deny= inherit acls=No inherit owner=No inherit permissions=No invalid users= map acl inherit=Yes map archive=No map hidden=No map read only=No map system=No path=/export/smbtest read only=No store dos attributes=Yes -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Question on number of winbindd demons
Winbindd is supposed to have 2 processes running according to the documentation. When I start my samba server (security=ADS), I can see at least 4 Winbindd demons? (A) Is this intended? (B) How can I limit the number of winbindd processes? Kind regards, Jens -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Strange folder smb_krb5 in lock directory of version 3.026a
I found a strange folder smb_krb5 in my samba lock directory. Inside, there is something that looks like a Kerberos Configuration, but the content is different from my /etc/krb5.conf (A) Does Samba correctly use my /etc/krb5.conf as before in version 3.023? (B) What is the smb_krb5-folder good for, where does it come from? (C) Can it be deleted safely or does it have to be backed up together with the important tdb-files? Kind regards, Jens -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Winbind crashes in 3.026a using rid
Winbind 3.026a crashes when reading out user information with wbinfo using the idmap/rid module. The tdb module works without crash (tested by exchanging the uncommented and commented lines in the following fragment from smb.conf). I configured rid as follows: [global] # idmap uid=1000-6 # idmap gid=1000-6 idmap domains=TRUSTEDDOMAINS idmap config TRUSTEDDOMAINS:readonly=yes idmap config TRUSTEDDOMAINS:backend=rid idmap config TRUSTEDDOMAINS:default=yes idmap config TRUSTEDDOMAINS:base rid=1000 idmap config TRUSTEDDOMAINS:range=1000 - 6 In the log (level 10) I find the last lines before winbindd dies: [2007/10/26 12:50:27, 10] nsswitch/winbindd_cache.c:wcache_save_user(867) wcache_save_user: S-1-5-21-1214440339-113007714-839522115-2111 (acct_name vx889) [2007/10/26 12:50:27, 10] nsswitch/idmap_util.c:idmap_sid_to_uid(105) idmap_sid_to_uid: sid = [S-1-5-21-1214440339-113007714-839522115-3222] [2007/10/26 12:50:28, 5] nsswitch/idmap.c:smb_register_idmap_alloc(216) Successfully added idmap alloc backend 'ldap' [2007/10/26 12:50:28, 5] nsswitch/idmap.c:smb_register_idmap(163) Successfully added idmap backend 'ldap' [2007/10/26 12:50:28, 5] nsswitch/idmap.c:smb_register_idmap_alloc(216) Successfully added idmap alloc backend 'tdb' [2007/10/26 12:50:28, 5] nsswitch/idmap.c:smb_register_idmap(163) Successfully added idmap backend 'tdb' [2007/10/26 12:50:28, 5] nsswitch/idmap.c:smb_register_idmap(163) Successfully added idmap backend 'passdb' [2007/10/26 12:50:28, 5] nsswitch/idmap.c:smb_register_idmap(163) Successfully added idmap backend 'nss' [2007/10/26 12:50:28, 1] nsswitch/idmap.c:idmap_init(365) Initializing idmap domains [2007/10/26 12:50:28, 5] lib/module.c:smb_probe_module(108) Probing module 'rid' [2007/10/26 12:50:28, 5] lib/module.c:smb_probe_module(119) Probing module 'rid': Trying to load from /lib/idmap/rid.so /sbin/winbindd: symbol lookup error: /lib/libdl.so.2: undefined symbol: _dl_catch_error # ls -Al /lib/idmap/rid.so -rwxr-xr-x1 root root12185 Oct 26 11:22 /lib/idmap/rid.so What is additionally strange and annoying: I had to compile rid manually (with 'make lib/rid.so'), the build process simply forgets to compile or install rid.so. Are there any other shared libraries which I have to compile and install manually? I could not find any documentation about this. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Pre-3.023d-Bug in ACL-handling reappears in 3.026a
# wbinfo -Y S-1-5-11 Could not convert sid S-1-5-11 to gid # wbinfo -Y S-1-5-13 Could not convert sid S-1-5-13 to gid (S-1-5-11 are the Authenticated Users, S-1-5-13 are the Terminal Server Users.) This bug was finally solved in release 3.023d. Now it is back again. How can I get this working? I'm using idmap/tdb - would another idmap-module solve this issue? The winbind log looks like this: [2007/10/26 13:06:09, 6] nsswitch/winbindd.c:new_connection(628) accepted socket 18 [2007/10/26 13:06:09, 10] nsswitch/winbindd.c:process_request(314) process_request: request fn INTERFACE_VERSION [2007/10/26 13:06:09, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(491) [20989]: request interface version [2007/10/26 13:06:09, 10] nsswitch/winbindd.c:process_request(314) process_request: request fn WINBINDD_PRIV_PIPE_DIR [2007/10/26 13:06:09, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524) [20989]: request location of privileged pipe [2007/10/26 13:06:09, 6] nsswitch/winbindd.c:new_connection(628) accepted socket 19 [2007/10/26 13:06:09, 10] nsswitch/winbindd.c:process_request(314) process_request: request fn SID_TO_GID [2007/10/26 13:06:09, 3] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(308) [20989]: sid to gid S-1-5-13 [2007/10/26 13:06:09, 10] nsswitch/winbindd_util.c:find_lookup_domain_from_sid(679) find_lookup_domain_from_sid(S-1-5-13) [2007/10/26 13:06:09, 10] nsswitch/winbindd_util.c:find_lookup_domain_from_sid(689) calling find_our_domain [2007/10/26 13:06:09, 10] lib/events.c:event_add_timed(129) Added timed event async_request_timeout: 2aacfbe0 [2007/10/26 13:06:09, 10] lib/events.c:get_timed_events_timeout(295) timed_events_timeout: 299/999509 [2007/10/26 13:06:09, 10] lib/events.c:timed_event_destructor(66) Destroying timed event 2aacfbe0 async_request_timeout [2007/10/26 13:06:09, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2300) Retrieving response for pid 20667 [2007/10/26 13:06:09, 7] nsswitch/winbindd_async.c:winbindd_sid2gid_async(545) winbindd_sid2gid_async: Resolving S-1-5-13 to a gid [2007/10/26 13:06:09, 10] lib/events.c:event_add_timed(129) Added timed event async_request_timeout: 2aacfbe0 [2007/10/26 13:06:09, 10] lib/events.c:get_timed_events_timeout(295) timed_events_timeout: 299/999483 [2007/10/26 13:06:09, 10] lib/events.c:timed_event_destructor(66) Destroying timed event 2aacfbe0 async_request_timeout [2007/10/26 13:06:09, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2300) Retrieving response for pid 20684 [2007/10/26 13:06:09, 5] nsswitch/winbindd_async.c:winbindd_sid2gid_recv(527) sid2gid returned an error [2007/10/26 13:06:09, 5] nsswitch/winbindd_sid.c:sid2gid_recv(254) Could not convert sid S-1-5-13 The log for my domain looks like this: [2007/10/26 13:06:09, 4] nsswitch/winbindd_dual.c:fork_domain_child(1054) child daemon request 20 [2007/10/26 13:06:09, 10] nsswitch/winbindd_dual.c:child_process_request(479) process_request: request fn LOOKUPSID [2007/10/26 13:06:09, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupsid(754) [20666]: lookupsid S-1-5-13 [2007/10/26 13:06:09, 10] nsswitch/winbindd_util.c:find_lookup_domain_from_sid(679) find_lookup_domain_from_sid(S-1-5-13) [2007/10/26 13:06:09, 10] nsswitch/winbindd_util.c:find_lookup_domain_from_sid(689) calling find_our_domain [2007/10/26 13:06:09, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(465) refresh_sequence_number: MYDOMAIN time ok [2007/10/26 13:06:09, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(499) refresh_sequence_number: MYDOMAIN seq number is now 22411 [2007/10/26 13:06:09, 10] nsswitch/winbindd_cache.c:centry_expired(539) centry_expired: Key SN/S-1-5-13 for domain MYDOMAIN is good. [2007/10/26 13:06:09, 10] nsswitch/winbindd_cache.c:wcache_fetch(624) wcache_fetch: returning entry SN/S-1-5-13 for domain MYDOMAIN [2007/10/26 13:06:09, 10] nsswitch/winbindd_cache.c:sid_to_name(1436) sid_to_name: [Cached] - cached name for domain MYDOMAIN status: NT_STATUS_OK [2007/10/26 13:06:09, 10] nsswitch/winbindd_cache.c:cache_store_response(2260) Storing response for pid 20667, len 3240 [2007/10/26 13:06:09, 10] lib/events.c:get_timed_events_timeout(295) timed_events_timeout: 3520/681041 The idmap-log looks like this: [2007/10/26 13:06:09, 4] nsswitch/winbindd_dual.c:fork_domain_child(1054) child daemon request 49 [2007/10/26 13:06:09, 10] nsswitch/winbindd_dual.c:child_process_request(479) process_request: request fn DUAL_SID2GID [2007/10/26 13:06:09, 3] nsswitch/winbindd_async.c:winbindd_dual_sid2gid(558) [20666]: sid to gid S-1-5-13 [2007/10/26 13:06:09, 10] nsswitch/idmap_util.c:idmap_sid_to_gid(145) idmap_sid_to_gid: sid = [S-1-5-13] [2007/10/26 13:06:09, 10] nsswitch/idmap_util.c:idmap_sid_to_gid(165) sid [S-1-5-13] not mapped to an gid [2,2,2439960] [2007/10/26 13:06:09, 10] nsswitch/winbindd_async.c:winbindd_dual_sid2gid(570) winbindd_dual_sid2gid: 0xc073 - S-1-5-13 - 0 [2007/10/26
[Samba] Performance Issue on Samba 3.023d with many small files
I am transmitting many small files from Windows 2000 to Samba as AD-Member Server with a Gigabit LAN Adapter. Transmitting a large number of small files brings performance down below 80 Kbyte/s. How can I work around this? How can I identify what makes Samba so slow (and set-up Samba parameters better if it is a configuration issue?) Has there been some performance boost in some later release than 3.023d? - I'm using a ACL-patched 2.4 Kernel - I'm using filesystem ext3, but there is no difference with XFS. - I have a Gigabit LAN and I'm able to transmit TCP about 22 Mbyte/s (tested with iperf between client and server) (UDP performance is worse). - I have a Windows Server (2000) in the same network as I am using AD: While transmitting large files from Windows Client to Windows Server or Samba Member Server allows approx. the same data rate, my test set of 3 GB (with the small files) takes about twice the time to transmit to the Samba Server than to the Windows Server). So it's not that my Samba Server is generally slow, only small files cause trouble. Kind regards, Jens -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Cannot set ACL rights for group Authenticated Users (SID S-1-5-11)\ Two bugs in change svn-22481
Thanks Jeremy for the ACL-fix (svn-Revision 22481). It points out the way to go, even though I think, you had a bad day: IMHO, There are two bugs: (a) A minor bug in your util_sid.c - change. The additional test if (sid_equal(sid, global_sid_System)) return True; is superfluous, as the global_sid_System is part of NT-Authority which is lateron tested with if (sid_equal(dom, global_sid_NT_Authority)) return True; I recommend reverting util_sic.c to revision 22480. (b) A severe bug in your change to posix_acls.c You have moved the test for non-mappable SIDs from a point BEFORE SMB_MALLOC_P to a point beyond the call current_ace = SMB_MALLOC_P(---). Thus your fix leaks memory of size canon_ace each time a non-mappable SID is called. The correct code in create_canon_ace_lists should look like this: /* * Silently ignore map failures in non-mappable SIDs (NT Authority, BUILTIN etc). */ if (non_mappable_sid(psa-trustee)) { DEBUG(10,(create_canon_ace_lists: ignoring non-mappable SID %s\n, sid_to_string(str, psa-trustee) )); SAFE_FREE(current_ace); continue; } I hope, I didn't miss a point in my analysis. Kind regards, Jens Nissen Jeremy Allison wrote: On Thu, Apr 12, 2007 at 08:06:21PM +0200, Jens Nissen wrote: I cannot set rights on a arbitrary file or folder for the Windows predefined group Authenticated Users (which has SID S-1-5-11) via SAMBA 3.0.23d and the standard Windows 2000 File Attribute Dialog. Everything else works: - I can set rights for any other domain group. - I can read the ACL entry for Authenticated Users in the Windows 2000 File Attribute Dialog if I set it manually with setfacl before - I am using tdbsam and the SID S-1-5-11 is mapped to GID 1018 (checked with wbinfo -Y), so SAMBA and Windows both seem to agree on the existence of this predefined group. What am I doing wrong? Is this supposed to work? Is there a workaround or any other suitable mapping for this group? In the Unofficial Samba + ACL Howto, there is a reference (chapter 3.1.4) that this might not work, but that was back in 2003 and 4 years have passed since then. What fails ? Selecting the user in the GUI ? More info on exactly what isn't working would be good. Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Cannot set ACL rights for group Authenticated Users (SID S-1-5-11)\
Gerald (Jerry) Carter wrote: Jens Nissen wrote: SID S-1-5-11 (Authenticated Users) is part of the NT Authority. Why should this SID be non-mappable? It's not mappable to a gid. Can I simply comment the lines out? What will happen afterwards? Nope. All SIDs have to be converted to a gid. Thanks, Jerry. But I have 4 comments (+1 extra): 1) wbinfo -Y S-1-5-11 - 1018, which means, S-1-5-11 is mapped to GID 1018, contradicting that S-1-5-11 is not mapped. 2) If I set (with setfacl) proper rights to a folder for this group 1018 and I set inherit permissions for the whole share, Samba nicely copies the corresponding rights into any subfolder I create with Samba and Windows Explorer. So Authenticated Users becomes visible to Windows Clients on a Samba share. 3) Group S-1-5-11 does not make sense to Samba, but Windows can use it. Why is there a difference? Why can't Samba emulate Windows here? 4) Even if Samba can't make sense of S-1-5-11, others can. Think of the following scenario: Server A from domain A-Domain supplies Updates to Samba Server S (e.g. by using xcopy). Server B (which is a PDC in B-Domain) pulls this update from S (again by using xcopy) Clients X (from B-Domain) access the file on Server B. If the chain A-S-B maintains the proper rights for S-1-5-11, then X can access it, provided it can authenticate with B. This last scenario is what our customers would like to do and what they already do using a Windows Server in place S (which I would like to replace with a wonderful Unix server) Do you see any reasonable way to achieve this or something similar? Kind regards, Jens (/* very humble (I admit I do not see all the consequences using S-1-5-11 has) */) P.S: IMHO, deleting ACLs which Samba cannot map, probably is a bug. Think of a file, which is shared between two different domains, e.g., two different Samba processes. If one process deletes EXISTING ACLs of the other process simply because it cannot map them, this can be extremely annoying. ( Something like that: Samba Process (configuration) A - GIDs from 1000-1999 Samba Process (configuration) B - GIDs from 2000-2999 File X has ACL user:1500:RW- (via Samba Process A) Now a user of process (domain) B adds ACL user:2500:RWX to file X. Does Samba Process B automatically delete user:1500:RW- thus making the file unaccessible from A??? IMO, it should not be allowed to do this! BTW: The processes don't run concurrently at the same time, B is a kind of fallback domain in case the domain server from A fails. ) Thanks for your patience -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Cannot set ACL rights for group Authenticated Users (SID S-1-5-11)\
Reading the code, I located the bug in smbd/posix_acls.c:create_canon_ace_lists, but I do need advice of someone who knows what is going on and what to do. The source code says: /// /* * Ignore non-mappable SIDs (NT Authority, BUILTIN etc). */ if (non_mappable_sid(psa-trustee)) { fstring str; DEBUG(10,(create_canon_ace_lists: ignoring non-mappable SID %s\n, sid_to_string(str, psa-trustee) )); continue; } /// SID S-1-5-11 (Authenticated Users) is part of the NT Authority. Why should this SID be non-mappable? Windows Servers do allow setting this SID so I expect Samba Servers to do simply the same as the Windows Servers! Can I simply comment the lines out? What will happen afterwards? a) Does Samba correctly behave in case this SID is set? Will it allow reading the ACL in call cases? (It looks as if Samba displays it correctly, tested with setfacl on a small file) b) Does Samba correctly interpret the rights if they are set? Authenticated Users are simply defined as /// Quote from http://technet2.microsoft.com/WindowsServer/en/library/86cf2457-4f17-43f8-a2ab-7f4e2e5659091033.mspx?mfr=true /// Includes all users and computers whose identities have been authenticated. Authenticated Users does not include Guest even if the Guest account has a password. /// /// So Samba should know what to do. c) Does it make sense to file a bug in bugzilla? Jens -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Cannot set ACL rights for group Authenticated Users (SID S-1-5-11)\
Very embarassing indeed :-() What I do: Put the Authenticated Users to the list of users already having access. I then assign some rights (let's say Read and Write) and then I press OK. What I see: After reopening the GUI (or pressing Update), the entry has simply vanished. Checking with getfacl shows, that Authenticated Users have received no ACL entry. What is even stranger: I set the permissions for Authenticated Users with setfacl and edit a completely different domain user ACL entry and press OK again. What I see: The ACL entry for Authenticated Users has gone. The ACL entry for the domain user is perfectly oK. Again, I checked with getfacl that what the GUI shows indeed is correct. I'm using security=ADS - may this have an impact? Jens Jeremy Allison wrote: On Thu, Apr 12, 2007 at 08:06:21PM +0200, Jens Nissen wrote: I cannot set rights on a arbitrary file or folder for the Windows predefined group Authenticated Users (which has SID S-1-5-11) via SAMBA 3.0.23d and the standard Windows 2000 File Attribute Dialog. Everything else works: - I can set rights for any other domain group. - I can read the ACL entry for Authenticated Users in the Windows 2000 File Attribute Dialog if I set it manually with setfacl before - I am using tdbsam and the SID S-1-5-11 is mapped to GID 1018 (checked with wbinfo -Y), so SAMBA and Windows both seem to agree on the existence of this predefined group. What am I doing wrong? Is this supposed to work? Is there a workaround or any other suitable mapping for this group? In the Unofficial Samba + ACL Howto, there is a reference (chapter 3.1.4) that this might not work, but that was back in 2003 and 4 years have passed since then. What fails ? Selecting the user in the GUI ? More info on exactly what isn't working would be good. Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Cannot set ACL rights for group Authenticated Users (SID S-1-5-11)
I cannot set rights on a arbitrary file or folder for the Windows predefined group Authenticated Users (which has SID S-1-5-11) via SAMBA 3.0.23d and the standard Windows 2000 File Attribute Dialog. Everything else works: - I can set rights for any other domain group. - I can read the ACL entry for Authenticated Users in the Windows 2000 File Attribute Dialog if I set it manually with setfacl before - I am using tdbsam and the SID S-1-5-11 is mapped to GID 1018 (checked with wbinfo -Y), so SAMBA and Windows both seem to agree on the existence of this predefined group. What am I doing wrong? Is this supposed to work? Is there a workaround or any other suitable mapping for this group? In the Unofficial Samba + ACL Howto, there is a reference (chapter 3.1.4) that this might not work, but that was back in 2003 and 4 years have passed since then. Kind regards for any hint, Jens P.S: smb.conf output from testparm, nt acl support = Yes is also set (testparm does not show it) [global] dos charset = ISO-8859-1 unix charset = ISO-8859-1 display charset = ISO-8859-1 workgroup = XXX realm = XXX.TEST security = ADS password server = xxx.xxx.test passdb backend = tdbsam guest account = samba name resolve order = host wins bcast idmap uid = 1000-6 idmap gid = 1000-6 winbind enum users = Yes winbind enum groups = Yes winbind nss info = rfc2307 ldapsam:trusted = Yes admin users = XXX\\Administrator ea support = Yes map acl inherit = Yes hide dot files = No map hidden = Yes map readonly = permissions dos filemode = Yes [homes] comment = Home Directories read only = No browseable = No preexec = mkdir -m 700 %P [shared] comment = ACL shared folder path = /export/shared read only = No create mask = 0777 directory mask = 0777 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] ENOATTR and extended attributes
I found a lot of stuff about ENOATTR. Can somebody point me to the correct way of handling ENOATTR with Samba 3.0.23d? To start with: I have trouble getting smbtorture EATEST to work. smbtorture assumes in limsbclient.h that unless ENOATTR is defined, ENOATTTR should be ENOENT (which is defined to be 2 in /usr/include/linux/errno.h). My ext3-ATTR(attr-2.4.32 + patches 0.8.73 I think it was) implementation does something similar: in absence of ENOATTR it returns ENODATA (which is 61). posix_acls.c and other smbd-components do something similar wrong (using ENOSYS which is 38). How do I fix the inconsistency best: - Patch Samba smbd and torture? - Patch linux/errno.h and recompile everything? What value should ENOATTR have in this case? - Patch attr-2.4 manually? Kind regards, Jens -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] ACLs fail in 3.0.23d
OK - I managed to track down the bug inside Samba, but I have no easy way to work around it. The dynamic mapping of vfs acls inside Samba does not seem to work. See the following sequence in posix_acls.c in function get_nt_acl: /* * Get the ACL from the path. */ posix_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, fsp-fsp_name, SMB_ACL_TYPE_ACCESS); /// My Workaround /// posix_acl equals 0 here if (!posix_acl) { posix_acl=acl_get_file(fsp-fsp_name, SMB_ACL_TYPE_ACCESS); } /// posix_acl is something else than 0 here /// End My Workaround While SMB_VFS_SYS_ACL_GET_FILE returns a Null-Pointer, the call afterwards to acl_get_file does return a ACL description which is non-zero. So the vfs-wrapper code fails, even though smbd is obviously linked to the correct ACL 1.0 library (as acl_get_file can be found inside libacl). How can I work around this? It would be horrible, if I had to find all wrapped library code and replace it by something hard-wired. Kind regards, Jens Nissen Original-Nachricht Datum: Tue, 30 Jan 2007 11:44:18 +0100 (MET) Von: Jan Engelhardt [EMAIL PROTECTED] An: Jens Nissen [EMAIL PROTECTED] Betreff: Re: [Samba] ACLs fail in 3.0.23d One question: how does Samba find out, that ACLs are activated? I suppose the only sane way is to try calling functions from libacl. If they fail unreasonably, then the fs does not support ACLs. Whenever I try to read or modify ACLs from my Windows 2000 PDC, my Samba Domain Member Server (Security = ADS) does not allow setting ACLs, nor does it display the existing ACLs. Does it at least enforce them? What does enforce mean? chmod 600 file setfacl -m u:otheruser:rwx file should give otheruser write permissions on the file, even if Windows does not get ACLs right (e.g. W98, which does not know ACLs at all). But I am missing something like --WITH-ACL: smbd -b shows defines, not configure options. Jan -- ft: http://freshmeat.net/p/chaostables/ -- Der GMX SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen! Ideal für Modem und ISDN: http://www.gmx.net/de/go/smartsurfer -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] smbtorture NEGNOWAIT makes 3.023d dump core
smbtorture NEGNOWAIT causes a core dump with a message Abnormal server exit: multiple negprot's are not permitted. Is that truely by design?? I am running Samba 3.0.23d as AD member server and have smbtorture running on the same machine. Kind regards, Jens Appended: The final second of the smbd... [2007/01/30 16:48:38, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(260) Linux kernel oplocks enabled [2007/01/30 16:48:38, 3] smbd/process.c:process_smb(1110) Transaction 0 of length 183 [2007/01/30 16:48:38, 3] smbd/process.c:switch_message(914) switch message SMBnegprot (pid 12385) conn 0x0 [2007/01/30 16:48:38, 3] smbd/sec_ctx.c:set_sec_ctx(241) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2007/01/30 16:48:38, 3] smbd/negprot.c:reply_negprot(487) Requested protocol [PC NETWORK PROGRAM 1.0] [2007/01/30 16:48:38, 3] smbd/negprot.c:reply_negprot(487) Requested protocol [MICROSOFT NETWORKS 1.03] [2007/01/30 16:48:38, 3] smbd/negprot.c:reply_negprot(487) Requested protocol [MICROSOFT NETWORKS 3.0] [2007/01/30 16:48:38, 3] smbd/negprot.c:reply_negprot(487) Requested protocol [LANMAN1.0] [2007/01/30 16:48:38, 3] smbd/negprot.c:reply_negprot(487) Requested protocol [LM1.2X002] [2007/01/30 16:48:38, 3] smbd/negprot.c:reply_negprot(487) Requested protocol [DOS LANMAN2.1] [2007/01/30 16:48:38, 3] smbd/negprot.c:reply_negprot(487) Requested protocol [Samba] [2007/01/30 16:48:38, 3] smbd/negprot.c:reply_nt1(357) using SPNEGO [2007/01/30 16:48:38, 3] smbd/negprot.c:reply_negprot(580) Selected protocol NT LANMAN 1.0 [2007/01/30 16:48:38, 3] smbd/process.c:process_smb(1110) Transaction 1 of length 183 [2007/01/30 16:48:38, 3] smbd/process.c:switch_message(914) switch message SMBnegprot (pid 12385) conn 0x0 [2007/01/30 16:48:38, 3] smbd/sec_ctx.c:set_sec_ctx(241) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2007/01/30 16:48:38, 3] smbd/sec_ctx.c:set_sec_ctx(241) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2007/01/30 16:48:38, 3] smbd/connection.c:yield_connection(69) Yielding connection to [2007/01/30 16:48:38, 0] smbd/server.c:exit_server_common(657) === [2007/01/30 16:48:38, 0] smbd/server.c:exit_server_common(659) Abnormal server exit: multiple negprot's are not permitted [2007/01/30 16:48:38, 0] smbd/server.c:exit_server_common(660) === -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] ACLs fail in 3.0.23d
I have an extf3-filesystem and I am absolutely sure, that Samba is correctly compiled - see the following line from the map-file: 0x00041b24acl_get_fd@@ACL_1.0 ... 0x00041d7cacl_get_file@@ACL_1.0 As mentioned before: # /bin/smbd -b | grep -i ACL HAVE_SYS_ACL_H HAVE_POSIX_ACLS And in addition: if I call directly acl_get_file from Samba, I get a POSIX ACE!!! This shows IMHO: - smbd is linked against / loads /boot/lib/libacl.so.1 - the file system has ACLs / ACEs available (also controlled with getfacl / chacl /setfacl) I traced the log-file for the string vfs hooks. There are two places in vfs.c where this string can come from: - Initialising default vfs hooks - Initialising custom vfs hooks from [%s] I only get the first string. So the vfs_wrapper is initialised by default which (??) is the posix_ace module??? (Can someone confirm this?). If that is the case, there are a few ways, the wrapper could give wrong results. One is, that a thread is forked and the initializing code is not called. In this case, acl_get_file would not get called. One other reason could be, that some other function gets called as the table is wrong. I cannot really tell, as I do not have a gdb on the system running (and I do not really know how to use it as a matter of fact :-( ) Kind regards and thanks for all kinds of help in advance!!! Jens Original-Nachricht Datum: Tue, 30 Jan 2007 10:11:13 -0600 Von: Gerald (Jerry) Carter [EMAIL PROTECTED] An: Jens Nissen [EMAIL PROTECTED] Betreff: Re: [Samba] ACLs fail in 3.0.23d -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Jens Nissen wrote: OK - I managed to track down the bug inside Samba, but I have no easy way to work around it. The dynamic mapping of vfs acls inside Samba does not seem to work. See the following sequence in posix_acls.c in function get_nt_acl: /* * Get the ACL from the path. */ posix_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, fsp-fsp_name, SMB_ACL_TYPE_ACCESS); /// My Workaround /// posix_acl equals 0 here if (!posix_acl) { posix_acl=acl_get_file(fsp-fsp_name, SMB_ACL_TYPE_ACCESS); } /// posix_acl is something else than 0 here /// End My Workaround While SMB_VFS_SYS_ACL_GET_FILE returns a Null-Pointer, the call afterwards to acl_get_file does return a ACL description which is non-zero. Are you absolutely sure you built with ACL support? (--with-acl-support) and that `smbd -b | grep ACL` returns the expected result for your platform? Also what file system is this? cheers, jerry = Samba--- http://www.samba.org Centeris --- http://www.centeris.com What man is a man who does not make the world better? --Balian -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2.2 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFv24hIR7qMdg1EfYRAn5AAJ4g43TpD6kfSxk1wgQZnEm1zU/n7QCfRpvT DVt4OvndKTXOiVSYUG0FXWg= =93u5 -END PGP SIGNATURE- -- Der GMX SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen! Ideal für Modem und ISDN: http://www.gmx.net/de/go/smartsurfer -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] ACLs fail in 3.0.23d
Whenever I try to read or modify ACLs from my Windows 2000 PDC, my Samba Domain Member Server (Security = ADS) does not allow setting ACLs, nor does it display the existing ACLs. - I have setup ACLs in my Kernel - I have translated and installed libacl and libattr - I can see and modify ACLs with getfacl and setfacl. - I have translated Samba 3.0.23d with --with-acl-support=yes - I have enabled ACLs on my share with nt acl support = yes Still ACLs do not show up, neither for files nor for directories. (A) Strange thing - a bug in smbd??: even though smbd is dynamically linked to libacl and libattr (I checked this with ldd), smbd -b | grep acl is empty. Can someone please confirm this?! (B) I tried smbtorture: OPENATTR and EATEST fail. Does this have something to do with my ACL problem? (C) Log excerpt when trying to set ACL: I get convert_canon_ace_to_posix_perms: Too many ACE entries error. I could not find an explanation for this on the net. [2007/01/29 12:23:17, 3] smbd/dosmode.c:unix_mode(147) unix_mode(acl2.test) returning 0744 [2007/01/29 12:23:17, 3] smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2579) convert_canon_ace_to_posix_perms: Too many ACE entries for file acl2.test to convert to posix perms. [2007/01/29 12:23:17, 3] smbd/posix_acls.c:set_nt_acl(3269) set_nt_acl: failed to convert file acl to posix permissions for file acl2.test. (D) What am I missing - how can I approach the issue and find out, why ACLs do not work on my system? Kind regards, Jens -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] ACLs fail in 3.0.23d
Thanks for your fast reply! I forgot to mention: I am using ext3. # mount | grep export /dev/hda4 on /export type ext3 (acl,user_xattr) One question: how does Samba find out, that ACLs are activated? Does it use the /proc filesystem? This would cause trouble, see the following: # cat /proc/mounts | grep export /dev/hda4 /export ext3 rw 0 0 The latter information (which results from /etc/fstab) is not conformant with the result from above mount-query!! I am remounting my /export - filesystem right before starting smbd and my SAMBA share (export/shared) resides in /export! Jan Engelhardt wrote: On Jan 29 2007 12:45, Jens Nissen wrote: Whenever I try to read or modify ACLs from my Windows 2000 PDC, my Samba Domain Member Server (Security = ADS) does not allow setting ACLs, nor does it display the existing ACLs. Does it at least enforce them? What does enforce mean? (A) Strange thing - a bug in smbd??: even though smbd is dynamically linked to libacl and libattr (I checked this with ldd), smbd -b | grep acl is empty. Can someone please confirm this?! Use grep -i. Stupid me! # /bin/smbd -b | grep -i acl HAVE_SYS_ACL_H HAVE_POSIX_ACLS But I am missing something like --WITH-ACL: # /bin/smbd -b | grep -i WITH WITH_UTMP --with Options: WITH_ADS WITH_CIFSMOUNT WITH_QUOTAS WITH_SENDFILE WITH_SMBMOUNT WITH_UTMP WITH_WINBIND TIME_WITH_SYS_TIME WITH_ADS WITH_CIFSMOUNT WITH_QUOTAS WITH_SENDFILE WITH_SMBMOUNT WITH_WINBIND [2007/01/29 12:23:17, 3] smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2579) convert_canon_ace_to_posix_perms: Too many ACE entries for file acl2.test to convert to posix perms. Filesystems limit the number of ACLs. For XFS, I think it is 25 entries. [2007/01/29 12:23:17, 3] smbd/posix_acls.c:set_nt_acl(3269) set_nt_acl: failed to convert file acl to posix permissions for file acl2.test. -`J' I'm not exceeding limits, I think: # getfacl /export/shared/acl.test getfacl: Removing leading '/' from absolute path names # file: export/shared/acl.test # owner: root # group: root user::rw- user:Schnuffi:r-x user:CANDEO\134administrator:r-x user:CANDEO\134vx778:r-x group::r-- mask::r-x other::r-- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] NT_STATUS_NO_LOGON_SERVERS if Domain Controller is absent
I have my Samba 3.0.21c Linux Server as Domain member (security=ADS) so that domain users can use the Samba Server as shared file server. Everything works nice if the domain controller is present, e.g. wbinfo -a DOMAIN\\donald%donald plaintext password authentication succeeded challenge/response password authentication succeeded (this just simulates a Windows 2000 Client using the share which works equally well) Now I disconnect the domain controller and try the same: wbinfo -a DOMAIN\\donald%donald plaintext password authentication failed error code was NT_STATUS_NO_LOGON_SERVERS (0xc05e) error messsage was: No logon servers Could not authenticate user DOMAIN\donald%donald with plaintext password challenge/response password authentication failed error code was NT_STATUS_NO_LOGON_SERVERS (0xc05e) error messsage was: No logon servers Could not authenticate user DOMAIN\donald with challenge/response (this just simulates a Windows 2000 Client using the share which also does not work with nearly the same error message on the Windows 2000 Client) I have set-up winbind and kerberos in proper fashion (I hope), so what else is wrong here or is it a bug in winbind? I think that security=ADS is especially designed for my intended use (backup file share if the domain controller is down). Or do I misunderstand the Samba concept? Note: I'm using passdb backend = tdbsam. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba