[SCM] Samba Shared Repository - branch master updated

2024-01-14 Thread Joseph Sutton
The branch, master has been updated
   via  f30a79d7f23 python: Generate HRESULT definitions automatically
   via  5199d788f45 s4:scripting: Remove obsolete references to function prototypes
   via  16e55406e97 s4:scripting: Remove trailing whitespace
   via  cce290e8f58 s4:scripting: Generate HRESULT definitions as part of the build process
   via  2e82159d0f6 s4:scripting: Ensure generated error definition files are closed after use
   via  edff07c7d6a s4:scripting: Remove global list of errors
   via  a846ebb4438 s4:scripting: Use common function to parse error descriptions
   via  6b446b5119c s4:scripting: Remove blank line
   via  b70f4b0d9f3 s4:scripting: Correctly report number of parsed lines
   via  484a1a301aa s4:scripting: Let error definition generation scripts tolerate empty lines
   via  a1bf1b22893 s4:scripting: Initialize line number to (possibly) more appropriate value
   via  575a70100f5 s4:scripting: Initialize ‘isWinError’ in constructor
   via  da545372022 libcli:util: Update NTSTATUS definitions
   via  446ef0aa8c8 libcli:util: Update HRESULT definitions
   via  71f1aee6cae s4:scripting: Align integer types
  from  9ea124e29e3 docs: Update idmap_ad.8 that rfc2307 is the default

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit f30a79d7f23565d9bab3ce6f44c307d858fe6f56
Author: Joseph Sutton 
Date:   Thu Jan 11 16:23:55 2024 +1300

python: Generate HRESULT definitions automatically

Signed-off-by: Joseph Sutton 
Reviewed-by: Douglas Bagnall 

Autobuild-User(master): Joseph Sutton 
Autobuild-Date(master): Mon Jan 15 01:56:53 UTC 2024 on atb-devel-224

commit 5199d788f45579093a0e61dd73865f20b75c3fc2
Author: Joseph Sutton 
Date:   Fri Jan 12 09:56:29 2024 +1300

s4:scripting: Remove obsolete references to function prototypes

These prototypes were removed in commit
0ffe030c0dcd46b51ffb2f11c03d5b48e93d32b9.

Signed-off-by: Joseph Sutton 
Reviewed-by: Douglas Bagnall 

commit 16e55406e97d0edf5816887c63eb789998d3c0a3
Author: Joseph Sutton 
Date:   Fri Jan 12 09:57:54 2024 +1300

s4:scripting: Remove trailing whitespace

Signed-off-by: Joseph Sutton 
Reviewed-by: Douglas Bagnall 

commit cce290e8f58e0e21713d4c9d69ad73d497bdca83
Author: Joseph Sutton 
Date:   Thu Jan 11 11:25:53 2024 +1300

s4:scripting: Generate HRESULT definitions as part of the build process

Signed-off-by: Joseph Sutton 
Reviewed-by: Douglas Bagnall 

commit 2e82159d0f65087af861027bf35544a1e26454ab
Author: Joseph Sutton 
Date:   Thu Jan 11 11:23:53 2024 +1300

s4:scripting: Ensure generated error definition files are closed after use

This helps to avoid warnings like this one:

/data/samba/source4/scripting/bin/gen_hresult.py:178: ResourceWarning: unclosed file <_io.TextIOWrapper name='/data/samba/bin/default/libcli/util/hresult.c' mode='w' encoding='UTF-8'>
  main()
ResourceWarning: Enable tracemalloc to get the object allocation traceback

Signed-off-by: Joseph Sutton 
Reviewed-by: Douglas Bagnall 

commit edff07c7d6af8c6e5276198adad1ae14fef76506
Author: Joseph Sutton 
Date:   Thu Jan 11 11:20:59 2024 +1300

s4:scripting: Remove global list of errors

Signed-off-by: Joseph Sutton 
Reviewed-by: Douglas Bagnall 

commit a846ebb443844193943c35adc3b73a52afc9beac
Author: Joseph Sutton 
Date:   Thu Jan 11 11:19:22 2024 +1300

s4:scripting: Use common function to parse error descriptions

The version of parseErrorDescriptions() from gen_error_common is almost
the same as the one we’ve been using. One minor difference is that
ErrorDef.error_code is now an integer rather than a string.

Signed-off-by: Joseph Sutton 
Reviewed-by: Douglas Bagnall 

commit 6b446b5119cabcb1c7fd35481f3313b64ada098e
Author: Joseph Sutton 
Date:   Thu Jan 11 11:14:27 2024 +1300

s4:scripting: Remove blank line

Signed-off-by: Joseph Sutton 
Reviewed-by: Douglas Bagnall 

commit b70f4b0d9f3ba145b66623ced8c9334f2ca55a09
Author: Joseph Sutton 
Date:   Thu Jan 11 11:13:33 2024 +1300

s4:scripting: Correctly report number of parsed lines

Signed-off-by: Joseph Sutton 
Reviewed-by: Douglas Bagnall 

commit 484a1a301aa5bab600306bea0170b1464beb9660
Author: Joseph Sutton 
Date:   Thu Jan 11 11:12:21 2024 +1300

s4:scripting: Let error definition generation scripts tolerate empty lines

Commit beb99b80612556bc47e72a63f89fca75839d91d4 added a similar check just
for gen_hresult.py.

Signed-off-by: Joseph Sutton 
Reviewed-by: Douglas Bagnall 

commit a1bf1b2289333d6811f4f18373b050d5706785b7
Author: Joseph Sutton 
Date:   Thu Jan 11 11:11:15 2024 +1300

s4:scripting: Initialize line number to (possibly) more appropriate value

Signed-off-by: Joseph Sutton 
Re

[SCM] Samba Shared Repository - branch master updated

2023-10-01 Thread Joseph Sutton
The branch, master has been updated
   via  7b6c17359ba tests/krb5: Test that the correct Asserted Identity SID is added when inner FX‐FAST padata is used
   via  77b35c423ee s4:kdc: Make use of ‘samba_kdc_entry_pac’ wrapper type
   via  bad7a3fcead s4:kdc: Add function to get device PAC entry from Heimdal request structure
   via  79b33eeaccb s4:kdc: Add function to determine whether a KDC entry represents a trust
   via  1ea4b271628 s4:kdc: Fix indentation
   via  45e8e197198 s4:kdc: Remove unused declaration
   via  1c456912a13 s4:kdc: Add ‘samba_kdc_entry_pac’ wrapper type
   via  0633e78b57e third_party/heimdal_build: Define HAVE_KRB5_PAC_IS_TRUSTED when using embedded Heimdal
   via  46c08652f81 tests/krb5: Add Device Restriction tests for silos and authentication policies in the KDC
   via  321e0ed675b s4:kdc: Remove unused parameters from samba_kdc_verify_pac()
   via  3358b04a589 s4:kdc: Remove device PAC validation
   via  989fb009852 tests/krb5: Add tests performing AS‐REQs armored with unacceptable tickets
   via  849ee959845 tests/krb5: Add method to perform an armored AS‐REQ
   via  eba1ab0c840 tests/krb5: Initialize variable
   via  68dc69d86f1 s4:kdc: Remove ‘asserted_identity’ parameter from samba_kdc_get_user_info_dc()
   via  3c480886ade s4:kdc: Have callers of samba_kdc_get_user_info_dc() themselves add an Asserted Identity SID
   via  f250a24e922 s4:kdc: Remove ‘claims_valid’ parameter from samba_kdc_get_user_info_dc()
   via  cfeb3d75cb3 s4:kdc: Have callers of samba_kdc_get_user_info_dc() themselves add the Claims Valid SID
   via  e0a3dd54992 s4:kdc: Remove ‘compounded_auth’ parameter from samba_kdc_get_user_info_dc()
   via  41527cfaf93 s4:kdc: Remove unused memory context from samba_kdc_lookup_realm()
   via  2f9d2ff8952 s4:kdc: Add parameters for claims and device info to authn_policy_authenticate_to_service()
   via  3ae75998307 s4:kdc: Add claims parameter to authn_policy_authenticate_from_device()
   via  54cd7f4f804 s4:kdc: Add parameters for claims and device info to authn_policy_access_check()
   via  8a5921d9747 s4:auth: Add parameters for claims and device info to auth_generate_security_token()
   via  a3a489fa537 s4:kdc: Reformat function call
   via  a2b6c2199fd s4:auth: Reformat function calls
   via  4f0ba2b0bf2 s4:auth: Rename parameter to match function implementation
   via  a621e9ab991 s4:dsdb: Add session info flag to indicate authentication with a device
   via  c829dd1ba84 s4:dsdb: Add parameters for claims and device SIDs to security_token_create()
   via  773c36baa0d pidl: Parenthesize expression to be cast
   via  26e40717aa0 ndr: Parenthesize expressions to be cast
   via  c45a24cc417 s4:kdc: Initialize pointer to NULL
   via  7587532292c s4:kdc: Remove unnecessary assignments
   via  af22a6552df s4:kdc: Check that principal being copied is not NULL
   via  452aeb218d9 s4:kdc: Prefer explicit initialization to ZERO_STRUCTP()
   via  fff9b71b847 .gitattributes: Mark large data file as binary
   via  da202eb2092 lib:krb5_wrap: Include missing headers
   via  d30a6124101 s4:auth: Ensure that some parameters are not NULL
   via  bbb259e1d06 libcli/security: Handle new ACE types with sec_ace_object()
   via  4437eb149e3 libcli/security: Have security_ace_equal() handle callback and resource ACEs
   via  e4d45d4103f libcli/security: Parenthesize macro parameter
   via  9ecd17c84b0 libcli/security: Conform to Samba’s brace style
   via  bc680b6f4a0 s4:torture: Fix building with FORTIFY_SOURCE=2
   via  c2f55b061f8 s4:ntvfs: Fix building with FORTIFY_SOURCE=2
   via  c3eaa285d81 s3:smbd: Fix building with FORTIFY_SOURCE=2
   via  b33a486e657 s3:rpc_server: Fix building with FORTIFY_SOURCE=2
   via  10726fb347a s3:libads: Fix building with FORTIFY_SOURCE=2
   via  184a48d6577 s3:libads: Don’t do first loop iteration if ‘attr’ is NULL
   via  1f92b5f1501 lib/util: Fix building with FORTIFY_SOURCE=2
   via  a77b90d8085 ldb: Fix building with FORTIFY_SOURCE=2
   via  50c208fc536 lib/ldb-samba: Fix building with FORTIFY_SOURCE=2
   via  e961783add9 lib:compression: Fix building with FORTIFY_SOURCE=2
  from  90ba53eee4a samba-tool: Fix for gpo restore not working without --tmpdir

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 7b6c17359ba4f264e4f84e5495c79c62a3e9bb89
Author: Joseph Sutton 
Date:   Thu Sep 28 12:47:49 2023 +1300

tests/krb5: Test that the correct Asserted Identity SID is added when inner FX‐FAST padata is used

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15477

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Joseph Sutton 
Autobuild-Date(master): Sun Oct  1

[SCM] Samba Shared Repository - branch master updated

2023-08-02 Thread Joseph Sutton
The branch, master has been updated
   via  06d673a1a0c third_party/heimdal: Import lorikeet-heimdal-202308030152 (commit 2a036a6fd80833799316b8a85623cdea3a1135df)
  from  00316255984 dsdb: Make a shallow copy of ldb_parse_tree in operational module

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 06d673a1a0c54e78773cc951124486b547ca880d
Author: Joseph Sutton 
Date:   Thu Aug 3 13:57:20 2023 +1200

third_party/heimdal: Import lorikeet-heimdal-202308030152 (commit 2a036a6fd80833799316b8a85623cdea3a1135df)

This import fixes the build on 32-bit FreeBSD.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15443

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Joseph Sutton 
Autobuild-Date(master): Thu Aug  3 05:40:28 UTC 2023 on atb-devel-224

---

Summary of changes:
 third_party/heimdal/kdc/pkinit.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/third_party/heimdal/kdc/pkinit.c b/third_party/heimdal/kdc/pkinit.c
index 080ead541b4..495dfa7a7e5 100644
--- a/third_party/heimdal/kdc/pkinit.c
+++ b/third_party/heimdal/kdc/pkinit.c
@@ -1978,10 +1978,10 @@ _kdc_pk_validate_freshness_token(astgs_request_t r,
 token_time, sizeof(token_time), TRUE);
 
kdc_log(r->context, r->config, 4, "Freshness token has too large time 
skew: "
-   "time in token %s is out by %ld > %ld seconds — %s",
+   "time in token %s is out by %ld > %jd seconds — %s",
token_time,
time_diff,
-   r->context->max_skew,
+   (intmax_t)(r->context->max_skew),
r->cname);
 
r->e_text = NULL;
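
Review bot: time_diff is still printed with the first %ld and no cast in this kdc_log() call, while only r->context->max_skew gets the (intmax_t) cast and %jd. The declaration of time_diff is outside this hunk; if it is not a plain long (for example if it is derived from time_t), the same format/argument mismatch remains on platforms where long is 32 bits, so I would give it the same treatment: %jd with (intmax_t)time_diff. Please also confirm that pkinit.c already includes a header that declares intmax_t (<stdint.h> or <inttypes.h>), since the hunk adds no include.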


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2022-12-01 Thread Joseph Sutton
The branch, master has been updated
   via  d9c192546fa lib/compression/lzxpress: fix our slow compression
   via  caa643e36e6 lib/compression/lzxpress: shift encoding into helper functions
   via  fb35cf29a42 lib/compression/lzxpress compression: use a write context struct
   via  e4066b2be6d lib/compression: more tests for lzxpress plain compression
   via  c0f28d71858 lib/compression: add test data for lzxpress plain compression
   via  ce7ea07d073 testdata: move compression examples to re-use with lzxpress plain
   via  9589f5282b9 lib/compression/lzx-plain: relax size requirements on long file
   via  c2db7fda4e3 lib/compression: convert test_lzxpress_plain to cmocka
   via  1f0aea77f5c selftest: be less confident in commending st/summary
   via  e5f9deed0d5 lib/compression: add test scripts README
   via  1a3d8da7313 lib/compression: test util to generate fuzzing seeds
   via  6a7c0ca23c6 lib/compression: Windows utility to generate test vectors
   via  7804570a379 lib/compression: script to test 3 byte hash
   via  dadecede544 lib/compression: helper script to make unbalanced data
   via  bce33816ec9 lib/compression: add a debug script to describe headers
   via  e58e9935047 fuzz: add fuzz_lzxpress_huffman_round_trip
   via  307aded670c fuzz: add fuzz_lzxpress_huffman_compress
   via  cda3c1a2270 fuzz: add fuzz_lzxpress_huffman_decompress
   via  e795985067e lib/compression/tests: add lzhuffman timer functions
   via  77048aaa61e lib/compression: debug routines for lzxpress-huffman
   via  955214ef6ec lib/compression/lzhuff: add debug flag to skip LZ77
   via  d4e3f0c88ef lib/compression: LZ77 + Huffman compression
   via  f86035c65bf lib/compression: add LZ77 + Huffman decompression
   via  bd35feaf7ed testdata: add test vectors for LZ77+Huffman [de-]compression
   via  7cff3ce2843 test/source_chars: ignore testdata/compression
   via  f6cda06dfb7 lib/compression: move lzxpress_plain test into tests/
   via  e24efb88ef5 fuzz: add fuzzers for stable_sort
   via  4e18e923999 util: add stable sort functions
  from  39df9f4a593 s3: smbd: Fix schedule_smb2_aio_read() to allow the last read in a compound to go async.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit d9c192546faca3b4b692738249f552b78e72d83a
Author: Douglas Bagnall 
Date:   Fri Nov 25 12:46:08 2022 +1300

lib/compression/lzxpress: fix our slow compression

This uses the same hash table method as lzxpress_huffman, though the
code can't be directly reused as the sizes of the offsets are
different, and there is not a block processing step here.

This will worsen the compression ratio compared to the exhaustive
search we previously used, though we still perform better than
Windows. To put numbers on it, the test files used to compress to 0.91
of Windows' compression size, and now they compress to 0.96.

On the other hand this is many orders of magnitude faster. It is
difficult to say exactly how much faster -- while the testsuite time
has only improved 200-fold (from 7 minutes to 2 seconds), most of the
remaining 2 seconds is used in data generation and management, not
compression. OSSFuzz consistently finds new vectors that time out
after a minute; on these we'll see nearly an order of magnitude of
orders of magnitude improvement.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Joseph Sutton 

Autobuild-User(master): Joseph Sutton 
Autobuild-Date(master): Fri Dec  2 00:00:04 UTC 2022 on sn-devel-184

commit caa643e36e671be9cb446afc99dfae3003aa8c6e
Author: Douglas Bagnall 
Date:   Fri Nov 25 12:38:11 2022 +1300

lib/compression/lzxpress: shift encoding into helper functions

This makes it easier to rework the encoding decision to depend on a
hash table match rather than the current exhaustive search.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Joseph Sutton 

commit fb35cf29a426ee2cb0ee280e147627fd3e84a71d
Author: Douglas Bagnall 
Date:   Thu Nov 17 16:15:00 2022 +1300

lib/compression/lzxpress compression: use a write context struct

This will make it possible to move encoding operations into helper
functions, which will make it easier to restructure the code to use a
hash table for faster matching.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Joseph Sutton 

commit e4066b2be6d87cae130f40e3faf3a0c8815389f8
Author: Douglas Bagnall 
Date:   Thu Nov 24 11:44:35 2022 +1300

lib/compression: more tests for lzxpress plain compression

These are based on (i.e. copied and pasted from) the LZ77 + Huffman
tests.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Joseph Sutton 

commit c0f28d71858a0fd3035971ca4f2f5a6af6d450b6
Author: Douglas Bagnall 
Date:   Thu Nov 24

[SCM] Samba Shared Repository - branch master updated

2022-03-17 Thread Joseph Sutton
The branch, master has been updated
   via  c91af5f1a8b tests/krb5: Simplify logic
   via  a9025b68b24 tests/krb5: Improve mock RODC creation
   via  e729606631b selftest: Simplify krb5 test environments
   via  80b22a7869f python: Restore SDDL abbreviations for SIDs
   via  1137ebc654e sddl: Remove SDDL SID strings unsupported by Windows
   via  732d17a129a sddl: Add new SDDL SID strings
   via  e61fa573fe1 sddl: Fix incorrect SDDL SID strings
   via  9b913fcb0f4 s4:rpc_server/lsa: Use explicit SID instead of SDDL abbreviation
   via  d55b717fd62 python: Use explicit SIDs instead of SDDL abbreviations
   via  c26ee3ba966 python:tests: Add tests for SDDL SID strings
  from  ef1dbcdc6cb torture: Allow Samba as an AD DC to use zeros for LM key

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit c91af5f1a8b666cdd305165937bf28c551b88134
Author: Joseph Sutton 
Date:   Mon Mar 7 17:07:48 2022 +1300

tests/krb5: Simplify logic

This code can be made part of the previous 'else' branch.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Joseph Sutton 
Autobuild-Date(master): Fri Mar 18 00:11:25 UTC 2022 on sn-devel-184

commit a9025b68b24956bf543ef85c96a7a8fe91784630
Author: Joseph Sutton 
Date:   Mon Mar 7 17:01:40 2022 +1300

tests/krb5: Improve mock RODC creation

Use a unique name for the mock RODC. Don't assign to _rodc_ctx until the
RODC has been created, so we don't try to use a mock RODC that failed to
create.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andreas Schneider 

commit e729606631b5bfaf7c4ad8c1e70697adf8274777
Author: Joseph Sutton 
Date:   Fri Mar 4 16:57:27 2022 +1300

selftest: Simplify krb5 test environments

It's not necessary to repeat the required environment variables for
every test.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andreas Schneider 

commit 80b22a7869f4ec8320a634810a10d3f058526aa7
Author: Joseph Sutton 
Date:   Tue Mar 15 10:20:59 2022 +1300

python: Restore SDDL abbreviations for SIDs

This time we use the correct values.

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 

commit 1137ebc654e4dfd91601abd20262024063a495c8
Author: Joseph Sutton 
Date:   Mon Mar 14 18:18:39 2022 +1300

sddl: Remove SDDL SID strings unsupported by Windows

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 

commit 732d17a129ab0f48d0025f5992af38d442b1fc6a
Author: Joseph Sutton 
Date:   Mon Mar 14 18:18:09 2022 +1300

sddl: Add new SDDL SID strings

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 

commit e61fa573fe1a911460cfb3b64ba05b031d124256
Author: Joseph Sutton 
Date:   Mon Mar 14 18:14:15 2022 +1300

sddl: Fix incorrect SDDL SID strings

Change the values to match those used by Windows.

Verified with PowerShell commands of the form:
New-Object Security.Principal.SecurityIdentifier ER

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 

commit 9b913fcb0f4e69b9fd7db1c974d7534ef356a318
Author: Joseph Sutton 
Date:   Mon Mar 14 19:40:45 2022 +1300

s4:rpc_server/lsa: Use explicit SID instead of SDDL abbreviation

This is to prepare for the SDDL string being removed.

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 

commit d55b717fd62a17b424400af0de2bac41c3ae80f5
Author: Joseph Sutton 
Date:   Mon Mar 14 19:40:16 2022 +1300

python: Use explicit SIDs instead of SDDL abbreviations

This is to prepare for changing the SDDL string values.

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 

commit c26ee3ba9662d03f0c32ee518d7a0a69d3bc8401
Author: Joseph Sutton 
Date:   Tue Mar 15 19:24:38 2022 +1300

python:tests: Add tests for SDDL SID strings

We get the server to decode the SDDL by putting the SID strings in the
defaultSecurityDescriptor of a new class and making an object of that
class. We then check that the resulting SID is what we expect.

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 

---

Summary of changes:
 libcli/security/sddl.c                   |  43 +-
 librpc/idl/security.idl                  |  30
 python/samba/descriptor.py               |  16 +-
 python/samba/schema.py                   |   6 +-
 python/samba/tests/krb5/kdc_base_test.py |  20 +--
 python/samba/tests/krb5/raw_testcase.py  |  10 +-
 python/samba/tests/sid_strings.py        | 235 ++
 selftest/knownfail.d/sid-strings         |   3 +
 source4/rpc_server/lsa/lsa_init.c        |   2 +-
 source4/selftest/tests.py                | 241 +--
 10 files changed, 373 insertions(+), 233

[SCM] Samba Shared Repository - branch master updated

2022-03-01 Thread Joseph Sutton
The branch, master has been updated
   via  791be84c3ee s4:kdc: hdb_samba4_audit() is only called once per request
   via  c9b0b4bfc4e s4-kdc: Adapt to move from HDB auditing to KDC auditing constants
   via  9399a15fabb s4:kdc: Adapt to removal of publicly accessible request structure members
   via  94d387abd50 s4:kdc: Adapt to hdb_entry_ex removal
   via  068f2bf117a s4:kdc: Increment plugin minor version
   via  7cb68fdba75 third_party/heimdal_build: Don't generate .x source files
   via  675f913e54d s4:kdc: Explicitly set plugin minor version
   via  b9f4ea8bdb7 third_party/heimdal_build: Add SFU source file
   via  f234361abea s4:kdc: Adapt to removal of auth audit event types
   via  83586e8f584 s4:kdc: Rename windc to kdc plugin
   via  a5799cea037 s4:kdc: Add referral policy callback
   via  0d37a192810 s4:kdc: Add 'not authorised' auth events
   via  7989ef0aa7b s4:kdc: Adapt to removal of auth event details
   via  a2f7987d583 s4:kdc: Refactor HDB API
   via  f2ca9c5db7e third_party/heimdal_build: Add source files to build
   via  51569b3152a third_party/heimdal: import lorikeet-heimdal-202203010107 (commit 0e7a12404c388e831fe6933fcc3c86e7eb334825)
   via  fccf9859786 third_party/heimdal_build: Define fallthrough macro for switch statements
  from  8c97743511e smbd: Fix a use-after-free

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 791be84c3eecb95e03611458e2305bae272ba267
Author: Stefan Metzmacher 
Date:   Wed Mar 2 10:10:08 2022 +1300

s4:kdc: hdb_samba4_audit() is only called once per request

So we need to restructure the logic a bit.

NOTE: This commit finally works again!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Joseph Sutton 
Autobuild-Date(master): Tue Mar  1 23:28:22 UTC 2022 on sn-devel-184

commit c9b0b4bfc4e2e0b08b21f39bf56fd5395d66d66f
Author: Andrew Bartlett 
Date:   Wed Mar 2 10:00:17 2022 +1300

s4-kdc: Adapt to move from HDB auditing to KDC auditing constants

This is to adapt to:

commit 6530021f09a5cab631be19a1b5898a0ba6b32f16
Author: Luke Howard 
Date:   Thu Jan 13 14:37:29 2022 +1100

kdc: move auth event definitions into KDC header

Move KDC auth event macro definitions out of hdb.h and into a new KDC header,
kdc-audit.h.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Andrew Bartlett 
Reviewed-by: Joseph Sutton 

commit 9399a15fabb5a1b8470b1069a098132e2fdb7f0f
Author: Joseph Sutton 
Date:   Wed Feb 23 09:53:27 2022 +1300

s4:kdc: Adapt to removal of publicly accessible request structure members

We now have to use the accessor functions instead.

This is an adaptation to Heimdal:

commit ec24edf7005c340018450a202d27ca75fcf322d4
Author: Luke Howard 
Date:   Thu Jan 20 09:15:24 2022 +1100

kdc: add accessor functions for KDC request structure

Add accessor functions for use by Samba and other plugin developers.
Documentation is in kdc/kdc-accessors.h.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 94d387abd5031c12989f925ee5eb733432402d1d
Author: Joseph Sutton 
Date:   Tue Feb 22 19:41:14 2022 +1300

s4:kdc: Adapt to hdb_entry_ex removal

Rather than having a 'free_entry' member that can be called to free an
hdb_entry, we now implement the free function in HDB. We perform the
free only if the context pointer is non-NULL.

We also remove the ZERO_STRUCTP() in sdb_entry_to_hdb_entry(), as the
context pointer is now part of the 'hdb_entry' structure itself, and
this would undesirably zero it out.

This is an adaptation to Heimdal commits:

commit c5551775e204d00c7ee8055ab6ddbba7e0590584
Author: Luke Howard 
Date:   Fri Jan 7 12:15:55 2022 +1100

hdb: decorate HDB_entry with context member

Decorate HDB_entry with context and move free_entry callback into HDB structure
itself. Requires updating hdb_free_entry() signature to include HDB parameter.
A follow-up commit will consolidate hdb_entry_ex (which has a single hdb_entry
member) into hdb_entry.

commit 0e8c4ccc6ee0123ea39e53e8917fc3f6bb74e8c8
Author: Luke Howard 
Date:   Fri Jan 7 12:54:40 2022 +1100

hdb: eliminate hdb_entry_ex

Remove hdb_entry_ex and revert to the original design of hdb_entry 
(except

[SCM] Samba Shared Repository - branch master updated

2022-01-17 Thread Joseph Sutton
The branch, master has been updated
   via  19d9504b1b3 s4:kdc: improve DEBUG messages in samba_wdc_reget_pac2()
   via  84b76270ceb s4:auth: debug make_user_info_dc_pac() failures in kerberos_pac_to_user_info_dc()
   via  879eba2740a s4:torture: check for pac_blob==NULL in test_generate_session_info_pac() functions
   via  12154b981c4 s4:heimdal_build: make version_script optional to HEIMDAL_LIBRARY()
   via  6fc5f22978b kdc: Fix leak
   via  e9caa1edef8 tests/krb5: Update supported enctype checking
   via  775bfc72509 tests/krb5: Add AS-REQ PAC tests
   via  f94bdb41fcc tests/krb5: Check encrypted-pa-data if present
   via  48362a706f8 tests/krb5: Add FAST enc-pa-rep tests
   via  c51805f90c0 tests/krb5: Adjust expected error codes
   via  a107bb8b0d4 tests/krb5: Generate unique UPNs for AS-REQ enterprise tests
   via  492d9f083dc s4:torture: Remove netbios realm and lowercase realm tests
   via  3b26c714d42 s4:torture: Make etype list variables static
  from  493fe1a4315 build: reduce printf() calls in generated build_options.c

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 19d9504b1b34ec7c52eaaf663d5ecf4f05066b6d
Author: Stefan Metzmacher 
Date:   Thu Dec 23 22:44:10 2021 +0100

s4:kdc: improve DEBUG messages in samba_wdc_reget_pac2()

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Joseph Sutton 

Autobuild-User(master): Joseph Sutton 
Autobuild-Date(master): Mon Jan 17 20:55:41 UTC 2022 on sn-devel-184

commit 84b76270ceb38cbb0263f415f4089bafa751b3a3
Author: Stefan Metzmacher 
Date:   Thu Dec 23 22:53:13 2021 +0100

s4:auth: debug make_user_info_dc_pac() failures in kerberos_pac_to_user_info_dc()

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Joseph Sutton 

commit 879eba2740ac5e5f456b93a3b47e9a6b70355415
Author: Stefan Metzmacher 
Date:   Fri Dec 24 15:21:21 2021 +0100

s4:torture: check for pac_blob==NULL in test_generate_session_info_pac() functions

We should return an error instead of crashing for tickets without a PAC.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Joseph Sutton 

commit 12154b981c40d619e4ddb53aceee9f86368a75fb
Author: Stefan Metzmacher 
Date:   Thu Dec 23 19:29:06 2021 +0100

s4:heimdal_build: make version_script optional to HEIMDAL_LIBRARY()

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Joseph Sutton 

commit 6fc5f22978bd77e4775856359d116492eccc9be6
Author: Joseph Sutton 
Date:   Thu Dec 30 16:20:46 2021 +1300

kdc: Fix leak

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 

commit e9caa1edef846cdea2a719976ee0fd5bd8531048
Author: Joseph Sutton 
Date:   Thu Dec 23 15:59:21 2021 +1300

tests/krb5: Update supported enctype checking

We now do not expect the claims or compound ID bits to be set unless
explicitly specified, nor the DES bits.

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 

commit 775bfc72509bf98f3c637ca22cc5edf0e7fae794
Author: Joseph Sutton 
Date:   Wed Dec 29 17:35:09 2021 +1300

tests/krb5: Add AS-REQ PAC tests

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 

commit f94bdb41fccdb085d8f8f5a1a5e4a56581839e8e
Author: Joseph Sutton 
Date:   Tue Nov 30 09:45:13 2021 +1300

tests/krb5: Check encrypted-pa-data if present

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 

commit 48362a706f8a6c35a17ecbf625bbf29802143185
Author: Joseph Sutton 
Date:   Tue Nov 30 09:42:10 2021 +1300

tests/krb5: Add FAST enc-pa-rep tests

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 

commit c51805f90c09b40236765c9594693fcb66a55715
Author: Joseph Sutton 
Date:   Thu Dec 16 14:21:18 2021 +1300

tests/krb5: Adjust expected error codes

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 

commit a107bb8b0d424bb1f8ee6df34e8f8e81dd499333
Author: Joseph Sutton 
Date:   Thu Dec 16 10:18:42 2021 +1300

tests/krb5: Generate unique UPNs for AS-REQ enterprise tests

This helps to avoid problems with account creation due to UPN uniqueness
constraints.

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 

commit 492d9f083dc23aff2c1fa12e21765861df1c1b38
Author: Joseph Sutton 
Date:   Wed Dec 22 16:08:43 2021 +1300

s4:torture: Remove netbios realm and lowercase realm tests

Tests for these are already present in
samba.tests.krb5.as_canonicalization_tests. These tests cause problems
with an upgraded Heimdal version, and we want to stop supporting
non-canonical realm names, so this commit removes them.

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 

commit 3b26c714d42fc5e4ab7d4138db987171edda6463
Author: Joseph Sutton 
Date:   Thu Dec 16 21:06:55 2021 +1300

s4:torture: Make etype list

[SCM] Samba Shared Repository - branch master updated

2021-12-23 Thread Joseph Sutton
The branch, master has been updated
   via  9a68025ad39 s4:rpc_server/netlogon: adjust the valid_flags based on dsdb_dc_functional_level()
   via  d9abd7fff58 s4:rpc_server/netlogon: adjust the flags logic to MS-NRPC 3.5.4.3.1 DsrGetDcNameEx2
   via  55948433135 dsdb/netlogon: Indicate DC functional level support in samlogon response
   via  0e515b3309d dsdb/netlogon: make use of dsdb_dc_functional_level() in fill_netlogon_samlogon_response()
   via  e0b47257d9f dsgetdcname: Display new flags in debug output
   via  454e46c467f netlogon.idl: Add flags for indicating directory service versions
   via  2926cfb299c s4:rpc_server/dnsserver: make use of dsdb_dc_functional_level()
   via  b5f71e25d49 dsdb/common: add dsdb_dc_functional_level() helper
  from  2da538a4585 python:tests: Don't require an empty 'authorization-data' to be present

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 9a68025ad391b148166c25b7dec06a7ce12fe4a6
Author: Stefan Metzmacher 
Date:   Thu Dec 23 18:32:44 2021 +0100

s4:rpc_server/netlogon: adjust the valid_flags based on dsdb_dc_functional_level()

This allows us to let DS_DIRECTORY_SERVICE_{8,9,10}_REQUIRED through
based on the manually changed msDS-Behavior-Version of our NTDSA object.

We still need to have tests depending on the msDS-Behavior-Version
value if the DSGETDC_VALID_FLAGS is really correct at all.
But for now this allows us to test krb5 FAST from Windows clients.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Joseph Sutton 

Autobuild-User(master): Joseph Sutton 
Autobuild-Date(master): Fri Dec 24 03:03:50 UTC 2021 on sn-devel-184

commit d9abd7fff58970725fa1375bf0ed210602e45d27
Author: Joseph Sutton 
Date:   Wed Dec 22 14:41:50 2021 +1300

s4:rpc_server/netlogon: adjust the flags logic to MS-NRPC 3.5.4.3.1 DsrGetDcNameEx2

Note that this doesn't change the logic as we still reject
DS_DIRECTORY_SERVICE_{8,9,10}_REQUIRED via the initial DSGETDC_VALID_FLAGS
check. We may change that in future, but may need some tests for it.

Pair-Programmed-With: Stefan Metzmacher 

Signed-off-by: Joseph Sutton 
Signed-off-by: Stefan Metzmacher 

commit 55948433135929488fa8370f826afdc02db1bf2a
Author: Joseph Sutton 
Date:   Wed Dec 22 14:51:08 2021 +1300

dsdb/netlogon: Indicate DC functional level support in samlogon response

The DS_SERVER_DS_8 flag is necessary for Windows to detect FAST support.

Note for now we only ever have DS_DOMAIN_FUNCTION_2008_R2 (4) in the
msDS-Behavior-Version attribute of our own NTDSA object. So
for now this is only for manual testing. In future we most likely
want to extend 'samba-tool domain level' to raise the dc level
manually or let 'samba' autoupgrade the value.

Pair-Programmed-With: Stefan Metzmacher 

Signed-off-by: Joseph Sutton 
Signed-off-by: Stefan Metzmacher 

commit 0e515b3309d0c3bbb63447fb712df2279f071551
Author: Stefan Metzmacher 
Date:   Thu Dec 23 11:40:58 2021 +0100

dsdb/netlogon: make use of dsdb_dc_functional_level() in 
fill_netlogon_samlogon_response()

[MS-ADTS] 6.3.3.2 "Domain Controller Response to an LDAP Ping" indicates
that the resulting flags depend on the server software (behavior)
and not the domain wide functional level.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Joseph Sutton 

commit e0b47257d9f004e943da78dcb84f9a4a15552cef
Author: Joseph Sutton 
Date:   Wed Dec 22 14:53:44 2021 +1300

dsgetdcname: Display new flags in debug output

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 

commit 454e46c467fbba9814c03c7200c58efb269c326d
Author: Joseph Sutton 
Date:   Thu Dec 23 10:57:50 2021 +1300

netlogon.idl: Add flags for indicating directory service versions

Pair-Programmed-With: Stefan Metzmacher 

Signed-off-by: Joseph Sutton 
Signed-off-by: Stefan Metzmacher 

commit 2926cfb299c14a6d80c32059377833d41fd7a32a
Author: Stefan Metzmacher 
Date:   Thu Dec 23 11:34:25 2021 +0100

s4:rpc_server/dnsserver: make use of dsdb_dc_functional_level()

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Joseph Sutton 

commit b5f71e25d49cff27a7f9c48b60a1a0eb70adfeec
Author: Stefan Metzmacher 
Date:   Thu Dec 23 11:34:02 2021 +0100

dsdb/common: add dsdb_dc_functional_level() helper

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Joseph Sutton 

---

Summary of changes:
 librpc/idl/netlogon.idl   |  20 -
 source3/libsmb/dsgetdcname.c  |  24 +++---
 source4/dsdb/common/util.c|  15 
 source4/dsdb/samdb/ldb_modules/netlogon.c |  16 +++-
 source4/rpc_server/dnsserver/dnsutils.c   |   2 +

[SCM] Samba Shared Repository - branch master updated

2021-12-20 Thread Joseph Sutton
The branch, master has been updated
   via  36325f1ee90 python:tests: Don't require an emtpy 
'authorization-data' to be present
  from  5fa7f73b147 s3: smbd: In setup_close_full_information(), remove 
unneeded vfs_stat().

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 36325f1ee907d38c978229da67de3844f969cd33
Author: Andreas Schneider 
Date:   Thu Dec 16 07:24:58 2021 +0100

python:tests: Don't require an emtpy 'authorization-data' to be present

Signed-off-by: Andreas Schneider 
Reviewed-by: Joseph Sutton 

Autobuild-User(master): Joseph Sutton 
Autobuild-Date(master): Mon Dec 20 08:26:45 UTC 2021 on sn-devel-184

---

Summary of changes:
 python/samba/tests/krb5/raw_testcase.py | 15 +--
 1 file changed, 13 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/krb5/raw_testcase.py 
b/python/samba/tests/krb5/raw_testcase.py
index d11f628d7b6..8b6eec3c40d 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -2490,8 +2490,19 @@ class RawKerberosTest(TestCaseInTempDir):
 if self.strict_checking:
 self.assertElementEqual(ticket_private, 'caddr', [])
 if expect_pac is not None:
-self.assertElementPresent(ticket_private, 'authorization-data',
-  expect_empty=not expect_pac)
+if expect_pac:
+self.assertElementPresent(ticket_private,
+  'authorization-data',
+  expect_empty=not expect_pac)
+else:
+# It is more correct to not have an authorization-data
+# present than an empty one.
+#
+# 
https://github.com/krb5/krb5/pull/1225#issuecomment-995104193
+v = self.getElementValue(ticket_private,
+ 'authorization-data')
+if v is not None:
+self.assertEqual(0, len(v))
 
 encpart_session_key = None
 if encpart_private is not None:
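
Review bot: inside the new `if expect_pac:` branch, `expect_empty=not expect_pac` can only evaluate to False, so it still reads as if the value varied; passing `expect_empty=False` there would state the intent directly. In the `else:` branch, `getElementValue()` returning None skips the length assertion without any trace, so a one-line comment that both an absent element and a zero-length one are accepted would make the relaxed check explicit in the test itself and not only in the linked krb5 discussion.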


-- 
Samba Shared Repository



[Samba] SAMBA bringing NFS server to a halt

2013-03-06 Thread Joseph, Matthew (EXP)
Hello,

We have a Red Hat 5.3 SAMBA 3.0.33-3.7 Server that shares a few directories to 
4 other servers.
The other servers are Red Hat 5.3 and one Solaris 10 server.

I configured SAMBA to do the following for each share;

Force User: User1
Force Group: Group1

Create Mask: 02770
Security Mask: 02770
Directory Mask: 02770
Directory Security Mask: 02770

Inherit Permissions: Yes
Inherit ACLS: Yes
Inherit Owner: Yes
Guest Okay: Yes

When the other servers mount the SAMBA shares they work fine until someone 
starts using SVN or Eclipse.
This brings the SAMBA server to basically a halt. Looking at the processes I 
see about 15000 instances of SMB running. I try running top to see a list of 
processes but it takes about 10 minutes for it to start and then it will hang 
when it tries to do its first refresh.

Looking at the logs I don't see anything that really stands out on why it is 
slowing down.

Is there something I'm doing wrong in this configuration?

Thanks.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] EXTERNAL: Re: SAMBA bringing NFS server to a halt

2013-03-06 Thread Joseph, Matthew (EXP)
Hello JAB,

Thank you for taking the time to respond to this in a very helpful manner... If 
the SAMBA community does not care about helping someone with a wildly out of 
date server then they should state that before letting someone join the 
mailing list.

This is a production server on a closed LAN which we don't have the option of 
upgrading it to RHEL 5.9 or greater in the near future.

So with that being said, anyone have any experience with what I am dealing with?

Thanks



-Original Message-
From: Jonathan Buzzard [mailto:jonat...@buzzard.me.uk] 
Sent: Wednesday, March 06, 2013 9:03 AM
To: Joseph, Matthew (EXP)
Cc: samba@lists.samba.org
Subject: EXTERNAL: Re: [Samba] SAMBA bringing NFS server to a halt

On Wed, 2013-03-06 at 06:33 -0500, Joseph, Matthew (EXP) wrote:
 Hello,
 
 We have a Red Hat 5.3 SAMBA 3.0.33-3.7 Server that shares a few directories 
 to 4 other servers.
 The other servers are Red Hat 5.3 and one Solaris 10 server.
 

Stop right there. Nobody here could care less about someone running a wildly 
out of date server. There are numerous NFS and Samba fixes in RHEL 5.9 over 5.3 
 some of which are critical bugs, performance issues and others are ones that 
make your box open to remote root compromises.

Upgrade to RHEL 5.9 and get back if you still have a problem.

JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.



Re: [Samba] EXTERNAL: Re: SAMBA bringing NFS server to a halt

2013-03-06 Thread Joseph, Matthew (EXP)
My apologies Simo, I did not intend with that comment to put down the Samba 
community as a whole; I was just trying to point out a fault with a certain user.

I will try fooling around with those options that you listed below and see if 
any of them remedy my issue.

Thanks for taking the time and effort on this issue.

Matt

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Simo
Sent: Wednesday, March 06, 2013 9:47 AM
To: samba@lists.samba.org
Subject: Re: [Samba] EXTERNAL: Re: SAMBA bringing NFS server to a halt

On 03/06/2013 08:28 AM, Joseph, Matthew (EXP) wrote:
 Hello JAB,

 Thank you for taking the time to respond to this in a very helpful manner... 
 If the SAMBA community does not care about helping someone with a wildly out 
 of date server then they should state that before letting someone join the 
 mailing list.

Do not ascribe to the whole community the shortcomings of an individual that 
volunteers 'his' opinion please.

 This is a production server on a closed LAN which we don't have the option of 
 upgrading it to RHEL 5.9 or greater in the near future.

 So with that being said, anyone have any experience with what I am dealing 
 with?

Unless you have 15000 servers connected the fact you have that many processes 
indicates a serious issue with the server or at least one of the clients. Samba 
creates just 1 single process per client and all its requests are served by 
that process. If you are seeing multiple processes it means the client is 
opening multiple connections. That is wrong and indicates there is probably a 
bug with either server processes crashing, becoming unresponsive or both, or 
the client misbehaving.

You may want to consider trying playing with the following parameters on your 
samba server:
- deadtime
- max connections
- keepalive
- reset on zero vc

You may also want to prevent samba from dumping core if that is activated as it 
could put pressure on disks and the kernel if too many processes core all at 
once.

HTH,
Simo.


Re: [Samba] EXTERNAL: Re: SAMBA bringing NFS server to a halt

2013-03-06 Thread Joseph, Matthew (EXP)
Hello JAB,

You need to understand that installing patches and upgrading servers is not a 
simple task when it comes to my situation. My first step is to try to figure 
out if it's an OS fault or if it can be fixed with modifying configurations of 
the OS or in this case Samba (or my configuration of Samba).

You are making a lot of assumptions which is fine if that is what you choose to 
believe. It is a completely closed LAN with multiple layers of security so 
let's leave it at that.
If the solution is to install patches then it is something I will look into but 
again that is a long process that I would prefer not to go into if it is not 
needed for this situation.

-Original Message-
From: Jonathan Buzzard [mailto:jonat...@buzzard.me.uk] 
Sent: Wednesday, March 06, 2013 10:12 AM
To: Joseph, Matthew (EXP)
Cc: samba@lists.samba.org
Subject: RE: EXTERNAL: Re: [Samba] SAMBA bringing NFS server to a halt

On Wed, 2013-03-06 at 08:28 -0500, Joseph, Matthew (EXP) wrote:
 Hello JAB,
 
 Thank you for taking the time to respond to this in a very helpful  
 manner... If the SAMBA community does not care about helping someone  
 with a wildly out of date server then they should state that before  
 letting someone join the mailing list.

Given you are running RHEL, you should have been, over the last four years, 
reading the security bulletins for RHEL and responding to them appropriately.

It should be apparent to any sensible person that the first step would be to 
check that my distribution does not have fixes for the problems that I am 
seeing. (hint I am 99% certain it does). 

 
 This is a production server on a closed LAN which we don't have the  
 option of upgrading it to RHEL 5.9 or greater in the near future.
 

No LAN is that closed. That you have no procedure for upgrading the OS on your 
server which suffers from a number of remote root security holes that require 
nothing more than a connection to your network is very bad practice.

 So with that being said, anyone have any experience with what I am  
 dealing with?

Read your distro release and security notes. I am 99% certain that this is a 
known problem that can be fixed by upgrading.

JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.



Re: [Samba] EXTERNAL: Re: SAMBA bringing NFS server to a halt

2013-03-06 Thread Joseph, Matthew (EXP)
Hey Simo,

I modified the entries you listed below and started running a few instances of 
SVN on the shares and it seems to be holding steady.
I'm going to continue testing during the day to see how it does.

Looking back on the issue I never noticed the date in which the files were 
accessed. The Samba clients would be done with a file but the server never 
clicked in that it should release the files.

Like I said I'm going to continue the testing on this to make sure it stays 
consistent with the current results.

Thank you very much for the suggestion. 

Matt



-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Simo
Sent: Wednesday, March 06, 2013 9:47 AM
To: samba@lists.samba.org
Subject: Re: [Samba] EXTERNAL: Re: SAMBA bringing NFS server to a halt

On 03/06/2013 08:28 AM, Joseph, Matthew (EXP) wrote:
 Hello JAB,

 Thank you for taking the time to respond to this in a very helpful manner... 
 If the SAMBA community does not care about helping someone with a wildly out 
 of date server then they should state that before letting someone join the 
 mailing list.

Do not ascribe to the whole community the shortcomings of an individual that 
volunteers 'his' opinion please.

 This is a production server on a closed LAN which we don't have the option of 
 upgrading it to RHEL 5.9 or greater in the near future.

 So with that being said, anyone have any experience with what I am dealing 
 with?

Unless you have 15000 servers connected the fact you have that many processes 
indicates a serious issue with the server or at least one of the clients. Samba 
creates just 1 single process per client and all its requests are served by 
that process. If you are seeing multiple processes it means the client is 
opening multiple connections. That is wrong and indicates there is probably a 
bug with either server processes crashing, becoming unresponsive or both, or 
the client misbehaving.

You may want to consider trying playing with the following parameters on your 
samba server:
- deadtime
- max connections
- keepalive
- reset on zero vc

You may also want to prevent samba from dumping core if that is activated as it 
could put pressure on disks and the kernel if too many processes core all at 
once.

HTH,
Simo.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
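
Simo's reply in this thread says Samba serves each client from one smbd process, so a client that owns many processes is opening repeated connections. The following is an added example, not part of the thread: it groups an `smbstatus -p` style process table by client and reports the clients holding more processes than a limit. The sample table, host names, addresses and the limit are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, laid out like the process table printed by
# `smbstatus -p` on Samba 3.x. PIDs, host names and addresses are made up.
SAMPLE_SMBSTATUS = """\

Samba version 3.0.33-3.7
PID     Username      Group         Machine
-------------------------------------------------------------------
 4101   user1         group1        svnhost      (192.0.2.11)
 4102   user1         group1        svnhost      (192.0.2.11)
 4103   user1         group1        svnhost      (192.0.2.11)
 4107   user1         group1        svnhost      (192.0.2.11)
 4110   user1         group1        svnhost      (192.0.2.11)
 3990   user1         group1        build02      (192.0.2.12)
 3991   user1         group1        solaris01    (192.0.2.13)
 3991   user1         group1        solaris01    (192.0.2.13)
"""

# One data row: PID, user, group, client machine name, "(client address)".
# The header, the version line and the dashed rule do not match and are skipped.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_sessions(text):
    """Return one dict per data row of the process table."""
    sessions = []
    for line in text.splitlines():
        match = ROW.match(line)
        if not match:
            continue
        pid, user, group, machine, address = match.groups()
        sessions.append({
            "pid": int(pid),
            "user": user,
            "group": group,
            "machine": machine,
            "address": address,
        })
    return sessions


def processes_per_client(sessions):
    """Map (machine, address) to the number of distinct smbd PIDs serving it."""
    pids = defaultdict(set)
    for s in sessions:
        # A PID that appears on more than one row is still one process.
        pids[(s["machine"], s["address"])].add(s["pid"])
    return {client: len(p) for client, p in pids.items()}


def clients_over_limit(text, limit=1):
    """Clients with more than `limit` smbd processes, busiest first."""
    counts = processes_per_client(parse_sessions(text))
    flagged = [(m, a, n) for (m, a), n in counts.items() if n > limit]
    return sorted(flagged, key=lambda row: (-row[2], row[0]))


if __name__ == "__main__":
    for machine, address, count in clients_over_limit(SAMPLE_SMBSTATUS):
        print("%s (%s): %d smbd processes" % (machine, address, count))
```

On a live server the same functions can be fed the captured output of `smbstatus -p` in place of the sample string.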


[Samba] SAMBA Slow down on clients?

2013-02-27 Thread Joseph, Matthew (EXP)
Hello,

I have a Red Hat 5.3 NFS server that I started using Samba version 3.0.33-3.7 
on it for network file sharing.
I used to use the basic file sharing with no issues other than permissions so I 
wanted to use Samba for easy permission management.
This server is sharing 4 different mount points.

I switched over my 4 clients to mount the Samba mount points.
After I did this one server (which runs svn) started to slow down to a near 
halt (ps -ef would take 5+ minutes to print). The other 3 servers are running a 
bit slower but nothing compared to the other server.
I ran top and the system resources are fine.
The NFS server is also having no issues at all.

I reverted back to the original way I was sharing files and now everything is 
working fine again.


Has anyone had any issues with Samba like this? Any suggestions?

Thanks.

Matt


Re: [Samba] Samba Active Directory w/ Kerberos Trust

2012-11-05 Thread Rafferty, Joseph
Hi Andrew, thanks for the reply.

Presently, my configuration (as shown) works great for user accounts with known 
passwords within the active directory domain (very few of these - mostly admin, 
service,  test accounts). The issue lies when trying to use upn-mapped user 
accounts. Active directory is not supposed to be the authentication authority 
for those accounts, so when they're created (via some script - not in my 
control), the passwords are long randomly-generated strings. However, because 
of the Kerberos trust and UPN mapping, a user can masq as that AD user with a 
valid TGT from the trusted realm.

Trying to login as one of the mapped users: NT_STATUS_LOGON_FAILURE

Regarding the PAC: the trusted realm is MIT Kerberos. I think there are plans 
to mirror this in an AD domain somewhere, but I haven't heard anything more on 
this.

Cheers,

--Joseph


On Nov 4, 2012, at 9:39 PM, Andrew Bartlett abart...@samba.org wrote:

 On Thu, 2012-11-01 at 15:00 +, Rafferty, Joseph wrote:
 Hello,
 
 I'm having some difficulty understanding the best approach to setting up a 
 samba fileserver in our environment. We have an active directory domain 
 (2008) that has account stubs that we use for security and authorization 
 (the passwords are unknown/random). This domain has a one-way Kerberos trust 
 to an MIT Kerberos realm that we use for authentication. The user accounts 
 are name-mapped to the corresponding principal name in the 
 kerberos/authentication realm. I had planned to net join the server to the 
 active directory realm for user and group resolution, but configure PAM to 
 use pam_krb5 for authentication instead of winbind. However, it appears to 
 me that, by design, Samba is not able to authenticate and authorize in two 
 different realms this way for the following reason:
 
 Samba always ignores PAM for authentication in the case of encrypt 
 passwords = yes
 http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/smb.conf.5.html#ENCRYPTPASSWORDS
 http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html
 
 Setting encrypt passwords = no results in the following testparm error:
 ERROR: in 'security=domain' mode the 'encrypt passwords' parameter must 
 always be set to 'true'.
 
 Anyone successfully authenticating this way?
 
 Thanks for the help!
 -Joseph
 
 
 
 smb.conf:
 
 [global]
 log file = /var/log/samba/log.%m
 log level = auth:3
 max log size = 50
 security = ads
 netbios name = SERVERNAME
 realm = AD.DOMAIN.EDU
 password server = dc.ad.domain.edu
 workgroup = AD
 idmap uid = 1-500
 idmap gid = 1-500
 winbind separator = +
 winbind enum users = no
 winbind enum groups = no
 winbind use default domain = yes
 obey pam restrictions = yes
 
 What error do you get when you use *just* what you have above?
 
 You should run winbind, and accept kerberos logins from your clients.
 We need to be joined to the AD domain.
 
 As long as the tickets contain a PAC, we really don't mind where they
 came from. 
 
 Don't try and involve PAM or turn off encrypted passwords, because we
 never get a plaintext password from modern clients anyway.
 
 
 Andrew Bartlett
 
 -- 
 Andrew Bartlett                        http://samba.org/~abartlet/
 Authentication Developer, Samba Team   http://samba.org
 
 



Re: [Samba] Samba Active Directory w/ Kerberos Trust

2012-11-05 Thread Rafferty, Joseph
For the user continuum\jrafferty (continuum is the AD realm):

http://pastebin.com/DJ3xShTr

Using the user principal name, jraffe...@tamu.edu

http://pastebin.com/34VXJuAc

Using just jrafferty

http://pastebin.com/ZF7EE2n7

Interestingly, I emailed our AD admins on the status of that AD trust, and was 
told that it is in place and in production (realm is AUTH). If I try a 
different user, auth\jrafferty:

http://pastebin.com/aZX6zxGY


---


So, it seems now I just need to research how to modify smb.conf to make AUTH my 
primary domain, since it seems 'winbind use default domain' isn't working 
correctly, even for CONTINUUM (see [MYGROUP]\ in the above examples).

-Joseph

On Nov 5, 2012, at 2:09 PM, Andrew Bartlett abart...@samba.org
 wrote:

 On Mon, 2012-11-05 at 19:58 +, Rafferty, Joseph wrote:
 Hi Andrew, thanks for the reply.
 
 Presently, my configuration (as shown) works great for user accounts with 
 known passwords within the active directory domain (very few of these - 
 mostly admin, service,  test accounts). The issue lies when trying to use 
 upn-mapped user accounts. Active directory is not supposed to be the 
 authentication authority for those accounts, so when they're created (via 
 some script - not in my control), the passwords are long randomly-generated 
 strings. However, because of the Kerberos trust and UPN mapping, a user can 
 masq as that AD user with a valid TGT from the trusted realm.
 
 Trying to login as one of the mapped users: NT_STATUS_LOGON_FAILURE
 
 Regarding the PAC: the trusted realm is MIT Kerberos. I think there are 
 plans to mirror this in an AD domain somewhere, but I haven't heard anything 
 more on this.
 
 I *think* the idea with this kind of trust/mapping thing is that 'AD'
 servers (like Samba) get a ticket that includes the PAC, even if the
 initial user came from MIT. 
 
 That's pretty much the only way we can work, if we are to get the
 windows groups etc.  You will need to dig in further into why we return
 LOGON_FAILURE with a higher log level and our debug logs.
 
 Andrew Bartlett
 
 -- 
 Andrew Bartlett                        http://samba.org/~abartlet/
 Authentication Developer, Samba Team   http://samba.org
 
 



[Samba] win7 client cannot join samba4 AD DC

2012-11-04 Thread Joseph Kuehner
I want to communicate my experience with samba4 version
4.1.0prel-GIT-1f55865.
System Fedora 17
I followed the samba 4 Howto
Download, configure, compile, install, provision work fine.
Server starts, DNS and Kerberos tests ok.
I can create test share, join it from server and linux client
Join of windows 7 client fails with error
'The specified network name is no longer available'
Any hints?

Regards J. Kuehner


[Samba] Samba Active Directory w/ Kerberos Trust

2012-11-01 Thread Rafferty, Joseph
Hello,

I'm having some difficulty understanding the best approach to setting up a 
samba fileserver in our environment. We have an active directory domain (2008) 
that has account stubs that we use for security and authorization (the 
passwords are unknown/random). This domain has a one-way Kerberos trust to an 
MIT Kerberos realm that we use for authentication. The user accounts are 
name-mapped to the corresponding principal name in the kerberos/authentication 
realm. I had planned to net join the server to the active directory realm for 
user and group resolution, but configure PAM to use pam_krb5 for authentication 
instead of winbind. However, it appears to me that, by design, Samba is not 
able to authenticate and authorize in two different realms this way for the 
following reason:

Samba always ignores PAM for authentication in the case of encrypt passwords = yes
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/smb.conf.5.html#ENCRYPTPASSWORDS
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html

Setting encrypt passwords = no results in the following testparm error:
ERROR: in 'security=domain' mode the 'encrypt passwords' parameter must always 
be set to 'true'.

Anyone successfully authenticating this way?

Thanks for the help!
-Joseph



smb.conf:

[global]
log file = /var/log/samba/log.%m
log level = auth:3
max log size = 50
security = ads
netbios name = SERVERNAME
realm = AD.DOMAIN.EDU
password server = dc.ad.domain.edu
workgroup = AD
idmap uid = 1-500
idmap gid = 1-500
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
obey pam restrictions = yes




[Samba] version 'SAMBA_4.0.0ALPHA18_DEVELOPERBUILD' not found

2012-02-02 Thread Joseph Kuehner
After successful install I got a provision error:

version 'SAMBA_4.0.0ALPHA18_DEVELOPERBUILD' not found

1. Download samba4 with git
   o.k

2. ./configure.developer --enable-fhs --prefix=/usr --sysconfigdir=/etc
--localstatedir=/var
  o.k

3. make
o.k

4. make install
o.k

5. ./source4/setup/provision --realm=sideris.heroes.org --domain=HEROES
--adminpass= --server-role='domain controler'
error 'SAMBA_4.0.0ALPHA18_DEVELOPERBUILD' not found

stdout and stderr in attached file

(Hope this fits list policy)

Regards Joseph Kuehner

[Samba] Basic network discovery on a microcontroller?

2011-08-26 Thread Tom Joseph McLaughlin IV

Hi,

I have a general Samba question I'm hoping someone can help me with. I'm 
working on a network device which I would like to make network discoverable, so 
that you can open up Network Places on Windows and see the device there. The 
project has a microcontroller with a full TCP/IP stack, but no SMB/CIFS 
library. I'm guessing I only need a small subset of this functionality to send 
out a discovery broadcast--can anyone give me any pointers on whether this is 
possible or where I could get started?

Best,
Tom McLaughlin


PC user to OpenVMS share question...

2010-10-27 Thread Bettro, Joseph
Hello,
I've installed CIFS/Samba on an OpenVMS Itanium v8.4
system. After adding myself into the database, I can map a drive on my
PC from my VMS system to my account there, move files between the share
and my PC with no problems. If I remove myself, it gives me permission
denied as it should. I add myself back in and all works fine again. So I
add another user into the database the exact way I added myself but that
user cannot map a drive. The account in question is almost identical to
mine other than the account name, directory and UIC. He keeps getting
prompted for an account/password and no matter what he puts in, it just
keeps prompting him. I don't recall doing anything different than when I
added my account. 

Anyone have any ideas on what I'm missing?

Thanks,
Joe
PLEASE READ THIS IMPORTANT ETIQUETTE MESSAGE BEFORE POSTING:

http://www.catb.org/~esr/faqs/smart-questions.html


Re: [Samba] Winbind not starting in AD member(samba joining domain)configuration.

2010-06-15 Thread justin joseph

t...@tms3.com wrote:







--- Original message ---
Subject: Re: [Samba] Winbind not starting in AD member(samba joining 
domain)configuration.

From: justin joseph jus...@elinanetworks.com
To: t...@tms3.com
Date: Monday, 14/06/2010 6:21 AM

t...@tms3.com wrote:


SNIP



Facing an issue with winbind not starting with below error log(taken
from /var/log/syslog):

Jun 14 15:48:33 enpaq winbindd[15941]: [2010/06/14 15:48:33, 0]
param/loadparm.c:6767(service_ok)
Jun 14 15:48:33 enpaq winbindd[15941]: WARNING: No path in service
printers - making it unavailable!
Jun 14 15:48:33 enpaq winbindd[15942]: [2010/06/14 15:48:33, 0]
winbindd/winbindd_cache.c:2578(initialize_winbindd_cache)
Jun 14 15:48:33 enpaq winbindd[15942]: initialize_winbindd_cache:
clearing cache and re-creating with version number 1
Jun 14 15:48:33 enpaq winbindd[15942]: [2010/06/14 15:48:33, 0]
winbindd/winbindd_util.c:782(init_domain_list)
Jun 14 15:48:33 enpaq winbindd[15942]: Could not fetch our SID - did
we join?

SNIP

What does net ads testjoin say?

I get the below pasted response:

r...@enpaqadserver.com:/etc/samba# net ads testjoin
Enter enp...@enpaqadserver.com's password:
[2010/06/14 18:47:09, 0] libads/kerberos.c:333(ads_kinit_password)
kerberos_kinit_password enp...@enpaqadserver.com failed: Clients 
credentials have been revoked

Join to domain is not valid: Access denied
r...@enpaqadserver.com:/etc/samba#


Rejoin the domain.


I am unable to join the domain. I thought the service winbind had to 
start before one can join, is it not right?


r...@enpaqadserver.com:/etc/samba# net ads join -S enpaqadserver.com -U 
Administrator

Enter Administrator's password:
[2010/06/15 13:17:14, 0] libnet/libnet_join.c:1062(libnet_join_ok)
libnet_join_ok: failed to get schannel session key from server 
enpaqadserver.com for domain ENPAQADSERVER. Error was 
NT_STATUS_INVALID_COMPUTER_NAME
Failed to join domain: failed to verify domain membership after joining: 
Invalid computer name

r...@enpaqadserver.com:/etc/samba#






Cheers,








Cheers,











[Samba] Winbind not starting in AD member(samba joining domain) configuration.

2010-06-14 Thread justin joseph


Hello

Facing an issue with winbind not starting with below error log(taken 
from /var/log/syslog):


Jun 14 15:48:33 enpaq winbindd[15941]: [2010/06/14 15:48:33,  0] 
param/loadparm.c:6767(service_ok)
Jun 14 15:48:33 enpaq winbindd[15941]:   WARNING: No path in service 
printers - making it unavailable!
Jun 14 15:48:33 enpaq winbindd[15942]: [2010/06/14 15:48:33,  0] 
winbindd/winbindd_cache.c:2578(initialize_winbindd_cache)
Jun 14 15:48:33 enpaq winbindd[15942]:   initialize_winbindd_cache: 
clearing cache and re-creating with version number 1
Jun 14 15:48:33 enpaq winbindd[15942]: [2010/06/14 15:48:33,  0] 
winbindd/winbindd_util.c:782(init_domain_list)
Jun 14 15:48:33 enpaq winbindd[15942]:   Could not fetch our SID - did 
we join?
Jun 14 15:48:33 enpaq winbindd[15942]: [2010/06/14 15:48:33,  0] 
winbindd/winbindd.c:1393(main)

Jun 14 15:48:33 enpaq winbindd[15942]:   unable to initialize domain list

The version installed is Version 3.4.7 (lucid packages), the 
configuration files (given below) were working
as is on Ubuntu hardy, the winbind issue started only when I migrated to 
lucid.


kinit works and smbd and nmbd processes start up as well:

r...@enpaqadserver.com:/etc/samba# kinit administra...@enpaqadserver.com
Password for administra...@enpaqadserver.com:
r...@enpaqadserver.com:/etc/samba# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administra...@enpaqadserver.com

Valid starting     Expires            Service principal
06/14/10 16:01:11  06/15/10 01:59:00  krbtgt/enpaqadserver@enpaqadserver.com
   renew until 06/15/10 16:01:11, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

r...@enpaqadserver.com:/etc/samba#


Configurations files below:

r...@enpaqadserver.com:/etc/samba# cat /etc/krb5.conf
[libdefaults]
   default_realm = ENPAQADSERVER.COM
   dns_lookup_realm = true
   dns_lookup_kdc = true
   ticket_lifetime = 24h

[realms]

   ENPAQADSERVER.COM = {
   kdc = winserver.enpaqadserver.com:88
   admin_server = winserver.enpaqadserver.com:749
   default_domain = enpaqadserver.com
   }

[domain_realm]
   .enpaqadserver.com = ENPAQADSERVER.COM
   enpaqadserver.com = ENPAQADSERVER.COM


r...@enpaqadserver.com:/etc/samba# cat smb.conf
# Global parameters   
[global]  
 workgroup = ENPAQADSERVER   
 realm = ENPAQADSERVER.COM   
 password server = ENPAQADSERVER.COM

 preferred master = no
 domain master = false
 local master = no
 server string = Samba file and print server
 security = ADS
 encrypt passwords = true
 log level = 3
 log file = /var/log/samba/%m
 max log size = 50
 winbind separator = /
 winbind enum users = yes
 winbind enum groups = yes
 winbind use default domain = yes
 printcap name = cups
 printing = cups
 idmap uid = 1-2
 idmap gid = 1-2

[homes]
 comment = Home Directories
 path= /opt/samba/data/share
 valid users = %S
 read only = No
 browseable = No

[printers]
 comment = All Printers
 browseable = no
 printable = yes
 guest ok = yes

The same adserver and these same configuration files, including the same 
DNS settings on
the samba machine worked fine when I was using the Ubuntu hardy 
distribution.  I tried googling

for this issue and tried on my own but could not resolve this.

Thanks in advance
justin



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Winbind not starting in AD member(samba joining domain)configuration.

2010-06-14 Thread justin joseph

t...@tms3.com wrote:

SNIP


Facing an issue with winbind not starting with below error log(taken
from /var/log/syslog):

Jun 14 15:48:33 enpaq winbindd[15941]: [2010/06/14 15:48:33, 0]
param/loadparm.c:6767(service_ok)
Jun 14 15:48:33 enpaq winbindd[15941]: WARNING: No path in service
printers - making it unavailable!
Jun 14 15:48:33 enpaq winbindd[15942]: [2010/06/14 15:48:33, 0]
winbindd/winbindd_cache.c:2578(initialize_winbindd_cache)
Jun 14 15:48:33 enpaq winbindd[15942]: initialize_winbindd_cache:
clearing cache and re-creating with version number 1
Jun 14 15:48:33 enpaq winbindd[15942]: [2010/06/14 15:48:33, 0]
winbindd/winbindd_util.c:782(init_domain_list)
Jun 14 15:48:33 enpaq winbindd[15942]: Could not fetch our SID - did
we join?

SNIP

What does net ads testjoin say?


I get the below pasted response:

r...@enpaqadserver.com:/etc/samba# net ads testjoin
Enter enp...@enpaqadserver.com's password:
[2010/06/14 18:47:09,  0] libads/kerberos.c:333(ads_kinit_password)
kerberos_kinit_password enp...@enpaqadserver.com failed: Clients 
credentials have been revoked

Join to domain is not valid: Access denied
r...@enpaqadserver.com:/etc/samba#

ps: sorry, replied to responder without CC-ing list.  Posting once more.



Cheers,




[Samba] pdbedit: unable to delete machine

2010-05-12 Thread Joseph Metzler

Hi,

I am unable to delete a machine account:
pdbedit -x -m myMachine$
unable to delete machine myMachine$

there is still an account in /etc/passwd for this machine.
pdbedit -L | grep myMachine 
does not find the account but

pdbedit -Lv myMachine$ 
Unix username:myMachine$
NT username:
Account Flags:[W  ]
User SID: S-1-5-21-3806833646-4237951892-2933512824-23108
Primary Group SID:S-1-5-21-3806833646-4237951892-2933512824-513
Full Name:Machine
Home Directory:   \\serv-01\profiles\myMachine_\Eigene Dateien
HomeDir Drive:H:
Logon Script: myMachine_.cmd
Profile Path: \\serv-01\profiles\myMachine_
Domain:   XYZ
Account desc:
Workstations:
Munged dial:
Logon time:   0
Logoff time:  Sun, 07 Feb 2106 07:28:15 CET
Kickoff time: Sun, 07 Feb 2106 07:28:15 CET
Password last set:Thu, 18 Jun 2009 13:48:49 CEST
Password can change:  Thu, 18 Jun 2009 13:48:49 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours : FF

Is the passdb.tdb corrupt, or did I miss something?

Using Samba 3.2.5 on debian lenny

joseph



[Samba] Share create modes

2009-05-01 Thread Joseph L. Casale
I am reading the smb.conf man page and am a little unclear on the difference
between create mode with and without force?

What exactly happens when force is used, or more precisely what situation
can arise when not using force, that force fixes?

Thanks!
jlc


[Samba] Simple Permission Issue

2009-04-21 Thread Joseph L. Casale
I haven't really done a lot with file sharing in Samba and seem
to be missing something here. I have a folder, /Share that has

[r...@host ~]# getfacl /Share /
getfacl: Removing leading '/' from absolute path names
# file: Share
# owner: root
# group: ad\040sec\040group
user::rwx
group::rwx
other::---

It is also a mount point for a partition, so it has a lost+found that
is set 700 root:root. The share perms are:

[Share]
comment = ...
path = /Share
browseable = no
writable = no
guest ok = no
printable = no
write list = @DOMAIN+Domain Admins,@DOMAIN+ad sec group

Why can users other than root manipulate the name of lost+found but obviously
not execute it, and enter it? Same if root makes a test directory under /Share
and sets it 700, users connected to the share cannot access it, but can modify
its name and/or delete it?

Thanks!
jlc


[Samba] Samba Print Server problem

2009-04-17 Thread Joseph L. Casale
I have CentOS 5 machine with Samba sharing 5 cups printers.
The two Canon iR's have no issues, I used the rpcclient method
to add print drivers and this works flawlessly. However, the HP
2430N's that I setup work fine as raw cups printers, and I added
the drivers the exact same way but when a windows client connects
they are prompted for drivers (and they want the compressed files
as well, *.dl_ which were never added??) and more often than not
a client's explorer will crash if they access those printers?

The HP drivers come as an install program and cab files, whereas
most others are simply dll's etc.

Any ideas how to remedy this?

Thanks!
jlc


[Samba] Printer permissions

2009-03-31 Thread Joseph L. Casale
I have been reading through the Samba docs and have successfully setup cups
for our Canon and HP printers, I have Samba sharing out all the cups printers
and have also setup the print$ share and used rpcclient to add the drivers. This
is working fine and the Windows clients can successfully connect and download
the drivers. However, I cannot seem to find out how to specifically setup access
to each printer so only certain users have access to print and most specifically
set it up such that all users have the required permissions to change print
settings like choose paper type and saddle stitch.

Any pointers to this aspect would be appreciated!
Thanks,
jlc


Re: [Samba] User Authentication and Username Map

2008-11-24 Thread Alec Joseph Rivera
On Sunday 23 November 2008 10:07:00 pm Richard Nelson wrote:
 Greetings,

 Do you have entries in smbpasswd file for these users with the correct
 password?

 Thanks.

Yup I have those on the password file.. I'm able to logon from a Linux client 
when the username is either 'agi', 'Alec' or 'Alec Joseph'. On the Windows 
client, however, only the 'agi' (which is the Unix username) will work.

I stumbled upon this only because 'wing' asked me if she can use 'Jo Annelyn' 
instead. I thought it would be straightforward to use the username mapping 
because on the Linux workstation it just works...

I'm clearly missing something...

Thanks.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] User Authentication and Username Map

2008-11-22 Thread Alec Joseph Rivera
Hi to all..

I've set up a Samba domain and am now having a hard time setting up Unix to 
Windows user mapping. As an example on the server, user is 'agi', and at the 
workstation I want an 'Alec Joseph' as the user name. If I log on from a 
Linux desktop using the alias, the connection goes through:

# sudo tail -f /usr/local/samba/var/log.smbd | grep 'Alec Joseph'

  Got user=[Alec Joseph] domain=[RIVERA-HOME] workstation=[THREEPIO] len1=24 
len2=24
  Mapped user Alec Joseph to agi
  check_ntlm_password:  Checking password for unmapped user 
[RIVERA-HOME]\[Alec [EMAIL PROTECTED] with the new password interface
  check_ntlm_password: sam authentication for user [Alec Joseph] succeeded
  check_ntlm_password:  authentication for user [Alec Joseph] - [agi] - 
[agi] succeeded
  register_existing_vuid: User name: agiReal name: Alec Joseph 
Rivera,,,

However, on a Windows workstation, I cannot log on and am getting these in the 
log:

  SAM Logon (Interactive). Domain:[RIVERA-HOME].  User:[Alec [EMAIL PROTECTED] 
Requested Domain:[RIVERA-HOME]
  check_ntlm_password:  Checking password for unmapped user 
[RIVERA-HOME]\[Alec [EMAIL PROTECTED] with the new password interface
  check_ntlm_password:  mapped user is: [RIVERA-HOME]\[Alec [EMAIL PROTECTED]
  check_sam_security: Couldn't find user 'Alec Joseph' in passdb.
  check_ntlm_password:  Authentication for user [Alec Joseph] - [Alec Joseph] 
FAILED with error NT_STATUS_NO_SUCH_USER

From what I understand, the Windows workstation is forcing a lookup on the 
tdbsamdb backend right? On the manuals I've read that the mapping is done 
after the authentication...

How can I get the same behavior as from a Linux workstation? Also I can see in 
the logs an Error permission denied on the username map file, is this in a 
way related?

Thanks...

Ohayou gozaimas,
Agi


Re: [Samba] User Authentication and Username Map

2008-11-22 Thread Alec Joseph Rivera
On Sunday 23 November 2008 1:26:48 am Richard Nelson wrote:
 Greetings,

 Might be nice to see your smb.conf file, less anything that might be a
 security issue.

Here's my smb.conf and the username map file. Do you think there might be a 
configuration somewhere in windows that maybe is related to this, like use an 
NTLM auth or something?

Thanks Richard.
--
smb.conf

[global]

# Domain/Workgroup and Host identification
workgroup = rivera-home
netbios name = obiwan
server string = Rivera Home LAN Primary Server

# Browsing options
os level = 40
domain master = yes
local master = yes
preferred master = yes

# WINS options
wins support = yes
name resolve order = wins lmhosts hosts bcast

# Security options
security = user
domain logons = yes

# Common services
logon script = logon-%U.bat
logon path = \\obiwan\profiles\%U
auto services = %U

# Optimizations
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=65536 SO_RCVBUF=65536
max xmit = 2048

log level = 3

username map = /usr/local/samba/lib/usrmap

[netlogon]
comment = Rivera Home LAN Logon Service
path = /var/export/samba/netlogon
browseable = no

[profiles]
comment = Rivera Home LAN User Profiles
path = /var/export/samba/profiles
read only = no
browseable = no

create mode = 0600
directory mode = 0700

[homes]
comment = %U's Home Folder
read only = no
browseable = no

[public]
comment = Rivera Home LAN Public Zone
path = /var/export/samba/public
;read list =
write list = agi, joy, wing

[images]
comment = Pictures, Clip Arts and Various Images
path = /var/export/samba/images
;read list =
write list = agi, joy, wing
[tv]
comment = TV Shows
path = /var/export/samba/tv
read list = agi, joy, wing
write list = agi

[music]
comment = Music Library
path = /var/export/samba/music
read list = agi, joy, wing
write list = agi

--
usrmap

agi = Alec Alec Joseph
wing = Jo Annelyn
joy = Jo Angela


[Samba] SAMBA: how do I tell SAMBA to not prompt for id/passwords when connecting from windows (vista)

2008-10-24 Thread joseph collins

I have a linux box on my home network and it also has xp and win vista on the
same network.
It is all friendly - how do I drop the need for Id/pw (if I can't, how do I set
the id/pw so what I type in win vista gets passed to samba cleanly and thus I
get in)? I have tried many things in smb.conf and cannot figure it out
TIA,

Joe





[Samba] Hosts Allow/Deny

2008-10-10 Thread Joseph L. Casale
I am running CentOS 5.2 w/ Samba 3.0.28 and have a basic user level setup and
am trying to use hosts allow and deny but it does not have an effect? I have
specified them in the share level of the config.

I have tried:
hosts allow = 192.168.0.72/32
hosts deny = 0.0.0.0/0

Also:
;   hosts allow = 192.168.0.72/32
hosts deny = 0.0.0.0/0 except 192.168.0.72/32

Still, any hosts can gain access? Can anyone shed some light on this?

Thanks,
jlc


[Samba] invalid username error when accessing a share causes delay (but works...)

2008-09-25 Thread Poitras François-Joseph
Hi,

(thanks to V. Lendecke and W. Ratzka who helped me with my previous question)

I've decided to set up Samba using ADS security and it works fine.  The only 
thing is I have a 5-6 seconds delay when I access a share the first time after 
I login.  The delay occurs again if I've been logged in for a while but haven't 
gone to the share and then try to access it.  Every time this delay occurs I 
get this message in a file named SERVER_NAME.log under the Samba log folder

 Username REALM\SERVER_NAME$ is invalid on this system where SERVER_NAME$ is 
the name of the server from which a user is connecting to the shared folder and 
REALM is my realm specified in the smb.conf file and my krb5.conf file.

I've googled this but only found the information below:

This usually happens when a non unix-enabled account performs a network browse. 
It is often a workstation account, appearing as DOMAIN\HOST$. The account 
successfully authenticates itself to the samba server, but there is no UID 
associated with it (as it's not VAS-enabled). The messages are harmless, and 
indicate that some of your shares can't be accessed by non-unix enabled users.
To remove these messages, do ONE of the following:
1 - specify log level = 0 in smb.conf. This will hide those messages.
However, I'm worried setting log level = 0 will prevent useful messages from 
appearing in my logs.  Does someone have any idea of what the best course of 
action is?  Let me know if you need any config info.
Thanks!
FJ




[Samba] Which security to use? Domain or ADS?

2008-09-24 Thread Poitras François-Joseph
Hi,

I've got a working scenario of samba in server security.  I need to replace 
the server used to authenticate so I'd like to use the momentum and switch the 
security method to something better (domain or ads).  I want to avoid having my 
SAMBA server join my (Active Directory) domain if at all possible.  Am I asking 
the impossible?  Can someone recommend the best or most appropriate method to 
use?  I've tried the domain security without success so far.  I've also looked 
at the ADS security but the doc I'm seeing includes joining my server in the 
domain for it to work...

Thanks!

FJ


[Samba] Nessus test issues with open shares

2008-05-28 Thread Joseph P Villa
Hi,

My name is Joseph Villa, I'm new to the message boards and I'm also new to 
Samba. I just got an e-mail back on our Nessus scans.. Here are the 2 that 
are relevant..

1.) The remote host has accessible LOGS$ share. 

ScriptLogic creates this share to store the logs, but does not properly 
set the permissions on it. As a result, anyone 
can use it to read the remote logs. 

Solution: Limit access to this share to the backup account and the Domain 
Administrator. 




2.) Backup share can be accessed without authentication. 

The remote host has an accessible ARCSERVE$ share. 

Several versions of ARCserve store the backup agent username and password 
in cleartext in this share., 
An attacker may use this flaw to obtain the password file of the remote 
backup agent and use it to gain privilages on the host. 

Solution is to limit the access to this share to backup account and domain 
administrator. 



Both of these are off of our Sun server running Solaris 10 as the OS. I'm 
thinking both directories are being shared via Samba. Although
there is much I don't know about this system. Has anyone out there run 
into the same issue?

Thanks, 


Joseph P Villa, IT Services
USGS Mounds View, MN


Re: [Samba] Nessus test issues with open shares

2008-05-28 Thread Joseph P Villa
password server = igsbccidc01 *
wins server = #
allow hosts = .gs.doi.net .usgs.gov
##
## Disable Browsing Services
os level = 0
preferred master = no
domain master = no
# Samba 3.0.23C Global parameters 09/26/06
# WINBIND removed
[global]
## Configured with /usr/local/samba/bin/config_samba
workgroup = GS
security = domain
encrypt passwords = yes
password server = #
wins server = #
allow hosts = .gs.doi.net .usgs.gov
##
## Disable Browsing Services
os level = 0
preferred master = no
domain master = no
local master = no
## Please set netbios name to GS naming standard
## example: netbios name = IGSKIACIFS001
## Pre-stage (create) this computer account in Active Directory before
## joining to domain
netbios name = igs###
##
server string = NAME
username map = /usr/local/samba/lib/users.map
password level = 2
printcap name = /usr/local/samba/lib/printers
preload = homes printers
default service = tmp
message command = csh -c 'xedit %s;rm %s' 
NIS homedir = Yes
print command = lp -c -o nobanner -d%p %s; rm %s
## Use a separate log file for each machine
log file = /usr/local/samba/var/log.smbd
## Put a cap on the size of the log files (in Kb).
max log size = 50
map archive = no
## Performance Parameters
log level = 1
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=16834 SO_RCVBUF=16834 SO_KEEPALIVE
read raw = yes
write raw = yes
max xmit = 65535
getwd cache = yes
## Recommended Security Setting
Restrict anonymous = yes
allow trusted domains = no
client use spnego = yes
client NTLMv2 auth = yes
client lanman auth = no
client plaintext auth = no
ldap ssl = no
## File Oplock Settings can be set globally although should be set at the
## share level depending if you are having problems with Excel or other
## applications not saving properly.
##  oplocks = no
##  level 2 oplocks = no

# Home Section Samba User home directories are automatically mapped
[homes]
comment = Home Directories
path = %H
read only = No
create mask = 0664
directory mask = 0775
hide dot files = No
## File Oplock Settings
oplocks = no
level 2 oplocks = no
# Printer Section used to list available UNIX printers
[printers]
comment = All Printers
path = /tmp
username = %U
create mask = 0700
guest ok = Yes
print ok = Yes

Joseph P Villa, IT Services
USGS Mounds View, MN



Jeremy Allison [EMAIL PROTECTED] 
05/28/2008 12:39 PM
Please respond to
Jeremy Allison [EMAIL PROTECTED]


To
Joseph P Villa [EMAIL PROTECTED]
cc
samba@lists.samba.org
Subject
Re: [Samba] Nessus test issues with open shares






On Wed, May 28, 2008 at 12:58:12PM -0400, Joseph P Villa wrote:
 Hi,
 
 My name is Joseph Villa, I'm new to the message boards and I'm also new 
to 
 Samba. I just got an e-mail back on our Nessus scans.. Here are the 2 
that 
 are relivant..
 
 1.) The remote host has accessible LOGS$ share. 
 
 ScriptLogic creates this share to store the logs, but does not properly 
 set the permissions on it. As a result, anyone 
 can use it to read the remote logs. 
 
 Solution: Limit access to this share to the backup account and the 
Domain 
 Administrator. 
 
 
 
 
 2.) Backup share can be accessed without authentication. 
 
 The remote host has an accessible ARCSERVE$ share. 
 
 Several versions of ARCserve store the backup agent username and 
password 
 in cleartext in this share., 
 An attacker may use this flaw to obtain the password file of the remote 
 backup agent and use it to gain privilages on the host. 
 
 Solution is to limit the access to this share to backup account and 
domain 
 administrator. 
 
 
 
 Both of these are off of our Sun server running Solaris 10 as the OS. 
I'm 
 thinking both directories are being shared via Samba. Although
 there is much I don't know about this system. Has anyone out there run 
 into the same issue?

Post your smb.conf so we can see what shares you have defined.

Jeremy.
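
An added example, not part of either post and not Samba's own code: a small Python audit that parses smb.conf text and reports the settings that let a share be reached without credentials, the condition both Nessus findings above describe. The sample input is a trimmed excerpt of the configuration posted above; the function names and finding labels are assumptions of this example.

```python
import re

# smb.conf(5): parameter names are case-insensitive and spaces in them are
# ignored; the left-hand names below are documented synonyms.
SYNONYMS = {
    "public": "guestok",
    "default": "defaultservice",
    "allowhosts": "hostsallow",
}
TRUE_VALUES = {"yes", "true", "on", "1"}


def canon(name):
    """Normalise a parameter name the way Samba compares them."""
    key = re.sub(r"\s+", "", name).lower()
    return SYNONYMS.get(key, key)


def parse_smb_conf(text):
    """Return {section (lower-case): {canonical parameter: value}}."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)
            current[canon(name)] = value.strip()
    return sections


def audit(text):
    """Return (section, finding, detail) tuples for unauthenticated access."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []

    # 'default service' answers requests for share names that do not exist,
    # so a scanner probing for a well-known share name can get a connection.
    default = glob.get("defaultservice")
    if default:
        state = "defined" if default.lower() in conf else "not defined in this file"
        findings.append(("global", "default-service",
                         f"unknown share names are mapped to [{default}] ({state})"))

    # Anything other than 'Never' can turn a failed login into a guest session.
    if glob.get("maptoguest", "never").lower() != "never":
        findings.append(("global", "map-to-guest",
                         f"map to guest = {glob['maptoguest']}"))

    for name, params in conf.items():
        if name == "global":
            continue
        # A share inherits the [global] value unless it sets its own.
        guest = params.get("guestok", glob.get("guestok", "no"))
        if guest.lower() in TRUE_VALUES:
            hosts = params.get("hostsallow", glob.get("hostsallow"))
            scope = f"hosts allow = {hosts}" if hosts else "no hosts allow limit"
            findings.append((name, "guest-ok", scope))
    return findings


# Trimmed excerpt of the configuration posted in the message above.
SAMPLE = """\
[global]
workgroup = GS
security = domain
allow hosts = .gs.doi.net .usgs.gov
default service = tmp
Restrict anonymous = yes

[homes]
comment = Home Directories
path = %H
read only = No

[printers]
comment = All Printers
path = /tmp
guest ok = Yes
print ok = Yes
"""

if __name__ == "__main__":
    for section, finding, detail in audit(SAMPLE):
        print(f"[{section}] {finding}: {detail}")
```

Run against the full smb.conf rather than the excerpt, since shares defined further down the file (or pulled in from other files) are not visible here.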



RE: [Samba] Samba on Virtual Machines

2008-05-16 Thread Mervini, Joseph A
I have isolated the problem I have been experiencing to RHEL5/autofs. The 
problem does not present itself when I run the same configuration with RHEL4. I 
will be posting a bug with Redhat.


--
Joe Mervini
Scientific Applications and User Support
Sandia National Laboratories
Department 09326 MS-0823
PO Box 5800
Albuquerque, NM 87120
(505) 844.6770

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mervini, Joseph A
Sent: Monday, May 12, 2008 3:42 PM
To: 'Rune Tønnesen'; samba@lists.samba.org
Subject: RE: [Samba] Samba on Virtual Machines

Hi,

After a lot more investigation and testing (as well as identifying an error in 
my set up) I have determined the problem that I am having is related to the way 
that Windows handles mount to a samba share that is getting its share via nfs 
through automounting.

My configuration is a system running RHEL5 and either the stock samba with the 
release or 3.0.28a compiled from source. User home directories are accessed via 
automounting using NIS; auto.home is pointed to the NIS map.

I have been able to prove that it is an auto.home indirect mount problem only. I 
have set up a test share using the /net indirect mount (i.e., path = 
/net/machine namedevicedirectory) and it works perfectly. However, when I 
mount the share via the auto.home, the explorer window comes up showing the 
files but any attempt to read/write/properties/etc. hangs and eventually times 
out. I have spent many hours trying many different configurations to make this 
work but have had absolutely no luck. And unfortunately the log messages (samba 
side) do not give any indication of a failure.

My system configuration is RHEL Client release 5.1 (basically everything), 
samba 3.0.28a, automount 5.0.1-0.rc2-55-el5.3. My samba configuration is below.


   workgroup = testgroup
   server string = Samba Server

   log level = 2
   log file = /var/log/samba/log.%m
   max log size = 1

   security = server
   password server = passwdserver
   encrypt passwords = yes

   client ntlmv2 auth = yes
   client lanman auth = no
   max protocol = lanman2.0
   map to guest = Bad User

   load printers = yes

   socket options = TCP_NODELAY
   bind interfaces only = True

   use kerberos keytab = yes

   local master = no
   domain master = no
   preferred master = no
   wins support = no
   wins server = winserver
   wins proxy = no
   dns proxy = no

   preserve case = yes
   short preserve case = yes
   default case = lower
   case sensitive = no

   strict locking = no

# Share Definitions ==

[Home]
   comment =  User Files
   path = /home/%u
   browseable = no
   writable = yes

# Test net access
[Test]
   comment = Net Test
   path = /net/sass4001/u74/%u
   browseable = no
   writable = yes


Any help would be greatly appreciated.

Thanks,
Joe

--
Joe Mervini
Scientific Applications and User Support Sandia National Laboratories 
Department 09326 MS-0823 PO Box 5800 Albuquerque, NM 87120
(505) 844.6770

-Original Message-
From: Rune Tønnesen [mailto:[EMAIL PROTECTED]
Sent: Monday, May 05, 2008 9:27 AM
To: Mervini, Joseph A; samba@lists.samba.org
Subject: Re: [Samba] Samba on Virtual Machines

Hi Joseph

It sounds more like a vmware problem. How is the network configured on your 
vmware machine?

Best Regards Rune Tønnesen

On 5/5/2008, Mervini, Joseph A [EMAIL PROTECTED] wrote:

Hi,
We have deployed Samba on VMware (ESX) on IBM Bladecenter H. I am having a 
serious problem with Samba related to Windows client access. I can mount the 
samba share with no problem whatsoever and see all the files that exist within 
that share. However, when I try to open/write/copy/get properties on any file 
in either direction the operation stalls and eventually I will get a message 
similar to Cannot copy file: The specified network name is no longer 
available. on the Windows client. We are running stock RHEL5 workstation with 
most packages installed (sound/telephony excluded). Our samba security is set 
to domain but this has also been tested with security set to user.
I have an identical samba server (except IP/hostname, etc.) on a standalone 
blade that works flawlessly. I have scoured the web looking for answers but 
have come up empty.
Has anyone on this list ever had a similar problem that might be able to share 
some insight?
Thanks in advance.


--
Joe Mervini
Scientific Applications and User Support Sandia National Laboratories
Department 09326 MS-0823 PO Box 5800 Albuquerque, NM 87120
(505) 844.6770




RE: [Samba] Samba on Virtual Machines

2008-05-12 Thread Mervini, Joseph A
Hi,

After a lot more investigation and testing (as well as identifying an error in 
my set up) I have determined the problem that I am having is related to the way 
that Windows handles mount to a samba share that is getting its share via nfs 
through automounting.

My configuration is a system running RHEL5 and either the stock samba with the 
release or 3.0.28a compiled from source. User home directories are accessed via 
automounting using NIS; auto.home is pointed to the NIS map.

I have been able to prove that it is an auto.home indirect mount problem only. I 
have set up a test share using the /net indirect mount (i.e., path = 
/net/machine namedevicedirectory) and it works perfectly. However, when I 
mount the share via the auto.home, the explorer window comes up showing the 
files but any attempt to read/write/properties/etc. hangs and eventually times 
out. I have spent many hours trying many different configurations to make this 
work but have had absolutely no luck. And unfortunately the log messages (samba 
side) do not give any indication of a failure.

My system configuration is RHEL Client release 5.1 (basically everything), 
samba 3.0.28a, automount 5.0.1-0.rc2-55-el5.3. My samba configuration is below.


   workgroup = testgroup
   server string = Samba Server

   log level = 2
   log file = /var/log/samba/log.%m
   max log size = 1

   security = server
   password server = passwdserver
   encrypt passwords = yes

   client ntlmv2 auth = yes
   client lanman auth = no
   max protocol = lanman2.0
   map to guest = Bad User

   load printers = yes

   socket options = TCP_NODELAY
   bind interfaces only = True

   use kerberos keytab = yes

   local master = no
   domain master = no
   preferred master = no
   wins support = no
   wins server = winserver
   wins proxy = no
   dns proxy = no

   preserve case = yes
   short preserve case = yes
   default case = lower
   case sensitive = no

   strict locking = no

# Share Definitions ==

[Home]
   comment =  User Files
   path = /home/%u
   browseable = no
   writable = yes

# Test net access
[Test]
   comment = Net Test
   path = /net/sass4001/u74/%u
   browseable = no
   writable = yes


Any help would be greatly appreciated.

Thanks,
Joe

--
Joe Mervini
Scientific Applications and User Support
Sandia National Laboratories
Department 09326 MS-0823
PO Box 5800
Albuquerque, NM 87120
(505) 844.6770

-Original Message-
From: Rune Tønnesen [mailto:[EMAIL PROTECTED]
Sent: Monday, May 05, 2008 9:27 AM
To: Mervini, Joseph A; samba@lists.samba.org
Subject: Re: [Samba] Samba on Virtual Machines

Hi Joseph

It sounds more like a vmware problem. How is the network configured on your 
vmware machine?

Best Regards Rune Tønnesen

On 5/5/2008, Mervini, Joseph A [EMAIL PROTECTED] wrote:

Hi,
We have deployed Samba on VMware (ESX) on IBM Bladecenter H. I am having a 
serious problem with Samba related to Windows client access. I can mount the 
samba share with no problem whatsoever and see all the files that exist within 
that share. However, when I try to open/write/copy/get properties on any file 
in either direction the operation stalls and eventually I will get a message 
similar to Cannot copy file: The specified network name is no longer 
available. on the Windows client. We are running stock RHEL5 workstation with 
most packages installed (sound/telephony excluded). Our samba security is set 
to domain but this has also been tested with security set to user.
I have an identical samba server (except IP/hostname, etc.) on a standalone 
blade that works flawlessly. I have scoured the web looking for answers but 
have come up empty.
Has anyone on this list ever had a similar problem that might be able to share 
some insight?
Thanks in advance.


--
Joe Mervini
Scientific Applications and User Support Sandia National Laboratories
Department 09326 MS-0823 PO Box 5800 Albuquerque, NM 87120
(505) 844.6770



[Samba] Samba on Virtual Machines

2008-05-05 Thread Mervini, Joseph A
Hi,
We have deployed Samba on VMware (ESX) on IBM Bladecenter H. I am having a 
serious problem with Samba related to Windows client access. I can mount the 
samba share with no problem whatsoever and see all the files that exist within 
that share. However, when I try to open/write/copy/get properties on any file 
in either direction the operation stalls and eventually I will get a message 
similar to Cannot copy file: The specified network name is no longer 
available. on the Windows client. We are running stock RHEL5 workstation with 
most packages installed (sound/telephony excluded). Our samba security is set 
to domain but this has also been tested with security set to user.
I have an identical samba server (except IP/hostname, etc.) on a standalone 
blade that works flawlessly. I have scoured the web looking for answers but 
have come up empty.
Has anyone on this list ever had a similar problem that might be able to share 
some insight?
Thanks in advance.


--
Joe Mervini
Scientific Applications and User Support
Sandia National Laboratories
Department 09326 MS-0823
PO Box 5800
Albuquerque, NM 87120
(505) 844.6770




[Samba] Can't login from my PC.

2007-11-28 Thread Joseph C. Fisher
Please help.

I'm not new to Linux or Unix, but I am new to Samba and PAM.

A few weeks ago, I upgraded to SuSE Linux 10.3.

I attempted to install and configure Samba last weekend, for the first time.

I want to create 3 specific mount points under Samba, each with different
permissions as to who can access them.

Initially, I was able to mount the filesystem with the least amount of
restrictions, but could not seem to mount the other two filesystems.

I found several different documents on-line to aid in configuring the
smb.conf file.

After playing around for several days, I now can no longer mount any of the
three filesystems.

Currently, when I bring up my Windows Explorer session, I can see the
Workgroup, and the Samba server, but I can not see any of the mount points
on that server.

When I click on the server (Samba 3.0.26a-3-1478-SUSE-SL10.3 (Jflinuxpc), I
get the following error:

#

\\Jflinuxpc is not accessible.  You might not have permission to use this
network resource.  Contact the administrator of this server to find out if
you have access permissions.

There are currently no logon servers available to service the logon
request.

#

When I click on Map Network Drive and type in \\Jflinuxpc\family_photos,
I get the following error message:

#

The mapped network drive could not be created because the following error
has occurred:

There are currently no logon servers available to service the logon
request.

#

To start, it appears as if I've activated some type of special logon server
un-knowingly...

Can anyone give me a hint as to what it might be?

I can telnet to the Linux server just fine from all of my laptops and PCs.

The login ID that I'm using is good from a Linux / Unix / OS perspective.

Any ideas or help would be greatly appreciated.

Thanks in advance, and have a great week.

JoeF...



[Samba] Can't logon to Samba server

2007-11-28 Thread Joseph C. Fisher
I'm re-posting this thread / request for help.

This is the first time I've ever used a list, and the first time I've ever
sent a request for help to a list.

In my first message, I had unknowingly replied to another thread, when I
wiped out the old subject and body.

I was simply trying to send my new thread to the samba list.

If I offended anyone, I apologize, as it was not intentional.

The only response that I received to my post, was one that told me I had
hijacked someone else's thread.

So, I'll try again, this time with a brand new message...

Maybe I'll get a response to my problem this time.

JCF

###

Please help.

I'm not new to Linux or Unix, but I am new to Samba, PAM and Lists.

A few weeks ago, I upgraded to SuSE Linux 10.3.

I attempted to install and configure Samba last weekend, for the first time.

I want to create 3 specific mount points under Samba, each with different
permissions as to who can access them.

Initially, I was able to mount the filesystem with the least amount of
restrictions, but could not seem to mount the other two filesystems.

I found several different documents on-line to aid in configuring the
smb.conf file.

After playing around for several days, I now can no longer mount any of the
three filesystems.

Currently, when I bring up my Windows Explorer session, I can see the
Workgroup, and the Samba server, but I can not see any of the mount points
on that server.

When I click on the server (Samba 3.0.26a-3-1478-SUSE-SL10.3 (Jflinuxpc), I
get the following error:

#

\\Jflinuxpc is not accessible. You might not have permission to use this
network resource. Contact the administrator of this server to find out if
you have access permissions.

There are currently no logon servers available to service the logon request.

#

When I click on Map Network Drive and type in \\Jflinuxpc\family_photos, I
get the following error message:

#

The mapped network drive could not be created because the following error
has occurred:

There are currently no logon servers available to service the logon request.

#

To start, it appears as if I've activated some type of special logon, or
authentication server un-knowingly...

Can anyone give me a hint as to what it might be?

I can telnet to the Linux server just fine from all of my laptops and PCs.

The login ID that I'm using is good from a Linux / Unix / OS perspective.

Any ideas or help would be greatly appreciated.

Thanks in advance, and have a great week.

JoeF...


RE: [Samba] Can't logon to Samba server

2007-11-28 Thread Joseph C. Fisher
Sure...

Here it is:

[global]
workgroup = THEKEY
interfaces = eth0, lo
socket options = TCP_NODELAY
browseable = Yes
case sensitive = Yes
security = domain
log level = 1
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100
smb ports = 139
utmp = Yes
map acl inherit = Yes
usershare max shares = 5
winbind gid = 1000-2
winbind uid = 1000-2
idmap gid = 1000-2
idmap uid = 1000-2
usershare allow guests = Yes

[user1]
comment = /home/user1/Personal
path = /home/user1/Personal
read only = No
inherit acls = Yes
browseable = yes
valid users = user1
hosts allow = USR1
public = yes
guest ok = No
invalid users = user2

[family_photos]
comment = Family Photos
writeable = Yes
path = /Family_Photos
force directory mode = 770
force group = Family
force create mode = 770
hosts allow = USR1 USR2
valid users = @Family
create mode = 770
hide unreadable = Yes
max connections = 5

That's pretty much it!

Thanks in advance, and have a great week.

JOEF...

-Original Message-
From: John Drescher [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 28, 2007 10:10 PM
To: Joseph C. Fisher
Cc: [EMAIL PROTECTED] Samba. Org
Subject: Re: [Samba] Can't logon to Samba server


 #

 \\Jflinuxpc is not accessible. You might not have permission to use this

 network resource. Contact the administrator of this server to find out if
 you have access permissions.

 There are currently no logon servers available to service the logon
request.

Can you post your smb.conf file if it is not huge. Otherwise the
global section should help.

John



[Samba] Why doesn't getent passwd work for me?

2007-08-17 Thread Joseph Slone
I've attached a samba 3 (3.023c-2.el5.2.0.2) server to my windows 2003
domain.  The domain's functional level is Windows 2000 Native.
The server is running Centos 5.   This configuration worked before I rebuilt
the server from Fedora Core 4, whatever version of samba it had.

-- smb.conf --

[global]
workgroup = mydomain
netbios name = samba
security = domain
server string = Samba Server
password server = passwd.server.edu
encrypt passwords = yes
wins server = 192.168.0.10
interfaces = eth0 lo
idmap uid = 15000-2
idmap gid = 15000-2
winbind use default domain = Yes
printing = cup
wins support = yes
log level = 10


(IP addresses and names have been altered)

I ran the command

net rpc join -Uadministrator%mypassword

It replied
Joined domain mydomain.

wbinfo -u and wbinfo -g returns the user and group list I expected.

wbinfo --authenticate=name%password  returns

plaintext password authentication succeeded
challenge/response password authentication succeeded

This concerns me, shouldn't the password be encrypted?

getent passwd name  returns nothing.   getent passwd  returns a list of
local accounts.


Also, why would I need to have a krb5.conf file in my /etc directory.  I
didn't think I was running KRB.  When the default krb5.conf is there wbinfo
-u doesn't work, if I remove it wbinfo -u starts working after I restart
winbindd and smbd.


Re: [Samba] Writing files 2GB from Windows

2007-05-11 Thread Joseph Loo
AndyLiebman wrote:
 [EMAIL PROTECTED] wrote:
 Can these applications write large files to the local disk? It could
 be the fault of the application and not of samba.

 Yes, you might have missed that I mentioned this below.  The
 applications have no trouble writing big files ( 4 GB) to a local disk.
 
 I will also reiterate, I have a case in which the very same application
 only has trouble under specific circumstances. I am talking about a
 Video Editing application. The application can capture most formats of
 video to the Samba share and produce single files that are 20, 40, 80
 GBs in size. But when capturing in a couple of specific formats, the
 capture stops when the file reaches 2 GBs with the message maximum file
 size reached. There is no such limit when capturing to a local drive.
 
 Similarly, when importing certain formats of video, we see that the
 import stops at 4 GBs with a similar error.
 
 Andrew

 - Original Message - From: AndyLiebman [EMAIL PROTECTED]
 To: samba samba@lists.samba.org
 Sent: Friday, May 11, 2007 12:21 PM
 Subject: [Samba] Writing files  2GB from Windows


 Can anybody explain why SOME Windows XP applications have trouble
 writing files larger than 2 GB (or sometimes larger than 4 GB) to
 Linux Samba shares, when OTHER Windows applications on the same
 machine do not have difficulty writing large files to the same Samba
 share? And when the underlying Linux filesystem supports very large
 files?

 I have sometimes even found that a SINGLE Windows application can
 write files larger than 4 GBs while performing SOME operations, but
 while performing OTHER operations, when a file gets to 2GB or 4GB,
 you get back a message saying reached file size limit or something
 similar. And those same operations don't cause any trouble when
 writing  4GB files to a local hard drive.

 Is there a setting in smb.conf that can communicate better to Windows
 applications that large file sizes are supported?

 Likewise, is there a Windows XP registry setting that can make sure
 that applications know they can write large files to a Samba share?

 Help and insight would be appreciated.

 Andy Liebman

 
This may be dumb, but what file system are you exporting with samba? If you are
using ext2, I think there is a 2 GByte limit.

-- 
Joseph Loo
[EMAIL PROTECTED]


[Samba] BLOATED LDAP Traffic from Samba

2007-04-24 Thread Joseph Williams
Hello All,

I am having an issue with a samba 3.0.21a with LDAP backend installation.

My Samba PDC is sending tons of traffic to my ldapserver (iplanet) and is
causing the ldap server load to peak consistently over a ridiculous 91%.
Logons come to a crawl because the ldap load is so high.  I do not have
roaming profiles enabled.

Here is an excerpt from a logfile (log level=2):

[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua19847
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua05996
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua68562
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: dhs
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua05938
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua15265
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua18897
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua03367
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tmarti03
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua61714
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua40746
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua05048
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua10708
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: koldacre
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua01257
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua56483
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua43553
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: aseward
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: ironman8
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua51360
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: ehlee
[2007/04/24 17:23:56, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tua37090

When users log onto SAMBA domain, Samba queries ldap for the user
authentication credentials, if the user and passwords match, the users are
then able to log onto the client. 

A registry value is then entered in HKLM\Software\Microsoft\Windows\Windows
NT\CurrentVersion\ProfileList\S-1-21-DOMAIN SIDS-other values\tua.

The registry entry is expected and normal and all authenticated domain users
will have a registry entry on any machine they use.

The SAMBA request traffic was enough to increase the LDAP system load and
force me to redirect requests from SAMBA from the production LDAP servers to
an offsite LDAP server, and then eventually to my own slave ldap server.
This move was necessary so that other university distributed systems would
not be adversely affected.

The queries that SAMBA is requesting from LDAP are for all domain users that
have a registry entry in the aforementioned hive location.  Please bear in
mind that this enumeration occurs in the background whether or not the XP
systems are:

1.  at the logon screen
2.  after a user has successfully authenticated (the request will occur for
the current logon user and enumerate for ALL domain users in the hive).

During my testing, tuning, and log observation, I have noticed that the
requests do not happen at any specific interval for a specific client, rather
they just occur often enough to cause too much load on the LDAP servers.

How can I get this to stop?  Is this normal behaviour?
In my research I noticed a smb.conf parameter setting of winbind enum group
and winbind enum users.  I am not using winbind, so this will not work for
me.

I've manually deleted the domain users that exist in the HKLM reg hive I
mentioned above and that stops the traffic requests from samba to ldap.
However each new user of a particular workstation will continue to have an
entry cached in this hive.  I've looked for a way to stop the caching using
regedit and gpedit.msc but wasn't 

[Samba] unsuccessful Samba install on AIX 4.3.3.

2006-09-18 Thread Joseph E Murphy

Hello all...

anyone got any ideas how to fix this...   When I run the testparm program
to test the smb.conf file it processes all of the sections I have
configured and then does a Segmentation fault(coredump).

This is for AIX 4.3.3.

Also, when I try and start the smbd process it hangs and then when I go
and look at the log.smbd file here are the results and where it is hanging:


[2006/09/05 16:49:10, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset ISO-8859-1
[2006/09/05 16:49:10, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset ISO-8859-1
[2006/09/05 16:49:10, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UCS2-HEX
[2006/09/05 16:49:10, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UCS2-HEX
[2006/09/05 16:49:10, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO8859-1' for LOCALE
This is the last line in the log file.

It worked on 10 other servers and is failing on two of them.   No obvious
differences between the sets.

Any ideas?  Thank you,

Joe Murphy
AIX, pSeries, RS/6000  HACMP IT Specialist
pSeries FTSS - New England
IBM Sales and Distribution
Bedford, NH

email:  [EMAIL PROTECTED]
phone:(603) 472-4179
cell: (603) 321-7977
AOL IM:   jmurphyibm



RE: [Samba] winbind auth against ads not working via remote login-solaris 10. - Success!!

2006-09-05 Thread Garrett, Joseph
Update: Success

The corrective action was to move the below pam.conf settings to the top
of each section.

auth sufficient /usr/lib/security/pam_winbind.so try_first_pass
account sufficient  /usr/lib/security/pam_winbind.so try_first_pass
session sufficient  /usr/lib/security/pam_winbind.so try_first_pass

-Original Message-
From: Garrett, Joseph 
Sent: Thursday, August 31, 2006 8:40 AM
To: samba@lists.samba.org
Subject: RE: [Samba] winbind auth against ads not working via remote
login-solaris 10.

update: OS not allowing a winbind auth on Solaris 10 console. 

I added the below winbind options (see smb.conf). I now get
NT_STATUS_OS for the user (see winbind log) as I try to login but
Solaris 10 still reports a Login Incorrect. What other OS configuration am
I missing? Do the nss_winbind.so libraries need to be copied anywhere else?



I copied the libnss_winbind.so  to /lib and /usr/lib and made the below
links.
/lib/nss_winbind.so 
/lib/nss_winbind.so.1

Nsswitch.conf is using file nis winbind . See pam.conf below.

Thanks and God bless!


Winbind Log:--
[2006/08/31 08:17:43, 5]
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(445)
  Plain-text authentication for user jgarrett returned NT_STATUS_OK
(PAM: 0)


Smb.conf

# cat smb.conf
# Global parameters
[global]
workgroup = MYDOMAIN
server string = Samba Server pdtsun03
password server = MYPWDSERVERS
encrypt passwords = yes
log level = 10
log file = /usr/local/samba/var/log.%m
max log size = 50
dns proxy = No
guest account = visitor

realm = MYREALM
security = ads
ldap ssl = no
idmap uid = 1-2
idmap gid = 1-2

winbind cache time = 2
winbind use default domain = Yes
winbind trusted domains only = Yes
winbind nested groups = Yes

winbind uid = 20001-4
winbind gid = 20001-4

# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
# give winbind users a real shell (only needed if they have telnet
access)


Pam.conf--

# cat /etc/pam.conf
#
#ident  @(#)pam.conf   1.2804/04/21 SMI
#
# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the other section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth required   pam_unix_cred.so.1
login   auth required   pam_unix_auth.so.1
login   auth required   pam_dial_auth.so.1
login   auth sufficient /usr/lib/security/pam_winbind.so try_first_pass debug
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient pam_rhosts_auth.so.1
rlogin  auth requisite  pam_authtok_get.so.1
rlogin  auth required   pam_dhkeys.so.1
rlogin  auth required   pam_unix_cred.so.1
rlogin  auth required   pam_unix_auth.so.1
rlogin  auth sufficient /usr/lib/security/pam_winbind.so try_first_pass debug
#
# Kerberized rlogin service
#
krlogin auth required   pam_unix_cred.so.1
krlogin auth binding    pam_krb5.so.1
krlogin auth required   pam_unix_auth.so.1
krlogin auth sufficient /usr/lib/security/pam_winbind.so try_first_pass debug
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient pam_rhosts_auth.so.1
rsh     auth required   pam_unix_cred.so.1
rsh     auth sufficient /usr/lib/security/pam_winbind.so try_first_pass debug
#
# Kerberized rsh service
#
krsh    auth required   pam_unix_cred.so.1
krsh    auth binding    pam_krb5.so.1
krsh    auth required   pam_unix_auth.so.1
krsh    auth sufficient /usr/lib/security/pam_winbind.so try_first_pass debug
#
# Kerberized telnet service
#
ktelnet auth required   pam_unix_cred.so.1
ktelnet auth binding    pam_krb5.so.1
ktelnet auth required   pam_unix_auth.so.1
ktelnet auth sufficient /usr/lib/security/pam_winbind.so try_first_pass debug
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite  pam_authtok_get.so.1
ppp     auth required   pam_dhkeys.so.1
ppp     auth required   pam_unix_cred.so.1
ppp     auth required   pam_unix_auth.so.1
ppp     auth required   pam_dial_auth.so.1
ppp     auth sufficient /usr/lib/security/pam_winbind.so try_first_pass debug
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned
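
An added example, not part of the thread and not Samba or Solaris code: a simplified Python model of how the control flags in the login stack above are evaluated, showing why the "sufficient" pam_winbind.so entry has no effect at the bottom of the stack and takes effect once moved to the top. The helper evaluate() is hypothetical, and the per-module outcomes for a domain-only user (pam_unix_auth.so.1 fails, every other module succeeds) are assumptions; the "binding" flag is left out.

```python
# Simplified model of PAM stack evaluation (added example, not Solaris code).
# Covers requisite / required / sufficient / optional; "binding" is omitted.

KNOWN_FLAGS = ("requisite", "required", "sufficient", "optional")


def evaluate(stack, results):
    """Walk one service's auth stack in pam.conf order.

    stack   -- list of (control_flag, module) tuples
    results -- dict: module -> True (module succeeds) / False (module fails)
    Returns (authenticated, modules_called).
    """
    called = []
    required_failed = False  # a required failure is remembered to the end
    any_success = False
    for flag, module in stack:
        if flag not in KNOWN_FLAGS:
            raise ValueError("unsupported control flag: %s" % flag)
        ok = results[module]
        called.append(module)
        any_success = any_success or ok
        if flag == "requisite" and not ok:
            return False, called          # fail at once, stop the stack
        if flag == "required" and not ok:
            required_failed = True        # keep going, but the stack fails
        if flag == "sufficient" and ok and not required_failed:
            return True, called           # succeed at once, skip the rest
        # a failing sufficient or optional module is ignored
    return (any_success and not required_failed), called


WINBIND = "pam_winbind.so"  # /usr/lib/security/pam_winbind.so on the page

# "login" auth stack as posted: winbind is the last entry.
LOGIN_ORIGINAL = [
    ("requisite", "pam_authtok_get.so.1"),
    ("required", "pam_dhkeys.so.1"),
    ("required", "pam_unix_cred.so.1"),
    ("required", "pam_unix_auth.so.1"),
    ("required", "pam_dial_auth.so.1"),
    ("sufficient", WINBIND),
]

# Same stack after the fix described in the thread: winbind moved to the top.
LOGIN_FIXED = [LOGIN_ORIGINAL[-1]] + LOGIN_ORIGINAL[:-1]

# Constructed outcomes (assumptions): a user known only to the domain fails
# local UNIX authentication; a purely local user fails winbind authentication.
DOMAIN_USER = {module: True for _, module in LOGIN_ORIGINAL}
DOMAIN_USER["pam_unix_auth.so.1"] = False

LOCAL_USER = {module: True for _, module in LOGIN_ORIGINAL}
LOCAL_USER[WINBIND] = False


def report():
    """Return one (stack, user, authenticated, modules_called) row per case."""
    rows = []
    for stack_name, stack in (("original", LOGIN_ORIGINAL),
                              ("fixed", LOGIN_FIXED)):
        for user_name, res in (("domain user", DOMAIN_USER),
                               ("local user", LOCAL_USER)):
            ok, called = evaluate(stack, res)
            rows.append((stack_name, user_name, ok, called))
    return rows


if __name__ == "__main__":
    for stack_name, user_name, ok, called in report():
        print("%-8s %-11s -> %-5s after %d module(s)"
              % (stack_name, user_name, ok, len(called)))
```

With the module at the top, a successful winbind login returns before the remaining required modules of that service are called, which is worth checking when auditing what those modules enforce.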

RE: [Samba] winbind auth against ads not working via remote login-solaris 10.

2006-08-31 Thread Garrett, Joseph

#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required    pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite   pam_roles.so.1
other   account required    pam_unix_account.so.1
other   account sufficient  /usr/lib/security/pam_winbind.so try_first_pass debug
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required    pam_unix_session.so.1
other   session sufficient  /usr/lib/security/pam_winbind.so try_first_pass debug
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required   pam_dhkeys.so.1
other   password requisite  pam_authtok_get.so.1
other   password requisite  pam_authtok_check.so.1
other   password required   pam_authtok_store.so.1
other   password sufficient /usr/lib/security/pam_winbind.so try_first_pass use_authtok debug

#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the EXAMPLES section.
#



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Garrett, Joseph
Sent: Tuesday, August 29, 2006 2:56 PM
To: samba@lists.samba.org
Subject: [Samba] winbind auth against ads not working via remote login
-solaris 10.

I am attempting to use winbind for Telnet authentication but winbind pam
doesn't recognize ads realm or smb.conf workgroup..see error snapshot.
 
pdtsun03 is hostname of solaris 10 ADS domain member running samba
3.0.11. net ads join worked...net ads user returns all MYADSDOMAIN
users and samba shares work from both unix and NT side. 
 
one note..After make install, I had to manually copy compiled
nsswitch/pam_winbind.so file to /usr/lib/security. thanks for the help
 
samba configured args:
./configure --with-ads --with-winbind --with-krb5=/usr/local --with-pam
 
-
error snapshot:
 
[2006/08/29 14:31:49, 8] lib/util.c:is_myname(1810)
  is_myname(PDTSUN03) returns 1
[2006/08/29 14:31:49, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(259)
  Authentication for domain PDTSUN03 (local domain to this server) not
supported at this stage
[2006/08/29 14:31:49, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth(361)
  Plain-text authentication for user jgarrett returned
NT_STATUS_NO_SUCH_USER (PAM: 13)
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(524)

-
smb.conf
# Global parameters
[global]
workgroup = MYADSDOMAIN
server string = Samba Server pdtsun03
password server = MYPWDSERVER(s)
encrypt passwords = yes
log level = 10
log file = /usr/local/samba/var/log.%m
max log size = 50
dns proxy = No
guest account = visitor
 
realm = MYREALM.COM
security = ads
ldap ssl = no
idmap uid = 1-2
idmap gid = 1-2
 

[homes]
comment = Home Directories
read only = No
browseable = No
 
[tmp]
comment = Temporary file space
path = /tmp
read only = No

---
 
detail error - with debug level at 10:
 
[2006/08/29 14:31:49, 6] nsswitch/winbindd.c:new_connection(356)
  accepted socket 19
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:winbind_client_read(470)
  client_read: read 1824 bytes. Need 0 more for a full request.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:process_request(321)
  process_request: request fn INTERFACE_VERSION
[2006/08/29 14:31:49, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [19587]: request interface version
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(524)
  client_write: wrote 1300 bytes.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:winbind_client_read(470)
  client_read: read 1824 bytes. Need 0 more for a full request.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:process_request(321)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2006/08/29 14:31:49, 3]
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  [19587]: request location of privileged pipe
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(524)
  client_write: wrote 1300 bytes.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(569)
  client_write: need to write 47 extra data bytes.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(524)
  client_write: wrote 47 bytes.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(558)
  client_write: client_write: complete response written.
[2006/08/29 14:31:49, 6] nsswitch/winbindd.c:new_connection(356)
  accepted socket 20
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:winbind_client_read(470)
  client_read: read 1824 bytes. Need 0 more for a full request.
[2006/08/29 14:31:49, 10] nsswitch

[Samba] winbind auth against ads not working via remote login - solaris 10.

2006-08-30 Thread Garrett, Joseph
I am attempting to use winbind for Telnet authentication but winbind pam
doesn't recognize ads realm or smb.conf workgroup..see error snapshot.
 
pdtsun03 is hostname of solaris 10 ADS domain member running samba
3.0.11. net ads join worked...net ads user returns all MYADSDOMAIN
users and samba shares work from both unix and NT side. 
 
one note..After make install, I had to manually copy compiled
nsswitch/pam_winbind.so file to /usr/lib/security. thanks for the help
 
samba configured args:
./configure --with-ads --with-winbind --with-krb5=/usr/local --with-pam
 
-
error snapshot:
 
[2006/08/29 14:31:49, 8] lib/util.c:is_myname(1810)
  is_myname(PDTSUN03) returns 1
[2006/08/29 14:31:49, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(259)
  Authentication for domain PDTSUN03 (local domain to this server) not
supported at this stage
[2006/08/29 14:31:49, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth(361)
  Plain-text authentication for user jgarrett returned
NT_STATUS_NO_SUCH_USER (PAM: 13)
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(524)

-
smb.conf
# Global parameters
[global]
workgroup = MYADSDOMAIN
server string = Samba Server pdtsun03
password server = MYPWDSERVER(s)
encrypt passwords = yes
log level = 10
log file = /usr/local/samba/var/log.%m
max log size = 50
dns proxy = No
guest account = visitor
 
realm = MYREALM.COM
security = ads
ldap ssl = no
idmap uid = 1-2
idmap gid = 1-2
 

[homes]
comment = Home Directories
read only = No
browseable = No
 
[tmp]
comment = Temporary file space
path = /tmp
read only = No

---
 
detail error - with debug level at 10:
 
[2006/08/29 14:31:49, 6] nsswitch/winbindd.c:new_connection(356)
  accepted socket 19
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:winbind_client_read(470)
  client_read: read 1824 bytes. Need 0 more for a full request.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:process_request(321)
  process_request: request fn INTERFACE_VERSION
[2006/08/29 14:31:49, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [19587]: request interface version
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(524)
  client_write: wrote 1300 bytes.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:winbind_client_read(470)
  client_read: read 1824 bytes. Need 0 more for a full request.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:process_request(321)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2006/08/29 14:31:49, 3]
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  [19587]: request location of privileged pipe
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(524)
  client_write: wrote 1300 bytes.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(569)
  client_write: need to write 47 extra data bytes.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(524)
  client_write: wrote 47 bytes.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(558)
  client_write: client_write: complete response written.
[2006/08/29 14:31:49, 6] nsswitch/winbindd.c:new_connection(356)
  accepted socket 20
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:winbind_client_read(470)
  client_read: read 1824 bytes. Need 0 more for a full request.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:process_request(321)
  process_request: request fn PAM_AUTH
[2006/08/29 14:31:49, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(179)
  [19587]: pam auth jgarrett
[2006/08/29 14:31:49, 8] lib/util.c:is_myname(1810)
  is_myname(PDTSUN03) returns 1
[2006/08/29 14:31:49, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(259)
  Authentication for domain PDTSUN03 (local domain to this server) not
supported at this stage
[2006/08/29 14:31:49, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth(361)
  Plain-text authentication for user jgarrett returned
NT_STATUS_NO_SUCH_USER (PAM: 13)
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(524)
  client_write: wrote 1300 bytes.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:winbind_client_read(470)
  client_read: read 0 bytes. Need 1824 more for a full request.
[2006/08/29 14:31:49, 5] nsswitch/winbindd.c:winbind_client_read(477)
  read failed on sock 19, pid 19587: EOF
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:winbind_client_read(470)
  client_read: read 0 bytes. Need 1824 more for a full request.
[2006/08/29 14:31:49, 5] nsswitch/winbindd.c:winbind_client_read(477)
  read failed on sock 20, pid 19587: EOF



[Samba] Account Flag X -Password Never Expires Problem

2006-08-03 Thread Joseph Holtgrefe
I am currently running the latest build of samba-3.0.23a with a tdbsam
backend.  I have noticed for sometime now when I use pdbedit -c [X] username
it sets the Account Flag X for password never expires but does not modify
the Password must change for the user.  Therefore even though the account
flag is set the password still expires.  Any thoughts would be greatly
appreciated.



[Samba] Re: samba domain controller

2006-05-23 Thread Joseph
Hi Ivan,
I think the problem may be related to your allow and deny IP address range.

1, in the address range 192.168.1.0 subnet, I think it should use
192.168.1.0 in your config file. Try to change it to see if it can solve the
problem.

2, try to remove the deny address range and test if the problem is caused by
this line.

Hope this helps.

Joseph






[Samba] Performace problems

2006-05-04 Thread Joseph L. Marnett
I have Samba 2.2 running on SCO UNIX 5.0.7.
My Problem: The file transfer performance is slow and gets worse as more
users log in.
At times, if two users open the same file at the same time they may
hang.
The configuration of the smb.conf file is as follows.
Any help will be greatly appreciated.
Thanks

[global]

   workgroup = HOMECARE
   netbios name = NEWSYS
   server string = Samba Server
;   hosts allow = 192.168.1. 192.168.2. 127.
   printcap name = lpstat
   load printers = yes
   printing = sysv
   guest account = pcguest
   log file = /var/log/samba.d/log.%m
   max log size = 50
   security = share
   encrypt passwords = yes
   smb passwd file = /etc/smbpasswd
   socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=20480 SO_SNDBUF=20480
   read raw = no
   write raw = yes
   interfaces = net0
   os level = 20
   wins server = 64.89.70.2
   dns proxy = no
   debuglevel = 1


# Share Definitions
# ==
[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no

   guest ok = yes
   writable = no
   printable = yes


[guishare]
comment = development share
path = /hcrigui
public = yes
writable = yes
printable = no


[binshare]
comment = bin share
path = /usr/bin
public = yes
writable = yes
printable = no

[ushare]
comment = /u share
path = /u
public = yes
writable = yes
printable = no

[usrshare]
comment = /usr share
path = /usr
public = yes
writable = yes
printable = no

[ClientTracking]
comment = Share for the tracking system
path = /ClientTracking
public = yes
writable = yes
printable = no
oplocks = yes
level2 oplocks = yes


[techsheets]
comment = Tech Sheets
path = /usr/local/techsheet
public = yes
guest only = yes
writable = yes
printable = no

[Rolodex]
comment = Rolodex program to keep address
path = /usr/local/solodex
public = yes
guest only = yes
writable = yes
printable = no



Joseph L. Marnett
Director of MIS
Home Care Software Solutions, Inc.
9500 S. Dadeland Blvd.
Miami, FL 33156
Ph: 786.433.4700
Fax: 786.433.4711




[Samba] Samba appears to be slow

2006-04-27 Thread Joseph L. Marnett
I am fairly new to Samba. My set up is as follows: SCO UNIX 5.0.7 running
Samba 2.2

Problem:

I have a couple of Windows applications running on the above Samba server. I
have noticed that as more users log in and start using the applications, it
may take up to 15 seconds to display a listing containing about 3,000
records. The more records, the slower it gets; the more users, the slower it
gets.
Is there a way to resolve this issue?

Thanks for any help

Joseph L. Marnett
Director of MIS
Home Care Software Solutions, Inc.
9500 S. Dadeland Blvd.
Miami, FL 33156
Ph: 786.433.4700
Fax: 786.433.4711




Re: [Samba] BINGO - bug - 3.0.14, 3.0.21 intractable browsing problems

2006-01-31 Thread ANTHONY JOSEPH MESSINA
 Okay, folks -- we've found the cause of the problem.

 To recap: With our Samba server as the master browser, the domain window
 in My Network Places is totally empty, irrespective of what client we
 use (Windows 98, 2000, XP).

 When Samba is not the master browser (i.e., another workstation is
 acting as the master browser), hosts are visible.

 When Samba is the master browser, the browse.dat and wins.dat files are
 populated correctly with the hosts on the network.

 Our browse.dat and wins.dat files are stored in /var/cache/samba.

 The directory had permissions of 744. With the permission set as 744, no
 worky. With the permissions set at 755, tada -- suddenly it works. A
 whole host of problems are resolved. A permissions problem (what we
 initially suspected) but not one that was simple to divine. The browse
 connections are made by an unprivileged user, and with permissions of
 744, that user cannot enter the directory, even if the files are readable.

 This is the sort of problem that a perusal of the nmbd log should have
 made immediately obvious. If Samba can't read a vital file, shouldn't it
 be reporting that in the logs? We've reproduced the problem with the log
 level set at 9; though nmbd reports that the browse.dat file is being
 written to, it never says anything about being unable to read it or
 unable to enter the cache directory. If it had, we would have taken
 three minutes to fix this problem instead of three weeks.

 We didn't see an error to this effect in the session logs, either.

 Perhaps there's something misconfigured with our logging -- but it seems
 just as likely that Samba isn't reporting a failure to read the
 browse.dat and wins.dat files to the logs.

 -Stephen-

stephen, i'm glad you found the answer.  i'm afraid i wasn't much help at
all now.

-anthony
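
Added example, not part of the thread: a Python check for the condition described above, where a file is world-readable but a directory on the way to it lacks the search (execute) bit for the accessing user. The function names are hypothetical, the scratch tree is constructed, and only classic mode bits are evaluated (no ACLs assumed).

```python
import os
import stat
import tempfile


def unsearchable_dirs(path, uid, gids=()):
    """Return (directory, mode) pairs on the way to `path` that `uid` cannot enter.

    Assumption: only owner/group/other mode bits apply (no ACLs).
    """
    parents = []
    current = os.path.abspath(path)
    while True:
        parent = os.path.dirname(current)
        if parent == current:            # reached the filesystem root
            break
        parents.append(parent)
        current = parent

    blocked = []
    for directory in reversed(parents):  # root first, as a path lookup does
        if uid == 0:                     # root is not subject to the search bit
            continue
        st = os.stat(directory)
        if st.st_uid == uid:
            needed = stat.S_IXUSR
        elif st.st_gid in gids:
            needed = stat.S_IXGRP
        else:
            needed = stat.S_IXOTH
        if not st.st_mode & needed:
            blocked.append((directory, oct(stat.S_IMODE(st.st_mode))))
    return blocked


def demo():
    """Rebuild the 744 vs 755 case in a scratch directory (constructed data)."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)
    cache = os.path.join(base, "cache")
    os.mkdir(cache)
    data = os.path.join(cache, "browse.dat")
    with open(data, "w") as fh:
        fh.write("constructed sample\n")
    os.chmod(data, 0o644)                # the file itself is world-readable

    other_uid = os.getuid() + 1          # a uid that does not own the tree
    results = {}
    for mode in (0o744, 0o755):
        os.chmod(cache, mode)
        hits = [d for d, _ in unsearchable_dirs(data, other_uid)]
        results[oct(mode)] = cache in hits

    os.remove(data)
    os.rmdir(cache)
    os.rmdir(base)
    return results


if __name__ == "__main__":
    for mode, is_blocked in demo().items():
        print(mode, "blocks a non-owner" if is_blocked else "lets a non-owner in")
```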



Re: [Samba] Samba LDAP caching when LDAP server unavailable - possible?

2006-01-19 Thread ANTHONY JOSEPH MESSINA
i guess the real question here is what is your interest?  are you more 
interested in having the login functionality when the network link is 
down or are you more interested in toying with the notion of having 
samba run on a mini box?


i can certainly help you with the former if you wish.  i have set up an 
old linux box as a bdc at a remote location (my parent's house) to allow 
them all functionality of being in the domain even when their crappy dsl 
goes down and we lose the vpn link between us.  it works like a charm.


My Website: http://messinet.com
My Online Gallery: 
http://messinet.com/modules.php?name=Web_Linksl_op=visitlid=3



Michael Gasch wrote:

It's a solution for a small office.


this solution also applies to a small office :)

i know, you're looking for caching, but as long as there's no productive 
way with samba and caching (creds) you should go for a BDC


greez





Re: [Samba] Samba LDAP caching when LDAP server unavailable - possible?

2006-01-19 Thread ANTHONY JOSEPH MESSINA
ok, i'll go with you on this.  so this mini-router, does it have a hard 
drive or a place that it could dynamically write data, because it seems 
to me that samba will need to write data at will and for sure, ldap with 
syncrepl or any caching program will need to write new data that is not 
static to someplace.


what are the true capabilities of this router?

the cheapy routers that use firmware won't be able to dynamically write 
this data, would they?  any change to data would require a firmware 
upgrade.


also, how would you manage the router remotely?  ssh?  a web interface? 
 how would you alter any smb.conf settings?


i agree your router would be a cool thing, but you have very little 
admin functionality.  another option may be a refurb cheap computer with 
a cheap network card which would do the same thing, but give you total 
functionality.  this is what i did for the bdc at my parent's house.  i 
got a dell outlet refurb for $240, installed fc4 and away we went.


i do still like the idea though of a plug it in and it works system for 
stuff like this.


My Website: http://messinet.com
My Online Gallery: 
http://messinet.com/modules.php?name=Web_Linksl_op=visitlid=3



Tomasz Chmielewski wrote:

ANTHONY JOSEPH MESSINA wrote:

i guess the real question here is what is your interest?  are you more 
interested in having the login functionality when the network link is 
down or are you more interested in toying with the notion of having 
samba run on a mini box?



Of course, being able to login at all times is one of the most important 
factors.


Well, there are many factors; in the end I would like it to be a cheap 
and reliable domain controller for small offices:


- cost - this mini router (it even has wireless) + USB stick cost less 
than a PC

- it's small and compact
- stability - there is no fan, no hard disk, no moving parts that can break
- ease of (remote) management (when it's set up properly) - in case of 
any trouble, someone just turns the device off and on, it'll be up again 
in a matter of seconds

- it's fun to do something new :)





Re: [Samba] Samba LDAP caching when LDAP server unavailable - possible?

2006-01-18 Thread ANTHONY JOSEPH MESSINA
could you set up a small instance of an ldap server along with samba on 
this small box and have it act like a bdc?  you could set up openldap to 
do syncrepl and have a full copy of your samba domain stuff that's in 
ldap.  if the connection goes down, the ldap stuff is there and if you 
have it set up like a bdc, you can still login, etc.


just a thought, i'm fairly new at all this stuff.

-anthony


My Website: http://messinet.com
My Online Gallery: 
http://messinet.com/modules.php?name=Web_Linksl_op=visitlid=3



Tomasz Chmielewski wrote:

I've been using Samba with OpenLDAP with great success on normal servers.

Recently however, it appeared to us that for remote locations it is more 
economically viable to replace Samba servers with Samba running on 
little routers like ASUS WL-500g with openwrt firmware/software.
It has a broadcom/mipsel CPU, and thanks to openwrt 
(http://openwrt.org), it is possible to run lots of software on it.


Pretty nice for small offices - small, no fan, no hard disk etc. other 
moving parts (you can connect a USB stick to it if you want to store 
files/profiles).


There is one glitch however - no OpenLDAP port.

So a Samba domain controller running on these tiny routers would have to 
authenticate users against an external OpenLDAP server (probably 
in the company headquarters).


My experience shows that a company with several branches located 
throughout the city/country/world has connectivity problems from time 
to time (especially when there is no IT staff in the branches).


With no local LDAP server this would mean users not able to work (as 
they can't authenticate).


Is it possible to set up Samba to cache credentials retrieved from the 
LDAP, and when LDAP is unavailable, to use these cached credentials?






Re: [Samba] Bind to eth1 only problem

2005-11-03 Thread Joseph T. Duncan



top part of my smb.conf now looks like:

[global]
bind interfaces only = yes
interfaces = 176.16.0.1/23

and i get the following results (and lazy so here are my ip addresses ;p)

---
mpk:/etc/samba# nmap -sSU 128.193.161.23

Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2005-11-03 10:33 PST

Interesting ports on mpk.scf.oregonstate.edu (128.193.161.23):
(The 3141 ports scanned but not shown below are in state: closed)
PORT    STATE         SERVICE
22/tcp  open  ssh
68/udp  open|filtered dhcpclient
80/tcp  open  http
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
631/tcp open  ipp
631/udp open|filtered unknown

Nmap finished: 1 IP address (1 host up) scanned in 1.515 seconds
mpk:/etc/samba# nmap -sSU 172.16.0.1

Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2005-11-03 10:33 PST

Interesting ports on mpk.ts.scf.oregonstate.edu (172.16.0.1):
(The 3139 ports scanned but not shown below are in state: closed)
PORT    STATE         SERVICE
22/tcp  open  ssh
68/udp  open|filtered dhcpclient
80/tcp  open  http
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
631/tcp open  ipp
631/udp open|filtered unknown

Nmap finished: 1 IP address (1 host up) scanned in 1.519 seconds
-

as you can see samba is still binding netbios-ns and netbios-dgm to both 
interfaces(local loop back interface as well) :/ but not netbios-ssn or 
microsoft-ds


maybe i should grab a clean copy of the source and build it myself and see 
if i get better results. any other ideas?


_
Info:   Email:
Joseph T. Duncan  work: [EMAIL PROTECTED]
Student Computing Facilities  Home: [EMAIL PROTECTED]


Re: [Samba] Bind to eth1 only problem

2005-11-03 Thread Joseph T. Duncan


from the man page:
bind interfaces only (G)
--snip--
nmbd also binds to the all addresses interface (0.0.0.0) on ports 137 
and 138 for the purposes of reading broadcast messages.

--snip--

so i guess it's not a bug but expected behaviour...
kinda dumb, would expect to be able to bind it to a specific interface 
only. :/ as I don't care about broadcast messages on any other interfaces 
that may be present. I can see how it would be useful in some environments, 
but it's not right for all environments, and should have a method for 
stopping it from doing that without having to resort to some other method 
like iptables to stop the undesired behavior.



Info:   Email:
Joseph T. Duncan  work: [EMAIL PROTECTED]
Student Computing Facilities  Home: [EMAIL PROTECTED]
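
Added example, not part of the thread: a Python parser for nmap text output in the format pasted in this thread, listing NetBIOS/SMB ports that are not closed on addresses Samba was not meant to serve. The sample scan is constructed (192.0.2.10 stands in for the public address) and the function names are hypothetical.

```python
import re

# One row of nmap's port table, e.g. "137/udp open|filtered netbios-ns".
PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")
# Per-host header, with or without a resolved hostname in front of the address.
HOST_ROW = re.compile(r"^Interesting ports on (?:.*\()?([^\s()]+)\)?:$")

# nmbd uses 137/udp and 138/udp; smbd uses 139/tcp and 445/tcp.
SAMBA_PORTS = {(137, "udp"), (138, "udp"), (139, "tcp"), (445, "tcp")}

# Constructed sample in the same layout as the scans quoted in the thread.
SAMPLE = """\
Interesting ports on host.example (192.0.2.10):
(The 3141 ports scanned but not shown below are in state: closed)
PORT    STATE         SERVICE
22/tcp  open          ssh
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
631/tcp open          ipp

Interesting ports on 172.16.0.1:
(The 3139 ports scanned but not shown below are in state: closed)
PORT    STATE         SERVICE
22/tcp  open          ssh
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
139/tcp open          netbios-ssn
445/tcp open          microsoft-ds
"""


def parse_scan(text):
    """Return {address: {(port, proto): state}} from nmap's text output."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        host = HOST_ROW.match(line)
        if host:
            current = hosts.setdefault(host.group(1), {})
            continue
        row = PORT_ROW.match(line)
        if row and current is not None:
            current[(int(row.group(1)), row.group(2))] = row.group(3)
    return hosts


def samba_exposure(hosts, serving):
    """List Samba ports not reported closed on addresses outside `serving`.

    Each finding is (address, port, proto, state, confirmed); `confirmed` is
    True only for a plain "open", because "open|filtered" means the probe got
    no reply and nmap could not tell a listener from a dropped packet.
    """
    findings = []
    for address in sorted(hosts):
        if address in serving:
            continue
        ports = hosts[address]
        for key in sorted(SAMBA_PORTS.intersection(ports)):
            state = ports[key]
            if state == "closed":
                continue
            findings.append((address, key[0], key[1], state, state == "open"))
    return findings


if __name__ == "__main__":
    for finding in samba_exposure(parse_scan(SAMPLE), serving={"172.16.0.1"}):
        print(finding)
```

None of the findings for the sample are confirmed: the UDP rows are `open|filtered`, so a socket listing on the host itself is needed to tell whether nmbd is actually bound there.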


[Samba] Bind to eth1 only problem

2005-11-02 Thread Joseph T. Duncan

Hello,

I am trying to setup a samba server as a pdc bound to eth1 only (testing 
network). however I am still seeing samba bind to eth0. I am running a debian 
unstable box... any ideas? do you need anything more to go on? (see 
attachments)


I am starting smbd and nmbd up using a startup script out of 
/etc/init.d with the options:

--exec /usr/sbin/nmbd -- -s /etc/samba/smb.ts.conf -D;
--exec /usr/sbin/smbd -- -s /etc/samba/smb.ts.conf -D;

Linux version 2.6.13 ([EMAIL PROTECTED]) (gcc version 4.0.2 20050917 (prerelease) 
(Debian 4.0.1-8)) #1 SMP Fri Sep 23 12:45:10 PDT 2005


version.txt     version of samba
nmap.eth0.txt   nmap output of public network (the one smb should NOT bind to)
nmap.eth1.txt   nmap output of internal network (the one smb should bind to)
smb.ts.conf     my samba config
testperm.txt    output of testperm against my samba config

any help or ideas how to get this to bind only to eth1 would be great!

_
Info:   Email:
Joseph T. Duncan  work: [EMAIL PROTECTED]
Student Computing Facilities  Home: [EMAIL PROTECTED]

mpk:/etc/samba# smbd --version
Version 3.0.20b-Debian

mpk:/etc/samba# nmap -sSU external.ip.address

Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2005-11-02 15:38 PST
Interesting ports on hostname.external.foo.bar (external.ip.address):
(The 3141 ports scanned but not shown below are in state: closed)
PORT    STATE         SERVICE
22/tcp  open  ssh
68/udp  open|filtered dhcpclient
80/tcp  open  http
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
631/tcp open  ipp
631/udp open|filtered unknown

Nmap finished: 1 IP address (1 host up) scanned in 1.546 seconds
mpk:/etc/samba# nmap -sSU 172.16.0.1

Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2005-11-02 15:39 PST
Interesting ports on mpk.ts.testnetwork (172.16.0.1):
(The 3139 ports scanned but not shown below are in state: closed)
PORT    STATE         SERVICE
22/tcp  open  ssh
68/udp  open|filtered dhcpclient
80/tcp  open  http
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
631/tcp open  ipp
631/udp open|filtered unknown

Nmap finished: 1 IP address (1 host up) scanned in 1.564 seconds

## Bind to external interface only

interfaces = eth1
bind interfaces only = yes

[global]
   workgroup = TsNLB
   netbios name = MPK
   server string = %h dc (Samba %v)
   wins support = yes
   dns proxy = no
   name resolve order = host lmhosts wins bcast
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   encrypt passwords = true
   passdb backend = tdbsam guest
   obey pam restrictions = yes
   invalid users = root
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
   socket options = TCP_NODELAY
   domain master = yes
   domain logons = yes
   os level = 33
   idmap uid = 1-2
   idmap gid = 1-2
   add user script = /usr/sbin/useradd -m '%u'
   delete user script = /usr/sbin/userdel -r '%u'
   add group script = /usr/sbin/groupadd '%g'
   delete group script = /usr/sbin/groupdel '%g'
   add user to group script = /usr/sbin/usermod -G '%g' '%u'
   add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null '%u'

[homes]
   comment = Home Directories
   browseable = no
   writable = no
   create mask = 0700
   directory mask = 0700

[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   guest ok = yes
   writable = no
   share modes = no

[printers]
   comment = All Printers
   browseable = no
   path = /tmp
   printable = yes
   public = no
   writable = no
   create mode = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no


mpk:/etc/samba# testparm smb.ts.conf
Load smb config files from smb.ts.conf
Processing section [homes]
Processing section [netlogon]
Processing section [printers]
Processing section [print$]
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
workgroup = TSNLB
server string = %h dc (Samba %v)
interfaces = eth1
bind interfaces only = Yes
obey pam restrictions = Yes
passdb backend = tdbsam, guest
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
name resolve order = host lmhosts wins bcast
add user script = /usr/sbin/useradd -m '%u'
delete user script = /usr/sbin/userdel -r '%u'
add group script = /usr/sbin/groupadd '%g'
delete

[Samba] Where Can I get Samba for AIX 4.3.3

2005-09-26 Thread Joseph Madrinkian
Where can I go to download a binary for Samba AIX V4.3.3?

Notice: This transmission is for the sole use of the intended recipient(s) and 
may contain information that is confidential and/or privileged.  If you are not 
the intended recipient, please delete this transmission and any attachments and 
notify the sender by return email immediately.  Any unauthorized review, use, 
disclosure or distribution is prohibited.




[Samba] Samba Installation Error AIX 4.3

2005-09-26 Thread Joseph Madrinkian
I'm trying to install SAMBA on AIX 4.3.
When I run the SMIT INSTALL, the installation goes well but then I get an error 
message:
 
The installation has FAILED for the usr part
of the following filesets: freeware.samba-ads.rte 3.0.4.0

 
Does anyone have any idea what might be causing this error?
 
 



[Samba] Samba AIX libldap.a

2005-09-15 Thread Joseph Madrinkian
I just installed Samba 3.0.40 on AIX 5.1 and when I try to start SMBD I
get the error message 

 

Cannot load module libldap.a(libldap.so.2)

 

Does anyone know what I need to do?

 

Thanks





[Samba] AIX 5.1 Samba libiconv.so.2

2005-09-15 Thread Joseph Madrinkian
I try starting Samba but I get the error message 

 

Dependant Module /usr/local/lib/libiconv.a(libiconv.so.2) could not be
loaded.

Member libiconv.so.2 could not be found in the archive

 

I have the library file libiconv.a 

I tried doing an: ar a libiconv.a libiconv.so.2

 

The member libiconv.so.2 is not being added to the library file.

 

Any help would be appreciated.

 

Thanks





[Samba] Installing Samba on AIX V5.1

2005-09-14 Thread Joseph Madrinkian
I'm trying to install on an AIX box V5.1.

I downloaded the Samba version for 5.1 and ran the executable. But the
install fails.

I got the file from http://www.bullfreeware.com/

 

Does anyone have any idea why the install would fail?

 

Thanks

Joe

 

Joseph Madrinkian
Consultant, Professional Services - Speedware
Speedware
Division of Activant Solutions Inc.

6380 Cote de Liesse Rd., Suite 110

St. Laurent, Quebec

Canada H4T 1E3

T: 514.747.7007 ext. 8334

F: 514.747.3380
M: 514.249.9433
E-mail: [EMAIL PROTECTED]

Web site: www.speedware.com

 





[Samba] Installing Samba on AIX V5.1...More Info

2005-09-14 Thread Joseph Madrinkian
I'm trying to install on an AIX box V5.1.

 

I downloaded the Samba version for 5.1 and ran the executable. But the
install fails.

 

I got the file from http://www.bullfreeware.com/

The installation error message I get is

Installation failed for the user part

 

 

Does anyone have any idea why the install would fail?

 





[Samba] Installing Samba in SCO

2005-06-24 Thread Joseph L. Marnett
I have several SCO UNIX systems where I would like to install Samba. Some of 
these machines are running SCO 5.0.7 which comes with a Samba version 2.2, the 
other machines running SCO 5.0.6 do not have Samba.
I would like to upgrade the Samba to V.3 on the newer machines and to be able 
to install it on the older systems, but I am unable to find a download from 
Samba.org for SCO.
Could someone tell me which version of Samba I can download that is compatible 
with SCO 5.0.6 and 5.0.7?

Thanks

Joe


RE: [Samba] Windows 2003 AD users not found

2005-06-23 Thread Joseph Preston Schmigel (RIT Student)
I implemented the change to my smb.conf last night and it is now lunch time and 
I have yet to get any phone calls complaining about the server being inaccessible, which 
means the problem has been fixed.  Thank you very much.


-Original Message-
From: Kyle Johnson [mailto:[EMAIL PROTECTED]
Sent: Wed 6/22/2005 5:58 PM
To: Herb Lewis
Cc: Joseph Preston Schmigel (RIT Student); samba@lists.samba.org
Subject: Re: [Samba] Windows 2003 AD users not found
 
Herb Lewis wrote:

 try setting the following in your smb.conf file - it made
 wbinfo behave for me

 client schannel = No

 Kyle Johnson wrote:

 Joseph Preston Schmigel (RIT Student) wrote:

 I recently changed from Windows 2000 native active directory mode to
 Windows 2003  active directory mode.  When I did that, users could no
 longer connect to any of the Samba shares.  They were prompted for a
 username and password.  The following error was logged in the winbind
 log:

 [2005/06/22 14:38:46, 1]
 nsswitch/winbindd_user.c:winbindd_getpwnam(161)
  user 'John' does not exist

 The user John does exist in the active directory.  I ran getent passwd
 to see if the user John was listed and indeed he was.  I then tried
 accessing the share again and it worked fine.  A little bit later, it
 stopped working again.  I found out that by running getent passwd,
 shares are accessible for a short period of time but then the users
 are not found again by Samba until I run getent passwd again.

 Version Info:
 krb5: 1.2.7
 samba: 3.0.9

 smb.conf:
 [global]
workgroup = 40SERVER1
realm = ascad.insideasc.com
password server = bethe.ascad.insideasc.com
server string =
security = ADS
encrypt passwords = yes
log file = /var/log/samba/%m.log
dns proxy = no
wins server = 10.0.0.53 10.0.0.62
idmap uid = 1-2
idmap gid = 1-2
winbind separator = #
 #shares...

 I appreciate any help.  Thank you.


  

 I have the same problem. I have a Windows 2003 ADS as well.  I run 
 getent passwd every minute from a cron job.  It works OK .

 RHEL 4 ES  64bit
 samba 3.0.10-1.4E
 krb5 1.3.4-12


 Kyle
 .


I made the change and restarted Samba and Winbind.  I have not had a 
problem since. 

Thanks for the help

Kyle




[Samba] Samba AIX Installation

2005-06-22 Thread Joseph Madrinkian
I installed Samba 3.04 on AIX v5.3 but there is only one directory that
has some readme files in it.
 
I can't find the smb.conf file. I am new at AIX so I don't know if I did
something wrong.
 
Can anyone help?
 
Thanks
 
 




[Samba] AIX Samba libldap

2005-06-22 Thread Joseph Madrinkian
I just installed Samba and when I try to start the smbd I get an error
message 
Cannot load module libldap.alibldap.so.2
 
Is there anything else I need to install on top of Samba like openldap
and openssl?
 
Thanks
 
 




RE: [Samba] AIX Samba libldap

2005-06-22 Thread Joseph Madrinkian
 What directory does the libldap.a have to be in for smbd to run?

I get an error message when starting the service that this file does
not exist



[Samba] Samba AIX

2005-06-22 Thread Joseph Madrinkian
Where can I get a version of SAMBA for AIX V5.3
 
An installation that does not need LDAP
 
Thanks
 
 
 




[Samba] Windows 2003 AD users not found

2005-06-22 Thread Joseph Preston Schmigel (RIT Student)
I recently changed from Windows 2000 native active directory mode to
Windows 2003  active directory mode.  When I did that, users could no
longer connect to any of the Samba shares.  They were prompted for a
username and password.  The following error was logged in the winbind
log:

[2005/06/22 14:38:46, 1]
nsswitch/winbindd_user.c:winbindd_getpwnam(161)
  user 'John' does not exist

The user John does exist in the active directory.  I ran getent passwd
to see if the user John was listed and indeed he was.  I then tried
accessing the share again and it worked fine.  A little bit later, it
stopped working again.  I found out that by running getent passwd,
shares are accessible for a short period of time but then the users
are not found again by Samba until I run getent passwd again.

Version Info:
krb5: 1.2.7
samba: 3.0.9

smb.conf:
[global]
workgroup = 40SERVER1
realm = ascad.insideasc.com
password server = bethe.ascad.insideasc.com
server string =
security = ADS
encrypt passwords = yes
log file = /var/log/samba/%m.log
dns proxy = no
wins server = 10.0.0.53 10.0.0.62
idmap uid = 1-2
idmap gid = 1-2
winbind separator = #
#shares...

I appreciate any help.  Thank you.




[Samba] Fedora

2005-06-08 Thread Joseph Madrinkian
When installing version 3 of Samba on Fedora it tells me I need the library 
liblber-2.2.so.7

Is this the OpenLDAP libraries? And if it is what version and from where can I 
get this for Fedora?





RE: [Samba] liblber.sl.2 For HP-UX 11

2005-06-06 Thread Joseph Madrinkian
Hi Eric,

Thanks for the info. But when I downloaded the openLDAP from HP I can't 
install because the install tells me the depot is not compatible with the 
target.

Any other suggestions?

This is the version I have B.11.00 U 9000/801 2015944574

Thanks
Joe

-Original Message-
From: eric roseme [mailto:[EMAIL PROTECTED]
Sent: Friday, June 03, 2005 5:02 PM
To: Joseph Madrinkian
Cc: samba@lists.samba.org
Subject: Re: [Samba] liblber.sl.2 For HP-UX 11


Are you pulling the pre-compiled binaries from:

http://us1.samba.org/samba/ftp/Binary_Packages/hp/samba-3.0.14a/ ?

The 11.0 depot works for 11i too.  The README says to install OpenLDAP 
and OpenSSL from http://hpux.cs.utah.edu.  However, you can download 
OpenLDAP for free off the HP Internet Express site at:

https://payment.ecommerce.hp.com/portal/swdepot/try.do?productNumber=HPUXIEXP

You need OpenSSL too:

https://payment.ecommerce.hp.com/portal/swdepot/try.do?productNumber=OPENSSL11I

I have written a new README that describes the link changes you need if 
you have had HP CIFS Server installed previously, but it is not posted 
to the site yet.  Let me know if you need those instructions.

In any case, the libraries will be there if you install OpenLDAP and 
OpenSSL from the HP site.

Eric Roseme
Hewlett-Packard

Joseph Madrinkian wrote:

 Hello All,
 
   When I try to start SAMBA I get an error message saying I'm missing the 
 liblber.sl.2
   It says that if I download the libraries for OPENLDAP, this library 
 should be included. But it does not get installed and I cannot find it 
 anywhere.
 
   Does anyone have any suggestions. 
 
   I'm on a HP-UX11 box.
 
 Thanks
 
 
 
 
 





[Samba] liblber.sl.2 For HP-UX 11

2005-06-03 Thread Joseph Madrinkian
Hello All,

When I try to start SAMBA I get an error message saying I'm missing the 
liblber.sl.2
It says that if I download the libraries for OPENLDAP, this library 
should be included. But it does not get installed and I cannot find it anywhere.

Does anyone have any suggestions. 

I'm on a HP-UX11 box.

Thanks




Re: [Samba] Career Opportunity

2005-05-25 Thread John Joseph Bachir
wow, that's amazing that you found me i am a network administrator
and video producer happily living in north carolina, how did you know
that i DREAM of doing QA in CHICAGO??? i wonder if i will be lucky
enough to be selected as an interviewee from your small batch of
carefully hand-picked highly qualified folks who you emailed.

(apologies to the rest of the samba list for cluttering up your
inboxes, but i couldn't resist)

john


On 5/25/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 I saw your information on the internet and I have multiple opportunities 
 available for QA Analysts.  The opportunities are available in the Chicago 
 area.  A description of the opportunities can be viewed at 
 www.parallelpartners.com.   If you or someone you know is interested, please 
 email me a copy of your resume.
 
 
 Thank you
 
 Raul Garcia
 Administrative Manager
 Parallel Partners
 20 N. Wacker Drive, Suite 770
 Chicago, IL  60606
 312-251-1865phone
 312-251-1868fax
 [EMAIL PROTECTED] email
 
 


[Samba] client mysteriously restricted to read-only

2005-05-20 Thread John Joseph Bachir
We have a linux samba server running 3.014a. A windows xp machine
sometimes experiences a state where it can only read the shares, and
not write to them. This happens at seemingly arbitrary times. The
machine will go for days at a time functioning normally, and then
suddenly is only allowed read access. Furthermore, there is no
consistent solution. Even a full reboot of both the Samba machine and
the windows machine sometimes does not allow write access.

Below is the output of testparm, and attached is the configuration
file. Any ideas would be greatly appreciated.

Thanks,
John



Load smb config files from /usr/lib/smb.conf
Processing section [clp]
Processing section [managers]
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

# Global parameters
[global]
workgroup = CLPMAIN
server string = samba server
log file = /var/log/samba/%m.log
max log size = 50
keepalive = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
dns proxy = No
hosts allow = 192.168.1., 192.168.2., 127.
hide files = /._*/.DS_Store/
veto oplock files = /*.xls/

[clp]
comment = CLP Home
path = /home/clpmain
valid users = clp, managers
read only = No
guest ok = Yes

[managers]
comment = CLP Managers
path = /home/managers
valid users = managers
read only = No

[Samba] Can SAMBA be useful for me ?

2005-03-12 Thread Pareti, Joseph
I am planning to set up a small compute farm consisting of x86 notebooks
on a switched ethernet lan. These only have one nic and limited disk, so
that I need to import a data partition from an external file server. For
this purpose I'd like to use a w98 PC that has access to internet over
dsl. I envisage
connecting all machines to the ethernet switch using 10/100 links. The
ip addresses would be (i) the DHCP-assigned address for the w98 machine,
and (ii) local addresses for the linux machines, such as 10.0.0.*

Can I use SAMBA to turn the w98 box into a file-server and use the linux
notebooks as SAMBA-clients? Any links to good how-to sites, cookbooks
and the like would be greatly appreciated.

Thanks,
Joseph


[Samba] Re: Printing only works sometimes

2005-02-25 Thread Joseph Carri
Tks Guys,

I shall do some digging.  I already have the chaps at SCO scratching 
themselves bald.  So hopefully I shall get things going some day.

Meanwhile I shall try out all your suggestions and see what happens.

Rgds

Joe Carri



[Samba] Re: Printing only works sometimes

2005-02-24 Thread Joseph Carri
Jeremy Allison jra at samba.org writes:

 The problem seems to be with the lp subsystem on the SCO
 OpenServer box. Probably the reason you're not getting much
 help is due to the fact you're running on an *extremely*
 (to say the least) unpopular platform.
 
 I have a feeling people may be much more willing to help
 if you were running on any other system than SCO.
 
 SCO have not gone out of their way to make themselves
 popular with the Free Software/Open Source communities
 due to their legal activities.
 
 Would it be possible to migrate your applications onto
 a Linux variant instead ? They are known to be much
 better integrated with Samba into a Windows printing
 network (it works out of the box on my Red Hat Fedora
 test machines).
 
 Cheers,
 
   Jeremy.


Hi,


Thanks for the suggestion Jeremy, I do understand that SCO is no longer 
popular, specially now that there's a very satisfactory alternative in the 
various forms of Linux. However, I'm afraid that that's impossible.  You see 
the two UNIX machines are what the entire firm's MIS system runs on.  The MIS 
system has been implemented and has grown and accreted over the years (since 
1994) and is now a real behemoth.  To port it to another OS will be a major 
job.

In fact the reason I need to get the printing operational is for printing MIS 
reports and other documents at the outlying locations.

Could you give me an idea of what lp could do wrong to cause samba to time 
out.  I'm pretty sure I could fool around with lp and get it to behave.  The 
SCO lp is a very stable and reliable animal, and I've never had problems with 
it over the years, but there's always a first time ...

Rgds,

Joe Carri




[Samba] Printing only works sometimes

2005-02-23 Thread Joseph Carri
I posted the message below, on the
gmane.network.samba.general newsgroup some days ago,
and haven't got any replies yet.  If anyone has any
suggestions as to what can be done, please let me
know.

I have been trying to use Samba 2.2.6 to print from
two SCO Openserver 5.0.7 servers (VDOHOM & VDOHOM2, IP
addresses 192.168.1.121 & 192.168.1.122) on a WAN
consisting of networks 192.168.1.0, 192.168.11.0 &
192.168.21.0, interconnected by ISDN leased lines
using CISCO 805 routers.  The WAN has been up and
running for months and there are no communications
problems. Users have been running various Oracle
applications on Win2K servers, connecting to the
internet through another Win2k server and a firewall,
and connecting to the Unix servers with Telnet.

I installed and configured Samba to print to printers
attached to the WIN 2003 Servers JUMBOSRV1 & MSTSVR on
192.168.11.200 & 192.168.21.200 respectively, using
smbprint.sysv.  All Samba parameters are at default
value. The WIN 2000 Server (W2k-SVR, 192.168.1.1) is
the PDC & WINS Server for the entire domain,
consisting of all three LANS.  Printing from any
Windows workstation to any of the printers functions
correctly.

I have created a user called samba on the two
Openserver machines as well as on the Windows Domain. 
The user was added with useradd & smbpasswd.  I
do not have any problem accessing or browsing test
shares on the UNIX machines.

I am currently trying to set up the printing from the
UNIX servers to the WIN 2003 Server jumbosvr1.  I
intend to set up a similar print facility on mstsvr
after this.

My problem is this.  Some of the time, I can print
from either Unix server without any problems at all. 
However, about half the time, lpstat claims the
document has been printed, but nothing in fact is
printed.  The Win 2003 servers do not show any queued
documents.

When a document prints correctly the arguments (passed
by lp -d jumbo -ob filename) to smbprint.sysv
(redirected to a log file) are:

Arguments = jumbo-3 root  1  b
/SPARE/APPLICATION/LOCATIONS/invt/mkt/x 

And the smbclient message (I have redirected output to
a log file) is:

added interface ip=192.168.1.122 bcast=192.168.1.255
nmask=255.255.255.0
Domain=[DOMAIN] OS=[Windows Server 2003 3790]
Server=[Windows Server 2003 5.2]
smb: \ CR/LF-LF and print text translation now on
smb: \ putting file - as stdin-27268 (14.1 kb/s)
(average 14.1 kb/s)


When a document fails to print, the
arguments passed to smbprint.sysv are:

Arguments = jumbo-38110 root  1  b
/SPARE/APPLICATION/LOCATIONS/invt/mkt/1S20050213455463

Output from smbclient:

added interface ip=192.168.1.122 bcast=192.168.1.255
nmask=255.255.255.0
session setup failed: Call timed out: server did not
respond after 2 milliseconds

My reasoning so far is this:

1.  Since I can print half the time, there is nothing
wrong with the networking or name resolution.

2.  Since I can print some of the time SMB printing is
set up correctly.

3.  Would it help if I increase the timeout period for
setting up NETBIOS Sessions, how can I do this?


What could cause the session setup to fail sometimes? 
Can you suggest possible causes and remedies please? 
Will my increasing the time out period help? Please
post any replies to the above newsgroup, or send them
to me at this address.

Tks & Rgds,

Joseph Carri
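
The failing case quoted in the message above leaves a recognizable line in the smbclient log, so an interface script can detect it and resubmit instead of letting lp report the job as done. The following is an added example, not part of the original post or of Samba's smbprint.sysv; the function names, the retry policy and the `fake_smbclient` stand-in are assumptions, and the sample output lines are the ones quoted in the message.

```shell
#!/bin/sh
# Added example, not part of smbprint.sysv. Function names, retry count and
# delay are assumptions; the sample smbclient output is copied from the post.
# mktemp is assumed to be available on the host.

# classify_smbclient_log FILE -> prints printed | session_failed | unknown
classify_smbclient_log() {
    if grep -q 'session setup failed' "$1"; then
        echo session_failed
    elif grep -q 'putting file' "$1"; then
        echo printed
    else
        echo unknown
    fi
}

# submit_with_retry MAX_TRIES DELAY_SECONDS LOGFILE COMMAND [ARGS...]
# Reads the print job from stdin, replays it to COMMAND on every attempt and
# returns 0 only when the log shows the file was actually sent.
submit_with_retry() {
    max_tries=$1
    delay=$2
    logfile=$3
    shift 3
    spool=$(mktemp) || return 2
    attempt_log=$(mktemp) || { rm -f "$spool"; return 2; }
    cat > "$spool"      # stdin can be read only once; keep a copy for retries
    try=1
    status=1
    while [ "$try" -le "$max_tries" ]; do
        "$@" < "$spool" > "$attempt_log" 2>&1 || true
        outcome=$(classify_smbclient_log "$attempt_log")
        { echo "attempt $try: $outcome"; cat "$attempt_log"; } >> "$logfile"
        if [ "$outcome" = printed ]; then
            status=0
            break
        fi
        try=$((try + 1))
        if [ "$try" -le "$max_tries" ]; then
            sleep "$delay"
        fi
    done
    rm -f "$spool" "$attempt_log"
    return "$status"
}

# --- constructed stand-in for smbclient, for offline runs only ---
# fake_smbclient COUNTER_FILE FAILS_BEFORE_SUCCESS
fake_smbclient() {
    cat > /dev/null     # consume the job like the real client would
    n=$(cat "$1" 2>/dev/null || echo 0)
    n=$((n + 1))
    echo "$n" > "$1"
    echo 'added interface ip=192.168.1.122 bcast=192.168.1.255 nmask=255.255.255.0'
    if [ "$n" -le "$2" ]; then
        echo 'session setup failed: Call timed out: server did not respond after 2 milliseconds'
        return 1
    fi
    printf '%s\n' 'smb: \ putting file - as stdin-27268 (14.1 kb/s) (average 14.1 kb/s)'
}

# demo_job FAILS TRIES -> echoes "<exit status> <attempts logged>"
demo_job() {
    dir=$(mktemp -d) || return 2
    rc=0
    echo 'constructed report text' |
        submit_with_retry "$2" 0 "$dir/print.log" fake_smbclient "$dir/count" "$1" || rc=$?
    attempts=$(grep -c '^attempt ' "$dir/print.log")
    rm -rf "$dir"
    echo "$rc $attempts"
}

if [ "${1:-}" = demo ]; then
    demo_job 1 3    # one timeout, then success
    demo_job 5 3    # server never answers within three tries
fi
```

In a real interface script the command passed to `submit_with_retry` would be the smbclient invocation the script already uses, and the non-zero return would be propagated as the script's exit status.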





[Samba] How Can I Increase Session Setup Timeout Period - Help!!

2005-02-21 Thread Joseph Carri
I posted the message below, some time ago, and haven't got any suggestions 
yet.  I would be most grateful if anyone could tell me how I can increase the 
timeout period for setting up NETBIOS Sessions for smbclient, as this would 
perhaps solve the problem. By the way, there is no problem when printing from 
any Windows machine.

PREVIOUS MESSAGE FOLLOWS

I have been trying to use Samba 2.2.6 to permit printing from two SCO 
Openserver 5.0.7 servers (VDOHOM & VDOHOM2) on the WAN consisting of networks 
192.168.1.0, 192.168.11.0 & 192.168.21.0, interconnected by ISDN leased lines 
using CISCO 805 routers.  The network has been up and running for months and 
there are no communications problems. Users have been running various Oracle 
applications on Win2K servers, connecting to the internet through another 
Win2k server and a firewall, and connecting to the Unix servers with Telnet.

I installed and configured Samba to print to printers attached to the WIN 2003 
Servers JUMBOSRV1 & MSTSVR on 192.168.11.200 & 192.168.21.200 respectively, 
using smbprint.sysv.  All Samba parameters are at default value. The WIN 2000 
Server (W2k-SVR, 192.168.1.1) is the PDC & WINS Server for the entire domain, 
consisting of all three LANS.  Printing from any Windows workstation to any of 
the printers functions correctly.

I have created a user called samba on the two Openserver machines as well as 
on the Windows Domain.  The user was added with useradd & smbpasswd.  I 
do not have any problem accessing or browsing test shares on the UNIX machines.

I am currently trying to set up the printing from the UNIX servers to the WIN 
2003 Server jumbosvr1.  I intend to set up a similar print facility on mstsvr 
after this.

My problem is this.  Some of the time, I can print from either Unix server 
without any problems at all.  However, about half the time, lpstat claims the 
document has been printed, but nothing in fact is printed.  The Win 2003 
servers do not show any queued documents.

When a document prints correctly the arguments (passed by lp -d jumbo -ob 
filename) to smbprint.sysv (redirected to a log file) are:

Arguments = jumbo-3 root  1  b /SPARE/APPLICATION/LOCATIONS/invt/mkt/x 

And the smbclient message (I have redirected output to a log file) is:

added interface ip=192.168.1.122 bcast=192.168.1.255 nmask=255.255.255.0
Domain=[DOMAIN] OS=[Windows Server 2003 3790] Server=[Windows Server 2003 5.2]
smb: \ CR/LF-LF and print text translation now on
smb: \ putting file - as stdin-27268 (14.1 kb/s) (average 14.1 kb/s)


When a document fails to print, the arguments passed to 
smbprint.sysv are:

Arguments = jumbo-38110 root  1  
b /SPARE/APPLICATION/LOCATIONS/invt/mkt/1S20050213455463

Output from smbclient:

added interface ip=192.168.1.122 bcast=192.168.1.255 nmask=255.255.255.0
session setup failed: Call timed out: server did not respond after 2 
milliseconds

My reasoning so far is this:

1.  Since I can print half the time, there is nothing wrong with the 
networking or name resolution.

2.  Since I can print some of the time SMB printing is set up correctly.

What could cause the session setup to fail sometimes?  Can you suggest 
possible causes and remedies please?  Will my increasing the time out period 
help? How can I do this?

Tks & Rgds,

Joseph Carri



[Samba] Unreliable Printing -- Samba To Win 2003 Printer

2005-02-20 Thread Joseph Carri
Hi,

I have installed Samba 2.2.6 on a SCO Openserver 5.0.7 System connected in a 
WAN.  The WAN includes three networks (192.168.1.0, 192.68.11.0, & 
192.168.21.0) connected by ISDN leased lines and CISCO 805 routers.  I have no 
problem with the network, and all Windows users as well as (telnet) UNIX users 
have been using the setup for several months.

I need to print from the UNIX machine on 192.168.1.0 to a printer connected to 
a W2003 server on 192.168.11.0  I have set up Samba with smbprint.sysv and 
have none of the usual problems.  

The hassle I have run into is this.  When I give a print from the UNIX 
machine, some of the time it prints fine on the target printer.  Sometimes, 
however, nothing gets printed, and the target machine's spooler does not even 
get the print file.
***
When a document prints correctly the arguments (passed by lp -d jumbo -ob 
filename) to smbprint.sysv are:

Arguments = jumbo-3 root  1  b /SPARE/APPLICATION/LOCATIONS/invt/mkt/x 

And the smbclient message (I have redirected output to a log file) is:

added interface ip=192.168.1.122 bcast=192.168.1.255 nmask=255.255.255.0
Domain=[DOMAIN] OS=[Windows Server 2003 3790] Server=[Windows Server 2003 5.2]
smb: \ CR/LF-LF and print text translation now on
smb: \ putting file - as stdin-27268 (14.1 kb/s) (average 14.1 kb/s)


When a document fails to print, the arguments passed to 
smbprint.sysv are:

Arguments = jumbo-38110 root  1  
b /SPARE/APPLICATION/LOCATIONS/invt/mkt/1S20050213455463

Output from smbclient:

added interface ip=192.168.1.122 bcast=192.168.1.255 nmask=255.255.255.0
session setup failed: Call timed out: server did not respond after 2 
milliseconds
*
My reasoning so far is this:

1.  Since I can print half the time, there is nothing wrong with the 
networking or name resolution.

2.  Since I can print some of the time SMB printing is set up correctly.

What could cause the session setup to fail intermittently?  Can anyone suggest 
possible causes and remedies please?

Rgds,

Joseph Carri



RE: [Samba] Compiling samba on Solaris 8 --with-ads

2004-12-15 Thread Joseph . Gaude
You need v1.3.4 of MIT Kerberos compiled from source.

I've done about 5 installs on Solaris 8 with ADS support and it works fine.

I used:
MIT Kerberos 1.3.4
OpenSSL 0.9.7d
OpenLdap 2.2.14
Samba 3.0.7
all compiled from source. Do not use the Sunfreeware supplied packages as
the libraries will not work.

Also,
installed ncurses, popt, libiconv from Sunfreeware.

...Joe


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 On Behalf
 Of Imed Ben Aleya
 Sent: Wednesday, December 15, 2004 11:48 AM
 To: [EMAIL PROTECTED]
 Subject: [Samba] Compiling samba on Solaris 8 --with-ads
 
 
 Hello,
 
 I'm trying to Compile Samba with ADS support on Solaris 8. I 
 have installed
 without any problems:
 
 /opt/cifs/bdb - .bdb-4.2.52
 /opt/cifs/heimdal - .heimdal-0.6.3
 /opt/cifs/openldap - .openldap-2.1.25
 /opt/cifs/openssl - .openssl-0.9.7e
 /opt/cifs/samba - .samba-3.0.9
 
 and I'm configuring samba with:
 
 LDFLAGS=-L/opt/cifs/openldap/lib -L/opt/cifs/heimdal/lib
 export LDFLAGS
 CPPFLAGS=-I/opt/cifs/openldap/include -I/opt/cifs/heimdal/include
 export CPPFLAGS
 ./configure \
 --prefix=/opt/cifs/.samba-3.0.9 \
 --with-krb5=/opt/cifs/heimdal \
 --with-ads
 
 but I'm getting the following error message from the configure script:
 
 ...
 checking for krb5_c_enctype_compare... no
 checking for krb5_enctypes_compatible_keys... no
 checking for krb5_encrypt_block type... no
 checking for addrtype in krb5_address... no
 checking for addr_type in krb5_address... yes
 checking for enc_part2 in krb5_ticket... no
 checking for keyblock in krb5_creds... no
 checking for session in krb5_creds... yes
 checking for keyvalue in krb5_keyblock... yes
 checking for ENCTYPE_ARCFOUR_HMAC_MD5... yes
 checking for KEYTYPE_ARCFOUR_56... yes
 checking for AP_OPTS_USE_SUBKEY... yes
 checking for KV5M_KEYTAB... no
 checking for the krb5_princ_component macro... no
 checking for key in krb5_keytab_entry... no
 checking for keyblock in krb5_keytab_entry... yes
 configure: error: libkrb5 is needed for Active Directory support
 
 Can anyone help?
 
 Thanks in Advance!
 Imed
 


[Samba] A couple of questions.

2004-11-02 Thread Joseph . Gaude
Hello Samba Folks,
Two things.

1. With winbind, is there a way to specify more than one type of shell with
the template shell directive? I'm thinking of doing common logins between
Solaris and Active Directory, but, my users use various shells. Tcsh, csh,
bash, ksh. I'd like to be able to specify shells based on userid if I could.

2. Organizational Units. When I first joined my Solaris Samba servers to our
AD structure, I used a specific OU. The AD supporters (3rd party company)
tell me this OU will change in the near future. Will I have to re-join my
servers when this happens? Will communications between Samba and AD stop
when they change the OU structure? I would test this but I don't have the
environment to test with. 

Thanks!

...Joe


Joseph A. Gaude'
Systems Engineer - CSM
General Dynamics
Advanced Information Systems IES


[Samba] Can't view Windows shares

2004-10-21 Thread Joseph Earl
All,

I can view the Samba shares on any Windows system.  I can not view Windows
files on my Linux system.  Below is my config file.

Thanks in advance,
Jearl



# Global parameters
[global]
workgroup = DLSMIS
server string = Joe's Place
password server = None
username map = /etc/samba/smbusers
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
os level = 65
preferred master = No
domain master = No
dns proxy = No
wins server = 180.0.70.41
ldap ssl = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
valid users = jearl, @jearl
write list = jearl, @jearl
read only = No

[homes]
comment = Home Directories
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

[jearl]
path = /home/jearl



Re: [Samba] Accessing Samba shared files causes Windows programs to lock up.

2004-09-25 Thread Joseph Healy
On Sat, Sep 25, 2004 at 01:43:37PM +0100, BigglesZX wrote:

 What would you recommend I do to solve this problem? Is the problem
 recognized, or could it just be an isolated case (i.e. just me)?

I don't think it is an isolated case, I seem to be seeing the same thing
here, but I haven't had a chance to isolate the problem. (I made a number
of changes to the network between apt-get upgrading and noticing)

Based on having the same packages in common and it starting after you
upgraded, my guess is it is with the debian packages. Might be worth
trying some of the debian mailing lists as well.

Joe



Re: [Samba] Accessing Samba shared files causes Windows programs to lock up.

2004-09-25 Thread Joseph Healy
On Sat, Sep 25, 2004 at 01:43:37PM +0100, BigglesZX wrote:
 Hi all, 
 
 Now, the problem:
 
 I'm having some freeze/lockup issues in Windows Explorer when trying
 to access files on Samba shares, but only since I upgraded Samba this
 morning (with an `apt-get dist-upgrade').
 Before I upgraded I was using a ~3-month old version which worked
 fine. Now when any of my Windows applications try to access Samba
 shared files, they stop responding, and have to be killed. I have
 heard this is also happening with XP.
 
 What would you recommend I do to solve this problem? Is the problem
 recognized, or could it just be an isolated case (i.e. just me)?

you could try putting:

use sendfile = no

into the global section. This seems to have fixed it for me.

See http://lists.debian.org/debian-user/2004/09/msg01016.html for more
info.

Hope this helps,


Joe


[Samba] Winbind uid/gid issue.

2004-09-13 Thread Joseph . Gaude
Hello All,
I've got Samba 3.0.4 running under Solaris 8 with AD support/Winbind... One
issue I'm having that I need to fix is, all the files on the Solaris box are
owned by uid's and gid's from my nis files... Now that winbind is running,
when a user modifies a file, it is now owned by DOMAIN+AD-USERID and the
same for the group... Then a lot of other people can't access those files.
I'd like to have the files owned by the UNIX uid/gid and not the AD
uid/gid. Can I do this?

I'd do something with the AD groups but unfortunately, I don't have any
control or influence on the AD admin side of things.

I haven't pored through the docs yet because I need to get this resolved
fast...

Thanks!

...Joe


[Samba] kinit username@REALM

2004-09-03 Thread Joseph
Hello list:

Do I need to do the command kinit [EMAIL PROTECTED] every single time I
boot up my system?

Also, why does the kinit username not accept the winbind separator
+?  For example:  kinit [EMAIL PROTECTED] instead of just
[EMAIL PROTECTED].

I have my system setup to login via gdm with my domain user account
(which uses the winbind separator domain+user), so why can't kinit
login at that time?  This would make it seamless, instead of having to
open a command line each time the system boots and manually running the
kinit command.

Thanks.



[Samba] Username mapping.

2004-08-16 Thread Joseph . Gaude
Hello Everyone,
I've got Samba 3.0.4 running under Solaris 8 with ADS support... Doing the
authentication on the ADS server works, access to the defined shares work...
What doesn't work is my username mapping.

My Unix usernames are in the form of gaudej and our AD names are in the form
of joseph.gaude.

My username.map file has gaudej = joseph.gaude and when I have the [home]
share loaded up, samba is not doing the username map... I've read most the
docs and can't make this work.

My home directories under Solaris are controlled by NIS... 

Here are snippets of my smb.conf:
# Date: 2004/07/21 16:20:13

# Global parameters
[global]
workgroup = GDAIS
netbios name = athena
realm = AD.GD-AIS.COM
password server = 156.23.150.85
server string = Athena Samba Server
security = ads
encrypt passwords = yes
username map = /usr/local/samba/lib/username.map
#   log level = 10
#   max log size = 1000
#   message command = sh -c `(echo WinPopup\ message\ from\ %f | cat %s)
 /
dev/console` 
winbind separator = +
idmap uid = 1-4
idmap gid = 1-4
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/tcsh

[homes]
guest ok = no
read only = no


So everything works but the user mapping... I'm still coming across as
GDAIS+joseph.gaude and I need gaudej.

Can anyone tell me how to pull this off?

Thanks!!

...Joe



Joseph A. Gaude'
Systems Engineer - CSM
General Dynamics
Advanced Information Systems IES


Re: [Samba] Roaming profile, esp. laptops

2004-08-10 Thread Joseph E. Werle
You could use mandatory profiles.  If you're using XP on the laptop it 
will use the cached version of the profile when the user logs onto the 
domain and then will send the changes back to the server when he logs 
off again.

Paul Gienger wrote:
Here's an issue I don't think I've seen come up since I've been 
trolling that is going to be a headache for me:

Say I have a user on a laptop, when he is constantly on the network, 
everything is happy.  Say the user goes home, does some work, monkeys 
around with his settings, and comes back.  As soon as said user logs 
on he gets the copy of his profile from the last time he logged off.  
Does anyone else see the problem here?

I would like to know what creative solutions people have come up with 
to get around the issue.  We currently use 2.2.8 but I'm going to push 
3.0.x out Real Soon Now (TM), so if some negotiation has somehow been 
done in 3 to make this work better I'll shut up and go back to my hole.


[Samba] Active Directory - Samba 3.0.4

2004-08-03 Thread Joseph . Gaude
Hello Everyone,
I'm trying to get Samba 3.0.4 under Solaris 8 to join a Windows AD domain.

I've compiled and configured all the required code.. and all works so far. I
can do a kinit [EMAIL PROTECTED] and get a ticket from the AD server...
Samba's smbd and nmbd run, winbind complains about credentials.

Here's my issue. I don't have any control over the AD server. We have a 3rd
party IT support group. And I'm not sure they are adding the samba server in
the AD tree correctly. My problem is, our 3rd party IT guys said he added
my machine to the ad domain, but, I can't join, nor is the machine
searchable through MS networking, so, I don't think he added it right.

My question is: Is there any way to join an AD domain without having to know
the administrators password? If so, how?

Thanks!!!

...Joe



Re: [Samba] Workstation service failing

2004-08-02 Thread Joseph E. Werle
I am having the same problem with one of my XP boxes.   The only 
solution I have found is that when the machine boots you must first 
log in to the Local Administrator Account not the domain.  Then you can 
log out and log onto the domain as a normal user.  In my investigation I 
have found that the Computer Browser service is failing. One suggestion I 
have gotten is to set that service to log on to the local administrator 
account.  Haven't tried this as of yet, I'll let you know how it works.  
This is a strange error because I have 2 other XP boxes running 
identical copies of XP with no problems.

Terry Wood wrote:
Greetings all,
   Has anyone had any problems with the workstation service failing 
on Windows XP boxes? My samba server is running Fedora Core 2 w/ 
kernel 2.6.5-1.358. Samba version is 3.0.3-5 using openldap 2.1.29-1 
for authentication and roaming profiles. The workstation service dies 
after authentication, although authentication works. On the XP boxes, 
I can start the workstation service manually, log off and log back in 
and everything works perfect until reboot. Any ideas? This seems to 
fail only on newer versions of XP...

Thanks for any ideas or help
Terry Wood


[Samba] User Cant Change Password from Windows XP

2004-07-31 Thread Joseph E. Werle
Ok, I have searched the archives and have tried several different options 
but can't seem to get this to work. When users try to change their 
password from Windows they get an error saying they do not have 
permission to change their password. Any help would be appreciated.
I am running Samba3 with an ldap backend.

Here is my smb.conf file: 
[global]
workgroup = HGW
netbios name = LUCIFER
server string = Lucifer PDC
interfaces = eth0, lo
security = user
bind interfaces only = YES
encrypt passwords = yes
unix password sync = yes
pam password change = yes
passwd program = /usr/bin/passwd %u
ldap password change = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
passdb backend = ldapsam:ldap://127.0.0.1
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139 445
name resolve order = wins bcast hosts
time server = yes
printcap name = CUPS
show add printer wizard = no
add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'
delete user script = /var/lib/samba/sbin/smbldap-userdel.pl %u
add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'
delete user script = /var/lib/samba/sbin/smbldap-groupdel.pl '%g'
add user to group script = /var/lib/samba/sbin/smbldap-groupmod.pl -m '%u' '%g'
delete user from group script = /var/lib/samba/sbin/smbldap-groupmod.pl -x '%u' '%g'
set primary group script = /var/lib/samba/sbin/smbldap-usermod.pl -g '%g' '%u'
add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'
logon home = \\%L\%U
logon script = %U.bat
logon path = \\%L\profiles\%U
logon drive = U:
domain logons = Yes
preferred master = Yes
wins support = Yes
ldap suffix = dc=hosgonewhack, dc=com
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap

sample entry from ldap:
dn: uid=jwerle, ou=People, dc=hosgonewhack,dc=com
sambaPrimaryGroupSID: EDIT
sambaLMPassword: EDIT
displayName: System User
sambaLogonScript: jwerle.cmd
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
userPassword:: EDIT
sambaLogonTime: 0
sambaHomeDrive: U:
uid: jwerle
uidNumber: 1000
cn: jwerle
sambaLogoffTime: 2147483647
sambaPwdLastSet: 1090989705
sambaAcctFlags: [U]
loginShell: /bin/bash
sambaProfilePath: \\LUCIFER\profiles\jwerle
gidNumber: 512
sambaPwdMustChange: 1094877705
sambaPwdCanChange: 0
sambaNTPassword: EDIT
gecos: System User
sambaSID: EDIT
description: System User
homeDirectory: /home/jwerle
sambaKickoffTime: 0
sn: jwerle
sambaHomePath: \\LUCIFER\homes
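
An added example, not part of the original post: the posted [global] section assigns `passwd program` and `delete user script` twice, and the second `delete user script` points at smbldap-groupdel.pl. Samba keeps the last assignment of a parameter, so a small check like this one shows which value is in effect. The function names are hypothetical and SAMPLE is constructed from the lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: the repeated parameters from the smb.conf posted above.
SAMPLE = """
[global]
passwd program = /usr/bin/passwd %u
ldap password change = yes
passwd program = /usr/bin/passwd %u
delete user script = /var/lib/samba/sbin/smbldap-userdel.pl %u
add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'
delete user script = /var/lib/samba/sbin/smbldap-groupdel.pl '%g'
"""

def normalize(name):
    # Samba compares parameter names ignoring case and embedded whitespace.
    return re.sub(r"\s+", "", name).lower()

def logical_lines(text):
    # Join backslash-continued lines; yield (first line number, joined text).
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if buf:
        yield start, buf.strip()

def find_duplicates(text):
    # Map (section, parameter) -> [(line, value), ...] for repeated parameters.
    seen = defaultdict(list)
    section = "global"
    for no, line in logical_lines(text):
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        seen[(section, normalize(name))].append((no, value.strip()))
    return {key: hits for key, hits in seen.items() if len(hits) > 1}

def effective(hits):
    # The last assignment is the one Samba uses.
    return hits[-1][1]
```
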



Re: [Samba] User Cant Change Password from Windows XP

2004-07-31 Thread Joseph E. Werle
I am using samba 3.0.4-1 redhat rpm.
I was able to get the password to change by changing the passwd program 
to passwd program =  /var/lib/samba/sbin/smbldap-passwd.pl
But now when the users change their passwords it gives them an error 
that the old password is incorrect but still changes it.   
Any thoughts?

Joe Werle
Paul Gienger wrote:
What version of samba are you running?  There was a 'bug' related to 
changing passwords failing after the clients downloaded a certain 
update from windowsupdate.  I believe the fix was in 3.0.4???

Joseph E. Werle wrote:
Ok, I have searched the archives and have tried several different 
options but can't seem to get this to work. When users try to change 
their password from Windows they get an error saying they do not have 
permission to change their password. Any help would be appreciated.
I am running Samba3 with an ldap backend.

Here is my smb.conf file:
[global]
workgroup = HGW
netbios name = LUCIFER
server string = Lucifer PDC
interfaces = eth0, lo
security = user
bind interfaces only = YES
encrypt passwords = yes
unix password sync = yes
pam password change = yes
passwd program = /usr/bin/passwd %u
ldap password change = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
passdb backend = ldapsam:ldap://127.0.0.1
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139 445
name resolve order = wins bcast hosts
time server = yes
printcap name = CUPS
show add printer wizard = no
add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'
delete user script = /var/lib/samba/sbin/smbldap-userdel.pl %u
add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'
delete user script = /var/lib/samba/sbin/smbldap-groupdel.pl '%g'
add user to group script = /var/lib/samba/sbin/smbldap-groupmod.pl -m '%u' '%g'
delete user from group script = /var/lib/samba/sbin/smbldap-groupmod.pl -x '%u' '%g'
set primary group script = /var/lib/samba/sbin/smbldap-usermod.pl -g '%g' '%u'
add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'
logon home = \\%L\%U
logon script = %U.bat
logon path = \\%L\profiles\%U
logon drive = U:
domain logons = Yes
preferred master = Yes
wins support = Yes
ldap suffix = dc=hosgonewhack, dc=com
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap

sample entry from ldap:
dn: uid=jwerle, ou=People, dc=hosgonewhack,dc=com
sambaPrimaryGroupSID: EDIT
sambaLMPassword: EDIT
displayName: System User
sambaLogonScript: jwerle.cmd
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
userPassword:: EDIT
sambaLogonTime: 0
sambaHomeDrive: U:
uid: jwerle
uidNumber: 1000
cn: jwerle
sambaLogoffTime: 2147483647
sambaPwdLastSet: 1090989705
sambaAcctFlags: [U]
loginShell: /bin/bash
sambaProfilePath: \\LUCIFER\profiles\jwerle
gidNumber: 512
sambaPwdMustChange: 1094877705
sambaPwdCanChange: 0
sambaNTPassword: EDIT
gecos: System User
sambaSID: EDIT
description: System User
homeDirectory: /home/jwerle
sambaKickoffTime: 0
sn: jwerle
sambaHomePath: \\LUCIFER\homes

