[Samba] mount.cifs doesn't set uid/gid when mounting a Samba share
Hello,

So far, I was using the following command to mount a Samba share on my Fedora-powered computer

UID=`whoami`
GID=`id -g ${UID}`
sudo mount.cifs sharename mount \
    -o rw,domain=DOMAIN,user=${UID},uid=${UID},gid=${GID},file_mode=0644,dir_mode=0755

and everything worked until I installed Fedora 16 with Samba client version 3.6.1. Now the uid/gid are ignored, all the objects in the mounted share belong to root:root. The same problem was confirmed for Samba 3.5.11. The server Samba version remained the same and is 3.5.6.

Is this problem known and if yes, how to handle it? Adding forceuid and/or forcegid options doesn't help.

Thanks.
Sincerely,
Konstantin
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

[Samba] Problem: how to make users use unique passwords
Hello,

To harden security, I've modified the smbldap-passwd script so that it updates the sambaPwdMustChange, sambaKickoffTime and shadowExpire fields; also, a simple script notifying users whose expiration date is approaching has been set up. I have also added a call to cracklib to check password strength prior to applying it.

It all works well, but the task is to force users to use a unique password every time they have to change it. A typical scenario I must prevent is this: a user changes the password to anything temporary, then changes it back to the one they used (or to a password slightly different from the one that was used).

Could someone suggest an existing tool to integrate into smbldap-passwd to prevent using similar or the same passwords? I can store password hashes somewhere, but it won't prevent me from the problem when passwords differ just a little.

Any suggestions?

Thanks in advance!
Sincerely,
Konstantin

Re: [Samba] smbldap-tools security: how to keep passwords in smbldap_bind.conf secure?
01/12/2011 09:56 PM, TAKAHASHI Motonobu writes:
> 2011/1/12 Konstantin Boyandin:
>> smbldap-passwd may be called by non-root; thus,
>> /etc/smbldap-tools/smbldap_bind.conf
>> must be world-readable, and it keeps the passwords as plain text.
>
> smbldap-passwd accesses to LDAP as a user who invoked itself.
>
> This behavior is different from Samba itself as always accesses as
> a user defined with "ldap admin dn".
>
> So simply set 600 to smbldap_bind.conf will solve the problem.

Yes, that did the trick, thank you! I thought the bind configuration should also be world readable.

> Also you need to add "by self write" to both sambaLMPassword
> and sambaNTPassword.

Yes, that has been set up and tested before I posted the question.

Sincerely,
Konstantin

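Added example (not part of the original messages and not smbldap-tools code): a shell check for the fix confirmed in the reply above, reporting whether smbldap_bind.conf is accessible beyond its owner and optionally tightening it to 600. The function name check_bind_conf, its --fix flag and the sample file are constructed for illustration.

```sh
# Added example: audit (and optionally tighten) the mode of smbldap_bind.conf.
# check_bind_conf and the sample file below are illustrative, not smbldap-tools code.

# Usage: check_bind_conf PATH [--fix]
# Returns 0 if only the owner has access, 1 if group/other bits are set, 2 if missing.
check_bind_conf() {
    path=$1
    fix=${2:-}
    if [ ! -f "$path" ]; then
        echo "MISSING $path"
        return 2
    fi
    # GNU stat prints the octal mode with -c %a; BSD stat uses -f %Lp.
    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
    # Mask 077 selects every group and other permission bit.
    if [ $(( 0$mode & 077 )) -eq 0 ]; then
        echo "OK $path mode=$mode"
        return 0
    fi
    if [ "$fix" = "--fix" ]; then
        chmod 600 "$path" || return 1
        echo "FIXED $path mode=$mode -> 600"
        return 0
    fi
    echo "EXPOSED $path mode=$mode (readable beyond owner)"
    return 1
}

# Constructed sample: a world-readable copy standing in for
# /etc/smbldap-tools/smbldap_bind.conf (the password value is a placeholder).
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/smbldap_bind.conf"
printf 'masterDN="cn=sambaadmin,dc=example,dc=com"\nmasterPw="PLACEHOLDER"\n' > "$demo_conf"
chmod 644 "$demo_conf"

check_bind_conf "$demo_conf" || true        # reports EXPOSED
check_bind_conf "$demo_conf" --fix          # tightens to 600
check_bind_conf "$demo_conf"                # reports OK
rm -rf "$demo_dir"
```
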
Re: [Samba] smbldap-tools security: how to keep passwords in smbldap_bind.conf secure?
Hello Daniel,

I don't talk about Windows users. I talk about Unix (Linux) users that have shell access to the server where they can run smbldap-passwd.

I am afraid you answered the wrong question. I ask how to prevent users with shell access to where smbldap-passwd is installed from viewing the file smbldap_bind.conf.

Revoking shell access/setting smbldap-passwd as shell is out of question.

Sincerely,
Konstantin

12.01.2011 14:29, Daniel Müller writes:
>
> On your windows client Ctrl+Alt+Del
> Change password.
> The users will never see this password in smbldap_bind.conf.
>
> ---
> IT Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
>
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: muel...@tropenklinik.de
> Internet: www.tropenklinik.de
> ---
>
> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Konstantin Boyandin
> Sent: Wednesday, 12 January 2011 08:50
> To: samba@lists.samba.org
> Subject: [Samba] smbldap-tools security: how to keep passwords in smbldap_bind.conf secure?
>
> Hello,
>
> On
> http://wiki.samba.org/index.php/4.0:_User_Management
> it is described how to set up and use smbldap-tools package. The
> question is, how to hide master passwords in such a case?
>
> smbldap-passwd may be called by non-root; thus,
> /etc/smbldap-tools/smbldap_bind.conf
> must be world-readable, and it keeps the passwords as plain text.
>
> How can I allow users to change their passwords with smbldap-passwd
> without compromising the security?
>
> Thanks.
> Sincerely,
> Konstantin

[Samba] smbldap-tools security: how to keep passwords in smbldap_bind.conf secure?
Hello,

On
http://wiki.samba.org/index.php/4.0:_User_Management
it is described how to set up and use smbldap-tools package. The question is, how to hide master passwords in such a case?

smbldap-passwd may be called by non-root; thus,
/etc/smbldap-tools/smbldap_bind.conf
must be world-readable, and it keeps the passwords as plain text.

How can I allow users to change their passwords with smbldap-passwd without compromising the security?

Thanks.
Sincerely,
Konstantin

Re: [Samba] PDC (CentOS 5.5, Samba 3.5.6): no domain group names sent to Windows 2003 members
Hello Denis,

Switching (in fact, downgrading a bit) to SerNet and/or other distros will be the last resort.

So far, the Samba 3.5.6 domain works quite reliably, but certain behaviour patterns like the mentioned 'groups forgetting' are quite annoying. I'd be glad to hear about how to handle this on a permanent basis; periodic Samba service restarts are but a temporary solution.

I will put SerNet Samba packages to test on a 'sandbox domain', but downgrading is always an undesirable path.

Thanks.
Sincerely,
Konstantin

13.12.2010 12:14, Denis Fateyev writes:
> Hello,
>
> Have you tried the build from SerNet?
>
> ---
> wbr, Denis.
>
> On Mon, Dec 13, 2010 at 11:43 AM, Konstantin Boyandin <temmo...@gmail.com> wrote:
>
> Hello,
>
> After setting up Samba 3.5.6 on CentOS 5.5 (built from sources) I have
> noticed a strange problem.
>
> Windows 2003 servers participating in this Samba domain do not receive
> domain groups list when I, say, try to assign security credentials for a
> file/folder. When I choose domain as source, search reveals only
> technical group names and individual domain users names. No domain group
> names at all.

[Samba] PDC (CentOS 5.5, Samba 3.5.6): no domain group names sent to Windows 2003 members
Hello,

After setting up Samba 3.5.6 on CentOS 5.5 (built from sources) I have noticed a strange problem.

Windows 2003 servers participating in this Samba domain do not receive domain groups list when I, say, try to assign security credentials for a file/folder. When I choose domain as source, search reveals only technical group names and individual domain users names. No domain group names at all.

However, if I type domain group name manually (i.e. "DOMAIN\Domain Admins"), it is recognized and displayed correctly in security credentials.

May I ask for hints on where the source of this problem can be and how to fix it?

The PDC of smb.conf follows.

== PDC smb.conf below
[global]
unix charset = UTF8
workgroup = DOMAIN
netbios name = PDC
server string = Samba PDC
passdb backend = ldapsam:"ldap://10.10.10.1 ldap://10.10.10.10";
username map = /etc/samba/smbusers
interfaces = eth0 lo
bind interfaces only = yes
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 0
name resolve order = wins bcast hosts
time server = Yes
printcap name = CUPS
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%g' '%u'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%g' '%u'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
shutdown script = /var/lib/samba/scripts/shutdown.sh
abort shutdown script = /sbin/shutdown -c
logon script = %u.bat
logon drive = W:
logon home = \\%L\%u
logon path = \\%L\profiles\%u
domain logons = Yes
domain master = Yes
wins support = Yes
# performance optimization all users stored in ldap
ldapsam:trusted = yes
ldap ssl = off
ldap suffix = dc=itelsib,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=sambaadmin,dc=itelsib,dc=com
idmap backend = ldap://10.10.10.1
idmap uid = 1-2
idmap gid = 1-2
printer admin = root
printing = cups
== PDC smb.conf above

Sincerely,
Konstantin

[Samba] The least possible Samba client version able to work with Samba 3.5.6 server
Hello,

We have to work with a number of old OS; the problem is to find out what minimal Samba version is required to make a client work with a server running Samba 3.5.6.

In my experiments I had to use at least Samba 3.3.*, but if there are use cases for much earlier versions, I'd be glad to know of them.

Thanks in advance.
Sincerely,
Konstantin

[Samba] Samba domain member (re)creates sambaDomainName record in LDAP on PDC
Hello,

I have followed the steps mentioned in
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap
and used the proposed smb.conf template (replacing only the actual credentials/LDAP names) to join a Linux workstation as a domain member.

Everything went OK, but I noticed that a record like

sambaDomainName=MEMBERNAME,dc=example,dc=com

where MEMBERNAME is the netbios name of a domain member keeps being created in PDC LDAP DB, even if I delete it.

Is it the expected behavior?

Thanks.

[Samba] Samba on domain member refuses to work after certain time has passed
Hello,

The configuration files for PDC and the server in question are below. Both have Samba 3.5.6 installed, firewalls pass all smb/nmb traffic, CentOS 5.5.x86_64 runs on both.

The situation: after the server (DEVSERV in the example below) starts its Samba, it works fine for approx 1-1.5 days. After that it abruptly stops servicing any shared resources. The only cure is to stop Samba, erase *.tdb files from /etc/samba and /var/lib/samba, join the domain anew -

net rpc join -SPDC -Uroot

and restart the Samba. After that, it works perfectly for 1-1.5 days again.

I have noticed the following lines today in the DEVSERV's /var/log/samba/log.nmbd:

[2010/11/11 15:42:45.748362, 0] nmbd/nmbd_nameregister.c:137(register_name_response)
  register_name_response: WINS server at IP 10.1.0.10 rejected our name registration of DEVEL<00> IP 10.1.0.12 with error code 5.
[2010/11/11 15:42:45.748439, 0] nmbd/nmbd_namelistdb.c:307(standard_fail_register)
  standard_fail_register: Failed to register/refresh name DEVEL<00> on subnet UNICAST_SUBNET

May I ask for suggestions on what's to correct?

Thanks.

Configuration files:

PDC, IP 10.11.12.10
eth0's net is 10.11.12.0/24
There are eth0:0, eth0:1, eth:2 I do not wish to use for Samba (this is why interfaces are mentioned)

-- PDC smb.conf below --
[global]
unix charset = UTF8
workgroup = MYDOMAIN
netbios name = PDC
server string = PDC for MYDOMAIN
passdb backend = ldapsam:"ldap://10.11.12.1 ldap://10.11.12.10";
username map = /etc/samba/smbusers
interfaces = eth0 lo
bind interfaces only = yes
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 0
name resolve order = wins bcast hosts
time server = Yes
printcap name = CUPS
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%g' '%u'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%g' '%u'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
shutdown script = /var/lib/samba/scripts/shutdown.sh
abort shutdown script = /sbin/shutdown -c
logon script = %u.bat
logon drive = W:
logon home = \\%L\%u
logon path = \\%L\profiles\%u
domain logons = Yes
domain master = Yes
wins support = Yes
ldapsam:trusted = yes
ldap ssl = off
ldap suffix = dc=example,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=sambaadmin,dc=example,dc=com
idmap backend = ldap://10.11.12.1
idmap uid = 1-2
idmap gid = 1-2
printer admin = root
printing = cups
-- PDC smb.conf above --

DEVSERV, IP 10.11.12.12

-- DEVSERV smb.conf below --
[global]
workgroup = MYDOMAIN
server string = DEVSERV server`
netbios name = DEVSERV
log file = /var/log/samba/log.%m
max log size = 50
unix extensions = no
security = domain
password server = 10.11.12.1
local master = no
os level = 33
preferred master = no
wins server = 10.11.12.10
dns proxy = yes
load printers = yes
cups options = raw
-- DEVSERV smb.conf above --

Sincerely,
Konstantin

Re: [Samba] Samba 3.5.6: can't follow symlinks on shares
Hi Andy,

08.11.2010 17:27, Andy Liebman writes:
>> The problem: I have a share with symlinks leading outside the share. After mounting the shared resource (cifs), I can't proceed through symlinks (permission denied). Setting options
>>
>> follow symlinks = yes
>> wide links = yes
>>
>> for the share doesn't change Samba behaviour.

...

>> Do not use symlinks, rather use bind mounts.
>>
>> The idea is to make the navigation through symlinks uniform, both in ssh shell and via Samba share, without breaking anything that works on the shared directories and relies on symlinks existence.

...

> It sounds like maybe you need to add to your [General] section the following line:
>
> unix extensions = no
>
> That will make Samba resolve the symlinks on the server side.

In my case the section was named [global]. Thank you very much, that did the trick!

Sincerely,
Konstantin Boyandin

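Added example (not part of the original messages and not Samba code): a shell function that scans an smb.conf for the combination this thread ran into, a section with "wide links = yes" while [global] lacks "unix extensions = no". The function name find_blocked_wide_links and the sample configs are constructed; treating an unset "unix extensions" as enabled is an assumption, and a "wide links" line placed in [global] is reported as "global".

```sh
# Added example: list smb.conf sections that set "wide links = yes" while
# [global] does not set "unix extensions = no" (the combination from this thread).
# find_blocked_wide_links and the sample configs are illustrative names/data.

# Usage: find_blocked_wide_links [FILE]   (reads stdin when FILE is omitted)
# Prints one section name per line; prints nothing when the fix is in place.
find_blocked_wide_links() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function on(v)   { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }            # comments, blank lines
        /^[ \t]*\[/ {                                   # [section] header
            section = $0
            sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
            section = tolower(trim(section)); next
        }
        {
            eq = index($0, "="); if (eq == 0) next
            key = tolower(trim(substr($0, 1, eq - 1))); gsub(/[ \t]+/, " ", key)
            val = trim(substr($0, eq + 1))
            if (section == "global" && key == "unix extensions") unixext = val
            if (key == "wide links" && on(val)) wide[++n] = section
        }
        END {
            # Assumption: an unset "unix extensions" counts as enabled.
            if (unixext != "" && !on(unixext)) exit
            for (i = 1; i <= n; i++) print wide[i]
        }
    ' "${1:--}"
}

# Constructed sample: the share as described in the thread.
sample_share='[projects]
path = /srv/projects
follow symlinks = yes
wide links = yes'
# Before the fix: [global] says nothing about unix extensions.
sample_before=$(printf '[global]\nworkgroup = MYDOMAIN\n%s\n' "$sample_share")
# After the fix: the line that resolved the thread is present in [global].
sample_after=$(printf '[global]\nunix extensions = no\n%s\n' "$sample_share")

printf '%s\n' "$sample_before" | find_blocked_wide_links   # prints: projects
printf '%s\n' "$sample_after"  | find_blocked_wide_links   # prints nothing
```
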
Re: [Samba] Samba 3.5.6: can't follow symlinks on shares
08.11.2010 11:11, John H Terpstra writes:
> On 11/07/2010 10:53 PM, Konstantin Boyandin wrote:
>> Samba version: 3.5.6, OS CentOS 5.5 64-bit.
>>
>> The problem: I have a share with symlinks leading outside the share. After mounting the shared resource (cifs), I can't proceed through symlinks (permission denied). Setting options
>>
>> follow symlinks = yes
>> wide links = yes
>>
>> for the share doesn't change Samba behaviour.
>>
>> Could someone enlighten me on how to handle this?
>
> Do not use symlinks, rather use bind mounts.

The idea is to make the navigation through symlinks uniform, both in ssh shell and via Samba share, without breaking anything that works on the shared directories and relies on symlinks existence.

Correct me if I am wrong, you propose changing all the symlinks to 'mount -o bind' mounts?

Is there a documented way to traverse symlinks on a share?

Thanks.
Sincerely,
Konstantin Boyandin

[Samba] Samba 3.5.6: can't follow symlinks on shares
Hello,

Samba version: 3.5.6, OS CentOS 5.5 64-bit.

The problem: I have a share with symlinks leading outside the share. After mounting the shared resource (cifs), I can't proceed through symlinks (permission denied). Setting options

follow symlinks = yes
wide links = yes

for the share doesn't change Samba behaviour.

Could someone enlighten me on how to handle this?

Thanks.
Sincerely,
Konstantin