Re: [Samba] valid users = +group doesn't work

2008-04-22 Thread Leonid Zeitlin

Hi Jerry,


I guess my question now boils down to the following: when I access a
share as domain user DOMAIN\lz, is there a way to apply valid users
check based on the Unix group membership of the Unix user lz. From
what you are saying I am getting the impression that the answer is no;
is this really so?


If you setup a username map and define lz = DOMAIN\lz, then
when you login as DOMAIN\lz you should only be assigned the
groups belonging to the local user lz.  But you will not
get the domain user's group membership.


This doesn't seem to work. The log shows:

[2008/04/22 15:51:38, 5] auth/auth_util.c:debug_nt_user_token(454)
 NT user token of user S-1-5-21-3395643079-1670520419-2869919353-501
 contains 4 SIDs
 SID[  0]: S-1-5-21-3395643079-1670520419-2869919353-501
 SID[  1]: S-1-1-0
 SID[  2]: S-1-5-2
 SID[  3]: S-1-5-32-546
 SE_PRIV  0x0 0x0 0x0 0x0
[2008/04/22 15:51:38, 5] auth/auth_util.c:debug_unix_user_token(474)
 UNIX token of user 99
 Primary group is 99 and contains 0 supplementary groups

The SID and uid 99 correspond to user nobody. BTW, I am using idmap backend 
= nss.


Actually, even if this works, it would be inconvenient to map every user 
that needs to access the share.


I hoped Samba would treat local Unix group similar to how Windows treat 
local groups. I wouldn't mind if a Unix group needed some blessing before 
Samba uses it (i.e. a SID is somehow created for it). Is it not possible?


Thanks,
 Leonid








cheers, jerry
- --
=
Samba--- http://www.samba.org
Likewise Software  -  http://www.likewisesoftware.com
What man is a man who does not make the world better?  --Balian



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] valid users = +group doesn't work

2008-04-21 Thread Leonid Zeitlin

Hi Jerry,
Please see below.


The supplementary groups are determined by mapping the Windows group
to a gid.  I'm having to remember what we already covered so apologies
for asking again.  Are you running winbindd?  or just manually
mapping groups to SIDs ?  Seems to be the former.


Winbind is running, yes.


I see. But it appears to me (correct me if I'm wrong) that
if a local Unix group is mapped with net sam mapunixgroup, then
it becomes a local nested group and Samba could use
it in valid users - but apparently it doesn't, which confuses me.


No.  The nested group functionality is only served by Winbind.


I guess my question now boils down to the following: when I access a share 
as domain user DOMAIN\lz, is there a way to apply valid users check based 
on the Unix group membership of the Unix user lz. From what you are saying 
I am getting the impression that the answer is no; is this really so?


Thanks,
  Leonid








cheers, jerry
- --
=
Samba--- http://www.samba.org
Likewise Software  -  http://www.likewisesoftware.com
What man is a man who does not make the world better?  --Balian


Re: [Samba] valid users = +group doesn't work

2008-04-17 Thread Leonid Zeitlin

Hi Jerry,
Please see below.



Leonid Zeitlin wrote:


Is webdev in the local group mapping table ?


If I understand your question correctly, initially it
wasn't. Then I did net sam mapunixgroup webdev, but
this didn't seem to have any effect.


Correct.  That was my question.  In 3.0.23 and later
Samba converts the name to a SID internally and then
compares for that SID in the user's NT token.

See below for why this matters.


Got you on this one, thanks.


Interestingly, if I specify valid users = +DOMAIN\windows_group, it
works.

Maybe I need to configure something? Can I have valid users accept UNIX
groups?


yes.  But there's some missing details in your original post.
Sounds like your server is configured as a domain member server.
is the user logging as a domain user ?  Or a local user?


I suppose as domain user. I am sitting at my Windows computer, logged in
to domain as DOMAIN\lz and connecting to a share at the Unix computer.
The user named lz also exists on the Unix computer. I was thinking
that Samba would map DOMAIN\lz the Windows user to lz the Unix user and
use this user's group membership.


DOMAIN\lz has a different SID and token than the local
user lz.   Therefore the search for the local group SID
of webdev will not be found in the domain user's (DOMAIN\lz)
token.  You can view the user's complete list of SIDs in the NT
token in a level 10 smbd debug log.


I see. I observe an interesting picture here. If I specify valid users = 
+DOMAIN\windows_group, then I am able to access the share, and in this case 
I see the following in the log:


[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_nt_user_token(454)
 NT user token of user S-1-5-21-800801294-1190493330-1361462980-1010
 contains 19 SIDs
 SID[  0]: S-1-5-21-800801294-1190493330-1361462980-1010
(... 18 more SIDs follow ... )
 SE_PRIV  0x0 0x0 0x0 0x0
[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_unix_user_token(474)
 UNIX token of user 500
 Primary group is 500 and contains 0 supplementary groups
[2008/04/17 13:39:56, 5] smbd/uid.c:change_to_user(273)
 change_to_user uid=(500,500) gid=(0,500)

The list of SIDs actually includes the SID to which the local group webdev 
was mapped with net sam mapunixgroup! The only thing that is somewhat 
strange here is contains 0 supplementary groups, since my user actually 
has a number of supplementary groups, however, so far so good. Now, if I 
specify valid users = +webdev, I cannot access the share and when I try the 
log has something quite different:


[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_nt_user_token(448)
 NT user token: (NULL)
[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_unix_user_token(474)
 UNIX token of user 0
 Primary group is 0 and contains 0 supplementary groups
[2008/04/17 13:39:56, 5] smbd/uid.c:change_to_root_user(288)
 change_to_root_user: now uid=(0,0) gid=(0,0)

Maybe I'm off base here, and this is normal, but this looks strange: 
apparently Samba knows my user is a member of local webdev group, yet it 
won't let me in based on this membership.



The domain user will only get domain groups (and possible
local nested groups from winbindd) unless you explicitly
map the domain\user account to a specific local Unix account.


I guess I am getting confused here. Are local nested groups from
winbindd the Unix local groups? If yes, this is what I need, but I'm
failing to grasp how to make them work.


No.  See the winbind nested groups option for more details on
local nested groups.  These are the equivalent of Windows NT
4.0 local machine groups.


I see. But it appears to me (correct me if I'm wrong) that if a local Unix 
group is mapped with net sam mapunixgroup, then it becomes a local nested 
group and Samba could use it in valid users - but apparently it doesn't, 
which confuses me.


BTW, I didn't mention this before, maybe it is relevant: I am using NIS on 
the Samba machine. So, local user lz and group webdev are not in local 
passwd and group files, but come from NIS. I don't expect it to make a 
difference, but mentioning this just in case.


Thanks a lot,
 Leonid 
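
Jerry's point in the message above, that the group named in valid users is resolved to a SID and then looked for in the session's NT token, can be checked directly against the debug log. The following is an added example, not part of the original messages and not Samba code: it parses the debug_nt_user_token / debug_unix_user_token records and reports, per token, whether a given group SID is present. WEBDEV_SID, the third sample record and all function names are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input. Records 1 and 2 reuse log lines quoted in this thread (the
# guest token and the NULL token); record 3 and its SIDs are constructed.
SAMPLE_LOG = """\
[2008/04/22 15:51:38, 5] auth/auth_util.c:debug_nt_user_token(454)
 NT user token of user S-1-5-21-3395643079-1670520419-2869919353-501
 contains 4 SIDs
 SID[  0]: S-1-5-21-3395643079-1670520419-2869919353-501
 SID[  1]: S-1-1-0
 SID[  2]: S-1-5-2
 SID[  3]: S-1-5-32-546
 SE_PRIV  0x0 0x0 0x0 0x0
[2008/04/22 15:51:38, 5] auth/auth_util.c:debug_unix_user_token(474)
 UNIX token of user 99
 Primary group is 99 and contains 0 supplementary groups
[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_nt_user_token(448)
 NT user token: (NULL)
[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_unix_user_token(474)
 UNIX token of user 0
 Primary group is 0 and contains 0 supplementary groups
[2008/04/17 13:39:56, 5] smbd/uid.c:change_to_root_user(288)
 change_to_root_user: now uid=(0,0) gid=(0,0)
[2008/04/17 13:40:02, 5] auth/auth_util.c:debug_nt_user_token(454)
 NT user token of user S-1-5-21-1111111111-2222222222-3333333333-1010
 contains 2 SIDs
 SID[  0]: S-1-5-21-1111111111-2222222222-3333333333-1010
 SID[  1]: S-1-5-21-4444444444-5555555555-6666666666-1005
 SE_PRIV  0x0 0x0 0x0 0x0
[2008/04/17 13:40:02, 5] auth/auth_util.c:debug_unix_user_token(474)
 UNIX token of user 500
 Primary group is 500 and contains 0 supplementary groups
"""

# Constructed placeholder for the SID that "net sam mapunixgroup webdev"
# assigned; the thread never shows the real value.
WEBDEV_SID = "S-1-5-21-4444444444-5555555555-6666666666-1005"

BUILTIN_GUESTS = "S-1-5-32-546"   # well-known alias BUILTIN\Guests
GUEST_RID = "501"                 # well-known RID of the Guest account

HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*\d+\]\s+\S+:(?P<func>\w+)\(\d+\)")
NT_USER = re.compile(r"^\s*NT user token of user (S-[\d-]+)")
SID_LINE = re.compile(r"^\s*SID\[\s*\d+\]:\s*(S-[\d-]+)")
UNIX_USER = re.compile(r"^\s*UNIX token of user (\d+)")
TOKEN_FUNCS = ("debug_nt_user_token", "debug_unix_user_token")


@dataclass
class Token:
    timestamp: str
    user_sid: Optional[str] = None      # stays None for "NT user token: (NULL)"
    sids: List[str] = field(default_factory=list)
    uid: Optional[int] = None


def parse_tokens(log: str) -> List[Token]:
    """Pair each debug_nt_user_token record with the UNIX token after it."""
    tokens: List[Token] = []
    in_token = False
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            # Body lines are only read while inside one of the token records.
            in_token = m.group("func") in TOKEN_FUNCS
            if m.group("func") == "debug_nt_user_token":
                tokens.append(Token(timestamp=m.group("ts")))
            continue
        if not in_token or not tokens:
            continue
        cur = tokens[-1]
        if (m := NT_USER.match(line)):
            cur.user_sid = m.group(1)
        elif (m := SID_LINE.match(line)):
            cur.sids.append(m.group(1))
        elif (m := UNIX_USER.match(line)):
            cur.uid = int(m.group(1))
    return tokens


def classify(tok: Token, group_sid: str) -> str:
    """Say whether group_sid is in this token and, if not, what kind of token it is."""
    if tok.user_sid is None:
        return "null-token"              # no SIDs at all to compare against
    if group_sid in tok.sids:
        return "present"
    rid = tok.user_sid.rsplit("-", 1)[-1]
    if rid == GUEST_RID or BUILTIN_GUESTS in tok.sids:
        return "guest"                   # session carries the guest identity
    return "absent"


def report(log: str, group_sid: str) -> List[str]:
    return [f"{t.timestamp} uid={t.uid} sids={len(t.sids)} -> {classify(t, group_sid)}"
            for t in parse_tokens(log)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG, WEBDEV_SID)))
```

The report only states what each logged token contains; it does not reproduce smbd's access decision.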




Re: [Samba] valid users = +group doesn't work

2008-04-17 Thread Leonid Zeitlin

Hi Jerry,
Thanks a lot for your quick reply. Please see below.


Hi all,
I seem to be having a problem identical to this bug:
https://bugzilla.samba.org/show_bug.cgi?id=3940 in Samba 3.0.28, however the
bug is supposed to be fixed by now.

I have a Fedora 7 box joined as a member to Windows 2003 domain. All my
Windows users have accounts on the Samba machine, with the same user name in
Windows and in Unix. I have a share with valid users = +group, where group
is a Unix group. Yet, when a user who is a member of that Unix group
connects, access is denied. The messages in the log are as follows:

[2008/04/16 15:09:07, 5] smbd/service.c:make_connection(1205)
  making a connection to 'normal' service www
[2008/04/16 15:09:07, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid +webdev does not start with 'S-'.
[2008/04/16 15:09:07, 10] passdb/lookup_sid.c:lookup_name(64)
  lookup_name: UNIXBOX\webdev = UNIXBOX (domain), webdev (name)


Is webdev in the local group mapping table ?


If I understand your question correctly, initially it wasn't. Then I did net 
sam mapunixgroup webdev, but this didn't seem to have any effect.




[2008/04/16 15:09:07, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2008/04/16 15:09:07, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2008/04/16 15:09:07, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/04/16 15:09:07, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2008/04/16 15:09:07, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2008/04/16 15:09:07, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/04/16 15:09:07, 10] smbd/share_access.c:user_ok_token(211)
  User lz not in 'valid users'
[2008/04/16 15:09:07, 2] smbd/service.c:make_connection_snum(616)
  user 'lz' (from session setup) not permitted to access this share (www)

Interestingly, if I specify valid users = +DOMAIN\windows_group, it 
works.


Maybe I need to configure something? Can I have valid users accept UNIX
groups?


yes.  But there's some missing details in your original post.
Sounds like your server is configured as a domain member server.
is the user logging as a domain user ?  Or a local user?


I suppose as domain user. I am sitting at my Windows computer, logged in to 
domain as DOMAIN\lz and connecting to a share at the Unix computer. The user 
named lz also exists on the Unix computer. I was thinking that Samba would 
map DOMAIN\lz the Windows user to lz the Unix user and use this user's group 
membership.



The domain user will only get domain groups (and possible
local nested groups from winbindd) unless you explicitly
map the domain\user account to a specific local Unix account.


I guess I am getting confused here. Are local nested groups from winbindd 
the Unix local groups? If yes, this is what I need, but I'm failing to grasp 
how to make them work.


Thanks,
 Leonid








cheers, jerry
- --
=
Samba--- http://www.samba.org
Likewise Software  -  http://www.likewisesoftware.com
What man is a man who does not make the world better?  --Balian


[Samba] Re: Can connect directly, but not browse samba server from Windows Workgroup network

2008-04-16 Thread Leonid Zeitlin
Konstantin,
Just in case, check that nmbd is running.

Thanks,
   Leonid

Konstantin Gredeskoul [EMAIL PROTECTED] wrote:
news:[EMAIL PROTECTED]
Dear Samba gurus,

I have a Fedora 8 linux server, running samba 3.0.28a-0.fc8.  I am
doing the simplest thing of all - exposing a public read-only share
within MS Workgroup environment. My server has a fixed local IP
address (192.168.1.200) and it's on the same subnet as the rest of the
machines.  The server and machines are connected to a 24 port CISCO
switch.

My problem is that I can connect to my samba share from any windows
computer, by typing its IP address: \\192.168.1.200\share - and this
works perfectly.

But I do not see my samba server when I browse the workgroup from a
windows machine.  I would like to set it up so that the users don't
need to type the IP address when they connect, and rather see the
server in their network neighborhood.  But no matter what I do, I can
not see the server listed.

Here's my /etc/samba/smb.conf:

[global]
   security = share
   workgroup = MYGROUP
   server string = Samba Server
   netbios name = MYSERVER
   comment = My Server
   dns proxy = no
   load printers = no

[share]
   path = /data
   read only = Yes
   browseable = Yes
   public = Yes
   guest ok = yes

The samba server does not show up in the nmblookup either, but all
other machines do:

 nmblookup MYGROUP
querying MYGROUP on 192.168.1.255
192.168.1.118 MYGROUP 00
192.168.1.107 MYGROUP 00
192.168.1.101 MYGROUP 00
192.168.1.104 MYGROUP 00
192.168.1.105 MYGROUP 00
192.168.1.112 MYGROUP 00
192.168.1.109 MYGROUP 00
192.168.1.111 MYGROUP 00
192.168.1.110 MYGROUP 00
192.168.1.117 MYGROUP 00
192.168.1.115 MYGROUP 00
192.168.1.106 MYGROUP 00

Also, running smbclient against my server shows expected output:

[EMAIL PROTECTED] tmp]$ smbclient -L 192.168.1.200
Password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.0.28a-0.fc8]

   Sharename       Type      Comment
   ---------       ----      -------
   Share           Disk      My Server
   IPC$            IPC       IPC Service (Samba Server)
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.0.28a-0.fc8]

   Server               Comment
   ---------            -------
   MYSEVER              My Server

   Workgroup            Master
   ---------            -------
   MYGROUP              MYSERVER
   MYSERVER             KASUGAI


Any idea what could be happening here? Is there some UDP blocking going on?

-- 
Thanks
Konstantin

blog » http://tektastic.com
music » http://polygroovers.com
gtalk » kigster


[Samba] valid users = +group doesn't work

2008-04-16 Thread Leonid Zeitlin
Hi all,
I seem to be having a problem identical to this bug: 
https://bugzilla.samba.org/show_bug.cgi?id=3940 in Samba 3.0.28, however the 
bug is supposed to be fixed by now.

I have a Fedora 7 box joined as a member to Windows 2003 domain. All my 
Windows users have accounts on the Samba machine, with the same user name in 
Windows and in Unix. I have a share with valid users = +group, where group 
is a Unix group. Yet, when a user who is a member of that Unix group 
connects, access is denied. The messages in the log are as follows:

[2008/04/16 15:09:07, 5] smbd/service.c:make_connection(1205)
  making a connection to 'normal' service www
[2008/04/16 15:09:07, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid +webdev does not start with 'S-'.
[2008/04/16 15:09:07, 10] passdb/lookup_sid.c:lookup_name(64)
  lookup_name: UNIXBOX\webdev = UNIXBOX (domain), webdev (name)
[2008/04/16 15:09:07, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2008/04/16 15:09:07, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2008/04/16 15:09:07, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/04/16 15:09:07, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2008/04/16 15:09:07, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2008/04/16 15:09:07, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/04/16 15:09:07, 10] smbd/share_access.c:user_ok_token(211)
  User lz not in 'valid users'
[2008/04/16 15:09:07, 2] smbd/service.c:make_connection_snum(616)
  user 'lz' (from session setup) not permitted to access this share (www)

Interestingly, if I specify valid users = +DOMAIN\windows_group, it works.

Maybe I need to configure something? Can I have valid users accept UNIX 
groups?

Thanks,
  Leonid 





[Samba] Re: valid users = +group doesn't work

2008-04-16 Thread Leonid Zeitlin
Hi Jerry,
Thanks a lot for your quick reply. Please see below.

 Hi all,
 I seem to be having a problem identical to this bug:
 https://bugzilla.samba.org/show_bug.cgi?id=3940 in Samba 3.0.28, however the
 bug is supposed to be fixed by now.

 I have a Fedora 7 box joined as a member to Windows 2003 domain. All my
 Windows users have accounts on the Samba machine, with the same user name in
 Windows and in Unix. I have a share with valid users = +group, where group
 is a Unix group. Yet, when a user who is a member of that Unix group
 connects, access is denied. The messages in the log are as follows:

 [2008/04/16 15:09:07, 5] smbd/service.c:make_connection(1205)
   making a connection to 'normal' service www
 [2008/04/16 15:09:07, 3] lib/util_sid.c:string_to_sid(223)
   string_to_sid: Sid +webdev does not start with 'S-'.
 [2008/04/16 15:09:07, 10] passdb/lookup_sid.c:lookup_name(64)
   lookup_name: UNIXBOX\webdev = UNIXBOX (domain), webdev (name)

 Is webdev in the local group mapping table ?

If I understand your question correctly, initially it wasn't. Then I did net
sam mapunixgroup webdev, but this didn't seem to have any effect.


 [2008/04/16 15:09:07, 3] smbd/sec_ctx.c:push_sec_ctx(208)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
 [2008/04/16 15:09:07, 3] smbd/uid.c:push_conn_ctx(358)
   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
 [2008/04/16 15:09:07, 3] smbd/sec_ctx.c:set_sec_ctx(241)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
 [2008/04/16 15:09:07, 5] auth/auth_util.c:debug_nt_user_token(448)
   NT user token: (NULL)
 [2008/04/16 15:09:07, 5] auth/auth_util.c:debug_unix_user_token(474)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
 [2008/04/16 15:09:07, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
 [2008/04/16 15:09:07, 10] smbd/share_access.c:user_ok_token(211)
   User lz not in 'valid users'
 [2008/04/16 15:09:07, 2] smbd/service.c:make_connection_snum(616)
   user 'lz' (from session setup) not permitted to access this share (www)

 Interestingly, if I specify valid users = +DOMAIN\windows_group, it
 works.

 Maybe I need to configure something? Can I have valid users accept UNIX
 groups?

 yes.  But there's some missing details in your original post.
 Sounds like your server is configured as a domain member server.
 is the user logging as a domain user ?  Or a local user?

I suppose as domain user. I am sitting at my Windows computer, logged in to
domain as DOMAIN\lz and connecting to a share at the Unix computer. The user
named lz also exists on the Unix computer. I was thinking that Samba would
map DOMAIN\lz the Windows user to lz the Unix user and use this user's group
membership.

 The domain user will only get domain groups (and possible
 local nested groups from winbindd) unless you explicitly
 map the domain\user account to a specific local Unix account.

I guess I am getting confused here. Are local nested groups from winbindd
the Unix local groups? If yes, this is what I need, but I'm failing to grasp
how to make them work.

Thanks,
  Leonid







 cheers, jerry
 - --
 =
 Samba--- http://www.samba.org
 Likewise Software  -  http://www.likewisesoftware.com
 What man is a man who does not make the world better?  --Balian


[Samba] Re: FC5. Samba 3.0.23a Win XP Pro SP2. Cannot logon from XP tosamba on Fedora

2006-09-25 Thread Leonid Zeitlin
Hi,
I had similar problems upgrading from 3.0.22 to 3.0.23a. Try rebooting your 
client machines, in my case Windows clients could connect to Samba again 
after a reboot. Later I returned to 3.0.22 due to various issues with 
3.0.23a. Recently I did upgrade to 3.0.23c and it seems to work well. My 
advice, don't use 3.0.23a (at least on Fedora), either stay with 3.0.22 or 
go for 3.0.23c.

Thanks,
  Leonid


Clive at Rational [EMAIL PROTECTED] wrote: 
news:[EMAIL PROTECTED]
Hello,

   I have just performed a yum update on my Fedora 5 machine, which I think 
included a samba update, and I cannot connect from WinXP to the shares 
defined on Fedora. When I select the samba server from WindowsXP, a dialog 
box prompts for the userid and password. When userid and password are 
entered the dialog box just redisplays and I am not logged on, no matter how 
many times I try.

I have tried rolling back to samba 3.0.10 but there are too many 
dependencies of samba on other products to do that reliably.

I include below my yum.log messages, smb.conf file and the client.log 
messages

Sep 22 20:18:38 Updated: samba-common.i386 3.0.23a-1.fc5.1
Sep 22 20:18:54 Installed: samba.i386 3.0.23a-1.fc5.1
Sep 22 20:18:58 Updated: samba-client.i386 3.0.23a-1.fc5.1

# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# For a step to step guide on installing, configuring and using samba,
# read the Samba-HOWTO-Collection. This may be obtained from:
#  http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# Many working examples of smb.conf files can be found in the
# Samba-Guide which is generated daily and can be downloaded from:
#  http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command testparm
# to check that you have not made any basic syntactic errors.
#
#=== Global Settings ===
[global]
log file = /var/log/samba/%m.log
dns proxy = no
guest account = smbuser
load printers = yes
cups options = raw
server string = Samba Server
workgroup = CRLGROUP
os level = 20
public = yes
security = user
max log size = 50


#=== Share Definitions ===
[homes]
   comment = Home Directories
   browseable = no
   writable = yes


# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
   comment = All Printers
   path = /usr/spool/samba
   browseable = no
# Set public = yes to allow user 'guest account' to print
   guest ok = no
   writable = no
   printable = yes


[Winsamba]
writeable = yes
create mode = 777
path = /Winsamba-v2

**
lib/util_sock.c:read_data(534)
  read_data: read failure for 4 bytes to client 192.168.0.2. Error = 
Connection reset by peer




[Samba] Re: Re: can't access Samba share when clocks skew is too great

2006-09-25 Thread Leonid Zeitlin
Hi Danilo,
This is interesting. From what you are saying, it seems that it's up to the 
_client_ to re-issue the auth request. Therefore it's a feature of Windows 
client rather than server. Why would then my client not reissue the request 
to the Samba server? I'm just trying to understand.

I have just discovered something else interesting. I have set up a testing 
Samba server with exactly the same configuration as my production server. 
I've noticed that clients with clock skew can connect to it. As far as I can 
see from the logs, the client doesn't even attempt Kerberos auth with this 
server, and does NTLM auth instead. Can anyone please help me understand why 
Kerberos is not attempted?

Thanks,
  Leonid

Danilo Almeida [EMAIL PROTECTED] wrote:
news:[EMAIL PROTECTED]
This is an area where Samba does not emulate Windows very well.

See http://mailman.mit.edu/pipermail/kerberos/2006-September/010482.html. 
This is the basic idea:

MS Kerberos servers return the time skew error along with the server time. 
Then the client can re-issue the auth request using the server's time info 
(generating a new authenticator using the timestamp).  The time in this 
context is used to control replay attacks.

- Danilo

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
Aaron Kincer
Sent: Friday, September 22, 2006 7:34 AM
To: Leonid Zeitlin
Cc: samba@lists.samba.org
Subject: Re: [Samba] Re: can't access Samba share when clocks skew is too 
great

Actually, now that you mention it and I've got more caffeine in the
veins, I would throw the theory out that the Samba server-side
authentication is being more proactive than AD would be. In other words,
AD says You got the right password? Come on in! whereas Samba says
You got the right password? That's great, but our time is out of sync
and that's a problem. This session has timed out.

This is just a guess, more or less.

Feel free to email me directly with your questions about GPOs if you
want to take it off-list.

Aaron

Leonid Zeitlin wrote:
 Hi Aaron,
 Thanks, I understand. As a matter of fact, yes, I do need help with GPOs
 (not NTP on Samba server - thanks, that's clear to me), so if you can offer
 a suggestion, I'd appreciate (I understand this is off topic on the Samba
 list).

 At the same time, as I mentioned in the previous post, I'm trying to
 understand why clients with incorrect clock can connect to Windows servers
 and can't connect to Samba. I thought Samba tried to emulate Windows file
 server as close as possible. In this particular case I thought Samba would
 fall back to NTLM auth. Maybe I misunderstand something.

 Thanks,
   Leonid

 Aaron Kincer [EMAIL PROTECTED] wrote:
 news:[EMAIL PROTECTED]
 It is pretty standard behavior for encrypted authentication schemes to
 reject authentication requests when the time deviation between the
 client and server are too far apart. This is by design. It is basically
 a timeout from Active Directory's perspective. You can use Active
 Directory GPOs to configure clients to use NTP and you can also
 configure NTP on your Samba server (use cron to sync time hourly if you
 must). This should fix your authentication issue. If you need help with
 GPOs or configuring NTP on your Samba server, let me know.

 Bruno Rodrigues Neves wrote:

 Hi Leonid,

 I don´t know the cause of this problem, but if you try add into your
 netlogon script a line such as a set time in order to set the clock
 to the same from the server?

 Regards!

 -- 
 Bruno


 On 9/22/06, Leonid Zeitlin [EMAIL PROTECTED] wrote:

 Hi all,
 I have a Samba 3.0.23c server joined to a Windows 2003 AD domain. Users
 access it from Windows workstations (XP, 2000). The problem is that if a
 workstation has its time off by more than 5 minutes, Samba server cannot be
 accessed. I understand that Kerberos cannot authenticate the clients due to
 clock skew; however, I thought that in such case Samba could fall back to
 NTLM auth. At least, the workstations with the wrong clock can access
 Windows file servers, but not Samba. Is Samba's behavior in this case
 intentional? Is this supposed to work? How can I help or debug this
 situation? Any help is appreciated.

 Thanks,
   Leonid










[Samba] can't access Samba share when clocks skew is too great

2006-09-22 Thread Leonid Zeitlin
Hi all,
I have a Samba 3.0.23c server joined to a Windows 2003 AD domain. Users 
access it from Windows workstations (XP, 2000). The problem is that if a 
workstation has its time off by more than 5 minutes, Samba server cannot be 
accessed. I understand that Kerberos cannot authenticate the clients due to 
clock skew; however, I thought that in such case Samba could fall back to 
NTLM auth. At least, the workstations with the wrong clock can access 
Windows file servers, but not Samba. Is Samba's behavior in this case 
intentional? Is this supposed to work? How can I help or debug this 
situation? Any help is appreciated.

Thanks,
  Leonid 





[Samba] Re: Unable to connect samba server using hostname [2]

2006-09-22 Thread Leonid Zeitlin
Hi David,
Don't know if this helps you, but I am having such problems with client 
machines that have their clock off. Correcting the time fixes the issue. You 
wrote that Samba uses Windows 2003 server as NTP server, but you didn't 
mention if your client machines do the same. Try running net time /set 
/yes on a client machine (this synchronizes the time with the domain 
controller) and see if it helps.

Thanks,
  Leonid

DavidDST [EMAIL PROTECTED] wrote:
news:[EMAIL PROTECTED]
 Hi,

 I've got the same problem as in this thread (no solution found) :

 http://lists.samba.org/archive/samba/2005-November/113914.html

 except I've got the problem on all stations.

 I am unable to connect to samba server using its hostname, whereas it 
 works with IP address. When I use the hostname, Samba always requests 
 login/password.

 [2006/09/21 12:59:04, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(500)
   NativeOS=[Windows Server 2003 3790 Service Pack 1] NativeLanMan=[]
 [2006/09/21 12:59:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(385)
   Got OID 1 2 840 48018 1 2 2
 [2006/09/21 12:59:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(385)
   Got OID 1 2 840 113554 1 2 2
 [2006/09/21 12:59:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(385)
   Got OID 1 3 6 1 4 1 311 2 2 10
 [2006/09/21 12:59:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(388)
   Got secblob of size 1201
 [2006/09/21 12:59:04, 10] passdb/secrets.c:secrets_named_mutex(697)
   secrets_named_mutex: got mutex for replay cache mutex
 [2006/09/21 12:59:04, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
   ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
 [2006/09/21 12:59:04, 3] libads/kerberos_verify.c:ads_verify_ticket(310)
   ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
 [2006/09/21 12:59:04, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
   ads_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
 [2006/09/21 12:59:04, 10] passdb/secrets.c:secrets_named_mutex_release(709)
   secrets_named_mutex: released mutex for replay cache mutex
 [2006/09/21 12:59:04, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
 [2006/09/21 12:59:04, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
   Failed to verify incoming ticket!

 Samba has been correctly registered in the domain.
 Samba uses the Windows 2003 server as NTP server.
 I could obtain user list and group list from winbind.

 I could resolve workstations name from Samba server. There is no IP 
 restriction on Samba server.

 When I use the IP address, the log is different:

 [2006/09/21 13:04:23, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(500)
   NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1]
 [2006/09/21 13:04:23, 3] smbd/sesssetup.c:reply_spnego_negotiate(385)
   Got OID 1 3 6 1 4 1 311 2 2 10
 [2006/09/21 13:04:23, 3] smbd/sesssetup.c:reply_spnego_negotiate(388)
   Got secblob of size 40
 [2006/09/21 13:04:23, 5] auth/auth.c:make_auth_context_subsystem(484)
   Making default auth method list for security=ADS
 [...]

 I've got something like auth/auth.c:make_auth_context_subsystem with IP 
 and passdb/secrets.c:secrets_named_mutex with hostname.

 Any ideas?

 Kindest regards,

 David.
 



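As an added example (not part of any message in this thread, and not Samba's own code), the following Python groups smbd log records like the two quoted above by session setup and reports which SPNEGO mechanisms the client offered and which path authentication took. The function names and the `path` labels are this example's own, and the sample is abridged from the two quoted logs.

```python
import re

# SPNEGO mechanism OIDs in the space-separated form smbd logs them.
MECHS = {"1 2 840 48018 1 2 2": "MS-KRB5",
         "1 2 840 113554 1 2 2": "KRB5",
         "1 3 6 1 4 1 311 2 2 10": "NTLMSSP"}
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1"}  # RFC 3961 numbers
# "[date time, level] file.c:function(line)"; \s+ also spans a mail-wrapped header.
HEADER = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d(?:\.\d+)?),\s*\d+\]"
                    r"\s+\S+?:(\w+)\(\d+\)")
ENC_ERR = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+)")

def records(text):
    """Yield (timestamp, function, message); wrapped message lines are rejoined."""
    hits = list(HEADER.finditer(text))
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        yield m.group(1), m.group(2), " ".join(text[m.end():end].split())

def summarize(text):
    """Group records by session setup; report offered mechanisms and the auth path."""
    sessions = []
    for ts, func, msg in records(text):
        if func == "reply_sesssetup_and_X_spnego":
            sessions.append({"ts": ts, "mechs": [], "enc_errors": [], "path": "unknown"})
        elif sessions:  # ignore records that precede the first session setup
            cur, err = sessions[-1], ENC_ERR.search(msg)
            if msg.startswith("Got OID "):
                oid = msg[len("Got OID "):]
                cur["mechs"].append(MECHS.get(oid, oid))
            elif err:
                etype = int(err.group(1))
                cur["enc_errors"].append((ENCTYPES.get(etype, str(etype)), err.group(2)))
            elif msg == "Failed to verify incoming ticket!":
                cur["path"] = "kerberos-ticket-rejected"
            elif msg.startswith("Making default auth method list"):  # no Kerberos ticket
                cur["path"] = "ntlmssp"
    return sessions

# Sample abridged from the two logs quoted above: hostname attempt, then IP attempt.
SAMPLE = """\
[2006/09/21 12:59:04, 3]
 smbd/sesssetup.c:reply_sesssetup_and_X_spnego(500)
   NativeOS=[Windows Server 2003 3790 Service Pack 1] NativeLanMan=[]
[2006/09/21 12:59:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(385)
   Got OID 1 2 840 48018 1 2 2
[2006/09/21 12:59:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(385)
   Got OID 1 2 840 113554 1 2 2
[2006/09/21 12:59:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(385)
   Got OID 1 3 6 1 4 1 311 2 2 10
[2006/09/21 12:59:04, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
   ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
[2006/09/21 12:59:04, 3] libads/kerberos_verify.c:ads_verify_ticket(310)
   ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
 integrity check failed
[2006/09/21 12:59:04, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
   Failed to verify incoming ticket!
[2006/09/21 13:04:23, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(500)
   NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1]
[2006/09/21 13:04:23, 3] smbd/sesssetup.c:reply_spnego_negotiate(385)
   Got OID 1 3 6 1 4 1 311 2 2 10
[2006/09/21 13:04:23, 5] auth/auth.c:make_auth_context_subsystem(484)
   Making default auth method list for security=ADS
"""
```

On the sample, the hostname attempt offers both Kerberos OIDs and ends in a rejected ticket, while the IP attempt offers only NTLMSSP.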


[Samba] Re: can't access Samba share when clocks skew is too great

2006-09-22 Thread Leonid Zeitlin
Hi Bruno,
Thanks, I understand that. Still, I'm not sure why Samba wouldn't use NTLM 
auth if Kerberos fails. It appears that Windows file servers do exactly 
that, since clients with incorrect clock can connect to Windows servers and 
are telling me that Samba is not working for them, while Windows is.

Thanks,
   Leonid

Bruno Rodrigues Neves [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Hi Leonid,

I don't know the cause of this problem, but what if you try adding to your
netlogon script a line such as a set time, in order to set the clock
to the same as the server's?

Regards!

--
Bruno


On 9/22/06, Leonid Zeitlin [EMAIL PROTECTED] wrote:
 Hi all,
 I have a Samba 3.0.23c server joined to a Windows 2003 AD domain. Users
 access it from Windows workstations (XP, 2000). The problem is that if a
 workstation has its time off by more than 5 minutes, the Samba server cannot
 be accessed. I understand that Kerberos cannot authenticate the clients due
 to clock skew; however, I thought that in such a case Samba could fall back to
 NTLM auth. At least, the workstations with the wrong clock can access
 Windows file servers, but not Samba. Is Samba's behavior in this case
 intentional? Is this supposed to work? How can I help or debug this
 situation? Any help is appreciated.

 Thanks,
   Leonid





[Samba] Re: can't access Samba share when clocks skew is too great

2006-09-22 Thread Leonid Zeitlin
Hi Aaron,
Thanks, I understand. As a matter of fact, yes, I do need help with GPOs
(not NTP on Samba server - thanks, that's clear to me), so if you can offer
a suggestion, I'd appreciate it (I understand this is off topic on the Samba
list).

At the same time, as I mentioned in the previous post, I'm trying to 
understand why clients with incorrect clock can connect to Windows servers 
and can't connect to Samba. I thought Samba tried to emulate Windows file 
server as close as possible. In this particular case I thought Samba would 
fall back to NTLM auth. Maybe I misunderstand something.

Thanks,
  Leonid

Aaron Kincer [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
It is pretty standard behavior for encrypted authentication schemes to
reject authentication requests when the time deviation between the
client and server are too far apart. This is by design. It is basically
a timeout from Active Directory's perspective. You can use Active
Directory GPOs to configure clients to use NTP and you can also
configure NTP on your Samba server (use cron to sync time hourly if you
must). This should fix your authentication issue. If you need help with
GPOs or configuring NTP on your Samba server, let me know.



[Samba] Re: Re: smbd/oplock.c:oplock_timeout_handler(375) after samba upgrade

2006-04-26 Thread Leonid Zeitlin

Jeremy Allison [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 On Tue, Apr 25, 2006 at 08:08:20PM +0300, Leonid Zeitlin wrote:
 Hi all,
 I have the same problem with Samba 3.0.22 on Fedora Core 5.
 In my case the users are getting timeouts when checking out files from
 a Visual Source Safe database located on a Samba share. The messages in
 /var/log/messages are the same:

 Apr 25 19:45:34 elephantb smbd[5155]: [2006/04/25 19:45:34, 0] smbd/oplock.c:oplock_timeout_handler(366)
 Apr 25 19:45:34 elephantb smbd[5155]:   Oplock break failed for file B2/data/z/zpag -- replying anyway

 I have oplocks and kernel oplocks parameters turned on.

 Is there any way to help this problem?

 Check into your network hardware/hubs/routers etc. This is
 a common symptom of a network problem.

 Jeremy.

Hi Jeremy,
Thanks a lot for your reply.
Testing shows no network connection problem so far, so I think it's 
unlikely.

A new observation: turning kernel oplocks off (while still keeping oplocks 
on) seems to resolve the problem. Can this give a clue to the problem's 
source?

Thanks,
  Leonid 





[Samba] Re: Re: Re: smbd/oplock.c:oplock_timeout_handler(375) after samba upgrade

2006-04-26 Thread Leonid Zeitlin

Jeremy Allison [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 On Wed, Apr 26, 2006 at 12:32:43PM +0300, Leonid Zeitlin wrote:

 Jeremy Allison [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]
  On Tue, Apr 25, 2006 at 08:08:20PM +0300, Leonid Zeitlin wrote:
  Hi all,
  I have the same problem with Samba 3.0.22 on Fedora Core 5.
  In my case the users are getting timeouts when checking out files from
  a Visual Source Safe database located on a Samba share. The messages in
  /var/log/messages are the same:
 
  Apr 25 19:45:34 elephantb smbd[5155]: [2006/04/25 19:45:34, 0] smbd/oplock.c:oplock_timeout_handler(366)
  Apr 25 19:45:34 elephantb smbd[5155]:   Oplock break failed for file B2/data/z/zpag -- replying anyway
 
  I have oplocks and kernel oplocks parameters turned on.
 
  Is there any way to help this problem?
 
  Check into your network hardware/hubs/routers etc. This is
  a common symptom of a network problem.
 
  Jeremy.

 Hi Jeremy,
 Thanks a lot for your reply.
 Testing shows no network connection problem so far, so I think it's
 unlikely.

 A new observation: turning kernel oplocks off (while still keeping oplocks
 on) seems to resolve the problem. Can this give a clue to the problem's
 source?

 Yes, that's a kernel bug. If a bug appears with kernel
 oplocks on and doesn't with kernel oplocks off then it looks
 like file leasing is broken in the FC5 kernel. What kernel
 version ID does it report?

 Jeremy.

I see. The kernel version is 2.6.16-1.2096_FC5, supposedly it's based on 
2.6.16.9 with some security patches. Do you think I can file a kernel bug 
report?

Thanks,
  Leonid 





[Samba] Re: ACL not working

2006-04-26 Thread Leonid Zeitlin

Travis Bullock [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Has anyone seen this when they do a getfacl on a samba share?



 [EMAIL PROTECTED] GFM_Shares]# getfacl Installpoint/
 # file: Installpoint
 # owner: root
 # group: AVMAX+domainadmins
 user::rwx
 group::rwx
 group:AVMAX+domain\040users:r-x
 mask::rwx
 other::---
 default:user::rwx
 default:group::rwx
 default:group:AVMAX+domain\040users:r-x
 default:mask::rwx
 default:other::---



 Notice the AVMAX+domain\040users anomaly. I have another Samba/Winbind
 server on the same domain and I do not get that when I apply ACL's.

Hi Travis,
What exactly are you concerned about? If it's the + sign, probably you have 
winbind separator set to + in smb.conf. If it's the \040 sequence, it just 
denotes space.

Regards,
  Leonid 





[Samba] Re: Re: ACL not working

2006-04-26 Thread Leonid Zeitlin
Hi Travis,
I see Domain\040Users on my Samba server, so this should be fine.

Are you sure that Domain Users group can access the entire path to the 
share, including all parent directories? If you log in as one of such users 
(or su to it), can you cd to the share directory?

Regards,
  Leonid

Travis Bullock [EMAIL PROTECTED] 
news:[EMAIL PROTECTED]
 It was the 040 that was concerning me. I do not see that on my other Samba
 server so I thought it may be the cause of the problem.

 The problem I am having is that only an account belonging to the owner's
 group, in this case Domain Admins, can access my Samba shares on this
 server. If a member of the Domain Users group, applied through ACL, attempts
 to access shares on this server, the Network Path is not Found. When I
 check the smbd log, when attempting to connect to GF_Scans, for example, I
 see this:

 [2006/04/26 08:16:26, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
 [2006/04/26 08:16:26, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [AVTrain] - [AVTrain] - [AVMAX+avtrain] succeeded
 [2006/04/26 08:16:26, 2] lib/access.c:check_access(324)
  Allowed connection from  (10.4.8.244)
 [2006/04/26 08:16:26, 0] smbd/service.c:make_connection_snum(615)
  '/usr/GFM_Shares/GF_Scans' does not exist or is not a directory, when connecting to [GF_Scans]

 Here is the ACL on GF_Scans:

 [EMAIL PROTECTED] GFM_Shares]# getfacl GF_Scans/
 # file: GF_Scans
 # owner: root
 # group: AVMAX+domainadmins
 user::rwx
 group::rwx
 group:AVMAX+gf_users:rwx
 mask::rwx
 other::---
 default:user::rwx
 default:group::rwx
 default:group:AVMAX+gf_users:rwx
 default:mask::rwx
 default:other::---

 So a member of the Domain Admins can access no problem. A member of
 GF_Users, gets the error in smbd log.

 Cheers,

 Travis



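An added example, not part of the thread: a Python check of the question asked in the reply above, whether a user can search every directory on the path to the share, evaluated from getfacl output with the POSIX ACL rules (owner, named user, groups under the mask, other) and decoding the \040 escape along the way. The GF_Scans ACL is the one quoted in the thread; the parent directory's ACL, the group memberships and all function names are assumptions of this example.

```python
import re

def unescape(name):
    # getfacl prints a space in a name as the octal escape \040; decode those.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Parse one getfacl stanza; default: entries (inherited by new children) are skipped."""
    acl = {"owner": None, "group": None, "mask": None, "entries": []}
    for line in text.splitlines():
        line = re.split(r"\s+#", line.strip())[0]   # drop "#effective:" remarks
        if line.startswith(("# owner:", "# group:")):
            acl[line[2:7]] = unescape(line[8:].strip())   # key is "owner" or "group"
        elif line and not line.startswith(("#", "default:")):
            tag, rest = line.split(":", 1)
            who, perms = rest.rsplit(":", 1)
            if tag == "mask":
                acl["mask"] = set(perms) - {"-"}
            else:
                acl["entries"].append((tag, unescape(who), set(perms) - {"-"}))
    return acl

def allows(acl, user, groups, want):
    """acl(5) check order: owning user, named user, matching groups, then other."""
    want, mask, entries = set(want), acl["mask"], acl["entries"]
    masked = lambda p: p if mask is None else p & mask
    if user == acl["owner"]:
        return want <= next(p for t, w, p in entries if t == "user" and not w)
    for t, w, p in entries:
        if t == "user" and w == user:
            return want <= masked(p)
    hits = [masked(p) for t, w, p in entries
            if t == "group" and (w or acl["group"]) in groups]
    if hits:  # once a group entry matches, "other" is never consulted
        return any(want <= p for p in hits)
    return want <= next(p for t, w, p in entries if t == "other")

def first_blocked(acls, path, user, groups):
    """Return the first directory with a captured ACL that the user cannot search (x)."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts) + 1):
        d = "/" + "/".join(parts[:i])
        if d in acls and not allows(parse_getfacl(acls[d]), user, groups, "x"):
            return d
    return None

# GF_Scans is the ACL quoted in the thread; the parent directory's ACL is constructed
# (the thread never shows it), and so are the group memberships used with it.
ACLS = {
    "/usr/GFM_Shares": r"""# file: GFM_Shares
# owner: root
# group: AVMAX+domainadmins
user::rwx
group::rwx
other::---""",
    "/usr/GFM_Shares/GF_Scans": r"""# file: GF_Scans
# owner: root
# group: AVMAX+domainadmins
user::rwx
group::rwx
group:AVMAX+gf_users:rwx
mask::rwx
other::---""",
}
```

With these inputs a member of AVMAX+gf_users is stopped at the constructed parent directory even though the share's own ACL grants rwx. The check models ordinary users only; root bypasses these permission checks.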


[Samba] Re: Re: Re: ACL not working

2006-04-26 Thread Leonid Zeitlin
You are welcome, Travis :-)

Travis Bullock [EMAIL PROTECTED] 
news:[EMAIL PROTECTED]
 Damn Leonid...what a brainfart that was...lol

 Thanks for pointing me in the right direction man!

 Cheers,

 Travis



[Samba] Re: smbd/oplock.c:oplock_timeout_handler(375) after samba upgrade

2006-04-25 Thread Leonid Zeitlin
Hi all,
I have the same problem with Samba 3.0.22 on Fedora Core 5.
In my case the users are getting timeouts when checking out files from
a Visual Source Safe database located on a Samba share. The messages in
/var/log/messages are the same:

Apr 25 19:45:34 elephantb smbd[5155]: [2006/04/25 19:45:34, 0] smbd/oplock.c:oplock_timeout_handler(366)
Apr 25 19:45:34 elephantb smbd[5155]:   Oplock break failed for file B2/data/z/zpag -- replying anyway

I have oplocks and kernel oplocks parameters turned on.

Is there any way to help this problem?

Thanks,
  Leonid


Jeremy Allison [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 On Mon, Apr 24, 2006 at 05:14:14PM -0400, [EMAIL PROTECTED] wrote:
 I recently upgraded from samba 3.0.10-1.fc3 to 3.0.21b-2 running on FC5.
 Today was the first day of a typing class which uses the network version
 of Mavis Beacon Typing which depends on file sharing.

 The users are hanging and then getting an error message during logging
 into the product.  In /var/log/message, I can see the following message
 for each user similar to:


 [2006/04/24 09:45:24.177906, 0] smbd/oplock.c:oplock_timeout_handler(375)
   Oplock break failed for file mavis/Mavis15EEVNet/Mav15UserData/Ali Johnson.rec -- replying anyway

 Each user has a different filename for the above message.

 Below is the smb.conf share.  Note the force user.

 I would suggest upgrading to 3.0.22 as there were some fixes
 in this area.

 Jeremy.