[Samba] Slower performance on oplock

2008-02-21 Thread Li, Ying (ESG)
Hi Volker,

Thanks for your response.

> No idea. A signal sometimes not delivered?
No. If that signal was received, there was no delay. If it's not received, the 
delay occurred. Look at the message from a client log file.

[2008/01/31 11:58:41, 3] smbd/open.c:delay_for_oplocks(683)
  Sending break request to PID 24330
[2008/01/31 11:58:41, 3] smbd/open.c:defer_open(741)
  defer_open_sharing_error: time [1201809521.237026] adding deferred open entry for mid 65344
[2008/01/31 11:58:41, 3] smbd/process.c:push_deferred_smb_message(220)
  push_deferred_open_smb_message: pushing message len 148 mid 65344 timeout time [1201809581.237026]
[2008/01/31 11:58:41, 3] smbd/process.c:push_queued_message(113)
  push_message: pushed message length 148 on deferred_open_queue
[2008/01/31 11:58:41, 3] smbd/process.c:open_was_deferred(179)
  open_was_deferred
[*** a delay for the time OPLOCK_TIMEOUT*2   ***]
[2008/01/31 11:59:41, 3] smbd/process.c:switch_message(1010)
  switch message SMBntcreateX (pid 25366) conn 0x8b2a10


> Does the message end up in messages.tdb?
How can I check whether it ends up there? I used tdbdump on messages.tdb. It
looks like it does end up there. There is just a huge data of 8192 bytes
present in the entry for that pid. I'm wondering whether there was a
possibility of a msgbuf overflow, because its length is 1600 in message.c.
key(10) = "PID/24330\00"
data(2992) = ""

I'm looking for what reason to cause the signal missing.

Thanks.
-Ying


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] Slower performance on oplock

2008-02-15 Thread Li, Ying (ESG)
Hello,

We are running into the problem in slower performance on oplock.
Here is the oplock scenario.

- We are using 3.0.22.
- Kernel oplock has been implemented on hp-ux 11v3.
- smb.conf
kernel oplocks = Yes
oplock break wait time = 0
fake oplocks = No
locking = Yes
oplocks = Yes
level2 oplocks = Yes
oplock contention limit = 2
posix locking = Yes
- Running a Windows application that have to access to data on Samba share.
- Read data is ok.
- A single user to write data is ok.
- Multiple users to write data experience oplock delay. For example, two 
clients tried to edit data at the same time in the application, there are 
following processing from my observation:
  * The first open on a file with an exclusive oplock.
  * The second open on the same file needs to call defer_open() and send oplock 
break msg to itself.
  * Most of the time, the msg can be received. Performance is OK. But sometimes,
for some reason, the msg couldn't be received. I don't know why. So there was a
delay (probably 60s) after open_was_deferred(). After this, the Windows client
tried to send SMBntcreate to open it again. This time it still failed. Since we
have "Trying to delay for oplocks twice" in open_file_ntcreate(), it led to the
connection being closed.

- Is the defer_open on the second open necessary? This is the same process
and the same file.
- What kind of reasons would cause smbd not to receive the break msg?
- Is there any way to remove the delay, or a specific fix around this?

Any help greatly appreciated.

Thanks very much.
-Ying


[Samba] Possible memory leaks on lookup_sids()?

2007-10-22 Thread Li, Ying (ESG)
Seems that there are some memory leaks on the variables names[j], names
and domain_name in passdb/lookup_sid.c:lookup_sids(). After transferring
names[j] to name_infos in that nested for loop, probably need to free
names[j] content. Before the end of the outside for loop, the variables
domain_name and names need to be released too.

Could somebody look at the line 828-881 in lookup_sids() for 3.2.0pre1?
Thanks.
-Ying

[Samba] Performance Problem / failed to verify PAC server signature

2007-08-14 Thread Li, Ying (ESG)
Hello,

We are experiencing ADS lower performance on Samba-3.0.22 for HPUX. I
did Google search, and find out one message posted at
http://lists.samba.org/archive/samba/2005-November/114231.html at the
earlier time. 

From my observation, it seems there was a spin on
reply_spnego_negotiate()/reply_spnego_kerberos() calls that invokes
register_vuid() to register vuid with different vuid# for a logon user
or a client. Finally, kill the intermediate vuid by
invalidate_vuid(vuid). This caused too many SMB calls on the wire (more
than hundreds of SMB calls, including
SMBsesssetup, SMBtcon, SMBtdis, SMBclose, SMBulogoff), but do nothing.

[2007/08/14 12:01:03, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(251)
  ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
[2007/08/14 12:01:03, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(251)
  ads_secrets_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
[2007/08/14 12:01:03, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(251)
  ads_secrets_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
[2007/08/14 12:01:03, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(251)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
[2007/08/14 12:01:03, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(251)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
[2007/08/14 12:01:03, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(243)
  ads_secrets_verify_ticket: enc type [3] decrypted message !
..
[2007/08/13 17:52:01, 3] libsmb/clikrb5.c:smb_krb5_verify_checksum(697)
  smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: Bad encryption type
[2007/08/13 17:52:01, 2] libads/authdata.c:check_pac_checksum(659)
  check_pac_checksum: PAC Verification failed: Bad encryption type (-1765328196)
[2007/08/13 17:52:01, 0] libads/authdata.c:decode_pac_data(870)
  decode_pac_data: failed to verify PAC server signature
[2007/08/13 17:52:01, 3] libads/kerberos_verify.c:ads_verify_ticket(416)
  ads_verify_ticket: failed to decode PAC_DATA: NT_STATUS_ACCESS_DENIED
..
[2007/08/14 12:01:05, 3] smbd/error.c:error_packet(142)
  error packet at smbd/sesssetup.c(318) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2007/08/14 12:01:05, 3] smbd/sesssetup.c:reply_spnego_negotiate(558)
  reply_spnego_negotiate, invalidate_vuid

I'm wondering whether it's an abnormal behavior, or there is a specific
fix to improve performance. 
Could somebody look at this and help me out?

Thanks.
-Ying


RE: [Samba] Help for ber_printf(ber, "N}" in pdb_ldap.c

2007-06-05 Thread Li, Ying (ESG)
Thanks a lot.
-Ying 

> -Original Message-
> From: Volker Lendecke [mailto:[EMAIL PROTECTED] 
> Sent: Monday, June 04, 2007 11:01 PM
> To: Li, Ying (ESG)
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Help for ber_printf(ber, "N}" in pdb_ldap.c
> 
> On Mon, Jun 04, 2007 at 09:14:24PM -, Li, Ying (ESG) wrote:
> > definition of the "N" format character either. I only saw the lower 
> > case format character "n"(Null). Therefore, I'd like to 
> know what is 
> > the meaning of the encoding format character "N".
> > 
> >  ber_printf( ber, "N}" );
> > 
> > Could somebody run into the problem, or can help me?
> 
> From encode.c:
> 
> /* N tag */
> static ber_tag_t lber_int_null = 0;
> 
> 
> 
> case 'n':   /* null */
>     rc = ber_put_null( ber, ber->ber_tag);
>     break;
> 
> case 'N':   /* Debug NULL */
>     if( lber_int_null != 0 ) {
>         /* Insert NULL to ensure
>          * peer ignores unknown tags */
>         rc = ber_put_null( ber, lber_int_null );
>     } else {
>         rc = 0;
>     }
>     break;
> 
> So it seems this is just something to confuse readers in this case...
> 
> Volker
> 


[Samba] Help for ber_printf(ber, "N}" in pdb_ldap.c

2007-06-04 Thread Li, Ying (ESG)
Hello,

When the option "ldap passwd sync = yes" was used in smb.conf, we got an
error with "Unknown format" on ber_printf(ber, "N}" in passdb/pdb_ldap.c
for Netscape LDAP SDK. This would block password change. By checking
Openldap manpage at
http://www.openldap.org/software/man.cgi?query=ber_printf&apropos=0&sektion=0&manpath=OpenLDAP+2.3-Release&format=html,
I didn't see the definition of the "N" format character either. I only
saw the lower case format character "n" (Null). Therefore, I'd like to
know what is the meaning of the encoding format character "N".

 ber_printf( ber, "N}" );

Could somebody run into the problem, or can help me?

Thanks in advance.
-Ying


RE: [Samba] Idmap back compatible issue

2007-04-23 Thread Li, Ying (ESG)
Sorry, I missed a checking condition for dom_list. Attached is a new
version of the patch.

Thanks.
-Ying

[Samba] Idmap back compatible issue

2007-04-12 Thread Li, Ying (ESG)
I ran into a problem on idmap backend.

In previous Samba releases, there are two kinds of scenarios on idmap
backend.
1) No explicit idmap backend option presented in smb.conf. But imply
using default tdb idmap backend
idmap uid = low - high
idmap gid = low - high
2) idmap backend option exists in smb.conf
idmap uid = low - high
idmap gid = low - high
idmap backend = tdb [or ldap:ldap://ldapserver.com]

In 3.0.25pre2, 2) works to me. But 1) didn't. It looks the new idmap
only considers the second scenarios as back compatibility. It didn't
consider the first to be back compatible. Therefore, when using implied
idmap backend(without idmap backend option in smb.conf), winbind won't
work. When dom_list is empty after dom_list = lp_idmap_backend(), the
variable compat didn't assign to 1.

I believe that many users take the default setting without a specific
idmap backend option, if there is no particular idmap requirement. I'd
like to recommend considering the first situation as a back compatible
issue. At least let it take the default tdb backend when no idmap
domains are present and there is no idmap backend in smb.conf.

Here is a patch for this. Could somebody look at it?

# diff -U 3 idmap.c idmap.c_my
--- idmap.c 2007-04-12 11:52:07.0 -0700
+++ idmap.c_my  2007-04-12 11:51:49.0 -0700
@@ -321,6 +321,14 @@
*p = '\0';
compat_params = p + 1;
}
+   } else {
+   /* Back compatible: without idmap domains and explicit
idmap backend
+* Taking default idmap backend: tdb
+*/
+   DEBUG(3, ("idmap_init: No idmap domains, No idmap
backend dom_list=%s\n", *dom_list));
+   compat = 1;
+   compat_backend = talloc_strdup( idmap_ctx, "tdb");
+   compat_params = compat_backend;
}

if ( ! dom_list) {
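Review bot: the DEBUG call in the added else branch passes *dom_list to %s, but the unchanged context line right after the branch tests if ( ! dom_list), so dom_list can be NULL on this path and the dereference would fault before the tdb fallback takes effect; drop the argument from the message or print it only when dom_list is non-NULL. The result of talloc_strdup( idmap_ctx, "tdb") is also stored in compat_backend and compat_params without a NULL check, so compat = 1 should be set only after the allocation is known to have succeeded.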

Thanks.
-Ying


[Samba] Possible bug on net rpc trustdom establish

2007-01-19 Thread Li, Ying (ESG)
Hello,

When running net rpc trustdom establish command for PDC trusts, I got
the following error with a core dump in 3.0.21c, on HP-UX and
3.0.21c-7.1.5-SUSE-SL10.0.
Couldn't connect to domain MY_DOM controller. Error was
NT_STATUS_ACCESS_DENIED.
bt
#0  0xc016f4d4 in memset () from /usr/lib/libc.2
#1  0x89ab8 in cli_send_trans ()
#2  0x83b0c in cli_api ()
#3  0x9715c in cli_get_pdc_name ()
#4  0x4e908 in rpc_trustdom_establish ()
#5  0x3c6d8 in net_run_function ()
#6  0x50760 in rpc_trustdom ()
#7  0x3c6d8 in net_run_function ()
#8  0x51188 in net_rpc ()
#9  0x3c6d8 in net_run_function ()
#10 0x3e15c in main ()

Look at the code in rpc_trustdom_establish() call in utils/net_rpc.c. 
    nt_status = connect_to_ipc_anonymous(&cli, &server_ip, (char*)pdc_name);

    if (NT_STATUS_IS_ERR(nt_status)) {
        DEBUG(0, ("Couldn't connect to domain %s controller. Error was %s.\n",
            domain_name, nt_errstr(nt_status)));
    }

    /*
     * Use NetServerEnum2 to make sure we're talking to a proper server
     */

    if (!cli_get_pdc_name(cli, domain_name, (char*)pdc_name)) {
        DEBUG(0, ("NetServerEnum2 error: Couldn't find primary domain controller\
 for domain %s\n", domain_name));
    }

During connect_to_ipc_anonymous() if cli_session_setup() failed, or
cli_send_tconX() failed, cli_full_connection() returned an error, and
executed cli_shutdown(). Meanwhile, after connect_to_ipc_anonymous(),
only check/report error message, and pass cli into cli_get_pdc_name().
Here cli=NULL pointer. So I'm wondering why not to check cli pointer
before doing cli_get_pdc_name(). If executing the check on cli such as,
if (NT_STATUS_IS_ERR(nt_status)) {
DEBUG(0, ("Couldn't connect to domain %s controller.
Error was %s.\n",
domain_name, nt_errstr(nt_status)));
+   if (!cli) {
+   return False;
+   } 
}
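Review bot: the added if (!cli) test sits inside the NT_STATUS_IS_ERR(nt_status) branch, so it only protects the call when the status matches that macro, and an error status with a non-NULL cli still falls through to cli_get_pdc_name() after the failure was logged. Returning False unconditionally from the error branch, and checking cli for NULL on its own immediately before cli_get_pdc_name(), would cover both cases.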
before doing cli_get_pdc_name(), the core dump may be avoided. But I'm
unsure it's safe for others.

Could somebody please help me, or advise any thoughts on how to fix
this?

Best Regards.
-Ying Li
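
The failure path described in the message above, reduced to a self-contained sketch (added here as an illustration; it is not code from the post or from Samba). All types and functions prefixed mock_ and the two establish_* callers are hypothetical stand-ins, and the NULL use is counted rather than dereferenced so the program can run to completion.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for this sketch; not Samba's types or functions. */
struct mock_cli { char outbuf[64]; };
typedef enum { MOCK_OK, MOCK_ACCESS_DENIED, MOCK_NO_MEMORY } mock_status;

/* Counts calls that received a NULL connection. In the real program this is
 * the point where the backtrace shows the fault inside memset(). */
static int null_handle_uses;

/* Models the behaviour the post describes: when session setup is refused,
 * the connection is torn down and the caller's pointer stays NULL. */
static mock_status mock_connect(struct mock_cli **out, bool server_accepts)
{
    struct mock_cli *cli;

    *out = NULL;
    cli = calloc(1, sizeof(*cli));
    if (cli == NULL)
        return MOCK_NO_MEMORY;
    if (!server_accepts) {
        free(cli);
        return MOCK_ACCESS_DENIED;
    }
    *out = cli;
    return MOCK_OK;
}

/* Models a callee that writes into the connection's buffer. */
static bool mock_get_pdc_name(struct mock_cli *cli, char *name, size_t len)
{
    if (cli == NULL) {
        null_handle_uses++;     /* recorded instead of crashing the demo */
        return false;
    }
    memset(cli->outbuf, 0, sizeof(cli->outbuf));
    snprintf(name, len, "%s", "PDC1");      /* constructed sample name */
    return true;
}

/* Pattern from the post: the failure is logged and execution continues. */
static bool establish_unchecked(bool server_accepts)
{
    struct mock_cli *cli = NULL;
    char pdc[16] = "";
    bool ok;

    if (mock_connect(&cli, server_accepts) != MOCK_OK)
        fprintf(stderr, "unchecked: connect failed, continuing anyway\n");
    ok = mock_get_pdc_name(cli, pdc, sizeof(pdc));
    free(cli);
    return ok;
}

/* Hardened: any non-success status, or a NULL handle, ends the operation. */
static bool establish_checked(bool server_accepts)
{
    struct mock_cli *cli = NULL;
    char pdc[16] = "";
    bool ok;

    if (mock_connect(&cli, server_accepts) != MOCK_OK || cli == NULL) {
        fprintf(stderr, "checked: connect failed, giving up\n");
        return false;
    }
    ok = mock_get_pdc_name(cli, pdc, sizeof(pdc));
    free(cli);
    return ok;
}

int main(void)
{
    establish_unchecked(false);
    printf("NULL handle uses after unchecked caller: %d\n", null_handle_uses);
    establish_checked(false);
    printf("NULL handle uses after checked caller:   %d\n", null_handle_uses);
    return 0;
}
```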


[Samba] 3.0.23pre1 trusted domain failed

2006-05-05 Thread Li, Ying (ESG)
Hi, 

Recently, upgrade samba from 3.0.14a to 3.0.23pre1. And found trusted
domain user couldn't logon to Samba share. The command nsquery to query
a user from trusted domain failed also. For example:
parent.com  Win2003 DC
|---Child1.parent.com  Win2003 DC
|---Child2.parent.com  Win2003 DC

Kinit OK.
Net ads join to Child1 OK.
Restart the server with winbindd.
Wbinfo -m can display trusted domain Parent and Child2.
Wbinfo -n child1\\user OK.
Wbinfo -n child2\\user OK.

nsquery Child1\\user OK.
nsquery Child2\\user failed.

Smb.conf
security = ADS
realm=CHILD1.PARENT.COM
idmap uid = 4-6
idmap gid = 4-6
allow trusted domains = yes

I need help to understand why this happened. Can somebody give me more
explanation about this? If needed, I can send you log files with 10
level.

Thanks very much for any help.
-Ying


[Samba] Password change caused lose X flag

2005-09-23 Thread Li, Ying (ESG)
Hello,

I have a question with password never expired flag during changing
password.

If X flag for password never expired has been set in account flags for a
user, password change would cause to lose the X flags. By taking a look
at the code of the line 993 in passdb/passdb.c, it said all other acb
flags will be inherited from current existing account ctrl bit, except
for (ACB_WSTRUST|ACB_DOMTRUST|ACB_SVRTRUST|ACB_NORMAL). So I assume the
attribute ACB_PWNOEXP should present during changing password.

However, actually, when a password is changed, the attribute disappears,
so that administrator have to reset the attribute for all users. I just
want to know this behavior is a bug or by design.

Thanks in advance.
-Ying


RE: [Samba] Wbinfo -Y couldn't work with idmap_rid for BUILTIN groups

2005-09-01 Thread Li, Ying (ESG)
A bug #3056 has been filed.

Thanks.
-Ying

> -Original Message-
> From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, September 01, 2005 7:18 AM
> To: Li, Ying (ESG)
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Wbinfo -Y couldn't work with idmap_rid 
> for BUILTIN groups
> 
> Li, Ying (ESG) wrote:
> | By the way, without idmap_rid, BUILTIN group's gid can be displayed 
> | when 'winbind nested groups = No'
> 
> Ying,
> 
> Would you file a bug report for me at https://bugzilla.samba.org?
> That way the issue won't get lost in my inbox :-)
> 
> Thanks.
> 
> 
> 
> 
> cheers, jerry
> 


RE: [Samba] Wbinfo -Y couldn't work with idmap_rid for BUILTIN groups

2005-08-31 Thread Li, Ying (ESG)
By the way, without idmap_rid, BUILTIN group's gid can be displayed when
'winbind nested groups = No' 

> -Original Message-
> From: Li, Ying (ESG) 
> Sent: Wednesday, August 31, 2005 10:43 AM
> To: 'Gerald (Jerry) Carter'
> Cc: samba@lists.samba.org
> Subject: RE: [Samba] Wbinfo -Y couldn't work with idmap_rid 
> for BUILTIN groups
> 
> Hi Jerry,
> 
> When winbind nested groups is enabled, it works for ADS and 
> Domain level. Actually, it seems we don't need to turn on the 
> option on ADS. Why should it be turned on for DOMAIN?
> 
> Thanks.
> -Ying
> 
> > -Original Message-
> > From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, August 31, 2005 10:04 AM
> > To: Li, Ying (ESG)
> > Cc: samba@lists.samba.org
> > Subject: Re: [Samba] Wbinfo -Y couldn't work with idmap_rid for 
> > BUILTIN groups
> > 
> > Li, Ying (ESG) wrote:
> > | Here is a patch for BUILTIN group sid/gid mapping in 
> idmap_rid. It 
> > | works to me.
> > 
> > Could you just try setting 'winbind nested groups = yes'
> > in smb.conf and retest without this patch?  Thanks.
> > 
> > 
> > 
> > 
> > 
> > cheers, jerry
> > 


RE: [Samba] Wbinfo -Y couldn't work with idmap_rid for BUILTIN groups

2005-08-31 Thread Li, Ying (ESG)
Hi Jerry,

When winbind nested groups is enabled, it works for ADS and Domain
level. Actually, it seems we don't need to turn on the option on ADS.
Why should it be turned on for DOMAIN?

Thanks.
-Ying

> -Original Message-
> From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, August 31, 2005 10:04 AM
> To: Li, Ying (ESG)
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Wbinfo -Y couldn't work with idmap_rid 
> for BUILTIN groups
> 
> Li, Ying (ESG) wrote:
> | Here is a patch for BUILTIN group sid/gid mapping in idmap_rid. It 
> | works to me.
> 
> Could you just try setting 'winbind nested groups = yes'
> in smb.conf and retest without this patch?  Thanks.
> 
> 
> 
> 
> 
> cheers, jerry
> 


[Samba] Wbinfo -Y couldn't work with idmap_rid for BUILTIN groups

2005-08-29 Thread Li, Ying (ESG)
Here is a patch for BUILTIN group sid/gid mapping in idmap_rid. It works
to me.

#>cd samba-3.0.14a/source/sam
#>diff -C3 idmap_rid.c idmap_rid.c_new
*** idmap_rid.c Fri Mar 11 05:47:05 2005
--- idmap_rid.c_new Mon Aug 29 15:42:50 2005
***
*** 459,466 
fstring sid_string;
int i;
uint32 rid;
!   DOM_SID sidstr;

/* check if we have a mapping for the sid */
for (i=0; ihttps://lists.samba.org/mailman/listinfo/samba


[Samba] Wbinfo -Y couldn't work with idmap_rid for BUILTIN groups

2005-08-23 Thread Li, Ying (ESG)
Hi,

wbinfo -Y BUILTIN\group can work without idmap_rid in Samba-3.0.14a. But
I'm experiencing wbinfo -Y with idmap_rid failed for SID to GID
conversion of BUILTIN groups. 

Since idmap_rid only works in a single domain, and captures workgroup's
domain sid as a real domain sid in rid_idmap_get_domains(), when running
"wbinfo -Y BUILTIN/System Operators", the function
rid_idmap_get_id_from_sid() checks if incoming sid is same with
workgroup domain sid by following comparison:
470   if ( sid_compare_domain(sid, &sidstr) == 0 )

This would let the first "for" loop continue to go to the end, and make
the loop variable i equal to trust.number(=1). And the code after the
loop
474    if (i == trust.number) {
475        DEBUG(0,("rid_idmap_get_id_from_sid: no suitable range available for sid: %s\n",
476            sid_string_static(sid)));
477        return NT_STATUS_INVALID_PARAMETER;
478    }
478}

leads to generate an error with "no suitable range available for sid:",
even if both idmap uid range and idmap gid range are exactly equal to
idmap_rid range in smb.conf.

So I'm wondering idmap_rid capability. I'd like to ask somebody if
idmap_rid can work with BUILTIN group. If the answer is yes, How do we
get Samba BUILTIN groups' SID? If the answer is no, I want to know if
there is a possible solution to resolve sid to gid conversion for samba
builtin groups by winbind with idmap_rid.

smb.conf
[global]
   workgroup = MYDOMAIN
   security = ads or domain
   allow trust domains = no
   idmap backend = idmap_rid:"MYDOMAIN=5-6"
   idmap uid = 5-6
   idmap gid = 5-6
   ..

Any information is really appreciated.
-Ying
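
An added illustration (not from the original post or from Samba's source) of why the lookup described above runs to the end of its loop for a BUILTIN SID such as S-1-5-32-549: the SID shares no sub-authority prefix with the single configured domain SID. The struct and function names, the domain SID and the 50000-60000 range are constructed for the example; sid_in_domain() is a simplified stand-in for sid_compare_domain(), and gid = range low + RID is an assumed mapping.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SUBAUTHS 15
enum { MAP_NO_DOMAIN = -1, MAP_OUT_OF_RANGE = -2, MAP_BAD_SID = -3 };

struct sid {
    unsigned revision, num_auths;
    uint64_t authority;
    uint32_t sub_auths[MAX_SUBAUTHS];
};

struct domain_range { struct sid domain; uint32_t low, high; }; /* SID + id range */

/* Read one unsigned decimal field; rejects signs, spaces and empty fields. */
static bool read_field(const char **p, uint64_t *val)
{
    char *end;
    if (!isdigit((unsigned char)**p))
        return false;
    *val = strtoull(*p, &end, 10);
    *p = end;
    return true;
}

/* Parse "S-<revision>-<authority>-<sub-authority>..." into its components. */
static bool sid_parse(const char *s, struct sid *out)
{
    uint64_t v;
    memset(out, 0, sizeof(*out));
    if (s == NULL || s[0] != 'S' || s[1] != '-')
        return false;
    s += 2;
    if (!read_field(&s, &v) || v > 255 || *s++ != '-')
        return false;
    out->revision = (unsigned)v;
    if (!read_field(&s, &out->authority))
        return false;
    while (*s == '-') {
        s++;
        if (out->num_auths == MAX_SUBAUTHS || !read_field(&s, &v) || v > UINT32_MAX)
            return false;
        out->sub_auths[out->num_auths++] = (uint32_t)v;
    }
    return *s == '\0';
}

/* True when s is the domain SID followed by exactly one RID. */
static bool sid_in_domain(const struct sid *s, const struct sid *dom)
{
    return s->revision == dom->revision && s->authority == dom->authority &&
           s->num_auths == dom->num_auths + 1 &&
           memcmp(s->sub_auths, dom->sub_auths, dom->num_auths * sizeof(uint32_t)) == 0;
}

/* Returns the mapped gid, or a negative MAP_* code. */
static long sid_to_gid(const char *sid_str, const struct domain_range *tbl, size_t n)
{
    struct sid s;
    size_t i;
    uint64_t id;
    if (!sid_parse(sid_str, &s) || s.num_auths == 0)
        return MAP_BAD_SID;
    for (i = 0; i < n; i++)
        if (sid_in_domain(&s, &tbl[i].domain))
            break;
    if (i == n)     /* loop ran to the end: the error path from the post */
        return MAP_NO_DOMAIN;
    id = (uint64_t)tbl[i].low + s.sub_auths[s.num_auths - 1];
    return id <= tbl[i].high ? (long)id : MAP_OUT_OF_RANGE;
}

/* Look a SID up against one constructed domain, like trust.number == 1. */
static long demo_lookup(const char *sid_str)
{
    struct domain_range t = { .low = 50000, .high = 60000 };
    if (!sid_parse("S-1-5-21-1111111111-2222222222-3333333333", &t.domain))
        return MAP_BAD_SID;
    return sid_to_gid(sid_str, &t, 1);
}

int main(void)
{
    printf("BUILTIN S-1-5-32-549 -> %ld\n", demo_lookup("S-1-5-32-549"));
    return 0;
}
```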


RE: [Samba] Roaming profiles in domain level

2005-04-29 Thread Li, Ying (ESG)
I've finally found out how to use roaming profiles in domain level.

Samba2.2 and 3.0 always checks owner's ACL for profile directories. But
Samba returns correct owner ACL in a little bit different format with
Windows. For example:
Samba as profiles resource responses owner ACL for profile directory:
  Owner: S-1-5-21-2951980089-3660375505-290094901-1224
 Revision: 1
 Num Auth: 5
 Authority: 5
 Sub-authorities: 21-2951980089-3660375505-290094901
 RID: 1224
Windows as profiles resource responses owner ACL for profile directory:
  Owner: S-1-5-21-2951980089
 Revision: 1
 Num Auth: 5
 Authority: 5
 Sub-authorities: 21-2951980089

Even profile's owner is a valid domain user with accessible permissions
on all files/directories in profile directory, Windows clients would
disallow to access to profiles, and terminate to send incoming requests
for loading profiles. 

Since Windows 2K/XP clients have a registry value to control if to check
owner ACL for profile directories. I used it to not check ownership. Go
to Group policy/Local Computer Configuration/Administrative
templates/System/Logon for Windows 2K/XP, and enable "Do not Check for
User Ownership of Roaming Profiles Folders". The default value is "Not
configured". This works to me.

Thanks.
-Ying 


RE: [Samba] Roaming profiles in domain level

2005-04-29 Thread Li, Ying (ESG)
Hi,

In my case, profile directory was already owned 
by a domain user who has a local account for 
Samba. I can see the profile directory can be 
successfully opened and accessed from the log 
file. The problem seems Samba handled security 
descriptor request in different way with Windows. 
For example: 
1) security_desc response is different with Windows.
Flags:Canonicalized pathnames bit is not set. But 
Windows did.
Flags2: unicode string bit, Error code type bit, 
Security Signatures, Extended Attributes are not 
set in Samba. But Windows did.
In Security Descriptor, Samba responded with owner ACL 
and group ACL as well as NT User ACL. But Windows 
only simply responded with an ACL only for owner.

2) incoming requests after NT_QUERY_SECURITY_DESC 
request are different with Windows.
If profiles are stored in a Windows domain member, 
incoming requests are close/NT_Create_AndXs/ReadAndXs 
for loading a profile. If profiles are stored to 
Samba. I only can see Close/Logoff/TreeDisconnect 
Requests. No loading profiles requests occurred 
from Windows client.

So my case doesn't look like a profile owner issue. 
Could I ask you if you successfully use roaming 
profiles in Samba domain level? Is it 2.2 or 3.0?

Thanks for your response.
-Ying




> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, April 28, 2005 10:50 PM
> To: Li, Ying (ESG); samba@lists.samba.org
> Subject: RE: [Samba] Roaming profiles in domain level
> 
> Hi,
> 
> Windows checks the security acl of a profile.
> The user must be owner!
> 
> With kind regards,
> 
> 
> 
> Dirk Laurenz
> Systems Engineer  
> 
> Fujitsu Siemens Computers
> S CE DE SE PS N/O
> Sales Central Europe Deutschland
> Professional Service Nord / Ost
> 
> Hildesheimer Strasse 25
> 30880 Laatzen
> Germany
> 
> Telephone:+49 (511) 84 89 - 18 08
> Telefax:  +49 (511) 84 89 - 25 18 08
> Mobile:   +49 (170) 22 10 781
> Email:mailto:[EMAIL PROTECTED]
> Internet: http://www.fujitsu-siemens.com
> http://www.fujitsu-siemens.de/services/index.html
>   
> 
> -|  -Original Message-----
> -|  From: 
> -|  [EMAIL PROTECTED]
> -|  rg
> -|  [mailto:[EMAIL PROTECTED]
> -|  .samba.org] On Behalf Of Li, Ying (ESG)
> -|  Sent: Friday, April 29, 2005 12:27 AM
> -|  To: samba@lists.samba.org
> -|  Subject: [Samba] Roaming profiles in domain level
> -|  
> -|  Hi Everyone,
> -|  
> -|  Does anybody use roaming profiles in domain level?
> -|  
> -|  I'm looking for helps for setting up Samba as a NT4 
> domain member to  
> -| support roaming profiles for sharing during domain logon 
> of Windows  
> -| clients. I ran into the problems. log files couldn't show 
> specified  
> -| messages, except for BUFFER_TOO_SMALL.
> -|  
> -|  If a profile share directory is mounted on a Windows NT DC  or a 
> -| Windows  domain member, all Windows clients can successfully use  
> -| roaming profiles  in that share during domain logon. If 
> the profile 
> -| share is  mounted on a  Samba server that is a NT4 domain 
> member, and 
> -| successfully  joined to the  domain, then all Windows 
> client can save 
> -| profiles to the  share. But only  Windows NT clients can 
> load roaming 
> -| profiles from Samba.
> -|  WinXP(SP1/SP2
> -|  and Win2K(SP4) couldn't download roaming profiles from  Samba 
> -| profiles  share.
> -|  
> -|  I captured network traffics of domain logon for profiles  
> stored on 
> -| both  Windows and Samba domain members. By comparing 
> behaviors,  it 
> -| looks Samba  couldn't handle the case well. I've tried both 
> -| Samba2.2.12 and  samba3.0.7. All have the same problem. So  I'm 
> -| looking for others' experiences, and see if Samba has  
> capability to  
> -| provide roaming profiles in domain level.
> -|  
> -|  I have all log files or ethereal log files. If needed, I  
> can send 
> -| to you  as reference. Any hints or helps, it would be greatly 
> -| appreciated.
> -|  
> -|  Thanks in advance.
> -|  -Ying Li
> -|  
> -|  smb.conf
> -|  [global]
> -|  server string = Samba Serves as Roaming profiles
> -|  security = DOMAIN
> -|  workgroup = NT4_DOMAIN_NAME
> -|  password server = *
> -|  encrypt passwords = yes
> -|  log level = 10
> -|  log file = /var/opt/samba/log.%m  # followings for 
> Samba3.0 only
> -|  idmap uid = 1-2
> -|  idmap gid = 1-2
> -|  winbind use default domain = yes
> -|  winbind enum users = yes
> -|  winbind enum g

[Samba] Roaming profiles in domain level

2005-04-28 Thread Li, Ying (ESG)
Hi Everyone,

Does anybody use roaming profiles in domain level?

I'm looking for helps for setting up Samba as a NT4 domain member to
support roaming profiles for sharing during domain logon of Windows
clients. I ran into the problems. log files couldn't show specified
messages, except for BUFFER_TOO_SMALL. 

If a profile share directory is mounted on a Windows NT DC or a Windows
domain member, all Windows clients can successfully use roaming profiles
in that share during domain logon. If the profile share is mounted on a
Samba server that is a NT4 domain member, and successfully joined to the
domain, then all Windows client can save profiles to the share. But only
Windows NT clients can load roaming profiles from Samba. WinXP(SP1/SP2)
and Win2K(SP4) couldn't download roaming profiles from Samba profiles
share.

I captured network traffics of domain logon for profiles stored on both
Windows and Samba domain members. By comparing behaviors, it looks Samba
couldn't handle the case well. I've tried both Samba2.2.12 and
samba3.0.7. All have the same problem. So 
I'm looking for others' experiences, and see if Samba has capability to
provide roaming profiles in domain level.

I have all log files or ethereal log files. If needed, I can send to you
as reference. Any hints or helps, it would be greatly appreciated. 

Thanks in advance.
-Ying Li

smb.conf
[global]
server string = Samba Serves as Roaming profiles
security = DOMAIN
workgroup = NT4_DOMAIN_NAME
password server = *
encrypt passwords = yes
log level = 10
log file = /var/opt/samba/log.%m
# followings for Samba3.0 only
idmap uid = 1-2
idmap gid = 1-2
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind separator = ;
[profiles]
path = /profiles
browseable = no
guest ok = yes

The directory /profiles is owned by root with 777 permission, and
includes all directories for a profile saved by Windows. On Windows DC,
setup profile path to \\sambaserver\profiles\username for all domain
users. 