Re: [Samba] Updating Samba
On 12/23/2012 10:40 AM, Zane Zakraisek wrote:
> I'm pretty new to compiling software, although I would rather compile my own Samba 4.0.0 server rather than wait for it to become available in the repositories of my distribution. How do you update compiled software? Like if I compile and install Samba 4.0.0, and then 4.0.1 comes out, is there a way to update to that without starting from scratch and having to rebuild my domain? Thanks. Can I simply update my Git tree and then compile again, or will that delete everything?

There are multiple ways that you can do it. What I do is I download the new release and configure/build/install it precisely the same as the previous one, of course adhering to any special instructions in the release notes for upgrading.

You can (and should) learn how to package software for your distribution, or at the very least, make binary tarballs that are suitable for keeping, which gives you the ability to roll back. I keep my custom-built software in /opt; my production Samba 4 systems are rooted in /opt/samba4.

Of course, shut down your old Samba, back it up, and then do the upgrade process. The Active Directory databases and the like are, as I understand it, in the install root. At least some database files, as well as the SYSVOL and NETLOGON shares, are definitely there (in ${PREFIX}/var/locks/).

--- Mike

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Remote Desktop Assistance / Take over session w/ Samba 4
The short question: Is there a means for this to work? The longer question follows.

I've seen Windows networks (with Windows servers, of course) where an administrator could modify some settings in AD and then be able to break in to a user session on a domain member workstation to be able to fix things. I'd like that functionality, too, but I'm not sure if it is possible with Samba 4 being the AD DC. There seem to be settings in the LDAP entries, but I don't know how to use them or even if they're honored.

Does anyone know how this works, and if it is possible to do with a S4 DC? Additionally, would I have to have a Windows workstation to manage the user workstations in this way, or could I use the RDP client e.g., in Fedora to do it?

Thanks! Happy Holidays,
Mike
Re: [Samba] Permissions problem
On 12/20/2012 10:05 AM, Bruno MACADRE wrote:
> If I copy this file in command line the mode is 660 as expected. If I want to simulate the file explorer behaviour I must do a 'cp --preserve=mode' copy. Is there a way to forbid this behaviour? Or is there something wrong in my configuration?

The only way that I could think of would be to write a Samba VFS module that prevented invocation of the chown(2) and chmod(2) system calls (and friends). Such a VFS module would need to return a suitable error code, which would more than likely then be passed back to the client. Or you could simply stub the chown/chmod (and friends!) system calls such that they return success but are effectively no-ops.

Someone else with more intimate experience with Samba's code may have a better option, but that's the only one I can think of at the moment.

HTH,
Mike
Re: [Samba] (S4) Neither AXFR nor authoritative nameserving available?
On 12/22/2012 05:44 AM, Andrew Bartlett wrote:
> On Tue, 2012-12-18 at 11:58 -0500, Michael B. Trausch wrote:
>> Hello all, I'd like to have redundant DNS in our setup. But it seems that Samba 4 does not yet support AXFR with its internal DNS server. Alright, that's fine, so I figured I'd configure the system such that at the very least, a caching nameserver was sitting in front of it. However, that doesn't work; the caching nameserver (BIND 9) returns SERVFAIL, apparently because Samba 4 isn't setting the authoritative bit on its DNS responses.
>
> That's odd. Please file a bug, so Kai can look into it.

Well, I finally got it working, after an update. Yay. :) I still don't have the ability for AXFR, though, it seems. Is that supported, or in-the-works?

>> Is this a known issue, a configuration error on my part, or something entirely different altogether?
>
> You could run another Samba DC to get the redundant DNS.

I _could_... but I'm not there yet, and Samba seems to drop queries a fair bit on a lightly-loaded (about 1 QPS) network; what I mean there is that we've observed failure-to-resolve several times a day. This seems to have gone away now that we've turned off the forwarding option, and are using BIND in front of Samba 4 as a caching/forwarding nameserver. I'll know more as the week goes by.

> Another option is to run the bind9 server and the dlz plugin.

I'd opted to not set this domain up that way because I figured it'd be easier to manage if Samba handled the domain itself. We could switch to BIND for the server, but I have three questions there:

1. Can we switch from Samba 4 -> BIND without reprovisioning?
2. Is there any loss of client-side functionality (e.g., the Microsoft DNS tool)?
3. Are there any other downsides to using BIND over the internal Samba4 DNS?

--- Mike
[Samba] (S4) Neither AXFR nor authoritative nameserving available?
Hello all,

I'd like to have redundant DNS in our setup. But it seems that Samba 4 does not yet support AXFR with its internal DNS server. Alright, that's fine, so I figured I'd configure the system such that at the very least, a caching nameserver was sitting in front of it. However, that doesn't work; the caching nameserver (BIND 9) returns SERVFAIL, apparently because Samba 4 isn't setting the authoritative bit on its DNS responses.

Is this a known issue, a configuration error on my part, or something entirely different altogether?

Thanks,
Mike
Re: [Samba] Samba4 DNS: recursion requested but not available
On 12/09/2012 02:57 PM, Kai Blin wrote:
> This clearly is a bug in the DNS server. Attached is a patch that should fix MX queries for both the 4.0 release branch and master. I'm afraid we just missed the window for the 4.0.0 release, but I've opened bug #9485 in Samba Bugzilla to track this bug and get it in for the next bugfix release.

Thanks for the patch; I will apply it tonight and let you know. Irony is that this was found when I set up a lab environment; my production environment doesn't have MX records in the Samba server! :)

> Thanks for the catch and sorry for any inconvenience.

No worries. Bugs happen, it's how they're dealt with that matters. Thanks!

--- Mike
[Samba] Samba4 DNS: recursion requested but not available
Hello all,

This is with Samba 4.0.0rc6 with the built-in DNS server. Found the problem in Samba 4.0.0rc5 originally, then updated to see if bug had been fixed between rc5 and rc6.

I am trying to get mail working for a subdomain that is being managed by Samba 4. I added an MX record, but the problem here is that the Samba 4 DNS server isn't replying with the record:

=
[mbt@aloe ~]$ dig -t MX nautest.naunetcorp.com @s4.nautest.naunetcorp.com

; <<>> DiG 9.9.2-P1-RedHat-9.9.2-5.P1.fc18 <<>> -t MX nautest.naunetcorp.com @s4.nautest.naunetcorp.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 5782
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;nautest.naunetcorp.com.        IN      MX

;; Query time: 2 msec
;; SERVER: 2001:470:c0a7:6::2#53(2001:470:c0a7:6::2)
;; WHEN: Sat Dec 8 16:21:38 2012
;; MSG SIZE rcvd: 51
=

The query should return the name and priority of the MX server that I have defined. The MX shows up in the samba-tool dns query output, so it's just the DNS server that isn't responding correctly.

Is this a bug, or is this the result of something I've done wrong?

Thanks,
Mike
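The header fields that matter in this thread and in the AXFR thread above (status, the AA bit, and the "recursion requested but not available" warning) all live in the 12-byte DNS header. The following is an added example, not code from any poster or from Samba: it decodes a header and reports those conditions. The SAMPLE bytes are constructed to reproduce the id, flags and status shown in the dig output; the function names are this example's own.

```python
import struct

# RCODE names from RFC 1035 section 4.1.1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

# Flag bits in the second 16-bit word of the header, in dig's display order
FLAG_BITS = [("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200), ("rd", 0x0100),
             ("ra", 0x0080), ("ad", 0x0020), ("cd", 0x0010)]


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header of a DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "opcode": (flags >> 11) & 0xF,
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "flags": [name for name, bit in FLAG_BITS if flags & bit],
        "counts": {"query": qd, "answer": an, "authority": ns, "additional": ar},
    }


def diagnose(header: dict) -> list:
    """Return the conditions a resolver in front of this server would trip on."""
    if "qr" not in header["flags"]:
        return ["not a response"]
    findings = []
    if header["rcode"] != "NOERROR":
        findings.append("server returned " + header["rcode"])
    if "aa" not in header["flags"]:
        findings.append("AA bit clear: answer is not marked authoritative")
    if "rd" in header["flags"] and "ra" not in header["flags"]:
        findings.append("recursion requested but not available")
    return findings


# Constructed header: id 5782, flags qr rd ad, status NOTIMP,
# QUERY 1, ANSWER 0, AUTHORITY 0, ADDITIONAL 1 (values from the dig output).
SAMPLE = struct.pack("!6H", 5782, 0x8000 | 0x0100 | 0x0020 | 4, 1, 0, 0, 1)

if __name__ == "__main__":
    hdr = parse_header(SAMPLE)
    print(hdr)
    for finding in diagnose(hdr):
        print(" -", finding)
```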
[Samba] Trouble with file shares on Samba 4
Hello all,

I have a Samba 4 system setup with 4.0.0-rc5 working as an Active Directory controller for a set of seven Win7 computers, and most things are working. However, file shares are not.

In all cases, if I add users to Domain Admins, they can access the shares. In all cases, if users are not in Domain Admins, they cannot access the shares. I've added users to groups that (according to Windows) are allowed to read and write the shares. However, the users themselves get zero permissions unless they're in Domain Admins.

I've even tried adding users *directly* to the ACLs for the shares, thinking that surely if they appear in the list directly, they will be able to access the shares. This is not, however, the case.

Any assistance or advice on what to look for would be awesome.

Thanks,
Mike
Re: [Samba] Trouble with file shares on Samba 4
On 11/26/2012 11:07 AM, Michael B. Trausch wrote:
> Any assistance or advice on what to look for would be awesome.

One additional note that I've been able to put together. Windows reports that the permissions that I've set on the server match my expectations of what Windows thinks the permissions should be. That is, I added ACLs to allow user X to access the share with Full Control, and Windows sees this. Windows attempts to access the share, but then says that access is denied. Windows won't even show space utilization on the share, though Windows *can* see the ACLs and, again, they match what we think they should be.

I am _not_ an expert on Samba 4. I do know that this functionality worked in a beta release, though I don't recall which one. I'm actually in the process of setting up a test network to replicate the problem, as I cannot officially submit a bug report based on the network I'm discussing at present. I fully expect to be able to have enough information within 24 hours to create a bug report.

I also plan on testing with git master to see if anything changed since rc5 that might fix the problem, but it essentially seems that while the permissions are correct, they're not being correctly interpreted or honored.

--- Mike

--
Michael B. Trausch
President, Naunet Corporation
Web: https://www.naunetcorp.com
Telephone: +1-678-287-0693
Re: [Samba] 'x' bit always set?
On 08/01/2012 03:59 AM, NdK wrote:
> On 30/07/2012 09:40, NdK wrote:
>> Seems I can't find the root cause of $subj. When I store a file on my home, it gets chmodded ugo+x ...
>
> Any hints?

See the documentation for map archive.[0] Essentially, the DOS/Windows archive bit is mapped to the POSIX user execute bit. This makes it possible for DOS/Windows backup software to be able to use the archive bit.

It might behoove Samba to implement DOS/Windows file attributes in user extended attributes, or in a database file, as opposed to (ab)using the owner execute bit for this purpose. However, it has been this way for a long time, and I would expect that inertia will overcome the desire for change here. I could be (and hopefully am) wrong. Personally, I would not mind seeing Samba use extended attributes for storing file attributes that do not logically map onto POSIX.

--- Mike

[0] http://is.gd/dQSeGw [www.samba.org]

--
Michael B. Trausch
President, Naunet Corporation
Web: https://www.naunetcorp.com/
Phone: +1-(470)-201-5738
Re: [Samba] 'x' bit always set?
On 08/01/2012 10:07 AM, Jonathan Buzzard wrote:
> On 01/08/12 14:54, Michael B. Trausch wrote:
>> It might behoove Samba to implement DOS/Windows file attributes in user extended attributes, or in a database file, as opposed to (ab)using the owner execute bit for this purpose. However, it has been this way for a long time, and I would expect that inertia will overcome the desire for change here. I could be (and hopefully am) wrong.
>
> You are wrong, mount your file system with extended attributes enabled and then add the following to your smb.conf
>
>     # store DOS attributes in extended attributes
>     ea support = yes
>     store dos attributes = yes
>     map readonly = no
>     map archive = no
>     map system = no

Rarely am I happy to be wrong. :-)

I assume that (somewhat counter-intuitively) setting map {readonly,archive,system} = no means not to use the classic mapping, and store dos attributes = yes replaces all of those in a form which can be used in EAs?

Thanks!

--- Mike

--
Michael B. Trausch
President, Naunet Corporation
Web: https://www.naunetcorp.com/
Phone: +1-(470)-201-5738
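How the map options in this thread translate into execute bits on stored files, per share, as an added example (not code from any poster or from the Samba project). It assumes the defaults documented in smb.conf(5) (map archive = yes, map system = no, map hidden = no, create mask = 0744) and the documented rule that a mapped bit only takes effect when the create mask includes it; the share names in SAMPLE are constructed, and store dos attributes is read but deliberately not modelled.

```python
# DOS attribute -> POSIX execute bit used by the classic mapping
MAP_BITS = {"map archive": 0o100, "map system": 0o010, "map hidden": 0o001}
# Defaults as documented in smb.conf(5); an assumption of this example.
DEFAULTS = {"map archive": "yes", "map system": "no", "map hidden": "no",
            "create mask": "0744"}

# Constructed sample configuration (share names are made up).
SAMPLE = """\
[global]
create mask = 0744

[homes]
read only = no

[attrs-in-ea]
ea support = yes
store dos attributes = yes
map readonly = no
map archive = no
map system = no

[legacy]
map system = yes
map hidden = yes
create mask = 0755

[masked]
create mask = 0644
"""


def parse_smb_conf(text):
    """Minimal smb.conf reader: sections, 'key = value', # and ; comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            # parameter names ignore case and repeated whitespace
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def effective(conf, share, key):
    """Share setting wins over [global], which wins over the default."""
    for scope in (conf.get(share, {}), conf.get("global", {})):
        if key in scope:
            return scope[key]
    return DEFAULTS[key]


def mapped_exec_bits(conf, share):
    """Octal mask of execute bits the DOS-attribute mapping may set."""
    create_mask = int(effective(conf, share, "create mask"), 8)
    bits = 0
    for key, bit in MAP_BITS.items():
        enabled = effective(conf, share, key).lower() in ("yes", "true", "on", "1")
        if enabled and create_mask & bit:
            bits |= bit
    return bits


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE)
    for share in (s for s in conf if s != "global"):
        print(f"[{share}] mapped execute bits: {mapped_exec_bits(conf, share):04o}")
```

A result of 0111 corresponds to the "ugo+x" symptom in the original question; 0000 means no execute bit comes from attribute mapping on that share.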
[Samba] User can only login as admin, group policy fails the logon otherwise
I have a Samba 3.5 server that services seven Windows 7 computers. When the setup was originally installed, all workstations were independent systems and so all users had local administrative privilege. I have removed admin rights from all users but one. This user has a problem.

We'll call the user 'dmc' though that isn't his real username. In any event, dmc is a member of the local Administrators group on his assigned workstation. I've tried a few times in the past to remove his admin rights, but when I do so, he is unable to login with an error about Group Policy failing the logon, access is denied. If I restore the admin rights, the user can logon successfully. The user cannot logon to any other workstation on the network. I did not encounter this problem with any other user, so this is definitely unique to dmc.

According to everything that I can find via Google, the generally accepted solution is to delete the user's cached version of his roaming profile and then delete his profile on the server. I can't accept this, as this would mean that the user would virtually have to start from scratch. We are using folder redirection, so some information would be relatively easily retained, but the problem is that I'd like to find some way to figure out what's going on and to fix it.

I realize that this may not exactly be a Samba question: I am 99% certain that the problem is caused by something in the user's NTUSER.DAT file stored within his roaming profile that the Group Policy Client does not like. The problem that I am having is that I don't know how to determine what that is. The user's hive is large and therefore impractical to go through by hand without some notion of what to look for.

Can anyone offer any suggestions other than deleting the user's profile and effectively starting from scratch? Would anything in the Control Panel key in the user's NTUSER.DAT cause this? Is there some way to configure either Windows or Samba to log any additional information that can help me narrow down the problem so that I am able to at least identify the cause? If I can just find the cause, I'm confident that I can fix it without blowing the user's profile away entirely.

Also, there are no customizations to group policy on any of the workstations in this domain.

Much appreciated,
Michael Trausch

--
Michael B. Trausch
President, Naunet Corporation
Web: https://www.naunetcorp.com/
Phone: +1-(470)-201-5738
Re: [Samba] User can only login as admin, group policy fails the logon otherwise
On 06/02/2012 03:50 PM, Gaiseric Vandal wrote:
> Can you clarify a few things:
> - Are the machines now members of a domain?

Yes, the NT 4 domain that is in place and managed by Samba 3.5.

> - Is the dmc user a domain user or a local user only? If he is a domain user, how did you migrate him from a local to a domain user account? Does he have the appropriate file permissions to the local profile? When you move someone from a local to a domain user account you need to make sure the profile permissions are updated. There is a Microsoft tool to help move a cache in these cases.

The user is a domain user. When the system was implemented, all users were required to start from scratch WRT profiles and settings; documents and so forth were moved from the local users' drives to their UNIX homes in a location that is pointed to by Windows' folder redirection.

> - Assuming he is a domain user, is he unable to login on other computers by design?

No, he is unable to logon to other computers because of the same problem described in my OP. The only reason the user is allowed to logon to his assigned workstation is because for the moment he is a member of the workstation's administrators group.

> - Is this a desktop or a laptop?

Desktop. All workstations on this network are attached to the domain and are identical systems. They are not mobile.

--- Mike

--
Michael B. Trausch
President, Naunet Corporation
Web: https://www.naunetcorp.com/
Phone: +1-(470)-201-5738
Re: [Samba] Strange share behavior
On 03/11/2010 09:28 AM, Matthew Daubenspeck wrote:
> Hide unreadable works great, users cannot see any directories that they do not have access to. However, they can still create folders in the root of the share (/home/samba/share). I've even changed the perms of that directory to 000, and still users can create directories there. Am I missing something?

Have you patched your Samba 3.5.0 with the patch for CVE-2010-0728 yet? See http://samba.org/samba/history/security.html for info; essentially the problem was that Samba 3.5.0 (and 3.4.6, and 3.3.11) would ignore permissions for various things.

I know that I had set up a Samba 3.5.0 PDC for a client of mine, and thought that I had it set up correctly, but they were able to perform actions that they did not have proper permission to do. When I applied the patch for CVE-2010-0728, I had to do some reconfiguration to grant them access to some shares and files that they then no longer had access to.

--- Mike
Re: [Samba] Your password expires today problem
On 03/11/2010 02:04 AM, Richard Lamboj wrote:
> I got this problem with Samba 3.4.6 and 3.5.1 and yes, I know there is already a bug report. Your workaround doesn't work for me. Is there another solution? This doesn't work:
>
>     pdbedit -P "maximum password age" -C 4294967294
>
> I'm using LDAP. We have upgraded from 3.2.14. The LDAP schema files haven't changed, or?

I was told on IRC not to use pdbedit for changing the password aging information in Samba, but to instead use net sam to set policy. You should be able to set the maximum password age using the following command:

    # net sam policy set "maximum password age" 4294967294

You can set the following policy attributes this way (this is output from net sam policy list):

    min password length
    password history
    user must logon to change password
    maximum password age
    minimum password age
    lockout duration
    reset count minutes
    bad lockout attempt
    disconnect time
    refuse machine password change

HTH,
Mike
Re: [Samba] Your password expires today problem
On 03/11/2010 03:52 PM, Richard Lamboj wrote:
> Hello,
>
>     server-p:/# net sam policy set "maximum password age" 4294967294
>     Account policy maximum password age value was: -2
>     Account policy maximum password age value is now: -2
>
> Is that output normal?

Looks like there is some wrapping going on there. Try:

    # net sam policy set "maximum password age" 4294967291

That said, I don't know why there would be wrapping. An unsigned 32-bit integer's maximum value is 4294967295, so 4294967294 (the value that you used) should be something that would fit. I don't know what would cause that to happen that way.

--- Mike