Re: [Samba] Mutli-Homed Subnetting - Advice please
[EMAIL PROTECTED] wrote: 2) I plan to have a server on each subnet that will hold the static data and act as BDCs relieving the load on the PDC. Effectively, the content will be identical but as staff update data on one, is there a way of binding the server shares together so one updates the other. I know you can bind two drives on a unix box together with mount --bind. Has anyone tried binding two samba shares together? Is it easier to script an rsync -u . the simple and low-end way is if you use rsync or something like that to synchronize the data on both servers, and keep the data on both servers local. Use one of them as master (writable for your staff) and the other one as read-only slave. the high-end (high budget) way of doing this is to use storage that can be shared between multiple servers (for example a SAS or SCSI connected box) and use a cluster filesystem such as GFS or OCFS2 (and ideally use samba CTDB, then you have a real high performance, high availability samba cluster). regards, Olivier -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Kerberos authentication for non-windows KDCs
Jeremy Allison wrote: That's just not true. Many people are successfully using Samba3 to authenticate with tokens from MIT or Heimdal kerberos servers. The problem is getting the Windows clients to *get* these tickets, not in Samba interpreting them. Is 'getting' or 'using' the kerberos ticket the problem? One can install MIT kerberos on windows, and I suppose getting the tickets from an MIT KDC should be possible then, but will the cifs stack in windows actually use those tickets? regards, Olivier Sessink -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] samba cluster on multi tiered storage / hierarchial storage management
Hi all, we're looking at future storage technologies and possibilities to use open source software. One thing that looks very promising already is samba clustering with ctdb. However, if we replace all file servers with a single samba cluster, that cluster needs a lot of storage space. A large SAN would do, but using fast disks for all of the storage is quite expensive. Using a mix of cheap (slow) storage and fast (expensive) storage would satisfy the needs much better. Some of the data is used frequently, and some of the data is not used frequently. A policy driven hierarchial storage management solution for the samba ctdb cluster would be great. Keeping often-used blocks on a SAN with fast storage, and using cheaper storage for data that hasn't been used recently. What are good solutions in combination with samba, or should we look at something completely different ? regards, Olivier -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] samba anti virus vfs module: scannedonly-0.11
Dear all, Scannedonly 0.11 has been released. Scannedonly is a samba VFS module that ensures that only files that have been scanned for viruses are visible and accessible to the end user. The vfs module has a few new options to simulate on-access scanning for small (fast scanned) files. The clamAV daemon now has automatic database reloading. Documentation and downloads can be found at http://olivier.sessink.nl/scannedonly/ There is also a patch against samba 3.2 (git) that includes the vfs module into the samba source tree: http://olivier.sessink.nl/scannedonly/scannedonly-0.11_git.patch.gz regards, Olivier Sessink -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: scannedonly samba anti-virus vfs module
Olivier Sessink wrote: > Brian May wrote: [..] >> Maybe it would be better to list the file in the directory listing >> still, but prevent it from being opened for reading? > > I can make that configurable. Something like > > scannedonly: hide_nonscanned_files = False done, it will be part of the 0.11 release of the vfs module. There are also some changes to delay samba for some milliseconds (configurable) to allow the anti-virus scanner to scan the files. For small files this works almost like 'on-access' scanning. For larger not-scanned files this still means the user will get an 'access denied' until the file is found to be clean by the virus scanner. recheck http://olivier.sessink.nl/scannedonly/ in a few days, I'll try to put it up there. regards, Olivier -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: scannedonly samba anti-virus vfs module
Brian May wrote: >>>>>> "Olivier" == Olivier Sessink <[EMAIL PROTECTED]> writes: > > Olivier> user. If this is not the case, the file is not returned > Olivier> in any directory listing, and cannot be opened. The samba > Olivier> vfs module will also tell the daemon to scan this file. > > I can't help but think this might be confusing to the user, if the > file unexpectedly disappears after it is created or updated. If might > also confuse some programs that expect the file to exist immediately > after it is created. true. What I've been thinking about (not yet implemented) is to make some kind of 'timeout' option. When server loads are not too high files are scanned very quick. So in such a case we could 'hold' the request for half a second, and check again if the file is scanned already. something like: scannedonly: recheck_nonscanned_ms = 500 to hold 500ms and recheck the file > Maybe it would be better to list the file in the directory listing > still, but prevent it from being opened for reading? I can make that configurable. Something like scannedonly: hide_nonscanned_files = False > Write-only opens should be OK I think. Currently write-only is always granted. Read+write needs a scanned file and read needs a scanned file. regards, Olivier -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] scannedonly samba anti-virus vfs module
James R Grinter wrote: > On Sun, Dec 09, 2007 at 11:28:36AM +0100, Olivier Sessink wrote: >> daemons. The daemon scans files. If a certain file is clean, a second >> file is created with prefix .scanned:. The samba module simply looks if >> such a .scanned: file exists, and is newer than the pertinent file. If >> this is the case, the file is shown to the user. If this is not the > > I have a suggestion for extending this idea. There should be a mechanism > to allow the file to be rescanned again whenever the pattern file is updated. it's possible. But realize that this happens fairly often (the clamAV database, for example, changes about 3 times each day). If your samba server has several terabytes of data, it will be continuously scanning. Before the scanning is finished, the database would be renewed already. So I'm not sure if this is a very realistic option to deploy. Can you give some examples from situations in which you would deploy this option? To implement this, the tricky thing is to tell the vfs module what the most recent database is. Currently all communucation is one-way. The vfs module tells the AV-daemon only if it hits a file that has not been scanned yet. So if the AV-daemon is offline, most of the data on the samba server is still available. If the module has to check if the scanning time is older than the AV-database, it becomes quite dependent on the AV-daemon. regards, Olivier -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: scannedonly samba anti-virus vfs module
Peter Eser wrote: > Hi, > > only a feature suggestion: > I tried something similar as your VFS Module but never completed it. > I didn't create a second file (.scanned) for marking, but set an extended > file attribute > (getfattr, setfattr). > I also marked the unscanned files, not the scanned, so that a completely > scanned > directory is plain from any extras (nicer for backups). > I think for many files in the share the .scanned extra files can lead to > problems what kind of problems do you expect, can you give some more comments on that? > and you have always to hide them. true, but the module does this in the same way as non-scanned files are hidden, so there is no extra code involved. > Not all file systems have extended attributes (the most important have), so > a configuration switch would be nice. > > As said, only a feature request. > Besides your module is much appreciated. Connecting any virus scanner (or > other tools) to samba shares is needed. I might need some help to do that. I have never worked with attributes. Furthermore, right now the module is stackable (the underlying filesystem can be another samba vfs module). I don't know if samba features the getfattr and setfattr calls in the VFS layer, and it would be great to keep the module stackable. thanks for your comments, Olivier -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] scannedonly samba anti-virus vfs module
Volker Lendecke wrote: > On Mon, Dec 10, 2007 at 06:54:46PM +0100, Olivier Sessink wrote: >>> What is the best way to keep you informed as we modify the >>> VFS layer ? >> I was hoping that somewhere in the future the vfs module part of the >> code could be included in the samba source. I'm not sure what the >> requirements are for that. But it would make things very easy for >> end-users (end-administrators). Compiling the vfs module is right >> now a bit of a hassle for users that don't compile samba from source >> themselves. > > Can you post a patch against the git repo v3-2-test branch > that adds your module? I'll have to dive into GIT then first (I've never left good old cvs up til now), but I'll see what I can do. is it a good idea if somebody would first give a review of the code before merging it? Changing code after the merge is probably more difficult (sending a patch to a maintainer, the maintainer merging the code, etc.). regards, Olivier -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] scannedonly samba anti-virus vfs module
forgot to hit 'reply all', this time post to the list: Jeremy Allison wrote: >> Scannedonly is a samba VFS module that ensures that only files that have >> been scanned for viruses are visible and accessible to the end user. [..] >> More information can be found at http://olivier.sessink.nl/scannedonly/ > > Congratulations and thanks for this ! I'd like to make sure > this is kept in sync as we have to make changes to the Samba > VFS going forward to add more features (NT Streams etc.). > > What is the best way to keep you informed as we modify the > VFS layer ? I was hoping that somewhere in the future the vfs module part of the code could be included in the samba source. I'm not sure what the requirements are for that. But it would make things very easy for end-users (end-administrators). Compiling the vfs module is right now a bit of a hassle for users that don't compile samba from source themselves. regards, Olivier -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] scannedonly samba anti-virus vfs module
Dear all, this is the first public announcement of scannedonly. Scannedonly is a samba VFS module that ensures that only files that have been scanned for viruses are visible and accessible to the end user. Scannedonly was developed because of scalability problems with samba-vscan: high server loads when (the same) files were requested often, and timeouts when large zip files were requested. Scannedonly comes in two parts: a samba vfs module and (one or more) daemons. The daemon scans files. If a certain file is clean, a second file is created with prefix .scanned:. The samba module simply looks if such a .scanned: file exists, and is newer than the pertinent file. If this is the case, the file is shown to the user. If this is not the case, the file is not returned in any directory listing, and cannot be opened. The samba vfs module will also tell the daemon to scan this file. More information can be found at http://olivier.sessink.nl/scannedonly/ regards, Olivier Sessink -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba