[Samba] Delete permission question
Hi all

I have been trying to figure this out but have decided to give in and ask the list.

I am setting up a samba share that is writeable by numerous users. This is no problem - put them in the necessary group and chmod g+w that directory. The problem is that only the user who owns the parent directory is able to delete files from it. I know that dir permissions govern who can and can't delete files on Unix, but I'd like anyone to be able to delete any file within that directory structure.

I am not using any ACLs, nor am I using any special entries in the service definition of my smb.conf.

    [infoshare]
    path = /var/www/infoshare
    writable = yes
    force group = folder-infoshare-modify

    ls -l /var/www/
    drwxrwx---+ 6 root folder-infoshare-modify 4096 infoshare

In this case, my users belong to the correct group (folder-infoshare-modify) so they can write to the share without problem. However, unless their username is root, none of these users will be able to delete any file they save.

Is there a way to do this? I hope I have made this clear enough. If anyone can assist, I'd appreciate it.

Regards
Richard

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
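The post rests on the point that the right to delete a name lives on the containing directory, not on the file. The following audit helper, added here as example code (not from the original post and not part of Samba), walks a share tree and reports every directory whose mode would stop a group member who is not the directory owner from unlinking entries in it. The function names `deletion_blockers` and `demo` are hypothetical, the temp tree is constructed for the run, and POSIX ACLs are deliberately ignored because the post says none are in use. It covers the 0755 subdirectory that a umask of 022 leaves behind and, going one step beyond the post, the sticky-bit case.

```python
import os
import shutil
import stat
import tempfile


def deletion_blockers(share_root, share_gid):
    """List directories under share_root whose mode stops a member of
    share_gid (who does not own the directory) from unlinking entries.

    Unlinking a name needs write and search (execute) permission on the
    directory that holds the name; the file's own mode is irrelevant.
    Hypothetical helper written for this thread; ACLs are not inspected.
    """
    findings = []
    for dirpath, _dirnames, _filenames in os.walk(share_root):
        st = os.stat(dirpath)
        mode = st.st_mode
        problems = []
        if st.st_gid != share_gid:
            problems.append("group is not the share group")
        if not mode & stat.S_IWGRP:
            problems.append("no group write")
        if not mode & stat.S_IXGRP:
            problems.append("no group search (execute)")
        if mode & stat.S_ISVTX:
            # Sticky bit: only the entry's owner, the directory owner or
            # root may unlink, even though group write is present.
            problems.append("sticky bit set")
        if problems:
            findings.append((os.path.relpath(dirpath, share_root), problems))
    findings.sort()
    return findings


def demo():
    """Build a constructed share tree in a temp dir, audit it, clean up.

    Subdirectory modes mirror what users leave behind: 0755 is what a umask
    of 022 produces, 0775 is what the post's chmod g+w gives, and 01777
    shows the sticky-bit case.
    """
    root = tempfile.mkdtemp(prefix="infoshare-")
    try:
        os.chmod(root, 0o770)
        share_gid = os.stat(root).st_gid
        for name, mode in (("made_with_umask_022", 0o755),
                           ("group_writable", 0o775),
                           ("sticky", 0o1777)):
            path = os.path.join(root, name)
            os.mkdir(path)
            os.chmod(path, mode)
        return dict(deletion_blockers(root, share_gid))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, problems in demo().items():
        print(f"{path}: {', '.join(problems)}")
```

Run against a real share (`deletion_blockers("/var/www/infoshare", gid)`) the output is the list of directories that need their group bits fixed; the share root in the post (drwxrwx---) would not appear, so any finding would be in subdirectories that users created.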
Re: [Samba] Winbind mappings change over time
simo wrote:
> On Wed, 2006-11-01 at 08:52 +1300, Richard Greaney wrote:
>> Hi Simo
>>
>> Thanks for your reply. I might have made things a little hazy in my initial post. The 40-odd servers I mentioned are all on remote client sites and each has its own corresponding Windows server. Effectively, I have the same problem on all sites at one time or another. My issue isn't with the order of winbind mapping, but more with the fact that the SID to UID mapping appears to change over time.
>
> This can happen only if you delete winbind_idmap.tdb. Mappings cannot change otherwise. Make sure you backup that file so that you can restore it in case you need.
>
>> I will take a look for information about idmap_ldap as a backend to see if it is going to work with my setup.
>
> idmap_ldap is useful if you need to share mappings, otherwise it is less ideal for reliability and performance reasons (you start needing ldap replicas and manage them).
>
> Simo.

What about idmap_rid (or just rid as it's called these days)? You mentioned this in an earlier email but I read it as idmap_ldap. Obviously it doesn't work on trusted domains, but apart from that would this be the best option for use in <1000 user sites?

--
Richard Greaney
Senior Technician
NET Solutions
Massey University College of Education
Palmerston North
e-mail: [EMAIL PROTECTED]
Phone: 06 351 3323
Re: [Samba] Winbind mappings change over time
simo wrote:
> On Tue, 2006-10-31 at 15:52 +1300, Richard Greaney wrote:
>> Hi all
>>
>> I have a peculiar problem that has been ongoing over the last few years. I have a mail server which is running winbind and giving distributed authentication from a Windows server. Winbind UID mapping is in the typical 1-2 range. Everything works fine... for the first little while at least anyway.
>>
>> From what I can tell, when winbind is first set up it allocates UIDs for all existing Windows users, in order of their SID on the Windows server (e.g., the lowest SID on the Windows server gets the UID of 1, the next gets 10001 and so on). Again, this works fine.
>>
>> However, this is where things start to get messy. The problem I'm getting is that over time, these Windows - Unix ID maps get muddled up. I've deployed some 40-odd Linux servers, some talking to AD, some talking to Windows NT, some using Postfix for mail, some using Exim. In all cases, this problem comes up at one time or another. You notice it because the mailboxes (/var/mail/username) start having different owners. This effectively kills a particular person's mail. For example, the user 'jsmith' should have 'jsmith' as the mailbox owner, but they might have 'jbloggs' as the owner. This is because the UID that was assigned to jsmith has now been assigned to jbloggs. And yet there was never any change to the jsmith or jbloggs account on the Windows server.
>>
>> Has anybody else had this problem? I'm using a range of samba builds up to 3.0.14a which, I realise, is rather old. However I'm loath to upgrade when this is the only problem I'm getting, if the problem isn't fixed in later versions. I've tried a search in bugzilla but couldn't seem to come up with a query that returned less than 200 bugs.
>
> Richard, the allocation order is not guaranteed at all. Winbindd works on a first come first serve basis, it is only a case that most of the time it will get you the same order on new server for most users.
>
> If you need to keep the same mapping for more than one server then you need to share the mapping between them. The only backend that supports shared mapping out of the box at this time is idmap_ldap. idmap_rid instead uses an algorithmic mapping and does not need synchronization, but it is somewhat limited (no trusted domain except by recompiling it with experimental options).
>
> Simo.

Hi Simo

Thanks for your reply. I might have made things a little hazy in my initial post. The 40-odd servers I mentioned are all on remote client sites and each has its own corresponding Windows server. Effectively, I have the same problem on all sites at one time or another. My issue isn't with the order of winbind mapping, but more with the fact that the SID to UID mapping appears to change over time.

I will take a look for information about idmap_ldap as a backend to see if it is going to work with my setup.

Richard
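Simo's two points in this thread, that the default tdb allocator hands out IDs first come first served and that idmap_rid is algorithmic, are easiest to see side by side. The model below is added example code written for this thread (not the original posters' code and not Samba's implementation): it applies the formula the idmap_rid(8) manual page gives, ID = RID - BASE_RID + LOW_RANGE_ID, and contrasts it with a minimal first-come allocator. The domain SID, the RIDs and the 10000-20000 range are constructed values, and the function names are hypothetical. The optional domain check in `rid_map` goes slightly beyond the thread to show why a single rid range cannot serve trusted domains: the same RID in another domain would produce the same ID.

```python
import re

# Domain SID constructed for this example; the trailing number is the RID.
DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"
OTHER_DOMAIN_SID = "S-1-5-21-444444444-555555555-666666666"

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Return (domain SID, RID), or raise ValueError for a non-domain SID."""
    m = SID_RE.match(sid)
    if m is None:
        raise ValueError(f"not a domain account SID: {sid}")
    return m.group(1), int(m.group(2))


def rid_map(sid, low, high, base_rid=0, domain_sid=None):
    """Algorithmic mapping as idmap_rid(8) documents it:
    ID = RID - BASE_RID + LOW_RANGE_ID, accepted only inside [low, high].
    The same SID gives the same ID on every server; there is no state to drift.
    The domain_sid check is an addition for illustration: a second domain's
    account with the same RID would otherwise collide on the same ID.
    """
    domain, rid = split_sid(sid)
    if domain_sid is not None and domain != domain_sid:
        return None
    unix_id = rid - base_rid + low
    if not low <= unix_id <= high:
        return None  # outside the configured range: no mapping
    return unix_id


def first_come_map(sids_in_lookup_order, low):
    """Model of the default tdb allocator Simo describes: the next free ID goes
    to whichever SID is looked up first, so the result depends on history."""
    mapping = {}
    next_id = low
    for sid in sids_in_lookup_order:
        if sid not in mapping:
            mapping[sid] = next_id
            next_id += 1
    return mapping


def compare_servers(low=10000, high=20000):
    """Two servers meet the same three accounts in different orders."""
    sids = [f"{DOMAIN_SID}-{rid}" for rid in (1106, 1107, 1185)]
    server_a = first_come_map(sids, low)
    server_b = first_come_map(reversed(sids), low)
    rid_a = {s: rid_map(s, low, high) for s in sids}
    rid_b = {s: rid_map(s, low, high) for s in reversed(sids)}
    return {
        "first_come_agree": server_a == server_b,
        "rid_agree": rid_a == rid_b,
        "first_come_a": server_a,
        "first_come_b": server_b,
        "rid_map": rid_a,
    }


if __name__ == "__main__":
    result = compare_servers()
    print("first-come allocators agree:", result["first_come_agree"])
    print("rid mappings agree:         ", result["rid_agree"])
    for sid, unix_id in result["rid_map"].items():
        print(f"  {sid} -> {unix_id}")
```

The first-come model also shows why deleting winbind_idmap.tdb is the one event that changes mappings: the allocator restarts from `low`, and the order in which accounts are looked up afterwards decides who gets which ID.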
[Samba] Winbind mappings change over time
Hi all

I have a peculiar problem that has been ongoing over the last few years. I have a mail server which is running winbind and giving distributed authentication from a Windows server. Winbind UID mapping is in the typical 1-2 range. Everything works fine... for the first little while at least anyway.

From what I can tell, when winbind is first set up it allocates UIDs for all existing Windows users, in order of their SID on the Windows server (e.g., the lowest SID on the Windows server gets the UID of 1, the next gets 10001 and so on). Again, this works fine.

However, this is where things start to get messy. The problem I'm getting is that over time, these Windows - Unix ID maps get muddled up. I've deployed some 40-odd Linux servers, some talking to AD, some talking to Windows NT, some using Postfix for mail, some using Exim. In all cases, this problem comes up at one time or another. You notice it because the mailboxes (/var/mail/username) start having different owners. This effectively kills a particular person's mail. For example, the user 'jsmith' should have 'jsmith' as the mailbox owner, but they might have 'jbloggs' as the owner. This is because the UID that was assigned to jsmith has now been assigned to jbloggs. And yet there was never any change to the jsmith or jbloggs account on the Windows server.

Has anybody else had this problem? I'm using a range of samba builds up to 3.0.14a which, I realise, is rather old. However I'm loath to upgrade when this is the only problem I'm getting, if the problem isn't fixed in later versions. I've tried a search in bugzilla but couldn't seem to come up with a query that returned less than 200 bugs.

Relevant part of smb.conf:

    winbind separator = ~
    winbind uid = 1-2
    winbind gid = 1-2
    winbind cache time = 15
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%U
    template shell = /bin/false
    winbind use default domain = yes

Thanks in advance
Richard
[Samba] Not all users correctly winbind-ing on Server 2003 SP1 with 3.0.20b
Hi all

This one has me baffled - leading me to believe it could be a bug similar to https://bugzilla.samba.org/show_bug.cgi?id=2695

I am running samba 3.0.20b on debian unstable and am having problems with some users not resolving properly using winbind.

    wbinfo -u shows all users on the system, no problem
    wbinfo -a user%password works for any user
    getent passwd shows most but not all users

For a user who isn't shown with getent, wbinfo -n will give me their sid, but wbinfo -S {sid} returns "Could not convert sid S-1-5-21-997653320-332963777-2638616180-1106 to uid"

I have 100 users on the Windows server. Only 81 are being correctly resolved. I have tried removing the winbind_idmap.tdb file and getting winbindd to rebuild it, but this makes no difference.

Here is a log of what I get when I run winbindd -SFi -d3 then getent passwd:

    ads_sasl_spnego_bind: got server principal name [EMAIL PROTECTED]
    ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
    Ticket in ccache[MEMORY:winbind_ccache] expiration Mon, 31 Oct 2005 23:47:43 GMT
    ads: query_user_list
    ads query_user_list gave 100 entries
    tdb(/var/lib/samba/winbindd_idmap.tdb): rec_read bad magic 0x42424242 at offset=59948
    error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1106
    could not lookup domain user IWAM_DC1
    tdb(/var/lib/samba/winbindd_idmap.tdb): rec_read bad magic 0x42424242 at offset=59948
    tdb(/var/lib/samba/winbindd_idmap.tdb): rec_free_read bad magic 0x42424242 at offset=60200
    error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1107
    could not lookup domain user cba_anonymous
    tdb(/var/lib/samba/winbindd_idmap.tdb): rec_read bad magic 0x42424242 at offset=59864
    error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1185
    could not lookup domain user WS0012$
    tdb(/var/lib/samba/winbindd_idmap.tdb): rec_read bad magic 0x42424242 at offset=60116
    tdb(/var/lib/samba/winbindd_idmap.tdb): rec_free_read bad magic 0x42424242 at offset=60200
    error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1189
    could not lookup domain user Room3
    tdb(/var/lib/samba/winbindd_idmap.tdb): rec_read bad magic 0x42424242 at offset=60032
    tdb(/var/lib/samba/winbindd_idmap.tdb): rec_free_read bad magic 0x42424242 at offset=60200
    error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1195
    could not lookup domain user Room9
    tdb(/var/lib/samba/winbindd_idmap.tdb): rec_read bad magic 0x42424242 at offset=59780
    error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1209
    could not lookup domain user WS0022$
    tdb(/var/lib/samba/winbindd_idmap.tdb): rec_read bad magic 0x42424242 at offset=60116
    tdb(/var/lib/samba/winbindd_idmap.tdb): rec_free_read bad magic 0x42424242 at offset=60200
    error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1239
    could not lookup domain user LMarychurch
    tdb(/var/lib/samba/winbindd_idmap.tdb): rec_read bad magic 0x42424242 at offset=59780
    tdb(/var/lib/samba/winbindd_idmap.tdb): rec_free_read bad magic 0x42424242 at offset=60200
    error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1241
    could not lookup domain user MWiggins
    tdb(/var/lib/samba/winbindd_idmap.tdb): rec_read bad magic 0x42424242 at offset=60116
    error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1242
    could not lookup domain user LBurgess
    tdb(/var/lib/samba/winbindd_idmap.tdb): rec_free_read bad magic 0x42424242 at offset=60200
    error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1249
    could not lookup domain user LT0006$
    tdb(/var/lib/samba/winbindd_idmap.tdb): rec_read bad magic 0x42424242 at offset=59948
    tdb(/var/lib/samba/winbindd_idmap.tdb): rec_free_read bad magic 0x42424242 at offset=60200
    error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1252
    could not lookup domain user LT0008$
    tdb(/var/lib/samba/winbindd_idmap.tdb): rec_free_read bad magic 0x42424242 at offset=60200
    error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1256
    could not lookup domain user LT0010$
    tdb(/var/lib/samba/winbindd_idmap.tdb): rec_read bad magic 0x42424242 at offset=59780
    tdb(/var/lib/samba/winbindd_idmap.tdb): rec_free_read bad magic 0x42424242 at offset=60200
    error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1258
    could not lookup domain user LT0012$
    tdb(/var/lib/samba/winbindd_idmap.tdb): rec_free_read bad magic 0x42424242 at offset=60200
    error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1261
    could not lookup domain user issue
    tdb(/var/lib/samba/winbindd_idmap.tdb): rec_free_read bad magic 0x42424242 at offset=60200
    error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1262
    could not lookup domain user Search
    tdb(/var/lib/samba/winbindd_idmap.tdb): rec_free_read bad magic 0x42424242 at offset=60200
    error getting user id for sid S-1-5-21-997653320-332963777-2638616
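The log above is long and repetitive, and the useful facts in it (which SIDs failed to map, which account names they belong to, and how many idmap tdb records were rejected, at which offsets) are scattered across three-line groups. The parser below is added example code written for this thread, not the poster's or Samba's; its sample input is a short excerpt constructed from the post's own output, and the function names `parse_winbindd_log` and `verdict` are hypothetical. It does not claim a cause for the bad-magic records; it only turns the output into a summary an operator can compare across runs, for instance before and after rebuilding the tdb as the poster tried.

```python
import re
from collections import Counter

# Excerpt constructed from the winbindd -d3 output in the post above,
# one event per line.
SAMPLE_LOG = """\
ads query_user_list gave 100 entries
tdb(/var/lib/samba/winbindd_idmap.tdb): rec_read bad magic 0x42424242 at offset=59948
error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1106
could not lookup domain user IWAM_DC1
tdb(/var/lib/samba/winbindd_idmap.tdb): rec_read bad magic 0x42424242 at offset=59948
tdb(/var/lib/samba/winbindd_idmap.tdb): rec_free_read bad magic 0x42424242 at offset=60200
error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1107
could not lookup domain user cba_anonymous
tdb(/var/lib/samba/winbindd_idmap.tdb): rec_read bad magic 0x42424242 at offset=59864
error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1185
could not lookup domain user WS0012$
"""

TDB_RE = re.compile(
    r"^tdb\((?P<path>[^)]+)\): (?P<op>\w+) bad magic (?P<magic>0x[0-9a-fA-F]+) "
    r"at offset=(?P<offset>\d+)$"
)
SID_ERR_RE = re.compile(r"^error getting user id for sid (?P<sid>S-1-5-21(?:-\d+)+)$")
USER_RE = re.compile(r"^could not lookup domain user (?P<user>\S+)$")
COUNT_RE = re.compile(r"^ads query_user_list gave (?P<n>\d+) entries$")


def parse_winbindd_log(text):
    """Summarise an idmap failure pattern from winbindd debug output.

    Returns the number of enumerated accounts, the (name, SID) pairs that
    could not be mapped, a Counter of rejected tdb records keyed by
    (operation, offset), and the set of tdb files involved.
    """
    summary = {
        "enumerated": None,
        "unresolved": [],
        "tdb_bad_records": Counter(),
        "tdb_files": set(),
    }
    pending_sid = None  # SID from the most recent "error getting user id" line
    for raw in text.splitlines():
        line = raw.strip()
        if m := COUNT_RE.match(line):
            summary["enumerated"] = int(m["n"])
        elif m := TDB_RE.match(line):
            summary["tdb_bad_records"][(m["op"], int(m["offset"]))] += 1
            summary["tdb_files"].add(m["path"])
        elif m := SID_ERR_RE.match(line):
            pending_sid = m["sid"]
        elif (m := USER_RE.match(line)) and pending_sid:
            # The name line always follows its SID line in this output.
            summary["unresolved"].append((m["user"], pending_sid))
            pending_sid = None
    return summary


def verdict(summary):
    """One line an operator can act on."""
    unresolved = len(summary["unresolved"])
    if summary["tdb_bad_records"]:
        files = ", ".join(sorted(summary["tdb_files"]))
        return (f"idmap store {files} rejects records: "
                f"{unresolved} of {summary['enumerated']} accounts unmapped")
    if unresolved:
        return f"{unresolved} accounts unmapped without tdb errors"
    return "no idmap failures"


if __name__ == "__main__":
    s = parse_winbindd_log(SAMPLE_LOG)
    print(verdict(s))
    for user, sid in s["unresolved"]:
        print(f"  {user:16} {sid}")
    for (op, offset), n in sorted(s["tdb_bad_records"].items()):
        print(f"  {op} at offset {offset}: {n} time(s)")
```

Feeding the full log from the post through `parse_winbindd_log` gives the 19 unmapped accounts that correspond to the poster's "100 users, 81 resolved" arithmetic, and the small set of repeated offsets shows the rejected records are a handful of fixed locations in the file rather than random reads.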
[Samba] PAM Error 9
Hi all

I have set my Samba server up to join an AD realm. Winbind is working fine and I am able to use it for authentication as needed. When I try to connect to one of my shares via a Windows client, I get the following error:

    [2004/11/04 11:57:54, 0] auth/pampass.c:smb_pam_account(573)
      smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: MYDOMAIN+room1
    [2004/11/04 11:57:54, 2] auth/pampass.c:smb_pam_error_handler(73)
      smb_pam_error_handler: PAM: Account Check Failed : Authentication service cannot retrieve authentication info.
    [2004/11/04 11:57:54, 0] auth/pampass.c:smb_pam_accountcheck(781)
      smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User MYDOMAIN+room1!
    [2004/11/04 11:57:54, 2] auth/auth.c:check_ntlm_password(312)
      check_ntlm_password: Authentication for user [room1] -> [room1] FAILED with error NT_STATUS_LOGON_FAILURE

My smb.conf file looks something like this:

    [global]
    winbind separator = +
    winbind uid = 1-2
    winbind gid = 1-2
    winbind cache time = 15
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%U
    template shell = /bin/false
    winbind use default domain = yes
    panic action = /usr/share/samba/panic-action %d
    # passwd program = /usr/bin/passwd %u
    printing = bsd
    netbios name = proxy
    dns proxy = no
    syslog only = no
    name resolve order = lmhosts host wins bcast
    encrypt passwords = true
    # passdb backend = smbpasswd guest
    socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096
    short preserve case = yes
    printcap name = /etc/printcap
    invalid users = root
    max log size = 1000
    obey pam restrictions = yes
    # passwd chat = *Enter\snew\sUNIX\spassword:* %n\n Retype\snew\sUNIX\spassword:* %n\n .
    security = ads
    password server = DC1
    realm = MYDOMAIN.BLAH
    preserve case = yes
    unix password sync = false
    workgroup = MYDOMAIN
    server string = %h server (Samba %v)
    syslog = 0;
    guest account = nobody
    load printers = yes

For what it's worth, my /etc/pam.d/samba file is as follows:

    auth       required     /lib/security/pam_env.so
    auth       sufficient   /lib/security/pam_unix.so likeauth nullok
    auth       sufficient   /lib/security/pam_winbind.so use_first_pass
    auth       required     /lib/security/pam_deny.so
    account    required     /lib/security/pam_unix.so
    account    sufficient   /lib/security/pam_winbind.so use_first_pass
    password   required     /lib/security/pam_cracklib.so retry=3 type=
    # Note: The above line is complete. There is nothing following the '='
    password   sufficient   /lib/security/pam_unix.so \
                                nullok use_authtok md5 shadow
    password   sufficient   /lib/security/pam_winbind.so use_first_pass
    password   required     /lib/security/pam_deny.so
    session    required     /lib/security/pam_limits.so
    session    sufficient   /lib/security/pam_unix.so
    session    sufficient   /lib/security/pam_winbind.so use_first_pass

Interestingly enough, if I connect using smbclient and force it to use kerberos with the -k option, I am able to connect. It's not until I try to use NTLM that I receive the error.

Any suggestions?

Cheers
Richard
[Samba] Samba as BDC to AD Server
(Written as standalone message and not reply this time!!)

Hi all

This one has been puzzling me for quite a while now. I have been able to set up Samba 3 as an NT4 DC replacement, using the passdb backend. For other applications, I have run Samba and Winbind alongside a Windows Server 2003 Domain Controller and used distributed authentication across the two platforms.

What I would like to do now is to use Samba in what is effectively a BDC-type role. I have read a few resources, in particular the Samba Howto Collection, which mention that this is not possible. However, I'm not giving up hope yet.

If I am running Winbind successfully, I can set a Windows domain user/group as the owner of a file. If I add POSIX ACL support, then I also gain the ability to extend permissions in a Windows-ish manner. What's missing, then, is an authentication medium. In short, the Samba passdb backend is the hurdle. Am I correct in this assumption?

If so, then why can we not run Samba in backend-less mode? As the user database is already distributed across onto the Samba server (by correct setup of winbind) I don't see why we need another backend at all. Sure, grab the username and password from the clients, but PAM-ify the authentication medium so we use the database already in existence. Is it possible to run Samba in this mode?

Hoping someone can help. I may be totally ambitious too, I realise :)

Cheers
Richard
[Samba] Samba Server inside AD Realm
This one has been puzzling me for quite a while now. I have been able to set up Samba 3 as an NT4 DC replacement, using the passdb backend. For other applications, I have run Samba and Winbind alongside a Windows Server 2003 Domain Controller and used distributed authentication across the two platforms.

What I would like to do now is to use Samba in what is effectively a BDC-type role. I have read a few resources, in particular the Samba Howto Collection, which mention that this is not possible. However, I'm not giving up hope yet.

If I am running Winbind successfully, I can set a Windows domain user/group as the owner of a file. If I add POSIX ACL support, then I also gain the ability to extend permissions in a Windows-ish manner. What's missing, then, is an authentication medium. In short, the Samba passdb backend is the hurdle. Am I correct in this assumption?

If so, then why can we not run Samba in backend-less mode? As the user database is already distributed across onto the Samba server (by correct setup of winbind) I don't see why we need another backend at all. Sure, grab the username and password from the clients, but PAM-ify the authentication medium so we use the database already in existence. Is it possible to run Samba in this mode?

Hoping someone can help. I may be totally ambitious too, I realise :)

Cheers
Richard