[Samba] Vista, %H, booting up

2008-04-03 Thread Stewart, Eric
I have a RHEL 5 server using Samba (but not Winbind, reporting the
version as 3.0.25b-1.el5_1.4) serving profiles via:

[profile]
   comment = Profile directory - special share
   invalid users = nobody
   browseable = yes
   guest ok = no
   read only = no
   force directory mode = 0700
   csc policy = disable
   force create mode = 0600
   create mask = 0600
   directory mask = 0700
   locking = no
   profile acls = yes
   path = %H/profile

Vista workstations can map the share *after* they are fully logged in.
However, during the login process, normal logging reports:

[2008/04/03 06:51:26, 0] smbd/service.c:make_connection(1191)
  c-vista (131.247.112.205) couldn't find service profile.v2
[2008/04/03 06:51:27, 0] smbd/service.c:make_connection(1191)
  c-vista (131.247.112.205) couldn't find service profile.v2

And the station reports that the profile was not loaded.  The Windows
error log on the client reports something along the lines of "file not
found".

 

If you'd like to see additional logging, let me know.

XP workstations have no problem getting profiles, nor does the Vista
station have any problems (now, after forcing NTLMv2 and switching to
ADS security from Domain - I had had problems getting ADS to work
originally) mapping shares once it's up and running.

Just hoping someone has a quick "add this line to the share config"
suggestion.

Winbind is not used on this station for legacy reasons - and because
(though I haven't seen it recently) Winbind used to occasionally lose
its mappings and give everyone new IDs.

Thanks!

Eric Stewart
Network Administrator, Tampa Library
University of South Florida
Email: [EMAIL PROTECTED]
http://www.lib.usf.edu/  

SCUBA Diving since 1999 - http://ericdives.com/ 


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


RE: [Samba] 3.0.23 and group behavior

2006-07-31 Thread Stewart, Eric
Well, I just did a fresh compile and install of 3.0.23a on a
test machine and am experiencing the same behavior.  In this case,
winbind is up and running, and I can chown/chgrp directories as Windows
users/groups.  I am able to connect when "valid users" expressly lists
my username, but not when it specifies a group I am in.  Config:

[global]
   load printers = no
   guest account = nobody
   hosts allow = 
   workgroup = MYDOM
   security = ADS
   realm = MY.REALM
   password server = *
   client schannel = no
   client use spnego = yes
   encrypt passwords = yes
   local master = no
   os level = 1
   wins server = 
   preserve case = yes
   invalid users = root mail daemon
   log level = 10
   max log size = 0
   debug uid = yes
   debug pid = yes
   log file = /usr/local/samba/var/log.%m
   lock directory = /usr/local/samba/var/locks
   share modes = yes
   allow trusted domains = no
   winbind separator = +
   winbind uid = 12500-1
   winbind gid = 12500-1
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = no
   template homedir = /dev/null

[testshare1] ; this I can connect to
   browseable = yes
   force create mode = 0664
   force directory mode = 0775
   force group = web
   path = 
   read only = no
   valid users = MYDOM+eric

[testshare2] ; Here I get prompted for username and password, and denied
   browseable = yes
   force create mode = 0664
   force directory mode = 0775
   force group = MYDOM+mygroup
   follow symlinks = no
   path = 
   valid users = @MYDOM+mygroup
   read only = no

[testshare3] ; haven't gotten this far yet
   browseable = yes
   force create mode = 0664
   force directory mode = 0775
   follow symlinks = no
   force group = unixgroup
   path = 
   valid users = @MYDOM+othergroup, MYDOM+otheruser
   read only = no

Some log file lines I see (not posted cause it would take a
while to sanitize - let me know if I need to sanitize them and post them
to the group, or if you want them sent direct to someone):

  winbind_lookup_sid: SUCCESS: SID
S-1-5-21-1409082233-1202660629-1343024091-5626 -> MYDOM mygroup
  string_to_sid: Sid @MYDOM+mygroup does not start with 'S-'.

This is a test box mind you - my original query was about one of
two production boxes I have running Samba (one uses Winbind, the other
does not, and it was the one I was querying about).

> -Original Message-
> From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED] 
> Sent: Monday, July 17, 2006 11:00 AM
> To: Stewart, Eric
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] 3.0.23 and group behavior
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Stewart, Eric wrote:
> > Okay, first the admissions:
> 
> Fixed in 3.0.23a due out in the next 24 - 48 hours.
> 
> 
> 
> 
> 
> 
> jerry
> =
> Samba--- http://www.samba.org
> Centeris ---  http://www.centeris.com
> "What man is a man who does not make the world better?"  --Balian
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.2 (GNU/Linux)
> Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org
> 
> iD8DBQFEu6XgIR7qMdg1EfYRAs27AKCAOAsE3ifK9graUN8MlNAyuPxOPwCgjVjC
> mmBFW4oI18smyBC8HPl7fAs=
> =wNMw
> -END PGP SIGNATURE-
> 
> 
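The "valid users" lines in the test shares above (MYDOM+eric, @MYDOM+mygroup, "@MYDOM+othergroup, MYDOM+otheruser") are the interesting part of this report, and the string_to_sid log line shows 3.0.23 handing the whole "@MYDOM+mygroup" token to a SID parser instead of a group lookup. The following is an added example, not Samba's own code: a small model of how smb.conf(5) says those tokens are meant to be resolved ('@' tries the NIS netgroup map then the UNIX group database, '+' only UNIX groups, '&' only netgroups, anything else an exact username). The group and netgroup membership tables are constructed sample data, and "MYDOM+mygroup" stands in for a winbind-mapped group under "winbind separator = +".

```python
# Added example, not Samba's own code: a model of how "valid users" tokens are
# resolved per the smb.conf(5) rules for the '@', '+' and '&' prefixes.
# Membership tables below are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class NameDb:
    """Stand-in for the UNIX group database and the NIS netgroup map."""
    unix_groups: dict = field(default_factory=dict)   # group name -> set of members
    netgroups: dict = field(default_factory=dict)     # netgroup name -> set of members

    def in_unix_group(self, group: str, user: str) -> bool:
        return user in self.unix_groups.get(group, set())

    def in_netgroup(self, netgroup: str, user: str) -> bool:
        return user in self.netgroups.get(netgroup, set())


def token_allows(token: str, user: str, db: NameDb) -> bool:
    """Evaluate one 'valid users' token for 'user'.
    '@name'  -> netgroup first, then UNIX group
    '+name'  -> UNIX group only
    '&name'  -> netgroup only
    '+&name' / '&+name' -> both, in the order written
    anything else -> exact username match
    Only leading prefix characters are stripped, so the '+' inside a winbind
    name such as MYDOM+mygroup is left alone."""
    lookups = []
    while token and token[0] in "@+&":
        if token[0] == "@":
            lookups += ["netgroup", "unix"]
        elif token[0] == "+":
            lookups.append("unix")
        else:
            lookups.append("netgroup")
        token = token[1:]
    if not lookups:
        return token == user
    for kind in lookups:
        if kind == "unix" and db.in_unix_group(token, user):
            return True
        if kind == "netgroup" and db.in_netgroup(token, user):
            return True
    return False


def valid_users_allows(valid_users: str, user: str, db: NameDb) -> bool:
    """'valid users' is a comma- or space-separated list; any matching token
    grants access. An empty list means any authenticated user may connect,
    which is the smb.conf default."""
    tokens = valid_users.replace(",", " ").split()
    if not tokens:
        return True
    return any(token_allows(t, user, db) for t in tokens)


# Constructed membership data mirroring the shares discussed in the thread.
SAMPLE_DB = NameDb(
    unix_groups={
        "MYDOM+mygroup": {"MYDOM+eric", "MYDOM+jane"},
        "MYDOM+othergroup": {"MYDOM+jane"},
        "cats": {"alice"},
        "staff": {"bob"},
    },
    netgroups={"ldc": {"carol"}, "cats": {"dave"}},
)

if __name__ == "__main__":
    for share, vu, user in [
        ("testshare1", "MYDOM+eric", "MYDOM+eric"),
        ("testshare2", "@MYDOM+mygroup", "MYDOM+eric"),
        ("testshare3", "@MYDOM+othergroup, MYDOM+otheruser", "MYDOM+eric"),
        ("cats", "+cats, @ldc, @staff", "dave"),   # '+cats' never looks at the netgroup
        ("cats", "+cats, @ldc, @staff", "carol"),  # '@ldc' finds the netgroup
    ]:
        print(f"{share:10} valid users = {vu!r:40} {user}: "
              f"{valid_users_allows(vu, user, SAMPLE_DB)}")
```

The point of the model is the difference between "+cats" and "@cats": the first consults only /etc/group (or winbind's view of it), the second also accepts a NIS netgroup of that name, which is why the original cats share worked with either prefix on 3.0.22 but the prefix alone could not explain the 3.0.23 denial.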


[Samba] 3.0.23 and group behavior

2006-07-17 Thread Stewart, Eric
Okay, first the admissions:
I'll admit that I haven't been following the development as
closely as I probably should have.  And I'll admit in this case I might
not be using Samba in the most efficient way possible.  Also, I'm not
100% sure if I'm encountering a bug or just a seriously stupid
misconfiguration issue.  And I'm still collecting data on exactly what
happened.  Finally, I've read the release notes but I'm wondering if I'm
"just not getting it".

The whys and hows, and setups:

Currently using samba on a file server to serve home and shared
directories.
Domain is W2K3 AD.
Server is RHEL4, and Samba was upgraded from 3.0.22 (works) to
3.0.23 (had an issue).
Winbind is not used, mainly because I'm not comfortable with the
mapping situation of Windows to Unix and how the IDs can change.  So,
every valid user has both an AD account and a Unix account.
Group access to multiuser shares is controlled using Unix
groups.

Pertinent config info:

[global]
   guest account = nobody
   hosts allow = 
   workgroup = 
   realm = 
   use kerberos keytab = true
   client use spnego = yes
   security = ADS
   encrypt passwords = yes
   password server = *
   browseable = no
   local master = no
   os level = 1
   wins server = 
   preserve case = yes
   log level = 3 ; 
   invalid users = root mail daemon
;  This next option sets a separate log file for each client. Remove
;  it if you want a combined log file.
   log file = /usr/local/samba/var/log.%m
   lock directory = /usr/local/samba/var/locks
   share modes = yes
   allow trusted domains = no
   max log size = 0

  [cats]
   comment = Share directory for cats (T:\)
   browseable = yes
   path = /home/dudley/cats/CATS
   read only = no
   valid users = +cats, @ldc, @staff
   force group = cats
   force create mode = 0660
   create mask = 0660
   directory mask = 0770
   force directory mode = 0770
   veto oplock files = /*.mdb/*.MDB/*.xls/*.XLS/

Okay, that should all be fairly straightforward, yes?  But with
3.0.23, folks in the cats unix group (which prior to troubleshooting the
problem, was specified as @cats, but both @cats and +cats had problems)
were not allowed access to or even able to map the share.
Finally, here's a bit of debugging info from a log file; I'm
sure you probably want more than this but I don't want to spam the list
too hard, so if you want a more full log sent here or to another
address, let me know:

[2006/07/17 08:16:30, 3] smbd/process.c:process_smb(1110)
  Transaction 34 of length 80
[2006/07/17 08:16:30, 3] smbd/process.c:switch_message(914)
  switch message SMBtrans2 (pid 8392) conn 0x8979958
[2006/07/17 08:16:30, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (10119, 1010) - sec_ctx_stack_ndx = 0
[2006/07/17 08:16:30, 3] smbd/trans2.c:call_trans2qfilepathinfo(2908)
  call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004
[2006/07/17 08:16:30, 3] smbd/trans2.c:call_trans2qfilepathinfo(2959)
  call_trans2qfilepathinfo . (fnum = -1) level=1004 call=5 total_data=0
[2006/07/17 08:16:30, 3] smbd/process.c:process_smb(1110)
  Transaction 35 of length 74
[2006/07/17 08:16:30, 3] smbd/process.c:switch_message(914)
  switch message SMBtrans2 (pid 8392) conn 0x8979958
[2006/07/17 08:16:30, 3] smbd/trans2.c:call_trans2qfsinfo(2167)
  call_trans2qfsinfo: level = 258
[2006/07/17 08:16:30, 3] smbd/process.c:process_smb(1110)
  Transaction 36 of length 74
[2006/07/17 08:16:30, 3] smbd/process.c:switch_message(914)
  switch message SMBtrans2 (pid 8392) conn 0x8979958
[2006/07/17 08:16:30, 3] smbd/trans2.c:call_trans2qfsinfo(2167)
  call_trans2qfsinfo: level = 261
[2006/07/17 08:16:30, 3] smbd/process.c:process_smb(1110)
  Transaction 37 of length 74
[2006/07/17 08:16:30, 3] smbd/process.c:switch_message(914)
  switch message SMBtrans2 (pid 8392) conn 0x8979958
[2006/07/17 08:16:30, 3] smbd/trans2.c:call_trans2qfsinfo(2167)
  call_trans2qfsinfo: level = 261
[2006/07/17 08:16:31, 3] smbd/process.c:process_smb(1110)
  Transaction 38 of length 82
[2006/07/17 08:16:31, 3] smbd/process.c:switch_message(914)
  switch message SMBtconX (pid 8392) conn 0x0
[2006/07/17 08:16:31, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/07/17 08:16:31, 3] lib/access.c:check_access(313)
  check_access: no hostnames in host allow/deny list.
[2006/07/17 08:16:31, 2] lib/access.c:check_access(324)
  Allowed connection from  (131.247.112.9)
[2006/07/17 08:16:31, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid root does not start with 'S-'.
[2006/07/17 08:16:31, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2006/07/17 08:16:31, 3] smbd/uid.c:push_conn_ctx(345)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2006/07/17 08:16:31, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/07/17 08:16:31, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx

RE: [Samba] still ACL bug in 3.0.14a

2005-04-17 Thread Stewart, Eric
This patch appears to have done the trick for me.
Thanks Jeremy - personally I think you've gone above and beyond
(it's still the weekend!)
I guess we'll see this in 3.0.15? ;)

> -Original Message-
> From: Jeremy Allison [mailto:[EMAIL PROTECTED] 
> Sent: Sunday, April 17, 2005 3:54 AM
> To: Stewart, Eric
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] still ACL bug in 3.0.14a
> 
> On Sat, Apr 16, 2005 at 11:42:33PM -0400, Stewart, Eric wrote:
> > If someone has this working on Red Hat Enterprise Linux 3, I'd
> > like a few pointers.
> > I've changed "defaults" in /etc/fstab for the affected partition
> > to "defaults,acl,user_xattr" and rebooted the box.  I've 
> gone so far as
> > to make sure all processes were killed, remove the samba 
> sbin, bin, lib,
> > and include directories, checked to make sure ACL support is being
> > compiled in (ldd even shows libacl.so.1 linked).  I've even gotten
> > desperate and added "delete readonly = yes" and even 
> "nt acl support
> > = no" (in all sorts of combinations) to the junk share in the config
> > below, and yet I still get access denied when attempting to delete a
> > file.  ls -laF shows:
> > 
> > : ls -laF /usr/local/samba/junk
> > total 5608
> > drwxrwxr-x    2 bb       mysql       4096 Apr 16 00:44 ./
> > drwxr-xr-x   11 root     root        4096 Apr 16 23:20 ../
> > -rwxrw-r--    1 LIB+eric mysql      46080 Mar 31  2000 annualreport99.doc*
> > -rwxrw-r--    1 LIB+eric mysql    5668947 Mar 25 09:11 HPLJ4250-070323-ILLiad.pdf*
> > 
> > With the "force group =" set, anyone who qualifies as a valid
> > user should be able to delete the file.  But I can't.
> 
> Ok, I think I see the bug you're encountering I don't 
> think force group
> was considered in the posix_acl code - that changes current_user.gid
> without changing it in the group array in current_user.
> 
> Can you try this patch please ?
> 
> Jeremy.
> 
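Jeremy's diagnosis quoted above is worth seeing as a permission check: "force group" rewrote the primary gid of the smbd process but not the supplementary group array, and a check that consults only that array never sees the forced group, so a user who is not otherwise in "mysql" gets no write permission on a drwxrwxr-x bb:mysql directory and cannot unlink anything in it. The following is an added example, not Samba's own code: a model of the POSIX "may I unlink this file?" decision with both a defective and a corrected force-group step. Uids, gids and the directory metadata are constructed to mirror the ls output in this thread (bb and mysql as local accounts, LIB+eric and LIB+Technology in winbind's 12500+ range from the posted config).

```python
# Added example, not Samba's own code: a model of the POSIX unlink permission
# check and of the force-group defect described in the thread (primary gid
# changed, supplementary-group array not updated). All ids are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cred:
    uid: int
    gid: int        # primary gid, the field "force group" rewrites
    groups: tuple   # supplementary group array


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int       # permission bits only, e.g. 0o775


def force_group(cred: Cred, gid: int, fixed: bool = True) -> Cred:
    """Apply 'force group = <gid>'. The defective variant changes only the
    primary gid; the corrected one also records it in the group array."""
    groups = cred.groups + (gid,) if fixed else cred.groups
    return Cred(cred.uid, gid, groups)


def has_perm(cred: Cred, node: Inode, bit: int, group_array_only: bool) -> bool:
    """Owner/group/other class check for one permission bit (4=r, 2=w, 1=x).
    group_array_only=True models a check that decides group membership from
    the supplementary array alone; False also consults the primary gid, as the
    kernel does with the process fsgid."""
    if cred.uid == 0:
        return True
    if cred.uid == node.uid:
        shift = 6
    else:
        in_group = node.gid in cred.groups or (
            not group_array_only and node.gid == cred.gid)
        shift = 3 if in_group else 0
    return bool((node.mode >> shift) & bit)


def may_unlink(cred: Cred, directory: Inode, group_array_only: bool) -> bool:
    """Unlink needs write and search (x) permission on the containing
    directory; the file's own mode is irrelevant. Sticky-bit handling is
    omitted for brevity."""
    return (has_perm(cred, directory, 2, group_array_only)
            and has_perm(cred, directory, 1, group_array_only))


# Constructed ids: bb and mysql are local accounts; LIB+eric and
# LIB+Technology come from the winbind 12500+ range in the posted config.
BB_UID, MYSQL_GID = 1001, 27
ERIC_UID, TECHNOLOGY_GID = 12501, 12500
JUNK_DIR = Inode(uid=BB_UID, gid=MYSQL_GID, mode=0o775)   # drwxrwxr-x bb mysql
ERIC = Cred(uid=ERIC_UID, gid=TECHNOLOGY_GID, groups=(TECHNOLOGY_GID,))


def scenario() -> dict:
    """The four cases a practitioner would want to compare."""
    buggy = force_group(ERIC, MYSQL_GID, fixed=False)
    good = force_group(ERIC, MYSQL_GID, fixed=True)
    return {
        "no force group": may_unlink(ERIC, JUNK_DIR, True),
        "buggy force group, array-only check": may_unlink(buggy, JUNK_DIR, True),
        "buggy force group, gid-aware check": may_unlink(buggy, JUNK_DIR, False),
        "patched force group, array-only check": may_unlink(good, JUNK_DIR, True),
    }


if __name__ == "__main__":
    for case, ok in scenario().items():
        print(f"{case:40} -> {'can delete' if ok else 'access denied'}")
```

The "buggy force group, gid-aware check" row is why file creation still worked while deletion failed: the kernel honoured the forced gid when creating the file (hence the mysql group on the new file), but the permission check that decided the unlink only looked at the group array.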


RE: [Samba] still ACL bug in 3.0.14a

2005-04-16 Thread Stewart, Eric
If someone has this working on Red Hat Enterprise Linux 3, I'd
like a few pointers.
I've changed "defaults" in /etc/fstab for the affected partition
to "defaults,acl,user_xattr" and rebooted the box.  I've gone so far as
to make sure all processes were killed, remove the samba sbin, bin, lib,
and include directories, checked to make sure ACL support is being
compiled in (ldd even shows libacl.so.1 linked).  I've even gotten
desperate and added "delete readonly = yes" and even "nt acl support
= no" (in all sorts of combinations) to the junk share in the config
below, and yet I still get access denied when attempting to delete a
file.  ls -laF shows:

: ls -laF /usr/local/samba/junk
total 5608
drwxrwxr-x    2 bb       mysql       4096 Apr 16 00:44 ./
drwxr-xr-x   11 root     root        4096 Apr 16 23:20 ../
-rwxrw-r--    1 LIB+eric mysql      46080 Mar 31  2000 annualreport99.doc*
-rwxrw-r--    1 LIB+eric mysql    5668947 Mar 25 09:11 HPLJ4250-070323-ILLiad.pdf*

With the "force group =" set, anyone who qualifies as a valid
user should be able to delete the file.  But I can't.

[global]
   load printers = no
   guest account = nobody
   hosts allow = 131.247.112., 131.247.113.
   workgroup = LIB
   security = domain
   password server = *
   client schannel = no
   encrypt passwords = yes
   local master = no
   os level = 1
   wins server = 131.247.112.6
   server string = LIB208 Samba Test
   preserve case = yes
   invalid users = root mail daemon
   log level = 10
   debug uid = yes
   debug pid = yes
   log file = /usr/local/samba/var/log.%m
   lock directory = /usr/local/samba/var/locks
   share modes = yes
   allow trusted domains = no
   winbind separator = +
   winbind uid = 12500-1
   winbind gid = 12500-1
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = no
   template homedir = /dev/null

[junk]
   comment = junk test
   browseable = yes
   force create mode = 0664
   force directory mode = 0775
   force group = mysql
   follow symlinks = no
   path = /usr/local/samba/junk
   valid users = @LIB+Technology
   read only = no

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Jeremy Allison
> Sent: Saturday, April 16, 2005 9:59 PM
> To: Schaefer Jr, Thomas R.
> Cc: samba@lists.samba.org; Jeremy Allison
> Subject: Re: [Samba] still ACL bug in 3.0.14a
> 
> On Sat, Apr 16, 2005 at 08:29:31PM -0500, Schaefer Jr, Thomas 
> R. wrote:
> > I'm modifying what I wrote this morning.  Compiling 
> --with-acl-support DOES fix the problem on Linux.  Jeremy is 
> right.  Although I had compiled it that way this morning I 
> was accidentally running one of my earlier compiles.  Sorry.
> 
> I have email access now, but not much of a test environment yet.
> 
> This happens a *lot*. People, if you reconfigure and try 
> again and it still doesn't seem to fix the problem please try 
> and ensure that you're running your new binaries. This seems 
> to be a common failure.
> 
> > Unfortunately for me, the fact that I've got it functioning 
> properly on Linux is worthless to me.  All my servers are 
> Solaris / sparc.  The Linux thing was just an exercise to see 
> if it could be narrowed to a Solaris specific problem.  At 
> this moment, for me, it is a Solaris specific problem as I 
> have yet to get it to function properly on Solaris.  I'm 
> hoping the consensus here isn't that I now need to go talk to 
> Sun Microsystems because somehow I'm guessing that avenue 
> isn't going to get me very far.
> 
> Debug level 10 log from Solaris please.
> 
> Jeremy


RE: [Samba] still ACL bug in 3.0.14a

2005-04-16 Thread Stewart, Eric
RHEL 3 AS here - test box (via VPN - I'm so interested in this
issue that I'm working on it from home) gave same behavior.
Jeremy got an email from me this morning with log files,
configuration file, getfacl's, ls -la, and an ldd of smbd showing that
the ACL lib was compiled in.  Tripwire screamed bloody murder this
morning as well on the box since I added acl to the /etc/fstab of the
partition where the smb share is and rebooted yesterday, noting there
were no ACLs before and now they are there.
So near as I know I have everything compiled/configured right
(Jeremy will have to confirm this, but it wouldn't surprise me if he
said I was missing something) and I'm running into the can't delete
thing.
Of course, he is at a conference so we probably won't be hearing
back until he gets back ...

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Schaefer Jr, Thomas R.
> Sent: Saturday, April 16, 2005 11:00 AM
> To: Jeremy Allison
> Cc: samba@lists.samba.org
> Subject: RE: [Samba] still ACL bug in 3.0.14a
> 
> > Just making sure everyone knows before I get on the plane :-).
> > 
> > You *must* have configured with --with-acl-support for this to 
> > successfully work with ACLs on 3.0.14a.
> > 
> > If you don't you get the symptoms you're reporting.
> > 
> > Jeremy.
> 
> Aaarrrggghhh!!
>  
> No no no, I can hardly believe this.  I've continued to fight 
> with this from home last evening and this morning.  I have 
> recompiled 3.0.14a on Solaris in a brand new fresh extract of 
> the source code from the tar.gz distribution file.  smbd -b | 
> grep -i acl run against the earlier samba's I was producing 
> where I did not specify --with-acl-support shows this..
>  
>HAVE_SYS_ACL_H
>HAVE_NO_ACLS
>HAVE__ACL
>HAVE__FACL
>  
> The same with my new smbd configured --with-acl-support shows..
>  
>HAVE_SYS_ACL_H
>HAVE_SOLARIS_ACLS
>HAVE__ACL
>HAVE__FACL
>  
> So the configure option seems to be "taking".  Guess what??  
> No difference in the end.  Same same same behaviour.  Can 
> create or modify files but not delete or rename them.
>  
> I recompiled on the RedHat Linux box this morning.  Where 
> smbd -b | grep -i acl against the binary I made yesterday yields..
>  
>HAVE_SYS_ACL_H
>HAVE_NO_ACLS
>  
> Today, after reconfiguring and recompiling, smbd -b | grep -i 
> acl yields..
>  
>HAVE_SYS_ACL_H
>HAVE_POSIX_ACLS
>  
> So the configure option seems to be "taking".  So, I tried 
> it.  Guess what??  NO DIFFERENCE (I'm not shouting at anyone 
> just shouting).  Like on the Solaris box, in the interest of 
> saving time I had just done a reconfigure and recompile of 
> the same source I had been using yesterday.  So, in the 
> interest of being thorough, like on the Solaris box, I 
> started over yet again, completely from scratch using a brand 
> new extract of the samba distribution.  Still no dice.  After 
> Jeremy's confidence yesterday I thought for sure it was going 
> to work on the Linux box.
>  
> I can hardly believe it.  I'm eagerly awaiting the results 
> some of the rest of you get when configuring 
> --with-acl-support and recompiling.
>  
> Tom Schaefer
> 
> 


RE: [Samba] still ACL bug in 3.0.14a

2005-04-15 Thread Stewart, Eric
Ah ha!  Okay it turns out libacl-devel wasn't installed on my
system.  And Red Hat says you need to add acl to /etc/fstab.
Well, I can get the compile done but I can't (well, won't) test
from home.  If it doesn't work Monday and I can't figure it out, you'll
get another annoying message from me.

> -Original Message-
> From: Jeremy Allison [mailto:[EMAIL PROTECTED] 
> Sent: Friday, April 15, 2005 6:28 PM
> To: Stewart, Eric
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] still ACL bug in 3.0.14a
> 
> On Fri, Apr 15, 2005 at 03:49:47PM -0400, Stewart, Eric wrote:
> > 
> > Ignoring the minor issue of the created files perms not 
> matching the 
> > force create mode (I know it's now an OR thing that I can fix), I 
> > should still be able to delete this file, as I've been 
> forced to the 
> > mysql group properly (as evidenced by the fact that the 
> file was given 
> > that group).
> > 
> > But I can't.
> 
> Ensure you've compiled with --with-acl-support. That will fix it.
> 
> Jeremy.
> 
> 


RE: [Samba] still ACL bug in 3.0.14a

2005-04-15 Thread Stewart, Eric
I could swear I did - and according to the config.log in the
source directory, I did.  However, it looks like it may have failed to
find a required lib ... I'll look at it Monday.

-Original Message-
From: Jeremy Allison [mailto:[EMAIL PROTECTED] 
Sent: Friday, April 15, 2005 6:28 PM
To: Stewart, Eric
Cc: samba@lists.samba.org
Subject: Re: [Samba] still ACL bug in 3.0.14a

On Fri, Apr 15, 2005 at 03:49:47PM -0400, Stewart, Eric wrote:
> 
>   Ignoring the minor issue of the created files perms not matching
the 
> force create mode (I know it's now an OR thing that I can fix), I 
> should still be able to delete this file, as I've been forced to the 
> mysql group properly (as evidenced by the fact that the file was given

> that group).
> 
>   But I can't.

Ensure you've compiled with --with-acl-support. That will fix it.

Jeremy.



RE: [Samba] still ACL bug in 3.0.14a

2005-04-15 Thread Stewart, Eric
Okay:
3.0.14a RHEL 3, client is a Windows 2003 Server SP 1.  Simple
(minimally sanitized) configuration using Winbind and Samba:
= Begin Config =
[global]
   load printers = no
   guest account = nobody
   hosts allow = (our local ranges)
   workgroup = (our domain)
   security = domain
   password server = *
   client schannel = no
   encrypt passwords = yes
   local master = no
   os level = 1
   wins server = (the wins server IP)
   preserve case = yes
   invalid users = root mail daemon
   log level = 10
   debug uid = yes
   debug pid = yes
   log file = /usr/local/samba/var/log.%m
   lock directory = /usr/local/samba/var/locks
   share modes = yes
   allow trusted domains = no
   winbind separator = +
   winbind uid = 12500-1
   winbind gid = 12500-1
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = no
   template homedir = /dev/null

[junk]
   comment = junk test
   browseable = yes
   force create mode = 0664
   force directory mode = 0775
   force group = mysql   # a linux group that group owns junk
   follow symlinks = no
   path = /usr/local/samba/junk
   valid users = @(winbind enumerated group)
   read only = no
== End Config ==

Taking a file as a valid user and copying it to the destination
succeeds.  Here's the long ls of the junk dir:

# l junk
total 5560
drwxrwxr-x    2 bb       mysql       4096 Apr 15 15:32 ./
drwxr-xr-x   11 root     root        4096 Apr 15 15:21 ../
-rwxrw-r--    1 LIB+eric mysql    5668947 Mar 25 09:11 HPLJ4250-070323-ILLiad.pdf*

Ignoring the minor issue of the created files perms not matching
the force create mode (I know it's now an OR thing that I can fix), I
should still be able to delete this file, as I've been forced to the
mysql group properly (as evidenced by the fact that the file was given
that group).

But I can't.

Jeremy: if you want the logs from this box, let me know -
they'll be about 4-5 MB.

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Peter Kruse
> Sent: Friday, April 15, 2005 3:30 PM
> To: Tom Schaefer
> Cc: samba@lists.samba.org; [EMAIL PROTECTED]
> Subject: Re: [Samba] still ACL bug in 3.0.14a
> 
> Tom Schaefer wrote:
> > Sigh.  Good catch Peter but I set up my test environment 
> (Sparc Solaris 8,
> > UFS filesystem) to match what Jeremy used and still have the same
> > problem.
> 
> but what permissions do the _files_ have that you can no 
> longer modify?
> 
> > 
> > User schaefer still can't rename or delete files in the 
> crap directory.
> > 
> > How frustrating.  Jeremy we don't do a lot of Linux around 
> here but yes I
> > should be able to cobble a test together.
> > 
> > Also, Peter, I know you use Linux and have been seeing 
> these exact same
> > symptoms, but have you actually tried it against 3.0.14a yet?
> > 
> 
> to be honest - no.  If you cannot reproduce it, Jeremy, then 
> I will try
> 3.0.14a.
> 
>   Peter
> 
> 


RE: [Samba] still ACL bug in 3.0.14a

2005-04-15 Thread Stewart, Eric
I'm pretty sure I did (though it's Friday and I have a
significantly shorter attention span/less attention for detail) and I
sent you (JRA directly) logfiles and a configuration file for a 3.0.14a
test on RHEL 3.

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Jeremy Allison
> Sent: Friday, April 15, 2005 2:29 PM
> To: Tom Schaefer
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] still ACL bug in 3.0.14a
> 
> On Fri, Apr 15, 2005 at 12:03:06PM -0500, Tom Schaefer wrote:
> > 
> > The problem is totally reproducible across different boxes 
> here and even
> > using the most very basic of a smb.conf.  User schaefer 
> should be able to
> > connect to his home share, go into his tmp/crap/ folder and create,
> > modify, and delete files as he pleases.  In any Samba 
> 3.0.11 or prior he
> > can.  Haven't tried 3.0.12.  3.0.13 and 3.0.14a he can't...
> > 
> > [EMAIL PROTECTED]:/accounts/staff/schaefer/tmp bash# ls -ld crap
> > d-+  2 root root 512 Apr 15 11:15 crap/
> > 
> > [EMAIL PROTECTED]:/accounts/staff/schaefer/tmp bash# getfacl crap
> > 
> > # file: crap
> > # owner: root
> > # group: root
> > user::---
> > group::---  #effective:---
> > group:203:rwx   #effective:rwx
> > group:cfusion:rwx   #effective:rwx
> > mask:rwx
> > other:---
> > 
> > [EMAIL PROTECTED]:/accounts/staff/schaefer/tmp bash# id schaefer
> > uid=241(schaefer) gid=60003(cfusion)
> 
> Ok, I'm trying to reproduce this here with a Windows XP 
> Professional SP2
> box and Linux ext3+ea+acl filesystem and I can't.
> 
> Here is my test setup :
> 
> # ls -ld /tmp/crap
> d---rwx---+ 2 root root 4096 Apr 15 11:05 /tmp/crap
> 
> # getfacl crap
> 
> # file: crap
> # owner: root
> # group: root
> user::---
> user:jeremy:rwx
> group::---
> group:jeremy:rwx
> mask::rwx
> other::---
> 
> User jeremy can create/delete and modify files from a cmd.exe shell
> and Windows explorer to his heart's content, no problems.
> 
> It's possible this is a Solaris specific issue. Can you reproduce
> the problem with 3.0.14a on a Linux box ?
> 
> Jeremy.
> 
> 


RE: [Samba] ACL and delete files

2005-04-15 Thread Stewart, Eric
This sounds like the problem I was having as touched upon in my
thread:

Samba 3.0.13 and deleting files

I sent JRA a set of log level 10 logs (all 10 MB worth for a
short test, so they wouldn't go through to this list).  Mind you he's a
busy guy and may not have even gotten to them yet.  I'm fairly certain
this bug existed in the original 3.0.14 release as well, but I only
tested it briefly and have no "testbed" box to toss it on.  I was going
to wait for 3.0.15 or something from Jeremy that said "do this".
I'll admit that's probably something I neglected to mention in
my original posts - that group permissions say write but the user of the
dir is different from the user creating the files.

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Peter Kruse
> Sent: Friday, April 15, 2005 6:15 AM
> To: Jacob Nielsen
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] ACL and delete files
> 
> Hello,
> 
> Jacob Nielsen wrote:
> > Hello list
> > 
> > I have the same problem with my Samba-3.0.13. This problem 
> started after
> > upgrading from 3.0.11.
> > 
> > I have a rather huge fileserver with 300.000+ files, so 
> this is kind of a
> > big issue for me.
> > 
> > Problem is when rename/deleting files, which is basically not 
> possible.
> > Copying a new file to the same directory is not a problem. Not
> > changeable though. If you open the file in an editor and save 
> it, it's not
> > a problem either. Very strange.
> 
> Thanks for sharing this.  I can confirm that this problem exists in
> 3.0.13.  There has been a bug report #2521 which was closed although
> there was still one report saying the bug still was there.
> I have several reports of this same behaviour: creating of files work
> but modify/delete doesn't.  Is it true that the directory in question
> does not give write permission to the user account but only the
> group the user belongs to?
> 
> Regards,
> 
>   Peter
> 
> 


RE: [Samba] Daylight saving time problem.

2005-04-11 Thread Stewart, Eric
Tripwire seems to freak out a bit during DST changes on my
Windows boxes; the timestamps on a lot of the files change by an hour
one way or the other (depending on which switch of DST it is).
So it's a Windows problem as far as I know, but I don't know of
a fix.

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Fred Hebert
> Sent: Monday, April 11, 2005 9:55 AM
> To: samba@lists.samba.org
> Subject: [Samba] Daylight saving time problem.
> 
> I have a small home LAN consisting of a Linux/SAMBA server 
> and 3 XP PRO
> workstations.  I use an external USB hard drive, attached to 
> my workstation,
> to backup the shared data.  The backup utility uses the DOS 
> file timestamp
> to determine which files have changed and need to be backed up.
> 
> Normally the backup takes a minute or less and only backs up 
> a few files,
> but when we go on or off of daylight saving time, the backup backs up
> everything which takes about 5 hours.
> 
> I also have some problems with my source code control system.
> 
> At work we use all Windows stuff and don't have a problem.
> 
> What's weird is that both Linux and XP have the correct times 
> before and
> after DST, but the file times on the shares seem to change 
> and are off by an
> hour.
> 
> I am not sure whether it is a Windows or a Linux/SAMBA 
> problem, I am just
> hoping someone has a fix.
> 
> 
> 
> 


[Samba] Samba 3.0.13 and deleting files

2005-04-06 Thread Stewart, Eric
I haven't seen a solution yet, but here's what I'm running into:

3.0.13 with Winbind on Redhat Enterprise Linux 3, compiled with
--with-pam, as well as attempts with that and --with-acl-support.  Note
that though the samba server is a member of a 2003 AD domain (joined with
"net rpc" rather than "net ads"), everything works as desired on 3.0.11
(which I went back to to get this working).

I can create a file on a drive mapped to a samba share just
fine, but when I try to delete that file, Windows (in the case I witness
directly, Server 2003) reports "Cannot delete : Access is denied".  Relevant smb.conf areas follow:

[global]
   load printers = no
   guest account = nobody
   hosts allow = 
   workgroup = 
   security = domain
#password server = *
   password server = 
# The above change is due to issues with 2003 SP1 - see my earlier email
   encrypt passwords = yes
   local master = no
   os level = 1
   wins server = 
   preserve case = yes
   invalid users = root mail daemon
   log level = 0
# I occasionally up the log level a bit
   debug uid = yes
   debug pid = yes
   log file = /usr/local/samba/var/log.%m
   lock directory = /usr/local/samba/var/locks
   share modes = yes
   allow trusted domains = no
   winbind separator = +
   winbind uid = 12500-1
   winbind gid = 12500-1
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = no
   template homedir = /dev/null

[ASHARE]
   comment = A COMMENT
   browseable = yes
   force create mode = 0664
   force directory mode = 0775
   force group = 
   follow symlinks = no
   path = 
   valid users = 
   read only = no

Eric Stewart - Network Admin, USF Tampa Library - [EMAIL PROTECTED]
Managing sysadmins is like leading a neighborhood gang of neurotic pumas
   on jet-powered hoverbikes with nasty smack habits and opposable
   thumbs. - Feen, Benjy: Pumas on Hoverbikes: Sysadmin Management,
   http://www.monkeybagel.com/pumas.html


[Samba] Windows Server 2003 SP 1

2005-04-06 Thread Stewart, Eric
Samba 3.0.11 with Winbind running on Redhat Enterprise Linux 3,
compiled with --with-pam (possibly another argument that I can't
remember at this second).

I applied it to my DC that is playing the PDC role today and all
of a sudden Winbind could not enumerate any Active Directory
information.  Mind you, I'm not joined to the domain using Kerberos/ADS;
the libs that come with RHEL3 are slightly out of date for Kerberos.
RPC was working fine, and appears to work when the PDC role is moved to
a 2003 DC that does not have SP 1 (however, I ran into other issues that
will be dealt with in later messages - note that this issue does seem to
rear its ugly head even with 3.0.13, so yes, I did try upgrading
Samba).
Now, this isn't so much a cry for help, as, in the long run, I
plan on upgrading (along with a hardware upgrade) to Redhat Enterprise
Linux 4, which has more up to date Kerberos libs (as I'm guessing it
could be a "security feature" in SP1), so that I can have my Samba
server "more properly" a member of the ADS.  But if anyone knows what's
up, or is willing to ask for more info (I might be able to provide it),
well, go ahead and ask.

Eric Stewart - Network Admin, USF Tampa Library - [EMAIL PROTECTED]
Managing sysadmins is like leading a neighborhood gang of neurotic pumas
   on jet-powered hoverbikes with nasty smack habits and opposable
   thumbs. - Feen, Benjy: Pumas on Hoverbikes: Sysadmin Management,
   http://www.monkeybagel.com/pumas.html


[Samba] 3.0.2a Windows XP can't find homes

2004-04-07 Thread Stewart, Eric
Clients are Windows 2000; server is running Samba version
3.0.2a.  We've been a W2K shop for some time but have started to get in
a few Windows XP systems (principally laptops).  The issue we're
experiencing with the Win XP machines is that they can't map the homes
share, either through a VPN or when connected directly to the network
the samba server is on.  All other shares remain accessible, including,
apparently, the "profile" share which is inside the home directory.

Yes, this is a second post regarding the "homes" share -
however, the first post deals specifically with W2K machines that are
accessing the homes share, but the homes share disappears somewhere
along the line.  This email/thread deals specifically with Windows XP
*never* finding the homes share.
If the issues are related, great; if not, I didn't want to post
two different problems in one message.

I have gone through much documentation (though it wouldn't
surprise me if I missed something) and groups.google.com searches didn't
result in a solution (and only a couple of close "I'm having this
problem" matches).

==
[global]
   guest account = nobody
   workgroup = 
   security = domain
   encrypt passwords = yes
   password server = *
   browseable = no
   local master = no
   os level = 1
   wins server = 
   preserve case = yes
   invalid users = root mail daemon
   log file = /usr/local/samba/var/log.%m
   lock directory = /usr/local/samba/var/locks
   share modes = yes
   allow trusted domains = no

[homes]
   comment = Home Directories
   browseable = yes
   guest ok = no
   read only = no
   force directory mode = 0700
   force create mode = 0600
   locking = no
   nt acl support = no

[profile]
   comment = Profile directory - special share
   invalid users = nobody refdesk
   browseable = yes
   guest ok = no
   read only = no
   force directory mode = 0700
   force create mode = 0600
   locking = no
   profile acls = yes
   path = %H/profile

[dos]
   comment = /samba/dos on Dudley
   browseable = yes
   path = /samba/dos
   read only = yes
   create mode = 0755
   locking = no

[staff]
   comment = Share directory for staff (T:\)
   browseable = yes
   path = /home/dudley/staff/share
   read only = no
   valid users = @staff
   force group = staff
   force create mode = 0660
   force directory mode = 0770

Eric Stewart - Network Admin, USF Tampa Library - [EMAIL PROTECTED]
Managing sysadmins is like leading a neighborhood gang of neurotic pumas
   on jet-powered hoverbikes with nasty smack habits and opposable
   thumbs. - Feen, Benjy: Pumas on Hoverbikes: Sysadmin Management,
   http://www.monkeybagel.com/pumas.html


[Samba] 3.0.2a - homes occasionally missing

2004-04-07 Thread Stewart, Eric
Clients are Windows 2000; server is running Samba version
3.0.2a.  We're experiencing a sporadic issue with the homes share
occasionally coming up missing.  All other shares remain mappable and
accessible.  If the workstation is rebooted, it can once again access
the share.
This is new behavior; 2.2.8a did not have this problem.  As of
yet I haven't been able to figure out what circumstances might trigger
the homes share disappearing.
Relevant sections of my smb.conf are reproduced below.

I have gone through much documentation (though it wouldn't
surprise me if I missed something) and groups.google.com searches didn't
result in a solution (and only one dead on "I'm having this problem"
match).

==
[global]
   guest account = nobody
   workgroup = 
   security = domain
   encrypt passwords = yes
   password server = *
   browseable = no
   local master = no
   os level = 1
   wins server = 
   preserve case = yes
   invalid users = root mail daemon
   log file = /usr/local/samba/var/log.%m
   lock directory = /usr/local/samba/var/locks
   share modes = yes
   allow trusted domains = no

[homes]
   comment = Home Directories
   browseable = yes
   guest ok = no
   read only = no
   force directory mode = 0700
   force create mode = 0600
   locking = no
   nt acl support = no

[profile]
   comment = Profile directory - special share
   invalid users = nobody refdesk
   browseable = yes
   guest ok = no
   read only = no
   force directory mode = 0700
   force create mode = 0600
   locking = no
   profile acls = yes
   path = %H/profile

[dos]
   comment = /samba/dos on Dudley
   browseable = yes
   path = /samba/dos
   read only = yes
   create mode = 0755
   locking = no

[staff]
   comment = Share directory for staff (T:\)
   browseable = yes
   path = /home/dudley/staff/share
   read only = no
   valid users = @staff
   force group = staff
   force create mode = 0660
   force directory mode = 0770

Eric Stewart - Network Admin, USF Tampa Library - [EMAIL PROTECTED]
Managing sysadmins is like leading a neighborhood gang of neurotic pumas
   on jet-powered hoverbikes with nasty smack habits and opposable
   thumbs. - Feen, Benjy: Pumas on Hoverbikes: Sysadmin Management,
   http://www.monkeybagel.com/pumas.html
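Both of the 3.0.2a postings above turn on what a client actually gets when it asks for the homes share or the profile share: [homes] has no path and is synthesised per user, and [profile] points at %H/profile, so the answer depends on the connecting user and on the valid users / invalid users lists. The following is an added example, not code from the posters or from the Samba project: a small parser for the smb.conf excerpts above that applies the %-substitutions (%U/%u user, %H home directory, %m client name, %L server name), synthesises the [homes] share, and evaluates valid users and invalid users the way smb.conf(5) documents them (invalid users takes precedence, an empty valid users admits everyone, @name matches a group). The config text is constructed from the postings, and the server name, home directories and group memberships are assumptions.

```python
"""Resolve the effective path and access of smb.conf shares for one session."""
from __future__ import annotations
import re

# Constructed from the smb.conf excerpts in the postings above.
SMB_CONF = """
[global]
   workgroup = LIB
   security = domain
   invalid users = root mail daemon

[homes]
   comment = Home Directories
   browseable = yes
   guest ok = no
   read only = no

[profile]
   comment = Profile directory - special share
   invalid users = nobody refdesk
   profile acls = yes
   path = %H/profile

[staff]
   comment = Share directory for staff (T:\\)
   path = /home/dudley/staff/share
   read only = no
   valid users = @staff
   force group = staff
"""

SERVER_NETBIOS = "dudley"  # assumed server name, substituted for %L


def parse_smb_conf(text: str) -> dict[str, dict[str, str]]:
    """Parse smb.conf text into {section: {parameter: value}}.

    Section and parameter names are case-insensitive and whitespace inside
    parameter names is normalised, as smb.conf(5) documents; values keep
    their internal whitespace.  Lines starting with '#' or ';' are comments."""
    conf: dict[str, dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return conf


def expand(value: str, ctx: dict[str, str]) -> str:
    """Apply the %-substitutions present in ctx; letters not in ctx are left as-is."""
    return re.sub(r"%([A-Za-z])", lambda m: ctx.get(m.group(1), m.group(0)), value)


def _names(value: str) -> list[str]:
    return value.replace(",", " ").split()


def allowed(section: dict[str, str], user: str, groups: set[str]) -> bool:
    """Evaluate 'valid users' / 'invalid users' for this session.

    '@name', '+name' and '&name' entries match a group.  An empty 'valid
    users' admits everyone; 'invalid users' wins over 'valid users'."""
    def matches(entry: str) -> bool:
        if entry[:1] in "@+&":
            return entry.lstrip("@+&") in groups
        return entry.lower() == user.lower()

    if any(matches(e) for e in _names(section.get("invalid users", ""))):
        return False
    valid = _names(section.get("valid users", ""))
    return not valid or any(matches(e) for e in valid)


def resolve_share(conf: dict[str, dict[str, str]], share: str, user: str,
                  home: str, client: str, groups: set[str]):
    """Return (share name, expanded path, allowed) for one session, or None
    when no such share exists."""
    ctx = {"U": user, "u": user, "H": home, "m": client, "L": SERVER_NETBIOS}
    wanted = share.lower()
    if wanted in conf and wanted != "global":
        section = dict(conf[wanted])
    elif wanted == user.lower() and "homes" in conf:
        # [homes]: Samba synthesises a share named after the connecting user;
        # without an explicit 'path' it points at the user's home directory.
        section = dict(conf["homes"])
        section.setdefault("path", home)
    else:
        return None
    # Parameters set in [global] are defaults that a share may override.
    merged = {**conf.get("global", {}), **section}
    return wanted, expand(merged.get("path", ""), ctx), allowed(merged, user, groups)


if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    for name in ("eric", "profile", "staff", "dos"):
        print(name, resolve_share(conf, name, "eric", "/home/dudley/eric", "ws1", {"staff"}))
```

Two things the walk-through makes visible: the global `invalid users = root mail daemon` is a default that a share's own `invalid users` replaces rather than extends (so [profile] above no longer excludes root unless its own list says so), and a request for the homes share only succeeds when the share name asked for matches the connecting user, which is worth checking in the client-side log lines before suspecting the server.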


RE: [Samba] Samba 2.2.8a/winbindd - 2K Domain users passwordchallenged

2003-07-17 Thread Stewart, Eric
Okay okay - forgive me for being a whiney itchbay.  But the fix was (when 
discussing *nix systems) quite counter intuitive ...
I noticed that, even after using chmod #uid file, that the system was not 
returning the string name for the appropriate numerical uid.  So, since I was headed 
out to lunch, I went ahead and rebooted the server.

Lo and behold it all appears to work now.  Correctly even.

I'm guessing that changes to /etc/nsswitch.conf may not necessarily register 
immediately and that's where I was running into trouble.  That or something to do with 
files moving into place (like /lib/libnss_winbind.so) and not being "seen".
Now if I could only be sure of what service it was that needed restarting ...

Eric Stewart - Network Admin - USF Tampa Library - [EMAIL PROTECTED]
SCUBA Diver: 220 Dives  Most Recent: 05/10/03 Chankanaab Park, Cozumel
GeoCacher:    58 Found  Most Recent: 07/04/03 GCGBHE - Fun in the Sun
http://www.scubadiving.com/talk/ and http://www.geocaching.com/

> -Original Message-
> From: Stewart, Eric 
> Sent: Thursday, July 17, 2003 10:42 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Samba] Samba 2.2.8a/winbindd - 2K Domain users
> passwordchallenged
> 
> 
>   I know it's been less than a day but I'm kind of 
> surprised that I
> haven't gotten an answer on this one way or the other ... so 
> let me ask a
> simpler question:
> 
>   Are winbind served users of a Linux machine supposed to 
> have access
> to the samba shares served by that Linux machine?  If so, 
> please provide
> sample smb.conf's (if they differ from mine below) and 
> pam.d/* files.  As
> my users only need access to the samba shares, and not login 
> access, I'm
> hesitant to change any /etc/pam.d/ file aside from 
> /etc/pam.d/samba ...
> 
>   A bit of further testing has shown that at the very least, samba
> continues to attempt to look for "user" instead of "DOM+user" 
> when trying
> to validate.  Please!  This is the last step I *must* get 
> past before I
> can move mission critical services from a Sun Solaris 8 box 
> to this Redhat
> Linux 9 machine ...
> 
> Eric Stewart - Network Admin - USF Tampa Library - [EMAIL PROTECTED]
> SCUBA Diver: 220 Dives  Most Recent: 05/10/03 Chankanaab Park, Cozumel
> GeoCacher:    58 Found  Most Recent: 07/04/03 GCGBHE - Fun in the Sun
> http://www.scubadiving.com/talk/ and http://www.geocaching.com/
> 
> > -Original Message-
> > From: Stewart, Eric 
> > Sent: Wednesday, July 16, 2003 3:21 PM
> > To: [EMAIL PROTECTED]
> > Subject: [Samba] Samba 2.2.8a/winbindd - 2K Domain users password
> > challenged
> > 
> > 
> > I have a RedHat Linux 9 server that I would like to 
> > allow users in my Windows 2000 domain to be able to map 
> > shares from without actually having an account on the system. 
> >  Compiled samba, configured with "./configure --with-pam".  
> > Got the server into the domain, and regular "security = 
> > domain" seems to be working appropriately - providing there's 
> > a local account with the same username as the 2K Domain user.
> > winbind appears to be providing the accounts 
> > appropriately - both wbinfo and getent return what you'd 
> > expect them to; a wbinfo -a with a user on the domain (the 
> > one trying to connect, in fact) gets:
> > 
> > plaintext password authentication succeeded
> > 
> > It simply appears as if, when a user attempts to 
> > connect to the share, it fails to try to match the W2K 
> > account (IE, DOM\user) to the winbind account (DOM+user) and 
> > near as I can tell, fails since there isn't an account on the 
> > system under "user".
> > Here are the relevant smb.conf lines:
> > 
> > [global]
> >    netbios name = newweb
> >    load printers = no
> >    guest account = nobody
> >    workgroup = LIB
> >    security = domain
> >    password server = *
> >    encrypt passwords = yes
> >    local master = no
> >    os level = 1
> >    wins server = 131.247.112.6
> >    server string = LIB309 -Sys-Library Web Server
> >    preserve case = yes
> >    invalid users = root mail daemon
> >    log level = 3
> >    debug uid = yes
> >    debug pid = yes
> >    log file = /usr/local/samba/logs/log.%m
> >    lock directory = /usr/local/samba/var/locks
> >    share modes = yes
> >    winbind separator = +
> >    winbind uid = 12500-1
> >    winbind gid = 12500-1
> >    winbind enum users = yes
> >w

RE: [Samba] Samba 2.2.8a/winbindd - 2K Domain users passwordchallenged

2003-07-17 Thread Stewart, Eric
I know it's been less than a day but I'm kind of surprised that I
haven't gotten an answer on this one way or the other ... so let me ask a
simpler question:

Are winbind served users of a Linux machine supposed to have access
to the samba shares served by that Linux machine?  If so, please provide
sample smb.conf's (if they differ from mine below) and pam.d/* files.  As
my users only need access to the samba shares, and not login access, I'm
hesitant to change any /etc/pam.d/ file aside from /etc/pam.d/samba ...

A bit of further testing has shown that at the very least, samba
continues to attempt to look for "user" instead of "DOM+user" when trying
to validate.  Please!  This is the last step I *must* get past before I
can move mission critical services from a Sun Solaris 8 box to this Redhat
Linux 9 machine ...

Eric Stewart - Network Admin - USF Tampa Library - [EMAIL PROTECTED]
SCUBA Diver: 220 Dives  Most Recent: 05/10/03 Chankanaab Park, Cozumel
GeoCacher:    58 Found  Most Recent: 07/04/03 GCGBHE - Fun in the Sun
http://www.scubadiving.com/talk/ and http://www.geocaching.com/

> -Original Message-
> From: Stewart, Eric 
> Sent: Wednesday, July 16, 2003 3:21 PM
> To: [EMAIL PROTECTED]
> Subject: [Samba] Samba 2.2.8a/winbindd - 2K Domain users password
> challenged
> 
> 
>   I have a RedHat Linux 9 server that I would like to 
> allow users in my Windows 2000 domain to be able to map 
> shares from without actually having an account on the system. 
>  Compiled samba, configured with "./configure --with-pam".  
> Got the server into the domain, and regular "security = 
> domain" seems to be working appropriately - providing there's 
> a local account with the same username as the 2K Domain user.
>   winbind appears to be providing the accounts 
> appropriately - both wbinfo and getent return what you'd 
> expect them to; a wbinfo -a with a user on the domain (the 
> one trying to connect, in fact) gets:
> 
> plaintext password authentication succeeded
> 
>   It simply appears as if, when a user attempts to 
> connect to the share, it fails to try to match the W2K 
> account (IE, DOM\user) to the winbind account (DOM+user) and 
> near as I can tell, fails since there isn't an account on the 
> system under "user".
>   Here are the relevant smb.conf lines:
> 
> [global]
>    netbios name = newweb
>    load printers = no
>    guest account = nobody
>    workgroup = LIB
>    security = domain
>    password server = *
>    encrypt passwords = yes
>    local master = no
>    os level = 1
>    wins server = 131.247.112.6
>    server string = LIB309 -Sys-Library Web Server
>    preserve case = yes
>    invalid users = root mail daemon
>    log level = 3
>    debug uid = yes
>    debug pid = yes
>    log file = /usr/local/samba/logs/log.%m
>    lock directory = /usr/local/samba/var/locks
>    share modes = yes
>    winbind separator = +
>    winbind uid = 12500-1
>    winbind gid = 12500-1
>    winbind enum users = yes
>    winbind enum groups = yes
>    template homedir = /dev/null
> 
> [webdocs]
>    comment = Webdocs Share
>    browseable = yes
>    force create mode = 0664
>    force directory mode = 0775
>    path = /data1/webdocs
>    valid users = @web,@wheel,@LIB+Technology
>    read only = yes
>    locking = no
> 
>   Not sure that this is set up right, or that I might be 
> missing something else:
> 
> /etc/pam.d/samba
> auth       sufficient   /lib/security/pam_winbind.so
> auth       required     /lib/security/pam_pwdb.so use_first_pass shadow nullok
> account    required     /lib/security/pam_winbind.so
> session    required     /lib/security/pam_pwdb.so
> password   required     /lib/security/pam_pwdb.so # shadow md5 nullok audit
> 
>   When a user that doesn't have a matching Linux account 
> tries to access the share, they get challenged.
>   Please let me know what I'm missing - either in my 
> Samba configuration or in the information I've attempted to 
> provide to you.
>   Thanks muchly in advance for your assistance.
> 
> Eric Stewart - Network Admin - USF Tampa Library - [EMAIL PROTECTED]
> SCUBA Diver: 220 Dives  Most Recent: 05/10/03 Chankanaab Park, Cozumel
> GeoCacher:    58 Found  Most Recent: 07/04/03 GCGBHE - Fun in the Sun
> http://www.scubadiving.com/talk/ and http://www.geocaching.com/


[Samba] Samba 2.2.8a/winbindd - 2K Domain users password challenged

2003-07-16 Thread Stewart, Eric
I have a RedHat Linux 9 server that I would like to allow users in my Windows 
2000 domain to be able to map shares from without actually having an account on the 
system.  Compiled samba, configured with "./configure --with-pam".  Got the server 
into the domain, and regular "security = domain" seems to be working appropriately - 
providing there's a local account with the same username as the 2K Domain user.
winbind appears to be providing the accounts appropriately - both wbinfo and 
getent return what you'd expect them to; a wbinfo -a with a user on the domain (the 
one trying to connect, in fact) gets:

plaintext password authentication succeeded

It simply appears as if, when a user attempts to connect to the share, it 
fails to try to match the W2K account (IE, DOM\user) to the winbind account (DOM+user) 
and near as I can tell, fails since there isn't an account on the system under "user".
Here are the relevant smb.conf lines:

[global]
   netbios name = newweb
   load printers = no
   guest account = nobody
   workgroup = LIB
   security = domain
   password server = *
   encrypt passwords = yes
   local master = no
   os level = 1
   wins server = 131.247.112.6
   server string = LIB309 -Sys-Library Web Server
   preserve case = yes
   invalid users = root mail daemon
   log level = 3
   debug uid = yes
   debug pid = yes
   log file = /usr/local/samba/logs/log.%m
   lock directory = /usr/local/samba/var/locks
   share modes = yes
   winbind separator = +
   winbind uid = 12500-1
   winbind gid = 12500-1
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /dev/null

[webdocs]
   comment = Webdocs Share
   browseable = yes
   force create mode = 0664
   force directory mode = 0775
   path = /data1/webdocs
   valid users = @web,@wheel,@LIB+Technology
   read only = yes
   locking = no

Not sure that this is set up right, or that I might be missing something else:

/etc/pam.d/samba
auth       sufficient   /lib/security/pam_winbind.so
auth       required     /lib/security/pam_pwdb.so use_first_pass shadow nullok
account    required     /lib/security/pam_winbind.so
session    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_pwdb.so # shadow md5 nullok audit

When a user that doesn't have a matching Linux account tries to access the 
share, they get challenged.
Please let me know what I'm missing - either in my Samba configuration or in 
the information I've attempted to provide to you.
Thanks muchly in advance for your assistance.

Eric Stewart - Network Admin - USF Tampa Library - [EMAIL PROTECTED]
SCUBA Diver: 220 Dives  Most Recent: 05/10/03 Chankanaab Park, Cozumel
GeoCacher:    58 Found  Most Recent: 07/04/03 GCGBHE - Fun in the Sun
http://www.scubadiving.com/talk/ and http://www.geocaching.com/
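The three messages in this thread come down to one mapping: a client logs on as DOM\user, winbind presents that account to the system as DOM+user (the `winbind separator = +` from the smb.conf above), and the lookup only succeeds if the name Samba asks for is one the NSS stack can see. The block below is an added example, not code from the poster or from Samba: it models how `winbind separator` and `winbind use default domain` shape the Unix name, then looks that name up in a constructed NSS view that stands in for `getent passwd` with and without `winbind` in /etc/nsswitch.conf. The domain, user names, uids and the treatment of an unqualified logon as belonging to the workgroup are assumptions.

```python
"""Map a Windows logon name to the Unix account winbind presents, then look
it up the way getent passwd would."""
from __future__ import annotations

WORKGROUP = "LIB"  # 'workgroup = LIB' in the posted smb.conf

# Constructed NSS view: /etc/passwd ("files") and the accounts winbind
# provides, keyed with the '+' separator from the posted config.  All uids
# are made up.
LOCAL_PASSWD = {"root": 0, "nobody": 99, "eric": 500}
WINBIND_PASSWD = {"LIB+eric": 12500, "LIB+refdesk": 12501}
NSS_SOURCES = {"files": LOCAL_PASSWD, "winbind": WINBIND_PASSWD}


def parse_logon(name: str) -> tuple[str | None, str]:
    """Split 'DOM\\user' into (domain, user); a bare name yields (None, user)."""
    domain, sep, user = name.partition("\\")
    if sep:
        return domain.upper(), user
    return None, name


def unix_name(domain: str | None, user: str, separator: str = "+",
              use_default_domain: bool = False, workgroup: str = WORKGROUP) -> str:
    """Account name winbind hands to NSS for a domain user.

    With 'winbind use default domain = yes', users of the server's own
    workgroup appear without the domain prefix; otherwise every winbind
    user is DOM<separator>user.  An unqualified logon is assumed here to
    belong to the workgroup."""
    if domain is None:
        domain = workgroup
    if use_default_domain and domain.upper() == workgroup.upper():
        return user
    return f"{domain.upper()}{separator}{user}"


def getent_passwd(name: str, nsswitch: tuple[str, ...] = ("files", "winbind")):
    """Consult the passwd sources listed in nsswitch.conf in order; return
    the uid, or None when no source knows the name."""
    for source in nsswitch:
        table = NSS_SOURCES.get(source, {})
        if name in table:
            return table[name]
    return None


def resolve_logon(logon: str, separator: str = "+", use_default_domain: bool = False,
                  nsswitch: tuple[str, ...] = ("files", "winbind")):
    """Return (unix name, uid or None) for a Windows logon name."""
    domain, user = parse_logon(logon)
    name = unix_name(domain, user, separator, use_default_domain)
    return name, getent_passwd(name, nsswitch)


if __name__ == "__main__":
    print(resolve_logon("LIB\\eric"))                         # found via winbind
    print(resolve_logon("LIB\\refdesk", nsswitch=("files",)))  # winbind not in nsswitch
    print(resolve_logon("LIB\\eric", use_default_domain=True)) # collides with local 'eric'
```

Two of the cases match what the thread reports. A lookup that never reaches the winbind source (nsswitch listing only `files`, or the module not yet loaded by the processes doing the lookups, which is what the poster's reboot changed) returns nothing for a correctly formed `LIB+refdesk`, so smb.conf is not the first place to look. And `winbind use default domain = yes` makes `LIB\eric` resolve to the local uid 500 because `files` is consulted first; that convenience is also a name-collision risk, since a domain account then silently inherits whatever a same-named local account can do.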


[Samba] Windows 2000 Domain Controller Security Setting

2003-01-24 Thread Stewart, Eric
I sent an email last night regarding a security issue we were having with our Windows 2000 domain controllers and Samba's interaction with them.

It turns out part of the issue is that security settings don't propagate to the domain controllers without rebooting them all.

But, slightly contrary to my previous email:

The application to view these settings is (on a domain controller):

"Start" -> "Program Files" -> "Administrative Tools" ->
    "Domain Controller Security Policy"

The settings in question are:

(1) "Windows Settings" - "Security Settings" - "Account Policies" -
    "Kerberos Policy" -> "Enforce user logon restrictions"

and

(2) "Windows Settings" - "Security Settings" - "Local Policies" -
    "Security Options" ->
    "Additional restrictions for anonymous connections"

Now, contrary to my previous email, (1) actually appears to have *nothing* to do with the issues (drives not wanting to be mapped from a Samba server).

(2) However, appears to be the key.  There are three possible settings for this:

(A) "None.  Rely on default permissions"
(B) "Do not allow enumeration of SAM accounts and shares"
(C) "No access without explicit anonymous permissions"

In our testing this morning (because the problem reoccurred), we've discovered that (A) and (B) don't cause a problem (though I've heard that there is evidence that (B) doesn't do what it says it does).  When (C) is selected (and the domain controllers are rebooted to put it into effect), Samba servers using "security = domain" will not be able to pass through the authentication, and hence, won't allow shares to be accessed.

However, in Samba's defense on this issue, Windows NT 4.0 Workstations don't even let people log on with (C) set.  And yes, we still run a few of those.

So, in summary:
(C) is a desired setting for (2), to stop people from getting a list of Domain usernames from Domain Controllers.  Once that list is obtained, some tools apparently throw the dictionary at accounts.  If account lockout policies have been defined, accounts start getting locked out when the dictionary attacks are attempted.  However, with these settings, NT 4.0 Workstations cannot be logged in (not your problem), and Samba servers will not allow shares to be mapped when "security = domain" (not really a problem I guess, but if it's fixable, it would be a big "plus" in Samba's court).

Unless you know of some way to tell 2000 DC's to explicitly allow Samba servers to have anonymous access, this is an (admittedly minor) issue that might be worth looking at.

Eric Stewart - Network Admin, USF Tampa Campus Library - [EMAIL PROTECTED]
   Sysadmins are like epic heroes invested with supreme powers and arcane
   lore, duty-bound to protect their users from villains, fires, and
   themselves. - Feen, Benjy: Origin of Sysadmins,
   http://www.monkeybagel.com/sysadmin.html