Re: [Samba] Samba instead of SBS2k+3

2006-08-19 Thread Thomas Boutell


On Sat, 19 Aug 2006, Henrik Zagerholm wrote:

> Przemyslaw Adam Smiejek wrote:
>
> > Hi,
> >
> > I'm a teacher and I have got 20 computers with Windows XP and server
> > Windows SBS 2003 with Active Directory. I use AD to set policy to WinXP
> > and to authorize users.
>
> Yes, you can use samba as a PDC.
> Please read the following
> http://us1.samba.org/samba/docs/man/Samba-Guide/

He's using AD to push group policy. He can't do that with
Samba 3 (at least without third party software that probably
defeats his probable desire to do this cheaply).

--
Thomas Boutell
Boutell.Com, Inc. 
http://www.boutell.com/


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Little help on PDC and BDC needed

2006-03-28 Thread Thomas Boutell

On Tue, 28 Mar 2006, Daniel Wilson wrote:

> just copy your smb.conf to the BDC but change these lines to be "no"
>
> preferred master = no
> domain master = no
> local master = no

That's not going to be enough. Samba 3 doesn't support the Windows
protocols for synchronization among DCs, so the BDCs won't have
any idea what the valid accounts are, etc.

See:

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/FastStart.html

The PDC needs to use an LDAP back end, and the BDCs can consult that same
back end or have their own backup LDAP servers to make it easier to
turn one of them into a real PDC.

--
Thomas Boutell
Boutell.Com, Inc. 
http://www.boutell.com/




Re: [Samba] Join samba to existing Windows domain

2006-03-22 Thread Thomas Boutell

On Thu, 23 Mar 2006, Jeffrey wrote:

> Hi,
>
> I am running samba 3.0.14a on a FreeBSD 6 box. I need this box to join an
> existing Windows 2003 domain to act as a file server to serve Windows XP
> clients. The book "Using Samba" says to use "smbpasswd -j ..." to join the
> domain. But the -j option doesn't seem to exist. Would anyone be able to tell
> me the best way to make samba join the domain?

net join -U administrator
[enter password when prompted]

Your smb.conf must already be set up correctly at this step,
and you want to use the active directory security type.

--
Thomas Boutell
Boutell.Com, Inc. 
http://www.boutell.com/


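The reply above hinges on smb.conf already being right before the join is attempted. As an added example (my own, not the poster's or the Samba project's code), here is a POSIX shell checker for the [global] settings that an AD-style join depends on: security = ads, a realm, and a workgroup. The parameter names are real smb.conf keys; the two sample files it writes are constructed for the demonstration and only mirror the values seen elsewhere in this archive (workgroup AD, realm AD.CORP.COM). It checks the file only; Kerberos, DNS and the actual join are still verified with net ads join and net ads testjoin.

```shell
#!/bin/sh
# Added example, not code from the thread: inspect an smb.conf for the
# [global] settings that a "net ads join" depends on before running it.
# POSIX sh + awk only; the two sample configs written below are constructed
# for this demonstration (values mirror the thread: workgroup AD,
# realm AD.CORP.COM).

# smb_global_value FILE KEY
# Print the value of KEY from the [global] section (key match is
# case-insensitive, surrounding blanks stripped); print nothing if unset.
smb_global_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*[#;]/ { next }                            # comment line
        /^[ \t]*\[/   { sec = tolower($0); gsub(/[][ \t]/, "", sec); next }
        sec == "global" && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == want) { print val; exit }
        }' "$1"
}

# check_ads_join_conf FILE
# Print one line per problem; return 0 when the file looks ready for
# "net ads join", 1 otherwise.
check_ads_join_conf() {
    rc=0
    sec=$(smb_global_value "$1" security | tr 'A-Z' 'a-z')
    realm=$(smb_global_value "$1" realm)
    wg=$(smb_global_value "$1" workgroup)
    if [ "$sec" != "ads" ]; then
        echo "security = '${sec:-unset}': an AD member server needs 'security = ads'"
        rc=1
    fi
    if [ -z "$realm" ]; then
        echo "realm unset: set it to the AD DNS domain name (the Kerberos realm)"
        rc=1
    elif [ "$realm" != "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ]; then
        echo "realm '$realm' is not upper-case; Kerberos realm names are"
        rc=1
    fi
    if [ -z "$wg" ]; then
        echo "workgroup unset: set it to the NetBIOS (short) domain name"
        rc=1
    fi
    return $rc
}

# Constructed samples: a member-server config with the thread's values,
# and one that was left with domain-style settings.
good=$(mktemp) && bad=$(mktemp)
trap 'rm -f "$good" "$bad"' EXIT
cat > "$good" <<'EOF'
[global]
   workgroup = AD
   realm = AD.CORP.COM
   security = ads
   password server = windc1.ad.corp.com
[homes]
   browseable = no
EOF
cat > "$bad" <<'EOF'
[global]
   workgroup = AD
   security = domain
   ; realm not set
EOF

for f in "$good" "$bad"; do
    if check_ads_join_conf "$f"; then
        echo "$f: ready for net ads join"
    fi
done
```

Run it against /etc/samba/smb.conf (or wherever testparm reports the file lives) before the join; a "security = domain" left over from an NT4-style setup is the usual thing it catches.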


[Samba] Understanding Samba 4's features and goals

2006-03-22 Thread Thomas Boutell

Hi folks,

I'm the co-author of "Windows and Linux Integration," a recent
Sybex/Wiley title. So I'm very much interested in what's coming
next in the Samba world. And I've been watching the Samba 4
"technology releases" with interest.

One nifty feature that I like a lot: the old options that specified
many confusing types of server behavior have been replaced with a
"role" option. That makes total sense to me.

Here's what doesn't make sense to me, though: this option has
"PDC" and "BDC" settings, among others. But my understanding of
the Active Directory world is that it is a "multimastering"
environment, in which updates can be made on *any* DC and will
be replicated correctly to the other DCs in the domain. There
is therefore no PDC/BDC distinction.

So, the big questions:

1. Will Samba 4 support multimastering, AD-style, with no BDCs?
2. Can the other masters run Windows AD, or must they also run Samba 4?
3. If not, what is offered in place of these features?

Thanks for any light you can shed on the matter. And thanks, as
always, for a fantastic set of tools.

--
Thomas Boutell
Boutell.Com, Inc. 
http://www.boutell.com/




RE: [Samba] To anyone successfully using NT ACLs with Samba

2005-03-10 Thread Thomas Boutell
On Thu, 10 Mar 2005 [EMAIL PROTECTED] wrote:

> Hi Thomas,
> Do you have winbind in the nsswitch?
> Alan

Yes.

To be clear, my Windows-client-made ACL settings work. And they look great in
getfacl. The place they don't look great is on an actual Windows client
when reopened. The settings are right but the names of the groups
are replaced by ugly-lookin' SIDs.
--
Thomas Boutell
Boutell.Com, Inc. 
http://www.boutell.com/



[Samba] Re: Unable to set ACLs with Samba 3.0.11, near publication deadline

2005-03-10 Thread Thomas Boutell
On Thu, 10 Mar 2005, David Sonenberg wrote:

> I tried adding writable = yes.  I can now view and modify ACLs for files but
> not directories.

I'm definitely setting ACLs on directories... bear in mind that Unix
rules still apply: only the owner of the file or directory and
administrator (or whoever maps to root) have the privilege of
setting and changing ACLs.

Would still love to know why I see raw SIDs when I reopen the ACLs
in Windows, though.
--
Thomas Boutell
Boutell.Com, Inc. 
http://www.boutell.com/



[Samba] To anyone successfully using NT ACLs with Samba

2005-03-10 Thread Thomas Boutell
When you re-open the properties of an existing file or
directory with ACLs set on it from a Windows workstation, do 
you see the usernames and group names properly? Or do you see 
SIDs in the dialog box as I do? Just gathering data. If you are 
seeing usernames and group names properly I'd love to see
your smb.conf file. In my case, the Samba server is an
AD domain member.

--
Thomas Boutell
Boutell.Com, Inc. 
http://www.boutell.com/



Re: [Samba] Domain Control

2005-03-09 Thread Thomas Boutell
On Wed, 9 Mar 2005, IslandBwoy wrote:

> Yeah.  That's what I've been doing.  The problem is that if I leave it like
> this I'm afraid that as time goes on more and more machines will try to
> authenticate through this server and eventually cause problems on our
> network.  Either way, just to be sure, I'm going to my realm in my active
> directory tree and searching for the machine name. Then deleting it from
> there.  Is there something I can do to assure there is no stale information
> being used?

Yes, deleting the machine from the Active Directory Users and Groups
tool is what you need to do. Might help to turn off samba while you're
doing that. If there are any other AD domain controllers make sure
they all see the change.
--
Thomas Boutell
Boutell.Com, Inc. 
http://www.boutell.com/



Re: [Samba] Domain Control

2005-03-09 Thread Thomas Boutell
You definitely don't have to stop using security = ads to make this work.
I suggest that you delete the machine account for this server on the
Active Directory domain controller via Active Directory Users and Groups.
I think there's some stale information there about the role of the server.
Then join the domain again.
Good luck!
--
Thomas Boutell
Boutell.Com, Inc. 
http://www.boutell.com/



[Samba] Can set ACLs great from Windows, but see only SIDs when i reopen them

2005-03-09 Thread Thomas Boutell
Good morning, Samba List,
I'm setting ACLs from the security tab of the properties window of a folder
via a Windows XP SP2 client. The Samba share in question is running on 
3.0.11 with an ext3 file system and Fedora Core 3 underneath. All this
works great -- I can set up ACLs beautifully from Windows and when I check 
them out with getfacl on the Linux side, the results make sense to me.

However, when I close and re-open the properties window, the two
groups I've set up ACLs for -- AD\salesgroup and AD\marketinggroup --
show up only as SIDs (S-bignumber-with-hyphens). Which, of course, 
is confusing.

I've appended the output of getfacl, the relevant part of "getent group",
and my smb.conf file. Thanks for any thoughts on this. I could certainly 
just write this up as a frustrating quirk that will "hopefully be fixed soon," 
but of course I'd rather present the fix!

Is there some way in which Samba might not be correctly mapping SIDs back to
names upon request from the client?
Thanks again!

GETFACL OUTPUT:

[EMAIL PROTECTED] ~]# getfacl /research
# file: research
# owner: AD\134salesperson1
# group: root
user::rwx
group::---
group:10012:rwx
group:10015:r-x
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:10012:rwx
default:group:10015:r-x
default:mask::rwx
default:other::---

GETENT GROUP OUTPUT:

AD\domain computers:x:10003:
AD\domain controllers:x:10002:
AD\schema admins:x:10005:AD\administrator
AD\enterprise admins:x:10006:AD\administrator
AD\domain admins:x:10007:AD\administrator
AD\domain users:x:1:
AD\domain guests:x:10001:
AD\group policy creator owners:x:10004:AD\administrator
AD\dnsupdateproxy:x:10013:
AD\cheaters:x:10014:
AD\salesgroup:x:10012:AD\salesperson2,AD\salesperson1
AD\marketinggroup:x:10015:AD\marketperson2,AD\marketperson1
AD\hrgroup:x:10016:AD\hrperson2,AD\hrperson1

MY SMB.CONF FILE:

[global]
   log level = 3
   log file = /var/log/samba/%m.log
   # Use CUPS for all back end printing chores
   printing = cups
   printcap = cups
   load printers = yes
   idmap gid = 1-2
   map acl inherit = yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   admin users = AD\Administrator
   printer admin = AD\Administrator
   #   winbind trusted domains only = yes
   encrypt passwords = YES
   realm = AD.CORP.COM
   template shell = /bin/bash
   dns proxy = no
   cups options = raw
   server string = Samba Server
   idmap uid = 1-2
   workgroup = AD
   printcap name = /etc/printcap
   security = ads
   max log size = 50
   winbind use default domain = no
   password server = windc1.ad.corp.com

[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[printers]
   guest ok = no
   comment = All Printers
   printable = yes
   writable = no
   path = /var/spool/samba

[research]
   comment = Research Files, Sales Writes, Marketing Reads
   writeable = yes
   path = /research

[print$]
   comment = Printer Drivers for Windows
   path = /usr/local/samba/windrivers
   write list = AD\administrator
--
Thomas Boutell
Boutell.Com, Inc. 
http://www.boutell.com/

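The SID-instead-of-name symptom in the message above comes down to whether the numeric ids the file system stores (group:10012, group:10015 in the getfacl listing; the \134 in the owner line is getfacl's octal escape for the backslash) can be turned back into names by NSS. As an added example (mine, not the poster's or the Samba project's code), here is a small POSIX shell check that takes getfacl output and a captured "getent group" listing and reports which ACL group ids resolve. The inputs are constructed: the getfacl text copies the /research listing above plus one extra entry (gid 10099) with no matching group, so both outcomes are exercised.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check the numeric group ids in
# getfacl output against what NSS (winbind) can resolve, using a captured
# "getent group" listing. POSIX sh + awk. Both inputs below are constructed:
# the getfacl listing follows the thread's /research output plus one extra
# entry (gid 10099) with no matching group, to show the unresolved case.

faclfile=$(mktemp) && grpfile=$(mktemp)
trap 'rm -f "$faclfile" "$grpfile"' EXIT
cat > "$faclfile" <<'EOF'
# file: research
# owner: AD\134salesperson1
# group: root
user::rwx
group::---
group:10012:rwx
group:10015:r-x
group:10099:r-x
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:10012:rwx
default:group:10015:r-x
default:mask::rwx
default:other::---
EOF
cat > "$grpfile" <<'EOF'
AD\domain users:x:1:
AD\salesgroup:x:10012:AD\salesperson2,AD\salesperson1
AD\marketinggroup:x:10015:AD\marketperson2,AD\marketperson1
AD\hrgroup:x:10016:AD\hrperson2,AD\hrperson1
EOF

# resolve_acl_groups GETFACL_FILE GROUP_FILE
# For every numeric named-group entry (access or default ACL) print
# "<gid> <group name>" or "<gid> UNRESOLVED", one line per distinct gid.
resolve_acl_groups() {
    awk -F: '
        NR == FNR { if ($3 != "") name[$3] = $1; next }   # group file is read first
        /^(default:)?group:[0-9]+:/ {
            gid = ($1 == "default") ? $3 : $2
            print gid, ((gid in name) ? name[gid] : "UNRESOLVED")
        }' "$2" "$1" | sort -u
}

# acl_groups_all_resolved GETFACL_FILE GROUP_FILE -> 0 only if every gid maps to a name
acl_groups_all_resolved() {
    ! resolve_acl_groups "$1" "$2" | grep -q ' UNRESOLVED$'
}

resolve_acl_groups "$faclfile" "$grpfile"
if acl_groups_all_resolved "$faclfile" "$grpfile"; then
    echo "every ACL group resolves to a name"
else
    echo "some ACL gids have no name: check winbind and the idmap ranges"
fi
```

On a live server feed it real output: getfacl /research > /tmp/acl.txt and getent group > /tmp/groups.txt. A gid that the file system carries but getent cannot name is one the idmap range in smb.conf no longer covers, or one winbind never allocated; either way the Windows client will only ever be shown a SID for it.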


[Samba] Re: Unable to set ACLs with Samba 3.0.11, near publication deadline

2005-03-08 Thread Thomas Boutell
Anybody have a roadkill cookbook?
Because I have some crow to eat, and I'm not sure how best
to prepare it. Sigh.
I didn't have writable = yes set on the share. The fact that smbcacls 
didn't work (and still doesn't work!) blinded me to this more obvious
issue. Once I set writable = yes, of course, I was able to change
acls from a true Windows client... which was of course my
actual goal. I'd created my test files in advance on the Linux
side, so the no-write-permissions-at-all issue wasn't obvious at
any other time.

Thanks for the attention you gave to the matter. Next time, if I'm
not able to spot the issue myself, I'll be sure to include my
*entire* smb.conf in the report.
--
Thomas Boutell
Boutell.Com, Inc. 
http://www.boutell.com/



[Samba] Unable to set ACLs with Samba 3.0.11, near publication deadline

2005-03-07 Thread Thomas Boutell
Hello, Jeremy and Jerry,
I met both of you at LinuxWorld in Boston, where I learned tons and tons
of great stuff from your presentations.
I'm writing on deadline for publication and would really, really, really
like to show off Samba's ability to map NT ACLs to POSIX ACLs. But right
now, I can't make them work. I've spent some time on the Samba list
trying to make this work, but haven't received much of a response. I'm
also CC'ing David Sonenberg who has reported the same or a similar problem
in well documented emails to the samba list.
I've made the effort to pull together as much information about
my configuration as possible in the hopes that we can nail down
this bug, or user error, or whatever it turns out to be in time
to write great things about Samba's abilities in this area.
Thank you!
* * *
So, here's the configuration:
* Samba 3.0.11, from the samba.org Fedora Core 3 RPMs
* Fedora Core 3
* ext3 fs mounted with acls on, setfacls and getfacls work great
* winbind in use in nsswitch.conf
* The server is a member of a Windows 2003 Active Directory domain
The share in question looks like this on the server:
[EMAIL PROTECTED] samba]# !ls
ls -l /research
total 16
-rw-r--r--  1 AD\marketperson1 10003 33 Feb 21 21:16 research1.txt
-rw-r--r--  1 AD\marketperson1 10003 34 Feb 21 21:16 research2.txt
I can reproduce the problem using the smbcacls tool. There's quite a bit
of debugging information included below.
At the end of this message you will also find:
* The relevant part of "getent passwd"
* The relevant part of "getent group"
If you need any further information or assistance from me to resolve this
please don't hesitate to ask.
Thank you very much!
* * *
[EMAIL PROTECTED] samba]# !smbc
smbcacls //localhost/research research1.txt -a ACL:AD\\marketinggroup:ALLOWED/0/RWX -U AD\\marketperson1
added interface ip=192.168.2.211 bcast=192.168.2.255 nmask=255.255.255.0
Password:
Connecting to host=localhost
Connecting to 127.0.0.1 at port 445
Doing spnego session setup (blob length=99)
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 48018 1 2 2
got OID=1 3 6 1 4 1 311 2 2 10
got [EMAIL PROTECTED]
Got challenge flags:
Got NTLMSSP neg_flags=0x60890215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60080215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60080215
Connecting to host=localhost
Connecting to 127.0.0.1 at port 445
Doing spnego session setup (blob length=99)
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 48018 1 2 2
got OID=1 3 6 1 4 1 311 2 2 10
got [EMAIL PROTECTED]
Got challenge flags:
Got NTLMSSP neg_flags=0x60890215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60080215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60080215
lsa_io_sec_qos: length c does not match size 8
Failed to parse ACL ACL:AD\marketinggroup
* * *
getent passwd | grep marketperson1
AD\marketperson1:x:10021:1:Marketperson1:/home/AD/marketperson1:/bin/bash
* * *
getent group | grep marketperson1
AD\marketinggroup:x:10015:AD\marketperson2,AD\marketperson1
--
Thomas Boutell
Boutell.Com, Inc. 
http://www.boutell.com/



Re: [Samba] ACL Question [Repost]

2005-03-03 Thread Thomas Boutell
On Thu, 3 Mar 2005, David Sonenberg wrote:

> First off I'm talking about through the windows interface, or using smbcacl.
> Second let me rephrase my question.  Shouldn't non-privileged users be able
> to modify ACLs for files that they own?

Still having this same issue.
--
Thomas Boutell
Boutell.Com, Inc. 
http://www.boutell.com/



Re: [Samba] Can't see my Samba server into the A.D. Domain

2005-03-03 Thread Thomas Boutell
On Thu, 3 Mar 2005, Saliou, Gilbert wrote:

> Samba server: SUN/Solaris 8
> Samba version 3.0.10
> Domain: Active Directory with a W2K PDC
> My Samba server is a Domain Member Server, connected to the Active Directory
> Domain with the "net rpc join" unix command.
> All the MS-Windows SMB clients from the Domain can connect and use, without
> any problem, the shares of the Samba server.

Shouldn't this be "net ads join"? There is a difference, no?
--
Thomas Boutell
Boutell.Com, Inc. 
http://www.boutell.com/



Re: [Samba] ACL Question [Repost]

2005-02-28 Thread Thomas Boutell
I experience similar symptoms with both 3.0.10-as-found-in-fedora-core-3
and samba-3.0.11. One difference is that I haven't been able to make
smbcacls get as far as denying permission. Shouldn't this command work?
smbcacls //localhost/research research1.txt -a ACL:AD\\MarketingGroup:ALLOWED/0/RWX -U AD\\administrator
Password:
Failed to parse ACL ACL:AD\MarketingGroup
Note that when I remove the -a to just list ACLs, it works fine, so a 
parsing error doesn't make much sense here:

[EMAIL PROTECTED] ~]# smbcacls //localhost/research research1.txt ACL:AD\\MarketingGroup:ALLOWED/0/RWX -U AD\\administrator
Password:
REVISION:1
OWNER:AD\salesperson1
GROUP:S-1-5-21-875667829-2241442456-3328505926-1130
ACL:AD\salesperson1:ALLOWED/0/RW
ACL:S-1-5-21-875667829-2241442456-3328505926-1130:ALLOWED/0/R
ACL:\Everyone:ALLOWED/0/R
Yes, I can use getfacl and setfacl successfully and yes, ACLs are enabled
in Samba and on the ext3 file system in question (POSIX ACLs).
Thanks for any information.
On Mon, 28 Feb 2005, David Sonenberg wrote:

> OK so I've got samba-3.0.11 compiled with ACL support.  I'm running 2.4.25
> with the ACL/ATTR patch applied.  I can read and set ACLs using the
> getfacl/setfacl programs.  ldd /usr/sbin/smbd shows it's linked to
> libattr.so.1 and libacl.so.1.  I can read ACLs with the smbcacls program, but
> when I try to set them I get:
>
> ERROR:  Unable to open credentials file!
>
> Also from the windows side, the properties of a file show the users
> and groups for that file but list the perms as all blank, and when I try
> to change the perms I get a window labeled 'Security' with the message:
>
> Unable to save permission changes on .
> Access is denied.
>
> --
> David Sonenberg
> Systems / Network Administrator
> Stroz Friedberg, LLC
> 15 Maiden Lane
> 15th Floor
> New York, NY 10038
> Tel 212.981.6527
> Fax 917.495.4918
>
> This message is for the named person's use only.  It may contain
> confidential, proprietary or legally privileged information. No right to
> confidential or privileged treatment of this message is waived or lost by any
> error in transmission.  If you have received this message in error, please
> immediately notify the sender by e-mail or by telephone at 212.981.6540,
> delete the message and all copies from your system and destroy any hard
> copies.  You must not, directly or indirectly, use, disclose, distribute,
> print or copy any part of this message if you are not the intended recipient.

--
Thomas Boutell
Boutell.Com, Inc. 
http://www.boutell.com/
