RE: [Samba] Passing domain name to PPP
I should probably add some clarifications here. First, since we have over 200 users, we would like to not have to add the users anywhere. It seems like the tweak would have to take place in PAM. What we'd really like to do is find a friendly way where PAM can be configured to maybe try both (username, domain+username).

Again, any help would be greatly appreciated.

Tom

> -----Original Message-----
> From: Deryk Robosson [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, May 28, 2003 1:01 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Samba] Passing domain name to PPP
>
>
> On Thu, 29 May 2003 12:23 am, Tom Hallewell wrote:
> > Hi-
> > Our PPP RAS server is running Samba 2.2.8a and winbind. We want to
> > authenticate dialup users through the PDC (Win NT 4 SP6). However, in
> > order to do so, the domainname needs to be prepended to the username, ie,
> > DOMAIN+USERNAME.
> > We don't want to have to teach all our dialup users to add the domainname
> > when they login to RAS, so we are looking for a way to script this.
> > Has anyone tweaked PPP/CHAP to automatically prepend the domain to the
> > username?
> > Thanks for any help,
> > Tom
>
> I've got some l2tp/ipsec roadwarriors that login using just that method to a
> server. It's already supplied by the client (win2k/xp) if the client is
> setup to login to the domain for that connection. This also works with pptp
> as well. Depending on your authentication method, you'd add the users as
> WORKGROUP\\username * secret * to either chap-secrets or pap-secrets.
>
> --
> Regards,
> Deryk Robosson
>
> Robosson Business Services
> 22 Flemington Street
> Albany, WA 6330
> ABN: 56 728 377 499
> Phone: +61 4 0842 9835 Email: [EMAIL PROTECTED]
>

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Passing domain name to PPP
Hi-
Our PPP RAS server is running Samba 2.2.8a and winbind. We want to authenticate dialup users through the PDC (Win NT 4 SP6). However, in order to do so, the domainname needs to be prepended to the username, ie, DOMAIN+USERNAME.
We don't want to have to teach all our dialup users to add the domainname when they login to RAS, so we are looking for a way to script this.
Has anyone tweaked PPP/CHAP to automatically prepend the domain to the username?

Thanks for any help,
Tom
[Samba] Re: CUPS permissions issues
That looks like it did the trick! Thanks much.

Tom

Tom Hallewell <[EMAIL PROTECTED]> wrote on Samba-digest
> Fri Dec 27 16:04:00 2002
>
> Hello-
> I am running Debian Woody, Samba 2.2.7, and Cups 1.1.14-3.
> I can print as any local Linux client, but there is a permissions issue when
> I try to print from Windows 2000.
> My spool directory is /var/spool/cups,

I hope you didn't set the *Samba* spool directory the same as the *CUPS* spool directory??

> the permissions are set 700 to user
> lp and group sys. If I chmod the directory to 777, printing works fine, but
> when I restart cupsd, the permissions revert back to 700.
> I am running Domain-level security, as well as ACLs and winbindd, not sure
> if this matters.
> It seems like I am missing something really simple, so am giving a simple
> description now, but I can supply much more detail if needed.
>
> Here is the relevant stuff from smb.conf:
> load printers = yes
> printcap name = cups
> printing = cups
>
> [printers]
>    comment = All Printers
>    path = /var/spool/cups

Ah, yes, it seems you did.

You need to understand: Samba spooling and CUPS (or any other "real" print subsystem in Unix) spooling are two different kinds of birds and need to be kept separate.

When you print to Samba from a Windows client, the printfile goes to the Samba (spool) path specified in your smb.conf first, and is under control of smbd. Then, smbd hands this file to the print daemon (here: "cupsd"), and the file moves to the spool directory of that print daemon (as determined in cupsd.conf; most likely it is also "/var/spool/cups/").

Change your [printers] entry to "path = /var/spool/samba" (and make sure this exists) and your problem will be gone.

The permissions change back when cupsd is re-started, because cupsd claims an exclusive right to "its" spool directory.

>    writable = no
>    printable = yes
>    create mode = 0777
>    use client driver = yes
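A check for the misconfiguration diagnosed in the reply above, added here as an example and not part of the original thread: it lists printable smb.conf shares whose path is the CUPS spool directory. The function names and the sample file are constructed for illustration, and the CUPS spool path defaults to /var/spool/cups as the reply assumes.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# printable_share_paths SMB_CONF: print "share<TAB>path" for each printable share.
printable_share_paths() {
    awk '
        function emit() { if (sec != "" && printable && path != "") print sec "\t" path }
        /^[ \t]*[#;]/ { next }                      # comment lines
        /^[ \t]*\[.*\]/ {                           # new [section]
            emit(); sec = $0; gsub(/^[ \t]*\[|\].*$/, "", sec)
            printable = 0; path = ""; next
        }
        {
            i = index($0, "="); if (i == 0) next
            key = tolower(substr($0, 1, i - 1)); val = substr($0, i + 1)
            gsub(/[ \t]+/, "", key)                 # smb.conf ignores spaces in names
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == "path") path = val
            # "print ok" is a synonym for "printable"
            if ((key == "printable" || key == "printok") &&
                tolower(val) ~ /^(yes|true|1)$/) printable = 1
        }
        END { emit() }
    ' "$1"
}

# check_spool_overlap SMB_CONF [CUPS_SPOOL]: print each printable share that
# spools into the CUPS directory; return 1 if any was found, 0 otherwise.
check_spool_overlap() {
    cups=${2:-/var/spool/cups}
    cups=${cups%/}
    bad=0
    tab=$(printf '\t')
    while IFS=$tab read -r sec path; do
        [ "${path%/}" = "$cups" ] || continue
        echo "[$sec] path = $path collides with the CUPS spool directory"
        bad=1
    done <<EOF
$(printable_share_paths "$1")
EOF
    return $bad
}

# Constructed sample: the [printers] section as posted, before the fix.
sample=$(mktemp)
cat > "$sample" <<'EOF'
printing = cups
[printers]
   comment = All Printers
   path = /var/spool/cups
   writable = no
   printable = yes
EOF
check_spool_overlap "$sample" || echo "give the share its own directory, e.g. /var/spool/samba"
rm -f "$sample"
```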
[Samba] CUPS permissions issues
Hello-
I am running Debian Woody, Samba 2.2.7, and Cups 1.1.14-3.
I can print as any local Linux client, but there is a permissions issue when I try to print from Windows 2000.
My spool directory is /var/spool/cups, the permissions are set 700 to user lp and group sys. If I chmod the directory to 777, printing works fine, but when I restart cupsd, the permissions revert back to 700.
I am running Domain-level security, as well as ACLs and winbindd, not sure if this matters.
It seems like I am missing something really simple, so am giving a simple description now, but I can supply much more detail if needed.

Here is the relevant stuff from smb.conf:

load printers = yes
printcap name = cups
printing = cups

[printers]
   comment = All Printers
   path = /var/spool/cups
   writable = no
   printable = yes
   create mode = 0777
   use client driver = yes

Any help would be much appreciated.

Tom Hallewell
[Samba] Re: ACL issues still unresolved (Andrew Furey)
It sounds like smbd isn't linking to the acl libs - have you run ldd against winbindd to see if it is linking to libacl.so.1? I recently had very similar symptoms running 2.2.7 under Debian and I found that I wasn't compiling against the acl libs.

Make sure you have the line (this might work best if you put this line before --with-msdfs)

    --with-acl-support

in debian/rules. Plus you have to

    vi debian/config.cache

--> replace
    "ac_cv_header_sys_acl_h=${ac_cv_header_sys_acl_h=no}"
with
    "ac_cv_header_sys_acl_h=${ac_cv_header_sys_acl_h=yes}"

I got this info from Max - http://homex.subnet.at/~max/comp-12_xfs.php

Good luck.

Tom Hallewell
Radio Free Asia
Washington DC, USA

>
> >>(b) In said ACL properties dialog, the usernames displayed
> >>are the UNIX ones, not the ones converted with the username
> >>map option.
> >
> > Why not use original Windows names and take users map out of the loop?
> >
> > While a blank in user's name is strictly a no-no and all lower case is
> > preferable, most *nices can deal with names longer than 8 chars,
> > although "ls -l"-listings may appear messy.
> >
> > As for your (a) question, should we chase back your previous mails
> > to find out exactly what samba version on which platform you are
> > using, or can you discretely include that info in a mail?
>
> Sorry, I should have specified - Samba 2.2.7 manually compiled with
> ACLs, on Debian unstable.
>
>
> However, I have just this morning worked out both of those problems. For
> all the future Googlers out there who are banging their heads against
> the wall as much as I have been:
>
> IF IN DOUBT, USE WINBIND.
>
> Setting up winbind with the nsswitch.conf stuff works perfectly (as far
> as those two problems go).
>
> Only problem I have now is working out how to preserve the ACLs on files
> I copy from the W2k to the Samba machine. xcopy /o seems to be it, but
> it comes up with "access denied" and the file is empty, as well as
> having the default permissions (copying person is owner, etc). More
> Googling needed...
>
> Thanks for your help, everyone.
>
> --
> ANDREW FUREY <[EMAIL PROTECTED]> - Sysadmin/developer for Terminus.
> Providing online networks of Australian lawyers (http://www.ilaw.com.au)
> and Linux experts (http://www.linuxconsultants.com.au) for instant help!
> Disclaimer: http://www.terminus.net.au/disclaimer.html. GCS L+++ P++ t++
>
[Samba] winbind
It sounds like you want to include ACL Support, which I don't believe is the default in most samba packages. As ACL support is still an experimental kernel feature, you will need to patch your kernel, and install Extended Attribute, ACL support and a modified e2fsprogs so that ls, chmod, etc. work properly. These, along with very good installation instructions, can be found at http://www.acl.bestbits.at . We set it up on a Debian machine with minimal headaches, the RPM packages should make it a no-brainer on Redhat.

Then you will need to build a new samba rpm --with-acl-support to enable the ability for granular permissions.

Good luck!

Tom Hallewell
Network and Information Services Department
Radio Free Asia
Washington, DC

Message: 11
Date: Tue, 03 Dec 2002 10:43:25 +0400
From: "Yousef I. Adan" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [Samba] winbind

> We are in the process of implementing Linux-cum-samba in our NT
> environment. We are trying to integrate the security with
> winbind. Joined the NT domain, no problem. Can list the users and
> groups thru wbinfo. Gave a uid and gid range to the nt users in
> smb.conf. made couple of changes in nsswitch as suggested by the
> documentation, password: files winbind and groups: files winbind.
> It seems that this version of samba had already winbind
> integrated so that we didn't have to compile it again and we
> didn't do anything in the PAM area.
>
> The permissions on the linux box map to: owner, group and everyone
> only. No more users/groups can be added but it seems you can
> amend these three entries. How can we implement the file and
> directory permissions with the same granularity as the NT, using
> samba and winbind, since there is no concept of local and global
> groups on the linux box? I am not a linux or unix expert, so any
> seemingly simple stuff could help in my case.
>
> Any help is appreciated.
>
> Yousef
>
> PS: We have downloaded all the relevant documentation, but they
> seem to be for earlier versions of linux and samba such as 7.1.
> Nothing specifically written for Linux 8.0 and samba 2.2.7.
>
[Samba] RE: samba digest, Vol 1 #1918 - 24 msgs
You should be able to find the server in W2K's server manager and confirm that it is a trusted member of the Domain.

It sounds like smbd isn't linking to the acl libs - have you run ldd to see if you are linking to libacl.so.1? My recent problem was similar and I found that I wasn't compiling against the acl libs.

Make sure you have the line (Max said you should have this before --with-msdfs)

    --with-acl-support

in debian/rules. Plus you have to

    vi debian/config.cache

--> replace
    "ac_cv_header_sys_acl_h=${ac_cv_header_sys_acl_h=no}"
with
    "ac_cv_header_sys_acl_h=${ac_cv_header_sys_acl_h=yes}"

Good luck - it's well worth it once it works!

Tom Hallewell
Radio Free Asia
Washington DC, USA

>
> Hmm.
>
> I don't have a third machine to be a W2k client here (the real setup
> will have several hundred, both 2k and NT4, but I'm testing at present).
> Hence I have two machines:
>
> * a W2k server which is acting as PDC
> * a Samba server which is authenticating to the PDC but providing file
> services
>
> and I'm reusing the W2k server as a client - ie. trying to access files
> on the Samba server from the W2k box.
>
> As far as I can tell the Samba machine has already joined - password
> authentication doesn't work if it doesn't join.
>
> --
> ANDREW FUREY <[EMAIL PROTECTED]> - Sysadmin/developer for Terminus.
> Providing online networks of Australian lawyers (http://www.ilaw.com.au)
> and Linux experts (http://www.linuxconsultants.com.au) for instant help!
> Disclaimer: http://www.terminus.net.au/disclaimer.html. GCS L+++ P++ t++
>
[Samba] Re: 2.2.7 compile error using --with-acl-support
If you are using the debian/rules from apt-get or the source tarball, you need to not only include --with-acl-support in debian/rules, you also need to

    vi debian/config.cache

--> replace
    "ac_cv_header_sys_acl_h=${ac_cv_header_sys_acl_h=no}"
with
    "ac_cv_header_sys_acl_h=${ac_cv_header_sys_acl_h=yes}"

This will allow it to compile. Unfortunately, for me, anyway, smbd, nmbd and winbindd are still not linking to libacl.so (according to ldd). The output is below.

If you have any luck actually getting this to work once you have successfully compiled, please let me know.

PS - thanks to Max for the link to his page http://homex.subnet.at/~max/comp-12_xfs.php

Tom Hallewell
Radio Free Asia
Washington, DC USA

obelyx:/tmp# ldd /usr/sbin/nmbd
        libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x40017000)
        libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40044000)
        libcups.so.2 => /usr/lib/libcups.so.2 (0x40105000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x4011d000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x40131000)
        libdl.so.2 => /lib/libdl.so.2 (0x4015e000)
        libpam.so.0 => /lib/libpam.so.0 (0x40161000)
        libc.so.6 => /lib/libc.so.6 (0x40169000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)
obelyx:/tmp# ldd /usr/sbin/winbindd
        libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x40017000)
        libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40044000)
        libcups.so.2 => /usr/lib/libcups.so.2 (0x40105000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x4011d000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x40131000)
        libdl.so.2 => /lib/libdl.so.2 (0x4015e000)
        libpam.so.0 => /lib/libpam.so.0 (0x40161000)
        libc.so.6 => /lib/libc.so.6 (0x40169000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)
obelyx:/tmp# ldd /usr/sbin/smbd
        libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x40017000)
        libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40044000)
        libcups.so.2 => /usr/lib/libcups.so.2 (0x40105000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x4011d000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x40131000)
        libdl.so.2 => /lib/libdl.so.2 (0x4015e000)
        libpam.so.0 => /lib/libpam.so.0 (0x40161000)
        libc.so.6 => /lib/libc.so.6 (0x40169000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)

> --__--__--
>
> Message: 1
> Subject: Re: [Samba] 2.2.7 compile error using --with-acl-support
> on debian
> From: Francesco Mosca <[EMAIL PROTECTED]>
> To: Frank Matthieß <[EMAIL PROTECTED]>
> Cc: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Organization:
> Date: 26 Nov 2002 17:17:20 +0100
>
> On Tue, 2002-11-26 at 13:44, Frank Matthieß wrote:
> > On Sat, Nov 23, 2002 at 11:45:17AM +0100, Francesco Mosca wrote:
> > > hi, i'm trying to package samba2.2.7 on a debian woody, using
> > > --with-acl-support. the configure part seems ok, but when the compile
> > > starts i get a lot of errors.. what's wrong? attached the sensitive part
> > > of the dpkg-buildpackage output.
> > > thanks
> >
> > You have installed "libacl1" and "libacl1-dev" on compile system?
> >
>
> libacl1-dev is not in woody yet, i was using acl-dev instead. anyway, i
> just installed libacl1 and libacl1-dev from sid, but, even if this time
> (i noticed) the configure says "Using posix ACLs", i got the same errors
> at compile time...
>
>
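The checks described in the message above and in the two earlier ACL replies (the --with-acl-support flag in debian/rules, the cached sys/acl.h answer in debian/config.cache, and libacl in the ldd output), gathered into one script. This is an added example, not code from the thread; the function names are hypothetical and the sample transcript is abridged from the ldd output posted above.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# acl_build_problems SRC_DIR: report packaging settings that disable ACL support.
acl_build_problems() {
    src=$1
    grep -qF -e '--with-acl-support' "$src/debian/rules" 2>/dev/null ||
        echo "debian/rules: --with-acl-support is missing"
    # A cached "no" stops configure from probing for sys/acl.h again.
    if grep -qF -e 'ac_cv_header_sys_acl_h=${ac_cv_header_sys_acl_h=no}' \
            "$src/debian/config.cache" 2>/dev/null; then
        echo "debian/config.cache: ac_cv_header_sys_acl_h is cached as no"
    fi
    return 0
}

# binaries_without_libacl: read an ldd transcript on stdin ("... ldd /path"
# prompt lines followed by library lines) and print each binary that does
# not list libacl.so.
binaries_without_libacl() {
    awk '
        / ldd \// || /^ldd \// { bin = $NF; order[++n] = bin; next }
        /libacl\.so/ && bin != "" { has[bin] = 1 }
        END { for (i = 1; i <= n; i++) if (!(order[i] in has)) print order[i] }
    '
}

# Sample input: abridged from the ldd output posted in the message above.
binaries_without_libacl <<'EOF'
obelyx:/tmp# ldd /usr/sbin/nmbd
libcups.so.2 => /usr/lib/libcups.so.2 (0x40105000)
libc.so.6 => /lib/libc.so.6 (0x40169000)
obelyx:/tmp# ldd /usr/sbin/smbd
libpam.so.0 => /lib/libpam.so.0 (0x40161000)
libc.so.6 => /lib/libc.so.6 (0x40169000)
EOF
```

On a live system the second function can be fed directly, for example from a loop that echoes "ldd /usr/sbin/smbd" and then runs it.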
RE: [Samba] ACLs with samba
You were right on the --with-acl not being compiled. The problem now is that once we got acl-dev installed, samba won't compile at all.

Is there anyone out there using ACLs under Debian Woody and if so, would you please tell us what versions of the various ACL/ATTR/fileutils packages you are using?

We have tried with the woody versions of attr/acl (2.0.8) and also rolling our own packages from the latest greatest at bestbits.

When trying to compile using the woody versions, configure would not detect the acl binaries, when compiling from the latest bestbits, we got a bunch of ugly stuff like this:

include/vfs.h:111: parse error before "acl_t"
include/vfs.h:112: parse error before "acl_entry_t"
include/vfs.h:113: parse error before "acl_entry_t"
include/vfs.h:114: parse error before "acl_entry_t"
include/vfs.h:115: warning: no semicolon at end of struct or union
include/vfs.h:116: parse error before '*' token

Any input would be greatly appreciated - we have tried both samba 2.2.6 and 2.2.7 and are running out of ideas...

Tom

>
>
> On Thu, 21 Nov 2002 16:07:08 -0500
> "Tom Hallewell" <[EMAIL PROTECTED]> wrote:
>
> > 1. I am unable to alter permissions from Win2K clients using the
> > Properties->Security interface. Is this normal? I get the "Unable to
> > save Permission Changes on new Folder. Access is denied." message.
> > This occurs with all accounts, both privileged and unprivileged.
>
> Are you sure you compiled Samba with ACL support?
> `ldd /path-to-your/smbd` should show "libacl.so.1" in its list.
>
> Even when giving the option "--with-acl" it's possible it didn't compile
> with ACL support due to the perhaps not installed dev-package "acl-dev"
> (which is available as DEB-package).
>
> So long,
> Max
>
> --
> The first time any man's freedom is trodden on, we're all damaged.
>
>
> http://homex.subnet.at/~max/
>
[Samba] ACLs with samba
Hi-
I am experiencing some odd behavior with ACLs with winbindd using Samba 2.6 on Debian Woody (kernel version 2.4.18).

1. I am unable to alter permissions from Win2K clients using the Properties->Security interface. Is this normal? I get the "Unable to save Permission Changes on new Folder. Access is denied." message. This occurs with all accounts, both privileged and unprivileged.

2. Permissions set using setfacl -m u:DOMAIN\USER:rwx alter the permissions just fine, but do not show up in the Properties->Security interface. If I run chmod DOMAIN\USER.DOMAIN\USER it shows up. The permissions show up correctly if a file or directory is created on the share from a Win client, but cannot be modified once created, and the ACL info is not seen.

Is this behavior normal, or am I doing something wrong?

Here is the relevant section of smb.conf:

[SHARE]
   comment = Blah blah
   path = /usr/tmp/share
   valid users = @DOMAIN\Group1 @DOMAIN\Group2
   public = no
   writable = yes
   printable = no
   create mask = 0770
   directory mode = 0770
   force create mode = 0770
   force directory mode = 0770

Here is the output from getfacl /usr/tmp/share

getfacl: Removing leading '/' from absolute path names
# file: usr/tmp/BUR
# owner: mpgmover
# group: mpgmover
user::rwx
group::rwx
group:DOMAIN\Group1:rwx
group:DOMAIN\Group2:rwx
mask::rwx
other::---

Any input would be appreciated.

Thanks
Tom Hallewell
Radio Free Asia
Washington DC