Re: [Samba] Samba 4.0 released - The First Free Software Active Directory Compatible Server is now available !
On 12/11/2012 10:32 AM, Jeremy Allison wrote:
> Samba Team Releases Samba 4.0
> =
>
> December 11th 2012.
>
> The Samba Team is proud to announce the release of Samba 4.0, a major
> new release of the award-winning Free Software file, print and
> authentication server suite for Microsoft Windows clients.
>

This is fantastic news. I do have a question that many who are/were using beta/RC releases may have:

Besides doing "/usr/local/samba/bin/samba-tool ntacl sysvolreset" is there anything else that needs to be redone? I noticed several patches in the last RC releases for fixing AD acls (I assume these are LDAP). How are these to be reset? Is it recommended to do things manually, or should domains be recreated from scratch if possible (although a huge pain)?

Thank you,
Trever

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba 4 samba-tool dns question
Thank you kindly!

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Amitay Isaacs wrote:

On Wed, Jun 13, 2012 at 8:45 PM, Kai Blin wrote:
> On 2012-06-13 11:21, Trever L. Adams wrote:
>
> Hi Trever,
>
>> /usr/local/samba/bin/samba-tool dns add s4server.example.org example.org
>> example.org TXT "v=spf1 mx -all"
>>
>> I am not sure it is because it is showing up with dig as "v=spf1" "mx"
>> "-all" where it should be all one string, I believe.
>
> Well, this is how the current code is set up, Amitay added this behavior
> to the DLZ backend recently, and I followed along for the internal
> server. I'm not aware of how the string tokenization is actually
> described in the standard. I'm also not sure if the issue actually is
> that samba-tool doesn't preserve the quotes around the string, so the
> data is tokenized when added to the AD record.
>
> Amitay, any insights on that one?
>
> Cheers,
> Kai

Hi Trever/Kai,

The tokenization changes were added to support multiple strings in txt record. If you want to use a single string with spaces in it as a txt record, you have to quote it twice.

    samba-tool dns add s4server example.org example.org TXT "'v=spf1 mx -all'"

If you are using nsupdate to add the record, then make sure to quote it as follows:

    server s4server
    update add example.org 3600 IN TXT "v=spf1 mx -all"
    send

That should get you the desired result.

Amitay.
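Added example, not part of the thread and not Samba's code: a Python model of the two tokenization passes discussed above, showing why the three-string record fails as SPF. It assumes samba-tool splits the TXT data argument the way `shlex.split` does (inferred from the behaviour reported in the thread); the function names are hypothetical.

```python
import shlex

def tokens_stored(command_line):
    """Strings that end up in the TXT record for a samba-tool command line.

    Pass 1 models the shell. Pass 2 models the tool's tokenizer, ASSUMED
    here to be a shlex-style split of the data argument.
    """
    argv = shlex.split(command_line)   # the shell removes the outer quotes
    return shlex.split(argv[-1])       # the tool tokenizes what is left

def txt_rdata(strings):
    """TXT RDATA: each character-string is a length octet plus up to 255 bytes."""
    out = b""
    for s in strings:
        raw = s.encode("ascii")
        if len(raw) > 255:
            raise ValueError("character-string longer than 255 bytes")
        out += bytes([len(raw)]) + raw
    return out

def spf_as_evaluated(strings):
    """SPF verifiers join the strings of one TXT record with no separator
    (RFC 7208, section 3.3)."""
    return "".join(strings)

def is_spf_record(text):
    """A record is selected as SPF only if it is 'v=spf1' alone or
    'v=spf1' followed by a space."""
    return text == "v=spf1" or text.startswith("v=spf1 ")

# Command lines quoted from the thread.
SINGLE = ('/usr/local/samba/bin/samba-tool dns add s4server.example.org '
          'example.org example.org TXT "v=spf1 mx -all"')
DOUBLE = ('samba-tool dns add s4server example.org example.org '
          'TXT "\'v=spf1 mx -all\'"')

if __name__ == "__main__":
    for cmd in (SINGLE, DOUBLE):
        strings = tokens_stored(cmd)
        seen = spf_as_evaluated(strings)
        print(strings, txt_rdata(strings), repr(seen), is_spf_record(seen))
```

With single quoting the verifier sees `v=spf1mx-all`, which is not selected as an SPF record at all, so the domain publishes no policy; `dig +short TXT example.org` should show one quoted string after the fix.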
[Samba] Samba 4 samba-tool dns question
Hello Everyone,

I am used to messing with bind zones directly. With samba 4, I cannot do that. Is the following the correct way to add a TXT record for SPF to the zone using samba-tool?

    /usr/local/samba/bin/samba-tool dns add s4server.example.org example.org example.org TXT "v=spf1 mx -all"

I am not sure it is because it is showing up with dig as "v=spf1" "mx" "-all" where it should be all one string, I believe.

Thank you for any help,
Trever

--
"Life is a comedy for those who think and a tragedy for those who feel." -- Unknown
Re: [Samba] Time sync in Samba4
On 5/1/2011 6:03 AM, Andrew Bartlett wrote:
>
> ntpd needs to be configured to talk to Samba4. This looks like an
> accurate guide:
> http://www.whitemiceconsulting.com/2010/12/configuration-of-ntp-for-samba4.html
>

Thank you. I have been trying to solve this as well.

Trever
Re: [Samba] Disk full message with non full disk
On 08/24/2010 05:36 AM, rpere...@lavabit.com wrote:
> Hello
>
> I'm having some disk full messages in several windows xp clients. The disk
> have a lot space free.
>
> I'm using Centos 5.5 with the samba centos official package.
>
> samba-3.0.33-3.29
>
> Maybe a samba bug ? Any advice ?
>
> Thanks a lot for any help
>
> regards
>
> roberto

I saw this with one account with Samba 4 recently from a Vista machine. My problem was that there were problems syncing the profile for that user (network problems from resume after sleep w/ one motherboard). After a few of those in a row I started seeing that message. I looked at the event logs on the windows machine, found out what files were the problem, erased them on client and server. The problem went completely away.

Hope this helps.

Trever

--
"All our dreams can come true - if we have the courage to pursue them" -- Walt Disney
[Samba] Bug in Samba4? (idmap Domain Users
I am working with Samba 4. I think I have found a bug. It would only be a problem in the event that Samba4 starts doing inter-domain, forest level, and cross forest trusts.

Domain Users is 100 on a setup that is provisioned to have the range 300, 400. This maps the local gid for users.

This seems to be a bug to me. Shouldn't Domain Users be within the range and not be the same as the local unix group users? All other domain groups are in the appropriate range.

Thank you,
Trever
Re: [Samba] Samba4 questions (idmap, forest, inter-domain trust)
On 08/07/2010 01:57 PM, Trever L. Adams wrote:
> Q1: How do I set the Unix uid/gid range in Samba4 for the local domain?
> Is it possible before the first user is created?
>
> Thank you,
> Trever Adams

Answering myself, to help others. I cannot answer any of the other questions, but this one is easy.

Edit the following entries:

    lowerBound: 300
    upperBound: 400

They are found in samba-master/source4/setup/idmap_init.ldif

If these are not done before provision, it is a pain to do afterward.

Trever
[Samba] Samba4 questions (idmap, forest, inter-domain trust)
Hello everyone,

I am trying to go after learning Samba4 from two directions. Code and implementing it. (If you know Samba4, please help me answer the questions after the brief explanation.)

I have used the following scenario before, it is real and a way for me to learn things:

My siblings and I are setting up some family services (over VPN, etc.). There are X of us, including 1 being parents. So, we have X families. We are wanting these to do inter-domain trusts, or just forest level trust.

Family1 ... Family X

Should all trust one another.

Q1: How do I set the Unix uid/gid range in Samba4 for the local domain? Is it possible before the first user is created?

Q2: As I understand it, there are no inter-domain trusts yet with Samba4, is this accurate? Is it planned?

Q3: As I understand it, Samba4 doesn't do forests yet. Is this accurate? Is it planned?

Q4: If I setup the domains now with Samba4, can they be converted to a forest or setup with trusts later when it is supported?

Thank you,
Trever Adams
[Samba] Anyone had success: Samba4, idmap_ldap (alloc only), idmap_adex
After spending some time trying to figure out how to merge the allocating backend from idmap_ldap and the rest of idmap_adex, I have found that it may not be worth the effort to avoid having to configure idmap_ldap.

Has anyone had success with idmap_ldap as the uid/gid allocator and idmap_adex in Samba4?

I haven't done much with ldap, so any instructions on how to add schema info needed for idmap_ldap (if any) to Samba4 and an example configuration would be greatly appreciated.

Thank you,
Trever Adams
[Samba] Possible to use idmap hash with nss info adex (and have them cooperate not just coexist)
I am wanting the auto uid/gid mapping of idmap hash, but the rest of the functionality of idmap/nss info adex. I do not know if this is possible. Below are my questions.

A few questions about idmap and nss info. I like the idea of idmap_hash. I want to use it. However, I would like to use nss info adex. Can these two be used together? Or do they conflict somehow?

Also, if I have six domains (DOM1-DOM7 for simplicity), and they all trust each other. Given the definition for the local domain (all 7 on their machines) as:

    idmap backend = hash
    idmap uid = 1000-40
    idmap gid = 1000-40
    winbind nss info = adex
    winbind normalize names = yes

Would I then do:

    idmap config DOM# : backend = ad
    idmap config DOM# : range = 1000-40

Or:

    idmap config DOM# : backend = hash
    idmap config DOM# : range = 1000-40

If the answer is that I must create an idmap_adex_hash, is anyone else interested in such a hybrid?

Thank you,
Trever Adams
[Samba] Forests, Domain Trusts, idmap (an idea for S4)
Hello all,

I have largely only used samba in my home. I have several large projects I see coming for me that require domain trusts, forests and Samba 4. As I have been reading up on Samba 4, I have found several things people have mentioned that are being worked on or need to be worked on. One of which is uid/gid <-> rid mapping and work for inter-domain trusts.

I think I may have found a solution. I do not know if it will work in Forests, nor do I know how cleanly it can be implemented.

As I understand it, for domain trusts (at least out of a forest), you must have a user in each domain that is the trust user. We use the uid/gid in RFC2307 or SFU to store some magic values.

Each domain is then free to have user/group ids in the (based on Samba 3.3.0 release notes) in bits 0-19 based on whatever algorithm they chose. 20-30 are locally a hash of the domain SID. The uid in the trust user becomes the domain SID hash (20-30) with the rest of the bits 0. If there is a collision between SID hashes, then we locally store a free hash (+1 from the collision until we find a free one, making sure to stay only in bits 20-30). We then mask any uid/gid information returned by the trusted domain and OR it with our local version of the trusted domain's SID hash, giving us a stable UID/GID which is guaranteed unique.

On replicating/adding a new user, we check the uid/gid, if empty, we set it based on idhash_map's idea of what it should be, of course +1 until we have a free hash, staying in bits 0-19 only for the +1. This likely will require some hooks or other things in replication code. Or, for those who hate the hash way, simply find highest value and add 1 until we find a free hash.

Now, I said gid of trust user for trusted domain would be used for some magic. If people know how many domains they will trust (as an upper bound), you can use GID for a mask for the domain part. Each trust user/trusted domain would have to have the same GID, since they would all have to be masked the same. The uid would then, on replication/new user, would have to be within whatever 0 part of the mask. Of course, this requires manual setting of the UID for the trust user.

You could combine the two so that the hash version described here would have selectable bits for (or number of maximum trusted domains in power of two or programmatically handled) which would adjust automatically so the user hash would take up all but the domain SID hash part (which would be no more than 10 bits and no less than 4). So, User RID hash would be bits 0-19 on up to 0-26. This would require agreement on # of bits used for SID part of the hash between domains (human decisions), but that is rather simple, I think.

If we did the paragraph above, the gid would not be magic on trust users. Only the uid. Or, vice versa. It would store only the domain SID hash part of the full user id, and mixed with the bit count, would function as a masking and ORing to make the full user id that we can trust as non-colliding.

Pardon me, please, if my idea above is foolish or naive. I have just been thinking about it a few days and am completely unfamiliar with the samba code base.

One question which I haven't answered is why store the uid/gid in AD instead of just compute like idmap_hash, the answer is it allows us to deal with collisions, both in the rid and sid part of the hash. I think it may also make all of the normal authentication/identification stuff go a bit faster, but I could be wrong.

Thank you,
Trever Adams
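Added example, not part of the original post and not Samba code: a Python sketch of the fixed-width layout proposed above (bits 0-19 for the per-domain id, bits 20-30 for the domain SID hash, +1 probing on collision). The hash function, the wrap-around inside each bit field, the class and function names and the sample SIDs in the comments are assumptions made for illustration.

```python
RID_BITS = 20                         # bits 0-19: id chosen inside each domain
DOM_BITS = 11                         # bits 20-30: hash of the domain SID
RID_MASK = (1 << RID_BITS) - 1
DOM_SLOTS = 1 << DOM_BITS

def fnv1a(text):
    """Stand-in 32-bit hash (FNV-1a); the post does not name a hash function."""
    h = 0x811C9DC5
    for b in text.encode():
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h

class TrustedDomainMap:
    """Local table of trusted domains: one slot in bits 20-30 per domain SID."""

    def __init__(self, sid_hash=fnv1a):
        self.sid_hash = sid_hash
        self.slot_of = {}             # domain SID -> slot stored locally
        self.used = set()

    def slot_for(self, domain_sid):
        """Return the stored slot, or claim one: SID hash, +1 until free."""
        if domain_sid in self.slot_of:
            return self.slot_of[domain_sid]
        start = self.sid_hash(domain_sid) % DOM_SLOTS
        for step in range(DOM_SLOTS):
            slot = (start + step) % DOM_SLOTS   # wrap stays in bits 20-30 (assumption)
            if slot not in self.used:
                self.used.add(slot)
                self.slot_of[domain_sid] = slot
                return slot
        raise RuntimeError("all domain slots in use")

    def to_local(self, domain_sid, remote_id):
        """Mask the id the trusted domain returned, then OR in our slot for it."""
        return (self.slot_for(domain_sid) << RID_BITS) | (remote_id & RID_MASK)

def allocate_low_part(rid, taken, rid_hash=lambda r: r):
    """Bits 0-19 for a new account: hash of the RID, +1 until an unused value."""
    start = rid_hash(rid) & RID_MASK
    for step in range(RID_MASK + 1):
        cand = (start + step) & RID_MASK        # wrap stays in bits 0-19 (assumption)
        if cand not in taken:
            taken.add(cand)
            return cand
    raise RuntimeError("no free id left in bits 0-19")

if __name__ == "__main__":
    trust = TrustedDomainMap()
    # Constructed sample SIDs, not taken from any real domain.
    for sid in ("S-1-5-21-1111-2222-3333", "S-1-5-21-4444-5555-6666"):
        print(sid, trust.slot_for(sid), trust.to_local(sid, 1234))
```

Because the slot table is local state, two hosts that see the same trusted domains in a different order can assign different slots after a collision, so the resulting ids are stable per host rather than globally.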
Re: [Samba] Is Samba 3.5 Franky?
On 10/01/2009 09:40 AM, Jeremy Allison wrote:
> Actually we hatched a plan for shipping 4.0 at the last
> CIFS conference. It'll be a hybrid system, like Franky,
> with some renaming. I'll try and go into it more in the
> next Samba Team blog entry.
>
> Jeremy.
>

Thank you for responding. I am assuming this means that it would be released in the spring?

Thanks again,
Trever

--
"The secret of being miserable is to have leisure to bother about whether you are happy or not. The cure for it is occupation." -- George Bernard Shaw (1856-1950)
[Samba] Is Samba 3.5 Franky?
I know 3.5 isn't done yet, but is it going to be the Franky 3/4 AD DC capable system that people have hoped for and Samba.org still suggests (but the initial branching response suggests maybe it isn't).

Thank you,
Trever
Re: [Samba] Samba4, multi-domain Forest and Unix ID mapping
Charlie wrote:
> When you say "forest" are you referring to a user authentication database implementing multiple linked lists that do not share a common root?

First, thank you for responding. I must also say I have been out of Windows land for some time. I last really messed with Windows Networking around NT 4.0.

By Forest, I mean:

"At the top of the structure is the Forest - the collection of every object, its attributes, and rules (attribute syntax) in the AD. The forest holds one or more transitive, trust-linked Trees. A tree holds one or more Domains and domain trees, again linked in a transitive trust hierarchy. Domains are identified by their DNS name structure, the namespace." (http://en.wikipedia.org/wiki/Active_Directory#Forests.2C_trees.2C_and_domains)

So, I am looking for something like:

    family1.example.com (uids=1000.1999, for example)
    family2.example.com (uids=2000.2999)
    family3.example.com (uids=3000.3999)
    family4.example.com (uids=4000.4999)
    family5.example.com (uids=5000.5999)
    family6.example.com (uids=6000.6999)

Where each is a separate domain that trusts the other, and is within one forest/tree. Also, they must use something like idmap_ldap (or the equivalent) in Samba4 and that mapping must be valid and usable so that people in each domain can log in on boxes in the other domains as Linux and Windows users and share files and printers without uid collisions or other such problems. The only exception is root (uid=0) as each family may or may not want root to be shared. Again, I am using the family example as it fits even the business cases.

I am hoping that Linux users can login doing something like windows ([EMAIL PROTECTED] or domain\user).

> Samba 3 & 4 do indeed incorporate "idmapping" which works pretty much as you describe. The command syntax has grown a lot recently and has not yet been fully documented, but I'd say it's quite powerful. If you can get your interdomain trusts set up right I think you can do what you want, but it's probably going to be dependent on how well you can control access to your directory backend.

Well, I once read that, at least at one point, idmap didn't work in this setup. I was wondering if it has changed (as I can no longer find the reference). Also, yes, these will all be Samba based domains (Active Directory style). All clients will likely be Vista Business or Ultimate.

> You haven't specified what directory backend you are running... Microsoft AD? Novell eDirectory? OpenLDAP? Sun? IBM? Fedora DS? There are lots...
>
> --Charlie

Well, Samba 4 so, if it has an internal (I think that has been abandoned, but not certain) then that, OpenLDAP or Fedora DS will be the backend. I am leaning toward Fedora DS, but I am not certain and will accept suggestions.

I hope this corrects and clarifies my question enough that I can get an accurate response. This is a forward looking query and I am only interested in Samba 4 as it must be Active Directory and Windows server free.

Thank you,
Trever Adams

> On Wed, Jun 11, 2008 at 3:33 AM, Trever L. Adams <[EMAIL PROTECTED]> wrote:
>> Good day,
>>
>> I wasn't sure whether this should go to the user list or the samba-technical list. I chose here based on the descriptions of the list. Forgive me if my understanding of the naming is inaccurate.
>>
>> It is my understanding that Samba3 (and I believe 4, as well) has a very powerful SID<->UID mapping mechanism which will auto create the UID in a range. This is what I mean by Unix ID mapping. I have read that this as of yet won't work in a forest, even if the organization is only one organization. I am hoping this isn't true.
>>
>> I am beginning to look at Samba4 for future implementations within organizations I do work for. However, it appears I will need multiple domain in one forest functionality. Is this implemented or at least planned? If it is implemented/planned is it possible to do the automatic Unix ID mapping per above? If it is all one domain, is it possible to do this if all the domain controllers/active directory machines are Samba 4? Basically, can each domain have its own UID mapping setup and they will work in the forest IF, and ONLY IF, the UID mapping doesn't overlap?
>>
>> The exact mechanism my questions may bring into mind may be bad. Here is the situation, explained in the context of an extended family network:
>>
>> Each family has its own domain (Windows and DNS), policies, etc. Each has its own file servers, mail domains (DNS), etc. Each may share file and printers with other families. This needs to work in Windows and Linux. However, here is the killer, root access to Linux machines is not shared across domains. Nor should Windows system/net/domain admin abilities. However, guests from other families (within the extended family) need to be able to view the shared files as well as login (without administrative privileges) on computer
[Samba] Samba4, multi-domain Forest and Unix ID mapping
Good day,

I wasn't sure whether this should go to the user list or the samba-technical list. I chose here based on the descriptions of the list. Forgive me if my understanding of the naming is inaccurate.

It is my understanding that Samba3 (and I believe 4, as well) has a very powerful SID<->UID mapping mechanism which will auto create the UID in a range. This is what I mean by Unix ID mapping. I have read that this as of yet won't work in a forest, even if the organization is only one organization. I am hoping this isn't true.

I am beginning to look at Samba4 for future implementations within organizations I do work for. However, it appears I will need multiple domain in one forest functionality. Is this implemented or at least planned? If it is implemented/planned is it possible to do the automatic Unix ID mapping per above? If it is all one domain, is it possible to do this if all the domain controllers/active directory machines are Samba 4? Basically, can each domain have its own UID mapping setup and they will work in the forest IF, and ONLY IF, the UID mapping doesn't overlap?

The exact mechanism my questions may bring into mind may be bad. Here is the situation, explained in the context of an extended family network:

Each family has its own domain (Windows and DNS), policies, etc. Each has its own file servers, mail domains (DNS), etc. Each may share file and printers with other families. This needs to work in Windows and Linux. However, here is the killer, root access to Linux machines is not shared across domains. Nor should Windows system/net/domain admin abilities. However, guests from other families (within the extended family) need to be able to view the shared files as well as login (without administrative privileges) on computers in the other domains (think visiting family). To do this, auto SID<->UID maps are a must. Domains within the forest will start at 6 at least and grow from there. (This example isn't far from the kinds of things businesses and families ask me to do.)

Is all of this possible, planned, or just out there?

Thank you,
Trever Adams

P.S. Please, reply directly as well as to the list as I am not on the list and only keep up from time to time.