Re: [Samba] Looking for a set of definitive answers (long)

2008-05-23 Thread Udo Rader

Avery Payne wrote:
> Question:
> 
> - File permissions do not behave as expected (from the viewpoint of other 
> staff working with the server).
> 
> The *nix permission bits cause a user, group, and "Everyone" entry to 
> become permanent and persistent.  There was some initial grousing over 
> this fact as our long-time Windows admin scratched his head over why he 
> couldn't remove these entries as he saw fit.  After explaining that there 
> would always be three settings no matter what, that they could never be 
> deleted, and that they represented actual filesystem-level bits that 
> wouldn't go away, it was accepted.  I didn't notice if this was in the 
> docs or not, but I certainly didn't find it.  It also meant enabling ACLs 
> on all of the filesystems and doing some creative thinking with the 
> permissions.  The closest I could do was to map all files as owner root, 
> group set to Domain Admins, and Everyone set to disallowed; members of 
> the IT staff would be mapped with the "admin users" parameter; from 
> there, any additional permissions would be mapped via ACLs.  We've found 
> that this method has the closest behavior to a "real" Windows server and 
> has satisfied everyone.

that's expected behaviour ;-)

As you might know, things may even get more complicated if you have "dos
filemode = yes" and maybe "map system/hidden/archive = yes" ...

> - Permissions don't propagate through the filesystem.
> 
> On a Real Windows Box(tm) you would be able to set permissions at the 
> parent level of a directory and have them show up for each child object.  
> Because the filesystem semantics are not the same in *nix-land, you need 
> to go into the directory and manually propagate the permissions, or if 
> you're stuck trying to administer permissions through a windows session 
> (like the other IT staffers in my department), using the Advanced setting 
> to force-reset all permissions on all child objects.  This has also 
> caused a bit of grousing as we have several nested directories with a 
> hierarchy of permissions; getting one parent directory wrong means 
> rebuilding permissions for several child directories as well.  I have 
> never been able to get a satisfactory answer as to how to resolve this 
> issue, other than the process I described above (which I had to resolve 
> for myself without documentation).

do you have "inherit acls = yes" and "map acl inherit = yes" in your
smb.conf?

that usually does the trick ...

> - The vendor initially set up our authentication via tdb files and 
> Winbind.  We have been using this combination successfully for some time, 
> but in the Official Samba Guide it talks about regular maintenance of the 
> tdb files via tdbbackup.  The department head has asked that I find the 
> definitive answer on how to do this, as we cannot afford more than a few 
> minutes of scheduled downtime.  The vendor's response was that tdb files 
> should not be used because they can be corrupted when applying tdbbackup 
> to them (despite the fact that it was the vendor that set us up to use 
> them to begin with - go figure).  This has caused even more concern - 
> millions of dollars in business and 50+ users are supported by this 
> server, running 24/7/365.  So, if we were to lose our file server 
> tomorrow, and had to activate the backup server (which we would do by 
> plugging in the eSATA array into the new units and starting up the 
> system), how could we guarantee that the GUIDs, etc. would be consistent 
> and we wouldn't have a complete mess on our hands?  I have seen someone 
> else recently mention that they should be using an LDAP authentication 
> backend.  So who's correct, the vendor's original setup which uses tdb 
> files, or the 2nd vendor response which says don't use them, or should we 
> be on LDAP authentication connected to our Win2k3 domain controllers?

well, I have to agree with the second response you got. LDAP or let's
say "any" replicable & (load) balancable database storage is far better
than a local file based storage.

I've done many installations and even for the smallest ones I used LDAP,
slapd for true samba PDC installations or of course the nice ADS(=LDAP)
features any >= w2k PDC provides.

BTW, providing your smb.conf or actually the output of testparm would be
a good starting point to get better feedback on what goes wrong with your
installation.

-- 
Udo Rader
http://www.bestsolution.at
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Help: justification for Linux PDC vs Windows...

2008-04-10 Thread Udo Rader
On Thu, 2008-04-10 at 13:08 -0400, Adam Tauno Williams wrote:
> Now I realize I'll get tarred-n-feather for this, but...

of course you'll be :-)

> > > My IT department has implemented a samba PDC and now we are taking flack 
> > > for it. Can anyone help me out with some good justifications for doing 
> > > it this way vs the Microsoft way? Have a meeting about it in a short 
> > > while...
> > > We wanted to do it because Linux is more secure and more stable. But 
> > > there may be other good reasons and it would be good to know them. Or 
> > > maybe it would be better to go with the Microsoft solutions?
> > This is almost a troll question. what is better, beer or wine ... 
> > * samba is open source = support for any version of it will continue 
> >   as long as _you_ resp. your company are willing to support it
> 
> Or as long as clients will continue to operate effectively in a NT4
> domain;  a window which is rapidly closing, IMO.

Show evidence for that. I know many big companies (airlines, yes
airlines) that still operate on WINNT (or alike => samba) based server
infrastructure.

> > * beware that samba PDC == winnt PDC, no ADS PDC yet
> 
> Yep - which is why I think your bosses are correct.  Deploying a *new*
> NT4 domain in 2008 is just nuts.  When most clients are XP or Vista and
> many applications have integration with AD.  You can always migrate to
> Samba4 if that ever becomes a viable DC option.   I've known of many
> SambaPDC+LDAP sites in my area and I believe we have one of the last
> remaining;  just about everyone from my old LUG and other acquaintances
> have tossed in the towel due to policy implementation and application
> issues [and gone over to AD].

I agree. Policies coming with ADS are a true benefit for anybody
operating even mid sized networks.

Samba4 for sure is desperately awaited by many people :-)

> > * samba lets you control/configure many more things than you could ever
> >   configure in a windows PDC
> > * all components of a samba PDC are well documented (like openldap etc.)
> 
> This is *very* debatable.  Basic setup is well documented.  Implementing
> things like effective security policies (password requirements, etc...)
> is downright dodgy,  and very possibly just not possible [see the recent
> ppolicy related thread].  Making use of technologies like Kerberos is
> really awkward.

I disagree. The only problem ie. with Kerberos is that there are so many
weird and misleading so called "HOWTOs" on the net (that should rather
be called "HOWNOTTOs") so that it seems to be "badly" documented. But as
usual, google/your local LUG/a "good" server distribution are your
friends.

-- 
Udo Rader

bestsolution.at EDV Systemhaus GmbH
http://www.bestsolution.at




Re: [Samba] Password sync problem from unix to windows

2008-04-09 Thread Udo Rader
On Wed, 2008-04-09 at 15:52 -0600, SoUnD WrEcK wrote:
> I have searched the list and have been unable to find a definitive answer to
> this problem.
> 
> I am using Samba 3.0.2xx as a PDC.  The server that runs this also happens
> to be a NIS master (not sure if this complicates matters or not).
> 
> When a user's password is changed within a windows client that is part of
> this domain (i.e. using ctrl-alt-del), the password change correctly
> propagates to the unix side.
> 
> However, if a user's password is changed from the unix side (i.e. using
> /usr/bin/passwd), this does not propagate correctly to the windows side.
> This appears to be some sort of Samba password syncing problem.
> 
> Here are some relevant lines from my smb.conf (NOTE: The encrypt passwords
> line is commented out and not exactly sure why that's there or if this is my
> problem.)
> 
> -
>    ;encrypt passwords = no
> 
>    unix password sync = yes
>    passwd program = /usr/bin/passwd %u
>    passwd chat = *New*password:* %n\n\
>      *Re-enter*new*password:* %n\n\
>      *passwd:*password*successfully*changed*for* %u
> -
> 
> My main question here is whether or not this can be done- can I sync
> passwords if the password was changed from the unix side?
> 
> One thing I read was that users must use the smbpasswd command instead of
> passwd.  Would this be an acceptable solution?  If so, could I reroute
> (symlink) /usr/bin/passwd to smbpasswd so that users would be forced to use
> smbpasswd?  I'm not really sure of another way to enforce this..

You basically have two options:

#1 as said, use smbpasswd instead of passwd
#2 use the pam_smbpass module provided by your vendor

the latter one being probably the best method.

-- 
Udo Rader

bestsolution.at EDV Systemhaus GmbH
http://www.bestsolution.at




Re: [Samba] Help: justification for Linux PDC vs Windows...

2008-04-09 Thread Udo Rader
On Wed, 2008-04-09 at 13:40 -0700, JJB wrote:
> Hello,
> 
> My IT department has implemented a samba PDC and now we are taking flack 
> for it. Can anyone help me out with some good justifications for doing 
> it this way vs the Microsoft way? Have a meeting about it in a short 
> while...
> 
> We wanted to do it because Linux is more secure and more stable. But 
> there may be other good reasons and it would be good to know them. Or 
> maybe it would be better to go with the Microsoft solutions?

This is almost a troll question. what is better, beer or wine ... 

But let's try anyway:

* samba is faster (ie. network performance)

* samba deals better with load (scalability)

* samba provides an additional security level by having linux accounts 
  in place

* samba is open source = support for any version of it will continue 
  as long as _you_ resp. your company are willing to support it

* beware that samba PDC == winnt PDC, no ADS PDC yet

* samba lets you control/configure many more things than you could ever
  configure in a windows PDC

* all components of a samba PDC are well documented (like openldap etc.)

* samba is - of course - much, much cheaper due to the lack of license 
  costs

just some initial thoughts ...

For more technical information check the samba HP and/or one of the many
comparisons you will find on the net.

-- 
Udo Rader

bestsolution.at EDV Systemhaus GmbH
http://www.bestsolution.at




Re: [Samba] Domain Member Server /home/user creation - help needed

2008-04-07 Thread Udo Rader
On Mon, 2008-04-07 at 11:00 -0400, [EMAIL PROTECTED] wrote:
> For almost 10 years our school has been using samba as a PDC to provide a
> network drive for each of our students,.  Now I need to install a domain
> member server (DMS) to share the load.  I am running samba 3.0.28 on
> Fedora 7 using the tdbsam backend on the PDC.  I have successfully brought
> up a samba DMS using winbind and the idmap_rid backend.
> 
> I want to have all new students use the DMS for their roaming profiles and
> for their network drive.  Upon first logon of a new user, a directory is
> automatically created for the user in the profile share on the DMS. 
> However, I don’t know how to cause the home directory to be created on the
> DMS for the network drive.  On XP Pro, the user home share shows up on the
> DMS, but is not accessible because the directory does not exist.
> 
> If at this point, I copy the roaming profile directory for the user (which
> is empty) to the home directory, then the home directory is now present
> with the proper ownership and the home drive is now usable by the user.
> 
> e.g. on the DMS, with userid “mark”
> 
> cp -a /var/samba/profiles/mark /home
> 
> The [homes] share on the DMS is
> 
>  [homes]
> Path = /home/%U
> comment = Home Directories
> browseable = no
> writable = yes
> available = yes
> public = no
> 
> So my question is how can I get the home directory for a user created with
> the proper ownership the first time the user signs in?  Is there any kind
> of script that can be invoked on the DMS?  Is there any way winbind can
> create the home directory when it creates the UID/GID for the user?

use pam_mkhomedir for that purpose:

ftp://ftp.eu.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_mkhomedir.html

-- 
Udo Rader

bestsolution.at EDV Systemhaus GmbH
http://www.bestsolution.at




Re: [Samba] Samba Share Mounts with Java

2008-03-27 Thread Udo Rader
On Thu, 2008-03-27 at 12:66 -0600, [EMAIL PROTECTED] wrote:
> 
> >>> Udo Rader <[EMAIL PROTECTED]> 03/27/08 8:37 AM >>> 
> On Thu, 2008-03-27 at 08:05 -0600, [EMAIL PROTECTED] wrote:
> > Hello,
> > 
> >   I am developing a Java application that requires me to read from
> >  and write to a samba share. When developing in a windows environment
> >  this was not a problem. I mounted the share as "M:/", built a path to
> >  a file, checked if the file exists using the Java function
> >  file.exists(), and went on my merry way. Now I am developing in a
> >  Linux environment(SuSE 10). I mount the samba share to a folder and
> >  when I build the path it will find and display the image, however the
> >  check in Java(file.exists()) does not function properly. I ALWAYS get
> >  a return value of false. Any help with this issue would be
> >  appreciated. Thanks!!!

> Udo,
> 
> Thanks for taking a look at my issue. I used the following command to
> mount the share...
> 
> mount -t smbfs -o username=mediauser,password-med08cis
> //132.32.43.11/media
> /home/josgreen/tools/jakarto-tomcat-5.0.19/webapps/associate/media
> 
> file.getAbsolutePath - /media/associate/9782/facial/9782_f.jpg
> file.getPath - /media/associate/9782/facial/9782_f.jpg
> 
> As just another FYI I should also mention that I am running tomcat as
> my application server. Thanks again!

Hmm, your samba mount is in 

/home/josgreen/tools/jakarto-tomcat-5.0.19/webapps/associate/media

but the file you are looking for is in 

/media/associate/9782/facial/9782_f.jpg

so that cannot work at all.

Either mount your samba share like this

% mount -t smbfs -o username=mediauser,password-med08cis
//132.32.43.11/media /media

or correct the path of your file object

or maybe symlink the directory like this:

% ln -s /home/josgreen/tools/jakarto-tomcat-5.0.19/webapps/associate/media /media

This is by no means a samba problem :-)

Please update your samba password now, because everybody on this list
knows it now :-)

-- 
Udo Rader

bestsolution.at EDV Systemhaus GmbH
http://www.bestsolution.at
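
The password in this thread became public because it was typed as a mount option and the command line was then pasted to the list. The following is an added example, not part of the original post: it keeps the password in an owner-only file for the `credentials=` mount option and masks password options in text before it is shared. Function names, paths and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, paths and sample
# values are constructed for illustration.

# write_smb_credentials FILE USER
# Reads the password from stdin, so it never shows up in argv, ps output or
# shell history, and stores it in FILE with owner-only permissions.
write_smb_credentials() {
    _file=$1
    _user=$2
    IFS= read -r _pass || [ -n "$_pass" ] || return 1
    rm -f "$_file"            # never reuse a file with looser permissions
    (
        umask 077             # the file is created as rw-------
        printf 'username=%s\npassword=%s\n' "$_user" "$_pass" > "$_file"
    )
}

# cred_file_is_private FILE
# Succeeds only for a regular file whose mode is exactly rw-------.
cred_file_is_private() {
    [ -f "$1" ] || return 1
    case $(ls -ld "$1") in
        -rw-------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# redact_mount_options
# Filter for text that is about to go into a mail or ticket: masks the value
# of every password option, including the mistyped "password-value" form.
redact_mount_options() {
    sed -e 's/\(password[=-]\)[^ ,]*/\1REDACTED/g'
}

demo() {
    _dir=$(mktemp -d) || return 1
    printf '%s\n' 'example-secret' |
        write_smb_credentials "$_dir/media.cred" exampleuser
    if cred_file_is_private "$_dir/media.cred"; then
        # The mount line now carries a path instead of the secret.
        echo "mount -t smbfs -o credentials=$_dir/media.cred //fileserver.example/media /media"
    fi
    # A command line with an inline password, masked before sharing.
    echo 'mount -t smbfs -o username=exampleuser,password=example-secret //fileserver.example/media /media' |
        redact_mount_options
    rm -rf "$_dir"
}

demo
```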



Re: [Samba] Samba Share Mounts with Java

2008-03-27 Thread Udo Rader
On Thu, 2008-03-27 at 08:05 -0600, [EMAIL PROTECTED] wrote:
> Hello,
> 
>   I am developing a Java application that requires me to read from
>  and write to a samba share. When developing in a windows environment
>  this was not a problem. I mounted the share as "M:/", built a path to
>  a file, checked if the file exists using the Java function
>  file.exists(), and went on my merry way. Now I am developing in a
>  Linux environment(SuSE 10). I mount the samba share to a folder and
>  when I build the path it will find and display the image, however the
>  check in Java(file.exists()) does not function properly. I ALWAYS get
>  a return value of false. Any help with this issue would be
>  appreciated. Thanks!!!

please show the contents of file.getAbsolutePath() resp.
file.getRelativePath() and how you mounted the share (mount options).

What I could think of are two things:

1. upper/lowercasing problem
---
eg. when you told samba to ignore the case, but (maybe) Java doesn't
handle it correctly when using file.exists()

2. wrong path separators
---
What kind of path separators do you use (backslash vs. forwardslash)?

-- 
Udo Rader

bestsolution.at EDV Systemhaus GmbH
http://www.bestsolution.at




Re: [Samba] wrong ELF class error

2008-03-26 Thread Udo Rader

On Wednesday, 26.03.2008 at 14:45 -0400, Daulton Theodore wrote:
> I am trying to configure samba on a Sunfire V125 with Solaris 9 using:
> - openldap-2.3.22
> - libiconv-1.9.1
> - samba-3.0.23a
> - krb5-1.6.3 (the previous build used krb5-1.5.1)
> 
> Kerberos, openldap and libiconv are all installed but the samba build 
> generates an error.
> 
> The following works:
>   ./configure --prefix=/usr/local/samba \
>   --with-ldap \
>   --with-ads \
>   --with-krb5 \
>   --with-pam \
>   --with-winbind
> 
> I then set LD_PRELOAD:
> # export LD_PRELOAD=/usr/local/lib/libiconv_plug.so
> 
> However when I run 'make' I get the following output:
> # make
> Using FLAGS =  -I/usr/local/include -O -D_SAMBA_BUILD_ 
> -I/lib001/samba_binaries/samba-3.0.23a/source/popt 
> -I/lib001/samba_binaries/samba-3.0.23a/source/iniparser/src -Iinclude 
> -I/lib001/samba_binaries/samba-3.0.23a/source/include 
> -I/lib001/samba_binaries/samba-3.0.23a/source/tdb  -I. -DHAVE_CONFIG_H  
> -I/usr/local/include -D_LARGEFILE_SOURCE -D_REENTRANT -D_FILE_OFFSET_BITS=64 
> -DLDAP_DEPRECATED -DSUNOS5 -I/lib001/samba_binaries/samba-3.0.23a/source 
> -D_SAMBA_BUILD_
>   LIBS = -lsendfile -lresolv -lnsl -lsocket -ldl -liconv
>   LDSHFLAGS = -G  -L/usr/local/lib -R/usr/local/lib -lthread
>   LDFLAGS = -L/usr/local/lib -R/usr/local/lib -lthread
>   PIE_CFLAGS =
>   PIE_LDFLAGS =
> Generating smbd/build_options.c
> Building include/proto.h
> ld.so.1: sort: fatal: /usr/local/lib/libiconv_plug.so: wrong ELF class: 
> ELFCLASS32
> creating /lib001/samba_binaries/samba-3.0.23a/source/include/proto.h
> 
> <>
> and it just sits there until I break out of it 
> 
> Has anyone encountered this? Any idea what this 'wrong ELF class' means? I 
> am hoping someone will have come across this and offer some suggestion as 
> to how to get past this point.

I cannot help you much with solaris, but on linux "wrong ELF class" is
an indication that you try to use/run a piece of software not fitting the
processor architecture.

"wrong ELF class: ELFCLASS32" means 32bit software, so my best guess
would be that you try to run 32bit software on a non 32bit system.

In your case it appears that /usr/local/lib/libiconv_plug.so has been
compiled for a different architecture.

Try 

% file /usr/local/lib/libiconv_plug.so
and
% uname -m

and tell us what you get.

-- 
Udo Rader

bestsolution.at EDV Systemhaus GmbH
http://www.bestsolution.at
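
An exported LD_PRELOAD applies to every dynamically linked program the build starts, and the error in this thread names `sort`, so the class mismatch is between that program and the preloaded library. The following added example (not part of the original post) reads the EI_CLASS byte of the ELF header directly and reports which programs a given library cannot be preloaded into; the function names and the 5-byte sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and sample files are
# constructed for illustration.

# elf_class FILE
# Prints ELFCLASS32, ELFCLASS64 or not-elf. Bytes 0-3 of an ELF file are the
# magic 0x7f 'E' 'L' 'F'; byte 4 (EI_CLASS) is 1 for 32-bit, 2 for 64-bit.
elf_class() {
    _hdr=$(od -An -tx1 -N5 "$1" 2>/dev/null | tr -d ' \t\n')
    case "$_hdr" in
        7f454c4601) echo ELFCLASS32 ;;
        7f454c4602) echo ELFCLASS64 ;;
        *)          echo not-elf ;;
    esac
}

# preload_matches LIB PROGRAM
# Succeeds only if both are ELF files of the same class, which is the
# condition the runtime linker checks before mapping a preloaded object.
preload_matches() {
    _lc=$(elf_class "$1")
    _pc=$(elf_class "$2")
    [ "$_lc" != not-elf ] && [ "$_lc" = "$_pc" ]
}

# check_preload LIB PROGRAM...
# Prints one MISMATCH line per program that LIB cannot be preloaded into and
# returns non-zero if there was at least one.
check_preload() {
    _lib=$1
    shift
    _bad=0
    for _prog in "$@"; do
        if ! preload_matches "$_lib" "$_prog"; then
            echo "MISMATCH: $_lib is $(elf_class "$_lib"), $_prog is $(elf_class "$_prog")"
            _bad=1
        fi
    done
    return "$_bad"
}

demo() {
    _dir=$(mktemp -d) || return 1
    # Constructed stubs: only the magic and the class byte, nothing else.
    printf '\177ELF\001' > "$_dir/libplug32.so"   # stands in for a 32-bit library
    printf '\177ELF\002' > "$_dir/sort64"         # stands in for a 64-bit program
    printf '\177ELF\001' > "$_dir/tool32"         # stands in for a 32-bit program
    check_preload "$_dir/libplug32.so" "$_dir/sort64" "$_dir/tool32" ||
        echo "unset LD_PRELOAD or use a library of the matching class"
    rm -rf "$_dir"
}

demo
```

On a real system the same check is run against the library named in LD_PRELOAD and the binaries the build invokes, for example `check_preload "$LD_PRELOAD" "$(command -v sort)"`.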



Re: [Samba] new to samba, pointers/guidance needed

2008-03-26 Thread Udo Rader
On Wed, 2008-03-26 at 09:27 -0400, Ray Leventhal wrote:
> followup:
> 
> I'm guessing it's the passwd backend parameter that I've got wrong.  
> What's the right setting to use /etc/passwd || /etc/shadow for 
> authentication?  (Using webmin, I've managed to sync the Unix users and 
> samba users)

two pointers:

1. % man smb.conf

2. passdb backend = guest
how come you set this to "guest"? 

according to the man page, "passdb backend" can either be:

CUT-
* smbpasswd  -  The default smbpasswd backend. Takes a path to the
smbpasswd file as an optional argument.

* tdbsam - The TDB based password storage backend. Takes  a  path  to
the  TDB  as  an optional argument (defaults to passdb.tdb in the
private dir directory).

* ldapsam  -  The  LDAP based passdb backend. Takes an LDAP URL as an
optional argument (defaults to ldap://localhost)

LDAP connections should be secured where possible. This  may  be  done
using  either Start-TLS (see ldap ssl) or by specifying ldaps:// in the
URL argument.

Multiple  servers may also be specified in double-quotes, if your LDAP
libraries support the LDAP URL notation. (OpenLDAP does).
CUT-

you cannot simply use /etc/passwd and /etc/shadow for Samba. Samba needs
its own password store unless you use LDAP (ldapsam).

You should also read the extensive documentation (HOWTOs) on
www.samba.org, eg. you could start with

http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/install.html

-- 
Udo Rader

bestsolution.at EDV Systemhaus GmbH
http://www.bestsolution.at




Re: [Samba] Poor performance on open/copy/close/rename file operations via remote/VPN connection

2008-03-26 Thread Udo Rader
On Wed, 2008-03-26 at 10:47 +0100, gianfranco pra floriani wrote:
> 
> Udo Rader wrote:
> > On Mon, 2008-03-24 at 22:30 +0100, gianfranco pra floriani wrote:
> >   
> >> Hello,
> >> I have Samba version 3.0.24 running on a 2.6.14-gentoo-r5 x86 kernel 
> >> (xeon 3ghz, 1gb ram raid 5).
> >> All clients accessing samba shares via LAN have no problems. Samba 
> >> server works perfectly and fast.
> >> We are instead experiencing serious performance issues when accessing 
> >> samba shares from remote clients (WAN), via VPN.
> >> Simple operations like "open a file", "copy & paste a file", "save a 
> >> file" from Windows XP SP2 clients are incredibly slow. It may take 10 
> >> seconds to open a "save as" dialog box, and maybe 15 more seconds to 
> >> save a "hello world" txt file from Notepad.
> >> Other services using the VPN such as SCP, SSH, HTTP, FTP work very good
> >> on the same connection, with no slow issues at all. I tried 2 kinds of
> >> VPN connections (OpenVPN and a router-proprietary VPN
> >> gateway-to-client), and both have the same issue, both only with Samba.
> >> I wonder if there is something I'm missing in client or server
> >> configuration that makes Samba talking very slow when connections are
> >> not coming from the LAN. The file transfer process works fine: once the
> >> "saving file" or "copying file" process has begun, it takes the same
> >> amount of time needed by a SCP or a FTP transfer command using the same
> >> VPN connection. I tried to copy a 2MB file from client to server and the
> >> time needed using SCP and using SAMBA (once the copy process was
> >> started) was the same.
> >> I tried to add some "socket options = TCP_NODELAY SO_SNDBUF=8192
> >> SO_RCVBUF=8192" in smb.conf with no results.
> >> The problem is the same using "explorer", command prompt, or any program
> >> in the client. We currently use all XP SP2 clients.
> >> It looks like the initial and final talking acknowledgement between
> >> client and server for any kind of operation is unacceptably slow,
> >> while the file transfer process seems not to be involved in this
> >> problem.
> >> 
> >
> > This is quite common with VPN connections. What response time do you get
> > from a ping (LAN vs. VPN)?
> >
> >   
> Hello Udo,
> this is a ping from the server to a client:
> PING 10.0.0.190 (10.0.0.190) 56(84) bytes of data.
> 64 bytes from 10.0.0.190: icmp_seq=1 ttl=128 time=52.7 ms
> 64 bytes from 10.0.0.190: icmp_seq=2 ttl=128 time=48.9 ms
> 64 bytes from 10.0.0.190: icmp_seq=3 ttl=128 time=49.2 ms
> from client to server the ping time is the same.

doesn't look too bad.

> > A major network performance factor for VPN clients is the correct configuration
> > of various networking parameters (such as MTU, window size, etc. - all
> > depending on the type of internet connection you have).
> >
> > And finally, what type of VPN are you using?
> >
> >   
> we have ssh, scp, ftp and http services running on the same VPN  
> (OpenVPN 2.0.6 i686-pc-linux-gnu), and all services are running fine, no 
> delays, no bottlenecks. Samba is the only service having problems.

Are you sure that it is a samba problem? Try to create a share on a WXP
LAN box and try to access it from a remote box.

Your problem is very likely a SMB (and not samba) problem.

And what type of OpenVPN adapter do you use? tun or tap?

-- 
Udo Rader

bestsolution.at EDV Systemhaus GmbH
http://www.bestsolution.at




Re: [Samba] Poor performance on open/copy/close/rename file operations via remote/VPN connection

2008-03-26 Thread Udo Rader
On Mon, 2008-03-24 at 22:30 +0100, gianfranco pra floriani wrote:
> Hello,
> I have Samba version 3.0.24 running on a 2.6.14-gentoo-r5 x86 kernel 
> (xeon 3ghz, 1gb ram raid 5).
> All clients accessing samba shares via LAN have no problems. Samba 
> server works perfectly and fast.
> We are instead experiencing serious performance issues when accessing 
> samba shares from remote clients (WAN), via VPN.
> Simple operations like "open a file", "copy & paste a file", "save a 
> file" from Windows XP SP2 clients are incredibly slow. It may take 10 
> seconds to open a "save as" dialog box, and maybe 15 more seconds to 
> save a "hello world" txt file from Notepad.
> Other services using the VPN such as SCP, SSH, HTTP, FTP work very good
> on the same connection, with no slow issues at all. I tried 2 kinds of
> VPN connections (OpenVPN and a router-proprietary VPN
> gateway-to-client), and both have the same issue, both only with Samba.
> I wonder if there is something I'm missing in client or server
> configuration that makes Samba talking very slow when connections are
> not coming from the LAN. The file transfer process works fine: once the
> "saving file" or "copying file" process has begun, it takes the same
> amount of time needed by a SCP or a FTP transfer command using the same
> VPN connection. I tried to copy a 2MB file from client to server and the
> time needed using SCP and using SAMBA (once the copy process was
> started) was the same.
> I tried to add some "socket options = TCP_NODELAY SO_SNDBUF=8192
> SO_RCVBUF=8192" in smb.conf with no results.
> The problem is the same using "explorer", command prompt, or any program
> in the client. We currently use all XP SP2 clients.
> It looks like the initial and final talking acknowledgement between
> client and server for any kind of operation is unacceptably slow,
> while the file transfer process seems not to be involved in this
> problem.

This is quite common with VPN connections. What response time do you get
from a ping (LAN vs. VPN)?

A major network performance factor for VPN clients is the correct configuration
of various networking parameters (such as MTU, window size, etc. - all
depending on the type of internet connection you have).

And finally, what type of VPN are you using?

Very probably you cannot do much about it from the samba side.

-- 
Udo Rader

bestsolution.at EDV Systemhaus GmbH
http://www.bestsolution.at




Re: [Samba] Setting up ADS in Samba with MIT kerberos mapping/backend

2008-03-19 Thread Udo Rader
On Wed, 2008-03-19 at 08:43 -0500, Pat Riehecky wrote:
> Don't use NFS.  It is trivial to compromise the security of NFS - you
> simply need root on something, set your IP and su as needed.  If the
> tactic is not clear poke me off list.  NFS is never the answer outside
> of the data center.


Huh? NFS has had strong security support (including kerberos) since
2000, so what are you talking about?


> On Wed, 2008-03-19 at 08:23 -0400, James Pulver wrote:
> > Speaking to the kinit, maybe there's a free file manager for windows
> > that would interop with MIT Leash for passing the ticket to samba? I'm
> > able to get putty and WinSCP for instance to work with the Network
> > Identity Manager...
> > 
> > I'm debating dropping samba, and trying again for either a different
> > file system (AFS or NFS on windows) or having to switch around to using
> > AD as central authentication (which I'd rather not do).
> > --
> > James Pulver
> > Information Technology Area Supervisor
> > LEPP Computer Group
> > Cornell University
> > 
> > 
> > 
> > Steve Harper wrote:
> > > We here at the University of Utah have a similar setup that we are
> > > trying to get to work.  We have set up a cross-realm trust between our MIT
> > > Kerberos server and our Windows AD Domain, and all the user accounts
> > > altSecurityIdentities map the AD users to our MIT style kerberos realm.
> > >   AD passwords are set to long random strings.
> > > 
> > > So far we have followed the guide below on the Samba wiki, with some
> > > success but there are a few things that still do not work.
> > > 
> > > http://wiki.samba.org/index.php/Samba_%26_Active_Directory
> > > 
> > > On linux and mac workstations we can map shares on our samba server once
> > > we have done a kinit against our kerberos realm.
> > > 
> > > kinit [EMAIL PROTECTED]
> > > smbclient \\sambaserver.utah.edu\SHARENAME -k
> > > 
> > > Smb shares initiated from the GUI on the Mac work ok on the Tiger
> > > release of Mac OS X, but seem to fail on Leopard.
> > > 
> > > Other than that, it all works fine on these clients.
> > > 
> > > The problem is with the windows workstations.  Workstations that are
> > > members of the domain can logon with their MIT passwords, specifying the
> > > kerberos realm in the GINA.  Once there they can seamlessly map drives
> > > iff they specify their (usually set to garbage) local AD passwords.  All
> > > other permutations to let the samba or windows server know that we want
> > > to use our cross-realm trust credentials have been unsuccessful thus far.
> > >  Ideally we would like to be able to map drives to these shares from
> > > windows machines that are not even members of our AD domain.
> > > 
> > > A new option I saw that I have not had time to try out yet for the
> > > smb.conf is
> > > use kerberos keytab = yes
> > > 
> > > This might help the clients to succeed, or it might be useful in getting
> > > Samba to attempt to authenticate users directly against our MIT Kerberos
> > > server.  I've still got a lot of reading and experimenting to do to see
> > > if we can pull this together.  Hopefully somebody else on this list has
> > > already fought such a battle and emerged triumphant.  But in perusing
> > > the list archives for a few hours I have yet to see something like this.
> > > Thanks,
> > > Steve Harper
> > > Center for High Performance Computing
> > > University of Utah.
> > > 
> > > James Pulver wrote:
> > >> So, I'm trying to figure out how to get Samba to work in this way.
> > >> Specifically, I have a 2003 R2 AD in 2003 functional level. All user
> > >> accounts are mapped to the same user account name @ our MIT Kerberos
> > >> server. Users do not know their AD password.
> > >>
> > >> Can Samba authenticate users with their Kerberos realm passwords, and
> > >> know to use the same user name so the UIDs match for both platforms +
> > >> permissions?
> > >>
> > >> If it can, what should the smb.conf look like?
> > >> -- 
> > >> James Pulver
> > >> Information Technology Area Supervisor
> > >> LEPP Computer Group
> > >> Cornell University
> > >>
> > 

-- 
Udo Rader

bestsolution.at EDV Systemhaus GmbH
http://www.bestsolution.at




[Samba] a bit OT: Windows XP clients & performance

2008-03-19 Thread Udo Rader
Hi,

I am just setting up a samba installation that will finally be utilized
by approx. 150 workstations, most of them WXP.

Now after successfully installing & integrating samba into the existing
W2K3 ADS structure, we started tuning the server by for example
measuring network load.

What currently puzzles us is that Windows XP clients never seem to get
over 85 to 90Mbit, eg. when copying large files from/to the server
(from/to does not make a difference).

Using FTP we can easily reach rates just below 100Mbit and copying files
locally on the samba server using smbclient gives us > 2Gbits, so it is
apparently no samba problem.

For testing purposes we even put all the boxes involved on a separate
switch, but that did not change anything ...

So I have 2 questions:

1. has someone else seen the same?

2. can this be circumvented (if not on the samba side, maybe on the 
   client side?)

TIA!

-- 
Udo Rader

bestsolution.at EDV Systemhaus GmbH
http://www.bestsolution.at




[Samba] samba forgetting printers

2004-04-19 Thread Udo Rader
hi,

I've a debian sid based samba 3.0.2a-1 installation running on one of
our customers' servers.

Everything works nicely (samba 3 & LDAP rocks), except for the
printers. Upon each start, samba has all printers visible and ready.
smbclient -L localhost shows the printer shares and all windoze clients
can print to them.

However, after some time (a day or so), samba simply forgets the
printers. No log message, no nothing. smbclient -L localhost on the
server really shows, that there are no more printers there and nobody
can print from windoze anymore. 

Only when I restart samba, the printers appear again.

the printer side is handled by cups 1.1.20final+cvs20040330-1.

Any ideas?

happy hacking

Udo Rader

-- 
b e s t s o l u t i o n . a t   EDV Systemhaus GmbH
--------
udo rader  technical director/CEM   mobile  ++43 660 5263642
eduard-bodem-gasse 8/3   A-6020 innsbruck   fax     ++43 512 935833
http://www.bestsolution.at          phone   ++43 512 935834

