[Samba] user can't access subdirectories on share using Win7
Hello,

I have a Samba 3.5.6 PDC and BDC on Debian squeeze with an OpenLDAP backend, and a couple of Samba member servers based on Samba 3.5.15 and 3.6.6 on Solaris 11 delivering shares to Windows and Linux users. Recently we moved from Samba 3.0.24 on Solaris to the above versions and we are stuck with a problem on Windows 7 machines.

On Solaris the ZFS filesystem is mounted with these settings:

drwxrws--t 20 root dnateam 22 Dec 7 11:48 sample_tracking

and exported with Samba:

[sample_tracking]
    path = /dataPool/samples/sample_tracking
    force group = dnateam
    force create mode = 0770
    force directory mode = 0770
    browsable = yes
    read only = yes
    veto oplock files = /*.mdb/*.MDB/
    write list = @"DIL_\informatics"
    valid users = @"DIL_\dnateam" @"DIL_\informatics"

In the sample tracking directory there are subdirectories with files and projects, e.g.

drwxrws--- 59 mattwinformatics 61 Dec 14 17:37 projects

When I mount this share on Windows XP or Server 2003 with my account (groups: wojciech informatics sample_management dnateam sampleinf) I have access to sample tracking, projects and all subdirectories, but when I mount it on Win7 or Server 2008 I have access to sample tracking (I can create files and directories) but can't enter the projects directory (access denied). When I add o+rx on projects the problem moves one level deeper.

I was checking the logs while trying to access projects, and no information appeared in the logs (not even connections). Log level is 5. It looks like Windows 7 gives access denied without connecting to the Samba server.

What might be the problem? Win 7 security settings? Win7 has all these settings:

    Network security: LAN Manager authentication level
        Send LM & NTLM responses
    Minimum session security for NTLM SSP
        Disable Require 128-bit encryption

thanks
Wojciech

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Does not belong to our domain - messages
Hello,

I have a Samba 3.4.8 (SerNet) PDC and BDC with an LDAP backend on Debian lenny. A while ago I joined two Samba member servers on OpenSolaris (3.0.37 and 3.0.34). Everything worked fine, and even now it is working, but since last week, after a reboot of both Samba members, these messages appear in the winbind logs after invoking wbinfo -u:

# wbinfo -u
root
nobody
daniel
wojciech
chris
jan
...

# tail /varlog/samba/winbind.log
[2010/10/18 09:53:25, 0] passdb/pdb_ldap.c:(4216)
  sid S-1-5-21-2622244236-1008294448-3155893552-101348 does not belong to our domain
[2010/10/18 09:53:25, 0] passdb/pdb_ldap.c:(4216)
  sid S-1-5-21-2622244236-1008294448-3155893552-103006 does not belong to our domain
[2010/10/18 09:53:25, 0] passdb/pdb_ldap.c:(4216)
  sid S-1-5-21-2622244236-1008294448-3155893552-103004 does not belong to our domain

What might be the problem? Thanks in advance.

My member server smb.conf:

[global]
    workgroup = TEST
    netbios name = THOR
    server string = Samba Member Server v.%v
    enable privileges = yes
    username map = /etc/sfw/smbusers
    name resolve order = wins hosts bcast
    dns proxy = yes
    log file = /var/log/samba/%m.log
    max log size = 50
    syslog = 0
    log level = 1
    utmp = Yes
    security = domain
    encrypt passwords = true
    interfaces = aggr0, lo
    keep alive = 60
    wins server = 192.168.1.3
    winbind trusted domains only = yes
    allow trusted domains = yes
    passdb backend = ldapsam:"ldap://ravenfield.test.local ldap://ravenhill.test.local";
    ldap suffix = dc=dil,dc=edu
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap
    ldap admin dn = uid=samba,ou=DSA,dc=dil,dc=edu
    idmap backend = ldap:"ldap://ravenfield.test.local ldap://ravenhill.test.local";
    idmap uid = 1-2
    idmap gid = 1-2
    acl check permissions = false
    map read only = yes
    map archive = no
    map system = no
    nt acl support = true
    create mask = 0700
    directory mask = 0700
    unix charset = LOCALE
    display charset = LOCALE

[homes]
    comment = Home Directories
    path = /home/%U
    read only = no
    browsable = no
    hide files = /*.ini/
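A triage helper for the winbind log lines quoted in the post above, as an added example that is not part of the original post or of Samba. It extracts every SID reported as "does not belong to our domain", splits it into its domain part and RID, and compares the domain part with the SID the server reports as its own (for instance from `net getlocalsid`). The `LOCAL_SID` value below is a constructed placeholder, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Message text logged by passdb/pdb_ldap.c, as quoted in the post above.
SID_MSG = re.compile(r"sid (S-1-[0-9-]+) does not belong to our domain")

# The three log entries from the post, in Samba's header-line plus
# message-line layout.
SAMPLE_LOG = """\
[2010/10/18 09:53:25, 0] passdb/pdb_ldap.c:(4216)
  sid S-1-5-21-2622244236-1008294448-3155893552-101348 does not belong to our domain
[2010/10/18 09:53:25, 0] passdb/pdb_ldap.c:(4216)
  sid S-1-5-21-2622244236-1008294448-3155893552-103006 does not belong to our domain
[2010/10/18 09:53:25, 0] passdb/pdb_ldap.c:(4216)
  sid S-1-5-21-2622244236-1008294448-3155893552-103004 does not belong to our domain
"""

# Constructed placeholder: replace with the SID the server itself reports.
LOCAL_SID = "S-1-5-21-1111111111-2222222222-3333333333"


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-rid' into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def rejected_sids(log_text):
    """Map each domain SID seen in the rejection messages to its sorted RIDs."""
    by_domain = defaultdict(set)
    for match in SID_MSG.finditer(log_text):
        domain, rid = split_sid(match.group(1))
        by_domain[domain].add(rid)
    return {domain: sorted(rids) for domain, rids in by_domain.items()}


def triage(log_text, local_sid):
    """One record per rejected domain SID, flagged against the server's own SID."""
    local_sid = local_sid.strip()
    return [
        {"domain_sid": domain, "rids": rids, "matches_local": domain == local_sid}
        for domain, rids in sorted(rejected_sids(log_text).items())
    ]


if __name__ == "__main__":
    for record in triage(SAMPLE_LOG, LOCAL_SID):
        state = "same as" if record["matches_local"] else "differs from"
        print(f"{record['domain_sid']} ({len(record['rids'])} accounts) "
              f"{state} local SID {LOCAL_SID}")
        print("  RIDs:", ", ".join(str(r) for r in record["rids"]))
```

When all rejected accounts share one domain SID that differs from the local one, the two values to compare are the domain SID stored with the LDAP accounts and the SID this server holds for itself.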
[Samba] Truncated Directories
Hi,

I am running a Samba PDC/BDC with an LDAP backend on Debian and an external home directory server (Samba member server) on Solaris. I'm using ZFS as the file system for home directories. When I access a home directory on Windows, some directories are truncated to the old DOS name length. The main problem is with the snapshot directory, where the Unix name is e.g.

"zfs-auto-snap:hourly-2010-06-28-11:00"

and under Windows:

ZYV2FC~H

What Samba options should I add to my smb.conf to avoid such behavior?

thanks
Re: [Samba] user's profiles relating to each version of Windows
On Monday 26 April 2010 18:33:57 you wrote:
> Example given here:
> http://lists.samba.org/archive/samba-technical/2007-April/053054.html
>
> Dale
>
> On 04/26/2010 11:45 AM, Wojciech Giel wrote:
> > Hi
> >
> > I have samba 3.4.3 PDC/LDAP server with roaming profiles. Unfortunately
> > I have to add to domain windows 7 and vista so I thought that it would be
> > good if I separate profiles based on Windows version. So I have added
> > this to my smb.conf:
> >
> > logon script = scripts\logon.bat
> > logon home = \\THOR\%U\windows
> > logon path = \\THOR\%U\windows\.profiles\%a
> > logon drive = H:
> >
> > I'm adding users with smbldap-tools. I have changed also smbldap.conf to
> > this:
> >
> > userProfile="\\THOR\%U\windows\.profiles\%a"
> >
> > pdbedit -L -v
> >
> > Home Directory: \\THOR\user\windows
> > HomeDir Drive: H:
> > Logon Script: scripts\logon.bat
> > Profile Path: \\THOR\user\windows\.profiles\%a
> >
> > but when I log out, instead of creating WinXP or win2k3 etc. samba creates
> > '%a' directory.
> >
> > what is wrong with this configuration? I can't find any useful
> > information to fix it.
> >
> > thanks
> > Wojciech

Thanks. The only wrinkle is that home directories and user profiles are stored on external storage (member server), and I don't have a [profile] share on the PDC, as I understood from the smb.conf manpage that settings in [profile] like path etc. concern a local OS path, not one on an external server - storage. So will these settings work on a member server?

Wojciech
[Samba] user's profiles relating to each version of Windows
Hi

I have a Samba 3.4.3 PDC/LDAP server with roaming profiles. Unfortunately I have to add Windows 7 and Vista to the domain, so I thought that it would be good if I separated profiles based on Windows version. So I have added this to my smb.conf:

logon script = scripts\logon.bat
logon home = \\THOR\%U\windows
logon path = \\THOR\%U\windows\.profiles\%a
logon drive = H:

I'm adding users with smbldap-tools. I have also changed smbldap.conf to this:

userProfile="\\THOR\%U\windows\.profiles\%a"

pdbedit -L -v

Home Directory: \\THOR\user\windows
HomeDir Drive: H:
Logon Script: scripts\logon.bat
Profile Path: \\THOR\user\windows\.profiles\%a

But when I log out, instead of creating WinXP or win2k3 etc., Samba creates a '%a' directory.

What is wrong with this configuration? I can't find any useful information to fix it.

thanks
Wojciech
[Samba] roaming profiles
Gary Dale wrote:
> The netlogon share is, AFAIK, used if you want to provide scripts to be
> run at logon. It's not essential for roaming profiles but it's also
> probably not large so there is no point in not having one. Corporate
> types love being able to control end user's using netlogon scripts.
> Profiles are a copy of your Windows account profile that gets synched
> when you log on or off a Windows computer. The problem is, if you have
> lots of files in My Documents, it can get large and synching can take a
> long time.
> AFAIK there is no need for them both to be on the same machine but I've
> never tried doing it any other way. Not sure how to specify them on
> different machines. You can put your netlogon and profiles anywhere.

But can I stay with only these entries in smb.conf:

[global]
.
logon script = scripts\logon.bat
logon home = \\OXHILL\%U
logon path = \\OXHILL\%U\.profiles
logon drive = H:

and get rid of the [profile] share altogether on the PDC or member?

> The path you specify in your smb.conf above puts it in a hidden (.profile)
> directory in a user's Unix home folder. However, they may not have one.

It is created automatically by scripts. But I only need to configure Samba to work correctly in this layout.

> I keep mine in
> /home/samba/netlogon and /home/samba/profiles/%U myself. You can still
> share that for each user but it keeps your /home directory smaller -
> only Unix accounts & samba show up directly in /home.

thanks
[Samba] roaming profiles
Hi

I am trying to configure a Samba PDC/BDC with an LDAP master/slave backend and a file server as a member server. The PDC/BDC with LDAP is working. Now I'm in the middle of configuring roaming profiles, but I don't understand some issues.

The Samba PDC/BDC with LDAP is on Ubuntu Server, whereas the Samba member server is on OpenSolaris with ZFS-based storage. Users' home directories will be on the Samba member server (OXHILL), and inside these directories will be the roaming profiles directory and redirected folders.

I don't understand the roaming profiles topic; could someone explain it in a simple way? As I understand it, on the PDC, in order to have roaming profiles I have to add:

[global]
.
logon script = scripts\logon.bat
logon home = \\OXHILL\%U
logon path = \\OXHILL\%U\.profiles
logon drive = H:

[homes]
comment = Home Directories
valid users = %S
read only = no
browsable = no

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
browseable = no
read only = yes
guest ok = yes
locking = no

[profile]
comment = Profile Share
path = /home/%U/.profiles
read only = no
profile acls = yes

So the home directory is on OXHILL and the profile directory is inside that directory. But should the netlogon share be on that machine too? What is this profile share for, and is it necessary if I have logon path?

On the Samba member (OXHILL):

[homes]
comment = Home Directories
path = /home/%U
read only = no
browsable = no
root preexec = /usr/bin/homecreate '%U'

Should I add the profile and netlogon shares? Please, somebody help me to understand the relationship between logon path and the netlogon and profile shares, and how to do it correctly.

thanks for any help
[Samba] Smbd startup failure caused by a failure to create an NT token for the guest account
Binary package hint: samba

Hi

I've just installed Ubuntu Server 8.04 LTS in order to run a Samba/LDAP PDC, but I've encountered an error which looks like bug 3905, which was fixed in Samba 3.0.23 according to the changelog. I tried two different configurations; both end at the same moment with an error. The first one is an exact copy of the solution from chapter 5 of "Samba3 by example". The second one is based on the SAMBA-LDAP Howto from smbldap-tools. Slapd is empty but working and gives correct DSE responses, but when I launch Samba, smbd crashes with this information in the logs:

[2009/05/30 20:44:57, 10] lib/smbldap.c:smbldap_search_ext(1246)
  Failed search for base: ou=Groups,dc=dil,dc=edu, error: 32 (No such object) (unknown)
[2009/05/30 20:44:57, 10] auth/auth_util.c:add_aliases(656)
  pdb_enum_alias_memberships failed: NT_STATUS_UNSUCCESSFUL
[2009/05/30 20:44:57, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/05/30 20:44:57, 10] auth/auth_util.c:make_new_server_info_guest(1508)
  create_local_token failed: NT_STATUS_NO_SUCH_USER
[2009/05/30 20:44:57, 0] smbd/server.c:main(1059)
  ERROR: failed to setup guest info.
If I run:

smbd -d 10 -i

Primary group is 0 and contains 0 supplementary groups
smbldap_search_ext: base => [ou=Groups,dc=dil,dc=edu], filter => [(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-545))], scope => [2]
Failed search for base: ou=Groups,dc=dil,dc=edu, error: 32 (No such object) (unknown)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
LEGACY: mapping failed for sid S-1-5-32-545
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
NT user token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
smbldap_search_ext: base => [ou=Groups,dc=dil,dc=edu], filter => [(&(| (objectclass=sambaGroupMapping)(sambaGroupType=4))(| (sambaSIDList=S-1-5-21-1900305026-286758470-1266315604-501) (sambaSIDList=S-1-22-2-65534)(sambaSIDList=S-1-1-0)(sambaSIDList=S-1-5-2) (sambaSIDList=S-1-5-32-546)))], scope => [2]
Failed search for base: ou=Groups,dc=dil,dc=edu, error: 32 (No such object) (unknown)
pdb_enum_alias_memberships failed: NT_STATUS_UNSUCCESSFUL
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
create_local_token failed: NT_STATUS_NO_SUCH_USER
ERROR: failed to setup guest info.
talloc report on 'null_context' (total 4427 bytes in 228 blocks)
auth_serversupplied_info contains 219 bytes in 3 blocks (ref 0) 0xa8dde0
struct passwd * contains 117 bytes in 7 blocks (ref 0) 0xa8ebd0
struct samu contains 582 bytes in 14 blocks (ref 0) 0xa8f8c0
main loop talloc (mainly parse_misc) contains 573 bytes in 7 blocks (ref 0) 0xa8e100
SORTED_TREE contains 915 bytes in 44 blocks (ref 0) 0xa8bb60
struct pdb_methods contains 704 bytes in 5 blocks (ref 0) 0xa81a30
lp_talloc contains 1317 bytes in 147 blocks (ref 0) 0x9da440

If I add

winbind nested groups = no

I can start the smbd daemon, but it is a workaround, not a proper solution for a server. The same configuration on US 9.04 works without problems. Has anybody met this error?
## Global ##
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/autofs.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 256
modulepath /usr/lib/ldap
moduleload back_hdb
backend hdb

## Database Configuration ##
database hdb
suffix "dc=dil,dc=edu"
rootdn "cn=admin,dc=dil,dc=edu"
rootpw {SSHA}0cp6jXILNJnHBSYUAaLH5nfLk/QKm+KV
directory "/var/lib/ldap"

# DB Settings #
# The dbconfig settings are used to generate a DB_CONFIG file the first #
# time slapd starts. They do NOT override existing an existing DB_CONFIG #
# file. You should therefore change these settings in DB_CONFIG directly #
# or remove DB_CONFIG and restart slapd for changes to take effect. #
# For the Debian package we use 2MB as default but be sure to update this #
# value if you have plenty of RAM #
dbconfig set_cachesize 0 2097152 0
# Sven Hartge reported that he had to set this value incredibly high #
# to get slapd running at all. See http://bugs.debian.org/303057 for more #
# information. #
# Number of objects that can be locked at the same time. #
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted) #
dbconfig set_lk_max_locks 150
Re: [Samba] Adding additional groups to a file.
Thanks, it works well.

Wojciech

On Tuesday 31 March 2009 21:55:11 you wrote:
> You'll need to enable ACLs. I use Ubuntu but I used this guide to set up
> ACLs on my particular setup.
>
> http://aisalen.wordpress.com/2007/08/10/acls-on-samba/
>
> -----Original Message-----
> From: samba-bounces+masaog=fshac@lists.samba.org
> [mailto:samba-bounces+masaog=fshac@lists.samba.org] On Behalf Of
> Wojciech Giel
> Sent: Tuesday, March 31, 2009 3:24 PM
> To: samba@lists.samba.org
> Subject: [Samba] Adding additional groups to a file.
>
> Hi,
> I have installed and configured Samba as PDC with Heimdal kerberos and
> openLDAP as backend for both on debian lenny. But I am stuck on groups.
> I have created a file in my home directory mapped to my documents. I can
> change rwx permission on linux and windows and it works perfectly. but this
> file has as a group my default group. this file should be read by users from
> accounting and managers group too. but when I want to add additional group
> in security tab I get access denied. What should I do to be able to add
> additional groups.
> thanx,
> Wojciech
>
> my smb.conf
>
> workgroup = EXAMPLE
> netbios name = cannibal
> server string = Linux PDC/KDC (Samba %v)
> realm = EXAMPLE.COM
> use kerberos keytab = yes
> use spnego = yes
>
> log file = /var/log/samba/%m.log
> max log size = 1000
> syslog = 1
> log level = 4
> utmp = Yes
>
> guest account = nobody
> map to guest = Never
> admin users = root addmachine vin @"Domain Admins"
> enable privileges = yes
>
> security = user
> encrypt passwords = true
> os level = 255
> local master = yes
> domain master = yes
> preferred master = yes
> domain logons = yes
>
> keepalive = 30
> time server = yes
> preserve case = yes
> short preserve case = yes
> case sensitive = no
> null passwords = no
>
> logon script = %U.bat
> logon path = \\cannibal\profiles$\%U\%a
> logon drive = G:
> logon home = \\cannibal\%U
> bind interfaces only = yes
> interfaces = eth0, lo
> hosts allow = 10.10.10. 127.
> wins support = yes
> dns proxy = yes
>
> passdb backend = ldapsam:ldaps://cannibal.example.com/
> ldap admin dn = cn=ldapmaster/ad...@example.com,ou=KerberosPrincipals,dc=example,dc=com
> ldap suffix = dc=hogwarth,dc=edu
> ldap group suffix = ou=groups
> ldap user suffix = ou=KerberosPrincipals
> ldap machine suffix = ou=computers
> ldap idmap suffix = sambaDomainName=EXAMPLE
> ldap ssl = On
> ldap delete dn = Yes
> idmap backend = ldap:ldaps://cannibal.example.com/
> idmap uid = 1-25000
> idmap gid = 1-25000
> Pam password change = yes
>
> ldap passwd sync = yes
> unix password sync = no
> passwd program = /usr/sbin/smbldap-passwd -u %u
>
> passwd chat = *New*password* %n *Retype*new*password* %n
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> add machine script = /usr/sbin/smbldap-useradd -w "%u"
> add user script = /usr/sbin/smbldap-useradd -m -a "%u"
> delete user script = /usr/sbin/smbldap-userdel "%u"
> add group script = /usr/sbin/smbldap-groupadd -p "%g"
> delete group script = /usr/sbin/smbldap-groupdel "%g"
> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
> set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>
> dos charset = cp852
> unix charset = iso8859-2
> display charset = LOCALE
> restrict anonymous = 0
>
> [homes]
> comment = Home Directories
> valid users = %S
> browseable = no
> writable = yes
> admin users = %u
> write list = %u
> read list = %u
> create mask = 0644
> directory mask = 0755
>
> [netlogon]
> path = /samba/netlogon
> writable = no
> browseable = no
> share modes = no
> admin users = @"Domain Admins"
>
> [profiles]
> path = /samba/profiles
> valid users = %U, "@Domain Admins"
> writeable = yes
> inherit permissions = yes
> create mask = 0644
> directory mask = 0755
[Samba] Adding additional groups to a file.
Hi,

I have installed and configured Samba as a PDC with Heimdal Kerberos and OpenLDAP as the backend for both on Debian lenny. But I am stuck on groups. I have created a file in my home directory mapped to My Documents. I can change rwx permissions on Linux and Windows and it works perfectly, but this file has my default group as its group. This file should be readable by users from the accounting and managers groups too, but when I want to add an additional group in the Security tab I get access denied. What should I do to be able to add additional groups?

thanx,
Wojciech

my smb.conf

workgroup = EXAMPLE
netbios name = cannibal
server string = Linux PDC/KDC (Samba %v)
realm = EXAMPLE.COM
use kerberos keytab = yes
use spnego = yes

log file = /var/log/samba/%m.log
max log size = 1000
syslog = 1
log level = 4
utmp = Yes

guest account = nobody
map to guest = Never
admin users = root addmachine vin @"Domain Admins"
enable privileges = yes

security = user
encrypt passwords = true
os level = 255
local master = yes
domain master = yes
preferred master = yes
domain logons = yes

keepalive = 30
time server = yes
preserve case = yes
short preserve case = yes
case sensitive = no
null passwords = no

logon script = %U.bat
logon path = \\cannibal\profiles$\%U\%a
logon drive = G:
logon home = \\cannibal\%U
bind interfaces only = yes
interfaces = eth0, lo
hosts allow = 10.10.10. 127.
wins support = yes
dns proxy = yes

passdb backend = ldapsam:ldaps://cannibal.example.com/
ldap admin dn = cn=ldapmaster/ad...@example.com,ou=KerberosPrincipals,dc=example,dc=com
ldap suffix = dc=hogwarth,dc=edu
ldap group suffix = ou=groups
ldap user suffix = ou=KerberosPrincipals
ldap machine suffix = ou=computers
ldap idmap suffix = sambaDomainName=EXAMPLE
ldap ssl = On
ldap delete dn = Yes
idmap backend = ldap:ldaps://cannibal.example.com/
idmap uid = 1-25000
idmap gid = 1-25000
Pam password change = yes

ldap passwd sync = yes
unix password sync = no
passwd program = /usr/sbin/smbldap-passwd -u %u

passwd chat = *New*password* %n *Retype*new*password* %n
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m -a "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

dos charset = cp852
unix charset = iso8859-2
display charset = LOCALE
restrict anonymous = 0

[homes]
comment = Home Directories
valid users = %S
browseable = no
writable = yes
admin users = %u
write list = %u
read list = %u
create mask = 0644
directory mask = 0755

[netlogon]
path = /samba/netlogon
writable = no
browseable = no
share modes = no
admin users = @"Domain Admins"

[profiles]
path = /samba/profiles
valid users = %U, "@Domain Admins"
writeable = yes
inherit permissions = yes
create mask = 0644
directory mask = 0755