[Samba] Samba 4 install packages for Ubuntu 10

2013-10-03 Thread Derek Lewis
Hello,

I want to upgrade my current samba 3.7 that I compiled, to samba 4, and 
wondered if I can get binaries compatible with Ubuntu 10?

Sent from my iPhone
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Unable to access Samba 3.6.6 shares

2012-07-27 Thread Derek Lewis
Hello,

I compiled and installed v3.6.6 from source on my ubuntu 10.04 server though I 
am unable to access my shares from my client windows machines; the error 
message indicates that I don't have permissions.

I am using the same user/passwords and shares as with the previous v3.5.7 Samba.

From console I can access the shares with smbclient.

I checked the path to my Samba commands and config files and everything looks 
correct.

I recreated my Samba users under the new Samba 3.6.6 install.

The problem may be with the password database though not sure how to proceed.


[Samba] Samba share access problems

2012-07-02 Thread Derek Lewis
Hello,

I have Samba 3.6.6 compiled and running under Ubuntu 10.04 server, I
upgraded from 3.5.x and used the same share and configuration file.

I have access problems from my Windows machines "network path not found"
that I am trying to diagnose via smbclient from the server console: with
smbclient...

When I run smbclient -L wen-chang\ for any of my users, I see the
error message "Error returning browse list: NT STATUS OK".

The shares are browseable=yes, so I think this is a permissions problem or
an issue with the way I created my Samba users.

Suggestions on additional tests to locate the problem?


[Samba] Samba 3.6.6 error loading shared libraries

2012-06-17 Thread Derek Lewis
Hello,

I have compiled Samba 3.6.6 from the git branch 3-6-stable for my
Ubuntu 10.04 system.  Configure and make completed successfully though
I get the error:

"error while loading shared libraries: libwbclient.so.0: cannot open
shared object file: No such file or directory"

This seems like a missing file, though I updated my Debian packages
according to the dependencies before compiling.

Also, would it be wise to use another branch?


Re: [Samba] Samba build errors (Derek Lewis)

2012-06-06 Thread Derek Lewis
Jorell,

I installed the packages from your list and attempted to build with your 
configuration.  I still get errors during build referring to swrap_close or 
nwrap_getgrnam.

Also I did not use ./autogen.sh, just config and make.

Derek



Re: [Samba] Samba build errors

2012-06-05 Thread Derek Lewis
Jorell,

Thanks for the config info, I will try it when I get back from travel.

How do you test your Samba install after compiling?


Re: [Samba] Samba build errors

2012-06-03 Thread Derek Lewis
Jorell,

Thanks for the build info, I am on travel now but will try it out when I get
home.

Also, how do you test your Samba install to make sure it functions as
expected?



[Samba] Samba 3.6.5 build errors

2012-06-02 Thread Derek Lewis
Hello,

I am rebuilding my Ubuntu 10.04 NAS to use Samba 3.6.5 for file sharing.
 Starting from the current stable tar file, I was able to configure
although ran into problems when building.  I get a list of error messages
of the form "undefined reference":

Do I need to wait for a patch or am I missing some libraries?

Also, is there a list of the dependencies and their sources?  Would prefer
Debian packages if at all possible instead of another source compile.

Thank you,

Derek


[Samba] errors during samba 3.6.5 compile

2012-05-25 Thread Derek Lewis
Hello,

I am trying to compile Samba 3.6.5 from the official tarball, I am
following the how-to from samba.org and run into several errors like the
following example when I try to run configure from the source3 directory:
configure: failed program was:
| /* confdefs.h */

I am running Ubuntu 10.04 LTS server edition.

I have compiled a previous version and ran into a similar problem, I
suspect I am missing some libraries.

Derek
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Maintain file ownership when writing to share with different owner

2011-11-27 Thread Derek Lewis
Hello,

I have a question regarding control of file ownership: I have shares accessed 
by several users belonging to a group though the share is owned by only one of 
the users. I can force the group id for files written to the share to match the 
share group though I wondered if I can preserve the file's original owner id 
(one of the users in the group) if a file is copied from another location?

Related to this question: I am looking for an up to date source of information 
on using acls.

I have implemented acl and extended attribute support for storing dos file 
attributes and metadata.


Re: [Samba] NT4 SP3 PDC with MS Exchange 5.5 to Samba 3.x ldapbacked PDC and MS Exchange 5.5 still

2011-10-28 Thread Derek Werthmuller
Thanks for the advice - Good to know not to go down the trust relationship
path.  A separate domain does sound like a good path.  Leave the existing
nt/exchange setup as just an email platform.  Users are likely to need to
login again once we move that email/calendar/contacts function to the cloud
anyway.

Gives a nice clean migration path - here is your new win7 pc and your new
login for it.

Though I've also considered not making the new win7 domain members anyway.
They are all going laptops and staff are somewhat mobile to highly mobile.
When the domain is not available because of poor network link quality or no
network at all laptop performance suffers.  I know this to be the case with
XP, I have no indication that it's any different with Win7.

Thanks
    Derek

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of Gaiseric Vandal
Sent: Friday, October 28, 2011 11:05 AM
To: samba@lists.samba.org
Subject: Re: [Samba] NT4 SP3 PDC with MS Exchange 5.5 to Samba 3.x
ldapbacked PDC and MS Exchange 5.5 still

If you are getting rid of the exchange server it seems a lot of work to do
the trusts thing.  Having outlook remember your password isn't a major
problem.  Except of course then people are pretty likely to have forgotten
their e-mail password if they ever use another PC.


I have found Samba trusts to be fairly painful.  I had a Samba 3.0.x PDC
(LDAP backend) which I tried having a trust with a Windows 2003
domain.  In order for trusts to work, the Samba machine uses Idmap to
create a range of unix uid's and gid's for the trusted Windows users.
With Samba 3.0.x, these idmap entries were created but would stop
working after the cache period expired.  I don't know why.  When I
moved to Samba 3.4.x, the expiration issue went away but then idmap
entries were not automatically.   We didn't have many people in the
Windows 2003 domain so I can manually create idmap entries as needed.

My gut feeling is that any changes you make to support Windows 7 machines
will break compatibility with legacy machines  (e.g. NT4) or the domain
trusts-  altho installing the latest NT4 SP pack (6a?) may help.

Could you migrate the PDC role from your NT server to a samba 3.4.x
or 3.5.x server?   I don't think Exchange 5.5 has to be on the domain
controller.

At my work we have a Samba domain for most of the users and computers.
We also have a separate untrusted  Win 2008 domain just to support our
Exchange 2007 server.  It would be nice if we could consolidate to a
single domain (or at least a single Active Directory tree) but for the
moment people have to maintain separate e-mail accounts.

FYI-  I had a look at the latest version of Zimbra- it looks like a pretty
nice product for a small business, if you decide not to go with
the hosting route.  I do like Exchange 2007 but it can be a big
challenge to set up and maintain, and you really have to have a
background with Active Directory and Exchange.  Not what I would use
for a really small site.





On 10/28/2011 10:34 AM, Derek Werthmuller wrote:
> Looking to make some changes to an old but working LAN, that has about 10
> samba servers serving printers and network shares and a NT 4 PDC server with
> Exchange 5.5 on it.  The samba servers are members of the nt4 domain, XP
> systems are members of the nt 4 domain also.  Samba servers are ldapbacked.
> We use the ldap component directly to login to the Linux servers.
>
> I'd like to be able to support windows 7 clients as domain members, right
> now the clients are all XP.  The plan I'm considering is building a new
> domain with the latest version of samba 3.x stable series for my RHEL6
> servers, join my new windows clients to that domain and create a trust
> relationship to the NT 4 domain.  The existing samba servers can be joined
> to the new domain so that only the email server will be in the old domain.
> The idea behind the trust
> relationship is so that entering email for my users can be just a click and
> won't have to login again.  We'd want to keep the ldap backend capability
> too.
>
> Keeping the exchange is really a stop gap till we can move that function to
> the cloud.
>
> Have others done similar upgrades successfully?  Does this sound reasonable?
>
> Is the trust relationship overkill and likely to cause problems? (tell users
> to cache the outlook login and be done)
>
> Thanks
>   Derek
>
> Derek Werthmuller
> Director of Technology Innovation and Services
> Center for Technology in Government
> 518.442.3892
> www.ctg.albany.edu



Re: [Samba] NT4 SP3 PDC with MS Exchange 5.5 to Samba 3.x ldapbacked PDC and MS Exchange 5.5 still

2011-10-28 Thread Derek Werthmuller
>> I have a client in a similar situation. NT4 PDC w/Exchange 5.5 and Samba
>> member servers. Main problem is that they're running an old custom
>> Outlook/Exchange workflow app which locks them in until it can be replaced.

Similar situation - though we've been able to replicate it fairly easily in
google apps.

>> As you're aware newer than XP cannot join an NT4 domain but can join a
>> Samba domain - and they will eventually need some new desktops. So my
>> thoughts have been running along the lines of demoting the NT4 PDC and
>> having a Samba server take over those duties. Problems are the NT4 PDC is
>> not a supported task, and even if a registry hack can accomplish it
>> (according to an old post by Minasi it should) but the effect on Exchange
>> after this is apparently unknown. Also a test attempt to vampire the PDC
>> did not work due to capitalization problems (if the vampire script did a
>> lower case conversion this might have been a big start).

I did consider this, though the issue is what do I do with the existing NT4
PDC - I can demote this to BDC but from the samba docs samba PDC and Windows
BDC is not supported.  And I don't think it can demote the PDC to server
role.
I'm also trying to be very careful not to make substantial changes to the
exchange host - I need that working for a short while longer.

Thanks
Derek


-----Original Message-----
From: Chris Smith [mailto:smb...@chrissmith.org] 
Sent: Friday, October 28, 2011 12:07 PM
To: Derek Werthmuller
Cc: samba@lists.samba.org
Subject: Re: [Samba] NT4 SP3 PDC with MS Exchange 5.5 to Samba 3.x
ldapbacked PDC and MS Exchange 5.5 still

On Fri, Oct 28, 2011 at 10:34 AM, Derek Werthmuller wrote:
> Looking to make some changes to an old but working LAN, that has about 
> 10 samba servers serving printers and network shares and a NT 4 PDC 
> server with Exchange 5.5 on it.  The samba servers are members of the 
> nt4 domain, XP systems are members of the nt 4 domain also.
>
> I'd like to be able to support windows 7 clients as domain members, 
> right now the clients are all XP.
>
> Keeping the exchange is really a stop gap till we can move that 
> function to the cloud.
>
> Have others done similar upgrades successfully?  Does this sound reasonable?



All services except for PDC, WINS and Exchange have been moved from the NT4
box. Outside email is handled by Google Apps. DNS, NTP, file and print
services, etc. all handled by Linux servers, firewall is OpenBSD/PF. Also to
protect from failure of the old hardware the PDC has been virtualized and
running under VirtualBox where regular snapshots can be taken.

The virtualization of the NT4 PDC also provides an opportunity to experiment
with copies/snapshots so I hope to tackle this a bit more in depth when time
permits. Of course any clues, hints, experience to be shared in this area
are very welcome. I will gladly provide anything I find out that may be
useful.

Chris


[Samba] NT4 SP3 PDC with MS Exchange 5.5 to Samba 3.x ldapbacked PDC and MS Exchange 5.5 still

2011-10-28 Thread Derek Werthmuller
Looking to make some changes to an old but working LAN, that has about 10
samba servers serving printers and network shares and a NT 4 PDC server with
Exchange 5.5 on it.  The samba servers are members of the nt4 domain, XP
systems are members of the nt 4 domain also.  Samba servers are ldapbacked.
We use the ldap component directly to login to the Linux servers.

I'd like to be able to support windows 7 clients as domain members, right
now the clients are all XP.  The plan I'm considering is building a new
domain with the latest version of samba 3.x stable series for my RHEL6
servers, join my new windows clients to that domain and create a trust
relationship to the NT 4 domain.  The existing samba servers can be joined
to the new domain so that only the email server will be in the old domain.
The idea behind the trust
relationship is so that entering email for my users can be just a click and
won't have to login again.  We'd want to keep the ldap backend capability
too.

Keeping the exchange is really a stop gap till we can move that function to
the cloud.

Have others done similar upgrades successfully?  Does this sound reasonable?

Is the trust relationship overkill and likely to cause problems? (tell users
to cache the outlook login and be done)

Thanks
Derek

Derek Werthmuller
Director of Technology Innovation and Services
Center for Technology in Government
518.442.3892
www.ctg.albany.edu  









[Samba] Auto creation of home directories on Samba-3.5.4(CentOS 6) using PAM authenticating via ADS

2011-08-31 Thread Derek Cordeiro
Hi,

I have installed samba 3.5.4 on Centos 6 and have set it up to
authenticate to a Windows 2008 Domain Controller. When I do a "su -
some-domain-user", the home directory gets created. However, I want
the home directory to be created when a user accesses the samba
shares(no shell access). Following are the relevant configurations.
What are the PAM changes I need to make? Help is much appreciated.

==smb.conf==
[global]
   workgroup = RADON
   realm = RADON.LAB
   security = ads
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /sbin/nologin
   winbind use default domain = true
   winbind offline logon = false
   domain master = no
   obey pam restrictions = yes

server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
passdb backend = tdbsam

[homes]
comment = Home Directories
browseable = no
writable = yes

[public]
comment = Public Stuff
path = /home/shared
public = yes
writable = yes
printable = no

==/etc/pam.d/samba==
#%PAM-1.0
auth       required     pam_nologin.so
auth       include      password-auth
account    include      password-auth
session    include      password-auth
password   include      password-auth

==/etc/pam.d/password-auth==
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_mkhomedir.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
----

Regards,
Derek


Re: [Samba] CentOS 5.6 X86_64 install problem

2011-05-17 Thread derek

John

Thank you for the quick reply on this trying that now

here is what I have tried ./configure.developer --disable-s3build

returns

waf [command] [options]

Main commands (example: ./waf build -j4)
  build       : build all targets
  clean       : removes the build files
  configure   : configures the project
  ctags       : build 'tags' file using ctags
  dist        : makes a tarball for distribution
  distcheck   : test that distribution tarball builds and installs
  distclean   : removes the build directory
  etags       : build TAGS file using etags
  install     : installs the build files
  pydoctor    : build python apidocs
  reconfigure : reconfigure if config scripts have changed
  test        : Run the test suite (see test options below)
  testonly    : run tests without doing a build first
  uninstall   : removes the installed files
  wafdocs     : build wafsamba apidocs
  wildcard_cmd: called on a unknown command

waf: error: no such option: --disable-s3build

next I tried running ./configure.developer then make --disable-s3build 
this also fails with make: unrecognized option `--disable-s3build'



Looked around on the internet and found this information

--- script/installsamba4.sh (revision 2813)
+++ script/installsamba4.sh (working copy)
@@ -280,17 +280,8 @@
 pushd samba4
 error_check $? "samba4 setup"

# this is a temporary hack while we try to support both git and 
samba

# alpha 15 tarball. the tarball doesn't know --disable-s3build and
# samba git won't currently build without --disable-s3build because 
of

# https://bugzilla.samba.org/show_bug.cgi?id=8113
if test -z "$TARPATH"; then
./configure.developer -C --prefix=$SAMBA_PREFIX 
--disable-s3build

error_check $? "samba4 git configure"
else
./configure.developer -C --prefix=$SAMBA_PREFIX
error_check $? "samba4 configure"
fi
./configure.developer -C --prefix=$SAMBA_PREFIX
error_check $? "samba4 git configure"

 echo "Step2: Compile Samba4 (Source)"
 $MAKE -j
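
Review bot: The unconditional configure call left after the if/else block reports failures as "samba4 git configure", yet with the $TARPATH test gone (the hunk header shrinks 17 lines to 8) it is also the path a tarball build takes, so a failed tarball configure would be logged under the wrong label; a neutral label such as "samba4 configure" would keep failures attributable. The comment being dropped is also the only pointer to https://bugzilla.samba.org/show_bug.cgi?id=8113, so the change description should say why --disable-s3build is no longer passed for git checkouts.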

this ran fine on system but same results it is still trying to compile 
samba3 code.


Can you think of anything I can try right now I am currently 
downloading the rsync of samba4 just to see if that makes any difference 
from the git source I have



Derek

On Tue, 17 May 2011 16:23:40 -0500, Taylor, Jonn wrote:
> By default samba 3 and samba 4 are built. Use --disable-s3build to only
> build samba 4. There is also a how to that someone did for CentOS, just
> search the archives for it.
>
> Jonn
>
> On 05/17/2011 03:46 PM, de...@podoll.com wrote:
>> I am trying to install samba 4 on a CentOS 5.6 X86_64 with all update
>> installed following the directions from
>> http://wiki.samba.org/index.php/Samba4/HOWTO
>>
>> Installed git and am able to use that to pull down latest version of
>> samba source code
>>
>> ran ./configure.developer (can post output from this long file if
>> needed)
>>
>> Once that was done I ran the make command and got this at the end
>>
>> [3364/3441] Linking default/source3/smbd/smbd
>> default/source3/libsamba3core.so: undefined reference to `cap_free'
>> default/source3/libsamba3core.so: undefined reference to `cap_set_flag'
>> default/source3/libsamba3core.so: undefined reference to `cap_get_proc'
>> default/source3/libsamba3core.so: undefined reference to `cap_set_proc'
>> collect2: ld returned 1 exit status
>> Waf: Leaving directory `/samba-master/bin'
>> Build failed:  -> task failed (err #1):
>> {task: cc_link epmd_7.o,server_98.o,msg_idmap_98.o -> smbd}
>> make: *** [all] Error 1
>>
>> I can provide a full output of the make if required also
>>
>> I was able to install samba 4 following the same directions on this
>> system around a month or so ago but I am reinstalling to because I
>> wanted to get a clean version and make this one the PDC on the network
>> because it is a physical system not virtual like the current samba 4
>> PDC I have running right now.
>>
>> Derek




[Samba] CentOS 5.6 X86_64 install problem

2011-05-17 Thread derek
I am trying to install samba 4 on a CentOS 5.6 X86_64 with all update 
installed following the directions from 
http://wiki.samba.org/index.php/Samba4/HOWTO



Installed git and am able to use that to pull down latest version of 
samba source code


ran ./configure.developer (can post output from this long file if 
needed)


Once that was done I ran the make command and got this at the end

[3364/3441] Linking default/source3/smbd/smbd
default/source3/libsamba3core.so: undefined reference to `cap_free'
default/source3/libsamba3core.so: undefined reference to `cap_set_flag'
default/source3/libsamba3core.so: undefined reference to `cap_get_proc'
default/source3/libsamba3core.so: undefined reference to `cap_set_proc'
collect2: ld returned 1 exit status
Waf: Leaving directory `/samba-master/bin'
Build failed:  -> task failed (err #1):
{task: cc_link epmd_7.o,server_98.o,msg_idmap_98.o -> smbd}
make: *** [all] Error 1

I can provide a full output of the make if required also

I was able to install samba 4 following the same directions on this 
system around a month or so ago but I am reinstalling to because I 
wanted to get a clean version and make this one the PDC on the network 
because it is a physical system not virtual like the current samba 4 PDC 
I have running right now.




Derek


Re: [Samba] upgrade samba4 install

2011-05-17 Thread derek
Thank you for the replies to my question I asked about upgrading samba4 
I am having a new problem and will post a new thread on it.



On Wed, 11 May 2011 12:02:00 +0400, Matthieu Patou wrote:
> Hello,
>
> On 09/05/2011 19:52, de...@podoll.com wrote:
>> I have an install of samba4 that I have been using on my home network
>> for testing with one PDC and BDC on the local network and a 3rd BDC
>> located on another network with IPSEC tunnel between the two networks.
>> The problem I have is all 3 servers are running different versions on
>> the samba4 code I would like to get all the system on the same code
>> level.  Do any of you know an easy way to do this so I do not lose
>> all the account and policy information in the PDC when I update it?
>> either that or is there a backup method anyone would recommend before
>> trying to perform any updates.
>
> So depending on your version of samba you'll have to update just the
> binaries or also to update the structure and the content of the
> database.
>
> Best is to first know the version.
>
> Upgrading the binaries is ok there is nothing to do apart from
> make;make install , to update the structure we have a tool but for the
> moment it's limited to 1 DC (so you have to demote your other server).
>
> In theory we could support multi DC upgrade, but I have a bit of work
> to do but it shouldn't be too hard.
>
> Matthieu.
>
> --
> Matthieu Patou
> Samba Team    http://samba.org
> Private repo  http://git.samba.org/?p=mat/samba.git;a=summary




[Samba] upgrade samba4 install

2011-05-09 Thread derek
I have an install of samba4 that I have been using on my home network
for testing with one PDC and BDC on the local network and a 3rd BDC
located on another network with IPSEC tunnel between the two networks.
The problem I have is all 3 servers are running different versions on
the samba4 code I would like to get all the system on the same code
level.  Do any of you know an easy way to do this so I do not lose all
the account and policy information in the PDC when I update it?  either
that or is there a backup method anyone would recommend before trying to
perform any updates.



System info below

OS Centos 5.5 on all systems with bind installed to support dynamic 
updates
Hardware local PDC and BDC run off of XENSERVER virtual machines from 
two different xenserver platforms

Hardware offsite HP server
Network connection between servers IPV6 with IPSEC tunnel running over 
internet using IPV6



Thank you for any help


[Samba] corrupt security data warning and Samba 3.5.6

2010-12-09 Thread Derek Lewis
I am creating an archive of files stored on a share with WinRAR and I get an
error message indicating that the security information is missing or
corrupt.  I can create an archive with the same files on the PC local drive,
but not on the Samba share.  Could this be caused by ACL configuration
problems?

 

Derek



[Samba] Samba 3.5.6 file error/no disk space message

2010-12-07 Thread Derek Lewis
I have Samba 3.5.6 with the ACL patch running and I was in the process of 
creating a large ~80GB RAR file on the share from my PC, when I encountered 
several messages near the end of the write.  The messages indicated by WinRAR 
were: no disk space remaining or write error.  The computer and share 
connection were active for a long period of time (~1 day) which may have 
contributed to the problem.

I will be checking my Samba logs tonight, though I am interested in other 
debugging steps and whether I should configure my network/Samba differently for 
more stable sessions.


Re: [Samba] Samba 3.5.6 and ACL patch

2010-11-23 Thread Derek Lewis
I thought this indicated a problem in the mapping since these ids do not
correspond to the users on the PC.

-----Original Message-----
From: Jeremy Allison [mailto:j...@samba.org] 
Sent: Tuesday, November 23, 2010 4:53 PM
To: Derek Lewis
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba 3.5.6 and ACL patch

On Thu, Nov 18, 2010 at 01:07:48AM -0800, Derek Lewis wrote:
> I have Samba 3.5.6 running patched with the ACL jumbo patch.  When checking
> the properties of directories under a Samba share, I do not see differences
> in the mapping of users and permissions for directories from the un-patched
> version.  I still get "CREATOR OWNER" and "CREATOR GROUP" showing up in the
> security tab under properties.

What are you expecting ? We'll display "CREATOR OWNER" and "CREATOR GROUP"
when creating a mapping for the default POSIX ACL on a directory.

Jeremy.



[Samba] Samba 3.5.6 and ACL patch

2010-11-18 Thread Derek Lewis
I have Samba 3.5.6 running patched with the ACL jumbo patch.  When checking
the properties of directories under a Samba share, I do not see differences
in the mapping of users and permissions for directories from the un-patched
version.  I still get "CREATOR OWNER" and "CREATOR GROUP" showing up in the
security tab under properties.

 

This could be an install/configuration problem on my server, though I wanted
to ask and see if anyone has had the same experience.

 

Would I be able to work around this problem with explicit user/permission
mapping between PC and Samba server?

 

Derek



[Samba] robust file transfers in Samba

2010-11-18 Thread Derek Lewis
I have Samba 3.5.6 working, now I am interested in ensuring that the file
transfers to/from my server are robust.  I have seen some threads on file
corruption and I wondered if there are recommended setups for Samba and the
server to make the file transfers as reliable as possible; cache flushing
and op-locks?

 

This may be unnecessary, though I wanted to look into this question before I
start moving a lot of data to the server.

 

On a related note, when I un-map my connection to Samba, Windows XP pops up
a window warning that there are files still open.  I have closed the
relevant applications and files but the message persists.  This is a windows
issue but I wanted to ask if anyone else has seen this while connecting to a
Samba share.



Re: [Samba] Problems with ACL jumbo patch

2010-11-14 Thread Derek Lewis
I installed Samba 3.5.6 and started testing the directory ACLs.  So far the
behavior is the same as my previous build, with the CREATOR USER and CREATOR
GROUP entries showing up in the directory ACLs.

I checked that the patch was applied with git log --pretty=fuller -1.

-----Original Message-----
From: Michael Wood [mailto:esiot...@gmail.com] 
Sent: Saturday, November 13, 2010 12:43 PM
To: Derek Lewis
Cc: samba@lists.samba.org; Jeremy Allison; samba-techni...@lists.samba.org
Subject: Re: [Samba] Problems with ACL jumbo patch

Hi

On 10 November 2010 10:22, Derek Lewis  wrote:
> Okay, I searched the apt repositories and found three Kerberos libraries:
> libpam-krb5, krb5-auth-dialog and libkrb5-dev.

libkrb5-dev is the one you want.

> After installing, I configured my build with autogen and configure.developer
> as before.  Attempting to make the binaries resulted in the same
> 'cli_krb5_get_ticket' error as before.

Try making sure you're starting from a clean checkout.  i.e. get rid
of any previous build attempts.  The following should work assuming
you're in the checked out directory and on the right branch:

$ git reset --hard HEAD
$ git clean -dxf

Then do the autogen and configure again.

After running configure.developer, do this (from the source3 directory):

$ grep 'HAVE_KRB5\>' include/config.h

It should print out:

#define HAVE_KRB5 1

since you now have the libkrb5-dev package installed.

> I looked through the options for configure.developer, can I disable Kerberos
> in the configure step and bypass the problem?

I don't know.

Jeremy, any idea why Derek is getting link errors with your ACL jumbo
patch for 3.5.x despite the HAVE_KRB5 check in
source3/libsmb/clikrb5.c?

> -Original Message-
> From: Michael Wood [mailto:esiot...@gmail.com]
> Sent: Tuesday, November 09, 2010 3:52 AM
> To: Derek Lewis
> Cc: Miguel Medalha; samba@lists.samba.org; Jeremy Allison
> Subject: Re: [Samba] Problems with ACL jumbo patch
>
> On 9 November 2010 11:20, Derek Lewis  wrote:
>> I have attached the config.log file, and a capture of the messages from
>> making that I called make.log.
>
> OK, then it does seem to have something to do with Kerberos.
>
> The cli_krb5_get_ticket function is defined in
> source3/libsmb/clikrb5.c and if you don't have HAVE_KRB5 defined, then
> it's supposed to do this:
>
>  /* this saves a few linking headaches */
>  int cli_krb5_get_ticket(const char *principal, time_t time_offset,
>                        DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
>                        uint32 extra_ap_opts,
>                        const char *ccname, time_t *tgs_expire,
>                        const char *impersonate_princ_s)
> {
>         DEBUG(0,("NO KERBEROS SUPPORT\n"));
>         return 1;
> }
>
> but for some reason that's not happening for you, so you get link errors.
>
> The solution to your problem is, of course, to install the Kerberos
> libs (either MIT or Heimdal).
>
> Try "apt-get install libkrb5-dev".

-- 
Michael Wood 



Re: [Samba] Problems with ACL jumbo patch

2010-11-13 Thread Derek Lewis
So far so good...I wanted to thank you, Miguel and the Samba team for all of
the help.

The krb5 test was successful.

The hard reset and make of Samba 3.5.6 was successful though I have not
completed the install yet.

I have a question, do the git reset/clean commands remove the acl patch?
Can I confirm that the patch files were included into the build?

From the Samba side, how would I test the patch viability?

Derek

-Original Message-
From: Michael Wood [mailto:esiot...@gmail.com] 
Sent: Saturday, November 13, 2010 12:43 PM
To: Derek Lewis
Cc: samba@lists.samba.org; Jeremy Allison; samba-techni...@lists.samba.org
Subject: Re: [Samba] Problems with ACL jumbo patch

Hi

On 10 November 2010 10:22, Derek Lewis  wrote:
> Okay, I searched the apt repositories and found three Kerberos libraries:
> libpam-krb5, krb5-auth-dialog and libkrb5-dev.

libkrb5-dev is the one you want.

> After installing, I configured my build with autogen and configure.developer
> as before.  Attempting to make the binaries resulted in the same
> 'cli_krb5_get_ticket' error as before.

Try making sure you're starting from a clean checkout.  i.e. get rid
of any previous build attempts.  The following should work assuming
you're in the checked out directory and on the right branch:

$ git reset --hard HEAD
$ git clean -dxf

Then do the autogen and configure again.

After running configure.developer, do this (from the source3 directory):

$ grep 'HAVE_KRB5\>' include/config.h

It should print out:

#define HAVE_KRB5 1

since you now have the libkrb5-dev package installed.

> I looked through the options for configure.developer, can I disable Kerberos
> in the configure step and bypass the problem?

I don't know.

Jeremy, any idea why Derek is getting link errors with your ACL jumbo
patch for 3.5.x despite the HAVE_KRB5 check in
source3/libsmb/clikrb5.c?

> -Original Message-
> From: Michael Wood [mailto:esiot...@gmail.com]
> Sent: Tuesday, November 09, 2010 3:52 AM
> To: Derek Lewis
> Cc: Miguel Medalha; samba@lists.samba.org; Jeremy Allison
> Subject: Re: [Samba] Problems with ACL jumbo patch
>
> On 9 November 2010 11:20, Derek Lewis  wrote:
>> I have attached the config.log file, and a capture of the messages from
>> making that I called make.log.
>
> OK, then it does seem to have something to do with Kerberos.
>
> The cli_krb5_get_ticket function is defined in
> source3/libsmb/clikrb5.c and if you don't have HAVE_KRB5 defined, then
> it's supposed to do this:
>
>  /* this saves a few linking headaches */
>  int cli_krb5_get_ticket(const char *principal, time_t time_offset,
>                        DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
>                        uint32 extra_ap_opts,
>                        const char *ccname, time_t *tgs_expire,
>                        const char *impersonate_princ_s)
> {
>         DEBUG(0,("NO KERBEROS SUPPORT\n"));
>         return 1;
> }
>
> but for some reason that's not happening for you, so you get link errors.
>
> The solution to your problem is, of course, to install the Kerberos
> libs (either MIT or Heimdal).
>
> Try "apt-get install libkrb5-dev".

-- 
Michael Wood 
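
The checks discussed in this thread before running make (build as a normal user, confirm `#define HAVE_KRB5 1` in include/config.h, start from a tree with no leftovers of earlier builds) can be scripted as below. This is an added example, not code from the thread or from the Samba project; the function names are hypothetical, and treating object files older than config.h as leftovers is an assumption of the example.

```shell
#!/bin/sh
# Added example (not from the thread): checks to run in source3/ after
# ./configure.developer and before make. All function names are hypothetical.

# krb5_state CONFIG_H
# Prints "enabled" if CONFIG_H has an active "#define HAVE_KRB5 1",
# "disabled" if it does not, "missing" if the file cannot be read.
# Whitespace is required right after HAVE_KRB5, so HAVE_KRB5_H and similar
# macros do not count (same intent as grep 'HAVE_KRB5\>'), and a
# commented-out "/* #undef HAVE_KRB5 */" line does not match either.
krb5_state() {
    if [ ! -r "$1" ]; then
        echo missing
        return 2
    fi
    if grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+HAVE_KRB5[[:space:]]+1([[:space:]]|$)' "$1"; then
        echo enabled
        return 0
    fi
    echo disabled
    return 1
}

# stale_objects CONFIG_H [TREE]
# Lists object files under TREE (default: .) that are not newer than
# CONFIG_H. Assumption of this example: such files were compiled before the
# last configure run, which is what "git clean -dxf" would have removed.
stale_objects() {
    find "${2:-.}" -type f -name '*.o' ! -newer "$1" | sort
}

# build_uid_ok UID
# Fails for UID 0: only "make install" needs root, the build does not.
build_uid_ok() {
    [ "$1" -ne 0 ]
}

# preflight SOURCE3_DIR UID
# Runs all three checks, prints a short report, returns non-zero if any fails.
preflight() {
    dir=$1
    uid=$2
    rc=0
    if ! build_uid_ok "$uid"; then
        echo "FAIL: running as root; only 'make install' needs it"
        rc=1
    fi
    state=$(krb5_state "$dir/include/config.h") || rc=1
    echo "HAVE_KRB5: $state"
    if [ "$state" != missing ]; then
        stale=$(stale_objects "$dir/include/config.h" "$dir")
        if [ -n "$stale" ]; then
            echo "FAIL: objects older than config.h, rebuild from a clean tree:"
            echo "$stale"
            rc=1
        fi
    fi
    return "$rc"
}

# Typical call from the source3 directory:
#   preflight . "$(id -u)"
```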



Re: [Samba] Problems with ACL jumbo patch

2010-11-13 Thread Derek Lewis
I have attached the config.log file, and a capture of the messages from
making that I called make.log.

I have been able to build working binaries from git, though I ran into
problems when I tried to patch the git branch and compile.

-Original Message-
From: Michael Wood [mailto:esiot...@gmail.com] 
Sent: Monday, November 08, 2010 3:35 AM
To: Derek Lewis
Cc: Miguel Medalha; samba@lists.samba.org
Subject: Re: [Samba] Problems with ACL jumbo patch

On 8 November 2010 10:31, Derek Lewis  wrote:
> I have been able to get the unpatched versions to compile from git
> successfully, though not with the patch implemented.
>
> I followed these steps to compile Samba 3.5.6 with the patch:
>
> 1. sudo git clone git://git.samba.org/samba.git samba102510
> 2. sudo wget http://samba.org/~jra/samba-3-5-x-acl-jumbo-patch.tgz
> 3. sudo tar -xvf samba-3-5-x-acl-jumbo-patch.tgz
> 4. cd samba102510
> 5. sudo git checkout -b my_branch release-3-5-6
> 6. sudo git am -3 ../samba_patches/samba-3-5-x-acl-jumbo-patch/*.patch
> 7. cd source3
> 8. sudo ./autogen.sh
> 9. sudo ./configure.developer --prefix=/usr/local/samba35
> 10. sudo make [The build failed on the error 'cli_krb5_get_ticket', in the
> function 'spnego_gen_negTokenTarg'. Make: *** [libsmb/clispnego.o] Error 1]

You should generally not compile things as root.  You do not need the
"sudo"s above.  Only when you "make install" should you need it,
because then it will need to write to /usr/local/samba35 where a
normal user would not have write access.  This is, however, not the
cause of your problems.

I have just tried the above and it compiled successfully for me.  What
is the full output of the errors you get?  It should provide more
information than you have quoted above.

> I am still learning how to use git, I wondered if the error messages are the
> result of missing a step.  I did not explicitly commit the changes, do I
> need to update the index or pull in remote files?

What you have above should work.  "git am" automatically commits the
patches.

> I am searching for references to this make error though I have not found
> much, except the library: libldap2-dev.  I installed it and the problem
> persists.
>
> Could you recommend other debug options?

Post the full error and maybe someone will be able to figure out what
the problem is.  Are you able to build 3.5.6 without the patches
applied?

-- 
Michael Wood 

Re: [Samba] Problems with ACL jumbo patch

2010-11-10 Thread Derek Lewis
Okay, I searched the apt repositories and found three Kerberos libraries:
libpam-krb5, krb5-auth-dialog and libkrb5-dev.

After installing, I configured my build with autogen and configure.developer
as before.  Attempting to make the binaries resulted in the same
'cli_krb5_get_ticket' error as before.

I looked through the options for configure.developer, can I disable Kerberos
in the configure step and bypass the problem?

-Original Message-
From: Michael Wood [mailto:esiot...@gmail.com] 
Sent: Tuesday, November 09, 2010 3:52 AM
To: Derek Lewis
Cc: Miguel Medalha; samba@lists.samba.org; Jeremy Allison
Subject: Re: [Samba] Problems with ACL jumbo patch

On 9 November 2010 11:20, Derek Lewis  wrote:
> I have attached the config.log file, and a capture of the messages from
> making that I called make.log.

OK, then it does seem to have something to do with Kerberos.

The cli_krb5_get_ticket function is defined in
source3/libsmb/clikrb5.c and if you don't have HAVE_KRB5 defined, then
it's supposed to do this:

 /* this saves a few linking headaches */
 int cli_krb5_get_ticket(const char *principal, time_t time_offset,
                       DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
                       uint32 extra_ap_opts,
                       const char *ccname, time_t *tgs_expire,
                       const char *impersonate_princ_s)
{
        DEBUG(0,("NO KERBEROS SUPPORT\n"));
        return 1;
}

but for some reason that's not happening for you, so you get link errors.

The solution to your problem is, of course, to install the Kerberos
libs (either MIT or Heimdal).

Try "apt-get install libkrb5-dev".

-- 
Michael Wood 



Re: [Samba] Problems with ACL jumbo patch

2010-11-09 Thread Derek Lewis
I have found the equivalent entries with apt-get search krb5. Though for
only a few of the files so far.

I will try again to build the binaries.

Derek

-Original Message-
From: Miguel Medalha [mailto:miguelmeda...@sapo.pt] 
Sent: Monday, November 08, 2010 6:21 AM
To: Derek Lewis
Cc: samba@lists.samba.org
Subject: Re: [Samba] Problems with ACL jumbo patch


> I have been able to get the unpatched versions to compile from git
> successfully, though not with the patch implemented.

I just reproduced all your steps and it went well, without any glitch. I 
am on CentOS 5.5. All the patches were applied correctly. Maybe you have 
a path problem here?

> 6. sudo git am -3 ../samba_patches/samba-3-5-x-acl-jumbo-patch/*.patch
>

I adapted your line to my own path (without the "/samba_patches" part) 
and all went well...

> 10. sudo make [The build failed on the error 'cli_krb5_get_ticket', in the
> function 'spnego_gen_negTokenTarg'. Make: *** [libsmb/clispnego.o] Error 1]

Maybe you have some missing dependency here, related to kerberos...

rpm -qa | grep krb5 gives me the following:

pam_krb5-2.2.14-15.x86_64
krb5-libs-1.6.1-36.el5_5.5.x86_64
krb5-workstation-1.6.1-36.el5_5.5.x86_64
krb5-auth-dialog-0.7-1.x86_64
krb5-devel-1.6.1-36.el5_5.5.x86_64
krb5-server-1.6.1-36.el5_5.5.x86_64





Re: [Samba] Problems with ACL jumbo patch

2010-11-08 Thread Derek Lewis
I am looking into the dependency issue now and will add the packages and try 
again.

I am running on Ubuntu 10.04 server.
- Original Message -
From: Miguel Medalha 
To: Derek Lewis 
Cc: samba@lists.samba.org
Sent: Mon, 8 Nov 2010 09:21:21 -0500 (EST)
Subject: Re: [Samba] Problems with ACL jumbo patch


> I have been able to get the unpatched versions to compile from git
> successfully, though not with the patch implemented.

I just reproduced all your steps and it went well, without any glitch. I 
am on CentOS 5.5. All the patches were applied correctly. Maybe you have 
a path problem here?

> 6. sudo git am -3 ../samba_patches/samba-3-5-x-acl-jumbo-patch/*.patch
>

I adapted your line to my own path (without the "/samba_patches" part) 
and all went well...

> 10. sudo make [The build failed on the error 'cli_krb5_get_ticket', in the
> function 'spnego_gen_negTokenTarg'. Make: *** [libsmb/clispnego.o] Error 1]

Maybe you have some missing dependency here, related to kerberos...

rpm -qa | grep krb5 gives me the following:

pam_krb5-2.2.14-15.x86_64
krb5-libs-1.6.1-36.el5_5.5.x86_64
krb5-workstation-1.6.1-36.el5_5.5.x86_64
krb5-auth-dialog-0.7-1.x86_64
krb5-devel-1.6.1-36.el5_5.5.x86_64
krb5-server-1.6.1-36.el5_5.5.x86_64





Re: [Samba] Problems with ACL jumbo patch

2010-11-08 Thread Derek Lewis
Yes, I have been able to build samba 3.5.6 and 3-5-test versions without 
problems up through the "make" command.

I will get the log of the build out today.
- Original Message -
From: Michael Wood 
To: Derek Lewis 
Cc: Miguel Medalha , samba@lists.samba.org
Sent: Mon, 8 Nov 2010 06:35:28 -0500 (EST)
Subject: Re: [Samba] Problems with ACL jumbo patch

On 8 November 2010 10:31, Derek Lewis  wrote:
> I have been able to get the unpatched versions to compile from git
> successfully, though not with the patch implemented.
>
> I followed these steps to compile Samba 3.5.6 with the patch:
>
> 1. sudo git clone git://git.samba.org/samba.git samba102510
> 2. sudo wget http://samba.org/~jra/samba-3-5-x-acl-jumbo-patch.tgz
> 3. sudo tar -xvf samba-3-5-x-acl-jumbo-patch.tgz
> 4. cd samba102510
> 5. sudo git checkout -b my_branch release-3-5-6
> 6. sudo git am -3 ../samba_patches/samba-3-5-x-acl-jumbo-patch/*.patch
> 7. cd source3
> 8. sudo ./autogen.sh
> 9. sudo ./configure.developer --prefix=/usr/local/samba35
> 10. sudo make [The build failed on the error 'cli_krb5_get_ticket', in the
> function 'spnego_gen_negTokenTarg'. Make: *** [libsmb/clispnego.o] Error 1]

You should generally not compile things as root.  You do not need the
"sudo"s above.  Only when you "make install" should you need it,
because then it will need to write to /usr/local/samba35 where a
normal user would not have write access.  This is, however, not the
cause of your problems.

I have just tried the above and it compiled successfully for me.  What
is the full output of the errors you get?  It should provide more
information than you have quoted above.

> I am still learning how to use git, I wondered if the error messages are the
> result of missing a step.  I did not explicitly commit the changes, do I
> need to update the index or pull in remote files?

What you have above should work.  "git am" automatically commits the patches.

> I am searching for references to this make error though I have not found
> much, except the library: libldap2-dev.  I installed it and the problem
> persists.
>
> Could you recommend other debug options?

Post the full error and maybe someone will be able to figure out what
the problem is.  Are you able to build 3.5.6 without the patches
applied?

-- 
Michael Wood 


Re: [Samba] Problems with ACL jumbo patch

2010-11-08 Thread Derek Lewis
I have been able to get the unpatched versions to compile from git
successfully, though not with the patch implemented.

I followed these steps to compile Samba 3.5.6 with the patch:

1. sudo git clone git://git.samba.org/samba.git samba102510
2. sudo wget http://samba.org/~jra/samba-3-5-x-acl-jumbo-patch.tgz
3. sudo tar -xvf samba-3-5-x-acl-jumbo-patch.tgz
4. cd samba102510
5. sudo git checkout -b my_branch release-3-5-6
6. sudo git am -3 ../samba_patches/samba-3-5-x-acl-jumbo-patch/*.patch
7. cd source3
8. sudo ./autogen.sh
9. sudo ./configure.developer --prefix=/usr/local/samba35
10. sudo make [The build failed on the error 'cli_krb5_get_ticket', in the
function 'spnego_gen_negTokenTarg'. Make: *** [libsmb/clispnego.o] Error 1]

I am still learning how to use git, I wondered if the error messages are the
result of missing a step.  I did not explicitly commit the changes, do I
need to update the index or pull in remote files?

I am searching for references to this make error though I have not found
much, except the library: libldap2-dev.  I installed it and the problem
persists.

Could you recommend other debug options?

-Original Message-
From: Miguel Medalha [mailto:miguelmeda...@sapo.pt] 
Sent: Friday, November 05, 2010 2:31 AM
To: Derek Lewis
Cc: samba@lists.samba.org
Subject: Re: [Samba] Problems with ACL jumbo patch


> I still cannot get a successful build with either the original set of patch
> files or the diff file.  Although I can compile samba without the patch,
> could this be a dependency problem or an out of date git version?

It worked for me in both cases. I did it from the sources for 3.5.6 
available from the Samba site:

www.samba.org

The only problems I found were some glitches in the RPM spec file when 
building RPMs for RHEL/CentOS, but those were easily corrected.




Re: [Samba] Problems with ACL jumbo patch

2010-11-06 Thread Derek Lewis
I could still be missing a dependency.

Most likely, I am not patching and compiling correctly.

-Original Message-
From: Miguel Medalha [mailto:miguelmeda...@sapo.pt] 
Sent: Friday, November 05, 2010 2:31 AM
To: Derek Lewis
Cc: samba@lists.samba.org
Subject: Re: [Samba] Problems with ACL jumbo patch


> I still cannot get a successful build with either the original set of patch
> files or the diff file.  Although I can compile samba without the patch,
> could this be a dependency problem or an out of date git version?

It worked for me in both cases. I did it from the sources for 3.5.6 
available from the Samba site:

www.samba.org

The only problems I found were some glitches in the RPM spec file when 
building RPMs for RHEL/CentOS, but those were easily corrected.




[Samba] Problems with ACL jumbo patch

2010-11-05 Thread Derek Lewis
I still cannot get a successful build with either the original set of patch
files or the diff file.  Although I can compile samba without the patch,
could this be a dependency problem or an out of date git version?

Derek



[Samba] Diff patch for Samba 3.5.6

2010-11-03 Thread Derek Lewis
Okay, I selected the release-3-5-6 branch and applied the patch, then
attempted to build.  No errors so far.

First question, how can I confirm that the patch was integrated with the
branch?

Second question, will this patch make all the updates that the original
jumbo patch set was to?

The patch/compile problems I am having are due to lack of knowledge.  Not
sure what the best forum would be for further git usage questions.

Regards,

Derek



Re: [Samba] Samba 3.5.6 jumbo patch

2010-10-30 Thread Derek Lewis
Update,

I was able to configure samba 3-5-test with the patch, though make fails
when I use source3. Make fails with the error 'cli_krb5_get_ticket'.

Derek

-Original Message-
From: Volker Lendecke [mailto:volker.lende...@sernet.de] 
Sent: Friday, October 29, 2010 1:28 AM
To: Derek Lewis
Cc: 'Jeremy Allison'; samba@lists.samba.org
Subject: Re: [Samba] Samba 3.5.6 jumbo patch

On Fri, Oct 29, 2010 at 01:17:30AM -0700, Derek Lewis wrote:
> I selected the origin/v3-5-test and tested the patch with git apply --check.
> I see the same error message as before.  I also confirmed that the new
> branch I created for the build is the current branch via git branch.

Just tried the following

git am -3 /tmp/samba-3-5-x-acl-jumbo-patch/*

in a git checkout of v3-5-test. Works fine. I've also
uploaded a summary patch against 3.5.6 at

http://www.samba.org/~vlendec/jumbo-patch-3-5-6.diff

that you should be able to apply with 

patch -p1 < jumbo-patch-3-5-6.diff

Hope that helps.

Volker



Re: [Samba] Samba 3.5.6 jumbo patch

2010-10-29 Thread Derek Lewis
Okay,

I selected the origin/v3-5-test and tested the patch with git apply --check.
I see the same error message as before.  I also confirmed that the new
branch I created for the build is the current branch via git branch.

Derek

-Original Message-
From: Jeremy Allison [mailto:j...@samba.org] 
Sent: Thursday, October 28, 2010 10:26 AM
To: Derek Lewis
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba 3.5.6 jumbo patch

On Wed, Oct 27, 2010 at 10:14:48PM -0700, Derek Lewis wrote:
> I have cloned the samba git file and selected the version with the tag:
> release-3-5-6.  I tested the patch with git apply -check, and I get the
> following error:
> 
> Error: patch failed: source3/smbd/posix_acls.c:3856
> 
> Error: source3/smbd/posix_acls.c: patch does not apply.

Hmmm. Try "v3-5-test", not the release branch. The v3-5-test
branch is what becomes the next release.

Jeremy.



[Samba] Samba 3.5.6 jumbo patch

2010-10-27 Thread Derek Lewis
I have cloned the samba git file and selected the version with the tag:
release-3-5-6.  I tested the patch with git apply -check, and I get the
following error:

Error: patch failed: source3/smbd/posix_acls.c:3856

Error: source3/smbd/posix_acls.c: patch does not apply.

I am new to compiling source for packages, so this may not be a real
problem.  I wanted to make sure I have a samba version with extended attributes
and ACL operational.



[Samba] Folder ACLs

2010-10-25 Thread Derek Lewis
I am running Samba 3.6 and I have implemented extended attributes and acls
for my shares.  I want to make directory behavior as similar as possible to
client Windows XP.

When I open the properties tab on a directory in a share, under user names I
see two additional users: CREATOR GROUP and CREATOR OWNER.  This seems to be
a consequence of the ACL translation, as copying or moving this directory
back to the PC results in the user list to the same users as the directories
on the PC.  The inherit permissions flag is not set on the share folder
although it is set on the PC.

I have tried to edit the folder permissions from the Windows property menu
for both the file owner as well as the CREATOR OWNER user above, and
making a change such as deselecting the full control flag reverts back to the
original state.

I can post my configuration if required, I intended to map permissions as
directly as possible, though leave them flexible so that I can edit them
later if required.

I saw the posting earlier regarding an experimental patch for Samba 3.6 ACL
handling.  Are these changes already included in the next version of 3.x
Samba?

Derek



[Samba] Samba 3.6 and server string formatting

2010-10-24 Thread Derek Lewis
I have Samba 3.6 up and running and I have a question on the implementation of
the server string command.  Specifically, I wanted to use this string to
identify the share window on the PC side.  I have tried to use: server
string = %S on server %L, to display the share name and server name.  Though
I cannot seem to get the option to work with anything other than %h.

Derek



Re: [Samba] samba Digest, Vol 94, Issue 18

2010-10-17 Thread Derek Lewis
When I built and compiled Samba, I set a path for installing Samba to:
/usr/local/samba, in order to keep the installation separate from my current
Samba 3.4.7 installation while testing.

I left all other options on their defaults.

Derek

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of samba-requ...@lists.samba.org
Sent: Sunday, October 17, 2010 11:00 AM
To: samba@lists.samba.org
Subject: samba Digest, Vol 94, Issue 18



[Samba] Samba 3.6 directory ACLs

2010-10-17 Thread Derek Lewis
I have ACLs working for files with the following set in my share
definitions:

inherit permissions = yes
inherit acls=yes
map acl inherit=yes
vfs_objects = acl_tdb

While testing my Samba configuration, I found that permissions are being set
to 'special' for directories being copied from Windows instead of the ACL
being fully populated.  Does Samba 3.6 fully implement ACLs, or are there
further configuration steps for storing the ACL information for directories?

Note, I have used a TDB for ACLs since I have extended attributes enabled on
the file system level to store timestamp information.

Derek



[Samba] Samba 3.6 startup configuration

2010-10-17 Thread Derek Lewis
I have compiled and installed Samba 3.6 from git to a separate directory for
testing.  Now that everything is operating, I would like to start Samba at
the boot-up of the server.  The installation did not configure Samba to
start automatically, and I wondered if there is a startup script I could
use.  I thought that the build/compile process would generate the required
scripts but I have not found them.

Derek



[Samba] Browsing shares

2010-10-13 Thread Derek Lewis
I have a question regarding firewall settings and share browsing.  I have
set-up my firewall to allow the usual ports for Samba to work and I would
like to control the connections used for providing Windows with share
browsing.

I currently have a range of ports opened to allow browsing as described in
the documentation, and Samba shares are browseable and accessible.  Can I
restrict/specify the port to a small range or single port?  Would this just
be a matter of a hosts allow (with ports) added to the $IPC share?



[Samba] Error message on disconnecting (Samba) network drive

2010-10-12 Thread Derek Lewis
I have Samba 3.6 up and running with my Windows XP machine and connect
easily with Map Network Drive, though I get a warning message upon
disconnecting the share.  The warning message indicates that files or
folders are still open and requests confirmation to disconnect the share.

This seems more a Windows issue, though I wanted to eliminate Samba
configuration as the problem.

I made sure to close all files before attempting disconnect.  I wonder what
Windows detected that would raise this warning?

I should also note I have seen a similar error with Samba 3.0 as well.

Derek



[Samba] Samba 3.6 and extended attributes

2010-10-07 Thread Derek Lewis
I have extended user attributes enabled for my Samba drive (ext4) and
configured within Samba for storing timestamps.  I have added acl support to
the drive mount point to store permissions information, although this change
appears to have broken the extended user attributes.

I have not modified my smb.conf since adding extended attributes support.

Can my ext4 drive be modified to store both attribute sets or do I have to
use a tdb database?



[Samba] Preserve Windows File permissions with extended attributes under Samba 3.6

2010-10-05 Thread Derek Lewis
I have successfully compiled and installed Samba 3.6 with extended
attributes enabled (ext4 partition) to preserve the Windows XP file
create/modified dates.

With that problem solved, I want to control the file permissions in order to
preserve Windows file access controls when copied to the Samba share.

With extended attributes enabled as described above, can I also store the
permissions information?

What is a good reference for ACL manipulation?

On a related note, how should fstab be configured to preserve the user
permission on files copied to the share?

I can provide my current fstab and Samba configuration if it would help.
Though it is fairly basic.

Derek



[Samba] fstab configuration for extended attributes

2010-09-28 Thread Derek Lewis
I have extended attributes in my fstab set with the following options:
/dv/md0 /mnt/raid ext4 auto,errors=remount-ro,user_xattr 0 2

Aside from the "user_xattr" flag, do I have to set any other options to save
extended attribute or file permissions information correctly to my share?  I
am running Samba 3.4.7 under Ubuntu 10.04 server.

Derek



Re: [Samba] Samba 4 compile instructions

2010-09-23 Thread Derek Lewis
Sorry for the delay...

I downloaded the latest stable Samba v4.0 via git and prepared a branch to work 
with locally.  I was able to configure and perform make quicktest without 
error.  I then tried to create the binaries with sudo make, which reported the 
build finished successfully.

When I configured samba 4 I set prefix=/usr/local/samba4 in order to 
install/test without removing my current samba 3.4.7.

Can I keep my current Samba installed but disabled while testing samba4?

Derek

-Original Message-
From: Andrew Bartlett [mailto:abart...@samba.org] 
Sent: Wednesday, September 08, 2010 9:56 PM
To: Derek Lewis
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba 4 compile instructions

On Mon, 2010-09-06 at 23:33 -0700, Derek Lewis wrote:
> I am interested in compiling Samba 4 and trying the advanced features.  
> I followed the instructions on samba.org to build and compile, though 
> I get the error: failed program.confdefs.h.  I have run into this 
> error before, and looking over config log, I see that the build does 
> not see many of the dependencies.
>
> Can I modify the build to point to the required files, or at least 
> trace the source of the problem?

Are you running the current version from GIT?

We are long overdue with making another Samba4 release, and the last alpha is 
quite old now.  Please try again with the current version in our GIT tree.

Andrew Bartlett

-- 
Andrew Bartlett                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Cisco Inc.



[Samba] Samba 4 compile instructions

2010-09-06 Thread Derek Lewis
I am interested in compiling Samba 4 and trying the advanced features.  I
followed the instructions on samba.org to build and compile, though I get
the error: failed program.confdefs.h.  I have run into this error before,
and looking over config log, I see that the build does not see many of the
dependencies.

 

 

 

Can I modify the build to point to the required files, or at least trace the
source of the problem?

 



[Samba] preserve windows create/modify dates

2010-09-06 Thread Derek Lewis
I have Samba 3.4.7 installed and running though I cannot get extended
attributes to work completely.

 

If this version of Samba will support it, I want to configure my shares to
preserve the create and modified date information for my Windows files.  At
present, create date is set to the modified; though the accessed date is
correct.

 

I have formatted my RAID in ext4 and enabled extended user attributes.  I
have checked the extended attribute functions with getattr and setattr
commands.

 

In the global section of my smb.conf file, I have the following set:

 

ea support = yes
store dos attributes = yes
map readonly = no
map archive = no
map system = no
map hidden = no

 

When I run testparm, only the map archive, and map readonly are listed for
some reason.

 

I have searched through numerous threads looking for a solution, and it
seemed this was not a commonly used feature.

 

If there are workarounds, I would entertain them.



[Samba] Samba compile docs

2010-09-06 Thread Derek Lewis
I am interested in compiling Samba 4 and trying the advanced features.  I
followed the instructions on samba.org to build and compile, though I get
the error: failed program.confdefs.h.  I have run into this error before,
and looking over config log, I see that the build does not see many of the
dependencies.

 

Can I modify the build to point to the required files, or at least trace the
source of the problem?



[Samba] Samba 3.5.4 dependencies

2010-07-25 Thread Derek Lewis
I am trying to compile the latest Samba from source and I am getting an
error that the build is failing due to: confdefs.h.  What are the
dependencies for compiling Samba?

 

Derek



[Samba] Compiling and installing Samba 4

2010-07-18 Thread Derek Lewis
I have Samba 3.4.7 configured and running, though I am interested in trying
Samba 4.  How can I find dependency information for compiling the code?

 

Also, can I install Samba 4 and leave v3.4.7 intact while I evaluate it?

 

Derek



[Samba] Preserve create/modify dates in Samba 3.4.7

2010-07-11 Thread Derek Lewis
I have configured Samba 3.4.7 with extended attributes enabled to preserve
file create/modify dates.

 

In the [global] section of smb.conf:

ea support = yes
store dos attributes = yes
map archive = no
map readonly = no

 

The map hidden and map system are ignored when I check with testparm.

 

In the share section I have:

create mask = 0771
directory mask = 0771

 

I also checked the share directory and applied chmod 771 to match the
directory permissions to Samba settings and allow the minimal permissions
for the attributes mapping.

 

I went ahead and tried to map a network drive, and successfully copied a
file over to samba, though the create date is set to the modified date on
the copy.

 

When I check the extended attributes of the file I copied over with:

sudo getfattr -d --encoding=text [share directory]

 

I see one attribute: user.DOSATTRIB

 

For my /etc/fstab, I have the following options set for an ext4
filesystem: auto,relatime,errors=remount-ro,user_xattr

 

 

Is there a way to check the contents of user.DOSATTRIB?

 

I am not seeing any obvious error messages in the samba log file, do I need
to patch the Ubuntu 10.04 kernel or switch to Samba 3.4.7 to store file
create/modify information?

 

Derek



[Samba] Preserve create/modify dates and attributes in samba

2010-07-05 Thread Derek Lewis
I have configured Samba 3.4.7 with extended attributes enabled to preserve
file create/modify dates.

 

I went ahead and tried to map a network drive, and successfully copied a
file over to samba, though the create date is set to the modified date on
the copy.

 

For my /etc/fstab, I have the following options set for an ext4
filesystem: auto,relatime,errors=remount-ro,user_xattr

 

Do I have to change the default kernel configuration for Ubuntu 10.04 or
apply a patch to the filesystem to get extended attributes to work?  Do I
have to upgrade to Samba 3.5?

 

Derek

 



[Samba] Preserve create/modify dates and attributes in samba

2010-06-17 Thread Derek Lewis
I have Samba 3.4.7 running with basic shares under Ubuntu 10.04, though I am 
interested in configuring Samba to store the Windows file attributes and 
create/modify dates.  I have found some hints to this being done though no 
details.  I have experimented with NTFS and found that most of the attributes 
and modified/accessed dates are preserved.

If Samba 3.4.x will not store the file information, will Samba 3.5?


[Samba] Samba 3.5 dependencies

2010-06-01 Thread Derek Lewis
I am interested in trying Samba 3.5.x, how can I check on library dependencies 
before I compile?


[Samba] Samba and Windows file timestamps

2010-06-01 Thread Derek Lewis
I have setup Samba 3.4.7 as a network file server for a Windows XP machine and 
have the basic sharing working.  For my Windows files, I would like to preserve 
the attributes and create/modify dates and my searches have found some mention 
of modifying Samba to accomplish this.  Has anyone made this work with the 
current Samba package?  Does Samba 3.5.x support this natively?


Re: [Samba] setuids mount option broke

2010-05-29 Thread Derek Simkowiak

> /Does it work if you change 'setuids' to 'suid'?/

   No.  Using "suid", the behavior is identical as "setuids".

   I was hoping to use either Samba over SSH, or else sshfs (Fuse), for 
mounting these remote home dirs using SSH.  But Samba's "setuids" option 
is broke, and sshfs doesn't even have that option.  Thus, I was forced 
to set up an OpenVPN server and mount the homes with NFS over OpenVPN.  
NFS sucks, and I hope the setuids option comes back. 

   Getting offtopic, but for the archives: I had to use the NFS mount 
options "soft,udp,retrans=0" so that I could log in if the VPN went 
down.  With those options, there's only a ~4 second delay before the NFS 
gives up with an error.  If you leave it set to "tcp", your SSH shell 
will lock up for 5 minutes (when you log in and it tries to read 
~/.bashrc), another 5 minutes if you accidentally type "ls", and another 
5 minutes if you hit [TAB] and it tries to do command-line completion 
for you.  You can tweak your TCP timeouts, but do you really want to 
tweak TCP settings just to make NFS fail in a reasonable fashion (and 
thus possibly break everything else)?  And if you leave it at the 
default "hard" instead of "soft", the system will lock up indefinitely 
when you log in (trying to read ~/.bashrc).


   I love OpenVPN, but installing, configuring, generating certs, 
copying certs to the client, testing, setting up monitoring, etc. was a 
couple hours of work, compared to 5 minutes setting up an SSH tunnel 
with my pre-existing key... and yet, OpenVPN was still less work than 
trying to tunnel NFS over SSH (thanks to dynamic RPC ports, lockd, etc.).



Thanks,
Derek

On 05/29/2010 05:11 AM, Scott Lovenberg wrote:



On Fri, May 28, 2010 at 4:12 PM, Derek Simkowiak <mailto:der...@realloc.net>> wrote:


  I can mount it using these options in /etc/fstab... note the use
of "setuids" here:

//cst6/testhome /testhome cifs iocharset=utf8,credentials=/root/cst6_password.txt,setuids 0 0

Does it work if you change 'setuids' to 'suid'?

  Is there anything else I can try?  Looking at this earlier post,
it seems like maybe "setuids" is not even a supported option
anymore...?

http://lists.samba.org/archive/linux-cifs-client/2010-March/005600.html

The client code has been moved out of the samba package recently.  In 
the current release of the client (the client is now released 
separately from the samba suite, but the two aren't in sync yet) the 
setuid functionality is deprecated (but can still be enabled at 
compile time).  At the moment the option is being called 'legacy'; I 
don't know if the functionality is being dropped or 
upgraded/redesigned, though.



--
Peace and Blessings,
-Scott.





[Samba] setuids mount option broke

2010-05-28 Thread Derek Simkowiak

   Hello,
   I'm trying to export a /home/ partition for multiple users, using 
Samba and the setuids option.  My goal is to deliver emails into 
$HOME/.Maildir/ for each user.  So I mount the share as user "root", 
hoping that each user will be able to use their own home directory (just 
like an NFS /home/ mount).  (This feature depends on the Unix extensions.)


   I have the following share configured in smb.conf:

[testhome]
  comment = Root-mounted Home Dir
  browseable = no
  writable = yes
  valid user = root
  path = /home

   I can mount it using these options in /etc/fstab... note the use of 
"setuids" here:


//cst6/testhome /testhome cifs iocharset=utf8,credentials=/root/cst6_password.txt,setuids 0 0


   But setuids seems to be broken, either in the server, or in the 
client, or both.


   With an Ubuntu 9.10 or 10.4 client (Samba 3.4.0 or 3.4.7), it's 
completely broke.  If I try to create a file as a regular user, it does 
create the file (as root) but then fails when it goes to set the 
ownership.  Note the "Permission denied" error below, after the file was 
successfully created:


r...@cst5:/testhome# mkdir test
r...@cst5:/testhome# chmod 777 test
r...@cst5:/testhome# su - ubuntu
ubu...@cst5:~$ cd /testhome/test/
ubu...@cst5:/testhome/test$ touch file_test1.txt
touch: cannot touch `file_test1.txt': Permission denied
ubu...@cst5:/testhome/test$ mkdir dir_test1.d
ubu...@cst5:/testhome/test$ ls -la
total 0
drwxrwxrwx 3 root root 0 2010-05-28 12:58 .
drwxr-xr-x 7 root root 0 2010-05-28 12:57 ..
drwxr-xr-x 2 root root 0 2010-05-28 12:58 dir_test1.d
-rw-r--r-- 1 root root 0 2010-05-28 12:58 file_test1.txt
ubu...@cst5:/testhome/test$

   The "Permission denied" error indicates that it is trying to set the 
UID, but failing.


   But using an ebox client (Samba 3.4.5), it *almost* works.  
Newly-created files have the correct UID, but new directories are still 
owned by root (with no error message printed):


r...@ebox:/testhome# mkdir test
r...@ebox:/testhome# chmod 777 test
r...@ebox:/testhome# su - ubuntu
ubu...@ebox:~$ cd /testhome/test
ubu...@ebox:/testhome/test$ touch file_test1.txt
ubu...@ebox:/testhome/test$ mkdir dir_test1.d
ubu...@ebox:/testhome/test$ ls -la
total 0
drwxrwxrwx 3 root   root   0 2010-05-28 12:51 .
drwxr-xr-x 7 root   root   0 2010-05-28 12:50 ..
drwxr-xr-x 2 root   root   0 2010-05-28 12:51 dir_test1.d
-rw-r--r-- 1 ubuntu ubuntu 0 2010-05-28 12:50 file_test1.txt
ubu...@ebox:/testhome/test$

   Based on this testing, it looks like setuids works for files, but 
only for Samba client 3.4.5.  Using setuids for directories fails 
completely.  Since there is no error message printed, it looks like the 
client is not even trying to set the directory UID.


   These results are the same regardless of the Samba server version.  
I tried it with an Ubuntu 9.10 server (Samba 3.4.0) and Ubuntu 10.4 
server (Samba 3.4.7).  All the pre-existing UIDs and GIDs seem to be 
recognized correctly on the share, so I think the Unix extensions are 
working correctly.


   Is there anything else I can try?  Looking at this earlier post, it 
seems like maybe "setuids" is not even a supported option anymore...?


http://lists.samba.org/archive/linux-cifs-client/2010-March/005600.html


Thanks,
Derek



Re: [Samba] Password Change from Windows machines ("You do not have permission to change your password")

2009-12-01 Thread Derek Simkowiak
   For anyone else trying to get this to work, I should also add that a 
problem in the Ubuntu auth-client-config package was also giving me the 
same (misleading) error message.


   In /etc/pam.d/common-password, you must remove the "use_authtok" 
option on the pam_ldap.so line:


_Wrong:_
password  [success=1 user_unknown=ignore default=die]  pam_ldap.so use_authtok try_first_pass


_Correct:_
password  [success=1 user_unknown=ignore default=die]  pam_ldap.so try_first_pass



   This problem also resulted in the misleading "You do not have 
permission to change your password" error message.  Between this and the 
problem below, I was pulling my hair out...



Thanks,
Derek


On 12/01/2009 12:26 AM, Derek Simkowiak wrote:

   Hello,
   I just wasted several hours trying to figure out why I could not 
change Samba passwords from Windows XP computers.  I'm posting here so 
that there is some form of documentation about this on the web.


   My setup is basically this:

- Samba 3.3.2  (running under Ubuntu 9.04)
- OpenLDAP user database
- Full O.S. support for OpenLDAP auth, using nsswitch and PAM.  (My
client LDAP config was installed using *auth-client-config* as per
https://help.ubuntu.com/9.04/serverguide/C/openldap-server.html, plus
some tweaking in /etc/smbldap-tools/.)


   I can ssh into the box as a system user that exists only in LDAP 
(and not in /etc/passwd).  I can also change my LDAP password at the 
bash prompt by typing "passwd" (via PAM), or smbldap-passwd, or 
smbpasswd.  That all works as per the documentation.


   The problem: I could not change my password from Windows boxen.  
They kept giving me "You do not have permission to change your password."


   I found the solution by cranking up the log level to 10.  I 
eventually found this golden snippet in all the noise:


[2009/11/30 23:23:37,  4] auth/pampass.c:smb_pam_chauthtok(670)
 smb_pam_chauthtok: PAM: Password Change for User: dereks
[2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(284)
 smb_pam_passchange_conv: starting converstation for 1 messages
[2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(312)
 smb_pam_passchange_conv: Processing message 0
[2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(346)
 smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: PAM said: New password:
[2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(352)
 smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |*enter new * password:*| to |New password:|
[2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(352)
 smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |*retype new * password:*| to |New password:|
[2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(352)
 smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |*password updated successfully*| to |New password:|
[2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(352)
 smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match || to |New password:|
[2009/11/30 23:23:37,  3] auth/pampass.c:smb_pam_passchange_conv(370)
 smb_pam_passchange_conv: Could not find reply for PAM prompt: New password:
[2009/11/30 23:23:37,  0] auth/pampass.c:smb_pam_chauthtok(699)
 PAM: User not known to PAM
[2009/11/30 23:23:37,  2] auth/pampass.c:smb_pam_error_handler(77)
 smb_pam_error_handler: PAM: Password Change Failed : User not known to the underlying authentication module
[2009/11/30 23:23:37,  0] auth/pampass.c:smb_pam_passchange(861)
 smb_pam_passchange: PAM: Password Change Failed for user dereks!
[2009/11/30 23:23:37,  4] auth/pampass.c:smb_pam_end(450)
 smb_pam_end: PAM: PAM_END OK.
[2009/11/30 23:23:37,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
 pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
[2009/11/30 23:23:37,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
 pop_sec_ctx (4202, 513) - sec_ctx_stack_ndx = 1
[2009/11/30 23:23:37,  5] rpc_server/srv_samr_nt.c:_samr_ChangePasswordUser2(1907)
 _samr_ChangePasswordUser2: 1907
 samr_ChangePasswordUser2: struct samr_ChangePasswordUser2
 out: struct samr_ChangePasswordUser2
 result   : NT_STATUS_ACCESS_DENIED


   Here you can see that the "password chat" was attempting to 
communicate with PAM in a fashion similar to 'expect'.  My "passwd 
chat" setting in /etc/samba/smb.conf was not correct, so the password 
change failed.  The resulting error code "NT_STATUS_ACCESS_DENIED" 
caused Windows to print that useless "You do not have permission to 
change your password" dialog box, and sent me on a wild goose chase.


   The comments in the smb.conf that come with Ubuntu say this:

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan < for
# sending the correct chat script for the passwd program in Debian Sarge).

  p

[Samba] Password Change from Windows machines ("You do not have permission to change your password")

2009-12-01 Thread Derek Simkowiak
docs and forum postings I found online.


   But, as shown in the logs above, the correct answer was "pam 
password change = yes" with a corrected "passwd chat" setting.  Here is 
a setting that works for me on Ubuntu 9.04:


passwd program = /usr/bin/passwd %u
passwd chat = *New\spassword:* %n\n *New\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes

   I deduced that customized chat script by running "/usr/bin/passwd 
username" at the bash prompt to see what happens. 

   Alternatively, I now know that the default setting for "passwd chat" 
setting will work with PAM, if I comment out the broken one that comes 
with the Ubuntu (and Debian?) smb.conf file and also comment out the 
"passwd program = ..." line. 

   In short, the combination of these issues made troubleshooting time 
consuming and difficult:


- Misleading error message ("You do not have permission to change your 
password.")
- Misleading docs that imply EITHER "pam password change = yes" OR 
"passwd program" with "passwd chat"
- An outdated, incorrect setting for "passwd chat" in the Debian and 
Ubuntu smb.conf file that does not work with /usr/bin/passwd
- Missing Samba docs to explain "passwd chat" might be used, even in the 
case of "pam password change = yes"
- Missing Samba docs to explain the default setting for "passwd chat" 
will work with PAM, in the case of "pam password change"



   Hopefully this will help somebody else avoid the same mistake.


Thank You,
Derek Simkowiak

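The prompt matching visible in the log above can be reproduced offline. This is an added example, not code from the post or from Samba: a simplified Python model of how a "passwd chat" string is split into expect/send pairs and matched against PAM prompts. The old chat string is reconstructed from the lowercased patterns in the log, and the second prompt text and the password value are constructed assumptions.

```python
import re

# Reconstructed from the patterns printed in the log (assumption: the
# smb.conf original differs only in letter case).
OLD_CHAT = (r"*enter\snew\s*\spassword:* %n\n "
            r"*retype\snew\s*\spassword:* %n\n "
            r"*password\supdated\ssuccessfully* .")
# The setting the post reports as working on Ubuntu 9.04.
FIXED_CHAT = (r"*New\spassword:* %n\n *New\spassword:* %n\n "
              r"*password\supdated\ssuccessfully* .")
# First prompt is taken from the log; the second is a constructed sample.
PROMPTS = ["New password:", "Re-enter new password:"]


def unescape(token):
    """Expand the backslash escapes used inside one chat token."""
    return (token.replace(r"\s", " ").replace(r"\n", "\n")
                 .replace(r"\r", "\r").replace(r"\t", "\t"))


def parse_chat(chat):
    """Split a chat string into (expect, send) pairs; '.' means empty."""
    tokens = chat.split()
    if len(tokens) % 2:
        tokens.append(".")
    return [("" if exp == "." else unescape(exp),
             "" if snd == "." else unescape(snd))
            for exp, snd in zip(tokens[0::2], tokens[1::2])]


def wild_match(pattern, text):
    """Case-insensitive match in which '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, re.IGNORECASE | re.DOTALL) is not None


def run_chat(chat, prompts, new_password, old_password=""):
    """Answer each prompt with the first chat entry whose pattern matches.

    Returns (ok, failed_prompt, replies). A prompt with no matching entry
    stops the exchange, which is the "Could not find reply for PAM prompt"
    case in the log.
    """
    pairs = parse_chat(chat)
    replies = []
    for prompt in prompts:
        for expect, send in pairs:
            if expect and wild_match(expect, prompt):
                replies.append(send.replace("%o", old_password)
                                   .replace("%n", new_password))
                break
        else:
            return False, prompt, replies
    return True, None, replies


if __name__ == "__main__":
    for name, chat in (("old", OLD_CHAT), ("fixed", FIXED_CHAT)):
        ok, failed, replies = run_chat(chat, PROMPTS, "N3w-pass")
        print(name, "ok" if ok else "no reply for %r" % failed, replies)
```

Replacing PROMPTS with the prompts that running /usr/bin/passwd prints on the target system checks a candidate chat string before it goes into smb.conf.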


[Samba] Is the net rpc vampire at all destructive to a NT4 PDC?

2009-03-24 Thread Derek Werthmuller
Reading through the Samba3 -By Example guide and I'm confused with the
statement section 9.2
http://www.samba.org/samba/docs/man/Samba-Guide/ntmigration.html#id2594565
about accessing the SAM and Security sections of the registry will render
the PDC non operable.
It's clear from the text if you go and edit the registry (regedit etc.) so
you can read the entries your PDC will not work.

What's not exactly clear is if any of the tools like net rpc vampire or
getsid tools change the operation of the PDC in this way or any other way
for that matter.  The net rpc tools don't access the registry in this
destructive way do they?
Like:
# net rpc vampire -S TRANSGRESSION -U Administrator%not24get > /tmp/vampire.log 2>&1

Is it safe to run the net rpc vampire command on a PDC as many times as you
want in an effort to test the NT4 -> samba PDC?  While keeping the NT4 PDC in
production mode?
With the goal of testing the full operation of the migrated PDC on a separate
network.

Thanks  
Derek


RE: [Samba] gidNumber's and ldap backed samba PDC

2009-03-24 Thread Derek Werthmuller
Ok I see it appears that the ldap entries that samba needs in the directory
are under a different O. ou=groups,o=smb,dc=unav,dc=es for example.
dn: cn=Domain Admins,ou=groups,o=smb,dc=unav,dc=es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins 

Where my user/file system groups would be under traditional ldap entries
like:
dn: cn=usrgrp,ou=Group,dc=ct,dc=unav,dc=es
objectClass: posixGroup
objectClass: top
cn: usrgrp
userPassword:: e2NyexB0fX9g=
gidNumber: 512
creatorsName: cn=Manager, dc=ct,dc=unav,dc=es
createTimestamp: 20021007160601Z
modifiersName: cn=Manager,dc=ct,dc=unav,dc=es
modifyTimestamp: 20081205192619Z

This right?

Thanks
Derek

-Original Message-
From: samba-bounces+dwerthmu=ctg.albany@lists.samba.org
[mailto:samba-bounces+dwerthmu=ctg.albany@lists.samba.org] On Behalf Of
Adam Tauno Williams
Sent: Tuesday, March 24, 2009 1:38 PM
To: 'samba@lists.samba.org'
Subject: Re: [Samba] gidNumber's and ldap backed samba PDC

On Tue, 2009-03-24 at 12:10 -0500, Derek Werthmuller wrote:
> In the planning process for migrating from NT4 PDC, and external ldap 
> directory to samba 3.2.8 PDC. The external existing openldap directory 
> is used currently to support the local uid mapping for the Linux 
> logins and samba file servers that are members of the current NT4 PDC.
> While looking at the existing openldap UIDs and GIDs in use and what 
> the samba PDC wants to use I see some uid/gid collisions.  For example 
> I see that the Domain Admins uses gid 512, just so happens to be the 
> same as a file system group(in the ldap directory).

No, it doesn't.  RID != GID.  A RID is a component of the SID and SIDs are
mapped to UIDs & GIDs.

> Is it better to change the users group gid and leave the samba domain 
> admins and such the way they are?

Not necessary.

> I suspect a small shell script can crawl the file system and replace 
> one gid for another if I were to change the users GID.


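The distinction drawn in the reply above (a RID is part of the SID, while gidNumber is a separate POSIX attribute) can be checked against a directory export. This is an added example, not code from the thread: it parses LDIF text, extracts the RID from each sambaSID, and reports gidNumber values carried by more than one posixGroup entry. The sample LDIF, its DNs and the SID values are constructed, modelled on the two entries quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample data: DNs, SIDs and the "engineers" group are made up.
SAMPLE_LDIF = """\
dn: cn=Domain Admins,ou=groups,o=smb,dc=example,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 512
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-512

dn: cn=usrgrp,ou=Group,dc=example,dc=org
objectClass: posixGroup
cn: usrgrp
gidNumber: 512

dn: cn=engineers,ou=groups,o=smb,dc=example,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: engineers
gidNumber: 2001
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-5003
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attribute (lowercased): [values]} dicts.

    Handles comments and folded continuation lines; base64 ("::") values
    are kept undecoded because this check does not need them.
    """
    entries, current, last_attr = [], None, None
    for line in text.splitlines():
        if not line.strip():
            current, last_attr = None, None      # blank line ends an entry
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += line[1:]   # folded continuation
            continue
        attr, _, value = line.partition(":")
        if current is None:
            current = defaultdict(list)
            entries.append(current)
        last_attr = attr.strip().lower()
        current[last_attr].append(value.lstrip(":").strip())
    return entries


def rid_of(sid):
    """Return the RID, the last sub-authority of a SID string."""
    if not re.fullmatch(r"S-1-\d+(-\d+)+", sid):
        raise ValueError("not a SID: %r" % sid)
    return int(sid.rsplit("-", 1)[1])


def gid_collisions(entries):
    """Map each gidNumber used by several posixGroup entries to their DNs."""
    by_gid = defaultdict(list)
    for entry in entries:
        classes = [oc.lower() for oc in entry.get("objectclass", [])]
        if "posixgroup" in classes and entry.get("dn"):
            for gid in entry.get("gidnumber", []):
                by_gid[int(gid)].append(entry["dn"][0])
    return {gid: dns for gid, dns in by_gid.items() if len(dns) > 1}


def sid_gid_table(entries):
    """List (cn, RID, gidNumber) for every entry that carries a sambaSID."""
    return [(e["cn"][0], rid_of(e["sambasid"][0]), int(e["gidnumber"][0]))
            for e in entries if e.get("sambasid") and e.get("gidnumber")]


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for cn, rid, gid in sid_gid_table(parsed):
        print("%-14s RID=%-5d gidNumber=%d" % (cn, rid, gid))
    for gid, dns in gid_collisions(parsed).items():
        print("gidNumber %d is used by: %s" % (gid, "; ".join(dns)))
```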


[Samba] gidNumber's and ldap backed samba PDC

2009-03-24 Thread Derek Werthmuller
In the planning process for migrating from NT4 PDC, and external ldap
directory to samba 3.2.8 PDC. The external existing openldap directory is
used currently to support the local uid mapping for the Linux logins and
samba file servers that are members of the current NT4 PDC.

While looking at the existing openldap UIDs and GIDs in use and what the
samba PDC wants to use I see some uid/gid collisions.  For example I see
that the Domain Admins uses gid 512, just so happens to be the same as a
file system group(in the ldap directory).

Is it better to change the users group gid and leave the samba domain admins
and such the way they are? 

I suspect a small shell script can crawl the file system and replace one gid
for another if I were to change the users GID.

Thanks
Derek


Re: [Samba] User home directories on a windows server question.

2009-03-16 Thread Derek Harkness
Ya that's not really an option, I don't control the AD servers, so no  
suf or schema extensions.


But what I'm finding makes it pretty clear there is no way to replace
NFS with SMB for a large multiuser system.  I find that very
disappointing given the age of the samba project.  I really figured
someone would have a great solution for dropping a Linux box into an AD
domain with no modification to the AD.


Follow-up question.

mount.cifs //server/share /mnt/folder -ousername=user,sec=krb5i

works okay, other than mounting as root and not enforcing perms.

mount.cifs //server/share /mnt/folder -ousername=user,sec=krb5i,uid=12345

returns a mount error 126 = Required key not available

Anybody got a comment?

cifs.upcall is working otherwise the first mount wouldn't work.  This  
is attempting to connect to a W2k8 server in an AD.


Thanks,
Derek

On Mar 14, 2009, at 05:15 AM, Per-Erik Persson wrote:


I had a similar problem a couple of years ago.
I tried to get the users credentials to automatically map the
homedirectories off the windows machine. I never got it working.
In theory it should since the users got a kerberos ticket while they
logged on to linux. But I could not spend too much time on it.

The only solution I got working was to install services for unix on the
windows machine and then export the homedirectories over nfs.
But then I had to spend time to build a script to sync userid:s between
unix and windows.
I don't know if that works better nowadays. I assume microsoft don't want
to build too good a solution for integrating with unix.

Okay I've run out of cool ideas and am hoping that someone can offer a
brilliant solution to this problem.

I'm attempting to deploy a RHEL 5.3 server as a shared ssh server,
user home directories are coming off a Windows 2008 fileserver.  I
thought autofs would be the winning solution but it doesn't/can't mount
the users home directory using kerberos, RedHat doesn't provide
pam_mount so until I build that next week I won't know how well that
works.

So does anyone have a suggestion?  How do you provide smb home
directories on multiuser systems?

Thanks,
Derek


[Samba] User home directories on a windows server question.

2009-03-13 Thread Derek Harkness
Okay I've run out of cool ideas and am hoping that someone can offer a  
brilliant solution to this problem.


I'm attempting to deploy a RHEL 5.3 server as a shared ssh server,
user home directories are coming off a Windows 2008 fileserver.  I
thought autofs would be the winning solution but it doesn't/can't mount
the users home directory using kerberos, RedHat doesn't provide
pam_mount so until I build that next week I won't know how well that
works.


So does anyone have a suggestion?  How do you provide smb home
directories on multiuser systems?


Thanks,
Derek


[Samba] Permissions problems

2008-12-17 Thread Derek Bodner
Hey guys,
Having a problem with permissions on shares I've setup.

I recently migrated a working samba install over to a new box.  This new
server is running the same distro (Gentoo 2008.0), same version (3.0.32),
and using the exact same smb.conf.

I'm trying to get directories to have the permissions of 0770 and 0660,
respectively, so users in the same group can read/write to them.

Here is an example share:
[test]
comment = testing
path = /var/samba/files/test
valid users = +users
read only = No
browsable = No
force group = users
force create mode = 0660
force directory mode = 0770

However, directories are being created as 0755 and files as 0644.

I do have  inherit permissions set to no in the global section.

I'm sure there's something obvious that I'm missing that's overriding the
mask, but I can't seem to find it.  The exact same share declaration is
working as expected on the previous box I'm migrating from.

Thanks for your help.
-- 
Derek Bodner
subscribedli...@derekbodner.com


Re: [Samba] AD controller problems.

2008-12-09 Thread Derek Harkness
I did check that by doing a time sync against both of the other DCs.
Ntpdate adjusted the clock by a couple of milliseconds, not enough to
throw off kerberos.


Thanks,
Derek

On Dec 9, 2008, at 12:29 PM, Giovanni Cambria wrote:


What about the time synchronization of the RTC clock of every DC?

G.
- Original Message -
From: "Derek Harkness" <[EMAIL PROTECTED]>
To: "Samba List"
Sent: Monday, December 08, 2008 4:40 PM
Subject: [Samba] AD controller problems.


In my AD setup I have 3 domain controllers (dc1, dc2, dc3) when
samba/winbind are talking to dc1 everything is great when talking
to dc2 or dc3 I get this error "kinit succeeded but
ads_sasl_spnego_krb5_bind failed: Strong(er) authentication
required" and nothing works.  I don't think it's a samba config
problem but my AD admins aren't real helpful in getting samba
working.

Has anybody else seen this or maybe got a solution/work around?
Thanks,
Derek


Re: [Samba] template homedir question

2008-12-08 Thread Derek Harkness
Okay I'm a bit lost at this point.  I've created an idmap plugin
that loads and does some useful stuff for me but I'm still having a
rough time with the homedir.


I've been working with the nss_*_get_info() using
nss_rfc2307_get_info() and nss_sfu_get_info() as a guide and the big
problem I've run into at this point is I don't know the username of
the user I'm creating the homedir for.  Variable substitution happens
after I munge the homedir string so, any suggestions on where I can
get the username would help.


Thanks,
Derek

On Dec 2, 2008, at 11:04 AM, Gerald (Jerry) Carter wrote:



Derek Harkness wrote:

Hello All,

I'm integrating an existing unix environment into an existing AD
environment.  I'm thinking of switching from nssldap to nss_winbind but
have one problem.  My user's home directories are in the format of
/home/user/<$first letter>/<$second letter>/<$username>
(/home/user/d/h/dhaknes).  Looking at the template homedir it doesn't
appear that I can use this format.  Is there a way to pull the first and
second letters of the username as variables to use in template homedir?


No but this would be easy to implement.  The nss_info API allows
you to write a new plugin.  if you code in C, I can point you right
at what to do.  Maybe an hour's work.


Side question, I'm looking at using pam_mkhomedir and
it is creating home directories for computer accounts
is there anyway to prevent that?


Not really.  A Computer object is derived from a user object
in AD.  So both share the same set of base attributes
(i.e. a computer is just a special type of user).




cheers, jerry
- --
=
Samba--- http://www.samba.org
Likewise Software  -  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"  --Balian


[Samba] AD controller problems.

2008-12-08 Thread Derek Harkness
In my AD setup I have 3 domain controllers (dc1, dc2, dc3) when
samba/winbind are talking to dc1 everything is great when talking to
dc2 or dc3 I get this error "kinit succeeded but
ads_sasl_spnego_krb5_bind failed: Strong(er) authentication required"
and nothing works.  I don't think it's a samba config problem but my AD
admins aren't real helpful in getting samba working.


Has anybody else seen this or maybe got a solution/work around?

Thanks,
Derek


Re: [Samba] template homedir question

2008-12-02 Thread Derek Harkness


On Dec 2, 2008, at 11:04 AM, Gerald (Jerry) Carter wrote:


No but this would be easy to implement.  The nss_info API allows
you to write a new plugin.  if you code in C, I can point you right
at what to do.  Maybe an hour's work.


Seems doable.  Point me where I need to go.

Thanks!
Derek


[Samba] template homedir question

2008-12-02 Thread Derek Harkness

Hello All,

I'm integrating an existing unix environment into an existing AD
environment.  I'm thinking of switching from nssldap to nss_winbind
but have one problem.  My user's home directories are in the format
of /home/user/<$first letter>/<$second letter>/<$username>
(/home/user/d/h/dhaknes).  Looking at the template homedir it doesn't
appear that I can use this format.  Is there a way to pull the first and
second letters of the username as variables to use in template homedir?


Side question, I'm looking at using pam_mkhomedir and it is creating
home directories for computer accounts, is there any way to prevent that?


Thanks,
Derek
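An added example, not code from this thread and not Samba's nss_info plugin API: a standalone C helper that builds the /home/user/<first letter>/<second letter>/<username> layout asked about above, refuses names that could escape the base directory, and flags computer accounts (trailing `$`) so a caller can skip creating a home directory for them. The function and enum names are hypothetical, and it assumes the bare account name (no domain prefix) is already known to the caller.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Result codes; the names are hypothetical, chosen for this example. */
enum homedir_rc {
    HOMEDIR_OK = 0,
    HOMEDIR_MACHINE_ACCOUNT, /* name ends in '$': caller should skip it */
    HOMEDIR_BAD_NAME,        /* too short or contains unsafe characters */
    HOMEDIR_TOO_LONG         /* result would not fit in the output buffer */
};

/*
 * Build <base>/<c1>/<c2>/<username>, e.g. /home/user/d/h/dhaknes.
 * Assumption: username is the bare account name without a DOMAIN\ prefix.
 */
enum homedir_rc build_sharded_homedir(const char *base, const char *username,
                                      char *out, size_t outlen)
{
    size_t len, i;
    int n;

    if (base == NULL || username == NULL || out == NULL || outlen == 0)
        return HOMEDIR_BAD_NAME;

    len = strlen(username);

    /* AD computer accounts carry a trailing '$' in their account name. */
    if (len > 0 && username[len - 1] == '$')
        return HOMEDIR_MACHINE_ACCOUNT;

    /* Two shard letters are needed (assumption: shorter names are rejected). */
    if (len < 2)
        return HOMEDIR_BAD_NAME;

    /* The shard levels must be alphanumeric so "." or ".." can never
     * become a directory component of the generated path. */
    if (!isalnum((unsigned char)username[0]) ||
        !isalnum((unsigned char)username[1]))
        return HOMEDIR_BAD_NAME;

    /* Remaining characters: a conservative allow-list, which also
     * excludes '/' and '\\'. */
    for (i = 2; i < len; i++) {
        unsigned char c = (unsigned char)username[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return HOMEDIR_BAD_NAME;
    }

    n = snprintf(out, outlen, "%s/%c/%c/%s",
                 base, username[0], username[1], username);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0'; /* never hand back a truncated path */
        return HOMEDIR_TOO_LONG;
    }
    return HOMEDIR_OK;
}

int main(void)
{
    /* Constructed sample names: a user, a computer account, two bad names. */
    const char *names[] = { "dhaknes", "WS01$", "../etc", "d" };
    char path[64];
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        enum homedir_rc rc =
            build_sharded_homedir("/home/user", names[i], path, sizeof path);
        if (rc == HOMEDIR_OK)
            printf("%-8s -> %s\n", names[i], path);
        else
            printf("%-8s -> rejected (code %d)\n", names[i], (int)rc);
    }
    return 0;
}
```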


Re: [Samba] Print Operator Rights in AD environment

2008-12-01 Thread Derek Harkness

Cool thanks.

-W did the trick.

Derek

On Dec 1, 2008, at 13:12 PM, Gerald (Jerry) Carter wrote:



Hey Derek,

Derek Harkness wrote:

net sam addmember gives me "Adding local group member failed with
NT_STATUS_NO_SUCH_ALIAS".


 $ net sam createbuiltingroup Administrators

You will need to configure a valid 'idmap alloc backend'
for this.


I added root to my local smbpasswd file but if I attempt to use the
account I get NT_STATUS_LOGON_FAILURE.


Make sure you use -U root -W  when connecting.  (where  


is replaced by your local machine name.





cheers, jerry
- --
=
Samba--- http://www.samba.org
Likewise Software  -  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"  --Balian


Re: [Samba] Print Operator Rights in AD environment

2008-12-01 Thread Derek Harkness
net sam addmember gives me "Adding local group member failed with  
NT_STATUS_NO_SUCH_ALIAS".


I added root to my local smbpasswd file but if I attempt to use the  
account I get NT_STATUS_LOGON_FAILURE.


More information might help.  Or it might just confuse the situation.

I am running winbind but not using nss_winbind.  This is an old
Samba/unix domain that I'm integrating into an existing AD domain, so I have
all the user's posix information in ldap and have this in my smb.conf


idmap domains = ADS Domain
idmap config ADSROOT:backend = nss
idmap config ADSROOT:default = yes

Oh and to confuse the matter a bit more, the AD is setup to use pass  
thru authentication to an external kerberos realm.


Thanks,
Derek

On Dec 1, 2008, at 12:11 PM, Gerald (Jerry) Carter wrote:



Derek Harkness wrote:
I am attempting to set the SePrintOperatorPrivilege right on my RHEL 5.2
samba server and need some guidance.  The samba box is currently joined
to an AD forest in which I have a delegated OU, I do not have a Domain
Admin account.  Samba seems to want/need an Admin account in order to
make changes to the server configuration such as rights.

So the question is.  Is there a way to set a local administrator account
or to map my AD account to a local administrator?


if you are running Winbind, then add your account to
the BUILTIN\Administrators group (net sam addmem Administrators "

Or you can temporarily enable a root in Samba's account db.



cheers, jerry
- --
=
Samba--- http://www.samba.org
Likewise Software  -  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"  --Balian


[Samba] Print Operator Rights in AD environment

2008-12-01 Thread Derek Harkness
I am attempting to set the SePrintOperatorPrivilege right on my RHEL  
5.2 samba server and need some guidance.  The samba box is currently  
joined to an AD forest in which I have a delegated OU, I do not have a  
Domain Admin account.  Samba seems to want/need an Admin account in  
order to make changes to the server configuration such as rights.


So the question is.  Is there a way to set a local administrator
account or to map my AD account to a local administrator?


Thanks,
Derek


[Samba] CVE-2008-1105

2008-06-05 Thread Derek

Hello list!

Just wanted to confirm whether this CVE affects the 3.0.4 version of 
Samba..


The samba.org website claims "This security advisory is applicable to 
all Samba 3.0.x releases to date"


Yet the actual CVE [1] has "Versions: Samba 3.0.0 - 3.0.29 (inclusive)"

The CVE suggests that the version 3.0.4 would not be affected, my confused!


Thanks in advance,

Derek


[1] http://us1.samba.org/samba/security/CVE-2008-1105.html


Re: [Samba] samba in NATed network

2008-05-02 Thread Derek Podoll
You should be able to run the samba server on one of the vlans giving it
an internal ip address, just make sure the routing between all the vlans
will forward the traffic to your PDC.  Also for security I would put the
samba server behind the NAT address, there should be no reason to make it
public to the Internet unless you have remote people that connect in to
it.  And if that is the case they should be coming in over some kind of
vpn type link.  That can then route their connection to the correct
internal server or network.

Here is an example of my simple network: I am right now running a small
group of samba servers at my house and some family members' houses that has
3 PDC on 3 different networks all using private addresses.  With all the
networks linked together over an IPSEC network-to-network VPN.  So I can
have trusted networks set up between the servers.  This allows me to log in
to any of the Domains from my workstation and manage it.


> We have about 300 users distributed on different vlans using private ip
> network spaces,  and sharing one single public IP when going out to the
> Internet. Our samba (3.0.24) server has a public IP and is running as a
> primary domain controller. All clients receive Samba's public IP as
> their WINS server.   I am able to join the domain but samba stops
> responding sporadically.  Looking at the logs,   I found two things:
> First  on samba/log.smb:
>
>   oscar01 (4.5.6.7) closed connection to service netlogon
> [2008/04/30 11:55:12, 0] lib/util_sock.c:get_peer_addr(1229)
>   getpeername failed. Error was Transport endpoint is not connected
> [2008/04/30 11:55:12, 0] lib/util_sock.c:write_data(562)
>   write_data: write failure in writing to client 4.5.6.7. Error
> Connection reset by peer
> [2008/04/30 11:55:12, 0] lib/util_sock.c:send_smb(769)
>   Error writing 4 bytes to client. -1. (Connection reset by peer)
>
> Searching on google It seems that this is caused by smb ports=445 139
> and can be fixed by setting it to smb ports=445. I already made this
> change.
>
> Second on samba/log.nmbd
>
> [2008/04/30 14:25:31, 1] libsmb/cliconnect.c:cli_connect(1369)
>   Error connecting to 4.5.6.7 (Operation already in progress)
> [2008/04/30 14:40:40, 1] lib/util_sock.c:open_socket_out(896)
>   timeout connecting to 4.5.6.7:139
>
> Here it looks like samba is trying to initiate a connection using the
> NAT/firewall public IP, which is never going to work since there's no
> port forwarding in place. Which makes me wonder, is it possible to run
> samba on a NATed network??
> Thank you in advance for your input,
> eric.


Re: [Samba] Secondary groups and Posix ACL

2008-02-11 Thread Derek Harkness
Okay I found the solution to this problem.  It appears you shouldn't  
run winbindd on a samba PDC.


Derek Harkness
Data Security Analyst Senior
University of Michigan-Dearborn
(313) 593-5089

On Jan 31, 2008, at 08:08 AM, Derek Harkness wrote:

I've got a very odd situation occurring.  I recently upgraded to  
Samba 2.0.26a and now secondary group membership doesn't work.


On the filesystem I have this layout

/derek
/derek/Folder 1
/derek/Folder 2

derek has these ACLs
# file: derek
# owner: root
# group: root
user::rwx
group::r-x
other:r-x

Folder 1 has these ACLs
# file: Folder 1
# owner: root
# group: g1
user::rwx
group:rwx
other: ---
default:user::rwx
default:group::rwx
default:group:g1:rwx
default:mask:rwx
default:other:---

Folder 2 has these ACLs
# file: Folder 2
# owner: root
# group: g2
user::rwx
group:rwx
other: ---
default:user::rwx
default:group::rwx
default:group:g2:rwx
default:mask:rwx
default:other:---

Here is the share block from the smb.conf
[derek]
comment = Posix ACL test
path = /derek
guest ok = no
browseable = no
writeable = yes

Now my user testuser1's primary group is g1 and testuser1 is also a
member of g2.  From the shell testuser1 can access both directories
and all is good.  Through samba testuser1 gets an access denied or
network path not found when accessing Folder 2.  If I add g1 to the
ACL on Folder 2 then samba will let testuser1 in.  Am I missing
something?


Derek


[Samba] Secondary groups and Posix ACL

2008-01-31 Thread Derek Harkness
I've got a very odd situation occurring.  I recently upgraded to Samba  
2.0.26a and now secondary group membership doesn't work.


On the filesystem I have this layout

/derek
/derek/Folder 1
/derek/Folder 2

derek has these ACLs
# file: derek
# owner: root
# group: root
user::rwx
group::r-x
other:r-x

Folder 1 has these ACLs
# file: Folder 1
# owner: root
# group: g1
user::rwx
group:rwx
other: ---
default:user::rwx
default:group::rwx
default:group:g1:rwx
default:mask:rwx
default:other:---

Folder 2 has these ACLs
# file: Folder 2
# owner: root
# group: g2
user::rwx
group:rwx
other: ---
default:user::rwx
default:group::rwx
default:group:g2:rwx
default:mask:rwx
default:other:---

Here is the share block from the smb.conf
[derek]
comment = Posix ACL test
path = /derek
guest ok = no
browseable = no
writeable = yes

Now my user testuser1's primary group is g1 and testuser1 is also a
member of g2.  From the shell testuser1 can access both directories
and all is good.  Through samba testuser1 gets an access denied or
network path not found when accessing Folder 2.  If I add g1 to the
ACL on Folder 2 then samba will let testuser1 in.  Am I missing
something?


Derek


[Samba] Re: Samba 18GB file Transfer

2007-08-21 Thread Derek Croxton

Brad C wrote:

Hello Guys,

Having a bit of trouble transferring an 18GB file for backup purposes to a
Samba Server. I think the 2GB limit issue was resolved a long time ago?
Running Version:
Version 3.0.23c-SerNet-SuSE

The error on the windows client side ( this is done in some type of bat
script )
file creation error the network connection was aborted by the local system.

Tailing the samba logs, I think the part in bold is where things go wrong,
though I can't find anything on it. Any advice would be really welcome:

[2007/08/20 13:13:20, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(691)
  NativeOS=[Windows Server 2003 R2 3790 Service Pack 1] NativeLanMan=[]
PrimaryDomain=[Windows Server 2003 R2 5.2]
[2007/08/20 13:13:20, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(672)
  Got user=[root] domain=[ARCH-SERVER] workstation=[ARCH-SERVER] len1=24
len2=24
[2007/08/20 13:19:26, 3] smbd/oplock.c:init_oplocks(862)
  open_oplock_ipc: initializing messages.
[2007/08/20 13:19:26, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(260)
  Linux kernel oplocks enabled
[2007/08/20 13:19:26, 3] smbd/process.c:process_smb(1110)
  Transaction 0 of length 137
[2007/08/20 13:19:26, 3] smbd/process.c:switch_message(914)
  switch message SMBnegprot (pid 30689) conn 0x0
[2007/08/20 13:19:26, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/08/20 13:19:26, 3] smbd/negprot.c:reply_negprot(487)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2007/08/20 13:19:26, 3] smbd/negprot.c:reply_negprot(487)
  Requested protocol [LANMAN1.0]
[2007/08/20 13:19:26, 3] smbd/negprot.c:reply_negprot(487)
  Requested protocol [Windows for Workgroups 3.1a]
[2007/08/20 13:19:26, 3] smbd/negprot.c:reply_negprot(487)
  Requested protocol [LM1.2X002]
[2007/08/20 13:19:26, 3] smbd/negprot.c:reply_negprot(487)
  Requested protocol [LANMAN2.1]
[2007/08/20 13:19:26, 3] smbd/negprot.c:reply_negprot(487)
  Requested protocol [NT LM 0.12]
[2007/08/20 13:19:26, 3] smbd/negprot.c:reply_nt1(357)
  using SPNEGO
[2007/08/20 13:19:26, 3] smbd/negprot.c:reply_negprot(580)
  Selected protocol NT LM 0.12
[2007/08/20 13:19:26, 3] smbd/process.c:process_smb(1110)
  Transaction 1 of length 282
[2007/08/20 13:19:26, 3] smbd/process.c:switch_message(914)
  switch message SMBsesssetupX (pid 30689) conn 0x0
[2007/08/20 13:19:26, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/08/20 13:19:26, 3] smbd/sesssetup.c:reply_sesssetup_and_X(849)
  wct=12 flg2=0xc807
[2007/08/20 13:19:26, 2] smbd/sesssetup.c:setup_new_vc_session(799)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2007/08/20 13:19:26, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(660)
  Doing spnego session setup
[2007/08/20 13:19:26, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(691)
  NativeOS=[Windows Server 2003 R2 3790 Service Pack 1] NativeLanMan=[]
PrimaryDomain=[Windows Server 2003 R2 5.2]
[2007/08/20 13:19:26, 3] smbd/sesssetup.c:reply_spnego_negotiate(551)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2007/08/20 13:19:26, 3] smbd/sesssetup.c:reply_spnego_negotiate(554)
  Got secblob of size 40
[2007/08/20 13:19:26, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xe2088297
[2007/08/20 13:19:26, 3] smbd/process.c:process_smb(1110)
  Transaction 2 of length 408
[2007/08/20 13:19:26, 3] smbd/process.c:switch_message(914)
  switch message SMBsesssetupX (pid 30689) conn 0x0
[2007/08/20 13:19:26, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/08/20 13:19:26, 3] smbd/sesssetup.c:reply_sesssetup_and_X(849)
  wct=12 flg2=0xc807
[2007/08/20 13:19:26, 2] smbd/sesssetup.c:setup_new_vc_session(799)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2007/08/20 13:19:26, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(660)
  Doing spnego session setup
[2007/08/20 13:19:26, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(691)
  NativeOS=[Windows Server 2003 R2 3790 Service Pack 1] NativeLanMan=[]
PrimaryDomain=[Windows Server 2003 R2 5.2]
[2007/08/20 13:19:26, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(672)
  Got user=[root] domain=[ARCH-SERVER] workstation=[ARCH-SERVER] len1=24
len2=24


When mounting in Linux, I found I had to use "-o lfs" at the end to get 
around the 2GB limit.  But I don't know from a Windows client.



--
Sincerely,
Derek



[Samba] roaming profiles for XP PRO Vista 2000 and automounted home directories

2007-05-18 Thread Derek Podoll
Background on setup

Here is some basic background of my setup: I have 3 domains set up running
over an IPSEC tunnel over the Internet with one PDC BDC and some file
servers at each location all running samba (I am sorry I do not have the
version number in front of me for samba) from SUSE enterprise 10 using the
LDAP backend.  There is a trust set up between all the domains and the
IPSEC tunnels are set up so I can access it using client software on my
laptop even if I am not plugged in to any of the networks.

Problem

Background on problem I have a Windows 2000 XP PRO and Vista Ultimate
client that connect to the domains.  The 2000 and XP PRO computers are
able to automount my home directory from any of the domains I login to and
both use the same roaming profile.  But the Vista Ultimate client when I
connected that one to the network it created a new profile directory for
the same account and added .V2 at the end of the name using that as the
location for storing the vista profile.  And the vista client does not
automount the home directory for any of the domains.  But I am able to
browse and mount it after I have the desktop up and running.

Question

Is there a way to make samba use the same roaming profile directory for
all 3 types of clients?  I have files in my documents folder and other
stuff in my profile that I would like to have access to using any of the
clients.  Also is there a change that needs to be made to vista or samba
in order to get vista to automount my home directory?  Once again I am
sorry I do not have access to the samba version right now and the smb.conf
file.  It is running the latest version of samba that is automatically
installed with SUSE Enterprise 10.  I have made no changes to the home
shares and the roaming profiles sections of the smb.conf file.




Re: [Samba] windows clients can't see workgroup at all

2007-03-28 Thread Derek Podoll
Here are a few things you might try if the samba server is the only server
on the network.  In the smb.conf file make sure
wins support = yes
And on the windows computer in the tcp/ip settings add the ip address of
the server to the wins tab.  Then when the servers and other windows
computers are running check the logs on the server to see if one of the
windows computers is fighting with the Samba server for browse master on
the network.  If this is happening change the OS level in the smb.conf
file to make samba win the master browser slot on the network.

If this samba server is not going to be the wins server
add these settings to the smb.conf
wins support = no
wins server = (192.168.0.2 ip address of your wins server)
Make sure the wins server ip address is set in the tcp/ip settings

> I'm trying to troubleshoot a new samba setup on a tiny network, and I'm
> clearly missing something. I'm running Samba 3.0.22 on Ubuntu Linux.
>
> When I first set it up, it seemed to go so smoothly. I changed all the
> workstations to the same workgroup (RABNETWORK) and they could see each
> other and the server, but they couldn't open anything on the server. I don't
> really understand what the problem is, but I didn't change anything, I gave
> up and went home. Now, none of the workstations can browse the network at
> all. When I click "View workgroup computers" the error I get says that the
> network is not accessible. Even with the server off, the network is not
> accessible (hence my suspicion that samba is not the problem).
>
> What I can't sort out is what the problem is likely to be. I tried stopping
> the firewall (AVG) altogether, which didn't make a difference. I tried to
> walk through this diagnosis worksheet:
> http://samba.org/samba/docs/man/Samba-HOWTO-Collection/diagnosis.html
>
> and got the following results:
> 1) testparm works
> 2) ping by name fails; I can ping the server's IP address from the Windows
> clients, but can't ping the Windows machines from the server.
> 3)  works: smbclient -L BIGSERVER
>
> Domain=[BEASTIE] OS=[Unix] Server=[Samba 3.0.22]
>
> Sharename       Type      Comment
> ---------       ----      -------
> homes           Disk      Home Directories
> print$          Disk      Printer Drivers
> Share Drive     Disk      This is the server.
> tmp             Disk      temporary files
> IPC$            IPC       IPC Service (beastie server (Samba, Ubuntu))
> ADMIN$          IPC       IPC Service (beastie server (Samba, Ubuntu))
> amanda          Disk      Home Directories
> Domain=[BEASTIE] OS=[Unix] Server=[Samba 3.0.22]
>
> Server               Comment
> ---------            -------
>
> Workgroup            Master
> ---------            -------
> RABNETWORK           BEASTIE
>
> 4) works: nmblookup -B BIGSERVER __SAMBA__
>   [EMAIL PROTECTED]:~$ nmblookup -B BEASTIE __SAMBA__
>   querying __SAMBA__ on 127.0.0.1
>   192.168.1.102 __SAMBA__<00>
>
> 5) fails: nmblookup -B ACLIENT '*'
>   [EMAIL PROTECTED]:~$ nmblookup -B presta '*'
>   querying * on 0.0.0.0
>   192.168.1.102 *<00>
>
> I'm stopping here because it seems pretty clear that the Windows XP client
> machines are hating me. Where do I go from here?
>
> Thanks,
> Amanda


[Samba] network share from samba slow over vpn

2005-12-16 Thread Derek
I've setup a standard Samba share on one of our Solaris servers.  Everything
works great locally.  Even a fast VPN connection works fine.  But a VPN
slower than 80ms ping response time and they start to see delays when
trying to browse through the shared directories.  With an even slower
connection of 120ms ping time and the browsing becomes unbearable.  Seems to
me that the connection is timing out or trying to retransmit.  At first I
thought it may be our firewall or the type of VPN.  But I tested other
services (telnet, ftp, xterm, vnc) at the slower speed without any issues.

Thanks,
Derek





[Samba] Replacing debian packages with compiled source

2005-12-16 Thread Derek Croxton
The Samba that is packaged for Xandros 2.0 seems to be broken; at least, 
mine keeps giving me "segmentation fault" errors.  I've tried wiping it 
out and re-installing it, but it hasn't helped.


Recently I decided to get the latest version of Samba and compile it 
from source, which, to my amazement, actually worked.  Now, before I try 
"make install," I would like to know:  which existing packages do I need 
to remove?  I know the base samba package will have to go, but I don't 
know which other ones also have to be deleted, versus which ones are 
actually separate -- for example, I think smbclient is separate, but I'm 
not sure.


I presume "make install" will overwrite any files in the way, but I'd 
rather clear out the old stuff before doing the install.  On the other 
hand, I don't want to remove related packages that I need to use Samba 
on that computer.


Thanks,
Derek Croxton



[Samba] subdirectory permissions

2005-11-28 Thread derek
Hi
  
I recently installed Redhat ES 4 with a view to eventually doing away with
our SBS 2003 server. I can share directories ok but cannot seem to pass the
directory share parameters onto the subdirectories and files within. Is there
a way to do this without creating separate shares for the subdirectories
(there are far too many subdirectories to consider this, unless I have no
option). I have tried the 'Inherit permissions from parent directory' but this
does not seem to work.

I am quite new to the linux environment as far as using it as a file server
is concerned anyway. Any help would be much appreciated

Thanks in advance
  
  Derek
  
 

  


Re: [Samba] printer admin: deprecated?

2005-11-28 Thread Derek Harkness



On Nov 28, 2005, at 3:37 AM, Fabio wrote:


Hi!


On Thu, 2005-11-24 at 09:53 +1000, Adam Nielsen wrote:

If "printer admin" is deprecated, what option replace it?


I'm not sure, I was wondering this same question myself.

Is printer admin still valid? If yes, until which version will it be supported?


I'm using Samba 3.0.20 and it still seems to work, but I'm not sure
when it'll be taken out.


I understand it has been replaced with proper ACLs and privileges.
Check the release notes.


Ok, I can use SePrintOperatorPrivilege but I use printer admin in the share
section so that I can decide which users/groups are administrators (for a
printer) and which not.
Can I do that using SePrintOperatorPrivilege? No, I think, because I can't
specify a particular printer. Is that wrong?



I granted the SePrintOperatorPrivilege to everyone who will be  
managing printers and then added specific users or groups to the  
security tab of the printer(s) they will be managing.


Derek


Thanks a lot,
Fabio




Andrew Bartlett


--

Dott. Fabio Marcone

2T srl
Telefono+39 - 0871- 540154
Fax +39 - 0871- 571594
Email   [EMAIL PROTECTED]   
Indirizzo   Viale B. Croce 573, 66013 Chieti Scalo (CH)


Re: [Samba] samba domain vs linux network security

2005-11-11 Thread Derek Harkness
We use AFS/Kerberos/LDAP to provide home directories to our
Linux/Unix/OSX users; our Windows users connect into our Samba domain.
Samba has pretty good AFS support for gatewaying SMB <-> AFS
requests, at a minor weakening of filesystem security.  I'm hoping
Samba4 will allow me to use Kerberos all the way through.  The
biggest downside to the AFS/Kerberos/LDAP/Samba setup is complexity;
each service is a pain to set up by itself, and getting them working
together nearly involved human sacrifice.  But the system has been
working for about a year with 99.99% uptime.


A big thanks to all the Samba developers!
Derek

On Nov 10, 2005, at 8:27 AM, mourik jan c heupink wrote:



You have several options.  First, there are steps that you can take to
improve NFS security somewhat, such as restricting it to particular IP
addresses (although IP addresses can be spoofed).  Second, you can use
NFSv4, which supports proper authentication.  Third, you can use an
alternative means of sharing drives to Linux.  I've actually been
using SMB to access my Linux server's drives from my Linux client, to
avoid setting up a separate file-sharing service.  Several other
options exist - including SSHFS (for more of a quick-and-dirty
approach), AFS, and Coda, but I don't have experience with any of
them.


Thanks very much for the feedback.

Since nfs4 is NOT included in sles9 (apparently because its acl
code is not yet stable..?) I will take a look at the two
alternatives you mention.


The feedback was very much appreciated.

Mourik Jan


[Samba] Samba 3.0.14a AFS funkyness

2005-10-18 Thread Derek Harkness
I've been using Samba as an AFS gateway since December 04 and it's  
been working great but I recently deployed a 3.0.14a server and now  
samba isn't honoring AFS acls.  It is enforcing unix mode permissions  
which is completely the wrong behavior in this case.


For example I have a directory with the following unix permissions  
and AFS acl


rwxrwxr--  dharknes  users  testfolder

Access list for testfolder is
Normal rights:
itsdept rlidwk
system:administrtors rlidwka

With that setup I will not be able to write to the directory through  
samba even though I'm in the itsdept AFS group.  Samba is generating  
the proper AFS tokens since I can get access to the folder, it just  
wants to enforce file and directory permissions.


Thanks,
Derek


Re: [Samba] LDAP PDC question

2005-10-05 Thread Derek Harkness
The cool thing is, I didn't either; I simply forgot to comment one
out.  But hey, I'll certainly make use of it.


Derek

On Oct 4, 2005, at 9:46 AM, Marcel de Riedmatten wrote:


Le mar 04/10/2005 à 14:57, Derek Harkness a écrit :


Thanks!  I was doing some testing this morning and found that on the
pdc I had nss set up like this

nss_base_passwd ou=People
nss_base_passwd ou=machines,ou=Samba



I just didn't know that you could have many nss_base_passwd entries ;-).


--
Marcel de Riedmatten



Re: [Samba] LDAP PDC question

2005-10-04 Thread Derek Harkness
Thanks!  I was doing some testing this morning and found that on the
pdc I had nss set up like this


nss_base_passwd ou=People
nss_base_passwd ou=machines,ou=Samba

In my 15 minutes of testing it appears to work well.  With the size  
of our LDAP, searching from the base could take a very long time.


Thanks again,
Derek

On Oct 4, 2005, at 8:52 AM, Marcel de Riedmatten wrote:


Le ven 30/09/2005 à 15:37, Derek Harkness a écrit :


When setting up an LDAP PDC do I have to have both user and machines
in the ou=People container?  Here's what I've got.

LDAP Tree

ou=People,o=umd.umich.edu
ou=NIS,ou=Groups,o=umd.umich.eud
ou=machines,ou=Samba,ou=Services,o=umd.umich.edu
ou=Idmap,ou=Samba,ou=Services,o=umd.umich.edu






-m I get "Failed to initialise SAM_ACCOUNT for user its-1150d$. Does
this user exist in the UNIX password database" which would be correct
since machine accounts aren't under ou=People the local workstation
won't be able to look them up.  I don't want my unix users seeing all
the windows workstations.



The domain controllers have to see machine account. I have a setup like
yours but on the pdc my nss setup is:

base  o=umd.umich.edu
#nss_base_passwd ou=People


so the whole tree is searched while on other machines it is:

base  o=umd.umich.edu
nss_base_passwd ou=People

and here the machine accounts are not seen.






--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
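
The visibility question discussed in this thread, as an added example that is not part of the original messages: it resolves which subtrees passwd lookups search for a given nss_ldap-style config and checks whether a machine account falls inside them. It assumes nss_ldap's convention that an `nss_base_passwd` value ending in a comma is relative to `base`; the config texts and the `uid=` entry names are constructed from the DNs quoted in the thread.

```python
def normalize_dn(dn):
    # Simple DN comparison: case-insensitive, whitespace-tolerant,
    # no escaped commas (sufficient for the DNs in this thread).
    return tuple(p.strip().lower() for p in dn.split(",") if p.strip())

def passwd_search_bases(conf_text):
    """Return [(absolute_dn, scope)] searched for passwd entries."""
    base, descriptors = None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or commented-out setting
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "base":
            base = value
        elif key == "nss_base_passwd":    # may appear more than once
            fields = value.split("?")     # base?scope?filter
            scope = fields[1] if len(fields) > 1 and fields[1] else "sub"
            descriptors.append((fields[0], scope))
    if not descriptors:                   # no override: whole tree under base
        return [(base, "sub")] if base else []
    resolved = []
    for dn, scope in descriptors:
        if dn.endswith(","):              # relative form: append the base DN
            if base is None:
                raise ValueError("relative nss_base_passwd needs a 'base' line")
            dn += base
        resolved.append((dn, scope))
    return resolved

def visible_to_passwd(conf_text, entry_dn):
    """True if entry_dn lies inside any passwd search descriptor."""
    entry = normalize_dn(entry_dn)
    for dn, scope in passwd_search_bases(conf_text):
        b = normalize_dn(dn)
        depth = len(entry) - len(b)
        if depth < 0 or entry[depth:] != b:
            continue
        if scope == "sub" or (scope == "one" and depth == 1) \
                or (scope == "base" and depth == 0):
            return True
    return False

# Constructed sample configs built from the DNs quoted in the thread.
WORKSTATION_CONF = "base o=umd.umich.edu\nnss_base_passwd ou=People,\n"
PDC_TWO_BASES = WORKSTATION_CONF + \
    "nss_base_passwd ou=machines,ou=Samba,ou=Services,\n"
PDC_WHOLE_TREE = "base o=umd.umich.edu\n#nss_base_passwd ou=People,\n"

# Constructed entry names; the uid= naming attribute is an assumption.
MACHINE_DN = "uid=its-1150d$,ou=machines,ou=Samba,ou=Services,o=umd.umich.edu"
USER_DN = "uid=someuser,ou=People,o=umd.umich.edu"
```
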


[Samba] LDAP PDC question

2005-09-30 Thread Derek Harkness
When setting up an LDAP PDC do I have to have both user and machines  
in the ou=People container?  Here's what I've got.


LDAP Tree

ou=People,o=umd.umich.edu
ou=NIS,ou=Groups,o=umd.umich.eud
ou=machines,ou=Samba,ou=Services,o=umd.umich.edu
ou=Idmap,ou=Samba,ou=Services,o=umd.umich.edu

smb.conf (ldap stuff)
ldap delete dn = no
ldap suffix = o=umd.umich.edu
ldap user suffix = ou=People
ldap group suffix = ou=NIS,ou=Groups
ldap machine suffix = ou=machines,ou=Samba,ou=Services
ldap idmap suffix = ou=Idmap,ou=Services
ldapsam:trusted = yes
idmap backend = ldap:ldap://tien.its.umd.umich.edu
passdb backend = ldapsam:ldap://tien.its.umd.umich.edu

NSS setting
nss_base_passwd ou=People
nss_base_groups  ou=NIS

When I attempt to join a workstation to the domain the
smbldap-useradd script works and creates the posix entry, but the samba
attributes are never added and the workstation returns the error user
can not be found.  If I try adding the workstation using smbpasswd -a
-m I get "Failed to initialise SAM_ACCOUNT for user its-1150d$. Does
this user exist in the UNIX password database" which would be correct
since machine accounts aren't under ou=People the local workstation
won't be able to look them up.  I don't want my unix users seeing all
the windows workstations.


Thanks,
Derek


[Samba] Samba(4) + AFS

2005-09-28 Thread Derek Harkness
This may be more appropriate on the developers list but I'll ask here
first.


Anybody know if any improved support for AFS is being added to either  
samba 3 or 4?  We currently share all user home directories, shared  
files, web sites, etc. etc. from AFS using Samba.  This setup is  
working great, thank you to everyone involved!!  I'm just concerned  
that AFS support might not make it into 4.


Thanks,
Derek


[Samba] Login to windows with samba running as domain master doesn't set HOMEPATH environment variable

2005-09-27 Thread Carter, Derek
I'm running samba as a domain master and
have implemented roaming profiles (correctly I hope). However, I have
discovered that if I use the client Windows 2K machine on the domain
"Local machine" the environment variable %HOMEPATH% is set correctly to
\Documents and Settings\myname; however, if I then login to my domain
implemented by samba, %HOMEPATH% is simply not defined. HOMEDRIVE and the
rest seem OK, it's just HOMEPATH.

Now I have searched the archives for related questions but nothing
really applicable has come up, therefore it's going to be something wrong
with my configuration (either server or client) but I really am stuck as to
what it could be.

Thanks

Derek

Information -

Server:
OS  SuSE Linux 9.1
Samba   Version 3.0.13-1.1-SUSE
Smb.conf -
# Global parameters
[global]
workgroup = ELMSCLOSE
map to guest = Bad User
unix password sync = Yes
passdb backend = smbpasswd:/etc/samba/smbpasswd
passwd program = /usr/bin/passwd %u
passwd chat = *password* %n\n *password* %n\n *changed*
passwd chat debug = Yes
printcap cache time = 750
printcap name = cups
add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
logon path = \\%L\profiles\.msprofile
logon drive = Y:
logon home = \\%L\%U\.9xprofile
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
admin users = root, derek
printer admin = @ntadmin, root, administrator
cups options = raw
include = /etc/samba/dhcp.conf
template homedir = /home/%D/%U

[homes]
path = /home/%U/
comment = Home Directories
valid users = %S
read only = No
inherit acls = Yes
browseable = No

[profiles]
comment = Network Profiles Service
path = %H
read only = No
create mask = 0600
directory mask = 0700
store dos attributes = Yes

[printers]
comment = All Printers
path = /var/tmp
create mask = 0600
printable = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin, root
force group = ntadmin
create mask = 0664
directory mask = 0775

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
write list = root

[public]
comment = Public Shared Directory
path = /home/public
read only = No
inherit acls = Yes

Client:
OS Windows 2000 Pro
Have joined domain ELMSCLOSE without any problems
Have created a user with profiles being copied to LINUX box without
problems
No other changes made


Re: [Samba] Unable to change file permissions on samba mount.

2005-09-16 Thread derek

Ok an update.
I tried manually mounting the share via mount_smbfs.
Since it defaults to whatever the owner and group IDs from the directory 
where the volume is mounted, I got 755 for all the files. But when I 
chmod anything the change doesn't take.

Is there something seriously wrong with the samba client in Tiger?
It just doesn't make any sense that I can't change file permissions on 
this smb share mounted on a mac. Especially when I can do it from a 
windows machine.

Any thoughts?
Thanks,
Derek

derek wrote:


Hello,
We share out user home dirs from a Solaris server via samba. On a
windows machine I can change file permissions to files in my samba
home dir. From OS X 10.4.2 all the files are at 700 and chmod does
nothing to them. From the GUI, Get Info just says that I can read and
write. The smb.conf on the sun server has the following entries under
the [home] section:

browseable = no
read only = no
create mode = 0700
directory mode = 0700
wide links = no
hide dot files = yes

any help would be appreciated. I have also bound the mac to the 
windows domain and it logs me on and auto connects the samba home dir 
fine, I just can't change file permissions.

Thanks,
Derek



--
Derek Pearson
Systems Administrator
Baskin School of Engineering
UCSC
459-5605



[Samba] Unable to change file permissions on samba mount.

2005-09-14 Thread derek

Hello,
We share out user home dirs from a Solaris server via samba. On a
windows machine I can change file permissions to files in my samba home
dir. From OS X 10.4.2 all the files are at 700 and chmod does nothing to
them. From the GUI, Get Info just says that I can read and write. The
smb.conf on the sun server has the following entries under the [home]
section:

browseable = no
read only = no
create mode = 0700
directory mode = 0700
wide links = no
hide dot files = yes

any help would be appreciated. I have also bound the mac to the windows 
domain and it logs me on and auto connects the samba home dir fine, I 
just can't change file permissions.

Thanks,
Derek

--
Derek Pearson
Systems Administrator
Baskin School of Engineering
UCSC
459-5605



Re: [Samba] Print configuration question?

2005-08-30 Thread Derek Harkness


Actually determined this was a CUPS issue.  I split the CUPS and  
Samba servers, system load on the Samba box now averages about 0.3  
while load average on the CUPS system is about 0.8 or 1.


Thanks,
Derek

On Aug 28, 2005, at 9:47 AM, Jim Ross wrote:


Derek Harkness wrote:

Is it better to setup lots of small print servers or one big print server?
I've currently got 1 print server serving up about 55 printers.  All the
server does is Samba and CUPS; the box has 2 2.8gig P4 xeon, 2 gigs of RAM
and a load average of 3.  Which is way too high since users are complaining
about slow print performance.  I went with this solution because I didn't
like the idea of having 2,3, or 4 servers just for printing but now I'm
wondering if having multiple boxes isn't the better solution.  The other
thought I had was splitting the box by moving cups to its own server.

Any opinions,
Derek



I've got 25 print queues on a similar server at DTE without a speed
problem.  I suspect in your case students are dumping some huge
print jobs on it.  You've probably seen this tool before, but if
you haven't, it's what I use to look at the system,
http://dag.wieers.com/home-made/dstat/, which pulls together output from
what would normally be multiple tools under Linux.  So I was
thinking, for a couple minutes, this morning about this.  It's
unlikely that CPU or memory is the problem, but more likely that
network or disk has bottlenecked.  More likely the disk, since
you're probably 100mb there at the server and you probably require
heavier logging to track and charge for paper, etc.  It sounds like
you might have to try adding another box, maybe smaller boxes with
fast disks, given you can't cut logging, students always print too
much, and disks are likely already maxed out.  I suspect the disk
is really churning.  Too bad you couldn't spool to ram disk, but
it's probably not feasible.  Just doing some idle brainstorming a
bit on this early Sunday.  I find it helps sometimes.


Jim Ross






[Samba] Print configuration question?

2005-07-21 Thread Derek Harkness
Is it better to setup lots of small print servers or one big print  
server?


I've currently got 1 print server serving up about 55 printers.  All  
the server does is Samba and CUPS the box has 2 2.8gig P4 xeon, 2  
gigs of RAM and a load average of 3.  Which is way too high since
users are complaining about slow print performance.  I went with this  
solution because I didn't like the idea of having 2,3, or 4 servers  
just for printing but now I'm wondering if having multiple boxes  
isn't the better solution.  The other thought I had was splitting the  
box by moving cups to its own server.


Any opinions,
Derek