Re: [Samba] AD integration with multiple groups

2011-02-01 Thread grant little
I forgot to mention that I also use along with the other:
write list = @ad\securitygroupname

On Tue, Feb 1, 2011 at 8:19 AM, grant little  wrote:

> Yes I do that using:
> valid users = @ad\securitygroupname
>
> works like a charm.
>
> also in my config, don't know if it relates:
> workgroup = AD
> realm = AD.MYDOMAIN.XXX
>
> On Tue, Feb 1, 2011 at 5:57 AM, julien mabillard  wrote:
>
>> Hello,
>> I post here my question after having spent time on google and forums
>> and documentation to find a clue.
>>
>> I use:
>> GNU/Linux RHEL5 x86_64
>> Samba Version 3.5.6
>> Active Directory 2003 on Windows 2003/2008
>>
>> I want to allow an authenticated user (AD authenticated) to access
>> a share partition under samba only if one of his secondary groups
>> is a defined one.
>>
>> ex: user joe
>> uid=4001(joe) gid=4010(domain users) groups=4010(domain users),
>> 4011(IT),4012(operations)
>>
>> I want to be able to only allow group 'operations' to access the
>> share. I was trying to use : valid users = @operations
>> or : valid users = @MYDOM\operations
>>
>> But I only get success with the gid 'domain users'.
>>
>> Can someone tell me if this is possible to do?
>>
>> Thank you very much.
>>
>>
>> --
>> refs : https://mbuf.net/
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] AD integration with multiple groups

2011-02-01 Thread grant little
Yes I do that using:
valid users = @ad\securitygroupname

works like a charm.

also in my config, don't know if it relates:
workgroup = AD
realm = AD.MYDOMAIN.XXX

On Tue, Feb 1, 2011 at 5:57 AM, julien mabillard  wrote:

> Hello,
> I post here my question after having spent time on google and forums
> and documentation to find a clue.
>
> I use:
> GNU/Linux RHEL5 x86_64
> Samba Version 3.5.6
> Active Directory 2003 on Windows 2003/2008
>
> I want to allow an authenticated user (AD authenticated) to access
> a share partition under samba only if one of his secondary groups
> is a defined one.
>
> ex: user joe
> uid=4001(joe) gid=4010(domain users) groups=4010(domain users),
> 4011(IT),4012(operations)
>
> I want to be able to only allow group 'operations' to access the
> share. I was trying to use : valid users = @operations
> or : valid users = @MYDOM\operations
>
> But I only get success with the gid 'domain users'.
>
> Can someone tell me if this is possible to do?
>
> Thank you very much.
>
>
> --
> refs : https://mbuf.net/
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


[Samba] performance transfer (samba VS ftp)

2010-09-18 Thread grant little
On Sat, Sep 18, 2010 at 1:36 AM, Stan Hoeppner wrote:

> Volker Lendecke put forth on 9/18/2010 12:44 AM:
> > On Sat, Sep 18, 2010 at 12:22:53AM -0500, Stan Hoeppner wrote:
> >> Pol Hallen put forth on 9/15/2010 9:36 AM:
> >>
> >>> debian stable (samba version 2:3.2.5-4lenny9)
> >>>
> >>> from clients by ftp the transfer of huge file is about 10/11Mb/s (with an
> >>> ethernet 10/100)
> >>>
> >>> by samba came 5/6Mb/s
> >>>
> >>> is it correct?
> >>
> >> Good luck.  It appears that tuning smbd and clients, both Windows and
> >> smbclient, to get anywhere close to wire speed is somewhat of a black
> >> art.  I asked the same question many months ago, and dropped the subject
> >> after Jeremy said it had to be a problem with the W2K redirector.  Funny
> >> thing is, that same W2K redirector can pull at almost wire speed from a
> >> WinXP box.  The most I've ever been able to get out of smbd is ~8MB/s.
> >> I'm running 3.2.5-4lenny12.  To get anything better than that I'll have
> >> to go to GigE.  I probably won't get anywhere close to wire speed, but I
> >> should get at least 30-40MB/s, which is 4-5 times what I get now, and
> >> would thus be a huge improvement for relatively little cost--a few NICs
> >> and a decent desktop GigE switch can be had for around $100 USD.  Even
> >> without using jumbo frames this would be a huge improvement over 100FDX.
> >
> > As always: What about get/put of large files with smbclient, >= 3.2?
>
> Hi Volker.
>
> I don't have a Linux client machine to test smbclient against my
> Debian/Samba server.  However, running smbclient (3.2.5) on the server
> and connecting to shares on a WinXP machine and W2K Pro machine hits 11
> MB/s (near wire speed of 12.5) all day long with GETing moderate to
> large files (30MB+).  PUTing the same files maxes out at ~6MB/s--very
> lopsided.  I've tried various smbclient -O socket options with no effect
> on PUT performance.
>
> Copying from an smbd share to the Windows machines maxes at 9MB/s.
> Copying from the Windows machines to an smbd share yields 8MB/s--much
> more consistent than smbclient.
>
> It sure would be nice to have smbclient's 11MB/s GET speed in both
> directions with all OSes involved.
>
> I've tried every option and optimization in smb.conf and the registries
> of both Windows machines and can't get over 9MB/s.  It's sure better
> than the 5MB/s some people report, so I'm not complaining.  It's kinda
> academic anyway, because the bulk of our transfers to/from smbd are
> large quantities of small files (< 1MB).  Such transfers can crawl at
> less than 1MB/s.  Like I said, I think the best solution for me would be
> to move to GigE.
>
> --
>
>
>
I'm using gigabit ethernet with samba 3.4.7 default network settings under
ubuntu 10.04 LTS server and last evening I moved 35 Gigabytes from an iMac to
the samba server over gigabit ethernet and it took around 15 minutes which
works out to around 300 mega bits per second which is about a third of wire
speed which on tests comes out at about 920 Mbits/sec.
I have seen mention on this list a while back that the smb protocol is the
bottleneck. OTOH I can live with 300Mbits/sec


Re: [Samba] Samba for AD client?

2010-09-09 Thread grant little
On Thu, Sep 9, 2010 at 5:20 PM, Matt Richardson  wrote:

> On 09/05/2010 05:14 PM, Ken D'Ambrosio wrote:
>
>
>> 1) Are there any known issues with BTRFS?
>> 2) Which version of Samba would be most appropriate for this?
>> 3) AD integration: I've never really done it (with success); any pointers?
>>  [I've googled a bit, but bump into a zillion different HOWTO's and/or
>> utilities, some of which seem to be mutually exclusive.)
>>
>>
> Can't help you with 1, but I've got a couple of Samba servers running as
> members in an AD domain: 3.2.5 and 3.4.8.  Both integrated into the domain
> fairly easily.  I have some internal docs that I can post once I clean them
> up.  I haven't done any ACL testing yet because groups have been sufficient.
>
>
>
I also have AD integration working great for samba share login from both
windows and os x using kerberos and remote ldap with ubuntu 10.04 + samba
3.4.7 with windows security groups, it's great. However testing the ACLs
they don't work when set from windows. Setting from linux shows fine in
windows but not other way around. They may work when I get around to adding
a local ldap and an ldapsam backend, time alone will tell.


Re: [Samba] Authentication questions with domain

2010-09-08 Thread grant little
On Wed, Sep 8, 2010 at 12:32 AM, Jean-Yves Avenard wrote:

> Hi there.
>
> I have a FreeBSD server running Samba 3.3, connected to a domain whose
> PDC is a MacOS 10.6 server running Samba 3.0.28 (ancient I know).
>
> Working all fine, except for one thing I find annoying.
>
> MacOS server has a concept of username alias. You can have as many
> aliases as you want, using any of those aliases are the same as using
> the primary one.
>
> It's rather well implemented in 10.6 server, and you can log on the
> domain with any of those usernames.
> \\server\homes would point to the same directory, no matter which of
> the aliases you used.
>
> On the FreeBSD server however, that is on this domain. You can only
> login using the primary username.
> If I try to login using an alias, I get using smbclient session setup
> failed: NT_STATUS_LOGON_FAILURE
>
> I was under the impression that the authentication is always performed
> against the PDC, so if it's fine with the PDC, it should be fine on
> the client (and sure enough, with Windows, I can login with any of the
> alias too).
>
> For example:
> One user
> simon_russell, has 2 aliases: simonr and simon_russell.
>
> server4# smbclient //server4/public -U simon_russell
> Enter simon_russell's password:
> Domain=[HYDRIX] OS=[Unix] Server=[Samba 3.3.9]
>
> Fine so far.
> However,
>
> server4# smbclient //server4/public -U simon.russell
> Enter simon.russell's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> In the log of the PDC however, I see
> When logging with an alias:
>
> [2010/09/08 17:25:21, 2, pid=89576]
>
> /SourceCache/samba/samba-235.4/samba/source/auth/auth.c:check_ntlm_password(309)
>  check_ntlm_password:  authentication for user [simon.russell] ->
> [simon.russell] -> [simon_russell] succeeded
>
> when logging with the main username:
> [2010/09/08 17:26:32, 2, pid=89576]
>
> /SourceCache/samba/samba-235.4/samba/source/auth/auth.c:check_ntlm_password(309)
>  check_ntlm_password:  authentication for user [simon_russell] ->
> [simon_russell] -> [simon_russell] succeeded
>
>
> As far as the PDC is concerned, the authentication in both cases was
> successful.
>
> Yet, the samba client fails and reports an authentication failure...
>
> The PDC is running OpenDirectory which is just a LDAP server...
>
> Am I missing something? what could I do to allow users to login using
> any aliases?
>
> Thank you
> Jean-Yves
>  


nsswitch is using local auth first maybe?


Re: [Samba] what flag shows ldapsam is built in?

2010-09-07 Thread grant little
On Mon, Sep 6, 2010 at 1:29 PM, grant little  wrote:

> what  flag from smbd -b confirms ldapsam is built in?
>
> I see:
> # smbd -b | grep -i ldap
>    HAVE_LDAP_H
>    HAVE_LDAP
>    HAVE_LDAP_ADD_RESULT_ENTRY
>    HAVE_LDAP_INIT
>    HAVE_LDAP_INITIALIZE
>    HAVE_LDAP_SASL_WRAPPING
>    HAVE_LDAP_SET_REBIND_PROC
>    HAVE_LIBLDAP
>    LDAP_SET_REBIND_PROC_ARGS
>    idmap_ldap_init
> pdb_ldap pdb_smbpasswd pdb_tdbsam pdb_wbc_sam
>
>
> I was expecting to see something with ldapsam in there say for instance
> pdb_ldapsam or HAVE_LDAPSAM but I'm not sure what the flag is called and
> haven't found a list of all the flags when searching samba.org
>
> thanks.
>

In case anyone else is looking I finally found the build flags here:
http://wiki.samba.org/index.php/Build-time_configuration_options

however I am none the wiser as they don't correspond 1 to 1 to the output of
smbd -b and man on smbd just says that -b provides information about how
samba was built.

it's possible that that pdb_ldap means ldapsam support but I can't find that
documented  even when searching the latest source.   If that is so then why
is there a pdb_tdbsam and a pdb_wbc_sam when to be consistent that should be
just pdb_tdb or the other should be pdb_ldapsam.
In the source I see mention of both pdb_ldap and ldapsam.
I suspect the only way I will find out is by actually doing builds with the
flags on and off and seeing what happens.
Confused.


Re: [Samba] Problem with groups and user

2010-09-07 Thread grant little
2010/9/7 Olivier PAVILLA 

> Before everything. Please forgive my poor english. It is not my fault I'm a
> french :(
> I have samba/ldap server with windows users.
> On my Samba/ldap server , I'm using GQ. If I look about groups. There is :
> 'iatoss, exterieurs, other and onther'
> If I look about 'mdupont' user. " GQ says  'mdupont' is in "iatoss" group.
> On the server, If I type "groups". It gives me :  root bin daemon sys adm
> disk wheel
> If I type : 'groups mdupont'. It gives me 'iatoss'
> My problem is when mdupont user makes a file in his windows desktop. If I
> look in his directory and if I do ls -al. His file has owner mdupont group
> "root"... But I do not understand how this user can make a file with
> himself has owner and 'root' has group. Usually, when user from blabla group
> makes a file. This file has this user has owner and blabla as a group. So it
> can be possible. Anyone has a idea?
>
>
Olivier, first, your english is way better than my *Français* so no
apology needed.

Maybe you are using an old version of samba: what version of samba on what
operating system?
what settings do you have in smb.conf for the share that mdupont is using?

There is for smb.conf
group (synonym for force group)
and
force group
to force whatever group you want on files made in a share


[Samba] what flag shows ldapsam is built in?

2010-09-06 Thread grant little
what  flag from smbd -b confirms ldapsam is built in?

I see:
# smbd -b | grep -i ldap
   HAVE_LDAP_H
   HAVE_LDAP
   HAVE_LDAP_ADD_RESULT_ENTRY
   HAVE_LDAP_INIT
   HAVE_LDAP_INITIALIZE
   HAVE_LDAP_SASL_WRAPPING
   HAVE_LDAP_SET_REBIND_PROC
   HAVE_LIBLDAP
   LDAP_SET_REBIND_PROC_ARGS
   idmap_ldap_init
pdb_ldap pdb_smbpasswd pdb_tdbsam pdb_wbc_sam


I was expecting to see something with ldapsam in there say for instance
pdb_ldapsam or HAVE_LDAPSAM but I'm not sure what the flag is called and
haven't found a list of all the flags when searching samba.org

thanks.


Re: [Samba] Samba for AD client?

2010-09-06 Thread grant little
On Mon, Sep 6, 2010 at 11:40 AM, Daniel Müller wrote:

> On Sun, 5 Sep 2010 20:14:03 -0400 (EDT), "Ken D'Ambrosio" 
> Perhaps it helps: My Thread: HOWTO samba4 centos5.5 named dnsupdate drbd
> simple failover
> http://www.mail-archive.com/samba@lists.samba.org/msg109994.html
> Greetings
> Daniel
>
>
>
caveat: samba 4 is in alpha, not yet production

>
>


Re: [Samba] valid users option

2010-09-06 Thread grant little
On Mon, Sep 6, 2010 at 12:39 AM, DUPEYRAT, PIERRE (PIERRE)** CTR ** <
pierre.dupey...@alcatel-lucent.com> wrote:

>  Hello,
>
>
>
> I am using NIS groups , so the nsswitch.conf  is configured as a NIS
> client.
>
> passwd files nis
>
> group files nis …
>
>
>
> With the same smb.conf , it works fine with the version 3.0.30 , but not
> with version 3.0.34 , perhaps a new option to set ?
>
>
>
> Regards.
>
>
>
>

I'm not familiar with what changed between those revs but you can find out
here:
http://www.samba.org/samba/history/

best of luck.


Re: [Samba] Samba Time Server Problem

2010-09-03 Thread grant little
On Fri, Sep 3, 2010 at 4:32 AM, Ian Stirling  wrote:

> I recently reinstalled a system running Samba as a WINS/Time server and I
> can no longer get Windows systems to access it correctly.
>
> I see the following now
>
> [D:\Temp]net time \\timeserver
> System error 5 has occurred.
>
> Access is denied.
>
> I am an administrator on this system and it works OK if I point it at
> another server I know is running Samba
>
> [D:\Temp]net time \\othersystem
> Current time at \\othersystem is 9/3/2010 11:42 AM
>
> The command completed successfully.
>
> What have I missed in the Samba config on my server that is causing this
> problem.   Here is my smb.conf
> 
>
>
>
Is this any help?
http://www.mail-archive.com/samba@lists.samba.org/msg89260.html


Re: [Samba] valid users option

2010-09-03 Thread grant little
 On Thu, Sep 2, 2010 at 2:08 AM, DUPEYRAT, PIERRE (PIERRE)** CTR ** <
> pierre.dupey...@alcatel-lucent.com> wrote:
>
> Hello,
>
> I am using samba server as members of windows AD domain , with "security =
> ADS", the logins unix and windows are aligned.
> Since the version 3.0.34 , I have strange behaviour  on shares where we use
> "valid users" with unix groups it doesn't work.
>
> Nok:
> Valid users = @group1
> Valid users = +group1
>
> Still work :
> Valid users = Domain\user
> Valid users = user
>
> The bad workaround found , is to use a file users.map and add the entry
> below:
> user = domaine\user
>
> could you help me ?
> Regards.
> _____
> Pierre DUPEYRAT
>

 --

*From:* grant little [mailto:grantlid...@gmail.com]
*Sent:* Thursday, 2 September 2010 19:38
*To:* DUPEYRAT, PIERRE (PIERRE)** CTR **
*Subject:* Re: [Samba] valid users option




>  That drove me crazy figuring it out for my local system but I finally
> found it, YMMV
> this works for me
>   valid users = @ad\groupname
>   write list = @ad\groupname
> where 'ad' is the domain of my local active directory.
>
>
 On Fri, Sep 3, 2010 at 12:26 AM, DUPEYRAT, PIERRE (PIERRE)** CTR ** <
pierre.dupey...@alcatel-lucent.com> wrote:

Hello,



The problem is when i want to use unix groups  (locals or NIS).



Regards.


Allô Pierre,


maybe the problem lies in your nsswitch.conf
The sources  for  the  "databases"  and
their lookup order are specified in the /etc/nsswitch.conf file.

I'm using ldap so I have this as part of that file:
passwd: files ldap
group:  files ldap
shadow: files ldap

which says it looks first in passwd (etc) files and then ldap

you never described your setup so you might be using something different
like
passwd:  files nis

or

passwd: files winbind

But then maybe I'm way off base.
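
Added example, not part of the original thread and not Samba's own lookup code: a diagnostic for the nsswitch.conf point above and for the secondary-group question ("AD integration with multiple groups") on this page. It reports whether the name service ties a user to the group named in a `valid users` item through the primary gid, the group's member list, or the user's full group list. The uid/gid numbers are the ones from joe's `id` output in that question; `make_nss`, `HEALTHY`, `PRIMARY_ONLY` and the injectable lookup arguments are hypothetical helpers so the script runs without a domain.

```python
"""Diagnose why a 'valid users = @group' item does or does not match a user."""
import grp
import os
import pwd
from collections import namedtuple

# Minimal stand-ins for pwd/grp records, used only by the constructed demo data.
Pw = namedtuple("Pw", "pw_name pw_uid pw_gid")
Gr = namedtuple("Gr", "gr_name gr_gid gr_mem")


def group_candidates(entry):
    """Group names to try in NSS for an item such as '@MYDOM\\operations'."""
    name = entry.strip().lstrip("@+&")
    names = [name]
    if "\\" in name:
        # Assumption: an LDAP or NIS source may list the group without the
        # domain prefix, so the bare name is tried as a second candidate.
        names.append(name.split("\\", 1)[1])
    return names


def membership_report(user, entry, getpwnam=pwd.getpwnam,
                      getgrnam=grp.getgrnam, getgrouplist=os.getgrouplist):
    """Report the three ways NSS can tie `user` to the group in `entry`."""
    pw = getpwnam(user)
    for name in group_candidates(entry):
        try:
            gr = getgrnam(name)
        except KeyError:
            continue  # this spelling is unknown to NSS, try the next one
        return {
            "resolved": gr.gr_name,
            "primary": pw.pw_gid == gr.gr_gid,
            "listed": user in gr.gr_mem,
            "in_grouplist": gr.gr_gid in getgrouplist(user, pw.pw_gid),
        }
    return {"resolved": None, "primary": False,
            "listed": False, "in_grouplist": False}


def make_nss(members, extra_gids):
    """Fake lookups (constructed data) modelled on joe: uid 4001, gid 4010."""
    users = {"joe": Pw("joe", 4001, 4010)}
    groups = {
        "domain users": Gr("domain users", 4010, []),
        "IT": Gr("IT", 4011, members.get("IT", [])),
        "operations": Gr("operations", 4012, members.get("operations", [])),
    }
    return {
        "getpwnam": lambda n: users[n],
        "getgrnam": lambda n: groups[n],
        "getgrouplist": lambda n, gid: sorted({gid, *extra_gids}),
    }


# NSS source that returns secondary groups, as in joe's id output.
HEALTHY = make_nss({"IT": ["joe"], "operations": ["joe"]}, [4011, 4012])
# NSS source that only knows the primary group: the symptom in the question.
PRIMARY_ONLY = make_nss({}, [])


if __name__ == "__main__":
    for label, nss in (("healthy", HEALTHY), ("primary only", PRIMARY_ONLY)):
        for entry in ("@domain users", "@MYDOM\\operations"):
            print(label, entry, membership_report("joe", entry, **nss))
```

Called without the fake lookups, `membership_report("joe", "@MYDOM\\operations")` queries the sources configured in /etc/nsswitch.conf on the server itself.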


Re: [Samba] ldap_initialize: Bad parameter to an ldap routine

2010-09-02 Thread grant little
On Thu, Sep 2, 2010 at 12:25 AM, grant little  wrote:

> I searched and found this from Volker in 2007 same error message but the
> fix didn't fix in my case:
> http://lists.samba.org/archive/samba/2007-March/130093.html
>
> my system: ubuntu 10.04 LTS server samba 3.4.7
>
> error:
> [2010/09/01 23:57:17,  5] winbindd/idmap.c:169(smb_register_idmap)
>   Successfully added idmap backend 'ldap'
> [2010/09/01 23:57:17,  0] lib/smbldap.c:716(smb_ldap_setup_conn)
>   ldap_initialize: Bad parameter to an ldap routine
>
> global section of config
> [global]
>   unix extensions = no
>   disable spoolss = Yes
>   name resolve order = hosts
>   workgroup = AD
>   realm = AD.MYDOMAIN
>   server string = %h server (Samba, Ubuntu)
>   dns proxy = no
>   log file = /var/log/samba/log.%m
>   max log size = 1000
>   syslog = 0
>   log level = 3 passdb:0 auth:0 vfs:0 idmap:5
>   ldap debug level = 10
>   ldap debug threshold = 5
>   panic action = /usr/share/samba/panic-action %d
>   security = ads
>   kerberos method = system keytab
>   encrypt passwords = true
>   passdb backend = ldapsam:ldaps://ldap.ad.mydomain/
>   ldap ssl = off
>   ldap admin dn = CN=ucenters-ldap,ou=users,OU=UCenters,DC=AD,DC=MYDOMAIN,DC=MYTLD
>   obey pam restrictions = yes
>   unix password sync = yes
>   pam password change = no
>   map to guest = bad user
>   winbind enum groups = yes
>   winbind enum users = yes
>   idmap backend = ldap:ldap_url = ldaps://ldap.ad.mydomain/
>   idmap uid = 1-199
>   idmap gid = 1-199
>   idmap alloc backend = ldap
>   idmap alloc config : ldap_url = ldaps://ldap.ad.mydomain/
>   idmap alloc config : ldap_base_dn = OU=Users,OU=UCenters,DC=AD,DC=MYDOMAIN,DC=MYTLD
>   usershare allow guests = no
>
>
> Any hints?
>
> Thanks.
>

my test command is
wbinfo  --uid-info 1064262

OK after many permutations and combinations found it didn't like the line:
 idmap backend = ldap:ldap_url = ldaps://ldap.ad.mydomain/
but was happy with
 idmap backend = ldap:ldaps://ldap.ad.mydomain/

now it fails on
[2010/09/02 13:34:15,  3] lib/smbldap.c:1101(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2010/09/02 13:34:15,  3] winbindd/idmap_ldap.c:1014(idmap_ldap_unixids_to_sids)
  Failure looking up ids (No such object)

I've searched for that error (no hits) and looked at the source but am no
wiser.

any hints for that latest error? Could it be that ubuntu 10.04 samba 3.4.7
comes without ldapsam?


Re: [Samba] samba slow and several "Write andx Request"

2010-09-02 Thread grant little
On Thu, Sep 2, 2010 at 5:51 AM, Luca Ferrari  wrote:

> Hi all,
> I'm running version 3.0.28a on Ubuntu linux, and apparently from a day to
> another I got performance issues: without any change in smb.conf (except a few
> added shares) I have mac osx and linux clients getting a very slow
> upload/download speed. I've checked with other protocols, like scp and
> performances are good, so I can exclude a network/hardware problem.
> Other clients are still running fast (e.g., windows xp). Looking at a
> transmission dump I see a lot of "Write Andx Request" packages (and replies)
> all moving the data offset by 64 bytes, that I suspect is the cause for the
> slowing down speed. Is there some option or something I can investigate
> more?
>
> Was it always like that or is this something new?

That's a really old version of Samba to be running on Ubuntu; seems like you
might also be running a very old version of ubuntu itself.
Ubuntu 9.10 was running 3.4.0 as I recall and 10.04 is on 3.4.7. 3.0.28 is
not even recommended for windows 7
http://wiki.samba.org/index.php/Windows7
so you will soon hit that wall as well.
Perhaps the issues you are having are fixed in later releases?


[Samba] ldap_initialize: Bad parameter to an ldap routine

2010-09-02 Thread grant little
I searched and found this from Volker in 2007 same error message but the fix
didn't fix in my case:
http://lists.samba.org/archive/samba/2007-March/130093.html

my system: ubuntu 10.04 LTS server samba 3.4.7

error:
[2010/09/01 23:57:17,  5] winbindd/idmap.c:169(smb_register_idmap)
  Successfully added idmap backend 'ldap'
[2010/09/01 23:57:17,  0] lib/smbldap.c:716(smb_ldap_setup_conn)
  ldap_initialize: Bad parameter to an ldap routine

global section of config
[global]
  unix extensions = no
  disable spoolss = Yes
  name resolve order = hosts
  workgroup = AD
  realm = AD.MYDOMAIN
  server string = %h server (Samba, Ubuntu)
  dns proxy = no
  log file = /var/log/samba/log.%m
  max log size = 1000
  syslog = 0
  log level = 3 passdb:0 auth:0 vfs:0 idmap:5
  ldap debug level = 10
  ldap debug threshold = 5
  panic action = /usr/share/samba/panic-action %d
  security = ads
  kerberos method = system keytab
  encrypt passwords = true
  passdb backend = ldapsam:ldaps://ldap.ad.mydomain/
  ldap ssl = off
  ldap admin dn = CN=ucenters-ldap,ou=users,OU=UCenters,DC=AD,DC=MYDOMAIN,DC=MYTLD
  obey pam restrictions = yes
  unix password sync = yes
  pam password change = no
  map to guest = bad user
  winbind enum groups = yes
  winbind enum users = yes
  idmap backend = ldap:ldap_url = ldaps://ldap.ad.mydomain/
  idmap uid = 1-199
  idmap gid = 1-199
  idmap alloc backend = ldap
  idmap alloc config : ldap_url = ldaps://ldap.ad.mydomain/
  idmap alloc config : ldap_base_dn = OU=Users,OU=UCenters,DC=AD,DC=MYDOMAIN,DC=MYTLD
  usershare allow guests = no


Any hints?

Thanks.


[Samba] create_canon_ace_lists: unable to map SID

2010-08-31 Thread grant little
I did search and found other folks with this issue but I didn't see a
solution to my specific issue:

I am running Samba 3.4.7 on ubuntu 10.04 LTS server configured to
authenticate to active directory via Kerberos and LDAP for use with clients
from OS X and Windows (no linux clients)
On the advice of my local active directory team Winbind has been uninstalled
and everything works nicely except for not being able to set ACLs
from the windows properties security tab.
When I add a new user it shows fine in the security tab until I press apply
at which point the newly added user disappears and on the samba server
the log shows:

 smbd/posix_acls.c:1711(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID S-1-5-21-503695880-695175589-3595387526-10512 to uid or gid.

I can set and get  ACLs from linux command line on the samba share files OK
using setfacl and getfacl and those settings can be seen OK in the windows
properties security tab and I have all the recommended ACL settings in
smb.conf.
getent passwd and getent group return the AD groups and users correctly.

I read a mention of something similar here:
http://help.lockergnome.com/linux/Samba-Samba-LDAP-error-windows-xp-ACL--ftopict509241.html


but it is not clear to me from my searches or reading the documents on
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/
if
I must have winbind enabled to allow setting ACLs from windows.

Is winbind required for setting ACLs from windows?

Here's my smb.conf for reference:

[global]
  unix extensions = no
  disable spoolss = Yes
  name resolve order = hosts
  workgroup = AD
  realm = AD.MYDOMAIN
  server string = %h server (Samba, Ubuntu)
  dns proxy = no
  log file = /var/log/samba/log.%m
  max log size = 1000
  syslog = 0
  log level = 0
  logon home = ""
  logon path = ""
  panic action = /usr/share/samba/panic-action %d
  security = ads
  encrypt passwords = true
  passdb backend = tdbsam
  obey pam restrictions = yes
  unix password sync = yes
  pam password change = no
  map to guest = bad user
  usershare allow guests = no
[asgs]
  comment = ASGS
  path = /shares/asgs
  browsable = Yes
  valid users = @ad\ASGSFileUsers
  write list = @ad\ASGSFileUsers
  create mask = 2660
  force create mode = 0660
  directory mask = 2770
  force directory mode = 0770

and here's nsswitch.conf
passwd: files ldap
group:  files ldap
shadow: files ldap
hosts:  files dns
networks:   files
protocols:  db files
services:   db files
ethers: db files
rpc:        db files
netgroup:   nis

and my pam.d/samba
@include common-auth
@include common-account
@include common-session
auth required pam_unix.so nullok_secure
auth sufficient pam_krb5.so minimum_uid=1000 use_first_pass
account sufficient pam_ldap.so use_first_pass
session sufficient pam_ldap.so


Thanks for your insight.

Grant
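
Added example, not part of the original post: a small parser for the Samba log layout quoted in this thread (a bracketed timestamp and debug level, then `file.c:line(function)`, then indented message lines) that collects every SID smbd could not map to a uid or gid and groups the failures by domain SID, so the unmapped accounts can be checked against the idmap configuration. The log text is constructed for the example, with made-up SIDs and timestamps; the function names are hypothetical.

```python
"""Summarise SID-to-uid/gid mapping failures in Samba 3.x style log text."""
import re

# Record header, e.g.
# "[2010/08/31 10:02:40,  0] smbd/posix_acls.c:1711(create_canon_ace_lists)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,"
    r"\s*(?P<level>\d+)[^\]]*\]"
    r"\s*(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
UNMAPPED = re.compile(r"unable to map SID\s+(S-1-\d+(?:-\d+)+)\s+to uid or gid")

# Constructed sample log: message wording follows the lines quoted in the
# thread, SIDs and timestamps are invented.
SAMPLE_LOG = """\
[2010/08/31 10:01:58,  3] lib/smbldap.c:1101(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2010/08/31 10:02:40,  0] smbd/posix_acls.c:1711(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID
  S-1-5-21-1111111111-2222222222-3333333333-1105 to uid or gid.
[2010/08/31 10:03:05,  0] smbd/posix_acls.c:1711(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID S-1-5-21-1111111111-2222222222-3333333333-1105 to uid or gid.
[2010/08/31 10:07:52,  0] smbd/posix_acls.c:1711(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID S-1-5-21-1111111111-2222222222-3333333333-1234 to uid or gid.
[2010/09/02 13:34:15,  3] winbindd/idmap_ldap.c:1014(idmap_ldap_unixids_to_sids)
  Failure looking up ids (No such object)
"""


def parse_records(text):
    """Group each header line with its message lines into one record."""
    records = []
    for raw in text.splitlines():
        match = HEADER.match(raw)
        if match:
            rec = match.groupdict()
            rec["level"] = int(rec["level"])
            rec["msg"] = ""
            records.append(rec)
        elif records and raw.strip():
            # Continuation line: a wrapped message is joined back into one string.
            rec = records[-1]
            rec["msg"] = (rec["msg"] + " " + raw.strip()).strip()
    return records


def unmapped_sids(records):
    """Map each unmapped SID to its hit count and first/last timestamp."""
    hits = {}
    for rec in records:
        match = UNMAPPED.search(rec["msg"])
        if match:
            entry = hits.setdefault(
                match.group(1), {"count": 0, "first": rec["ts"], "last": rec["ts"]})
            entry["count"] += 1
            entry["last"] = rec["ts"]
    return hits


def by_domain(hits):
    """Group unmapped SIDs as {domain SID: sorted list of RIDs}."""
    grouped = {}
    for sid in hits:
        domain, rid = sid.rsplit("-", 1)
        grouped.setdefault(domain, []).append(int(rid))
    return {domain: sorted(rids) for domain, rids in grouped.items()}


def idmap_failures(records):
    """Timestamps of idmap lookups that failed outright."""
    return [r["ts"] for r in records
            if r["func"].startswith("idmap_") and "Failure looking up ids" in r["msg"]]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for sid, info in unmapped_sids(recs).items():
        print(sid, info)
    print(by_domain(unmapped_sids(recs)), idmap_failures(recs))
```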


[Samba] Users mapping in security tab

2010-08-25 Thread grant little
-- Forwarded message --
From: grant little 
Date: Wed, Aug 25, 2010 at 10:19 PM
Subject: Re: [Samba] Users mapping in security tab
To: tizo 




On Mon, Aug 23, 2010 at 7:37 AM, tizo  wrote:

>
>> it seems like it may be a case of windows not knowing how to handle Unix
>> User\username
>>
>>
> Grant,
>
> I guess that Windows should not know how to handle them. Instead, Samba
> should made the mapping (at least in my case, as the Unix user is a real
> Unix user, and his UID is not set in the Windows Domain).
>
> Anyone else has had this problem?
>
> Thanks,
>
> tizo
>
Looks like at least with Samba 3.X it can't be done
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html#id2613459

Maybe this is improved with Samba 4 I don't know...


Re: [Samba] Users mapping in security tab

2010-08-21 Thread grant little
On Fri, Aug 20, 2010 at 9:57 AM, tizo  wrote:

> Hi there,
>
> I have a Samba installation acting as a Domain Member with a disk share (the
> partition is mounted with acl and user_xattr options). I am not using
> winbind, because I want the domain users to be mapped to Unix users.
> Everything works right, excepting the users in the Windows Explorer security
> tab. I will try to explain the situation with an example.
>
> I have username map, that maps Administrator and domainuser into root and
> unixuser respectively. I also have another user that do not need the
> mapping, as the username is the same in both systems. The three users can
> login correctly to the share, and when a user creates a file, the owner of
> the new file is the mapped user corresponding to the logged user.
>
> The problem arises in the Windows Explorer security tab of a file. The users
> seen there, are the Unix users and not the domain ones; for example, I can
> see something like "unixuser (Unix User\unixuser)" or for groups "unixgroup
> (Unix Group\unixgroup)". I can modify the permissions of an entry here (and
> the modifications can be seen in the Posix ACLs in the file), but I cannot
> add another user. For example, in a file that I do not have the unixuser
> entry, I click the Add button, search for domainuser (of course, unixuser
> cannot be obtained from here), add him, set some permissions, and when I
> click "Apply" the new entry disappears. In that moment, the Samba log says
> something like (and the symptoms are the same for the users in the map, and
> for the user that have the same username on both systems):
>
> smbd/posix_acls.c:create_canon_ace_lists(1510)
>  create_canon_ace_lists: unable to map SID
> X-X-X-XX-XX-XX-XX- to uid or gid.
>
> So, I guess that Samba is not using the same mechanism for the login, than
> for administering ACLs. Maybe that is not possible; I simply do not know
> because I am relatively new to Samba. Can someone explain how Samba should
> work with the security tab?. Shouldn't it map users in both directions so
> from Windows only domain users can be seen?
>
> My smb.conf:
>
> [global]
>    workgroup = DUMMY
>    netbios name = PRUEBA-ARCHIVOS
>    server string = %h (Samba %v)
>    security = DOMAIN
>    username map = /etc/samba/mapeousuarios
>    log level = 2
>    syslog = 0
>    log file = /var/log/samba/log.%m
>    max log size = 1000
>    name resolve order = wins host bcast
>    wins server = 192.168.X.X, 192.168.X.X
>    panic action = /usr/share/samba/panic-action %d
>
> [datos-usu]
>    path = /exports/datos
>    read only = No
>    map acl inherit = Yes
>    store dos attributes = Yes
>
> Thanks very much,
>
> tizo
>
>
Tizo,

I found the exact same thing using ldap/kerberos with security=ads and with
winbind disabled

I can set ACLs fine on the files from linux via setfacl and they show that
way when viewed from windows in the security tab but  as
Unix User\username

it seems like it may be a case of windows not knowing how to handle Unix
User\username

here's my smb.conf for comparison (note am running a fileserver only, no
printers):
-
[global]
  # workaround symlink bug with wide links 2-5-2010
  unix extensions = no

  disable spoolss = Yes
  name resolve order = hosts
  workgroup = AD
  realm = AD.MYDOMAIN.EDU
  server string = %h server (Samba, Ubuntu)
  dns proxy = no
  log file = /var/log/samba/log.%m
  max log size = 1000
  syslog = 0
  panic action = /usr/share/samba/panic-action %d
  security = ads
  encrypt passwords = true
  passdb backend = tdbsam
  obey pam restrictions = yes
  unix password sync = yes
  pam password change = no
  map to guest = bad user
  usershare allow guests = no
[sharename]
  comment = SHARENAME
  path = /shares/sharename
  browsable = Yes
  valid users = @ad\CertainFileUsers
  write list = @ad\CertainFileUsers
  create mask = 2660
  force create mode = 0660
  directory mask = 2770


there's a bunch of ACL flags shown in man smb.conf that I'm not at all sure
how to use and it may be that this is just a windows problem in that windows
might not be able to easily specify the Unix User of a file even when that
is an AD user with the uid set.

some of these may affect this:
acl group control
dos filemode
nt acl support (default=yes)

this might also have something to do with the behavior:
username level


I'm hoping that someone who knows more about this might comment.

Cheers,
Grant
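
An added example, not taken from any post in this thread: a small audit that parses an smb.conf and reports, per share, whether access is limited by `valid users` (as in the `[sharename]` section above) or left open to any authenticated user (as in `[datos-usu]`). The sample configuration is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the two smb.conf files quoted in the thread.
SAMPLE_SMB_CONF = r"""
[global]
   workgroup = AD
   security = ads
   map to guest = bad user

[datos-usu]
   path = /exports/datos
   read only = No
   ; valid users = @ad\SomeGroup   (commented out, so it has no effect)

[sharename]
   path = /shares/sharename
   valid users = @ad\CertainFileUsers
   write list = @ad\CertainFileUsers
"""

TRUE_WORDS = {"yes", "true", "1"}


def normalise(name):
    """smb.conf ignores case and whitespace in parameter names."""
    return "".join(name.lower().split())


def parse_smb_conf(text):
    """Return {section: {parameter: value}} for an smb.conf document."""
    sections = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):           # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":   # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[normalise(key)] = value.strip()
    return sections


def split_names(value):
    """Split a user/group list on commas and whitespace."""
    return [n for n in re.split(r"[,\s]+", value.strip()) if n]


def audit_shares(sections):
    """One finding per share; [global] values act as share defaults."""
    defaults = sections.get("global", {})
    findings = []
    for share, params in sections.items():
        if share == "global":
            continue
        eff = {**defaults, **params}
        valid = split_names(eff.get("validusers", ""))
        findings.append({
            "share": share,
            "valid_users": valid,
            # '@', '+' and '&' prefixes mark group or netgroup entries.
            "groups": [n for n in valid if n.startswith(("@", "+", "&"))],
            "write_list": split_names(eff.get("writelist", "")),
            "read_only": eff.get("readonly", "yes").lower() in TRUE_WORDS,
            "guest_ok": eff.get("guestok", "no").lower() in TRUE_WORDS,
            # An empty 'valid users' list means any user who can log in
            # may connect to the share.
            "open_to_any_user": not valid,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_shares(parse_smb_conf(SAMPLE_SMB_CONF)):
        state = "OPEN" if finding["open_to_any_user"] else "restricted"
        print(f"{finding['share']:<12} {state:<10} "
              f"valid users={finding['valid_users']} "
              f"read only={finding['read_only']}")
```

The parser only looks at the `read only` and `guest ok` spellings; synonyms such as `writable` or `public` are not resolved here.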


Re: [Samba] windows users can login but OS X users cannot

2010-07-29 Thread grant little
On Sun, Feb 21, 2010 at 2:32 AM, grant little  wrote:

> ~:=) woohoo! I am pleased to report,  that samba 3.5.0rc3,  just released
> yesterday for debian, appears to have fixed this problem.
> I just installed the experimental version of that and at least on the
> initial test I just did, I can now login  to the same share from both
> windows clients and OS X with winbind not running on the samba server. I
> have more tests to do but it is looking good so far. Thanks to all the samba
> and debian teams for making my life a little easier.
>
> I was previously stuck in a rut between using centos 5.4 with samba 3.0.33
> that worked from both clients but centos 5.4 would not support having the
> operating system on GPT hard drives and ubuntu 9.10 which would support GPT
> hard drives but had a buggy version of samba as previously described.
> So thanks for lifting me out of the rut and I look forward to the 3.5.0
> final release version.
>
>
> On Sat, Feb 20, 2010 at 1:31 PM, grant little wrote:
>
>> Thanks Alex.
>> I'm not using winbind, just kerberos and LDAP and I have in all cases
>> tried both domain\username as well as username.
>>
>> Here's a better dump of the ip log that happens on a failed login attempt
>> that seems to show that the authentication is OK from os x:
>> [2010/02/20 13:13:17,  3] smbd/process.c:1453(process_smb)
>>   Transaction 2 of length 366 (0 toread)
>> [2010/02/20 13:13:17,  3] smbd/process.c:1272(switch_message)
>>   switch message SMBsesssetupX (pid 6039) conn 0x0
>> [2010/02/20 13:13:17,  3] smbd/sec_ctx.c:310(set_sec_ctx)
>>
>>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2010/02/20 13:13:17,  3] smbd/sesssetup.c:1404(reply_sesssetup_and_X)
>>   wct=12 flg2=0xc801
>> [2010/02/20 13:13:17,  3]
>> smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
>>   Doing spnego session setup
>> [2010/02/20 13:13:17,  3]
>> smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
>>   NativeOS=[Mac OS X 10.6] NativeLanMan=[SMBFS 1.6.0] PrimaryDomain=[]
>> [2010/02/20 13:13:17,  3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
>>   Got user=[grant] domain=[AD] workstation=[GRANT] len1=24 len2=126
>> [2010/02/20 13:13:19,  3] smbd/oplock.c:911(init_oplocks)
>>   init_oplocks: initializing messages.
>> [2010/02/20 13:13:19,  3]
>> smbd/oplock_linux.c:219(linux_init_kernel_oplocks)
>>   Linux kernel oplocks enabled
>> [2010/02/20 13:13:19,  3] smbd/process.c:1453(process_smb)
>>
>>   Transaction 0 of length 51 (0 toread)
>> [2010/02/20 13:13:19,  3] smbd/process.c:1272(switch_message)
>>   switch message SMBnegprot (pid 6040) conn 0x0
>> [2010/02/20 13:13:19,  3] smbd/sec_ctx.c:310(set_sec_ctx)
>>
>>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2010/02/20 13:13:19,  3] smbd/negprot.c:567(reply_negprot)
>>
>>   Requested protocol [NT LM 0.12]
>> [2010/02/20 13:13:19,  3] smbd/negprot.c:387(reply_nt1)
>>   using SPNEGO
>> [2010/02/20 13:13:19,  3] smbd/negprot.c:672(reply_negprot)
>>
>>   Selected protocol NT LM 0.12
>> [2010/02/20 13:13:21,  3] smbd/sec_ctx.c:310(set_sec_ctx)
>>
>>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>>  [2010/02/20 13:13:21,  3] smbd/connection.c:31(yield_connection)
>>   Yielding connection to
>> [2010/02/20 13:13:21,  3] smbd/server.c:848(exit_server_common)
>>
>>   Server exit (failed to receive smb request)
>> --
>> what's weird is that there's no sign of the login in auth.log only the
>> test via windows client a few seconds before:
>> Feb 20 13:12:14 servername smbd[6033]: pam_unix(samba:session): session
>> opened for user grant by (uid=0)
>> Feb 20 13:12:24 servername smbd[6033]: pam_unix(samba:session): session
>> closed for user grant
>> after that nothing...
>>
>>
>> On Sat, Feb 20, 2010 at 11:17 AM, Alex Ferrara 
>> wrote:
>>
>>> I have seen this behaviour recently using Samba 3.4.5 from the Lucid tree
>>> on Ubuntu 9.10
>>>
>>> Try using domain\username for the username
>>>
>>> To me, it appears to be a bug in winbind not using the default domain,
>>> but I could be wrong.
>>>
>>> Sent from my iPhone
>>>
>>>
>>> On 20/02/2010, at 8:29 PM, grant little  wrote:
>>>
>>>  Hello,
>>>> having spent many hours scouring archives, docs, books and googling
>>>> without
>>>> finding an answer I need to ask your help on this.
>>>>
>>>> running samba 3.4.0-3ubuntu5.3 on ubuntu 9.10 server, client users can
>>>
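
An added example, not part of any message in this thread: a parser for the smbd log layout quoted above that pulls out NTLMSSP authentication attempts, server exit reasons and "unable to map SID" messages, and copes with mail-wrapped headers and `>` quote prefixes. The first three sample entries are copied from the log above; the last entry and its SID are constructed, and the function names are hypothetical.

```python
import re

# Sample smbd log: first three entries as quoted in the thread, the last one
# constructed (placeholder SID) in the same header layout.
SAMPLE_LOG = """\
[2010/02/20 13:13:17,  3] smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2010/02/20 13:13:17,  3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
  Got user=[grant] domain=[AD] workstation=[GRANT] len1=24 len2=126
[2010/02/20 13:13:21,  3] smbd/server.c:848(exit_server_common)
  Server exit (failed to receive smb request)
[2010/02/20 13:14:02,  2] smbd/posix_acls.c:1510(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID S-1-5-21-0-0-0-1000 to uid or gid.
"""

QUOTE = re.compile(r"^(?:>\s?)+")                      # mail quote markers
STAMP_ONLY = re.compile(r"^\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d,\s*\d+\]$")
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)$"
)
AUTH = re.compile(r"Got user=\[(.*?)\] domain=\[(.*?)\] workstation=\[(.*?)\]")
UNMAPPED = re.compile(r"unable to map SID (\S+) to uid or gid")
EXIT = re.compile(r"Server exit \((.*)\)")


def parse_smbd_log(text):
    """Return a list of records: one per log header plus its message text."""
    records = []
    held = ""                     # timestamp part of a header wrapped by mail
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()
        if not line:
            continue
        if held:
            line, held = held + line, ""
        if STAMP_ONLY.match(line):
            held = line + " "     # header continues on the next line
            continue
        m = HEADER.match(line)
        if m:
            rec = m.groupdict()
            rec["level"] = int(rec["level"])
            rec["line"] = int(rec["line"])
            rec["message"] = ""
            records.append(rec)
        elif records:
            # Message lines (possibly wrapped) belong to the last header.
            last = records[-1]
            last["message"] = (last["message"] + " " + line).strip()
    return records


def triage(records):
    """Collect the events worth a second look from parsed records."""
    report = {"auth_attempts": [], "unmapped_sids": [], "exits": []}
    for rec in records:
        msg = rec["message"]
        m = AUTH.search(msg)
        if m:
            report["auth_attempts"].append((rec["ts"],) + m.groups())
        m = UNMAPPED.search(msg)
        if m:
            report["unmapped_sids"].append(m.group(1))
        m = EXIT.search(msg)
        if m:
            report["exits"].append((rec["ts"], m.group(1)))
    return report


if __name__ == "__main__":
    for kind, items in triage(parse_smbd_log(SAMPLE_LOG)).items():
        print(kind, items)
```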

Re: [Samba] Access from an AD group

2010-07-19 Thread grant little
On Sun, Jul 18, 2010 at 1:39 AM, Thierry CONSTANT  wrote:

> Hi,
>
> I am using samba 3.0.24
>
> Is it possible to grant access to a samba share
> to an Active Directory group ?
>
yes. look at the various docs. There's a bunch of ways to do this.

>
> I have a samba share, I want an AD group can access
> it (read) without a password, is it possible ?
>
maybe, depends on the client accessed from. From OS X you'll need a
password most every time but from windows if you are already logged into a
windows domain as an AD user then once things are set up on samba you can
connect without further authentication.

BTW with that version of samba you may have problems with windows 7 clients,
I'm not sure exactly what versions are needed, you need to look on the wiki


Re: [Samba] net ads testjoin

2010-07-06 Thread grant little
On Tue, Jul 6, 2010 at 10:01 AM,  wrote:

>
>
>
>
> On Tuesday 06/07/2010 at 8:03 am, Khaled Blah  wrote:
>
>  It seems you didn't even read my initial question. Quoting myself here:
>>
>
> It seems you are asking for the answer to the ultimate question, the answer
> of which is 42.  However, you haven't asked THE question.
>
>
>>
>>
>> 
>> Now, I use "net" to join Windows AD domains and was wondering where I
>> can find out more information on what happens during a "net ads
>> testjoin".
>>
> It tests the validity of the Samba server's AD machine account status. You
> can see what's happening with wireshark or other packet sniffer.
>
>
>> The information I found on the documentation pages of net
>> or smb.conf on the website did not say much about it. I have noticed
>> that a "testjoin" will ask for a password when the domain membership
>> is not valid and it'll ignore kerberos tickets. Is there something I
>> am missing here?
>>
>
> I dunno, what are you looking for?
>
>
>>
>> 
>>
>> Regards,
>> Khaled
>>
>> 2010/7/6  :
>>
>>>
>>>
>>>
>>>
>>> SNIP
>>>
>>> Is there anyone who can help with this question?
>>>
>>> prism# net ads testjoin
>>> Join is OK
>>>
>>> That's about it.  Pretty simple.
>>>
>>>
>>> Regards,
>>> Khaled
>>>
>>
>
>
You may find some information in chapter 10 of the book Using Samba by
Gerald Carter; Jay Ts; Robert Eckstein


Re: [Samba] smbd start trouble - CentOS 5.4

2010-05-27 Thread grant little
On Thu, May 27, 2010 at 1:16 AM, Moray Henderson <
moray.hender...@ict-software.org> wrote:

> Whit Blauvelt wrote:
> >With smbd Version 3.0.33-3.14.el5 on two different CentOS 5.4 64-bit
> boxes,
> >"/etc/init.d/smb start" reports OK for both nmbd and smbd, but an
> instant
> >later smbd stops running, with no errors reported - just fails, no
> matter
> >what logging level is requested of it. Also, "service smb start" fails.
> >
> >On the other hand, "smbd -D" starts and runs smbd just fine, if done
> from
> >a
> >console. Also "sh /etc/init.d/smb start" runs it just fine, if from a
> >console. (sh = bash on CentOS, and the smb script itself specifies
> >/bin/sh.)
>
> That feels as if it could be an SELinux problem.  If your initscript has
> been edited and picked up the wrong context, smbd will not have all the
> permissions it normally gets.  Try
>
>  ls -Z /etc/rc.d/init.d/smb
>  restorecon -v /etc/rc.d/init.d/smb
>
>
> Moray.
> "To err is human.  To purr, feline"
>
>
To test if it is selinux you might try with selinux set to permissive.  I
had all kinds of troubles getting samba 3.0.33 working on centos 5.4, 64-bit
until I tried that. Good luck.


Re: [Samba] Can join AD 2003 domain; can't list shares from other servers

2010-04-24 Thread grant little
Also you say that other systems work fine. Are they the same version of
samba on the same OS and version? As in are we comparing apples with
apples...

On Sat, Apr 24, 2010 at 12:14 PM, grant little wrote:

> maybe, but have you also tried
> smbclient -L workhorse  -Uturgon
>
>
> On Fri, Apr 23, 2010 at 3:58 PM, Michael Leone wrote:
>
>> No, dim-win2300 knows who turgon is. ;-) in fact, I am logged in on
>> the console of dim-win2300 right now. And turgon is a Domain Admin. It
>> was the account I used to join the laptop to the domain with. And it
>> did join, as I see the laptop machine account in AD. So I think it
>> must be something else ...
>>
>>
>> On 4/23/10, grant little  wrote:
>> > On Fri, Apr 23, 2010 at 10:14 AM, Mike Leone 
>> wrote:
>> >
>> >> I set up an old laptop with Xubuntu 9.10. I configured Samba as to work
>> >> with my Win2003 AD domain that has MS Services for Unix installed.
>> >>
>> >> I can get a Kerberos ticket. I successfully added the laptop to the AD
>> >> domain. wbinfo -a shows me all users, domain and local. wbinfo -g shows
>> me
>> >> all groups. wbinfo -a user%password returns successfully. "getent
>> passwd"
>> >>  works as expected - I see local users, and domain users.
>> >>
>> >> "net ads info" works correctly, returning info.
>> >>
>> >> LDAP server: 10.0.0.60
>> >> LDAP server name: dim-win2300.DaCrib.local
>> >> Realm: DACRIB.LOCAL
>> >> Bind Path: dc=DACRIB,dc=LOCAL
>> >> LDAP port: 389
>> >> Server time: Fri, 23 Apr 2010 13:12:53 EDT
>> >> KDC server: 10.0.0.60
>> >> Server time offset: 1
>> >>
>> >> And yet:
>> >>
>> >> $ smbclient -L workhorse
>> >> Enter turgon's password:
>> >> session setup failed: NT_STATUS_ACCESS_DENIED
>> >>
>> >> I have no idea why it's failing; I'm not seeing anything in the samba
>> or
>> >> winbind logs. (workhorse is Ubuntu 9.10, configured as a domain member
>> >> server)
>> >>
>> >> I can do the reverse; from "workhorse" I can see all the shares on the
>> >> laptop:
>> >>
>> >> tur...@workhorse:~$ smbclient -L turgon-laptop
>> >> Enter turgon's password:
>> >> Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]
>> >>
>> >>Sharename   Type  Comment
>> >>-     ---
>> >>IPC$IPC   IPC Service (turgon-laptop server
>> (Samba
>> >> 3.4.0, Domain: DACRIB, Server: turgon-laptop - NT1))
>> >>print$  Disk  Printer Drivers
>> >> Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]
>> >>
>> >>Server   Comment
>> >>----
>> >>TURGON-LAPTOPturgon-laptop server (Samba 3.4.0, Domain:
>> ,
>> >> Ser
>> >>
>> >>WorkgroupMaster
>> >>----
>> >>DACRIB
>> >>
>> >> Hints as to where to go next? It must be something wrong on this
>> specific
>> >> laptop, since it works from my other server,
>> >> but I dunno where, since all the other tests work. Firewall is off, on
>> >> both machines.
>> >>
>> >> ===
>> >> smb.conf:
>> >>
>> >> [global]
>> >>workgroup = DACRIB
>> >>realm = DACRIB.LOCAL
>> >>server string = %h server (Samba %v, Domain: %D, Server: %L - R)
>> >>security = ads
>> >>map to guest = Bad User
>> >>
>> >>client use spnego = true
>> >>client ntlmv2 auth = yes
>> >>
>> >>eventlog list = Application System Security SyslogLinux
>> >>
>> >> # PAM AUTH
>> >>encrypt passwords = yes
>> >>obey pam restrictions = Yes
>> >>pam password change = true
>> >>password server = dim-win2300.DaCrib.local
>> >>passwd program = /usr/bin/passwd %u
>> >>passwd chat = *Enter\snew\s*\spassword:* %n\n
>> >> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>> >>un

Re: [Samba] Can join AD 2003 domain; can't list shares from other servers

2010-04-24 Thread grant little
maybe, but have you also tried
smbclient -L workhorse  -Uturgon

On Fri, Apr 23, 2010 at 3:58 PM, Michael Leone wrote:

> No, dim-win2300 knows who turgon is. ;-) in fact, I am logged in on
> the console of dim-win2300 right now. And turgon is a Domain Admin. It
> was the account I used to join the laptop to the domain with. And it
> did join, as I see the laptop machine account in AD. So I think it
> must be something else ...
>
>
> On 4/23/10, grant little  wrote:
> > On Fri, Apr 23, 2010 at 10:14 AM, Mike Leone 
> wrote:
> >
> >> I set up an old laptop with Xubuntu 9.10. I configured Samba as to work
> >> with my Win2003 AD domain that has MS Services for Unix installed.
> >>
> >> I can get a Kerberos ticket. I successfully added the laptop to the AD
> >> domain. wbinfo -a shows me all users, domain and local. wbinfo -g shows
> me
> >> all groups. wbinfo -a user%password returns successfully. "getent
> passwd"
> >>  works as expected - I see local users, and domain users.
> >>
> >> "net ads info" works correctly, returning info.
> >>
> >> LDAP server: 10.0.0.60
> >> LDAP server name: dim-win2300.DaCrib.local
> >> Realm: DACRIB.LOCAL
> >> Bind Path: dc=DACRIB,dc=LOCAL
> >> LDAP port: 389
> >> Server time: Fri, 23 Apr 2010 13:12:53 EDT
> >> KDC server: 10.0.0.60
> >> Server time offset: 1
> >>
> >> And yet:
> >>
> >> $ smbclient -L workhorse
> >> Enter turgon's password:
> >> session setup failed: NT_STATUS_ACCESS_DENIED
> >>
> >> I have no idea why it's failing; I'm not seeing anything in the samba or
> >> winbind logs. (workhorse is Ubuntu 9.10, configured as a domain member
> >> server)
> >>
> >> I can do the reverse; from "workhorse" I can see all the shares on the
> >> laptop:
> >>
> >> tur...@workhorse:~$ smbclient -L turgon-laptop
> >> Enter turgon's password:
> >> Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]
> >>
> >>Sharename   Type  Comment
> >>-     ---
> >>IPC$IPC   IPC Service (turgon-laptop server
> (Samba
> >> 3.4.0, Domain: DACRIB, Server: turgon-laptop - NT1))
> >>print$  Disk  Printer Drivers
> >> Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]
> >>
> >>Server   Comment
> >>----
> >>TURGON-LAPTOPturgon-laptop server (Samba 3.4.0, Domain: ,
> >> Ser
> >>
> >>WorkgroupMaster
> >>----
> >>DACRIB
> >>
> >> Hints as to where to go next? It must be something wrong on this
> specific
> >> laptop, since it works from my other server,
> >> but I dunno where, since all the other tests work. Firewall is off, on
> >> both machines.
> >>
> >> ===
> >> smb.conf:
> >>
> >> [global]
> >>workgroup = DACRIB
> >>realm = DACRIB.LOCAL
> >>server string = %h server (Samba %v, Domain: %D, Server: %L - R)
> >>security = ads
> >>map to guest = Bad User
> >>
> >>client use spnego = true
> >>client ntlmv2 auth = yes
> >>
> >>eventlog list = Application System Security SyslogLinux
> >>
> >> # PAM AUTH
> >>encrypt passwords = yes
> >>obey pam restrictions = Yes
> >>pam password change = true
> >>password server = dim-win2300.DaCrib.local
> >>passwd program = /usr/bin/passwd %u
> >>passwd chat = *Enter\snew\s*\spassword:* %n\n
> >> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> >>unix password sync = Yes
> >>
> >>log level = 3
> >>syslog = 0
> >>log file = /var/log/samba/log.%m
> >>max log size = 1000
> >>
> >>domain master = No
> >>local master = No
> >>os level = 2
> >>
> >>dns proxy = No
> >>usershare allow guests = Yes
> >>panic action = /usr/share/samba/panic-action %d
> >>
> >> # WINBIND
> >>
> >>idmap config DACRIB: default = true
> >>   

Re: [Samba] Samba Secondary Groups

2010-04-23 Thread grant little
On Fri, Apr 23, 2010 at 1:11 AM, David van Laatum wrote:

> 
> Only thing I've noticed is that I can't seem to change permissions from
> windows
> on a file/directory unless I personally own the file but not sure if that's
> a
> samba problem or a file system thing?
> 
>

I'm no windows expert, far from it, but I think you need to be granted
specific security permissions for that file to be able to change permissions
on that file. Even in a windows server share if you right-click on a file
and choose properties/security then there is a group of folks who can do
various things as denoted by the checked items in the dialog that comes up.
Access Control Lists can get quite complicated and I do know that later
versions of Samba have improved ACLs over earlier so it may be a combination
of windows and Samba that you are dealing with.


Re: [Samba] Can join AD 2003 domain; can't list shares from other servers

2010-04-23 Thread grant little
On Fri, Apr 23, 2010 at 10:14 AM, Mike Leone  wrote:

> I set up an old laptop with Xubuntu 9.10. I configured Samba as to work
> with my Win2003 AD domain that has MS Services for Unix installed.
>
> I can get a Kerberos ticket. I successfully added the laptop to the AD
> domain. wbinfo -a shows me all users, domain and local. wbinfo -g shows me
> all groups. wbinfo -a user%password returns successfully. "getent passwd"
>  works as expected - I see local users, and domain users.
>
> "net ads info" works correctly, returning info.
>
> LDAP server: 10.0.0.60
> LDAP server name: dim-win2300.DaCrib.local
> Realm: DACRIB.LOCAL
> Bind Path: dc=DACRIB,dc=LOCAL
> LDAP port: 389
> Server time: Fri, 23 Apr 2010 13:12:53 EDT
> KDC server: 10.0.0.60
> Server time offset: 1
>
> And yet:
>
> $ smbclient -L workhorse
> Enter turgon's password:
> session setup failed: NT_STATUS_ACCESS_DENIED
>
> I have no idea why it's failing; I'm not seeing anything in the samba or
> winbind logs. (workhorse is Ubuntu 9.10, configured as a domain member
> server)
>
> I can do the reverse; from "workhorse" I can see all the shares on the
> laptop:
>
> tur...@workhorse:~$ smbclient -L turgon-laptop
> Enter turgon's password:
> Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]
>
>Sharename   Type  Comment
>-     ---
>IPC$IPC   IPC Service (turgon-laptop server (Samba
> 3.4.0, Domain: DACRIB, Server: turgon-laptop - NT1))
>print$  Disk  Printer Drivers
> Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]
>
>Server   Comment
>----
>TURGON-LAPTOPturgon-laptop server (Samba 3.4.0, Domain: ,
> Ser
>
>WorkgroupMaster
>----
>DACRIB
>
> Hints as to where to go next? It must be something wrong on this specific
> laptop, since it works from my other server,
> but I dunno where, since all the other tests work. Firewall is off, on
> both machines.
>
> ===
> smb.conf:
>
> [global]
>workgroup = DACRIB
>realm = DACRIB.LOCAL
>server string = %h server (Samba %v, Domain: %D, Server: %L - R)
>security = ads
>map to guest = Bad User
>
>client use spnego = true
>client ntlmv2 auth = yes
>
>eventlog list = Application System Security SyslogLinux
>
> # PAM AUTH
>encrypt passwords = yes
>obey pam restrictions = Yes
>pam password change = true
>password server = dim-win2300.DaCrib.local
>passwd program = /usr/bin/passwd %u
>passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>unix password sync = Yes
>
>log level = 3
>syslog = 0
>log file = /var/log/samba/log.%m
>max log size = 1000
>
>domain master = No
>local master = No
>os level = 2
>
>dns proxy = No
>usershare allow guests = Yes
>panic action = /usr/share/samba/panic-action %d
>
> # WINBIND
>
>idmap config DACRIB: default = true
>idmap uid = 1-2
>idmap gid = 1-2
>idmap config DACRIB:schema_mode = rfc2307
>
>winbind enum users = Yes
>winbind enum groups = Yes
>winbind use default domain = Yes
>winbind nested groups = Yes
>winbind refresh tickets = true
>winbind nss info = rfc2307
>winbind separator = +
>
>template homedir = /home/%D/%u
>template shell = /bin/bash
>
> ;   invalid users = root
>create mask = 0700
>directory mask = 0775
>writable = Yes
>enable privileges = Yes
>restrict anonymous = 2
>
>wide links = no
>
>socket options = TCP_NODELAY
>
>
> --
>
I get the exact same thing happening on my Ubuntu 9.10 currently running
3.5.0rc2 (until I figure out how to manage 3.5.2 on Ubuntu 9.10)

However if I do
smbclient -L mysambaserver  -UanADuserthatcanlogintothisserver

it works just fine and returns the goods. So my guess is that
dim-win2300.DaCrib.local doesn't know who turgon is...


Re: [Samba] Samba Secondary Groups

2010-04-19 Thread grant little
I had that problem with samba 3.4.X on ubuntu 9.10,  the only way I could
get it to work was to use 777 folder permissions as you describe. The fix
for me was to go to samba 3.5.X which fixed that and several other problems
like not being able to login to samba from OS X.
 Tried the same on a CENTOS 5.4 install as well and it works for SAMBA
3.0.33 with 770 folder permissions. Maybe a samba upgrade might fix what
ails you but be careful what you upgrade to...


On Sun, Apr 18, 2010 at 10:19 PM, David van Laatum wrote:

> This has been bugging me for years but never got around to spending a lot
> of time on it until I now want/need to use it for work stuff.
>
> Problem is simple I get access denied when trying to create a file in a
> directory that is not owned by me or my primary group that doesn't have
> world writable permissions. I've also had similar issues with NFS mounts
> where I can't move/create/delete files via
> nfs but works fine if I do it on the local machine even though I am the
> same user in the same groups. All relevant info I can think of follows let
> me know if anything else is needed. Spent all morning looking for an answer
> but only found hints of similar but not
> applicable problems.
>
> [14:14:36 r...@adl-nas-01 filestore]# smbd -V
> Version 3.2.5
> [14:28:42 r...@adl-nas-01 filestore]# uname -a
> Linux adl-nas-01 2.6.26-2-amd64 #1 SMP Tue Mar 9 22:29:32 UTC 2010 x86_64
> GNU/Linux
> [14:28:42 r...@adl-nas-01 filestore]# cat /etc/debian_version
> 5.0.4
>
> [global]
>   security = ads
>   workgroup = VALEX
>   server string = File Store
>   realm = VALEX.LOCAL
>   password server = ldap.valex.local
>   wins server = 172.16.0.150
>   dns proxy = no
>   log file = /var/log/samba/log.%m
>   max log size = 100
>   log level = 3
>   syslog = 1
>   panic action = /usr/share/samba/panic-action %d
>   encrypt passwords = yes
>   printing = bsd
>   printcap name = /etc/printcap
>   idmap backend = ad
>   passdb backend = tdbsam
>   idmap uid = 100-9
>   idmap gid = 100-90
>   winbind cache time = 300
>   winbind nss info = rfc2307
>   winbind enum groups = yes
>   winbind enum users = yes
>   winbind use default domain = yes
>   winbind separator = /
>   winbind nested groups = yes
>   template homedir = /home/%U/homedir
>   template shell = /bin/bash
>   debug uid = yes
>
> [Accounts]
>  comment = Accounts Stuff
>  path = /filestore/accounts
>  guest ok = no
>  browseable = yes
> ;  valid users = @VALEX/vxAccounts @VALEX/vxSystems
>  create mask = 0660
>  directory mask = 0770
>  fstype = EXT3
> ;  force group = +...@valex/vxAccounts
>
> [14:32:58 r...@adl-nas-01 filestore]# id dvanlaatum
> uid=10440(dvanlaatum) gid=2(vxsystems)
> groups=2(vxsystems),20002(domain admins),20003(domain
> users),20001(vxallusers),5006(BUILTIN/administrators),5007(BUILTIN/users)
>
> [14:35:02 r...@adl-nas-01 filestore]# ls -ald /filestore/accounts/
> drwxrwxr-x 3 root vxallusers 4096 2010-04-19 11:32 /filestore/accounts/
>
> [14:37:54 da...@l00018 ~]# smbclient -U dvanlaatum //adl-nas-01/Accounts
> Password:
> Domain=[VALEX] OS=[Unix] Server=[Samba 3.2.5]
> smb: \> mkdir test
> NT_STATUS_MEDIA_WRITE_PROTECTED making remote directory \test


Re: [Samba] 3.5 in Debian Squeeze?

2010-03-24 Thread grant little
On Wed, Mar 24, 2010 at 7:25 AM, Robert LeBlanc wrote:

> On Wed, Mar 24, 2010 at 12:21 AM, Christian PERRIER wrote:
>
> > Quoting Robert LeBlanc (rob...@leblancnet.us):
> > > What is the milestone that will get 3.5 into Debian Squeeze?
> >
> >
> > We're still in the process of deciding whether we'll go for 3.4.* or
> > 3.5 for squeeze.
> >
> > There are arguments for both:
> >
> > - 3.4.* releases are now rock solid and the risk of "important" issues
> > to be discovered that would make these versions unsuitable for
> > production servers is not very high while 3.5.* are fairly young as of
> > now.
> >
> > - Strong support by the Samba Team for 3.4.* releases will be
> > decreasing rapidly in the upcoming months and it might become hard to
> > make this release alive for the planned two years of lifetime (at
> > minimum) that squeeze will have after it's released. There are also
> > several improvements brought by 3.5 which our users would benefit from.
> >
> >
> > My own stance is to go for 3.5 and, as one of the maintainers, I'll
> > push for it. However, I want to ask to the Debian release team about
> > their feeling for pushing point releases (3.5.2, 3.5.3, etc.) in
> > squeeze during the time squeeze is frozen. It would help a lot if
> > they agree that we can do this even late in the release process but
> > you can imagine that they can't say "yes" to all such
> > requests...otherwise the freeze is no longer a freeze.
> >
> > A key point is having my co-maintainer (Steve Langasek) advice about
> > this. Other co-maintainers have agreed for having 3.5 in squeeze
> > (particularly Matthieu Parent, who maintains ctdb)
> >
> >
> Thank you for taking the time, this is very helpful. I fully understand
> both
> sides of the argument as I take both positions on a regular basis. I do
> like
> 3.4 as it has worked quite well for us, as we move to Windows 7, we have
> uncovered problems which we hope 3.5 will resolve. Winbind has also given
> us
> problems in 3.4, and with the large rework in 3.5 we hope it's solved a lot
> of those pain points. I haven't heard when the freeze will be for Squeeze,
> but if it would be helpful, I can try to carve out some time to pull 3.5
> from experimental on a test box and try it in our environment for feedback.
>
> Thanks,
>
> Robert LeBlanc
> Life Sciences & Undergraduate Education Computer Support
> Brigham Young University
> --
>
On Ubuntu 9.10 which currently uses 3.4.0 there are, for me, many problems
solved by moving to 3.5 not the least of which are windows 7, the ability to
login from OS X when using AD/LDAP/Kerberos and better support for ACLs, so
I'm hoping that Debian will move quickly to 3.5 and that it will feed
downstream to Ubuntu 9.10 within my lifetime. It seems that Lucid is still
at 3.4.7, tantalizingly close to 3.5. For ubuntu 9.10 samba 3.4.0 is not up
to much since it cannot do the mac OS X login described or windows 7.
My vote is for 3.5 on both debian squeeze and ubuntu lucid. Faint hope...

Grant.


[Samba] Fwd: unable to access samba server from long distance

2010-03-05 Thread grant little
On Fri, Mar 5, 2010 at 2:52 AM, irfaan khan  wrote:

> Hi,
>
> I have a strange issue and wanted some help to resolve , I had searched on
> google but couldn't found suitable answer for the same.
>
> Well, Let you know the scenario and details of my setup.
>
> 1. I am using Centos 5.4 x86 based operating system
> 2. samba version samba-3.0.33-3.15.
> 3. I have a 1 mbps internet line.
> 4. I can access samba server from nearest area, but not from far distance.
>
> why is to so or do I have to make any changes in my smb.conf?
>
> Thanks in advance 
>
> k.irfee
>
>
centos 5.4 comes with selinux ON by default as I recall. I wonder if that
has something to do with it?

So help us out here: what do you mean by 'nearest area' and 'far distance'?
By 'nearest area' do you mean by access on the samba server itself? or from
some other computer nearby?
If from another computer what are the relative ip addresses of the server
versus the computer trying to access.
Same question for from far.

Also how do we know if you should change your smb.conf unless you tell us
what you have already...

Please tell us more...

Thanks.


Re: [Samba] wbinfo works, getent and check via smbclient not

2010-03-04 Thread grant little
On Thu, Mar 4, 2010 at 8:13 AM, Karsten Römke  wrote:

> grant little schrieb:
> 



> > OOPS! I misread what you were trying to do. I thought you were using
> > LDAP. Sorry. Please ignore my message
> >
> Hi Grant,
> I'm not sure if you misunderstand me.
> As far as I know ADS is nothing else then LDAP.
> So it is possible that I need LDAP to ask the win2003 server for
> authentication.
> I'm still unsure what my next steps should be.
> Trying to add winbind to the pam-System, which I only understand at
> the "surface" or trying to add ldap support.
> Karsten
>

Hi Karsten,

I have made samba with ads work on two servers here, one running centos 5.4
using samba 3.033  and the other  ubuntu 9.10 server using samba 3.4.0.
On each there is  kerberos, ldap and winbind.
I looked at the instructions that you used and they look as if they should
work but I am now out of my depth. I have never made it work without ldap. I
also had samba 3.5.0rc3 running on ubuntu 9.10 server with only kerberos
and ldap, that was with no winbind.
Note those all use ldap. I don't have personal experience authenticating
without ldap.

Here they do it without ldap:
http://wiki.samba.org/index.php/Samba_&_Active_Directory
 so you might try there.
Sorry I can't be more help for doing it without ldap, not my area of
expertise.
There's a good book on samba put out by O'Reilly called "Using Samba".
Grant


Re: [Samba] wbinfo works, getent and check via smbclient not

2010-03-04 Thread grant little
On Thu, Mar 4, 2010 at 7:59 AM, grant little  wrote:

>
>
>> OOPS! I misread what you were trying to do. I thought you were using LDAP.
> Sorry. Please ignore my message
>
>


Re: [Samba] Sernet repository

2010-03-02 Thread grant little
On Tue, Mar 2, 2010 at 6:51 AM, Wikked one  wrote:

>
> Hi All,
>  If you're using yum and have added ftp.sernet.. to your
> yum.repos.d
> the paths have changed.
> The documentation on the Samba site is no longer accurate, I'm hoping
> someone will update this once I mention it?
> Thanks
>
>

Which docs have changed and what should they be changed to?
Thanks.


Re: [Samba] Hiding dot files from Windows

2010-02-21 Thread grant little
On Sun, Feb 21, 2010 at 5:55 AM, Michael Wood  wrote:

> On 21 February 2010 12:02, grant little  wrote:
> > On Sat, Feb 20, 2010 at 9:20 AM, alansecker  wrote:
> >
> >> The user section of one of my smb.conf files looks like this yet when I
> >> bring
> >> up XP (a guest under VirtualBox) on my system, all linux dot files are
> >> visible. Am I missing something?
> >>
> >> [fred]
> [...]
> >>hide dot files = yes
> >
> > I see the same behavior with 3.50rc3 when I look from windows explorer at
> > files created on the share by OS X all the extra OSX stuff is visible: a
> > folder called
> > .TemporaryItems
> > and a file called
> > ._.TemporaryItems
> > plus one ._file for each other os x file there.
> >
> > man smb.conf says
> > Default: hide dot files = yes
> >  and it makes me wonder how it looked on older versions. I have 3.0.33
> > setup on a centos box but I can't access it until Monday next to compare.
> > From OSX those files are not visible which makes me wonder if "hide dot
> > files" only applies to os x views.
>
> This also depends on the client, I imagine.  If Samba just sets the
> hidden attribute when sending the directory listing to the client, the
> client can still decide to show the files.  I don't know if this is
> what's happening, but it seems reasonable to me.
>
> Perhaps Windows Explorer is configured to show hidden files?
>
> OS X hides dot files by default anyway, so it doesn't surprise me that
> you don't see them there.
>
> --
> Michael Wood 
>

Yeah I think that is it Michael, I thought of that too after I went shuteye,
as a sysadmin my windows xp box is set to show hidden and system files so
that would override what samba does.


Re: [Samba] Hiding dot files from Windows

2010-02-21 Thread grant little
On Sat, Feb 20, 2010 at 9:20 AM, alansecker  wrote:

>
> The user section of one of my smb.conf files looks like this yet when I
> bring
> up XP (a guest under VirtualBox) on my system, all linux dot files are
> visible. Am I missing something?
>
> [fred]
>comment = Alan's service
>path = /home/fred
>writeable = yes
>valid users = fred
>admin users = fred
>browseable = yes
>case sensitive = no
>printing = bsd
>#print command = /usr/share/samba/scripts/print-pdf file path win_path
> recipient IP &
>print command = /usr/share/samba/scripts/print-pdf "%s" "%H" "//%L/%u"
> "%m" "%I" "%J" &
>lpq command = /bin/true
>hide dot files = yes
>
> --
>

I see the same behavior with 3.50rc3 when I look from windows explorer at
files created on the share by OS X all the extra OSX stuff is visible: a
folder called
.TemporaryItems
and a file called
._.TemporaryItems
plus one ._file for each other os x file there.

man smb.conf says
Default: hide dot files = yes
  and it makes me wonder how it looked on older versions. I have 3.0.33
setup on a centos box but I can't access it until Monday next to compare.
From OSX those files are not visible which makes me wonder if "hide dot
files" only applies to os x views.


Re: [Samba] windows users can login but OS X users cannot

2010-02-21 Thread grant little
~:=) woohoo! I am pleased to report,  that samba 3.5.0rc3,  just released
yesterday for debian, appears to have fixed this problem.
I just installed the experimental version of that and at least on the
initial test I just did, I can now login  to the same share from both
windows clients and OS X with winbind not running on the samba server. I
have more tests to do but it is looking good so far. Thanks to all the samba
and debian teams for making my life a little easier.

I was previously stuck in a rut between using centos 5.4 with samba 3.0.33
that worked from both clients but centos 5.4 would not support having the
operating system on GPT hard drives and ubuntu 9.10 which would support GPT
hard drives but had a buggy version of samba as previously described.
So thanks for lifting me out of the rut and I look forward to the 3.5.0
final release version.

On Sat, Feb 20, 2010 at 1:31 PM, grant little  wrote:

> Thanks Alex.
> I'm not using winbind, just kerberos and LDAP and I have in all cases tried
> both domain\username as well as username.
>
> Here's a better dump of the ip log that happens on a failed login attempt
> that seems to show that the authentication is OK from os x:
> [2010/02/20 13:13:17,  3] smbd/process.c:1453(process_smb)
>   Transaction 2 of length 366 (0 toread)
> [2010/02/20 13:13:17,  3] smbd/process.c:1272(switch_message)
>   switch message SMBsesssetupX (pid 6039) conn 0x0
> [2010/02/20 13:13:17,  3] smbd/sec_ctx.c:310(set_sec_ctx)
>
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/02/20 13:13:17,  3] smbd/sesssetup.c:1404(reply_sesssetup_and_X)
>   wct=12 flg2=0xc801
> [2010/02/20 13:13:17,  3]
> smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
>   Doing spnego session setup
> [2010/02/20 13:13:17,  3]
> smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
>   NativeOS=[Mac OS X 10.6] NativeLanMan=[SMBFS 1.6.0] PrimaryDomain=[]
> [2010/02/20 13:13:17,  3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
>   Got user=[grant] domain=[AD] workstation=[GRANT] len1=24 len2=126
> [2010/02/20 13:13:19,  3] smbd/oplock.c:911(init_oplocks)
>   init_oplocks: initializing messages.
> [2010/02/20 13:13:19,  3]
> smbd/oplock_linux.c:219(linux_init_kernel_oplocks)
>   Linux kernel oplocks enabled
> [2010/02/20 13:13:19,  3] smbd/process.c:1453(process_smb)
>
>   Transaction 0 of length 51 (0 toread)
> [2010/02/20 13:13:19,  3] smbd/process.c:1272(switch_message)
>   switch message SMBnegprot (pid 6040) conn 0x0
> [2010/02/20 13:13:19,  3] smbd/sec_ctx.c:310(set_sec_ctx)
>
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/02/20 13:13:19,  3] smbd/negprot.c:567(reply_negprot)
>
>   Requested protocol [NT LM 0.12]
> [2010/02/20 13:13:19,  3] smbd/negprot.c:387(reply_nt1)
>   using SPNEGO
> [2010/02/20 13:13:19,  3] smbd/negprot.c:672(reply_negprot)
>
>   Selected protocol NT LM 0.12
> [2010/02/20 13:13:21,  3] smbd/sec_ctx.c:310(set_sec_ctx)
>
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>  [2010/02/20 13:13:21,  3] smbd/connection.c:31(yield_connection)
>   Yielding connection to
> [2010/02/20 13:13:21,  3] smbd/server.c:848(exit_server_common)
>
>   Server exit (failed to receive smb request)
> --
> what's weird is that there's no sign of the login in auth.log only the test
> via windows client a few seconds before:
> Feb 20 13:12:14 servername smbd[6033]: pam_unix(samba:session): session
> opened for user grant by (uid=0)
> Feb 20 13:12:24 servername smbd[6033]: pam_unix(samba:session): session
> closed for user grant
> after that nothing...
>
>
> On Sat, Feb 20, 2010 at 11:17 AM, Alex Ferrara wrote:
>
>> I have seen this behaviour recently using Samba 3.4.5 from the Lucid tree
>> on Ubuntu 9.10
>>
>> Try using domain\username for the username
>>
>> To me, it appears to be a bug in winbind not using the default domain, but
>> I could be wrong.
>>
>> Sent from my iPhone
>>
>>
>> On 20/02/2010, at 8:29 PM, grant little  wrote:
>>
>>  Hello,
>>> having spent many hours scouring archives, docs, books and googling
>>> without
>>> finding an answer I need to ask your help on this.
>>>
>>> running samba 3.4.0-3ubuntu5.3 on ubuntu 9.10 server, client users can
>>> login
>>> to the share from windows clients but the same users are denied access
>>> when
>>> connecting from OS X  via GO/Connect To Server in format
>>> smb://fqdnofserver
>>>
>>> user authentication is to active directory  using kerberos and LDAP and
>>> am
>>> not running winbind
>>>
>>> pam.d/samba is set to allow smb logins, that is shell logins are not
>>> permitted for a

Re: [Samba] rlimit_max errors

2010-02-20 Thread grant little
On Wed, Feb 17, 2010 at 9:57 AM, cjay  wrote:

> Running Samba 3.4.5 on Solaris 10 Sparc platform.  I can't seem to get rid
> of the following errors:
>
> log.b104d1:rlimit_max: rlimit_max (10020) below minimum Windows limit
> (16384)
>
> I've tried adding "ulimit -n 16384" to the samba start scripts, but still
> getting these errors.  Anyone know what I should do about this. Could these
> errors cause slowness to the samba share for clients?
>
>
>
> --
> C. J. Keist Email: cj.ke...@colostate.edu
> UNIX/Network Manager Phone: 970-491-0630
> Engineering Network Services Fax: 970-491-5569
> College of Engineering, CSU
> Ft. Collins, CO 80523-1301
>
>

Don't know if it will help but that is mentioned here:
http://lists.samba.org/archive/samba/2010-January/153320.html


Re: [Samba] windows users can login but OS X users cannot

2010-02-20 Thread grant little
Thanks Alex.
I'm not using winbind, just kerberos and LDAP and I have in all cases tried
both domain\username as well as username.

Here's a better dump of the ip log that happens on a failed login attempt
that seems to show that the authentication is OK from os x:
[2010/02/20 13:13:17,  3] smbd/process.c:1453(process_smb)
  Transaction 2 of length 366 (0 toread)
[2010/02/20 13:13:17,  3] smbd/process.c:1272(switch_message)
  switch message SMBsesssetupX (pid 6039) conn 0x0
[2010/02/20 13:13:17,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/02/20 13:13:17,  3] smbd/sesssetup.c:1404(reply_sesssetup_and_X)
  wct=12 flg2=0xc801
[2010/02/20 13:13:17,  3]
smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2010/02/20 13:13:17,  3]
smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
  NativeOS=[Mac OS X 10.6] NativeLanMan=[SMBFS 1.6.0] PrimaryDomain=[]
[2010/02/20 13:13:17,  3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
  Got user=[grant] domain=[AD] workstation=[GRANT] len1=24 len2=126
[2010/02/20 13:13:19,  3] smbd/oplock.c:911(init_oplocks)
  init_oplocks: initializing messages.
[2010/02/20 13:13:19,  3] smbd/oplock_linux.c:219(linux_init_kernel_oplocks)
  Linux kernel oplocks enabled
[2010/02/20 13:13:19,  3] smbd/process.c:1453(process_smb)
  Transaction 0 of length 51 (0 toread)
[2010/02/20 13:13:19,  3] smbd/process.c:1272(switch_message)
  switch message SMBnegprot (pid 6040) conn 0x0
[2010/02/20 13:13:19,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/02/20 13:13:19,  3] smbd/negprot.c:567(reply_negprot)
  Requested protocol [NT LM 0.12]
[2010/02/20 13:13:19,  3] smbd/negprot.c:387(reply_nt1)
  using SPNEGO
[2010/02/20 13:13:19,  3] smbd/negprot.c:672(reply_negprot)
  Selected protocol NT LM 0.12
[2010/02/20 13:13:21,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/02/20 13:13:21,  3] smbd/connection.c:31(yield_connection)
  Yielding connection to
[2010/02/20 13:13:21,  3] smbd/server.c:848(exit_server_common)
  Server exit (failed to receive smb request)
--
what's weird is that there's no sign of the login in auth.log only the test
via windows client a few seconds before:
Feb 20 13:12:14 servername smbd[6033]: pam_unix(samba:session): session
opened for user grant by (uid=0)
Feb 20 13:12:24 servername smbd[6033]: pam_unix(samba:session): session
closed for user grant
after that nothing...

On Sat, Feb 20, 2010 at 11:17 AM, Alex Ferrara wrote:

> I have seen this behaviour recently using Samba 3.4.5 from the Lucid tree
> on Ubuntu 9.10
>
> Try using domain\username for the username
>
> To me, it appears to be a bug in winbind not using the default domain, but
> I could be wrong.
>
> Sent from my iPhone
>
>
> On 20/02/2010, at 8:29 PM, grant little  wrote:
>
>  Hello,
>> having spent many hours scouring archives, docs, books and googling
>> without
>> finding an answer I need to ask your help on this.
>>
>> running samba 3.4.0-3ubuntu5.3 on ubuntu 9.10 server, client users can
>> login
>> to the share from windows clients but the same users are denied access when
>> connecting from OS X  via GO/Connect To Server in format
>> smb://fqdnofserver
>>
>> user authentication is to active directory  using kerberos and LDAP and am
>> not running winbind
>>
>> pam.d/samba is set to allow smb logins, that is shell logins are not
>> permitted for active directory authenticated users. here's that snippet:
>> # /etc/pam.d/samba
>> auth sufficient pam_krb5.so minimum_uid=1000 use_first_pass
>> account sufficient pam_ldap.so use_first_pass
>> session sufficient pam_ldap.so
>>
>>
>> I have tested my configs on samba 3.0.33 on CENTOS and it works fine there
>> for both OS X and windows
>>
>> the share is setup on
>> /shares/asgs
>> with these permissions:
>> drwxrwsrwx   8 root root   87 2010-02-20 00:17 shares
>> drwxrws--- 2 grant ASGSFileUsers  18 2010-02-20 00:21 asgs
>>
>> here's smb.conf:
>> [global]
>>  unix extensions = no
>>  disable spoolss = Yes
>>  disable netbios = yes
>>  name resolve order = hosts
>>  workgroup = AD
>>  realm = AD.UCSD.EDU
>>  server string = %h server (Samba, Ubuntu)
>>  dns proxy = no
>>  log file = /var/log/samba/log.%m
>>  max log size = 1000
>>  syslog = 0
>>  log level = 3
>>  panic action = /usr/share/samba/panic-action %d
>>  security = ads
>>  encrypt passwords = true
>>  passdb backend = tdbsam
>>  obey pam restrictions = yes
>>  unix password sync = yes
>>  pam password change = no
>>  map to guest = bad user
>>  usershare allow

[Samba] windows users can login but OS X users cannot

2010-02-20 Thread grant little
Hello,
having spent many hours scouring archives, docs, books and googling without
finding an answer I need to ask your help on this.

running samba 3.4.0-3ubuntu5.3 on ubuntu 9.10 server, client users can login
to the share from windows clients but the same users are denied access when
connecting from OS X  via GO/Connect To Server in format
smb://fqdnofserver

user authentication is to active directory  using kerberos and LDAP and am
not running winbind

pam.d/samba is set to allow smb logins, that is shell logins are not
permitted for active directory authenticated users. here's that snippet:
# /etc/pam.d/samba
auth sufficient pam_krb5.so minimum_uid=1000 use_first_pass
account sufficient pam_ldap.so use_first_pass
session sufficient pam_ldap.so


I have tested my configs on samba 3.0.33 on CENTOS and it works fine there
for both OS X and windows

the share is setup on
/shares/asgs
with these permissions:
drwxrwsrwx   8 root root   87 2010-02-20 00:17 shares
drwxrws--- 2 grant ASGSFileUsers  18 2010-02-20 00:21 asgs

here's smb.conf:
[global]
  unix extensions = no
  disable spoolss = Yes
  disable netbios = yes
  name resolve order = hosts
  workgroup = AD
  realm = AD.UCSD.EDU
  server string = %h server (Samba, Ubuntu)
  dns proxy = no
  log file = /var/log/samba/log.%m
  max log size = 1000
  syslog = 0
  log level = 3
  panic action = /usr/share/samba/panic-action %d
  security = ads
  encrypt passwords = true
  passdb backend = tdbsam
  obey pam restrictions = yes
  unix password sync = yes
  pam password change = no
  map to guest = bad user
  usershare allow guests = no
[asgs]
  comment = ASGS
  path = /shares/asgs
  browsable = Yes
  valid users = @ad\ASGSFileUsers
  write list = @ad\ASGSFileUsers
  create mask = 2660
  directory mask = 2770

The tail n20 of the log of the connecting ip shows this for an OS X attempt:
[2010/02/20 00:56:16,  3] smbd/oplock_linux.c:219(linux_init_kernel_oplocks)
  Linux kernel oplocks enabled
[2010/02/20 00:56:16,  3] smbd/process.c:1453(process_smb)
  Transaction 0 of length 51 (0 toread)
[2010/02/20 00:56:16,  3] smbd/process.c:1272(switch_message)
  switch message SMBnegprot (pid 5658) conn 0x0
[2010/02/20 00:56:16,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/02/20 00:56:16,  3] smbd/negprot.c:567(reply_negprot)
  Requested protocol [NT LM 0.12]
[2010/02/20 00:56:16,  3] smbd/negprot.c:387(reply_nt1)
  using SPNEGO
[2010/02/20 00:56:16,  3] smbd/negprot.c:672(reply_negprot)
  Selected protocol NT LM 0.12
[2010/02/20 00:56:18,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/02/20 00:56:18,  3] smbd/connection.c:31(yield_connection)
  Yielding connection to
[2010/02/20 00:56:18,  3] smbd/server.c:848(exit_server_common)
  Server exit (failed to receive smb request)



Hope someone can give me a pointer where to look next or what to tweak. Let
me know if you need other log snippets.

Thanks,
Grant
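
An added example (not part of the original post and not Samba project code): a small Python parser for the level-3 smbd log format quoted in this thread. It tolerates headers that mail wrapping split onto two lines and `>` quote prefixes, then extracts the SMB commands seen per smbd pid, the identity named in the NTLMSSP message, and the server exit reason. The function names and result layout are assumptions of this example, and the sample lines are an excerpt constructed from the log shown above.

```python
import re

# Constructed sample: an excerpt in the format of the level-3 smbd log quoted
# in the thread, including one header that was wrapped onto two lines.
SAMPLE_LOG = """\
[2010/02/20 13:13:17,  3] smbd/process.c:1272(switch_message)
  switch message SMBsesssetupX (pid 6039) conn 0x0
[2010/02/20 13:13:17,  3]
smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2010/02/20 13:13:17,  3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
  Got user=[grant] domain=[AD] workstation=[GRANT] len1=24 len2=126
[2010/02/20 13:13:19,  3] smbd/process.c:1272(switch_message)
  switch message SMBnegprot (pid 6040) conn 0x0
[2010/02/20 13:13:21,  3] smbd/server.c:848(exit_server_common)
  Server exit (failed to receive smb request)
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s+(\d+)\]\s*(\S+)?$")
LOCATION = re.compile(r"^[\w./]+:\d+\((\w+)\)$")  # file.c:line(function)
QUOTE = re.compile(r"^(?:>\s?)+")                 # mail reply prefixes

def parse_records(text):
    """Split smbd log text into records with ts, level, func and msg."""
    records, cur = [], None
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()
        head = HEADER.match(line)
        loc = LOCATION.match((head.group(3) or "") if head else line)
        if head:
            cur = {"ts": head.group(1), "level": int(head.group(2)),
                   "func": loc.group(1) if loc else None, "msg": ""}
            records.append(cur)
        elif cur is None or not line:
            continue
        elif loc and cur["func"] is None and not cur["msg"]:
            cur["func"] = loc.group(1)  # second half of a wrapped header
        else:
            cur["msg"] = (cur["msg"] + " " + line).strip()
    return records

def summarize(records):
    """Collect SMB commands per pid, NTLMSSP identities and exit reasons."""
    out = {"commands": {}, "identities": [], "exits": []}
    for r in records:
        if r["func"] == "switch_message":
            m = re.search(r"switch message (\w+) \(pid (\d+)\)", r["msg"])
            if m:
                out["commands"].setdefault(int(m.group(2)), []).append(m.group(1))
        elif r["func"] == "ntlmssp_server_auth":
            m = re.search(r"user=\[(.*?)\] domain=\[(.*?)\] workstation=\[(.*?)\]", r["msg"])
            if m:
                out["identities"].append(m.groups())
        elif r["func"] == "exit_server_common":
            m = re.search(r"Server exit \((.*)\)", r["msg"])
            if m:
                out["exits"].append((r["ts"], m.group(1)))
    return out
```
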