Re: [Samba] winbind user mapping problem

2011-12-30 Thread Lantukh Sergey

Hello
I think that you need to clean the Winbind database that contains the bridge
between UID/GID and SID.

Then restart winbind, and it will fill the database again.

On 30/12/2011 10:44, Bruno Martins wrote:

Hello list,

I am using Samba + winbind and I have some users that cannot access
shares on this server, getting the following error in
'/var/log/samba':
[2011/12/30 09:33:08.072315,  1] smbd/sesssetup.c:454(reply_spnego_kerberos)
   Username GALILEU-F\teste is invalid on this system

Also, in 'winbind-idmap' log file I am getting this:
[2011/12/30 09:32:56.902810,  1] winbindd/idmap_tdb.c:445(idmap_tdb_allocate_id)
   Fatal Error: UID range full!! (max: 12)

So what happens in reality? Trying to 'getent' that user results in
nothing, so no mapping, right?
root@sputnik:/var/cache/samba# getent passwd bmartins
bmartins:*:11:10::/home/GALILEU-F/bmartins:/bin/false
root@sputnik:/var/cache/samba# getent passwd teste
root@sputnik:/var/cache/samba#

However, 'wbinfo' works for that user:
root@sputnik:/var/cache/samba# wbinfo -u | grep teste
teste

My 'smb.conf' returns this, regarding the idmap parameters:
root@sputnik:/var/cache/samba# cat /etc/samba/smb.conf | grep idmap
#   idmap uid = 1-20
 idmap uid = 10-12
#   idmap gid = 30-40
 idmap gid = 10-12

I have tried lower and higher values, did a reload on winbind service,
but nothing seems to help.

Could you please help me on this?

Best regards,

Bruno Martins


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] winbind user mapping problem

2011-12-30 Thread Lantukh Sergey

The database is here (in Linux/Debian):
 /var/lib/samba/winbindd_idmap.tdb
Try to just delete (move/rename) it and then restart winbind.
But do not forget about a BACKUP!

I had this problem and this solution helped me.

In AD there are not only users but also special accounts like
krbtgt, groups and more...


On 30/12/2011 13:00, Bruno Martins wrote:

Hello mate,

Thanks for your answer. How can I do that?

I've noticed this:
root@sputnik:/var/lib/samba# wbinfo -u | wc -l
140

root@sputnik:/var/lib/samba# tdbbackup -v winbindd_idmap.tdb
winbindd_idmap.tdb : 521 records

Is this normal? 140 users on AD (seems correct), but 521 mappings?

Best regards,

Bruno Martins

On Fri, Dec 30, 2011 at 11:57 AM, Lantukh Sergey
sergey.lant...@docpath.com  wrote:

Hello
I think that you need to clean the Winbind database that contains the bridge
between UID/GID and SID.
Then restart winbind, and it will fill the database again.


On 30/12/2011 10:44, Bruno Martins wrote:

Hello list,

I am using Samba + winbind and I have some users that cannot access
shares on this server, getting the following error in
'/var/log/samba':
[2011/12/30 09:33:08.072315,  1]
smbd/sesssetup.c:454(reply_spnego_kerberos)
   Username GALILEU-F\teste is invalid on this system

Also, in 'winbind-idmap' log file I am getting this:
[2011/12/30 09:32:56.902810,  1]
winbindd/idmap_tdb.c:445(idmap_tdb_allocate_id)
   Fatal Error: UID range full!! (max: 12)

So what happens in reality? Trying to 'getent' that user results in
nothing, so no mapping, right?
root@sputnik:/var/cache/samba# getent passwd bmartins
bmartins:*:11:10::/home/GALILEU-F/bmartins:/bin/false
root@sputnik:/var/cache/samba# getent passwd teste
root@sputnik:/var/cache/samba#

However, 'wbinfo' works for that user:
root@sputnik:/var/cache/samba# wbinfo -u | grep teste
teste

My 'smb.conf' returns this, regarding the idmap parameters:
root@sputnik:/var/cache/samba# cat /etc/samba/smb.conf | grep idmap
#   idmap uid = 1-20
 idmap uid = 10-12
#   idmap gid = 30-40
 idmap gid = 10-12

I have tried lower and higher values, did a reload on winbind service,
but nothing seems to help.

Could you please help me on this?

Best regards,

Bruno Martins






Re: [Samba] Samba and LDAP Server

2011-12-30 Thread Lantukh Sergey

Thanks, I got it!
Samba is guided by the SRV records in DNS.

On 22/12/2011 19:15, David Roid wrote:

Hello Lantukh,

The domain controller, LDAP server and KDC can be found via DNS; Samba
consults the DNS server to find them. Therefore the DNS server itself can be a
single point of failure. I'm guessing your myserver1 is used as the DNS server in
this case, and when it's down you are in trouble.


Cheers
-David

2011/12/23 Lantukh Sergey sergey.lant...@docpath.com


Good day
I could not find an answer to my problem/question, can you help me
here...

I have SAMBA 3.2.5 on Linux\Debian 5.
I am using Winbind to connect to MS Active Directory (Windows 2003)
and get a list of all users.

/etc/samba/smb.conf
[global]
realm = MYDOMAIN.LOCAL
Security = ADS

/etc/krb5.conf
[realms]
MYDOMAIN.LOCAL = {
kdc = myserver1.mydomain.local:88
kdc = myserver2.mydomain.local:88
admin_server = myserver1.mydomain.local:464
default_domain = DOCPATH.ES
[domain_realm]
.mydomain.local = MYDOMAIN.LOCAL
mydomain.local = MYDOMAIN.LOCAL

My question is:
When I give the command:
# net ads info
I have:
LDAP server: 192.168.1.10
LDAP server name: myserver1.mydomain.local
Realm: MYDOMAIN.local
Bind Path: dc=MYDOMAIN,dc=LOCAL
LDAP port: 389
Server time: Thu, 22 Dec 2011 17:52:38 CET
KDC server: 192.168.1.10
Server time offset: 2

192.168.1.10 this is myserver1.mydomain.local

How does SAMBA know about my LDAP server?

I have 2 Domain Controllers and SAMBA is always connected to the
first.
When the first server is not available SAMBA cannot get a list of
users via winbind. How can I get SAMBA to connect to the second domain
controller? How can I change the LDAP server for samba?

Thanks!




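As an added example (not part of the thread above; the record sets are constructed), the DNS side of David's answer can be checked without Samba: order the SRV records a realm publishes the way a generic SRV client does (RFC 2782: lowest priority first, heavier weight favoured within a priority, shown here deterministically) and flag a realm that only ever advertises one DC. The two hostnames follow the thread; the third host, the priorities and the weights are made up for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: list the domain controllers DNS advertises
# for a realm in the order an SRV-aware client tries them (RFC 2782: lowest
# priority first, larger weight preferred within a priority) and flag a realm
# that advertises only one host, because then a second DC listed in krb5.conf
# is never discovered through DNS. Input is the `dig +short SRV` format
# "PRIORITY WEIGHT PORT TARGET."; the record sets below are constructed.
set -eu

# stdin: SRV records; stdout: "host:port" per line, in preference order.
srv_order() {
    sort -k1,1n -k2,2nr | awk '{ sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# stdin: SRV records; stdout: number of distinct target hosts.
srv_distinct_hosts() {
    awk '{ sub(/\.$/, "", $4); seen[$4] = 1 } END { n = 0; for (h in seen) n++; print n }'
}

# $1: SRV records as a string. Prints "SINGLE:<host>" when only one DC is
# advertised, otherwise "OK:<n> DCs, first=<host:port>".
srv_verdict() {
    local recs=$1 n first
    n=$(printf '%s\n' "$recs" | srv_distinct_hosts)
    first=$(printf '%s\n' "$recs" | srv_order | head -n 1)
    if [ "$n" -lt 2 ]; then
        echo "SINGLE:${first%%:*}"
    else
        echo "OK:$n DCs, first=$first"
    fi
}

# --- constructed record sets (not real DNS data) -----------------------------
# Both DCs registered at the same priority; myserver1 carries more weight and
# is therefore tried first.
BOTH_DCS='0 100 389 myserver1.mydomain.local.
0 50 389 myserver2.mydomain.local.'
# Only the first DC is registered: a second DC in krb5.conf does not help here.
ONE_DC='0 100 389 myserver1.mydomain.local.'
# A third DC at a lower preference (higher priority number), e.g. another site.
THREE_DCS='10 200 389 backup.mydomain.local.
0 50 389 myserver2.mydomain.local.
0 100 389 myserver1.mydomain.local.'

printf '%s\n' "$THREE_DCS" | srv_order
srv_verdict "$BOTH_DCS"
srv_verdict "$ONE_DC"
```

In production, feed the real records in: `dig +short SRV _ldap._tcp.dc._msdcs.mydomain.local | srv_order` for the LDAP servers and `_kerberos._tcp.mydomain.local` for the KDCs; `net ads info` then shows which of them Samba actually picked. The caveat in David's reply stands whatever DNS says: if the only nameserver in /etc/resolv.conf is the DC that is down, no SRV record resolves at all, so both DCs (or an independent resolver) need to be listed as nameservers too.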


Re: [Samba] winbind user mapping problem

2011-12-30 Thread Lantukh Sergey

Good for you!

I cannot say whether it is logical or not.

Maybe it works differently in another version...
Which version are you using?

On 30/12/2011 13:24, Bruno Martins wrote:

It solved my problem! Now new users get allocated correctly. But why did
this happen?

By the way, is it normal that previously mapped users keep the
old UID, and newly mapped ones get a UID in the now defined UID
range?

Best regards,

Bruno Martins

On Fri, Dec 30, 2011 at 12:14 PM, Lantukh Sergey
sergey.lant...@docpath.com  wrote:

The database is here (in Linux/Debian):
  /var/lib/samba/winbindd_idmap.tdb
Try to just delete (move/rename) it and then restart winbind.
But do not forget about a BACKUP!

I had this problem and this solution helped me.

In AD there are not only users but also special accounts like krbtgt,
groups and more...


On 30/12/2011 13:00, Bruno Martins wrote:

Hello mate,

Thanks for your answer. How can I do that?

I've noticed this:
root@sputnik:/var/lib/samba# wbinfo -u | wc -l
140

root@sputnik:/var/lib/samba# tdbbackup -v winbindd_idmap.tdb
winbindd_idmap.tdb : 521 records

Is this normal? 140 users on AD (seems correct), but 521 mappings?

Best regards,

Bruno Martins

On Fri, Dec 30, 2011 at 11:57 AM, Lantukh Sergey
sergey.lant...@docpath.com wrote:

Hello
I think that you need to clean the Winbind database that contains the bridge
between UID/GID and SID.
Then restart winbind, and it will fill the database again.


On 30/12/2011 10:44, Bruno Martins wrote:

Hello list,

I am using Samba + winbind and I have some users that cannot access
shares on this server, getting the following error in
'/var/log/samba':
[2011/12/30 09:33:08.072315,  1]
smbd/sesssetup.c:454(reply_spnego_kerberos)
   Username GALILEU-F\teste is invalid on this system

Also, in 'winbind-idmap' log file I am getting this:
[2011/12/30 09:32:56.902810,  1]
winbindd/idmap_tdb.c:445(idmap_tdb_allocate_id)
   Fatal Error: UID range full!! (max: 12)

So what happens in reality? Trying to 'getent' that user results in
nothing, so no mapping, right?
root@sputnik:/var/cache/samba# getent passwd bmartins
bmartins:*:11:10::/home/GALILEU-F/bmartins:/bin/false
root@sputnik:/var/cache/samba# getent passwd teste
root@sputnik:/var/cache/samba#

However, 'wbinfo' works for that user:
root@sputnik:/var/cache/samba# wbinfo -u | grep teste
teste

My 'smb.conf' returns this, regarding the idmap parameters:
root@sputnik:/var/cache/samba# cat /etc/samba/smb.conf | grep idmap
#   idmap uid = 1-20
 idmap uid = 10-12
#   idmap gid = 30-40
 idmap gid = 10-12

I have tried lower and higher values, did a reload on winbind service,
but nothing seems to help.

Could you please help me on this?

Best regards,

Bruno Martins






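As an added example (not code from the thread; the smb.conf and passwd excerpts are constructed), a pre-flight check for the idmap range before winbindd_idmap.tdb is deleted and rebuilt. It reproduces the "UID range full" condition from Bruno's config (`idmap uid = 10-12` for a 140-user domain) and adds the check a security engineer would want first: the range must not overlap UIDs already present in /etc/passwd, because winbind would otherwise allocate a domain user the UID of a local account, and with it that account's files. The workgroup name is taken from the thread; the local account names and the 10000-19999 range are assumptions for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: sanity-check the winbind idmap range in an
# smb.conf before (re)creating winbindd_idmap.tdb. Two failure modes matter:
#  - a range too small for the domain ("UID range full" in the winbind log), and
#  - a range that overlaps UIDs already used in /etc/passwd, which would map a
#    domain user onto a local account's UID and hand it that account's files.
# The smb.conf and passwd excerpts below are constructed for this example.
set -eu

# Print "LOW HIGH" for an uncommented "idmap uid = LOW-HIGH" (or gid) line,
# or nothing if the parameter is absent. $1 = smb.conf path, $2 = uid|gid.
idmap_range() {
    awk -v key="idmap $2" '
        /^[[:space:]]*[#;]/ { next }              # commented-out line
        {
            line = $0; sub(/^[[:space:]]+/, "", line)
            n = index(line, "="); if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            sub(/[[:space:]]+$/, "", k); gsub(/[[:space:]]/, "", v)
            if (k == key && v ~ /^[0-9]+-[0-9]+$/) { split(v, r, "-"); print r[1], r[2] }
        }' "$1"
}

# Print "name:uid" for local accounts whose UID lies inside LOW..HIGH, joined
# by single spaces. $1 = passwd file, $2 = LOW, $3 = HIGH.
local_uid_collisions() {
    awk -F: -v lo="$2" -v hi="$3" '
        $3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { out = out (out == "" ? "" : " ") $1 ":" $3 }
        END { print out }' "$1"
}

# Verdict for one smb.conf: OVERLAP:<accounts>, TOO-SMALL:<size><<needed>,
# NO-RANGE, or OK:<size>. $1 = smb.conf, $2 = passwd file,
# $3 = number of domain users and groups the box must map.
check_idmap() {
    local conf=$1 passwd=$2 needed=$3 range lo hi size coll
    range=$(idmap_range "$conf" uid | tail -n 1)   # last definition wins, as in smb.conf
    if [ -z "$range" ]; then echo "NO-RANGE"; return 1; fi
    lo=${range% *}; hi=${range#* }
    size=$(( hi - lo + 1 ))
    coll=$(local_uid_collisions "$passwd" "$lo" "$hi")
    if [ -n "$coll" ]; then echo "OVERLAP:$coll"; return 1; fi
    if [ "$size" -lt "$needed" ]; then echo "TOO-SMALL:$size<$needed"; return 1; fi
    echo "OK:$size"
}

# --- constructed sample data --------------------------------------------------
EXAMPLE_DIR=$(mktemp -d)
cat > "$EXAMPLE_DIR/smb-bad.conf" <<'EOF'
[global]
   workgroup = GALILEU-F
   security = ads
#   idmap uid = 1-20
   idmap uid = 10-12
#   idmap gid = 30-40
   idmap gid = 10-12
EOF
cat > "$EXAMPLE_DIR/smb-good.conf" <<'EOF'
[global]
   workgroup = GALILEU-F
   security = ads
   idmap uid = 10000-19999
   idmap gid = 10000-19999
EOF
# Constructed passwd excerpt with two system accounts inside 10-12.
cat > "$EXAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
EOF
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$EXAMPLE_DIR/passwd-minimal"

# 140 users in the thread, plus groups and special accounts that also need IDs.
check_idmap "$EXAMPLE_DIR/smb-bad.conf"  "$EXAMPLE_DIR/passwd"         300 || true
check_idmap "$EXAMPLE_DIR/smb-bad.conf"  "$EXAMPLE_DIR/passwd-minimal" 300 || true
check_idmap "$EXAMPLE_DIR/smb-good.conf" "$EXAMPLE_DIR/passwd"         300 || true
```

Two caveats the thread touches on: the 521 records in the tdb are not 521 users, since idmap_tdb stores each mapping under both its SID key and its UID/GID key and adds its own high-water-mark records, so roughly 260 mappings covering users plus groups is consistent with 140 users; and deleting the tdb resets the allocator, so IDs are handed out again in order of first lookup and files written earlier by a mapped user may end up owned by a different domain account. Back the tdb up (`tdbbackup`, as Bruno did) and re-check ownership on the shares afterwards.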


[Samba] Samba and LDAP Server

2011-12-22 Thread Lantukh Sergey
Good day
I could not find an answer to my problem/question, can you help me here...

I have SAMBA 3.2.5 on Linux\Debian 5.
I am using Winbind to connect to MS Active Directory (Windows 2003) and get
a list of all users.

/etc/samba/smb.conf
[global]
realm = MYDOMAIN.LOCAL
Security = ADS

/etc/krb5.conf
[realms]
MYDOMAIN.LOCAL = {
 kdc = myserver1.mydomain.local:88
 kdc = myserver2.mydomain.local:88
 admin_server = myserver1.mydomain.local:464
 default_domain = DOCPATH.ES
[domain_realm]
 .mydomain.local = MYDOMAIN.LOCAL
 mydomain.local = MYDOMAIN.LOCAL

My question is:
When I give the command:
# net ads info
I have:
LDAP server: 192.168.1.10
LDAP server name: myserver1.mydomain.local
Realm: MYDOMAIN.local
Bind Path: dc=MYDOMAIN,dc=LOCAL
LDAP port: 389
Server time: Thu, 22 Dec 2011 17:52:38 CET
KDC server: 192.168.1.10
Server time offset: 2

192.168.1.10 this is myserver1.mydomain.local

How does SAMBA know about my LDAP server?

I have 2 Domain Controllers and SAMBA is always connected to the first.
When the first server is not available SAMBA cannot get a list of users
via winbind. How can I get SAMBA to connect to the second domain
controller? How can I change the LDAP server for samba?

Thanks!



[Samba] How to configure winbind to work with two domain controllers?

2010-08-11 Thread Sergey Stepanov

Hello

I have two domain controllers on win2k3 (say srv1.domain1 and
srv2.domain2) and winbind running on a 3rd linux server (


When I put workgroup = domain1 in smb.conf, I can work with domain1
only, i.e.

# ntlm_auth --username=dom1user --domain=domain1 --password=goodpassword
NT_STATUS_OK: Success (0x0)
but with domain2 it fails:
# ntlm_auth --username=dom2user --domain=domain2 --password=goodpassword
NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)

When I change workgroup to workgroup = domain2, things change:
domain1 fails:
# ntlm_auth --username=dom1user --domain=domain1 --password=goodpassword
NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)
domain2 is ok:
# ntlm_auth --username=dom2user --domain=domain2 --password=goodpassword
NT_STATUS_OK: Success (0x0)

Please help: how do I tell winbind to work with both domain controllers?

winbind and ntlm_auth built from RHEL/CENTOS 5.5 srpm:
# /usr/bin/ntlm_auth -V   
Version 3.0.33-3.28

/usr/sbin/winbindd -V
Version 3.0.33-3.28

kerberos is not used.

sample smb.conf:
[global]
   winbind separator = +
   winbind use default domain = no
   winbind enum users = no
   winbind enum groups = no
   winbind use default domain = no
   security = domain
   encrypt passwords = yes   
   wins support = no

   enhanced browsing = no
   domain master = no
   domain logons = no
   local master = no
   preferred master = no
   name resolve order = lmhosts
   auth methods = winbind
   workgroup = domain1 # or domain2
   netbios name = SERVER
   password server = ip1 ip2 * # or without *



[Samba] winbindd GETGRENT results in trusted domains environment

2010-06-29 Thread Sergey Tashkinov
 list namely with the command
   getent group, without using wbinfo -g.
   We have analyzed the source code of the winbindd daemon and found that
   the problem was in the value that the function
   rpccli_wbint_QueryGroupList_recv returns. If one of the domains is
   turned off it returns NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND. We have
   prepared a patch that overcomes the problem by just ignoring that
   code.
   Could you comment on the way we fixed the problem? Won't it cause any
   problems for winbindd?
   Best regards, Sergey Tashkinov.

[Samba] samba+cups printing. drivers on clients.

2009-09-02 Thread Sergey Karapetyan
Hello Guys!
I need help.

myprintserver:
CentOS 5.3;
Samba 3.0.33-3.7.el5;
Cups 1.3.7 (LPD / socket) RAW printing mode;

Windows clients:
2000 SP1-4;
XP SP1-2;
*have no administrative rights

I have already installed a printer from myprintserver on the clients:
name: printer_01
model: HP LJ 3050 (drivers automatically downloaded when installing the printer on
Windows clients for the first time.)
works fine.

Sometimes printers need to be replaced, along with their drivers:
I replaced printer_01 and now it is a Kyocera 4020DN.

And I set the correct driver for printer_01 on myprintserver:
rpcclient -U'user%password' -c 'setdriver printer_01 4020DN' myprintserver
Now all _new_ Windows clients will get the correct driver;
problem:
1) Old clients who have printer_01 will use the old driver (HP). The update does not occur.
If I remove printer_01 on the Windows client, the driver is not removed,
and if I try to connect to \\myprintserver\printer_01 the Windows client will use the HP
driver!
How can I completely remove printer+driver on the Windows client (without
administrative rights), or is there another way to solve the problem?

2) Do some clients need administrative rights to install the printer driver for the first time? Or
will there be an exception when they try the printer options page?


[Samba] samba+cups printing. drivers on clients.

2009-09-02 Thread Sergey Karapetyan
Any help?
Maybe samba or the Windows clients can be forced to always serve/take the drivers when
installing the printer?


Re: [Samba] smbd cannot be killed

2009-03-20 Thread Sergey Manucharian
On Fri, 20 Mar 2009 11:15:41 -0700
Ted Hilts thi...@mcsnet.ca wrote:
... 
 I don't think so.  I think his cpu is swamped

Well, the server remains responsive. I run that kill over ssh, and I
ssh in not PRIOR to, but WHEN the issue happens. Moreover, before killing
I try /etc/rc.d/samba start/stop/restart several times, and after
seeing that it fails I try to kill smbd...

Thanks anyway, Ted.

Cheers,
Sergey


[Samba] smbd cannot be killed

2009-03-19 Thread Sergey Manucharian
Hello folks,

I'm new to this list. Before posting this I tried to search the
archives, but couldn't find anything relevant - so excuse me if it's
been discussed already.

I run a server with Archlinux and Samba 3.2.5 as PDC for ~30
Windows workstations. I have a share containing a CRM-like system with a
whole bunch of DB files and Windows executables (GoldMine). People run
the executables remotely from that share, and normally it works
properly. But once a week it stops working - the DB program cannot
access some files in the share, and also I cannot restart Samba -
several instances of smbd continue running and even kill -9 smbd
doesn't help. After I restart the system in such cases everything
starts working properly.

I've checked the number of open files - it doesn't seem to be too large,
and only 5-6 people can run that DB interface simultaneously.

Could somebody point the direction I should go to catch the actual
problem?

Thanks,
Sergey


Re: [Samba] smbd cannot be killed

2009-03-19 Thread Sergey Manucharian
On Thu, 19 Mar 2009 16:47:36 -0700 (PDT)
Yan Seiner y...@seiner.com wrote:

 
 On Thu, March 19, 2009 3:58 pm, Sergey Manucharian wrote:
  But once in a week it stops working - the DB program cannot
  access some files in the share, and also I cannot restart the Samba
  - several instances of smbd continue running and even kill -9 smbd
  doesn't help. After I restart the system in such cases everything
  starts working properly.
 
  Could somebody point the direction I should go to catch the actual
  problem?
 
 Samba logs?
 
 What does 'ps auxww | grep mbd' say?
 

Thanks for the reply, Yan.

Well, I need to catch such an event one more time...
Both log.smbd and log.smbd.old already do not include the time period
of the failure, log.nmbd contains nothing suspicious (during that time),
just a lot of stuff like:

 process_name_query_request: ...
 process_host_announce: ...
 process_logon_packet: ...
 write_browse_list: ...

Process list at the moment shows 1 nmbd and 12 smbd processes, all
sleeping - again, I need to capture it during the failure. The bad
thing is that when such a failure happens, I do not have much time,
since the users cannot wait - I restart the server ASAP :)

Sergey.
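As an added example (not part of the thread; the ps snapshot is constructed), the first thing to collect when `kill -9 smbd` has no effect: which of the processes are in a state SIGKILL cannot end. A process sleeping uninterruptibly in the kernel (STAT `D`) only dies once the call it is blocked in returns, and a zombie (STAT `Z`) is already dead and merely awaits its parent; counting open files, as the original post did, shows neither. The PIDs and WCHAN symbols below are invented for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: triage smbd processes that survive
# `kill -9`. SIGKILL is acted on when the task leaves the kernel, so a process
# sleeping uninterruptibly (ps STAT "D", usually blocked in I/O or a lock)
# stays until that call returns, and a zombie ("Z") is already dead and only
# waits for its parent to reap it. Checking STAT/WCHAN therefore comes before
# counting open files. The ps snapshot below is constructed; live data comes
# from:  ps -eo pid,ppid,stat,wchan:24,comm | triage_unkillable
set -eu

# stdin: `ps -eo pid,ppid,stat,wchan,comm` output (header included).
# stdout: one line per Samba daemon that SIGKILL cannot remove, with the reason.
triage_unkillable() {
    awk 'NR == 1 { next }                                  # column header
         $5 !~ /^(smbd|nmbd|winbindd)$/ { next }          # Samba daemons only
         $3 ~ /^D/ { printf "%s D-state in %s (kill -9 waits for the syscall)\n", $1, $4; next }
         $3 ~ /^Z/ { printf "%s zombie, reap via parent %s\n", $1, $2; next }'
}

# stdin: same ps output; stdout: count of such processes.
count_unkillable() {
    triage_unkillable | wc -l | tr -d ' '
}

# Constructed snapshot: parent smbd, children in S, D and Z states, and nmbd.
PS_SNAPSHOT='  PID  PPID STAT WCHAN                    COMMAND
    1     0 Ss   do_wait                  init
 2741     1 Ss   inet_csk_accept          smbd
 2744     1 Ss   poll_schedule_timeout    nmbd
 2750  2741 S    poll_schedule_timeout    smbd
 2812  2741 D    lock_rename              smbd
 2899  2741 D    io_schedule              smbd
 2903  2741 Z    -                        smbd'

printf '%s\n' "$PS_SNAPSHOT" | triage_unkillable
```

Run it against live output with `ps -eo pid,ppid,stat,wchan:24,comm | triage_unkillable` during the failure, and for each D-state PID read `/proc/<pid>/stack` (root only) or trigger `echo w > /proc/sysrq-trigger` and read dmesg for the full kernel stack of every blocked task; that, rather than log.smbd, tells you what the stuck smbd is waiting on.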


[Samba] samba + ADS in native mode

2008-10-02 Thread Sergey Pororegnik
Hello, friends.
Before the change of the Active Directory Server mode to native mode, user
authentication didn't work. In native ADS mode I need to use kerberos.

OS: RHEL 4 (x86)
Samba: 3.0.10-1.4E
Kerberos: 1.3.4-9
Domain controller: Win 2003 ADS in native mode



# more /etc/samba/smb.conf
[global]
   workgroup = DOMAIN
   server string = FTP Server
   netbios name = SRVFTP
   log file = /var/log/samba/%m.log
   log level = 3 auth:5 passdb:5
   max log size = 500
   security = ADS
   realm = CORP.DOMAIN.COM
   encrypt passwords = yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   dns proxy = no
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   auth methods = winbind
   idmap uid = 1-2
   idmap gid = 1-2
   winbind separator = +
   winbind nested groups = yes
   password server = dc1.domain.local
   case sensitive = no




# more /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = CORP.DOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 CORP.DOMAIN.COM = {
  kdc = dc1.domain.local:88
  admin_server = dc1.domain.local:749
  default_domain = CORP.DOMAIN.COM
 }

[domain_realm]
 .domain.local = CORP.DOMAIN.COM
 domain.local = CORP.DOMAIN.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }





# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
10/02/08 10:20:43  10/02/08 20:20:50  krbtgt/[EMAIL PROTECTED]
        renew until 10/02/08 20:20:43
10/02/08 10:24:30  10/02/08 20:20:50  [EMAIL PROTECTED]
        renew until 10/02/08 20:20:43


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached




# wbinfo -a [EMAIL PROTECTED]
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc064)
error message was: No such user
Could not authenticate user [EMAIL PROTECTED] with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc064)
error message was: No such user
Could not authenticate user [EMAIL PROTECTED] with challenge/response


# wbinfo -g
and
# wbinfo -u
work correct.

---
Best regards, Sergey Ivanov.


[Samba] wbinfo -t: NT_STATUS_INVALID_COMPUTER_NAME error

2006-04-06 Thread Sergey Matveychuk
samba-3.0.21b on FreeBSD 6.0 and NT4.0 as a PDC.

After joining to a domain I can get a users list and a groups list with
wbinfo -u|-g but authentication does not work and when I try wbinfo -t
I've got the message:

checking the trust secret via RPC calls failed
error code was NT_STATUS_INVALID_COMPUTER_NAME (0xc0000122)
Could not check secret

It worked just once after I restarted winbind, but the next time I
restarted it, it stopped working again.

Any help please?
-- 
Sem.


Re: [Samba] User Primary group problem

2005-12-07 Thread Sergey Loskutov

Michael Barnes wrote:
This only makes the user a member of a group.  It does not change the 
PRIMARY GROUP of the user.


Ideally, I want to set the primary group of the user at the time of user 
creation.  Lacking that, I'd like to be able to change the user's 
primary NTgroup and Unixgroup at the same time.


Michael

Craig White told me on 12/6/2005 18:30:

On Tue, 2005-12-06 at 14:08 -0600, Michael Barnes wrote:

How do I establish both a user's primary NTgroup and Unixgroup when 
creating a new user?


Depending on the tool, I can set his NTgroup or his Unix group, but I 
don't seem to be able to establish both with one tool.






man smb.conf

Example: add user to group script = /usr/sbin/adduser %u %g

Craig


man smb.conf
Option: set primary group script
Example: set primary group script = ( your_script | idealx script )
But the idealx script does not delete the primary group in smbldap-userdel.

Sergey Loskutov


Re: SV: [Samba] Error with usrmgr and groups.

2005-05-11 Thread Sergey Loskutov
Joel Larsson, PF, Posten wrote:
It's exactly the same, except that I use tdbsam instead of ldap, and the error
message is therefore also different in the log file. But the example and result
are the same. Do you have any idea of a workaround or fix?
Cheers, 
Joel


-----Original Message-----
From: Doug Campbell [mailto:[EMAIL PROTECTED]
Sent: 11 May 2005 10:49
To: Joel Larsson, PF, Posten; samba@lists.samba.org
Subject: RE: [Samba] Error with usrmgr and groups.


I have a problem when using samba together with usrmgr. When adding a
global group I get an error message. The group is still created. You
can't see it before you refresh, but that's a minor detail.

Joel,
I submitted a bug report on this a month or so back but it is still marked
as new.  Maybe take a look and see if what I describe there is the same
problem as you are having (it sounds like it to me).  Here is the link:
https://bugzilla.samba.org/show_bug.cgi?id=2509
Doug


In the logfiles
May 10 17:47:27 lanchester smbd[28424]: [2005/05/10 17:47:27, 0]
passdb/pdb_tdb.c:tdbsam_tdbopen(195)
May 10 17:47:27 lanchester smbd[28424]:   Unable to open/create TDB
passwd
May 10 17:47:27 lanchester smbd[28424]: [2005/05/10 17:47:27, 0]
passdb/pdb_tdb.c:tdbsam_getsampwrid(488)
May 10 17:47:27 lanchester smbd[28424]:   pdb_getsampwrid: Unable to
open TDB rid database!


Also, when trying to add or remove members of the group the same error
message appears in the log file. And the error message in usrmgr is
"The user name could not be found". It appears when I try to add or
remove more than one user, but sometimes it appears when just adding or
removing one user.

If I instead click on the user and add a group it works fine 100% of the
times.

Any ideas what could be wrong? I have tried both 3.0.11 and 3.0.14a but
there is no difference.

Cheers,
Joel


Hello !
A long time ago I wrote a patch that fixed several bugs with usrmgr.exe, but
the developer group either ignored it or has not noticed it. This patch will help you, and maybe
you can explain this patch to the developers... my English is very poor..



--- srv_samr_nt.c.orig  2005-03-16 09:33:15.394423183 -1000
+++ srv_samr_nt.c   2005-03-17 17:41:13.297259499 -1000
@@ -2865,8 +2865,10 @@
 * id21.  I don't know if they need to be set.--jerry
 */
  
-   if (IS_SAM_CHANGED(pwd, PDB_GROUPSID))
-   set_unix_primary_group(pwd);
+   if (IS_SAM_CHANGED(pwd, PDB_GROUPSID)  !set_unix_primary_group(pwd) ) 
{
+  pdb_free_sam(pwd);
+  return False;
+   }
 
/* write the change out */
if(!pdb_update_sam_account(pwd)) {
@@ -2933,8 +2935,10 @@
  
ZERO_STRUCT(plaintext_buf);
  
-   if (IS_SAM_CHANGED(pwd, PDB_GROUPSID))
-   set_unix_primary_group(pwd);
+   if (IS_SAM_CHANGED(pwd, PDB_GROUPSID)  !set_unix_primary_group(pwd) ) 
{
+   pdb_free_sam(pwd);
+   return False;
+   }
 
if(!pdb_update_sam_account(pwd)) {
pdb_free_sam(pwd);
@@ -3624,12 +3628,16 @@
 
sid_copy(user_sid, get_global_sam_sid());
sid_append_rid(user_sid, q_u-rid);
-
+   
+
ret = pdb_init_sam(sam_user);
+   
if (!NT_STATUS_IS_OK(ret))
return ret;

+   become_root(); 
check = pdb_getsampwsid(sam_user, user_sid);
+   unbecome_root();

if (check != True) {
pdb_free_sam(sam_user);
@@ -3708,6 +3716,7 @@
uint32 acc_granted;
SE_PRIV se_rights;
BOOL can_add_accounts;
+   BOOL ret;
 
/*
 * delete the group member named q_u-rid
@@ -3740,7 +3749,12 @@
 
/* check if the user exists before trying to remove it from the group */
pdb_init_sam(sam_pass);
-   if (!pdb_getsampwsid(sam_pass, user_sid)) {
+   
+   become_root();
+   ret = pdb_getsampwsid(sam_pass, user_sid);
+   unbecome_root();
+   
+   if (!ret) {
DEBUG(5,(User %s doesn't exist.\n, 
pdb_get_username(sam_pass)));
pdb_free_sam(sam_pass);
return NT_STATUS_NO_SUCH_USER;
@@ -4253,6 +4267,7 @@
GROUP_MAP map;
GROUP_INFO_CTR *ctr;
uint32 acc_granted;
+   BOOL ret;
 
if (!get_lsa_policy_samr_sid(p, q_u-pol, group_sid, acc_granted))
return NT_STATUS_INVALID_HANDLE;
@@ -4276,9 +4291,13 @@
default:
return NT_STATUS_INVALID_INFO_CLASS;
}
+   
+   become_root();
+   ret = pdb_update_group_mapping_entry(map);
+   unbecome_root();
 
-   if(!pdb_update_group_mapping_entry(map)) {
-   return NT_STATUS_NO_SUCH_GROUP;
+   if(!ret) {
+ return NT_STATUS_NO_SUCH_GROUP;
}
 
return NT_STATUS_OK;
@@ -4430,6 +4449,7 @@
BOOL

[Samba] usrmgr.exe and problems

2005-03-16 Thread Sergey Loskutov
Hello!
Jerry, you are right about the script and permissions!
I looked again at usrmgr.exe and have corrected most of the problems
of which I spoke earlier.
This patch corrects most problems, but at the current moment I can't fix
the problem where a non-root user creates a global group ... sorry :(

This patch does not create security holes or other holes ... :)
I'm testing and it is looking good ...
I'm trying to help you, I hope :)
Sergey Loskutov
--- srv_samr_nt.c.orig  2005-03-16 09:33:15.394423183 -1000
+++ srv_samr_nt.c   2005-03-17 17:41:13.297259499 -1000
@@ -2865,8 +2865,10 @@
 * id21.  I don't know if they need to be set.--jerry
 */
  
-   if (IS_SAM_CHANGED(pwd, PDB_GROUPSID))
-   set_unix_primary_group(pwd);
+   if (IS_SAM_CHANGED(pwd, PDB_GROUPSID)  !set_unix_primary_group(pwd) ) 
{
+  pdb_free_sam(pwd);
+  return False;
+   }
 
/* write the change out */
if(!pdb_update_sam_account(pwd)) {
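Review bot: the early return is the right direction, since refusing to write the SAM record when the Unix primary group could not be changed keeps the NT and POSIX views from diverging, but it fails silently: the caller gets False with no log line saying that `set_unix_primary_group` failed or for whom. Add a DEBUG(...) with `pdb_get_username(pwd)` before `pdb_free_sam(pwd); return False;` so the admin can tie the usrmgr error to a failing "set primary group script". Note also that the operator between the two conditions has not survived the archive: `IS_SAM_CHANGED(pwd, PDB_GROUPSID)  !set_unix_primary_group(pwd)` needs its `&&` back before this compiles.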
@@ -2933,8 +2935,10 @@
  
ZERO_STRUCT(plaintext_buf);
  
-   if (IS_SAM_CHANGED(pwd, PDB_GROUPSID))
-   set_unix_primary_group(pwd);
+   if (IS_SAM_CHANGED(pwd, PDB_GROUPSID)  !set_unix_primary_group(pwd) ) 
{
+   pdb_free_sam(pwd);
+   return False;
+   }
 
if(!pdb_update_sam_account(pwd)) {
pdb_free_sam(pwd);
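Review bot: this is the same four-line change as in the previous hunk, applied to the second set_user_info path; if the failure handling grows a log message or a status finer than False, the two copies will drift, so either keep them byte-identical or pull the check into one small helper both paths call. The indentation of the `pdb_free_sam`/`return False` lines also differs between the two copies (two spaces above, a tab here); match the file's tab style in both.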
@@ -3624,12 +3628,16 @@
 
sid_copy(user_sid, get_global_sam_sid());
sid_append_rid(user_sid, q_u-rid);
-
+   
+
ret = pdb_init_sam(sam_user);
+   
if (!NT_STATUS_IS_OK(ret))
return ret;

+   become_root(); 
check = pdb_getsampwsid(sam_user, user_sid);
+   unbecome_root();

if (check != True) {
pdb_free_sam(sam_user);
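Review bot: elevating only around `pdb_getsampwsid` is the right shape: the root window covers a single read, `unbecome_root()` is always reached, and it is exactly what lets a non-root client resolve the member SID when the passdb (tdbsam's passwd tdb in the usrmgr thread) is readable by root only. Two points: the lookup now runs as root before any access check visible in this hunk, so confirm that the `acc_granted` check on the alias handle sits above this point in the function; and the two `+` lines that add nothing but trailing whitespace (after `sid_append_rid` and after `pdb_init_sam`) should be dropped from the patch.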
@@ -3708,6 +3716,7 @@
uint32 acc_granted;
SE_PRIV se_rights;
BOOL can_add_accounts;
+   BOOL ret;
 
/*
 * delete the group member named q_u-rid
@@ -3740,7 +3749,12 @@
 
/* check if the user exists before trying to remove it from the group */
pdb_init_sam(sam_pass);
-   if (!pdb_getsampwsid(sam_pass, user_sid)) {
+   
+   become_root();
+   ret = pdb_getsampwsid(sam_pass, user_sid);
+   unbecome_root();
+   
+   if (!ret) {
DEBUG(5,(User %s doesn't exist.\n, 
pdb_get_username(sam_pass)));
pdb_free_sam(sam_pass);
return NT_STATUS_NO_SUCH_USER;
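Review bot: the root window is correctly paired and `ret` is captured before dropping back, but the pre-existing message that now follows it, `DEBUG(5,(User %s doesn't exist.\n, pdb_get_username(sam_pass)))`, prints the username of a record the lookup just failed to fill, so the log will show an empty or stale name. Since the block is being touched, log the SID the client supplied instead (`sid_string_static(user_sid)`, already used elsewhere in this patch).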
@@ -4253,6 +4267,7 @@
GROUP_MAP map;
GROUP_INFO_CTR *ctr;
uint32 acc_granted;
+   BOOL ret;
 
if (!get_lsa_policy_samr_sid(p, q_u-pol, group_sid, acc_granted))
return NT_STATUS_INVALID_HANDLE;
@@ -4276,9 +4291,13 @@
default:
return NT_STATUS_INVALID_INFO_CLASS;
}
+   
+   become_root();
+   ret = pdb_update_group_mapping_entry(map);
+   unbecome_root();
 
-   if(!pdb_update_group_mapping_entry(map)) {
-   return NT_STATUS_NO_SUCH_GROUP;
+   if(!ret) {
+ return NT_STATUS_NO_SUCH_GROUP;
}
 
return NT_STATUS_OK;
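Review bot: unlike the earlier hunks this one elevates a write, `pdb_update_group_mapping_entry(map)` with a `map` built from the client-supplied `GROUP_INFO_CTR`, so the authorisation has to be complete before `become_root()`. The function fetches `acc_granted` through `get_lsa_policy_samr_sid` (visible in the context above), but the check against it is not in this hunk; that check is what a reviewer needs to see before accepting a root-privileged mapping update. Separately, reporting every `!ret` as NT_STATUS_NO_SUCH_GROUP folds I/O and permission failures of the write into "group does not exist"; keep that status for a missing mapping and return a different error for a failed update if the backend can tell the two apart.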
@@ -4430,6 +4449,7 @@
BOOLis_user = False;
NTSTATUSresult;
enum SID_NAME_USE   type = SID_NAME_UNKNOWN;
+   BOOLret;

sid_copy( delete_sid, q_u-sid.sid );

@@ -4466,18 +4486,27 @@

pdb_init_sam(sam_pass);

-   if ( pdb_getsampwsid(sam_pass, delete_sid) ) {
-   is_user = True;
+   become_root();  
+
+   ret = pdb_getsampwsid(sam_pass, delete_sid);
+   
+   if ( ret ) {
+ is_user = True;
} else {
-   /* maybe it is a group */
-   if( !pdb_getgrsid(map, delete_sid) ) {
-   DEBUG(3,(_samr_remove_sid_foreign_domain: %s is not a 
user or a group!\n,
-   sid_string_static(delete_sid)));
-   result = NT_STATUS_INVALID_SID;
-   goto done;
-   }
+ /* maybe it is a group */
+ ret = pdb_getgrsid(map, delete_sid);
+   }
+
+   unbecome_root();
+   
+   if ( !ret ) {
+   DEBUG(3,(_samr_remove_sid_foreign_domain: %s is not a user or 
a group!\n,
+   sid_string_static(delete_sid)));
+   result = NT_STATUS_INVALID_SID;
+   goto done;
}

+   
/* we can only delete a user from a group since we don't have 
   nested groups anyways.  So in the latter case, just say OK */
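Review bot: the control flow is sound: `ret` carries the user lookup and then the group lookup, `unbecome_root()` runs on every path before the `!ret` test, and `goto done` keeps the single exit. The hunk is larger than the change, though, because the DEBUG/`result`/`goto done` block and the `is_user = True;` line are reindented rather than left alone; restore the original indentation so the diff shows only the `become_root()` pair and the `ret` assignments, which also removes the mixed tab and space indentation.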
   
@@ -4486,7 +4515,10 @@
int num_groups, i;
struct group*grp2;

-   if ( pdb_enum_group_mapping(type, mappings, num_groups, 
False)  num_groups0 ) {
+   become_root();
+   ret = pdb_enum_group_mapping(type, mappings, num_groups
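Review bot: this hunk is cut off in the archived copy after `ret = pdb_enum_group_mapping(type, mappings, num_groups`, so the `unbecome_root()` that must follow the `become_root()` added here cannot be seen. Every other hunk in the patch pairs the two; this one needs to be confirmed in the full patch before merging, because an unbalanced `become_root()` leaves the remainder of the SAMR call, including the error paths out of the enumeration, running as root.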

[Samba] Questions about 3.0.12rc1

2005-03-14 Thread Sergey Loskutov
Hello!
Before this post, I sent 3 problems in 3.0.11.
I compiled 3.0.12rc1 and found the following:
1) The primary group setting problem is solved, but a question to the developer:
   You appended to mapping.c in smb_set_primary_group
   ret = smbrun(add_script,NULL);
   flush_pwnam_cache();
   
 But the return code is not checked. If my script exits with code != 0, the
primary group is changed anyway ... ( is the set primary group script still needed ? )

2) Next in this code is winbind, but the debug message string has the code
DEBUG(3,("smb_delete_group:

You used copy/paste  ;)
This affects the functions: smb_add_user_group, smb_delete_user_group
smb_add_user_group has a bug
  if ( winbind_add_user_to_group( unix_user, unix_group ) ) {
 DEBUG(3,("smb_delete_group: winbindd added user (%s) to the group 
(%s)\n",
  unix_user, unix_group));
  return -1;
^^
needed  return 0;

  }
3) I analyzed problem 1
( a user who does not have privileges adds a machine account )
In the function _samr_create_user ( srv_samr_nt.c ) you have the code:
if ( can_add_account )
  become_root();
And if the user does not have the (user|machine) privileges you MAY CREATE A USER (
posix account or machine account ) through the SCRIPT  :(

I changed the code to:
if ( can_add_account == False ) {
  return NT_STATUS_ACCESS_DENIED;
}
It fixed the problem.
I did a simple test and it works correctly, ... but I did not do a full test.
And I want to apologize for my English, well .. you understand ;)
Sergey Loskutov
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Questions about 3.0.12rc1

2005-03-14 Thread Sergey Loskutov
Gerald (Jerry) Carter wrote:
> Sergey Loskutov wrote:
> | Hello!
> |
> | Before this post, I sent 3 problems in 3.0.11
> | I compiled 3.0.12rc1 and found the following:
> |
> | 1) The 'set primary group' problem is solved, but a question for the developer
> |    You appended to mapping.c in smb_set_primary_group
> |    ret = smbrun(add_script, NULL);
> |    flush_pwnam_cache();
> |
> |  But the return code is not checked. If my script exits with code != 0, the
> | primary group is still changed ... ( is the set primary group script still needed ? )
>
> It's just flushing the internal pwnam cache.  Semantically this is ok.
> Probably not optimal.  I'll look at it later.

I know that you are flushing the cache... but thank you.

> | 3)  I analyzed problem 1
> | ( a user who does not have privileges adds a machine account )
> |
> | In function _samr_create_user ( srv_samr_nt.c ) you have this code:
> |
> | if ( can_add_account )
> |     become_root();
> |
> | And if the user does not have privileges (user|machine) you MAY CREATE a USER (
> | posix account or machine account ) through the SCRIPT  :(
> |
> | I changed the code to:
> |
> | if ( can_add_account == False ) {
> |     return NT_STATUS_ACCESS_DENIED;
> | }
> | That fixed the problem.
> | I did a simple test and it works correctly, ... but I
> | did not do a full test.
>
> I've thought about this before.  The problem is actually that
> your 'add user script' can be run successfully as a non-root user.
> A simple 'chmod 700 script; chown root script' will solve this.
> I'll look at it some more but this is not a pressing issue I don't
> think.  smbd is not doing anything that the normal user couldn't do
> anyways.  And your fix doesn't cover all the possible scenarios
> (e.g. root user with no assigned privileges should still be able to join
> clients to the domain).

NO NO NO, not chmod or chown settings.
Why do we need privileges ? :) I want to grant the add-machine privilege to a
user who is not a member of root.
Sample :)
chmod 770 script; chown root.smart man script;
Looks good :)
User:  John ( member of smart man )
User:  Leon ( member of smart man )
I want to give the privilege to John, but not to Leon ...  :)
Why must I use setfacl|getfacl ? I have privileges.
Your decision ... bad.
And anyway a user who has uidNumber == 0 and no privileges is not
able to join machines and users ;) I checked this before sending the code.
And why do you permit executing the script if the code semantics do not allow using LDAP
as a non-member of root ?  Check your LDAP code  ;)
Thank you for your help !
Sergey Loskutov


Re: [Samba] Srvtools causes smbldap_open: cannot access LDAP when not root

2005-02-28 Thread Sergey Loskutov
Tony Earnshaw:
> Doug Campbell:
> [...]
>
> smbldap_open: cannot access LDAP when not root...
>
> [...]
>
> As which user (Unix) is slapd (presume this is OpenLDAP) running?
> Do you have an 'ldap admin dn' entry in smb.conf with rights to all LDAP
> ACLs?
> I.e., I don't have this problem with Samba 3.0.11/OL 2.2.17-23 and
> didn't with 3.0.7, either.
> My smb.conf file does have the ldap admin dn entry.  The relevant section
> of my smb.conf file is as follows:
>
> [...]
> Again, as which Unix user is slapd running? Who is the owner of your DB
> files, config files, etc.? What are the permissions on them? Have you
> certificates (i.e. the CA cert) or anything that smbd has to try to read
> that can only be read by root? Is cn=Manager,dc=swro,dc=local a proxy
> user in your DIT, or the rootdn user in slapd.conf (it's better to make a
> proxy user in the DIT and comment out the rootdn). Can a normal user run
> ldapsearch, for example, without being root? Etc. ;)
> --Tonni
> --
> mail: [EMAIL PROTECTED]
> http://www.billy.demon.nl

Hello!
Samba has the following code in smbldap.c:
#ifndef NO_LDAP_SECURITY
if (geteuid() != 0) {
    DEBUG(0, ("smbldap_open: cannot access LDAP when not root..\n"));
    return LDAP_INSUFFICIENT_ACCESS;
}
#endif
If your user account does not have uid=0, sometimes you get the problem
described above.

If you have the following lines in smb.conf and the user has the privileges below, this
code takes effect:

---
smb.conf:
[global]
 map to guest = Bad User
 enable privileges = Yes
---
User account:
SeMachineAccountPrivilege:  if you join the domain as guest
SeAddUsersPrivilege:  if you try to create a group or change users' membership
not tested:
SePrintOperatorPrivilege
SeRemoteShutdownPrivilege
SeDiskOperatorPrivilege
Better ask what uid :)
Who will write the bug report ? ;)
Best regards,
Loskutov Sergey


[Samba] Problems to samba 3.0.11

2005-02-16 Thread Sergey Loskutov
Hello!
I installed samba-3.0.11 and configured it properly to work with LDAP.
It works fine for me, but I have small problems with security and
user management!

Important parameters of my samba config
[global]
log level = 10
security = user
domain master = yes
domain logons = yes
enable privileges = Yes
workgroup = HOME
netbios name = A
delete user script = /opt/IDEALX/sbin/smbldap-userdel -k -r %u
add user script = /opt/IDEALX/sbin/smbldap-useradd -m %u
add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m %u %g
set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g %g %u
delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x %u
add group script = /opt/IDEALX/sbin/smbldap-groupadd -a -p %g
delete group script = /opt/IDEALX/sbin/smbldap-groupdel %g
add machine script = /opt/IDEALX/sbin/smbldap-useradd -w %u
add group script = /opt/IDEALX/sbin/smbldap-groupadd -p %g
For explanation of my problems, I have the following settings.
Machine A is the PDC of domain HOME
Machine B is not a member of domain HOME, it is a member of workgroup REMOTE
Machine C is a member of domain HOME
Account:   Administrator, member of Domain Admins
Account:   nobody, member of Domain Guests
net rpc says:
linux:/etc/samba # net -U Administrator rpc rights list 'HOME\Administrator'
Password:
SeMachineAccountPrivilege
SeAddUsersPrivilege
linux:/etc/samba #
linux:/etc/samba # net -U Administrator rpc rights list 'HOME\nobody'
Password:
linux:/etc/samba #
User Administrator  UID: 512   ( I read a post before where Samba members
say "You don't need to have uid 0 any more ... use privileges ;)" )
User nobody  UID:

I use the tools usrmgr.exe and srvmgr.exe
Join from C to domain HOME ... OK
Create user in default group Domain Users  ... OK
Add machine to domain  OK
Problem 1.
From machine B launch srvmgr.exe and select domain HOME.
Domain HOME does not trust workgroup REMOTE and I enter domain HOME as
nobody
Try to add machine INTRUDER to domain HOME and get the message "Access
denied".

I parsed the debug messages ..  and found the problem ...
Step 1
samba added machine INTRUDER to ldap through the add machine script,
but did not set samba attributes on this machine account
Step 2
Samba checks the privileges of user nobody and sends the message "access denied" to
the remote host

Why ?
Any user who is not a member of my domain HOME creates machine accounts in my ldap
server, and  o my god  my database is big, very big : )))

Problem 2.
Launch usrmgr.exe
Try to create a user
Username:  John.  Press the group button.  The user is by default a member of
Domain Users
Add group Domain Admins, press ok  and next ok ... the user is created .
it's great!

Select properties of user John and press the group button again. Select group
Domain Admins  and press set primary group, next remove membership of
Domain Users
And press OK
Devil :(
I get the error "Access denied"
Why ??? Again parsing the debug messages
1) Samba sets primary group Domain Admins for user john
2) Samba tries to remove user john from group Domain Users, but  samba says
"User 'John' has primary group 'Domain Users'" and generates the message "Access
denied"

The IDEALX script has incorrect code in smbldap-usermod -g . We MUST  set the
primary group, but before that the user MUST be a member of the old primary group ...
the IDEALX script
does not do this..

Problem 3.
User Administrator has the privilege 'SeAddUsersPrivilege', look above :)
Try to create a group ...
Group name:  Internet Access
Members:   Administrator,John
Press the OK button
Devil again :(
Get the message "Access Denied"
1) Samba calls the add group script, the group is created
2) Samba tries to append samba parameters to group Internet Access and says
_samr_set_groupinfo: access check ((granted: 00;  required:
0x0002)
_samr_set_groupinfo: ACCESS DENIED (granted: 00;  required:
0x0002)

Please fix samba-3.0.11 or explain what is wrong ???
Analysis of the 3.0.11 code tells me ... it is bad, very bad
Best regards,
Senior engineer of network department MTCES the Magadan.
Loskutov Sergey
mailto:[EMAIL PROTECTED]
phone. +7 90250 82016, +7 41322 27150




[Samba] failed domain logon

2004-06-29 Thread Sergey V.
we have:

samba 3.0.4 + w2k

from some workstations I can log on to the domain, from others not
in the logs I found 'authentication for user [USER] succeeded'
but after all that - logoff

thought the causes were spnego, signing or schannel
turned them off on samba and the workstation


all the same :(


Sergey



Re: [Samba] failed domain logon

2004-06-29 Thread sergey
appears to be solved
I think it was a corrupted db
I just rejoined the troubled ws

Thanks!
Sergey
Sergey V. wrote:
> we have:
>
> samba 3.0.4 + w2k
> from some workstations I can log on to the domain, from others not
> in the logs I found 'authentication for user [USER] succeeded'
> but after all that - logoff
> thought the causes were spnego, signing or schannel
> turned them off on samba and the workstation
>
> all the same :(
> Sergey
 



[Samba] Dual boot (Win2K, Linux) client machine - one trust machine account

2004-02-23 Thread Sergey Proskurnya
Hello to all,

there is a LAN with a Windows domain running on a genuine Windows 2003 server.
I have a computer with both Linux and Win2K installed and I want it to be a
member of the domain in Windows and in Linux as well.
But there is the problem: if I join the domain in Win2K, then
Samba (3.0.2a) does not work in Linux and it is necessary to re-join
the domain in Linux. But after this W2K does not work - it is necessary
to re-join again. I have extracted the domain SID from the Windows registry
and set it in Samba with the help of the setlocalsid command, but this
doesn't help. After setting the SID values from Windows, I see new error
messages in Samba:
[2004/02/22 18:28:28, 0] auth/auth_domain.c:connect_to_domain_password_server(123)
  connect_to_domain_password_server: unable to setup the NETLOGON
  credentials to machine MY_WIN_PDC. Error was : NT_STATUS_ACCESS_DENIED.

And the command "smbclient -L SOME_WKS" returns the following:
session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
Does anybody have ideas/a workaround for that?

Thanks a lot,
Sergey.


[Samba] GOOD DAY

2003-12-03 Thread MR. DAVYDOV SERGEY
MR. DAVYDOV  SERGEY
THE SAVINGS BANK OF THE RUSSIAN FEDERATION
KIOVSKY BRANCH
SAMARA
REPUBLIC OF RUSSIAN FEDERATION
I am Mr. Davydov Sergey, Bank Manager of The Savings Bank Of Russian Federation, 
Kiovsky Branch, 
Samra, R.O.C. I have urgent and very confidential business proposition for you. 
On February 9, 2000, a America Oil consultant/contractor with the Russian Solid 
Minerals Corporation, 
Mr. Trumps Levelle made a numbered time (Fixed) Deposit for twelve calendar months, 
valued at 
US$30,000,000.00 (Thirty Million Dollars) in my branch. Upon maturity, I sent a 
routine notification to 
his forwarding address but got no reply. After a month, we sent a reminder and finally 
we discovered
 from his contract employers, the Russian Solid Minerals Corporation that Mr. Trumps 
Levelle died from
 an automobile accident.  On further investigation, I found out that he died without 
making a 
WILL, and all attempts to trace his next of kin failed.  I therefore made further 
investigation and 
discovered that Mr. Trumps Levelle did not declare any kin or relations in all his 
official documents, 
including his Bank Deposit paperwork in my Bank. This sum of US$30,000,000.00 is still 
sitting in my 
Bank and the interest is being rolled over with the principal sum at the end of each 
year. No one will 
ever come forward to claim it.  According to Laws of Republic of Russian Federation, 
at the expiration of 5 (five) 
years, the money will revert to the ownership of the Russian Government if nobody 
applies to claim the fund. 
Consequently, my proposal is that I will like you as a foreigner to  stand in as the 
next of kin to Mr. Trumps 
Levelle so that the fruits of this old man's labor will not get into the hands of some 
corrupt 
government officials. This is simple, I will like you to provide  immediately your 
full names and address so 
that the attorney will prepare the necessary documents  that will put you in place as 
the 
next of kin. We shall employ the services of an attorney for drafting 
and notarization of the WILL and to obtain the necessary documents and 
letter in your favor for the transfer. A bank account in any part of the world that 
you will provide will then 
facilitate the transfer of this money to you as the beneficiary/next of kin. The money 
will be paid into your 
account for us to share in the ratio of 70% for me 30% for you. 
There is no risk at all as all the paperwork for this transaction will 
be done by the attorney and my position as the Branch Manager guarantees the 
successful execution of this transaction. 
If you are interested, please reply immediately via the private email 
address above. Upon your response, I shall then provide you with more 
details and relevant documents that will help you understand the 
transaction. Please send me your confidential telephone and fax numbers for easy 
communication. 
Please observe utmost confidentiality, and rest assured that this 
transaction would be most profitable for both of us because I shall require your 
assistance to invest my share in your country. 
Awaiting your urgent reply via my email address. 
Thanks and regards. 
Mr. Davydov. 


[Samba] Winbindd+LDAP problem: Id mapping data is stored partially

2003-11-10 Thread Sergey Proskurnya
Hello to all,

I have installed Samba 3.0.0 PDC + OpenLDAP 2.1.
Additionally, I use "wbinfo -c" to create users
and winbindd + libnss_winbind.so to resolve these
users in Unix (SID to Unix id mapping).
But I have found that the users' data, created by
the "wbinfo -c" command, is not completely stored
in the LDAP backend.
The sambaUnixIdPool objectclass is stored in LDAP,
but sambaIdmapEntry is not. Instead, there is
a file /var/locks/winbindd_idmap.tdb, which contains
the actual SID-uid mappings along with the users' template
information (UNIX user's home, shell, etc.).
The question: how can I get winbindd to store all
information in the LDAP backend?
These are the settings related to winbind:

winbind enable local accounts = yes
winbind separator=@
idmap backend = ldap:ldap://localhost:389/
idmap uid = 2-3
idmap gid = 2-3
winbind enum groups = yes
winbind enum users = yes
winbind cache time = 5
winbind use default domain = yes
template homedir = /home/%U
template shell = /bin/false
template primary group = users
Thanks,
Sergey Proskurnya.


[Samba] Winbind+OpenLDAP: Id mapping data is stored partially

2003-11-10 Thread Sergey Proskurnya
Hello to all,

I have installed Samba 3.0.0 PDC + OpenLDAP 2.1.
Additionally, I use "wbinfo -c" to create users
and winbindd + libnss_winbind.so to resolve these
users in Unix (SID to Unix id mapping).
But I have found that the users' data, created by
the "wbinfo -c" command, is not completely stored
in the LDAP backend.
The sambaUnixIdPool objectclass is stored in LDAP,
but sambaIdmapEntry is not. Instead, there is
a file /var/locks/winbindd_idmap.tdb, which contains
the actual SID-uid mappings along with the users' template
information (UNIX user's home, shell, etc.).
The question: how can I get winbindd to store all
information in the LDAP backend?
These are the settings related to winbind:

winbind enable local accounts = yes
winbind separator=@
idmap backend = ldap:ldap://localhost:389/
idmap uid = 2-3
idmap gid = 2-3
winbind enum groups = yes
winbind enum users = yes
winbind cache time = 5
winbind use default domain = yes
template homedir = /home/%U
template shell = /bin/false
template primary group = users
Thanks,
Sergey Proskurnya.


[Samba] Strange invocation of DELETE USER SCRIPT

2003-10-28 Thread Sergey Proskurnya
Hello to all,

I have successfully installed Samba as a PDC using LDAP.
I also use winbindd + libnss_winbind to handle
Unix/system accounts and use "wbinfo -c username" to
create unix accounts for newly created users.
I have the following options in my smb.conf:
add user script = /usr/local/sbin/wb_adduser.sh %u
delete user script = /usr/local/sbin/wb_deluser.sh %u
After some testing with creating and deleting users
via MS UserManagerForDomains (I have tried "net rpc user ADD" also),
I have discovered that the delete user script is not invoked.
During some dancing with smbd/winbindd I have found
that SMBD is very smart: it DOES NOT invoke the delete user script
if the user's account was created using winbindd and stored in LDAP as well.
In this case SMBD calls/uses WINBINDD directly to delete the user
account.
Such intelligent behaviour may be good for some reason,
but not in this case: in my delete user script I want to do
some extra stuff, not just user removal.
Could you please advise me of some workaround for this problem?
And of course, such behaviour must be documented (I haven't found any
words about this in smb.conf(5) and Samba-HOWTO-Collection.html).

Thanks,
Sergey Proskurnya.


Re: [Samba] KDC has no support for encryption type

2003-06-26 Thread Sergey Smirnov
Gerald (Jerry) Carter wrote:
| On Wed, 25 Jun 2003, Sergey Smirnov wrote:
|
|~  kerberos_kinit_password [EMAIL PROTECTED] failed: KDC has no support
|for encryption type
|
| Change the admin password on the Windows DC once and you'll be set to go.

How can I change it? I know this password but can't change it because
I'm just a UNIX sysadmin.

| cheers, jerry
|  --
|  Hewlett-Packard- http://www.hp.com
|  SAMBA Team -- http://www.samba.org
|  GnuPG Key   http://www.plainjoe.org/gpg_public.asc
|  You can never go home again, Oatman, but I guess you can shop there.
| --John Cusack - Grosse Point Blank (1997)
--
Sergey Smirnov


[Samba] KDC has no support for encryption type

2003-06-25 Thread Sergey Smirnov
I'm using samba 3.0.0beta1.
When I try to join ADS I get this error:
# net ADS JOIN  -U Administrator
[2003/06/25 13:03:34, 1] param/loadparm.c:lp_do_parameter(3103)
~  WARNING: The winbind uid option is deprecated
[2003/06/25 13:03:34, 1] param/loadparm.c:lp_do_parameter(3103)
~  WARNING: The winbind gid option is deprecated
Administrator password:
[2003/06/25 13:03:44, 1] libsmb/clikrb5.c:ads_krb5_mk_req(267)
~  krb5_cc_get_principal failed (No credentials cache found)
[2003/06/25 13:03:44, 0] libads/ldap.c:ads_join_realm(1352)
~  Host account for cache already exists - deleting old account
[2003/06/25 13:03:44, 1] libads/krb5_setpw.c:do_krb5_kpasswd_request(403)
~  send of chpw failed (Operation not permitted)
ads_set_machine_password: Operation not permitted
#net ads TESTJOIN
[2003/06/25 13:05:26, 1] param/loadparm.c:lp_do_parameter(3103)
~  WARNING: The winbind uid option is deprecated
[2003/06/25 13:05:26, 1] param/loadparm.c:lp_do_parameter(3103)
~  WARNING: The winbind gid option is deprecated
[2003/06/25 13:05:26, 1] libsmb/clikrb5.c:ads_krb5_mk_req(267)
~  krb5_cc_get_principal failed (No credentials cache found)
[2003/06/25 13:05:26, 0] libads/kerberos.c:ads_kinit_password(133)
~  kerberos_kinit_password [EMAIL PROTECTED] failed: KDC has no support
for encryption type
[2003/06/25 13:05:26, 1] libsmb/clikrb5.c:ads_krb5_mk_req(267)
~  krb5_cc_get_principal failed (No credentials cache found)
[2003/06/25 13:05:26, 0] libads/kerberos.c:ads_kinit_password(133)
~  kerberos_kinit_password [EMAIL PROTECTED] failed: KDC has no support
for encryption type
[2003/06/25 13:05:26, 1] utils/net_ads.c:ads_startup(176)
~  ads_connect: Invalid credentials
Join to domain is not valid
--
Sergey Smirnov


Re: [Samba] Time synchronizing a Samba (member) server

2003-06-22 Thread Sergey Badamshin

Ak> Is it possible to synchronize the time of a Samba (member) server
Ak> running in a W2K-domain with a W2K-server which is also the time-server
Ak> for our domain??

Ak> Thanks

Ak> AdK.

Is it a problem to put 'rdate -s your-time-server' in cron?

Serge.





[Samba] samba-python

2003-06-21 Thread Sergey Badamshin
Hello everybody.

Got a problem: I need to access the samba libs from python without installing
samba3 (samba 2.2.8 is working well there and we're not going to upgrade it to
3beta for a while). Is it possible at all?
I've tried to test that:
1) downloaded samba-3.0.0beta1 sources;
2) done './configure --with-python=python2' - OK
3) done 'make' - OK
4) done 'make python_ext' - OK
5) done 'make python_install' - OK
Now running python2 I'm trying:
>>> from samba import smb
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
ImportError: /usr/lib/python2.1/site-packages/samba/smb.so: undefined symbol:
dominfo_attr_list

Similar errors appear while importing other modules.

At last, what should I do?

Yours, Sergey Badamshin





[Samba] Re: network printers

2003-06-06 Thread Sergey Buts
I tried to decrease the number of users but it didn't help. In order to check a
network printer connected to a workstation I had to leave at least 2
workstations. I meant the network printers not connected to the server
but ones connected to workstations.

Thomas Wong wrote:

> What happens when you go back to having one user on the list only? Does
> it work again or is it still failing?





[Samba] network printers

2003-06-04 Thread Sergey Buts
Hi, 
 
I've configured Samba as a PDC. It is to serve Windows 98/2000/XP workstations.
At first everything worked fine, but as new users are added to the domain
serious trouble occurs. The network printers begin to refuse access. And then
I noticed that the workstations begin to refuse access too.

smb.conf
---
[global]
netbios name = OBLR
workgroup = X125
server string = Samba PDC

os level = 99
preferred master = yes
domain master = yes
local master = yes
wins support = yes

security = user
encrypt passwords = yes

domain logons = yes
logon path = \\%N\profiles\%u
logon drive = H:
logon home = \\oblr\%u
logon script = scripts\%U.cmd


socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 
SO_SNDBUF=8192

bind interfaces only = yes
interfaces = 10.109.0.1/255.255.255.0

preserve case = yes
short preserve case = yes
case sensitive = no

client code page = 866
character set = KOI8-R

guest account = guestuser

log level = 2
log file = /usr/local/samba/var/log.%m

enhanced browsing = yes

time server = yes

name resolve order = lmhosts host wins bcast
[netlogon]
comment = Network Logon Service
path = /usr2/samba/netlogon
readonly = yes
write list = ntadmin
guest ok = yes
share modes = no

[profiles]
comment = User profiles
browseable = no
guest ok = yes
writable = yes
path = /usr2/samba/ntprofiles
read only = no
create mask = 0600
directory mask = 0700
logon script = start.bat

[public]
comment = PUBLIC
path = /usr2/public
public = yes
writable = yes
printable = no
directory mask = 0770
create mask = 0770

[local]
   comment = SIT
path = /usr3/films
public = no
writable = no
printable = no
directory mask = 0770
create mask = 0770
valid users = to01 to02 to03 anv siriy laa bas pc2 sdtu05 vad sdtu_tm 
write list = to01 to02 to03 anv siriy laa bas pc2 vad
[asu]
comment = ASU
path = /usr2/asu
public = no
writable = no
printable = no
directory mask = 0770
create mask = 0770
valid users = laa anv odst siriy ods04 oper01 oper02 tre02 tre04 tre01
write list = laa anv odst siriy ods04 oper01 oper02 tre02 tre04 tre01

---


 
Thank you for your help, 
 
Sergey


Re: [Samba] network printers

2003-06-04 Thread Sergey Buts
Sorry for being misleading.
I meant the printers not connected to the server but the ones on the workstations.

To add new users and machines I use the following shell scripts:
add-user.sh
---
:
/usr/sbin/pw user add -n $1 -g soe
/usr/bin/passwd $1
./smbpasswd -a $1
cp /usr2/samba/templates/logon.cmd /usr2/samba/netlogon/scripts/$1.cmd
---

add-machine.sh
---
:
/usr/sbin/pw user add $1$ -g ntusers -d /dev/null -s /sbin/nologin
./smbpasswd -a -m $1
---

I use:
FreeBSD 4.8-STABLE
Samba 2.8.8 (the same problem on version 3.0.24)



> How do you add new users? I didn't see shares named [printers] or
> [homes] in the posted smb.conf.
>
> And not knowing the exact difference, shouldn't
> the line
> logon home = \\oblr\%u
> better read
> logon home = \\oblr\%U
>
> Best regards,
>
> Wolfi


[Samba] question

2003-06-03 Thread Sergey Zaikov
   Hello!!!

I have a question:
Can I use Samba to run Windows applications remotely on Windows
9x/NT/2000/XP?

Thanks



  Sergey.


POSIX ACL to NT ACL bugs in get_nt_acl()

2003-03-07 Thread Sergey Zhitomirsky
Hello, the described below happens both in samba 2.2.7a and 3.0-alpha22 (
--with-acl-support)

First bug:
As it is easy to check, smbd, when asked about the ACL entry of a file,
never sends DENY Access Control Entries to the client OS, only ALLOW.

so for example for an XFS file with acl:

 # owner: a
 user::r--
 group::rwx
 other::rwx

  the Win2K security tab shows for user a:
   Read & exec = nothing here
   Read        = Allowed
   Write       = nothing here

 But in fact, the POSIX ACL will allow user a to read from the file
 and deny writing to or executing the file, as the posix acl will not consult any
 other ACL entries after finding the appropriate user:: entry.

 Now let's see what the Win2K user will expect when looking at this shown ACL.
 As the NT ACL logic supposes, in case of "nothing here"
  further ACL entries will be consulted, so in this case the NT user supposes
  that he has rwx rights on the file due to the other::rwx rule,
  shown in the Win2K security tab as   Everybody: Full Access=Allowed

  but when he tries to write - he receives Permission Denied.
  So this situation is plain wrong
  the flags sent to Win2K must have been instead:
   Read & exec = Deny
   Read        = Allowed
   Write       = Deny

  So that is a samba bug, as samba must have sent DENY for write and
  execute and ALLOW for read for this user's file (user::r--),
  but now it just sends ALLOW for read.


Second bug:
The Take ownership flag is currently always set ALLOWED for EVERY ACE
but actually only the root user can take ownership of the file under Unix,
so this is plain wrong.
As far as I see, this bug was introduced because of the first bug AND
NT4 refusing to show an empty ACL.

Third Bug:
In POSIX every user who can see a file can also always
   1) Read the ACL of the file
   2) Read the attributes of the file.
so SMBD should always show that these things are allowed, but it fails to
do that.
Of course due to the FIRST BUG this is not very annoying, as there are no
entries shown that this is forbidden.


In the next e-mail I will send patches fixing all 3 bugs in samba 2.2.7a &
3.0 alpha 22


--
Zhitomirsky Sergey.
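As an added example (not Samba's code and not the patch that follows), here is a small C model of the mapping this post argues for: each POSIX entry becomes an ALLOW mask plus the DENY mask that closes it, read-ACL and read-attributes are always allowed, and take-ownership is allowed only for root. Next to it sit a simplified POSIX evaluator and a simplified NT list-order evaluator, so the fall-through to other::rwx that the post describes can be reproduced with allow-only ACEs and shown to disappear once the deny ACEs are emitted. The ACE_* bit values, the uids and the file mode are constructed stand-ins, not Samba's SEC_ACCESS masks, and the group class is left out.

```c
/* Added example, not Samba's code: POSIX entry -> NT allow/deny masks, plus
 * toy POSIX and NT evaluators for the user::r-- / other::rwx file from the
 * post. ACE_* values and uids are constructed, not Samba's real masks. */
#include <stddef.h>
#include <stdint.h>
#include <sys/stat.h>
#include <sys/types.h>

#define ACE_READ            0x001u
#define ACE_WRITE           0x002u
#define ACE_EXEC            0x004u
#define ACE_RWX             (ACE_READ | ACE_WRITE | ACE_EXEC)
#define ACE_READ_CONTROL    0x100u   /* read the ACL itself */
#define ACE_READ_ATTRIBUTES 0x200u
#define ACE_WRITE_OWNER     0x400u   /* "Take ownership" in the security tab */

#define UID_A 1000u   /* constructed: the owner "a" from the XFS example */
#define UID_B 1001u   /* constructed: an unrelated user */
#define FILE_MODE (S_IRUSR | S_IRWXO)   /* user::r-- other::rwx, group omitted */

typedef struct { uint32_t allow, deny; } nt_masks;

typedef struct {
    int      everyone;   /* 1: ACE applies to any requester (POSIX "other") */
    uid_t    trustee;    /* uid the ACE names when everyone == 0 */
    int      is_deny;    /* 1: ACCESS_DENIED, 0: ACCESS_ALLOWED */
    uint32_t mask;
} nt_ace;

/* One POSIX entry (perms in the S_I?USR bit positions, the way Samba keeps
 * them in canon_ace) becomes an ALLOW mask and the DENY mask that closes it. */
nt_masks map_posix_perms(mode_t perms, int is_root_user_ace)
{
    nt_masks m = { 0, 0 };
    if (perms & S_IRUSR) m.allow |= ACE_READ;
    if (perms & S_IWUSR) m.allow |= ACE_WRITE;
    if (perms & S_IXUSR) m.allow |= ACE_EXEC;
    /* Bug 1: everything this entry does not grant is denied explicitly. */
    m.deny = ACE_RWX & ~m.allow;
    /* Bug 3: reading the ACL and the attributes is always possible in POSIX. */
    m.allow |= ACE_READ_CONTROL | ACE_READ_ATTRIBUTES;
    /* Bug 2: only root can take ownership of a file under Unix. */
    if (is_root_user_ace) m.allow |= ACE_WRITE_OWNER;
    else                  m.deny  |= ACE_WRITE_OWNER;
    return m;
}

/* Simplified NT evaluation: walk the list in order, look only at ACEs naming
 * the requester or Everyone, fail at the first DENY that hits a requested bit
 * not yet granted, succeed once every requested bit has been granted. */
int nt_access_check(const nt_ace *acl, size_t n, uid_t who, uint32_t wanted)
{
    uint32_t granted = 0;
    for (size_t i = 0; i < n && granted != wanted; i++) {
        if (!acl[i].everyone && acl[i].trustee != who) continue;
        if (acl[i].is_deny) {
            if (acl[i].mask & wanted & ~granted) return 0;
        } else {
            granted |= acl[i].mask & wanted;
        }
    }
    return granted == wanted;
}

/* POSIX evaluation: the owner is judged by the user class only, anyone else
 * by the other class; there is no fall-through between classes. */
int posix_access_check(mode_t mode, uid_t owner, uid_t who, uint32_t wanted)
{
    mode_t bits = (who == owner) ? (mode & S_IRWXU) : ((mode & S_IRWXO) << 6);
    uint32_t have = 0;
    if (bits & S_IRUSR) have |= ACE_READ;
    if (bits & S_IWUSR) have |= ACE_WRITE;
    if (bits & S_IXUSR) have |= ACE_EXEC;
    return (have & wanted) == wanted;
}

/* NT ACL for FILE_MODE. emit_deny == 0 is what the post says smbd sends today
 * (ALLOW ACEs only); emit_deny == 1 adds the explicit DENY ACE for each entry. */
size_t build_acl(nt_ace out[4], int emit_deny)
{
    size_t n = 0;
    nt_masks owner = map_posix_perms(FILE_MODE & S_IRWXU, 0);         /* user a: r-- */
    nt_masks other = map_posix_perms((FILE_MODE & S_IRWXO) << 6, 0);  /* other: rwx */
    if (emit_deny) out[n++] = (nt_ace){ 0, UID_A, 1, owner.deny };
    out[n++] = (nt_ace){ 0, UID_A, 0, owner.allow };
    if (emit_deny) out[n++] = (nt_ace){ 1, 0, 1, other.deny };
    out[n++] = (nt_ace){ 1, 0, 0, other.allow };
    return n;
}

/* What the Windows client concludes for FILE_MODE from the ACL smbd sent. */
int nt_check_for_file(int emit_deny, uid_t who, uint32_t wanted)
{
    nt_ace acl[4];
    return nt_access_check(acl, build_acl(acl, emit_deny), who, wanted);
}

/* What the kernel actually decides for FILE_MODE owned by UID_A. */
int posix_check_for_file(uid_t who, uint32_t wanted)
{
    return posix_access_check(FILE_MODE, UID_A, who, wanted);
}
```

With emit_deny set to 0, nt_check_for_file(0, UID_A, ACE_WRITE) returns 1 while posix_check_for_file(UID_A, ACE_WRITE) returns 0, which is exactly the mismatch the post describes; with emit_deny set to 1 both agree.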



ACL bug FIXes for get_nt_acl()

2003-03-07 Thread Sergey Zhitomirsky
 Two patches below, for samba 2.2.7a and 3.0-alpha22,
 that I've made today, fix the 3 bugs mentioned in my previous e-mail.

 1) For each file, in addition to the ALLOW ACE
    a proper DENY ACE is created.
 2) Take ownership is shown DENIED for all ACEs except root's
 3) Read Permissions and Read Attributes are always shown as allowed,
 as they are actually allowed.


 --
 Zhitomirsky Sergey.


--- samba-3.0alpha22/source/smbd/posix_acls.c   Mon Feb 24 18:12:33 2003
+++ samba-3.0alpha22-fixed/source/smbd/posix_acls.c Thu Mar  6 17:09:56 2003
 -354,15 +354,19 
  not get. Deny entries are implicit on get with ace-perms = 0.
 /
 
-static SEC_ACCESS map_canon_ace_perms(int *pacl_type, DOM_SID *powner_sid, canon_ace 
*ace)
+static SEC_ACCESS map_canon_ace_perms(int *pacl_type, DOM_SID *powner_sid, canon_ace 
*ace,
+   SEC_ACCESS* sa_deny, int *pacl_type_deny)
 {
SEC_ACCESS sa;
uint32 nt_mask = 0;
-
-   *pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED;
+   uint32 nt_mask_deny = 0;
+ 
+   *pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED;
+   *pacl_type_deny = SEC_ACE_TYPE_ACCESS_DENIED;
 
if ((ace-perms  ALL_ACE_PERMS) == ALL_ACE_PERMS) {
-   nt_mask = UNIX_ACCESS_RWX;
+   nt_mask = UNIX_ACCESS_RWX;
+   nt_mask_deny = WRITE_OWNER_ACCESS;
} else if ((ace-perms  ALL_ACE_PERMS) == (mode_t)0) {
/*
 * Windows NT refuses to display ACEs with no permissions in them (but
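Review bot: the function comment left as the first context line of this hunk (`Deny entries are implicit on get with ace-perms = 0.`) is now false, because map_canon_ace_perms() returns an explicit deny mask through the new `sa_deny` out-parameter; reword it to say that a DENY ACE is built for each entry. Two style points: `*pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED;` and `nt_mask = UNIX_ACCESS_RWX;` are deleted and re-added with only whitespace changes, which should be reverted so the hunk shows only the real change, and the file writes pointer parameters as `SEC_ACCESS *sa_deny`, not `SEC_ACCESS* sa_deny`.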
 -377,15 +381,31 
nt_mask = UNIX_ACCESS_NONE;
else
nt_mask = 0;
+
+   nt_mask_deny = UNIX_ACCESS_RWX; 
+
} else {
nt_mask |= ((ace-perms  S_IRUSR) ? UNIX_ACCESS_R : 0 );
nt_mask |= ((ace-perms  S_IWUSR) ? UNIX_ACCESS_W : 0 );
nt_mask |= ((ace-perms  S_IXUSR) ? UNIX_ACCESS_X : 0 );
+
+   nt_mask_deny = ~nt_mask  UNIX_ACCESS_RWX;
}
 
-   DEBUG(10,(map_canon_ace_perms: Mapped (UNIX) %x to (NT) %x\n,
-   (unsigned int)ace-perms, (unsigned int)nt_mask ));
+   /* READ ACL  Read Attributes  afai see  are always allowed in POSIX */
+   nt_mask_deny = ~(  READ_CONTROL_ACCESS | FILE_READ_ATTRIBUTES);
+   nt_mask |= READ_CONTROL_ACCESS | FILE_READ_ATTRIBUTES;
 
+   /* workaround for take ownership for root's ACE */
+   if (ace-owner_type == UID_ACE  !ace-unix_ug.uid) {
+   nt_mask_deny = ~WRITE_OWNER_ACCESS;
+   nt_mask |= WRITE_OWNER_ACCESS;//UNIX_ACCESS_NONE;
+   }
+
+   DEBUG(10,(map_canon_ace_perms: Mapped (UNIX) %x to (NT) %x  ~%x\n,
+   (unsigned int)ace-perms, (unsigned int)nt_mask, (unsigned 
int)nt_mask_deny));
+
+   init_sec_access(sa_deny, nt_mask_deny);
init_sec_access(sa,nt_mask);
return sa;
 }
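Review bot: item 2 of the cover note (take ownership denied for every ACE except root's) is implemented only for the full-rwx branch: `nt_mask_deny = WRITE_OWNER_ACCESS;` sits in the ALL_ACE_PERMS case, while the zero-perms branch assigns `nt_mask_deny = UNIX_ACCESS_RWX;` and the partial branch masks with `~nt_mask & UNIX_ACCESS_RWX`, so for an `r--`-style entry WRITE_OWNER_ACCESS is neither allowed nor denied and is left to whatever ACE follows. Either OR WRITE_OWNER_ACCESS into nt_mask_deny in all three branches before the root workaround, or narrow the description. Smaller points: the `//UNIX_ACCESS_NONE;` remnant after `nt_mask |= WRITE_OWNER_ACCESS;` is dead text in a C++-style comment in a file that uses `/* */`; and since READ_CONTROL_ACCESS | FILE_READ_ATTRIBUTES is now OR'd into every nt_mask, no ACE reaches init_sec_access with an empty allow mask any more, so the `nt_mask = UNIX_ACCESS_NONE` special case in the zero-perms branch needs a comment explaining why it is kept, or should go.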
 -2208,6 +2228,7 
{
canon_ace *ace;
int nt_acl_type;
+   int nt_acl_type_deny;
int i;
 
if (nt4_compatible_acls()) {
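Review bot: `nt_acl_type_deny` only ever receives SEC_ACE_TYPE_ACCESS_DENIED, because map_canon_ace_perms stores that constant into `*pacl_type_deny` unconditionally, so the variable and the matching out-parameter carry no information. Pass SEC_ACE_TYPE_ACCESS_DENIED straight to init_sec_ace in the two loops and drop both.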
 -2292,12 +2313,12 
num_dir_acls = count_canon_ace_list(dir_ace);
 
/* Allocate the ace list. */
-   if ((nt_ace_list = (SEC_ACE *)malloc((num_acls + num_profile_acls + 
num_dir_acls)* sizeof(SEC_ACE))) == NULL) {
+   if ((nt_ace_list = (SEC_ACE *)malloc((2 * num_acls + num_profile_acls 
+ 2 * num_dir_acls)*sizeof(SEC_ACE))) == NULL) {
DEBUG(0,(get_nt_acl: Unable to malloc space for 
nt_ace_list.\n));
goto done;
}
 
-   memset(nt_ace_list, '\0', (num_acls + num_dir_acls) * sizeof(SEC_ACE) 
);
+   memset(nt_ace_list, '\0', (num_acls + num_dir_acls) * 2 * 
sizeof(SEC_ACE) );
   
 
/*
 * Create the NT ACE list from the canonical ace lists.
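Review bot: the malloc size and the memset size have drifted apart: malloc now reserves `2 * num_acls + num_profile_acls + 2 * num_dir_acls` entries, while memset clears `(num_acls + num_dir_acls) * 2`, still omitting num_profile_acls as the original did. Compute the entry count once into a local and use it for both calls so they cannot disagree, and note in a comment that the doubling assumes every canonical ACE yields a deny ACE.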
 -2307,8 +2328,10 
 
for (i = 0; i  num_acls; i++, ace = ace-next) {
SEC_ACCESS acc;
-
-   acc = map_canon_ace_perms(nt_acl_type, owner_sid, ace );
+   SEC_ACCESS acc_deny;
+   
+   acc = map_canon_ace_perms(nt_acl_type, owner_sid, ace , 
acc_deny, nt_acl_type_deny);
+   init_sec_ace(nt_ace_list[num_aces++], ace-trustee, 
nt_acl_type_deny, acc_deny, 0);
init_sec_ace(nt_ace_list[num_aces++], ace-trustee, 
nt_acl_type, acc, 0);
}
 
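Review bot: the `init_sec_ace(nt_ace_list[num_aces++], ace-trustee, nt_acl_type_deny, acc_deny, 0)` call runs even when acc_deny has an empty mask, which is exactly what a full-rwx entry produces for root once the workaround clears WRITE_OWNER_ACCESS (READ_CONTROL_ACCESS | FILE_READ_ATTRIBUTES are always cleared from the deny mask as well). Skip the deny ACE when its mask is zero, otherwise the client receives the very empty ACEs the comment in map_canon_ace_perms says Windows NT refuses to display. Two ordering concerns follow from the same lines: the DACL is built as deny/allow pairs per trustee, whereas Windows expects all explicit denies ahead of all explicit allows, so the security tab is likely to flag the ACL as incorrectly ordered and offer to re-sort it; and once re-sorted, a WRITE_OWNER_ACCESS deny emitted for a broad trustee (the other:: entry, shown as Everyone) precedes root's allow and overrides it.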
 -2324,8 +2347,11 
 
for (i = 0; i  num_dir_acls; i++, ace = ace-next) {
SEC_ACCESS acc;
-
-   acc = map_canon_ace_perms(nt_acl_type, owner_sid, ace );
+   SEC_ACCESS acc_deny
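Review bot: this hunk is cut off in the archive right after `SEC_ACCESS acc_deny`, so the directory-ACE loop cannot be reviewed here; its header `-2324,8 +2347,11` shows one more added line than the file loop's `-2307,8 +2328,10`, so please check that the two loops stay symmetric and that directory deny entries get the same empty-mask handling as the file entries.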

[Samba] POSIX ACL to NT ACL bugs in get_nt_acl()

2003-03-06 Thread Sergey Zhitomirsky
Hello, what is described below happens both in samba 2.2.7a and 3.0alpha22.

First bug:
As is easy to check, smbd, when asked about the ACL entry of a file,
never sends DENY Access Control Entries to the client OS, only ALLOW.

So for example for an XFS file with acl:

 # owner: a
 user::r--
 group::rwx
 other::rwx

  Win2K security tab shows for user a:
   Read & exec = nothing here
   Read        = Allowed
   Write       = nothing here

 But in fact, POSIX ACL will allow user a to read from the file
 and deny writing or executing the file, as posix acl will not consult any
 other ACL entries after finding the appropriate user:: entry.

 Now let's see what a Win2K user will expect when looking at this shown ACL.
 As NT ACL logic supposes that in the case of "nothing here"
  further ACL entries will be consulted, in this case the NT user supposes
  that he has rwx rights on the file due to the other::rwx rule,
  shown in the Win2K security tab as Everybody: Full Access=Allowed,

  but when trying to write - receives Permission Denied.
  So this situation is plain wrong;
  the flags sent to Win2K must have been instead:
   Read & exec = Deny
   Read        = Allowed
   Write       = Deny

  So that is a samba bug, as samba must have sent DENY for write and
  execute and ALLOW for read for this user's file (user::r--),
  but now it just sends ALLOW for read.


Second bug:
The Take ownership flag is currently always set ALLOWED for EVERY ACE,
but actually only the root user can take ownership of a file under Unix,
so this is plain wrong.
As far as I see, this bug was introduced because of the first bug AND
NT4 refusing to show an empty ACL.

Third bug:
In POSIX every user who can see a file can also always
   1) Read the ACL of the file
   2) Read the attributes of the file.
So SMBD should always show that these things are allowed, but it fails to
do that.
Of course, due to the FIRST BUG this is not very annoying, as there are no
entries shown that this is forbidden.


In the next e-mail I will send patches fixing all 3 bugs in samba 2.2.7a and
3.0alpha22.


--
Zhitomirsky Sergey.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
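Added illustration of the first bug above, not Samba code and not from the poster: it translates the example POSIX ACL into a DACL once with ALLOW ACEs only (what smbd sends today) and once with the DENY ACEs the follow-up patch adds, then runs a simplified NT-style ordered DACL walk for user a. The r/w/x bits, the trustee names "a", "staff" and "Everyone", and the DACL evaluation are constructed for the example, not the real NT access-mask constants or Windows' exact algorithm.

```c
/* Added illustration, not Samba code: the post's POSIX ACL (user::r--,
 * group::rwx, other::rwx) judged by a simplified NT-style DACL walk, once
 * translated with ALLOW ACEs only and once with the DENY ACEs the patch adds.
 * Toy r/w/x bits and constructed trustee names, not real NT access masks. */
#include <stdint.h>
#include <string.h>
enum { PERM_X = 1, PERM_W = 2, PERM_R = 4, PERM_RWX = 7 };
enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace { enum ace_type type; const char *trustee; uint32_t mask; };

/* One POSIX entry -> an ALLOW ACE plus, if with_deny, a DENY ACE for the r/w/x
 * bits it lacks (the patch's ~nt_mask & UNIX_ACCESS_RWX); empty denies dropped. */
static int add_entry(struct ace *out, int n, const char *trustee,
                     uint32_t perms, int with_deny)
{
    uint32_t deny = ~perms & PERM_RWX;
    if (with_deny && deny)
        out[n++] = (struct ace){ ACE_DENY, trustee, deny };
    out[n++] = (struct ace){ ACE_ALLOW, trustee, perms & PERM_RWX };
    return n;
}

/* DACL for the post's example ACL; returns the number of ACEs written. */
static int build_dacl(struct ace *out, int with_deny)
{
    int n = 0;
    n = add_entry(out, n, "a",        PERM_R,   with_deny); /* user::r--  */
    n = add_entry(out, n, "staff",    PERM_RWX, with_deny); /* group::rwx */
    n = add_entry(out, n, "Everyone", PERM_RWX, with_deny); /* other::rwx */
    return n;
}

/* Simplified NT evaluation: walk in order; a DENY covering a still-wanted bit
 * fails the check, ALLOWs accumulate until every wanted bit is granted. */
static int nt_check(const struct ace *dacl, int n, const char *user,
                    const char *group, uint32_t want)
{
    uint32_t granted = 0;
    for (int i = 0; i < n && (granted & want) != want; i++) {
        const char *t = dacl[i].trustee;
        if (strcmp(t, user) && strcmp(t, group) && strcmp(t, "Everyone"))
            continue;                           /* ACE is for someone else */
        if (dacl[i].type == ACE_DENY && (dacl[i].mask & want & ~granted))
            return 0;
        granted |= dacl[i].type == ACE_ALLOW ? dacl[i].mask : 0;
    }
    return (granted & want) == want;
}

/* What the NT client concludes for user a (member of staff) asking for want.
 * POSIX itself judges a by user::r-- alone, so a write is always refused. */
static int nt_verdict(int with_deny, uint32_t want)
{
    struct ace dacl[6];
    return nt_check(dacl, build_dacl(dacl, with_deny), "a", "staff", want);
}
```

With ALLOW-only translation the walk falls through to the group and Everyone entries and reports write as granted, the mismatch the post describes; with the DENY ACE for a in front, write is refused while read still succeeds.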


[Samba] ACL bug FIXes for get_nt_acl()

2003-03-06 Thread Sergey Zhitomirsky

Two attached patches for samba 2.2.7a and 3.0alpha22,
that I've made today, fix 3 bugs mentioned in my previous e-mail.

1) For each file, in addition to the ALLOW ACE,
   a proper DENY ACE is created.
2) Take ownership is shown DENIED for all ACEs except root's.
3) Read Permissions and read attributes are always shown as allowed,
   as they are actually allowed.


--
Zhitomirsky Sergey.




[Samba] ACL bug FIXes for get_nt_acl() (resend)

2003-03-06 Thread Sergey Zhitomirsky
It seems the attached patches were lost, resending inline:

 Two attached patches for samba 2.2.7a and 3.0alpha22,
 that I've made today, fix 3 bugs mentioned in my previous e-mail.

 1) For each file, in addition to the ALLOW ACE,
    a proper DENY ACE is created.
 2) Take ownership is shown DENIED for all ACEs except root's.
 3) Read Permissions and read attributes are always shown as allowed,
    as they are actually allowed.


 --
 Zhitomirsky Sergey.


--- samba-3.0alpha22/source/smbd/posix_acls.c   Mon Feb 24 18:12:33 2003
+++ samba-3.0alpha22-fixed/source/smbd/posix_acls.c Thu Mar  6 17:09:56 2003
 -354,15 +354,19 
  not get. Deny entries are implicit on get with ace-perms = 0.
 /
 
-static SEC_ACCESS map_canon_ace_perms(int *pacl_type, DOM_SID *powner_sid, canon_ace 
*ace)
+static SEC_ACCESS map_canon_ace_perms(int *pacl_type, DOM_SID *powner_sid, canon_ace 
*ace,
+   SEC_ACCESS* sa_deny, int *pacl_type_deny)
 {
SEC_ACCESS sa;
uint32 nt_mask = 0;
-
-   *pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED;
+   uint32 nt_mask_deny = 0;
+ 
+   *pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED;
+   *pacl_type_deny = SEC_ACE_TYPE_ACCESS_DENIED;
 
if ((ace-perms  ALL_ACE_PERMS) == ALL_ACE_PERMS) {
-   nt_mask = UNIX_ACCESS_RWX;
+   nt_mask = UNIX_ACCESS_RWX;
+   nt_mask_deny = WRITE_OWNER_ACCESS;
} else if ((ace-perms  ALL_ACE_PERMS) == (mode_t)0) {
/*
 * Windows NT refuses to display ACEs with no permissions in them (but
 -377,15 +381,31 
nt_mask = UNIX_ACCESS_NONE;
else
nt_mask = 0;
+
+   nt_mask_deny = UNIX_ACCESS_RWX; 
+
} else {
nt_mask |= ((ace-perms  S_IRUSR) ? UNIX_ACCESS_R : 0 );
nt_mask |= ((ace-perms  S_IWUSR) ? UNIX_ACCESS_W : 0 );
nt_mask |= ((ace-perms  S_IXUSR) ? UNIX_ACCESS_X : 0 );
+
+   nt_mask_deny = ~nt_mask  UNIX_ACCESS_RWX;
}
 
-   DEBUG(10,(map_canon_ace_perms: Mapped (UNIX) %x to (NT) %x\n,
-   (unsigned int)ace-perms, (unsigned int)nt_mask ));
+   /* READ ACL  Read Attributes  afai see  are always allowed in POSIX */
+   nt_mask_deny = ~(  READ_CONTROL_ACCESS | FILE_READ_ATTRIBUTES);
+   nt_mask |= READ_CONTROL_ACCESS | FILE_READ_ATTRIBUTES;
 
+   /* workaround for take ownership for root's ACE */
+   if (ace-owner_type == UID_ACE  !ace-unix_ug.uid) {
+   nt_mask_deny = ~WRITE_OWNER_ACCESS;
+   nt_mask |= WRITE_OWNER_ACCESS;//UNIX_ACCESS_NONE;
+   }
+
+   DEBUG(10,(map_canon_ace_perms: Mapped (UNIX) %x to (NT) %x  ~%x\n,
+   (unsigned int)ace-perms, (unsigned int)nt_mask, (unsigned 
int)nt_mask_deny));
+
+   init_sec_access(sa_deny, nt_mask_deny);
init_sec_access(sa,nt_mask);
return sa;
 }
 -2208,6 +2228,7 
{
canon_ace *ace;
int nt_acl_type;
+   int nt_acl_type_deny;
int i;
 
if (nt4_compatible_acls()) {
 -2292,12 +2313,12 
num_dir_acls = count_canon_ace_list(dir_ace);
 
/* Allocate the ace list. */
-   if ((nt_ace_list = (SEC_ACE *)malloc((num_acls + num_profile_acls + 
num_dir_acls)* sizeof(SEC_ACE))) == NULL) {
+   if ((nt_ace_list = (SEC_ACE *)malloc((2 * num_acls + num_profile_acls 
+ 2 * num_dir_acls)*sizeof(SEC_ACE))) == NULL) {
DEBUG(0,(get_nt_acl: Unable to malloc space for 
nt_ace_list.\n));
goto done;
}
 
-   memset(nt_ace_list, '\0', (num_acls + num_dir_acls) * sizeof(SEC_ACE) 
);
+   memset(nt_ace_list, '\0', (num_acls + num_dir_acls) * 2 * 
sizeof(SEC_ACE) );
   
 
/*
 * Create the NT ACE list from the canonical ace lists.
 -2307,8 +2328,10 
 
for (i = 0; i  num_acls; i++, ace = ace-next) {
SEC_ACCESS acc;
-
-   acc = map_canon_ace_perms(nt_acl_type, owner_sid, ace );
+   SEC_ACCESS acc_deny;
+   
+   acc = map_canon_ace_perms(nt_acl_type, owner_sid, ace , 
acc_deny, nt_acl_type_deny);
+   init_sec_ace(nt_ace_list[num_aces++], ace-trustee, 
nt_acl_type_deny, acc_deny, 0);
init_sec_ace(nt_ace_list[num_aces++], ace-trustee, 
nt_acl_type, acc, 0);
}
 
 -2324,8 +2347,11 
 
for (i = 0; i  num_dir_acls; i++, ace = ace-next) {
SEC_ACCESS acc;
-
-   acc = map_canon_ace_perms(nt_acl_type, owner_sid, ace

Re: [Samba] POSIX to NT ACL bug

2003-03-04 Thread Sergey Zhitomirsky



On Mon, 3 Mar 2003, Brad Sagowitz wrote:

 I JUST got over this problem with help here on the mailing list... what
 version/distro of linux are you running?

 Brad Sagowitz

   I use samba 2.2.7a downloaded from samba.org
   on Suse 8.0

 Sergey Zhitomirsky wrote:

 Hello
 recently I set up an XFS share under samba, and played from Win2K
 with ACL entries of shared files,
 and noticed that
  Win2K never shows DENY ACL entries,
  so for example for an XFS file with acl:

  # owner: a
  user::r--
  group::rwx
  other::rwx

   Win2K security tab shows for user a:
    Read & exec = nothing here
    Read        = Allowed
    Write       = nothing here

  But in fact, POSIX ACL will allow user a to read from the file
  and deny writing or executing the file, as posix acl will not consult any
  other ACL entries after finding the appropriate user: entry.

   So, the flags shown by Win2K are wrong, and must be instead:
    Read & exec = Deny
    Read        = Allowed
    Write       = Deny

   as NT ACL logic supposes, as far as I know(?), that in case of "nothing here"
   further ACL entries will be consulted, so in this case the NT user supposes
   that he has rwx rights on the file due to the other::rwx rule
   (-> Everybody, Full Access=Allowed)

   but when trying to write - receives Permission Denied.

   So that is a samba bug, as samba must have sent DENY for write and
   execute and ALLOW for read for this user's file (user::r--),
   but now it just sends ALLOW for read.


  I have samba-2.2.7a,
  ./configure --with-acl-support --with-ssl --with-smbmount --disable-cups
   --with-smbwrapper --with-vfs --with-libsmbclient --disable-swat


 Sergey.




[Samba] POSIX to NT ACL bug

2003-03-03 Thread Sergey Zhitomirsky

Hello
recently I set up an XFS share under samba, and played from Win2K
with ACL entries of shared files,
and noticed that
 Win2K never shows DENY ACL entries,
 so for example for an XFS file with acl:

 # owner: a
 user::r--
 group::rwx
 other::rwx

  Win2K security tab shows for user a:
   Read & exec = nothing here
   Read        = Allowed
   Write       = nothing here

 But in fact, POSIX ACL will allow user a to read from the file
 and deny writing or executing the file, as posix acl will not consult any
 other ACL entries after finding the appropriate user: entry.

  So, the flags shown by Win2K are wrong, and must be instead:
   Read & exec = Deny
   Read        = Allowed
   Write       = Deny

  as NT ACL logic supposes, as far as I know(?), that in case of "nothing here"
  further ACL entries will be consulted, so in this case the NT user supposes
  that he has rwx rights on the file due to the other::rwx rule
  (-> Everybody, Full Access=Allowed)

  but when trying to write - receives Permission Denied.

  So that is a samba bug, as samba must have sent DENY for write and
  execute and ALLOW for read for this user's file (user::r--),
  but now it just sends ALLOW for read.


 I have samba-2.2.7a,
 ./configure --with-acl-support --with-ssl --with-smbmount --disable-cups
  --with-smbwrapper --with-vfs --with-libsmbclient --disable-swat


Sergey.




Re[2]: [Samba] Win98 clients not 'seeing' each other

2002-12-26 Thread Sergey Klusov
Hello Carlos,

Thursday, December 26, 2002, 4:51:13 PM, you wrote:

  I've set up the Samba server over Linux to act as a PDC for the domain. I
  use dhcp to assign the network configuration to the hosts, and the only
You should set up the DHCP server to announce the samba server as WINS server to
all hosts.
If you are using ISC-DHCPD then add these lines into dhcpd.conf:

#==
option netbios-name-servers 123.456.789.012;
# put your ip here
option netbios-node-type 8;
#==


If your DHCP is Microsoft's, then set up the scope accordingly.

Also, make sure nmbd is running as well on the samba box.

And one last thing - make sure these lines are in your smb.conf:

#==
wins support = yes
os level = 64
preferred master = yes
domain master = yes
local master = yes
#==

-- 
Best regards,
 Sergey




[Samba] samba essential files

2002-12-25 Thread Sergey Klusov
Hello

I'm considering reinstalling my server with a fresh FreeBSD and a
fresh install of the newest samba.
Right now I'm running 2.2.5 as a domain controller.
Which files should I preserve (along with /etc/passwd, /etc/group,
smb.conf) to put the new server to work without re-entering client machines
into the domain and creating user accounts?




[Samba] not configure samba-2.2.5 with parameter --with-pam

2002-11-01 Thread Sergey V. Baldin
Version 2.2.5 does not configure with the parameter --with-pam:
./configure --with-pam doesn't work.
OS: Redhat7.3, kernel 2.4.18-3, gcc 2.95.3, samba-2.2.5
I'm sorry for my English.






[Samba] NT_STATUS_INVALID_DOMAIN_ROLE

2002-05-19 Thread Sergey Klusov

Hello samba,

here is my config:

[global]
   netbios name = tech-server
   workgroup = SAGAPROJECT
   security = domain
   password server = SERVER
   encrypt passwords = yes

Machine SERVER is accessible and works.

ATTEMPT #1

lion@tech-server:/usr/local/etc# smbpasswd -D 3 -j SAGAPROJECT -r server -Ujoker
Initialising global parameters
params.c:pm_process() - Processing configuration file /usr/local/etc/smb.conf
Processing section [global]
added interface ip=172.16.1.9 bcast=172.16.1.255 nmask=255.255.255.0
Password:
resolve_lmhosts: Attempting lmhosts lookup for name server0x20
resolve_hosts: Attempting host lookup for name server0x20
Connecting to 172.16.1.10 at port 445
error connecting to 172.16.1.10:445 (Invalid argument)
Connecting to 172.16.1.10 at port 139
failed session request
Error connecting to server
Unable to join domain SAGAPROJECT.

ATTEMPT #2

lion@tech-server:/usr/local/etc# smbpasswd -D 3 -j SAGAPROJECT -Ujoker
Initialising global parameters
params.c:pm_process() - Processing configuration file /usr/local/etc/smb.conf
Processing section [global]
added interface ip=172.16.1.9 bcast=172.16.1.255 nmask=255.255.255.0
Password:
resolve_lmhosts: Attempting lmhosts lookup for name SERVER0x20
resolve_hosts: Attempting host lookup for name SERVER0x20
bind succeeded on port 0
Connecting to 172.16.1.10 at port 445
error connecting to 172.16.1.10:445 (Invalid argument)
Connecting to 172.16.1.10 at port 139
session setup ok
Domain=[SAGAPROJECT] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
lsa_io_sec_qos: length c does not match size 8
error creating domain user: NT_STATUS_INVALID_DOMAIN_ROLE
Unable to join domain SAGAPROJECT.


what's wrong?

-- 
Best regards,
 Sergey

