Re: [Samba] Problem with 3.0.23 upgrade from 3.0.22 with rfc2307 patch

2006-08-22 Thread Gerald (Jerry) Carter

Joel Franco wrote:

> I think the release notes for the 3.0.23b has 
> the response:

W00t!  Someone did release the release notes ! :-)




-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Problem with 3.0.23 upgrade from 3.0.22 with rfc2307 patch

2006-08-22 Thread Joel Franco
I think the release notes for the 3.0.23b has the response:

"Member servers, domain accounts, and smb.conf
==============================================

Since Samba 3.0.8, it has been recommended that all domain accounts 
listed in smb.conf on a member server be fully qualified with the 
domain name.  This is now a requirement.  All unqualified names are 
assumed to be local to the Unix host, either as part of the server's 
local passdb or in the local system list of accounts (e.g. /etc/passwd 
or /etc/group).

The reason for this change is that smbd has transitioned from
access checks based on string comparisons to token based
authorization.  All names are resolved to a SID and then verified
against the logged on user's NT user token.  Local names will
resolve to a local SID, while qualified domain names will resolve
to the appropriate domain SID.  

If the member server is not running winbindd at all, domain 
accounts will be implicitly mapped to local accounts and their
tokens will be modified appropriately to reflect the local 
SID and group membership.

For example, the following share will restrict access to the
domain group "Linux Admins" and the local group srvadmin.

    [restricted]
        path = /data
        valid users = +"DOMAIN\Linux Admins" +srvadmin

Note that to restrict the [homes] share on a member server to the
owner of that directory, it is necessary to prefix the %S value
to "valid users".

    [global]
        security = {domain,ads}
        workgroup = DOM
        winbind separator = +
    [homes]
        valid users = DOM+%S
"

-- 
|
| Joel Franco Guzmán  .''`.
|  self-powered by   : :' :
|   Debian Linux `. `' 
|  `- 
On Tue Jul 18 06 18:03, Howard Wilkinson wrote:
> Don,
> 
> you are a genius, this fixed it! Anybody know why?
> 
> Howard.
> 
> Don Meyer wrote:
> 
> >Well, I didn't see the last bit you describe, but I don't run RFC2307 
> >(yet).  We were bit by very similar behavior when moving from 3.0.22 to 
> >the 3.0.23 RC's.  Turns out that the use-default-domain option is not 
> >being universally applied to groups in 3.0.23.   As soon as I changed 
> >my "valid users = +group" statements to the format "= +domain\group", 
> >then this problem was fixed for us.   Maybe it will do the trick for 
> >you...
> >
> >Cheers,
> >-D
> >
> >
> >At 07:41 AM 7/18/2006, Howard Wilkinson wrote:
> >
> >>I have managed to isolate where the problem is, now I need to work 
> >>out what the problem is?
> >>
> >>I have a group
> >>
> >>cohtech:*:16777225:lesley,howard,ecbull
> >>
> >>in which I am a member - howard.
> >>
> >>I have a
> >>
> >>valid users = +cohtech
> >>
> >>entry in smb.conf for the share I am trying to connect to, I get the 
> >>following reported in the machine.log file -
> >>
> >>zebra.log:  string_to_sid: Sid +cohtech does not start with 'S-'.
> >>
> >>and the users get rejected. If I declare the user directly then 
> >>access is allowed.
> >>
> >>This server gets its group database from the AD controllers via RFC2307.
> >>
> >>Anybody know why group expansion may be broken in 3.0.23?
> >
> >
> >Don Meyer   <[EMAIL PROTECTED]>
> >Network Manager, ACES Academic Computing Facility
> >Technical System Manager, ACES TeleNet System
> >UIUC College of ACES, Information Technology and Communication Services
> >
> >  "They that can give up essential liberty to obtain a little 
> >temporary safety,
> >deserve neither liberty or safety." -- Benjamin Franklin, 
> >1759
> 
> 
> -- 
> Howard Wilkinson
> Coherent Technology Limited
> 23 Northampton Square,
> London, United Kingdom, EC1V 0HL
> Phone: +44(20)76907075
> Fax:
> Mobile: +44(7980)639379
> Email: [EMAIL PROTECTED]
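
The release notes quoted in the message above say that unqualified names in access lists are treated as local to the Unix host. As an added illustration (not code from the Samba project or from any poster in this thread), the following Python sketch audits smb.conf text for such entries. The sample configuration and group file, the status labels and the function names are constructed for the example, and testing for a backslash or the configured winbind separator is a simplification of Samba's own name parsing.

```python
import shlex

# Access-list parameters from smb.conf(5) that take user and group names.
ACL_PARAMS = {"valid users", "invalid users", "read list", "write list", "admin users"}

# Constructed sample, assembled from the snippets quoted in this thread.
SAMPLE_CONF = r"""
[global]
   workgroup = DOM
   winbind separator = +
[restricted]
   valid users = +"DOMAIN\Linux Admins" +srvadmin
[homes]
   valid users = DOM+%S
[CoherentWebsites]
   valid users = @cohtech
"""
# Constructed /etc/group content: only srvadmin exists locally.
SAMPLE_GROUP = "root:x:0:\nsrvadmin:x:1001:alice\n"


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections


def local_names(file_text):
    """Names (first field) from /etc/passwd or /etc/group style text."""
    return {l.split(":", 1)[0] for l in file_text.splitlines() if ":" in l}


def split_names(value):
    """Split a list value on spaces/commas, keeping quoted names and backslashes."""
    lex = shlex.shlex(value, posix=True)
    lex.whitespace += ","
    lex.whitespace_split = True
    lex.escape = ""       # a backslash is the domain separator, not an escape
    lex.commenters = ""
    return list(lex)


def audit(conf_text, local):
    """Return (section, parameter, entry, status) for every access-list name."""
    conf = parse_smb_conf(conf_text)
    sep = conf.get("global", {}).get("winbind separator") or "\\"
    findings = []
    for section, params in conf.items():
        for param in sorted(ACL_PARAMS & params.keys()):
            for entry in split_names(params[param]):
                name = entry.lstrip("+@&")   # strip group/netgroup markers
                if "\\" in name or sep in name:
                    status = "qualified"
                elif name in local:
                    status = "local"
                else:   # treated as local by smbd, but no such local account
                    status = "unqualified-not-local"
                findings.append((section, param, entry, status))
    return findings
```

Calling `audit(SAMPLE_CONF, local_names(SAMPLE_GROUP))` marks `@cohtech` as `unqualified-not-local`, the kind of entry that has to be rewritten in domain-qualified form. Build the local set from the files themselves rather than from `getent`, which also returns winbind-provided accounts.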


Re: [Samba] Problem with 3.0.23 upgrade from 3.0.22 with rfc2307 patch

2006-07-20 Thread Gerald (Jerry) Carter

Don Meyer wrote:

> Yes, I'm pretty sure Jerry Carter does.  ([EMAIL PROTECTED])   
> He's posted that he expects a patch for this to be
> included in the 3.0.23a release -- due sometime real
> soon now... ;-)

This was the last major bug to be fixed in 3.0.23a.
I've attached a patch to bug 3920.

Note that this will break 'winbind nested groups' for
local users.  Local group membership for domain users
still works, but a local user will not get the nested
group gids included in his or her token.  See my comments
in the bug report for more details.

Also please note that unqualified domain user or group
names have not been supported in smb.conf since Samba
3.0.8.  You are advised to fix your configuration files.






cheers, jerry
=====================================================================
Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


Re: [Samba] Problem with 3.0.23 upgrade from 3.0.22 with rfc2307 patch

2006-07-18 Thread Don Meyer
Yes, I'm pretty sure Jerry Carter does.  ([EMAIL PROTECTED])   He's 
posted that he expects a patch for this to be included in the 3.0.23a 
release -- due sometime real soon now... ;-)


Cheers,
-D

At 12:03 PM 7/18/2006, Howard Wilkinson wrote:

you are a genius, this fixed it! Anybody know why?

Howard.

Don Meyer wrote:
Well, I didn't see the last bit you describe, but I don't run 
RFC2307 (yet).  We were bit by very similar behavior when moving from 
3.0.22 to the 3.0.23 RC's.  Turns out that the use-default-domain 
option is not being universally applied to groups in 3.0.23.   As 
soon as I changed my "valid users = +group" statements to the 
format "= +domain\group", then this problem was fixed for 
us.   Maybe it will do the trick for you...


Don Meyer   <[EMAIL PROTECTED]>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

  "They that can give up essential liberty to obtain a little 
temporary safety,
deserve neither liberty or safety." -- Benjamin Franklin, 1759 




Re: [Samba] Problem with 3.0.23 upgrade from 3.0.22 with rfc2307 patch

2006-07-18 Thread Howard Wilkinson

Don,

you are a genius, this fixed it! Anybody know why?

Howard.

Don Meyer wrote:

Well, I didn't see the last bit you describe, but I don't run RFC2307 
(yet).  We were bit by very similar behavior when moving from 3.0.22 to 
the 3.0.23 RC's.  Turns out that the use-default-domain option is not 
being universally applied to groups in 3.0.23.   As soon as I changed 
my "valid users = +group" statements to the format "= +domain\group", 
then this problem was fixed for us.   Maybe it will do the trick for 
you...


Cheers,
-D


At 07:41 AM 7/18/2006, Howard Wilkinson wrote:

I have managed to isolate where the problem is, now I need to work 
out what the problem is?


I have a group

cohtech:*:16777225:lesley,howard,ecbull

in which I am a member - howard.

I have a

valid users = +cohtech

entry in smb.conf for the share I am trying to connect to, I get the 
following reported in the machine.log file -


zebra.log:  string_to_sid: Sid +cohtech does not start with 'S-'.

and the users get rejected. If I declare the user directly then 
access is allowed.


This server gets its group database from the AD controllers via RFC2307.

Anybody know why group expansion may be broken in 3.0.23?



Don Meyer   <[EMAIL PROTECTED]>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

  "They that can give up essential liberty to obtain a little 
temporary safety,
deserve neither liberty or safety." -- Benjamin Franklin, 
1759



--
Howard Wilkinson
Coherent Technology Limited
23 Northampton Square,
London, United Kingdom, EC1V 0HL
Phone: +44(20)76907075
Fax:
Mobile: +44(7980)639379
Email: [EMAIL PROTECTED]


Re: [Samba] Problem with 3.0.23 upgrade from 3.0.22 with rfc2307 patch

2006-07-18 Thread Don Meyer
Well, I didn't see the last bit you describe, but I don't run RFC2307 
(yet).  We were bit by very similar behavior when moving from 3.0.22 to 
the 3.0.23 RC's.  Turns out that the use-default-domain option is not 
being universally applied to groups in 3.0.23.   As soon as I changed 
my "valid users = +group" statements to the format "= +domain\group", 
then this problem was fixed for us.   Maybe it will do the trick for you...


Cheers,
-D


At 07:41 AM 7/18/2006, Howard Wilkinson wrote:
I have managed to isolate where the problem is, now I need to work 
out what the problem is?


I have a group

cohtech:*:16777225:lesley,howard,ecbull

in which I am a member - howard.

I have a

valid users = +cohtech

entry in smb.conf for the share I am trying to connect to, I get the 
following reported in the machine.log file -


zebra.log:  string_to_sid: Sid +cohtech does not start with 'S-'.

and the users get rejected. If I declare the user directly then 
access is allowed.


This server gets its group database from the AD controllers via RFC2307.

Anybody know why group expansion may be broken in 3.0.23?


Don Meyer   <[EMAIL PROTECTED]>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

  "They that can give up essential liberty to obtain a little 
temporary safety,
deserve neither liberty or safety." -- Benjamin Franklin, 1759 




Re: [Samba] Problem with 3.0.23 upgrade from 3.0.22 with rfc2307 patch

2006-07-18 Thread Dietrich Streifert
Maybe it's because some default values for winbind settings have 
changed. The release notes say:


   winbind enum users     Changed default   No
   winbind enum groups    Changed default   No
   winbind nested groups  Changed default   Yes



Howard Wilkinson wrote:
I have managed to isolate where the problem is, now I need to work out 
what the problem is?


I have a group

cohtech:*:16777225:lesley,howard,ecbull

in which I am a member - howard.

I have a

valid users = +cohtech

entry in smb.conf for the share I am trying to connect to, I get the 
following reported in the machine.log file -


zebra.log:  string_to_sid: Sid +cohtech does not start with 'S-'.

and the users get rejected. If I declare the user directly then access 
is allowed.


This server gets its group database from the AD controllers via RFC2307.

Anybody know why group expansion may be broken in 3.0.23?

Howard Wilkinson wrote:


No I already had this turned on!

Gautier, B (Bob) wrote:

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Howard Wilkinson
Sent: 18 July 2006 11:50
To: samba@lists.samba.org
Subject: [Samba] Problem with 3.0.23 upgrade from 3.0.22 with rfc2307 patch

I have upgraded one of my servers from a 3.0.22 implementation using the
rfc2307 patch I supplied some months ago to the 3.0.23 release. I am
now getting some unexplained failures and would like some pointers as
to where to start looking.

The rfc2307 schema compatibility in the 'official' 3.0.23 version has to
be turned on in smb.conf with

winbind nss info = rfc2307

-- that might be something your older code did automatically.

Bob G

_

This email (including any attachments to it) is confidential, 
legally privileged, subject to copyright and is sent for the 
personal attention of the intended recipient only. If you have 
received this email in error, please advise us immediately and 
delete it. You are notified that disclosing, copying, distributing 
or taking any action in reliance on the contents of this information 
is strictly prohibited. Although we have taken reasonable 
precautions to ensure no viruses are present in this email, we 
cannot accept responsibility for any loss or damage arising from the 
viruses in this email or attachments. We exclude any liability for 
the content of this email, or for the consequences of any actions 
taken on the basis of the information provided in this email or its 
attachments, unless that information is subsequently confirmed in 
writing. If this email contains an offer, that should be considered 
as an invitation to treat.

_
 







--
Kind regards
Dietrich Streifert
Visionet GmbH


Re: [Samba] Problem with 3.0.23 upgrade from 3.0.22 with rfc2307 patch

2006-07-18 Thread Howard Wilkinson
I have managed to isolate where the problem is, now I need to work out 
what the problem is?


I have a group

cohtech:*:16777225:lesley,howard,ecbull

in which I am a member - howard.

I have a

valid users = +cohtech

entry in smb.conf for the share I am trying to connect to, I get the 
following reported in the machine.log file -


zebra.log:  string_to_sid: Sid +cohtech does not start with 'S-'.

and the users get rejected. If I declare the user directly then access 
is allowed.


This server gets its group database from the AD controllers via RFC2307.

Anybody know why group expansion may be broken in 3.0.23?

Howard Wilkinson wrote:


No I already had this turned on!

Gautier, B (Bob) wrote:

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Howard Wilkinson
Sent: 18 July 2006 11:50
To: samba@lists.samba.org
Subject: [Samba] Problem with 3.0.23 upgrade from 3.0.22 with rfc2307 patch

I have upgraded one of my servers from a 3.0.22 implementation using the
rfc2307 patch I supplied some months ago to the 3.0.23 release. I am
now getting some unexplained failures and would like some pointers as
to where to start looking.

The rfc2307 schema compatibility in the 'official' 3.0.23 version has to
be turned on in smb.conf with

winbind nss info = rfc2307

-- that might be something your older code did automatically.

Bob G

 





--
Howard Wilkinson
Coherent Technology Limited
23 Northampton Square,
London, United Kingdom, EC1V 0HL
Phone: +44(20)76907075
Fax:
Mobile: +44(7980)639379
Email: [EMAIL PROTECTED]


Re: [Samba] Problem with 3.0.23 upgrade from 3.0.22 with rfc2307 patch

2006-07-18 Thread Howard Wilkinson

No I already had this turned on!

Gautier, B (Bob) wrote:

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Howard Wilkinson
Sent: 18 July 2006 11:50
To: samba@lists.samba.org
Subject: [Samba] Problem with 3.0.23 upgrade from 3.0.22 with rfc2307 patch

I have upgraded one of my servers from a 3.0.22 implementation using the
rfc2307 patch I supplied some months ago to the 3.0.23 release. I am
now getting some unexplained failures and would like some pointers as
to where to start looking.

The rfc2307 schema compatibility in the 'official' 3.0.23 version has to
be turned on in smb.conf with

winbind nss info = rfc2307

-- that might be something your older code did automatically.

Bob G

 



--
Howard Wilkinson
Coherent Technology Limited
23 Northampton Square,
London, United Kingdom, EC1V 0HL
Phone: +44(20)76907075
Fax:
Mobile: +44(7980)639379
Email: [EMAIL PROTECTED]


RE: [Samba] Problem with 3.0.23 upgrade from 3.0.22 with rfc2307 patch

2006-07-18 Thread Gautier, B (Bob)

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]] On Behalf Of Howard Wilkinson
> Sent: 18 July 2006 11:50
> To: samba@lists.samba.org
> Subject: [Samba] Problem with 3.0.23 upgrade from 3.0.22 with 
> rfc2307 patch
> 
> I have upgraded one of my servers from a 3.0.22 
> implementation using the
> rfc2307 patch I supplied some months ago to the 3.0.23 
> release. I am now getting some unexplained failures and would 
> like some pointers as to where to start looking.

The rfc2307 schema compatibility in the 'official' 3.0.23 version has to
be turned on in smb.conf with

winbind nss info = rfc2307

-- that might be something your older code did automatically.

Bob G
 


[Samba] Problem with 3.0.23 upgrade from 3.0.22 with rfc2307 patch

2006-07-18 Thread Howard Wilkinson
I have upgraded one of my servers from a 3.0.22 implementation using the 
rfc2307 patch I supplied some months ago to the 3.0.23 release. I am now 
getting some unexplained failures and would like some pointers as to 
where to start looking.


I am getting the following logged in the samba logs when trying to start 
the servers.


zebra.log:  Sid S-1-5-32-544 -> BUILTIN\Administrators(4)
zebra.log:  create_local_nt_token: Failed to create 
BUILTIN\Administrators group!


I am also getting the following in the log.winbindd-idmap file.

[2006/07/18 11:41:33, 1] sam/idmap_ad.c:ad_idmap_get_id_from_sid(314)  
ad_idmap_get_id_from_sid: ads_pull_uint32: could not read attribute 
'gidNumber'


I have gidNumber defined for all Unix users and all of their groups and 
this has been working fine until now. I can access the user homedrive 
OK, but this failure is occurring when I try to access a share protected 
by the group access declaration ... e.g.


[CoherentWebsites]
   comment = Coherent Technology Website Data
   valid users = @cohtech
   writeable = yes
   path = /var/www/coherent/websites

Anybody able to suggest where I should start looking or any additional 
log information that might help diagnose.


--
Howard Wilkinson
Coherent Technology Limited
23 Northampton Square,
London, United Kingdom, EC1V 0HL
Phone: +44(20)76907075
Fax:
Mobile: +44(7980)639379
Email: [EMAIL PROTECTED]