Re: [Samba] 'Administrator' account (UID 0) on Samba member of a Samba4 AD DC

2013-05-31 Thread steve
On Fri, 2013-05-31 at 12:56 +0100, Alex Matthews wrote:
> Hi all,
> 
> I have a samba server as member of an AD DC.
> In said AD DC there is the 'administrator' user which has the default 
> UID of 0 (the same as root)
> from the ADDC:
> 
> # id administrator
> uid=0(root) gid=513(SMC\Domain Users) groups=0(root),513(SMC\Domain 
> Users),305(SMC\Group Policy Creator Owners),309(SMC\Enterprise 
> Admins),512(SMC\Domain Admins),307(SMC\Schema Admins)
> 
> from the member server:
> # id administrator
> id: administrator: no such user

Map it to root:

[global]
...
username map = /path/to/usermap
...

with /path/to/usermap having something like:
root = SMC\\administrator SMC\administrator

(not sure about the backslashes so I've put both possibilities)


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
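Added example, not code from the thread or from Samba itself: a small Python parser for the 'username map' file format that applies the rules the way smb.conf(5) describes them (file order, case-insensitive matching, quoted names with spaces, @group and '*' entries, and a leading '!' stopping further mapping once a line matched), then audits the file for lines that hand an incoming name the root identity or that catch everyone. The map contents and the SMC names are constructed from the reply above; it lets you see which of the two backslash spellings actually matches before a domain account is given uid 0 on the member server.

```python
import pwd
import re

# Constructed sample modelled on the mapping suggested in the reply above
# (both backslash spellings kept, plus one ordinary mapping for contrast).
SAMPLE_USERNAME_MAP = r"""
# unix name on the left, one or more incoming names on the right
root = SMC\\administrator SMC\administrator
!steve = SMC\steve "SMC\Steve Smith"
"""

# right-hand side tokens: either "quoted with spaces" or bare words
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


class MapRule:
    def __init__(self, unix_name, patterns, final):
        self.unix_name = unix_name   # identity smbd will act as
        self.patterns = patterns     # incoming names, @group or *
        self.final = final           # line started with '!': stop after a match

    def matches(self, name, group_members):
        # smbd compares names case-insensitively
        for pat in self.patterns:
            if pat == "*":
                return True
            if pat.startswith("@"):
                members = group_members.get(pat[1:], ())
                if name.lower() in (m.lower() for m in members):
                    return True
            elif pat.lower() == name.lower():
                return True
        return False


def parse_username_map(text):
    """Parse the 'username map' format: 'unixname = name1 name2 ...'."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        final = line.startswith("!")
        if final:
            line = line[1:].lstrip()
        if "=" not in line:
            raise ValueError("malformed username map line: %r" % raw)
        unix_name, rhs = (part.strip() for part in line.split("=", 1))
        patterns = [quoted or bare for quoted, bare in TOKEN_RE.findall(rhs)]
        rules.append(MapRule(unix_name, patterns, final))
    return rules


def resolve(rules, incoming, group_members=None):
    """Apply the rules in file order. A match replaces the name and, unless
    the line started with '!', later lines are tried against the new name."""
    group_members = group_members or {}
    name = incoming
    for rule in rules:
        if rule.matches(name, group_members):
            name = rule.unix_name
            if rule.final:
                break
    return name


def audit(rules, privileged=("root",)):
    """Report rules that hand out a privileged unix identity or match everyone."""
    findings = []
    for rule in rules:
        try:
            uid = pwd.getpwnam(rule.unix_name).pw_uid
        except KeyError:
            uid = None   # unknown on this box; fall back to the name list
        if uid == 0 or rule.unix_name.lower() in privileged:
            findings.append("%s (uid %s) <- %s" % (rule.unix_name, uid, ", ".join(rule.patterns)))
        if "*" in rule.patterns:
            findings.append("%s <- wildcard '*' (matches every remaining name)" % rule.unix_name)
    return findings


if __name__ == "__main__":
    rules = parse_username_map(SAMPLE_USERNAME_MAP)
    for name in (r"SMC\administrator", r"SMC\\administrator", r"SMC\Steve Smith", r"SMC\nobody"):
        print("%-25s -> %s" % (name, resolve(rules, name)))
    for finding in audit(rules):
        print("AUDIT:", finding)
```

Run it against your real map file by reading the file into `parse_username_map`; the audit output is what you want to look at before restarting smbd, since a root mapping applies to every share on the member server.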


[Samba] Can't provision with BIND9_DLZ

2013-05-31 Thread steve
Version 4.0.7-GIT-d4cd828
openSUSE 12.04 with bind9 installed but not configured.

Hi
Attempting to provision with BIND9_DLZ or samba_upgradedns from a
functioning SAMBA_INTERNAL install produces:

Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Failed to setup database for BIND, AD based DNS cannot be used
ERROR(): uncaught exception - [Errno 2] No
such file or directory
  File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 
175, in _run
return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py",
line 398, in run
use_rfc2307=use_rfc2307, skip_sysvolacl=False)
  File
"/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", 
line 2145, in provision
skip_sysvolacl=skip_sysvolacl)
  File
"/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", 
line 1788, in provision_fill
targetdir=targetdir, site=DEFAULTSITE)
  File
"/usr/local/samba/lib64/python2.7/site-packages/samba/provision/sambadns.py", 
line 1072, in setup_ad_dns
hostip6=hostip6, targetdir=targetdir)
  File
"/usr/local/samba/lib64/python2.7/site-packages/samba/provision/sambadns.py", 
line 1122, in setup_bind9_dns
create_samdb_copy(samdb, logger, paths, names, domainsid,
domainguid)
  File
"/usr/local/samba/lib64/python2.7/site-packages/samba/provision/sambadns.py", 
line 805, in create_samdb_copy
os.path.join(dns_dir, "sam.ldb"))
  File
"/usr/local/samba/lib64/python2.7/site-packages/samba/tdb_util.py", line
36, in tdb_copy
status = subprocess.call(tdbbackup_cmd, close_fds=True, shell=False)
  File "/usr/lib64/python2.7/subprocess.py", line 493, in call
return Popen(*popenargs, **kwargs).wait()
  File "/usr/lib64/python2.7/subprocess.py", line 679, in __init__
errread, errwrite)
  File "/usr/lib64/python2.7/subprocess.py", line 1249, in
_execute_child
raise child_exception

Same with 4.0.6 on the same box. What have I done wrong?
Thanks






[Samba] does cifs understand acl's?

2013-06-02 Thread steve
4.0.6 file server for a 4.0.6 domain, reproducible with a 3.6.12, and
3.6.15 file server. 

File created in a share are created according to the acl set, but not
when mounted by cifs:

Here is a share
[test]
read only = No
path = /home/test

Here is the acl:
getfacl test
# file: test
# owner: root
# group: staff2
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:other::r-x

Here is a session on the unmounted share on the file server, all as
expected:
steve2@altea:/home/test> touch steve2.txt
steve2@altea:/home/test> ls -l
total 0
-rw-rw-r-- 1 steve2 staff2 0 Jun  2 10:58 steve2.txt
steve2@altea:/home/test> getfacl steve2.txt 
# file: steve2.txt
# owner: steve2
# group: staff2
user::rw-
group::rw-
other::r--

Now the same session on a client with the share mounted:
 
catral:/home/steve # mount -t cifs //altea/test /mnt
-osec=krb5,username=cifs,multiuser
catral:/home/steve # exit
exit
steve@catral:~> su steve2
Contraseña: 
steve2@catral:/home/steve> cd /mnt
steve2@catral:/mnt> touch steve22.txt
steve2@catral:/mnt> ls -l
total 0
-rw-r--r-- 1 steve2 staff2 0 jun  2 11:18 steve22.txt
-rw-rw-r-- 1 steve2 staff2 0 jun  2 10:58 steve2.txt

steve2@catral:/mnt> getfacl steve22.txt
# file: steve22.txt
# owner: steve2
# group: staff2
user::rw-
group::r--
other::r--

steve2@catral:/mnt> mount | grep mnt
//altea/test on /mnt type cifs
(rw,relatime,vers=1.0,sec=krb5,cache=strict,unc=\\altea
\test,multiuser,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.1.100,unix,posixpaths,serverino,acl,noperm,rsize=1048576,wsize=65536,actimeo=1)

Note how the acl is ignored by cifs.

Question: Does cifs honour acls set on ext4 filesystems with
acl,usr_xattr?
Must I use smb.conf to control permissions and acl?

Thanks,
Steve


Re: [Samba] dynamic DNS Updates still failing, re-installed 9 more times, tried everything I could think of, now bald.

2013-06-02 Thread steve
On Sun, 2013-06-02 at 01:46 -0700, Gary Maurizi wrote:
> This is a follow up to my previous...
> 
> Thomas, I have tried everything else I can think of, I WAS  able to get
> further debugging information out of samba, winbind, bind9_dlz, and whats
> going wrong in this process for us, but I am not a developer I have no way
> of knowing if this will be useful to you or anyone but I figure I should
> put it out so someday this can get fixed, Thanks:


Hi Gary
I'm no expert but I have dyndns working on openSUSE with 9.9 both from
win7 and Linux clients. Maybe strip your config down to just this, then
add the other stuff afterwards if you get it going?

1. Make sure that named is not running chrooted. That was a real gotcha
for me: it's default on openSUSE.
2. for now, chown -R named.named /var/lib/named
3. Use minimum options /etc/named.conf

options {
directory "/var/lib/named";
managed-keys-directory "/var/lib/named/dyn";
notify no;
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
include  "/usr/local/samba/private/named.conf";

Good luck.
Steve




Re: [Samba] Can't provision with BIND9_DLZ [SOLVED]

2013-06-02 Thread steve
On Sun, 2013-06-02 at 23:31 +1000, Andrew Bartlett wrote:
> On Fri, 2013-05-31 at 14:34 +0200, steve wrote:
> > Version 4.0.7-GIT-d4cd828
> > openSUSE 12.04 with bind9 installed but not configured.
> > 
> > Hi
> > Attempting to provision with BIND9_DLZ or samba_upgradedns from a
> > functioning SAMBA_INTERNAL install produces:
> > 
> > Creating DomainDnsZones and ForestDnsZones partitions
> > Populating DomainDnsZones and ForestDnsZones partitions
> > Failed to setup database for BIND, AD based DNS cannot be used
> > ERROR(): uncaught exception - [Errno 2] No
> > such file or directory
> 
> >   File
> > "/usr/local/samba/lib64/python2.7/site-packages/samba/tdb_util.py", line
> > 36, in tdb_copy
> > status = subprocess.call(tdbbackup_cmd, close_fds=True, shell=False)
> >   File "/usr/lib64/python2.7/subprocess.py", line 493, in call
> > return Popen(*popenargs, **kwargs).wait()
> >   File "/usr/lib64/python2.7/subprocess.py", line 679, in __init__
> > errread, errwrite)
> >   File "/usr/lib64/python2.7/subprocess.py", line 1249, in
> > _execute_child
> > raise child_exception
> > 
> > Same with 4.0.6 on the same box. What have I done wrong?
> > Thanks
> 
> What has happened here is that your OS has the right version of libtdb,
> but hasn't supplied the tdb tools - tdbbackup in this case, which we use
> to prepare the databases for the DNS server.  Find the OS package for
> that, and install it.
> 
> I hope this helps,
> 
> Andrew Bartlett
> 

Hi
Thanks. Actually, I did have the tdbtools installed, but openSUSE in
their wisdom, chose not to put them in the PATH. A symlink:
ln -s /usr/bin/tdbbackup /usr/lib/mit/sbin
did it.

Sorry, I know it's bad list netiquette not to post the solution. I
should have done this before.
Cheers,
Steve




Re: [Samba] dynamic DNS Updates still failing, re-installed 9 more times, tried everything I could think of, now bald.

2013-06-02 Thread steve
On Sun, 2013-06-02 at 23:50 +0300, Giedrius wrote:
> 2013.06.02 16:16, Andrew Bartlett wrote:
> > On Sun, 2013-06-02 at 11:52 +0200, steve wrote:
> >> On Sun, 2013-06-02 at 01:46 -0700, Gary Maurizi wrote:
> >>> This is a follow up to my previous...
> >>>
> >>> Thomas, I have tried everything else I can think of, I WAS  able to get
> >>> further debugging information out of samba, winbind, bind9_dlz, and whats
> >>> going wrong in this process for us, but I am not a developer I have no way
> >>> of knowing if this will be useful to you or anyone but I figure I should
> >>> put it out so someday this can get fixed, Thanks:
> >>
> >> Hi Gary
> >> I'm no expert but I have dyndns working on openSUSE with 9.9 both from
> >> win7 and Linux clients. Maybe strip your config down to just this, then
> >> add the other stuff afterwards if you get it going?
> >>
> >> 1. Make sure that named is not running chrooted. That was a real gotcha
> >> for me: it's default on openSUSE.
> > This certainly could be the major issue here.  I can imagine this
> > causing no end of drama if folks don't check for it. 
> >
> >> 2. for now, chown -R named.named /var/lib/named
> > I certainly agree, for now (try and restore a more secure set of
> > permissions later, but it is very worthwhile to test and rule out). 
> >
> >> 3. Use minimum options /etc/named.conf
> >>
> >> options {
> >>directory "/var/lib/named";
> >>managed-keys-directory "/var/lib/named/dyn";
> >>notify no;
> >>tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
> >> };
> >> include  "/usr/local/samba/private/named.conf";
> Also add:
>  tkey-domain "";
>  tkey-gssapi-credential "";
> 
>  BIND9 in openSUSE seems to require this to enable GSSAPI
> 
>  Also try hard-linking /usr/local/samba/private/dns.keytab to
> /etc/krb5.keytab
>  Somewhere in the mailing lists there was a report bind9 is
> always using system default keytab
>  If you get errors loading krb5 principal after specifying
> tkey-gssapi-credential, you might need to regenerate the dns.keytab
> (changed password ?)

Hi
openSUSE 12.3
This is the first time in many years where the SUSE/openSUSE bind has
_almost_ worked out of the box. They will not entertain non chrooted
installs.

I've tested it. It's OK without tkey-domain or tkey-gssapi-credential.

I am trying to present as minimal a setup for the OP. I think in
situations such as these, it is important to get bind working choose
what. For that we must cut it down to an absolute minimal install with
security settings wide open. Once it's working, then we can. . .

I think that DNS is still our weakest link and I'm really pleased to see
the devs looking through the end user list occasionally. Until the
internal DNS is ready, we're stuck with bind. Let's try and make it as
painless as possible for ourselves.

Cheers,
Steve

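Added example for the minimal named.conf in the earlier reply and the chroot and keytab points discussed in this thread; it is not code from the thread, from Samba or from BIND. The Python below pulls the flat options out of that named.conf, reports whether the openSUSE sysconfig switch is still set to run named chrooted (it assumes the key is `NAMED_RUN_CHROOTED` in /etc/sysconfig/named; the post only says the chroot is the default), and checks that the dns.keytab named is pointed at exists, belongs to the named user and is not readable by other users. The keytab carries the credential BIND uses to accept GSS-TSIG updates, so `chown -R named.named` plus open modes is the wide-open starting point, not where it should stay. The sample config is a copy of the one posted; the keytab checked is whatever path you hand the function.

```python
import os
import pwd
import re
import stat

# Constructed copy of the minimal /etc/named.conf from the reply, parsed offline
SAMPLE_NAMED_CONF = """
options {
directory "/var/lib/named";
managed-keys-directory "/var/lib/named/dyn";
notify no;
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
include  "/usr/local/samba/private/named.conf";
"""

# one 'key "value";' or 'key value;' per line; braces and nesting are not handled
STATEMENT_RE = re.compile(r'^\s*([a-z][a-z-]*)\s+(?:"([^"]*)"|([^;\n]+?))\s*;', re.M)


def parse_named_conf(text):
    """Return ({option: value}, [included files]) for the flat subset used here."""
    options, includes = {}, []
    for key, quoted, bare in STATEMENT_RE.findall(text):
        value = quoted if bare == "" else bare.strip()
        if key == "include":
            includes.append(value)
        else:
            options[key] = value
    return options, includes


def chroot_enabled(sysconfig_text):
    """Assumed openSUSE switch: NAMED_RUN_CHROOTED="yes" in /etc/sysconfig/named."""
    m = re.search(r'^\s*NAMED_RUN_CHROOTED\s*=\s*"?(yes|no)"?', sysconfig_text, re.M | re.I)
    return m is not None and m.group(1).lower() == "yes"


def keytab_findings(path, service_user="named"):
    """Codes for why named could not use the keytab, or why it is exposed more
    widely than needed. An empty list means it looks right."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    try:
        expected_uid = pwd.getpwnam(service_user).pw_uid
    except KeyError:
        findings.append("no-such-user:%s" % service_user)
        expected_uid = None
    if expected_uid is not None and st.st_uid != expected_uid:
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            owner = str(st.st_uid)
        findings.append("wrong-owner:%s" % owner)
    if not st.st_mode & stat.S_IRUSR:
        findings.append("owner-cannot-read")
    if st.st_mode & stat.S_IROTH:
        findings.append("world-readable")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group-or-world-writable")
    return findings


if __name__ == "__main__":
    options, includes = parse_named_conf(SAMPLE_NAMED_CONF)
    print("options:", options)
    print("includes:", includes)
    keytab = options.get("tkey-gssapi-keytab")
    print("keytab %s:" % keytab, keytab_findings(keytab) or "ok")
    try:
        with open("/etc/sysconfig/named") as f:
            print("named chrooted:", chroot_enabled(f.read()))
    except OSError:
        print("no /etc/sysconfig/named on this box")
```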

Re: [Samba] Can't provision with BIND9_DLZ [SOLVED]

2013-06-02 Thread steve
On Mon, 2013-06-03 at 08:00 +1000, Andrew Bartlett wrote:

> 
> That is *very* weird.  They may be another package with tdbbackup in a
> normal path.  Otherwise, could you follow this up with the OpenSUSE
> folks?
> 
> Thanks,
> 
> Andrew Bartlett

We've taken this up with them before:
http://web.archiveorange.com/archive/v/wmeLDFrMPjIqJeDjmRdr
They blocked us then so I don't think they'll fix it now. Anyway, this
thread should reach Google soon.



Re: [Samba] dynamic DNS Updates still failing, re-installed 9 more times, tried everything I could think of, now bald.

2013-06-02 Thread steve
On Mon, 2013-06-03 at 08:16 +1000, Andrew Bartlett wrote:
> On Mon, 2013-06-03 at 00:05 +0200, steve wrote:

> > Hi
> > openSUSE 12.3
> > This is the first time in many years where the SUSE/openSUSE bind has
> > _almost_ worked out of the box. They will not entertain non chrooted
> > installs.
> 
> This is somehow totally disabled?

No. You can enable it, but the chroot is the default. You cannot install
bind without the bind-chroot environment package too.
> 
> > I've tested it. It's OK without tkey-domain or tkey-gssapi-credential.
> 
> Good.
> 
> > I am trying to present as minimal a setup for the OP. I think in
> > situations such as these, it is important to get bind working choose
> > what. For that we must cut it down to an absolute minimal install with
> > security settings wide open. Once it's working, then we can. . .
> > 
> > I think that DNS is still our weakest link and I'm really pleased to see
> > the devs looking through the end user list occasionally. Until the
> > internal DNS is ready, we're stuck with bind. Let's try and make it as
> > painless as possible for ourselves.
> 
> The only way we can really improve it (as far as I'm currently aware) is
> to take the bind binary, and launch it with a custom config file inside
> 'samba' like we do smbd, pointing only at our DNS zone, and with chroot
> etc disabled. 
> 
> That should, in theory, get us most of the control we get with the
> internal server.  Someone needs to write the patches however, and it
> would mean we gain yet another DNS mode (which may be more trouble than
> it's worth - I don't know). 
> 
> Andrew Bartlett

End users need something simple to install. We also need something that
does dynamic dns reliably. The strong points of the internal dns are
its simplicity of installation. Would it be possible to get it to do
dns updates from nsupdate? The only reason most of us have to go with
bind is because we need reliable dynamic dns updates. Not just sometimes
and then only with windows clients.  Many of the questions and confusion
on this list is to do with DNS. Get that sorted and you have a killer
app. 

As this is a very big stopper for many of us, would it be possible to
consider a change of developer emphasis for 4.1? Something like a 'DNS
or bust' approach? Many of the things you are doing are amazing but
without the basic DNS, they're lost on us end users. If you wanted any
DNS testers to get it to the rolling out stage, I'm sure many of us here
would be only too pleased to help you test whatever you could throw at
us.

Thanks for reading. Please don't lose sight of those of us who do not code.
We're still very much Samba and still very much here to help the devs
and so the project.




Re: [Samba] [samba4] Thank you to the Samba Team

2013-06-02 Thread steve
On Mon, 2013-06-03 at 00:56 +0200, François Lafont wrote:

> - a second member server identical to the first one (except for the name and 
> the ip address) which copied in real time the previous server's data just in 
> case.

Hi
Just curious. Did you rsync it? Did you try disabling the first file
server and do an IP takeover on the second? Or was it a cluster?
Cheers,
Steve



Re: [Samba] Can't provision with BIND9_DLZ [SOLVED]

2013-06-02 Thread steve
On Mon, 2013-06-03 at 08:51 +1000, Andrew Bartlett wrote:
> On Mon, 2013-06-03 at 00:48 +0200, steve wrote:
> > On Mon, 2013-06-03 at 08:00 +1000, Andrew Bartlett wrote:
> > 
> > > 
> > > That is *very* weird.  They may be another package with tdbbackup in a
> > > normal path.  Otherwise, could you follow this up with the OpenSUSE
> > > folks?
> > > 
> > > Thanks,
> > > 
> > > Andrew Bartlett
> > 
> > We've taken this up with them before:
> > http://web.archiveorange.com/archive/v/wmeLDFrMPjIqJeDjmRdr
> > They blocked us then so I don't think they'll fix it now. Anyway, this
> > thread should reach Google soon.
> 
> That's different - Samba's tdbbackup isn't a part of MIT kerberos, while
> these other tools are.  It might be being packaged there for some other
> reason, or it might be a different tool that just seems to be similar. 
> 
> I would have expected a tdbtools package that provides this for the
> whole system.
> 
> Andrew Bartlett
> 
OK. I'll bugzilla it. Is it OK if I link to this thread in the bug
report?
Cheers




Re: [Samba] dynamic DNS Updates still failing, re-installed 9 more times, tried everything I could think of, now bald.

2013-06-02 Thread steve
On Sun, 2013-06-02 at 17:40 -0700, Gary Maurizi wrote:
> I want to thank you both so very much for your help.
> 
> [root@server samba-master]# named -V
> BIND 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 built with
> '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu'
> '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr'
> '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
> '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include'
> '--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
> '--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
> '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var'
> '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static'
> '--disable-openssl-version-check' '--with-dlz-ldap=yes'
> '--with-dlz-postgres=yes' '--with-dlz-mysql=yes'
> '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego'
> '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
> '--enable-fixed-rrset' 'build_alias=x86_64-redhat-linux-gnu'
> 'host_alias=x86_64-redhat-linux-gnu'
> 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall
> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
> --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS=
> -DDIG_SIGCHASE'
> using OpenSSL version: OpenSSL 1.0.0 29 Mar 2010
> using libxml2 version: 2.7.6
> [root@server samba-master]#

 
Here it is on openSUSE 12.3:
hh16:/home/steve # named -V
BIND 9.9.2-P2 built with '--prefix=/usr' '--bindir=/usr/bin'
'--sbindir=/usr/sbin' '--sysconfdir=/etc' '--localstatedir=/var'
'--libdir=/usr/lib64' '--includedir=/usr/include/bind'
'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-openssl'
'--enable-threads' '--with-libtool' '--enable-runidn' '--with-libxml2'
'--with-dlz-mysql' '--with-dlz-ldap' 'CFLAGS=-fmessage-length=0 -O2
-Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables
-fasynchronous-unwind-tables -g -DNO_VERSION_DATE -fno-strict-aliasing'
'LDFLAGS=-L/usr/lib64'
using OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013
hh16:/home/steve # 






Re: [Samba] dynamic DNS Updates still failing, re-installed 9 more times, tried everything I could think of, now bald.

2013-06-02 Thread steve
On Mon, 2013-06-03 at 09:36 +1000, Andrew Bartlett wrote:
> On Mon, 2013-06-03 at 01:11 +0200, steve wrote:
> > On Mon, 2013-06-03 at 08:16 +1000, Andrew Bartlett wrote:

> > 
> > End users need something simple to install. We also need something that
> > does dynamic dns reliably. The strong points of the internal dns are
> > its simplicity of installation. Would it be possible to get it to do
> > dns updates from nsupdate?
> 
> It does do dns updates from nsupdate.  There is a client-side error
> shown *after* the successful update, but the developer who developed the
> patch for this hasn't been able to write the tests to allow his changes
> to make it into master.  

Hi
No, I'm sorry but it doesn't. The record goes in once and that's that.
You then can't change it. Not with nsupdate. Not with samba-tool dns. The
only way to free it is to samba_upgradedns to BIND9_DLZ it.




Re: [Samba] Security = ADS and uidnumbers

2013-06-05 Thread steve
On Wed, 2013-06-05 at 16:22 +0100, Jonathan Buzzard wrote:
> On Wed, 2013-06-05 at 15:42 +0100, Rowland Penny wrote:
> >
> > I never said that I couldn't get it to work, I just said that it is
> > just too complicated. Yes I can read and there was no need to get
> > personal
> > 
> 
> You said you gave up because it was too complicated. Also if you are
> setting up a Samba file server and need UID/GID to SID mappings the only
> supported option is Winbind if sssd works at all.

Hi
Why don't we simply store the uid in the directory along with everything
else concerning the user? Why store that information somewhere else?

All the OP wants is consistent uidNumbers. The only way I know how to do
that is to store the uidNumber in the DN of the object. All DC's pull
the same attribute at all times. Forget idmap ranges. You can use
winbind to do that and prolly pull stuff from AD too. However, those of
us who have tried alternatives for pulling rfc2307 from AD find the
alternatives easier to install and configure. Anyone who has tried sssd
is unlikely to return to winbind. It also has the advantage that it
works fully on a S4 DC, not just for uid and gid but for the whole of
rfc2307. For good measure, it throws in dynamic dns updates for fwd and
reverse zones. For free.

sssd does what it says on the tin. With winbind, there are too many
different tins;) 





[Samba] reverse zone dns updates

2013-06-05 Thread steve
Version 4.1.0pre1-GIT-1a6eac2

Hi
I added a reverse zone to my internal dns. It won't update the reverse
zone. With bind, it does.

Before I go any further, is it possible that the internal dns server
update the reverse zone from a nsupdate request?

Cheers,
Steve



Re: [Samba] Security = ADS and uidnumbers

2013-06-05 Thread steve
On Wed, 2013-06-05 at 18:32 +0100, Rowland Penny wrote:
> Well said Steve
> 
> 
> From what I have read on the two samba mailing lists, Samba 4 is
> supposed to be a clone of windows AD, well windows AD does not have
> winbind, so I suppose this begs the question, why when running as a DC
> controller does Samba4?

I think it's still needed because not everything is stored in the
directory. sids are stored alongside (what become) their uid or gid in
the idmap database, rather than AD. As end users, we can choose to work
only with AD, however, every object we add also ends up in idmap too. I
can see one of the reasons is so that a unique sid to uid can be
guaranteed. There's a counter object in idmap which gets incremented
each time we add something ourselves. However, once the xid from idmap
has been transferred to AD, or we've allocated our own, we can then
delete the idmap entry.
Cheers,
Steve




Re: [Samba] Security = ADS and uidnumbers

2013-06-06 Thread steve
On Wed, 2013-06-05 at 23:13 +0100, Jonathan Buzzard wrote:
> On 05/06/13 17:56, steve wrote:
> > On Wed, 2013-06-05 at 16:22 +0100, Jonathan Buzzard wrote:
> >> On Wed, 2013-06-05 at 15:42 +0100, Rowland Penny wrote:
> >>>
> >>> I never said that I couldn't get it to work, I just said that it is
> >>> just too complicated. Yes I can read and there was no need to get
> >>> personal
> >>>
> >>
> >> You said you gave up because it was too complicated. Also if you are
> >> setting up a Samba file server and need UID/GID to SID mappings the only
> >> supported option is Winbind if sssd works at all.
> >
> > Hi
> > Why don't we simply store the uid in the directory along with everything
> > else concerning the user? Why store that information somewhere else?
> >
> 
> You do store the UID in the directory along with everything else. You 
> just need some way of looking it up.

No, it doesn't. Unless you intervene and force them into the directory
yourself, it stores them separately. Try it. Add a user using samba-tool
user. Then ldbsearch him.

> 
> > All the OP wants is consistent uidNumbers.
> 
> Actually that is not clear. They want consistent UID's on a machine that 
> is running Samba which complicates things because it might mean they 
> want consistent and secure SID to UID mapping as well as consistent UID's.

I think we all need a sid that is glued to a uid. How would we work with
a user having uid x one session, and then having uid y the next session.
I've missed something I know. I'm not a theorist nor coder. 
> 
> Anyone who has tried sssd
>  is unlikely to return to winbind.
> 
> Really, don't think so.
Then you can't have tried it.
> 
> > It also has the advantage that it
> > works fully on a S4 DC, not just for uid and gid but for the whole of
> > rfc2307. For good measure, it throws in dynamic dns updates for fwd and
> > reverse zones. For free.
> 
> Your file servers have dynamic DNS!!!
No, but our Linux clients do. Luxury on just one line of a config file.
> 
> > sssd does what it says on the tin. With winbind, there are too many
> > different tins;)
> 

> The reason for the ranges, which is why winbind is better than sssd for 
> a Samba file server is that Samba has some builtin SID's that it needs 
> to assign UID/GID's to. With winbind you can make sure that these don't 
> incorrectly overlap which would be a security issue.

There are a few built in sids which remain in the idmap database. I
can't see any reason why they couldn't be put in the directory too. If
you take the same xid which is assigned to the sid when the domain is
provisioned, how could there be overlap? I've mentioned the counter object
in idmap which takes care of unique xid's.




Re: [Samba] Security = ADS and uidnumbers

2013-06-06 Thread steve
On Wed, 2013-06-05 at 23:13 +0100, Jonathan Buzzard wrote:

> 
> As far as I can tell sssd does not provide a mechanism for the smbd on 
> at least 3.5 (the 4.x series might be different but the OP is running 
> 3.6) to see an incoming SID and work out the UID.

It would be pretty useless without. It does the same job as nss-ldapd
and idmap_rid.




Re: [Samba] Security = ADS and uidnumbers

2013-06-06 Thread steve
On Thu, 2013-06-06 at 10:19 +0100, Jonathan Buzzard wrote:
> 
> So given the OP wants consistent UID's on presumably his Samba file
> server running a 3.6.x variant of Samba how does sssd help?

Hi
sssd is an alternative to using winbind to extract information from AD.
It may help the OP to try it instead of winbind. Here are a few of the
advantages we have found. 
- sssd is supported: if you have a problem, it will be resolved one day
to the next. 
- It has only one branch which gives the same results with the same
configuration for both samba and smbd.
- It does not need entries in smb.conf

At the moment, winbind seems to be under development. I'm sure that once
it is finished, it will be just as good as sssd at extracting consistent
information from AD.


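Added example for the consistent-uid and range-overlap discussion in this thread; it is not code from the thread or from Samba. The Python below reads the `idmap config <domain> : backend/range/base_rid` lines out of an smb.conf fragment (those parameter names are Samba's; the domain name, SID and ranges are constructed) and computes the uid idmap_rid would hand out, which per idmap_rid(8) is ID = RID - BASE_RID + LOW_RANGE_ID. Because that is a pure function of the SID and the range line, two member servers with the same line get the same uid for the same user, which is the consistency the OP is after without any database being shared. It also reports idmap ranges that overlap, the situation the thread calls a security issue, since the default `*` range has to hold BUILTIN and well-known SIDs clear of the domain's ids.

```python
import re

# Constructed smb.conf fragment for a member server of a domain called SMC
SAMPLE_SMB_CONF = """
[global]
   security = ADS
   workgroup = SMC
   idmap config * : backend = tdb
   idmap config * : range = 3000000-3999999
   idmap config SMC : backend = rid
   idmap config SMC : range = 10000-999999
"""
# Same thing, but the default range collides with the domain range
BAD_SMB_CONF = SAMPLE_SMB_CONF.replace("3000000-3999999", "10000-19999")

DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"   # constructed domain SID

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range|base_rid)\s*=\s*(\S+)", re.I | re.M)


def parse_idmap_config(text):
    """{domain: {'backend': str, 'low': int, 'high': int, 'base_rid': int}}"""
    cfg = {}
    for domain, key, value in IDMAP_RE.findall(text):
        entry = cfg.setdefault(domain.upper(), {"base_rid": 0})
        key = key.lower()
        if key == "range":
            entry["low"], entry["high"] = (int(x) for x in value.split("-"))
        elif key == "base_rid":
            entry["base_rid"] = int(value)
        else:
            entry["backend"] = value.lower()
    return cfg


def rid_of(sid, domain_sid):
    """The RID is the last sub-authority of a SID in this domain; None otherwise."""
    prefix = domain_sid + "-"
    if not sid.startswith(prefix):
        return None
    rest = sid[len(prefix):]
    return int(rest) if rest.isdigit() else None


def sid_to_id(sid, domain_sid, entry):
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID. Returns None for
    SIDs from another domain or results outside the configured range, which is
    when winbind would refuse rather than invent an id."""
    rid = rid_of(sid, domain_sid)
    if rid is None or entry.get("backend") != "rid":
        return None
    xid = rid - entry["base_rid"] + entry["low"]
    return xid if entry["low"] <= xid <= entry["high"] else None


def overlapping_ranges(cfg):
    """Pairs of idmap domains whose ranges intersect. The '*' range also serves
    BUILTIN and well-known SIDs, so it must stay clear of every domain range."""
    names = sorted(cfg)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            ra, rb = cfg[a], cfg[b]
            if "low" in ra and "low" in rb and ra["low"] <= rb["high"] and rb["low"] <= ra["high"]:
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    user_sid = DOMAIN_SID + "-1106"   # constructed user RID
    for label, conf in (("good", SAMPLE_SMB_CONF), ("bad", BAD_SMB_CONF)):
        cfg = parse_idmap_config(conf)
        # two member servers reading the same line compute the same uid
        print(label, "uid for RID 1106 on server A:", sid_to_id(user_sid, DOMAIN_SID, cfg["SMC"]),
              "server B:", sid_to_id(user_sid, DOMAIN_SID, parse_idmap_config(conf)["SMC"]),
              "overlapping ranges:", overlapping_ranges(cfg))
```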


[Samba] chmod g+s not working over cifs

2013-06-07 Thread steve
Hi
I've had this problem since 3.0.9 and I've now reproduced it on 4.0.6,
4.0.7 git and 4.1.0 pre1

Summary: if I chmod g+s a shared folder, the files created therein are
not group owned.

Here is the original post from March which didn't get a reply:


Version 4.0.5-GIT-9ec44d4
Single DC and fileserver running the samba binary.

Hi
I have a share called shared:
[shared]
 path = /home/shared
 read only = No

I set the ACL:
setfacl -R -m g:staff:rw,d:g:staff:rw /home/shared

This is what it looks like:
getfacl shared
# file: shared
# owner: root
# group: staff
# flags: -s-
user::rwx
group::rwx
group:staff:rw-
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:staff:rw-
default:mask::rwx
default:other::---

The file listing looks OK:
drwxrws---+  3 root  staff  4096 Mar 29 10:05 shared

Problem:
Files created from Linux cifs mounted or W7 clients are group 'Domain 
users', the primary group of the user, not 'staff' as the g+s should 
give. Files created in the share on the DC are correctly assigned to 
group 'staff'.

Question:
How do I get files created in the share 'shared' to be group owned by 
group 'staff'?

Cheers,
Steve.


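Added example covering both this chmod g+s post and the earlier "does cifs understand acl's?" post (2013-06-02) on this page; it is not code from either post, from Samba or from cifs-utils. The Python parses getfacl output, works out what a new file under a directory should look like under POSIX ACL inheritance (the parent's default entries, with the owner entry, the group class and other ANDed with the mode the creating process requested, 0666 for touch) and compares that with the getfacl of the file that was actually created; it also checks that a setgid directory (`# flags: -s-`) passed its group on. The getfacl texts are constructed copies of the ones posted, plus one constructed file whose group came out as Domain Users, which is the symptom described above. Feeding it the real `getfacl` output of a directory and a fresh file tells you in one line which entry the client side overrode.

```python
# Constructed getfacl output, copied in shape from the two posts
DIR_TEST = """
# file: test
# owner: root
# group: staff2
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:other::r-x
"""
FILE_LOCAL = "# file: steve2.txt\n# owner: steve2\n# group: staff2\nuser::rw-\ngroup::rw-\nother::r--\n"
FILE_CIFS = "# file: steve22.txt\n# owner: steve2\n# group: staff2\nuser::rw-\ngroup::r--\nother::r--\n"
DIR_SHARED = """
# file: shared
# owner: root
# group: staff
# flags: -s-
user::rwx
group::rwx
group:staff:rw-
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:staff:rw-
default:mask::rwx
default:other::---
"""
# constructed: what a cifs/W7 client produced under shared, primary group instead of staff
FILE_IN_SHARED = "# file: doc.txt\n# owner: steve\n# group: Domain Users\nuser::rw-\ngroup::r--\nother::---\n"

PERM_BITS = (("r", 4), ("w", 2), ("x", 1))


def perms_to_int(perms):
    return sum(bit for ch, bit in PERM_BITS if ch in perms)


def int_to_perms(n):
    return "absent" if n is None else "".join(ch if n & bit else "-" for ch, bit in PERM_BITS)


def parse_getfacl(text):
    """Header fields plus 'access' and 'default' tables keyed (tag, qualifier) -> bits."""
    info = {"access": {}, "default": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            info[key.strip()] = value.strip()
            continue
        fields = line.split("#", 1)[0].split(":")   # drop "#effective:" annotations
        table = info["access"]
        if fields[0] == "default":
            table, fields = info["default"], fields[1:]
        table[(fields[0], fields[1])] = perms_to_int(fields[2])
    return info


def expected_child_acl(dir_info, create_mode=0o666):
    """Parent's default ACL with owner, group class (mask if present, else
    group::) and other limited to the bits the creating process asked for."""
    default = dir_info["default"]
    group_class = ("mask", "") if ("mask", "") in default else ("group", "")
    limits = {("user", ""): (create_mode >> 6) & 7,
              group_class: (create_mode >> 3) & 7,
              ("other", ""): create_mode & 7}
    return {key: bits & limits.get(key, 7) for key, bits in default.items()}


def diff_acl(expected, actual):
    problems = []
    for key in sorted(set(expected) | set(actual)):
        if expected.get(key) != actual.get(key):
            problems.append("%s:%s: expected %s, got %s" % (
                key[0], key[1], int_to_perms(expected.get(key)), int_to_perms(actual.get(key))))
    return problems


def setgid_group_problem(dir_info, child_info):
    """With the setgid bit (flags -s-) a new file must take the directory's group."""
    if dir_info.get("flags", "---")[1:2] == "s" and child_info.get("group") != dir_info.get("group"):
        return "setgid directory is group %s but %s is group %s" % (
            dir_info.get("group"), child_info.get("file"), child_info.get("group"))
    return None


def check_child(dir_text, child_text, create_mode=0o666):
    """Both checks for one directory/child pair of getfacl outputs; [] means fine."""
    dir_info, child_info = parse_getfacl(dir_text), parse_getfacl(child_text)
    problems = diff_acl(expected_child_acl(dir_info, create_mode), child_info["access"])
    group_problem = setgid_group_problem(dir_info, child_info)
    return problems + ([group_problem] if group_problem else [])


if __name__ == "__main__":
    for label, pair in (("local file", (DIR_TEST, FILE_LOCAL)),
                        ("cifs file", (DIR_TEST, FILE_CIFS)),
                        ("shared/doc.txt", (DIR_SHARED, FILE_IN_SHARED))):
        print(label, "->", check_child(*pair) or "ok")
```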


Re: [Samba] samba4 + cups - it is working for someone?

2013-06-09 Thread steve
On Sun, 2013-06-09 at 09:10 +0200, Adam Sienkiewicz wrote:
> Hi;
> Thanks for tip. I implemented given changes but with no luck
> I still have messages in samba log:

Hi
I don't think it's as simple as adding shares to smb.conf. I have
managed to get a test page printed using this method:
https://wiki.samba.org/index.php/Samba_as_a_print_server
but no more. Something changed between 4.0.0 and where we are now but I
can't work out what it is.
Try the wiki next?
hth
Steve




Re: [Samba] samba4 + cups - it is working for someone?

2013-06-09 Thread steve

On 09/06/13 11:00, Adam Sienkiewicz wrote:
> Hi Steve
> 
> I proceeded regarding this howto. All seems to be fine except
> connection samba-cups. From windows I can add printer, print test page
> but all print jobs from samba are lost between samba and cups I think.
> There are no entries in cups logs only issue in samba logs

Hi
I just found my error. I hope it's the same for you:

Here is my smb.conf:

[printers]
 path = /var/spool/samba
 printable = yes
 printing = CUPS

[print$]
 path = /srv/samba/Printer_drivers
 comment = Printer Drivers
 writeable = yes

[hpdeskjetf2200series]
 path = /var/spool/samba/
 browseable = yes
 printable = yes
 printer name = hpdeskjetf2200series
#printer name = "HP Deskjet F2200 series"

Note the printer name lines. I had the windows name "HP Deskjet F2200 
series"


The clue was in the logs:
/usr/local/samba/sbin/smbd: Unable to get jobs for 
ipp://localhost/printers/HP Deskjet F2200 series - client-error-not-found


I changed to the Linux/cups printer name and print jobs got sent without 
error.

HTH
Steve


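Added example for the printer name mismatch found above; it is not code from the thread, from Samba or from CUPS. The Python reads the printer shares out of an smb.conf (a constructed copy of the one posted, plus the failing variant with the Windows display name), takes the queue names from `lpstat -p` output (constructed here in the 'printer NAME is idle' shape CUPS prints) and reports any printable share whose `printer name` is not a valid CUPS queue name or does not exist in CUPS. That is the same mismatch smbd reported as "Unable to get jobs for ipp://localhost/printers/... client-error-not-found", caught before a job is lost. `[printers]` is skipped on purpose: smbd uses it as a template to create one share per CUPS queue, so it has no queue of its own.

```python
import configparser
import re

# Constructed copy of the smb.conf printer sections from the post
SAMPLE_SMB_CONF = """
[printers]
 path = /var/spool/samba
 printable = yes
 printing = CUPS

[print$]
 path = /srv/samba/Printer_drivers
 comment = Printer Drivers
 writeable = yes

[hpdeskjetf2200series]
 path = /var/spool/samba/
 browseable = yes
 printable = yes
 printer name = hpdeskjetf2200series
"""
# The variant that failed: the Windows display name instead of the CUPS queue name
BROKEN_SMB_CONF = SAMPLE_SMB_CONF.replace(
    "printer name = hpdeskjetf2200series", 'printer name = "HP Deskjet F2200 series"')

# Constructed `lpstat -p` output for the one queue CUPS knows about
SAMPLE_LPSTAT = "printer hpdeskjetf2200series is idle.  enabled since Sun 09 Jun 2013 11:00:00 CEST\n"


def cups_queues(lpstat_output):
    """Queue names from `lpstat -p` lines of the form 'printer NAME is ...'."""
    return set(re.findall(r"^printer (\S+)", lpstat_output, re.M))


def valid_cups_name(name):
    """CUPS queue names are printable ASCII without space, tab, '/' or '#'."""
    return bool(name) and all(33 <= ord(c) <= 126 and c not in "/#" for c in name)


def parse_smb_conf(text):
    cfg = configparser.RawConfigParser(strict=False, allow_no_value=True, delimiters=("=",))
    # smb.conf indents freely; configparser would read indented lines as continuations
    cfg.read_string("\n".join(line.strip() for line in text.splitlines()))
    return cfg


def printer_shares(cfg):
    """{share: queue name smbd will ask CUPS for}; [printers] is the template, not a queue."""
    shares = {}
    for section in cfg.sections():
        if section in ("global", "printers"):
            continue
        if not cfg.getboolean(section, "printable", fallback=False):
            continue
        queue = cfg.get(section, "printer name", fallback=section).strip().strip('"')
        shares[section] = queue
    return shares


def check_printer_names(cfg, lpstat_output):
    queues = cups_queues(lpstat_output)
    findings = []
    for share, queue in printer_shares(cfg).items():
        if not valid_cups_name(queue):
            findings.append("[%s]: %r is not a valid CUPS queue name (spaces, '/' and '#' are not allowed)"
                            % (share, queue))
        elif queue not in queues:
            findings.append("[%s]: CUPS has no queue named %r (known: %s)"
                            % (share, queue, ", ".join(sorted(queues)) or "none"))
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", SAMPLE_SMB_CONF), ("broken", BROKEN_SMB_CONF)):
        print(label, "->", check_printer_names(parse_smb_conf(conf), SAMPLE_LPSTAT) or "ok")
```

On a live box replace `SAMPLE_LPSTAT` with the output of `lpstat -p` and `SAMPLE_SMB_CONF` with the real file; shares that fail the first check need the CUPS queue name, not the name Windows shows.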


Re: [Samba] samba4 + cups - it is working for someone?

2013-06-10 Thread steve

On 09/06/13 20:16, Gerry Reno wrote:

On 06/09/2013 06:45 AM, steve wrote:

On 09/06/13 11:00, Adam Sienkiewicz wrote:

Hi Steve

I procceeded regarding this howtu. All seems to be fine except
connection samba-cups. From windows I can add printer, print test page
but all print jobs from samba are lost between samba and cups I think.
There is no entries in cups logs only issue in samba logs

Hi
I just found my error. I hope it's the same for you:

Here is my smb.conf:

[printers]
  path = /var/spool/samba
  printable = yes
  printing = CUPS

[print$]
  path = /srv/samba/Printer_drivers
  comment = Printer Drivers
  writeable = yes

[hpdeskjetf2200series]
  path = /var/spool/samba/
  browseable = yes
  printable = yes
  printer name = hpdeskjetf2200series
#printer name = "HP Deskjet F2200 series"

Note the printer name lines. I had the windows name "HP Deskjet F2200 series"

The clue was in the logs:
/usr/local/samba/sbin/smbd: Unable to get jobs for ipp://localhost/printers/HP Deskjet F2200 series - client-error-not-found

I changed to the Linux/cups printer name and print jobs got sent without error.
HTH
Steve



Steve, still not working for me.

What is the output of  lpinfo -v  on your system?

Gerry





Hi Gerry
lpinfo -v
network http
network ipp
network ipps
network https
direct usb://HP/Deskjet%20F2200%20series?serial=CN8BO1S0S605CC
network socket
network lpd
direct hp:/usb/Deskjet_F2200_series?serial=CN8BO1S0S605CC
network smb
direct parallel:/dev/lp0
network beh
direct hpfax

I wonder if you have the cups dev libraries and headers installed before 
you compile. I didn't so that was another problem I had. On openSUSE 
it's cups-devel. Just to make sure, I built with ./configure --enable-cups


Suerte,
Steve



Re: [Samba] Folder permissions not working

2013-06-10 Thread steve

On 07/06/13 08:13, Mike Bryce wrote:
I seem to be having a bit of a brain fade with regard to permissions 
in samba. I have a share with several folders owned by different groups:


drwxrws--- 13 root     accounts     4.0K Jun  7 12:12 Accounts
drwxrws--- 16 ian      accounts     4.0K Jun  7 11:24 Administration
drwxrws--- 14 accounts users        4.0K Apr 22 12:05 Downloads
drwxrwsr-x  7 ian      users        4.0K Mar 22 13:51 Graphics
drwxrws--- 14 marion   admins       4.0K Jun  6 14:39 Ian & Marion
drwxrws---  5 ian      myob         4.0K Jun  5 12:02 MYOB Accounts
drwxrws--- 41 ian      users        4.0K Jun  4 16:03 Plant Health
drwxrwsr-x  8 ian      users        4.0K Jan  8 07:49 Research
drwxrws--- 12 ian      users        4.0K Apr 16 16:57 Staff
drwxrws--- 21 ldapuser coffeecentre 4.0K Jun  5 13:32 The Australian Coffee Centre



I have a user (marion) who is a member of all these groups and more:

# groups marion
admins users coffeecentre accounts domadmins domusers myob

The issue is, Marion can't access the folder called "The Australian 
Coffee Centre", Windows 7 says no permission and the samba server shows:


# tail /var/log/samba/log.marionhome-pc
[2013/06/07 08:28:31.144321,  1] smbd/service.c:805(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2013/06/07 08:28:31.240024,  1] smbd/service.c:805(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED


All other sub-folders in this folder are accessible as expected. Where 
do I need to go looking for this problem? Anyone struck this before?


Happy to provide further info as directed.


Hi
I'm no expert, but how about using a big hammer?
Back up first, then:
setfacl -Rm u:marion:rwx "The Australian Coffee Centre"
Steve



Re: [Samba] samba4 + cups - it is working for someone?

2013-06-10 Thread steve
On Mon, 2013-06-10 at 09:54 -0400, Gerry Reno wrote:
> On 06/10/2013 03:47 AM, steve wrote:
> > On 09/06/13 20:16, Gerry Reno wrote:
> >> On 06/09/2013 06:45 AM, steve wrote:
> >>> On 09/06/13 11:00, Adam Sienkiewicz wrote:
> >>>> Hi Steve
> >>>>
> >>>> I proceeded according to this howto. All seems to be fine except the
> >>>> connection samba-cups. From windows I can add the printer and print a test page,
> >>>> but all print jobs from samba are lost between samba and cups, I think.
> >>>> There are no entries in the cups logs, only an issue in the samba logs.
> >>> Hi
> >>> I just found my error. I hope it's the same for you:
> >>>
> >>> Here is my smb.conf:
> >>>
> >>> [printers]
> >>>   path = /var/spool/samba
> >>>   printable = yes
> >>>   printing = CUPS
> >>>
> >>> [print$]
> >>>   path = /srv/samba/Printer_drivers
> >>>   comment = Printer Drivers
> >>>   writeable = yes
> >>>
> >>> [hpdeskjetf2200series]
> >>>   path = /var/spool/samba/
> >>>   browseable = yes
> >>>   printable = yes
> >>>   printer name = hpdeskjetf2200series
> >>> #printer name = "HP Deskjet F2200 series"
> >>>
> >>> Note the printer name lines. I had the windows name "HP Deskjet F2200 
> >>> series"
> >>>
> >>> The clue was in the logs:
> >>> /usr/local/samba/sbin/smbd: Unable to get jobs for 
> >>> ipp://localhost/printers/HP Deskjet F2200 series -
> >>> client-error-not-found
> >>>
> >>> I changed to the Linux/cups printer name and print jobs got sent without 
> >>> error.
> >>> HTH
> >>> Steve
> >>>
> >>>
> >> Steve, still not working for me.
> >>
> >> What is the output of  lpinfo -v  on your system?
> >>
> >> Gerry
> >>
> >>
> >>
> >>
> > Hi Gerry
> > lpinfo -v
> > network http
> > network ipp
> > network ipps
> > network https
> > direct usb://HP/Deskjet%20F2200%20series?serial=CN8BO1S0S605CC
> > network socket
> > network lpd
> > direct hp:/usb/Deskjet_F2200_series?serial=CN8BO1S0S605CC
> > network smb
> > direct parallel:/dev/lp0
> > network beh
> > direct hpfax
> >
> > I wonder if you have the cups dev libraries and headers installed before 
> > you compile. I didn't so that was another
> > problem I had. On openSUSE it's cups-devel. Just to make sure, I built with 
> > ./configure --enable-cups
> >
> > Suerte,
> > Steve
> >
> 
> 
> Ok, here's lpinfo -v on my test system:
> # lpinfo -v
> network ipp
> network lpd
> file cups-pdf:/
> network socket
> direct scsi
> network https
> network http
> network socket://192.168.2.180
> 
> The last entry is a networked printer
> 
> I notice that "network smb" is missing.  Going to CH10 in the Samba manual I 
> see that it takes a symlink from smbspool. 
> Did you have to do that manually?  Or did it just get made during install?
> 
> Gerry
Hi
No idea about the symlink until you mentioned it so it must have been
made during the install.




Re: [Samba] samba4 + cups - it is working for someone?

2013-06-10 Thread steve
On Mon, 2013-06-10 at 12:40 -0400, Gerry Reno wrote:
> On 06/10/2013 12:16 PM, steve wrote:
> > On Mon, 2013-06-10 at 09:54 -0400, Gerry Reno wrote:
> >> On 06/10/2013 03:47 AM, steve wrote:
> >>> On 09/06/13 20:16, Gerry Reno wrote:
> >>>> On 06/09/2013 06:45 AM, steve wrote:
> >>>>> On 09/06/13 11:00, Adam Sienkiewicz wrote:
> >>>>>> Hi Steve
> >>>>>>
> >>>>>> I proceeded according to this howto. All seems to be fine except the
> >>>>>> connection samba-cups. From windows I can add the printer and print a test page,
> >>>>>> but all print jobs from samba are lost between samba and cups, I think.
> >>>>>> There are no entries in the cups logs, only an issue in the samba logs.
> >>>>> Hi
> >>>>> I just found my error. I hope it's the same for you:
> >>>>>
> >>>>> Here is my smb.conf:
> >>>>>
> >>>>> [printers]
> >>>>>   path = /var/spool/samba
> >>>>>   printable = yes
> >>>>>   printing = CUPS
> >>>>>
> >>>>> [print$]
> >>>>>   path = /srv/samba/Printer_drivers
> >>>>>   comment = Printer Drivers
> >>>>>   writeable = yes
> >>>>>
> >>>>> [hpdeskjetf2200series]
> >>>>>   path = /var/spool/samba/
> >>>>>   browseable = yes
> >>>>>   printable = yes
> >>>>>   printer name = hpdeskjetf2200series
> >>>>> #printer name = "HP Deskjet F2200 series"
> >>>>>
> >>>>> Note the printer name lines. I had the windows name "HP Deskjet F2200 
> >>>>> series"
> >>>>>
> >>>>> The clue was in the logs:
> >>>>> /usr/local/samba/sbin/smbd: Unable to get jobs for 
> >>>>> ipp://localhost/printers/HP Deskjet F2200 series -
> >>>>> client-error-not-found
> >>>>>
> >>>>> I changed to the Linux/cups printer name and print jobs got sent 
> >>>>> without error.
> >>>>> HTH
> >>>>> Steve
> >>>>>
> >>>>>
> >>>> Steve, still not working for me.
> >>>>
> >>>> What is the output of  lpinfo -v  on your system?
> >>>>
> >>>> Gerry
> >>>>
> >>>>
> >>>>
> >>>>
> >>> Hi Gerry
> >>> lpinfo -v
> >>> network http
> >>> network ipp
> >>> network ipps
> >>> network https
> >>> direct usb://HP/Deskjet%20F2200%20series?serial=CN8BO1S0S605CC
> >>> network socket
> >>> network lpd
> >>> direct hp:/usb/Deskjet_F2200_series?serial=CN8BO1S0S605CC
> >>> network smb
> >>> direct parallel:/dev/lp0
> >>> network beh
> >>> direct hpfax
> >>>
> >>> I wonder if you have the cups dev libraries and headers installed before 
> >>> you compile. I didn't so that was another
> >>> problem I had. On openSUSE it's cups-devel. Just to make sure, I built 
> >>> with ./configure --enable-cups
> >>>
> >>> Suerte,
> >>> Steve
> >>>
> >>
> >> Ok, here's lpinfo -v on my test system:
> >> # lpinfo -v
> >> network ipp
> >> network lpd
> >> file cups-pdf:/
> >> network socket
> >> direct scsi
> >> network https
> >> network http
> >> network socket://192.168.2.180
> >>
> >> The last entry is a networked printer
> >>
> >> I notice that "network smb" is missing.  Going to CH10 in the Samba manual 
> >> I see that it takes a symlink from smbspool. 
> >> Did you have to do that manually?  Or did it just get made during install?
> >>
> >> Gerry
> > Hi
> > No idea about the symlink until you mentioned it so it must have been
> > made during the install.
> >
> >
> 
> I don't understand then why my Samba git stable (4.0.6)  install doesn't have 
> this symlink.
> $ find . -name config.h
> ./source4/heimdal_build/config.h
> ./bin/default/include/config.h
> 
> Is there some configure switch that causes this to be generated?
> 
> Gerry
> 
> 
> 
Hi
I couldn't get it to work with 4.0.6. We have: 
Version 4.1.0pre1-GIT-56055f7
It's the one you get from here:
git://git.samba.org/samba.git




Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-14 Thread steve
On Fri, 2013-06-14 at 18:05 +0400, Vladimir A Fomkin wrote:
> Hello Marc!
> Thank you for response!
> I added this string in smb.conf on PDC and BDC, but after sync the BDC again does
> not give access. I see the UID for files created for one user via PDC - 322
> and via BDC - 319

Hi
Make sure that you have the rfc2307 line in both the DCs. Add:
uidNumber: 322
to the DN of the user on one of the DCs. Wait a few minutes. Now
create a file. It will have uid 322 no matter which DC is consulted.
HTH
Steve
 



[Samba] rsync command for sysvol

2013-06-15 Thread steve
Hi
I'm trying to understand this sort of stuff:
https://lists.samba.org/archive/samba/2012-August/168907.html
so. . .

I setup DC1 with this /etc/rsyncd.conf:
[sysvol]
uid = 0
gid = 300
read only = no
path = /usr/local/samba/var/locks/sysvol

On DC2, I cron this:
rsync -AXauzv rsync://DC1/sysvol /usr/local/var/locks/sysvol

Test: kill samba on DC1. Result: the gpo's still work.
That's it isn't it?

I now plan to make DC2 a rsync server too and cron that
back DC1. Surely it's not as simple as that. Is it?

Cheers,
Steve




Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-17 Thread steve

On 17/06/13 08:57, Vladimir A Fomkin wrote:

Good day!
What is "DN"?



Hi
Make sure that you have the rfc2307 line in both the DCs. Add:
uidNumber: 322
to the DN of the user on one of the DCs. Wait a few minutes. Now
create a file. It will have uid 322 no matter which DC is consulted.
HTH
Steve


Hi
DN is LDAP for Distinguished Name

e.g. a user could have an entry in the directory:
 dn: CN=vladimir, CN=Users,DC=samba,DC=com

just add:
 uidNumber: 322
somewhere for that user. The easiest way to do that, so that you can 
understand what's happening, is to add it like this:


ldbedit --url=/usr/local/samba/private/sam.ldb CN=vladimir

That will use vi. If you don't know vi, use your favourite editor (e.g. 
let's say it's called 'yfe') instead:


ldbedit -e yfe --url=/usr/local/samba/private/sam.ldb CN=vladimir

HTH
Steve



Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-17 Thread steve
Hi
Just try adding the user anyway and let's see what happens:

samba-rool user add tester4



Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-17 Thread steve
On Mon, 2013-06-17 at 12:27 +0200, steve wrote:
> Hi
> Just try adding the user anyway and let's see what happens:
> 
> samba-rool user add tester4
> 

*
samba-tool
sorry




Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-17 Thread steve
On Mon, 2013-06-17 at 14:50 +0400, Vladimir A Fomkin wrote:
> HI!
> root@bdc-samba:~# /usr/local/samba/bin/samba-tool user add tester4
> New Password: 
> Retype Password: 
> ERROR(ldb): Failed to add user 'tester4':  - samldb: Account name
> (sAMAccountName) 'tester4' already in use!
> root@bdc-samba:~# 


Hi
ldbsearch --url=/usr/local/samba/private/sam.ldb | grep tester4





Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-19 Thread steve
On Wed, 2013-06-19 at 12:59 +0400, Vladimir A Fomkin wrote:
> Hi!
> 
> I tried to change the idmap backend from tdb to rid and set up the idmap
> range, but samba uses the old type of UIDs. 
> What am I doing wrong?
> 
> 
> [global]
> workgroup = TEST
> realm = test.local
> netbios name = BDC-SAMBA
> server role = active directory domain controller
> dns forwarder = 192.168.1.102
> idmap config TEST:backend = rid
> idmap config TEST:range = 400 - 500
> idmap config TEST:schema_mode = rfc2307
> idmap config *:backend = rid
> 
> 
Change to this:
[global]
 workgroup = TEST
 realm = test.local
 netbios name = BDC-SAMBA
 server role = active directory domain controller
 dns forwarder = 192.168.1.102
 idmap_ldb:use rfc2307 = Yes

> 
> 
> 
> root@bdc-samba:~# /usr/local/samba/bin/testparm
> -sv /usr/local/samba/etc/smb.conf | grep backend
> Load smb config files from /usr/local/samba/etc/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Processing section "[profiles]"
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
> passdb backend = samba_dsdb
> idmap backend = tdb
> share backend = 
> idmap config TEST:backend = rid
> idmap config * : backend = rid
> root@bdc-samba:~# 
> 
> 
> 
> 
> 2013/6/17 Vladimir A Fomkin 
> Hi!
> 
> root@debian-samba4:/usr/local/samba/private# 
> /usr/local/samba/bin/ldbsearch --url=/usr/local/samba/private/sam.ldb | grep 
> tester4
> sAMAccountName: tester4
> userPrincipalName: tester4@test.local
> root@debian-samba4:/usr/local/samba/private#
> 
> 
> 
> And I found there UID is saved - /usr/local/samba/bin/ldbedit
> --url=/usr/local/samba/private/idmap.ldb 
> On PDC shows (cut):
> 
> # record 7
> dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
> cn: S-1-5-21-3451120384-2816699473-3647757164-1110
> objectClass: sidMap
> objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110
> type: ID_TYPE_BOTH
> xidNumber: 323
> distinguishedName:
> CN=S-1-5-21-3451120384-2816699473-3647757164-1110
> 
> 
> On BDC shows (cut):
> # record 5
> dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
> cn: S-1-5-21-3451120384-2816699473-3647757164-1110
> objectClass: sidMap
> objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110
> type: ID_TYPE_BOTH
> xidNumber: 320
> distinguishedName:
> CN=S-1-5-21-3451120384-2816699473-3647757164-1110
> 
> 
> 
> SID is the same, but the UID is different!
> 

Good. Now delete the whole of BOTH these entries:
ldbedit --url=/usr/local/samba/private/idmap.ldb

Now delete tester4:
samba-tool user delete tester4

Now add the user tester4:
samba-tool user add tester4

wbinfo -i tester4
(I don't have tester4 so I'll use steve2 as an example)

 wbinfo -i steve2
HH3\steve2:*:321:20513::/home/HH3/steve2:/bin/false

Note the uid 321

Now, we add
uidNumber: 321
to AD:

ldbedit --url=/usr/local/samba/private/sam.ldb cn=steve2
# editing 1 records
# record 1
dn: CN=steve2,CN=Users,DC=hh3,DC=site
cn: steve2
instanceType: 4
whenCreated: 20130605152701.0Z
uSNCreated: 3800
name: steve2
objectGUID: 3dfcb8e8-fca2-49ea-9ac8-8e1b0563a379
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-451355595-2219208293-2714859210-1107
logonCount: 0
sAMAccountName: steve2
sAMAccountType: 805306368
userPrincipalName: ste...@hh3.site
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=hh3,DC=site
pwdLastSet: 13014919621000
userAccountControl: 66048
accountExpires: 0
uidNumber: 321


Now:
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

and edit /etc/nsswitch.conf

passwd:  files winbind
group:   files winbind

Test it:
getent passwd steve2 
steve2:*:321:20513:steve2:/home/users/steve2:/bin/bash  

login as steve2 and create a file:
su steve2
touch /tmp/somefile
ls -l /tmp/somefile
-rw-r--r-- 1 steve2 Domain Users 0 Jun 19 11:41 /tmp/somefile

HTH
Steve

 


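An added example, not code from the thread or from Samba: it parses `ldbedit`/`ldbsearch` style dumps of idmap.ldb taken from two DCs and reports every SID that is mapped to a different xidNumber on each side, which is exactly the divergence the two quoted records show (xidNumber 323 on the PDC, 320 on the BDC) and the reason the same user ends up owning files under different uids. The dumps are constructed samples built around the SID quoted above; the second SID ending in -1111 is invented for the example.

```python
"""Compare idmap.ldb dumps from two Samba AD DCs and report SIDs whose
xidNumber differs. Added example; the dumps below are constructed samples
modelled on the records quoted in this thread.
"""
from typing import Dict, List, Optional, Tuple

SID_USER = "S-1-5-21-3451120384-2816699473-3647757164-1110"   # quoted in the thread
SID_EXTRA = "S-1-5-21-3451120384-2816699473-3647757164-1111"  # constructed: only on the BDC

PDC_DUMP = f"""\
# record 7
dn: CN={SID_USER}
cn: {SID_USER}
objectClass: sidMap
objectSid: {SID_USER}
type: ID_TYPE_BOTH
xidNumber: 323
distinguishedName: CN={SID_USER}
"""

BDC_DUMP = f"""\
# record 5
dn: CN={SID_USER}
cn: {SID_USER}
objectClass: sidMap
objectSid: {SID_USER}
type: ID_TYPE_BOTH
xidNumber: 320
distinguishedName: CN={SID_USER}

# record 6
dn: CN={SID_EXTRA}
objectClass: sidMap
objectSid: {SID_EXTRA}
type: ID_TYPE_BOTH
xidNumber: 321
"""


def parse_ldb_dump(text: str) -> List[Dict[str, str]]:
    """Split ldbsearch/ldbedit output into records of {attribute: value}.

    Records are separated by blank lines, '#' lines are comments, and a line
    beginning with a single space continues the previous attribute (LDIF folding).
    """
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_key: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        if line.startswith("#"):
            continue
        if line[0] == " " and last_key is not None:
            current[last_key] += line[1:]
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        last_key = key.strip()
        current[last_key] = value.strip()
    if current:
        records.append(current)
    return records


def sid_to_xid(records: List[Dict[str, str]]) -> Dict[str, int]:
    """objectSid -> xidNumber for every sidMap record that carries both."""
    return {
        r["objectSid"]: int(r["xidNumber"])
        for r in records
        if r.get("objectClass") == "sidMap" and "objectSid" in r and "xidNumber" in r
    }


def compare_idmaps(dump_a: str, dump_b: str) -> Dict[str, Tuple[Optional[int], Optional[int]]]:
    """SIDs whose mapping differs between the two DCs, as {sid: (xid_a, xid_b)}.

    None on one side means that DC has not allocated an id for the SID yet.
    Every SID in the result would own files under a different uid/gid
    depending on which DC answered the lookup.
    """
    a = sid_to_xid(parse_ldb_dump(dump_a))
    b = sid_to_xid(parse_ldb_dump(dump_b))
    return {sid: (a.get(sid), b.get(sid))
            for sid in sorted(set(a) | set(b)) if a.get(sid) != b.get(sid)}


if __name__ == "__main__":
    for sid, (xid_pdc, xid_bdc) in compare_idmaps(PDC_DUMP, BDC_DUMP).items():
        print(f"{sid}: PDC={xid_pdc} BDC={xid_bdc}")
```

Any SID the script lists is one whose uidNumber/gidNumber should be set in AD, as the post above does, so that both DCs stop relying on their own idmap.ldb allocation.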

Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-19 Thread steve
On Wed, 2013-06-19 at 10:34 +0100, Rowland Penny wrote:
> The problem is that you are mixing up how samba 4 works with how samba
> 3 works, samba 4 winbind does not work the same as the samba 3
> winbind.
> 
> What you need to do is give your linux users a uidNumber and groups
> like Domain Users a gidNumber, how you do this is up to you, it can be
> done from windows (ADUC?) or by using an ldif on linux, try a web
> search.
> 
> You then need to extract this information on the linux clients, you
> can use winbind, but do not use the rid backend. If do you use the rid
> backend, whilst you will get the same UID for a user on any linux
> client that uses the exact same winbind settings, you will never get
> the same UID on the server.  Using the ad backend will get you the
> same UID where ever you ask for it, but in my opinion is not the way
> to go, try using sssd, it is a lot easier to set up.
> 
> 
> Rowland
> 

Hi Rowland
From what I can work out from the posts, the OP is trying to do this on
a DC. What I find difficult to get across is the idea of storing stuff
in AD. In cases such as these I really can't see any other way to go.
The OP's idmap is really screwed up. I've had a go via the DC winbind
and the only way I could go with this was to delete the idmap entries
and start again. This is in the other post about an hour or so ago, if
you have any easier way. . .
Cheers,
Steve




Re: [Samba] [CentOS] Samba4 and NFSv4

2013-06-20 Thread steve
On Thu, 2013-06-20 at 15:21 -0400, Steve Thompson wrote:
> mount -t nfs4 -o sec=krb5 :/data /mnt

What do you have in /etc/idmapd.conf
What does ps aux | grep rpc give?

Can the user browse using nfs3?
mount -t nfs3 -o sec=krb5 :/data /mnt

Have a look at the gotchas. There's loads of wrong info about kerberos and
nfs4:
http://linux-nfs.org/wiki/index.php/Nfsv4_configuration

hth
Steve





Re: [Samba] [CentOS] Samba4 and NFSv4

2013-06-20 Thread steve
On Thu, 2013-06-20 at 16:57 -0400, Steve Thompson wrote:
> On Thu, 20 Jun 2013, steve wrote:
> 
> Thanks for your reply! I am really pulling my hair out over this one, and 
> I don't have that much left :(
> 
> > What do you have in /etc/idmapd.conf
> 
> The content of this file is correct as far as I understand it, as it works 
> with NFSv3 and NFSv4 with sec=sys:
> 
> [General]
> Verbosity = 0
> Domain = icse.cornell.edu
> Local-Realms = TITAN.TEST.CORNELL.EDU
> 
> [Mapping]
> Nobody-User = nobody
> Nobody-Group = nobody
> 
> [Translation]
> Method = nsswitch
> 
> (and I have nsswitch.conf correctly configured).
> 
> Note: in my case, the value of Domain in idmapd.conf is NOT the same as 
> the DNS domain name. But as I understand it, as long as it is the same on 
> all servers and clients, this should not matter, as it is just a label. I 
> tried setting it to the DNS domain name, but it didn't make any 
> difference. And changing it on just the server and not the clients leaves 
> all ownerships as being nobody:nobody instead of the proper ownerships, 
> which is (a) expected, and (b) leads me to believe that rpc.idmapd is 
> working as it should. Starting rpc.idmapd with -vvv dumps the mappings to 
> /var/log/messages, and they are correct. In any case, clients don't all 
> have the same DNS domain name.
> 
> > What does ps aux | grep rpc give?
> 
> rpc       1616  0.0  0.0  18972   992 ?        Ss   Jun18   0:00 rpcbind
> rpcuser   1649  0.0  0.0  25420  1380 ?        Ss   Jun18   0:00 rpc.statd
> root      1678  0.0  0.0      0     0 ?        S    Jun18   0:00 [rpciod/0]
> root      1679  0.0  0.0      0     0 ?        S    Jun18   0:01 [rpciod/1]
> root      5789  0.0  0.0  50112  2072 ?        Ss   12:06   0:00 rpc.svcgssd -vvv
> root      5795  0.0  0.0 107304   276 ?        Ss   12:06   0:00 rpc.rquotad
> root      5799  0.0  0.0  22832  2560 ?        Ss   12:06   0:00 rpc.mountd --no-nfs-version 2
> root      5850  0.0  0.0  36900  1048 ?        Ss   12:06   0:00 rpc.idmapd -vvv
> root      8807  0.0  0.0  37340  2556 ?        Ss   16:37   0:00 rpc.gssd -vvv
> 
> All the expected daemons are present, including rpc.gssd and rpc.svcgssd. 
> I have rpc.svcgssd running on the clients too, although it should not be 
> necessary there (but the CentOS init scripts don't give the option to not 
> start it).
> 
> > Can the user browse using nfs3?
> > mount -t nfs3 -o sec=krb5 :/data /mnt
> 
> No; exactly the same result as NFSv4. But yes with sec=sys.
> 
> > Have a look at the gotchas. There's loads of wrong info about kerberos and 
> > nfs4: http://linux-nfs.org/wiki/index.php/Nfsv4_configuration
> 
> That's one of the many articles that I've read (several times). I don't 
> see anything wrong in what I have done (btw, I don't agree that the fsid=0 
> export should be mode 1777, and I don't agree that your first exports 
> example is the proper way to do it. But in any event I have tried those 
> too, to no effect).
> 
> Steve

Hi
Nobody agrees with anything for nfs4, so don't worry!
Ok, that narrows it down to kerberos I suppose. What does the mount look
like:
rpc.gssd -fvvv
and the idmapping:
rpc.idmapd -fvvv

The latter may throw up some uidNumbers






Re: [Samba] Shared drives not writeable

2013-06-20 Thread steve
On Thu, 2013-06-20 at 15:05 -0400, Chris Nighswonger wrote:
> No takers?
> 
> On Thu, Jun 6, 2013 at 12:04 PM, Chris Nighswonger <
> cnighswon...@foundations.edu> wrote:
> 
> > I am running Samba 3.6.6 on a Ubuntu 12.10 Samba domain member server.
> > Users are authenticated against a Samba DC running 3.6.9 over an LDAP
> > backend. I have a share configured as show below. Members of the
> > 'staff-faculty' group can browse the share, but cannot write files to
> > any subdir for which they are not the owner. It appears that the only
> > reason they can read/traverse is because of o::r-x.
> >
> > What I am looking for is a share where any member of the group may rw,
> > but the various users retain ownership of the files/dirs they create.
> >
> > Here is what the perms, etc. look like:
> >
> > drwxrwxr-x+   2 jdoe staff-faculty 4.0K Jun  6 09:01 test
> >
> > The acl looks like this:
> >
> > # file: test
> > # owner: jdoe
> > # group: staff-faculty
> > user::rwx
> > group::rwx
> > group:staff-faculty:rwx
> > mask::rwx
> > other::r-x
> >
> > I can post extended debug information, but thought perhaps there is an
> > obvious mistake in my share configuration and so am posting that
> > first.
> >
> > Kind Regards,
> > Chris
> >
> > ---
> >
> > [Shared Drives]
> > comment = Staff-Faculty Shares
> > path = /netdrives/shared
> > browsable = yes
> > read only = no
> > inherit acls = no
> > inherit permissions = no
> > create mask = 0771
> > directory mask = 2771
> > valid users = @"CAMPUS\staff-faculty"
> > write list = @"CAMPUS\staff-faculty"
> > admin users = @"CAMPUS\Domain Admins"
> >

Hi
OK, I'll have a go.
Either use acls or smb.conf. I've never been able to get a mixture of
both to work. Tidy up:
chgrp -R staff-faculty /netdrives/shared
chmod 0770 /netdrives/shared
chmod g+s /netdrives/shared
setfacl -d -Rm g::rwx /netdrives/shared
set a loose acl for Domain Admins or map them to root

Then just:
[Shared Drives]
path = /netdrives/shared
read only = no
inherit acls = Yes

Worth a try?
Steve





Re: [Samba] [CentOS] Samba4 and NFSv4

2013-06-20 Thread steve
On Thu, 2013-06-20 at 17:44 -0400, Steve Thompson wrote:
> On Thu, 20 Jun 2013, John Hodrien wrote:

> Five minutes later: holy crap! That is it. I took a user in only one 
> group: permission denied. I set the NO_AUTH_DATA_REQUIRED flag in 
> userAccountControl (via ldbedit), and hey presto NFSv4+krb5 now works. 

Great news. Would it be possible to post the directory entry for the
user you ldbedited? I can't see how to set the flag you mention.
Cheers,
Steve
 



Re: [Samba] samba4 missing group membership with getent group

2013-06-21 Thread steve
On Fri, 2013-06-21 at 06:23 +, philippe.simo...@swisscom.com wrote:
> Hi Samba users

> 
> but   does not return group/user membership : 
> TEST3\g1:*:327:
> 
> any advices ?

It doesn't work for groups:(
use:
getent group 'TEST\g1'

hth
Steve




Re: [Samba] samba4 missing group membership with getent group

2013-06-21 Thread steve
On Fri, 2013-06-21 at 08:36 +, philippe.simo...@swisscom.com wrote:
> Hi Steve
> 
>  give an empty result, and  
> with the same result as , without user/group membership.
> 
> in fact my problem goes further : shares access control (write list, ...) 
> does not work for @g1, only with u1 ...
> 
> Philippe

Oh dear. I know the feeling. You can wait for someone who knows winbind
to read and help or, if you want it to just work, use sssd or nslcd and
forget winbind. The latter you can do now. . .
hth
Steve




Re: [Samba] samba4 missing group membership with getent group

2013-06-21 Thread steve
On Fri, 2013-06-21 at 10:12 +0100, Rowland Penny wrote:
> Hi, well yet another reason to use sssd instead of winbind. When I
> turned on winbind in /etc/nsswitch.conf on my test S4 server, 
> 
> 
> 
> Also I would suggest forgetting using @group in smb.conf and use ACL's
> instead.


Didn't see this, but absolutely. Use ACLs. Have you ever tried
referring to man smb.conf? Phew!






Re: [Samba] samba4 missing group membership with getent group

2013-06-21 Thread steve
On Fri, 2013-06-21 at 15:39 +0200, Ali Bendriss wrote:
> On Friday, June 21, 2013 10:12:26 AM Rowland Penny wrote:
> > Hi, well yet another reason to use sssd instead of winbind.
> > [...]
> 
> Hi,
> 
> Another option is to use samba AD on one server and the file server (smbd + 
> winbindd) on another. Since I've done that (last year I think) I've had no 
> problem at all. At first you may think that it's too much resources (2 servers 
> or vm) but it's really flexible and easy to maintain.

Hi,
That's a good idea but we don't know what setup the OP has, we only know
that getent group doesn't work. In any case, if he wants to see getent
passwd work with the setup you suggest, he's going to have to
configure winbind in at least two distinct ways, once for the DC and
once for the file server. He will also have to edit smb.conf. Or maybe,
he could get away with not using getent at all on the DC?





Re: [Samba] samba 4.0.6 getent group

2013-06-25 Thread steve
On Mon, 2013-06-24 at 11:48 -0700, smb l. ist wrote:
> Hello all listies.
> 
> I've got samba4.0.6 running on FreeBSD 9.1.
> 
> Joined W2K12 domain as member server.
> 
> running getent group I noticed it takes a long time to resolve groups.
> 
> The result is correct, but it is inordinately long.
> 
> With 3.6.13 on FreeBSD 9.1 the return is nearly instantaneous.

Hi
Do you ever need to list _all_ the groups? If not then set:
 winbind enum groups = No
and then query the groups singly:
getent group name.of.group

Also, you could cache them. I'm not sure but nscd may work with winbind.
hth
Steve




Re: [Samba] samba4 missing group membership with getent group

2013-06-25 Thread steve
On Mon, 2013-06-24 at 18:21 +0200, Marc Muehlfeld wrote:
> Hello Rowland,
> 
> Am 24.06.2013 12:26, schrieb Rowland Penny:
> > As far as I can see, the only way to get getent on the S4 server to show
> > groupmembers is to use sssd
> 
> nslcd works great for that job here, too.

Hi
nslcd is simplicity itself but we couldn't get it going for nested
groups. Also it doesn't do dynamic dns updates, which sssd throws in for
free and unless you use nscd, it's slow.

Maybe your wiki could include the config for kerberised binds to the S4
ldap? This is all you need:
/etc/nslcd.conf
uid nslcd
gid nslcd
uri ldap://your.f.q.d.n
base dc=foo,dc=bar
map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm YOUR.REALM
krb5_ccname /tmp/nslcd.tkt

Hope you get a chance to have a play with sssd. It would be good to hear
other views on how it compares with winbind and nslcd.
Cheers,
Steve




Re: [Samba] samba 4.0.6 getent group

2013-06-26 Thread steve
On Tue, 2013-06-25 at 14:57 -0700, smb l. ist wrote:
> On Mon, 2013-06-24 at 11:48 -0700, smb l. ist wrote:
> > Hello all listies.
> > 
> > I've got samba4.0.6 running on FreeBSD 9.1.
> > 
> > Joined W2K12 domain as member server.
> > 
> > running getent group I noticed it takes a long time to resolve groups.
> > 
> > The result is correct, but it is inordinately long.
> > 
> > With 3.6.13 on FreeBSD 9.1 the return is nearly instantaneous.
> 
> Hi
> Do you ever need to list _all_ the groups? If not then set:
>  winbind enum groups = No
> and then query the groups singly:
> getent group name.of.group
> 
> Also, you could cache them. I'm not sure but nscd may work with winbind.
> hth
> Steve
> 
> Yes, in fact the tool I'm writing NEEDS all groups from AD, so, that's not 
> going to work. And as the script doesn't know the groups ahead of time.
> 
> It's weird, I'll grab a winbind -i d 10 file when I get a minute. Something 
> is looping around during the group call...
> 
> Thanks for your time.
> 
> T3

Hi
I don't think winbind will return all the groups:
https://lists.samba.org/archive/samba/2012-August/168659.html
i.e. it only works with:
getent group single-group

If you want it to just work, now, today, you could use nslcd or sssd
instead of winbind; then you'd not need to change your scripts.
HTH





Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-26 Thread steve
On Wed, 2013-06-26 at 15:06 +0400, Vladimir A Fomkin wrote:
> Hi again!
> I configured my AD samba PDC and BDC for applying uid from uidNumber
> line in AD LDAP.
> But I have a problem - "uidNumber" is not created automatically. I
> must create this for each user by hand. How do I solve this problem?
> Thx!
> 

samba-tool user add vladimir --uid-number=1234567

Now for your next question:
How do I choose the uid-number;)

hth
Steve
 




Re: [Samba] samba 4.0.6 getent group

2013-06-26 Thread steve
On Wed, 2013-06-26 at 08:09 -0700, smb l. ist wrote:
> 

> 
> Well, winbind works fine for listing groups.

But not for you. Nor I;)




Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-27 Thread steve

On 27/06/13 13:58, Vladimir A Fomkin wrote:
> Hi!
> samba-tool doesn't work with the --uid-number option!

Hi
It only works with the development version.

Why not add the uidNumber to the user using ldbedit or ldbadd?
Steve


Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-28 Thread steve
On Thu, 2013-06-27 at 17:28 +0400, Vladimir A Fomkin wrote:
> How do I add one parameter with ldbedit without the interactive editor? (for
> scripting)

ldbmodify

There are scripts here:
http://linuxcostablanca.blogspot.com.es/p/s4bind.html
hth




[Samba] file server or member server?

2013-07-01 Thread steve
Hi everyone

What's the difference between a file server and a member server?

I have a 4.0.6 DC which is a file server for sysvol. I also have a 4.0.6
file server for the other folders which go out to the clients.

Do I have a member server? Or is a member server one upon which all
files are served from the DC?

Cheers, Steve
 



Re: [Samba] file server or member server?

2013-07-01 Thread steve
On Mon, 2013-07-01 at 17:04 +0100, Jonathan Buzzard wrote:
> On Mon, 2013-07-01 at 09:59 -0400, Gaiseric Vandal wrote:
> 
> [SNIP]
> 
> > 
> > A domain controller can be a file server, although in many cases a 
> > domain controller will only provide authentication and logon 
> > functions. It does need to have file shares to provide access to 
> > the logon scripts and profile directories used by Windows clients but 
> > that doesn't really make it a file server.
> 
> The profile directories can be located on a server other than a domain
> controller. 

Hi
Our profile directories are stored on what I call our file server. Does
that make it a member server?




Re: [Samba] file server or member server?

2013-07-01 Thread steve
On Mon, 2013-07-01 at 14:35 -0400, Gaiseric Vandal wrote:
> I don't think it necessarily makes it a member server BUT if it 
> isn't a member server it is going to be pretty useless for serving profiles.

Ok, so if a samba 4 box can serve profiles, then it is called a member
server, whether that be the DC or a separate 'file server'???

> 
> I have not worked with Samba4 myself - I have worked with Samba 3 (and 
> Windows 200x AD, and NT4) so you may want to review the Samba 4 
> specific docs for basic config. In Samba 3 a quick review of the 
> smb.conf file (or the output of "testparm -v") will reveal the type of 
> setup.
> 
> 
> Did you inherit these machines from someone else?
> 
Yes. We take stand alone machines and network them by adding a DC and
what we call a file server. What I'd like to know is why some guys here
call what seems to be what we call a file server, a member server. I
feel we're missing out on something.



Re: [Samba] file server or member server?

2013-07-01 Thread steve
On Mon, 2013-07-01 at 22:36 +0100, Jonathan Buzzard wrote:

Thanks for the input. But. . .
> 
> In both NT4 style and AD domains you have servers called domain servers 

. . .now you've introduced yet another term. What's a domain server? I
could make a guess and I'm almost certain it would be correct. But would
I?

Can anyone simply give a plain English definition on any of these in a
samba context:
- file server
- member server
and now
- domain server

I know that language evolves, but having to move the goalposts so often
depending on what post you read is a nightmare for non-native English
speakers. It would help enormously over here, if we all stuck to calling
a spade a spade.

Thanks for reading,
Steve 



Re: [Samba] file server or member server?

2013-07-02 Thread steve
On Mon, 2013-07-01 at 19:55 -0500, Ricky Nance wrote:

> 
> 
> I feel like I am saying what has already been said, so if you could be
> more specific about what kind of hierarchy you have, I could give you
> a more specific answer. For the most part, if it's serving files and in
> a domain, but not providing authentication itself, it's a 'member
> server'; if it's NOT in a domain, but simply serving files to any and
> all windows clients, it's a simple file server; if it's in a domain and
> providing the domain with username/password authentication it's a
> domain server (or domain controller).

Phew, I think I'm getting there.
OK, I have:
1. a 4.0.6 DC
It serves these files selfishly:
[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

2. A 4.0.6 box joined to the domain. It serves profiles, home
directories, stuff that groups can rw to and anything else you can throw
at it e.g.
[users]
path = /home/users
read only = No

[profiles]
path = /home/profiles
read only = No

[shared]
path = /home/shared
read only = No

/home/profiles and /home/shared have ACEs set to mimic what we would
otherwise have to set in smb.conf

Do I have this?
1. is a domain controller and a file server.
2. is a member server and a file server.

Another question, why do you say:
'...its a domain server (or domain controller).'
Which _is_ it? If it's the same thing then why does it have two names?

This thread may seem like a waste of space to many, but it's merely the
tip of the iceberg for us. Our main problem is that we are not dealing
with native English speakers. The grammatical and interpretational
problems which this list and the samba documentation in general throw up
are at times insurmountable.

Thank you all for the patience which you afford us.




Re: [Samba] file server or member server?

2013-07-02 Thread steve
On Tue, 2013-07-02 at 11:02 +0200, Michael Wood wrote:
> Hi Steve
> 
> On 2 July 2013 09:28, steve wrote:
> > On Mon, 2013-07-01 at 19:55 -0500, Ricky Nance wrote:
> > 
> > > I feel like I am saying what has already been said, so if you could be
> > > more specific about what kind of hierarchy you have, I could give you
> > > a more specific answer. For the most part, if it's serving files and in
> > > a domain, but not providing authentication itself, it's a 'member
> > > server'; if it's NOT in a domain, but simply serving files to any and
> > > all windows clients, it's a simple file server; if it's in a domain and
> > > providing the domain with username/password authentication it's a
> > > domain server (or domain controller).
> > 
> > Phew, I think I'm getting there.
> > OK, I have:
> > 1. a 4.0.6 DC
> > It serves these files selfishly:
> > [netlogon]
> > path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
> > read only = No
> > 
> > [sysvol]
> > path = /usr/local/samba/var/locks/sysvol
> > read only = No
> > 
> > 2. A 4.0.6 box joined to the domain. It serves profiles, home
> > directories, stuff that groups can rw to and anything else you can throw
> > at it e.g.
> > [users]
> > path = /home/users
> > read only = No
> > 
> > [profiles]
> > path = /home/profiles
> > read only = No
> > 
> > [shared]
> > path = /home/shared
> > read only = No
> > 
> > /home/profiles and /home/shared have ACEs set to mimic what we would
> > otherwise have to set in smb.conf
> > 
> > Do I have this?
> > 1. is a domain controller and a file server.
> 
> Yes, I suppose so, although most people would not really call it a
> file server, because the files it's serving are just related to the DC
> functionality.  (Or at least that's how I look at it.)  It's not a
> general "anything else you can throw at it" file server.
> 
> > 2. is a member server and a file server.
> 
> Yes.
> 
The two "Yes"'s there are wonderful to read. We're going to pretend that
you didn't add the 'I suppose so'.

This introduces another question for which I suppose I should start
another thread but there may be some relevance here.

I think we're making the wrong decision given 2 boxes to make the
domain. We're using the more powerful box with the bigger disk as the DC
but it sits there with hardly any load all the time. The member server
hits smbd hard all day. top gives high %CPU and %MEM a lot of the time,
especially when we're doing photos. It doesn't seem to slow things down
much and the other thing we see is that when everyone logs on at the
same time, it's slow. The latter is the DC but it still doesn't show
much activity. Could that be because it's reading the profile for
windows and the home folder for Linux?

Are there any guidelines for this sort of stuff?
Cheers,
Steve




Re: [Samba] Sync - sysvol and getfacl

2013-07-10 Thread steve
On Wed, 2013-07-10 at 08:30 +0200, Sandbox wrote:

> My PDC's and BDC's user and group IDs are totally different.
> 
> Is it possible to set my PDC/BDC IDs equal, because as I see the BDC couldn't
> do its job while this isn't solved.


Hi
You can have the same IDs everywhere by putting uidNumber and gidNumber
attributes in the directory in the DN of the user or group and then
recovering them using nss with winbind, nslcd or sssd. But make sure
that if you use winbind you actually configure it to pull the values
from AD and not from any external database.

If you already have groups and users, only add the new attributes to one
of the DCs. Disable the other DC while you do this. Take the IDs from
whatever the xidNumber is on the DC you choose.
hth
Steve




Re: [Samba] What great things can a non-windows user do with Samba

2013-07-11 Thread steve
On Thu, 2013-07-11 at 13:46 -0400, Robert Heller wrote:
> At Thu, 11 Jul 2013 11:52:49 -0400 Steve Litt  
> wrote:
> 
> > 
> > Hi all,
> > 
> > I ask this question about once a decade.
> > 
> > I have about 7 computers, all Linux or BSD. Are there any cool things I
> > can do with Samba, even though I have no Windows computers?
> 
> Not really.  Samba is just a tool to deal with pesky mess-windows machines.  
> On a pure UNIX (Linux, BSD, Solaris, AIX, etc.) LAN, Samba is about as useful 
> as Air Conditioners in Antarctica in the middle of the Antarctic winter.

Hi
We network stand alone Linux and XP boxes using S4 AD. As the Windows
desktops break and get viruses, we replace them with Linux. We have no
intention of replacing Samba4 with anything else if the LAN becomes pure
Linux.




Re: [Samba] [Announce] Samba 4.1.0rc1 Available for Download

2013-07-11 Thread steve
On Thu, 2013-07-11 at 20:31 +0200, Karolin Seeger wrote:
> Release Announcements
> =
> 
> This is the first release candidate of Samba 4.1.

Hi
A bit confused about this:

From git://git.samba.org/samba
   f387d9a..940395d  master -> origin/master
   5c488cf..ae2e0a6  v4-1-stable -> origin/v4-1-stable
 * [new tag] samba-4.1.0rc1 -> samba-4.1.0rc1

I think I have the 4.1.0rc1 that will be patched to rc2 if there is one
and then to 4.2master. Am I close?

Let's say I want to stop testing at 4.1.0. Can I then get the tarball
and make install it over the last git? Does ./configure for the git take
the same defaults as the release?

Cheers,
Steve




Re: [Samba] Samba 4 domain members

2013-07-12 Thread steve
On Fri, 2013-07-12 at 15:21 +0100, Chris Alavoine wrote:
> Hi there,
> 
> I would like to setup a Samba 4 member server to act as a separate
> fileserver within my Samba 4 domain.
> 
> Does anyone have any recommendations for this setup?
> 
> I've tried to create one following this:
> 
> https://wiki.samba.org/index.php/Samba4/Domain_Member
> 
> Which seems to work ok until I try to change any permission on any shares
> (or anything within the shares). I then get "access denied" errors.
> Obviously, this is unworkable as a solution as I need to set permissions.

Hi
Give us an example of a share that's working. Then, what you change
within it and what permissions you change to get the 'access denied'.
Which version have you installed?
Cheers,
Steve




Re: [Samba] Samba 4 domain members

2013-07-16 Thread steve
On Tue, 2013-07-16 at 09:40 +0100, Chris Alavoine wrote:
> Hi there,
> 
> Just to add I've been using Ubuntu as my distro of choice (cos it's the one
> I know best). Has anyone had any successes with other Distros they could
> share? I am willing to jump ship if it works!

Hi
openSUSE. One install we did has 2 DCs and a 4.0.7 file server. But I
think that if you build from source, it doesn't make much difference.
HTH
Steve




Re: [Samba] New ADC configuration

2013-07-16 Thread steve
On Tue, 2013-07-16 at 12:04 -0400, Matthew Daubenspeck wrote:
> On Tue, Jul 16, 2013 at 04:42:48PM +0100, Rowland Penny wrote:
> >Hi, Have you given your users & groups a uidNumber and/or gidNumber on
> >the server?
> >Rowland
> 
> Is that something that has to be done with ADUC? I have added all the
> test users with samba-tool. This is all on the server:
> 
> # wbinfo -n testuser
> S-1-5-21-2599942137-598557555-1723227496-1110 SID_USER (1)
> 
> # wbinfo -S S-1-5-21-2599942137-598557555-1723227496-1110
> 328
> 

No, you don't have to use ADUC. Just add the entry:
uidNumber: 328
to the directory.

An easy way to do that is to use ldbedit:
ldbedit --url=/usr/local/samba/private/sam.ldb cn=testuser

Now getent will work.
hth
Steve




Re: [Samba] New ADC configuration

2013-07-16 Thread steve
On Tue, 2013-07-16 at 18:48 -0400, Matthew Daubenspeck wrote:
> On Tue, Jul 16, 2013 at 08:45:15PM +0200, Marc Muehlfeld wrote:
> > Did you clean up the tdb files on your member server? I could imagine, that
> > Samba mixes the old and new domain in it's idmap cache. If it's a new
> > installation and nothing important in the member servers registry (like
> > print server printer settings), just remove the whole samba installation,
> > 'make install' again and rejoin.
> 
> Well now I am out of ideas. I hosed both setups and started from
> scratch. Redid the provision with the proper rfc2307 added, and I have
> created test users and assigned them UIDs in ADUC. I can create groups
> and give them GIDs as well. I rejoined the member server, I can list all
> users, but I still get no results from id on the member server. What the
> heck could I be missing?

Are the uid entries really there?

ldbsearch --url=/usr/local/samba/private/sam.ldb cn=testuser | grep uidNumber

BTW, you really are doing this the hard way. There is none of this
fiddling with sssd.
Cheers




Re: [Samba] Can someone explain SMB passwords?

2013-07-21 Thread steve
On Sun, 2013-07-21 at 01:34 -0700, Paul D. DeRocco wrote:
> > On Sat, Jul 20, 2013 at 10:41:31PM -0700, Paul D. DeRocco wrote:
> > > I've read what I can find about SMB passwords, but I don't get what they
> > > are. Are they Unix passwords or an alternative to them? If I have a file
> > > share, and the underlying file system requires some sort of credentials to
> > > access it, what is the relationship between that and an SMB password?
> > > 
> > > If a client tries to access the share, using a user account that is listed
> > > in the smbpasswd file, does the client have to provide a password that
> > > matches the SMB password in order for the server to allow the access, and
> > > having done that, does it then not need to know the Unix password? Or is the
> > > SMB password the Unix password that the server will use to access the share,
> > > so that the client doesn't have to supply a password at all?
> > > 
> > > I don't even understand if the SMB server runs as root, and can therefore
> > > access anything, or if it can't access local files unless it is given a
> > > password somehow. The smbpasswd(5) and smbpasswd(8) man pages, and
> > > everything else I've read, seem to assume that whoever is reading them
> > > already knows the answers to these questions.
> 
> > From: Volker Lendecke [mailto:volker.lende...@sernet.de] 
> > 
> > The Samba server never sees the plaintext password. The
> > Samba password is a one-way hashed version of the plaintext
> > password, that is all Samba needs to do its
> > challenge-response authentication. If Samba is a domain
> > member, it does not even have the hash, it has nothing but
> > trusts the domain controller to have it and check it
> > properly.
> > 
> > What file system is this? If it happens to be AFS, then
> > there's the fake_kaserver functionality. The basic trick is
> > that this makes the file server the KDC. A blatant violation
> > of any security policy, but that's the only way.
> 
> You completely misunderstood my question. I'm asking something much simpler
> and more basic than all that. What's an SMB password for, and how does it
> relate to a Unix password?
> 
> Here's the situation. I have a directory on a machine, and the files in it
> are created by a service which runs as root, so the files are owned by root
> and only locally accessible to root. I need to make this directory
> accessible to ANY remote client who knows a particular password. Do I have
> to tell the client the root password, so that the client can tell the Samba
> server the password needed to access the files? Or does Samba run as root
> and have access to everything anyway? If the former, is the SMB password the
> same as the Unix password needed to access the files, programmed into the
> Samba server so that the client doesn't have to supply it? If the latter, is
> the SMB password a completely independent password that Samba uses to grant
> access?
> 
> Nothing in the docs gives me a clue how this works. It all seems to be
> written by and for people who've been working with networking since the
> Stone Age, and already know all the mechanisms and issues. My only involvement
> with networking over the years has been as a user, who is given a user name
> and a password to access various network services. How that maps to what's
> going on in the Samba server is a complete mystery to me. But now I need to
> set up a simple server with one file share, as described above. Some of the
> docs imply that the client must supply a password that matches a password on
> one of the local Unix user accounts (or in some remote password server). Yet
> then there's this talk about an SMB password. I don't see where that fits
> in.
> 
> Is my question clearer now?

Hi. I sympathise with your need for plain English.

I'll have a go from what you describe.
 
Each Linux user needs also to be a samba user. It's easier to use the
same password for both, so as root:
useradd paul
(enter a password)
smbpasswd -a paul
(enter the same password)

paul is now a local Linux user and also a samba user who can now access
folders defined in smb.conf on that machine.

Set up a share like this:
[myshare]
path = /path/to/the/folder
read only = No
valid users = paul

paul can now access that folder not only from that machine but also from
remote machines, including windows. An easy way to do that in Linux is
to use a browser:
smb://ip.of.the.server/myshare
Samba will then ask for a username and password on the remote machine,
be it Linux or windows.

That may be enough to get started but I'm afraid that from here the
learning curve is steep. I know systems like GNOME and KDE have quite
simple right click > share folder as > samba. Maybe that's good enough
if you have just one folder?

HTH,
Steve




Re: [Samba] Winbind troubles

2013-07-22 Thread steve
On Mon, 2013-07-22 at 15:52 -0400, Matthew Daubenspeck wrote:
> On Mon, Jul 22, 2013 at 08:41:09PM +0100, Rowland Penny wrote:
> >Have you tried 'getent passwd username'
> >Rowland
> 
> root@srv2:~# getent passwd Administrator
> root@srv2:~# getent passwd user1
> root@srv2:~# getent passwd user2
> root@srv2:~# getent passwd user3
> 

Can you post smb.conf on SRV2?
Steve




Re: [Samba] Winbind troubles

2013-07-22 Thread steve
On Mon, 2013-07-22 at 16:46 -0400, Matthew Daubenspeck wrote:
> On Mon, Jul 22, 2013 at 10:27:36PM +0200, steve wrote:
> > Can you post smb.conf on SRV2?
> > Steve
> 
> Certainly:
> 
> [global]
> 
>workgroup = NWLTECH
>security = ADS
>realm = NWLTECH.ORG
>encrypt passwords = yes
> 
>idmap config *:backend = tdb
>idmap config *:range = 70001-8
>idmap config NWLTECH:backend = ad
>idmap config NWLTECH:schema_mode = rfc2307
>idmap config NWLTECH:range = 500-4
> 
>winbind nss info = rfc2307
>winbind trusted domains only = no
>winbind use default domain = yes
>winbind enum users  = yes
>winbind enum groups = yes
> 

Similar to what I had when I used winbind, except the * range was lower
than the range we wanted. Try something like 3000-3500 and 3501-4
perhaps?

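The range question in this exchange can be checked mechanically. The following is an added example, not Samba's own code: it parses the idmap lines of an smb.conf, flags overlapping or inverted ranges, and lists uidNumber/gidNumber values stored in AD that fall outside the domain's range, which winbind's ad backend will not map. The sample smb.conf is constructed from the one quoted above, with the truncated upper bounds replaced by invented values; the ID 328 is the wbinfo -S value from the earlier "New ADC configuration" thread and the other IDs are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the member server smb.conf quoted above;
# the range upper bounds were truncated in the mail and are invented here.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = NWLTECH
   security = ADS
   realm = NWLTECH.ORG

   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config NWLTECH:backend = ad
   idmap config NWLTECH:schema_mode = rfc2307
   idmap config NWLTECH:range = 500-40000

   winbind nss info = rfc2307
"""

# Matches 'idmap config DOMAIN : key = value'; spaces around ':' are optional.
_IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>\S.*?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect the idmap config lines into {domain: {key: value}}."""
    cfg: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = _IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m["dom"], {})[m["key"].lower()] = m["val"]
    return cfg


def parse_range(text: str) -> Tuple[int, int]:
    """'500-40000' -> (500, 40000)."""
    lo, hi = (int(part) for part in text.split("-", 1))
    return lo, hi


def check_idmap(conf: str) -> List[str]:
    """Return findings about the idmap ranges; an empty list means none."""
    cfg = parse_idmap(conf)
    findings: List[str] = []
    if "*" not in cfg:
        findings.append("no 'idmap config *' block: winbind needs a default backend and range")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, keys in cfg.items():
        if "range" not in keys:
            findings.append(f"{dom}: backend configured without a range")
            continue
        lo, hi = parse_range(keys["range"])
        if lo >= hi:
            findings.append(f"{dom}: empty or inverted range {lo}-{hi}")
        if lo == 0:
            findings.append(f"{dom}: range includes uid/gid 0 (root)")
        ranges[dom] = (lo, hi)
    # Every pair of ranges must be disjoint, otherwise one SID->ID mapping
    # can be claimed by two backends.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"ranges overlap: {a} {alo}-{ahi} and {b} {blo}-{bhi}")
    return findings


def ids_outside_range(conf: str, domain: str, ids: List[int]) -> List[int]:
    """uidNumber/gidNumber values the 'ad' backend would not map because they
    lie outside the domain's configured range."""
    lo, hi = parse_range(parse_idmap(conf)[domain]["range"])
    return [i for i in ids if not lo <= i <= hi]


if __name__ == "__main__":
    for finding in check_idmap(SAMPLE_SMB_CONF) or ["idmap ranges look consistent"]:
        print(finding)
    # 328 is the wbinfo -S value from the earlier thread; 1000 and 40001 are constructed.
    print("unmappable:", ids_outside_range(SAMPLE_SMB_CONF, "NWLTECH", [328, 1000, 40001]))
```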


Re: [Samba] Winbind troubles

2013-07-22 Thread steve
On Mon, 2013-07-22 at 17:29 -0400, Matthew Daubenspeck wrote:
> On Mon, Jul 22, 2013 at 10:15:10PM +0100, Rowland Penny wrote:
> >OK, that seems like it should work, I had the winbind ad backend
> >working, but found it difficult to setup so jumped ship to sssd
> >The idmap setup I used was:
> >idmap config *:backend = tdb
> >idmap config *:range = 1100-2000
> >idmap config DOMAIN:backend = ad
> >idmap config DOMAIN:schema_mode = rfc2307
> >idmap config DOMAIN:range = 1-310
> >As you can see the number ranges are the opposite way round to what you
> >have i.e. config*:range is lower than DOMAIN:range
> >You could also try (as a test) changing backend = ad to backend = rid,
> >this will ignore the rfc2307 bit but will test the connect to the AD
> >server.
> >Rowland
> 
> Changing the above ranges made no difference. However, changing backend
> = rid gets me:
> 
> root@srv2:~# getent passwd administrator
> administrator:*:10005:1013:Administrator:/home/Administrator:/bin/sh

Amazing;)
> 
> That seems to be working perfectly. What would I be losing without
> rfc2307 (please excuse the ignorance)?

You'd lose control over uidNumber, gidNumber and you wouldn't be able to
specify your own home directories and login shells. It's also a
nightmare if you add a second DC.



Re: [Samba] Winbind troubles

2013-07-23 Thread steve
On Tue, 2013-07-23 at 09:40 +0200, L.P.H. van Belle wrote:
> Hai, 
> 
> I'm having exactly the same problem with winbind as Matthew Daubenspeck.
> also on ubuntu 12.04 with sernet packages. ( used sernet-samba-winbind 4.0.7 )
> 
> I removed the complete config atm but am at the point of reinstalling now. 
> I'll wait with that until you put your howto on. 
> I can't lose the rfc2307 :-( 
> and I can't lose control over uidNumber, gidNumber, home directories and login 
> shells. 
> and I'm adding a second DC later on, but what's the difference between RID and 
> AD exactly. 
> or just these 4 things? 

With AD you get exactly what _you_ put into the directory. There are no
algorithms or separate databases used to confuse an already complicated
issue. You put rfc2307 in AD and you get it back out when you need it,
e.g. when a user logs in.
> 
> I'll go try the sssd as suggested below on ubuntu 12.04. 

+1
sssd just works: there is plain English documentation available and you
get rfc2307 out of the box. The same day;)

otoh, if you must stick with winbind there are reports of success here.
Just one more thought to bugzilla it.

¡Suerte!



Re: [Samba] Winbind troubles

2013-07-23 Thread steve
On Tue, 2013-07-23 at 10:05 +0100, Jonathan Buzzard wrote:

> 
> It's probably still not working for him because he needs to clear the
> now polluted cache/database that winbind has created from previous
> attempts. Using net cache flush might work. Personally I would stop
> samba delete the tdb files and start it again, redo the domain join and
> try it.

Just thought about nscd too. On some distros it's default. . .
Cheers,
Steve




Re: [Samba] Winbind troubles

2013-07-23 Thread steve
On Tue, 2013-07-23 at 14:53 +0100, Jonathan Buzzard wrote:

> 
> What gets me is people claiming that half a dozen lines of configuration
> in smb.conf is more complicated than 30+ lines of configuration in an
> entirely separate configuration file in addition to several lines in
> smb.conf. It might be more performant, it might have fewer bugs etc. but
> it is absolutely not simpler to configure.

The main difference is that even though sssd may involve copying and
pasting a configuration file to /etc somewhere and changing the domain
name therein, once you've done it, you just start it and forget it.
Unfortunately most mortals here cannot do that with winbind. That's why
we always try and help users with winbind. Don't let's forget the OP in
all this: the winbind documentation seems to be written by devs for
devs. There is nothing written in simple terms to help us nor the OP.



Re: [Samba] Winbind troubles

2013-07-23 Thread steve
On Tue, 2013-07-23 at 15:04 +0100, Jonathan Buzzard wrote:
> On Tue, 2013-07-23 at 14:39 +0100, Rowland Penny wrote:
> > Could this be yet another reason to use sssd instead of winbind?
> > 
> > sssd does use the account gidNumber
> > 
> > testuser
> > 
> > primaryGroupID: 513
> > uidNumber: 3001106
> > gidNumber: 20513
> > 
> > getent passwd testuser
> > testuser:*:3001106:20513:testuser:/home/DOMAIN/testuser:/bin/bash
> > 
> > 
> 
> Not what I said. The primaryGroupID is an identifier for a group in AD,
> bit like a SID is (I don't get that either). So primaryGroupID 513 might
> refer to a group called sambausers, which has its own set of
> RFC2307bis attributes which include a gidNumber. Winbind uses the
> gidNumber of the primaryGroupID, not the primaryGroupID itself which is
> something entirely different.

I'd put good money on this working as both group and primary group:
getent group Domain\ Users
Domain Users:*:20513:
ldbsearch --url=/usr/local/samba/private/sam.ldb cn=Domain\ Users
# record 1
dn: CN=Domain Users,CN=Users,DC=hh3,DC=site
cn: Domain Users
description: All domain users
instanceType: 4
whenCreated: 20130605151145.0Z
uSNCreated: 3541
name: Domain Users
objectGUID: c684aa92-fd56-46d5-a4cf-8a46c459707b
objectSid: S-1-5-21-451355595-2219208293-2714859210-513
sAMAccountName: Domain Users
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hh3,DC=site
isCriticalSystemObject: TRUE
memberOf: CN=Users,CN=Builtin,DC=hh3,DC=site
gidNumber: 20513
whenChanged: 20130605152357.0Z
objectClass: top
objectClass: posixGroup
objectClass: group
uSNChanged: 3792
distinguishedName: CN=Domain Users,CN=Users,DC=hh3,DC=site


There are problems in setting primaryGroupID to groups other than Domain
Users using S4 but as I understand it, the primary group will determine
the default group of the file ownership when a user creates a file. He
could be in many groups but files created by default will be of group of
the primary group.


> 
> As such your example does not show what you think it does show because
> you have not shown the gidNumber of the group identified by
> primaryGroupID 513. I would say even if sssd uses the gidNumber of the
> user it would in my opinion be good practice to keep the gidNumber of
> the user the same as the gidNumber of the Windows primary group.
> 
> Sometimes my mind boggles at just how much people don't understand AD
> and Samba in the Linux/Unix world.
> 
> JAB.
> 
> -- 
> Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
> Fife, United Kingdom.
> 


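Jonathan's point, that the user's gidNumber should agree with the gidNumber of the group its primaryGroupID refers to, can be verified from an ldbsearch export. The following is an added example, not Samba's code: a minimal LDIF reader plus a check that resolves each user's primaryGroupID to the group whose objectSid ends in that RID and compares the two gidNumber values. The Domain Users record is the one quoted above (trimmed); the user records, including the mismatching and missing gidNumber cases, are constructed.

```python
from typing import Dict, List

# Constructed LDIF: the group record is the Domain Users record quoted in the
# thread (trimmed); the three user records are invented to exercise the check.
SAMPLE_LDIF = """\
# record 1
dn: CN=Domain Users,CN=Users,DC=hh3,DC=site
cn: Domain Users
objectSid: S-1-5-21-451355595-2219208293-2714859210-513
sAMAccountName: Domain Users
gidNumber: 20513
objectClass: top
objectClass: posixGroup
objectClass: group

dn: CN=testuser,CN=Users,DC=hh3,DC=site
sAMAccountName: testuser
primaryGroupID: 513
uidNumber: 3001106
gidNumber: 20513
objectClass: user

dn: CN=otheruser,CN=Users,DC=hh3,DC=site
sAMAccountName: otheruser
primaryGroupID: 513
uidNumber: 3001107
gidNumber: 30000
objectClass: user

dn: CN=nogid,CN=Users,DC=hh3,DC=site
sAMAccountName: nogid
primaryGroupID: 513
uidNumber: 3001108
objectClass: user
"""

Record = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Record]:
    """Minimal reader for ldbsearch output: records are separated by blank
    lines, each line is 'attr: value', a leading space continues the previous
    value and '#' lines are comments. Base64 ('attr:: ...') values are kept
    undecoded, which is fine for the numeric attributes checked here."""
    records: List[Record] = []
    current: Record = {}
    last_attr = None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                records.append(current)
                current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        last_attr = attr.strip()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        records.append(current)
    return records


def rid_of(sid: str) -> int:
    """Relative identifier: the last component of an objectSid."""
    return int(sid.rsplit("-", 1)[1])


def check_primary_groups(ldif: str) -> Dict[str, str]:
    """Map each user's sAMAccountName to 'ok' or a description of the problem."""
    records = parse_ldif(ldif)
    groups_by_rid: Dict[int, Record] = {
        rid_of(r["objectSid"][0]): r
        for r in records
        if "group" in r.get("objectClass", []) and "objectSid" in r
    }
    findings: Dict[str, str] = {}
    for r in records:
        if "user" not in r.get("objectClass", []):
            continue
        name = r["sAMAccountName"][0]
        pgid = int(r["primaryGroupID"][0])
        group = groups_by_rid.get(pgid)
        if group is None:
            findings[name] = f"no group with RID {pgid} in the export"
            continue
        group_cn = group["cn"][0]
        group_gid = group.get("gidNumber", [None])[0]
        user_gid = r.get("gidNumber", [None])[0]
        if group_gid is None:
            findings[name] = f"primary group {group_cn} has no gidNumber"
        elif user_gid is None:
            findings[name] = f"no gidNumber on user; only {group_cn}'s {group_gid} is available"
        elif user_gid != group_gid:
            findings[name] = f"gidNumber {user_gid} differs from primary group {group_cn} gidNumber {group_gid}"
        else:
            findings[name] = "ok"
    return findings


if __name__ == "__main__":
    for user, status in check_primary_groups(SAMPLE_LDIF).items():
        print(f"{user}: {status}")
```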


Re: [Samba] Winbind troubles

2013-07-23 Thread steve
On Tue, 2013-07-23 at 16:44 +0100, Jonathan Buzzard wrote:
> On Tue, 2013-07-23 at 15:23 +0100, Rowland Penny wrote:
> > 
> > 
> > 
> > If you want my opinion and you probably don't, people need to stop
> > thinking NT server if they connect to a samba4 AD server and start
> > thinking AD server, they are totally different.
> > 
> 
> Absolutely. I think much of the Samba4 related stuff on this mailing
> list would not be here if the users bothered to read a dummies guide to
> AD at a minimum. If you don't have a good understanding of how AD works
> then trying to set up a Samba4 AD domain controller is probably a bad
> idea.

To me AD is LDAP. If I'd never set up openLDAP in a Linux only
environment a few years back, I'd be totally and utterly knackered with
S4 AD.




Re: [Samba] Winbind troubles

2013-07-23 Thread steve
On Tue, 2013-07-23 at 23:21 +0100, Jonathan Buzzard wrote:
> On 23/07/13 17:10, Rowland Penny wrote:
> 
> [SNIP]
> 
> >
> > But if the group identified by primaryGroupID 513 has gidNumber 20513
> > (which would be in my opinion best practice) without looking in the
> > source code of sssd you don't know whether sssd took the gidNumber of
> > the user or took the primaryGroupID, and then looked up gidNumber of
> > that group. As your example has not shown what the gidNumber of the
> > group identified by primaryGroupID 513 it has not demonstrated what you
> > claim it has demonstrated.
> >
> >
> > Does it matter, as long as the right answer is returned?
> >
> 
> Only in that you gave an example that claimed to show that sssd used the
> gidNumber from the user's entry. The point I was making is that it did
> not actually show that. What it showed was sssd returning a GID that
> matched the gidNumber from the user's entry which while close is not what
> you claimed.
> 
> > But for your information, sssd pulls ALL the information from the users
> > RFC2307 information, in fact it pulls more information than winbind.
> >
> 
> Well then that sucks and I prefer the winbind method, because as far as
> I am aware changing the Windows primary group (at least under 2003R2 and
> 2008R2, not tested 2012 or Samba4) of a user has no effect on the user's
> gidNumber. As such it is inevitable that mistakes will be made, things
> will get out of sync and stuff will break in odd not apparent ways.
> 
> Reasons why winbind is better than sssd if you ask me :-)

Well, I don't think we're here to decide what is better and I don't
think we're helping the OP at all, rather serving to confuse:(

For the record, sssd pulls all its info from AD. A user does not need a
gidNumber, it is drawn from the primaryGroupID. For Linux clients it is
vital that whatever the primaryGroupID is contains the gidNumber
attribute. sssd does the rest. I see that the classicupgrade retains the
user gidNumber so maybe we should keep it in the DN of not only the
primaryGroup but also in the DN for new users too. For compatibility?
 



Re: [Samba] RE Samba (winbind) troubles

2013-07-24 Thread steve
On Wed, 2013-07-24 at 09:09 +0200, L.P.H. van Belle wrote:
> hijacked the winbind threat.. but.. 
> 

Don't feel threatened. There _are_ alternatives.

> 
> I do like samba, but wiki/howtos are lots to improve.

To be fair, it's not just Samba. It's most open source stuff. There are
too many hobbyists and armchair users. As joe public, what we should be
doing is not criticising the devs for their poor documentation. We
should be writing it ourselves at our own level. Let the devs enjoy
their C and let's thank them for the code. It's not down to them to
document it for end users. I doubt that Microsoft would allow their
coders anywhere near the end user documentation department.

Anyway, hopefully complex DC's and windows domains will soon be a thing
of the past. You don't need winbind for Cloud. You won't need sysadmins
either. Just someone who can read the quickstart guide.

Just my €0.02



Re: [Samba] RE Samba (winbind) troubles

2013-07-24 Thread steve
On Wed, 2013-07-24 at 01:26 -0700, Paul D. DeRocco wrote:
> > From: steve
> > 
> > On Wed, 2013-07-24 at 09:09 +0200, L.P.H. van Belle wrote:
> > > 
> > > I do like samba, but wiki/howtos are lots to improve.
> > 
> > To be fair, it's not just Samba. It's most open source stuff. 
> > There are
> > too many hobbyists and armchair users. As joe public, what we 
> > should be
> > doing is not criticising the devs for their poor documentation. We
> > should be writing it ourselves at our own level. Let the devs enjoy
> > their C and let's thank them for the code. It's not down to them to
> > document it for end users. 
> 
> It's a little hard to write documentation when all you've got is a million
> questions and no answers. The only people who actually have the answers are
> the developers.

Hi
That's not the case. They are too far removed from being an end user let
alone a beginner.

You're just about to solve an issue that you have raised in this thread.
As soon as you have it solved then document it in your own words: your
own notes in case you get the issue again. It's a small step from there
to tidy it up a bit and blog or wiki it. You have the opportunity of
using the non jargon, non technical language end users hate. Other end
users will hit the blog like it's going out of fashion. There's a demand
for this level of documentation.

Salu2
Steve




Re: [Samba] Winbind troubles

2013-07-24 Thread steve
On Wed, 2013-07-24 at 11:59 +0100, Jonathan Buzzard wrote:
> On Wed, 2013-07-24 at 00:49 +0200, steve wrote:
> 
> [SNIP]
> 
> > For the record, sssd pulls all its info from AD.
> 
> I never said otherwise.
> 
> >  A user does not need a gidNumber, it is drawn from the
> >  primaryGroupID.For Linux clients it is vital that whatever the
> >  primaryGroupID is contains the gidNumber attribute. sssd does the
> >  rest.
> 
> Hum, according to Rowland it uses the gidNumber in the users DN,

He was correct. I was wrong in assuming that you needed no gidNumber in
the user DN. It is indeed the gidNumber that is used for rfc2307,
exactly as openLDAP.

I apologise for misleading the list before I tested it live.
Cheers,
Steve




Re: [Samba] Samba 4 not honoring setgid

2013-07-25 Thread steve
On Wed, 2013-07-24 at 22:34 -0400, Ryan Bair wrote:
> I'm running Samba 4.0.7 on CentOS 6.4 as a AD DC with s3fs.
> 
> I have a shared directory with the setgid bit set. From the shell on the
> server, new files and directories inherit the group as expected. However,
> new items created through samba get the user's primary group instead.
> 
> Config for the share is super simple:
> 
> [test]
> path = /srv/test
> read only = no
> 
> 
> Sounds like a bug. Has any one else experienced this?

Hi
openSUSE 12.3 DC 4.0.7 also tested with latest git

Not sure what /srv/test has but am guessing that you have set chmod g+s?

If so, I can reproduce what you see. The g+s is ignored when accessed on
a cifs mounted share and instead the primaryGroupID is used.

Cheers,
Steve




Re: [Samba] Samba 4 not honoring setgid

2013-07-25 Thread steve
On Thu, 2013-07-25 at 08:17 -0400, Ryan Bair wrote:
> Thank you for confirming. I do have g+s on the directory. I'll file a
> bug about this issue today. 

No problem. If you go with the bugzilla, could you post the link here?
Thanks.




Re: [Samba] Question on approach to authenticate Linux against Samba4

2013-07-25 Thread steve
On Thu, 2013-07-25 at 16:59 +, dahopk...@comcast.net wrote:
> 

> I have read through the recent thread on winbind and honestly I am not sure 
> that I want to pursue either winbind or sssd if it is possible to use 
> nss_pam_ldap which seems closest to the current approach. 

Hi
Ok, I can understand that. So why not have a look at nss-pam-ldapd with
nslcd? It's almost as good as sssd and it's quick and easy to set up:
http://linuxcostablanca.blogspot.com.es/2013/04/ubuntu-client-for-samba4.html
hth
Steve




Re: [Samba] Question on approach to authenticate Linux against Samba4

2013-07-25 Thread steve
On Thu, 2013-07-25 at 19:14 +, dahopk...@comcast.net wrote:
> Thank you for the very quick response.  But in trying to follow the
> suggested link, there are few steps are different. 
> 
> First, Step 3 is to install various packages. I already have
> auth-client-config installed which had installed libpam_ldap and
> libnss-ldap since I simply pulled this system into the test
> environment rather than rebuild from scratch. I have uninstalled these
> and then added libnss-ldapd and libpam-ldapd along with the kerberos
> packages.

Perfect.

>   Issue is that I was never asked for a Kerberos realm or IP of the
> DC.  I should have mentioned that this system is running 10.04, not
> 12.04. So .. which config file do I need to edit to ensure that the IP
> of the DC is correctly specified? 

DNS does that so you don't need to. Just run:
sudo dpkg-reconfigure krb5-config
or
simply copy /usr/local/samba/private/krb5.conf from the DC to /etc on
the client

For good measure add the DC to /etc/hosts on the client.

>  I also installed nslcd.
> 

Correct.

> Step 6: I already have samba-common, and samba-common-bin (latest for
> 10.04) installed.

10.04. Did these go in OK?
sasl2-bin libsasl2-2 libsasl2-modules libsasl2-modules-gssapi-mit

>   I'd assume I need to uninstall these and install samba4 instead
> (especially as step 8 is to join the domain).
> 
No. You only need enough of samba on the client to get the net command
to join the domain. Any old version of samba will do. What you have is
more than enough.
HTH
Steve




Re: [Samba] Question on approach to authenticate Linux against Samba4

2013-07-25 Thread steve
On Thu, 2013-07-25 at 20:59 +0100, Jonathan Buzzard wrote:
> On 25/07/13 20:14, dahopk...@comcast.net wrote:
> 
> [SNIP]
> 
> >
> > Step 6: I already have samba-common, and samba-common-bin (latest for
> > 10.04) installed. I'd assume I need to uninstall these and install
> > samba4 instead (especially as step 8 is to join the domain).
> >
> 
> Not familiar with Ubuntu, but that is very very unlikely. Samba 3.x has 
> been able to be a member server of an AD domain for a long time now, and 
> the version included with 10.04 is almost certainly capable of doing that.
> 
> Samba4 is primarily about being able to imitate an Active Directory 
> domain controller. The point about joining the domain is to get a 
> Kerberos ticket so the machine can authenticate against the AD to do 
> lookups etc.

So that's a 'No.' then:)




Re: [Samba] samba 4 userid mapping

2013-07-28 Thread steve
On Tue, 2013-07-09 at 18:22 -0700, Nick B wrote:

Hi
None of this works on an s4 DC
> 
>  # Setup user maps
> 
> idmap config * : backend = tdb
> 
> idmap config * : range = 10-19
> 
> idmap config MYDOMAIN : backend = ad
> 
> idmap config MYDOMAIN : schema_mode = rfc2307
> 
> idmap config MYDOMAIN : range = 5-9
> 
> winbind nss info = rfc2307
> 
> winbind trusted domains only = No
> 
> winbind use default domain = Yes
> 
> winbind enum users = Yes
> 
> winbind enum groups = Yes

replace it with this:
idmap_ldb use:rfc2307 = Yes

make the winbind links:
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so
ln -s libnss_winbind.so /lib64/libnss_winbind.so.2

and the nss stuff in /etc/nsswitch.conf:
passwd:  files winbind
group:   files winbind

Now add the uidNumber and gidNumber attributes to the user or group DN
in AD. You can use ldbmodify or ldbedit for that. If you are brave, you
can build the master and use samba-tool add the attributes when you
create the user.

Note: if you want the whole of rfc2307 as your smb.conf suggests, then
use sssd and forget about winbind.

HTH
Steve




[Samba] file locking failure

2013-07-31 Thread steve
4.0.7 DC, 4.0.7 fileserver, with openSUSE, w7 and xp clients.
cifs-utils 6.1 on Linux.

Hi
I have set:
kernel oplocks = yes
on the fileserver

If the xp client opens a file using e.g. Notepad, the opensuse client
can edit it at the same time and vice versa.

If I open the same file on each client using Libre Office then fine, it
works (I think because of Libre Office, not samba)

How do I get locking to work outside Libre Office. Nothing else seems to
work.
Cheers,
Steve




Re: [Samba] Samba 4 as member server

2013-08-05 Thread steve
On Mon, 2013-08-05 at 22:25 +0200, Klaus Rörig wrote:
> I cannot get the member server working.
> 
> My smb.conf:
> 

Hi
Leave the domain and remove the .tdb files in /var/lib/smb. Then rejoin
with this:

> [global]
> workgroup = VERWALTUNG
> security = ads
> realm = VERWALTUNG.LEIBNIZ-REMSCHEID.DE
> encrypt passwords = true

> idmap config *:backend = tdb
> idmap config *:range = 70001-8
> idmap config VERWALTUNG:backend = ad
> idmap config VERWALTUNG:schema_mode = rfc2307
> idmap config VERWALTUNG:range = 500-4
> 
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> 
> [verwaltung]
> path = /srv/shares
> read only = no

Start it with:
smbd; winbindd

Prolly not perfect, but should get you a bit close.
hth
Steve


Re: [Samba] Samba 4 as member server

2013-08-06 Thread steve
On Tue, 2013-08-06 at 09:21 +0200, Klaus Rörig wrote:

> 
> But there are no smb/nmbd/winbindd binaries.


Hi
Oh, I see. The Ubuntu packages must only be for AD then. Sorry, I missed
that you only wanted ntvfs.



Re: [Samba] Samba 4 as member server

2013-08-06 Thread steve
On Tue, 2013-08-06 at 10:57 +0200, Klaus Rörig wrote:
> OK, than I have to use the Samba 3.6 packages shipped with Ubuntu.
> Anything special I have to care about?
> 
Hi, no, but as you have only a few clients, it may be simpler to use the
dc itself as file server, especially as you have specified ntvfs. If you
want rfc2307 from winbind though, you'll have to either build samba
4.0.x from source on a separate box and use smbd or use the Ubuntu 3.6
packages, also on a separate box. If you're OK with ntvfs and you only
have win7 clients, I'd go with the single DC/fileserver and forget about
rfc2307.
HTH
Steve



Re: [Samba] Samba 4 as member server

2013-08-06 Thread steve
On Tue, 2013-08-06 at 12:36 +0200, Klaus Rörig wrote:
> Hi,
> 
> it seems that the ntvfs module is not working on Ubuntu, I get lots of 
> error messages about this.
> I don't see Samba4 servers on network neighborhood, so users cannot 
> browses shares but I do see Samba3 servers, so I have to get Samba3 
> working with Samba4.
> 
> Or I have to build Samba4 by myself.
> 
> Klaus

Hi
I don't think you can have (or would want?) network neighbourhood with
AD. It may be best to have real shares and control access using ACL's or
smb.conf. If you can, I really would advise building s4 from source:
4.0.8 for both DC and file server and using samba for the DC and smbd
for the file server. It takes longer but it's easy to do and you can be
sure to have the latest version. If you want to stick with Ubuntu then I
see the s4 DC and separate s3 file server the best way to go.
Cheers,
Steve


 


Re: [Samba] Samba 4 as member server

2013-08-06 Thread steve
On Tue, 2013-08-06 at 14:34 +0200, Klaus Rörig wrote:
> Hi!
> 
> I set up s3 on the fileserver now but I cannot connect to my share.
> 
> 'wbinfo -u' lists all users
> 'wbinfo -g' lists all groups
> 
> getent also lists the queried user.
> 
> But when I try to connect from Win7 to my s3 share, it asks for creds 
> but does not accept any. I cannot see any log entries.
> 
> What's wrong now?

Hi
Too general without knowing a bit more:
Who is logged in on the Win7 box?
Is the Win7 box joined to the domain?
What are the permissions on /srv and /srv/share?
Can the user access the share if logged in on the file server?
Can the user access the share using smbclient?
Does the share appear as a folder in explorer?
What does the windows security tab give for the share?

Steve



Re: [Samba] Samba4 Using AD/UNIX attributes for home directory and shell not possible?

2013-08-11 Thread steve

On 10/08/13 22:23, Markus Gillmeister wrote:

Hi,

I would like to use the attributes in AD for home directory
(homeDirectory) and the login shell (loginShell) for users logging in via
ssh to a linux box.

I added the following parameters in the global-Section of
/etc/samba/smb.conf:
winbind nss info = rfc2307
idmap_ldb:use rfc2307 = yes

Also I set the attributes for a test-user (called tim) with some values.

But when calling "getent passwd" I got the following result:
...
SHADOW\tim:*:317:100:Tim Testinger:/home/SHADOW/tim:/bin/false

So it seems that winbind is ignoring AD attributes. Is this a bug or did I
misconfigure my samba installation?

Best Regards
Markus



Hi
On the DC, winbind will only read uidNumber and gidNumber. To be able to 
use the whole of rfc2307, use sssd or nss-ldapd.


If you want to use winbind, you will have to install Samba4 on a 
separate machine, domainify it and run it as a file server only. I 
suppose you could then ssh into that instead.

HTH
Steve



Re: [Samba] Samba4 Using AD/UNIX attributes for home directory and shell not possible?

2013-08-12 Thread steve

On 12/08/13 10:04, Markus Gillmeister wrote:

Hi,

while googling around I already suspected that using winbind and samba4 is
not a perfect solution.

I tried to setup sssd on my debian wheezy machine but I'm not able to get a
running setup:

When starting up sssd the following errors appear:

(Mon Aug 12 09:57:43 2013) [sssd[be[shadow.local]]] [setup_child] (0x0010):
Could not verify keytab
(Mon Aug 12 09:57:43 2013) [sssd[be[shadow.local]]] [load_backend_module]
(0x0010): Error (2) in module (ldap) initialization (sssm_ldap_id_init)!
(Mon Aug 12 09:57:43 2013) [sssd[be[shadow.local]]] [be_process_init]
(0x0010): fatal error initializing data providers
(Mon Aug 12 09:57:43 2013) [sssd[be[shadow.local]]] [main] (0x0010): Could
not initialize backend [2]


My /etc/sssd/sssd.conf looks like:

[sssd]
config_file_version = 2
domains = shadow.local
services = nss, pam
debug_level = 7

[nss]

[pam]

[domain/shadow.local]
cache_credentials = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

krb5_realm = SHADOW.LOCAL

ldap_referrals = false
ldap_sasl_mech = GSSAPI
ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName


sssd version on debian wheezy is 1.8.4. Any ideas what's wrong?

Best Regards
Markus



Hi
mmm, 1.8.4. For AD out of the box you need version 1.10.1 but you could 
try this.

You haven't specified the DC or any of the gssapi stuff:
 remove:
 access_provider =
 and add :

krb5_realm =
krb5_server =
krb5_kpasswd =

ldap_sasl_authid =
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
krb5_validate = False

for server and kpasswd use names not IP's
for ldap_sasl_authid use the machine key from the keytab it provided
when you joined the domain, something like MACHINE$


There are example configs for both rfc2307bis and AD schemas here:
http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html
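The reply above lists the keys an id_provider = ldap domain section needs against an AD DC and the one it says to drop. As an added example that is not part of the list posts, the shell script below lints the [domain/...] section of an sssd.conf for exactly those keys: it reports each key from the reply that is absent and flags access_provider if still present. The posted domain section is reproduced as a constructed sample; in the "fixed" copy the DC host name dc1.shadow.local and the authid MACHINE$ are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the posts): lint the [domain/...] section of an
# sssd.conf against the keys the reply says an id_provider=ldap setup
# against an AD DC needs, and flag access_provider, which the reply says
# to remove. The sample sections are constructed from Markus's posted
# config; the host name and authid in the fixed copy are placeholders.

REQUIRED_KEYS="krb5_realm krb5_server krb5_kpasswd ldap_sasl_authid \
ldap_krb5_keytab ldap_krb5_init_creds krb5_validate"

# Markus's domain section as posted (constructed copy, trimmed)
POSTED_DOMAIN='[domain/shadow.local]
cache_credentials = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
krb5_realm = SHADOW.LOCAL
ldap_referrals = false
ldap_sasl_mech = GSSAPI
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_group_object_class = group'

# The same section after applying the reply (dc1.shadow.local and
# MACHINE$ are placeholders)
FIXED_DOMAIN='[domain/shadow.local]
cache_credentials = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_realm = SHADOW.LOCAL
krb5_server = dc1.shadow.local
krb5_kpasswd = dc1.shadow.local
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = MACHINE$
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
krb5_validate = False
ldap_schema = rfc2307bis'

# domain_keys FILE: print the key of every "key = value" line inside the
# first [domain/...] section of FILE
domain_keys() {
    awk '
        /^\[domain\// { in_dom = 1; next }
        /^\[/         { in_dom = 0; next }
        in_dom && /^[^#;]*=/ {
            split($0, kv, "=")
            key = kv[1]
            gsub(/[[:space:]]/, "", key)
            if (key != "") print key
        }
    ' "$1"
}

# check_sssd_conf FILE: print one line per problem; exit status 0 when clean
check_sssd_conf() {
    keys=$(domain_keys "$1")
    status=0
    for want in $REQUIRED_KEYS; do
        if ! printf '%s\n' "$keys" | grep -qx "$want"; then
            echo "missing: $want"
            status=1
        fi
    done
    if printf '%s\n' "$keys" | grep -qx access_provider; then
        echo "remove: access_provider"
        status=1
    fi
    return $status
}

# check_section TEXT: write TEXT to a temp file and run the checker on it
check_section() {
    f=$(mktemp)
    printf '%s\n' "$1" > "$f"
    check_sssd_conf "$f" && rc=0 || rc=$?
    rm -f "$f"
    return $rc
}

check_posted() { check_section "$POSTED_DOMAIN"; }
check_fixed()  { check_section "$FIXED_DOMAIN"; }
```

Run `check_sssd_conf /etc/sssd/sssd.conf` on a client; a clean exit status means every key from the reply is present and access_provider is gone. The checker only looks at key names, so the values (which host, which keytab) still have to be right.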







Re: [Samba] Samba/winbind UID mismatch.

2013-08-12 Thread steve

On 12/08/13 13:04, Pramod Venugopal wrote:

Hello everyone,

I am running Samba 4.0.8 on Arch Linux (installed from the Arch Repo)

I have winbind authentication configured and working. I am able to login via 
ssh, and at the machine console with my samba credentials. I also have a 
Windows 8 client and an OS X client which is able to connect to this system via 
smb.

However, when I create files or directories via smb I seem to have a UID 
mismatch compared to when I create files/directories via shell or at the console

When I type id at the shell, it tells me my uid is 318 . Files created at 
the shell or console have this as the owner.

When I copy files via smb the uid is 300.

In idmap.ldb , my xidNumber is 318.

Am I missing something ?

Thanks in advance,

- Pramod




Hi
A quick fix maybe.
1. Add the line:
idmap_ldb use:rfc2307 = Yes
to smb.conf
2. add:
uidNumber: 318
to the DN of the user
3. Always work on the DC either by ssh or at the console.

Then the uidNumber will _always_ be 318.

There are many ways to do the same but I don't know Arch so dare not 
suggest.

HTH
Steve
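Both this reply and the earlier "samba 4 userid mapping" one come down to the same manual step: adding a uidNumber (and a matching gidNumber) to the object's DN so that idmap_ldb use:rfc2307 = Yes has something to read, with the group's own gidNumber (Domain Users is 20513 in the ldbsearch output earlier in the thread) being what a user's gidNumber should match. As an added example that is not code from the thread, the shell script below builds the LDIF for that change and feeds it to ldbmodify. The sam.ldb path and the DC=hh3,DC=site base DN are from the thread; the user DN CN=steve,CN=Users,... and uid 318 are constructed sample values.

```shell
#!/bin/sh
# Added example (not code from the thread): produce the LDIF that adds the
# rfc2307 uidNumber/gidNumber attributes to an object in sam.ldb, the step
# the replies describe doing by hand with ldbmodify/ldbedit. sam.ldb path
# and base DN are from the thread; the user DN and ids are sample values.

SAM_LDB=/usr/local/samba/private/sam.ldb

# is_id VALUE: succeed when VALUE is a non-negative decimal integer
is_id() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# rfc2307_ldif DN UIDNUMBER GIDNUMBER
# Print an LDIF "changetype: modify" record adding the given attributes.
# Leave UIDNUMBER empty for a group: a group carries only gidNumber, and a
# user's gidNumber should equal the gidNumber of its primary group.
rfc2307_ldif() {
    dn=$1; uidnum=$2; gidnum=$3
    if [ -z "$uidnum" ] && [ -z "$gidnum" ]; then
        echo "rfc2307_ldif: need a uidNumber or a gidNumber" >&2
        return 1
    fi
    for v in "$uidnum" "$gidnum"; do
        if [ -n "$v" ] && ! is_id "$v"; then
            echo "rfc2307_ldif: '$v' is not a numeric id" >&2
            return 1
        fi
    done
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    if [ -n "$uidnum" ]; then
        printf 'add: uidNumber\nuidNumber: %s\n-\n' "$uidnum"
    fi
    if [ -n "$gidnum" ]; then
        printf 'add: gidNumber\ngidNumber: %s\n-\n' "$gidnum"
    fi
}

# apply_rfc2307 DN UIDNUMBER GIDNUMBER: run on the DC, writes to sam.ldb
apply_rfc2307() {
    ldif=$(rfc2307_ldif "$@") || return 1
    printf '%s\n' "$ldif" | ldbmodify -H "$SAM_LDB"
}

# Sample values (constructed): user steve gets uid 318 and the Domain Users
# gid; the group Domain Users gets only its gidNumber.
demo_user_ldif()  { rfc2307_ldif "CN=steve,CN=Users,DC=hh3,DC=site" 318 20513; }
demo_group_ldif() { rfc2307_ldif "CN=Domain Users,CN=Users,DC=hh3,DC=site" "" 20513; }
```

Print the record first with `demo_user_ldif` and check it against `ldbsearch --url=/usr/local/samba/private/sam.ldb cn=<name>` before running `apply_rfc2307`; ldbmodify refuses the add if the attribute already exists, which is the safeguard you want when a uidNumber was set earlier by another tool.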



Re: [Samba] Samba4 Using AD/UNIX attributes for home directory and shell not possible?

2013-08-13 Thread steve
On Tue, 2013-08-13 at 10:06 +0200, Markus Gillmeister wrote:
> Steve, thanks a lot, I finally got sssd (version 1.8.4) on debian wheezy
> working with samba 4 (Version 4.0.8-SerNet-Debian-5.wheezy)!
> 
> But one last question regarding unix attributes in the AD stays:  I noticed
> that uidnumber/gid... is not written back to the active directory when
> creating a user or group. I set "idmap_ldb:use rfc2307 = yes" in my
> smb.conf, but it seems that samba-tool is ignoring this.  Is this a bug?
> 
> At http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html I
> see a script that wraps around the "samba-tool" when creating a user. After
> creating it asks winbind for uid/gid and writes these information back to
> AD. This seems fine as workaround but it would be nice if samba-tool does
> this out-of-the-box or?
> 
Hi
You have to add the attribute yourself on 4.0.8 and earlier. That's what
our scripts do. It's unfortunate that samba-tool doesn't do this. The
devs use a non AD solution for rfc2307. There is some better news: the
new RC's and master have e.g.
samba-tool user add steve [...] --uid-number=12345678
which does add the necessary attribute to AD

I'd recommend using the latest version of sssd. It has native support
for AD and loads of other goodies such as dynamic dns. Although it's
non-trivial building it on Debian, it would be worth the effort.

Many congrats on getting 1.8.4 working however.
Cheers,
Steve




Re: [Samba] Options for paid Samba (4) support

2013-08-14 Thread steve
> some users consistently can't see
> > their profile on some machines, despite the profile and redirected folders
> > looking fine on the server.)

If there are problematic machines, it's best to delete the user profiles
and allow them to be recreated the next time the users log in:
HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ProfileList
HTH 2 save a bit of cash




Re: [Samba] Samba4 + Winbind + PAM Installation/Configuration

2013-08-15 Thread steve
On Thu, 2013-08-15 at 11:15 +0200, Andreas Krupp wrote:
>   
> This got me through to the point where "Using pam_winbind" starts.

Hi
From that point:
ln -s /usr/local/samba/lib/security/pam_winbind.so /lib/security
then:
pam-config -a --winbind

Add:
template shell = /bin/bash
to smb.conf

Do _not_ start winbindd.
Best of luck.
Steve




Re: [Samba] share permissions

2013-08-20 Thread steve
On Tue, 2013-08-20 at 10:22 -0500, Ricky Nance wrote:
> Permissions are hard to explain (possibly because I don't fully understand
> them myself I guess), but if you have a directory (say /srv) and you give
> it 0700 permissions, then only the person that owns that directory is able
> to see anything under it, however if you give it 0755, then ANYONE can see
> (the second 5 is R-X for everyone) what's in there, now you have a directory
> under that, lets call it share, (so /srv/share) and you give it permissions
> of 0777, then everyone can read/write in the share folder, but no one can
> write to the /srv folder except the owner. So when you had a share under
> /home/user (which is typically /home is 755, and the /home/user is 0700)
> then no one had access to the underlying directories (even if the
> underlying directory is 777, because the user simply can't get to that
> point)...
> 
> If anyone disagrees or could explain this better please feel free to do
> so, I am not opposed to learning new things :)

Hi
How about:
700
You have to walk through /srv to be able to get to /srv/share. You can't
fly over it.

Only the owner of /srv can get into /srv and therefore anything else
inside it. It doesn't matter what permissions you set on /srv/share. The
only user who can access it will be the owner of /srv.

755
Anyone can now walk through /srv and therefore have a chance of
accessing /srv/share.

777
Anyone can do anything. If you can get there in the first place.
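The "walk through /srv" picture above can be checked mechanically. As an added example that is not part of the post, the shell script below walks a path one directory at a time, reads each directory's mode bits with ls -ld, and reports the first one that users other than its owner cannot search (no execute bit for "other"), which is where a non-owner's walk towards the share stops. The demo builds srv/share under a temporary directory with the post's 700/755/777 modes; nothing under a real /srv is touched, and the temporary root itself is assumed reachable.

```shell
#!/bin/sh
# Added example (not from the post): find the first directory on the way
# to a share that "other" users cannot search. The tree is built under a
# temporary directory; the 700/755/777 modes are the ones from the post.

# other_can_search DIR: succeed when the execute (search) bit is set for
# "other" on DIR, i.e. the tenth character of "ls -ld" is x or t
other_can_search() {
    bit=$(ls -ld "$1" | cut -c10)
    case $bit in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# first_block ROOT RELPATH: walk ROOT/RELPATH one component at a time and
# print the first directory (relative to ROOT) that "other" cannot search.
# Exit status 0 when the whole walk is open, 1 when it is blocked. ROOT
# itself is assumed to be reachable and is not checked.
first_block() {
    root=$1
    old_ifs=$IFS
    IFS=/
    set -- $2
    IFS=$old_ifs
    cur=""
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        cur="$cur/$comp"
        if ! other_can_search "$root$cur"; then
            printf '%s\n' "$cur"
            return 1
        fi
    done
    return 0
}

# demo_walk SRVMODE SHAREMODE: build srv/share in a temp dir with the given
# modes and report where a non-owner's walk to srv/share stops
demo_walk() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/srv/share"
    chmod "$1" "$tmp/srv"
    chmod "$2" "$tmp/srv/share"
    if blk=$(first_block "$tmp" srv/share); then
        result="open"
    else
        result="blocked at $blk"
    fi
    rm -rf "$tmp"
    printf '%s\n' "$result"
}
```

`demo_walk 700 777` reports the block at /srv even though the share below is wide open, which is the case the post describes for a share under /home/user; `demo_walk 755 777` reports the walk as open. On a live box run `first_block / srv/share` to see where a share under the real /srv stops for non-owners.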




Re: [Samba] Samba 4.0.9 winbind isn't passing through uid and gid numbers from Win 2003 R2

2013-08-20 Thread steve
On Tue, 2013-08-20 at 16:31 -0500, Jason Michaelson wrote:


> idmap cache time = 1800
> idmap config FOUR-HORSEMEN:backend = ad
> idmap config FOUR-HORSEMEN:schema_mode = rfc2307
> idmap config FOUR-HORSEMEN:default = yes
> idmap config FOUR-HORSEMEN:range = 1-2
> idmap config FOUR-HORSEMEN:cache time = 1800

add this:
idmap config *:backend = tdb
idmap config *:range = 20001-20100

hth
Steve




Re: [Samba] [samba]How to config samba4 internal dns?

2013-08-21 Thread steve
On Wed, 2013-08-21 at 14:45 +0800, Sense Zeng wrote:
> I'm new to samba4 and I'm trying to test samba4 (Version 4.0.8) with
> internal dns.
> Can the internal dns be configured? Could I just manually add some host (A) in?

Hi
Yes, no problem:

samba-tool dns addA 

hth
Steve




Re: [Samba] Problem with klist -k and smbclient

2013-08-23 Thread steve
On Fri, 2013-08-23 at 17:15 +, Eduardo Sotomayor wrote:
> I am having two problems when testing the samba4 installation

> 
> and this one is when running klist -k
> 
> sienicdc1:/home/eduardo # klist -k
> Keytab name: FILE:/etc/krb5.keytab
> klist: no such file or directory while starting keytab scan
> 
> all the test commands in the samba4 how to have been successful, just these two
> output these errors

Hi
An off the shelf samba4 install doesn't need nor produce a keytab.
hth




[Samba] smbd looking for non existent files

2013-08-24 Thread steve
Hi
4.0.8 file server in a 4.0.8 domain

After a user logs in on a Linux client which is joined to the domain,
smbd is constantly looking for files which don't exist:

Here is the file server log after a user login to a Linux client has
settled down:
[2013/08/24 18:43:24.748511, 3] ../source3/smbd/vfs.c:1140(check_reduced_name)
  check_reduced_name [steve2/.icons/gnome] [/home/users]
[2013/08/24 18:43:24.751496, 3] ../source3/smbd/vfs.c:1270(check_reduced_name)
  check_reduced_name: steve2/.icons/gnome reduced to /home/users/steve2/.icons/gnome
[2013/08/24 18:43:24.753922, 3] ../source3/smbd/trans2.c:5399(call_trans2qfilepathinfo)
  call_trans2qfilepathinfo: SMB_VFS_LSTAT of steve2/.icons/gnome failed (No such file or directory)
[2013/08/24 18:43:24.755239, 3] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/trans2.c(5401) cmd=50 (SMBtrans2) NT_STATUS_OBJECT_NAME_NOT_FOUND
[2013/08/24 18:43:24.760257, 3] ../source3/smbd/process.c:1794(process_smb)
  Transaction 1113 of length 122 (0 toread)
[2013/08/24 18:43:24.761808, 3] ../source3/smbd/process.c:1397(switch_message)
  switch message SMBtrans2 (pid 1122) conn 0xb8f54520
[2013/08/24 18:43:24.770442, 3] ../source3/smbd/trans2.c:5291(call_trans2qfilepathinfo)
  call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 512
[2013/08/24 18:43:24.774313, 3] ../source3/smbd/vfs.c:1140(check_reduced_name)
  check_reduced_name [steve2/.icons/hicolor] [/home/users]
[2013/08/24 18:43:24.777104, 3] ../source3/smbd/vfs.c:1270(check_reduced_name)
  check_reduced_name: steve2/.icons/hicolor reduced to /home/users/steve2/.icons/hicolor
[2013/08/24 18:43:24.780783, 3] ../source3/smbd/trans2.c:5399(call_trans2qfilepathinfo)
  call_trans2qfilepathinfo: SMB_VFS_LSTAT of steve2/.icons/hicolor failed (No such file or directory)
[2013/08/24 18:43:24.785670, 3] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/trans2.c(5401) cmd=50 (SMBtrans2) NT_STATUS_OBJECT_NAME_NOT_FOUND
[2013/08/24 18:43:24.791477, 3] ../source3/smbd/process.c:1794(process_smb)
  Transaction 1114 of length 128 (0 toread)
[2013/08/24 18:43:24.796225, 3] ../source3/smbd/process.c:1397(switch_message)
  switch message SMBtrans2 (pid 1122) conn 0xb8f54520
[2013/08/24 18:43:24.798960, 3] ../source3/smbd/trans2.c:5291(call_trans2qfilepathinfo)

file server:
[global]
workgroup = HH3
realm = HH3.SITE
security = ADS
kerberos method = secrets and keytab
username map = /home/steve/smbmap
log level = 3

[users]
path = /home/users
read only = No

smbmap:
!Administrator = HH3\Administrator

Client:
[global]
workgroup = HH3
realm = HH3.SITE
security = ADS
kerberos method = system keytab

Tested with sssd and nslcd. (yes, it's the same with winbind)

Why is smbd looking for files which don't exist? Is there a cache I
should clear?
Cheers,
Steve


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

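As an added illustration for the level-3 log quoted above (this is not code from the thread or from Samba), the following shell snippet tallies which paths the client keeps asking smbd for and how many NT_STATUS_OBJECT_NAME_NOT_FOUND error packets went back to it. The sample log is constructed to match the line format shown above; the function names are my own.

```shell
#!/bin/sh
# Constructed sample of level-3 smbd log lines, modelled on the format in the
# thread (not a real capture): three probes for .icons/hicolor, two for
# .icons/gnome, one for .icons/Adwaita, each answered with an NT error packet.
SAMPLE_LOG='[2013/08/24 18:43:24.780783,  3] ../source3/smbd/trans2.c:5399(call_trans2qfilepathinfo)
  call_trans2qfilepathinfo: SMB_VFS_LSTAT of steve2/.icons/hicolor failed (No such file or directory)
[2013/08/24 18:43:24.785670,  3] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/trans2.c(5401) cmd=50 (SMBtrans2) NT_STATUS_OBJECT_NAME_NOT_FOUND
[2013/08/24 18:43:24.791477,  3] ../source3/smbd/process.c:1794(process_smb)
  Transaction 1114 of length 128 (0 toread)
[2013/08/24 18:43:24.801001,  3] ../source3/smbd/trans2.c:5399(call_trans2qfilepathinfo)
  call_trans2qfilepathinfo: SMB_VFS_LSTAT of steve2/.icons/gnome failed (No such file or directory)
[2013/08/24 18:43:24.805002,  3] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/trans2.c(5401) cmd=50 (SMBtrans2) NT_STATUS_OBJECT_NAME_NOT_FOUND
[2013/08/24 18:43:24.811003,  3] ../source3/smbd/trans2.c:5399(call_trans2qfilepathinfo)
  call_trans2qfilepathinfo: SMB_VFS_LSTAT of steve2/.icons/hicolor failed (No such file or directory)
[2013/08/24 18:43:24.815004,  3] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/trans2.c(5401) cmd=50 (SMBtrans2) NT_STATUS_OBJECT_NAME_NOT_FOUND
[2013/08/24 18:43:24.821005,  3] ../source3/smbd/trans2.c:5399(call_trans2qfilepathinfo)
  call_trans2qfilepathinfo: SMB_VFS_LSTAT of steve2/.icons/Adwaita failed (No such file or directory)
[2013/08/24 18:43:24.825006,  3] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/trans2.c(5401) cmd=50 (SMBtrans2) NT_STATUS_OBJECT_NAME_NOT_FOUND
[2013/08/24 18:43:24.831007,  3] ../source3/smbd/trans2.c:5399(call_trans2qfilepathinfo)
  call_trans2qfilepathinfo: SMB_VFS_LSTAT of steve2/.icons/gnome failed (No such file or directory)
[2013/08/24 18:43:24.835008,  3] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/trans2.c(5401) cmd=50 (SMBtrans2) NT_STATUS_OBJECT_NAME_NOT_FOUND
[2013/08/24 18:43:24.841009,  3] ../source3/smbd/trans2.c:5399(call_trans2qfilepathinfo)
  call_trans2qfilepathinfo: SMB_VFS_LSTAT of steve2/.icons/hicolor failed (No such file or directory)
[2013/08/24 18:43:24.845010,  3] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/trans2.c(5401) cmd=50 (SMBtrans2) NT_STATUS_OBJECT_NAME_NOT_FOUND'

# tally_missing_paths LOG: print "count path" for every share-relative path whose
# SMB_VFS_LSTAT failed with ENOENT, most frequent first (ties by path name).
# Paths containing spaces would need a different split; the thread's do not.
tally_missing_paths() {
    printf '%s\n' "$1" |
    awk '/SMB_VFS_LSTAT of .* failed \(No such file or directory\)/ {
            for (i = 1; i <= NF; i++) if ($i == "of") { p = $(i + 1); break }
            count[p]++
         }
         END { for (p in count) print count[p], p }' |
    sort -k1,1nr -k2,2
}

# count_enoent_errors LOG: number of NT_STATUS_OBJECT_NAME_NOT_FOUND error packets
# smbd sent back, i.e. how many client requests were answered "no such file".
count_enoent_errors() {
    printf '%s\n' "$1" | grep -c 'NT_STATUS_OBJECT_NAME_NOT_FOUND' || true
}

tally_missing_paths "$SAMPLE_LOG"
printf 'error packets: %s\n' "$(count_enoent_errors "$SAMPLE_LOG")"
```

Run against a real `log.smbd` at `log level = 3` (replace `SAMPLE_LOG` with the file contents) and the top entries tell you which client-side lookups are producing the noise; the paths in the thread are icon-theme directories, which the desktop on the Linux client probes, not anything smbd decides to open on its own.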

Re: [Samba] smbd looking for non existent files

2013-08-24 Thread steve
On Sat, 2013-08-24 at 20:57 +0200, Michael Wood wrote:
> Hi
> 
> On 24 August 2013 19:05, steve  wrote:
> Hi
> 4.0.8 file server in a 4.0.8 domain
> 
> After a user logs in on a Linux client which is joined to the
> domain,
> smbd is constantly looking for files which don't exist:
> 
> 
> smbd has no reason to look for those files unless the client asks for
> them.
> 
> 
> I suspect you just need to turn down the debug level a bit.
>  
> Here is the file server log after a user login to a Linux
> client has
> settled down:
> [2013/08/24 18:43:24.748511,  3] ../source3/smbd/vfs.c:1140(check_reduced_name)
>   check_reduced_name [steve2/.icons/gnome] [/home/users]
>  [...]

Hi
But if I turn the log level down (it's only at 3), that doesn't stop it
looking, does it?

As you say, steve2/.icons/gnome must be coming from the Linux client.
Would it be correct to eliminate samba from this issue? My fear is that
scaling this up by replacing windows boxes with Linux is going to grind
the whole thing to a halt. Watching tail -f log.smbd is scary.  




Re: [Samba] issue with multiple Samba DC and uid/gid assignment.

2013-08-25 Thread steve
On Sat, 2013-08-24 at 23:02 +, dahopk...@comcast.net wrote:

> 
> 
> Notice that the group id and uid are both different. Why?

How did you provision the second DC? Are they replicating OK? When they
are, both DC's need:
idmap_ldb use:rfc2307 = Yes
in the [global] of their smb.conf

On either DC, winbind will only pull uid and gid from AD. If you want to
see all of rfc2307, you must use sssd or nslcd. Then getent passwd will
show not only the correct uidNumber and gidNumber, but also the
loginShell and unixHomeDirectory too 

Advice: don't use Test24.User as a username for debugging. Lose the
capitalisation and the dot.
HTH
Steve



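As an added example (not code from the thread or from Samba), two checks a practitioner would run when two DCs hand out different uid/gid values: one confirms that `idmap_ldb use:rfc2307 = Yes` really sits in the `[global]` section of an smb.conf, the other compares `getent passwd` output captured on each DC and prints the users whose uid or gid diverge. The smb.conf fragments and passwd lines are constructed for the example; the function names are my own.

```shell
#!/bin/sh
# Constructed smb.conf fragments (assumed, not from the thread). In BAD_CONF the
# rfc2307 line is under a share instead of [global], where it has no effect.
GOOD_CONF='[global]
    workgroup = HH3
    realm = HH3.SITE
    ; whitespace and case in parameter names are irrelevant to Samba
    Idmap_ldb   use:rfc2307 = yes
[users]
    path = /home/users'
BAD_CONF='[global]
    workgroup = HH3
    realm = HH3.SITE
[users]
    idmap_ldb use:rfc2307 = Yes'

# global_has_rfc2307 CONF: exit 0 if [global] sets idmap_ldb use:rfc2307 to a true
# value. Mirrors smb.conf parsing rules: section and parameter names are compared
# with case and whitespace removed; comment lines (# or ;) are skipped; the boolean
# spellings yes/true/1 are accepted.
global_has_rfc2307() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { section = tolower($0); gsub(/[ \t]/, "", section); next }
        section == "[global]" && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (tolower(key) == "idmap_ldbuse:rfc2307" && tolower(val) ~ /^(yes|true|1)$/)
                found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed `getent passwd` captures from two DCs (assumed). DC2 shows the
# kind of entry you get when the ids come from the allocated xidNumber pool
# rather than from the rfc2307 uidNumber/gidNumber attributes.
DC1_PASSWD='test24user:*:10001:10000:Test24 User:/home/test24user:/bin/bash
alice:*:10002:10000:Alice:/home/alice:/bin/bash'
DC2_PASSWD='test24user:*:3000134:100::/home/HH3/test24user:/bin/false
alice:*:10002:10000:Alice:/home/alice:/bin/bash'

# diverging_ids PASSWD_A PASSWD_B: print "user uidA:gidA uidB:gidB" for each user
# present in both captures whose uid or gid differs between them.
diverging_ids() {
    {
        printf '%s\n' "$1" | sed 's/^/1:/'
        printf '%s\n' "$2" | sed 's/^/2:/'
    } | awk -F: '
        NF < 5 { next }
        $1 == 1 { id1[$2] = $4 ":" $5; next }
        $1 == 2 && ($2 in id1) && id1[$2] != $4 ":" $5 { print $2, id1[$2], $4 ":" $5 }'
}

if global_has_rfc2307 "$GOOD_CONF"; then echo "GOOD_CONF: rfc2307 enabled in [global]"; fi
if ! global_has_rfc2307 "$BAD_CONF"; then echo "BAD_CONF: rfc2307 not set in [global]"; fi
diverging_ids "$DC1_PASSWD" "$DC2_PASSWD"
```

To use it on real DCs, feed each one's `/etc/samba/smb.conf` (or `samba-tool testparm` output) to `global_has_rfc2307` and the output of `getent passwd` from each DC to `diverging_ids`; an empty result from the second function means the DCs agree. As the thread notes, winbind on a DC only exposes uid and gid, so check the full rfc2307 attributes through sssd or nslcd.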

Re: [Samba] issue with multiple Samba DC and uid/gid assignment.

2013-08-25 Thread steve
On Sat, 2013-08-24 at 23:27 +, dahopk...@comcast.net wrote:
> A quick follow-on ... if I examine the local sam.ldb on the server2 via 
> ldbedit, it appears the information is correct, but wbinfo still reports 
> different numbers: 
> 
Replication OK then.

> wbinfo -i Test24.User 
> Domain\Test24.User:*:3000134:100::/home/Domain/Test24.User:/bin/false 

idmap_ldb use:rfc2307 = Yes
nscd not running 
??



