Roaming Profiles

2002-12-18 Thread Neil Jobbins



Hi,
 
I have a Linux Redhat 8.0 server running samba 2.2.6 and a network of
15 windows 2000 clients.  I would like to implement roaming profiles for
all windows users.  I have set up samba to be the PDC and master browser.
The domain logons work fine but the roaming profiles give me an error
saying:

"The process cannot access the file because it is being used by another
process"

This happens even if I simply log on and log off again.  It's driving me
nuts.

Can anyone help me explain this?

Below is my smb.conf as issued by 'testparm'.
 
Many Thanks in advance
Neil Jobbins
 
# Global parameters
[global]
    coding system =
    client code page = 850
    code page directory = /etc/codepages
    workgroup = CCF
    netbios name = SCCFDATA1
    netbios aliases = SCCFDATA1
    netbios scope =
    server string = Samba 2.2.6
    interfaces =
    bind interfaces only = No
    security = USER
    encrypt passwords = Yes
    update encrypted = No
    allow trusted domains = Yes
    hosts equiv =
    min passwd length = 5
    map to guest = Never
    null passwords = No
    obey pam restrictions = No
    password server =
    smb passwd file = /etc/samba/smbpasswd
    root directory =
    pam password change = No
    passwd program = /usr/bin/passwd
    passwd chat = *new*password* %n\n *new*password* %n\n *changed*
    passwd chat debug = No
    username map =
    password level = 0
    username level = 0
    unix password sync = No
    restrict anonymous = No
    lanman auth = Yes
    use rhosts = No
    admin log = No
    log level = 2
    syslog = 1
    syslog only = No
    log file = /var/log/samba/samba.log
    max log size = 5000
    timestamp logs = Yes
    debug hires timestamp = No
    debug pid = No
    debug uid = No
    protocol = NT1
    large readwrite = Yes
    max protocol = NT1
    min protocol = CORE
    read bmpx = No
    read raw = Yes
    write raw = Yes
    nt smb support = Yes
    nt pipe support = Yes
    nt status support = Yes
    announce version = 4.9
    announce as = NT
    max mux = 50
    max xmit = 16644
    name resolve order = lmhosts host wins bcast
    max ttl = 259200
    max wins ttl = 518400
    min wins ttl = 21600
    time server = No
    unix extensions = No
    change notify timeout = 60
    deadtime = 0
    getwd cache = Yes
    keepalive = 300
    lpq cache time = 10
    max smbd processes = 0
    max disk size = 0
    max open files = 1
    name cache timeout = 660
    read size = 16384
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192SO_SNDBUF=8192
    stat cache size = 50
    use mmap = Yes
    total print jobs = 0
    load printers = Yes
    printcap name = /etc/printcap
    disable spoolss = No
    enumports command =
    addprinter command =
    deleteprinter command =
    show add printer wizard = Yes
    os2 driver map =
    strip dot = No
    mangling method = hash
    character set =
    mangled stack = 50
    stat cache = Yes
    domain admin group = @root @ccfadmin @ccfusers
    domain guest group =
    machine password timeout = 604800
    add user script =
    delete user script =
    logon script = ccflogon.bat
    logon path = \\SCCFDATA1\profile\%u
    logon drive = L:
    logon home = \\SCCFDATA1\%u
    domain logons = Yes
    os level = 20
    lm announce = Auto
    lm interval = 60
    preferred master = Yes
    local master = Yes
    domain master = Yes
    browse list = Yes
    enhanced browsing = Yes
    dns proxy = Yes
    wins proxy = No
    wins server =
    wins support = Yes
    wins hook =
    kernel oplocks = Yes
    lock spin count = 3
    lock spin time = 10
    oplock break wait time = 0
    add share command =
    change share command =
    delete share command =
    config file =
    preload =
    lock dir = /var/cache/samba
    pid directory = /var/run/samba
    utmp directory =
    wtmp directory =
    utmp = No
    default service = global
    message command =
    dfree command =
    valid chars =
    remote announce = 192.168.0.255/CCF
    remote browse sync =
    socket address = 0.0.0.0
    homedir map =
    time offset = 0
    NIS homedir = No
    source environment =
    panic action ="">
    hide local users = No
    host msdfs = No
    winbind uid =
    winbind gid =
    template homedir = /home/%D/%U
    template shell = /bin/false
    winbind separator = \
    winbind cache time = 15
    winbind e

Prevent winbind idmap corruption

2002-12-18 Thread Michael Steffens
Hi,

the attached patch prevents winbindd from corrupting the
id mapping database in case of write failure. For example when
the filesystem hosting the TDB file is full.

Storing a new mapping consists of three steps

 1. allocate UID/GID (increment HWM)
 2. store mapping UID/GID : SID
 3. store reverse mapping SID : UID/GID

which should be done as a transaction, either completely or not
at all.

The present winbindd_idmap.c does not check success of the
operations above, and will result in an inconsistent mapping
database when any of them fails.

The patched version does check success, and rolls back in
case of failure.

It's not 100% failure proof (transaction is not atomic), but
better than before IMO. :)

Michael


Index: nsswitch/winbindd_idmap.c
===
RCS file: /cvsroot/samba/source/nsswitch/winbindd_idmap.c,v
retrieving revision 1.3.4.13
diff -u -r1.3.4.13 winbindd_idmap.c
--- nsswitch/winbindd_idmap.c   27 Apr 2002 03:04:08 -  1.3.4.13
+++ nsswitch/winbindd_idmap.c   18 Dec 2002 14:51:08 -
@@ -44,6 +44,8 @@
 
 if ((hwm = tdb_fetch_int32(idmap_tdb, 
  isgroup ? HWM_GROUP : HWM_USER)) == -1) {
+DEBUG(0, ("Failed to fetch %s : %s\n", isgroup ? HWM_GROUP : HWM_USER,
+tdb_errorstr(idmap_tdb)));
 return False;
 }
 
@@ -63,7 +65,45 @@
 
 /* Store new high water mark */
 
-tdb_store_int32(idmap_tdb, isgroup ? HWM_GROUP : HWM_USER, hwm);
+if (tdb_store_int32(idmap_tdb, isgroup ? HWM_GROUP : HWM_USER, hwm)) {
+DEBUG(0, ("Failed to store %s %d : %s\n", isgroup ? HWM_GROUP : HWM_USER,
+hwm, tdb_errorstr(idmap_tdb)));
+return False;
+}
+
+return True;
+}
+
+/* Deallocate either a user or group id, used for failure rollback */
+
+static BOOL deallocate_id(uid_t id, BOOL isgroup)
+{
+int hwm;
+
+/* Get current high water mark */
+
+if ((hwm = tdb_fetch_int32(idmap_tdb, 
+ isgroup ? HWM_GROUP : HWM_USER)) == -1) {
+DEBUG(0, ("Failed to fetch %s : %s\n", isgroup ? HWM_GROUP : HWM_USER,
+tdb_errorstr(idmap_tdb)));
+return False;
+}
+
+if (hwm != id + 1) {
+/* Should actually never happen, internal redundancy... */
+DEBUG(0, ("winbind %s mismatch on deallocation!\n", isgroup ? HWM_GROUP : 
+HWM_USER));
+return False;
+}
+
+hwm--;
+
+/* Store new high water mark */
+
+if (tdb_store_int32(idmap_tdb, isgroup ? HWM_GROUP : HWM_USER, hwm)) {
+DEBUG(0, ("Failed to store %s %d : %s\n", isgroup ? HWM_GROUP : HWM_USER,
+   hwm, tdb_errorstr(idmap_tdb)));
+return False;
+}
 
 return True;
 }
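Review bot: In deallocate_id() the test `hwm != id + 1` compares the signed `int hwm` against the unsigned `uid_t id`, and the same function is called for gids, so the parameter type is misleading for the group case. Consider taking the id as an int (or casting explicitly) so the comparison is well defined. The fetch, compare, decrement and store sequence on the HWM key is also done without any lock: if anything advances the high water mark between the failed store and this rollback, the mismatch branch fires and the id is simply leaked. That is a safe outcome, but the comment "Should actually never happen" should say so, and the DEBUG line there would be more useful if it printed both hwm and id.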
@@ -109,16 +149,37 @@
 fstring keystr2;
 
 /* Store new id */
-
+
 slprintf(keystr2, sizeof(keystr2), "%s %d", isgroup ? "GID" : "UID", *id);
 
 data.dptr = keystr2;
 data.dsize = strlen(keystr2) + 1;
 
-tdb_store(idmap_tdb, key, data, TDB_REPLACE);
-tdb_store(idmap_tdb, data, key, TDB_REPLACE);
+/* If any of the following actions fails try to
+   revert modifications successfully made so far. */
 
 result = True;
+
+if (result && tdb_store(idmap_tdb, key, data, TDB_REPLACE)) {
+DEBUG(0, ("Failed to store id mapping %s:%s : %s\n",
+  key.dptr, data.dptr, tdb_errorstr(idmap_tdb)));
+
+if (!deallocate_id(*id, isgroup))
+DEBUG(0, ("Failed to rollback id mapping\n"));
+
+result = False;
+}
+
+if (result && tdb_store(idmap_tdb, data, key, TDB_REPLACE)) {
+DEBUG(0, ("Failed to store reverse id mapping %s:%s : %s\n",
+  data.dptr, key.dptr, tdb_errorstr(idmap_tdb)));
+
+if (!deallocate_id(*id, isgroup) || tdb_delete(idmap_tdb, key))
+DEBUG(0, ("Failed to rollback id mapping\n"));
+
+tdb_delete(idmap_tdb, key);
+result = False;
+}
 }
 }
 
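Review bot: In the reverse-mapping failure branch, `tdb_delete(idmap_tdb, key)` runs twice when deallocate_id() succeeds: once inside the `||` condition and again unconditionally on the following line. When deallocate_id() fails, the short circuit skips the first call, so the "Failed to rollback id mapping" message cannot tell which of the two steps failed. Call each rollback step exactly once and log them separately. The order should also be reversed: delete the forward mapping first and only then lower the high water mark, otherwise there is a window in which the id can be handed out again while the stale key-to-id record still exists. Minor points: `result &&` in the first `if` is always true because `result = True` is set just above it, and the first `-`/`+` pair changes only whitespace on an empty line and can be dropped from the patch.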



Another Bug and Temporary Fix (LDAP Trust Account)

2002-12-18 Thread Matt Roberts

Developers,

I hope I am not giving you another item that is already resolved in CVS
somewhere (my CVS skills are rusty), but here is what I have found with
respect to a trust relationship using an LDAP backend with 3.0a21.

I have this:

   1.  NT Domain: NTDOMAIN
   2.  Samba Domain: SMBDOMAIN

I want my NT domain to trust my SAMBA domain.  So I create the user account
(posixAccount objectClass only) for my NT domain in the LDAP directory:

   dn: uid=NTDOMAIN$, dc=example, dc=org
   objectclass: top
   objectclass: posixAccount
   uid: NTDOMAIN$
   uidNumber: ...
   gidNumber: ...

and so on.  I tell Samba to set this up as a new trust:

   net rpc trustdom add COMMUNICATION -U Administrator

Which succeeds and updates the above LDIF with the usual sambaAccount
attributes, including this one:

   acctFlags: [I ]

I tell Samba to set the initial password for this account:

   $ smbpasswd NTDOMAIN$
   New Password: ...

Which also succeeds.  Then I go to my NT domain controller, fire up User
Manager, and tell it to trust my SMBDOMAIN system, which appears to succeed
but gives me a warning about verification of the trust failing.

But the trust doesn't work just yet.  If I look at my LDIF again at this
point, I see that 'acctFlags' has been changed to:

   acctFlags: [U ]

So I go in with my favorite tool and change it back to:

   acctFlags: [I ]

And now my trust works.  But I had to make that last manual change to the
LDAP entry for NTDOMAIN$ to make the trust actually function.

Did I do something wrong in my setup, or should the 'smbd' that received the
trust request from my NT PDC have not changed that flag from 'I' to 'U'?

Thanks again,
Matt
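
An added example, not part of the original post: a check for the symptom described above, where a trust account's acctFlags value flips from [I ] to [U ]. It reads an LDIF export and reports the listed trust accounts whose flags are no longer exactly interdomain-trust; the sample LDIF, the OTHERDOM$ entry and the function names are constructed for illustration, and the parser ignores LDIF line folding and base64 values.

```python
import re

ACCOUNT_TYPES = set("UWSI")  # user, workstation/server trust, interdomain trust

def parse_ldif(text):
    """Split LDIF text into entries (attribute name lowercased -> values)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def account_types(acct_flags):
    """Return the account-type letters in e.g. '[I ]', or None if malformed."""
    m = re.fullmatch(r"\[([A-Za-z ]*)\]", acct_flags or "")
    return {c for c in m.group(1) if c in ACCOUNT_TYPES} if m else None

def audit_trust_accounts(ldif_text, trust_uids):
    """Report listed trust accounts whose account type is not exactly 'I'."""
    findings = []
    for entry in parse_ldif(ldif_text):
        uid = entry.get("uid", [""])[0]
        if uid not in trust_uids:
            continue
        flags = entry.get("acctflags", [None])[0]
        types = account_types(flags)
        if types != {"I"}:
            findings.append((uid, flags, sorted(types or [])))
    return findings

# Constructed sample: NTDOMAIN$ after the flag flipped, plus a healthy trust.
SAMPLE = """\
dn: uid=NTDOMAIN$, dc=example, dc=org
uid: NTDOMAIN$
acctFlags: [U ]

dn: uid=OTHERDOM$, dc=example, dc=org
uid: OTHERDOM$
acctFlags: [I ]
"""

if __name__ == "__main__":
    print(audit_trust_accounts(SAMPLE, {"NTDOMAIN$", "OTHERDOM$"}))
```

Run against a periodic export of the directory, this catches the flag being rewritten before users notice the trust has stopped working.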




[PATCH] module stuff (BIG patch :-)

2002-12-18 Thread Stefan (metze) Metzmacher
t  -- vfs initialization function

vfs_*_init (e.g. vfs_recycle_init) must return a properly initialized
vfs_op_tuple[] array which describes all operations this module claims
to intercept. This function is called whenever the module is loaded into
the smbd process using sys_dlopen().

vfs_*_init must have a list (indexed by the SNUM(conn) or CNUM(conn))
for storing the default_vfs_ops and if module wants to store private
information for further usage.

Prototypes:
vfs_op_tuple *vfs_recycle_init(struct connection_struct *conn, struct vfs_ops *default_vfs_ops, const char *param);


'vfs path' is removed
'vfs options' is removed (parametric options should be used)

'vfs object' is moved to 'vfs objects' (but 'vfs object' is an alias)

'vfs objects = {[]}

- vfs_audit.c is installed as audit.so
- vfs_recycle.c is installed as recycle.so
- vfs_nettalk.c is installed as nettalk.so

vfs_audit.c and vfs_recycle.c  are now per connection safe
vfs_netatalk.c should be updated to use SMB_VFS_INTERFACE_VERSION 6 later


I have tested this patch this afternoon and I have no problems...

metze
-
Stefan "metze" Metzmacher <[EMAIL PROTECTED]>

modules-20021218-02.diff.tgz
Description: application/compressed


Unable to lookup names to display / .NET client problem

2002-12-18 Thread Myo M Thein
Hi,

I am running samba 2.2.7 on FreeBSD 4.7 as PDC with LDAP database backend.
I have several Windows XP Pro clients.  Everything is fine about joining
the domain (after changing the reg key) and logging in.  But when I run a
.NET application on the client, it says the user needs to be in the
Debugger User Group on the local machine.  Is there any way to make it
work?  My workaround is trying to change permissions on some folders,
assuming that if I add Domain User with full permission, it might solve
it.  But when I add the permission, it gives me the error "Unable to
lookup user names for display" and I can't add the group.  But I can still
add individual users.  I need to add the group since I have thousands of
users and I cannot add them all.

I searched around the mailing list and the unable to lookup names problem
is said to be fixed in ver 2.2.3.  But why am I having the problem?  Am I
doing something wrong?

Here is a snippet from my smb.conf file.

ldap admin dn = "cn=root,dc=cs,dc=mydomain,dc=com"
ldap server = directory.cs.mydomain.com
ldap suffix = "ou=People,dc=cs,dc=mydomain,dc=com"
ldap port = 389
ldap ssl = start tls

##
## Passwords & Authentication
##
security = user
encrypt passwords = yes

domain logons = yes
domain admin group = @smbadmin
domain guest group = @smbguest

wins support = yes

Pls help 

Thanks in advance.
Myo




RE: Kerberized SMB client? User level SMB client?

2002-12-18 Thread Urban Widmark
On Mon, 16 Dec 2002, Naomaru Itoi wrote:

> Thanks, Steve, 
> 
> I was actually asking about SMB/CIFS client *filesystem*.  Excuse me for
> being unclear ... 

smbfs (not userspace) works just fine (*) with kerberos.

All kerberos work is done by smbmount (userspace) and that code is the
same as the one used by smbclient. The filesystem parts don't care about
kerberos when it is only used for authentication.

smbfs signals back to smbmount if it wants it to reconnect. But perhaps
you wanted more than authentication.


/Urban

* - Well, it needs some changes to use ntstatus error codes, but that has
nothing to do with kerberos.




Samba-3.0.0alpha builds on SuSE Linux

2002-12-18 Thread John H Terpstra
Hi,

Would anyone who is building samba-3.0.0alphas on SuSE 8.1 please drop me
a line on <[EMAIL PROTECTED]>.

I'd like to know what options you are passing to configure.

Thanks.


- John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]