I'm currently developing a program that takes the smbtree output, parses it,
retrieves all connected workstations, then calls nmblookup for each
workstation, resolves the IP, and creates a BIND zone file with this.
Why not use wins hook?
Now, to secure this program, I thought about 2 things
-
the internet using openvpn. I've been told that samba (through no fault of
its own) doesn't work very well through a VPN.
Rubbish. I have a ~dozen users using it via a VPN, it works just the same as if
they were local (albeit more slowly, for obvious reasons).
I want the workstations in
If you find smb too slow, you should try using http to serve the files
across the VPN.
Set up apache to use samba authentication and you should be all set.
You could even run both Samba and Apache at the same time, and see for
yourself which works out better.
We use Davenport, which is a
I wonder if it is possible to write a VFS module to block the listing of
directory in a share?
The files inside the directory should be accessible for read/write
operations, but should be able to list the files in the directory.
Is that possible?
Can't you do this exact thing with UNIX
I just tested your settings and they seem to be working.
The auth takes much longer now, maybe because it is working.
When checking shares the getpwnam does not even get called any more.
I noticed many SMB_VFS, NT_STATUS_NO_SUCH_OBJECT in the log, I guess
that lets me know VFS was
Are failed client logins on the XP clients logged anywhere ?
How about non-domain member clients accessing shares ?
It completely depends on your logging settings. Perhaps show your
smb.conf global section so we can tell.
In my setup, and from the looks of things around here, a lot of
Perhaps this is a stupid question, but if you are using a LDAP backend, is
there any requirement to have a userPassword for a user for them to be able
Only if you want to authenticate other services to the DSA.
to authenticate to a Samba PDC?
No (well, unless it is required by schema).
I use log.%M to get per client logs. This works but I always end up
with -
[EMAIL PROTECTED] root]# cd /var/log/samba
[EMAIL PROTECTED] samba]# ls -l log.pc01699
-rw-r--r--1 root root 2642617 Nov 12 07:30 log.pc01699
[EMAIL PROTECTED] samba]# host pc01699
pc01699.morrison.iserv.net
On Fri, Nov 12, 2004 at 08:26:54AM -0500, Adam Tauno Williams wrote:
I use log.%M to get per client logs. This works but I always end up
with -
[EMAIL PROTECTED] root]# cd /var/log/samba
[EMAIL PROTECTED] samba]# ls -l log.pc01699
-rw-r--r--1 root root 2642617 Nov 12 07:30
I have a couple of Windows 2000 boxes that only accept logons from users
who have logged onto the system before. For new users the logon
appears to succeed, proceeds to Loading your personal settings and
then the following error appears -
Windows cannot log you on because the profile cannot be
I would like to have a DIT similar to this for my Samba server :
ou=People,dc=domain,dc=com: users accounts
ou=Group,dc=Domain,dc=com: groups
ou=Hosts,dc=domain,dc=com: machine accounts
ou=Samba,dc=domain,dc=com: Samba specific stuff, such as sambaDomain,
sambaUnixIdPool, etc
My
I thought the profile copy was smart and only copied files that had changed?
What can I do to improve this performance?
Maybe theoretically, but we've seen it 'stupid' on frequent occasions.
Really best just to redirect the My Documents short cut to a real share
(such as a home directory) that
I use samba 3.0.1pre1
I make a config.pol with .adm templates.
But, when I use it in netlogon, registry settings are not set.
netlogon and config.pol have correct permissions.
Shouldn't it be ntconfig.pol?
--
To unsubscribe from this list go to the following URL and read the
instructions:
I have recently installed a machine with the above mentioned
configuration. The machine will be a fax-server. It will only receive
(at the moment) faxes and store them on its hard-drive.
the problem is that all the faxes that I receive are either
black pages or they are white pages with a
As it is relatively easy to have one LDAP database across all office
branches, I don't know how to make Samba 3 to read/retrieve
usernames/passwords from local OpenLDAP slave, but to write added
machines/changed passwords to the master OpenLDAP server (which would
then replicate the
I'm planning a Samba3 new installation. I need to make Samba interact with
a third party directory server (it's a standard implementation that can be
accessed with ldapsearch, ldapadd, etc). Is it possible to use ldapsam
with an LDAP directory that's not running under OpenLDAP?
Yes; I've
I don't use MS products at all, so I have very little knowledge with them,
but I believe Microsoft has a protocol where Internet Explorer can
automatically authenticate against an IIS server, and given that the server
and client are on the same NT domain, and the client user is logged in
I am using a Samba PDC with OpenLDAP.
After updating my Samba 2.2.7 to version 3.0.7, I encountered the
following problem : All my Windows-clients are able to logon to the Domain
but it takes several minutes until the Client finally is logged on. If I
try to open a directory that is
Hi guys, I have a working samba and openldap pdc which is actively being
tested. I have a group of users that have specific tools to use such as
oracle client tools (sqlplus etc). I tried to logon as a test user and run
the sqlplus but nothing happened, I tried adding this user to the local
[netlogon] is a special share. I would guess Windows mounts it more than
once when user logins but you should see it then with 'log level = 5' as
'cmd=/home/samba/scripts/create-login-script.sh adrian.h' line in smbd
logs. Have you tried to put this 'root preexec' into [home] share instead?
objectclass ( 1.3.6.1.4.1.6921.1.18
NAME 'nssBisGroup'
DESC 'Adds POSIX Attributes To A GroupOfNames'
SUP top
AUXILIARY
MUST ( cn, gidNumber )
MAY ( userPassword, description )
)
Uh... gee, on second thought I don't see how this is going to work with
the
Hi, the simple answer is don't use suse firewall (iptables scripts are
easy to google )
and study more chapters from Samba Browsing
That's not very nice, the Suse 'firewall' is well written. And you can't
expect everyone to learn that much about packet filtering just to run samba.
And
As far as I know, it *HAS* to be done this way because the posixGroup
schema is way out of date (it won't take a dn as a member).
That is true, well the out of date part. It doesn't have to be done
this way.
This info
according to the gurus on the OpenLDAP list. In effect we have to keep
Could you explain your problem more?
On samba there are machine accounts for windows NT4, 2000, XP but no
separation between workstation and server and DC.
? A machine account is machine account, only WINS cares about the difference.
And also, there are no specific group for machine which are
It seems to me like - at least my - software raid can't dance Samba. I've
got a box with SUSE 9.1 (Linux datagarden 2.6.4-54.5-default #1 Fri May 7
16:47:49 UTC 2004 x86_64 x86_64 x86_64 GNU/Linux) and I've dld and compiled
Samba version 3.0.7-1.1-SUSE.
And as you might guess from the
Hi there! Is possible to install software on the Samba Server and make users
run that software from their workstations instead of installing locally? I
know that it could take down the network performance but it could be useful
for some little software like 7-zip, yahoo messenger, etc...
It
What I want to do is put one script on cron.daily to:
1. Clean all the files on the directories .recycle (see below) that are
older than 15 days.
\files\production\.recycle
\files\directory\.recycle
\files\it_teste\.recycle
\files\adm\sandra\.recycle
\files\testing\piedro\.recycle
I have some reservations about fedora - I just don't know how stable it
is for a production server (our services are mainly
samba/ldap/ntp/ssh/rsync/clamav) - we have about 15 samba servers in
production currently.
RHEL - well - the cost is a factor
gentoo - takes too long to deploy
Mandrake
I have a suggestion. I think you can partition off the groups by
putting them in sub OU's of your groups OU.
Yes, and you could partition those OUs across servers.
Alternatively you could use some Balancing Domain Controllers with
disconnected authentication. This entails setting up
The redXs mean the connection has been dropped probably due to idle
time, this is done in order to conserve resources on the server. This
is normal.
http://support.microsoft.com/default.aspx?scid=kb;en-us;297684
http://support.microsoft.com/default.aspx?scid=kb;EN-US;138365
I even have the
I've been using samba for a while, but I have no backups...
I'd just like something simple and effective, with some easy way to
Restore
files...
Any quick suggestion, please?
If you have ACL support enabled on your Samba server make sure your
backup solution supports backing up meta-data
Two quick questions:
1.
For a samba server what backend would produce the best performance with
samba. ldbm or bdb?
bdb performance will always be MANY ORDERS OF MAGNITUDE faster than
ldbm. And ldbm is deprecated anyway.
Make sure you're using a recent OpenLDAP version, not one of the
I saw the following log entry when connecting to a print share on a
Samba 3.0.7 box from a Windows 2000 client.
I assume the attempt to allocate 1Gb+ of RAM has got to be wrong?
[2004/09/14 11:07:14, 1] smbd/service.c:make_connection_snum(648)
pcladydeath (192.168.1.110) connect to service
We have just started to roll out Thinstation thin-clients that are
connecting to Win TSRV servers. What is being planned is 1 Terminal
Server per location. This will significantly reduce the administrative
nightmare on multiple Windows boxes and centralize it. However, this
is where I
I have noticed a few people post issues with 3.0.6 and I wonder if there is
a bug somewhere? I did run a trace using ethereal - when opening files,
packets just stopped between client and server except for a few keepalives.
The samba logs didn't contain much info for my level of knowledge
Hi, I want to understand the above terms, where can I find good
documentation please?
Any decent UNIX administration text, any decent NT administration text.
Or ftp://ftp.kalamazoolinux.org/pub/pdf/CIFSnPOSIX.pdf
That is a good reference. But any out there on the web that are freely
available?
Dozens, if not hundreds.
Since we updated to 3.0.6 we are having an oddity that the server IP
appears in printer UNCs rather than the IP address. For instance
printer \\barbel\grdps appears in the printer status box as 192.168.1.9
on grdps. It still works, but this is both odd and unsightly. DNS
forward and reverse is
I updated one of my file servers to 3.0.6, and while file serving is
improved (no M$-Office file already open messages), every time I access
a printer my logs flood with messages like to those below. It seems I
can set printer properties, etc... but when I print the jobs seem to go
to
Samba schema and related indices were added and containers created.
Added user xxx to LDAP database via phpLDAPadmin and executed
smbpasswd -a xxx -D 256
Besides the does not exist issues, the attribute sambaDomainName was added.
Are there additional containers and/or attributes
Where I remain unclear is the ldap password sync flag in smb.conf. If set to
yes, does a Windows NT/2K/XP user participating with Samba3 in a workgroup
(security=user) automatically have his or her password transparently
synchronized on the Samba box the next time he or she attempts to
I remain unclear regarding Samba and LDAP.
It appears that mkntpwd is required to generate a viable sambaNTPassword and
sambaLMPassword attribute values.
No.
But I believe I read that the current
incarnation of smbpasswd can accomplish this.
Yes, this is all done via the PDB backend.
I'm still looking for a possible integration of MIT K5 and AFS through
the windows login, so I will ask you a question.
A first considerations is that afs+k5 works fine but we have to create a
local account with a fake password. The profile will be on the local
disk. We can gain tickets and
I want to know exactly the principal functions of LDAP; if it is possible, send
me an example because I'm not very clear about this protocol with Samba.
Samba uses LDAP for the same purposes/reasons everything else does - a secure,
high-performance, highly available, hierarchical data repository.
There
I'm having a problem where I can gain the lock but the process is
still writing to the file.
If you're building a 'drop box' so to speak, where a process picks up
files after they are copied in, perhaps you want to look into hooking
for application into 'fam'
http://oss.sgi.com/projects/fam/
I've wondered that too. Samba gets better and this list seems to get less useful.
Excellent documentation is now available. MANY of the questions/topics
routinely posted to this list could be resolved if the posters availed
themselves of that resource.
We've implemented an extensive
I believe you need to build it against the openldap libraries, but then
you can point it against any LDAP server you wish once it's built. Of
course I haven't tried that, but it seems to be the consensus I've found.
Yes.
The consensus seems to be XFS but I'm not sure how proven this filesystem is
(I know SGI have used it since Irix 6.5 but that's a different OS).
Been using it for years under Linux 2.4.x, and now 2.6.x, never had a
lick of trouble.
I need quotas and would like acls, but most of all want a
I'm trying to install pam_ldap on my fedora core 1 machine. It is asking
for liblber.so and libldap.so dependencies even though I have them in
/usr/lib. Should I just go install it with out a dependencies? what is wrong
with this picture?
Why are you asking here and NOT on the pam_ldap list
I've read a lot of dated material about various registry hacks to make
various patch levels of XP Clients work.
NONE
Even Windows 2003 will merrily join a domain controlled by a recent version of
Samba. I know, I can show you one.
It
pwdLastSet: 1086920093
logonTime: 0
logoffTime: 0
kickoffTime: 0
pwdCanChange: 0
pwdMustChange: 0
RECAP -
samba controlled domain (2.2.8a) with an LDAP backend.
Everything was working snazzy, till I changed my password yesterday. Now when I log
in (win2k server sp4) I get the
Ok.. I figured a lot of this out... But I am lost on how to keep the UID and GIDs
identical.
How do I make sure system A uses the same IDs that system B will use?
winbind with idmap (see Samba HOWTO Collection) or better yet, NSS with
an LDAP backend.
Sorry.. One more email.. I tried to create the IDMAP container on the LDAP with an
example I found:
dn: ou=Idmap,dc=softeng,dc=com
objectClass: organizationalUnit
ou: idmap
structuralObjectClass: organizationalUnit
Try dropping the structuralObjectClass line, or either use objectclass
OR
I have a solaris machine running samba, and a lot of computers with
windows 2000. I need to generate a log file with the time when a user
logon into the machine and the time when the user logout.
Have you tried just capturing 03 (messenger) WINS registrations and
deregistrations via DNS hook?
Is Samba only a Windows File Server/Domain Controller, or can it act as terminal
server for windows clients too?
No, you need a M$ OS to be a M$ Terminal server (if you intend to run
M$ apps).
Is there any way to make it so that Samba3 with an LDAP backend doesn't need
to create local linux accounts to work? Thanks.
You *NEED* a POSIX account for each CIFS account, no way around that.
Just use NSS and store the POSIX accounts in LDAP along with the CIFS
accounts.
I'd like to ask you what do you limit Desktops syncing in case users
put large files on them, e.g. films.
Downloading / uploading such large files can generate lots of
unnecessary traffic. Is there any kind of filtering possible ?
Other solutions ?
Via policies, just like with a Windows
Does this mean that it would be impossible to create a Virtual Samba Server.
I currently use Slackware which does not use PAM so LDAP though NSS I don't
think is possible for me.
Nah. You don't need PAM. But NSS is part of glibc, so it would be
amazing if you couldn't use the
We are planing to move from Netware to Samba in the near future. The
trouble we have is that we have about 50 Microsoft servers in various
Domains and Workgroups. These will be brought into the new domain
structure when they are replaced (In the near future as well). If we
could then we
I hope someone can tell me what is the difference between a domain (who I am not
member of) and a workgroup in samba with the same name.
A lot. Consult a CIFS text.
logs look fine, reg.patches applied, uid=0 used, machines and users in
the same ou=Users ...
You don't need ANY registry patches to run a Samba PDC. Perhaps you're
using some bits of stale documentation. I recommend using the two Samba
PDF collections, and nothing else - too much out there is
WHAT I AM TRYING TO ACCOMPLISH: I want this one server to present
itself to Windows Networking as both ctstools and ftp such that
when clients browse to \\ctstools all they see is the [tools] share
and that when they browse to \\ftp they see whatever shares I place
there.
I'm missing
Yes, ntconfig.pol
OK, so we need to create a .pol file. It seems that the tools that
will do this for NT/2000 don't cope with XP because (as it was
explained to me) XP now supports a bigger, deeper registry and the
tools can't load the .adm files.
ntconfig.pol works fine for XP clients.
I was trying to restart my LDAP service and used /etc/init.d/slapd restart, but it
said slapd: unrecognized service. so I tried /etc/init.d ldap restart and it says
that restarts the service slapd [ok]. I tried to look for the service on webmin and
slapd doesn't even exist. Is the problem
I'm not a complete expert in this area, but if you try winbind it's got to
have a correctly configured kerberos client to contact the AD. Could you try
this but specify your MIT Kerberos kdc instead.
Samba cannot currently acquire Kerberos tickets on behalf of the client
Ahh well, worth a shot.
There is some development effort to integrate OpenLDAP, Samba,
Heimdal. So you will be able to do this someday.
Now, everything seems to be going down the pan, and it looks like the
problem is that XP has dropped support for 'old style' controls and
only supports Access Control Lists - so it seems to log in a user,
but then the permissions are all screwed as it can't get the info it
wants from the
Don't hi-jack threads!
I have a samba server 3.0.0-15 acting as a PDC on a
Windows domain (98, XP and 2000). Is there a way to
automatically install printers to windows clients
when users log in? Maybe by running a logon script...
Yes.
But I do have one request for help; is there a way in which I can allow users
connected to the Samba machine to change their Samba passwords via a web interface?
Or probably a command in which I can change it from Windows?
Ctrl-Alt-Del, Change Password
So, I want to set up each share so that it is only readable and writeable by
a single user. And so that only that user can see the share. What are the key
settings to achieve this kind of visibility and access control?
I have figured out most of my Samba issues on my own, but I have a
Asked this question with absolutely no response - seems it's a high
volume list ;-)
This has been answered many times.
Is there no way for unix crypt password - ntPassword conversion ?
No.
Just too strange - someone must have met the problem of moving
existing unix users to NT domain
http://www.math.gatech.edu/~dijuremo/ldap/
However, you can add Kerberos to your existing Samba LDAP server. That
is, if you run Heimdal 0.6.1 (or better still a snapshot) you can use
your sambaNTpassword as the type 23 encryption key, and have
linux/unix/OSX clients use kerberos.
Just
|pdbedit -c='[]' user will clear all flags
| Removing the 'U' flag is probably a bad idea (breaks some user manager
| function at least), so I would suggest
| pdbedit -c='[U]'
The U flag is set by default. I tested it before I sent the mail.
I get -
[EMAIL PROTECTED] root]# pdbedit -c='[U]'
well, on NDS and Netware you could give file system access rights to a
container and then all users in that container would inherit these rights.
BTW, Windows and AD also cannot do this.
This just doesn't conceptually exist in a windows domain; but you might be
able to use dynamic groups
How are you ?
Is tdb the standard passwd backend (/usr/local/samba/private/smbpasswd) ?
I suppose.
I'm looking at migrating my Samba-3.0.1 server which has the standard tdb
backend to Samba-3.0.2a with an LDAP backend.
I plan to use nss_ldap too.
What would be the best way of doing this ?
| I have a samba server which has a directory with 11764 files. (The
| program stores information about jobs and each job has 3 files,
| nothing I can do about it).
| When I do a listing of that directory using smbclient, it takes 15+
| seconds to complete, same thing on Windows XP.
| Does
Once an account gets the L flag set in sambaAcctFlags is there a
utility way to clear the lock on the account? I can clear the
sambaBadPasswordCount with pdbedit -z, but that leaves the account in a
locked state. I don't see any way to use pdbedit or smbpassword to
unlock an account (although I
pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new
users/groups, and will risk BDCs having inconsistant SIDs
Adam Tauno Williams
Network Systems Administrator
Morrison Industries
Grand Rapids, Mi. USA
to do
anything; valid users is a share only directive? Is there anyway to limit
logon access to a specific workstation via samba?
Adam Tauno Williams
Network Systems Administrator
Morrison Industries
Grand Rapids, Mi. USA
terribly
precise. I'd like to explain to my test users the kind of criteria their new
passwords have to meet.
Adam Tauno Williams
Network Systems Administrator
Morrison Industries
Grand Rapids, Mi. USA
Are there certain extras for paid distros if they run as server, or
are the distros only extra featured in terms of configuration.
In other words: are free versions as stable as their costly
counterparts?
Sometimes. Usually they have better support. Sometimes they have specially
Is there, on an intranet, any way to resolve the computername from
its ip
? I have a setup where I know which users are on which ip, and I
want to notify some events to some users with a smbclient -M. But
since I don't know the computername, I don't know any way to send
the
I have setup a samba PDC with ldap backends. I don't want to mess my LDAP
database with
machine accounts, I use it to auth UNIX and MAIL servers. Can some one give
me some good idea?
Put the machine accounts in a separate organizational unit or partition. I don't
see how they
after some investigation, I found out why my users always get an error
back when they try to change their passwords on win2k.
unix password sync option is enabled and passwords are synchronised via
passwd chat. All accounts are stored in ldap.
With the value of 2000 ms in
Looking at a Linux monitoring program -- I believe it's called XOSVIEW
- -- I
think I can see the problem.
Take a look at -
ftp://ftp.kalamazoolinux.org/pub/pdf/PerfTune2001.pdf
And use smbtorture to test your throughput to Samba after each tweak (BACKING UP
smb.conf BEFORE EVERY CHANGE,
O.K., I am not bound to ReiserFS, but I want to use a journaling
file system
and ACLs. What filesystems would You recommend? Or does somebody know a
solution for the problem with the ReiserFS?
I'm using XFS (currently 2.4.21 vanilla with XFS 1.3 patch) and I can
recommend it. Stable, fast and
I want to update samba 2.2.6 to 3.0.
I have samba-ldap installed.
I don't want to create all the machines again. What files do I have to save
from samba 2.2.6 to have all the machines in the domain after installed
you just need to maintain the same domain SID (and name of course)
Is anyone using Samba 3 in a production environment? If so what
version and how stable is it?
I'm running Samba3 RC4 in production and it's been running for over a
month with no hiccups.
We have five Samba 3.0.0 servers (one PDC, one print server, one fileserver, two
other misc. boxes) with