min / Websmith . 800.441.3873 x130
Photo Craft Imaging . 3550 Arapahoe Ave. #6
http://www.pcraft.com . . .. Boulder, CO 80303, U.S.A.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba
At 11:22 AM 5/11/2007, Don Meyer wrote:
At 07:17 AM 5/11/2007, simo wrote:
> Afterward, testing the UID mappings that should have been established
> (by 'getent passwd {username}') results in allocation of a new number.
I need to know what error you get, I have no errors in
redhat conference. Jerry has shown me the proper way
to build fresh RPMs from the SVN tree with *all* the patches -- I'll
plan on building fresh from this and also tearing down and starting
the LDAP fresh, so I can get clean results later this
afternoon/evening. We
At 04:40 PM 5/9/2007, simo wrote:
On Fri, 2007-05-04 at 19:14 -0500, Don Meyer wrote:
> At 06:00 PM 5/4/2007, simo wrote:
> >Sorry for the problem, this slipped through during recent patches to fix
> >the sid checking layer violation and the idmap offline code.
>
> No pr
s not. (Cached) Running 'getent passwd user2'
opens another session, etc. This occurs whether the UID is already
present, or if it needs to be added new.
If you need more information on any of this, just let me know. It
seems so close... ;-)
Cheers,
-D
Don Meyer
mp file I had just created, and received the same long string of
errors. Thus, I suspect there is something not quite right in the
'net idmap restore' functionality...
Cheers,
-D
Don Meyer <[EMAIL PROTECTED]>
Network Manager, ACES Academ
At 08:30 AM 5/3/2007, simo wrote:
On Mon, 2007-04-30 at 23:35 -0500, Don Meyer wrote:
[..]
> This system NFS mounts the remote file storage resource on a backend
> RHEL4 server. The public facing web frontends also mount these same
> resources. Here is where things get hinky -- s
n = cn=sambaadmin,dc=aces-web
idmap config ALLDOMAINS:ldap_base_dn = ou=idmap,dc=aces-web
idmap config ALLDOMAINS:backend = ldap
idmap config ALLDOMAINS:default = yes
create mask = 0664
directory mask = 02775
inherit permi
one can offer will be extremely welcome.
(Frankly, even just hearing that someone else is seeing a similar
problem would be welcome at this point... ;-)
Thanks,
-D
Don Meyer <[EMAIL PROTECTED]>
Network Manager, ACES Academic Computing Facility
ads
join' with Domain Admin credentials...(Even up through 3.0.25rc3)
Don Meyer <[EMAIL PROTECTED]>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology an
he 3.0.23c level, IIRC. (maybe
3.0.23b?) That explains the version differences you are seeing.
The gotcha is that I get this failure despite attempting the 'net ads
join' with Domain Admin credentials...(Even up through 3.0.25rc3)
-D
Don Meyer
ers, but a real solution
to the problem would be most welcome !
--
Ole Holm Nielsen
Department of Physics, Technical University of Denmark
Don Meyer <[EMAIL PROTECTED]>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES Tel
ficient/lib/security/$ISA/pam_unix.so likeauth
nullok use_first_pass
auth required /lib/security/$ISA/pam_deny.so
Cheers,
-D
Don Meyer <[EMAIL PROTECTED]>
Network Manager, ACES Academic Computing Facility
Technical System Manage
ers = @"BENCHCAN\domain users"
Although this will give all your users access to / which doesn't seem
like a good idea, but I assume this is just for testing.
Don't forget the necessary modifications to nsswitch.conf:
passwd: files winbind
by searching the samba
list archives for "SELinux".
Cheers,
-D
Don Meyer <[EMAIL PROTECTED]>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Com
le AD groups to this group. Winbind should do
the magic beyond this point.
Adjust your pam_succeed_if.so line for this new gid once it
propagates through winbind, and you should be all set...
Cheers,
-D
Don Meyer <[EMAIL PROTECTED]>
Netw
Don Meyer <[EMAIL PROTECTED]>
Network Manager, ACES Academic Computing F
y know why?
Howard.
Don Meyer wrote:
Well, I didn't see the last bit you describe, but I don't run
RFC2307 (yet). We were bit by very similar behavior when moving from
3.0.22 to the 3.0.23 RC's. Turns out that the use-default-domain
option is not being universally applied to groups
Sid +cohtech does not start with 'S-'.
and the users get rejected. If I declare the user directly then
access is allowed.
This server gets its group database from the AD controllers via RFC2307.
Anybody know why group expansion may be broken in 3.0.23?
Don Meyer
based packages, and as long as it is documented
somewhere, is trivial/easy to undo for someone who wants to modify
their SELinux config later.
This also reminds me that I've been wanting to write up a similar
patch to handle the selinux chcons for the /var/cache/samba/
At 01:15 PM 7/13/2006, Gerald (Jerry) Carter wrote:
Don Meyer wrote:
> Were it up to me, I'd post the RPMs for RHEL with
> a prominent disclaimer on the support issue. (But
> then I'd probably want to separate builds
> for
't aware of the
improved ability to build RHEL packages from the tarball, and they
only see the complete lack of RHEL binary packages as non-support for RHEL.
And I think a CentOS "branch" symlinked to the RHEL branch, or
vice-versa, would be a nice recognition of
--
* cd ../..
(should be /etc/selinux/targeted/src/policy/ )
* run the command: "make load"
This will load some additional rules that will allow winbindd to run
without any (significant) AVC errors. This should only need to be done once.
Don Meyer
tations of this "fix"...
Don Meyer <[EMAIL PROTECTED]>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services
"They that c
At 08:15 PM 7/10/2006, Gerald (Jerry) Carter wrote:
Don Meyer wrote:
> My question though is what are the ramifications of
> a similar situation: Where the CNAME might be
> dynamically moved to point to another system's base
>
ffected from a Samba-based system, in order to avoid the need
for commands run at the DC? (I suppose if the setting(s) could be
safely preloaded for each server/object that might host a particular
service address, then this remote capability might not be quite so
necessary...)
I look forward
ace that displays a user's queued jobs and allows release &
selection of billing code, etc. should also be do-able with enough
time and resources.)
Cheers,
-D
Don Meyer <[EMAIL PROTECTED]>
Network Manager, ACES Academic Computing Facili
using the NET [ADS|RPC] utility. But I don't see a way to
either create the user with home directory / logon script preset, or
to change these settings after user creation. Am I missing something?
TIA,
-D
Don Meyer <[EMAIL PROTECTED]>
N
27;t wait for
this to be fixed.
Volker
Don Meyer <[EMAIL PROTECTED]>
Network Manager, ACES Academic Computing Facilit
I can shut down the smb & winbind services, run "setenforce
1" to re-enable SElinux enforcing mode, and then restart smb &
winbind. If all goes well, this should not generate any AVC errors...
Hope this helps someone...
-D
Don Meyer
they are even in SVN code for
the next version at this point.
Perhaps someone in the know could fill in the blanks and correct
anything that I've mis-recalled above...
-D
Don Meyer <[EMAIL PROTECTED]>
Network Manager, ACES Academic Comput
heck the membership of a
user in a group of another AD domain ?
I hope it is clear enough :)
This sounds like the same situation that has been
discussed here a bit in the past week or so. You
probably want to follow bug#3530 on https://bugzilla.samba.org.
Cheers,
-D
D
At 09:26 PM 3/3/2006, Gerald (Jerry) Carter wrote:
Don Meyer wrote:
> As far as trying to at least get Domain Local group handling fixed in
> winbind, I would suggest looking at Bug 3530 on bugzilla.samba.org.
> The more people that can show similar failure cases, the more likely
n't work at all unless the user is in the same domain as the group.
How do we get this escalated?
-Original Message-
From: Don Meyer [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 02, 2006 6:06 PM
To: Trimble, Ronald D; samba@lists.samba.org
Subject: Re: [Samba] Problem with Universa
EU\\inblr-auth1 not in required
group(s).
Does anyone else have something like this working? What am I doing
wrong?
Thanks,
Ron
ect_r:samba_share_t /data
drwxrwsrwx root root system_u:object_r:samba_share_t /data/public
I think this is a better solution than to have samba have access to any
new dir with default_t. What do you think?
-Louis
On Sat, 2006-02-25 at 23:43 -0600, Don Meyer wrote:
> Look at your AVC error (below) -- to
but doesn't work. I still get:
type=AVC msg=audit(1140923608.645:86): avc: denied { search } for
pid=3338 comm="smbd" name="/" dev=hda5 ino=2
scontext=root:system_r:smbd_t tcontext=system_u:object_r:default_t
tclass=dir
...
why does smbd_t
about /data/public access.
-Louis
On Fri, 2006-02-24 at 16:54 -0600, Don Meyer wrote:
> [Caveat: My systems are mostly RHEL4 based, I don't have a FC4
> system handy to verify paths & package names. But they should be
> somewhat close...]
>
> First, you need to identify w
t; path = /data/public
> > >> public = Yes
> > >> read only = No
> > >> browseable = Yes
> > >> guest ok = Yes
> > >> create mask = 2777
> > >>
> > >> I am able to browse the s
Mv1 on the domain controllers?" Can anyone speak to this?
Thanks much,
-Don
Don Meyer <[EMAIL PROTECTED]>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Infor
mins, I can't even access those share
folder. Do I have to change to
[Test2]
comment = Test
path = /usr/tmp/
valid users = "@Domain Admins", myaccount
readonly = Yes
write list = myaccount
Thanks
Alex
On Fri, 17 Feb 2006 13:29:50 -0600
Don M
s a domain separator,
you need to be very cognizant of where you need to properly escape
it. (I.E., use "\\" instead of just "\") I'm pretty sure that
"valid users =" is one of those places...
Cheers,
-D
Don Meyer
m.
Thank you.
*
Don Meyer <[EMAIL PROTECTED]>
Network Manager, ACES Academic Computing
be appreciated.
Don Meyer <[EMAIL PROTECTED]>
Network Manager, ACES Academic Computing Facility
Technical System Manager,
Don Meyer <[EMAIL PROTECTED]>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services
"
out. That is the key. Does
"getent passwd 'EU\inblr-auth1'" return anything?
What does wbinfo --sequence show?
Don Meyer <[EMAIL PROTECTED]>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES Tele
At 04:06 PM 2/15/2006, Craig White wrote:
On Wed, 2006-02-15 at 14:42 -0600, Gerald (Jerry) Carter wrote:
> Don Meyer wrote:
> > At 08:24 AM 2/15/2006, Gerald (Jerry) Carter wrote:
> >> Oliver Schulze L. wrote:
> >> > Hi,
> >> > I use CentOS4 (RHEL4) an
ed
via inclusion in the set specified on your "valid users=" line.)
E.g.
valid users = "@Domain Users"
write list = "@Subset_of_users"
Don Meyer <[EMAIL PROTECTED]>
Network Manager, ACES Academic Compu
Don Meyer <[EMAIL PROTECTED]>
/samba/.
Does this change in the packaging reflect a "sea change" towards use
of /var/lib/samba/ for the future? (I.E. Can we "expect" future
RHEL-distributed packagings to adopt use of /var/lib/samba/ as well?)
-D
Don Meyer
No
create mask = 0664
directory mask = 02770
inherit permissions = Yes
veto oplock files = /*.TTF/*.XLS/*.DOC/
[prod-W]
path = /export/prod/W
valid users = "@ITCS CSS Team", "@Domain Admins", IUSR_ACESWEB
admin users = &quo