gmane.network.samba.general

Re: GPFS on Linux exported via Samba to Windows Clients, locking issue

steve — 2012-05-26T07:45:26

Hi Leanard

It seems to be program dependent. We can only get file locking to work 
with libreoffice, office 2010, gimp and inkscape. Anything else, and the 
file can be opened rw by anyone, even if it is open elsewhere.

I wonder why file locking only works with certain programs?
Cheers,
Steve

Splitting up directories with Samba variables

Heather Choi — 2012-05-26T03:16:47

In my smb.conf file, I currently I have a user share definition as:


[userdir]
     path = /samba/%U
     writeable = yes

The problem is, the user pool is in the tens of thousands, so it is not 
practical to have that many directories within /samba.
I'd like to somehow dynamically configure the path with subdirectories, 
using the first, and second letter of the username as the first and 
second nested subdirectory.
So the share path for username  "JOHN" would point dynamically to  
/samba/J/O/JOHN.

Does anyone know how to accomplish this using the user session variable 
%U?  Is there any concept of using a sub-string for a Samba variable?

GPFS on Linux exported via Samba to Windows Clients,locking issue

Leonard Degollado — 2012-05-24T17:52:26

I have a 3-node GPFS on Linux Cluster (3.4.0-12) with Samba 3.6.5
The problem  is with file locking across the Cluster.
Windows Client-1 maps the GPFS directory-1 from GPFS node-1 and initiates a
Write of File-1
Windows Client-2 maps the GPFS directory-1 from GPFS node-2 and should only
have READ access but not Modify/Delete/Rename access to File-1.

However, Windows Client-2 is able to Modify, Delete and Rename File-1
instead of being prevented by the locks.

If both Windows Clients (1 and 2) both map to GPFS node-1, the locking
mechanism works as designed.  Client-2 can Read but cannot
Modify/Delete/Rename File-1.
What are all the required parameters that should be specified in the
smb.conf file to enable the locking to work across the GPFS Cluster when
various Clients map to different nodes?

I have defined and tested every smb locking parameter combination without
any success.



Leonard

errors during samba 3.6.5 compile

Derek Lewis — 2012-05-25T18:24:19

Hello,

I am trying to compile Samba 3.6.5 from the official tarball, I am
following the how-to from samba.org and run into several errors like the
following example when I try to run configure from the source3 directory:
configure: failed program was:
| /* confdefs.h */

I am running Ubuntu 10.04 LTS server edition.

I have compiled a previous version and ran into a similar problem, I
suspect I am missing some libraries.

Derek

Re: Basic questions regarding Samba capabilities

steve — 2012-05-25T17:34:44

Hi
Is there "Group Policy Management Console" on a Linux DC? Without being 
an LDAP expert that is.
Cheers,
Steve

Re: Basic questions regarding Samba capabilities

Jeremy Allison — 2012-05-25T17:20:24

Sure, use openldap as a backend and replicate. Been a while
since I had anything to do with that but that's how it's
traditionally been done.

Jeremy.

Re: Basic questions regarding Samba capabilities

Lukasz Zalewski — 2012-05-25T16:26:19

Hi Jorell,
On 25/05/12 16:57, Jorell wrote:

We have been running samba4 in production environment for almost two 
years. Our setup is quite basic, single S4 DC, and s3 member servers for 
file serving and printing.
We have ~300 pc's (almost all Windows 7) and ~2500 users

But you probably will need more elaborate setup.

Windows RAT will do the trick:
http://wiki.samba.org/index.php/Samba4/HOWTO#Step_1:_Installing_Windows_Remote_Administration_Tools_onto_Windows

Re: Problem joining to a Samba PDC (Probably caused by "unix charset")

Jeremy Allison — 2012-05-25T16:10:37

We think this is bug #8373

https://bugzilla.samba.org/show_bug.cgi?id=8373

for which we have a patch currently undergoing test. With more testing it'll
be fixed in the next 3.6.x release.

Jeremy.

Re: Basic questions regarding Samba capabilities

Jorell — 2012-05-25T15:57:30

 >
 From reading the mailing list, people using S4 for it's Active 
Directory have had great success, it's when they try to use the file 
server side of things is when they have problems.
Also Samba 4 ADS is interchangeable with Windows Server ADS.
To manage group policies you install "Group Policy Management Console" 
(gpmc.msi) on a windows workstation connected to the domain.

Re: Basic questions regarding Samba capabilities

Jason Voorhees — 2012-05-25T14:49:12

Hi:

On Mon, May 21, 2012 at 8:01 AM, Daniel Müller <mueller< at >tropenklinik.de> wrote:

Is this possible to implement with Samba 3.x?

Re: Basic questions regarding Samba capabilities

Jason Voorhees — 2012-05-25T14:48:30

Hi, thanks for your reply:

On Mon, May 21, 2012 at 7:51 AM, Aaron E. <ssureshot< at >gmail.com> wrote:

Actually I was thinking about using a stable version of Samba like
3.x. I know that Samba 4 is still being developed for many years. Do
you really suggest me to use this alpha version of Samba4 for a
critical environment like the one I described? It would be great to
have an Open Source ADS implementation with Samba4 but for now I think
I can just get as much as possible of features that Samba 3.x can
offer me.


What tool do you use for edit/create policies? I was reading a little
about the native MS Windows 2000 tool for policy editing but if you
suggest me to use Samba4 I believe you could recommend me to use the
Windows 2003/2008 policy editor or something like that?



I'm sorry but I have never heard about RODCs before. Are they read
only primary or backup domain controller? How do they work?


Thanks for all

Re: exported LDAP DB > file > smbpasswd?

Gaiseric Vandal — 2012-05-25T14:17:00

I understand what you are trying to accomplish.

However I do not know which LDAP field is used for the "pGina"
password-  I believe it is "userPassword" but I am not sure.

If seems to me you have three options

1.  Crack the unix passwords so you can create matching windows passwords.
2.  Configure Samba and your Windows clients to use plain text
authentication so that your "unix" passwords can be used for authentication.
3.  Prior to switching users to samba, have them create their "samba"
passwords.  Or you may have to set an initial password for each user. 

 

If I were to try to have users set their samba passwords, I would
probably try to set up a web page that validates their login against the
current non-samba password (Plaintext auth over SSL encryption ) , then
passes the password and user name to a script to set their samba password. 



It would be simpler if the Windows machines were in a Samba domain - but
that may be tricky to do. 



On 05/25/12 09:57, aurfalien wrote:

Re: exported LDAP DB > file > smbpasswd?

aurfalien — 2012-05-25T14:02:56

I would also like to add that since Samba and in effect Windows does not behave like Nix with regards to who you are and what you are trying to do, looks like I will have to integrate PDC functionality into my LDAP server :(

Man, this easily quadruples my over all LDAP database, gross.

But at least SSO will work.

Am I on the right track?

- aurf

On May 25, 2012, at 9:44 AM, Gaiseric Vandal wrote:

Re: exported LDAP DB > file > smbpasswd?

aurfalien — 2012-05-25T13:57:11

I am using pGina for authing, correct.

But when I map drive shares, I'll need some kind of authing mechanism.

My desire was this;

Since I already auth the user during there pGina login to Windows, I did not want to auth again for drive mapping to a Samba server.

But... since this SSO doesn't carry through to Samba as the Samba file server does not know who this person is requesting a drive map, they will need to input credentials.

What I would really LOVE is this;

Since authing has already been taking care of during log in, to be able to map a drive as that user w/o needing the input a password.

This way whatever they touch on the server will maintain there UID/GID or UGO rather.

This in effect will make Samba act as NFS in a way with regards to security (who are you and what are you allowed to do).

- aurf




On May 25, 2012, at 9:44 AM, Gaiseric Vandal wrote:

Re: exported LDAP DB > file > smbpasswd?

Gaiseric Vandal — 2012-05-25T13:44:15

pbdedit will export the "Windows" password from the "SambaNTPassword"
field (won't it?)

My understanding was the pGina was using the unix password in the
"userPassword"  field?    Or am I wrong?




On 05/25/12 09:36, aurfalien wrote:

Re: exported LDAP DB > file > smbpasswd?

aurfalien — 2012-05-25T13:36:45

Now thats brilliant, elegant and simple.

Thanks Collen, looking forward to trying it.

- aurf
On May 25, 2012, at 2:31 AM, Collen wrote:

Can't join samba4 as domain controller

Juan Pablo Lorier — 2012-05-25T13:25:22

Hi,

I'm trying to join samba 4 alpha 20 to my windows 2003 AD domain and I get this error:

Adding SPNs to CN=SAMBADC1,OU=Domain Controllers,DC=montecarlotv,DC=com,DC=uy
Setting account password for SAMBADC1$
Enabling account
Calling bare provision
Join failed - cleaning up
checking sAMAccountName
Deleted CN=SAMBADC1,OU=Domain Controllers,DC=montecarlotv,DC=com,DC=uy
Deleted
 CN=NTDS 
Settings,CN=SAMBADC1,CN=Servers,CN=Nombre-predeterminado-primer-sitio,CN=Sites,CN=Configuration,DC=montecarlotv,DC=com,DC=uy
Deleted CN=SAMBADC1,CN=Servers,CN=Nombre-predeterminado-primer-sitio,CN=Sites,CN=Configuration,DC=montecarlotv,DC=com,DC=uy
ERROR(exceptions.NameError): uncaught exception - global name 'all' is not defined
  File "/usr/local/samba/lib64/python2.4/site-packages/samba/netcmd/__init__.py", line 160, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.4/site-packages/samba/netcmd/domain.py", line 179, in run
    machinepass=machinepass)
  File "/usr/local/samba/lib6

Re: Samba4 : Problem setting folder and file permissions from windows box

François Moyson — 2012-05-25T13:19:38

Hi,

Thanks for pointing me to this bug. I'm not sure whether it's the same 
thing happening here though.
Because at first everything was running fine. The only thing I did was 
backing up the sytem using rsync, which
did not preserve the extended attributes.

But as I said, copying those extended attribute back on homes and other 
folders didn't fix the issue either.
I may try to reboot the system maybe, but I also have another idea in 
the meantime :

I see that the linux to windows accounts mapping is still working, for 
example the "profiles" folder have users ownership like 3000029,
and the map correctly to AD users in windows.

So I might as well create linux groups including those numerical user 
IDs, and apply them directly from command line in linux to files and 
folders,
instead of using windows explorer and security tab.
And it would also solve the backups issue. Because I realize that my 
"rsnaphot" incremental backups don't save those xattributes eiter...

I will look into it further into it, po

Enabling winbind idmap_hash module

Marc Rechté — 2012-05-25T12:38:12

Hello,
I am using samba 3.5 (Red Hat Linux 6) which comes with idmap_hash plugin.

I have put the following in smb.conf:
    workgroup = WORKGROUP
    password server = *
    security = domain
    idmap backend = hash
    idmap uid = 500-33554431
    idmap gid = 500-33554431
    winbind nss info = hash
    winbind normalize names = yes
    idmap_hash:name_map = /etc/samba/name_map.cfg
    template shell = /bin/bash
    winbind use default domain = false
    winbind offline logon = no
    winbind enum users = true
    winbind enum groups = true
    log level = winbind:3

An abstract of /etc/samba/name_map.cfg is:
ntadmins=WORKGROUP\Domain Admins


I restarted winbind.

The problem is that the following command gives:
# getent group "WORKGROUP\Domain Admins"
WORKGROUP\domain_admins:*:16777224:

Instead of something like:
ntadmins:x:503:

The same problem with getent passwd.

I noticed that whatever value I put  for idmap backend (event a xrong 
value), it does not change anything nor produces any error message

Re: Samba as member of multi domain AD (nss/pam)

NdK — 2012-05-25T12:34:57

Il 25/05/2012 09:57, Marcel Ritter ha scritto:

Add winbind to /etc/nss.conf (passwd and group lines). Then use idmap
rid for the domains you're interested in (and tdb fot eventual others):
        idmap backend = tdb
        idmap uid = 10000-99999
        idmap gid = 10000-99999
        idmap config PERSONALE:backend = rid
        idmap config PERSONALE:base_rid  = 500
        idmap config PERSONALE:range = 100000 - 49999999
        idmap config STUDENTI:backend = rid
        idmap config STUDENTI:base_rid  = 500
        idmap config STUDENTI:range = 50000000 - 99999999
Users and groups in PERSONALE and STUDENTI are consistent across all
servers, while other domains receive "first come first served" ids.

Neither did I.
I tried really hard with:
        idmap domains = PERSONALE STUDENTI
        idmap config PERSONALE:default = no
        idmap config STUDENTI:default = yes
To make 'STUDENTI' the default domain while the server is joined to
'PERSONALE', but it didn't work. Maybe someone have a clue.

I'm i

Re: multi home dir locations

Collen — 2012-05-25T11:17:57

Hmm, i played around with this nss_ldap, also with the rfc2307 from winbind
looks all nice, but samba4 does not have posix scheme loaded
and filled for users by default.

if i make a new user, it will not have the posix attributes.
and the attributes are not auto set (no uid, gid)

so yeh it can go around the problem, but creates a bunch of new ones
to bad we can't do the nss_ldap mapping within winbind.
since it's only the (unix)homedir we're after at.

thx anny way...

Collen

On 24-5-2012 19:11, steve wrote: