tag:old.nabble.com,2006:forum-13150Nabble - Samba2009-11-23T20:13:48ZSamba is software that can be run on a platform other than Microsoft Windows, for example, UNIX, Linux, IBM System 390, OpenVMS, and other operating systems. Samba uses the TCP/IP protocol that is installed on the host server. When correctly configured, it allows that host to interact with a Microsoft Windows client or server as if it is a Windows file and print server. Samba home is <a href="http://samba.org/" target="_top" rel="nofollow">here</a>.tag:old.nabble.com,2006:post-26490247Re: [OT] Remote control powerboard2009-11-23T20:13:48Z2009-11-23T20:13:48ZKevin PuloOn Tue, Nov 24, 2009 at 12:17:19PM +1100, Rainer Klein wrote:
<br><br>> There are commercial products.
<br>>
<br>> In mid October, Aldi had on special "Digital Home System" product with 4
<br>> remote controlled powerboards and a simple remote. Each of those boards
<br>> consume less than 1 Watt and come with a build-in on-/off-switch.
<br><br>Do you know if there are any where the "simple remote" includes
<br>software monitoring and control, eg. usb/serial/whatever...?
<br><br>Kev.
<br><br>--
<br>.----------------------------------------------------------------------.
<br>| Kevin Pulo Quidquid latine dictum sit, altum viditur. |
<br>| <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26490247&i=0" target="_top" rel="nofollow">kev@...</a> _ll l_ng__g_e_ _r_ hi__ly p__d_ct__le. |
<br>| <a href="http://www.kev.pulo.com.au/" target="_top" rel="nofollow">http://www.kev.pulo.com.au/</a> God casts the die, not the dice. |
<br>`--------------- Linux: The choice of a GNU generation. ---------------'
<br><br /> <br />--
<br>linux mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26490247&i=1" target="_top" rel="nofollow">linux@...</a>
<br><a href="https://lists.samba.org/mailman/listinfo/linux" target="_top" rel="nofollow">https://lists.samba.org/mailman/listinfo/linux</a><br><div class="small"><br/><img src="http://old.nabble.com/images/icon_attachment.gif" > <strong>attachment0</strong> (196 bytes) <a href="http://old.nabble.com/attachment/26490247/0/attachment0" target="_top">Download Attachment</a></div><p>From forum: <a href="http://old.nabble.com/Samba---linux-f13154.html" embed="fixTarget[13154]" target="_top" >Samba - linux</a></p>tag:old.nabble.com,2006:post-26490168Re: Fwd: Vista laptop in Samba 3.3.4 domain suddenly trying to use roaming profiles?2009-11-23T19:51:12Z2009-11-23T19:51:12ZPaul VenzkeOn Mon November 23 2009 15:27, David Whitney wrote:
<div class='shrinkable-quote'><br>> Hi, and thanks for your interest!
<br>>
<br>> I am still using an smbpasswd backend because this is a very small
<br>> home network I maintain for my own educational purposes, although I
<br>> might migrate to LDAP at some point for the same reason.
<br>>
<br>> I have manually changed the troublesome profile type from roaming
<br>> to local, but when I logged back in from that same profile, it
<br>> switched back to roaming! The more I read about this bizarre
<br>> behavior, the more I start to suspect the possibility of malware or
<br>> virus, which is what I plan to investigate tonight.
<br>>
<br>> As far as the logon scripts go, the irony is that the script
<br>> actually fired from my admin-prived logon, but could not
<br>> access/load the "right" profile from the local box. They still
<br>> don't fire from my desktop boxes. Per your question, I can access
<br>> and execute the scripts from the desktop with no problem. Per other
<br>> sources, it appears that the necessary privs to the netlogon
<br>> directory should be 755, (rwxr-xr-x), which is what I have set and
<br>> verified.
<br>>
<br>> Again, many thanks for your interest and suggestions.
<br>>
<br>>
<br>>
<br>> On Mon, Nov 23, 2009 at 1:16 PM, Gaiseric Vandal
<br>>
<br>> <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26490168&i=0" target="_top" rel="nofollow">gaiseric.vandal@...</a>>wrote:
<br>> > This happened to us when we switched from TDB to LDAP backend.
<br>> > (Samba 3.03x) I suspect that for some users sambaProfilePath
<br>> > may have had space character but wasn't actually null. For
<br>> > some users we just deleted the sambaProfilePath attribute.
<br>> >
<br>> > You may need to change the profile type on the users computer
<br>> > from roaming back to local. (On XP, right-click My Computer->
<br>> > Properties->Advanced->User Profiles.)
<br>> >
<br>> >
<br>> > Login scripts could be several things
<br>> > - share and file permissions for the netlogon directory
<br>> > should probably allow everyone read-only.
<br>> > - I usually add a "pause" command in the login script when
<br>> > troubleshooting
<br>> > - You need to specify the logon script as part of the user's
<br>> > account. (In LDAP, SambaLogonScript attribute I don't think you
<br>> > can a default logon script.
<br>> >
<br>> >
<br>> > From an XP session, can you go to the netlogon share and run the
<br>> > logon script?
<br>> >
<br>> > On 11/23/09 10:03, David Whitney wrote:
<br>> >> Grettings, all
<br>> >>
<br>> >> I have a bizarre problem on a laptop in my Samba 3.3.4 domain.
<br>> >> This domain includes a mixture of XP Pro and Vista Ultimate
<br>> >> clients.
<br>> >>
<br>> >> I had just completed a migration to this new domain (from a
<br>> >> Samba 2.2.8a domain), and all seemed happy and well - machines
<br>> >> had rebooted and were still active in the domain, users were
<br>> >> logging in with no problem, shares were working perfectly - all
<br>> >> over the span of a week or so - until last night.
<br>> >>
<br>> >> Trying to log into my wife's laptop (Vista Ultimate) under her
<br>> >> account, I got an odd message that said "Your roaming profile
<br>> >> was not completely synchronized. Please contact your
<br>> >> administrator." The only problem is I am *not* using roaming
<br>> >> profiles in my Samba domain! And this account had logged
<br>> >> into the domain several times on this laptop with no problem
<br>> >> after the migration.
<br>> >>
<br>> >> I looked on the home shares for the particular account, and
<br>> >> surely enough there is the "profile.V2" folder indicating what I
<br>> >> understand is the attempt
<br>> >> by a Vista box to build a first-time Vista-style roaming profile
<br>> >> on my Samba-defined user share. I logged in under a different
<br>> >> account that has admin privs, and sure enough, it tried to load
<br>> >> a roaming profile there, too.
<br>> >> That told me, additionally, that Vista thought this was the
<br>> >> first time this
<br>> >> user had logged into that box/domain, which was obviously
<br>> >> incorrect. The profiles for each user that had used until that
<br>> >> point were on the machine, intact.
<br>> >>
<br>> >> I've changed the local policy on that box to disallow roaming
<br>> >> profiles expressly, but now the local profiles that had been
<br>> >> working just fine are no
<br>> >> longer associated with their proper users, and I'm not sure how
<br>> >> to restore the association (or even if I can). I can browse the
<br>> >> machine remotely and copy the files from that local profile if I
<br>> >> have to, but I'd like to avoid it.
<br>> >> Could the learned folks here offer any suggestions on why this
<br>> >> laptop would
<br>> >> suddenly think it was supposed to use roaming profiles on my
<br>> >> non-roaming-profile Samba domain? Is there some mystery setting
<br>> >> in smb.conf
<br>> >> I might possibly have set (or perhaps deleted??) that would
<br>> >> leave Samba thinking was trying to use roaming profiles? Based
<br>> >> on late-night research, I
<br>> >> expressly set "logon path" to be blank in smb.conf, which is
<br>> >> supposed to disable Samba roaming profiles. It had not been
<br>> >> expressly set before. I have
<br>> >> logged into a desktop box and it worked normally.
<br>> >>
<br>> >> Appreciate any thoughts or suggestions. The desktop boxes, so
<br>> >> far, seem unaffected and are working normally. I'm thinking my
<br>> >> next step is to copy the files from the particular profile in
<br>> >> question, remove the machine from the domain, and then rejoin
<br>> >> it, but I'm not sure I still won't have the same
<br>> >> problem.
<br>> >>
<br>> >> The only other problem I've had in this migration was in getting
<br>> >> logon scripts to work (which I never did), but I don't think
<br>> >> this is related to that issue....and the fact that other than
<br>> >> scripts the domain was working fine is what really has me
<br>> >> puzzled.
<br>> >>
<br>> >> Any thoughts or suggestions appreciated.
<br>> >> -David
<br>> >
<br>> > --
<br>> > To unsubscribe from this list go to the following URL and read
<br>> > the instructions: <a href="https://lists.samba.org/mailman/options/samba" target="_top" rel="nofollow">https://lists.samba.org/mailman/options/samba</a></div>David;
<br>We have similar problems with Vista using the wrong profile. Although
<br>the situations that caused the problem are a bit different from yours
<br>the answer was to use "regedit" to adjust the profile path. Before
<br>you do this BACK UP the registry just in case you need to roll back.
<br><br>Use regedit to change this key:
<br><br>hkey_local_machine/software/Microsoft/WindowsNT/currentversion/Profilelist/<your
<br>users SID>/
<br><br>Local user have no entry: CentralProfile, if this is present I think
<br>just removing it will keep the machine from looking on the server.
<br>Make sure the entries here conform with the other local users. Make
<br>sure the "ProfileImagePath" points to the local profile:
<br>C:Users\<username>
<br>--
<br>PV
<br><br>"We have met the enemy and he is us"; Pogo
<br>--
<br>To unsubscribe from this list go to the following URL and read the
<br>instructions: <a href="https://lists.samba.org/mailman/options/samba" target="_top" rel="nofollow">https://lists.samba.org/mailman/options/samba</a><br><p>From forum: <a href="http://old.nabble.com/Samba---General-f62.html" embed="fixTarget[62]" target="_top" >Samba - General</a></p>tag:old.nabble.com,2006:post-26489851Re: samba 3.4.3 DC breaks Windows groups2009-11-23T19:06:34Z2009-11-23T19:06:34ZGaiseric VandalOn the assumption that Unix systems (solaris and linux) will not like spaces
<br>in names, I never created unix groups called "Domain Admins" and "Domain
<br>Users" etc. Instead I had created "smb_domadmins" and "smb_domusers" etc
<br>instead.
<br><br>I don't know if Windows systems actually pay attention to the name of the
<br>group (e.g. "Domain Admins") or just the SID (e.g. S-1-5-21-****-512.)
<br>We would have a similar issue with a group like "Human Resources" but not
<br>with "Marketing."
<br><br><br>On samba 3.0.x, setting "ldap group suffix" parameter is honored. On Samba
<br>3.4.x it seems to be ignored- instead samba seems to read the entire ldap
<br>tree (or at least from the "ldap suffix" parameter down.) "pbedit -Lv
<br>Administrator" on samba 3.4 will then complain about duplicate entries
<br><br>BDC2# pdbedit -Lv Administrator
<br>smbldap_search_domain_info: Searching
<br>for:[(&(objectClass=sambaDomain)(sambaDomainName=MYDOMAIN))]
<br>smbldap_open_connection: connection opened
<br>ldap_connect_system: successful connection to the LDAP server
<br>init_sam_from_ldap: Entry found for user: Administrator
<br>ldapsam_getgroup: Duplicate entries for filter
<br>(&(objectClass=sambaGroupMapping)
<br>(gidNumber=512)): count=2
<br><br><br><br>Since in this case if have both of the following objects in ldap
<br><br>dn: cn=Domain Admins,ou=smb_groups,o=mydomain.com
<br>objectClass: posixGroup
<br>objectClass: sambaGroupMapping
<br>objectClass: top
<br>cn: Domain Admins
<br>description: Domain Admins
<br>displayName: Domain Admins
<br>gidNumber: 512
<br>sambaGroupType: 2
<br>sambaSID: S-1-5-21-******-512
<br><br>AND
<br><br>dn: cn=smb_domadmins,ou=group,o=mydomain.com
<br>objectClass: top
<br>objectClass: posixGroup
<br>objectClass: sambaGroupMapping
<br>objectClass: groupOfUniqueNames
<br>cn: domadmins
<br>description: domadmins
<br>displayName: domadmins
<br>gidNumber: 512
<br>memberUid: Administrator
<br>.
<br>sambaGroupType: 2
<br>sambaSID:
<br>...
<br><br><br>I also noticed the following
<br><br>Output from pdbedit on samba 3.4.x includes
<br><br> ldapsam_getgroup
<br><br>Output from pdbedit on samba 3.0.x includes
<br><br> init_group_from_ldap
<br><br><br><br>I am not sure if that is somehow related.
<br><br>Thanks
<br><br><br><br><br><br><br><br>-----Original Message-----
<br>From: Gaiseric Vandal [mailto:<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26489851&i=0" target="_top" rel="nofollow">gaiseric.vandal@...</a>]
<br>Sent: Monday, November 23, 2009 4:41 PM
<br>To: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26489851&i=1" target="_top" rel="nofollow">samba@...</a>
<br>Subject: samba 3.4.3 DC breaks Windows groups
<br><br>I have the following setup:
<br><br> PDC: Samba 3.0.37 on Solaris 10
<br> BDC1: Samba 3.0.37 on Solaris 10
<br> BDC2: Samba 3.4.3 on Solaris 10
<br><br><br>Samba 3.0.37 is the bundled version of Samba.
<br>Samba 3.4.3 is compiled from source.
<br><br>BDC2 is a recent addition to the network.
<br>All machine use LDAP as the backend for everything. They use winbind to
<br>handle a domain trust with another domain, but otherwise isn't needed.
<br><br>On BDC2, users do not appear to be in any groups beyond Domain Users.
<br><br><br>Group mapping seems OK on each DC.
<br><br>BDC2# net groupmap list
<br>Domain Admins (S-1-5-21-xxxxx-xxxxx-512) -> smb_domadmins
<br>Domain Users (S-1-5-21-xxxxx-xxxxx-513) -> smb_domusers
<br>Domain Guests (S-1-5-21-xxxxx-xxxxx9-514) -> smb_domguests
<br>Domain Computers (S-1-5-21-xxxxx-xxxxx-515) -> smb_machines
<br>Domain Controllers (S-1-5-21-xxxxx-xxxxx-516) -> smb_dc
<br>Domain Certificate Admins (S-1-5-21-xxxxx-xxxxx-517) -> smb_domcertadmins
<br>Builtin Admins (S-1-5-21-xxxxx-xxxxx-544) -> smb_admins
<br>Builtin users (S-1-5-21-xxxxx-xxxxx-545) -> smb_users
<br>Builtin Guests (S-1-5-21-xxxxx-xxxxx-546) -> smb_guests
<br>Administrators (S-xxxx-544) -> xxxx
<br>Users (S-xxxx-545) -> xxxx
<br>BDC2#
<br><br>The last two in the listing above were automatically created by
<br>winbind/idmap for a trusted domain.
<br><br><br><br>Unix level group memberships are OK
<br><br>BDC2# groups Administrator
<br>smb_domadmins smb_domusers
<br>BDC2#
<br><br>Windows/Samba level group memberships are not
<br><br>BDC2# net rpc user info Administrator -U Administrator -S PDC
<br>Enter Administrator's password:
<br>Domain Admins
<br>Domain Users
<br>BDC2#
<br><br><br>BDC2# net rpc user info Administrator -U Administrator -S BDC2
<br>Enter Administrator's password:
<br>Domain Users
<br>BDC2#
<br><br><br>Same deal with regular users
<br><br><br><br>Nt. Not all unix groups are mapped to Windows groups. However I
<br>believe all required "well known" windows groups are.
<br><br>Ldap structure includes
<br> ou=people
<br> ou=group
<br> ou=smb_groups (where samba stores group mappings, ldap
<br>objectClass=sambaGroupMapping)
<br><br><br><br><br><br>You can verify machine PDC or BDC is being used by an Windows client
<br>with the "echo %LOGONSERVER%" command.
<br><br><br>If I logon as Domain Administrator to an XP or Win 2003 machine that is
<br>using BDC2, I will not have any Administrator privileges.
<br><br><br>smb.conf includes
<br> ldap group suffix = ou=smb_groups
<br><br><br>(When I converted from tdb to ldap backend, I already had unix groups
<br>in ldap and wasn't sure how stuff would import. I don't think
<br>existing groups or group mappings imported so I had to manually retype
<br>the "net group map commands." )
<br><br>The "Domain Admins" sambaGroupMapping does include Administrator as a
<br>member.
<br><br><br><br>BDC2# net rpc group members "Domain Admins" -U Administrator -S PDC
<br>MYDOMAIN\Administrator
<br>MYDOMAIN\jsmith
<br><br><br>BDC2# net rpc group members "Domain Admins" -U Administrator -S BDC2
<br>Enter Administrator's password:
<br>MYDOMAIN\Administrator
<br>MYDOMAIN\jsmith
<br><br><br><br><br><br>Thanks
<br><br><br><br><br><br><br>--
<br>To unsubscribe from this list go to the following URL and read the
<br>instructions: <a href="https://lists.samba.org/mailman/options/samba" target="_top" rel="nofollow">https://lists.samba.org/mailman/options/samba</a><br><p>From forum: <a href="http://old.nabble.com/Samba---General-f62.html" embed="fixTarget[62]" target="_top" >Samba - General</a></p>tag:old.nabble.com,2006:post-26489708Re: PATCHS: manipulation of NT ACL in command line2009-11-23T18:46:22Z2009-11-23T18:46:22ZAndrew BartlettOn Fri, 2009-11-20 at 17:55 +0300, Matthieu Patou wrote:
<div class='shrinkable-quote'><div class='shrinkable-quote'><br>> Hello, this is a rework of this,
<br>>
<br>> 0001-s4-utils-recreate-setntacl-and-improve-setntacl.patch,Creation of
<br>> the setntacl utils which allow to set the NTACL from commandline from
<br>> its SDDL representation. It also add the option to export the NTACL as a
<br>> SDDL
<br>> 0002-s4-Create-torture-test-for-samba-utils.patch: This patch a simple
<br>> torture test for getntacl and setntacl.
<br>> 0003-s4-Create-a-library-for-xattr-python-bindings.patch: This patch
<br>> allow to create a .so with the python binding generated code for xattr.idl
<br>> 0004-s4-add-python-bindings-for-wrap_-s-g-etxattr.patch: This patch
<br>> allow to create a .so with the python binding generated code for xattr.idl
<br>> 0005-s4-Create-unit-tests-for-python-samba.xattr-module.patch: Unit
<br>> tests for the above stuff
<br>> 0006-s4-regroup-gpo-modification-in-one-function-set-acl-.patch: Use the
<br>> above functions for setacl on GPO objects.
</div></div>What happens on systems without the xattrs?
<br><br>You may need to skip the tests like we do on systems without gnutls
<br><br>Otherwise, the patch looks good.
<br><br>Jelmer: Any comments?
<br><br>Andrew Bartlett
<br><br>--
<br>Andrew Bartlett <a href="http://samba.org/~abartlet/" target="_top" rel="nofollow">http://samba.org/~abartlet/</a><br>Authentication Developer, Samba Team <a href="http://samba.org" target="_top" rel="nofollow">http://samba.org</a><br>Samba Developer, Cisco Inc.
<br><br><br /> <div class="small"><br/><img src="http://old.nabble.com/images/icon_attachment.gif" > <strong>signature.asc</strong> (196 bytes) <a href="http://old.nabble.com/attachment/26489708/0/signature.asc" target="_top">Download Attachment</a></div><p>From forum: <a href="http://old.nabble.com/Samba---samba-technical-f13164.html" embed="fixTarget[13164]" target="_top" >Samba - samba-technical</a></p>tag:old.nabble.com,2006:post-26489621Re: Commit: 1169dd3b50dfefa59b56cd1897bcd0b6c2ffb3be2009-11-23T18:31:45Z2009-11-23T18:31:45ZAndrew BartlettOn Mon, 2009-11-23 at 15:52 -0200, Crístian Viana wrote:
<br>> does the attached patch fix the problem? I'm not very familiar with talloc
<br>> memory stealing yet.
<br><br>It looks alright. I think it should consider that
<br>ldb_dn_alloc_linearized() might fail, and return an error in that case.
<br><br>Andrew Bartlett
<br><br>--
<br>Andrew Bartlett <a href="http://samba.org/~abartlet/" target="_top" rel="nofollow">http://samba.org/~abartlet/</a><br>Authentication Developer, Samba Team <a href="http://samba.org" target="_top" rel="nofollow">http://samba.org</a><br>Samba Developer, Cisco Inc.
<br><br><br /> <div class="small"><br/><img src="http://old.nabble.com/images/icon_attachment.gif" > <strong>signature.asc</strong> (196 bytes) <a href="http://old.nabble.com/attachment/26489621/0/signature.asc" target="_top">Download Attachment</a></div><p>From forum: <a href="http://old.nabble.com/Samba---samba-technical-f13164.html" embed="fixTarget[13164]" target="_top" >Samba - samba-technical</a></p>tag:old.nabble.com,2006:post-26489068Re: November Canberra Linux Users Group meeting [SEC=PERSONAL]2009-11-23T17:19:07Z2009-11-23T17:19:07ZRoppola, Antti - BRS-2<br>I *suspect* that infinitely configurable is easy, but getting that
<br>precisely tuned heat uniformly applied to every bean in your roaster is
<br>the harder part. That'd be a mechanical engineering or physics problem.
<br><br>Most roasters appear to fix this by randomising the beans so they don't
<br>linger in hot/cold spots. Like via a rotating drum or a hot air jet.
<br><br>Unfortunately I have other commitments that night so it looks like I'll
<br>miss out. :o(
<br><br>Antti
<br><br>-----Original Message-----
<br>Jm's friend commented:
<br><br>Even the pricey home roasters (Hottop for instance, ~$1700
<br><a href="http://www.dibartoli.com.au/product_details.asp?pid=340" target="_top" rel="nofollow">http://www.dibartoli.com.au/product_details.asp?pid=340</a>) are still
<br>pretty clunky in their temp control. Having something that is more
<br>infinitely configurable would be a good thing (and rather sellable, I
<br>would have thought).
<br><br><br>------
<br>IMPORTANT - This message has been issued by The Department of Agriculture, Fisheries and Forestry (DAFF). The information transmitted is for the use of the intended recipient only and may contain sensitive and/or legally privileged material. It is your responsibility to check any attachments for viruses and defects before opening or sending them on.
<br><br>Any reproduction, publication, communication, re-transmission, disclosure, dissemination or other use of the information contained in this e-mail by persons or entities other than the intended recipient is prohibited. The taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you have received this e-mail in error please notify the sender and delete all copies of this transmission together with any attachments. If you have received this e-mail as part of a valid mailing list and no longer want to receive a message such as this one advise the sender by return e-mail accordingly. Only e-mail correspondence which includes this footer, has been authorised by DAFF
<br><br>------
<br><br>--
<br>linux mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26489068&i=0" target="_top" rel="nofollow">linux@...</a>
<br><a href="https://lists.samba.org/mailman/listinfo/linux" target="_top" rel="nofollow">https://lists.samba.org/mailman/listinfo/linux</a><br><p>From forum: <a href="http://old.nabble.com/Samba---linux-f13154.html" embed="fixTarget[13154]" target="_top" >Samba - linux</a></p>tag:old.nabble.com,2006:post-26489193Re: [OT] Remote control powerboard2009-11-23T17:17:19Z2009-11-23T17:17:19ZBugzilla from rklein@tpg.com.auThere are commercial products.
<br><br>In mid October, Aldi had on special "Digital Home System" product with 4
<br>remote controlled powerboards and a simple remote. Each of those boards
<br>consume less than 1 Watt and come with a build-in on-/off-switch.
<br><br>If someone is interested, I can bring an example to our next meeting.
<br><br>Cheers,
<br><br>Rainer
<br><br>On Wed, 18 Nov 2009, David Schoen wrote:
<div class='shrinkable-quote'><br>> I bought a switch just like the one you've linked to from one of the
<br>> Hardware stores in Belconnen. Most hardware/electrical stores (I've
<br>> even seen a couple of supermarkets stocking them) should have
<br>> something like that.
<br>>
<br>> I didn't actually use my in line switch in line though.
<br>>
<br>> I had somethign like (excuse ascii art):
<br>> | Junction |
<br>> | box |
<br>>
<br>> Plug N ------------------- power board
<br>> E -------------------
<br>> A -------| |--------
<br>>
<br>>
<br>>
<br>> Switch
<br>>
<br>> Depending on the switch you should be easily able to block one end and
<br>> run both wires out one end of the switch. I think I had to reuse the
<br>> earth or the neutral terminator in my switch to avoid cutting/removing
<br>> bits of plastic, but from the outside it looks fairly normal. It's
<br>> been working for my Mum's lounge room set up for years now.
<br>>
<br>> If you want really simple, there's a Cabac PB80 [0] sitting under my
<br>> desk at work right now that I can easily turn on and off with my foot.
<br>>
<br>>
<br>> Cheers,
<br>> Dave
<br>>
<br>> [0] <a href="http://www.dealsdirect.com.au/p/power-surge-protector-8-outlets/" target="_top" rel="nofollow">http://www.dealsdirect.com.au/p/power-surge-protector-8-outlets/</a><br>>
<br>> 2009/11/17 Alex Satrapa <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26489193&i=0" target="_top" rel="nofollow">alexsatrapa@...</a>>:
<br>> > On 17/11/2009, at 08:55 , David Schoen wrote:
<br>> >> The simplest way is just to get a standard in line switch (like you
<br>> >> get on the cable running to a desk lamp) and run the active wire from
<br>> >> somewhere before it enters a power board and back again.
<br>> >
<br>> > That's the solution I was hoping to find, but I can't for the life of me
<br>> > find any extension cables that have inline switches. There are options
<br>> > for DIY though[1]!
<br>> >
<br>> > Guess I'll go for the inline switch option, since there's much less
<br>> > chance of losing the switch and not being able to turn off the power ;)
<br>> >
<br>> > Alex
<br>> >
<br>> > [1]
<br>> > <a href="http://www.electusdistribution.com.au/productView.asp?ID=2411&CATID=35&ke" target="_top" rel="nofollow">http://www.electusdistribution.com.au/productView.asp?ID=2411&CATID=35&ke</a><br>> >ywords=&SPECIAL=&form=CAT&SUBCATID=172
<br>> >
<br>> > --
<br>> > linux mailing list
<br>> > <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26489193&i=1" target="_top" rel="nofollow">linux@...</a>
<br>> > <a href="https://lists.samba.org/mailman/listinfo/linux" target="_top" rel="nofollow">https://lists.samba.org/mailman/listinfo/linux</a></div><br><br>--
<br>linux mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26489193&i=2" target="_top" rel="nofollow">linux@...</a>
<br><a href="https://lists.samba.org/mailman/listinfo/linux" target="_top" rel="nofollow">https://lists.samba.org/mailman/listinfo/linux</a><br><p>From forum: <a href="http://old.nabble.com/Samba---linux-f13154.html" embed="fixTarget[13154]" target="_top" >Samba - linux</a></p>tag:old.nabble.com,2006:post-26488530Re: migrating NT4 PDC net rpc vampire errors with capital letters2009-11-23T16:17:17Z2009-11-23T16:17:17ZJohn H Terpstra - Samba TeamRyan Davis wrote:
<div class='shrinkable-quote'><br>> Hi,
<br>>
<br>> I have searched for days on Google and can't find a clear answer to my
<br>> question. I have a NT4 PDC which I am migrating to Samba 3 (Version
<br>> 3.4.2-47.fc12) on FC12 with kernel(2.6.31.5-127.fc12.i686). I am using
<br>> tdbsam as my passdb backend.
<br>>
<br>> I setup Samba as a BDC and then joined to NT4 Domain succesfully. When I go
<br>> to vampire the accounts I get lots of errors and some user accounts get
<br>> transfered over. It turns that all the user accounts that transfer are
<br>> those that don't have a capital letter in their username on the NT4 domain
<br>> server. Most do and don't get transfered. There seems to be errors with my
<br>> groups and Computer accounts. I was able in the past to vampire all the
<br>> accounts (even capital letters) so any ideas would be great.
<br>>
</div><br>Some Linux systems will not allow creation of user or group accounts
<br>that have uppercase characters or spaces in them. OpenSUSE 11.2 does
<br>not have this limitation. Perhaps you can ask on the FedoraProject list
<br>to find how to disable the restriction against uppercase characters in
<br>user and group names. While it is an admirable intention of some Linux
<br>distros to stop users from creating stupid account names, when migrating
<br>from MS Windows this is a real handicap.
<br><br>- John T.
<br><div class='shrinkable-quote'><br>> Thanks in advance.
<br>>
<br>> Here is a type of error I get:
<br>>
<br>> Creating account: Ryan
<br>> useradd: invalid user name 'Ryan'
<br>> fetch_account: Running the command `/usr/sbin/useradd -m 'Ryan'' gave 3
<br>> Could not create posix account info for 'Ryan'
<br>>
<br>> I get this error for groups:
<br>>
<br>> Creating unix group: 'SophosDomainPowerUser'
<br>> groupadd: 'SophosDomainPowerUser' is not a valid group name
<br>> smb_create_group: Running the command `/usr/sbin/groupadd
<br>> 'SophosDomainPowerUser'' gave 3
<br>>
<br>> and for Computer names:
<br>> Creating account: LIMS1$
<br>> useradd: invalid user name 'LIMS1$'
<br>> fetch_account: Running the command `/usr/sbin/useradd -s /bin/false -d
<br>> /dev/null 'LIMS1$'' gave 3
<br>>
<br>>
<br>> Here is my smb.conf
<br>>
<br>> [global]
<br>> workgroup = GENOME1
<br>> netbios name = HERCULES
<br>> passdb backend = tdbsam
<br>> domain master = No
<br>> domain logons = Yes
<br>> os level = 40
<br>> add user script = /usr/sbin/useradd "%u" -n -g users
<br>> delete user script = /usr/sbin/userdel "%u"
<br>> add group script = /usr/sbin/groupadd "%g"
<br>> delete group script = /usr/sbin/groupdel "%g"
<br>> add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d
<br>> /nohome -s /bin/false "%u"
<br>> # username map = /etc/samba/smbusers
<br>> logon path =
<br>> logon home =
<br>> # wins support = yes
<br>>
<br>> [files]
<br>> comment = SAMBA File Server
<br>> path = /files
<br>> read only = No
<br>>
</div><br>--
<br>To unsubscribe from this list go to the following URL and read the
<br>instructions: <a href="https://lists.samba.org/mailman/options/samba" target="_top" rel="nofollow">https://lists.samba.org/mailman/options/samba</a><br><p>From forum: <a href="http://old.nabble.com/Samba---General-f62.html" embed="fixTarget[62]" target="_top" >Samba - General</a></p>tag:old.nabble.com,2006:post-26488444migrating NT4 PDC net rpc vampire errors with capital letters2009-11-23T16:09:24Z2009-11-23T16:09:24ZRyan Davis-5Hi,
<br><br>I have searched for days on Google and can't find a clear answer to my
<br>question. I have a NT4 PDC which I am migrating to Samba 3 (Version
<br>3.4.2-47.fc12) on FC12 with kernel(2.6.31.5-127.fc12.i686). I am using
<br>tdbsam as my passdb backend.
<br><br>I setup Samba as a BDC and then joined to NT4 Domain succesfully. When I go
<br>to vampire the accounts I get lots of errors and some user accounts get
<br>transfered over. It turns that all the user accounts that transfer are
<br>those that don't have a capital letter in their username on the NT4 domain
<br>server. Most do and don't get transfered. There seems to be errors with my
<br>groups and Computer accounts. I was able in the past to vampire all the
<br>accounts (even capital letters) so any ideas would be great.
<br><br>Thanks in advance.
<br><br>Here is a type of error I get:
<br><br>Creating account: Ryan
<br>useradd: invalid user name 'Ryan'
<br>fetch_account: Running the command `/usr/sbin/useradd -m 'Ryan'' gave 3
<br>Could not create posix account info for 'Ryan'
<br><br>I get this error for groups:
<br><br>Creating unix group: 'SophosDomainPowerUser'
<br>groupadd: 'SophosDomainPowerUser' is not a valid group name
<br>smb_create_group: Running the command `/usr/sbin/groupadd
<br>'SophosDomainPowerUser'' gave 3
<br><br>and for Computer names:
<br>Creating account: LIMS1$
<br>useradd: invalid user name 'LIMS1$'
<br>fetch_account: Running the command `/usr/sbin/useradd -s /bin/false -d
<br>/dev/null 'LIMS1$'' gave 3
<br><br><br>Here is my smb.conf
<br><br>[global]
<br> workgroup = GENOME1
<br> netbios name = HERCULES
<br> passdb backend = tdbsam
<br> domain master = No
<br> domain logons = Yes
<br> os level = 40
<br> add user script = /usr/sbin/useradd "%u" -n -g users
<br> delete user script = /usr/sbin/userdel "%u"
<br> add group script = /usr/sbin/groupadd "%g"
<br> delete group script = /usr/sbin/groupdel "%g"
<br> add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d
<br>/nohome -s /bin/false "%u"
<br># username map = /etc/samba/smbusers
<br> logon path =
<br> logon home =
<br># wins support = yes
<br><br>[files]
<br> comment = SAMBA File Server
<br> path = /files
<br> read only = No
<br>--
<br>To unsubscribe from this list go to the following URL and read the
<br>instructions: <a href="https://lists.samba.org/mailman/options/samba" target="_top" rel="nofollow">https://lists.samba.org/mailman/options/samba</a><br><p>From forum: <a href="http://old.nabble.com/Samba---General-f62.html" embed="fixTarget[62]" target="_top" >Samba - General</a></p>tag:old.nabble.com,2006:post-26488348Re: [IPA] Disabling Heimdal service2009-11-23T15:59:12Z2009-11-23T15:59:12ZAndrew BartlettOn Mon, 2009-11-23 at 12:56 -0500, Endi Sukma Dewata wrote:
<br>> Andrew,
<br>>
<br>> Please take a look at the attached patches. The first one is the
<br>> implementation of the proposal. The second one copies some additional
<br>> setup files into the install dir.
<br><br>I'm not sure on this. I'll push the ldap_backend_start.sh template into
<br>inline strings in the python code, I think it's too small and silly to
<br>bother having in a file.
<br><br>The copy of the schema is a bit more of a worry to me - where does it
<br>end up exactly?
<br><br>> The third one creates the default
<br>> location for custom LDB modules .so files.
<br><br>That seems reasonable.
<br><div class='shrinkable-quote'><div class='shrinkable-quote'><br>> ----- "Andrew Bartlett" <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26488348&i=0" target="_top" rel="nofollow">abartlet@...</a>> wrote:
<br>>
<br>> > > <a href="http://www.freeipa.org/page/Samba_4_Disabling_Heimdal_Service" target="_top" rel="nofollow">http://www.freeipa.org/page/Samba_4_Disabling_Heimdal_Service</a><br>>
<br>> > The approach of using 'kdc port = 0' to disable seems very reasonable.
<br>>
<br>> I updated the wiki page with some clarifications about the parameters.
<br>> In this proposal I'm using existing parameters "krb5 port" and "kpasswd
<br>> port". You'll need to set both to 0 to completely disable Heimdal ports.
<br>> Is this what you meant or should I add another "kdc port" parameter to
<br>> overwrite both?
</div></div>No, it was just too many acronyms for the hour of night :-)
<br><br>Your patch looks good, but I would prefer not to have two almost
<br>identical routines. Instead, can we parametrise the listener?
<br><br>ie, one 'listen on tcp and udp' function, which for kpassed (as an
<br>example) provides kpasswdd_tcp_stream_ops and kpasswdd_process as a
<br>parameter? (Bonus points for rationalising it down to just
<br>kpasswd_process).
<br><br>Thanks,
<br><br>--
<br>Andrew Bartlett <a href="http://samba.org/~abartlet/" target="_top" rel="nofollow">http://samba.org/~abartlet/</a><br>Authentication Developer, Samba Team <a href="http://samba.org" target="_top" rel="nofollow">http://samba.org</a><br>Samba Developer, Cisco Inc.
<br><br><br /> <div class="small"><br/><img src="http://old.nabble.com/images/icon_attachment.gif" > <strong>signature.asc</strong> (196 bytes) <a href="http://old.nabble.com/attachment/26488348/0/signature.asc" target="_top">Download Attachment</a></div><p>From forum: <a href="http://old.nabble.com/Samba---samba-technical-f13164.html" embed="fixTarget[13164]" target="_top" >Samba - samba-technical</a></p>tag:old.nabble.com,2006:post-26487910Re: November Canberra Linux Users Group meeting2009-11-23T15:18:56Z2009-11-23T15:18:56Zjm-13<br>Passing along a comment a friend made:
<br><br>I'd be interested to see what he's done... If somebody goes along,
<br>convince him to put some info up somewhere about it.
<br><br>There's plenty of ppl who datalog their roast temps vs time so that they
<br>can repeat a roast exactly (or almost exactly). I imagine he's PIDing
<br>the roast profile to get it to where he wants.
<br><br>Even the pricey home roasters (Hottop for instance, ~$1700
<br><a href="http://www.dibartoli.com.au/product_details.asp?pid=340" target="_top" rel="nofollow">http://www.dibartoli.com.au/product_details.asp?pid=340</a>) are still
<br>pretty clunky in their temp control. Having something that is more
<br>infinitely configurable would be a good thing (and rather sellable, I
<br>would have thought).
<br><br><br>Jeff.
<br><br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26487910&i=0" target="_top" rel="nofollow">chris@...</a> wrote:
<div class='shrinkable-quote'><br>>
<br>> Abstract:
<br>> Tridge will be demonstrating his Linux powered coffee
<br>> roaster.
<br>>
<br>> Tridge's description is simple yet profound: "It has a
<br>> bit of python, a bit of USB hackery, some circuit
<br>> building, a bit of control theory and of course coffee.
<br>> Should appeal to most geeks :-)" Please bring your own
<br>> coffee cup to sample the end product, as there will be
<br>> regular and decaf coffee available.
<br>>
<br>>
</div>--
<br>linux mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26487910&i=1" target="_top" rel="nofollow">linux@...</a>
<br><a href="https://lists.samba.org/mailman/listinfo/linux" target="_top" rel="nofollow">https://lists.samba.org/mailman/listinfo/linux</a><br><p>From forum: <a href="http://old.nabble.com/Samba---linux-f13154.html" embed="fixTarget[13154]" target="_top" >Samba - linux</a></p>tag:old.nabble.com,2006:post-26487566Re: including samba vfs module scannedonly in source tree2009-11-23T14:53:28Z2009-11-23T14:53:28ZVolker LendeckeOn Mon, Nov 23, 2009 at 10:18:05PM +0100, Olivier Sessink wrote:
<br>> Could you take a look at the code and see if things go in the right
<br>> direction? If so I'll branch, remove all the 3.0/3.2/3.4 compatibility
<br>> and create a 3.5-only version.
<br><br>Yep, that looks better. Thanks!
<br><br>Some more comments. Some of them are hints to make the code
<br>more readable, they would not be blockers for inclusion.
<br>Some are (IMHO) bugs.
<br><br>For example, one thing that helps in avoiding deep nesting
<br>is to do early returns in functions. For example, in
<br>construct_full_path(), the "else" branch is not required.
<br>You always return in the "if" branch, so you can shift the
<br>code in the "else" branch one tab left.
<br><br>Line 242 is missing a "return -1"?
<br><br>In line 310 you should check for the return value of
<br>connect_to_scanner() I think.
<br><br>Line 320 and 335: gcc does the clean tail recursion
<br>optimization, so you don't grow the stack, but other
<br>compilers don't. Can you turn that into a while loop?
<br><br>Line 342: We have "bool" for free_tmp.
<br><br>Line 436: Turning that into
<br><br>if ((retval == 0) && (sbuf1.st_mtime <= sbuf2.st_mtime)) {
<br> SAFE_FREE(cachefile);
<br> return 1;
<br>}
<br><br>reversing the if-condition and doing an early return gets
<br>rid of one indent and makes cleaner code. Similar for line
<br>566 for example.
<br><br>Line 830: Reverse the condition and do a continue;
<br><br>Volker
<br><br /> <div class="small"><br/><img src="http://old.nabble.com/images/icon_attachment.gif" > <strong>signature.asc</strong> (204 bytes) <a href="http://old.nabble.com/attachment/26487566/0/signature.asc" target="_top">Download Attachment</a></div><p>From forum: <a href="http://old.nabble.com/Samba---samba-technical-f13164.html" embed="fixTarget[13164]" target="_top" >Samba - samba-technical</a></p>tag:old.nabble.com,2006:post-26486830Re: [s4] My recent work2009-11-23T14:05:12Z2009-11-23T14:05:12ZAndrew BartlettOn Mon, 2009-11-23 at 15:20 +0100, Matthias Dieter Wallnöfer wrote:
<br>> Hi abartlet and other s4 developers,
<br>>
<br>> I would like to bring to attention my recent work:
<br>> - "const" patches: I did improvements over the last weekend and some
<br>> (those in common with s3) where merged - the s4 ones are outstanding:
<br>> <a href="http://repo.or.cz/w/Samba/mdw.git/shortlog/refs/heads/const" target="_top" rel="nofollow">http://repo.or.cz/w/Samba/mdw.git/shortlog/refs/heads/const</a><br><br>On these, I would still like a single, typesafe function that takes a
<br>(char **) and returns a (const char **), as then we don't risk missing a
<br>change in the type (rather than just the addition of a const).
<br><br>> - "operational" work: I changed the operational attributes to be
<br>> read-only through a indeed very simple patch - I hope that's enough:
<br>> <a href="http://repo.or.cz/w/Samba/mdw.git/shortlog/refs/heads/operational" target="_top" rel="nofollow">http://repo.or.cz/w/Samba/mdw.git/shortlog/refs/heads/operational</a><br><br>I'll push this shortly. I'll skip to 'remove useless init' however, as
<br>I've found a use for the init :-)
<br><br>> - "index counters": I corrected the patch for LDB
<br>> (<a href="http://repo.or.cz/w/Samba/mdw.git/commitdiff/8fec9b617e00dc577bdaebad45440a612c23cd15" target="_top" rel="nofollow">http://repo.or.cz/w/Samba/mdw.git/commitdiff/8fec9b617e00dc577bdaebad45440a612c23cd15</a>)
<br>> - hope to have fixed it according to your suggestions
<br><br>I've not looked at this yet.
<br><br>Thanks for putting these up for review!
<br><br>Andrew Bartlett
<br><br>--
<br>Andrew Bartlett <a href="http://samba.org/~abartlet/" target="_top" rel="nofollow">http://samba.org/~abartlet/</a><br>Authentication Developer, Samba Team <a href="http://samba.org" target="_top" rel="nofollow">http://samba.org</a><br>Samba Developer, Cisco Inc.
<br><br><br /> <div class="small"><br/><img src="http://old.nabble.com/images/icon_attachment.gif" > <strong>signature.asc</strong> (196 bytes) <a href="http://old.nabble.com/attachment/26486830/0/signature.asc" target="_top">Download Attachment</a></div><p>From forum: <a href="http://old.nabble.com/Samba---samba-technical-f13164.html" embed="fixTarget[13164]" target="_top" >Samba - samba-technical</a></p>tag:old.nabble.com,2006:post-26486760November Canberra Linux Users Group meeting2009-11-23T14:00:02Z2009-11-23T14:00:02ZChris Smart-7 Canberra Linux Users Group Meeting - 26th November 2009
<br> =======================================================
<br><br>Date: 26th November 2009 (Fourth Thursday of the month)
<br><br>Time: 19:00 - 21:00 (or when it finishes)
<br><br>Speaker: Andrew Tridgell
<br><br>Abstract:
<br> Tridge will be demonstrating his Linux powered coffee
<br> roaster.
<br>
<br> Tridge's description is simple yet profound: "It has a
<br> bit of python, a bit of USB hackery, some circuit
<br> building, a bit of control theory and of course coffee.
<br> Should appeal to most geeks :-)" Please bring your own
<br> coffee cup to sample the end product, as there will be
<br> regular and decaf coffee available.
<br>
<br>
<br>
<br><br>Venue: Room N101
<br> Computer Science and Information Technology Building
<br> North Road
<br> The Australian National University
<br><br> See <a href="http://clug.org.au/" target="_top" rel="nofollow">http://clug.org.au/</a> for more directions and a map
<br><br>Food/drink: Pizza and soft drink/juice. Come hungry, and bring
<br> about $6 to cover the cost of your share if you
<br> want some.
<br><br>If you would like to give a talk at a future meeting, please email me.
<br><br>--
<br>linux mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26486760&i=0" target="_top" rel="nofollow">linux@...</a>
<br><a href="https://lists.samba.org/mailman/listinfo/linux" target="_top" rel="nofollow">https://lists.samba.org/mailman/listinfo/linux</a><br><p>From forum: <a href="http://old.nabble.com/Samba---linux-f13154.html" embed="fixTarget[13154]" target="_top" >Samba - linux</a></p>tag:old.nabble.com,2006:post-26486416samba 3.4.3 DC breaks Windows groups2009-11-23T13:40:30Z2009-11-23T13:40:30ZGaiseric VandalI have the following setup:
<br><br> PDC: Samba 3.0.37 on Solaris 10
<br> BDC1: Samba 3.0.37 on Solaris 10
<br> BDC2: Samba 3.4.3 on Solaris 10
<br><br><br>Samba 3.0.37 is the bundled version of Samba.
<br>Samba 3.4.3 is compiled from source.
<br><br>BDC2 is a recent addition to the network.
<br>All machine use LDAP as the backend for everything. They use winbind to
<br>handle a domain trust with another domain, but otherwise isn't needed.
<br><br>On BDC2, users do not appear to be in any groups beyond Domain Users.
<br><br><br>Group mapping seems OK on each DC.
<br><br>BDC2# net groupmap list
<br>Domain Admins (S-1-5-21-xxxxx-xxxxx-512) -> smb_domadmins
<br>Domain Users (S-1-5-21-xxxxx-xxxxx-513) -> smb_domusers
<br>Domain Guests (S-1-5-21-xxxxx-xxxxx9-514) -> smb_domguests
<br>Domain Computers (S-1-5-21-xxxxx-xxxxx-515) -> smb_machines
<br>Domain Controllers (S-1-5-21-xxxxx-xxxxx-516) -> smb_dc
<br>Domain Certificate Admins (S-1-5-21-xxxxx-xxxxx-517) -> smb_domcertadmins
<br>Builtin Admins (S-1-5-21-xxxxx-xxxxx-544) -> smb_admins
<br>Builtin users (S-1-5-21-xxxxx-xxxxx-545) -> smb_users
<br>Builtin Guests (S-1-5-21-xxxxx-xxxxx-546) -> smb_guests
<br>Administrators (S-xxxx-544) -> xxxx
<br>Users (S-xxxx-545) -> xxxx
<br>BDC2#
<br><br>The last two in the listing above were automatically created by
<br>winbind/idmap for a trusted domain.
<br><br><br><br>Unix level group memberships are OK
<br><br>BDC2# groups Administrator
<br>smb_domadmins smb_domusers
<br>BDC2#
<br><br>Windows/Samba level group memberships are not
<br><br>BDC2# net rpc user info Administrator -U Administrator -S PDC
<br>Enter Administrator's password:
<br>Domain Admins
<br>Domain Users
<br>BDC2#
<br><br><br>BDC2# net rpc user info Administrator -U Administrator -S BDC2
<br>Enter Administrator's password:
<br>Domain Users
<br>BDC2#
<br><br><br>Same deal with regular users
<br><br><br><br>Nt. Not all unix groups are mapped to Windows groups. However I
<br>believe all required "well known" windows groups are.
<br><br>Ldap structure includes
<br> ou=people
<br> ou=group
<br> ou=smb_groups (where samba stores group mappings, ldap
<br>objectClass=sambaGroupMapping)
<br><br><br><br><br><br>You can verify machine PDC or BDC is being used by an Windows client
<br>with the "echo %LOGONSERVER%" command.
<br><br><br>If I logon as Domain Administrator to an XP or Win 2003 machine that is
<br>using BDC2, I will not have any Administrator privileges.
<br><br><br>smb.conf includes
<br> ldap group suffix = ou=smb_groups
<br><br><br>(When I converted from tdb to ldap backend, I already had unix groups
<br>in ldap and wasn't sure how stuff would import. I don't think
<br>existing groups or group mappings imported so I had to manually retype
<br>the "net group map commands." )
<br><br>The "Domain Admins" sambaGroupMapping does include Administrator as a
<br>member.
<br><br><br><br>BDC2# net rpc group members "Domain Admins" -U Administrator -S PDC
<br>MYDOMAIN\Administrator
<br>MYDOMAIN\jsmith
<br><br><br>BDC2# net rpc group members "Domain Admins" -U Administrator -S BDC2
<br>Enter Administrator's password:
<br>MYDOMAIN\Administrator
<br>MYDOMAIN\jsmith
<br><br><br><br><br><br>Thanks
<br><br><br><br><br><br>--
<br>To unsubscribe from this list go to the following URL and read the
<br>instructions: <a href="https://lists.samba.org/mailman/options/samba" target="_top" rel="nofollow">https://lists.samba.org/mailman/options/samba</a><br><p>From forum: <a href="http://old.nabble.com/Samba---General-f62.html" embed="fixTarget[62]" target="_top" >Samba - General</a></p>tag:old.nabble.com,2006:post-26486203Fwd: Vista laptop in Samba 3.3.4 domain suddenly trying to use roaming profiles?2009-11-23T13:27:41Z2009-11-23T13:27:41ZDavid Whitney-3 Hi, and thanks for your interest!
<br><br>I am still using an smbpasswd backend because this is a very small home
<br>network I maintain for my own educational purposes, although I might migrate
<br>to LDAP at some point for the same reason.
<br><br>I have manually changed the troublesome profile type from roaming to local,
<br>but when I logged back in from that same profile, it switched back to
<br>roaming! The more I read about this bizarre behavior, the more I start to
<br>suspect the possibility of malware or virus, which is what I plan to
<br>investigate tonight.
<br><br>As far as the logon scripts go, the irony is that the script actually fired
<br>from my admin-prived logon, but could not access/load the "right" profile
<br>from the local box. They still don't fire from my desktop boxes. Per your
<br>question, I can access and execute the scripts from the desktop with no
<br>problem. Per other sources, it appears that the necessary privs to the
<br>netlogon directory should be 755, (rwxr-xr-x), which is what I have set and
<br>verified.
<br><br>Again, many thanks for your interest and suggestions.
<br><br><br><br>On Mon, Nov 23, 2009 at 1:16 PM, Gaiseric Vandal
<br><<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26486203&i=0" target="_top" rel="nofollow">gaiseric.vandal@...</a>>wrote:
<br><div class='shrinkable-quote'><br>> This happened to us when we switched from TDB to LDAP backend. (Samba
<br>> 3.03x) I suspect that for some users sambaProfilePath may have had space
<br>> character but wasn't actually null. For some users we just deleted the
<br>> sambaProfilePath attribute.
<br>>
<br>> You may need to change the profile type on the users computer from roaming
<br>> back to local. (On XP, right-click My Computer-> Properties->Advanced->User
<br>> Profiles.)
<br>>
<br>>
<br>> Login scripts could be several things
<br>> - share and file permissions for the netlogon directory should probably
<br>> allow everyone read-only.
<br>> - I usually add a "pause" command in the login script when
<br>> troubleshooting
<br>> - You need to specify the logon script as part of the user's account.
<br>> (In LDAP, SambaLogonScript attribute I don't think you can a default logon
<br>> script.
<br>>
<br>>
<br>> From an XP session, can you go to the netlogon share and run the logon
<br>> script?
<br>>
<br>>
<br>> On 11/23/09 10:03, David Whitney wrote:
<br>>
<br>>> Grettings, all
<br>>>
<br>>> I have a bizarre problem on a laptop in my Samba 3.3.4 domain. This domain
<br>>> includes a mixture of XP Pro and Vista Ultimate clients.
<br>>>
<br>>> I had just completed a migration to this new domain (from a Samba 2.2.8a
<br>>> domain), and all seemed happy and well - machines had rebooted and were
<br>>> still active in the domain, users were logging in with no problem, shares
<br>>> were working perfectly - all over the span of a week or so - until last
<br>>> night.
<br>>>
<br>>> Trying to log into my wife's laptop (Vista Ultimate) under her account, I
<br>>> got an odd message that said "Your roaming profile was not completely
<br>>> synchronized. Please contact your administrator." The only problem is I am
<br>>> *not* using roaming profiles in my Samba domain! And this account had
<br>>> logged
<br>>> into the domain several times on this laptop with no problem after the
<br>>> migration.
<br>>>
<br>>> I looked on the home shares for the particular account, and surely enough
<br>>> there is the "profile.V2" folder indicating what I understand is the
<br>>> attempt
<br>>> by a Vista box to build a first-time Vista-style roaming profile on my
<br>>> Samba-defined user share. I logged in under a different account that has
<br>>> admin privs, and sure enough, it tried to load a roaming profile there,
<br>>> too.
<br>>> That told me, additionally, that Vista thought this was the first time
<br>>> this
<br>>> user had logged into that box/domain, which was obviously incorrect. The
<br>>> profiles for each user that had used until that point were on the machine,
<br>>> intact.
<br>>>
<br>>> I've changed the local policy on that box to disallow roaming profiles
<br>>> expressly, but now the local profiles that had been working just fine are
<br>>> no
<br>>> longer associated with their proper users, and I'm not sure how to restore
<br>>> the association (or even if I can). I can browse the machine remotely and
<br>>> copy the files from that local profile if I have to, but I'd like to avoid
<br>>> it.
<br>>> Could the learned folks here offer any suggestions on why this laptop
<br>>> would
<br>>> suddenly think it was supposed to use roaming profiles on my
<br>>> non-roaming-profile Samba domain? Is there some mystery setting in
<br>>> smb.conf
<br>>> I might possibly have set (or perhaps deleted??) that would leave Samba
<br>>> thinking was trying to use roaming profiles? Based on late-night research,
<br>>> I
<br>>> expressly set "logon path" to be blank in smb.conf, which is supposed to
<br>>> disable Samba roaming profiles. It had not been expressly set before. I
<br>>> have
<br>>> logged into a desktop box and it worked normally.
<br>>>
<br>>> Appreciate any thoughts or suggestions. The desktop boxes, so far, seem
<br>>> unaffected and are working normally. I'm thinking my next step is to copy
<br>>> the files from the particular profile in question, remove the machine from
<br>>> the domain, and then rejoin it, but I'm not sure I still won't have the
<br>>> same
<br>>> problem.
<br>>>
<br>>> The only other problem I've had in this migration was in getting logon
<br>>> scripts to work (which I never did), but I don't think this is related to
<br>>> that issue....and the fact that other than scripts the domain was working
<br>>> fine is what really has me puzzled.
<br>>>
<br>>> Any thoughts or suggestions appreciated.
<br>>> -David
<br>>>
<br>>>
<br>>
<br>> --
<br>> To unsubscribe from this list go to the following URL and read the
<br>> instructions: <a href="https://lists.samba.org/mailman/options/samba" target="_top" rel="nofollow">https://lists.samba.org/mailman/options/samba</a><br>>
</div>--
<br>To unsubscribe from this list go to the following URL and read the
<br>instructions: <a href="https://lists.samba.org/mailman/options/samba" target="_top" rel="nofollow">https://lists.samba.org/mailman/options/samba</a><br><p>From forum: <a href="http://old.nabble.com/Samba---General-f62.html" embed="fixTarget[62]" target="_top" >Samba - General</a></p>tag:old.nabble.com,2006:post-26485981Re: including samba vfs module scannedonly in source tree2009-11-23T13:18:05Z2009-11-23T13:18:05ZOlivier SessinkVolker Lendecke wrote:
<div class='shrinkable-quote'><br>> On Sun, Nov 22, 2009 at 01:00:54PM +0100, Olivier Sessink wrote:
<br>>> that is correct, I've tried to keep the VFS module as simple and generic
<br>>> as possible, it only uses a domain socket or it talks over UDP.
<br>>
<br>> Ok, thanks for that info.
<br>>
<br>>> Where can I find the new interface documentation?
<br>>
<br>> Nowhere, sorry. It's much as it was before: Look at the
<br>> examples in modules/vfs*.c
<br>>
<br>>> ok, I'll first correct these first pointers and send a
<br>>> corrected vfs module.
<br>>
<br>> Thanks! Looking forward to that!
</div><br>The latest revision
<br><a href="http://scannedonly.svn.sourceforge.net/viewvc/scannedonly/trunk/src/vfs_scannedonly.c?revision=46&view=markup" target="_top" rel="nofollow">http://scannedonly.svn.sourceforge.net/viewvc/scannedonly/trunk/src/vfs_scannedonly.c?revision=46&view=markup</a><br>has all requested changes, except for the 3.5 changes, because I
<br>couldn't get autoconf to run in the 3.5 tree.
<br>/usr/bin/m4:configure.in:23: cannot open `pkg.m4': No such file or directory
<br><br>Could you take a look at the code and see if things go in the right
<br>direction? If so I'll branch, remove all the 3.0/3.2/3.4 compatibility
<br>and create a 3.5-only version.
<br><br>thanks,
<br> Olivier Sessink
<br><br><p>From forum: <a href="http://old.nabble.com/Samba---samba-technical-f13164.html" embed="fixTarget[13164]" target="_top" >Samba - samba-technical</a></p>tag:old.nabble.com,2006:post-26484203Re: Vista laptop in Samba 3.3.4 domain suddenly trying to use roaming profiles?2009-11-23T11:16:55Z2009-11-23T11:16:55ZGaiseric VandalThis happened to us when we switched from TDB to LDAP backend. (Samba
<br>3.03x) I suspect that for some users sambaProfilePath may have had
<br>space character but wasn't actually null. For some users we just
<br>deleted the sambaProfilePath attribute.
<br><br>You may need to change the profile type on the users computer from
<br>roaming back to local. (On XP, right-click My Computer->
<br>Properties->Advanced->User Profiles.)
<br><br><br>Login scripts could be several things
<br> - share and file permissions for the netlogon directory should
<br>probably allow everyone read-only.
<br> - I usually add a "pause" command in the login script when
<br>troubleshooting
<br> - You need to specify the logon script as part of the user's
<br>account. (In LDAP, SambaLogonScript attribute I don't think you can a
<br>default logon script.
<br><br><br> From an XP session, can you go to the netlogon share and run the logon
<br>script?
<br><br>On 11/23/09 10:03, David Whitney wrote:
<div class='shrinkable-quote'><br>> Grettings, all
<br>>
<br>> I have a bizarre problem on a laptop in my Samba 3.3.4 domain. This domain
<br>> includes a mixture of XP Pro and Vista Ultimate clients.
<br>>
<br>> I had just completed a migration to this new domain (from a Samba 2.2.8a
<br>> domain), and all seemed happy and well - machines had rebooted and were
<br>> still active in the domain, users were logging in with no problem, shares
<br>> were working perfectly - all over the span of a week or so - until last
<br>> night.
<br>>
<br>> Trying to log into my wife's laptop (Vista Ultimate) under her account, I
<br>> got an odd message that said "Your roaming profile was not completely
<br>> synchronized. Please contact your administrator." The only problem is I am
<br>> *not* using roaming profiles in my Samba domain! And this account had logged
<br>> into the domain several times on this laptop with no problem after the
<br>> migration.
<br>>
<br>> I looked on the home shares for the particular account, and surely enough
<br>> there is the "profile.V2" folder indicating what I understand is the attempt
<br>> by a Vista box to build a first-time Vista-style roaming profile on my
<br>> Samba-defined user share. I logged in under a different account that has
<br>> admin privs, and sure enough, it tried to load a roaming profile there, too.
<br>> That told me, additionally, that Vista thought this was the first time this
<br>> user had logged into that box/domain, which was obviously incorrect. The
<br>> profiles for each user that had used until that point were on the machine,
<br>> intact.
<br>>
<br>> I've changed the local policy on that box to disallow roaming profiles
<br>> expressly, but now the local profiles that had been working just fine are no
<br>> longer associated with their proper users, and I'm not sure how to restore
<br>> the association (or even if I can). I can browse the machine remotely and
<br>> copy the files from that local profile if I have to, but I'd like to avoid
<br>> it.
<br>> Could the learned folks here offer any suggestions on why this laptop would
<br>> suddenly think it was supposed to use roaming profiles on my
<br>> non-roaming-profile Samba domain? Is there some mystery setting in smb.conf
<br>> I might possibly have set (or perhaps deleted??) that would leave Samba
<br>> thinking was trying to use roaming profiles? Based on late-night research, I
<br>> expressly set "logon path" to be blank in smb.conf, which is supposed to
<br>> disable Samba roaming profiles. It had not been expressly set before. I have
<br>> logged into a desktop box and it worked normally.
<br>>
<br>> Appreciate any thoughts or suggestions. The desktop boxes, so far, seem
<br>> unaffected and are working normally. I'm thinking my next step is to copy
<br>> the files from the particular profile in question, remove the machine from
<br>> the domain, and then rejoin it, but I'm not sure I still won't have the same
<br>> problem.
<br>>
<br>> The only other problem I've had in this migration was in getting logon
<br>> scripts to work (which I never did), but I don't think this is related to
<br>> that issue....and the fact that other than scripts the domain was working
<br>> fine is what really has me puzzled.
<br>>
<br>> Any thoughts or suggestions appreciated.
<br>> -David
<br>>
</div><br>--
<br>To unsubscribe from this list go to the following URL and read the
<br>instructions: <a href="https://lists.samba.org/mailman/options/samba" target="_top" rel="nofollow">https://lists.samba.org/mailman/options/samba</a><br><p>From forum: <a href="http://old.nabble.com/Samba---General-f62.html" embed="fixTarget[62]" target="_top" >Samba - General</a></p>tag:old.nabble.com,2006:post-26482967Re: [IPA] Disabling Heimdal service2009-11-23T09:56:29Z2009-11-23T09:56:29ZEndi Sukma Dewata-3Andrew,
<br><br>Please take a look at the attached patches. The first one is the
<br>implementation of the proposal. The second one copies some additional
<br>setup files into the install dir. The third one creates the default
<br>location for custom LDB modules .so files.
<br><br>----- "Andrew Bartlett" <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26482967&i=0" target="_top" rel="nofollow">abartlet@...</a>> wrote:
<br><br>> > <a href="http://www.freeipa.org/page/Samba_4_Disabling_Heimdal_Service" target="_top" rel="nofollow">http://www.freeipa.org/page/Samba_4_Disabling_Heimdal_Service</a><br><br>> The approach of using 'kdc port = 0' to disable seems very reasonable.
<br><br>I updated the wiki page with some clarifications about the parameters.
<br>In this proposal I'm using existing parameters "krb5 port" and "kpasswd
<br>port". You'll need to set both to 0 to completely disable Heimdal ports.
<br>Is this what you meant or should I add another "kdc port" parameter to
<br>overwrite both?
<br><br>Thanks!
<br><br>--
<br>Endi S. Dewata
<br><br><br /> <br /><tt>[0002-s4-script-Install-setup-scripts-and-examples.patch]</tt><br /><hr align="left" width="300" /><tt>From 7be7cacb2fe6d35953fae831df802624f92dce84 Mon Sep 17 00:00:00 2001
<br>From: Endi S. Dewata <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26482967&i=1" target="_top" rel="nofollow">edewata@...</a>>
<br>Date: Fri, 20 Nov 2009 14:16:47 -0600
<br>Subject: [PATCH] s4:script - Install setup scripts and examples.
<br><br>---
<br> source4/script/installmisc.sh | 2 ++
<br> 1 files changed, 2 insertions(+), 0 deletions(-)
<br><br>diff --git a/source4/script/installmisc.sh b/source4/script/installmisc.sh
<br>index 8e3f723..7bff2e2 100755
<br>--- a/source4/script/installmisc.sh
<br>+++ b/source4/script/installmisc.sh
<br>@@ -26,8 +26,10 @@ cp setup/*.zone $SETUPDIR || exit 1
<br> cp setup/*.conf $SETUPDIR || exit 1
<br> cp setup/*.php $SETUPDIR || exit 1
<br> cp setup/*.txt $SETUPDIR || exit 1
<br>+cp setup/*.sh $SETUPDIR || exit 1
<br> cp setup/provision.smb.conf.dc $SETUPDIR || exit 1
<br> cp setup/provision.smb.conf.member $SETUPDIR || exit 1
<br> cp setup/provision.smb.conf.standalone $SETUPDIR || exit 1
<br>+cp -r ../examples $SETUPDIR/../.. || exit 1
<br>
<br> exit 0
<br>--
<br>1.6.0.6
<br><br></tt><hr align="left" width="300" /><br /><tt>[0003-s4-Create-default-modules-directory.patch]</tt><br /><hr align="left" width="300" /><tt>From bc411082471cf7773ba969910010613e05e83e86 Mon Sep 17 00:00:00 2001
<br>From: Endi S. Dewata <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26482967&i=2" target="_top" rel="nofollow">edewata@...</a>>
<br>Date: Fri, 20 Nov 2009 14:57:11 -0600
<br>Subject: [PATCH] s4 - Create default modules directory.
<br><br>---
<br> source4/Makefile | 1 +
<br> 1 files changed, 1 insertions(+), 0 deletions(-)
<br><br>diff --git a/source4/Makefile b/source4/Makefile
<br>index 03b4e73..3aea791 100644
<br>--- a/source4/Makefile
<br>+++ b/source4/Makefile
<br>@@ -221,6 +221,7 @@ installdirs::
<br> $(DESTDIR)$(torturedir) \
<br> $(DESTDIR)$(libdir) \
<br> $(DESTDIR)$(modulesdir) \
<br>+ $(DESTDIR)$(modulesdir)/ldb \
<br> $(DESTDIR)$(mandir) \
<br> $(DESTDIR)$(localstatedir) \
<br> $(DESTDIR)$(localstatedir)/lib \
<br>--
<br>1.6.0.6
<br><br></tt><hr align="left" width="300" /><div class="small"><br/><img src="http://old.nabble.com/images/icon_attachment.gif" > <strong>0001-s4-kdc-Disable-KDC-port-when-it-s-set-to-0.patch</strong> (5K) <a href="http://old.nabble.com/attachment/26482967/0/0001-s4-kdc-Disable-KDC-port-when-it-s-set-to-0.patch" target="_top">Download Attachment</a></div><p>From forum: <a href="http://old.nabble.com/Samba---samba-technical-f13164.html" embed="fixTarget[13164]" target="_top" >Samba - samba-technical</a></p>tag:old.nabble.com,2006:post-26482921Re: Commit: 1169dd3b50dfefa59b56cd1897bcd0b6c2ffb3be2009-11-23T09:52:43Z2009-11-23T09:52:43Zcd1does the attached patch fix the problem? I'm not very familiar with talloc
<br>memory stealing yet.
<br><br>On Mon, Nov 23, 2009 at 8:37 AM, <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26482921&i=0" target="_top" rel="nofollow">tridge@...</a>> wrote:
<br><div class='shrinkable-quote'><div class='shrinkable-quote'><br>> Hi Andrew,
<br>>
<br>> > Yes, I think it should be ldb_msg_add_linearized_dn(). That would match
<br>> > the current nomenclature of the ldb_dn.c code, and not add an extended
<br>> > DN (which is another, quite valid DN form).
<br>>
<br>> yep, you're right.
<br>>
<br>> > Perhaps just use ldb_msg_add_steal_string() and
<br>> > ldb_dn_alloc_linearized()?
<br>>
<br>> good suggestion.
<br>>
<br>> Cheers, Tridge
<br>>
</div></div><br><br>--
<br>Crístian Deives dos Santos Viana [aka CD1]
<br>Sent from Campinas, SP, Brazil
<br><br /> <div class="small"><br/><img src="http://old.nabble.com/images/icon_attachment.gif" > <strong>0001-changed-function-name-and-fixed-memory-issue.patch</strong> (5K) <a href="http://old.nabble.com/attachment/26482921/0/0001-changed-function-name-and-fixed-memory-issue.patch" target="_top">Download Attachment</a></div><p>From forum: <a href="http://old.nabble.com/Samba---samba-technical-f13164.html" embed="fixTarget[13164]" target="_top" >Samba - samba-technical</a></p>tag:old.nabble.com,2006:post-26482917Re: [PATCH] s4-drs: replmd_delete implementation2009-11-23T09:52:20Z2009-11-23T09:52:20ZEduardo Lima-6Hi,
<br><br>>your code is doing a ldb modify, so in the modify you would need toget
<br>>list them as LDB_FLAG_MOD_DELETE. So you actually should use a
<br>>db_msg_add_*() call, but sets the element flags to mark it as an
<br>>element to delete.
<br><br>I'm inserting a new element to the "msg" using ldb_msg_add_empty():
<br><br>ret = ldb_msg_add_empty(msg, "badPwdCount", LDB_FLAG_MOD_DELETE, &el);
<br>if (ret != LDB_SUCCESS) {
<br> DEBUG(0,(__location__ ": Failed to remove badPwdCount element\n"));
<br> ret = LDB_ERR_OTHER;
<br> goto done;
<br>}
<br><br>But when I run this code, the field is not deleted and isDeleted and
<br>lastKnownParent are not added to the object. (If I don't use this code,
<br>isDeleted and lastKnownParent are inserted correctly).
<br><br>Is that what I was expected to do?
<br><br>Another question, how can I find the element "badPwdCount"?
<br><br>I've already tried to do :
<br><br>element = ldb_msg_find_element(msg, "badPwdCount");
<br><br>but I think I'm using the wrong ldb_message var. How can I find it? If I
<br>have the element, can I use ldb_msg_remove_element() ?
<br><br>Thanks.
<br><br>--
<br>Eduardo Lima
<br>Sent from Campinas, SP, Brazil
<br><br>On Wed, Nov 18, 2009 at 23:40, Eduardo Lima <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26482917&i=0" target="_top" rel="nofollow">eduardoll@...</a>> wrote:
<br><div class='shrinkable-quote'><br>> Hi Tridge,
<br>>
<br>> My GIT tree was not updated.. I just did a commit with a newer (but not the
<br>> latest) version..
<br>>
<br>> The version that is now on the git tree is the one that I was doing tests
<br>> to remove some fields from a deleted object.
<br>>
<br>> Tomorrow I will ready more carefully your email.
<br>>
<br>> Thanks!
<br>>
<br>>
<br>> --
<br>> Eduardo Lima
<br>> Sent from Campinas, SP, Brazil
<br>>
<br>> On Wed, Nov 18, 2009 at 23:16, <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26482917&i=1" target="_top" rel="nofollow">tridge@...</a>> wrote:
<br>>
<br>>> Hi Eduardo,
<br>>>
<br>>> > I created this utility function that gets the defaultNamingContext and
<br>>> put
<br>>> > "CN=Deleted Objects" in front of the DN.
<br>>>
<br>>> I found your git tree at git://repo.or.cz/Samba/eduardoll.git and had
<br>>> a look at the function. It has a couple of problems:
<br>>>
<br>>> 1) it suffers from the very common cut&paste problem with error
<br>>> messages - I think 'dsServiceName' in the error message should be
<br>>> 'defaultNamingContext'
<br>>>
<br>>> 2) it doesn't add the "Deleted Objects" rDN to the returned
<br>>> result. You could use ldb_dn_add_child_fmt() to add it like this:
<br>>>
<br>>> deleted_dn = ldb_dn_add_child_fmt(base_dn, "Deleted Objects");
<br>>>
<br>>> 3) I don't think you actually need to do the search for
<br>>> defaultNamingContext. Take a look at the function
<br>>> samdb_partitions_dn() for what would be a closer example to what you
<br>>> need. That one adds "CN=Partitions" to samdb_config_dn(). If you
<br>>> instead add "CN=Deleted Objects" to samdb_base_dn() then I think
<br>>> you'll have what you want.
<br>>>
<br>>> > Will this work for every type of object? (every object in the
<br>>> > domain - even if it's in the deepest depth - should be moved
<br>>> > directly to CN=Deleted Objects,DC=w2k8... when deleted?)
<br>>>
<br>>> hmm, looking at a w2k8 server, it looks like there is a separate
<br>>> "Deleted Objects" container in the configuration partition. That means
<br>>> my suggestion above is wrong, and you'll instead need to work out the
<br>>> correct "Deleted Objects" location based upon the DN of the object
<br>>> being deleted.
<br>>>
<br>>> One curious thing is that there is no "Deleted Objects" container in
<br>>> the schema partition on w2k8. I think you should investigate what
<br>>> happens to deleted objects in the schema partition. Perhaps if a
<br>>> partition does not have a Deleted Objects container then
<br>>> the repl_meta_data module should not do the rename/modify change and
<br>>> instead should just delete it? Or maybe it get moved into the Deleted
<br>>> Objects container of the next partition up?
<br>>>
<br>>> You should investigate this by creating and then deleting an object in
<br>>> a schema partitino of a w2k8 server and see what happens to the
<br>>> object. If you run something like this:
<br>>>
<br>>> bin/ldbsearch -H ldap://w2k8 -Uadministrator%password --controls
<br>>> show_deleted:1,search_options:1:2 'isDeleted=TRUE' dn objectclass
<br>>> lastKnownParent
<br>>>
<br>>> then it will give you an idea of where the deleted objects are going.
<br>>>
<br>>> Once you've done that, you'll need to add a function in
<br>>> repl_meta_data.c that works out the DN of the Deleted Objects
<br>>> container given the DN of an object being deleted. There are several
<br>>> ways to do this. One reasonable approach would be to add a function in
<br>>> dsdb/common/util.c like this:
<br>>>
<br>>> struct ldb_dn *dsdb_find_nc_root(struct ldb_context *samdb, struct ldb_dn
<br>>> *dn);
<br>>>
<br>>> it would work by chopping off components from the DN (using
<br>>> ldb_dn_get_parent()) one at a time until it found a DN that has an
<br>>> instanceType with INSTANCE_TYPE_IS_NC_HEAD set. You'll need to do a
<br>>> base search for instanceType for each DN as you loop.
<br>>>
<br>>> Then you'd add the "CN=Deleted Objects" to that, and see if it
<br>>> exists. If it does then you can do the rename/modify. If not then just
<br>>> pass the original delete request down to the next module.
<br>>>
<br>>> You will also need to change our provision to add a "Deleted Objects"
<br>>> container for the configuration partition. If you look at
<br>>> setup/provision.ldif you'll see that it has adds "Deleted Objects"
<br>>> container for the DOMAINDN, but not for the configuration
<br>>> partition. You'll need to add it to
<br>>> setup/provision_configuration_basedn.ldif.
<br>>>
<br>>> > This is the part that I'm having more difficulty. I still can't
<br>>> understand
<br>>> > well what the modules are and the way that they work in the Samba
<br>>> source. I
<br>>> > saw that ldb_module structure has *prev and *next fields and modules
<br>>> might
<br>>> > be linked together but why would all the modules be renamed if I use
<br>>> the
<br>>> > ldb_rename with the top level ldb context? When I do a bin/ldbdel
<br>>> operation,
<br>>> > what is the execution's flow that the modules follow?
<br>>>
<br>>> This is one of the more complex aspects of Samba. I'll try and explain
<br>>> it, and if you have any more questions then please ask.
<br>>>
<br>>> Plain ldb is very simple. It knows nothing about the complexities of
<br>>> active directory. It knows nothing about schemas, or objectclasses or
<br>>> any of the things that go to make up a AD compatible system. It just
<br>>> knows how to store, retrieve and modify objects in a dumb fashion.
<br>>>
<br>>> The way it becomes more like AD is to have a series of modules. If you
<br>>> do this search:
<br>>>
<br>>> bin/ldbsearch -H $PREFIX/private/sam.ldb -b @MODULES -s base
<br>>>
<br>>> then you'll see the list of modules that are in your database. That
<br>>> list currently looks like this:
<br>>>
<br>>> @LIST:
<br>>> resolve_oids,rootdse,lazy_commit,paged_results,ranged_results,anr,server_sort,asq,extended_dn_store,extended_dn_in,rdn_name,objectclass,descriptor,acl,samldb,password_hash,operational,kludge_acl,instancetype,repl_meta_data,subtree_rename,subtree_delete,linked_attributes,extended_dn_out_ldb,show_deleted,schema_load,new_partition,partition
<br>>>
<br>>> as you can see, there are a lot of modules!
<br>>>
<br>>> When you call an ldb operation, for example a ldb_delete() call, then
<br>>> the ldb code will check with each of these modules in the order they
<br>>> are listed, and if the module has a registered 'delete' function then
<br>>> that function is called.
<br>>>
<br>>> If you look at the first module in the list (the resolve_oids module)
<br>>> and look near the bottom of resolve_oids.c you'll see that it doesn't
<br>>> have a function for delete. That means that the resolve_oids module
<br>>> will not affect delete operations.
<br>>>
<br>>> It does however have a method for 'add'. So let's look at what that
<br>>> does.
<br>>>
<br>>> Imagine we called ldb_add() to add an object to the database. The ldb
<br>>> code will see that the resolve_oids module has an 'add' method, so it
<br>>> will call resolve_oids_add(). If you look inside that function you'll
<br>>> see that it can complete in a number of ways:
<br>>>
<br>>> 1) if it decides that it doesn't need to do anything, it can call
<br>>> ldb_next_request() passing the original request (the 'req'
<br>>> argument). That asks ldb to call the next module in the list that has
<br>>> an 'add' method.
<br>>>
<br>>> 2) it can return an error. You can see for examples places where it
<br>>> returns LDB_ERR_OPERATIONS_ERROR when it fails to allocate some
<br>>> memory.
<br>>>
<br>>> 3) it can construct a new request which does something different, and
<br>>> then call ldb_next_request() with that new request. This is what it
<br>>> does in this line:
<br>>>
<br>>> return ldb_next_request(module, down_req);
<br>>>
<br>>> That asks ldb to pass a newly constructed request down to the next
<br>>> module. Notice that it has specified a callback
<br>>> (resolve_oids_callback) that should be called when this new request
<br>>> is finished.
<br>>>
<br>>> In this way, each ldb request passes through each of the modules that
<br>>> wants to be involved with that type of request. Eventually the request
<br>>> gets down to the last module in the chain, which is the ldb_tdb module
<br>>> that actually implements the backend (that is not shown in the @LIST
<br>>> above, it is implied). The ldb_tdb module, which just implements dumb
<br>>> message storage, does the actual change to the database.
<br>>>
<br>>> So, back to my original comment on using ldb_rename() with a ldb
<br>>> context. The way you had done it will work, but it probably isn't
<br>>> quite the right thing to do. You are calling it from within the
<br>>> repl_meta_data module. That means you are half way through the list of
<br>>> modules above. All of the modules above have either done what they
<br>>> want to do to this request, or don't want to do anything.
<br>>>
<br>>> By calling ldb_rename() you are starting at the top of the module list
<br>>> again. This means every module above you will see the rename. Do you
<br>>> want that? I think in this case you probably don't, and what you
<br>>> really want to do is pass the rename down to the modules below you,
<br>>> skipping the ones above.
<br>>>
<br>>> One of the reasons we try to do this is to avoid looping forever. If
<br>>> we go to the top of the stack for this rename, then that means the
<br>>> rename will come back down to the repl_meta_data module again. So
<br>>> we'll be calling our own module. I think in this case it will work,
<br>>> but it can be a bit hard to follow sometimes!
<br>>>
<br>>> If you look at dsdb/samdb/ldb_modules/util.c then you can see some
<br>>> helper functions have been added to make this sort of "do an operation
<br>>> on the rest of the modules" call a bit easier. The helper functions
<br>>> are currently only for search, but you could add a new one for doing a
<br>>> rename starting at the current module. Following the pattern in that
<br>>> file, you'd add a new function:
<br>>>
<br>>> int dsdb_module_rename(struct ldb_module *module,
<br>>> struct ldb_dn *olddn, struct ldb_dn *newdn);
<br>>>
<br>>> it would call ldb_build_rename_req() to build a new rename request
<br>>> structure, then it would call ldb_next_request() and then call
<br>>> ldb_wait(), in much the same way that dsdb_module_search() works.
<br>>>
<br>>> If you then use dsdb_module_rename() in your new code, then you will
<br>>> be doing the rename only on the modules below you in the stack. You
<br>>> should similarly add a dsdb_module_modify() call that follows the same
<br>>> pattern.
<br>>>
<br>>> The only caveat to this is if there is a module above you in the stack
<br>>> that you actually want to see the rename. For example, the rdn_name
<br>>> module (in lib/ldb/modules/rdn_name.c) has special handling for rename
<br>>> operations to fix the 'name' field. If you follow my suggestion above
<br>>> then this special handling won't happen. What you need to do is check
<br>>> on a w2k8 server and see if the 'name' attribute is changed when you
<br>>> delete an object.
<br>>>
<br>>> If I do this:
<br>>>
<br>>> bin/ldbsearch -H ldap://w2k8 -Uadministrator%password --controls
<br>>> show_deleted:1,search_options:1:2 'isDeleted=TRUE' dn objectclass
<br>>> lastKnownParent name --show-binary
<br>>>
<br>>> then I can see that, yes, the 'name' attribute does look like it is
<br>>> being modified when you do a delete. That means we have two choices:
<br>>>
<br>>> 1) also fix the 'name' attribute in the modify operation that you
<br>>> will do as part of the delete handling in repl_meta_data.c. Add it
<br>>> to the same modify that adds the isDeleted=TRUE attribute.
<br>>>
<br>>> 2) forget what I said above and just use ldb_rename(). That means
<br>>> that the rdn_name modules will do the fixup of 'name' for you.
<br>>>
<br>>> I think that (1) is a better choice, as I think it makes it clearer
<br>>> exactly what a delete does in the repl_meta_data module.
<br>>>
<br>>> I hope this helps!
<br>>>
<br>>> Cheers, Tridge
<br>>>
<br>>
<br>>
<br></div><p>From forum: <a href="http://old.nabble.com/Samba---samba-technical-f13164.html" embed="fixTarget[13164]" target="_top" >Samba - samba-technical</a></p>tag:old.nabble.com,2006:post-26482343Re: [Release Planning 3.5] Samba 3.5.0pre1 on October 26?2009-11-23T09:21:17Z2009-11-23T09:21:17ZJeremy AllisonOn Mon, Nov 23, 2009 at 09:13:09AM +0100, Karolin Seeger wrote:
<div class='shrinkable-quote'><br>> Hi Jeremy,
<br>>
<br>> On Thu, Nov 12, 2009 at 02:29:36PM -0800, Jeremy Allison wrote:
<br>> > On Tue, Nov 10, 2009 at 10:21:44AM +0100, Karolin Seeger wrote:
<br>> > >
<br>> > > I am wondering when we can ship the first 3.5.0 preview tarball.
<br>> > >
<br>> > > Do you still estimate mid November for your "create time" store?
<br>> > > Would November 26 be a realistic release date for pre1?
<br>> >
<br>> > Yes, I'll try and get this fix done and included by the
<br>> > end of next week (20th).
<br>>
<br>> have you finished the create time stuff?
<br>> Would you like to provide some information on your 3.5 changes for the
<br>> release notes, please?
</div><br>Yes it's done - I'm still testing of course but the
<br>code is in :-).
<br><br>I'll write something this before 26th.
<br><br>Thanks !
<br><br>Jeremy.
<br><p>From forum: <a href="http://old.nabble.com/Samba---samba-technical-f13164.html" embed="fixTarget[13164]" target="_top" >Samba - samba-technical</a></p>tag:old.nabble.com,2006:post-26482114Re: Structure of prefixMap over LDAP2009-11-23T09:06:56Z2009-11-23T09:06:56ZObaid FarooqiHi Andrew:
<br>We're still working on this issue and I'll be in touch as soon as I have something concrete.
<br><br>Regards,
<br>Obaid Farooqi
<br>Sr. Support Escalation Engineer | Microsoft
<br><br>-----Original Message-----
<br>From: Obaid Farooqi
<br>Sent: Wednesday, November 11, 2009 2:38 PM
<br>To: 'Andrew Bartlett'
<br>Cc: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26482114&i=0" target="_top" rel="nofollow">cifs-protocol@...</a>; <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26482114&i=1" target="_top" rel="nofollow">pfif@...</a>
<br>Subject: RE: Structure of prefixMap over LDAP
<br><br>Hi Andrew:
<br>I'll be helping you with your question regarding perfMap over LDAP. If you have any question/clarification about this issue, please feel free to contact me.
<br><br>Regards,
<br>Obaid Farooqi
<br>Sr. Support Escalation Engineer | Microsoft
<br><br>-----Original Message-----
<br>From: Andrew Bartlett [mailto:<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26482114&i=2" target="_top" rel="nofollow">abartlet@...</a>]
<br>Sent: Tuesday, November 10, 2009 6:39 PM
<br>To: Interoperability Documentation Help
<br>Cc: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26482114&i=3" target="_top" rel="nofollow">cifs-protocol@...</a>; <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26482114&i=4" target="_top" rel="nofollow">pfif@...</a>
<br>Subject: Structure of prefixMap over LDAP
<br><br>MS-ADA3 2.115 describes the prefixmap:
<br><br> Attribute prefixMap
<br> The prefixMap attribute is for internal use only.
<br><br>However, it is exposed over LDAP, and I don't see a description of it's format in MS-ADTS. With ldp I see only: 'binary blob'. With ldbsearch, I see:
<br><br>bin/ldbsearch -H ldap://win2k3-2.ad.naomi.abartlet.net -s base -b CN=Schema,CN=Configuration,DC=ad,DC=naomi,DC=abartlet,DC=net
<br>-Uadministrator prefixMap
<br><br># record 1
<br>dn: CN=Schema,CN=Configuration,DC=ad,DC=naomi,DC=abartlet,DC=net
<br>prefixMap::
<br>BwAAAFkAAADUEQcAKoZIikEBBcsTCAAqhkiB/xcBBbZuCAAqhkiBzBEBBVBvCAAqhk
<br> iCugUBBesFCAAqhkiB8xcBBZQGBwAqhkiJHQEFzwYHACqGSNMFAQU=
<br><br>(and our --show-binary option does not know how to parse this).
<br><br>It was in the past assumed that this attribute was not available over LDAP, but as it is, could you please describe the format?
<br><br>Thanks,
<br><br>Andrew Bartlett
<br><br>--
<br>Andrew Bartlett <a href="http://samba.org/~abartlet/" target="_top" rel="nofollow">http://samba.org/~abartlet/</a><br>Authentication Developer, Samba Team <a href="http://samba.org" target="_top" rel="nofollow">http://samba.org</a><br>Samba Developer, Cisco Inc.
<br><br>_______________________________________________
<br>cifs-protocol mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26482114&i=5" target="_top" rel="nofollow">cifs-protocol@...</a>
<br><a href="https://lists.samba.org/mailman/listinfo/cifs-protocol" target="_top" rel="nofollow">https://lists.samba.org/mailman/listinfo/cifs-protocol</a><br><p>From forum: <a href="http://old.nabble.com/Samba---cifs-protocol-f13152.html" embed="fixTarget[13152]" target="_top" >Samba - cifs-protocol</a></p>tag:old.nabble.com,2006:post-26479955Re: a few SD questions2009-11-23T07:19:42Z2009-11-23T07:19:42ZMatthias Dieter Wallnöfer-3Nadya,
<br><br>Ah, okay.
<br><br>Regarding security descriptors: this still fails in ldap.py (at least
<br>on my box). Do you plan investigations?
<br><br>> test: Test add_ldif() with BASE64 security descriptor input using
<br>> WRONG domain SID
<br>...
<br>> failure: Test add_ldif() with BASE64 security descriptor input using
<br>> WRONG domain SID [
<br>> Traceback (most recent call last):
<br>> File "./lib/ldb/tests/python/ldap.py", line 1730, in
<br>> test_security_descriptor_add_neg
<br>> self.assertRaises(KeyError, lambda: res[0]["nTSecurityDescriptor"])
<br>> AssertionError: KeyError not raised
<br>> ]
<br>Greets,
<br>Matthias
<br><br>Nadezhda Ivanova wrote:
<div class='shrinkable-quote'><br>> Hi Matthias,
<br>> I have some more work to do on access checks for the search request - as you can see, acl.c does not yet handle them. I expect this will be done by the end of the week. After that, kludge will stay in the codebase for a little while, and will be optionally enabled by a configuration parameter. This will allow testers (read ekacnet) to fall back to it if some very serious bug is found. I suppose eventually we will remove it altogether.
<br>>
<br>> Regards,
<br>> Nadya
<br>> ----- Original Message -----
<br>>
<br>>> From: Matthias Dieter Wallnöfer<<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26479955&i=0" target="_top" rel="nofollow">mdw@...</a>>
<br>>> To: Nadezhda Ivanova<<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26479955&i=1" target="_top" rel="nofollow">nadezhda.ivanova@...</a>>
<br>>> Cc: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26479955&i=2" target="_top" rel="nofollow">mat@...</a><<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26479955&i=3" target="_top" rel="nofollow">mat@...</a>>, <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26479955&i=4" target="_top" rel="nofollow">samba-technical@...</a><<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26479955&i=5" target="_top" rel="nofollow">samba-technical@...</a>>, Andrew Bartlett<<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26479955&i=6" target="_top" rel="nofollow">abartlet@...</a>>
<br>>> Sent: Monday, November 23, 2009 4:00:21 PM GMT+0200 Europe;Athens
<br>>> Subject: Re: a few SD questions
<br>>>
<br>>
<br>>>> Hi Nadya,
<br>>>>
<br>>> (maybe a bit out of topic - but I think it's worth to ask) do you plan
<br>>>
<br>>> to remove the "kludge_acl" module? I think with your recent work it's
<br>>> nearly obsolete and I personally don't see it useful anymore (to be
<br>>> honest I would like to see it dropped soon). I think with some minor
<br>>> work and suggestions by abartlet it should be feasible.
<br>>>
<br>>> Matthias
<br>>>
<br>>> Nadezhda Ivanova wrote:
<br>>>
<br>>>> Hi Mattieu,
<br>>>> Thanks for the research. I do not understand however why you expect
<br>>>>
<br>>> to have an ID (I assume that is what you mean by DI) flag in the DACL
<br>>> ace. The DACL has the P flag, which means break inheritance - we are
<br>>> not supposed to inherit anything from the parent in the DACL. This is
<br>>> also the case in the win2k3 descriptor that you have pasted. In that
<br>>> descriptor you seem to have nothing inherited in the DACL as well.
<br>>>
<br>>>> The sacl seems to me missing an inherit only flag, will have to
<br>>>>
<br>>> debug what is causing this...
<br>>>
<br>>>> I am also not sure about the differences in the group. Are you sure
<br>>>>
<br>>> the policy in win2k3 has been created without providing an owner or a
<br>>> group?
<br>>>
<br>>>> Regards,
<br>>>> Nadya
<br>>>> ----- Original Message -----
<br>>>>
<br>>>>
<br>>>>> From: Matthieu Patou<<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26479955&i=7" target="_top" rel="nofollow">mat@...</a>>
<br>>>>> To: samba-technical<<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26479955&i=8" target="_top" rel="nofollow">samba-technical@...</a>>, Nadezhda
<br>>>>>
<br>>> Ivanova<<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26479955&i=9" target="_top" rel="nofollow">nadezhda.ivanova@...</a>>
<br>>>
<br>>>>> Sent: Monday, November 23, 2009 8:42:09 AM GMT+0200 Europe;Athens
<br>>>>> Subject: a few SD questions
<br>>>>>
<br>>>>>
<br>>>>
<br>>>>
<br>>>>>> Hello nadya,
<br>>>>>>
<br>>>>>>
<br>>>>> I made some tests today with GPO and it seems that things are
<br>>>>>
<br>>> getting
<br>>>
<br>>>>> a
<br>>>>> lot more better
<br>>>>>
<br>>>>> Below it's the SD for a newly created policy, it quite OK just we
<br>>>>>
<br>>> have
<br>>>
<br>>>>> the duplicate ACL for Domain Admins due to the fact that the
<br>>>>>
<br>>> creator
<br>>>
<br>>>>> owner is Domain Admin. Also I think that we should have the AI
<br>>>>>
<br>>> control
<br>>>
<br>>>>> flag as the SD is DACL_PROTECTED and that it has some (all?) ACL
<br>>>>>
<br>>> from
<br>>>
<br>>>>> the parent SD. Also those inherited ACE should have the flag DI
<br>>>>> (although it isn't very clear what is the effect of this flag,
<br>>>>>
<br>>> seems
<br>>>
<br>>>>> more cosmetic than something else to me).
<br>>>>>
<br>>>>> O:S-1-5-21-487418869-183637953-2310109715-512G:
<br>>>>> S-1-5-21-487418869-183637953-2310109715-513D:P
<br>>>>>
<br>>>>>
<br>>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-487418869-183637953-231010971
<br>>>
<br>>>
<br>>>>> 5-512)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-2
<br>>>>> 1-487418869-183637953-2310109715-519)
<br>>>>> (A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-
<br>>>>>
<br>>>>>
<br>>>>>
<br>>> 487418869-183637953-2310109715-512)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;C
<br>>>
<br>>>
<br>>>>> O)(A;C
<br>>>>> I;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)
<br>>>>> (A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-1
<br>>>>> 1d1-b41d-00a0c968f939;;AU)
<br>>>>> (A;CI;RPLCLORC;;;ED)
<br>>>>> S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0
<br>>>>>
<br>>>>>
<br>>>>>
<br>>> -11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CII
<br>>>
<br>>>
<br>>>>> DSA;WP
<br>>>>>
<br>>>>>
<br>>>>>
<br>>> ;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa00304
<br>>>
<br>>>
<br>>>>> 9e2;WD
<br>>>>> )
<br>>>>>
<br>>>>>
<br>>>>>
<br>>>>> In the same time here is the SD for a newly create gpo in w2k3:
<br>>>>> They are identical for the DACL part, there is still some
<br>>>>>
<br>>> difference
<br>>>
<br>>>>> on
<br>>>>> the sacl part. Also it's worth noting that the group is different
<br>>>>>
<br>>>>>
<br>>>>>
<br>>> O:S-1-5-21-3208502064-746857408-2662927446-512G:S-1-5-21-3208502064-746
<br>>>
<br>>>
<br>>>>> 857408-2662927446-512
<br>>>>> D:PAI
<br>>>>>
<br>>>>>
<br>>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-26629274
<br>>>
<br>>>
<br>>>>> 46-512)
<br>>>>>
<br>>>>>
<br>>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-26629274
<br>>>
<br>>>
<br>>>>> 46-519)
<br>>>>>
<br>>>>>
<br>>> (A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-2662927446
<br>>>
<br>>>
<br>>>>> -512)
<br>>>>> (A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)
<br>>>>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)
<br>>>>> (A;CI;RPLCLORC;;;AU)
<br>>>>> (OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)
<br>>>>> (A;CI;RPLCLORC;;;ED)
<br>>>>> S:AI
<br>>>>>
<br>>>>>
<br>>> (OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0
<br>>>
<br>>>
<br>>>>> -a285-00aa003049e2;WD)
<br>>>>>
<br>>>>>
<br>>> (OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0
<br>>>
<br>>>
<br>>>>> -a285-00aa003049e2;WD)
<br>>>>> (OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)
<br>>>>>
<br>>>>>
<br>>>>> Matthieu.
<br>>>>>
<br>>>>>
<br>>>>
<br>>
</div><br><p>From forum: <a href="http://old.nabble.com/Samba---samba-technical-f13164.html" embed="fixTarget[13164]" target="_top" >Samba - samba-technical</a></p>tag:old.nabble.com,2006:post-26480038Re: a few SD questions2009-11-23T07:19:24Z2009-11-23T07:19:24ZNadezhda Ivanova-2Eventually yes. Got to ask Zahari what is the purpose of this test...
<br><br>----- Original Message -----
<br>> From: Matthias Dieter Wallnöfer <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26480038&i=0" target="_top" rel="nofollow">mdw@...</a>>
<br>> To: Nadezhda Ivanova <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26480038&i=1" target="_top" rel="nofollow">nadezhda.ivanova@...</a>>
<br>> Cc: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26480038&i=2" target="_top" rel="nofollow">mat@...</a> <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26480038&i=3" target="_top" rel="nofollow">mat@...</a>>, <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26480038&i=4" target="_top" rel="nofollow">abartlet@...</a> <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26480038&i=5" target="_top" rel="nofollow">abartlet@...</a>>, <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26480038&i=6" target="_top" rel="nofollow">samba-technical@...</a> <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26480038&i=7" target="_top" rel="nofollow">samba-technical@...</a>>
<br>> Sent: Monday, November 23, 2009 5:15:00 PM GMT+0200 Europe;Athens
<br>> Subject: Re: a few SD questions
<br><div class='shrinkable-quote'><br>> > Nadya,
<br>>
<br>> Ah, okay.
<br>>
<br>> Regarding security descriptors: this still fails in ldap.py (at least
<br>>
<br>> on my box). Do you plan investigations?
<br>>
<br>> > test: Test add_ldif() with BASE64 security descriptor input using
<br>> > WRONG domain SID
<br>> ...
<br>> > failure: Test add_ldif() with BASE64 security descriptor input using
<br>>
<br>> > WRONG domain SID [
<br>> > Traceback (most recent call last):
<br>> > File "./lib/ldb/tests/python/ldap.py", line 1730, in
<br>> > test_security_descriptor_add_neg
<br>> > self.assertRaises(KeyError, lambda:
<br>> res[0]["nTSecurityDescriptor"])
<br>> > AssertionError: KeyError not raised
<br>> > ]
<br>> Greets,
<br>> Matthias
<br>>
<br>> Nadezhda Ivanova wrote:
<br>> > Hi Matthias,
<br>> > I have some more work to do on access checks for the search request
<br>> - as you can see, acl.c does not yet handle them. I expect this will
<br>> be done by the end of the week. After that, kludge will stay in the
<br>> codebase for a little while, and will be optionally enabled by a
<br>> configuration parameter. This will allow testers (read ekacnet) to
<br>> fall back to it if some very serious bug is found. I suppose
<br>> eventually we will remove it altogether.
<br>> >
<br>> > Regards,
<br>> > Nadya
<br>> > ----- Original Message -----
<br>> >
<br>> >> From: Matthias Dieter Wallnöfer<<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26480038&i=8" target="_top" rel="nofollow">mdw@...</a>>
<br>> >> To: Nadezhda Ivanova<<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26480038&i=9" target="_top" rel="nofollow">nadezhda.ivanova@...</a>>
<br>> >> Cc: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26480038&i=10" target="_top" rel="nofollow">mat@...</a><<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26480038&i=11" target="_top" rel="nofollow">mat@...</a>>,
<br>> <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26480038&i=12" target="_top" rel="nofollow">samba-technical@...</a><<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26480038&i=13" target="_top" rel="nofollow">samba-technical@...</a>>,
<br>> Andrew Bartlett<<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26480038&i=14" target="_top" rel="nofollow">abartlet@...</a>>
<br>> >> Sent: Monday, November 23, 2009 4:00:21 PM GMT+0200 Europe;Athens
<br>> >> Subject: Re: a few SD questions
<br>> >>
<br>> >
<br>> >>> Hi Nadya,
<br>> >>>
<br>> >> (maybe a bit out of topic - but I think it's worth to ask) do you
<br>> plan
<br>> >>
<br>> >> to remove the "kludge_acl" module? I think with your recent work
<br>> it's
<br>> >> nearly obsolete and I personally don't see it useful anymore (to be
<br>> >> honest I would like to see it dropped soon). I think with some
<br>> minor
<br>> >> work and suggestions by abartlet it should be feasible.
<br>> >>
<br>> >> Matthias
<br>> >>
<br>> >> Nadezhda Ivanova wrote:
<br>> >>
<br>> >>> Hi Mattieu,
<br>> >>> Thanks for the research. I do not understand however why you
<br>> expect
<br>> >>>
<br>> >> to have an ID (I assume that is what you mean by DI) flag in the
<br>> DACL
<br>> >> ace. The DACL has the P flag, which means break inheritance - we
<br>> are
<br>> >> not supposed to inherit anything from the parent in the DACL. This
<br>> is
<br>> >> also the case in the win2k3 descriptor that you have pasted. In
<br>> that
<br>> >> descriptor you seem to have nothing inherited in the DACL as well.
<br>> >>
<br>> >>> The sacl seems to me missing an inherit only flag, will have to
<br>> >>>
<br>> >> debug what is causing this...
<br>> >>
<br>> >>> I am also not sure about the differences in the group. Are you
<br>> sure
<br>> >>>
<br>> >> the policy in win2k3 has been created without providing an owner or
<br>> a
<br>> >> group?
<br>> >>
<br>> >>> Regards,
<br>> >>> Nadya
<br>> >>> ----- Original Message -----
<br>> >>>
<br>> >>>
<br>> >>>> From: Matthieu Patou<<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26480038&i=15" target="_top" rel="nofollow">mat@...</a>>
<br>> >>>> To: samba-technical<<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26480038&i=16" target="_top" rel="nofollow">samba-technical@...</a>>, Nadezhda
<br>> >>>>
<br>> >> Ivanova<<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26480038&i=17" target="_top" rel="nofollow">nadezhda.ivanova@...</a>>
<br>> >>
<br>> >>>> Sent: Monday, November 23, 2009 8:42:09 AM GMT+0200 Europe;Athens
<br>> >>>> Subject: a few SD questions
<br>> >>>>
<br>> >>>>
<br>> >>>
<br>> >>>
<br>> >>>>> Hello nadya,
<br>> >>>>>
<br>> >>>>>
<br>> >>>> I made some tests today with GPO and it seems that things are
<br>> >>>>
<br>> >> getting
<br>> >>
<br>> >>>> a
<br>> >>>> lot more better
<br>> >>>>
<br>> >>>> Below it's the SD for a newly created policy, it quite OK just we
<br>> >>>>
<br>> >> have
<br>> >>
<br>> >>>> the duplicate ACL for Domain Admins due to the fact that the
<br>> >>>>
<br>> >> creator
<br>> >>
<br>> >>>> owner is Domain Admin. Also I think that we should have the AI
<br>> >>>>
<br>> >> control
<br>> >>
<br>> >>>> flag as the SD is DACL_PROTECTED and that it has some (all?) ACL
<br>> >>>>
<br>> >> from
<br>> >>
<br>> >>>> the parent SD. Also those inherited ACE should have the flag DI
<br>> >>>> (although it isn't very clear what is the effect of this flag,
<br>> >>>>
<br>> >> seems
<br>> >>
<br>> >>>> more cosmetic than something else to me).
<br>> >>>>
<br>> >>>> O:S-1-5-21-487418869-183637953-2310109715-512G:
<br>> >>>> S-1-5-21-487418869-183637953-2310109715-513D:P
<br>> >>>>
<br>> >>>>
<br>> >>
<br>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-487418869-183637953-231010971
<br>>
<br>> >>
<br>> >>
<br>> >>>> 5-512)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-2
<br>> >>>> 1-487418869-183637953-2310109715-519)
<br>> >>>> (A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-
<br>> >>>>
<br>> >>>>
<br>> >>>>
<br>> >>
<br>> 487418869-183637953-2310109715-512)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;C
<br>>
<br>> >>
<br>> >>
<br>> >>>> O)(A;C
<br>> >>>> I;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)
<br>> >>>> (A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-1
<br>> >>>> 1d1-b41d-00a0c968f939;;AU)
<br>> >>>> (A;CI;RPLCLORC;;;ED)
<br>> >>>> S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0
<br>> >>>>
<br>> >>>>
<br>> >>>>
<br>> >>
<br>> -11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CII
<br>>
<br>> >>
<br>> >>
<br>> >>>> DSA;WP
<br>> >>>>
<br>> >>>>
<br>> >>>>
<br>> >>
<br>> ;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa00304
<br>>
<br>> >>
<br>> >>
<br>> >>>> 9e2;WD
<br>> >>>> )
<br>> >>>>
<br>> >>>>
<br>> >>>>
<br>> >>>> In the same time here is the SD for a newly create gpo in w2k3:
<br>> >>>> They are identical for the DACL part, there is still some
<br>> >>>>
<br>> >> difference
<br>> >>
<br>> >>>> on
<br>> >>>> the sacl part. Also it's worth noting that the group is different
<br>> >>>>
<br>> >>>>
<br>> >>>>
<br>> >>
<br>> O:S-1-5-21-3208502064-746857408-2662927446-512G:S-1-5-21-3208502064-746
<br>>
<br>> >>
<br>> >>
<br>> >>>> 857408-2662927446-512
<br>> >>>> D:PAI
<br>> >>>>
<br>> >>>>
<br>> >>
<br>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-26629274
<br>>
<br>> >>
<br>> >>
<br>> >>>> 46-512)
<br>> >>>>
<br>> >>>>
<br>> >>
<br>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-26629274
<br>>
<br>> >>
<br>> >>
<br>> >>>> 46-519)
<br>> >>>>
<br>> >>>>
<br>> >>
<br>> (A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-2662927446
<br>>
<br>> >>
<br>> >>
<br>> >>>> -512)
<br>> >>>> (A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)
<br>> >>>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)
<br>> >>>> (A;CI;RPLCLORC;;;AU)
<br>> >>>> (OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)
<br>> >>>> (A;CI;RPLCLORC;;;ED)
<br>> >>>> S:AI
<br>> >>>>
<br>> >>>>
<br>> >>
<br>> (OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0
<br>>
<br>> >>
<br>> >>
<br>> >>>> -a285-00aa003049e2;WD)
<br>> >>>>
<br>> >>>>
<br>> >>
<br>> (OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0
<br>>
<br>> >>
<br>> >>
<br>> >>>> -a285-00aa003049e2;WD)
<br>> >>>> (OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)
<br>> >>>>
<br>> >>>>
<br>> >>>> Matthieu.
<br>> >>>>
<br>> >>>>
<br>> >>>
<br>> >
<br></div><p>From forum: <a href="http://old.nabble.com/Samba---samba-technical-f13164.html" embed="fixTarget[13164]" target="_top" >Samba - samba-technical</a></p>tag:old.nabble.com,2006:post-26479634Vista laptop in Samba 3.3.4 domain suddenly trying to use roaming profiles?2009-11-23T07:03:20Z2009-11-23T07:03:20ZDavid Whitney-3Grettings, all
<br><br>I have a bizarre problem on a laptop in my Samba 3.3.4 domain. This domain
<br>includes a mixture of XP Pro and Vista Ultimate clients.
<br><br>I had just completed a migration to this new domain (from a Samba 2.2.8a
<br>domain), and all seemed happy and well - machines had rebooted and were
<br>still active in the domain, users were logging in with no problem, shares
<br>were working perfectly - all over the span of a week or so - until last
<br>night.
<br><br>Trying to log into my wife's laptop (Vista Ultimate) under her account, I
<br>got an odd message that said "Your roaming profile was not completely
<br>synchronized. Please contact your administrator." The only problem is I am
<br>*not* using roaming profiles in my Samba domain! And this account had logged
<br>into the domain several times on this laptop with no problem after the
<br>migration.
<br><br>I looked on the home shares for the particular account, and surely enough
<br>there is the "profile.V2" folder indicating what I understand is the attempt
<br>by a Vista box to build a first-time Vista-style roaming profile on my
<br>Samba-defined user share. I logged in under a different account that has
<br>admin privs, and sure enough, it tried to load a roaming profile there, too.
<br>That told me, additionally, that Vista thought this was the first time this
<br>user had logged into that box/domain, which was obviously incorrect. The
<br>profiles for each user that had used until that point were on the machine,
<br>intact.
<br><br>I've changed the local policy on that box to disallow roaming profiles
<br>expressly, but now the local profiles that had been working just fine are no
<br>longer associated with their proper users, and I'm not sure how to restore
<br>the association (or even if I can). I can browse the machine remotely and
<br>copy the files from that local profile if I have to, but I'd like to avoid
<br>it.
<br>Could the learned folks here offer any suggestions on why this laptop would
<br>suddenly think it was supposed to use roaming profiles on my
<br>non-roaming-profile Samba domain? Is there some mystery setting in smb.conf
<br>I might possibly have set (or perhaps deleted??) that would leave Samba
<br>thinking was trying to use roaming profiles? Based on late-night research, I
<br>expressly set "logon path" to be blank in smb.conf, which is supposed to
<br>disable Samba roaming profiles. It had not been expressly set before. I have
<br>logged into a desktop box and it worked normally.
<br><br>Appreciate any thoughts or suggestions. The desktop boxes, so far, seem
<br>unaffected and are working normally. I'm thinking my next step is to copy
<br>the files from the particular profile in question, remove the machine from
<br>the domain, and then rejoin it, but I'm not sure I still won't have the same
<br>problem.
<br><br>The only other problem I've had in this migration was in getting logon
<br>scripts to work (which I never did), but I don't think this is related to
<br>that issue....and the fact that other than scripts the domain was working
<br>fine is what really has me puzzled.
<br><br>Any thoughts or suggestions appreciated.
<br>-David
<br>--
<br>To unsubscribe from this list go to the following URL and read the
<br>instructions: <a href="https://lists.samba.org/mailman/options/samba" target="_top" rel="nofollow">https://lists.samba.org/mailman/options/samba</a><br><p>From forum: <a href="http://old.nabble.com/Samba---General-f62.html" embed="fixTarget[62]" target="_top" >Samba - General</a></p>tag:old.nabble.com,2006:post-26479059Re: [s4] My recent work2009-11-23T06:24:35Z2009-11-23T06:24:35ZNadezhda Ivanova-2I noticed that you fixed some warnings. Way to go, they were annoying :). I really think we should avoid warnings like "incompatible pointer type" and "not handled in switch", these are all potential bugs...
<br><br>----- Original Message -----
<br>> From: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26479059&i=0" target="_top" rel="nofollow">samba-technical-bounces@...</a> <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26479059&i=1" target="_top" rel="nofollow">samba-technical-bounces@...</a>>
<br>> To: Andrew Bartlett <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26479059&i=2" target="_top" rel="nofollow">abartlet@...</a>>, Matthias Dieter Wallnöfer <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26479059&i=3" target="_top" rel="nofollow">mdw@...</a>>
<br>> Cc: samba-technical <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26479059&i=4" target="_top" rel="nofollow">samba-technical@...</a>>
<br>> Sent: Monday, November 23, 2009 4:15:53 PM GMT+0200 Europe;Athens
<br>> Subject: [s4] My recent work
<br><div class='shrinkable-quote'><br>> > Hi abartlet and other s4 developers,
<br>>
<br>> I would like to bring to attention my recent work:
<br>> - "const" patches: I did improvements over the last weekend and some
<br>> (those in common with s3) where merged - the s4 ones are outstanding:
<br>> <a href="http://repo.or.cz/w/Samba/mdw.git/shortlog/refs/heads/const" target="_top" rel="nofollow">http://repo.or.cz/w/Samba/mdw.git/shortlog/refs/heads/const</a><br>> - "operational" work: I changed the operational attributes to be
<br>> read-only through a indeed very simple patch - I hope that's enough:
<br>> <a href="http://repo.or.cz/w/Samba/mdw.git/shortlog/refs/heads/operational" target="_top" rel="nofollow">http://repo.or.cz/w/Samba/mdw.git/shortlog/refs/heads/operational</a><br>> - "index counters": I corrected the patch for LDB
<br>> (<a href="http://repo.or.cz/w/Samba/mdw.git/commitdiff/8fec9b617e00dc577bdaebad4" target="_top" rel="nofollow">http://repo.or.cz/w/Samba/mdw.git/commitdiff/8fec9b617e00dc577bdaebad4</a><br>> 5440a612c23cd15)
<br>> - hope to have fixed it according to your suggestions
<br>>
<br>> Matthias
<br></div><p>From forum: <a href="http://old.nabble.com/Samba---samba-technical-f13164.html" embed="fixTarget[13164]" target="_top" >Samba - samba-technical</a></p>tag:old.nabble.com,2006:post-26478915[s4] My recent work2009-11-23T06:20:35Z2009-11-23T06:20:35ZMatthias Dieter Wallnöfer-3Hi abartlet and other s4 developers,
<br><br>I would like to bring to attention my recent work:
<br>- "const" patches: I did improvements over the last weekend and some
<br>(those in common with s3) where merged - the s4 ones are outstanding:
<br><a href="http://repo.or.cz/w/Samba/mdw.git/shortlog/refs/heads/const" target="_top" rel="nofollow">http://repo.or.cz/w/Samba/mdw.git/shortlog/refs/heads/const</a><br>- "operational" work: I changed the operational attributes to be
<br>read-only through a indeed very simple patch - I hope that's enough:
<br><a href="http://repo.or.cz/w/Samba/mdw.git/shortlog/refs/heads/operational" target="_top" rel="nofollow">http://repo.or.cz/w/Samba/mdw.git/shortlog/refs/heads/operational</a><br>- "index counters": I corrected the patch for LDB
<br>(<a href="http://repo.or.cz/w/Samba/mdw.git/commitdiff/8fec9b617e00dc577bdaebad45440a612c23cd15" target="_top" rel="nofollow">http://repo.or.cz/w/Samba/mdw.git/commitdiff/8fec9b617e00dc577bdaebad45440a612c23cd15</a>)
<br>- hope to have fixed it according to your suggestions
<br><br>Matthias
<br><p>From forum: <a href="http://old.nabble.com/Samba---samba-technical-f13164.html" embed="fixTarget[13164]" target="_top" >Samba - samba-technical</a></p>tag:old.nabble.com,2006:post-26478906Re: a few SD questions2009-11-23T06:14:48Z2009-11-23T06:14:48ZNadezhda Ivanova-2Hi Matthias,
<br>I have some more work to do on access checks for the search request - as you can see, acl.c does not yet handle them. I expect this will be done by the end of the week. After that, kludge will stay in the codebase for a little while, and will be optionally enabled by a configuration parameter. This will allow testers (read ekacnet) to fall back to it if some very serious bug is found. I suppose eventually we will remove it altogether.
<br><br>Regards,
<br>Nadya
<br>----- Original Message -----
<br>> From: Matthias Dieter Wallnöfer <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26478906&i=0" target="_top" rel="nofollow">mdw@...</a>>
<br>> To: Nadezhda Ivanova <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26478906&i=1" target="_top" rel="nofollow">nadezhda.ivanova@...</a>>
<br>> Cc: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26478906&i=2" target="_top" rel="nofollow">mat@...</a> <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26478906&i=3" target="_top" rel="nofollow">mat@...</a>>, <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26478906&i=4" target="_top" rel="nofollow">samba-technical@...</a> <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26478906&i=5" target="_top" rel="nofollow">samba-technical@...</a>>, Andrew Bartlett <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26478906&i=6" target="_top" rel="nofollow">abartlet@...</a>>
<br>> Sent: Monday, November 23, 2009 4:00:21 PM GMT+0200 Europe;Athens
<br>> Subject: Re: a few SD questions
<br><div class='shrinkable-quote'><br>> > Hi Nadya,
<br>>
<br>> (maybe a bit out of topic - but I think it's worth to ask) do you plan
<br>>
<br>> to remove the "kludge_acl" module? I think with your recent work it's
<br>> nearly obsolete and I personally don't see it useful anymore (to be
<br>> honest I would like to see it dropped soon). I think with some minor
<br>> work and suggestions by abartlet it should be feasible.
<br>>
<br>> Matthias
<br>>
<br>> Nadezhda Ivanova wrote:
<br>> > Hi Mattieu,
<br>> > Thanks for the research. I do not understand however why you expect
<br>> to have an ID (I assume that is what you mean by DI) flag in the DACL
<br>> ace. The DACL has the P flag, which means break inheritance - we are
<br>> not supposed to inherit anything from the parent in the DACL. This is
<br>> also the case in the win2k3 descriptor that you have pasted. In that
<br>> descriptor you seem to have nothing inherited in the DACL as well.
<br>> > The sacl seems to me missing an inherit only flag, will have to
<br>> debug what is causing this...
<br>> > I am also not sure about the differences in the group. Are you sure
<br>> the policy in win2k3 has been created without providing an owner or a
<br>> group?
<br>> >
<br>> > Regards,
<br>> > Nadya
<br>> > ----- Original Message -----
<br>> >
<br>> >> From: Matthieu Patou<<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26478906&i=7" target="_top" rel="nofollow">mat@...</a>>
<br>> >> To: samba-technical<<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26478906&i=8" target="_top" rel="nofollow">samba-technical@...</a>>, Nadezhda
<br>> Ivanova<<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26478906&i=9" target="_top" rel="nofollow">nadezhda.ivanova@...</a>>
<br>> >> Sent: Monday, November 23, 2009 8:42:09 AM GMT+0200 Europe;Athens
<br>> >> Subject: a few SD questions
<br>> >>
<br>> >
<br>> >>> Hello nadya,
<br>> >>>
<br>> >> I made some tests today with GPO and it seems that things are
<br>> getting
<br>> >> a
<br>> >> lot more better
<br>> >>
<br>> >> Below it's the SD for a newly created policy, it quite OK just we
<br>> have
<br>> >>
<br>> >> the duplicate ACL for Domain Admins due to the fact that the
<br>> creator
<br>> >> owner is Domain Admin. Also I think that we should have the AI
<br>> control
<br>> >>
<br>> >> flag as the SD is DACL_PROTECTED and that it has some (all?) ACL
<br>> from
<br>> >> the parent SD. Also those inherited ACE should have the flag DI
<br>> >> (although it isn't very clear what is the effect of this flag,
<br>> seems
<br>> >> more cosmetic than something else to me).
<br>> >>
<br>> >> O:S-1-5-21-487418869-183637953-2310109715-512G:
<br>> >> S-1-5-21-487418869-183637953-2310109715-513D:P
<br>> >>
<br>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-487418869-183637953-231010971
<br>>
<br>> >> 5-512)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-2
<br>> >> 1-487418869-183637953-2310109715-519)
<br>> >> (A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-
<br>> >>
<br>> >>
<br>> 487418869-183637953-2310109715-512)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;C
<br>>
<br>> >> O)(A;C
<br>> >> I;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)
<br>> >> (A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-1
<br>> >> 1d1-b41d-00a0c968f939;;AU)
<br>> >> (A;CI;RPLCLORC;;;ED)
<br>> >> S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0
<br>> >>
<br>> >>
<br>> -11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CII
<br>>
<br>> >> DSA;WP
<br>> >>
<br>> >>
<br>> ;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa00304
<br>>
<br>> >> 9e2;WD
<br>> >> )
<br>> >>
<br>> >>
<br>> >>
<br>> >> In the same time here is the SD for a newly create gpo in w2k3:
<br>> >> They are identical for the DACL part, there is still some
<br>> difference
<br>> >> on
<br>> >> the sacl part. Also it's worth noting that the group is different
<br>> >>
<br>> >>
<br>> O:S-1-5-21-3208502064-746857408-2662927446-512G:S-1-5-21-3208502064-746
<br>>
<br>> >> 857408-2662927446-512
<br>> >> D:PAI
<br>> >>
<br>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-26629274
<br>>
<br>> >> 46-512)
<br>> >>
<br>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-26629274
<br>>
<br>> >> 46-519)
<br>> >>
<br>> (A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-2662927446
<br>>
<br>> >> -512)
<br>> >> (A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)
<br>> >> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)
<br>> >> (A;CI;RPLCLORC;;;AU)
<br>> >> (OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)
<br>> >> (A;CI;RPLCLORC;;;ED)
<br>> >> S:AI
<br>> >>
<br>> (OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0
<br>>
<br>> >> -a285-00aa003049e2;WD)
<br>> >>
<br>> (OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0
<br>>
<br>> >> -a285-00aa003049e2;WD)
<br>> >> (OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)
<br>> >>
<br>> >>
<br>> >> Matthieu.
<br>> >>
<br>> >
<br></div><p>From forum: <a href="http://old.nabble.com/Samba---samba-technical-f13164.html" embed="fixTarget[13164]" target="_top" >Samba - samba-technical</a></p>tag:old.nabble.com,2006:post-26478705Re: home directories ask user for password2009-11-23T06:09:03Z2009-11-23T06:09:03ZMassimo-21>Perhaps removing the 'valid users' solves your problem. In theory it can
<br>>only display the homedir of the user connecting. The 'homes' share is
<br>>translated to the user name. Below if my current config that is working
<br>>for me. The preexec that I have is creating the homedir if it does not
<br>>exist (Perhaps that may be another possible cause of your error?).
<br>>Script is included. Make sure you change $path to your homedir location.
<br>>For quota uncomment and change the quota function for a given device.
<br><br>Hi Ton, Thank you for the help.
<br>I tryed to set your configuration.
<br>It creates the home directories but I receive access denied, wathching into the log I found that it looking for username.dll file but I don't know the matter.
<br>Below the log ...
<br>Bye
<br>Massimo
<br><br><br><br>[2009/11/23 14:43:05, 0] param/loadparm.c:process_usershare_file(4611)
<br> process_usershare_file: stat of /var/lib/samba/usershares/massimo.dll failed. Permission denied
<br>[2009/11/23 14:43:07, 0] param/loadparm.c:process_usershare_file(4611)
<br> process_usershare_file: stat of /var/lib/samba/usershares/massimo.dll failed. No such file or directory
<br>[2009/11/23 14:43:07, 0] smbd/service.c:make_connection(1200)
<br> kdgp3fb (10.29.30.1) couldn't find service massimo.dll
<br>[2009/11/23 14:43:07, 0] smbd/service.c:set_current_service(184)
<br> chdir (/home/massimo) failed
<br>[2009/11/23 14:43:07, 0] param/loadparm.c:process_usershare_file(4611)
<br> process_usershare_file: stat of /var/lib/samba/usershares/massimo.dll failed. Permission denied
<br>[2009/11/23 14:43:09, 0] param/loadparm.c:process_usershare_file(4611)
<br> process_usershare_file: stat of /var/lib/samba/usershares/massimo.dll failed. No such file or directory
<br>[2009/11/23 14:43:09, 0] smbd/service.c:make_connection(1200)
<br> kdgp3fb (10.29.30.1) couldn't find service massimo.dll
<br>[2009/11/23 14:43:09, 0] smbd/service.c:set_current_service(184)
<br> chdir (/home/massimo) failed
<br>[2009/11/23 14:43:09, 0] smbd/service.c:set_current_service(184)
<br> chdir (/home/massimo) failed
<br>[2009/11/23 14:43:09, 0] smbd/service.c:set_current_service(184)
<br> chdir (/home/massimo) failed
<br>[2009/11/23 14:43:09, 0] smbd/service.c:set_current_service(184)
<br> chdir (/home/massimo) failed
<br>--
<br>To unsubscribe from this list go to the following URL and read the
<br>instructions: <a href="https://lists.samba.org/mailman/options/samba" target="_top" rel="nofollow">https://lists.samba.org/mailman/options/samba</a><br><p>From forum: <a href="http://old.nabble.com/Samba---General-f62.html" embed="fixTarget[62]" target="_top" >Samba - General</a></p>tag:old.nabble.com,2006:post-26478634Re: a few SD questions2009-11-23T06:05:09Z2009-11-23T06:05:09ZMatthias Dieter Wallnöfer-3Hi Nadya,
<br><br>(maybe a bit out of topic - but I think it's worth to ask) do you plan
<br>to remove the "kludge_acl" module? I think with your recent work it's
<br>nearly obsolete and I personally don't see it useful anymore (to be
<br>honest I would like to see it dropped soon). I think with some minor
<br>work and suggestions by abartlet it should be feasible.
<br><br>Matthias
<br><br>Nadezhda Ivanova wrote:
<div class='shrinkable-quote'><br>> Hi Mattieu,
<br>> Thanks for the research. I do not understand however why you expect to have an ID (I assume that is what you mean by DI) flag in the DACL ace. The DACL has the P flag, which means break inheritance - we are not supposed to inherit anything from the parent in the DACL. This is also the case in the win2k3 descriptor that you have pasted. In that descriptor you seem to have nothing inherited in the DACL as well.
<br>> The sacl seems to me missing an inherit only flag, will have to debug what is causing this...
<br>> I am also not sure about the differences in the group. Are you sure the policy in win2k3 has been created without providing an owner or a group?
<br>>
<br>> Regards,
<br>> Nadya
<br>> ----- Original Message -----
<br>>
<br>>> From: Matthieu Patou<<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26478634&i=0" target="_top" rel="nofollow">mat@...</a>>
<br>>> To: samba-technical<<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26478634&i=1" target="_top" rel="nofollow">samba-technical@...</a>>, Nadezhda Ivanova<<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26478634&i=2" target="_top" rel="nofollow">nadezhda.ivanova@...</a>>
<br>>> Sent: Monday, November 23, 2009 8:42:09 AM GMT+0200 Europe;Athens
<br>>> Subject: a few SD questions
<br>>>
<br>>
<br>>>> Hello nadya,
<br>>>>
<br>>> I made some tests today with GPO and it seems that things are getting
<br>>> a
<br>>> lot more better
<br>>>
<br>>> Below it's the SD for a newly created policy, it quite OK just we have
<br>>>
<br>>> the duplicate ACL for Domain Admins due to the fact that the creator
<br>>> owner is Domain Admin. Also I think that we should have the AI control
<br>>>
<br>>> flag as the SD is DACL_PROTECTED and that it has some (all?) ACL from
<br>>> the parent SD. Also those inherited ACE should have the flag DI
<br>>> (although it isn't very clear what is the effect of this flag, seems
<br>>> more cosmetic than something else to me).
<br>>>
<br>>> O:S-1-5-21-487418869-183637953-2310109715-512G:
<br>>> S-1-5-21-487418869-183637953-2310109715-513D:P
<br>>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-487418869-183637953-231010971
<br>>> 5-512)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-2
<br>>> 1-487418869-183637953-2310109715-519)
<br>>> (A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-
<br>>>
<br>>> 487418869-183637953-2310109715-512)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;C
<br>>> O)(A;C
<br>>> I;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)
<br>>> (A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-1
<br>>> 1d1-b41d-00a0c968f939;;AU)
<br>>> (A;CI;RPLCLORC;;;ED)
<br>>> S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0
<br>>>
<br>>> -11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CII
<br>>> DSA;WP
<br>>>
<br>>> ;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa00304
<br>>> 9e2;WD
<br>>> )
<br>>>
<br>>>
<br>>>
<br>>> In the same time here is the SD for a newly create gpo in w2k3:
<br>>> They are identical for the DACL part, there is still some difference
<br>>> on
<br>>> the sacl part. Also it's worth noting that the group is different
<br>>>
<br>>> O:S-1-5-21-3208502064-746857408-2662927446-512G:S-1-5-21-3208502064-746
<br>>> 857408-2662927446-512
<br>>> D:PAI
<br>>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-26629274
<br>>> 46-512)
<br>>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-26629274
<br>>> 46-519)
<br>>> (A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-2662927446
<br>>> -512)
<br>>> (A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)
<br>>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)
<br>>> (A;CI;RPLCLORC;;;AU)
<br>>> (OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)
<br>>> (A;CI;RPLCLORC;;;ED)
<br>>> S:AI
<br>>> (OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0
<br>>> -a285-00aa003049e2;WD)
<br>>> (OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0
<br>>> -a285-00aa003049e2;WD)
<br>>> (OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)
<br>>>
<br>>>
<br>>> Matthieu.
<br>>>
<br>>
</div><br><p>From forum: <a href="http://old.nabble.com/Samba---samba-technical-f13164.html" embed="fixTarget[13164]" target="_top" >Samba - samba-technical</a></p>tag:old.nabble.com,2006:post-26477641Re: home directories ask user for password2009-11-23T05:01:19Z2009-11-23T05:01:19ZHoogstraten, TonMassimo,
<br><br>Perhaps removing the 'valid users' solves your problem. In theory it can
<br>only display the homedir of the user connecting. The 'homes' share is
<br>translated to the user name. Below if my current config that is working
<br>for me. The preexec that I have is creating the homedir if it does not
<br>exist (Perhaps that may be another possible cause of your error?).
<br>Script is included. Make sure you change $path to your homedir location.
<br>For quota uncomment and change the quota function for a given device.
<br><br>Regards,
<br><br>Ton
<br><br><br>[homes]
<br> comment = Home Directories
<br> read only = No
<br> browseable = No
<br> root preexec = /etc/samba/homedir.pl %U
<br> create mask = 0664
<br> directory mask = 0775
<br><br><br>homedir.pl:
<br><br>#!/usr/bin/perl -w
<br>use strict;
<br><br>my $user = shift;
<br>my $path = "<path to your homedir locations>";
<br>my $logfile = "/var/log/samba/homedir.log";
<br><br>if (! -d "$path/$user" && $user) {
<br>
<br> if (my $uid = getpwnam($user)) {
<br><br> if ((mkdir "$path/$user",0750) && (chown $uid, -1,
<br>"$path/$user")) {
<br>
<br> open(LOG, ">>$logfile");
<br> my $time = localtime;
<br><br> print LOG "$time: Homedir $path/$user for
<br>uid:$uid created.\n";
<br>
<br> #Set default quota for mount points:
<br> #quota($user,15000,"</dev/sda>");
<br>
<br> close(LOG);
<br> }
<br> }
<br>}
<br><br><br><br>sub quota {
<br>my $user = shift;
<br>my $quota = shift;
<br>my $mount = shift;
<br><br> if (system("/usr/sbin/setquota -u $user 0 $quota 0 0 $mount") ==
<br>0)
<br> {
<br> my $time = localtime;
<br> print LOG "$time: Updated quota settings for user $user on
<br>$mount\n";
<br> }
<br><br>}
<br><br>--
<br>To unsubscribe from this list go to the following URL and read the
<br>instructions: <a href="https://lists.samba.org/mailman/options/samba" target="_top" rel="nofollow">https://lists.samba.org/mailman/options/samba</a><br><p>From forum: <a href="http://old.nabble.com/Samba---General-f62.html" embed="fixTarget[62]" target="_top" >Samba - General</a></p>tag:old.nabble.com,2006:post-26477434Re: Samba 3.0.33/3.2.15 AD joined slow initial connect with LDAP backend2009-11-23T04:45:53Z2009-11-23T04:45:53ZHoogstraten, TonDiego,
<br><br>Thank you for your reply. I'm testing with 3.0.33 since that's the latest version Redhat is using in RHEL5 (Redhat has the habbit of holding a version and do backport patching). The 3.2.x version was marked for production and what I saw in FAQ was that the 3.4.x was still to experiment with?
<br><br>If you mean the 'winbind enum users/groups' setting that has been turned off as suggested in the man pages. If activated it could crash a certain role AD controller. That's not something I can risk. But would that in normal behaviour not fill somekind of cache? If I increase the caching in theory that would perhaps reduce the numer of queries required for a user at a given time. I don't know if it would be a problem setting this to 3 days so the cache could also pass over the weekend. Does not take away why it takes so long to query the AD.
<br><br>What do you mean with:
<br><br>Looking up group names is really slow (up to a couple of minutes when using "id user.name" or "groups user.name").
<br><br>Is it always slow to query the AD? Would the 3.0.23d server that I need to upgrade be using more caching then the later versions by default?
<br><br>To answer your last question. Yes, the ldap is running on the local system for the idmaps. In production I have one samba server running a master ldap idmap backend and the other samba server configured as slave.
<br><br>Kind regards,
<br><br>Ton
<br><br><br>-----Original Message-----
<br>From: Diego Zuccato [mailto:<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26477434&i=0" target="_top" rel="nofollow">diego.zuccato@...</a>]
<br>Sent: maandag 23 november 2009 12:42
<br>To: Hoogstraten, Ton
<br>Subject: Re: [Samba] Samba 3.0.33/3.2.15 AD joined slow initial connect with LDAP backend
<br><br>Hoogstraten, Ton wrote:
<br><br>> However on the test 3.0.33 system I'm experiencing a problem that I
<br>Why are you using such an ancient version? What about 3.4.x ?
<br><br>> I think the explanation for the difference in slowness per user is based
<br>> on the group membership of that user. For example an user that is only a
<br>> member of Domain Users takes about 10 seconds to display the shares
<br>> (still to slow in my opinion). For testing purpose I've reduced the
<br>> cache for winbind and idmap so the server needs to keep looking up the
<br>> user and SID information.
<br>Looking up group names is really slow (up to a couple of minutes when
<br>using "id user.name" or "groups user.name").
<br><br>Have you tried playing with enum users/groups ? If activated on large AD
<br>trees, it could impact performances a lot!
<br><br>> idmap alloc config:ldap_url = ldap://127.0.0.1/
<br>Are you using a locally running (on localhost!) ldap server?
<br><br>--
<br>Diego Zuccato
<br>Servizi Informatici
<br>Dip. di Astronomia - Università di Bologna
<br>Via Ranzani, 1 - 40126 Bologna - Italy
<br>tel.: +39 051 20 95786
<br>mail: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26477434&i=1" target="_top" rel="nofollow">diego.zuccato@...</a>
<br>--
<br>To unsubscribe from this list go to the following URL and read the
<br>instructions: <a href="https://lists.samba.org/mailman/options/samba" target="_top" rel="nofollow">https://lists.samba.org/mailman/options/samba</a><br><p>From forum: <a href="http://old.nabble.com/Samba---General-f62.html" embed="fixTarget[62]" target="_top" >Samba - General</a></p>tag:old.nabble.com,2006:post-26477064Re: FreeBSD 7.2 domain member problem - partially SOLVED2009-11-23T04:17:53Z2009-11-23T04:17:53ZDaniel O'Connor-2On Mon, 23 Nov 2009, Ivo Karabojkov wrote:
<br>> I am sure it should work without these strange links I've made.
<br>> I don't know what is the problem. I use ports, just to keep my
<br>> installations more standard.
<br>>
<br>> May you point me a good manual how to set up nss/ldap with Samba?
<br><br>I used the samba how to guide and googled, the net/smbldap-tools is
<br>pretty helpful.
<br><br>That said it wasn't especially simple to setup :(
<br><br>However I don't use winbind on my FreeBSD machine, I use nss/pam_ldap
<br>and Samba talks to the LDAP server as well.
<br><br>--
<br>Daniel O'Connor software and network engineer
<br>for Genesis Software - <a href="http://www.gsoft.com.au" target="_top" rel="nofollow">http://www.gsoft.com.au</a><br>"The nice thing about standards is that there
<br>are so many of them to choose from."
<br> -- Andrew Tanenbaum
<br>GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
<br><br /> <br />--
<br>To unsubscribe from this list go to the following URL and read the
<br>instructions: <a href="https://lists.samba.org/mailman/options/samba" target="_top" rel="nofollow">https://lists.samba.org/mailman/options/samba</a><div class="small"><br/><img src="http://old.nabble.com/images/icon_attachment.gif" > <strong>signature.asc</strong> (195 bytes) <a href="http://old.nabble.com/attachment/26477064/0/signature.asc" target="_top">Download Attachment</a></div><p>From forum: <a href="http://old.nabble.com/Samba---General-f62.html" embed="fixTarget[62]" target="_top" >Samba - General</a></p>tag:old.nabble.com,2006:post-26476610home directories ask user for password2009-11-23T03:47:24Z2009-11-23T03:47:24ZMassimo-21Hi to all,
<br>I have Samba configured as domain member with winbind and kerberos, I can access all share but I have some problem with the home directories because it ask me for password.
<br><br>This is my smb.conf
<br>[global]
<br> workgroup = domain
<br> netbios name = Manufac
<br> server string = Server di rete
<br> comment = server di rete
<br> encrypt passwords = true
<br> realm = DOMAIN..LOCAL
<br> password server = pdc01.domain.local
<br> security = ADS
<br> winbind enum users = yes
<br> winbind enum groups = yes
<br> winbind separator= +
<br> idmap uid = 500-100000000
<br> idmap gid = 500-100000000
<br> template shell = /bin/true
<br> syslog = 0
<br> log file = /var/log/samba/log.%m
<br> max log size = 1000
<br> dns proxy = No
<br> ldap ssl = no
<br> panic action = /usr/share/samba/panic-action %d
<br> invalid users = root
<br> template homedir = /home/%U
<br>[homes]
<br> comment = Home Directories
<br> browseable = no
<br> writable = yes
<br> public = no
<br> valid users = DOMAIN/%U
<br> create mode = 0777
<br> directory mode = 0777
<br><br>I have the home directory created in /home/ with domain user right
<br><br>Thank you in advance.
<br><br>Bye
<br>--
<br>To unsubscribe from this list go to the following URL and read the
<br>instructions: <a href="https://lists.samba.org/mailman/options/samba" target="_top" rel="nofollow">https://lists.samba.org/mailman/options/samba</a><br><p>From forum: <a href="http://old.nabble.com/Samba---General-f62.html" embed="fixTarget[62]" target="_top" >Samba - General</a></p>