CentOS - Feb 2009 - Easiest way to get samba up and working for Windows users?

Everytime I have to setup samba to handle Windows users, sometime
inadvertently goes wrong or doesn''t work the way I expected, or takes
forever to setup, especially when there are many users and various policies.
So far, the easiest, sureest and quickest method appears to be install
WindowsXP into VMWare and use it to handle Windows sharing. Needless to say,
this strucks me as rather ironic and stupid.

Thus could anybody please suggest a working frontend to samba that makes it
easy to add users, set their permissions and get something that works like
basic windows file sharing?

So far I''ve tried the following which all don''t quite work.

1. CentOS''s samba configuration tool
- added users never show up on the share configuration so the only shares it
could create was for public access.

2. Webmin
- thinks it added the users, but again they never show up when checked
against the bundled CentOS tool and needless to say, the shares never work
too

3. Samba SWAT
- Very confusing tool, selecting shares sometimes end up as another share,
and again, doesn''t seem to work.


So I just need a very basic tool that will reliably allow me to do the
following
- specify user name, specify password, and maybe specify a group
- specify a share the user or group has read only or read/write access
- force new files/folders to take on group ID so that it behaves like a
normal windows share

Don''t need print services or anything, it''s just far easier to
dump a
hardware print server into the network than to contemplate the additional
complexity of making something like CUPS work.

Just need to make sure that the Windows users can browse to the folders, get
a prompt for their login and password where needed.

Thanks!
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.centos.org/pipermail/centos/attachments/20090224/5331795f/attachment.html

On Tue, 2009-02-24 at 02:53 +0800, Noob Centos Admin
wrote:
> Everytime I have to setup samba to handle Windows users, sometime
> inadvertently goes wrong or doesn''t work the way I expected, or
takes
> forever to setup, especially when there are many users and various
> policies. So far, the easiest, sureest and quickest method appears to
> be install WindowsXP into VMWare and use it to handle Windows sharing.
> Needless to say, this strucks me as rather ironic and stupid.
> 
> Thus could anybody please suggest a working frontend to samba that
> makes it easy to add users, set their permissions and get something
> that works like basic windows file sharing?
> 
> So far I''ve tried the following which all don''t quite
work.
> 
> 1. CentOS''s samba configuration tool
> - added users never show up on the share configuration so the only
> shares it could create was for public access.
> 
> 2. Webmin
> - thinks it added the users, but again they never show up when checked
> against the bundled CentOS tool and needless to say, the shares never
> work too
> 
> 3. Samba SWAT
> - Very confusing tool, selecting shares sometimes end up as another
> share, and again, doesn''t seem to work.
> 
> 
> So I just need a very basic tool that will reliably allow me to do the
> following
> - specify user name, specify password, and maybe specify a group
> - specify a share the user or group has read only or read/write access
> - force new files/folders to take on group ID so that it behaves like
> a normal windows share
> 
> Don''t need print services or anything, it''s just far
easier to dump a
> hardware print server into the network than to contemplate the
> additional complexity of making something like CUPS work.
> 
> Just need to make sure that the Windows users can browse to the
> folders, get a prompt for their login and password where needed.
----
probably not the answer you want to hear but...

swat is supposed to be the tool for simple administration.

You are asking several questions but lumping them all under one category
samba. The concept of UNIX or Linux administration is simple text files
that can be manipulated with just about any editor that suits you though
I would suggest that you refrain from using Windows editors because they
add line endings that often cause issues.

the group idea is rather simple...
let''s say that you have a directory /home/samba/files and you set up a
share in smb.conf called [Files], and all your users are members of the
group ''users'' then you would simply ''chgrp users
/home/samba/files'' and
''chmod g+s /home/samba/files'' and that enables the
''group sticky bit'' so
that all files and folders in that directory are owned by group
''users''

Now adding users is a bit more complicated in that samba users must
necessarily be Linux users AND samba users so they would have to be
added to both systems.

Something like Webmin can help here in that it can be configured to
automatically create the samba user at the same time that a Linux user
is created but it doesn''t do that upon first install.

You probably want to check out something like the ''Samba By
Example''
publication which can be purchased at your favorite bookstore in dead
tree form or can be downloaded in PDF form or read online @
http://www.samba.org/samba/docs (see left side) which will walk you
through basic steps.

Craig

Noob Centos Admin wrote:
> 
> So far I''ve tried the following which all don''t quite
work.
> 
> 1. CentOS''s samba configuration tool
> - added users never show up on the share configuration so the only shares
it
> could create was for public access.
> 
The samba configuration tool (system-config-samba) is finally fixed in 
5.3 (due out soon) and will now correctly show added samba users :-)

On Tue, Feb 24, 2009 at 3:12 AM, Craig White <craigwhite at azapple.com>
wrote:
>
> probably not the answer you want to hear but...
> swat is supposed to be the tool for simple administration.

I was afraid of that. By the time I gave up and completed the task manually,
I was thinking maybe it might be easier to write my own script to repeat all
those useradd, gpasswd -a, smbpasswd and nano smb.conf :(

> You are asking several questions but lumping them all under one category
> samba. The concept of UNIX or Linux administration is simple text files
> that can be manipulated with just about any editor that suits you though  I
> would suggest that you refrain from using Windows editors because they  add
> line endings that often cause issues.

No worries about that one, I only edit conf files on my CentOS box using
nano. The closest to using Windows for this is to manage my servers are SSH
through putty, and writing long php scripts to be uploaded.

> the group idea is rather simple...
> let''s say that you have a directory /home/samba/files and you set
up a
> share in smb.conf called [Files], and all your users are members of the
> group ''users'' then you would simply ''chgrp users
/home/samba/files'' and
> ''chmod g+s /home/samba/files'' and that enables the
''group sticky bit'' so
> that all files and folders in that directory are owned by group
''users''

For a single common to everybody share it was easy of course. In fact, for
something like that, I''ll do away with bothering everybody with a login
and
simply make a single login everybody shares for filesharing.

It''s when I have 8 people  who have to share aaa, then a sub group B
have to
share bbb, then a subgroup C have to share ccc, then a subgroup of people
from B+C need to share ddd and so forth that it becomes untenable to do
everything by hand and the tools at the moment just dont cut it.

Now adding users is a bit more complicated in that samba users
must
> necessarily be Linux users AND samba users so they would have to be added
> to both systems.

This was one of the caveats I discovered over time, struggling with webmin
and the likes.

Something like Webmin can help here in that it can be configured
to
> automatically create the samba user at the same time that a Linux user  is
> created but it doesn''t do that upon first install.

Except of course webmin doesn''t actually create the smbuser correctly.
Maybe
it has to do with how I use it, but maybe again like CentOS''s tool,
that
particular functionality is actually broken.


You probably want to check out something like the ''Samba By
Example''
> publication which can be purchased at your favorite bookstore in dead  tree
> form or can be downloaded in PDF form or read online @
> http://www.samba.org/samba/docs (see left side) which will walk you
> through basic steps.

Trust me, I did read through that. I usually don''t like to bug people
for
help unless I really cannot find any relevant existing information and
cannot figure out what else can I try.


Thanks for replying in any case :)
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.centos.org/pipermail/centos/attachments/20090224/d72502cc/attachment.html

On Tue, Feb 24, 2009 at 3:23 AM, Ned Slider <ned at unixmail.co.uk> wrote:

> The samba configuration tool (system-config-samba) is finally fixed in
> 5.3 (due out soon) and will now correctly show added samba users :-)
>
Honestly, I''m so glad to see this! Although I won''t likely
benefit from it
until the next server install or re-install, at least I now know it
wasn''t
ME! :D
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.centos.org/pipermail/centos/attachments/20090224/d0dcddee/attachment.html

Noob Centos Admin wrote:
> 
> 
>     probably not the answer you want to hear but...
>     swat is supposed to be the tool for simple administration.
> 
> 
> I was afraid of that. By the time I gave up and completed the task 
> manually, I was thinking maybe it might be easier to write my own script 
> to repeat all those useradd, gpasswd -a, smbpasswd and nano smb.conf :(
Is there a windows domain or AD in this picture somewhere?  If so, point 
samba authentication there and don''t worry about separate
passwords.
> 
> No worries about that one, I only edit conf files on my CentOS box using 
> nano. The closest to using Windows for this is to manage my servers are 
> SSH through putty, and writing long php scripts to be uploaded.
If you want something nicer, run freenx on the server and the NX client 
from www.nomachine.com for your windows box.  That lets you connect to a 
complete GUI desktop remotely and conveniently.
> For a single common to everybody share it was easy of course. In fact, 
> for something like that, I''ll do away with bothering everybody
with a
> login and simply make a single login everybody shares for filesharing.
> 
> It''s when I have 8 people  who have to share aaa, then a sub group
B
> have to share bbb, then a subgroup C have to share ccc, then a subgroup 
> of people from B+C need to share ddd and so forth that it becomes 
> untenable to do everything by hand and the tools at the moment just dont 
> cut it.
Not that complicated.  Just create groups as needed and add the 
appropriate users to each group (independently, don''t worry about which
are sub-groups of others).

Then the samba shares look like:

[aaa-share]
    comment = aaa workspace
    path = /path/to/aaa-share
    public = no
    valid users = @aaa
    writable = yes
    printable = no
    force create mode = 0775
    force directory mode = 775
    force group = aaa

You might want some other mode, just make sure it is group-read/write. 
Then you can cut/paste those, substituting the appropriate groups, and 
do an initial chgrp -R and chmod -R of the top directories to make sure 
they have the right starting ownership and modes.
> Except of course webmin doesn''t actually create the smbuser
correctly.
> Maybe it has to do with how I use it, but maybe again like
CentOS''s
> tool, that particular functionality is actually broken.
If you use smb authentication against a domain controller, all you have 
to do is create the linux users with the same login name.  With winbind 
you might not even have to do that, but then I don''t know how you 
control the groups.

-- 
   Les Mikesell
    lesmikesell at gmail.com

Noob Centos Admin wrote:
> On Tue, Feb 24, 2009 at 3:23 AM, Ned Slider <ned at unixmail.co.uk>
wrote:
> 
> 
>> The samba configuration tool (system-config-samba) is finally fixed in
>> 5.3 (due out soon) and will now correctly show added samba users :-)
>>
> 
> Honestly, I''m so glad to see this! Although I won''t
likely benefit from it
> until the next server install or re-install, at least I now know it
wasn''t
> ME! :D
> 
It is documented on the bug tracker and forums so is a well known issue 
and is fixed in system-config-samba-1.2.41-3.el5. You could always grab 
the upstream src.rpm now and build it yourself.

On Tue, Feb 24, 2009 at 5:52 AM, Les Mikesell <lesmikesell at gmail.com>
wrote:
> Is there a windows domain or AD in this picture somewhere?
Not at all for all the usual Windows network migrations I''ve been
setting up. Typically small offices with less than 20 people so they
simply used workgroups without domains.
> If you want something nicer, run freenx on the server and the NX
Thanks for the suggestion, I discovered freenx just days ago and
actually had the packages installed on the new setup, just have not
gotten around to using it.
> Then the samba shares look like:
>
> [aaa-share]
> ? ?comment = aaa workspace
> ? ?path = /path/to/aaa-share
> ? ?public = no
> ? ?valid users = @aaa
> ? ?writable = yes
> ? ?printable = no
> ? ?force create mode = 0775
> ? ?force directory mode = 775
> ? ?force group = aaa
I just had an OMFG moment reading your conf. Does the valid users=@aaa
means all users in the group aaa? I thought I had read it to mean
exclude hence never tried it, instead I had tried things like valid
users = groupAAA which obviously didn''t work.
> If you use smb authentication against a domain controller
>all you have  to do is create the linux users with the same login
> name. ?With winbind  you might not even have to do that, but
> then I don''t know how you
> control the groups.
Would setting up a domain controller on the CentOS be better in the
long run for only 10 to 20 people situation? I''ve avoided it since
I''m
still learning to setup Linux based servers and didn''t want to bite
off more than I can chew.

Thanks again for all the suggestions!

On Tue, Feb 24, 2009 at 6:26 AM, Ned Slider <ned at unixmail.co.uk>
wrote:
> It is documented on the bug tracker and forums so is a well known
> issue and is fixed in system-config-samba-1.2.41-3.el5. You could
> always grab the upstream src.rpm now and build it yourself.
Thanks for the information, somehow it never struck me to check the
bugtracker for this since I always half assumed it must be something I
am not doing quite correctly!

Noob Centos Admin wrote:
> On Tue, Feb 24, 2009 at 5:52 AM, Les Mikesell <lesmikesell at
gmail.com> wrote:
>> Is there a windows domain or AD in this picture somewhere?
> 
> Not at all for all the usual Windows network migrations I''ve been
> setting up. Typically small offices with less than 20 people so they
> simply used workgroups without domains.
That makes it somewhat harder to use multiple machines since you end up 
having to create and maintain passwords on each.
>> If you want something nicer, run freenx on the server and the NX
> 
> Thanks for the suggestion, I discovered freenx just days ago and
> actually had the packages installed on the new setup, just have not
> gotten around to using it.
It is very much worth the trouble.
>> Then the samba shares look like:
>>
>> [aaa-share]
>>    comment = aaa workspace
>>    path = /path/to/aaa-share
>>    public = no
>>    valid users = @aaa
>>    writable = yes
>>    printable = no
>>    force create mode = 0775
>>    force directory mode = 775
>>    force group = aaa
> 
> I just had an OMFG moment reading your conf. Does the valid users=@aaa
> means all users in the group aaa? I thought I had read it to mean
> exclude hence never tried it, instead I had tried things like valid
> users = groupAAA which obviously didn''t work.
Yes, valid users means the ones allowed to connect to the share and 
@groupname is the set of users in the group.  On unix a different group 
is always a different group.  Even if only one member is different 
between groups, don''t try to make exceptions with ACLs or
you''ll wish
you hadn''t when the reasons for the exceptions change.
>> If you use smb authentication against a domain controller
>> all you have  to do is create the linux users with the same login
>> name.  With winbind  you might not even have to do that, but
>> then I don''t know how you
>> control the groups.
> 
> Would setting up a domain controller on the CentOS be better in the
> long run for only 10 to 20 people situation? I''ve avoided it since
I''m
> still learning to setup Linux based servers and didn''t want to
bite
> off more than I can chew.
If you have to ask things like that, I''d recommend looking at the free 
SME server distribution.  It mostly uses Centos packages, but is a 
''windows server'' appliance that will do everything you are
likely to
need and more (including acting as a domain controller) with all 
administration through simple web forms.  http://www.contribs.org.  It 
simplifies a lot of concepts - for example when you create groups
you''ll
get email groups as well as unix permission groups, and when you create 
the shared workspaces it calls "ibays" you can access them via http, 
ftp, and samba, and can control public and private access separately. 
The only down side is that because it is already customized and uses 
perl scripts to build the config files, it is somewhat difficult to add 
or modify things beyond what it already provides.

ClarkConnect is something similar and might be better these days but I 
haven''t looked at it for a long time.  I thought I saw a release notice
that said they were adding LDAP authentication as an option even in the 
first system which is something Linux distros have needed for a long time.

-- 
   Les Mikesell
    lesmikesell at gmail.com

On Wed, Feb 25, 2009 at 1:20 AM, Les Mikesell <lesmikesell at gmail.com>
wrote:
> That makes it somewhat harder to use multiple machines since you end up
> having to create and maintain passwords on each.
True, but the usual work behaviour here means that seldom happen. Even
if they do need to work on somebody else''s machine, most customers
simply used the permissions of whoever it is.

I''ve not quite succeeded in convincing any of them that it''s a
bad
idea to let everybody else in the department know your password for
"convenience".

> If you have to ask things like that, I''d recommend looking at the
free
> SME server distribution. ?It mostly uses Centos packages, but is a
> ''windows server'' appliance that will do everything you
are likely to
> need and more (including acting as a domain controller) with all
> administration through simple web forms.
Thanks for the suggestion, I''ll take a look at it but chances are I
won''t actually get to try it until at least a couple of months later
either with a new server or an existing. No point ruffling feathers
after just fixing what was broken! :D

Noob Centos Admin wrote:
> On Wed, Feb 25, 2009 at 1:20 AM, Les Mikesell <lesmikesell at
gmail.com> wrote:
>> That makes it somewhat harder to use multiple machines since you end up
>> having to create and maintain passwords on each.
> 
> True, but the usual work behaviour here means that seldom happen. Even
> if they do need to work on somebody else''s machine, most customers
> simply used the permissions of whoever it is.
> 
> I''ve not quite succeeded in convincing any of them that
it''s a bad
> idea to let everybody else in the department know your password for
> "convenience".
This becomes much easier when you have appropriate shared space on the 
server(s) with group access permissions so there is never any need to 
impersonate someone else.
>> If you have to ask things like that, I''d recommend looking at
the free
>> SME server distribution.  It mostly uses Centos packages, but is a
>> ''windows server'' appliance that will do everything
you are likely to
>> need and more (including acting as a domain controller) with all
>> administration through simple web forms.
> 
> Thanks for the suggestion, I''ll take a look at it but chances are
I
> won''t actually get to try it until at least a couple of months
later
> either with a new server or an existing. No point ruffling feathers
> after just fixing what was broken! :D
You can always fire one up under vmware or a test box to see how it works.

-- 
   Les Mikesell
    lesmikesell at gmail.com

I''m seriously befuddled by Samba now.

I followed the good advice given and got the previous server set up nicely.

I did the same thing on another one and it refuses to work.

1. useradd some users
2. gpasswd -a them to a "staff" group nd smbpasswd -a them
3. chmod g+s the staff directory
4. tested smbclient -L smbserver works
5. Windows user can see the Netbios name but not the share
6. Trying to access fails after timeout
7. Checked iptables/firewall not blocking
8. tail -f samba logs but nothing happens, it''s like samba never see
the incoming request. Note that it doesn''t log anything with smbclient
-L either.
9. mv the smb.conf and used a very basic one, similar to the one
suggested in this thread.
10. yum remove and installed samba again just in case

Still not working.

I''m almost certain now that samba coder snuck in a devious randomizer
that requires every single installation to only work after an random
sequence of actions is taken. :(

Any hints or magic words?

From: Noob Centos Admin <centos.admin at
gmail.com>
> 8. tail -f samba logs but nothing happens, it''s like samba never
see
> the incoming request. Note that it doesn''t log anything with
smbclient
> -L either.
Did you try to raise the log level (log level = 3)?
> I''m almost certain now that samba coder snuck in a devious
randomizer
> that requires every single installation to only work after an random
> sequence of actions is taken. :(
But I feel your pain...  I cannot count how many days I lost on Samba+Windows
issues...
Last one (not sure yet) was on Windows side: apparently, the nvidia service
preventing profiles to be saved on logout...
It is a 2007 issue and apparently it still exists!

JD

On Fri, 2009-02-27 at 17:59 +0800, Noob Centos Admin
wrote:
> I''m seriously befuddled by Samba now.
> 
> I followed the good advice given and got the previous server set up nicely.
> 
> I did the same thing on another one and it refuses to work.
> 
> 1. useradd some users
> 2. gpasswd -a them to a "staff" group nd smbpasswd -a them
> 3. chmod g+s the staff directory
How about chown -R root:staff /directory_name ???
                   chmod -R 777 /directory_name ???
> 4. tested smbclient -L smbserver works
smbclient -L localhost -U% try that.
> 5. Windows user can see the Netbios name but not the share
> 6. Trying to access fails after timeout
> 7. Checked iptables/firewall not blocking
> 8. tail -f samba logs but nothing happens, it''s like samba never
see
> the incoming request. Note that it doesn''t log anything with
smbclient
> -L either.
> 9. mv the smb.conf and used a very basic one, similar to the one
> suggested in this thread.
> 10. yum remove and installed samba again just in case
> 
> Still not working.
> 
> I''m almost certain now that samba coder snuck in a devious
randomizer
> that requires every single installation to only work after an random
> sequence of actions is taken. :(
> 
> Any hints or magic words?
-----
Just to rule out user input error take the working samba configuration
from the previous server and copy it over to the current none working
one. Then "service smb reload" or "service smb restart".

At least make sure you are working with the same samba package versions.
Lastly it would be or "WE" could help a bit more if you posted the
current configuration your working with to possibly spot errors in it.

JohnStanley

On Fri, Feb 27, 2009 at 8:12 PM, JohnS <jses27 at gmail.com>
wrote:
> How about chown -R root:staff /directory_name ???
> ? ? ? ? ? ? ? ? ? chmod -R 777 /directory_name ???
The directory was chown -R to staff:staff and chmod -R to 770
I''ll give a try on 777 on Monday (US Sunday). They are currently using
an older Win2K server for sharing so not an urgent transition hence I
don''t get to go in again until they start on Monday.
>> 4. tested smbclient -L smbserver works
>
> smbclient -L localhost -U% try that.
I did try the -U <username> previously. samba will ask me for a
password, and then show me the standard information. So it''s rather
odd that this doesn''t show up on log, and coming in from the network
doesn''t work at all. Iptables has the ports opened and server can be
pinged so it''s not due to traffic being blocked either.
> Just to rule out user input error take the working samba configuration
> from the previous server and copy it over to the current none working
> one. Then "service smb reload" or "service smb
restart".
Will try that on Monday, although the exact names are not quite the same.
> At least make sure you are working with the same samba package versions.
Both of them should be the latest version as in both cases, I did a
yum remove and install after initial difficulties just to clear out
any possible errors introduced by this clueless admin.
> Lastly it would be or "WE" could help a bit more if you posted
the
> current configuration your working with to possibly spot errors in it.
Ok, again, Monday :)

Thanks!

Noob Centos Admin wrote:
> I''m seriously befuddled by Samba now.
> 
> I followed the good advice given and got the previous server set up nicely.
> 
> I did the same thing on another one and it refuses to work.
> 
> 1. useradd some users
> 2. gpasswd -a them to a "staff" group nd smbpasswd -a them
> 3. chmod g+s the staff directory
> 4. tested smbclient -L smbserver works
> 5. Windows user can see the Netbios name but not the share
> 6. Trying to access fails after timeout
> 7. Checked iptables/firewall not blocking
> 8. tail -f samba logs but nothing happens, it''s like samba never
see
> the incoming request. Note that it doesn''t log anything with
smbclient
> -L either.
> 9. mv the smb.conf and used a very basic one, similar to the one
> suggested in this thread.
> 10. yum remove and installed samba again just in case
> 
> Still not working.
> 
> I''m almost certain now that samba coder snuck in a devious
randomizer
> that requires every single installation to only work after an random
> sequence of actions is taken. :(
> 
> Any hints or magic words?
First, I''ll repeat my advice about using the SME server distribution 
which makes it as easy as filling in simple forms on web pages for 
users, groups, and shares and basically would take no other 
administration unless you want email or additional services.

But, if you want to do it the hard way, you probably have an 
authentication issue.  With the default security setting of
''user'', the
windows users must authenticate before they can even see a share - and 
things get weird if the name they used to log into windows is not the 
same as the linux/samba login name.   You can still map drives if you 
explicitly specify \\server\share, ''connect as other user'' and
fill in
the name and password, but browsing for shares often doesn''t work.  If 
you aren''t too concerned about security, you can change this to 
''security = share'' and then you can browse before
authenticating, and
also have the option to authenticate as different users when connecting 
to different shares on the same machine which you can''t do in user or 
server modes.

I don''t understand the log issue, though.  Are you sure smbd is
running?
    Nmbd would be enough to activate the netbios name - maybe you have a 
syntax error in smb.conf and smbd did not start.

-- 
   Les Mikesell
    lesmikesell at gmail.com

On Sun, Mar 1, 2009 at 2:21 AM, Les Mikesell <lesmikesell at gmail.com>
wrote:
> But, if you want to do it the hard way, you probably have an
Unfortunately I do want to do it the hard way. While the SME server
would make things really easy, the lesson I learnt in the past with
easy thing is that, once something break, I will really have no idea
what is going on.

It''s kind of like folks who grew up knowing only GUI, they usually are
helpless if the mouse doesn''t work.
> authentication issue. ?With the default security setting of
''user'', the
> windows users must authenticate before they can even see a share - and
> things get weird if the name they used to log into windows is not the
> same as the linux/samba login name. ? You can still map drives if you
> explicitly specify \\server\share, ''connect as other
user'' and fill in
> the name and password, but browsing for shares often doesn''t work.
I think we have a winner! This could be it as the names they use to
log into their Windows machine are not their own. Most of them are
inherited PC, they simply continued using the previous login since no
password were set, usually.

Where as the other location was a new setup with new PC setup.
> you aren''t too concerned about security, you can change this to
> ''security = share'' and then you can browse before
authenticating, and
> also have the option to authenticate as different users when connecting
> to different shares on the same machine which you can''t do in user
or
> server modes.
I''ll probably do this since this is what they are used to, and expect.

> I don''t understand the log issue, though. ?Are you sure smbd is
running?
> ? ?Nmbd would be enough to activate the netbios name - maybe you have a
> syntax error in smb.conf and smbd did not start.
Definitely running. I have tail -f on both their logs and ls the log
folder every time. The startup message gets logged everytime I did a
service restart on trying a different setting. Which was why I was
curious why there was no log message whatsoever.

The other machine would show new logs for connecting IP/machines (I
think as a result of me using the split log function) even if they got
rejected.

On Sun, 2009-03-01 at 02:44 +0800, Noob Centos Admin
wrote:
> On Sun, Mar 1, 2009 at 2:21 AM, Les Mikesell <lesmikesell at
gmail.com> wrote:
> 
> > But, if you want to do it the hard way, you probably have an
> 
> Unfortunately I do want to do it the hard way. While the SME server
> would make things really easy, the lesson I learnt in the past with
> easy thing is that, once something break, I will really have no idea
> what is going on.
> 
> It''s kind of like folks who grew up knowing only GUI, they usually
are
> helpless if the mouse doesn''t work.
> 
> > authentication issue.  With the default security setting of
''user'', the
> > windows users must authenticate before they can even see a share - and
> > things get weird if the name they used to log into windows is not the
> > same as the linux/samba login name.   You can still map drives if you
> > explicitly specify \\server\share, ''connect as other
user'' and fill in
> > the name and password, but browsing for shares often doesn''t
work.
> 
> I think we have a winner! This could be it as the names they use to
> log into their Windows machine are not their own. Most of them are
> inherited PC, they simply continued using the previous login since no
> password were set, usually.
> 
> Where as the other location was a new setup with new PC setup.
> 
> > you aren''t too concerned about security, you can change this
to
> > ''security = share'' and then you can browse before
authenticating, and
> > also have the option to authenticate as different users when
connecting
> > to different shares on the same machine which you can''t do in
user or
> > server modes.
> 
> I''ll probably do this since this is what they are used to, and
expect.
Share Mode is depreciated now. All that does is revert back to user mode.
> > I don''t understand the log issue, though.  Are you sure smbd
is running?
> >    Nmbd would be enough to activate the netbios name - maybe you have
a
> > syntax error in smb.conf and smbd did not start.
> 
> Definitely running. I have tail -f on both their logs and ls the log
> folder every time. The startup message gets logged everytime I did a
> service restart on trying a different setting. Which was why I was
> curious why there was no log message whatsoever.
> 
> The other machine would show new logs for connecting IP/machines (I
> think as a result of me using the split log function) even if they got
> rejected.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

Noob Centos Admin wrote:
> 
>> But, if you want to do it the hard way, you probably have an
> 
> Unfortunately I do want to do it the hard way. While the SME server
> would make things really easy, the lesson I learnt in the past with
> easy thing is that, once something break, I will really have no idea
> what is going on.
There''s a tradeoff here.  When you cobble up a one-of-a-kind system 
yourself, not only is it much more likely to break than one set up by an 
expert, but no one else is going to be having the same problem so you 
won''t be able to easily get help from a mail list or forum.  If SME 
server breaks, other people will likely have already posted the 
workaround or update to fix it.
> It''s kind of like folks who grew up knowing only GUI, they usually
are
> helpless if the mouse doesn''t work.
Not exactly.  SME server mostly runs the same programs with the same 
config files as Centos, so you can look at the configs and understand 
them if you want.  The configs are actually created by perl scripts that 
merge canned snippets with your web form entries, so it is somewhat more 
difficult to modify them in ways that weren''t planned but
that''s not
really out of the question either.
>> authentication issue.  With the default security setting of
''user'', the
>> windows users must authenticate before they can even see a share - and
>> things get weird if the name they used to log into windows is not the
>> same as the linux/samba login name.   You can still map drives if you
>> explicitly specify \\server\share, ''connect as other
user'' and fill in
>> the name and password, but browsing for shares often doesn''t
work.
> 
> I think we have a winner! This could be it as the names they use to
> log into their Windows machine are not their own. Most of them are
> inherited PC, they simply continued using the previous login since no
> password were set, usually.
> 
> Where as the other location was a new setup with new PC setup.
You can test this with the explicit mapping commands.
>> you aren''t too concerned about security, you can change this
to
>> ''security = share'' and then you can browse before
authenticating, and
>> also have the option to authenticate as different users when connecting
>> to different shares on the same machine which you can''t do in
user or
>> server modes.
> 
> I''ll probably do this since this is what they are used to, and
expect.
I see someone mentioned that this may not work anymore.  Making the 
windows and Linux logins match may be a better approach.  You can test 
that on one one box to see if it works.

-- 
   Les Mikesell
    lesmikesell at gmail.com

On Sun, 2009-03-01 at 02:44 +0800, Noob Centos Admin wrote:
> > you aren''t too concerned about security, you can change this
to
> > ''security = share'' and then you can browse before
authenticating, and
> > also have the option to authenticate as different users when
connecting
> > to different shares on the same machine which you can''t do in
user or
> > server modes.
> 
> I''ll probably do this since this is what they are used to, and
expect.
----
security = share is for all purposes deprecated and probably a bad
option to start with now.
----
> > I don''t understand the log issue, though.  Are you sure smbd
is running?
> >    Nmbd would be enough to activate the netbios name - maybe you have
a
> > syntax error in smb.conf and smbd did not start.
> 
> Definitely running. I have tail -f on both their logs and ls the log
> folder every time. The startup message gets logged everytime I did a
> service restart on trying a different setting. Which was why I was
> curious why there was no log message whatsoever.
> 
> The other machine would show new logs for connecting IP/machines (I
> think as a result of me using the split log function) even if they got
> rejected.
----
you can set the log level in smb.conf between 0 and 10 (10 being
highest) and the amount of detail steadily increases. Consult the man
page for smb.conf for details. The configuration from smb.conf is
re-read approximately once a minute so you don''t actually have to
restart the service for changes once they are saved to take effect.

Also, it''s useful to note that in ''security = user''
mode, that a user
must exist in both /etc/passwd and samba
s passdb (usually now /etc/samba/passdb.tdb) and you can figure this out
by executing something like ''testparm -s -v |grep passdb'' 

If you want detailed help, it''s generally helpful to include the output
of the ''testparm -s'' command.

Last thing that I have found useful to test users and passwords in samba
are things like this from command line on Linux machine...

smbclient -L $NETBIOS_NAME -U% 
 # anonymous authentication should show shares (no password)

smbclient -L $NETBIOS_NAME -U administrator
 # should prompt administrator password and generally, there is a file
 # called /etc/samba/smbusers which maps ''root'' to
''administrator''

Once a ''user'' like administrator above can connect without
error, then
you can test access to specific shares like this...

smbclient //$NETBIOS_NAME/staff -U administrator
 # should prompt for administrator password

smbclient //$NETBIOS_NAME/staff -U $SOME_USER
 # should prompt for $SOME_USER password and if user is allowed access,
you are given a command prompt.

Craig

on 2-23-2009 10:53 AM Noob Centos Admin spake the
following:
> Everytime I have to setup samba to handle Windows users, sometime
> inadvertently goes wrong or doesn't work the way I expected, or takes
> forever to setup, especially when there are many users and various
> policies. So far, the easiest, sureest and quickest method appears to be
> install WindowsXP into VMWare and use it to handle Windows sharing.
> Needless to say, this strucks me as rather ironic and stupid.
> 
> Thus could anybody please suggest a working frontend to samba that makes
> it easy to add users, set their permissions and get something that works
> like basic windows file sharing?
> 
> So far I've tried the following which all don't quite work.
> 
> 1. CentOS's samba configuration tool
> - added users never show up on the share configuration so the only
> shares it could create was for public access.
> 
> 2. Webmin
> - thinks it added the users, but again they never show up when checked
> against the bundled CentOS tool and needless to say, the shares never
> work too
Webmin does work, as I use it all the time to add users. You have to make sure
that the user module has the option "Create and update in other
modules" set
to yes. I think it defaults to no.
> 
> 3. Samba SWAT
> - Very confusing tool, selecting shares sometimes end up as another
> share, and again, doesn't seem to work.
> 
> 
> So I just need a very basic tool that will reliably allow me to do the
> following
> - specify user name, specify password, and maybe specify a group
> - specify a share the user or group has read only or read/write access
> - force new files/folders to take on group ID so that it behaves like a
> normal windows share
Learn to use a file editor and edit the configs yourself. That is the only way
to have the best control. Once you have a working config, copy and modify it
for the next share.
> 
> Don't need print services or anything, it's just far easier to dump
a
> hardware print server into the network than to contemplate the
> additional complexity of making something like CUPS work.
> 
> Just need to make sure that the Windows users can browse to the folders,
> get a prompt for their login and password where needed.
> 
> Thanks!

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 258 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.centos.org/pipermail/centos/attachments/20090305/ffaae291/attachment-0004.sig>

On Fri, Mar 6, 2009 at 3:57 AM, Scott Silva <ssilva at sgvwater.com>
wrote:
> Learn to use a file editor and edit the configs yourself. That is the only
way
> to have the best control.
That's generally how I try to do things, except sometimes hand
"written" doesn't work the way I expect it to. Then I'd like
to have a
GUI that does works, then learn from the conf file it creates if
possible. Unfortunately, in this case they didn't work either! :D


Once you have a working config, copy and modify it
> for the next share.
That's the part of the problem I'm facing, getting a working config to
be working on another machine where things might not be exactly be the
same and the whole voodoo ritual starts anew.