=============================================================
   "Where does he get those wonders toys?"
                        -- The Joker (Batman 1989)
=============================================================

Release Announcements
=====================

This is the latest stable release of Samba. This is the version
that production Samba servers should be running for all current
bug-fixes. Please read the changes in this section and for the
original 3.0.23 release regarding new features and difference
in behavior from previous releases.

Common bugs fixed in 3.0.23b include:

  o Ambiguity with unqualified names in smb.conf parameters
    such as "force user" and "valid users".
  o Errors in 'net ads join' caused by bad IP address in the list
    of domain controllers.
  o SMB signing errors in the client and server code.
  o Domain join failures when using smbpasswd on a Samba PDC.


Member servers, domain accounts, and smb.conf
=============================================

Since Samba 3.0.8, it has been recommended that all domain
accounts listed in smb.conf on a member server be fully
qualified with the domain name. This is now a requirement.
All unqualified names are assumed to be local to the Unix
host, either as part of the server's local passdb or in the
local system list of accounts (e.g. /etc/passwd or /etc/group).

The reason for this change is that smbd has transitioned from
access checks based on string comparisons to token based
authorization. All names are resolved to a SID and then
verified against the logged on user's NT user token. Local
names will resolve to a local SID, while qualified domain
names will resolve to the appropriate domain SID.

If the member server is not running winbindd at all, domain
accounts will be implicitly mapped to local accounts and their
tokens will be modified appropriately to reflect the local
SID and group membership.

For example, the following share will restrict access to the
domain group "Linux Admins" and the local group srvadmin.

    [restricted]
        path = /data
        valid users = +"DOMAIN\Linux Admins" +srvadmin

Note that to restrict the [homes] share on a member server to the
owner of that directory, it is necessary to prefix the %S value
to "valid users".

    [global]
        security = {domain,ads}
        workgroup = DOM
        winbind separator = +
    [homes]
        valid users = DOM+%S


================
Download Details
================

The uncompressed tarballs and patch files have been signed
using GnuPG (ID 157BC95E). The source code can be downloaded
from:

    http://download.samba.org/samba/ftp/

The release notes are available online at:

    http://www.samba.org/samba/history/samba-3.0.23b.html

Binary packages are available at

    http://download.samba.org/samba/ftp/Binary_Packages/

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team
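
An added example (not part of the original announcement and not Samba code): a small audit that lists every name in the user/group parameters of an smb.conf that carries no domain qualifier, i.e. the names smbd on a member server will now resolve to a local SID. The sample config, the [homes-fixed] share name and the rule that a name counts as qualified only when it contains the winbind separator are assumptions of this example.

```python
import re

# smb.conf parameters whose values are lists of user or group names.
NAME_PARAMS = {"valid users", "invalid users", "read list", "write list",
               "admin users", "force user", "force group"}
# One list entry: optional group prefixes (+ @ &), then a quoted or bare name.
TOKEN = re.compile(r'([+@&]*)(?:"([^"]*)"|([^\s,"]+))')

# Constructed member-server config; [homes-fixed] is a hypothetical share name.
SAMPLE = r'''
[global]
    security = ads
    workgroup = DOM
    winbind separator = +
[restricted]
    path = /data
    valid users = +"DOM+Linux Admins" +srvadmin alice
[homes]
    valid users = %S
[homes-fixed]
    valid users = DOM+%S
'''

def local_names(conf_text):
    """Return (section, parameter, name) for each name that lacks a domain
    qualifier and is therefore resolved as local to the Unix host."""
    section, sep, member, entries = None, "\\", False, []
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            continue
        key, _, value = line.partition("=")
        key, value = " ".join(key.lower().split()), value.strip()
        if key == "winbind separator":
            sep = value
        elif key == "security":
            member = value.lower() in ("domain", "ads")
        elif key in NAME_PARAMS:
            entries.append((section, key, value))
    if not member:  # the requirement applies to domain member servers
        return []
    # Assumption: a name is qualified only if it contains the winbind separator.
    return [(section, key, quoted or bare)
            for section, key, value in entries
            for _prefix, quoted, bare in TOKEN.findall(value)
            if sep not in (quoted or bare)]

if __name__ == "__main__":
    for section, key, name in local_names(SAMPLE):
        print(f"[{section}] {key}: '{name}' resolves to a local account")
```

Names reported here are not necessarily wrong (srvadmin is meant to be local); the list is what to review after upgrading, since an unqualified domain user such as alice or a bare %S no longer matches the domain account.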
Lars Müller
2006-Aug-08 15:48 UTC
Samba 3.0.23b RPM packages for all SUSE Linux products (was: [Samba] Samba 3.0.23b Available for Download)
On Tue, Aug 08, 2006 at 10:12:18AM -0500, Gerald Carter wrote:
[snip]
> Binary packages are available at
>
> http://download.samba.org/samba/ftp/Binary_Packages/

RPM packages of Samba 3.0.23b for all SUSE Linux products are available at
ftp://ftp.suse.com/pub/projects/samba/3.0/ or
http://ftp.suse.com/pub/projects/samba/3.0/

Supported SUSE Linux based products are at the moment SUSE Linux 9.2, 9.3,
10.0, 10.1, UnitedLinux 1/ SUSE Linux Enterprise Server (SLES) 8, SLES 9 and
10, and factory (= the currently developed product). For some architectures -
like ia64, ppc, s390(x) - you find a limited releases subset.

The same packages are also available at
http://download.Samba.org/samba/ftp/Binary_Packages/SuSE/3.0/

Please use a mirror close to your site.

A list of Samba.org mirrors is available at http://Samba.org/
There choose a mirror at the right top of the page.

There are also a bunch of SUSE mirrors. A list of international mirror sites
is at http://www.novell.com/products/suselinux/downloads/ftp/int_mirrors.html
A list of mirrors in Germany is at
http://www.novell.com/products/suselinux/downloads/ftp/germ_mirrors.html

If you encounter any problem with these packages please don't blame the
Samba Team. Instead file a bug to https://bugzilla.Samba.org/, pick product
Samba 3.0, then select 'component' Packaging and set 'assign to' to
samba-maintainers at suse dot de.

Or use http://bugzilla.Novell.com with the same assignee instead.

For additional information - how to report bugs and which log files are
required - see http://en.openSUSE.org/Samba

Our customers, our products, our responsibility.

Have a lot of fun...

Lars - for the Novell Samba Team

-- 
Lars Müller [ˈlaː(r)z ˈmʏlɐ]
Samba Team
SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
hi jerry&samba team!

> Since Samba 3.0.8, it has been recommended that all domain
> accounts listed in smb.conf on a member server be fully
> qualified with the domain name. This is now a requirement.
> All unqualified names are assumed to be local to the Unix
> host, either as part of the server's local passdb or in the
> local system list of accounts (e.g. /etc/passwd or /etc/group).

"now" means from version "b" on or 3.0.23 at all?

  * Added lookup_name_smbconf() to be called when looking up names
    from smb.conf. Unqualified names are assumed to be local.

-> seems for me from "b" on, right?

i'm asking because there have been a lot of threads since the release of
3.0.23 and samba members always advised to use FQ-names.

does this also imply that bug 3920 is "fixed" now if we have to use FQ-names??

> If the member server is not running winbindd at all, domain
> accounts will be implicitly mapped to local accounts and their
> tokens will be modified appropriately to reflect the local
> SID and group membership.

and if winbind is running with "use default domain" are users also mapped to
local ones?

many thx in advance!
micha

-- 
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT Staff)
Deutscher Platz 6
D-04103 Leipzig
Germany
Phone: 49 (0)341 - 3550 137
       49 (0)341 - 3550 374
Fax:   49 (0)341 - 3550 399
Hi

I have updated a samba AD member server to 3.0.23b in an environment,
where all Usernames are available in the AD and in NIS.

With 3.0.21b if I create a file with windows on a samba share and open the
security dialog, samba shows the DOM\USERNAME string as owner of the file.
With 3.0.23b only the SID+RID of the user is shown.
The SID is the SID of the Samba-server.
If I add the domain-user USERNAME2 with the security dialog, this user is
shown as DOM\USERNAME2 until I reopen the security dialog.
Then I see also the SID-RID

If I stop winbind and do the same procedure I get
Unix User/USERNAME1
for the owner of the file in the dialog
If I give another user USERNAME2 access to this file and reopen the
security dialog, the entry is not shown.

To make it work with samba-3.0.21b we had this setting in smb.conf
(winbindd running)
With this settings in the Windows file-dialog all users appear
DOM\USERNAME and in Unix the ACL's show the correct NIS Unix Users

    idmap uid = 10000-10000
    idmap gid = 10000-10000
    winbind use default domain = Yes
    winbind trusted domains only = Yes

Is it possible to make this work again with 3.0.23b?
(I know that the zero uid and gid range might be brain damaged, but
with this settings it works fine on both sides)

Greetings

Hansjörg

Gerald (Jerry) Carter wrote:
> =============================================================
>    "Where does he get those wonders toys?"
>                         -- The Joker (Batman 1989)
> =============================================================
> Release Announcements
> =====================
>
> This is the latest stable release of Samba. This is the version
> that production Samba servers should be running for all current
> bug-fixes. Please read the changes in this section and for the
> original 3.0.23 release regarding new features and difference
> in behavior from previous releases.
>
> Common bugs fixed in 3.0.23b include:
>
>   o Ambiguity with unqualified names in smb.conf parameters
>     such as "force user" and "valid users".
>   o Errors in 'net ads join' caused by bad IP address in the list
>     of domain controllers.
>   o SMB signing errors in the client and server code.
>   o Domain join failures when using smbpasswd on a Samba PDC.
>
>
> Member servers, domain accounts, and smb.conf
> =============================================
>
> Since Samba 3.0.8, it has been recommended that all domain
> accounts listed in smb.conf on a member server be fully
> qualified with the domain name. This is now a requirement.
> All unqualified names are assumed to be local to the Unix
> host, either as part of the server's local passdb or in the
> local system list of accounts (e.g. /etc/passwd or /etc/group).
>
> The reason for this change is that smbd has transitioned from
> access checks based on string comparisons to token based
> authorization. All names are resolved to a SID and then
> verified against the logged on user's NT user token. Local
> names will resolve to a local SID, while qualified domain
> names will resolve to the appropriate domain SID.
>
> If the member server is not running winbindd at all, domain
> accounts will be implicitly mapped to local accounts and their
> tokens will be modified appropriately to reflect the local
> SID and group membership.
>
> For example, the following share will restrict access to the
> domain group "Linux Admins" and the local group srvadmin.
>
>     [restricted]
>         path = /data
>         valid users = +"DOMAIN\Linux Admins" +srvadmin
>
> Note that to restrict the [homes] share on a member server to the
> owner of that directory, it is necessary to prefix the %S value
> to "valid users".
>
>     [global]
>         security = {domain,ads}
>         workgroup = DOM
>         winbind separator = +
>     [homes]
>         valid users = DOM+%S
>
On Wed, 2006-08-09 at 19:06 +0200, Hansjörg Maurer wrote:
> Just for clarification..
> We have all users in both databases (nis and AD)
> with the same Username.
> The unix system with the samba server only uses NIS (no nss/pam winbind).
> as nameservice for users and groups.
> With 3.0.21b and the setting below,
> the owner of a file on the unix filesystem (USER1)
> shows up in the windows security automatically as
> DOM\USER1
> Now with 3.0.23b is shown as the SID-RID String
> The SID is the SID of the Samba Server, the RID is 2 * uid + 1000
> which is not the sid of the domainuser but the mapped SID of winbind...
> Therefore the Security dialog can't resolve it.

Hansjörg,
I have been working recently around this kind of problems, can you send
me a level 10 log file of a session where you just connect to the server
and look up the users via the security tab?

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra@samba.org
http://samba.org