On Thursday, 08.08.2019, 20:01 +0100, Rowland penny via samba wrote:
> On 08/08/2019 19:10, David Ayers wrote:
> > > Can we see your smb.conf file ?
> >
> > attached... slightly redacted.
>
> Inline without all the commented lines and default settings:
>
> [global]
>     workgroup = WORKGROUP
>     netbios name = REDACTED
>     server string = %h server
>     dns proxy = no
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     syslog = 0
>     panic action = /usr/share/samba/panic-action %d
>     server role = standalone server
>     obey pam restrictions = yes
>     unix password sync = yes
>     passwd program = /usr/bin/passwd %u
>     passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>     pam password change = yes
>     map to guest = bad user
>     usershare allow guests = yes
>
> [homes]
>     comment = Home Directories
>     browseable = no
>     create mask = 0700
>     directory mask = 0700
>     valid users = %S
>
> [printers]
>     comment = All Printers
>     browseable = no
>     path = /var/spool/samba
>     printable = yes
>     create mask = 0700
>
> [print$]
>     comment = Printer Drivers
>     path = /var/lib/samba/printers
>
> [resources]
>     comment = Redacted Resources
>     username = redacted
>     read only = No
>     create mask = 0664
>     directory mask = 0775
>     path = /usr/Redacted
>
> [sicherung]
>     comment = Server Sicherung
>     username = redacted
>     path = /var/Redacted

I should have generated this with testparm?

> Only one comment, 'username' was removed at 4.5.0, you should use
> 'valid users' instead.

testparm would have told me that and would have filtered it from the
output... my bad. I have now replaced 'username' with 'valid users'.
'valid user'

> Can you upgrade Samba in place ?

Not very keen on not being able to rely on Debian (old)stable security
upgrades and the concerted package upgrades... but if need be, I guess.
The upgrade to Buster isn't really planned until early next year.

But what I could do, is copy the setup incl. the tdb files to a test VM
to try to reproduce it, upgrade that test VM in the hope to produce a
dump, that can then be imported back into new clean installation of the
older version.

Is that feasible?
I.e. would a clean dump of a later version be backward compatible to
4.5.16-Debian?

> You may have a problem, but it may already have been fixed in a
> later version

Understood.

Since I personally didn't have the passwords, was never able to test
the other systems access (and non access). I also explicitly have
"guest ok = No" set. So I got to wondering, if username had been
ignored all this time, why could the machines access the shares at all?
But I guess, the reason is that a standalone server would still
require an authenticated user but any authenticated user would do,
correct?

Thank you!
David

--
David Ayers - Team Austria
Free Software Foundation Europe (FSFE)     []   (http://www.fsfe.org)
Become a supporter of the FSFE!          [][][] (https://fsfe.org/join)
Your donation powers our work!            ||    (http://fsfe.org/donate)

On 09/08/2019 07:38, David Ayers via samba wrote:
> On Thursday, 08.08.2019, 20:01 +0100, Rowland penny via samba wrote:
>> On 08/08/2019 19:10, David Ayers wrote:
>>>> Can we see your smb.conf file ?
>>> attached... slightly redacted.
>> Inline without all the commented lines and default settings:
>>
>> [global]
>>     workgroup = WORKGROUP
>>     netbios name = REDACTED
>>     server string = %h server
>>     dns proxy = no
>>     log file = /var/log/samba/log.%m
>>     max log size = 1000
>>     syslog = 0
>>     panic action = /usr/share/samba/panic-action %d
>>     server role = standalone server
>>     obey pam restrictions = yes
>>     unix password sync = yes
>>     passwd program = /usr/bin/passwd %u
>>     passwd chat = *Enter\snew\s*\spassword:* %n\n
>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>     pam password change = yes
>>     map to guest = bad user
>>     usershare allow guests = yes
>>
>> [homes]
>>     comment = Home Directories
>>     browseable = no
>>     create mask = 0700
>>     directory mask = 0700
>>     valid users = %S
>>
>> [printers]
>>     comment = All Printers
>>     browseable = no
>>     path = /var/spool/samba
>>     printable = yes
>>     create mask = 0700
>>
>> [print$]
>>     comment = Printer Drivers
>>     path = /var/lib/samba/printers
>>
>> [resources]
>>     comment = Redacted Resources
>>     username = redacted
>>     read only = No
>>     create mask = 0664
>>     directory mask = 0775
>>     path = /usr/Redacted
>>
>> [sicherung]
>>     comment = Server Sicherung
>>     username = redacted
>>     path = /var/Redacted
> I should have generated this with testparm?
>
>> Only one comment, 'username' was removed at 4.5.0, you should use
>> 'valid users' instead.
> testparm would have told me that and would have filtered it from the
> output... my bad. I have now replaced 'username' with 'valid users'.
> 'valid user'
>> Can you upgrade Samba in place ?
> Not very keen on not being able to rely on Debian (old)stable security
> upgrades and the concerted package upgrades... but if need be, I guess.
> The upgrade to Buster isn't really planned until early next year.
>
> But what I could do, is copy the setup incl. the tdb files to a test VM
> to try to reproduce it, upgrade that test VM in the hope to produce a
> dump, that can then be imported back into new clean installation of the
> older version.
>
> Is that feasible?
> I.e. would a clean dump of a later version be backward compatible to
> 4.5.16-Debian?

Yes and Yes

>> You may have a problem, but it may already have been fixed in a
>> later version
> Understood.
>
> Since I personally didn't have the passwords, was never able to test
> the other systems access (and non access). I also explicitly have
> "guest ok = No" set. So I got to wondering, if username had been
> ignored all this time, why could the machines access the shares at all?
> But I guess, the reason is that a standalone server would still
> require an authenticated user but any authenticated user would do,
> correct?

The 'username' parameter would have been ignored, so any authenticated
user would be allowed access.

Rowland

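An added illustration, not part of any message in this thread and not Samba project code: a small Python check that reports shares whose only user restriction is the removed 'username' parameter, the situation discussed above. The parser is a simplified assumption (no line continuations or includes) and the sample config is constructed from the shares posted in the thread; testparm remains the authoritative check.

```python
REMOVED = {"username"}        # parameter the thread says was removed at 4.5.0
RESTRICTING = {"validusers"}  # replacement named in the thread ('valid users')

def norm(name):
    # Samba matches parameter names case-insensitively and ignores spaces.
    return "".join(name.lower().split())

def parse_smb_conf(text):
    # Simplified reader (assumption): no line continuations, no includes.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def unrestricted_shares(text):
    """Shares that set a removed parameter but have no 'valid users'."""
    findings = []
    for name, params in parse_smb_conf(text).items():
        ignored = sorted(params.keys() & REMOVED)
        if name != "global" and ignored and not params.keys() & RESTRICTING:
            findings.append((name, ignored))
    return findings

# Constructed sample modelled on the shares posted in the thread.
SAMPLE = """
[global]
    server role = standalone server
    map to guest = bad user
[homes]
    valid users = %S
[resources]
    username = redacted
    read only = No
[sicherung]
    username = redacted
"""
# The same config after the fix described in the thread.
FIXED = SAMPLE.replace("username =", "valid users =")

if __name__ == "__main__":
    for share, params in unrestricted_shares(SAMPLE):
        print(f"[{share}] relies on ignored parameter(s): {', '.join(params)}")
```
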
On Friday, 09.08.2019, 08:45 +0100, Rowland penny via samba wrote:
> On 09/08/2019 07:38, David Ayers via samba wrote:
> > On Thursday, 08.08.2019, 20:01 +0100, Rowland penny via samba wrote:
> >
> > But what I could do, is copy the setup incl. the tdb files to a
> > test VM to try to reproduce it, upgrade that test VM in the hope to
> > produce a dump, that can then be imported back into new clean
> > installation of the older version.
> >
> > Is that feasible?
> > I.e. would a clean dump of a later version be backward compatible
> > to 4.5.16-Debian?
>
> Yes and Yes

Okay... just for validation of the process itself I just tried this:

- installed the current version of Debian 10 (Buster) into a new vm
- installed samba Version 4.9.5-Debian
- without any changes to the default smb.conf:

ayers@vmbuster:~$ sudo smbpasswd -a ayers
New SMB password:
Retype new SMB password:
Added user ayers.
ayers@vmbuster:~$ sudo pdbedit -L -v
---------------
Unix username:        ayers
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-2831882250-3016382946-1246711671-1000
Primary Group SID:    S-1-5-21-2831882250-3016382946-1246711671-513
Full Name:            David Ayers
Home Directory:       \\vmbuster\ayers
HomeDir Drive:
Logon Script:
Profile Path:         \\vmbuster\ayers\profile
Domain:               VMBUSTER
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Mi, 06 Feb 2036 16:06:39 CET
Kickoff time:         Mi, 06 Feb 2036 16:06:39 CET
Password last set:    Fr, 09 Aug 2019 13:40:33 CEST
Password can change:  Fr, 09 Aug 2019 13:40:33 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
ayers@vmbuster:~$ sudo pdbedit -e tdbsam:/home/ayers/samba.tdbsam-export
ayers@vmbuster:~$ sudo tdbdump samba.tdbsam-export
{
key(19) = "INFO/minor_version\00"
data(4) = "\00\00\00\00"
}
{
key(9) = "NEXT_RID\00"
data(4) = "\E8\03\00\00"
}
{
key(13) = "INFO/version\00"
data(4) = "\04\00\00\00"
}

I assume that is not what it's supposed to look like?

Cheers,
David