search for: cwseys

Hi Mike and all, I still see ._ files with fruit:resource=xattr and not with fruit:resource=stream. Try extracting the attached zip file using a macintosh on the samba share. (Sounds dangerous, right?!) With fruit:resource=xattr # ls -al total 537 drwxrwx---+ 2 cwseys cwseys 9 Feb 17 09:57 . drwxrwx---+ 3 cwseys cwseys 5 Feb 17 09:57 .. -rwxrwxr--+ 1 cwseys cwseys 20120 Feb 17 09:57 'directory listing.png' -rwxrwxr--+ 1 cwseys cwseys 6148 Feb 17 09:57 .DS_Store -rwxrwxr--+ 1 cwseys cwseys 61808 Feb 17 09:57 '._RF=151KB Extension'...

...rdis01:/# file /smbbackupdir/smb01/home/eleonard/utils/alien/alien /smbbackupdir/smb01/home/eleonard/utils/alien/alien: directory Strangely, copying to a different directory makes this non-reproducible: root at tardis01:/# mount /smbbackupdir/smb01 root at tardis01:/# file /smbbackupdir/smb01/home/cwseys/utils/alien/Alien/ /smbbackupdir/smb01/home/cwseys/utils/alien/Alien/: directory root at tardis01:/# file /smbbackupdir/smb01/home/cwseys/utils/alien/alien /smbbackupdir/smb01/home/cwseys/utils/alien/alien: writable, executable, regular file, no read permission Using protocol v1.0 makes problem g...

...t and is per-share. [myshare] msdfs root = no path = ... Should do the trick. Otherwise if mounting on linux you can also use the 'nodfs' mount option (mount.cifs //host/share/... /mnt/ -o ...,nodfs) to disable DFS resolving and automatic sub-mounting. Chad W Seys <cwseys at physics.wisc.edu> writes: > Hi Aurélien, > Thanks! The mount option nodfs worked if I also used vers=1.0, but > otherwise msdfs resolving still occurred. (Looks like cifs uses a > higher smb version if vers=1.0 not specified.) I'll send an email to > the CIFS kerne...

Hi Rowland, > Are you using sssd or nslcd ? I am using sssd. I can ssh into the server using credentials from either kerberos realm. E.g. ssh cwseys at PHYSICS.WISC.EDU@smb01.physics.wisc.edu (works) ssh seys at AD.WISC.EDU@smb01.physics.wisc.edu (works) PHYSICS.WISC.EDU is an MIT kerberos KDC. AD.WISC.EDU is a active directory KDC (etc). The reason I thought sssd would be best is because I want to use the /etc/passwd file for user existence...

...gt; I am not saying that sssd won't work for what you are trying to do, you > are just asking this in the wrong place, try the sssd-users mailing list. It seems to me that samba is the sticking point. If REALM=AD.WISC.EDU I can gain access to samba shares with seys at AD.WISC.EDU, but not cwseys at PHYSICS.WISC.EDU. If REALM=PHYSICS.WISC.EDU, cwseys at PHYSICS.WISC.EDU can gain access, but seys at AD.WISC.EDU can not. I change nothing else besides REALM= in smb.conf . My guess is that Samba is using REALM=BLAH to check only principals in the keytab whose realm is BLAH. So, it seems a...

(Let's keep this on the list) Aurélien Aptel via samba <samba at lists.samba.org> writes: > Chad William Seys <cwseys at physics.wisc.edu> writes: >> Somehow the destination having 'msdfsroot yes' prevents the cifs kernel >> module from following the link. I've taken a look at your traces and right off the bat I see things like this: [...] /linux-4.9.30/fs/cifs/smb1ops.c: cifs_query_s...

...the environment     to the same value before opening the credcache, to hint to the krb5     libs where they ought to look.          This new behavior is on by default, but can be disabled by having     request-key pass a '-E' flag to cifs.upcall.          Reported-by: Chad William Seys <cwseys at physics.wisc.edu>     Signed-off-by: Jeff Layton <jlayton at samba.org> commit ec3874fdc669901f4a9e8a90a856f999cd627a3f Author: Jeff Layton <jlayton at samba.org> Date:   Thu Feb 16 09:55:45 2017 -0500     cifs.upcall: trim even more capabilities          We really only need CAP...

...what you are trying to do, you >> are just asking this in the wrong place, try the sssd-users mailing list. > It seems to me that samba is the sticking point. No it isn't, you are > > If REALM=AD.WISC.EDU I can gain access to samba shares with seys at AD.WISC.EDU, > but not cwseys at PHYSICS.WISC.EDU. > > If REALM=PHYSICS.WISC.EDU, cwseys at PHYSICS.WISC.EDU can gain access, but > seys at AD.WISC.EDU can not. > > I change nothing else besides REALM= in smb.conf . > > My guess is that Samba is using REALM=BLAH to check only principals in the > keytab w...

> Which smb version are you using (mount option)? Support for DFS on smb2+ > was only added in linux 4.11. smbstatus shows the connection as NT1. DFS links do work like this: serverA_msdfsrootYES => serverB_msdfsrootNO But not like this: serverA_msdfsrootYES => serverB_msdfsrootYES Somehow the destination having 'msdfsroot yes' prevents the cifs kernel module from

Hello, >> Can more than one server have a share with 'msdfs root = yes'? Or >> can there be only one root? (Setting 'msdfs root = yes' on shares on > > yes Thanks! It works great for all clients* except the linux kernel (v4.9) mount, which was what led me astray. Any idea if this works in more recent kernels? If not where do I wish list this. :)

Hi Chad, Sorry for the late reply. Looking at this now. Chad William Seys <cwseys at physics.wisc.edu> writes: > I've attached traces and logs of these situations: > > msdfs root = yes, link points to share, link CAN be followed > trace_msdfsrootyes_share.* > > msdfs root = yes, link points to path, link CANNOT be followed > trace_msdfsrootyes_path.*...

Chad William Seys <cwseys at physics.wisc.edu> writes: > Kernel 4.13 can resolve either style of link, so I don't think we need > to spend more time with it! > gvfs in Debian 9 also works (as do Windows 7+ and Mac 10.12+). Good. I actually remember fixing something similar now, ha. If you cannot update yo...

Chad W Seys <cwseys at physics.wisc.edu> writes: >> Yep, sounds like a bug indeed. You still have the option to edit the smb.conf >> on the server side if you want to use smb2+. > > Good to keep in mind. > I'm speculating leaving 'nodfs' out of smb2+ was purposeful. Originally &g...

On 2/14/20 4:54 PM, Mike Pastore wrote: > I guess the question is: what are you streaming to? And if the answer is > streams_xattr, the question becomes: then why not just use > fruit:resource=xattr? When I tried fruit:resource=xattr appledouble files ._ were created. (I know I'm hung up on aesthetics.) Chad.

On 01/03/16 23:16, Chad William Seys wrote: > Hi Rowland, > >> Are you using sssd or nslcd ? > I am using sssd. I can ssh into the server using credentials from either > kerberos realm. > E.g. > ssh cwseys at PHYSICS.WISC.EDU@smb01.physics.wisc.edu > (works) > ssh seys at AD.WISC.EDU@smb01.physics.wisc.edu > (works) > > PHYSICS.WISC.EDU is an MIT kerberos KDC. > AD.WISC.EDU is a active directory KDC (etc). > > The reason I thought sssd would be best is because I want to use th...

Hi Rowland, Thanks for your explanation. We have set up Samba to authenticate users against an external MIT Kerberos server and usernames match those in Unix password files. The setup was almost exactly like the Ubuntu help page: https://help.ubuntu.com/community/Samba/Kerberos#MIT_Kerberos There are others who have also set up Samba this way:

Hi Rowland, Below is output of testparm. Samba is set up as standalone server. # testparm Load smb config files from /etc/samba/smb.conf Processing section "[generic]" Loaded services file OK. Server role: ROLE_DOMAIN_MEMBER Press enter to see a dump of your service definitions [global] realm = PHYSICS.WISC.EDU server string = %h server server role =

Third respin of this series. Reordered for better safety for bisecting. The environment scraping is now on by default, but can be disabled with "-E" in environments where it's not needed. Also, I've added a patch to make cifs.upcall drop capabilities before doing most of its work. This may help reduce the attack surface of the program. Jeff Layton (4): cifs.upcall: convert

Small respin of the patches that I posted a few days ago. The main difference is the reordering of the series to make it do the group and grouplist manipulation first, and then the patch that makes it grab the KRB5CCNAME from the initiating process. I think the code is sound, my main question is whether we really need the command-line switch for this. Should this just be the default mode of

Apologies for v3 series, I had some extra patches in there. This is the one that should have been sent. Relabeled as v4 for clarity. Third respin of this series. Reordered for better safety for bisecting. The environment scraping is now on by default, but can be disabled with "-E" in environments where it's not needed. Also, I've added a patch to make cifs.upcall drop