Note You need to log in before you can comment on or make changes to this bug. File services show other bugs. Patch for 3. Replacement patcg for 3. Show Obsolete 2 View All Add an attachment proposed patch, testcase, etc. Crawling through support forums, mailing lists, and MS technet, it seems that this is an issue that is plaguing many people. Using samba 3.
I have implemented a patch that checks to see what kind of object is next in the spnego packet if any that I will attach as soon as I finish cloning the master branch. The relevant parameters are :. Points to the directory containing the user defined share definitions.
The filesystem permissions on this directory control who can create user defined shares. Comma-separated list of absolute pathnames restricting what directories can be shared. Only directories below the pathnames in this list are permitted.
Directories below the pathnames in this list are prohibited. Names a pre-existing share used as a template for creating new usershares. All other share parameters not specified in the user defined share definition are copied from this named share. To allow members of the UNIX group foo to create user defined shares, create the directory to contain the share definitions as follows:. Members of the group foo may then manipulate the user defined shares using the following commands.
Some parameters are specific to the [global] section e. Some parameters are usable in all sections e. All others are permissible only in normal sections. For the purposes of the following descriptions the [homes] and [printers] sections will be considered normal. The letter G in parentheses indicates that a parameter is specific to the [global] section.
The letter S indicates that a parameter can be specified in a service specific section. All S parameters can also be specified in the [global] section - in which case they will define the default behavior for all services. Parameters are arranged here in alphabetical order - this may not create best bedfellows, but at least you can find them!
Where there are synonyms, the preferred synonym is described, others refer to the preferred synonym. Many of the strings that are settable in the config file can take substitutions. These substitutions are mostly noted in the descriptions below, but there are some general substitutions which apply whenever they might be relevant. These are:. This parameter is not available when Samba listens on port , as clients no longer send this information. This will cause Samba to not listen on port and will permit include functionality to function as it did with Samba 2.
This allows you to change your config based on what the client calls you. The architecture of the remote machine. The following substitutes apply only to some configuration options only those that are used when a connection has been established :. This is obtained from your NIS auto. The NIS auto. There are some quite creative things that can be done with these substitutions and other smb. Samba supports name mangling so that DOS and Windows clients can use files that don't conform to the 8. It can also be set to adjust the case of 8.
There are several options that control the way mangling is performed, and they are grouped here rather than listed separately. For the defaults look at the output of the testparm program. If they aren't, Samba must do a filename search and match on passed names. No Windows or DOS system supports case-sensitive filename so setting this option to auto is that same as setting it to no for them.
Default auto. Default lower. This change is needed as part of the optimisations for directories containing large numbers of files. Default yes. By default, Samba 3. There are a number of ways in which a user can connect to a service. The server uses the following steps in determining if it will allow a connection to a specified service. If all the steps fail, the connection request is rejected. However, if one of the steps succeeds, the following steps are not checked.
If the client has previously registered a username with the system and now supplies a correct password for that username, the connection is allowed. The client's NetBIOS name and any previously used usernames are checked against the supplied password. If they match, the connection is allowed as the corresponding user. There are two levels of registry configuration:. Share definitions stored in registry are used. The registry shares are loaded not at startup but on demand at runtime by smbd.
Shares defined in smb. Global smb. This can be activated in two different ways:. This resets everything that has been read from config files to this point and reads the content of the global configuration section from the registry. This is the recommended method of using registry based configuration. This reads the global options from registry with the same priorities as for an include of a text file. This may be especially useful in cases where an initial configuration is needed to access the registry.
Activation of global registry options automatically activates registry shares. So in the registry only case, shares are loaded on demand only. Note: To make registry-based configurations foolproof at least to a certain extent, the use of lock directory and config backend inside the registry configuration has been disabled: Especially by changing the lock directory inside the registry configuration, one would create a broken setup where the daemons do not see the configuration they loaded once it is active.
More conveniently, the conf subcommand of the net 8 utility offers a dedicated interface to read and write the registry based configuration locally, i. This a full path name to a script called by smbd 8 that should stop a shutdown procedure issued by the shutdown script. If the connected user posseses the SeRemoteShutdownPrivilege , right, this command will be run as root. This boolean parameter controls what smbd 8 does on receiving a protocol request of "open for delete" from a Windows client.
If a Windows client doesn't have permissions to delete a file then they expect this to be denied at open time. POSIX systems normally only detect restrictions on delete by actually attempting to delete the file or directory. As Windows clients can and do "back out" a delete request by unsetting the "delete on close" bit Samba cannot delete the file immediately on "open for delete" request as we cannot restore such a deleted file. With this parameter set to true the default then smbd checks the file system permissions directly on "open for delete" and denies the request without actually deleting the file if the file system permissions would seem to deny it.
This is not perfect, as it's possible a user could have deleted a file without Samba being able to check the permissions correctly, but it is close enough to Windows semantics for mostly correct behaviour. If this parameter is set to "false" Samba doesn't check permissions on "open for delete" and allows the open. If the user doesn't have permission to delete the file this will only be discovered at close time, which is too late for the Windows user tools to display an error message to the user.
The symptom of this is files that appear to have been deleted "magically" re-appearing on a Windows explorer refresh. This is an extremely advanced protocol option which should not need to be changed. This parameter was introduced in its final form in 3. That older version is not documented here. Possible values are winnt for Windows NT 4, win2k for Windows and above and auto.
If you specify auto , the value for this parameter will be based upon the version of the client. There should be no reason to change this parameter from the default. If this parameter is set, then Samba overrides this restriction, and also allows the primary group owner of a file or directory to modify the permissions and ACLs on that file.
On a Windows server, groups may be the owner of a file or directory - thus allowing anyone in that group to modify the permissions on it. This allows the delegation of security controls on a point in the filesystem to the group owner of a directory and anything below it also owned by that group. This means there are multiple people with permissions to modify ACLs on a file or directory, easing managability. This parameter allows Samba to also permit delegation of the control over a point in the exported directory hierarchy in much the same way as Windows.
This allows all members of a UNIX group to control the permissions on a file or directory they have group ownership on. This parameter is best used with the inherit owner option and also on on a share containing directories with the UNIX setgid bit set on them, which causes new files and directories created within it to inherit the group ownership from the containing directory.
This is parameter has been was deprecated in Samba 3. It is now no longer equivalent to the dos filemode option. This script is only useful for installations using the Windows NT domain administration tools. The script is free to create a group with an arbitrary name to circumvent unix group name restrictions. In that case the script must print the numeric gid of the created group on stdout.
Samba 3. This option defines an external program to be executed when smbd receives a request to add a new Port to the system. The script is passed two parameters:. For a Samba host this means that the printer must be physically added to the underlying printing system.
The addprinter command defines a script to be run which will perform the necessary operations for adding the printer to the print system and to add the appropriate service definition to the smb. The addprinter command is automatically invoked with the following parameter in order :.
The "Windows 9x driver location" parameter is included for backwards compatibility only. The remaining fields in the structure are generated from answers to the APW questions. Once the addprinter command has been executed, smbd will reparse the smb. The addprinter command program can output a single line of text, which Samba will set as the port the new printer is connected to.
If this line isn't output, Samba won't reload its printer shares. Samba 2. The add share command is used to define an external program or script which will add a new service definition to smb. In order to successfully execute the add share command , smbd requires that the administrator connects using a root account i.
Scripts defined in the add share command parameter are executed as root. When executed, smbd will automatically invoke the add share command with five parameters.
This parameter is only used to add file shares. To add printer shares, see the addprinter command. Normally, a Samba server requires that UNIX users are created for all users accessing files on this server.
For sites that use Windows NT account databases as their primary user database creating these users and keeping the user list in sync with the Windows NT PDC is an onerous task.
When the Windows user attempts to access the Samba server, at login session setup in the SMB protocol time, smbd 8 contacts the password server and attempts to authenticate the given user with the given password. If this script successfully creates the user then smbd will continue on as though the UNIX user already existed.
See also security , password server , delete user script. Full path to the script that will be called when a user is added to a group using the Windows NT domain administration tools. Note that the adduser command used in the example below does not support the used syntax on all systems.
If this parameter is set to yes for a share, then the share will be an administrative share. The Administrative Shares are the default network shares created by all Windows NT-based operating systems. See the section below on security for more information about this option.
This is a list of users who will be granted administrative privileges on the share. This means that they will do all file operations as the super-user root. You should use this option very carefully, as any user in this list will be able to do anything they like on the share, irrespective of file permissions. This is by design. This parameter controls whether special AFS features are enabled for this share. If enabled, it assumes that the directory exported via the path parameter is a local AFS import.
The special AFS features include the attempt to hand-craft an AFS token if you enabled --with-fake-kaserver in configure. If you are using the fake kaserver AFS feature, you might want to hand-craft the usernames you are creating tokens for. The mapped user name must contain the cell name to log into, so without setting this parameter there will be no token.
Note that it happens only for non-chained and non-chaining reads and when not using write cache. Related command: write cache size. Related command: aio write size. Instead, Samba will immediately return that the write request has been finished successfully, no matter if the operation will succeed or not. This might speed up clients without aio support, but is really dangerous, because data could be lost and files could be damaged.
The syntax is identical to the veto files parameter. Related command: aio read size. Setting this option to a larger value could be useful to sites transitioning from WinNT and Win2k, as existing user and group rids would otherwise clash with sytem users etc.
As such the algorithmic mapping can't be 'turned off', but pushing it 'out of the way' should resolve the issues. Users and groups can then be assigned 'low' RIDs in arbitrary-rid supporting backends. This parameter allows an administrator to tune the allocation size reported to Windows clients. The default size of 1Mb generally results in improved Windows client performance. However, rounding the allocation size may cause difficulties for some applications, e.
MS Visual Studio. If the MS Visual Studio compiler starts to crash with an internal error, set this parameter to zero for this share. This option only takes effect when the security option is set to server , domain or ads. If it is set to no, then attempts to connect to a resource from a domain or workgroup other than the one which smbd is running in will fail, even if that domain is trusted by the remote server doing the authentication. This is useful if you only want your Samba server to serve resources to users in the domain it is a member of.
This can make implementing a security boundary difficult. This specifies what type of server nmbd 8 will announce itself as, to a network neighborhood browse list. By default this is set to Windows NT.
Do not change this parameter unless you have a specific need to stop Samba appearing as an NT server as this may prevent Samba servers from participating as browser servers correctly.
This specifies the major and minor version numbers that nmbd will use when announcing itself as a server. The default is 4. Do not change this parameter unless you have a specific need to set a Samba server to be a downlevel server. This option allows the administrator to chose what authentication methods smbd will use when authenticating a user. This option defaults to sensible values based on security. This should be considered a developer option and used only in rare circumstances.
In the majority if not all of production servers, the default setting should be adequate. Each entry in the list attempts to authenticate the user in turn, until the user authenticates. In practice only one method will ever actually be able to complete the authentication.
Possible options include guest anonymous access , sam lookups in local list of accounts based on netbios name or domain name , winbind relay authentication requests for remote users through winbindd , ntdomain pre-winbindd method of authentication for remote domain users; deprecated in favour of winbind method , trustdomain authenticate trusted users by contacting the remote DC directly from smbd; deprecated in favour of winbind method.
This parameter lets you "turn off" a service. Such failures are logged. This global parameter allows the Samba admin to limit what interfaces on a machine will serve SMB requests. It affects file service smbd 8 and name service nmbd 8 in a slightly different ways. For name service it causes nmbd to bind to ports and on the interfaces listed in the interfaces parameter.
If this option is not set then nmbd will service name requests on all of these sockets. If bind interfaces only is set then nmbd will check the source address of any packets coming in on the broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in the interfaces parameter list.
As unicast packets are received on the other sockets it allows nmbd to refuse to serve names to machines that send packets that arrive through any interfaces not listed in the interfaces list.
IP Source address spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for nmbd. For file service it causes smbd 8 to bind only to the interface list given in the interfaces parameter. This restricts the networks that smbd will serve, to packets coming in on those interfaces. Note that you should not use this parameter for machines that are serving PPP or other intermittent or non-broadcast network interfaces as it will not cope with non-permanent interfaces.
If bind interfaces only is set and the network address To change a users SMB password, the smbpasswd by default connects to the localhost - If bind interfaces only is set then unless the network address The swat status page tries to connect with smbd and nmbd at the address Not adding This parameter controls the behavior of smbd 8 when given a request by a client to obtain a byte range lock on a region of an open file, and the request has a time limit associated with it.
If this parameter is set and the lock range requested cannot be immediately satisfied, samba will internally queue the lock request, and periodically attempt to obtain the lock until the timeout period expires. If this parameter is set to no , then samba will behave as previous versions of Samba would and will fail the lock request immediately if the lock range cannot be obtained.
This parameter controls the behavior of smbd 8 when reporting disk free sizes. By default, this reports a disk block size of bytes. Changing this parameter may have some effect on the efficiency of client writes, this is not yet confirmed. This parameter was added to allow advanced administrators to change it usually to a higher value and test the effect it has on client write performance without re-compiling the code.
As this is an experimental option it may be removed in a future release. Changing this option does not change the disk free reporting size, just the block size unit reported to the client. This controls whether this share is seen in the list of available shares in a net view and in the browse list. This controls whether smbd 8 will serve a browse list to a client doing a NetServerEnum call. Normally set to yes.
You should never need to change this. See the discussion in the section name mangling. The change share command is used to define an external program or script which will modify an existing service definition in smb.
In order to successfully execute the change share command , smbd requires that the administrator connects using a root account i. Scripts defined in the change share command parameter are executed as root. When executed, smbd will automatically invoke the change share command with five parameters.
This parameter is only used to modify existing file share definitions. To modify printer shares, use the "Printers The name of a program that can be used to check password complexity.
The password is sent to the program's standard input. The program must return 0 on a good password, or any other value if the password is bad. In case the password is considered weak the program does not return 0 the user will be notified and the password change will fail.
Note: In the example directory is a sample program called crackcheck that uses cracklib to check the password quality. This parameter determines whether or not smbclient 8 and other samba client tools will attempt to authenticate itself to servers using the weaker LANMAN password hash. If disabled, only server which support NT password hashes e. Disabling this option will also disable the client plaintext auth option.
Likewise, if the client ntlmv2 auth parameter is enabled, then only NTLMv2 logins will be attempted. The client ldap sasl wrapping defines whether ldap traffic will be signed or signed and encrypted sealed. Possible values are plain , sign and seal. Windows SP3 or higher.
In this case, sign is just an alias for seal. The default value is plain which is not irritable to KRB5 clock skew errors. That implies synchronizing the time with the KDC in the case of using sign or seal. This parameter determines whether or not smbclient 8 will attempt to authenticate itself to servers using the NTLMv2 encrypted password response. Similarly, if enabled, NTLMv1, client lanman auth and client plaintext auth authentication will be disabled. This also disables share-level authentication.
Specifies whether a client should send a plaintext password if the server does not support encrypted passwords. This controls whether the client offers or even demands the use of the netlogon schannel. This controls whether the client is allowed or required to use SMB signing. Possible values are auto , mandatory and disabled. When set to auto, SMB signing is offered, but not enforced.
This enables Kerberos authentication in particular. With this parameter you can add additional addresses nmbd will register with a WINS server. These addresses are not necessarily present on all nodes simultaneously, but they will be registered with the WINS server so that clients can contact any of the nodes.
This parameter specifies whether Samba should contact ctdb for accessing its tdb files and use ctdb as a backend for its messaging backend. Set this parameter to yes only if you have a cluster setup with ctdb running.
This is a text field that is seen next to a share when a client does a queries the server, either via the network neighborhood or via net view to list what shares are available. If you want to set the string that is displayed next to the machine name then see the server string parameter.
This controls the backend for storing the configuration. Possible values are file the default and registry. So this triggers a registry only configuration. Share definitions are not read immediately but instead registry shares is set to yes. This allows you to override the config file to use, instead of the default usually smb. There is a chicken and egg problem here as this option is set in the config file! For this reason, if the name of the config file has changed when the parameters are loaded then it will reload them from the new config file.
If the config file doesn't exist then it won't be loaded allowing you to special case the config files of just a few clients. This parameter allows you to "clone" service entries. The specified service is simply duplicated under the current service's name. Any parameters specified in the current section will override those in the section being copied.
This feature lets you set up a 'template' service and create similar services easily. Note that the service being copied must occur earlier in the configuration file than the service doing the copying.
Any bit not set here will be removed from the modes set on a file when it is created. The default value of this parameter removes the group and other write and execute bits from the UNIX modes. Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the force create mode parameter which is set to by default.
This parameter does not affect directory masks. See the parameter directory mask for details. If the administrator wishes to enforce a mask on access control lists also, they need to set the security mask.
This stands for client-side caching policy , and specifies how clients capable of offline caching will cache the files in the share. The valid values are: manual, documents, programs, disable.
The default path as of ctdb 1. This parameter is only applicable if printing is set to cups. If set, this option specifies the number of seconds that smbd will wait whilst trying to contact to the CUPS server. The connection will fail if it takes longer than this number of seconds. Its value is a free form string of options passed directly to the cups library. You can also pass any printer specific option as listed in "lpoptions -d printername -l" valid for the target queue. This is necessary if you have virtual samba servers that connect to different CUPS daemons.
Optionally, a port can be specified by separating the server name and port number with a colon. If no port was specified, the default port for IPP will be used. The value of the parameter a decimal integer represents the number of minutes of inactivity before a connection is considered dead, and it is disconnected.
The deadtime only takes effect if the number of open files is zero. This is useful to stop a server's resources being exhausted by a large number of inactive connections.
Most clients have an auto-reconnect feature when a connection is broken so in most cases this parameter should be transparent to users. For more information about currently available debug classes, see section about log level. Sometimes the timestamps in the log messages are needed with a resolution of higher that seconds, this boolean parameter adds microsecond resolution to the timestamp message header when turned on.
Note that the parameter debug timestamp must be on for this to have an effect. When using only one log file for more then one forked smbd 8 -process there may be hard to follow which process outputs which message. This boolean parameter is adds the process-id to the timestamp message headers in the logfile when turned on.
With this option enabled, the timestamp message header is prefixed to the debug message without the filename and function information that is included with the debug timestamp parameter.
This gives timestamps to the messages without adding an additional line. Note that this parameter overrides the debug timestamp parameter. Samba debug log messages are timestamped by default. If you are running at a high debug level these timestamps can be distracting. This boolean parameter allows timestamping to be turned off. Samba is sometimes run as root and sometime run as the connected user, this boolean parameter inserts the current euid, egid, uid and gid to the timestamp message headers in the log file if turned on.
See the section on name mangling. Also note the short preserve case parameter. This parameter is only applicable to printable services.
The device mode can only correctly be generated by the printer driver itself which can only be executed on a Win32 platform. Because smbd is unable to execute the driver code to generate the device mode, the default behavior is to set this field to NULL.
Certain drivers will do things such as crashing the client's Explorer. However, other printer drivers can cause the client's spooler service spoolsv. This parameter should be used with care and tested with the printer driver in question. This parameter specifies the name of a service which will be connected to if the service actually requested cannot be found. Note that the square brackets are NOT given in the parameter value see example below.
There is no default value for this parameter. If this parameter is not given, attempting to connect to a nonexistent service results in an error. Typically the default service would be a guest ok , read-only service. This allows for interesting things. Windows allows specifying how a file will be shared with other processes when it is opened. Sharing violations occur when a file is opened by a different process using options that violate the share settings specified by other processes.
This parameter causes smbd to act as a Windows server does, and defer returning a "sharing violation" error message for up to one second, allowing the client to close the file causing the violation in the meantime. There should be no reason to turn off this parameter, as it is designed to enable Samba to more correctly emulate Windows.
For a Samba host this means that the printer must be physically deleted from the underlying printing system. The deleteprinter command defines a script to be run which will perform the necessary operations for removing the printer from the print system and from smb. The deleteprinter command is automatically called with only one parameter: printer name.
Once the deleteprinter command has been executed, smbd will reparse the smb. This parameter allows readonly files to be deleted. This option may be useful for running applications such as rcs, where UNIX file ownership prevents changing file permissions, and DOS semantics prevent deletion of a read only file. The delete share command is used to define an external program or script which will remove an existing service definition from smb.
In order to successfully execute the delete share command , smbd requires that the administrator connects using a root account i. Scripts defined in the delete share command parameter are executed as root. When executed, smbd will automatically invoke the delete share command with two parameters. This parameter is only used to remove file shares.
To delete printer shares, see the deleteprinter command. Full path to the script that will be called when a user is removed from a group using the Windows NT domain administration tools. This is the full pathname to a script that will be run by smbd 8 when managing users with remote RPC NT tools. This script is called when a remote client removes a user from the server, normally using 'User Manager for Domains' or rpcclient.
This option is used when Samba is attempting to delete a directory that contains one or more vetoed directories see the veto files option. If this option is set to no the default then if a vetoed directory contains any non-vetoed files or directories then the directory delete will fail. This is usually what you want. If this option is set to yes , then Samba will attempt to recursively delete any files and directories within the vetoed directory.
The dfree cache time should only be used on systems where a problem occurs with the internal disk space calculations. This has been known to happen with Ultrix, but may occur with other operating systems.
The symptom that was seen was an error of "Abort Retry Ignore" at the end of each directory listing. This is a new parameter introduced in Samba version 3.
It specifies in seconds the time that smbd will cache the output of a disk free query. If set to zero the default no caching is done. This allows a heavily loaded server to prevent rapid spawning of dfree command scripts increasing the load. The dfree command setting should only be used on systems where a problem occurs with the internal disk space calculations.
This setting allows the replacement of the internal routines to calculate the total disk space and amount available with an external routine. The example below gives a possible script that might fulfill this function.
In Samba version 3. The external program will be passed a single parameter indicating a directory in the filesystem being queried. This will typically consist of the string. The first should be the total disk space in blocks, and the second should be the number of available blocks. An optional third return value can give the block size in bytes. The default blocksize is bytes. Note: Your script should NOT be setuid or setgid and should be owned by and writeable only by root! By default internal routines for determining the disk capacity and remaining space will be used.
Any bit not set here will be removed from the modes set on a directory when it is created. The default value of this parameter removes the 'group' and 'other' write bits from the UNIX mode, allowing only the user who owns the directory to modify it. Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the force directory mode parameter. This parameter is set to by default i. If the administrator wishes to enforce a mask on access control lists also, they need to set the directory security mask.
We were supposed to go over some printer stuff in class, but didnt get to it. When hooked directly to the printer it seems to recognize and print fine. When I try to add the printer through the system settings it says something about firewallid missing and other services. It also gave the error "Idle - Unable to connect to CIFS host after tried 3 times " under the printer settings menu on the printer state field. I'm not sure whats up, but I'd like to get past this stage.
Other then that I havent came across any other problems with mint. The network printing worked fine with fedora 16, dont know why it wont get going with mint. I read that the firewallid was a redhat daemon and that had something to do with it, but even after adding the pritnter through the system-config-printer utility I still cant get it going.
It was pretty much the same with cups. My printer is a HP Deskjet F I made sure HPLIP and that was installed and should have all the dependencies that are supposed to go along with that so I'm not sure whats going on. Code: Select all params. Post by chipbuster » Wed Apr 04, pm Well, logs are pointing to a particular file Post by freestyle » Thu Apr 05, am Hey thanks for the response. I'm not clear which file you want me to pass the ls-l arg to? Still kind of new to this terminal stuff.
Post by altair4 » Thu Apr 05, am params. Code: Select all testparm -s. Code: Select all smbtree -d3 grep "smb. Post by freestyle » Thu Apr 05, pm Hey altair4 thanks for the help. I might have downloaded some samba4 packages, but I'm not totally sure. Post by altair4 » Fri Apr 06, am Based on your description this is what I would do: Note: Some of these commands might come back and tell you it's not installed but that's because I don't know to what extent, if any, there have been any Samba4 packages installed.
Run each command - one at a time. Code: Select all sudo apt-get --purge remove samba4 sudo apt-get --purge remove samba4-clients sudo apt-get --purge remove samba4-common-bin sudo apt-get install samba sudo apt-get install samba-common-bin sudo apt-get install samba-common sudo apt-get install smbclient sudo apt-get install libsmbclient sudo apt-get install libwbclient0 sudo apt-get install python-smbc.
Code: Select all sudo service smbd restart.
0コメント