Every time I have to set up samba to handle Windows users, something inadvertently goes wrong or doesn't work the way I expected, or takes forever to set up, especially when there are many users and various policies. So far, the easiest, surest and quickest method appears to be to install WindowsXP into VMWare and use it to handle Windows sharing. Needless to say, this strikes me as rather ironic and stupid.
Thus could anybody please suggest a working frontend to samba that makes it easy to add users, set their permissions and get something that works like basic windows file sharing?
So far I've tried the following which all don't quite work.
1. CentOS's samba configuration tool - added users never show up on the share configuration so the only shares it could create was for public access.
2. Webmin - thinks it added the users, but again they never show up when checked against the bundled CentOS tool and needless to say, the shares never work too
3. Samba SWAT - Very confusing tool, selecting shares sometimes end up as another share, and again, doesn't seem to work.
So I just need a very basic tool that will reliably allow me to do the following
- specify user name, specify password, and maybe specify a group
- specify a share the user or group has read only or read/write access
- force new files/folders to take on group ID so that it behaves like a normal windows share
Don't need print services or anything, it's just far easier to dump a hardware print server into the network than to contemplate the additional complexity of making something like CUPS work.
Just need to make sure that the Windows users can browse to the folders, get a prompt for their login and password where needed.
Thanks!
On Tue, 2009-02-24 at 02:53 +0800, Noob Centos Admin wrote:
Every time I have to set up samba to handle Windows users, something inadvertently goes wrong or doesn't work the way I expected, or takes forever to set up, especially when there are many users and various policies. So far, the easiest, surest and quickest method appears to be to install WindowsXP into VMWare and use it to handle Windows sharing. Needless to say, this strikes me as rather ironic and stupid.
Thus could anybody please suggest a working frontend to samba that makes it easy to add users, set their permissions and get something that works like basic windows file sharing?
So far I've tried the following which all don't quite work.
- CentOS's samba configuration tool
- added users never show up on the share configuration so the only
shares it could create was for public access.
- Webmin
- thinks it added the users, but again they never show up when checked
against the bundled CentOS tool and needless to say, the shares never work too
- Samba SWAT
- Very confusing tool, selecting shares sometimes end up as another
share, and again, doesn't seem to work.
So I just need a very basic tool that will reliably allow me to do the following
- specify user name, specify password, and maybe specify a group
- specify a share the user or group has read only or read/write access
- force new files/folders to take on group ID so that it behaves like
a normal windows share
Don't need print services or anything, it's just far easier to dump a hardware print server into the network than to contemplate the additional complexity of making something like CUPS work.
Just need to make sure that the Windows users can browse to the folders, get a prompt for their login and password where needed.
---- probably not the answer you want to hear but...
swat is supposed to be the tool for simple administration.
You are asking several questions but lumping them all under one category samba. The concept of UNIX or Linux administration is simple text files that can be manipulated with just about any editor that suits you though I would suggest that you refrain from using Windows editors because they add line endings that often cause issues.
the group idea is rather simple... let's say that you have a directory /home/samba/files and you set up a share in smb.conf called [Files], and all your users are members of the group 'users' then you would simply 'chgrp users /home/samba/files' and 'chmod g+s /home/samba/files' and that enables the 'group sticky bit' so that all files and folders in that directory are owned by group 'users'
Now adding users is a bit more complicated in that samba users must necessarily be Linux users AND samba users so they would have to be added to both systems.
Something like Webmin can help here in that it can be configured to automatically create the samba user at the same time that a Linux user is created but it doesn't do that upon first install.
You probably want to check out something like the 'Samba By Example' publication which can be purchased at your favorite bookstore in dead tree form or can be downloaded in PDF form or read online @ http://www.samba.org/samba/docs (see left side) which will walk you through basic steps.
Craig
On Tue, Feb 24, 2009 at 3:12 AM, Craig White craigwhite@azapple.com wrote:
probably not the answer you want to hear but... swat is supposed to be the tool for simple administration.
I was afraid of that. By the time I gave up and completed the task manually, I was thinking maybe it might be easier to write my own script to repeat all those useradd, gpasswd -a, smbpasswd and nano smb.conf :(
You are asking several questions but lumping them all under one category samba. The concept of UNIX or Linux administration is simple text files that can be manipulated with just about any editor that suits you though I would suggest that you refrain from using Windows editors because they add line endings that often cause issues.
No worries about that one, I only edit conf files on my CentOS box using nano. The closest to using Windows for this is to manage my servers are SSH through putty, and writing long php scripts to be uploaded.
the group idea is rather simple... let's say that you have a directory /home/samba/files and you set up a share in smb.conf called [Files], and all your users are members of the group 'users' then you would simply 'chgrp users /home/samba/files' and 'chmod g+s /home/samba/files' and that enables the 'group sticky bit' so that all files and folders in that directory are owned by group 'users'
For a single common to everybody share it was easy of course. In fact, for something like that, I'll do away with bothering everybody with a login and simply make a single login everybody shares for filesharing.
It's when I have 8 people who have to share aaa, then a sub group B have to share bbb, then a subgroup C have to share ccc, then a subgroup of people from B+C need to share ddd and so forth that it becomes untenable to do everything by hand and the tools at the moment just don't cut it.
Now adding users is a bit more complicated in that samba users must
necessarily be Linux users AND samba users so they would have to be added to both systems.
This was one of the caveats I discovered over time, struggling with webmin and the likes.
Something like Webmin can help here in that it can be configured to
automatically create the samba user at the same time that a Linux user is created but it doesn't do that upon first install.
Except of course webmin doesn't actually create the smbuser correctly. Maybe it has to do with how I use it, but maybe again like CentOS's tool, that particular functionality is actually broken.
You probably want to check out something like the 'Samba By Example'
publication which can be purchased at your favorite bookstore in dead tree form or can be downloaded in PDF form or read online @ http://www.samba.org/samba/docs (see left side) which will walk you through basic steps.
Trust me, I did read through that. I usually don't like to bug people for help unless I really cannot find any relevant existing information and cannot figure out what else can I try.
Thanks for replying in any case :)
Noob Centos Admin wrote:
probably not the answer you want to hear but... swat is supposed to be the tool for simple administration.
I was afraid of that. By the time I gave up and completed the task manually, I was thinking maybe it might be easier to write my own script to repeat all those useradd, gpasswd -a, smbpasswd and nano smb.conf :(
Is there a windows domain or AD in this picture somewhere? If so, point samba authentication there and don't worry about separate passwords.
No worries about that one, I only edit conf files on my CentOS box using nano. The closest to using Windows for this is to manage my servers are SSH through putty, and writing long php scripts to be uploaded.
If you want something nicer, run freenx on the server and the NX client from www.nomachine.com for your windows box. That lets you connect to a complete GUI desktop remotely and conveniently.
For a single common to everybody share it was easy of course. In fact, for something like that, I'll do away with bothering everybody with a login and simply make a single login everybody shares for filesharing.
It's when I have 8 people who have to share aaa, then a sub group B have to share bbb, then a subgroup C have to share ccc, then a subgroup of people from B+C need to share ddd and so forth that it becomes untenable to do everything by hand and the tools at the moment just don't cut it.
Not that complicated. Just create groups as needed and add the appropriate users to each group (independently, don't worry about which are sub-groups of others).
Then the samba shares look like:
[aaa-share]
    comment = aaa workspace
    path = /path/to/aaa-share
    public = no
    valid users = @aaa
    writable = yes
    printable = no
    force create mode = 0775
    force directory mode = 775
    force group = aaa
You might want some other mode, just make sure it is group-read/write. Then you can cut/paste those, substituting the appropriate groups, and do an initial chgrp -R and chmod -R of the top directories to make sure they have the right starting ownership and modes.
Except of course webmin doesn't actually create the smbuser correctly. Maybe it has to do with how I use it, but maybe again like CentOS's tool, that particular functionality is actually broken.
If you use smb authentication against a domain controller, all you have to do is create the linux users with the same login name. With winbind you might not even have to do that, but then I don't know how you control the groups.
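Added example, not part of the post above or of Samba itself: a dry-run generator for the aaa/bbb/ccc/ddd scenario that prints the group and user commands plus one stanza per group, following the [aaa-share] pattern. The user names, the membership table and /srv/samba are constructed placeholders, and it uses 0660/0770 rather than 0775 so that accounts outside the group get no access to the files on disk.

```shell
#!/bin/sh
# Added example, not from the thread. Group names follow the aaa/bbb/ccc/ddd
# scenario; user names and SHARE_ROOT are constructed placeholders.
set -uf   # -f: no globbing, so a "*" in the table is never expanded

SHARE_ROOT=/srv/samba

# Constructed membership table, one "group: members" line per share.
# Groups are independent: ddd just lists the people from B and C who need it.
MEMBERS='aaa: alice bob carol dave
bbb: alice bob
ccc: carol dave
ddd: bob carol'

# Accept only conservative names, so a table entry cannot inject extra
# smb.conf lines, command options or path components.
valid_name() {
    case $1 in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the smb.conf stanza for one group share.
share_stanza() {
    valid_name "$1" || { echo "bad group name: $1" >&2; return 1; }
    cat <<EOF
[$1-share]
    comment = $1 workspace
    path = $SHARE_ROOT/$1-share
    public = no
    valid users = @$1
    writable = yes
    printable = no
    force create mode = 0660
    force directory mode = 0770
    force group = $1
EOF
}

# Print (do not run) the root commands for every line of the table.
# Share-only accounts get no home directory and no login shell.
plan_commands() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        group=${line%%:*}
        valid_name "$group" || { echo "bad group name: $group" >&2; return 1; }
        echo "groupadd -f $group"
        for user in ${line#*:}; do
            valid_name "$user" || { echo "bad user name: $user" >&2; return 1; }
            echo "id -u $user >/dev/null 2>&1 || useradd -M -s /sbin/nologin $user"
            echo "gpasswd -a $user $group"
        done
        echo "mkdir -p $SHARE_ROOT/$group-share"
        echo "chgrp -R $group $SHARE_ROOT/$group-share"
        echo "chmod 2770 $SHARE_ROOT/$group-share"   # 2 = setgid, as chmod g+s
    done <<EOF
$1
EOF
}

# Distinct users in the table. Each one still needs "smbpasswd -a <user>",
# run interactively so no password lands in a script or shell history.
distinct_users() {
    printf '%s\n' "$1" | cut -d: -f2 | tr -s ' ' '\n' | sed '/^$/d' | sort -u
}

# "--show" prints the plan and the stanzas for review; nothing is executed.
if [ "${1:-}" = "--show" ]; then
    plan_commands "$MEMBERS"
    printf '%s\n' "$MEMBERS" | cut -d: -f1 | while IFS= read -r g; do
        share_stanza "$g"
    done
    distinct_users "$MEMBERS" | sed 's/^/# run interactively: smbpasswd -a /'
fi
```

Review the printed commands before running them as root, and run `testparm -s` after pasting the stanzas into smb.conf.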
On Tue, Feb 24, 2009 at 5:52 AM, Les Mikesell lesmikesell@gmail.com wrote:
Is there a windows domain or AD in this picture somewhere?
Not at all for all the usual Windows network migrations I've been setting up. Typically small offices with less than 20 people so they simply used workgroups without domains.
If you want something nicer, run freenx on the server and the NX
Thanks for the suggestion, I discovered freenx just days ago and actually had the packages installed on the new setup, just have not gotten around to using it.
Then the samba shares look like:
[aaa-share]
    comment = aaa workspace
    path = /path/to/aaa-share
    public = no
    valid users = @aaa
    writable = yes
    printable = no
    force create mode = 0775
    force directory mode = 775
    force group = aaa
I just had an OMFG moment reading your conf. Does the valid users=@aaa means all users in the group aaa? I thought I had read it to mean exclude hence never tried it, instead I had tried things like valid users = groupAAA which obviously didn't work.
If you use smb authentication against a domain controller all you have to do is create the linux users with the same login name. With winbind you might not even have to do that, but then I don't know how you control the groups.
Would setting up a domain controller on the CentOS be better in the long run for only 10 to 20 people situation? I've avoided it since I'm still learning to setup Linux based servers and didn't want to bite off more than I can chew.
Thanks again for all the suggestions!
Noob Centos Admin wrote:
On Tue, Feb 24, 2009 at 5:52 AM, Les Mikesell lesmikesell@gmail.com wrote:
Is there a windows domain or AD in this picture somewhere?
Not at all for all the usual Windows network migrations I've been setting up. Typically small offices with less than 20 people so they simply used workgroups without domains.
That makes it somewhat harder to use multiple machines since you end up having to create and maintain passwords on each.
If you want something nicer, run freenx on the server and the NX
Thanks for the suggestion, I discovered freenx just days ago and actually had the packages installed on the new setup, just have not gotten around to using it.
It is very much worth the trouble.
Then the samba shares look like:
[aaa-share]
    comment = aaa workspace
    path = /path/to/aaa-share
    public = no
    valid users = @aaa
    writable = yes
    printable = no
    force create mode = 0775
    force directory mode = 775
    force group = aaa
I just had an OMFG moment reading your conf. Does the valid users=@aaa means all users in the group aaa? I thought I had read it to mean exclude hence never tried it, instead I had tried things like valid users = groupAAA which obviously didn't work.
Yes, valid users means the ones allowed to connect to the share and @groupname is the set of users in the group. On unix a different group is always a different group. Even if only one member is different between groups, don't try to make exceptions with ACLs or you'll wish you hadn't when the reasons for the exceptions change.
If you use smb authentication against a domain controller all you have to do is create the linux users with the same login name. With winbind you might not even have to do that, but then I don't know how you control the groups.
Would setting up a domain controller on the CentOS be better in the long run for only 10 to 20 people situation? I've avoided it since I'm still learning to setup Linux based servers and didn't want to bite off more than I can chew.
If you have to ask things like that, I'd recommend looking at the free SME server distribution. It mostly uses Centos packages, but is a 'windows server' appliance that will do everything you are likely to need and more (including acting as a domain controller) with all administration through simple web forms. http://www.contribs.org. It simplifies a lot of concepts - for example when you create groups you'll get email groups as well as unix permission groups, and when you create the shared workspaces it calls "ibays" you can access them via http, ftp, and samba, and can control public and private access separately. The only down side is that because it is already customized and uses perl scripts to build the config files, it is somewhat difficult to add or modify things beyond what it already provides.
ClarkConnect is something similar and might be better these days but I haven't looked at it for a long time. I thought I saw a release notice that said they were adding LDAP authentication as an option even in the first system which is something Linux distros have needed for a long time.
On Wed, Feb 25, 2009 at 1:20 AM, Les Mikesell lesmikesell@gmail.com wrote:
That makes it somewhat harder to use multiple machines since you end up having to create and maintain passwords on each.
True, but the usual work behaviour here means that seldom happen. Even if they do need to work on somebody else's machine, most customers simply used the permissions of whoever it is.
I've not quite succeeded in convincing any of them that it's a bad idea to let everybody else in the department know your password for "convenience".
If you have to ask things like that, I'd recommend looking at the free SME server distribution. It mostly uses Centos packages, but is a 'windows server' appliance that will do everything you are likely to need and more (including acting as a domain controller) with all administration through simple web forms.
Thanks for the suggestion, I'll take a look at it but chances are I won't actually get to try it until at least a couple of months later either with a new server or an existing. No point ruffling feathers after just fixing what was broken! :D
Noob Centos Admin wrote:
On Wed, Feb 25, 2009 at 1:20 AM, Les Mikesell lesmikesell@gmail.com wrote:
That makes it somewhat harder to use multiple machines since you end up having to create and maintain passwords on each.
True, but the usual work behaviour here means that seldom happen. Even if they do need to work on somebody else's machine, most customers simply used the permissions of whoever it is.
I've not quite succeeded in convincing any of them that it's a bad idea to let everybody else in the department know your password for "convenience".
This becomes much easier when you have appropriate shared space on the server(s) with group access permissions so there is never any need to impersonate someone else.
If you have to ask things like that, I'd recommend looking at the free SME server distribution. It mostly uses Centos packages, but is a 'windows server' appliance that will do everything you are likely to need and more (including acting as a domain controller) with all administration through simple web forms.
Thanks for the suggestion, I'll take a look at it but chances are I won't actually get to try it until at least a couple of months later either with a new server or an existing. No point ruffling feathers after just fixing what was broken! :D
You can always fire one up under vmware or a test box to see how it works.
I'm seriously befuddled by Samba now.
I followed the good advice given and got the previous server set up nicely.
I did the same thing on another one and it refuses to work.
1. useradd some users
2. gpasswd -a them to a "staff" group and smbpasswd -a them
3. chmod g+s the staff directory
4. tested smbclient -L smbserver works
5. Windows user can see the Netbios name but not the share
6. Trying to access fails after timeout
7. Checked iptables/firewall not blocking
8. tail -f samba logs but nothing happens, it's like samba never see the incoming request. Note that it doesn't log anything with smbclient -L either.
9. mv the smb.conf and used a very basic one, similar to the one suggested in this thread.
10. yum remove and installed samba again just in case
Still not working.
I'm almost certain now that samba coder snuck in a devious randomizer that requires every single installation to only work after an random sequence of actions is taken. :(
Any hints or magic words?
From: Noob Centos Admin centos.admin@gmail.com
- tail -f samba logs but nothing happens, it's like samba never see
the incoming request. Note that it doesn't log anything with smbclient -L either.
Did you try to raise the log level (log level = 3)?
I'm almost certain now that samba coder snuck in a devious randomizer that requires every single installation to only work after an random sequence of actions is taken. :(
But I feel your pain... I cannot count how many days I lost on Samba+Windows issues... Last one (not sure yet) was on Windows side: apparently, the nvidia service preventing profiles to be saved on logout... It is a 2007 issue and apparently it still exists!
JD
On Fri, 2009-02-27 at 17:59 +0800, Noob Centos Admin wrote:
I'm seriously befuddled by Samba now.
I followed the good advice given and got the previous server set up nicely.
I did the same thing on another one and it refuses to work.
- useradd some users
- gpasswd -a them to a "staff" group and smbpasswd -a them
- chmod g+s the staff directory
How about chown -R root:staff /directory_name ??? chmod -R 777 /directory_name ???
- tested smbclient -L smbserver works
smbclient -L localhost -U% try that.
- Windows user can see the Netbios name but not the share
- Trying to access fails after timeout
- Checked iptables/firewall not blocking
- tail -f samba logs but nothing happens, it's like samba never see
the incoming request. Note that it doesn't log anything with smbclient -L either.
- mv the smb.conf and used a very basic one, similar to the one suggested in this thread.
- yum remove and installed samba again just in case
Still not working.
I'm almost certain now that samba coder snuck in a devious randomizer that requires every single installation to only work after an random sequence of actions is taken. :(
Any hints or magic words?
----- Just to rule out user input error take the working samba configuration from the previous server and copy it over to the current non-working one. Then "service smb reload" or "service smb restart".
At least make sure you are working with the same samba package versions. Lastly it would be or "WE" could help a bit more if you posted the current configuration you're working with to possibly spot errors in it.
JohnStanley
On Fri, Feb 27, 2009 at 8:12 PM, JohnS jses27@gmail.com wrote:
How about chown -R root:staff /directory_name ??? chmod -R 777 /directory_name ???
The directory was chown -R to staff:staff and chmod -R to 770. I'll give a try on 777 on Monday (US Sunday). They are currently using an older Win2K server for sharing so not an urgent transition hence I don't get to go in again until they start on Monday.
- tested smbclient -L smbserver works
smbclient -L localhost -U% try that.
I did try the -U <username> previously. samba will ask me for a password, and then show me the standard information. So it's rather odd that this doesn't show up on log, and coming in from the network doesn't work at all. Iptables has the ports opened and server can be pinged so it's not due to traffic being blocked either.
Just to rule out user input error take the working samba configuration from the previous server and copy it over to the current non-working one. Then "service smb reload" or "service smb restart".
Will try that on Monday, although the exact names are not quite the same.
At least make sure you are working with the same samba package versions.
Both of them should be the latest version as in both cases, I did a yum remove and install after initial difficulties just to clear out any possible errors introduced by this clueless admin.
Lastly it would be or "WE" could help a bit more if you posted the current configuration you're working with to possibly spot errors in it.
Ok, again, Monday :)
Thanks!
Noob Centos Admin wrote:
I'm seriously befuddled by Samba now.
I followed the good advice given and got the previous server set up nicely.
I did the same thing on another one and it refuses to work.
- useradd some users
- gpasswd -a them to a "staff" group and smbpasswd -a them
- chmod g+s the staff directory
- tested smbclient -L smbserver works
- Windows user can see the Netbios name but not the share
- Trying to access fails after timeout
- Checked iptables/firewall not blocking
- tail -f samba logs but nothing happens, it's like samba never see
the incoming request. Note that it doesn't log anything with smbclient -L either.
- mv the smb.conf and used a very basic one, similar to the one suggested in this thread.
- yum remove and installed samba again just in case
Still not working.
I'm almost certain now that samba coder snuck in a devious randomizer that requires every single installation to only work after an random sequence of actions is taken. :(
Any hints or magic words?
First, I'll repeat my advice about using the SME server distribution which makes it as easy as filling in simple forms on web pages for users, groups, and shares and basically would take no other administration unless you want email or additional services.
But, if you want to do it the hard way, you probably have an authentication issue. With the default security setting of 'user', the windows users must authenticate before they can even see a share - and things get weird if the name they used to log into windows is not the same as the linux/samba login name. You can still map drives if you explicitly specify \\server\share, 'connect as other user' and fill in the name and password, but browsing for shares often doesn't work. If you aren't too concerned about security, you can change this to 'security = share' and then you can browse before authenticating, and also have the option to authenticate as different users when connecting to different shares on the same machine which you can't do in user or server modes.
I don't understand the log issue, though. Are you sure smbd is running? Nmbd would be enough to activate the netbios name - maybe you have a syntax error in smb.conf and smbd did not start.
On Sun, Mar 1, 2009 at 2:21 AM, Les Mikesell lesmikesell@gmail.com wrote:
But, if you want to do it the hard way, you probably have an
Unfortunately I do want to do it the hard way. While the SME server would make things really easy, the lesson I learnt in the past with easy thing is that, once something break, I will really have no idea what is going on.
It's kind of like folks who grew up knowing only GUI, they usually are helpless if the mouse doesn't work.
authentication issue. With the default security setting of 'user', the windows users must authenticate before they can even see a share - and things get weird if the name they used to log into windows is not the same as the linux/samba login name. You can still map drives if you explicitly specify \\server\share, 'connect as other user' and fill in the name and password, but browsing for shares often doesn't work.
I think we have a winner! This could be it as the names they use to log into their Windows machine are not their own. Most of them are inherited PC, they simply continued using the previous login since no password were set, usually.
Whereas the other location was a new setup with new PC setup.
you aren't too concerned about security, you can change this to 'security = share' and then you can browse before authenticating, and also have the option to authenticate as different users when connecting to different shares on the same machine which you can't do in user or server modes.
I'll probably do this since this is what they are used to, and expect.
I don't understand the log issue, though. Are you sure smbd is running? Nmbd would be enough to activate the netbios name - maybe you have a syntax error in smb.conf and smbd did not start.
Definitely running. I have tail -f on both their logs and ls the log folder every time. The startup message gets logged every time I did a service restart on trying a different setting. Which was why I was curious why there was no log message whatsoever.
The other machine would show new logs for connecting IP/machines (I think as a result of me using the split log function) even if they got rejected.
On Sun, 2009-03-01 at 02:44 +0800, Noob Centos Admin wrote:
On Sun, Mar 1, 2009 at 2:21 AM, Les Mikesell lesmikesell@gmail.com wrote:
But, if you want to do it the hard way, you probably have an
Unfortunately I do want to do it the hard way. While the SME server would make things really easy, the lesson I learnt in the past with easy thing is that, once something break, I will really have no idea what is going on.
It's kind of like folks who grew up knowing only GUI, they usually are helpless if the mouse doesn't work.
authentication issue. With the default security setting of 'user', the windows users must authenticate before they can even see a share - and things get weird if the name they used to log into windows is not the same as the linux/samba login name. You can still map drives if you explicitly specify \\server\share, 'connect as other user' and fill in the name and password, but browsing for shares often doesn't work.
I think we have a winner! This could be it as the names they use to log into their Windows machine are not their own. Most of them are inherited PC, they simply continued using the previous login since no password were set, usually.
Whereas the other location was a new setup with new PC setup.
you aren't too concerned about security, you can change this to 'security = share' and then you can browse before authenticating, and also have the option to authenticate as different users when connecting to different shares on the same machine which you can't do in user or server modes.
I'll probably do this since this is what they are used to, and expect.
Share Mode is deprecated now. All that does is revert back to user mode.
I don't understand the log issue, though. Are you sure smbd is running? Nmbd would be enough to activate the netbios name - maybe you have a syntax error in smb.conf and smbd did not start.
Definitely running. I have tail -f on both their logs and ls the log folder every time. The startup message gets logged every time I did a service restart on trying a different setting. Which was why I was curious why there was no log message whatsoever.
The other machine would show new logs for connecting IP/machines (I think as a result of me using the split log function) even if they got rejected.
Noob Centos Admin wrote:
But, if you want to do it the hard way, you probably have an
Unfortunately I do want to do it the hard way. While the SME server would make things really easy, the lesson I learnt in the past with easy thing is that, once something break, I will really have no idea what is going on.
There's a tradeoff here. When you cobble up a one-of-a-kind system yourself, not only is it much more likely to break than one set up by an expert, but no one else is going to be having the same problem so you won't be able to easily get help from a mail list or forum. If SME server breaks, other people will likely have already posted the workaround or update to fix it.
It's kind of like folks who grew up knowing only GUI, they usually are helpless if the mouse doesn't work.
Not exactly. SME server mostly runs the same programs with the same config files as Centos, so you can look at the configs and understand them if you want. The configs are actually created by perl scripts that merge canned snippets with your web form entries, so it is somewhat more difficult to modify them in ways that weren't planned but that's not really out of the question either.
authentication issue. With the default security setting of 'user', the windows users must authenticate before they can even see a share - and things get weird if the name they used to log into windows is not the same as the linux/samba login name. You can still map drives if you explicitly specify \\server\share, 'connect as other user' and fill in the name and password, but browsing for shares often doesn't work.
I think we have a winner! This could be it as the names they use to log into their Windows machine are not their own. Most of them are inherited PC, they simply continued using the previous login since no password were set, usually.
Whereas the other location was a new setup with new PC setup.
You can test this with the explicit mapping commands.
you aren't too concerned about security, you can change this to 'security = share' and then you can browse before authenticating, and also have the option to authenticate as different users when connecting to different shares on the same machine which you can't do in user or server modes.
I'll probably do this since this is what they are used to, and expect.
I see someone mentioned that this may not work anymore. Making the windows and Linux logins match may be a better approach. You can test that on one box to see if it works.
On Sun, 2009-03-01 at 02:44 +0800, Noob Centos Admin wrote:
you aren't too concerned about security, you can change this to 'security = share' and then you can browse before authenticating, and also have the option to authenticate as different users when connecting to different shares on the same machine which you can't do in user or server modes.
I'll probably do this since this is what they are used to, and expect.
---- security = share is for all purposes deprecated and probably a bad option to start with now. ----
I don't understand the log issue, though. Are you sure smbd is running? Nmbd would be enough to activate the netbios name - maybe you have a syntax error in smb.conf and smbd did not start.
Definitely running. I have tail -f on both their logs and ls the log folder every time. The startup message gets logged every time I did a service restart on trying a different setting. Which was why I was curious why there was no log message whatsoever.
The other machine would show new logs for connecting IP/machines (I think as a result of me using the split log function) even if they got rejected.
---- you can set the log level in smb.conf between 0 and 10 (10 being highest) and the amount of detail steadily increases. Consult the man page for smb.conf for details. The configuration from smb.conf is re-read approximately once a minute so you don't actually have to restart the service for changes once they are saved to take effect.
Also, it's useful to note that in 'security = user' mode, a user must exist in both /etc/passwd and samba's passdb (usually now /etc/samba/passdb.tdb) and you can figure this out by executing something like 'testparm -s -v | grep passdb'
If you want detailed help, it's generally helpful to include the output of the 'testparm -s' command.
Last thing that I have found useful to test users and passwords in samba are things like this from command line on Linux machine...
smbclient -L $NETBIOS_NAME -U% # anonymous authentication should show shares (no password)
smbclient -L $NETBIOS_NAME -U administrator # should prompt for administrator password
# and generally, there is a file called /etc/samba/smbusers which maps 'root' to 'administrator'
Once a 'user' like administrator above can connect without error, then you can test access to specific shares like this...
smbclient //$NETBIOS_NAME/staff -U administrator # should prompt for administrator password
smbclient //$NETBIOS_NAME/staff -U $SOME_USER # should prompt for $SOME_USER password and if user is allowed access, you are given a command prompt.
Craig
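The point made above, that under 'security = user' an account has to exist both in /etc/passwd and in samba's passdb, can be checked for a list of names in one pass. This is an added example, not code from the thread; the function name, the state labels and the sample accounts are assumptions, and the sample listings are constructed.

```shell
#!/bin/sh
# Constructed sample data (not from the thread). On a real server, feed the
# function "$(getent passwd)" and "$(pdbedit -L)" (run as root) instead.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
jackie:x:501:501::/home/jackie:/bin/bash
maria:x:502:502::/home/maria:/bin/bash'
# pdbedit -L prints one "username:uid:full name" line per Samba account.
SAMPLE_PDB='root:0:root
jackie:501:
oldtemp:503:'

# account_status PASSWD_TEXT PDBEDIT_TEXT USER...   (hypothetical helper)
# Prints "<user> <state>" per user, where state is ok, no-unix, no-samba,
# or no-unix,no-samba. Per the thread, a user needs both entries.
account_status() {
    passwd_text=$1
    pdb_text=$2
    shift 2
    for u in "$@"; do
        state=
        # First colon-separated field is the login name in both listings.
        printf '%s\n' "$passwd_text" | cut -d: -f1 | grep -qxF -- "$u" ||
            state=no-unix
        printf '%s\n' "$pdb_text" | cut -d: -f1 | grep -qxF -- "$u" ||
            state=${state:+$state,}no-samba
        printf '%s %s\n' "$u" "${state:-ok}"
    done
}

account_status "$SAMPLE_PASSWD" "$SAMPLE_PDB" jackie maria oldtemp ghost
```

A name reported as no-samba still needs a Samba password entry (for example with smbpasswd -a) before the smbclient tests above can succeed for it.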
Noob Centos Admin wrote:
So far I've tried the following which all don't quite work.
- CentOS's samba configuration tool
- added users never show up on the share configuration so the only shares it
could create was for public access.
The samba configuration tool (system-config-samba) is finally fixed in 5.3 (due out soon) and will now correctly show added samba users :-)
On Tue, Feb 24, 2009 at 3:23 AM, Ned Slider ned@unixmail.co.uk wrote:
The samba configuration tool (system-config-samba) is finally fixed in 5.3 (due out soon) and will now correctly show added samba users :-)
Honestly, I'm so glad to see this! Although I won't likely benefit from it until the next server install or re-install, at least I now know it wasn't ME! :D
Noob Centos Admin wrote:
On Tue, Feb 24, 2009 at 3:23 AM, Ned Slider ned@unixmail.co.uk wrote:
The samba configuration tool (system-config-samba) is finally fixed in 5.3 (due out soon) and will now correctly show added samba users :-)
Honestly, I'm so glad to see this! Although I won't likely benefit from it until the next server install or re-install, at least I now know it wasn't ME! :D
It is documented on the bug tracker and forums so is a well known issue and is fixed in system-config-samba-1.2.41-3.el5. You could always grab the upstream src.rpm now and build it yourself.
On Tue, Feb 24, 2009 at 6:26 AM, Ned Slider ned@unixmail.co.uk wrote:
It is documented on the bug tracker and forums so is a well known issue and is fixed in system-config-samba-1.2.41-3.el5. You could always grab the upstream src.rpm now and build it yourself.
Thanks for the information, somehow it never struck me to check the bugtracker for this since I always half assumed it must be something I am not doing quite correctly!
on 2-23-2009 10:53 AM Noob Centos Admin spake the following:
Every time I have to set up samba to handle Windows users, sometime inadvertently goes wrong or doesn't work the way I expected, or takes forever to set up, especially when there are many users and various policies. So far, the easiest, surest and quickest method appears to be install WindowsXP into VMWare and use it to handle Windows sharing. Needless to say, this strikes me as rather ironic and stupid.
Thus could anybody please suggest a working frontend to samba that makes it easy to add users, set their permissions and get something that works like basic windows file sharing?
So far I've tried the following which all don't quite work.
- CentOS's samba configuration tool
- added users never show up on the share configuration so the only
shares it could create was for public access.
- Webmin
- thinks it added the users, but again they never show up when checked
against the bundled CentOS tool and needless to say, the shares never work too
Webmin does work, as I use it all the time to add users. You have to make sure that the user module has the option "Create and update in other modules" set to yes. I think it defaults to no.
- Samba SWAT
- Very confusing tool, selecting shares sometimes end up as another
share, and again, doesn't seem to work.
So I just need a very basic tool that will reliably allow me to do the following
- specify user name, specify password, and maybe specify a group
- specify a share the user or group has read only or read/write access
- force new files/folders to take on group ID so that it behaves like a
normal windows share
Learn to use a file editor and edit the configs yourself. That is the only way to have the best control. Once you have a working config, copy and modify it for the next share.
Don't need print services or anything, it's just far easier to dump a hardware print server into the network than to contemplate the additional complexity of making something like CUPS work.
Just need to make sure that the Windows users can browse to the folders, get a prompt for their login and password where needed.
Thanks!
On Fri, Mar 6, 2009 at 3:57 AM, Scott Silva ssilva@sgvwater.com wrote:
Learn to use a file editor and edit the configs yourself. That is the only way to have the best control.
That's generally how I try to do things, except sometimes hand "written" doesn't work the way I expect it to. Then I'd like to have a GUI that does work, then learn from the conf file it creates if possible. Unfortunately, in this case they didn't work either! :D
Once you have a working config, copy and modify it
for the next share.
That's the part of the problem I'm facing, getting a working config to be working on another machine where things might not be exactly the same and the whole voodoo ritual starts anew.
on 3-5-2009 12:03 PM Noob Centos Admin spake the following:
On Fri, Mar 6, 2009 at 3:57 AM, Scott Silva ssilva@sgvwater.com wrote:
Learn to use a file editor and edit the configs yourself. That is the only way to have the best control.
That's generally how I try to do things, except sometimes hand "written" doesn't work the way I expect it to. Then I'd like to have a GUI that does work, then learn from the conf file it creates if possible. Unfortunately, in this case they didn't work either! :D
Once you have a working config, copy and modify it
for the next share.
That's the part of the problem I'm facing, getting a working config to be working on another machine where things might not be exactly the same and the whole voodoo ritual starts anew.
Give an example of what you want and maybe I can help you with it.
Probably off list as not to bother everyone else.
I was back onsite and trying it again, in vain. Copied the conf from another site's working setup and dumped directly, recreated with the same names and all. No go.
So again removed and install samba again, made a blank conf file, fire up SWAT and did the most basic config.
Even chmod 777 the directory.
Conf file

[global]
workgroup = MKSC52
netbios name = MKSC52
security = SHARE
log level = 2
os level = 35

[staff]
comment = Staff Share
path = /home/staff
valid users = jackie @staff
I've changed one of the Windows machines' workgroup to a fresh one as above, in case the existing Windows 2000 domain controller was somehow interfering. The PC name was also changed to the user's name. But no joy either.
But at least Samba is logging something after that
# [2009/03/06 17:38:31, 2] smbd/reply.c:reply_special(324) netbios connect: name1=MKS2009C52 name2=JACKIE
[2009/03/06 17:38:31, 2] smbd/reply.c:reply_special(331) netbios connect: local=mks2009c52 remote=jackie, name type = 0
[2009/03/06 17:40:31, 2] smbd/process.c:timeout_processing(1363) Closing idle connection
On the windows side, there was a brief pause before Windows tells me I have no permission to access the network resource. No prompt for password.
On Fri, 2009-03-06 at 17:46 +0800, Noob Centos Admin wrote:
I was back onsite and trying it again, in vain. Copied the conf from another site's working setup and dumped directly, recreated with the same names and all. No go.
So again removed and install samba again, made a blank conf file, fire up SWAT and did the most basic config.
Even chmod 777 the directory.
Conf file

[global]
workgroup = MKSC52
netbios name = MKSC52
security = SHARE
log level = 2
os level = 35

[staff]
comment = Staff Share
path = /home/staff
valid users = jackie @staff
I've changed one of the Windows machines' workgroup to a fresh one as above, in case the existing Windows 2000 domain controller was somehow interfering. The PC name was also changed to the user's name. But no joy either.
But at least Samba is logging something after that
# [2009/03/06 17:38:31, 2] smbd/reply.c:reply_special(324) netbios connect: name1=MKS2009C52 name2=JACKIE
[2009/03/06 17:38:31, 2] smbd/reply.c:reply_special(331) netbios connect: local=mks2009c52 remote=jackie, name type = 0
[2009/03/06 17:40:31, 2] smbd/process.c:timeout_processing(1363) Closing idle connection
On the windows side, there was a brief pause before Windows tells me I have no permission to access the network resource. No prompt for password.
---- I gave you some clues on how to troubleshoot on Saturday afternoon
Craig
Noob Centos Admin wrote:
I was back onsite and trying it again, in vain. Copied the conf from another site's working setup and dumped directly, recreated with the same names and all. No go.
So again removed and install samba again, made a blank conf file, fire up SWAT and did the most basic config.
Even chmod 777 the directory.
Conf file

[global]
workgroup = MKSC52
netbios name = MKSC52
security = SHARE
log level = 2
os level = 35

[staff]
comment = Staff Share
path = /home/staff
valid users = jackie @staff
I've changed one of the Windows machines' workgroup to a fresh one as above, in case the existing Windows 2000 domain controller was somehow interfering. The PC name was also changed to the user's name. But no joy either.
But at least Samba is logging something after that
# [2009/03/06 17:38:31, 2] smbd/reply.c:reply_special(324) netbios connect: name1=MKS2009C52 name2=JACKIE
[2009/03/06 17:38:31, 2] smbd/reply.c:reply_special(331) netbios connect: local=mks2009c52 remote=jackie, name type = 0
[2009/03/06 17:40:31, 2] smbd/process.c:timeout_processing(1363) Closing idle connection
On the windows side, there was a brief pause before Windows tells me I have no permission to access the network resource. No prompt for password.
Try adding guest ok = no
in the global section. If security = share doesn't work like it used to, you may be required to authenticate before seeing the shares and if guest is permitted you can be silently mapped to a user with no permissions. All linux permissions continue to apply, all the way down the path, so you must be able to log into linux as the user (or su to) and access the directory/files. Then you need to make sure samba connects as the correct user.
on 3-6-2009 1:46 AM Noob Centos Admin spake the following:
I was back onsite and trying it again, in vain. Copied the conf from another site's working setup and dumped directly, recreated with the same names and all. No go.
So again removed and install samba again, made a blank conf file, fire up SWAT and did the most basic config.
Even chmod 777 the directory.
Conf file

[global]
workgroup = MKSC52
netbios name = MKSC52
security = SHARE
log level = 2
os level = 35
Security = share is deprecated and doesn't work the same anymore. It might even default to security = user...
[staff]
comment = Staff Share
path = /home/staff
valid users = jackie @staff
I've changed one of the Windows machines' workgroup to a fresh one as above, in case the existing Windows 2000 domain controller was somehow interfering. The PC name was also changed to the user's name. But no joy either.
But at least Samba is logging something after that
# [2009/03/06 17:38:31, 2] smbd/reply.c:reply_special(324) netbios connect: name1=MKS2009C52 name2=JACKIE
[2009/03/06 17:38:31, 2] smbd/reply.c:reply_special(331) netbios connect: local=mks2009c52 remote=jackie, name type = 0
[2009/03/06 17:40:31, 2] smbd/process.c:timeout_processing(1363) Closing idle connection
On the windows side, there was a brief pause before Windows tells me I have no permission to access the network resource. No prompt for password.
This sometimes happens if the username is the same between samba and windows, but the passwords are either different or empty. It also happens with Windows XP if they are set to simple file sharing mode.
On Fri, 2009-03-06 at 14:53 -0800, Scott Silva wrote:
on 3-6-2009 1:46 AM Noob Centos Admin spake the following:
I was back onsite and trying it again, in vain. Copied the conf from another site's working setup and dumped directly, recreated with the same names and all. No go.
So again removed and install samba again, made a blank conf file, fire up SWAT and did the most basic config.
Even chmod 777 the directory.
Conf file

[global]
workgroup = MKSC52
netbios name = MKSC52
security = SHARE
log level = 2
os level = 35
Security = share is deprecated and doesn't work the same anymore. It might even default to security = user...
You're correct, it does revert to user. As from my samba test machine.
JohnStanley
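The points raised in the replies above (security = share being deprecated, guest mapping, and the original request that new files take the group ID) can be checked against an smb.conf before restarting the service. This is an added example, not code from any poster; the function name, the finding messages and the use of the 'force group' parameter for the group requirement are assumptions, and the input is the conf file posted in the thread.

```shell
#!/bin/sh
# The smb.conf posted in the thread, re-typed one parameter per line.
SAMPLE_CONF='[global]
workgroup = MKSC52
netbios name = MKSC52
security = SHARE
log level = 2
os level = 35

[staff]
comment = Staff Share
path = /home/staff
valid users = jackie @staff'

# smbconf_findings CONF_TEXT   (hypothetical helper)
# Prints one finding per line; prints nothing when no check fires.
smbconf_findings() {
    printf '%s\n' "$1" | awk '
    /^[ \t]*([#;]|$)/ { next }            # comments and blank lines
    /^[ \t]*\[/ {                         # [section] header
        sec = tolower($0)
        gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
        if (sec != "global") shares[++n] = sec
        next
    }
    {
        eq = index($0, "=")
        if (!eq) next
        key = tolower(substr($0, 1, eq - 1))
        val = tolower(substr($0, eq + 1))
        gsub(/^[ \t]+|[ \t]+$/, "", key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        conf[sec, key] = val
    }
    END {
        if (conf["global", "security"] == "share")
            print "global: security = share (deprecated, may act as user)"
        for (i = 1; i <= n; i++) {
            s = shares[i]
            if (conf[s, "guest ok"] == "yes" || conf[s, "public"] == "yes")
                print s ": guest access allowed"
            else if (!((s, "valid users") in conf))
                print s ": no valid users list"
            if (!((s, "force group") in conf))
                print s ": no force group set"
        }
    }'
}

smbconf_findings "$SAMPLE_CONF"
```

On the posted config this reports the security = share setting and the missing force group on [staff]; 'testparm -s' remains the authoritative check of what samba itself parses.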