Christmas Gift

Today I got a Christmas gift from myself. For a long time my Samba setup has been suffering from 'network unavailable' messages. Today I found the reason for that problem. This error comes when my virtual IP conflicts with an active virtual IP on another server. When our abpdel2 server goes down due to script, IP 10.11.0.107 is assigned to abpdel1. After activating abpdel2, if we forget to deactivate the assigned virtual IP 10.11.0.107 on abpdel1, then that message comes.

winbind reconnect delay

Today, browsing samba.org, I noticed the release news of Samba 3.3.0rc2. The long-awaited feature I found is 'winbind reconnect delay'. This parameter is used to set the timeout for considering the Windows domain unavailable. The default value of this parameter is 30, which can be changed.

Q. Windows seems to treat authentication on a per-server basis. Once you've logged in as one user it will try to use that user's credentials for the next share from that server. I haven't figured out a workaround but it would be great if someone knows one. Sometimes Windows doesn't even show that you are connected to a share and the client has to be rebooted before you'll get the login prompt again to pick a different login name from what I've seen. Definitely not ideal behavior.

Ans.
Connect to the netbios name for one share. Connect to the ip address for the other share.
This will allow different credentials. Don't know if you need more than two....

Q. When Samba is running, I issued a command to list processes; ps -C smbd lists more than one process. I have the following queries regarding this: how can one determine how many smbd processes run? Is there any way to determine which smbd process is linked with which share session?

Ans.
smbstatus command will be helpful in this regard.

Q. I am using winbind to get AD users on Samba. The problem I am facing is related to groups.
To make the problem clear, I am taking an example. There is an AD user that belongs to the "Domain users" and "Marketting" groups. A new file/folder created by that user has group ownership "Domain users", but I want "Marketting" to be the group owner. Is it possible without setting the SGID bit? Is there any sort of primary group feature in AD?


Ans.
There is, and only (fortunately) for POSIX compatibility. AD makes no
real use of it, it's just normally set to what Domain Users equates to.

I have modified it for accounts used on UNIX OSs that want a different
group FROM AD as primary group (note: I have found that attempting to
point it to an (effective) GID that's not derived from AD, I always
found failed, and AD would either deny the update or reset it to Domain
Users).

If you use something like adsiedit, the user attribute you want is
primaryGroupID. And (being as I used winbind with RID mapping for UID
and GID currently), I make sure I find what id (from the UNIX command
line) perceives as the GID for the AD group I'm interested in, then set
that value using adsiedit, as the primaryGroupID in AD for the user
account.

Q. Should the "inherit permission" and "inherit acl" parameters be used only
when a default acl is not present on the parent directory?


Ans.
No, if you want to be sure that permissions are inherited properly, you need both: default permissions and "inherit permissions/acl". If "inherit permissions/acl" is missing, the default acls are inherited but they may be modified. The man page reads:

inherit acls (S)

This parameter can be used to ensure that if default acls exist on parent directories, they are always honored when creating a new file or subdirectory in these
parent directories. The default behavior is to use the unix mode specified when creating the directory. Enabling this option sets the unix mode to 0777, thus
guaranteeing that default directory acls are propagated.

The important point is that the unix mode is set to 0777 if "inherit acl = yes" is set. Otherwise the unix mode that is active for the user context Samba is running in will be taken. I will give an example to make things clear.

Imagine you have a directory with the following acls:

default:mask::rwx
default:user::rwx
default:user:my_account:r-x

and the effective user mode is not 0777 but 0666 and "inherit acl" is set to "no". In this case the new file gets the following acls:

default:mask::rw-
default:user::rw-
default:user:my_account:r--

Please note the missing execute bit. The acl of the new object is the logical AND of the default acl and the effective unix mode. The acls are inherited anyway, no matter what "inherit acl" says. But the result might be different from what you expect.
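
An added example (not part of the original answer): a Python model of the object-creation rule in acl(5), applied to the default ACL shown above with creation modes 0666 and 0777. The group:: and other:: entries are constructed to complete the ACL; under acl(5) the creation mode limits the owner, mask and other entries, and a named entry such as user:my_account is then capped by the resulting mask.

```python
# Added illustration of default-ACL inheritance (acl(5) object creation rule).
BITS = {"r": 4, "w": 2, "x": 1}

def to_bits(perm):
    return sum(BITS[c] for c in perm if c != "-")

def to_str(bits):
    return "".join(c if bits & BITS[c] else "-" for c in "rwx")

def inherit(default_acl, create_mode):
    """Access ACL of a new object created under a directory with default_acl.

    create_mode is the unix mode requested at creation time; with
    "inherit acls = yes" Samba requests 0777, so nothing is masked off.
    """
    class_tag = "mask::" if "mask::" in default_acl else "group::"
    limits = {
        "user::": (create_mode >> 6) & 7,   # owner bits
        class_tag: (create_mode >> 3) & 7,  # group-class bits
        "other::": create_mode & 7,         # other bits
    }
    return {tag: to_str(to_bits(perm) & limits.get(tag, 7))
            for tag, perm in default_acl.items()}

def effective(access_acl):
    """Rights actually granted: named users and groups are capped by the mask."""
    mask = to_bits(access_acl.get("mask::", "rwx"))
    return {tag: perm if tag in ("user::", "other::", "mask::")
            else to_str(to_bits(perm) & mask)
            for tag, perm in access_acl.items()}

# Default ACL from the answer; group:: and other:: are constructed to complete it.
PARENT_DEFAULT = {
    "user::": "rwx",
    "user:my_account:": "r-x",
    "group::": "r-x",
    "mask::": "rwx",
    "other::": "---",
}

if __name__ == "__main__":
    for mode in (0o666, 0o777):
        print(oct(mode), effective(inherit(PARENT_DEFAULT, mode)))
```
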

Q. Is there any way to check a parameter's default value? For example, I want to know the default value for the parameter "map acl inherit".

Ans.
testparm -sv | grep "map acl"
testparm -v (shows default values for smb.conf parameters)

Q. I am running Samba 3.0.28 on two servers and using winbind to get Active Directory users and groups. The problem I am facing is that the uid assigned to the same user is different on the Samba servers. The uid saved in the Active Directory is different from the winbind Linux side?

Ans:
No, the problem is that the uids on the two samba servers are
different for the same user. This is because you are using
(the default of) "idmap backend = tdb". This assigns increasing
uids (per server) to users in the order they access the server.

If you need the same user ids, you have (at least) the following
two options:

1. Use "idmap backend = rid". Then a user gets the
uid built as LOW_RANGE_UID + RID.
Here LOW_RANGE_UID is the lower bound of the range
"idmap uid = LOW_RANGE_UID - HIGH_RANGE_UID"
and RID is the "relative identifier": the user SID
is built as follows: DOMAIN_SID-RID, i.e. the rid
is the last block of digits of the user's sid, hence
is unique inside one domain, and users will get the
same uid on all samba servers using "idmap backend = rid".
See the man page idmap_rid(8).

2. Use "idmap backend = ad":
When you install the SFU (Services For Unix) schema
extensions, then you can set unix attributes for users
and groups in active directory, and the same uid is
obtained for users on all samba servers using this backend.


winbind uid->sid mapping

There are multiple methods winbind can use to generate the uid<->sid mapping.
The default being tdb, which just generates a uid on the fly. As you noticed
it does not necessarily sync between machines. If you need uid sync, you are
better off looking at the rid module, which generates a uid based on the
windows sid.
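
An added example (not Samba code and not from the original posts): a Python model of the two behaviours described in the answer and the note above, first-come allocation per server with tdb versus the answer's formula LOW_RANGE_UID + RID. The domain SID, RIDs, uid range and access orders are constructed for illustration.

```python
# Added illustration: per-server tdb allocation versus RID-derived uids.
LOW_RANGE_UID, HIGH_RANGE_UID = 10000, 20000               # constructed idmap uid range
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID
USERS = {name: f"{DOMAIN_SID}-{rid}"                        # constructed RIDs
         for name, rid in (("alice", 1105), ("bob", 1106), ("carol", 1107))}

class TdbAllocator:
    """Hands out the next free uid the first time a SID is seen on this server."""
    def __init__(self, low=LOW_RANGE_UID, high=HIGH_RANGE_UID):
        self.next_uid, self.high, self.table = low, high, {}

    def uid_for(self, sid):
        if sid not in self.table:
            if self.next_uid > self.high:
                raise ValueError("idmap uid range exhausted")
            self.table[sid] = self.next_uid
            self.next_uid += 1
        return self.table[sid]

def rid_uid(sid, low=LOW_RANGE_UID, high=HIGH_RANGE_UID):
    """uid = LOW_RANGE_UID + RID, the formula given in the answer."""
    domain, _, rid = sid.rpartition("-")
    if domain != DOMAIN_SID:
        raise ValueError(f"{sid} is not in the configured domain")
    uid = low + int(rid)
    if uid > high:
        raise ValueError(f"RID {rid} does not fit the idmap uid range")
    return uid

def compare(order_a, order_b):
    """Return {user: (uid on server A, uid on server B)} for tdb and for rid."""
    srv_a, srv_b = TdbAllocator(), TdbAllocator()
    for name in order_a:
        srv_a.uid_for(USERS[name])
    for name in order_b:
        srv_b.uid_for(USERS[name])
    tdb = {n: (srv_a.uid_for(s), srv_b.uid_for(s)) for n, s in USERS.items()}
    rid = {n: (rid_uid(s), rid_uid(s)) for n, s in USERS.items()}
    return tdb, rid

if __name__ == "__main__":
    tdb, rid = compare(["alice", "bob", "carol"], ["carol", "alice", "bob"])
    print("tdb:", tdb)   # same user, different uid per server
    print("rid:", rid)   # same uid on every server
```
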