Re: ldap delete user?
Hi, Guenther!

On Tue, Mar 18, 2003 at 12:17:21AM +0100, Guenther Deschner wrote:
> no. but SuSE ships a diff for 2_2 for quite some time now with another
> smb.conf option that helps users not to delete their posix-account by
> coincidence.

Why don't you use the make_a_mod function?

Volker
Re: ldap delete user?
On Tue, 2003-03-18 at 09:08, Volker Lendecke wrote:
> Hi!
>
> While looking at HEAD / ldapsam_delete_sam_account a bit closer I
> found that we completely delete the user. Would it not be better just
> to remove the samba-specific attributes and let the 'delete user
> script' do the rest? Hmm. srv_samr_nt.c works the other way
> round... Has anybody ever tried this?

It very much depends on your point of view - is Samba a tacked on part of the rest of the world, or the whole world with other stuff tacked onto us?

I think we probably should make it an option - I like the idea that the delete will be atomic - i.e. no race between deleting the user in pdb_ldap and the delete user script running. By default we should probably just remove the Samba entries.

There was a similar discussion on the samba-tng mailing lists a few months back.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: [PATCH] groups in ldap
On Tue, 2003-03-18 at 09:14, Volker Lendecke wrote:
> Hi!
>
> Here's my first attempt at putting the group mapping into ldap. It
> should apply to HEAD.
>
> Comments? Especially the schema might be discussed, this is my very
> first attempt at LDAP schema design.

Well, on a 30-second reading, I have to say it looks good!

Thanks for putting the time into this,

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: overmalloc_safe_strcpy?
On Tue, Mar 18, 2003 at 04:11:23PM +1100, Martin Pool wrote:
> For developer mode, this seems to be the same as safe_strcpy: we
> clobber the specified region at runtime. Otherwise, it skips the
> static CHECK_STRING_SIZE call.
>
> I think this is meant to allow you to call it passing the address of
> an array whose size is less than the maxlength passed to safe_strcpy.
> CHECK_STRING_SIZE would normally trap on this because it expects
> either a string pointer, or an exact fit?
>
> Is that right? If so I'll add a comment to this effect -- and perhaps
> a plea not to use it in new code.

Correct. The only user is nmbd now - because I changed the stat cache to use pointers into the overmalloc()ed buffer.

It's a pity that we can't tell what's behind a pointer, but it's a start. :-)

Andrew Bartlett
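An added example, not Samba's code and not written by either poster: a small C model of the difference discussed above between a size-checked safe_strcpy and the overmalloc variant that skips the check. All demo_/DEMO_ names are hypothetical, and the check's rule (destination is pointer-sized, or exactly maxlen + 1 bytes) is an assumption taken from the description in the thread; the trap here only counts and returns NULL so its effect can be observed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration: every demo_/DEMO_ name is hypothetical. */
static int demo_traps;                 /* how often the size check fired */

/* Assumed rule: a destination is acceptable when it is pointer-sized
 * (nothing is known about what lies behind a pointer) or when its sizeof
 * is exactly maxlen + 1. Anything else is treated as a caller bug. */
#define DEMO_SIZE_MISMATCH(dest, maxlen) \
    (sizeof(dest) != sizeof(char *) && sizeof(dest) != (size_t)(maxlen) + 1)

static char *demo_size_trap(void)
{
    demo_traps++;                      /* a real build would abort here */
    return NULL;
}

/* Bounded copy. The memset models "developer mode": the whole claimed
 * region is clobbered first, so an overstated maxlen damages memory at
 * once and visibly, not only when a long string happens to arrive. */
static char *demo_safe_strcpy_fn(char *dest, const char *src, size_t maxlen)
{
    size_t len;

    if (dest == NULL)
        return NULL;
    memset(dest, 0xF1, maxlen + 1);
    if (src == NULL) {
        dest[0] = '\0';
        return dest;
    }
    len = strlen(src);
    if (len > maxlen)
        len = maxlen;                  /* truncate rather than overflow */
    memcpy(dest, src, len);
    dest[len] = '\0';
    return dest;
}

#define demo_safe_strcpy(d, s, n) \
    (DEMO_SIZE_MISMATCH(d, n) ? demo_size_trap() \
                              : demo_safe_strcpy_fn((d), (s), (n)))
/* The variant under discussion: same runtime behaviour, no size check. */
#define demo_overmalloc_safe_strcpy(d, s, n) demo_safe_strcpy_fn((d), (s), (n))

/* Over-allocated record: name is declared [1] but DEMO_ROOM extra bytes
 * are allocated behind it, so sizeof(name) understates the real space. */
struct demo_rec { int id; char name[1]; };
#define DEMO_ROOM 32

int demo_checked_rejects_overmalloc(void)
{
    struct demo_rec *r = malloc(sizeof(*r) + DEMO_ROOM);
    char *res;
    if (r == NULL) return -1;
    res = demo_safe_strcpy(r->name, "stat-cache-entry", DEMO_ROOM);
    free(r);
    return res == NULL;                /* 1: the check refused the copy */
}

int demo_overmalloc_copy_len(void)
{
    struct demo_rec *r = malloc(sizeof(*r) + DEMO_ROOM);
    char *res;
    int n;
    if (r == NULL) return -1;
    res = demo_overmalloc_safe_strcpy(r->name, "stat-cache-entry", DEMO_ROOM);
    n = res ? (int)strlen(res) : -1;
    free(r);
    return n;
}

/* Blind spot: an array that merely happens to be pointer-sized passes the
 * check whatever maxlen claims. Only the check is evaluated, no copy. */
int demo_pointer_sized_array_slips_through(void)
{
    char small[sizeof(char *)];
    (void)small;
    return !DEMO_SIZE_MISMATCH(small, 64);
}

int demo_exact_fit_truncates(void)
{
    char buf[6];
    char *res = demo_safe_strcpy(buf, "overlong", sizeof(buf) - 1);
    return res ? (int)strlen(res) : -1;
}

int demo_clobber_visible(void)
{
    char buf[6];
    demo_safe_strcpy(buf, "ab", sizeof(buf) - 1);
    return buf[2] == '\0' && (unsigned char)buf[4] == 0xF1;
}

int main(void)
{
    printf("checked copy rejected: %d\n", demo_checked_rejects_overmalloc());
    printf("overmalloc copy length: %d\n", demo_overmalloc_copy_len());
    printf("pointer-sized array passes: %d\n",
           demo_pointer_sized_array_slips_through());
    printf("exact fit truncated to: %d\n", demo_exact_fit_truncates());
    printf("clobber visible: %d\n", demo_clobber_visible());
    return 0;
}
```

The pointer-sized case is the limit Andrew's reply points at: sizeof alone cannot separate a pointer from an array of the same size, so the check is a lint for callers and the runtime truncation remains the actual bound.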
overmalloc_safe_strcpy?
For developer mode, this seems to be the same as safe_strcpy: we clobber the specified region at runtime. Otherwise, it skips the static CHECK_STRING_SIZE call.

I think this is meant to allow you to call it passing the address of an array whose size is less than the maxlength passed to safe_strcpy. CHECK_STRING_SIZE would normally trap on this because it expects either a string pointer, or an exact fit?

Is that right? If so I'll add a comment to this effect -- and perhaps a plea not to use it in new code.

--
Martin
Re: 2.2.8 compile problem
On 17 Mar 2003, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:
> checking whether to use included popt... ./popt
>
> checking configure summary... configure: error: summary failure.
> Aborting config

Have a look in config.log. If you can't work out what's wrong from that, post the *relevant* sections to the [EMAIL PROTECTED] users list.

--
Martin
security patches for latest vul for 2.0.10
Folks I know 2.0.10 is *old*, but we are still using it internally (we have simple needs and it provides them nicely). Are there patches available that we can apply to the 2.0.10 code that will address the latest security vul? It mentioned in the advisory to ask here for th I know we have to upgrade to the latest code stream, but I would prefer not to do that in a rush (which is what we have to do here). thanks tony
Re: winbind vs. pam/nss alternatives
>I agree, but was thinking about ease of use, and longer term whether we
>could have the logon/caching/performance intensive UID/GID caching
>leveraged by the four and five main alternatives (winbind already
>supports two) and whether the caching code for a particular pam/nss
>daemon was already significantly better than winbind.

We have always argued that caching of nameservice information should be performed by a provider-agnostic mechanism, such as nscd. We agree that the existing implementation of nscd is flawed in that it does not cache enumerations, and to that end we suggest that one may run a caching LDAP proxy on each client machine and have nss_ldap communicate with it via domain sockets (ldapi://).

>Seems like extending one or the other pam/nss pair could be done in
>theory so the client logon daemon could autodetect RFC 2307 vs. AD vs.
>DCE/RPC and take away some of the configuration headache of moving a
>machine around to different security domains in heterogeneous
>environments.

As I see it, daemon architecture notwithstanding, winbindd and nss_ldap cater to different problem spaces. That could change if winbindd supported RFC 2307, admittedly.

>The other thing that seems a little unusual is the idea of using
>pam_ldap for authentication (on the other hand nss_ldap makes more
>sense to me) because intuitively it seems like I need Kerberos tickets
>anyway (for nfs v4 client and eventually cifs client) so why don't I
>just get my TGT in the pam module (ala pam_winbind or pam_kerberos)
>and only use nss_ldap or nss_winbind (or a convergence of the two that
>autosenses the server schema). The ldap client presumably prefers
>binding via Kerberos anyway so seems like Kerberos authentication is
>going to occur in any case.

Not everyone uses Kerberos; particularly on UNIX, the deployment cost for a long time has been quite high (no integrated directory and authentication server, perceived complexity, etc), and many organisations have chosen to deploy LDAP-based authentication solutions. I for a long time argued that LDAP was not an authentication protocol, and that a pam_ldap module should not exist, but in the end there was a demonstrable need for such a module.

>Today Linux (and a few other Unix platforms) can require manual
>reconfiguration to switch to a different type of logon server, e.g. if
>an RFC 2307 server is ever replaced by Samba or Windows or vice versa
>even though PAM/NSS has quite a bit of flexibility. What are the
>implications if different users from different security domains (one
>Kerberized & RFC 2307 and one Samba or AD) on the same physical client

As long as you can avoid namespace collision, there is no problem with this. Of course, avoiding namespace collision is difficult without a hierarchical namespace, and thus requires some administrative collusion.

>I don't know how easily RFC 2307 could be reconciled with
>ActiveDirectory on the OpenLDAP side to make the issue on the client
>almost moot, but in the meantime.

There are schema conflicts between RFC 2307 and Active Directory. Microsoft chose to resolve this in their Services for UNIX product by renaming some attributes and object classes (moreso in subsequent versions). We have had to address similar issues in our domain controller implementation, albeit less aggressively.

-- Luke

--
Luke Howard | PADL Software Pty Ltd | www.padl.com
Re: winbind vs. pam/nss alternatives
>While there are probably more domain controllers than RFC 2307-compliant
>LDAP servers, it is the de facto LDAP nameservice schema for the UNIX
>platform, and is thus unlikely to disappear overnight. Many large
>organisations have deployed this schema (they are our customers).

I agree, but was thinking about ease of use, and longer term whether we could have the logon/caching/performance intensive UID/GID caching leveraged by the four and five main alternatives (winbind already supports two) and whether the caching code for a particular pam/nss daemon was already significantly better than winbind.

Seems like extending one or the other pam/nss pair could be done in theory so the client logon daemon could autodetect RFC 2307 vs. AD vs. DCE/RPC and take away some of the configuration headache of moving a machine around to different security domains in heterogeneous environments.

The other thing that seems a little unusual is the idea of using pam_ldap for authentication (on the other hand nss_ldap makes more sense to me) because intuitively it seems like I need Kerberos tickets anyway (for nfs v4 client and eventually cifs client) so why don't I just get my TGT in the pam module (ala pam_winbind or pam_kerberos) and only use nss_ldap or nss_winbind (or a convergence of the two that autosenses the server schema). The ldap client presumably prefers binding via Kerberos anyway so seems like Kerberos authentication is going to occur in any case.

Today Linux (and a few other Unix platforms) can require manual reconfiguration to switch to a different type of logon server, e.g. if an RFC 2307 server is ever replaced by Samba or Windows or vice versa even though PAM/NSS has quite a bit of flexibility. What are the implications if different users from different security domains (one Kerberized & RFC 2307 and one Samba or AD) on the same physical client

I don't know how easily RFC 2307 could be reconciled with ActiveDirectory on the OpenLDAP side to make the issue on the client almost moot, but in the meantime.

Steve French
Senior Software Engineer
Linux Technology Center - IBM Austin
phone: 512-838-2294
email: [EMAIL PROTECTED]
Problem in listing print drivers in WinXP
Hi,

I am facing a strange problem with Windows-XP and samba 2.2.7a. Everything was working just fine with Win2000, but with WinXP I am not able to see the list of drivers that I already installed with Win2000. So if I look at printer property of any printer on samba server (from My Network Places) they show only driver associated with that particular printer but not the complete list of drivers. I have the printer name entry in the printcap file.

Also I am not able to upload new driver on the printer share on samba server, as "New Driver" option in the advance tab of spooler property is disabled, unless I modify "show add printer wizard = No" to "show add printer wizard = yes". Actually I do not want to create printers from windows add printer wizard. I create them manually or through my scripts and allow only upload driver feature from windows client (WinXP/2k,9x/Me).

I posted this to [EMAIL PROTECTED] earlier in order to find the answer without disturbing Samba team, but I received no response, so now bothering you.

Thanks for your help.

-Sanjay

Following is the result from testparm.

Load smb config files from /usr/local/config/current/smb.conf
Processing section "[print$]"
Processing section "[share]"
Processing section "[printers]"
Processing section "[DQ]"
Loaded services file OK.
Press enter to see a dump of your service definitions # Global parameters [global] coding system = client code page = 850 code page directory = /usr/local/resources/codepages workgroup = myworkgroup netbios name = printserver netbios aliases = netbios scope = server string = Print Server interfaces = eth0 127.0.0.1 bind interfaces only = Yes security = USER encrypt passwords = Yes update encrypted = No allow trusted domains = Yes hosts equiv = min passwd length = 5 map to guest = Never null passwords = No obey pam restrictions = No password server = smb passwd file = /usr/local/private/smbpasswd root directory = pam password change = No passwd program = /usr/bin/passwd passwd chat = *new*password* %n\n *new*password* %n\n *changed* passwd chat debug = No username map = /etc/samba/smbusers password level = 0 username level = 0 unix password sync = No restrict anonymous = No lanman auth = Yes use rhosts = No admin log = No log level = 3 syslog = 1 syslog only = No log file = /var/samba/[EMAIL PROTECTED] max log size = 5000 timestamp logs = Yes debug hires timestamp = No debug pid = No debug uid = No protocol = NT1 large readwrite = Yes max protocol = NT1 min protocol = CORE read bmpx = No read raw = Yes write raw = Yes nt smb support = Yes nt pipe support = Yes nt status support = Yes announce version = 4.9 announce as = NT max mux = 50 max xmit = 16644 name resolve order = lmhosts host wins bcast max ttl = 259200 max wins ttl = 518400 min wins ttl = 21600 time server = No unix extensions = No change notify timeout = 60 deadtime = 0 getwd cache = Yes keepalive = 300 lpq cache time = 10 max smbd processes = 0 max disk size = 0 max open files = 1 name cache timeout = 660 read size = 16384 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 stat cache size = 50 use mmap = Yes total print jobs = 0 load printers = Yes printcap name = %$(PRINTCAP) disable spoolss = No e
Re: cvs updating failure
On Mon, Mar 17, 2003 at 11:38:40PM +0100, Rafal Szczesniak wrote:
> On Mon, Mar 17, 2003 at 03:01:38PM -0700, David Bear wrote:
> > sorry to be stupid on cvs -- it's always worked as documented on the
> > web site.. but now it's not.
> >
> > after I do
> >
> > $cvs -d :pserver:[EMAIL PROTECTED]:/cvsroot login
> >
> > $ cvs update -d -P
>
> Why don't you checkout the source tree first, before updating ?

because I already have the source tree from a previous checkout that I have been updating.

--
David Bear
College of Public Programs/ASU
Mail Code 0803
Re: winbind vs. pam/nss alternatives
>3) Could winbind easily handle some of the nss lookups via ldap ala rfc
>2307 schema (if it matters anymore - it is just an experimental RFC) as a

While there are probably more domain controllers than RFC 2307-compliant LDAP servers, it is the de facto LDAP nameservice schema for the UNIX platform, and is thus unlikely to disappear overnight. Many large organisations have deployed this schema (they are our customers).

-- Luke

--
Luke Howard | PADL Software Pty Ltd | www.padl.com
patch for Win2K terminal server %U issues
Hi,

I've attached a patch against 2.2.7 which fixes issues I had with Terminal servers mapping home dirs off a samba PDC, it's also at: http://rjstuart.cable.nu/patch-2.2.7-userfix

Andrew, you referred to what I think is the issue on Jan 2 in an email to the samba list: http://lists.samba.org/pipermail/samba/2003-January/087721.html

You said: "...You will suffer some nasty performance issues however, as Samba has to change user between different requests (rather than the OS just scheduling a new process)."

In source/lib/substitute.c a static var was created to hold the user associated with a connection for 2.2.7. I think this assumes that there is a 1 to 1 relationship between a connection and a process. This certainly isn't the case for Win2K in a terminal server environment where multiple connections are shared by one smb process.

I've got more details about my setup in an email regarding this: http://lists.samba.org/pipermail/samba/2003-January/088108.html

Could someone apply this patch for the next samba release? I'm not subscribed to the list.

Regards,
Robert Stuart
Systems Administrator

diff -u -r samba-2.2.7-broken/source/lib/substitute.c samba-2.2.7/source/lib/substitute.c --- samba-2.2.7-broken/source/lib/substitute.c Wed Nov 20 11:31:32 2002 +++ samba-2.2.7/source/lib/substitute.c Thu Oct 10 06:27:21 2002 @@ -29,25 +29,8 @@ BOOL sam_logon_in_ssb = False; fstring remote_proto="UNKNOWN"; fstring remote_machine=""; -static fstring smb_user_name; -/* - setup the string used by %U substitution -*/ -void sub_set_smb_name(const char *name) -{ - fstring tmp; - - /* ignore anonymous settings */ - if (! *name) return; - - fstrcpy(tmp,name); - trim_string(tmp," "," "); - strlower(tmp); - alpha_strcpy(smb_user_name,tmp,SAFE_NETBIOS_CHARS,sizeof(smb_user_name)-1); -} - /*** Given a pointer to a %$(NAME) expand it as an environment variable. Return the number of characters by which the pointer should be advanced. 
@@ -197,12 +180,12 @@ switch (*(p+1)) { case 'U' : - fstrcpy(tmp_str, sam_logon_in_ssb?samlogon_user:smb_user_name); + fstrcpy(tmp_str, sam_logon_in_ssb?samlogon_user:current_user_info.smb_name); strlower(tmp_str); string_sub(p,"%U",tmp_str,l); break; case 'G' : - fstrcpy(tmp_str, sam_logon_in_ssb?samlogon_user:smb_user_name); + fstrcpy(tmp_str, sam_logon_in_ssb?samlogon_user:current_user_info.smb_name); if ((pass = Get_Pwnam(tmp_str, False))!=NULL) { string_sub(p,"%G",gidtoname(pass->pw_gid),l); } else { diff -u -r samba-2.2.7-broken/source/nsswitch/winbindd_user.c samba-2.2.7/source/nsswitch/winbindd_user.c --- samba-2.2.7-broken/source/nsswitch/winbindd_user.c Wed Nov 20 11:31:33 2002 +++ samba-2.2.7/source/nsswitch/winbindd_user.c Wed Oct 16 14:30:57 2002 @@ -70,7 +70,6 @@ by lp_string() calling standard_sub_basic(). */ fstrcpy(current_user_info.smb_name, user_name); - sub_set_smb_name(user_name); fstrcpy(current_user_info.domain, dom_name); pstrcpy(homedir, lp_template_homedir()); diff -u -r samba-2.2.7-broken/source/smbd/reply.c samba-2.2.7/source/smbd/reply.c --- samba-2.2.7-broken/source/smbd/reply.c Wed Nov 20 11:31:33 2002 +++ samba-2.2.7/source/smbd/reply.c Tue Mar 18 09:32:06 2003 @@ -893,9 +893,9 @@ } } - /* setup %U substitution */ - sub_set_smb_name(user); - + + + /* If no username is sent use the guest account */ if (!*user) { pstrcpy(user,lp_guestaccount(-1));
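Review bot: In the case 'U' and case 'G' branches of source/lib/substitute.c, current_user_info.smb_name is now expanded as it stands, while the removed sub_set_smb_name() passed the name through trim_string(), strlower() and alpha_strcpy(..., SAFE_NETBIOS_CHARS, ...) and skipped empty names before it could reach %U. Nothing in this diff shows smb_name being filtered where it is assigned, so a client-supplied username can bring characters into the %U expansion and into the Get_Pwnam() lookup for %G that were stripped before. Suggest keeping the alpha_strcpy() filter, applied to tmp_str at substitution time, instead of dropping it together with the static variable.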
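Review bot: The source/smbd/reply.c hunk replaces the removed "setup %U substitution" comment and the sub_set_smb_name(user) call with three added blank lines in front of the guest-account check; drop those lines so the hunk is a plain removal. The winbindd_user.c hunk already does this cleanly.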
Weird problems with Samba 2.2.8 under Solaris 8 + latest kernel patch
Hello all,

This weekend, we upgraded our Samba servers to 2.2.8 (pre3 according to the include/version.h -- CVS "synced" this past Saturday afternoon, EDT). I compiled this new release for the following Solaris/kernel :

Solaris 6 : kernel patch 105181-33
Solaris 7 : kernel patch 106541-23
Solaris 8 : kernel patch 108528-19

Prior to Solaris 8 108528-19, that was installed yesterday *not by me* , we were running 108528-12. Solaris 8 with kernel patch 108518-19 + latest Samba is causing us troubles.

ps : nothing changed in our smb.conf file / we had no problems before (the fcntl() bug was not an issue for us, we only have around ~ 150 concurrent connections on that machine).

There's no problems on the other boxes (Solaris 6 & 7), note that we have much less connections on those boxes.

[Q] Is there anyone on this list running with the latest Solaris 8 (108528-19) kernel patch and with Samba 2.2.8?

After receiving a few complaints, I decided to dig into the log files. Here's what I found:

1- Many dptr_close() errors, more than usually.

log.wcanomp1775:[2003/03/17 14:04:09, 0] smbd/dir.c:dptr_close(277)
log.wcanomp1775: Invalid key 256 given to dptr_close

2- Many oplock_break errors, much more than we had:

[2003/03/17 15:32:49, 0] smbd/oplock.c:oplock_break(791)
  oplock_break: end of file from client
  oplock_break failed for file New Lisp/mbold.lsp (dev = 3d8000a, inode = 1467387, file_id = 15).
[2003/03/17 15:32:49, 0] smbd/oplock.c:oplock_break(879)
  oplock_break: client failure in break - shutting down this smbd.
[2003/03/17 15:32:49, 1] smbd/service.c:close_cnum(677)
  wcanomp2081 (10.10.92.33) closed connection to service imews
[2003/03/17 15:32:49, 1] smbd/service.c:close_cnum(677)
  wcanomp2081 (10.10.92.33) closed connection to service site_doc
[2003/03/17 15:32:49, 1] smbd/service.c:close_cnum(677)
  wcanomp2081 (10.10.92.33) closed connection to service docoss
[2003/03/17 15:34:24, 1] smbd/service.c:make_connection(636)
  wcanomp2081 (10.10.92.33) connect to service site_doc as user imews (uid=2138, gid=240) (pid 4863)
[2003/03/17 15:35:10, 0] smbd/oplock.c:request_oplock_break(1011)
  request_oplock_break: no response received to oplock break request to pid 4858 on port 56392 for dev = 3d8000a, inode = 825700, file_id = 15
[2003/03/17 15:35:10, 0] smbd/open.c:open_mode_check(652)
  open_mode_check: exlusive oplock left by process 4858 after break ! For file C 1505A/AA1710-W.dwg, dev = 3d8000a, inode = 825700. Deleting it to continue...
[2003/03/17 15:35:10, 0] smbd/open.c:open_mode_check(656)
  open_mode_check: Existent process 4858 left active oplock.
[2003/03/17 15:36:59, 1] smbd/service.c:make_connection(636)
  wcanomp2081 (10.10.92.33) connect to service site_doc as user imews (uid=2138, gid=240) (pid 4883)
[2003/03/17 15:36:59, 0] smbd/dir.c:dptr_close(277)
  Invalid key 256 given to dptr_close
[2003/03/17 15:36:59, 0] smbd/dir.c:dptr_close(277)
  Invalid key 257 given to dptr_close
[2003/03/17 15:37:10, 0] smbd/oplock.c:process_local_message(397)
  process_local_message: Received unsolicited break reply - dumping info.
[2003/03/17 15:37:10, 0] smbd/oplock.c:process_local_message(412)
  process_local_message: unsolicited oplock break reply from pid 4863, port 56392, dev = 3d8000a, inode = 825700, file_id = 15
[2003/03/17 15:38:02, 1] smbd/service.c:close_cnum(677)
  wcanomp2081 (10.10.92.33) closed connection to service site_doc
[2003/03/17 15:38:09, 1] smbd/service.c:make_connection(636)
  wcanomp2081 (10.10.92.33) connect to service site_doc as user imews (uid=2138, gid=240) (pid 4904)
[2003/03/17 15:41:22, 1] smbd/service.c:close_cnum(677)
  wcanomp2081 (10.10.92.33) closed connection to service imews
[2003/03/17 15:41:22, 1] smbd/service.c:close_cnum(677)
  wcanomp2081 (10.10.92.33) closed connection to service docoss

I will "downgrade" tonight to the previous version that we were running prior to the upgrade, it says "2.2.8pre1" but I remember taking that from CVS around February the 5th, according to the installation date!!!

I wish I would have more time for this but I don't :-( I'll "find" time tomorrow to let you know if the downgrade helped or not.

Cheers,
Pierre B.
Re: ldap delete user?
hello volker, On Mon, Mar 17, 2003 at 11:08:09PM +0100, Volker Lendecke wrote: > Hi! > > While looking at HEAD / ldapsam_delete_sam_account a bit closer I > found that we completely delete the user. Would it not be better just > to remove the samba-specific attributes and let the 'delete user > script' do the rest? Hmm. srv_samr_nt.c works the other way > round... Has anybody ever tried this? no. but SuSE ships a diff for 2_2 for quite some time now with another smb.conf option that helps users not to delete their posix-account by coincidence. thanks, guenther -- Guenther Deschner [EMAIL PROTECTED] SuSE Linux AGGnuPG: 8EE11688 Berliner Str. 27 phone: +49 (0) 30 / 430944778 D-13507 Berlin fax: +49 (0) 30 / 43732804 --- source/include/proto.h +++ source/include/proto.h 2002/05/13 10:58:13 @@ -1965,6 +1965,7 @@ char *lp_ldap_admin_dn(void); int lp_ldap_port(void); int lp_ldap_ssl(void); +BOOL lp_ldap_del_only_sam(void); char *lp_add_share_cmd(void); char *lp_change_share_cmd(void); char *lp_delete_share_cmd(void); --- source/param/loadparm.c +++ source/param/loadparm.c 2002/05/13 10:34:46 @@ -215,6 +215,7 @@ #ifdef WITH_LDAP_SAM int ldap_port; int ldap_ssl; + BOOL ldap_del_only_sam; char *szLdapServer; char *szLdapSuffix; char *szLdapFilter; @@ -1033,6 +1034,7 @@ {"ldap filter", P_STRING, P_GLOBAL, &Globals.szLdapFilter, NULL, NULL, 0}, {"ldap admin dn", P_STRING, P_GLOBAL, &Globals.szLdapAdminDn, NULL, NULL, 0}, {"ldap ssl", P_ENUM, P_GLOBAL, &Globals.ldap_ssl, NULL, enum_ldap_ssl, 0}, + {"ldap del only sam attr", P_BOOL, P_GLOBAL, &Globals.ldap_del_only_sam, NULL, NULL, 0}, #endif /* WITH_LDAP_SAM */ {"Miscellaneous Options", P_SEP, P_SEPARATOR}, @@ -1418,6 +1420,7 @@ string_set(&Globals.szLdapAdminDn, ""); Globals.ldap_port = 636; Globals.ldap_ssl = LDAP_SSL_ON; + Globals.ldap_del_only_sam = False; #endif /* WITH_LDAP_SAM */ /* these parameters are set to defaults that are more appropriate for the increasing samba install base: 
@@ -1605,6 +1608,7 @@ FN_GLOBAL_STRING(lp_ldap_admin_dn, &Globals.szLdapAdminDn) FN_GLOBAL_INTEGER(lp_ldap_port, &Globals.ldap_port) FN_GLOBAL_INTEGER(lp_ldap_ssl, &Globals.ldap_ssl) +FN_GLOBAL_BOOL(lp_ldap_del_only_sam, &Globals.ldap_del_only_sam) #endif /* WITH_LDAP_SAM */ FN_GLOBAL_STRING(lp_add_share_cmd, &Globals.szAddShareCommand) FN_GLOBAL_STRING(lp_change_share_cmd, &Globals.szChangeShareCommand) --- source/passdb/pdb_ldap.c +++ source/passdb/pdb_ldap.c2002/05/14 08:39:12 @@ -960,7 +960,90 @@ entry = ldap_first_entry (ldap_struct, result); dn = ldap_get_dn (ldap_struct, entry); - rc = ldap_delete_s (ldap_struct, dn); + if ( lp_ldap_del_only_sam() ){ + /* LDAP attributes that are used (and only needed) by sambaAccount */ + char *sam_attrs[] = { "lmPassword", "ntPassword", "pwdLastSet", "logonTime", + "logoffTime", "kickoffTime", "pwdCanChange", "pwdMustChange", "acctFlags", + "displayName", "smbHome", "homeDrive", "scriptPath", "profilePath", + "userWorkstations", "primaryGroupID", "domain", "rid", NULL }; + char *oc_values[] = { "sambaAccount", NULL }; + BerElement *ptr; + char *name = NULL; + int act_mod = 0; + LDAPMod *mods[sizeof(sam_attrs)/sizeof(char*)]; + int i; + + for(i=0; i < ( sizeof(sam_attrs)/sizeof(char*) ); i++ ){ + mods[i] = NULL; + } + DEBUG (3, ("Deleting only SAM attributes\n")); + /* Find out which attributes from the list above have to be deleted */ + for( name = ldap_first_attribute( ldap_struct, entry, &ptr ); name != NULL; + name = ldap_next_attribute( ldap_struct, entry, ptr ) ){ + char **act_attr = NULL; + for( act_attr = sam_attrs; *act_attr != NULL; act_attr++ ){ + /* if an attribute is in the above list AND actually set in the entry, put it + into the LDAPMod-Array */ + if(strcmp(*act_attr, name) == 0){ + DEBUG (10, ("DelAttr %s\n", name)); + mods[act_mod] = (LDAPMod*) malloc(sizeof(LDAPMod)); + if(! mods[act_mod] ){ + DEBUG(0, ("pdb_delete_sam_account: out of memory!\n")); + if( name ){ + ldap_memfree(name); +
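Review bot: In the source/passdb/pdb_ldap.c hunk, sam_attrs is commented as attributes "used (and only needed) by sambaAccount", yet it lists displayName, which inetOrgPerson entries also carry; with "ldap del only sam attr" enabled the delete would strip that value from an entry that is meant to survive. Drop displayName from the list, or remove it only when no other object class on the entry allows it. Separately, mods[] is sized to sizeof(sam_attrs)/sizeof(char*), that is one slot per listed attribute plus one; if the objectClass value in oc_values is appended as a further modification (the posted hunk is cut off before that point), an entry holding every listed attribute leaves no slot for the terminating NULL, so size the array for attributes + objectClass + terminator.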
Re: cvs updating failure
On Mon, Mar 17, 2003 at 03:01:38PM -0700, David Bear wrote:
> sorry to be stupid on cvs -- it's always worked as documented on the
> web site.. but now it's not.
>
> after I do
>
> $cvs -d :pserver:[EMAIL PROTECTED]:/cvsroot login
>
> $ cvs update -d -P

Why don't you checkout the source tree first, before updating ?

cheers,
--
Rafal Szczesniak mimir[at]diament.ists.pwr.wroc.pl
Samba Team member mimir[at]samba.org
*BSD, GNU/Linux and Samba http://www.samba.org
[PATCH] groups in ldap
Hi!

Here's my first attempt at putting the group mapping into ldap. It should apply to HEAD.

Comments? Especially the schema might be discussed, this is my very first attempt at LDAP schema design.

Volker

P.S.: smbgroupedit *really* needs to be rewritten :-)

Index: examples/LDAP/samba.schema === RCS file: /data/cvs/samba/examples/LDAP/samba.schema,v retrieving revision 1.9 diff -u -r1.9 samba.schema --- examples/LDAP/samba.schema 14 Jan 2003 16:03:27 - 1.9 +++ examples/LDAP/samba.schema 17 Mar 2003 22:12:24 - @@ -111,6 +111,19 @@ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) ## +## group mapping attributes +## +attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'ntGroupType' + DESC 'NT Group Type' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'ntSid' + DESC 'Security ID' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) + +## ## The smbPasswordEntry objectclass has been depreciated in favor of the ## sambaAccount objectclass ## 
@@ -138,6 +151,11 @@ logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $ description $ userWorkstations $ primaryGroupID $ domain )) + +objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY + DESC 'Samba Group Mapping' + MUST ( gidNumber $ ntSid $ ntGroupType ) + MAY ( displayName $ description )) ## ## Used for Winbind experimentation Index: source/passdb/pdb_ldap.c === RCS file: /data/cvs/samba/source/passdb/pdb_ldap.c,v retrieving revision 1.81 diff -u -r1.81 pdb_ldap.c --- source/passdb/pdb_ldap.c17 Mar 2003 22:09:06 - 1.81 +++ source/passdb/pdb_ldap.c17 Mar 2003 22:12:29 - @@ -786,8 +786,11 @@ if (attribute == NULL || *attribute == '\0') return; - if (value == NULL || *value == '\0') +#if 0 + /* Why do we need this??? -- vl */ + if (value == NULL || *value == '\0') return; +#endif if (mods == NULL) { 
@@ -1987,6 +1990,495 @@ /* No need to free any further, as it is talloc()ed */ } +static const char *group_attr[] = {"gid", "ntSid", "ntGroupType", + "gidNumber", + "displayName", "description", + NULL }; + +static int ldapsam_search_one_group (struct ldapsam_privates *ldap_state, +const char *filter, +LDAPMessage ** result) +{ + int scope = LDAP_SCOPE_SUBTREE; + int rc; + + DEBUG(2, ("ldapsam_search_one_group: searching for:[%s]\n", filter)); + + rc = ldapsam_search(ldap_state, lp_ldap_suffix (), scope, + filter, group_attr, 0, result); + + if (rc != LDAP_SUCCESS) { + DEBUG(0, ("ldapsam_search_one_group: " + "Problem during the LDAP search: %s\n", + ldap_err2string(rc))); + DEBUG(3, ("ldapsam_search_one_group: Query was: %s, %s\n", + lp_ldap_suffix(), filter)); + } + + return rc; +} + +static BOOL init_group_from_ldap(struct ldapsam_privates *ldap_state, +GROUP_MAP *map, LDAPMessage *entry) +{ + pstring temp; + + if (ldap_state == NULL || map == NULL || entry == NULL || + ldap_state->ldap_struct == NULL) { + DEBUG(0, ("init_group_from_ldap: NULL parameters found!\n")); + return False; + } + + if (!get_single_attribute(ldap_state->ldap_struct, entry, "gidNumber", + temp)) { + DEBUG(0, ("Mandatory attribute gidNumber not found\n")); + return False; + } + DEBUG(2, ("Entry found for group: %s\n", temp)); + + map->gid = (uint32)atol(temp); + + if (!get_single_attribute(ldap_state->ldap_struct, entry, "ntSid", + temp)) { + DEBUG(0, ("Mandatory attribute ntSid not found\n")); + return False; + } + string_to_sid(&map->sid, temp); + + if (!get_single_attribute(ldap_state->ldap_struct, entry, "ntGroupType", + temp)) { +
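Review bot: In the examples/LDAP/samba.schema hunk, ntGroupType is declared with SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 (Integer) but EQUALITY caseIgnoreIA5Match, which is a matching rule for IA5 String values. Use integerMatch for ntGroupType and keep caseIgnoreIA5Match for ntSid, whose syntax 1.3.6.1.4.1.1466.115.121.1.26 is IA5 String.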
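Review bot: In the source/passdb/pdb_ldap.c hunk at line 786, the early return for a NULL or empty value is switched off with #if 0 and a question in a comment, which changes the helper for every existing caller and not only for the new group code; a NULL value now reaches the code this check used to guard. If the group path has to pass an empty value, state that in the comment and handle value == NULL explicitly further down; either way the committed version should not carry an #if 0 block.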
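Review bot: In init_group_from_ldap(), the result of string_to_sid(&map->sid, temp) is ignored and gidNumber goes through (uint32)atol(temp) unchecked, so a malformed ntSid or a non-numeric gidNumber in the directory produces a group mapping with a SID that was never validly set, or with gid 0, instead of a failed load. Return False with a DEBUG message when string_to_sid() fails, and parse gidNumber with a conversion that reports errors. The group_attr list also requests "gid", which the schema hunk does not define (the object class uses gidNumber).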
ldap delete user?
Hi!

While looking at HEAD / ldapsam_delete_sam_account a bit closer I found that we completely delete the user. Would it not be better just to remove the samba-specific attributes and let the 'delete user script' do the rest? Hmm. srv_samr_nt.c works the other way round... Has anybody ever tried this?

Volker
cvs updating failure
sorry to be stupid on cvs -- it's always worked as documented on the web site.. but now it's not.

after I do

$cvs -d :pserver:[EMAIL PROTECTED]:/cvsroot login

$ cvs update -d -P
? source/myconf.sh
cvs server: Updating .
P Manifest
cvs [update aborted]: cannot open .new.Manifest: Permission denied

Was trying to get current 2.2.x in order to fix new buffer overflow issue. what am I doing wrong?

--
David Bear
College of Public Programs/ASU
Mail Code 0803
Re: ldapsam_nua and SAMBA_3_0 CVS
On Tue, 2003-03-18 at 08:01, [EMAIL PROTECTED] wrote:
> hi,
>
> i tried a lot of things with the current SAMBA_3_0 today.
> everything is working fine, except, the ldapsam_nua passdb backend.
>
> i've all accounts in the ldap tree and i want to provide 2 machines
> running FreeBSD. one is used to be the PDC and one the BDC and nothing
> more. no writing or reading of files only the domain logons.
> the disadvantage is, that nss_ldap still isn't working with FreeBSD.
>
> so i need the ldapsam_nua because i don't want to use NIS or want to put
> all accounts to the local files too.
>
> now i'm a little bit confused because everything i tried ends up with the
> following message:
>
> auth/auth_util.c:get_user_groups_from_local_sam(687)
> user XXX does not have a unix identity!

NUA accounts are a real hack, and are only suitable for use with machines - we need to get the group list for domain logins, and that comes from getgrouplist().

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
ldapsam_nua and SAMBA_3_0 CVS
hi,
i tried a lot of things with the current SAMBA_3_0 today. everything is working fine, except, the ldapsam_nua passdb backend.
i've all accounts in the ldap tree and i want to provide 2 machines running FreeBSD. one is used to be the PDC and one the BDC and nothing more. no writing or reading of files only the domain logons. the disadvantage is, that nss_ldap still isn't working with FreeBSD.
so i need the ldapsam_nua because i don't want to use NIS or want to put all accounts to the local files too.
now i'm a little bit confused because everything i tried ends up with the following message:
auth/auth_util.c:get_user_groups_from_local_sam(687)
user XXX does not have a unix identity!
i searched a little bit in the source (but i'm not a real programmer). normally there should be a message like:
user has posixAcccount attributes
from 'get_unix_attributes' in pdb_ldap.c but it seems to me that this function is not invoked, because i get nothing about "posix" in the logs. and yes, the ldap entry really has posixAccount attributes like uidNumber, gidNumber, homeDirectory, userPassword, gecos ...
i don't know how to fix this problem. maybe someone of the core-developers can have a look at this.
thanks in advance
joerg
--
Joerg Pulz
TU Muenchen
ZWE-FRM-II
Lichtenbergstrasse 1
85747 Garching
Tel.: +49 (0)89-289-14708
Fax : +49 (0)89-289-14666
[PATCH] autogen.sh
Hi! This patch fixes autogen.sh on systems which have only autoconf-2.53 installed. It makes it simple to add other autoconf versions which might occur in the future (TESTAUTOCONF/HEADER var). I've only tested it on RedHat 7.3 with 3.0 branch, so please review it carefully before you apply it. Willi Mann --- autogen.sh 10 Feb 2003 17:31:25 - 1.1.2.2 +++ autogen.sh 17 Mar 2003 20:32:43 - @@ -2,29 +2,46 @@ # Run this script to build samba from CVS. -## first try the default names -AUTOHEADER="autoheader" -AUTOCONF="autoconf" - -if which $AUTOCONF > /dev/null -then -: -else -echo "$0: need autoconf 2.53 or later to build samba from CVS" >&2 -exit 1 -fi -## -## what version do we need? -## -if [ `$AUTOCONF --version | head -1 | cut -d. -f 2` -lt 53 ]; then +## insert all possible names +TESTAUTOHEADER="autoheader autoheader-2.53" +TESTAUTOCONF="autoconf autoconf-2.53" + +AUTOHEADERFOUND="0" +AUTOCONFFOUND="0" + - ## maybe it's installed under a different name (e.g. RedHat 7.3) +for i in $TESTAUTOHEADER; +do + if which $i >& /dev/null + then + if [ `$i --version | head -1 | cut -d. -f 2` -ge 53 ]; then + AUTOHEADER=$i + AUTOHEADERFOUND="1" + break; + fi; +fi; +done - AUTOCONF="autoconf-2.53" - AUTOHEADER="autoheader-2.53" +for i in $TESTAUTOCONF; +do +if which $i >& /dev/null +then + if [ `$i --version | head -1 | cut -d. -f 2` -ge 53 ]; then +AUTOCONF=$i +AUTOCONFFOUND="1" +break; + fi; +fi; +done; + +if [ "$AUTOCONFFOUND" == "0" -o "$AUTOHEADERFOUND" == "0" ]; then + +echo "$0: need autoconf 2.53 or later to build samba from CVS" >&2 +exit 1 fi + echo "$0: running $AUTOHEADER" $AUTOHEADER || exit 1
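Review bot: `which $i >& /dev/null` in both probe loops and the `==` inside `[ ... ]` in the final test are bash extensions, so under a plain Bourne shell the probes and the "not found" check can misbehave; `> /dev/null 2>&1` and a single `=` are the portable spellings. The version test still compares only the second dot-separated field of `--version` against 53, so a later major release with a small minor number would be rejected even though the new TESTAUTOCONF/TESTAUTOHEADER lists are meant to make future versions easy to add; compare major and minor together. The two `for` loops are also indented differently from each other and would read better with one layout.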
winbind vs. pam/nss alternatives
From a quick check of a couple of distributions it looks like winbind is not included as part of the logon (pam/nss) configuration choices although users who know what they are doing could manually configure it by hand editing files after the installation of Samba.
Discounting the esoteric, useless or insecure options for pam/nss, leaves a few common choices (for remote authentication/user information) which distributions seem to offer: pam_ldap/nss_ldap or pam_kerberos/nss_ldap and the older pam_smb? (pam_ntdom?)
Given that rather meagre list, winbind looks more appealing among other reasons because it can handle these operations via a choice of multiple network protocols, and also because it presumably performs better.
A couple of obvious questions:
1) Is winbind likely to be preferable (e.g. due to better performance with the new dual daemon approach) than pam_ldap/nss_ldap?
2) In particular is it likely to be better than the alternatives for the case of the common kerberized client applications (not just nfs v4 and eventually the cifs vfs clients)
3) Could winbind easily handle some of the nss lookups via ldap ala rfc 2307 schema (if it matters anymore - it is just an experimental RFC) as a fallback choice if the ldap server did not store user/group info in the ActiveDirectory style. It looks like winbindd_cache.c already handles two backends winbindd_ads and winbindd_rpc. With the addition of ldap to winbind, it seems odd to have to worry about the older pam_ldap/nss_ldap which has a much, much smaller installed base (ie lots more domain controllers than RFC2307 compliant security servers)
4) Is the reason that winbind doesn't appear particularly important for distributions because it is (relatively) hard to configure (smb.conf, machine joining the domain etc.)? or that they haven't recognized winbind improvements?
Steve French
Senior Software Engineer
Linux Technology Center - IBM Austin
phone: 512-838-2294
email: [EMAIL PROTECTED]
Re: [SECURITY] Samba 2.2.8 available for download
On Mon, Mar 17, 2003 at 08:13:15PM +0100, Willi Mann wrote:
> Is 3.0 also vulnerable?
3.0 is not released yet. 3.0 alphas are vulnerable, the SAMBA_3_0 code in CVS is not.
Jeremy.
Re: [SECURITY] Samba 2.2.8 available for download
Is 3.0 also vulnerable?
Willi Mann
From: "Gerald (Jerry) Carter" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Subject: [SECURITY] Samba 2.2.8 available for download
This release provides an important security fix outlined in the release notes that follow. This is the latest stable release of Samba and the version that all production Samba servers should be running for all current bug-fixes.
Re: typos in SAMBA_3_0 CVS
On Mon, Mar 17, 2003 at 11:22:57PM +1100, Andrew Bartlett wrote:
>
> Yep - I'm about 2 weeks behind on janitorial duties :-(
That's very dangerous. What happens then is someone fixes it differently in 3.0, and then we have a problem. Remember, if a fix is obviously applicable to 3.0 it should *not* be checked into HEAD until the same change is ready to be checked into 3.0.
Jeremy.
Unable to build Samba 2.2.8 libsmbclient on HP-UX 11.00
Hello, I am having problems building Samba 2.2.8 on HP-UX 11.00. I am using the ANSI C compiler, /opt/ansic/bin/cc:
LINT A.11.01.25171.GP
CXREF A.11.01.25171.GP
HP92453-01 A.11.01.25171.GP HP C Compiler
$ Sep 8 2000 23:13:51 $
My configure line is
CC=cc CFLAGS='+DA2.0W' ./configure --with-automount --with-libsmbclient --with-winbind
I get the following errors
Linking libsmbclient non-shared library bin/libsmbclient.a
Linking libsmbclient shared library bin/libsmbclient.sl
ld: (Warning) Cannot make undefined symbol "ISSECURE" symbolic. Symbol was referenced from file /usr/lib/pa20_64/libsec.sl
ld: Unsatisfied protected symbol "ISSECURE" in file "libsmb/libsmbclient.po"
ld: Unsatisfied protected symbol "ISSECURE" in file "lib/charcnv.po"
[deleted lines]
ld: Unsatisfied protected symbol "ISSECURE" in file "ubiqx/ubi_sLinkList.po"
ld: Unsatisfied protected symbol "ISSECURE" in file "ubiqx/debugparse.po"
1 warnings. 83 errors.
make: *** [bin/libsmbclient.sl] Error 1
Any ideas?
--
Eric M. Boehm [EMAIL PROTECTED]
Possible memory leakage in Samba code
Hello, I was reviewing the code of del_share_entry function (.../locking/locking.c) that is supposed to return the entry deleted when supplied with a ppse pointer. If there are a number of entries that satisfy the share_mode_identical criteria (more than one), memdup will be called more than once, thus losing the pointer stored previously in the *ppse. What is the chance that such a scenario could occur?
Thanks, Menny
Menny Hamburger
System Engineering
Exanet Inc. www.exanet.com
Email: [EMAIL PROTECTED]
Phone: +972 9 9717763
Fax: +972 9 9717778
Mobile: +972 55 679763
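The pattern the message above asks about, as an added example that is not Samba's code and not part of the original post: a loop that deletes every matching entry and hands back a heap copy through an out-pointer loses all but the last copy when more than one entry matches. The struct, table contents and function names are hypothetical; copying only the first match is one possible fix, shown for comparison.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a share-mode entry; not Samba's struct. */
struct entry { int pid; int file_id; };

static int live_allocs;   /* copies handed out and not yet freed */

/* Heap copy of one entry, counted so a lost pointer shows up. */
static struct entry *dup_entry(const struct entry *e)
{
    struct entry *p = malloc(sizeof(*p));
    if (p != NULL) {
        memcpy(p, e, sizeof(*p));
        live_allocs++;
    }
    return p;
}

static int same_entry(const struct entry *a, const struct entry *b)
{
    return a->pid == b->pid && a->file_id == b->file_id;
}

/* Delete every entry equal to key. With first_only == 0 each match
 * overwrites *out (the pattern asked about); with first_only == 1
 * only the first match is copied, so the caller owns exactly one
 * allocation. Returns the number of entries removed. */
static size_t del_entries(struct entry *tab, size_t *n,
                          const struct entry *key,
                          struct entry **out, int first_only)
{
    size_t i = 0, deleted = 0;

    if (out != NULL)
        *out = NULL;
    while (i < *n) {
        if (!same_entry(&tab[i], key)) {
            i++;
            continue;
        }
        if (out != NULL && (!first_only || *out == NULL))
            *out = dup_entry(&tab[i]);   /* earlier copy is lost here */
        memmove(&tab[i], &tab[i + 1], (*n - i - 1) * sizeof(tab[0]));
        (*n)--;
        deleted++;
    }
    return deleted;
}

/* Run one variant over a constructed table holding two identical
 * entries, free what the caller can still reach, and report how
 * many copies are left unreachable. */
int leaked_copies(int first_only)
{
    struct entry tab[] = { {100, 7}, {200, 9}, {100, 7}, {300, 1} };
    struct entry key = {100, 7};
    struct entry *out = NULL;
    size_t n = sizeof(tab) / sizeof(tab[0]);

    live_allocs = 0;
    del_entries(tab, &n, &key, &out, first_only);
    if (out != NULL) {
        free(out);
        live_allocs--;
    }
    return live_allocs;
}

int main(void)
{
    printf("overwrite on every match: %d leaked\n", leaked_copies(0));
    printf("copy first match only:    %d leaked\n", leaked_copies(1));
    return 0;
}
```

Whether the real table can ever hold two identical entries is the question the post leaves open; the example only shows what happens if it does.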
Proposal for smbd failing more gracefully when ngroups > NGROUPS_MAX
Hello, The "[Samba] number of groups of NT account causes authentication problems" thread discussed the problem of dealing with NT users, which are members of more domain global groups than the OS running Samba can cope with. Limits do vary, some have 16, or 20, or 32, with some platforms it's tunable, with others it isn't, or only with very much trouble. How about making smbd a bit more tolerant concerning groups? If the total number returned by winbind for a given user exceeds maximum, it may drop all but the primary group. This would at least allow to cope with such users in setups where access control is only done via "valid users", plus "force group" for common access. Users who got their supplementary groups stripped this way would not be able to utilize their memberships when using ACLs. This should represent a fail-to-close, except when "others" is having more privileges than specific groups. Would this be acceptable? It's is not ideal, of course, but maybe better than no way of dealing with such users? Attached is a little patch implementing this in 2.2.8. Cheers! Michael Index: source/nsswitch/wb_client.c === RCS file: /cvsroot/samba/source/nsswitch/wb_client.c,v retrieving revision 1.5.2.19 diff -u -r1.5.2.19 wb_client.c --- source/nsswitch/wb_client.c 13 Sep 2002 23:46:27 - 1.5.2.19 +++ source/nsswitch/wb_client.c 17 Mar 2003 14:11:29 - @@ -325,6 +325,15 @@ ngroups++; } + /* Omit supplementary groups when exceeding maximum */ + + if (ngroups > groups_max()) { + DEBUG(1,("number of group memberships (%d) for user %s exceeds maximum %d, restricting to gid %d\n", + ngroups, user, groups_max(), gid)); + groups[0] = gid; + ngroups = 1; + } + /* Set the groups */ if (sys_setgroups(ngroups, groups) == -1) { Index: source/smbd/sec_ctx.c === RCS file: /cvsroot/samba/source/smbd/sec_ctx.c,v retrieving revision 1.7.2.19 diff -u -r1.7.2.19 sec_ctx.c --- source/smbd/sec_ctx.c 16 Jul 2002 01:09:44 - 1.7.2.19 +++ source/smbd/sec_ctx.c 17 Mar 2003 14:11:29 - 
@@ -343,7 +343,7 @@ gain_root(); #ifdef HAVE_SETGROUPS - sys_setgroups(ngroups, groups); + sys_setgroups((ngroups > groups_max() ? 0 : ngroups), groups); #endif ctx_p->ngroups = ngroups; @@ -419,7 +419,7 @@ prev_ctx_p = &sec_ctx_stack[sec_ctx_stack_ndx]; #ifdef HAVE_SETGROUPS - sys_setgroups(prev_ctx_p->ngroups, prev_ctx_p->groups); + sys_setgroups((prev_ctx_p->ngroups > groups_max() ? 0 : prev_ctx_p->ngroups), prev_ctx_p->groups); #endif become_id(prev_ctx_p->uid, prev_ctx_p->gid);
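Review bot: In the wb_client.c hunk, the fallback changes the user's effective group set but is reported only at DEBUG level 1; since dropping supplementary groups can widen access wherever "others" has more rights than a specific group (the case the cover note itself calls out), log it at level 0 and put the behaviour behind a documented smb.conf option rather than making it unconditional. The `%d` conversions are also fed `gid` and `groups_max()` directly; cast them to int if either is not already an int.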
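Review bot: In the first sec_ctx.c hunk (@@ -343), the over-limit case passes a count of 0 to sys_setgroups, whereas the wb_client.c hunk keeps the primary gid as the single group, so the two paths leave the process with different group sets for the same user; pick one behaviour and use it in both files. The unchanged line `ctx_p->ngroups = ngroups;` still records the unclamped count, so the saved context no longer matches what was actually set; clamp once, before both the call and the assignment.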
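Review bot: In the second sec_ctx.c hunk (@@ -419), the return value of sys_setgroups is still discarded while the previous context is being restored; if the call fails the process keeps the group list of the context it is leaving and then goes on to become_id() anyway, so check the result and treat failure as fatal. The clamp expression is a copy of the one in the @@ -343 hunk; a small helper would keep the two from drifting apart.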
RE: [PATCH] Joining domains specifying auth realm
BTW, the patch also includes two more lines of output for "net ads info" -- the KDC server and server time offset. I find them useful for helping to automate the join process.
Ken
Ken Cross
Network Storage Solutions
Phone 865.675.4070 ext 31
[EMAIL PROTECTED]
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] amba.org] On Behalf Of Ken Cross
> Sent: Monday, March 17, 2003 8:48 AM
> To: 'Andrew Bartlett'
> Cc: 'Multiple recipients of list SAMBA-TECHNICAL'
> Subject: RE: [PATCH] Joining domains specifying auth realm
>
> Andrew:
>
> Patch to HEAD below -- sorry, should have realized that.
>
> The reason I had to change it was that ads_set_machine_password uses
> ads->auth.realm to build the principal name. Should that be
> ads->config.realm?
>
> Ken
>
> Ken Cross
> Network Storage Solutions
> Phone 865.675.4070 ext 31
> [EMAIL PROTECTED]
>
> > -Original Message-
> > From: Andrew Bartlett [mailto:[EMAIL PROTECTED]
> > Sent: Sunday, March 16, 2003 11:24 PM
> > To: Ken Cross
> > Cc: 'Multiple recipients of list SAMBA-TECHNICAL'; 'Andrew Bartlett'
> > Subject: Re: [PATCH] Joining domains specifying auth realm
> >
> > On Sat, 2003-03-15 at 03:01, Ken Cross wrote:
> > > Let's try this again. The previous patch I submitted didn't work in
> > > some configurations. (ads->auth.realm needs to be preserved over the
> > > ads_connect call.)
> >
> > If it's not preserved, won't it be free()ed in the process?
> >
> > And shouldn't change the code that's clobbering it instead?
> >
> > I applied the previous patch - can you get me the changes
> > against current HEAD?
> >
> > Andrew Bartlett
> >
> > --
> > Andrew Bartlett [EMAIL PROTECTED]
> > Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
> > Student Network Administrator, Hawker College [EMAIL PROTECTED]
> > http://samba.org http://build.samba.org http://hawkerc.net
RE: [PATCH] Joining domains specifying auth realm
Andrew: Patch to HEAD below -- sorry, should have realized that. The reason I had to change it was that ads_set_machine_password uses ads->auth.realm to build the principal name. Should that be ads->config.realm? Ken Ken Cross Network Storage Solutions Phone 865.675.4070 ext 31 [EMAIL PROTECTED] > -Original Message- > From: Andrew Bartlett [mailto:[EMAIL PROTECTED] > Sent: Sunday, March 16, 2003 11:24 PM > To: Ken Cross > Cc: 'Multiple recipients of list SAMBA-TECHNICAL'; 'Andrew Bartlett' > Subject: Re: [PATCH] Joining domains specifying auth realm > > > On Sat, 2003-03-15 at 03:01, Ken Cross wrote: > > Let's try this again. The previous patch I submitted > didn't work in > > some configurations. (ads->auth.realm needs to be > preserved over the > > ads_connect call.) > > If it's not preserved, won't it be free()ed in the process? > > And shouldn't change the code that's clobbering it instead? > > I applied the previous patch - can you get me the changes > against current HEAD? > > Andrew Bartlett > > -- > Andrew Bartlett [EMAIL PROTECTED] > Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED] > Student Network Administrator, Hawker College [EMAIL PROTECTED] > http://samba.org http://build.samba.org http://hawkerc.net > --- /tmp/samba/source/utils/net_ads.c Sat Mar 15 21:14:05 2003 +++ utils/net_ads.c Mon Mar 17 08:26:50 2003 @@ -109,6 +107,9 @@ static int net_ads_info(int argc, const d_printf("LDAP port: %d\n", ads->ldap_port); d_printf("Server time: %s\n", http_timestring(ads->config.current_time)); + d_printf("KDC server: %s\n", ads->auth.kdc_server ); /* KJC */ + d_printf("Server time offset: %d\n", ads->auth.time_offset ); /* KJC */ + return 0; } @@ -124,7 +125,7 @@ static ADS_STRUCT *ads_startup(void) ADS_STATUS status; BOOL need_password = False; BOOL second_time = False; - char *realm; + char *realm, *realm_save = NULL; ads = ads_init(NULL, NULL, opt_host); 
@@ -154,14 +156,26 @@ retry: /* * If the username is of the form "[EMAIL PROTECTED]", * extract the realm and convert to upper case. +* This is only used to establish the connection. */ + realm_save = ads->auth.realm; if ((realm = strchr(ads->auth.user_name, '@'))) { *realm++ = '\0'; - ads->auth.realm = strdup(realm); + ads->auth.realm = realm; strupper(ads->auth.realm); } status = ads_connect(ads); + + /* +* Restore the realm name. If there wasn't one, +* default to the configuration realm. +*/ + if( realm_save == NULL ) + realm_save = strdup(ads->config.realm); + + ads->auth.realm = realm_save; + if (!ADS_ERR_OK(status)) { if (!need_password && !second_time) { need_password = True;
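Review bot: In the net_ads_info hunk, `ads->auth.kdc_server` is passed straight to a `%s` conversion; if that field can be unset at this point the call hands printf-style code a NULL pointer, so print a placeholder when it is NULL. The `/* KJC */` initials comments say nothing about the code and should be dropped; authorship belongs in the commit log.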
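Review bot: In the `retry:` hunk, the restore block runs before `ADS_ERR_OK(status)` is tested, so when ads_connect() fails and no realm was set beforehand, `strdup(ads->config.realm)` can be handed a NULL pointer; move the restore below the status check or guard it, and check the strdup result. Replacing `strdup(realm)` with `ads->auth.realm = realm` also leaves the field pointing into the middle of the `user_name` buffer for the whole of ads_connect(); if anything on that path frees or replaces `auth.realm` (the concern raised earlier in this thread) it will be freeing an interior pointer, so either keep the strdup and free it after the call or document that ads_connect() must not take ownership. Since the block sits under the `retry:` label, the comment should also say what `realm_save` holds on the second pass.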
2.2.8 compile problem
Hi ! I have a problem with compiling samba 2.2.8 on rh 7.3 (all errata applied, kernel 2.4.20 with ac2 patch). When i do rpm -ba samba.spec, i have error:
checking whether struct passwd has pw_age... no
checking for poptGetContext in -lpopt... no
checking whether to use included popt... ./popt
checking configure summary... configure: error: summary failure. Aborting config
błąd: Bad exit status from /var/tmp/rpm-tmp.77044 (%build)
RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.77044 (%build)
I have popt installed in my system ...
greetz gnu...
Re: typos in SAMBA_3_0 CVS
On Mon, 2003-03-17 at 22:56, Tim Potter wrote:
> On Mon, Mar 17, 2003 at 11:22:54AM +0100, [EMAIL PROTECTED] wrote:
>
> > i tried to compile the current CVS today and found a typo and missing
> > arguments.
> >
> > i append a small diff, that fixes these problems..
>
> Hi - someone forgot their janitorial duties with regard to the
> smbwrapper support. I've merged the changes in.
Yep - I'm about 2 weeks behind on janitorial duties :-(
Andrew Bartlett
--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: typos in SAMBA_3_0 CVS
On Mon, Mar 17, 2003 at 11:22:54AM +0100, [EMAIL PROTECTED] wrote:
> i tried to compile the current CVS today and found a typo and missing
> arguments.
>
> i append a small diff, that fixes these problems..
Hi - someone forgot their janitorial duties with regard to the smbwrapper support. I've merged the changes in.
Thanks, Tim.
typos in SAMBA_3_0 CVS
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 hi, i tried to compile the current CVS today and found a typo and missing arguments. i append a small diff, that fixes these problems.. also it would be very nice if someone could add some lines to 'configure.in' to have a option "--with-ldap-base" like it is for kerberos. this helps alot if openldap is installed in a non standard way. - --> diff - --- smbwrapper/smbsh.c_org Tue Feb 25 13:10:26 2003 +++ smbwrapper/smbsh.c Mon Mar 17 11:08:47 2003 @@ -92,7 +92,7 @@ smbw_setshared("PASSWORD", p); } - - setenv("PS1", "smbsh$ "); + setenv("PS1", "smbsh$ ", 1); sys_getwd(wd); @@ -101,18 +101,18 @@ smbw_setshared(line, wd); slprintf(line,sizeof(line)-1,"%s/smbwrapper.so", libd); - - etenv("LD_PRELOAD", line); + setenv("LD_PRELOAD", line, 1); slprintf(line,sizeof(line)-1,"%s/smbwrapper.32.so", libd); if (file_exist(line, NULL)) { slprintf(line,sizeof(line)-1,"%s/smbwrapper.32.so:DEFAULT", libd); - - setenv("_RLD_LIST", line); + setenv("_RLD_LIST", line, 1); slprintf(line,sizeof(line)-1,"%s/smbwrapper.so:DEFAULT", libd); - - setenv("_RLDN32_LIST", line); + setenv("_RLDN32_LIST", line, 1); } else { slprintf(line,sizeof(line)-1,"%s/smbwrapper.so:DEFAULT", libd); - - setenv("_RLD_LIST", line); + setenv("_RLD_LIST", line, 1); } { - --> eo diff thanks and regards joerg - -- _/_/_/_/ _/_/_/ _/ _/ _/_/ Joerg Pulz _/ _/_/ _/_/ _/_/ _/ _/ TU Muenchen _/ _/_/ _/ _/_/ _/ _/ ZWE-FRM-II _/_/_/ _/_/_/ _/ _/ _/ _/_/_/ Lichtenbergstrasse 1 _/ _/_/ _/ _/_/ 85747 Garching _/ _/ _/ _/ _/ _/ Tel.: +49 (0)89-289-14708 _/ _/_/ _/ _/ _/_/_/_/ Fax : +49 (0)89-289-14666 -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE+daIBSPOsGF+KA+MRAnoZAJ9XXztQSHPM6w9H45Q8xuHxwSJ4hACgr78G CrcLLl6DJt5zK3wcxplw4P4= =SgV8 -END PGP SIGNATURE-
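Review bot: In the second hunk (@@ -101,18), the result of `setenv("LD_PRELOAD", line, 1)` is ignored, as it is for every other setenv call the patch touches; a failure there means the wrapper library is never preloaded, so check the return value and exit with an error instead of carrying on. As posted, the removed lines carry the extra `- ` dash-escaping added by PGP clear-signing, so the diff will not apply until that is stripped; sending the patch as an unsigned attachment avoids this.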
could not find domain entry for domain @xxxxx
Thank you for your feedback, the command gives us all Domain-Controllers and the name of the Domain. But what are the 1C addresses? What does 1C mean?
BTW: We have another problem now: some workstations get during the first logon the message: "could not connect to domain controller". After some more restarts the workstation is able to logon. In the case of the error the logon-server is the own workstation instead of one of the domain controllers. Do you have any ideas?
Thank you very much, Holger
-Original Message-
From: Christopher R. Hertel [mailto:[EMAIL PROTECTED]
Sent: Thursday, 13 March 2003 23:33
To: schmieder, holger
Cc: '[EMAIL PROTECTED]'
Subject: Re: could not find domain entry for domain @x
"schmieder, holger" wrote:
>
> Has anybody seen that problem? We have that in an NT40Serverfarm with
> samba 2.2.7a as BDC.
>
> during the start of winbind we saw also following message:
> could not get sid of domain ...
>
> The users get access to their shares but the policies don't work correctly
>
> We have an IP-Segmented network, the server are in their own net, wins is
> running on the NT40 PDC.
>
> Thanks for every idea
>
> Holger
We would need a lot more information. First thing to try is this:
$ nmblookup -R -U #1C
That checks to see that all of the 1C IP addresses for your WINS database.
Chris -)-
--
Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED]
OnLineBook -- http://ubiqx.org/cifs/ -)- [EMAIL PROTECTED]
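An added example, not part of the original thread and not Samba's code: the `#1C` in the nmblookup command is the NetBIOS name-type suffix, the sixteenth byte of the padded name, and 0x1C marks the group name that a domain's controllers register under. The code builds the 16-byte name for a query written as NAME#1C and applies the RFC 1001/1002 first-level encoding used on the wire; the domain name MYDOM and all function names are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NB_RAW_LEN 16   /* 15 name bytes plus one suffix (type) byte */
#define NB_ENC_LEN 32   /* first-level encoding doubles the length */

/* Split "NAME#1C": text before '#' is the name, the hex digits after
 * it are the suffix byte. With no '#' the suffix defaults to 0x00.
 * Returns 0 on success, -1 on malformed input. */
int nb_parse(const char *query, unsigned char raw[NB_RAW_LEN])
{
    const char *hash = strchr(query, '#');
    size_t len = hash ? (size_t)(hash - query) : strlen(query);
    unsigned long suffix = 0;
    size_t i;

    if (len == 0 || len > NB_RAW_LEN - 1)
        return -1;
    if (hash != NULL) {
        char *end;
        if (!isxdigit((unsigned char)hash[1]))
            return -1;
        suffix = strtoul(hash + 1, &end, 16);
        if (*end != '\0' || suffix > 0xFF)
            return -1;
    }
    memset(raw, ' ', NB_RAW_LEN - 1);             /* space padding */
    for (i = 0; i < len; i++)
        raw[i] = (unsigned char)toupper((unsigned char)query[i]);
    raw[NB_RAW_LEN - 1] = (unsigned char)suffix;
    return 0;
}

/* First-level encoding: each byte becomes two letters, 'A' plus the
 * high nibble, then 'A' plus the low nibble. */
void nb_encode(const unsigned char raw[NB_RAW_LEN], char out[NB_ENC_LEN + 1])
{
    size_t i;

    for (i = 0; i < NB_RAW_LEN; i++) {
        out[2 * i]     = (char)('A' + (raw[i] >> 4));
        out[2 * i + 1] = (char)('A' + (raw[i] & 0x0F));
    }
    out[NB_ENC_LEN] = '\0';
}

/* Recover the suffix byte from an encoded name, for example one read
 * out of a packet capture. Returns -1 if enc is not a valid encoding. */
int nb_suffix(const char *enc)
{
    size_t i;

    if (strlen(enc) != NB_ENC_LEN)
        return -1;
    for (i = 0; i < NB_ENC_LEN; i++)
        if (enc[i] < 'A' || enc[i] > 'P')
            return -1;
    return ((enc[30] - 'A') << 4) | (enc[31] - 'A');
}

/* Parse and encode in one step; returns a static buffer or NULL. */
const char *nb_query_to_wire(const char *query)
{
    static char enc[NB_ENC_LEN + 1];
    unsigned char raw[NB_RAW_LEN];

    if (nb_parse(query, raw) != 0)
        return NULL;
    nb_encode(raw, enc);
    return enc;
}

int main(void)
{
    const char *wire = nb_query_to_wire("mydom#1C");  /* constructed name */

    if (wire == NULL)
        return 1;
    printf("%s (suffix 0x%02X)\n", wire, (unsigned)nb_suffix(wire));
    return 0;
}
```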
RE: rd /s, "can't find the file specified" (internal reference b1996)
Enjoy.
From a very very fast look, it looks like something with file mangling, but IANA Samba Expert.
baddosdel.cap is against Samba-CVS (From yesterday)
gooddosdel.cap is against my personal W2K workstation.
--
Nir Soffer -=- Exanet Inc. -=- http://www.evilpuppy.org
"Father, why are all the children weeping? / They are merely crying son
O, are they merely crying, father? / Yes, true weeping is yet to come"
-- Nick Cave and the Bad Seeds, The Weeping Song
> -Original Message-
> From: Richard Sharpe [mailto:[EMAIL PROTECTED]
> Sent: Monday, March 17, 2003 9:23 AM
> To: Nir Soffer
> Cc: [EMAIL PROTECTED]
> Subject: RE: rd /s, "can't find the file specified" (internal reference b1996)
>
> On Sun, 16 Mar 2003, Nir Soffer wrote:
>
> > Following up to myself, reproducing this is apparently even simpler
> > than I thought - simply do a:
> >
> > "touch nir test test"
> >
> > and try to delete it from a DOS command line. It will fail.
> >
> > "nirtest123456" fails as well, but "nirtest12345" so it seems to
> > filename size related. 13 characters won't work and 12 will. Perhaps
> > it's because something is geared towards 8 characters, a dot, and 3
> > characters somewhere along the line?
> >
> > Needless to say, it works fine on w2k shares...
>
> Can you get us a sniff?
>
> Regards
> -
> Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org,
> sharpe[at]ethereal.com, http://www.richardsharpe.com