Re: When the keep-alive packet sent out, rfc1002 says different things!!
On Tue, Apr 01, 2003 at 01:33:14PM +0800, [EMAIL PROTECTED] wrote:
:
> ...but they will be in sequence, not mixed. The WriteRaw OK message will
> be a complete SMB message, so you will not have any trouble parsing them.
> Just read the number of bytes specified in the NBT header's length field.
>
> ~~~ Here I'd ask a quite stupid question :) If server sends
> client two packets, one by one.
> Until both are in socket buffer, client calls recv() to get
> the all in buffer, will client get a mixture
> or only the first packet?

That's a very good question, actually...

TCP provides a stream. The packets will be made available in the order in which they were sent, but *not* as discrete packets. You might call recv() and get the end of the last packet, all of the current packet, and the first part of the next packet. You have to collect and parse the input.

The nature of the SMB protocol hides that fact. In general, the client will only get a message from the server if the client asked for it. You send a request, wait for the entire reply, then send another request. The keep-alive is one situation in which the messages can get interleaved. It can also happen if there are multiple processes using the same SMB connection.

> If it is the first situation, then I have to suppose that it
> is possible
> that keep-alive is in front of WriteRaw OK, then I have to
> remove first 4 bytes and get
> WriteRaw OK. It is more troublesome.

Could be ahead, could be behind. Fortunately, the NBT Session Service headers all provide a message length field. Yes, you do have to watch for and handle this situation.

:
> ~~ I'd like to show you the read raw packet format, which I
> have got using NAI sniffer4.6.

Ethereal is recommended, if only because the rest of us know how to read it...

> I have made a picture, pls
> see the attached file. You can see that in read raw, the first
> packet has a netbios header, yet the others haven't.

Okay. I wasn't sure about that. Thanks for letting me know.

> As I have seen in rfc1002, server or client should reset
> timer when they receive a packet.

When they receive an *NBT* packet. The NBT keepalive timer is managed at the NBT layer. The TCP stream won't reset the timer, but the initial READ RAW request *should* reset the timer.

> If so, we won't have to worry about keep-alive packet.
> I don't know why they ignore this rule, introducing
> so much complexity.

What I can't tell from the graphic you sent is whether the keep-alive message is interleaved with the raw read messages. It shouldn't be because, as I've said, the initial READ RAW request from the client should reset the timer and the READ RAW itself should be finished before the timer expires.

I really can't imagine Samba making the mistake of sending the keep-alive while it is in the middle of a READ RAW operation, but I would believe it if I saw a capture that shows it (an Ethereal capture would be best...www.ethereal.com...it's free).

Windows... well, I suppose it would be easier to imagine, but I'd still want to see the capture.

Chris -)-

--
Samba Team -- http://www.samba.org/     -)-   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-   [EMAIL PROTECTED]
OnLineBook -- http://ubiqx.org/cifs/    -)-   [EMAIL PROTECTED]
RE: (fwd) amigasamba?
> CL!
>
> On Thu, 2003-03-13 at 23:08, Ulf Bertilsson wrote:
> > I look into this in a few days.
> >
> > Use www.birrabrothers.com/tiger/data/samba as mirror
> >
> > I'm on vacation and don't have the info here.

Yes, now everything is fine.

--
Uber Amiga rulez ;D
Samba 3.0 HEAD - Print share problem.
Hi all,

I'm trying to get the latest CVS version running on solaris 8, and it seems that it has some problems with the print shares. Namely, when I try to connect via smbclient to a shared printer, it passes the auth phase only to come up with an error message like:

tree connect failed: NT_STATUS_BAD_DEVICE_TYPE

Worse, it appears that W2K/WXP clients are getting either blue-screens because of it, or they simply reboot as soon as the user tries to add a printer shared on this server.

I was running 3.0 alpha 18 without a problem, so there's something fishy with this HEAD version. Any idea of what might cause this thing? If you need more info, I can send the debug logs/configs/whatever, just ask.

Cheers,
Ino!~

--
I have seen things you people wouldn't believe. Attack ships on fire off the shoulder of Orion. I watched C-beams glitter in the dark near the Tannhauser Gate. All those moments will be lost in time, like tears in rain. Time to die.
Re: When the keep-alive packet sent out, rfc1002 says different things!!
On Tue, Apr 01, 2003 at 09:40:06AM +0800, [EMAIL PROTECTED] wrote:
> Thank you all.
> For the case 1, there will be many echo overhead. And I have no way to
> know the server timeout when I am in client, so I can't determine when
> to send echo packet.

Well, it shouldn't really be needed anyway since the first packet of a READ RAW or WRITE RAW should reset the server timer anyway. I thought of it as a way to force a timer reset, but it should not be necessary.

As for overhead, though, I was suggesting sending it just before the READ RAW or WRITE RAW request. That would be minimal overhead.

> For case 2, I have thought over it. Suppose there is such a situation:
> when I WriteRaw data to server and server will send me a "writeRaw OK"
> response. And almost the same time, keep-alive is sent. Now I take the
> stuff out from socket buffer, which is a mixture of "writeRaw OK" and
> keep-alive packet.

...but they will be in sequence, not mixed. The WriteRaw OK message will be a complete SMB message, so you will not have any trouble parsing them. Just read the number of bytes specified in the NBT header's length field.

The READ RAW, as you point out below, is the real problem...

> And it is worse when it happens during the ReadRaw,
> as you know, the data in the ReadRaw has no protocol header, when a
> keep-alive packet is inserted into the stream, or if the raw data might
> be also something like {0x85 0 0 0}, simply discarding will do the wrong
> thing. (although the possibility is very low.)

See, this is where I'm confused. The initial SMB message (READ RAW or WRITE RAW) sent to the server should reset the timer. The timer should have a timeout on the order of minutes. Even a READ RAW or WRITE RAW should be completed before the timeout, so there should never be a keepalive mixed in with the data.

I have never seen a READ RAW, though, so I don't know for sure how it works. I know there isn't an SMB header, but is the NBT header also bypassed?

If it is, and if the READ RAW request doesn't reset the timer, and if the timeout is too short...then you're absolutely right. The keepalives will wind up in odd places in the data stream and mess things up.

I'd call it a bug, but I would have to see a trace before I would believe that Samba has this bug. Samba is written such that it should complete one operation before starting the next, so even if we did fail to reset the timer the keepalive message would follow the READ RAW, and not be lost within it.

Chris -)-

--
Samba Team -- http://www.samba.org/     -)-   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-   [EMAIL PROTECTED]
OnLineBook -- http://ubiqx.org/cifs/    -)-   [EMAIL PROTECTED]
Re: only the first "wins server" works?
On Mon, Mar 31, 2003 at 04:04:30PM -0800, Chere Zhou wrote:
> If I have 2 "wins server" set in smb.conf like the following:
> wins server = 172.16.0.61, 172.16.10.8
>
> I can verify that only the first works, the second does not, because the 2
> wins servers have different contents in them, one for some domains and the
> other for some other domains. I have trusted domains in both of the wins
> servers. The domains are w2k domains, so the trust works through DNS, but I
> joined samba 3.0 as an NT4 server.
>
> So my question is, is this by design of how WINS is supposed to work, or
> otherwise a problem in samba? I am using cvs HEAD code of Mar. 19th.

WINS is badly designed. The original NBNS design was better. Samba has to be compatible with WINS, though, so we're stuck with Microsoft's design.

That said...

The 'wins server' parameter handles *two* different new features. The first is WINS failover, and the second is multi-namespace.

WINS failover (which is what your line above is using) allows Samba to try a second WINS server if the first WINS server fails. So, the way you have things written, if 172.16.0.61 gets crushed by a falling asteroid, Samba will use 172.16.0.8. That only works if the two WINS servers are synchronized. Otherwise, they will have separate (and incompatible) namespaces.

The other new feature is multi-namespace. If you use a colon (":") to separate the IP addresses, the second WINS server will be used if the first could not resolve the NetBIOS name to an address. Note that it is dangerous to have a single node using multiple namespaces. NBT was not designed to work that way, and conflicts can occur.

Chris -)-

--
Samba Team -- http://www.samba.org/     -)-   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-   [EMAIL PROTECTED]
OnLineBook -- http://ubiqx.org/cifs/    -)-   [EMAIL PROTECTED]
Re: When the keep-alive packet sent out, rfc1002 says different things!!
Thank you all.

For the case 1, there will be many echo overhead. And I have no way to know the server timeout when I am in client, so I can't determine when to send echo packet.

For case 2, I have thought over it. Suppose there is such a situation: when I WriteRaw data to server and server will send me a "writeRaw OK" response. And almost the same time, keep-alive is sent. Now I take the stuff out from socket buffer, which is a mixture of "writeRaw OK" and keep-alive packet. And it is worse when it happens during the ReadRaw, as you know, the data in the ReadRaw has no protocol header, when a keep-alive packet is inserted into the stream, or if the raw data might be also something like {0x85 0 0 0}, simply discarding will do the wrong thing. (although the possibility is very low.)

-----Original Message-----
From: Christopher R. Hertel [mailto:[EMAIL PROTECTED]
Sent: April 1, 2003 2:07
To: Andrew Bartlett
Cc: Aladdin Cai; [EMAIL PROTECTED]
Subject: Re: When the keep-alive packet sent out,rfc1002 says different things!!

On Mon, Mar 31, 2003 at 08:07:16PM +1000, Andrew Bartlett wrote:
> On Mon, 2003-03-31 at 19:42, [EMAIL PROTECTED] wrote:
> > Hello everyone, when I am programming a samba client in freeDOS, using
> > wattcp, I found a strange thing, which is not the same as rfc1002 claims.
> > In rfc 1002, see below:
> >
> > So, during I write data or read data to server, it seems that server will
> > not send me any keep-alive packet because he will reset the timer. But
> > in fact, during I raw write a very large piece data to server (not
> > matter windows or linux), it will send me a keep-alive
> > occasionally, leading my defenseless code crash.
> > I REALLY don't understand why they don't obey the rules, or do I
> > mistake rfc1002?
> >
> > Urgently hope for your kindly help, thank you
>
> See www.ubiqx.org/cifs for a description of this horrid protocol...
>
> Also, make sure you understand - the standard is what Microsoft does,
> not what any RFC says.

Also note that you may have trouble with ReadRaw and WriteRaw. Microsoft published documentation regarding these SMBs a long time ago and never suggested that there might be licensing issues. Just about a year ago, however, they coughed up some patents which may or may not apply to implementations of ReadRaw and WriteRaw. See:

http://us3.samba.org/samba/ms_license.html

That said, the problem you are experiencing, if I understand correctly, is that the server is sending keep-alives during a WriteRaw from your client because the server-side keep-alive timer is not reset. Two solutions:

1) Send an SMB ECHO just before doing the WriteRaw. That will reset the timer.
2) Handle the keep-alive.

For case #2, the keep-alive will contain the bytes { 0x85, 0, 0, 0 } and that's it. You should be able to recognize those and simply discard them.

Chris -)-

--
Samba Team -- http://www.samba.org/     -)-   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-   [EMAIL PROTECTED]
OnLineBook -- http://ubiqx.org/cifs/    -)-   [EMAIL PROTECTED]
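The framing advice given in this thread (collect the TCP stream, read the NBT header's length field, recognise the { 0x85, 0, 0, 0 } keep-alive and discard it), written out as an added C example; it is not code from the thread or from Samba. The names nbt_stream, nbt_feed and nbt_next are hypothetical, the byte stream is constructed, and the header layout (type, flags with the length-extension bit, 16-bit length) is assumed from RFC 1002. It applies to framed messages only, not to READ RAW data, which the thread reports as arriving without an NBT header.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBT_HDR_LEN      4
#define NBT_MAX_PAYLOAD  0x1FFFFu  /* 17 bits: flag bit E plus 16-bit length */
#define NBT_SESSION_MSG  0x00
#define NBT_KEEPALIVE    0x85
#define NBT_NEED_MORE    (-1L)     /* frame incomplete: call recv() again */
#define NBT_BAD          (-2L)     /* malformed or unexpected frame */

/* Reassembly buffer for one connection (hypothetical type, not Samba's). */
typedef struct {
    uint8_t  buf[NBT_HDR_LEN + NBT_MAX_PAYLOAD];
    size_t   used;
    unsigned keepalives;
} nbt_stream;

void nbt_init(nbt_stream *s) { s->used = 0; s->keepalives = 0; }

/* Append whatever recv() returned; chunk boundaries carry no meaning. */
int nbt_feed(nbt_stream *s, const uint8_t *data, size_t n)
{
    if (n > sizeof s->buf - s->used)
        return -1;                 /* drain with nbt_next() first */
    memcpy(s->buf + s->used, data, n);
    s->used += n;
    return 0;
}

static void nbt_drop(nbt_stream *s, size_t n)
{
    memmove(s->buf, s->buf + n, s->used - n);
    s->used -= n;
}

/* Copy the next complete session message payload into out and return its
 * length. Keep-alives found at a frame boundary are counted and skipped. */
long nbt_next(nbt_stream *s, uint8_t *out, size_t out_cap)
{
    for (;;) {
        if (s->used < NBT_HDR_LEN)
            return NBT_NEED_MORE;
        uint8_t type = s->buf[0], flags = s->buf[1];
        size_t len = ((size_t)(flags & 1u) << 16) |
                     ((size_t)s->buf[2] << 8) | s->buf[3];
        if (flags & 0xFEu)
            return NBT_BAD;        /* reserved flag bits must be zero */
        if (type == NBT_KEEPALIVE && len == 0) {
            nbt_drop(s, NBT_HDR_LEN);  /* exactly 85 00 00 00 */
            s->keepalives++;
            continue;
        }
        if (type != NBT_SESSION_MSG || len > out_cap)
            return NBT_BAD;        /* never trust a length beyond our buffer */
        if (s->used < NBT_HDR_LEN + len)
            return NBT_NEED_MORE;
        memcpy(out, s->buf + NBT_HDR_LEN, len);
        nbt_drop(s, NBT_HDR_LEN + len);
        return (long)len;
    }
}

static nbt_stream demo_stream;
static uint8_t    demo_out[256];

/* Constructed byte stream, fed in chunks that ignore frame boundaries. */
int run_demo(void)
{
    static const uint8_t wire[] = {
        0x85, 0, 0, 0,                          /* keep-alive */
        0x00, 0, 0, 8, 0xFF, 'S', 'M', 'B',     /* message whose payload ... */
        0x85, 0, 0, 0,                          /* ... ends in 85 00 00 00 */
        0x85, 0, 0, 0,                          /* keep-alive */
        0x00, 0, 0, 4, 0xFF, 'S', 'M', 'B',     /* second message */
    };
    static const size_t chunks[] = { 3, 7, 11, 7 };
    size_t off = 0;
    long n = NBT_NEED_MORE;
    int msgs = 0;

    nbt_init(&demo_stream);
    for (size_t i = 0; i < sizeof chunks / sizeof chunks[0]; i++) {
        if (nbt_feed(&demo_stream, wire + off, chunks[i]) != 0)
            return -1;
        off += chunks[i];
        while ((n = nbt_next(&demo_stream, demo_out, sizeof demo_out)) >= 0)
            msgs++;
        if (n == NBT_BAD)
            return -1;
    }
    return msgs;
}

int main(void)
{
    int msgs = run_demo();
    printf("messages=%d keepalives=%u\n", msgs, demo_stream.keepalives);
    return msgs == 2 ? 0 : 1;
}
```

The first message's payload ends in the bytes 85 00 00 00 and is delivered intact, because the keep-alive test is only made where a header is expected.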
only the first "wins server" works?
If I have 2 "wins server" set in smb.conf like the following:

wins server = 172.16.0.61, 172.16.10.8

I can verify that only the first works, the second does not, because the 2 wins servers have different contents in them, one for some domains and the other for some other domains. I have trusted domains in both of the wins servers. The domains are w2k domains, so the trust works through DNS, but I joined samba 3.0 as an NT4 server.

So my question is, is this by design of how WINS is supposed to work, or otherwise a problem in samba? I am using cvs HEAD code of Mar. 19th.

Chere
Re: Samba performance
Jeremy,

I apologise for the format hassle. Hope this works.

Cheers
Ravi

> Please resend with a mailer that doesn't wrap at 80 columns :-).
>
> Jeremy.

Samba Performance testing
=========================

1.0 Architecture:
-----------------

Server:
CPU: Intel(R) Pentium(R) III CPU family 1266MHz
Memory: 1GB
Kernel: Linux 2.4.18
File System: xfs-1.1
Samba version: 3.0-alpha19
Network: 1 GB point to point

Client: 1/2 GB memory and 1.6 GHZ Pentium

1.1 Introduction:
-----------------

We have been trying to measure samba performance. The following are our observations.

1.2 Is it samba ?
-----------------

We wanted to find out for sure whether samba was the bottleneck. So we did the following experiment.

1. dbench (to measure disk TP)
2. tbench (to measure TCP/IP TP)
3. dbench+tbench: In this experiment we wanted to find out whether system, not samba was the limitation. For each number of clients dbench and tbench was started simultaneously.
4. nbench with clients_oplocks.txt trace (to measure samba TP)

The results are as follows

Num      dbench    tbench    dbench     tbench     min(1,2)   nbench
clis     alone     alone     (simul     (simul
                             tbench)    dbench)
                             (1)        (2)
1        77.152    20.915    77.1373    19.7312    19.7312    11.5006
4        106.174   40.6007   71.2576    33.9155    33.9155    19.3349
8        93.378    56.4977   63.2581    43.745     43.745     19.8468
12       81.908    60.8616   59.0883    43.675     43.675     19.2888
16       56.834    63.6999   52.1449    41.525     41.525     19.3474
20       63.398    64.967    50.9493    41.776     41.776     19.1162
24       61.818    66.6186   50.223     41.8949    41.8949    18.9119
28       55.442    67.3411   49.1058    41.5549    41.5549    19.0702
32       54.318    69.2981   47.8511    41.9139    41.9139    18.8018
36       54.986    70.1524   45.6686    41.3715    41.3715    18.3617
40       46.994    70.8444   45.2621    41.459     41.459     18.2381
44       41.702    69.8389   42.6287    41.0206    41.0206    18.1785
48       45.988    69.8389   40.4743    40.3336    40.3336    18.1683

The nbench experiment measures samba performance with the same work load trace used for other experiments. As can be seen nbench TP is much smaller than minimum of (1) and (2) which implies that samba is the performance bottleneck. (The disk configuration for the above experiment was a 11 drive RAID 5 with LVM)

1.3 Where in Samba and what is the limitation ?:

We observe that our system is severely CPU limited. Here is the summary of top -d 1 trace of CPU usage during the period 16 nbench clients were active. (2 drive RAID 0 + LVM)

         User          System        Total
Mean     34.60447761   64.14477612   98.74925373
Median   35.2          63.7          99.9
Stdev    0.070189292   0.076303659   0.06342686

So it seems that more CPU time is spent in the system. Is this compatible with what we saw in earlier Samba versions ?

Then we used the Samba built-in profiling facility to get some information about performance intensive code paths. We discovered that the time spent on stat calls was excessive. The time was more than the time spent on read or write calls!

Here are the time consuming system calls

Name               num calls   time(us)    Min(us)   Max(us)
----               ---------   --------    -------   -------
syscall_opendir    189841      36913656    0         396806
syscall_readdir    2329741     40225042    0         312880
syscall_open       194256      150164226   0         1245872
syscall_close      133504      41983747    0         475361
syscall_read       320496      88093084    0         350440
syscall_write      149776      90665926    0         382059
syscall_stat       1335959     145079345   0         336839
syscall_unlink     33520       101113573   0         1132776

Here are the time consuming Trans2 calls

Trans2_findfirst   57184       201725472   0         430785
Trans2_qpathinfo   147536      255836025   0         412576

and the time consuming SMB calls

SMBntcreateX       175984      95263531    0         346844
SMBdskattr         27344       63275572    0         351798
SMBreadX           320496      90593419    0         350444
SMBwriteX          149776      92584721    0         382067
SMBunlink          33520       101522665   0         1132787
SMBclose           133696      66140491    0         475414

and cache statistics are

Statcache
*********
lookups: 398768
misses: 41
hits: 398727

Writecache
**********
read_hits: 0
abutted_writes: 0
total_writes: 149776
non_oplock_writes: 149776
direct_writes: 149776
init_writes: 0
flushed_writes[SEEK]: 0
flushed_writes[READ]: 0
flushed_writes[WRITE]: 0
flushed_writes[READRAW]: 0
flushed_writes[OPLOCK_RELEASE]: 0
flushed_writes[CLOSE]:
Re: Samba performance
On Mon, Mar 31, 2003 at 10:41:25PM +, [EMAIL PROTECTED] wrote:
> Please resend with a mailer that doesn't wrap at 80 columns :-).
>
> Jeremy.

Looks more like 60 columns.

--
Samba Team -- http://www.samba.org/     -)-   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-   [EMAIL PROTECTED]
OnLineBook -- http://ubiqx.org/cifs/    -)-   [EMAIL PROTECTED]
Re: Samba performance
On Mon, Mar 31, 2003 at 10:41:25PM +, [EMAIL PROTECTED] wrote:
> Please resend with a mailer that doesn't wrap at 80 columns :-).
>
> Jeremy.

Looks more like 55 c

--
Samba Team -- http://www.samba.org/     -)-   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-   [EMAIL PROTECTED]
OnLineBook -- http://ubiqx.org/cifs/    -)-   [EMAIL PROTECTED]
RE: encrypt passwords=no, security=yes, samba 2.2.8,W2K user aut h fails
How do bug fixes work? Do they go through some sort of review? Who decides whether they get put into the next release?

As Sun is now distributing Samba as part of the OS (started in Solaris 9), we are tracking this issue as bugID: #4839885.

tony

--On Monday, March 31, 2003 04:29:57 PM -0500 "MCCALL,DON (HP-USA,ex1)" <[EMAIL PROTECTED]> wrote:

From: "MCCALL,DON (HP-USA,ex1)" <[EMAIL PROTECTED]>
To: 'tony shepherd' <[EMAIL PROTECTED]>, "MCCALL,DON (HP-USA,ex1)" <[EMAIL PROTECTED]>, "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Subject: RE: encrypt passwords=no, security=yes, samba 2.2.8, W2K user aut h fails
Date-Sent: Tuesday, April 01, 2003 07:29:57 AM

Hi Tony,
Problem appears to be a result of your having

null passwords = no
map to guest = bad user
AND
encrypt passwords = no

What appears to be happening is that reply.c only checks the smbpasswd file to see if you have a 'bad user', and with encrypt passwords = NO, you won't have an smbpasswd file, and it never goes to check the /etc/passwd or nis store, etc, for this map to guest=bad user case. Since it's ALREADY failed password_ok, what it's doing at this time is trying to decide if it has the 'bad password' or the 'bad user' case, since the return from password_ok doesn't differentiate. Since it never finds the username in smbpasswd (since that doesn't exist), it assumes that the problem is NOT a bad password, but a bad USER, and goes off to try to use guest.

In your log file, this actually works, your sessionsetup&x succeeds, but you are mapped to the guest user. ( Registered username ts74081 for guest access)

Later on, the actual share (home share for ts7481 I am assuming) tconX fails because the guest account has a null password, and you didn't specify guest ok for homes.

For reasons completely unknown to me, win2k is NOT ever sending the password you type in UNTIL you try a different user, which generates an SMBulogoff() request, so the next negotprot,sesssetupX sequence starts, and THEN the win2k client sends the appropriate password, and you get authenticated appropriately (instead of being mapped to guest...)

My guess is that the original attempt to connect to the share used your current username with a null password, which set up the vc, and from then on, all the sessionsetups are on that vc, no more negot.prot's are made, until an SMBulogoff is done. Since win2k was successful in its initial attempt at sessionsetup&X with a null password (because you got mapped to guest as a bad user), it won't send a real password, even though it's ASKING FOR ONE, until you force an SMBulogoff, and a complete resetup of the vc, etc... (which is what using another username does) Win2k REALLY doesn't like using cleartext passwords, apparently (grin).

I can make this problem go away by changing reply.c so that it checks the /etc/passwd/nis store for a user instead of smbpasswd when encrypted passwords = no; my diffs are listed below if you want to try it. I'm copying the samba_technical list in hopes that someone smarter than I (practically everyone) will know more about what's going on and do an appropriate fix for this.

This diff is on a 2.2.8 code base.
# diff reply.c reply.original.c 1028c1028 < if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER && lp_encrypted_pass words()) --- if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER) 1054,1062d1053 < /* add mccall */ < if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER && !lp_encrypted_pas swords() && sys_getpwnam(user)) < { < /* delete_nt_token(&ptok); */ < DEBUG(1,("Rejecting user '%s': authentication failed\n", user)); < END_PROFILE(SMBsesssetupX); < return ERROR_BOTH(NT_STATUS_LOGON_FAILURE,ERRSRV,ERRbadpw); < } < /* end add mccall */ -Original Message- From: tony shepherd [mailto:[EMAIL PROTECTED] Sent: Sunday, March 30, 2003 22:49 To: MCCALL,DON (HP-USA,ex1) Cc: tony.shepherd Subject: RE: encrypt passwords=no, security=yes, samba 2.2.8, W2K user aut h fails Hi Don attached are the files requested. Thanks for looking at this for me. Solaris must be tweaking something that is not showing up under other OS's. tony --On Friday, March 28, 2003 06:13:14 AM -0800 "MCCALL,DON (HP-USA,ex1)" <[EMAIL PROTECTED]> wrote: > Hi Tony, > Can't make it happen here on my HP-UX system, and I don't have a Solaris > system to test on. But if you want to get me a log level 10 debug of > the issue, and the output of testparm, I'll see if I can spot anything. > Send the log and testparm off list, and compressed, ok? > > Don > >> -Original Message- >> From: tony shepherd [mailto:[EMAIL PROTECTED] >> Sent: Thursday, March 27, 2003 23:31 >> To: MCCALL,DON (HP-USA,ex1); [EMAIL PROTECTED] >> Subject: RE: encrypt passwords=no, security=yes, samba 2.2.8, W2K user >> aut h fails >> >> >> >> >> --On Thursday, March 27, 2003 10:06:08 AM -0500 "MCCALL,DON >> (HP-USA,ex1)" >> <[EMAIL PROTECTED]> wrote: >> >
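Review bot: in the block added at 1054,1062 of the reply.c diff above, the commented-out `/* delete_nt_token(&ptok); */` just before the early `return ERROR_BOTH(NT_STATUS_LOGON_FAILURE,ERRSRV,ERRbadpw);` should be resolved before this is merged. If ptok has been allocated by that point, the new return path leaks it; if it has not, the dead comment should be dropped. Which case applies cannot be told from the lines shown. The `/* add mccall */` and `/* end add mccall */` markers would be better replaced by a comment saying why the system password database is consulted when `lp_encrypted_passwords()` is false. Separately, the diff was generated as `diff reply.c reply.original.c`, so the `<` lines are the new code; regenerating it as `diff -u reply.original.c reply.c` would let it be applied without reversing it.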
Re: Samba performance
Please resend with a mailer that doesn't wrap at 80 columns :-). Jeremy.
Samba performance
Samba Performance testing
=========================

1.0 Architecture:
-----------------

Server:
CPU: Intel(R) Pentium(R) III CPU family 1266MHz
Memory: 1GB
Kernel: Linux 2.4.18
File System: xfs-1.1
Samba version: 3.0-alpha19
Network: 1 GB point to point

Client: 1/2 GB memory and 1.6 GHZ Pentium

1.1 Introduction:
-----------------

We have been trying to measure samba performance. The following are our observations.

1.2 Is it samba ?
-----------------

We wanted to find out for sure whether samba was the bottleneck. So we did the following experiment.

1. dbench (to measure disk TP)
2. tbench (to measure TCP/IP TP)
3. dbench+tbench: In this experiment we wanted to find out whether system, not samba was the limitation. For each number of clients dbench and tbench was started simultaneously.
4. nbench with clients_oplocks.txt trace (to measure samba TP)

The results are as follows

Num      dbench    tbench    dbench     tbench     min(1,2)   nbench
clients  alone     alone     (simul     (simul
                             tbench)    dbench)
                             (1)        (2)
1        77.152    20.915    77.1373    19.7312    19.7312    11.5006
4        106.174   40.6007   71.2576    33.9155    33.9155    19.3349
8        93.378    56.4977   63.2581    43.745     43.745     19.8468
12       81.908    60.8616   59.0883    43.675     43.675     19.2888
16       56.834    63.6999   52.1449    41.5259    41.5259    19.3474
20       63.398    64.9676   50.9493    41.776     41.776     19.1162
24       61.818    66.6186   50.223     41.8949    41.8949    18.9119
28       55.442    67.3411   49.1058    41.5549    41.5549    19.0702
32       54.318    69.2981   47.8511    41.9139    41.9139    18.8018
36       54.986    70.1524   45.6686    41.3715    41.3715    18.3617
40       46.994    70.8444   45.2621    41.459     41.459     18.2381
44       41.702    69.8389   42.6287    41.0206    41.0206    18.1785
48       45.988    69.8389   40.4743    40.3336    40.3336    18.1683

The nbench experiment measures samba performance with the same work load trace used for other experiments. As can be seen nbench TP is much smaller than minimum of (1) and (2) which implies that samba is the performance bottleneck. (The disk configuration for the above experiment was a 11 drive RAID 5 with LVM)

1.3 Where in Samba and what is the limitation ?:

We observe that our system is severely CPU limited. Here is the summary of top -d 1 trace of CPU usage during the period 16 nbench clients were active. (2 drive RAID 0 + LVM)

         User          System        Total
Mean     34.60447761   64.14477612   98.74925373
Median   35.2          63.7          99.9
Stdev    0.070189292   0.076303659   0.06342686

So it seems that more CPU time is spent in the system. Is this compatible with what we saw in earlier Samba versions ?

Then we used the Samba built-in profiling facility to get some information about performance intensive code paths. We discovered that the time spent on stat calls was excessive. The time was more than the time spent on read or write calls!

Here are the time consuming system calls

Name               num calls   time(us)    Min(us)   Max(us)
----               ---------   --------    -------   -------
syscall_opendir    189841      36913656    0         396806
syscall_readdir    2329741     40225042    0         312880
syscall_open       194256      150164226   0         1245872
syscall_close      133504      41983747    0         475361
syscall_read       320496      88093084    0         350440
syscall_write      149776      90665926    0         382059
syscall_stat       1335959     145079345   0         336839
syscall_unlink     33520       101113573   0         1132776

Here are the time consuming Trans2 calls

Trans2_findfirst   57184       201725472   0         430785
Trans2_qpathinfo   147536      255836025   0         412576

and the time consuming SMB calls

SMBntcreateX       175984      95263531    0         346844
SMBdskattr         27344       63275572    0         351798
SMBreadX           320496      90593419    0         350444
SMBwriteX          149776      92584721    0         382067
SMBunlink          33520       101522665   0         1132787
SMBclose           133696      66140491    0         475414

and cache statistics are

Statcache
*********
lookups: 398768
misses: 41
hits: 398727

Writecache
**********
read_hits: 0
abutted_writes: 0
total_writes: 149776
non_oplock_writes: 149776
direct_writes: 149776
init_writes: 0
flushed_writes[SEEK]: 0
flushed_writes[READ]: 0
flushed_writes[WRITE]: 0
flushed_writes[READRAW]: 0
flushed_writes[OPLOCK_RELEASE]: 0
flushed_writes[CLOSE]: 0
flushed_writes[SYNC]: 0
flushed_writes[SIZECHANGE]: 0
num_perfect_writes: 0
num_write_caches: 0
allocated_write_caches: 0

For the above experiment <16 cli
FW: encrypt passwords=no, security=yes, samba 2.2.8, W2K user aut h fails
Sorry, forgot to cc the list...

Jerry, you made some comments around the code I modified, maybe you could take a look at this and comment??

Don

-----Original Message-----
From: MCCALL,DON (HP-USA,ex1)
Sent: Monday, March 31, 2003 16:30
To: 'tony shepherd'; MCCALL,DON (HP-USA,ex1); '[EMAIL PROTECTED]'
Subject: RE: encrypt passwords=no, security=yes, samba 2.2.8, W2K user aut h fails

Hi Tony,
Problem appears to be a result of your having

null passwords = no
map to guest = bad user
AND
encrypt passwords = no

What appears to be happening is that reply.c only checks the smbpasswd file to see if you have a 'bad user', and with encrypt passwords = NO, you won't have an smbpasswd file, and it never goes to check the /etc/passwd or nis store, etc, for this map to guest=bad user case. Since it's ALREADY failed password_ok, what it's doing at this time is trying to decide if it has the 'bad password' or the 'bad user' case, since the return from password_ok doesn't differentiate. Since it never finds the username in smbpasswd (since that doesn't exist), it assumes that the problem is NOT a bad password, but a bad USER, and goes off to try to use guest.

In your log file, this actually works, your sessionsetup&x succeeds, but you are mapped to the guest user. ( Registered username ts74081 for guest access)

Later on, the actual share (home share for ts7481 I am assuming) tconX fails because the guest account has a null password, and you didn't specify guest ok for homes.

For reasons completely unknown to me, win2k is NOT ever sending the password you type in UNTIL you try a different user, which generates an SMBulogoff() request, so the next negotprot,sesssetupX sequence starts, and THEN the win2k client sends the appropriate password, and you get authenticated appropriately (instead of being mapped to guest...)
My guess is that the original attempt to connect to the share used your current username with a null password, which set up the vc, and from then on, all the sessionsetups are on that vc, no more negot.prot's are made, until an SMBulogoff is done. Since win2k was successful in it's initial attempt at sessionsetup&X with a null password (because you got mapped to guest as a bad user), it won't send a real password, even though it's ASKING FOR ONE, until you force an SMBulogoff, and a complete resetup of the vc, etc... (which is what using another username does) Win2k REALLY doesn't like using cleartext passwords, apparently (grin). I can make this problem go away by changing reply.c so that it checks the /etc/passwd/nis store for a user instead of smbpasswd when encrypted passwords = no; my diffs are listed below if you want to try it. I'm copying the samba_technical list in hopes that someone smarter than I (practically everyone) will know more about what's going on and do an appropriate fix for this. This diff is on a 2.2.8 code base. # diff reply.c reply.original.c 1028c1028 < if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER && lp_encrypted_pass words()) --- > if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER) 1054,1062d1053 < /* add mccall */ < if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER && !lp_encrypted_pas swords() && sys_getpwnam(user)) < { < /* delete_nt_token(&ptok); */ < DEBUG(1,("Rejecting user '%s': authentication failed\n", user)); < END_PROFILE(SMBsesssetupX); < return ERROR_BOTH(NT_STATUS_LOGON_FAILURE,ERRSRV,ERRbadpw); < } < /* end add mccall */ > -Original Message- > From: tony shepherd [mailto:[EMAIL PROTECTED] > Sent: Sunday, March 30, 2003 22:49 > To: MCCALL,DON (HP-USA,ex1) > Cc: tony.shepherd > Subject: RE: encrypt passwords=no, security=yes, samba 2.2.8, W2K user > aut h fails > > > > > Hi Don > > attached are the files requested. Thanks for looking at this for me. 
> Solaris must be tweaking something that is not showing up > under other OS's. > > > > tony > > --On Friday, March 28, 2003 06:13:14 AM -0800 "MCCALL,DON > (HP-USA,ex1)" > <[EMAIL PROTECTED]> wrote: > > > Hi Tony, > > Can't make it happen here on my HP-UX system, and I don't > have a Solaris > > system to test on. But if you want to get me a log level > 10 debug of > > the issue, and the output of testparm, I'll see if I can > spot anything. > > Send the log and testparm off list, and compressed, ok? > > > > Don > > > >> -Original Message- > >> From: tony shepherd [mailto:[EMAIL PROTECTED] > >> Sent: Thursday, March 27, 2003 23:31 > >> To: MCCALL,DON (HP-USA,ex1); [EMAIL PROTECTED] > >> Subject: RE: encrypt passwords=no, security=yes, samba > 2.2.8, W2K user > >> aut h fails > >> > >> > >> > >> > >> --On Thursday, March 27, 2003 10:06:08 AM -0500 "MCCALL,DON > >> (HP-USA,ex1)" > >> <[EMAIL PROTECTED]> wrote: > >> > >> > Hi tony, > >> > based on your log file, it sure does APPEAR that you have > >> NOT turned off > >> > encrypted passwords, > >> > as samba is trying to open > >> /usr/local
Request - security patch for 2.0.6
Is there a plan for a patch for 2.0.6 to address the security bug announced 3/14/03?

If not, I am requesting such a patch, as upgrading to 2.2.8 will cause difficulty in our environment. (the "Take Ownership" overloading no longer works in 2.2.8, so empty ACE's don't show up in the permission dialog in NT)

The release notes for 2.2.8 say "As this is a security issue, patches for this flaw specific to earlier versions of Samba will be posted on the [EMAIL PROTECTED] mailing list as requested."
Re: Samba 2.2.8 - Snap Server Support
On Mon, Mar 31, 2003 at 09:30:07AM -0500, Irving Carrion wrote: > Currently the snap has a hard time reading Samba's domain users / groups > correctly. The patch (I did not write the code) simply fixes this > problem. It works fine on W2k servers, but I think it runs on a windows > appliance operating system. Not sure though. Yes please, can we look at the patch. Thanks, Jeremy.
RE: Samba 2.2.8 - Snap Server Support
Ok, so the patch was to a Samba PDC, now this all makes more sense to me :). This is not something that our organization has ever tracked, but I'm glad the Samba community could help you in providing a fix to the PDC. Since we've never tracked it (The Tech was right, it is not officially supported), I cannot tell you whether the patch will still apply against 2.2.8 -- but I would guess so since it was written for 2.2.3 and it works for 2.2.6. -Marc -Original Message- From: Irving Carrion [mailto:[EMAIL PROTECTED] Sent: Monday, March 31, 2003 10:14 AM To: 'Marc Kaplan'; 'Paul Reilly' Cc: [EMAIL PROTECTED] Subject: RE: Samba 2.2.8 - Snap Server Support Thanks for your response! The patch that I applied was applied to the Samba Server not the Snap. It was a patch given to me by someone on this list (I'll have to look for his name to give him proper credit). It was written for Samba Version 2.2.3 but it is working for me in version 2.2.6. We have 2 snap servers that don't work correctly (although worked fine with w2k server and Samba 3.0). They are: Snap Server 2000 20gig mirror & Dell Power Vault 705N (I understand they resell snap) 80 gig mirror Without the patch, both tend to not read users/groups with Samba 2.2.x PDC's. I don't know what operating systems the snaps have. Also, after speaking to Quantum support, they don't support anything other than W2k PDC's. The tech I spoke with didn't even know what Samba was. The patch is working great, I just wanted to make sure of SNAP compatibility with 2.2.8 before upgrading. If not, I may just have to compile from source again. Thanks! P.S. I can provide you with the patch if you need it. 
-Original Message- From: Marc Kaplan [mailto:[EMAIL PROTECTED] Sent: Monday, March 31, 2003 12:46 PM To: 'Irving Carrion'; 'Paul Reilly' Cc: [EMAIL PROTECTED] Subject: RE: Samba 2.2.8 - Snap Server Support Irving, Applying patches to your Snap Server is probably not a good idea, and usually impossible since the box doesn't have a compiler or the smbd source we use. If you're putting in a patched binary, that also may have unintended effects. I just don't want you to get your box in an unsupported state (since we do have free tech support for our customers). Please let me know the: 1) SnapServer model you have 2) The OS it's running 3) Where the patch came from 4) How you applied it Maybe you can also explain to me the problems that you were having. Is it using the Snap against a Samba PDC? If so, is the Samba PDC the place where you applied the patch? Also, the SnapServer is either BSD or Linux based, depending on the model. -Marc -- Marc Kaplan Software Quality Assurance Engineer SnapAppliance - Network Attached Storage Division 408-879-8769 -Original Message- From: Irving Carrion [mailto:[EMAIL PROTECTED] Sent: Monday, March 31, 2003 6:30 AM To: 'Paul Reilly' Cc: [EMAIL PROTECTED] Subject: RE: Samba 2.2.8 - Snap Server Support Currently the snap has a hard time reading Samba's domain users / groups correctly. The patch (I did not write the code) simply fixes this problem. It works fine on W2k servers, but I think it runs on a windows appliance operating system. Not sure though. -Original Message- From: Paul Reilly [mailto:[EMAIL PROTECTED] Sent: Monday, March 31, 2003 9:26 AM To: Irving Carrion Subject: RE: Samba 2.2.8 - Snap Server Support > These are prebuilt NAS (network attached storage) servers with html gui > interfaces to configure. For more info go to > http://www.snapappliance.com/. > I see... But does samba not work with these already? What does your code do ? Paul
RE: Samba 2.2.8 - Snap Server Support
Thanks for your response! The patch that I applied was applied to the Samba Server not the Snap. It was a patch given to me by someone on this list (I'll have to look for his name to give him proper credit). It was written for Samba Version 2.2.3 but it is working for me in version 2.2.6. We have 2 snap servers that don't work correctly (although worked fine with w2k server and Samba 3.0). They are: Snap Server 2000 20gig mirror & Dell Power Vault 705N (I understand they resell snap) 80 gig mirror Without the patch, both tend to not read users/groups with Samba 2.2.x PDC's. I don't know what operating systems the snaps have. Also, after speaking to Quantum support, they don't support anything other than W2k PDC's. The tech I spoke with didn't even know what Samba was. The patch is working great, I just wanted to make sure of SNAP compatibility with 2.2.8 before upgrading. If not, I may just have to compile from source again. Thanks! P.S. I can provide you with the patch if you need it. -Original Message- From: Marc Kaplan [mailto:[EMAIL PROTECTED] Sent: Monday, March 31, 2003 12:46 PM To: 'Irving Carrion'; 'Paul Reilly' Cc: [EMAIL PROTECTED] Subject: RE: Samba 2.2.8 - Snap Server Support Irving, Applying patches to your Snap Server is probably not a good idea, and usually impossible since the box doesn't have a compiler or the smbd source we use. If you're putting in a patched binary, that also may have unintended effects. I just don't want you to get your box in an unsupported state (since we do have free tech support for our customers). Please let me know the: 1) SnapServer model you have 2) The OS it's running 3) Where the patch came from 4) How you applied it Maybe you can also explain to me the problems that you were having. Is it using the Snap against a Samba PDC? If so, is the Samba PDC the place where you applied the patch? Also, the SnapServer is either BSD or Linux based, depending on the model. 
-Marc -- Marc Kaplan Software Quality Assurance Engineer SnapAppliance - Network Attached Storage Division 408-879-8769 -Original Message- From: Irving Carrion [mailto:[EMAIL PROTECTED] Sent: Monday, March 31, 2003 6:30 AM To: 'Paul Reilly' Cc: [EMAIL PROTECTED] Subject: RE: Samba 2.2.8 - Snap Server Support Currently the snap has a hard time reading Samba's domain users / groups correctly. The patch (I did not write the code) simply fixes this problem. It works fine on W2k servers, but I think it runs on a windows appliance operating system. Not sure though. -Original Message- From: Paul Reilly [mailto:[EMAIL PROTECTED] Sent: Monday, March 31, 2003 9:26 AM To: Irving Carrion Subject: RE: Samba 2.2.8 - Snap Server Support > These are prebuilt NAS (network attached storage) servers with html gui > interfaces to configure. For more info go to > http://www.snapappliance.com/. > I see... But does samba not work with these already? What does your code do ? Paul
Re: When the keep-alive packet sent out, rfc1002 says different things!!
On Mon, Mar 31, 2003 at 08:07:16PM +1000, Andrew Bartlett wrote:
> On Mon, 2003-03-31 at 19:42, [EMAIL PROTECTED] wrote:
> > Hello everyone, When I am programming a samba client in freeDOS,using
> > wattcp, I found a strange thing, which is not the same as rfc1002 claims.
> > In rfc 1002,see below:
> >
> > So,during I write data or read data to server, it seems that server will
> > not send me any keep-alive packet because he will reset the timer.But
> > in fact,during I raw write a very large piece data to server(not
> > matter windows or linux),it will send me a keep-alive
> > occasionally,leading my defendless code crash.
> > I REALLY don't understand why they don't obey the rules, or do I
> > mistake rfc1002?
> >
> > Urgently hope for your kindly help,thank you
>
> See www.ubiqx.org/cifs for a description of this horrid protocol...
>
> Also, make sure you understand - the standard is what Microsoft does,
> not what any RFC says.

Also note that you may have trouble with ReadRaw and WriteRaw. Microsoft published documentation regarding these SMBs a long time ago and never suggested that there might be licensing issues. Just about a year ago, however, they coughed up some patents which may or may not apply to implementations of ReadRaw and WriteRaw. See:

http://us3.samba.org/samba/ms_license.html

That said, the problem you are experiencing, if I understand correctly, is that the server is sending keep-alives during a WriteRaw from your client because the server-side keep-alive timer is not reset.

Two solutions:

1) Send an SMB ECHO just before doing the WriteRaw. That will reset the timer.
2) Handle the keep-alive.

For case #2, the keep-alive will contain the bytes { 0x85, 0, 0, 0 } and that's it. You should be able to recognize those and simply discard them.

Chris -)-

--
Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED]
OnLineBook -- http://ubiqx.org/cifs/ -)- [EMAIL PROTECTED]
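Case #2 from the reply above, as an added example that is not part of the original message and is not Samba or jCIFS code: an incremental de-framer that takes whatever recv() returns, discards { 0x85, 0, 0, 0 } keep-alives wherever they fall, and bounds the header's length field before trusting it. The names (nbt_stream, nbt_feed, nbt_next, nbt_demo), the 4096-byte buffer and the sample bytes are assumptions made for the example; it assumes every message carries an NBT header (raw data blocks are not covered) and that the session is already established, so only session messages (0x00) and keep-alives are expected.

```c
/* Added example: incremental NBT Session Service de-framer (hypothetical names). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBT_HDR_LEN          4
#define NBT_SESSION_MESSAGE  0x00
#define NBT_KEEPALIVE        0x85
#define NBT_BUF_CAP          4096   /* assumption: receive buffer size chosen by the caller */

typedef struct {
    uint8_t  buf[NBT_BUF_CAP];
    size_t   head;        /* first byte not yet consumed */
    size_t   tail;        /* one past the last byte received */
    unsigned keepalives;  /* keep-alives seen and discarded */
} nbt_stream;

static void nbt_init(nbt_stream *s) { memset(s, 0, sizeof *s); }

/* Append the bytes one recv() call returned. Returns 0, or -1 if they do not fit. */
static int nbt_feed(nbt_stream *s, const uint8_t *data, size_t len)
{
    if (s->head > 0) {                        /* reclaim space already consumed */
        memmove(s->buf, s->buf + s->head, s->tail - s->head);
        s->tail -= s->head;
        s->head = 0;
    }
    if (len > sizeof s->buf - s->tail)
        return -1;
    memcpy(s->buf + s->tail, data, len);
    s->tail += len;
    return 0;
}

/* Returns 1 with *payload and *plen set (valid until the next nbt_feed),
 * 0 when more bytes are needed, -1 on a header that must not be trusted. */
static int nbt_next(nbt_stream *s, const uint8_t **payload, size_t *plen)
{
    for (;;) {
        const uint8_t *h = s->buf + s->head;
        size_t avail = s->tail - s->head;
        size_t len;

        if (avail < NBT_HDR_LEN)
            return 0;                          /* header itself is split across reads */
        if (h[1] & 0xFE)
            return -1;                         /* RFC 1002: reserved flag bits are zero */
        /* 17-bit length: low flag bit is the high-order bit, then two bytes big-endian */
        len = ((size_t)(h[1] & 0x01) << 16) | ((size_t)h[2] << 8) | h[3];

        if (h[0] == NBT_KEEPALIVE) {
            if (len != 0)
                return -1;                     /* a keep-alive carries no payload */
            s->head += NBT_HDR_LEN;            /* discard it and look again */
            s->keepalives++;
            continue;
        }
        if (h[0] != NBT_SESSION_MESSAGE)
            return -1;                         /* unexpected type after session setup */
        if (len > NBT_BUF_CAP - NBT_HDR_LEN)
            return -1;                         /* declared length can never fit: reject */
        if (avail < NBT_HDR_LEN + len)
            return 0;                          /* body not complete yet */
        *payload = h + NBT_HDR_LEN;
        *plen = len;
        s->head += NBT_HDR_LEN + len;
        return 1;
    }
}

/* Constructed sample stream (not a capture): message, keep-alive, message, keep-alive. */
static const uint8_t SAMPLE[] = {
    0x00, 0x00, 0x00, 0x05, 0xFF, 'S', 'M', 'B', 0x2B,
    0x85, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x04, 0xFF, 'S', 'M', 'B',
    0x85, 0x00, 0x00, 0x00
};

/* Deliver SAMPLE in pieces of `chunk` bytes, as recv() might; returns messages seen. */
static int nbt_demo(size_t chunk, unsigned *keepalives, size_t *payload_bytes)
{
    nbt_stream s;
    const uint8_t *p;
    size_t plen, off, take;
    int rc, messages = 0;

    if (chunk == 0)
        return -1;
    nbt_init(&s);
    *payload_bytes = 0;
    for (off = 0; off < sizeof SAMPLE; off += take) {
        take = sizeof SAMPLE - off < chunk ? sizeof SAMPLE - off : chunk;
        if (nbt_feed(&s, SAMPLE + off, take) != 0)
            return -1;
        while ((rc = nbt_next(&s, &p, &plen)) == 1) {
            messages++;
            *payload_bytes += plen;
        }
        if (rc < 0)
            return -1;
    }
    *keepalives = s.keepalives;
    return messages;
}

int main(void)
{
    unsigned ka = 0;
    size_t bytes = 0;
    int n = nbt_demo(3, &ka, &bytes);
    printf("messages=%d keepalives=%u payload_bytes=%zu\n", n, ka, bytes);
    return n == 2 ? 0 : 1;
}
```

On a -1 return the stream position is not advanced; the caller is expected to drop the connection rather than try to resynchronise.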
RE: Samba 2.2.8 - Snap Server Support
Irving, Applying patches to your Snap Server is probably not a good idea, and usually impossible since the box doesn't have a compiler or the smbd source we use. If you're putting in a patched binary, that also may have unintended effects. I just don't want you to get your box in an unsupported state (since we do have free tech support for our customers). Please let me know the: 1) SnapServer model you have 2) The OS it's running 3) Where the patch came from 4) How you applied it Maybe you can also explain to me the problems that you were having. Is it using the Snap against a Samba PDC? If so, is the Samba PDC the place where you applied the patch? Also, the SnapServer is either BSD or Linux based, depending on the model. -Marc -- Marc Kaplan Software Quality Assurance Engineer SnapAppliance - Network Attached Storage Division 408-879-8769 -Original Message- From: Irving Carrion [mailto:[EMAIL PROTECTED] Sent: Monday, March 31, 2003 6:30 AM To: 'Paul Reilly' Cc: [EMAIL PROTECTED] Subject: RE: Samba 2.2.8 - Snap Server Support Currently the snap has a hard time reading Samba's domain users / groups correctly. The patch (I did not write the code) simply fixes this problem. It works fine on W2k servers, but I think it runs on a windows appliance operating system. Not sure though. -Original Message- From: Paul Reilly [mailto:[EMAIL PROTECTED] Sent: Monday, March 31, 2003 9:26 AM To: Irving Carrion Subject: RE: Samba 2.2.8 - Snap Server Support > These are prebuilt NAS (network attached storage) servers with html gui > interfaces to configure. For more info go to > http://www.snapappliance.com/. > I see... But does samba not work with these already? What does your code do ? Paul
Re: Problems with ACLs in 2.2.8
i'm also seeing some aberrant ACL-setting behavior in samba 2.2.8. moreover, the new Creator Owner and Creator Group semantics are bewildering, although i can understand if, in that sense, they're just mimicking NT behavior all the more closely.

at any rate, below's a patch that purports to do the following:

1. the hunk for util_sid.c makes the Creator Owner and Creator Group icons show up appropriately in my NT-permissions-chooser thingy
2. the first three hunks for posix_acls.c allow one to drop entries from an ACL without having samba re-insert the ``missing'' ACEs behind the scenes with the share-default perms. this may or may not address your concern
3. the fourth hunk excepts Creator Owner and Creator Group from being dropped from the incoming ACL as ``non-mappable SIDs''
4. the fifth hunk corrects for the fact that--according to the ``-s'' option description from the setfacl(1) man page of Solaris 2.6, anyway--Solaris needs a default ``CLASS_OBJ'' entry if it has any other default ACL entries
5. the sixth hunk makes use of the mask_perms mode that set_canon_ace_list() munges all the way through but then does nothing with. this isn't required for correct functionality, though, i don't think
6. the seventh hunk (in NT4-compatible mode) abridges the code to elide the non-default ACL entry for the group owner if the group owner has no permissions, since i thought this might allay confusion, as indicated by the CPP macro name used there. again, this isn't required for correct functionality

none of these are meant to be applied to anybody's samba source tree; i'm just trying to point out some areas that may need attention

i think, however, for my purposes, i'm just going to drop in the old 2.2.7 posix_acls.c, since i find named ACEs with non-bogus perms in both parenthesized slots in the NT-permissions-thingy display much less confusing, if a bit misleading

--buck

On Tue, Mar 25, 2003 at 01:39:22AM +, Jan Houstek wrote:
> Hi all!
> > I posted this in [EMAIL PROTECTED] but there were no reactions. > Particulary I'm interested if anyone observe the same behavior. > > -- Honza Houstek > > -- > > server: > linux 2.4.19 with xfs 1.2 and its ACL > libacl 2.0.19 > samba 2.2.8 compiled from source with --with-acl-support > acting as PDC > interesting parts of smb.conf > create mask = 0600 > directory mask = 0700 > [testshare] > path = /data/testshare > readonly = No > client: > 1) Windows XP, servicepack 1.2a > 2) smbmount from another linux box > > server:~# getfacl /data/testshare/testdir > # file: testdir > # owner: testuser > # group: users > user::rwx > group::--- > group:somegroup:r-x > group:anothergroup:rwx > mask::rwx > other::--- > default:user::rwx > default:group::--- > default:group:somegroup:r-x > default:group:anothergroup:rwx > default:mask::rwx > default:other::--- > > server:~# umask 007 > server:~# mkdir /data/testshare/testdir/test1 > server:~# getfacl /data/testshare/testdir/test1 > # file: test1 > # owner: root > # group: root > user::rwx > group::--- > group:somegroup:r-x > group:anothergroup:rwx > mask::rwx > other::--- > default:user::rwx > default:group::--- > default:group:somegroup:r-x > default:group:anothergroup:rwx > default:mask::rwx > default:other::--- > > On windows: > logon to domain as testuser > create test2 in testdir (right mouse button -> New -> Folder) > > server:~# getfacl /data/testshare/testdir/test2 > # file: test2 > # owner: testuser > # group: users > user::rwx > group::rwx# !!! problem !!! > group:somegroup:r-x > group:anothergroup:rwx > mask::rwx > other::--- > default:user::rwx > default:group::--- > default:group:somegroup:r-x > default:group:anothergroup:rwx > default:mask::rwx > default:other::--- --- samba-2.2.8/source/lib/util_sid.c.orig Fri Mar 14 16:34:47 2003 +++ samba-2.2.8/source/lib/util_sid.c Mon Mar 31 07:50:10 2003 
@@ -64,7 +64,8 @@ {0, (enum SID_NAME_USE)0, NULL}}; static known_sid_users creator_owner_users[] = { - { 0, SID_NAME_ALIAS, "Creator Owner" }, + { 0, SID_NAME_WKN_GRP, "Creator Owner" }, + { 1, SID_NAME_WKN_GRP, "Creator Group" }, {0, (enum SID_NAME_USE)0, NULL}}; static known_sid_users nt_authority_users[] = { --- samba-2.2.8/source/smbd/posix_acls.c.orig Fri Mar 14 16:34:49 2003 +++ samba-2.2.8/source/smbd/posix_acls.cMon Mar 31 09:10:10 2003 @@ -653,6 +653,7 @@ * we would get mask instead of group. Let's do it via ACL. */ +#if RETAIN_ACE_IF_MISSING_FROM_INCOMING_ACL if (setting_acl && (!got_user || !got_grp || !got_other)) { SMB_ACL_ENTRY_T entry; @@ -701,6 +702,7 @@ fsp->fsp_name)); } } +#en
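Review bot: the #if RETAIN_ACE_IF_MISSING_FROM_INCOMING_ACL guard added in the first posix_acls.c hunk (@@ -653,6 +653,7) is not defined anywhere in the visible part of the patch, so the preprocessor evaluates it as 0 and the block that fills in missing user, group and other entries is compiled out of every build. That changes which ACL ends up on disk when a client sends an incomplete one, so the #if needs a comment stating the intent, and if this is meant to be selectable it would be better as a run-time smb.conf option than as a build-time macro. In the util_sid.c hunk, the existing "Creator Owner" entry changes from SID_NAME_ALIAS to SID_NAME_WKN_GRP with no comment in the code explaining why the type differs from before.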
Re: Patch for Bad Password Attempt Lockout, samba3.0a22.
Now the users of "Domain Admins" will not be locked. But until we have not the right provilege for "Domain Admins", I will continue to use the "admin users" for administrator's use (like add machine, user manager for domain...). In attach is the new patch. Jianliang Lu TieSse s.p.a. Via Jervis, 60. 10015 Ivrea (To) - Italy [EMAIL PROTECTED] [EMAIL PROTECTED] --- auth_sam.c. Thu Mar 20 16:31:34 2003 +++ auth_sam.c.fix Mon Mar 31 17:23:09 2003 @@ -326,6 +326,12 @@ return NT_STATUS_ACCOUNT_DISABLED; } + /* Quit if the account was locked out. */ + if (acct_ctrl & ACB_AUTOLOCK) { + DEBUG(1,("Account for user '%s' was locked out.\n", pdb_get_username(sampass))); + return NT_STATUS_ACCOUNT_LOCKED_OUT; + } + /* Test account expire time */ kickoff_time = pdb_get_kickoff_time(sampass); @@ -414,6 +420,8 @@ NTSTATUS nt_status; uint8 user_sess_key[16]; const uint8* lm_hash; + uint32 account_policy_lockout, badpwattempt; + GROUP_MAP map; if (!user_info || !auth_context) { return NT_STATUS_UNSUCCESSFUL; 
@@ -448,10 +456,45 @@ nt_status = sam_password_ok(auth_context, mem_ctx, sampass, user_info, user_sess_key); if (!NT_STATUS_IS_OK(nt_status)) { + if (NT_STATUS_EQUAL(nt_status,NT_STATUS_WRONG_PASSWORD)) { + badpwattempt = (uint32)pdb_get_bad_pw_attempt(sampass) + 1; + if (!pdb_set_bad_pw_attempt(sampass, badpwattempt, PDB_CHANGED)) + DEBUG(1, ("Failed to set 'badPwAttempt' for user % s. \n", + user_info->internal_username.str)); + account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_lockout); + if (!get_group_map_from_ntname("Domain Admins", &map, MAPPING_WITHOUT_PRIV)) + DEBUG(1, ("auth_sam.c: Failed to get groupmap for Domain Admins")); + if ((badpwattempt >= account_policy_lockout) && !user_in_list(user_info->internal_username.str, lp_admin_users(-1), NULL, 0) && !user_in_group_list(user_info->internal_username.str, gidtoname(map.gid), NULL, 0)) + if (!pdb_set_acct_ctrl (sampass, + pdb_get_acct_ctrl(sampass) |ACB_AUTOLOCK, + PDB_CHANGED)) { + DEBUG(1, ("Failed to set 'disabled' flag for user % s. \n", + user_info->internal_username.str)); + } + + become_root(); + if (!pdb_update_sam_account(sampass)) { + DEBUG(1, ("Failed to modify entry for user % s.\n", + user_info->internal_username.str)); + unbecome_root(); +} + } pdb_free_sam(&sampass); return nt_status; } + if (!pdb_set_bad_pw_attempt(sampass, 0, PDB_CHANGED)) + DEBUG(1, ("Failed to set 'badPwAttempt' for user % s. \n", +user_info->internal_username.str)); + if (!pdb_set_logon_time(sampass, time(NULL), PDB_CHANGED)) + DEBUG(1, ("auth_sam.c : pdb_set_logon_time fialed!\n")); + + become_root(); + if(!pdb_update_sam_account(sampass)) + DEBUG(1, ("Failed to modify entry for user % s.\n", +user_info->internal_username.str)); + unbecome_root(); + if (!NT_STATUS_IS_OK(nt_status = make_server_info_sam(server_info, sampass))) { DEBUG(0,("check_sam_security: make_server_info_sam() failed with '%s'\n", nt_errstr(nt_status))); return nt_status;
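Review bot: in the @@ -448,10 +456,45 hunk, the failed-password path calls become_root() and then calls unbecome_root() only inside the block that runs when pdb_update_sam_account() fails, so after a successful update the function returns with root privileges still held. unbecome_root() should be called unconditionally right after the update, the way the success path at the end of the same hunk does it. In the same path, map.gid is passed to gidtoname() in the user_in_group_list() test even when get_group_map_from_ntname() has just failed and left map unset; the group test should be skipped in that case. The DEBUG format strings also contain "% s" where "%s" is meant.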
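Review bot: the ACB_AUTOLOCK check added in the @@ -326,6 +326,12 hunk has no counterpart that clears the flag: in the visible hunks the only reset is pdb_set_bad_pw_attempt(sampass, 0, ...) on the successful-login path, and that resets the counter, not ACB_AUTOLOCK. As written, an account that reaches the AP_BAD_ATTEMPT_LOCKOUT threshold stays locked until someone edits it by hand. The patch should state how an account gets unlocked (a lockout duration, or an explicit administrative action) and document that next to the new check.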
[PATCH] fix vfs objects order
Hi Alexander,

here's the small fix which corrects the vfs objects order

metze
-
Stefan "metze" Metzmacher <[EMAIL PROTECTED]>

vfs-fix-02.diff Description: Binary data
Samba-3.0alpha23 available on samba.org mirrors
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

We've just posted another snapshot of the SAMBA_3_0 cvs tree for download. This is a non-production release provided for testing only. Note that this release **does** contain the security fixes included in the Samba 2.2.8 release.

The source code can be downloaded from :

http://download.samba.org/samba/ftp/alpha/

The uncompressed tarball and patch file have been signed using GnuPG. The Samba public key is available at

http://download.samba.org/samba/ftp/samba-pubkey.asc

Binary packages for RedHat have been released and can be found at

http://download.samba.org/samba/ftp/Binary_Packages/

Others will be available as they are submitted by volunteers.

A simplified version of the CVS log of updates since 3.0alpha22 can be found in the download directory under the name ChangeLog-3.0alpha22-alpha23. The release notes follow.

As always, all bugs are our responsibility.

--Enjoy
The Samba Team

WHATS NEW IN Samba 3.0 alpha23
30th March 2003
==============================

This is a pre-release of Samba 3.0. This is NOT a stable release. Use at your own risk.

The purpose of this alpha release is to get wider testing of the major new pieces of code in the current Samba 3.0 development tree. We have officially ceased development on the 2.2.x release of Samba and are concentrating on Samba 3.0. To reduce the time before the final Samba 3.0 release we need as many people as possible to start testing these alpha releases, and hopefully giving us some high quality feedback on what needs fixing.

Note that Samba 3.0 is not feature complete yet. There is more coding we have planned, but unless we get what we have done already more widely tested we will have a hard time doing a stable release in a reasonable time frame.

Major new features:
-------------------

- Active Directory support. This release is able to join a ADS realm as a member server and authenticate users using LDAP/kerberos.

- Unicode support. Samba will now negotiate UNICODE on the wire and internally there is now a much better infrastructure for multi-byte and UNICODE character sets.

- New authentication system. The internal authentication system has been almost completely rewritten. Most of the changes are internal, but the new auth system is also very configurable.

- new filename mangling system. The filename mangling system has been completely rewritten. An internal database now stores mangling maps persistently. This needs lots of testing.

- new "net" command. A new "net" command has been added. It is somewhat similar to the "net" command in windows. Eventually we plan to replace a bunch of other utilities (such as smbpasswd) with subcommands in "net", at the moment only a few things are implemented.

- Samba now negotiates NT-style status32 codes on the wire. This improves error handling a lot.

- better w2k printing support including publishing printer attributes in active directory

- new loadable RPC modules

- new dual-daemon winbindd support for better performance

- support for migrating from a Windows NT 4.0 domain

- support for establishing trust relationships with Windows NT 4.0 domain controllers

Plus lots of other changes!

Reporting bugs & Development Discussion
---------------------------------------

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.

Changes in alpha23:
-------------------

LDAP Group Mapping
------------------

pdbedit -i -e sets all SAM_ACCOUNT elements to CHANGED to satisfy the new pdb_ldap.c handling.

pdbedit -g transfers group mappings. I made this separate from the user database, as current installations have to live with a split backend.

So, if you are running 3_0 alphas with LDAP as a backend and upgrade to 3.0alpha23, you must call

  root# pdbedit -i tdbsam -e ldapsam -g

to transfer your group mapping database to LDAP. All groups must be represented as posixGroup objects in the directory and you must adapt your LDAP schema to support the sambaGroupMapping before running this command. Refer to examples/LDAP/samba.schema for details on the objectclass.

Parameters
----------

Modified Parameters (see smb.conf(5) for details):

* passdb backend

Added Parameters

* ldap del only sam attr
* ldap delete dn

ChangeLog
---------

See cvs log for SAMBA_3_0 for complete details. There are many smaller numerous changes that would clutter the release notes.

0)
RE: [SECURITY] Samba 2.2.8 available for download
Andrew Bartlett [mailto:[EMAIL PROTECTED] wrote: > On Mon, 2003-03-31 at 06:12, Green, Paul wrote: > > Green, Paul [mailto:[EMAIL PROTECTED] wrote: > > > The 2.2.8 release notes say: > > > > > > > A buffer overrun condition exists in the SMB/CIFS packet > > > > fragment re-assembly code in smbd which would allow an > > > > attacker to cause smbd to overwrite arbitrary areas of > > > > memory in its own process address space. This could > > > > allow a skilled attacker to inject binary specific > > > > exploit code into smbd. > > > > I have written a short test case (available upon request) to > > confirm that Stratus VOS, when running on the HP PA-RISC > > hardware, is not susceptible to such an attack. While such > > an attack can indeed be used to insert code onto the VOS > > stack, as soon as the processor attempts to begin executing > > the code it will take a no-execute permission fault or an > > invalid-page fault. Therefore, the last sentence of this > > warning in the 2.2.8 release notes about "inject[ing] binary > > specific exploit code into smbd" does not apply to VOS on HP > > PA-RISC. > > > > As other experts have noted, there are probably other > > OS/Hardware combinations that are also immune to this attack. > > I hope other maintainers will post such information so that > > we can have a public record, and not needlessly scare our > > customers. > > I would not be so confident. You don't need to modify the > code that will be executed, or cause a jump to your exploit > to cause mischief. If you can overwrite an arbitrary > position in memory, I'm sure you can find some variable > that is critical to Samba's internal state, and go from > there. I agree with your comment, but in my defense, I was trying to respond to the comment in the release notes about injecting binary-specific exploit code. That can't happen on VOS when it is running on PA-RISC. 
We're in the process of porting VOS to the Intel Pentium family, and one of the things we're investigating is how to prevent this same attack on that chip. We're reasonably confident we'll be able to prevent this attack there, too. I think most of the attempts to attack Samba on VOS would result in denial of service, but I agree it is possible that someone could get Samba to bypass one of its internal checks. I'm far more concerned about the issue of injecting binary-specific code, because a successful attack of that type would open up the entire resources of the machine to the attacker. Having said all this, because some of my customers are interested in receiving the 2.2.x version of Samba for VOS, and because the 2.2.x version has the fix for the buffer overruns, and also because 3.0 is not yet ready for prime time, I hope that the patches I'm submitting to 2.2.x will be applied. I'm willing to apply them myself, and monitor the build farm for any fallout, if I'm granted access. I've been porting Samba to VOS since version 2.0.5, working on POSIX and open-source software since 1996, and been a software developer since 1969. I have extensive experience in operating systems and compilers and have been the architect and lead developer for the Stratus VOS POSIX environment. I have made it a rule to test all patches on both VOS and Solaris before submitting them to samba-technical. I'm also the maintainer of the ports of Perl and OpenSSL to VOS, among others. Thanks PG -- Paul Green, Senior Technical Consultant, Stratus Technologies, Maynard, MA USA Voice: +1 978-461-7557; FAX: +1 978-461-3610
RE: Samba 2.2.8 - Snap Server Support
Currently the snap has a hard time reading Samba's domain users / groups correctly. The patch (I did not write the code) simply fixes this problem. It works fine on W2k servers, but I think it runs on a windows appliance operating system. Not sure though. -Original Message- From: Paul Reilly [mailto:[EMAIL PROTECTED] Sent: Monday, March 31, 2003 9:26 AM To: Irving Carrion Subject: RE: Samba 2.2.8 - Snap Server Support > These are prebuilt NAS (network attached storage) servers with html gui > interfaces to configure. For more info go to > http://www.snapappliance.com/. > I see... But does samba not work with these already? What does your code do ? Paul
RE: Samba 2.2.8 - Snap Server Support
These are prebuilt NAS (network attached storage) servers with html gui interfaces to configure. For more info go to http://www.snapappliance.com/. We buy 'em 'cause they're compact, stable, network ready, and have lots of disk space.

-Original Message-
From: Paul Reilly [mailto:[EMAIL PROTECTED]
Sent: Monday, March 31, 2003 8:51 AM
To: Irving Carrion
Subject: RE: Samba 2.2.8 - Snap Server Support

> Is the Samba Team interested in supporting SNAP for 2.x versions? If so
> I can provide the patch.
>

What is SNAP ? What functionality does it provide?

Paul
RE: How to verify the domain secret is good or bad?
By default machine account passwords are changed every 7 days in MS world. You can change this via the "machine password timeout" smb.conf parameter.

Hope this helps,
Don

> -Original Message-
> From: Joey Collins [mailto:[EMAIL PROTECTED]
> Sent: Sunday, March 30, 2003 20:10
> To: Gerald (Jerry) Carter
> Cc: Chere Zhou; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: How to verify the domain secret is good or bad?
>
> "Gerald (Jerry) Carter" wrote:
> >
> > [snip]
> >
> > > Also, sometimes I saw problems like "wbinfo -t" just says "secret is bad",
> > > when all the daemons were running. It sure was good at some point before.
> >
> > Samba periodically changes the password on the server. secrets.tdb should
> > be in sync with this.
>
> Hi,
>
> Why does Samba do this? Does the secret expire after a certain period
> of time or is this done as a safety precaution?
>
> thanks,
> Joey.
RE: hide files problem
That's not a problem, that is as designed. USER has control over whether they want to view 'hidden' files via their gui. You only have control over whether they are marked as 'hidden' or not. IF you want to make sure that the user cannot get to these files AT ALL, then check out the 'veto files' option instead.

Hope this helps,
Don

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Monday, March 31, 2003 4:17
> To: [EMAIL PROTECTED]
> Subject: hide files problem
>
> Hi !
>
> I want to hide files with names beginning with "." So I have
> added following lines to my smb.conf (2.2.8):
>
>         hide dot files = yes
>         hide files = /.*
>
> When user changes options in folder options to show hide files
> and folders, he can see all files/folders beginning with "."
>
> greetz
> boka
Re: New modules system and vfs_done
On Mon, Mar 31, 2003 at 11:30:42AM +1000, Andrew Bartlett wrote about 'New modules system and vfs_done':
> As per my recent commit, the new (VFS) modules system completely breaks
> on tree disconnect!
> We need to separate the different cases - the compat and the central
> modules, and provide either a flag or a function pointer to the correct
> way to shut down a module.

if(handle->handle == NULL) then we're using a central module. I've got a patch that fixes all this, which I'll apply later today.

> The code in conn_close is really in the wrong place - it's dealing with
> the VFS, not the connection.
> And how should an internal module 'end' its operations anyway? We don't
> seem to have that coded up at all...

Problem is we can't assume a plugin is ever going to be unloaded - not all operating systems support dlclose() and plugins might be linked in statically.

Jelmer

--
Jelmer Vernooij <[EMAIL PROTECTED]>
~/.plan: create separate include files look at coolo's patches
Re: SID related debug messages
On Mon, Mar 31, 2003 at 01:56:45PM +0200, Michael Steffens wrote:
> the attached enhancements of SID related debug messages were quite
> useful for me for tracking down where "strange" SIDs winbindd
> complained about are coming from.
>
> Being there I found that my suspicious SIDs are included in the
> user token from DC on domain client validation, in the "other
> sids" section. Is this the place where W2k SID history lives?

I'm not sure where the SID history lives. As far as I can work out the other SIDs section seems to be where membership of universal groups from trusted domains is contained.

Tim.
RE: Samba 2.2.8 - Snap Server Support
Is the Samba Team interested in supporting SNAP for 2.x versions? If so I can provide the patch.

Thanks!!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Bartlett
Sent: Monday, March 31, 2003 7:07 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Samba 2.2.8 - Snap Server Support

On Mon, 2003-03-31 at 19:18, [EMAIL PROTECTED] wrote:
> Hello All!
>
> I've looked through some docs of 2.2.8 and haven't yet seen anything.
> Please forgive me if I may have missed something.
>
> Is there SNAP Server support in Samba 2.2.8? If not, are there any plans
> to support it in the future? I am aware that samba 3.0 has this
> functionality.

Sorry, no that code never made it back into 2.2, as far as I know.

> I was provided with a patch that seems to work just fine. I can pass this
> along to anyone interested.
>
> Many thanks to the Samba Team and all of its developers world-wide for a
> great product.

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: Defaults for 'profile path' etc to "" in 3.0?
On Mon, 2003-03-31 at 21:55, Stefan (metze) Metzmacher wrote:
> At 13:31 31.03.2003 +0200, Volker Lendecke wrote:
> >Hi!
> >
> >Given our 'rich' SAM backends I'd like to ask for your opinion on
> >changing the defaults for 'profile path' and 'logon home' to "" to
> >have workstation-local profiles be the default. NT does this, and we
> >change so much in the PDC anyway. The reason why I'm asking: It has
> >hit me several times now after doing a 'net rpc vampire' for testing
> >purposes that suddenly the users got server-based profiles when before
> >they had local profiles.
>
> I would say it's ok to change it

I think we should have a ./configure option for it, certainly. We have managed to keep option compatibility with 2.2 (even having a --with-ldapsam that sets the old defaults), so I would oppose changing the defaults.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: Samba 2.2.8 - Snap Server Support
On Mon, 2003-03-31 at 19:18, [EMAIL PROTECTED] wrote:
> Hello All!
>
> I've looked through some docs of 2.2.8 and haven't yet seen anything.
> Please forgive me if I may have missed something.
>
> Is there SNAP Server support in Samba 2.2.8? If not, are there any plans
> to support it in the future? I am aware that samba 3.0 has this
> functionality.

Sorry, no that code never made it back into 2.2, as far as I know.

> I was provided with a patch that seems to work just fine. I can pass this
> along to anyone interested.
>
> Many thanks to the Samba Team and all of its developers world-wide for a
> great product.

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
SID related debug messages
Hi, the attached enhancements of SID related debug messages were quite useful for me for tracking down where "strange" SIDs winbindd complained about are coming from. Being there I found that my suspicous SIDs are included in the user token from DC on domain client validation, in the "other sids" section. Is this the place where W2k SID history lives? Cheers! Michael Index: source/nsswitch/winbindd_group.c === RCS file: /cvsroot/samba/source/nsswitch/winbindd_group.c,v retrieving revision 1.3.4.25 diff -u -r1.3.4.25 winbindd_group.c --- source/nsswitch/winbindd_group.c14 Oct 2002 03:00:14 - 1.3.4.25 +++ source/nsswitch/winbindd_group.c31 Mar 2003 11:46:32 - @@ -290,7 +290,10 @@ sid_append_rid(&group_sid, group_rid); if (!winbindd_lookup_name_by_sid(&group_sid, dom_name, group_name, &name_type)) { - DEBUG(1, ("could not lookup sid\n")); + fstring temp; + + sid_to_string(temp, &group_sid); + DEBUG(1, ("could not lookup sid %s\n", temp)); return WINBINDD_ERROR; } Index: source/nsswitch/winbindd_util.c === RCS file: /cvsroot/samba/source/nsswitch/winbindd_util.c,v retrieving revision 1.7.4.26 diff -u -r1.7.4.26 winbindd_util.c --- source/nsswitch/winbindd_util.c 4 Mar 2003 23:35:50 - 1.7.4.26 +++ source/nsswitch/winbindd_util.c 31 Mar 2003 11:46:32 - @@ -262,7 +262,7 @@ domain = find_domain_from_sid(sid); if (!domain) { - DEBUG(1,("Can't find domain from sid\n")); + DEBUG(1,("Can't find domain from sid %s\n", sid_string_static(sid))); return False; } Index: source/smbd/password.c === RCS file: /cvsroot/samba/source/smbd/password.c,v retrieving revision 1.186.2.71 diff -u -r1.186.2.71 password.c --- source/smbd/password.c 4 Mar 2003 23:36:00 - 1.186.2.71 +++ source/smbd/password.c 31 Mar 2003 11:46:32 - 
@@ -1667,6 +1667,16 @@ sid_append_rid(&ptok->user_sids[i], info3.gids[i].g_rid); } + if (DEBUGLVL(10)) { + dbgtext("info3 group sids for %s in domain %s\n", user, domain); + for (i = 0; i < info3.num_groups2; i++) { + fstring temp; + + sid_to_string(temp, &ptok->user_sids[i]); + dbgtext("[%d] %s\n", i, temp); + } + } + /* Universal group memberships for other domains are stored in the info3.other_sids field. We also need to do sid filtering here. */ @@ -1674,6 +1684,16 @@ for (i = 0; i < info3.num_other_sids; i++) sid_copy(&ptok->user_sids[info3.num_groups2 + i], &info3.other_sids[i].sid); + + if (DEBUGLVL(10)) { + dbgtext("info3 other sids for %s in domain %s\n", user, domain); + for (i = 0; i < info3.num_other_sids; i++) { + fstring temp; + + sid_to_string(temp, &ptok->user_sids[info3.num_groups2 + i]); + dbgtext("[%d] %s\n", i, temp); + } + } *pptoken = ptok; }
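Review bot: In the winbindd_group.c hunk (@@ -290,7 +290,10), the new fstring temp and the sid_to_string(temp, &group_sid) call do by hand what the winbindd_util.c hunk of this same patch does with sid_string_static(sid). Passing sid_string_static(&group_sid) straight to DEBUG would drop the extra local and keep the two "could not look up" messages written the same way.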
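Review bot: The DEBUGLVL(10) block added in the first password.c hunk (@@ -1667,6 +1667,16) is repeated almost line for line in the next hunk, differing only in the label, the count and the index offset into ptok->user_sids. A small helper that takes the label, the starting index and the count would remove the duplication, and using sid_string_static() as in the winbindd_util.c hunk would avoid declaring fstring temp on every loop iteration.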
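Review bot: In the second password.c hunk (@@ -1674,6 +1684,16), the dump reads the SIDs back from ptok->user_sids after the copy loop, while the context comment directly above says SID filtering still needs to happen here. The message should state that these are the other_sids as received in info3, unfiltered, so that once filtering is added nobody reads this output as the final token contents; printing from info3.other_sids[i].sid instead of the token copy would make that explicit.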
Re: Defaults for 'profile path' etc to "" in 3.0?
At 13:31 31.03.2003 +0200, Volker Lendecke wrote:

Hi!

Given our 'rich' SAM backends I'd like to ask for your opinion on changing the defaults for 'profile path' and 'logon home' to "" to have workstation-local profiles be the default. NT does this, and we change so much in the PDC anyway. The reason why I'm asking: It has hit me several times now after doing a 'net rpc vampire' for testing purposes that suddenly the users got server-based profiles when before they had local profiles.

I would say it's ok to change it

metze
-
Stefan "metze" Metzmacher <[EMAIL PROTECTED]>
Defaults for 'profile path' etc to "" in 3.0?
Hi!

Given our 'rich' SAM backends I'd like to ask for your opinion on changing the defaults for 'profile path' and 'logon home' to "" to have workstation-local profiles be the default. NT does this, and we change so much in the PDC anyway. The reason why I'm asking: It has hit me several times now after doing a 'net rpc vampire' for testing purposes that suddenly the users got server-based profiles when before they had local profiles.

Volker
Re: New modules system and vfs_done
At 13:02 31.03.2003 +0200, Simo Sorce wrote:
> Eh, the shutdown stuff was just a thing, I was thinking yesterday ...
> I agree we should have to way to startup and shutdown the modules, as we
> have to way to load it (preload and fork).

to -> two

this is what my patch is about :-)

the old modules will have conn->vfs_private and the new modules will have conn->vfs_handles

but I think there's no way to beware old modules from recompiling :-(

metze
-
Stefan "metze" Metzmacher <[EMAIL PROTECTED]>
Re: New modules system and vfs_done
On Mon, 2003-03-31 at 12:25, Simo Sorce wrote:
> Eh, the shutdown stuff was just a thing, I was thinking yesterday ...
> I agree we should have to way to startup and shutdown the modules, as we
> have to way to load it (preload and fork).

to -> two

> This is mandatory for modules that uses databases or other repository
> they connect to through a socket or other communication mechanism.
>
> Simo.

--
Simo Sorce - [EMAIL PROTECTED]
Xsec s.r.l. - http://www.xsec.it
via Durando 10 Ed. G - 20158 - Milano
mobile: +39 329 328 7702
tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: New modules system and vfs_done
At 12:25 31.03.2003 +0200, Simo Sorce wrote:
On Mon, 2003-03-31 at 03:30, Andrew Bartlett wrote:
> As per my recent commit, the new (VFS) modules system completely breaks
> on tree disconnect!
>
> We need to separate the different cases - the compat and the central
> modules, and provide either a flag or a function pointer to the correct
> way to shut down a module.

I have a patch for that, ab will look at it later this week. It would be nice if you don't touch the vfs_done() function calls (I want to remove the vfs_init() and vfs_done() fn's for the new modules) and the shut down stuff should be in vfs_disconnect() !

>
> The code in conn_close is really in the wrong place - it's dealing with
> the VFS, not the connection.
>
> And how should a internal module 'end' it's operations anyway? We don't
> seem to have that coded up at all...

Eh, the shutdown stuff was just a thing, I was thinking yesterday ... I agree we should have to way to startup and shutdown the modules, as we have to way to load it (preload and fork). This is mandatory for modules that uses databases or other repository they connect to through a socket or other communication mechanism.

metze
-
Stefan "metze" Metzmacher <[EMAIL PROTECTED]>
[PATCH] fix the format of the new backtrace output
Hi all,

here's a small formatting fix to the new backtrace output in smb_panic()

metze
-
Stefan "metze" Metzmacher <[EMAIL PROTECTED]>

backtrace.diff Description: Binary data
Re: New modules system and vfs_done
On Mon, 2003-03-31 at 03:30, Andrew Bartlett wrote:
> As per my recent commit, the new (VFS) modules system completely breaks
> on tree disconnect!
>
> We need to separate the different cases - the compat and the central
> modules, and provide either a flag or a function pointer to the correct
> way to shut down a module.
>
> The code in conn_close is really in the wrong place - it's dealing with
> the VFS, not the connection.
>
> And how should a internal module 'end' it's operations anyway? We don't
> seem to have that coded up at all...

Eh, the shutdown stuff was just a thing, I was thinking yesterday ... I agree we should have to way to startup and shutdown the modules, as we have to way to load it (preload and fork). This is mandatory for modules that uses databases or other repository they connect to through a socket or other communication mechanism.

Simo.

--
Simo Sorce - [EMAIL PROTECTED]
Xsec s.r.l. - http://www.xsec.it
via Durando 10 Ed. G - 20158 - Milano
mobile: +39 329 328 7702
tel. +39 02 2399 7130 - fax: +39 02 700 442 399
[PATCH] fix some vfs bugs
Hi Alexander,

here're the following fixes:

1.) fix the logic when overloading vfs functions, the last vfs object should be called at first!
2.) let vfs_load_old_plugin() return the vfs_op_tuple * (Now this function has really no effect! :-)

metze
-
Stefan "metze" Metzmacher <[EMAIL PROTECTED]>

vfs-fix-01.diff Description: Binary data
Re: status of unixsam and guest passdb backends?
On Mon, 2003-03-31 at 18:52, Alexander Bokovoy wrote:
> On Mon, Mar 31, 2003 at 10:23:16AM +1000, Andrew Bartlett wrote:
> > > > Guestsam is in there to provide the only useful thing unixsam did -
> > > > ensuring that the guest account really was the guest, and had the guest
> > > > RID. It also helped with some Win2k behavior that assumed the presence
> > > > of the guest account.
> > >
> > > Could you update smb.conf(5) to this effect? Thanks.
> > Sure.
> Andrew, also put your changes into new smb.conf(5) doc in HEAD
> (docs/docbook/smbdotconf/) so that data wouldn't be unsynchronized. I'm
> expecting to finish HEAD conversion to Docbook XML late this week.

I was wondering about that...

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: When the keep-alive packet sent out,rfc1002 says different things!!
On Mon, 2003-03-31 at 19:42, [EMAIL PROTECTED] wrote:
> Hello everyone, When I am programming a samba client in freeDOS,using wattcp,
> I found a strange thing, which is not the same as rfc1002 claims.
> In rfc 1002,see below:
> So,during I write data or read data to server, it seems that server will
> not send me any keep-alive packet because he will reset the timer.But
> in fact,during I raw write a very large piece data to server(not
> matter windows or linux),it will send me a keep-alive
> occasionally,leading my defendless code crash.
> I REALLY don't understand why they don't obey the rules,or do I mistake rfc1002?
>
> Urgently hope for your kindly help,thank you

See www.ubiqx.org/cifs for a description of this horrid protocol...

Also, make sure you understand - the standard is what Microsoft does, not what any RFC says.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: Patch for Bad Password Attempt Lockout, samba3.0a22.
> On Fri, 2003-03-28 at 23:55, Jianliang Lu wrote:
> > Now the users of "admin users" will not be locked.
>
> "admin users" not the appropriate choice here. Better would be the
> members of the 'domain admins' group. The interesting bit is finding
> this out at the right point in time...

Yes, I agree with you. But until the privilege of "domain admins" does not work I can only use the "admin users" as the workaround to administrator's group.

> > In attach is the new patch
> > file.
> > About lockout duration, I will implement next time. I think that we should
> > extend another attribute to record the lockout time.
>
> We also need to check that the account policy has been set, and that
> it's not 0 (which I assume is the 'don't lock out' value).
>

'0' means forever. we can always put the max number like 9.. to that. As soon as the user logon with the correct password the bad attempt count will be reset to 0.

> Also, I'm worried about the writes this will cause on the backend. An
> LDAP write can be quite expensive, and for the LDAP case this means that
> the master ldap server will be hit for every logon attempt.
>

Yes, but I don't know how to implement it differently.

> Andrew Bartlett
>
> --
> Andrew Bartlett [EMAIL PROTECTED]
> Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
> Student Network Administrator, Hawker College [EMAIL PROTECTED]
> http://samba.org http://build.samba.org http://hawkerc.net

Jianliang Lu
TieSse s.p.a. Via Jervis, 60. 10015 Ivrea (To) - Italy
[EMAIL PROTECTED] [EMAIL PROTECTED]
Samba 2.2.8 - Snap Server Support
Hello All!

I've looked through some docs of 2.2.8 and haven't yet seen anything. Please forgive me if I may have missed something.

Is there SNAP Server support in Samba 2.2.8? If not, are there any plans to support it in the future? I am aware that samba 3.0 has this functionality.

I was provided with a patch that seems to work just fine. I can pass this along to anyone interested.

Many thanks to the Samba Team and all of its developers world-wide for a great product.
When the keep-alive packet sent out,rfc1002 says different things!!
Hello everyone,

When I am programming a samba client in freeDOS, using wattcp, I found a strange thing, which is not the same as rfc1002 claims. In rfc 1002, see below:

NetBIOS Working Group [Page 72]
RFC 1002 March 1987

5.2.2.2. RECEIVED PACKET PROCESSING

These are packets received after a session has been established.

   PROCEDURE session_packet(packet)
   /*
    * processing initiated by receipt of a session service
    * packet for a session in the data transfer phase.
    */
   BEGIN
        CASE packet type OF

           SESSION MESSAGE:
           BEGIN
                process message header;
                read in user data;
                reset and restart keep-alive timer; // note this!
                deliver data to user;
           END /* session message */

           SESSION KEEP ALIVE:
                discard packet;

        END /* case */
   END /* procedure */

So, during I write data or read data to server, it seems that server will not send me any keep-alive packet because he will reset the timer. But in fact, during I raw write a very large piece data to server (not matter windows or linux), it will send me a keep-alive occasionally, leading my defenseless code crash.

I REALLY don't understand why they don't obey the rules, or do I mistake rfc1002?

Urgently hope for your kindly help, thank you
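Added example, not part of the original post and not Samba's code: a C reader for the RFC 1002 session service stream that buffers whatever recv() returns, discards keep-alives wherever they fall between frames, and hands back one complete session message at a time. The names nbt_stream, nbt_feed and nbt_next are made up for this example, and it handles framed data-transfer traffic only (session message and keep-alive packets).

```c
#include <stdint.h>
#include <string.h>

#define NBT_SESSION_MESSAGE   0x00
#define NBT_SESSION_KEEPALIVE 0x85
#define NBT_HDR_LEN           4         /* type, flags, 16-bit length */
#define NBT_MAX_PAYLOAD       0x1FFFF   /* 17 bits: flags bit 0 + length */

struct nbt_stream {                     /* hypothetical reassembly buffer */
    uint8_t buf[NBT_HDR_LEN + NBT_MAX_PAYLOAD];
    size_t  used;                       /* bytes buffered so far */
};

/* Append whatever recv() returned; -1 if it would not fit. */
int nbt_feed(struct nbt_stream *s, const uint8_t *data, size_t len)
{
    if (len > sizeof s->buf - s->used)
        return -1;
    memcpy(s->buf + s->used, data, len);
    s->used += len;
    return 0;
}

/* 1: a complete session message was copied to out; 0: need more bytes;
 * -1: malformed frame. Keep-alives are dropped wherever they appear. */
int nbt_next(struct nbt_stream *s, uint8_t *out, size_t outcap, size_t *outlen)
{
    for (;;) {
        if (s->used < NBT_HDR_LEN)
            return 0;
        uint8_t type = s->buf[0];
        size_t plen = ((size_t)(s->buf[1] & 0x01) << 16) |
                      ((size_t)s->buf[2] << 8) | s->buf[3];
        if (s->buf[1] & 0xFE)
            return -1;                  /* reserved flag bits must be 0 */
        if (type == NBT_SESSION_KEEPALIVE ? plen != 0 : type != NBT_SESSION_MESSAGE)
            return -1;                  /* bad type, or keep-alive with data */
        if (s->used < NBT_HDR_LEN + plen)
            return 0;                   /* frame still incomplete */
        if (type == NBT_SESSION_MESSAGE) {
            if (plen > outcap)
                return -1;              /* caller's buffer too small */
            memcpy(out, s->buf + NBT_HDR_LEN, plen);
            *outlen = plen;
        }
        s->used -= NBT_HDR_LEN + plen;  /* consume the frame */
        memmove(s->buf, s->buf + NBT_HDR_LEN + plen, s->used);
        if (type == NBT_SESSION_MESSAGE)
            return 1;
    }
}

int main(void)
{
    static struct nbt_stream s;         /* constructed input below: */
    const uint8_t r1[] = {0x85, 0, 0, 0, 0x00, 0, 0, 5, 0xff, 'S'}; /* keep-alive + partial msg */
    const uint8_t r2[] = {'M', 'B', 0x72};                          /* rest of the message */
    uint8_t msg[64];
    size_t n = 0;
    nbt_feed(&s, r1, sizeof r1);
    int first = nbt_next(&s, msg, sizeof msg, &n);      /* 0: message incomplete */
    nbt_feed(&s, r2, sizeof r2);
    return first == 0 && nbt_next(&s, msg, sizeof msg, &n) == 1 && n == 5 ? 0 : 1;
}
```

Call nbt_feed() after every recv() and then loop on nbt_next() until it returns 0, so a keep-alive that arrives ahead of, or behind, an expected reply never reaches the SMB parser.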
hide files problem
Hi !

I want to hide files with names beginning with "."
So I have added following lines to my smb.conf (2.2.8):

        hide dot files = yes
        hide files = /.*

When user changes options in folder options to show hidden files and folders, he can see all files/folders beginning with "."

greetz
boka
net rpc samsync patch
Small patch to stop net rpc samsync from copying an empty comment when syncing group data. Cheers, Waider. Index: source/utils/net_rpc_samsync.c === RCS file: /cvsroot/samba/source/utils/net_rpc_samsync.c,v retrieving revision 1.20 diff -u -r1.20 net_rpc_samsync.c --- source/utils/net_rpc_samsync.c 30 Mar 2003 16:46:28 - 1.20 +++ source/utils/net_rpc_samsync.c 31 Mar 2003 09:09:46 - @@ -521,7 +521,10 @@ map.sid = group_sid; map.sid_name_use = SID_NAME_DOM_GRP; fstrcpy(map.nt_name, name); - fstrcpy(map.comment, comment); + +if (delta->hdr_grp_desc.buffer) { +fstrcpy(map.comment, comment); +} map.priv_set.count = 0; map.priv_set.set = NULL; -- [EMAIL PROTECTED] / Yes, it /is/ very personal of me. "it's this new keyboard. damn thing types faster than i do. i wish i knew where my old one went. it was connected to the computer when i went to bed last night." - Nikolai Kingsley
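Review bot: With the new if around fstrcpy(map.comment, comment), map.comment is left untouched whenever delta->hdr_grp_desc.buffer is zero, and nothing in this hunk shows map being cleared beforehand. If map is a fresh local, the comment field is then uninitialised when the entry is used later; if it was loaded from an existing mapping, a description that was removed on the source side is never cleared. An else branch that sets map.comment to an empty string, or a code comment saying which behaviour is intended, would settle it.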
Re: status of unixsam and guest passdb backends?
On Mon, Mar 31, 2003 at 10:23:16AM +1000, Andrew Bartlett wrote:
> > > Guestsam is in there to provide the only useful thing unixsam did -
> > > ensuring that the guest account really was the guest, and had the guest
> > > RID. It also helped with some Win2k behavior that assumed the presence
> > > of the guest account.
> >
> > Could you update smb.conf(5) to this effect? Thanks.
> Sure.

Andrew, also put your changes into new smb.conf(5) doc in HEAD (docs/docbook/smbdotconf/) so that data wouldn't be unsynchronized. I'm expecting to finish HEAD conversion to Docbook XML late this week.

--
/ Alexander Bokovoy
---
"You know, of course, that the Tasmanians, who never committed adultery, are now extinct." - M. Somerset Maugham