Re: [Samba] passwd: Authentication token manipulation error
Hi John,

> The smbpasswd utility only changes the password in /etc/samba/smbpasswd.
> It does NOT use PAM at all.
>
> The system tool 'passwd' (/bin/passwd or /usr/bin/passwd) will use PAM.
> Whatever you configure PAM to do it will follow.
>
> Firstly, pam_smbpass.so does NOT do unix system password changing! It can
> be added to your PAM configuration to update the /etc/samba/smbpasswd file.

In the case LDAP is configured, smbpasswd will change the lm/ntPassword Fields in the Samba Schemata instead of /etc/samba/smbpasswd. Do you know if pam_smbpass.so also recognizes this configuration?

Thanks,
Thorsten.

-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] passwd: Authentication token manipulation error
On Sun, 2 Feb 2003, Thorsten D. Marsen wrote:

> Hi John,
>
> > The smbpasswd utility only changes the password in /etc/samba/smbpasswd.
> > It does NOT use PAM at all.
> >
> > The system tool 'passwd' (/bin/passwd or /usr/bin/passwd) will use PAM.
> > Whatever you configure PAM to do it will follow.
> >
> > Firstly, pam_smbpass.so does NOT do unix system password changing! It can
> > be added to your PAM configuration to update the /etc/samba/smbpasswd file.
>
> In the case LDAP is configured, smbpasswd will change the lm/ntPassword
> Fields in the Samba Schemata instead of /etc/samba/smbpasswd. Do you know
> if pam_smbpass.so also recognizes this configuration?

No. pam_smbpass.so is a PAM module that directly acts on the /etc/samba/smbpasswd file.

- John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]
Re: [Samba] passwd: Authentication token manipulation error
Hi John,

Thanks for the help... will try out the audit migrate option and see what I get.

Regards,
Keith
The linuX Files -- The Source is Out There.

----- Original Message -----
From: John H Terpstra [EMAIL PROTECTED]
To: Keith Fernandez [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Sunday, February 02, 2003 5:30 AM
Subject: Re: [Samba] passwd: Authentication token manipulation error

On Sun, 2 Feb 2003, Keith Fernandez wrote:

Whoa Keith! Nowhere in your first email did you explain that you had already changed your Linux PAM configuration _AND_ are trying to use pam_smbpass.so.

The smbpasswd utility only changes the password in /etc/samba/smbpasswd. It does NOT use PAM at all.

The system tool 'passwd' (/bin/passwd or /usr/bin/passwd) will use PAM. Whatever you configure PAM to do it will follow.

Firstly, pam_smbpass.so does NOT do unix system password changing! It can be added to your PAM configuration to update the /etc/samba/smbpasswd file.

If you want to update both /etc/passwd (/etc/shadow) entries as well as /etc/samba/smbpasswd then the following recommendation is included in the source code by the author:

    #%PAM-1.0
    # password-sync
    #
    # A sample PAM configuration that shows the use of pam_smbpass to make
    # sure private/smbpasswd is kept in sync when /etc/passwd (/etc/shadow)
    # is changed. Useful when an expired password might be changed by an
    # application (such as ssh).
    auth       requisite    pam_nologin.so
    auth       required     pam_unix.so
    account    required     pam_unix.so
    password   requisite    pam_cracklib.so retry=3
    password   requisite    pam_unix.so shadow md5 use_authtok try_first_pass
    password   required     pam_smbpass.so nullok use_authtok try_first_pass
    session    required     pam_unix.so

And that is from the documentation in ~samba/source/pam_smbpass/samples.

Your RH8 machine may use pam_pwdb.so, or pam_unix2.so, or similar for system account password changing.

> I think it is a samba question, I did try to use more than 8 characters in
> the password and it still gave the same error.

If you do not have the pam_pwdb.so or pam_unix.so module in your PAM configuration then you have a hosed up PAM.

> I got this error when I tried to add a new user to the unix system and
> change his password. This is ONLY when I used the pam_smbpass option to
> samba.

Wait a moment. You added pam_smbpass.so to PAM - NOT to samba!

> So I think it is a samba question.

Whatever!

> the only workaround is what I had given below. If you have got the
> pam_smbpass option to sync unixpassword with smbpassword for NEW users,
> Please let me know. You say smbpassword adds any user present in
> /etc/password, TRUE... But my question is why can't I add a unix password
> to the user which will sync it with smbpassword the 1st time I create a
> user..

Explained above.

> Once I create my smbpassword and then I change my unix password then it
> syncs it with smbpassword and no error, why can't it do it the first time.

Fix your PAM configuration.

> Here is my error again using 8 characters in my password.
>
>     [root@localhost named]# useradd -g users keith
>     [root@localhost named]# passwd keith
>     Changing password for user keith.
>     New password:
>     Retype new password:
>     Failed to find entry for user keith.
>     passwd: Authentication token manipulation error

Right. Did you add the 'debug' or 'audit' options to the pam_smbpass.so line in your PAM configuration and then check /var/log/messages or /var/log/security for error messages?

> NOW IF I HAD DONE THIS
>
>     [root@localhost named]# useradd -g users keith
>     [root@localhost named]# smbpasswd -a keith
>     New SMB password:
>     Retype new SMB password:
>     Added user keith.
>     Password changed for user keith.

Of course it worked! It just changes /etc/samba/smbpasswd entries. You added the account (with the -a option), so now pam_smbpass.so can change the password. The account entry in /etc/samba/smbpasswd has to exist first.

>     [root@localhost named]# passwd keith
>     Changing password for user keith.
>     New password:
>     Retype new password:
>     passwd: all authentication tokens updated successfully
>
> Added this line to my /etc/pam.d/system-auth to get it to work after the
> pam_cracklib.so line
>
>     password required /lib/security/pam_smbpass.so nullok use_authtok try_first_pass

Try:

    password required /lib/security/pam_smbpass.so nullok use_authtok try_first_pass audit migrate

Cheers,
John T.
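The two points this thread turns on (the account entry has to exist in the smbpasswd file before pam_smbpass.so can change it, and the password stack needs a system module such as pam_unix.so alongside pam_smbpass.so) can be checked before running passwd. The following is an added example, not code from the thread or from Samba; the function names, finding labels and sample files are constructed for illustration, and the order check only compares a stack against the sample configuration quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for pam_smbpass sync.

# has_smbpasswd_entry FILE USER
# Succeeds when FILE (smbpasswd format: colon-separated, user name first)
# already holds an entry for USER.
has_smbpasswd_entry() {
    awk -F: -v u="$2" '$1 == u { found = 1 } END { exit !found }' "$1"
}

# lint_password_stack FILE
# Reads the "password" lines of a PAM service file (/etc/pam.d format),
# prints one finding per line, and returns non-zero if there is any finding.
lint_password_stack() {
    awk '
        $1 == "password" {
            n++
            # System password modules named in the thread.
            if ($3 ~ /pam_(unix|unix2|pwdb)\.so$/) unix_at = n
            if ($3 ~ /pam_smbpass\.so$/) {
                smb_at = n
                authtok = 0
                for (i = 4; i <= NF; i++) if ($i == "use_authtok") authtok = 1
            }
        }
        END {
            bad = 0
            if (!unix_at) { print "no-unix-module"; bad = 1 }
            if (!smb_at)  { print "no-pam_smbpass"; bad = 1 }
            # The quoted sample lists pam_unix.so before pam_smbpass.so.
            if (unix_at && smb_at && smb_at < unix_at) {
                print "smbpass-before-unix"; bad = 1
            }
            if (smb_at && !authtok) { print "smbpass-missing-use_authtok"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# write_samples DIR: constructed sample files, so the checks run offline.
write_samples() {
    # Only "alice" has an smbpasswd entry; hashes are placeholder X characters.
    printf '%s\n' \
        'alice:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:' \
        > "$1/smbpasswd"
    # Same module order as the password-sync sample quoted in the thread.
    cat > "$1/pam.good" <<'EOF'
#%PAM-1.0
password   requisite    pam_cracklib.so retry=3
password   requisite    pam_unix.so shadow md5 use_authtok try_first_pass
password   required     pam_smbpass.so nullok use_authtok try_first_pass
EOF
    # Constructed variant: pam_smbpass first and without use_authtok.
    cat > "$1/pam.bad" <<'EOF'
#%PAM-1.0
password   requisite    pam_cracklib.so retry=3
password   required     /lib/security/pam_smbpass.so nullok try_first_pass
password   sufficient   pam_unix.so shadow md5 use_authtok
EOF
}

# Demo run on the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
for u in alice keith; do
    if has_smbpasswd_entry "$tmp/smbpasswd" "$u"; then
        echo "$u: smbpasswd entry present"
    else
        echo "$u: no smbpasswd entry yet; add one with 'smbpasswd -a $u'"
    fi
done
for f in pam.good pam.bad; do
    echo "$f: $(lint_password_stack "$tmp/$f" | tr '\n' ' ')"
done
rm -rf "$tmp"
```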
Re: [despammed] [Samba] Samba - winXP lookup
from time to time I get a ~30 second lockup

Same for me! Rumour has it that you should make sure that XP's web dave client is disabled. Guess it's the WebClient service.

Thanks a lot. I'll try that!
[Samba] Windows 2000 Terminal Server Environment
I am running Citrix Metaframe XP on Windows 2000 server and would like to have the ability to access files on my AIX Unix server. Are there any issues with Samba in a Windows Terminal Server environment?

Thanks,
Tim Brooks
Re: [Samba] Extra sheet after printing a job.
Hi Erik,

Although I use CUPS, I had this problem while in Mandrake 8 9, I used Webmin to locate the Samba server and found that the CUPS printer had banner pages turned on. I turned it off and the 2nd sheet went away.

Don't know if this helps or not.

Doug Lytle

Erik Jakobsen wrote:

> At the end of a printerjob in my HP-DJ895Cxi and HP-1100A in my
> samba-server (SuSE Linux 8.1) an extra -blank- sheet is coming out of the
> printers. From the server if printing direct there's no extra paper sheet.
>
> I know the problem has been on the list before, and can also see how to
> solve it, but there's a problem.
>
> From default the SuSE 8.1 is installed with cups, and I wanted to install
> it with LPRng. The printers are printing ok from the server, and via samba
> my printers are also printing fine.
>
> But here's the problem. I print from a Fujitsu/Siemens C6155 Lifebook
> computer, and whether I print via samba to either of the 2 printers, they
> always stop a job by sending out an extra sheet.
>
> In the archives there stands: Uncommenting
> #PRINT_RAW_SUPPRESS_FORMFEED=yes in /etc/apsfilterrc. But due to my install
> of LPRng, I cannot find the apsfilterrc.
>
> How can I get rid of the problem?
[Samba] RAV for Samba (Linux i386)
Just wondering if anyone has thoughts (good or bad) about this product (RAV AntiVirus for Samba (Linux i386))...or any other? I have a client that wants to have A/V *on* their samba server, rather than just scanning the shares from a WS.

Any comments regarding ANTIVIRUS PROTECTION and SAMBA are gratefully welcome!

TIA
-Ryan Beisner
[Samba] howto kill connection to an smbclient
I read through the man pages and could not find anything but swat to kill a connection to a samba client.

I have the following situation. I have a CD-changer with 6 discs that serves a video archive. Upon magazine insertion I start mounting all 6 discs in a row. To be able to eject the magazine again I have to umount each disc. Unfortunately I get a device busy on the last disc that was accessed.

I tried smbcontrol smbd close-share (sharename/busy drive) but that did not do it. I can only restart samba (which is not my intention) or I can use swat, click on status and kill the connection to the client. But this is not doable for my kind of configuration since I have to umount the drives through a script.

Any suggestions on how I can kill the connection to the client on the command line are greatly appreciated.

André.
Re: [Samba] howto kill connection to an smbclient
smbstatus will show you the pids of active connections.

Joel

On Sun, Feb 02, 2003 at 06:41:33PM +0100, André Weidemann wrote:

> Any suggestions on how I can kill the connection to the client on the
> command line are greatly appreciated.
[Samba] FreeBSD 5.0 + ACLs
Hi all,

I am playing with a test box at the moment running a Samba 2.2.7a domain on FreeBSD 5.0. I wish to enable ACLs, but I am not exactly sure what I am supposed to expect once they are enabled.

I have created a UFS2 partition and enabled ACL support using tunefs. Since doing that, I have been able to connect to the Samba shares and modify ACLs, but so far the only things I have been able to accomplish are changing ownership, and modifying the o/g/u permissions.

As I understand it, because UFS2 supports ACLs, am I not supposed to be able to create more thorough ACLs (much like NTFS can?) Have I chosen the correct file-system to do the job?

Regards,
-- 
Adam Smith
Information Technology Officer
SAGE Automation Ltd.
[EMAIL PROTECTED]
http://www.sageautomation.com
Re: [Samba] Samba on OSX
Hi Delmar,

Best place to go is www.afp48.com. They have a tutorial to set up OS X as a PDC. I have followed it and have my OS X server as a PDC for Win 2K computers.

On 2/1/03 11:31 PM, delmar watkins [EMAIL PROTECTED] wrote:

> Hi all, new to the list but have read the archives. I am trying to get my
> OSX box to be a PDC with win2k clients, but am having trouble. I can't seem
> to find any documentation on this, nor have I seen anyone with experience
> doing this. Can someone point me to some resources I could RTFM before I
> start asking questions to the list?
>
> Thanks!

Sean Roulet
Technology Manager
Artradis Fund Management Pte Ltd
[Samba] Re: FreeBSD 5.0 + ACLs
--- Adam Smith [EMAIL PROTECTED] wrote:

> I am playing with a test box at the moment running a Samba 2.2.7a domain
> on FreeBSD 5.0. I wish to enable ACLs, but I am not exactly sure what I am
> supposed to expect once they are enabled.
>
> I have created a UFS2 partition and enabled ACL support using tunefs.
> Since doing that, I have been able to connect to the Samba shares and
> modify ACLs, but so far the only things I have been able to accomplish are
> changing ownership, and modifying the o/g/u permissions.
>
> As I understand it, because UFS2 supports ACLs, am I not supposed to be
> able to create more thorough ACLs (much like NTFS can?) Have I chosen the
> correct file-system to do the job?

It appears you have. We're using ACL support on Linux and ext3. We had to patch our kernel and got ACL options when we did. After booting the new kernel, we were able to add 'acl' after 'defaults' in fstab. You _might_ need the same; run mount and see what the options are next to your partition.

The next step (and what you're probably missing) is compiling samba --with-acl-support (or something like that.. do ./configure --help | grep -i acl). I tweaked a .spec file in a SRPM and you might have to edit your port's Makefile or something.

We also had to install acl/libacl/libacl-devel and attr/libattr/libattr-devel (e.g. binaries, libraries, and development headers+includes) packages in order to compile. In FreeBSD this probably means compiling the acl/libacl/attr/libattr tarballs, but look at acl.bestbits.at and the FreeBSD docs for more help there.

WATCH your ./configure output and make sure it enables ACL support.. don't just assume! It was there we determined we needed the above packages.

We used Sam's Teach Yourself Samba In 24 Hours as a guide, and it can no doubt help you, too.

/dev/idal
RE: [Samba] Re: FreeBSD 5.0 + ACLs
> The next step (and what you're probably missing) is compiling samba
> --with-acl-support (or something like that.. do ./configure --help | grep
> -i acl). I tweaked a .spec file in a SRPM and you might have to edit your
> port's Makefile or something.

I installed Samba from the ports with a make install. The configuration screen allowed me to select ACLs, but to be safe, I recompiled it and reinstalled it manually with a 'make --with-acl-support.'

The output from mount says:

    /dev/ar0s1g on /data (ufs, local, acls)

> We also had to install acl/libacl/libacl-devel and
> attr/libattr/libattr-devel (e.g. binaries, libraries, and development
> headers+includes) packages in order to compile.

I did a quick search on freebsd.org and Google but found nothing extremely helpful :/

Am I supposed to be able to modify 'extended' ACLs on the UFS2 file system? Something could be wrong with it. Whenever I do an 'ls -la' I get the following results:

    ls: ./.: Operation not supported
    drwxrwx---  10 root  administration   512 Jan 29 11:08 .
    ls: ./..: Operation not supported
    drwxr-xr-x  12 root  wheel            512 Jan 29 16:28 ..
    ls: ./Accounts: Operation not supported
    drwxrwx---   3 root  administration   512 Jan 29 09:02 Accounts
    ls: ./Accounts Payable: Operation not supported
    drwxrwx---   4 root  administration   512 Jan 29 08:36 Accounts Payable
    ls: ./Finance: Operation not supported
    drwxrwx---  26 root  administration  1536 Jan 29 08:37 Finance

Every directory brings that up. It is the -l option causing the problem. A normal 'ls' on its own doesn't display these errors.

Any ideas here?

Adam
-- 
Adam Smith
Information Technology Officer
SAGE Automation Ltd.
[EMAIL PROTECTED]
http://www.sageautomation.com
RE: [Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help
Hi All,

Thanks for your help, still no luck though. More info for you.

With no debug statements in my /etc/pam.conf I get in sys log the following.

    Feb 2 14:43:02 coastdr pam_winbind[2832]: user 'traininguser' granted acces

With debug turned on I get

    Feb 2 14:47:49 coastdr pam_winbind[2839]: Verify user `traininguser'
    Feb 2 14:47:49 coastdr pam_winbind[2839]: user 'traininguser' granted acces

The user is still logging out. Incidentally, when I log in as a unix user, rather than a win2k user, I don't get anything in sys log.

I've included my pam.conf below. Also, I checked for /etc/shells, no such file, and I have set my smb.conf shell line to

    template shell = /sbin/sh

and also tried

    template shell = /usr/bin/sh

Both files exist.

    #
    # PAM configuration
    #
    # Authentication management
    #
    login    auth sufficient /usr/lib/security/libpam_unix.1 debug
    login    auth sufficient /usr/lib/security/libpam_winbind.1 debug
    #login   auth sufficient /usr/lib/security/libpam_smb.1 nolocal debug
    su       auth required   /usr/lib/security/libpam_unix.1 debug
    dtlogin  auth required   /usr/lib/security/libpam_unix.1 debug
    dtaction auth required   /usr/lib/security/libpam_unix.1 debug
    ftp      auth required   /usr/lib/security/libpam_unix.1 debug
    OTHER    auth required   /usr/lib/security/libpam_unix.1 debug
    #
    # Account management
    #
    login    account sufficient /usr/lib/security/libpam_unix.1 debug
    login    account sufficient /usr/lib/security/libpam_winbind.1 debug
    su       account required   /usr/lib/security/libpam_unix.1 debug
    dtlogin  account required   /usr/lib/security/libpam_unix.1 debug
    dtaction account required   /usr/lib/security/libpam_unix.1 debug
    ftp      account required   /usr/lib/security/libpam_unix.1 debug
    #
    OTHER    account required   /usr/lib/security/libpam_unix.1 debug
    #
    # Session management
    #
    login    session sufficient /usr/lib/security/libpam_unix.1 debug
    login    session sufficient /usr/lib/security/libpam_winbind.1 debug
    dtlogin  session required   /usr/lib/security/libpam_unix.1 debug
    dtaction session required   /usr/lib/security/libpam_unix.1 debug
    OTHER    session required   /usr/lib/security/libpam_unix.1 debug
    #
    # Password management
    #
    login    password sufficient /usr/lib/security/libpam_unix.1 debug
    login    password sufficient /usr/lib/security/libpam_winbind.1 debug
    passwd   password required   /usr/lib/security/libpam_unix.1 debug
    passwd   password required   /usr/lib/security/libpam_winbind.1 debug
    dtlogin  password required   /usr/lib/security/libpam_unix.1 debug
    dtaction password required   /usr/lib/security/libpam_unix.1 debug
    OTHER    password required   /usr/lib/security/libpam_unix.1 debug

Cheers
Miles

-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:[EMAIL PROTECTED]]
Sent: Saturday, 1 February 2003 04:53 a.m.
To: 'John H Terpstra'; Miles Roper
Cc: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'; Esh, Andrew; Ronan Waide; STEFFENS,MICHAEL (HP-Germany,ex1); MCCALL,DON (HP-USA,ex1); 'Richard Sharpe'
Subject: RE: [Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help

Hi, Miles,

Actually on HP-UX, you will need to add the word 'debug' at the end of each of the lines in your /etc/pam.conf file, to enable more debugging to go into the /var/adm/syslog/syslog.log file.

One thing that I have seen something like this happen on is if the /etc/shells file is corrupt, or if the shell that is defined for the user (since they don't have a /etc/passwd entry, this would be whatever you put in template in the smb.conf) does not exactly match one of the lines in /etc/shells, or the defaults, if this file does not exist. The defaults for 11.0 are:

    /sbin/sh
    /usr/bin/sh
    /usr/bin/rsh
    /usr/bin/ksh
    /usr/bin/rksh
    /usr/bin/csh
    /usr/bin/keysh

Hope this helps,
Don

-----Original Message-----
From: John H Terpstra [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 31, 2003 1:36
To: Miles Roper
Cc: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'; Esh, Andrew; Ronan Waide; STEFFENS,MICHAEL (HP-Germany,ex1); 'MCCALL,DON (HP-USA,ex1)'; 'Richard Sharpe'
Subject: RE: [Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help

On Fri, 31 Jan 2003, Miles Roper wrote:

> Hi Everyone,
>
> I'm forgetting about the password one at the moment, thanks for all your
> input :o)
>
> I still don't have a clue how to solve my main problem. I'm assuming that
> it's not actually winbind related now, as I've recently tried pam_smb and
> get the same basic problem.
>
> Basically, when I log into the UNIX box, the username/password of a NT
> user is being authenticated, but doesn't actually log in. It doesn't get
> past the password line. I know it
Re: Will these patches make it into 2.2.8?
Gerald (Jerry) Carter wrote:

> On Fri, 31 Jan 2003 [EMAIL PROTECTED] wrote:
>
> They are in my inbox queue of things to merge. I have to work on HP
> printing bugs as my 'day' job priority, but I have not forgotten these and
> will ensure they get added before 2.2.8
>
> But probably not for 2.2.8pre1.

Oops, did it sound that impatient? Sorry, that was not intended. Just didn't want to delay the question until one hour before final release :)

Michael
Re: heimdal didn't have AP_OPTS_USE_SUBKEY
Sorry, the previously posted patch was needlessly complicated. The attached patch just contains the Kerberos-related stuff. -- Luke Index: configure.in === RCS file: /cvsroot/samba/source/configure.in,v retrieving revision 1.397 diff -u -r1.397 configure.in --- configure.in1 Feb 2003 11:00:39 - 1.397 +++ configure.in2 Feb 2003 12:12:47 - @@ -2198,6 +2198,8 @@ # now see if we can find the gssapi libs in standard paths + AC_CHECK_LIB(gssapi, gss_display_status, [LIBS=$LIBS -lgssapi; + AC_DEFINE(HAVE_GSSAPI,1,[Whether GSSAPI is available])]) AC_CHECK_LIB(gssapi_krb5, gss_display_status, [LIBS=$LIBS -lgssapi_krb5; AC_DEFINE(HAVE_GSSAPI,1,[Whether GSSAPI is available])]) Index: libads/kerberos_verify.c === RCS file: /cvsroot/samba/source/libads/kerberos_verify.c,v retrieving revision 1.5 diff -u -r1.5 kerberos_verify.c --- libads/kerberos_verify.c11 Jan 2003 03:29:31 - 1.5 +++ libads/kerberos_verify.c2 Feb 2003 12:12:48 - @@ -3,7 +3,7 @@ kerberos utility library Copyright (C) Andrew Tridgell 2001 Copyright (C) Remus Koos 2001 - + Copyright (C) Luke Howard 2003 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
@@ -29,25 +29,28 @@ authorization_data if available */ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, - char **principal, DATA_BLOB *auth_data) + char **principal, DATA_BLOB *auth_data, + uint8 session_key[16]) { krb5_context context; krb5_auth_context auth_context = NULL; krb5_keytab keytab = NULL; krb5_data packet; krb5_ticket *tkt = NULL; - krb5_data salt; - krb5_encrypt_block eblock; int ret, i; +#ifndef XAD krb5_keyblock * key; krb5_principal host_princ; char *host_princ_s; fstring myname; char *password_s; +#endif krb5_data password; - krb5_enctype *enctypes = NULL; - BOOL auth_ok = False; + krb5_keyblock *skey; +#ifdef XAD + /* We would rather use the keytab. */ +#else if (!secrets_init()) { DEBUG(1,(secrets_init failed\n)); return NT_STATUS_LOGON_FAILURE; @@ -61,6 +64,7 @@ password.data = password_s; password.length = strlen(password_s); +#endif /* XAD */ ret = krb5_init_context(context); if (ret) { @@ -83,6 +87,7 @@ return NT_STATUS_LOGON_FAILURE; } +#ifndef XAD fstrcpy(myname, global_myname()); strlower(myname); asprintf(host_princ_s, HOST/%s@%s, myname, lp_realm()); 
@@ -92,69 +97,58 @@ return NT_STATUS_LOGON_FAILURE; } - ret = krb5_principal2salt(context, host_princ, salt); - if (ret) { - DEBUG(1,(krb5_principal2salt failed (%s)\n, error_message(ret))); - return NT_STATUS_LOGON_FAILURE; - } - if (!(key = (krb5_keyblock *)malloc(sizeof(*key { return NT_STATUS_NO_MEMORY; } - if ((ret = krb5_get_permitted_enctypes(context, enctypes))) { - DEBUG(1,(krb5_get_permitted_enctypes failed (%s)\n, -error_message(ret))); - return NT_STATUS_LOGON_FAILURE; + ret = create_kerberos_key_from_string(context, host_princ, password, key); + if (ret) { + continue; } - /* we need to setup a auth context with each possible encoding type in turn */ - for (i=0;enctypes[i];i++) { - krb5_use_enctype(context, eblock, enctypes[i]); - - ret = krb5_string_to_key(context, eblock, key, password, salt); - if (ret) { - continue; - } + krb5_auth_con_setuseruserkey(context, auth_context, key); +#endif /* XAD */ - krb5_auth_con_setuseruserkey(context, auth_context, key); + packet.length = ticket-length; + packet.data = (krb5_pointer)ticket-data; - packet.length = ticket-length; - packet.data = (krb5_pointer)ticket-data; - - if (!(ret = krb5_rd_req(context, auth_context, packet, - NULL, keytab, NULL, tkt))) { - krb5_free_ktypes(context, enctypes); - auth_ok = True; - break; - } - } - - if (!auth_ok) { + if ((ret = krb5_rd_req(context, auth_context, packet, + NULL, keytab, NULL, tkt))) { DEBUG(3,(krb5_rd_req with auth failed (%s)\n,
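Review bot: in the configure.in hunk, the added AC_CHECK_LIB(gssapi, gss_display_status, ...) and the existing AC_CHECK_LIB(gssapi_krb5, gss_display_status, ...) both append to LIBS and both define HAVE_GSSAPI, so a host that has both libraries installed ends up linking -lgssapi and -lgssapi_krb5 together. Run the second check only when the first one fails, so that exactly one GSSAPI library is selected.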
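Review bot: the new uint8 session_key[16] parameter of ads_verify_ticket() in the -29,25 hunk is not described in the function comment, which still ends at "authorization_data if available", and nothing in the signature tells a caller what it receives when the ticket's key is not 16 bytes long; please document that contract. In the same region, krb5_data password stays declared outside #ifndef XAD while the lines that assign password.data and password.length are now inside it, so the variable is unused in an XAD build.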
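Review bot: in the -92,69 hunk, the added "if (ret) { continue; }" after create_kerberos_key_from_string() has no enclosing loop, because the same hunk removes the "for (i=0;enctypes[i];i++)" loop, so the non-XAD build will not compile. Log the failure with DEBUG and return NT_STATUS_LOGON_FAILURE there, as the other error paths in this function do, and free the key allocated by the malloc just above on that path.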
Re: REPOST: Meaning of tdb_free: left read failed at ...?
On Sun, 2003-02-02 at 15:58, Ralf G. R. Bergs wrote:

> On Sun, 02 Feb 2003 14:47:11 +0100, Simo Sorce wrote:
>
> > you can try to delete unexpected.tdb it does not hold any vital
> > information.
>
> The problem has reappeared even after I removed the above file:
>
>     Feb 2 11:18:29 Fileserver nmbd[22451]: [2003/02/02 11:18:29, 0] tdb/tdbutil.c:tdb_log(531)
>     Feb 2 11:18:29 Fileserver nmbd[22451]: tdb (/var/run/samba/unexpected.tdb): tdb_oob len -2320 beyond eof at 24576
>     Feb 2 11:18:29 Fileserver nmbd[22451]: [2003/02/02 11:18:29, 0] tdb/tdbutil.c:tdb_log(531)
>     Feb 2 11:18:29 Fileserver nmbd[22451]: tdb (/var/run/samba/unexpected.tdb): tdb_free: left read failed at 4294964952 (4096)
>     [...]
>
> > do they reside on an nfs mount? or any other alternative filesystem?
>
> They? Does what reside on an NFS mount?

sorry I mean the tdb files.

> I have only shares with local XFS filesystems (as large as 250G.)
>
> > what kernel? what samba version?
>
> The system in question is a Debian i386 stable (3.0) system, kernel is
> 2.4.20 release (with some patches such as EVMS and XFS, but EVMS is NOT in
> use for shares exported via Samba!!), Samba is 2.2.7a (a Debian package
> that I created myself.)

I would try again with a standard ext2/3 file system. Just compile and install all samba related files under a well tested file system like ext2/3. I have had no problem with XFS, but 2.4.20 may have broken something subtle, who knows?

bye,
Simo
-- 
Simo Sorce - [EMAIL PROTECTED]
Samba Team - http://www.samba.org
Italian Site - http://samba.xsec.it
Re: REPOST: Meaning of tdb_free: left read failed at ...?
On Sun, 02 Feb 2003 15:44:18 +0100, Simo Sorce wrote:

> On Sun, 2003-02-02 at 15:58, Ralf G. R. Bergs wrote:
>
> > On Sun, 02 Feb 2003 14:47:11 +0100, Simo Sorce wrote:
> >
> > > you can try to delete unexpected.tdb it does not hold any vital
> > > information.
> >
> > The problem has reappeared even after I removed the above file:
> >
> >     Feb 2 11:18:29 Fileserver nmbd[22451]: [2003/02/02 11:18:29, 0] tdb/tdbutil.c:tdb_log(531)
> >     Feb 2 11:18:29 Fileserver nmbd[22451]: tdb (/var/run/samba/unexpected.tdb): tdb_oob len -2320 beyond eof at 24576
> >     Feb 2 11:18:29 Fileserver nmbd[22451]: [2003/02/02 11:18:29, 0] tdb/tdbutil.c:tdb_log(531)
> >     Feb 2 11:18:29 Fileserver nmbd[22451]: tdb (/var/run/samba/unexpected.tdb): tdb_free: left read failed at 4294964952 (4096)
> >     [...]
> >
> > > do they reside on an nfs mount? or any other alternative filesystem?
> >
> > They? Does what reside on an NFS mount?
>
> sorry I mean the tdb files.

Weell, the TDB files (/var/run/samba) DO reside on an alternative filesystem in your words: They're on an XFS filesystem that itself resides on an EVMS logical volume that itself resides on a RAID-5 region. :-)

But the thing is that the system otherwise seems to run extremely well -- I don't see ANY other suspicious log entries.

> > [...]
> > The system in question is a Debian i386 stable (3.0) system, kernel is
> > 2.4.20 release (with some patches such as EVMS and XFS, but EVMS is NOT
> > in use for shares exported via Samba!!), Samba is 2.2.7a (a Debian
> > package that I created myself.)
>
> I would try again with a standard ext2/3 file system. Just compile and
> install all samba related files under a well tested file system like
> ext2/3. I have had no problem with XFS, but 2.4.20 may have broken
> something subtle, who knows?

This is just not possible. The system we're talking about is a production fileserver for some hundred or so users. I can't change the partitioning scheme, nor can I change the filesystem used.

Shouldn't we rather try to isolate and fix the problem, rather than working around it?

Thanks,
Ralf
RE: Drive already connected Error in Windows 2000
are you sure you haven't just broken your net use /persistent:no

w2k reconnects your drives as they were last time by default.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Green, Paul
Sent: Sunday, February 02, 2003 4:46 PM
To: 'Grierson, Garry (UK07)'; [EMAIL PROTECTED]
Subject: RE: Drive already connected Error in Windows 2000

(please reply to list)

Some standard questions...

What service pack level for W2K?
What operating system are you running under samba 2.2.7?
Do you have a reproducible test case you can post?
Anything out of the ordinary in your smb.conf file?

Sounds like an operating system resource-limit issue...

PG

-----Original Message-----
From: Grierson, Garry (UK07) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 28, 2003 7:45 AM
To: [EMAIL PROTECTED]
Subject: FW: Drive already connected Error in Windows 2000

The log.smbd file has lots of (No locks available) errors.. Any help?

-----Original Message-----
From: Grierson, Garry (UK07)
Sent: 28 January 2003 11:36
To: '[EMAIL PROTECTED]'
Subject: Drive already connected Error in Windows 2000

I have been successfully running with Samba 2.0.7 for more than a year now but am having problems using version 2.2.7.

Drive connections to windows 2000 systems have started coming up with 'Drive already connected' errors. When I look at the SMBD processes running on the samba server there are several daemons running that are not currently used. There is also more than one connection per client machine and I can't seem to kill -15 (or even kill -9) these smbd daemons.

Any help would be gratefully appreciated!
Re: improved dos attribute handling
Sorry. I'm not subscribed to this list so I could not preserve the reply-to header. Please Cc: me if you want me to know the mail. :)

John E. Malmberg wrote:
> Ola Lundqvist wrote:
>> Hello again. This is the next issue for which I have created a patch. There is a problem with the current dos filemode option. The problem is that you can only set read only but not remove it again. You can of course not because you do no longer have write permissions to the file.
>>
>> My fix changes the behaviour to check the directory and file for permissions. If the user has write permission to the dir and (is owner of file, or member of group or part of group) of the file the read-only can be removed.
>>
>> The code is tested but not for very long time. Right now just a week in a production server. I have not checked if it is possible to bypass something but I do not think so. I think I have caught all cases, but checking is good.
>
> You are aware that this can introduce a security hole because the way that DOS / Windows handles the Readonly bit is quite different than in a POSIX or UNIX environment.

Yes, I'm aware of that. My solution is based on that all users can only access the data using samba, and do not have a shell account. I have not analyzed problems with shell accounts (yet).

> In the Microsoft Windows and DOS environment, the Readonly attribute means that no one has write or delete access to the file, not even the Administrator or root account. If your platform supports ACLs, the Readonly bit is supposed to override them also.
>
> So unless you change the security model of the host platform, it is not possible to have the Readonly attribute behave the way that it does in a Microsoft Windows environment.
>
> Now you can determine if the file is Readonly to the client, and use the bit to report this. But it is not possible for a POSIX host to allow the client to change this attribute and have it have the same effect.

You are probably right. On the other hand, samba could deny every write to a file that has no write permission, even if the user is administrator. It would need more patching though.

> The model of simulating a Readonly bit by removing Write and delete access from the Owner, Group, and World bits is ignoring that root or setuid root programs can still write to the file, and does not take into account that ACLs can still grant write access.
>
> The problem with this, is that while you can allow the client to remove the write/delete bits from a file that they have permission to change the permission on, it is not good to have the client put the write permissions back on.

On the other hand, with the current setup users must have administrative rights to modify read-only bit. This is a problem because in a windows environment (with users used to windows stuff) there is no such thing as file owners.

> You simply do not know what the Group and World settings were prior to the Readonly attribute being set.

And that is why I check the directory permissions. Iff the user has write access to the directory and is member of the file it can modify the permissions.

> If you have a file that starts out: W:readonly, G:readonly, O:read-write, and the client sets the Readonly bit, then the result is obvious. When the client clears Readonly bit, then if you just add Write and Delete access to the owner, everything is back to normal.

I assume that in this situation the user has no write access to the directory and thus will be denied access. If you have write access to the directory you can actually (with normal posix permissions) go around this anyway. Just copy the file, delete the old and move it back to its original place. Test using:

touch foo
sudo chown otheruser foo
sudo chmod g-w foo
rm foo
rm: Remove write protected file foo? y
ls -l foo
ls: foo: File or directory not found

So my patch does not change anything. I just make the copy, del, move thing easier (using the usual dialog box).

> However if the file starts out: W:readonly, G:read-write, and O:read-write, and when the client sets the Readonly bit, write access is removed from the Group, and Owner. But what happens when you just set the O: write+delete settings when the client clears the Readonly bit, the other members of the group still will not have write access to the file.

True.

> A similar situation will exist in the event that the file started out with W:write+delete access.
>
> Now with ACLs implemented on the host platform, even this simulation will not work. The Readonly bit based solely on the protection mask becomes totally misleading. You can set it or clear it, but it may have no effect on access to the file by either the host programs or to clients.
>
> With ACLs, you can create a SAMBA_READONLY entry, and then use that to simulate the READONLY bit. But it must be applied in such a way that gives it priority over all ACEs. Because it is a DENY if present ACE, on OpenVMS, it would require that all user
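
The mode-bit arithmetic behind the objection in this thread, together with the directory-plus-ownership rule from the patch description, as an added C example that is neither Samba code nor part of the posted patch. The function names, the single-group `struct caller` and the uid/gid values are hypothetical, and the rule is one reading of the post's wording.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#define ALL_WRITE (S_IWUSR | S_IWGRP | S_IWOTH)

/* Client sets Readonly: write is removed from owner, group and world. */
mode_t set_readonly(mode_t m) { return m & ~(mode_t)ALL_WRITE; }

/* Client clears Readonly: only owner write comes back, because the group and
 * world bits that existed before the set were never recorded. */
mode_t clear_readonly(mode_t m) { return m | S_IWUSR; }

/* Write bits that a set-then-clear round trip fails to restore. */
mode_t lost_write_bits(mode_t before)
{
    return (before ^ clear_readonly(set_readonly(before))) & ALL_WRITE;
}

struct caller { uid_t uid; gid_t gid; };  /* hypothetical; one group, not root */

/* POSIX picks exactly one permission class: owner, else group, else other. */
static int has_write(const struct caller *c, const struct stat *st)
{
    if (c->uid == st->st_uid) return (st->st_mode & S_IWUSR) != 0;
    if (c->gid == st->st_gid) return (st->st_mode & S_IWGRP) != 0;
    return (st->st_mode & S_IWOTH) != 0;
}

/* One reading of the rule in the post: write permission on the directory
 * AND (owner of the file OR member of the file's group). */
int may_clear_readonly(const struct caller *c, const struct stat *dir,
                       const struct stat *file)
{
    int related = c->uid == file->st_uid || c->gid == file->st_gid;
    return has_write(c, dir) && related;
}

/* Constructed case: alice (uid 1000, gid 100), a 0444 file owned by uid 1001
 * in group 100, inside a root-owned group-100 directory of the given mode. */
int demo_allowed(mode_t dir_mode)
{
    struct caller alice = { 1000, 100 };
    struct stat dir = {0}, file = {0};
    dir.st_uid = 0;     dir.st_gid = 100;  dir.st_mode = dir_mode;
    file.st_uid = 1001; file.st_gid = 100; file.st_mode = 0444;
    return may_clear_readonly(&alice, &dir, &file);
}

int main(void)
{
    printf("0644 loses %03o, 0664 loses %03o, 0666 loses %03o\n",
           (unsigned)lost_write_bits(0644), (unsigned)lost_write_bits(0664),
           (unsigned)lost_write_bits(0666));
    printf("dir 0775: %d, dir 0755: %d\n", demo_allowed(0775), demo_allowed(0755));
    return 0;
}
```

The 0664 and 0666 cases are the ones where toggling Readonly from a client leaves the group or everyone else with less access than before.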
Re: HEAD and 3.0 configure broken
Quoting Simo Sorce ([EMAIL PROTECTED]) from 2 February 2003:
> checking whether to build winbind... yes
> checking whether struct passwd has pw_comment... no
> checking whether struct passwd has pw_age... no
> checking for poptGetContext in -lpopt... no
> checking whether to use included popt... yes
> checking configure summary... configure: error: summary failure. Aborting config
>
> seem the HEAD and 3.0 are not able to finish ./configure can someone check what happened?

If you actually look in the logs, it's quite apparent what's wrong. The configure attempts to link the summary test with libraries that do not exist on the hosts. I imagine this would be easy enough to fix with a couple tweaks to the configure to make less assumptions. According to the build farm it is broken on OpenBSD & older FreeBSDs due to -lroken not being found and on one RH 7.2 machine with -lkrb5. You can probably hand tweak it for your build until it gets fixed in tree (I would assume someone will fix it before too long as it's pretty obviously broken.)

I did this a while back when I was trying to build samba-cvs on my OpenBSD machine for some testing.. very easy to fix but it was still busted in compilation stages with other problems so I dropped it. I believe I reported the configure bustage back then as well and it was fixed for a bit.

-b
any work going into remote registry service?
[please CC me, I'm not on the list]

Hi all,

using google, I found out that some time ago there was some code in samba-tng for remotely changing the registry via rpc's. Are there any plans to implement this in Samba (3?)? Did it work, would it be possible to extract the required code for a standalone utility?

Thanks a lot in advance,
Andreas

PS. You are doing great work, we are using Samba as production server (PDC) at the Physics Dept, and everything is working perfectly with nearly no maintenance... :-)

-- Dipl.-Phys. Andreas K. Huettel tel. +49 89 2180 3349 (univ.) Sektion Physik der LMU fax +49 89 2180 3182 (univ.) LS Prof. J.P. Kotthaus [EMAIL PROTECTED] Geschwister-Scholl-Platz 1 [EMAIL PROTECTED] 80539 Muenchen [EMAIL PROTECTED] Germany http://www.akhuettel.de/research/
-- Private: Andreas K. Huettel, Enhuberstraße 5, 80333 Muenchen, Germany
-- Please use GNUPG or PGP for signed and encrypted email. My public key can be found at http://www.akhuettel.de/pgp_key.html
Re: any work going into remote registry service?
On Mon, Feb 03, 2003 at 12:12:58AM +0100, Andreas K. Huettel wrote:
> using google, I found out that some time ago there was some code in samba-tng for remotely changing the registry via rpc's. Are there any plans to implement this in Samba (3?)? Did it work, would it be possible to extract the required code for a standalone utility?

I don't think there is any current work going on at the moment on this. I would guess that when someone implements this it would go into rpcclient as well as the Samba python wrappers.

Tim.
Re: HEAD and 3.0 configure broken
On Sun, Feb 02, 2003 at 03:25:35PM -0500, Brian Poole wrote about 'Re: HEAD and 3.0 configure broken':
> Quoting Simo Sorce ([EMAIL PROTECTED]) from 2 February 2003:
>> checking whether to build winbind... yes
>> checking whether struct passwd has pw_comment... no
>> checking whether struct passwd has pw_age... no
>> checking for poptGetContext in -lpopt... no
>> checking whether to use included popt... yes
>> checking configure summary... configure: error: summary failure. Aborting config
>>
>> seem the HEAD and 3.0 are not able to finish ./configure can someone check what happened?
>
> If you actually look in the logs, it's quite apparent what's wrong. The configure attempts to link the summary test with libraries that do not exist on the hosts. I imagine this would be easy enough to fix with a couple tweaks to the configure to make less assumptions. According to the build farm it is broken on OpenBSD & older FreeBSDs due to -lroken not being found and on one RH 7.2 machine with -lkrb5. You can probably hand tweak it for your build until it gets fixed in tree (I would assume someone will fix it before too long as it's pretty obviously broken.)
>
> I did this a while back when I was trying to build samba-cvs on my OpenBSD machine for some testing.. very easy to fix but it was still busted in compilation stages with other problems so I dropped it. I believe I reported the configure bustage back then as well and it was fixed for a bit.

It's got to do with the mit/heimdal differences. They need certain libs on certain platforms and iirc we assume that if we find one of them, the other ones are there too.. I'll look at it if I can find time...

Jelmer

--
Jelmer Vernooij [EMAIL PROTECTED] - http://nl.linux.org/~jelmer/
21:42:52 up 2 days, 15:42, 6 users, load average: 2.52, 2.35, 2.36
RE: [Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help
Hi All,

Thanks for your help, still no luck though. More info for you.

with no debug statements in my /etc/pam.conf I get in sys log the following.

Feb 2 14:43:02 coastdr pam_winbind[2832]: user 'traininguser' granted acces

with debug turned on I get

Feb 2 14:47:49 coastdr pam_winbind[2839]: Verify user `traininguser'
Feb 2 14:47:49 coastdr pam_winbind[2839]: user 'traininguser' granted acces

the user is still logging out. incidentally, when I log in as a unix user, rather than a win2k user I don't get anything in sys log.

I've included my pam.conf below. Also, I checked for /etc/shells, no such file, and I have set my smb.conf shell line to

template shell = /sbin/sh

and also tried

template shell = /usr/bin/sh

both files exist.

#
# PAM configuration
#
# Authentication management
#
login    auth sufficient /usr/lib/security/libpam_unix.1 debug
login    auth sufficient /usr/lib/security/libpam_winbind.1 debug
#login   auth sufficient /usr/lib/security/libpam_smb.1 nolocal debug
su       auth required   /usr/lib/security/libpam_unix.1 debug
dtlogin  auth required   /usr/lib/security/libpam_unix.1 debug
dtaction auth required   /usr/lib/security/libpam_unix.1 debug
ftp      auth required   /usr/lib/security/libpam_unix.1 debug
OTHER    auth required   /usr/lib/security/libpam_unix.1 debug
#
# Account management
#
login    account sufficient /usr/lib/security/libpam_unix.1 debug
login    account sufficient /usr/lib/security/libpam_winbind.1 debug
su       account required   /usr/lib/security/libpam_unix.1 debug
dtlogin  account required   /usr/lib/security/libpam_unix.1 debug
dtaction account required   /usr/lib/security/libpam_unix.1 debug
ftp      account required   /usr/lib/security/libpam_unix.1 debug
# OTHER account required /usr/lib/security/libpam_unix.1 debug
#
# Session management
#
login    session sufficient /usr/lib/security/libpam_unix.1 debug
login    session sufficient /usr/lib/security/libpam_winbind.1 debug
dtlogin  session required   /usr/lib/security/libpam_unix.1 debug
dtaction session required   /usr/lib/security/libpam_unix.1 debug
OTHER    session required   /usr/lib/security/libpam_unix.1 debug
#
# Password management
#
login    password sufficient /usr/lib/security/libpam_unix.1 debug
login    password sufficient /usr/lib/security/libpam_winbind.1 debug
passwd   password required   /usr/lib/security/libpam_unix.1 debug
passwd   password required   /usr/lib/security/libpam_winbind.1 debug
dtlogin  password required   /usr/lib/security/libpam_unix.1 debug
dtaction password required   /usr/lib/security/libpam_unix.1 debug
OTHER    password required   /usr/lib/security/libpam_unix.1 debug

Cheers

Miles

-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:[EMAIL PROTECTED]]
Sent: Saturday, 1 February 2003 04:53 a.m.
To: 'John H Terpstra'; Miles Roper
Cc: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'; Esh, Andrew; Ronan Waide; STEFFENS,MICHAEL (HP-Germany,ex1); MCCALL,DON (HP-USA,ex1); 'Richard Sharpe'
Subject: RE: [Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help

Hi, Miles,

Actually on HP-UX, you will need to add the word 'debug' at the end of each of the lines in your /etc/pam.conf file, to enable more debugging to go into the /var/adm/syslog/syslog.log file.

One thing that I have seen something like this happen on is if the /etc/shells file is corrupt, or if the shell that is defined for the user (since they don't have a /etc/passwd entry, this would be whatever you put in template in the smb.conf) does not exactly match one of the lines in /etc/shells, or the defaults, if this file does not exist. The defaults for 11.0 are:

/sbin/sh
/usr/bin/sh
/usr/bin/rsh
/usr/bin/ksh
/usr/bin/rksh
/usr/bin/csh
/usr/bin/keysh

Hope this helps,
Don

-----Original Message-----
From: John H Terpstra [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 31, 2003 1:36
To: Miles Roper
Cc: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'; Esh, Andrew; Ronan Waide; STEFFENS,MICHAEL (HP-Germany,ex1); 'MCCALL,DON (HP-USA,ex1)'; 'Richard Sharpe'
Subject: RE: [Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help

On Fri, 31 Jan 2003, Miles Roper wrote:
> Hi Everyone,
>
> I'm forgetting about the password one at the moment, thanks for all your input :o) I still don't have a clue how to solve my main problem. I'm assuming that it's not actually winbind related now, as I've recently tried pam_smb and get the same basic problem. Basically, when I log into the UNIX box, the username/password of a NT user is being authenticated, but doesn't actually log in. It doesn't get past the password line. I know it
CVS update: samba/source/libsmb
Date: Sun Feb 2 11:11:24 2003
Author: abartlet

Update of /data/cvs/samba/source/libsmb
In directory dp.samba.org:/tmp/cvs-serv18122/libsmb

Modified Files:
    cliconnect.c clientgen.c
Log Message:
Add some return values, and don't attempt signing for NTLMSSP yet (it uses a different algorithm).

Andrew Bartlett

Revisions:
cliconnect.c 1.119 => 1.120
    http://www.samba.org/cgi-bin/cvsweb/samba/source/libsmb/cliconnect.c?r1=1.119&r2=1.120
clientgen.c 1.211 => 1.212
    http://www.samba.org/cgi-bin/cvsweb/samba/source/libsmb/clientgen.c?r1=1.211&r2=1.212
CVS update: samba/source/smbd
Date: Sun Feb 2 17:57:00 2003
Author: idra

Update of /data/cvs/samba/source/smbd
In directory dp.samba.org:/tmp/cvs-serv6717/smbd

Modified Files:
    Tag: SAMBA_2_2
    vfs.c
Log Message:
closing bug PR#26498
wide links parameter was not working for symlinks to files (see PR#26498 for the discussion). I tried to be as less invasive as possible in reduce_name function so that I should have not changed any previous behaviour but only added the missing check.

Jeremy can you check this is ok?

Simo.

Revisions:
vfs.c 1.16.2.40 => 1.16.2.41
    http://www.samba.org/cgi-bin/cvsweb/samba/source/smbd/vfs.c?r1=1.16.2.40&r2=1.16.2.41
CVS update: samba/source/smbd
Date: Sun Feb 2 18:08:43 2003
Author: idra

Update of /data/cvs/samba/source/smbd
In directory dp.samba.org:/tmp/cvs-serv7505/smbd

Modified Files:
    vfs.c
Log Message:
untested fix for wide links parameter bug. it works properly on 2.2 and the patch applies so I think it should be ok.

Revisions:
vfs.c 1.68 => 1.69
    http://www.samba.org/cgi-bin/cvsweb/samba/source/smbd/vfs.c?r1=1.68&r2=1.69
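
The kind of check the two vfs.c commits above restore for `wide links`, as an added C example that is not Samba's reduce_name and not code from these commits: resolve the requested name with every symlink followed, including a final component that is a link to a file, and accept it only if the result stays under the share root. The function names and the tree built under /tmp are constructed for illustration.

```c
#define _XOPEN_SOURCE 700   /* realpath, symlink, mkdtemp */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Return 1 if root/name, with every symlink followed (including one in the
 * final component, i.e. a link to a file), still lies under root. */
int inside_share(const char *root, const char *name)
{
    char joined[4096];
    char *real_root = realpath(root, NULL);
    char *real_path = NULL;
    int ok = 0;
    if (real_root != NULL &&
        snprintf(joined, sizeof joined, "%s/%s", real_root, name) < (int)sizeof joined)
        real_path = realpath(joined, NULL);
    if (real_path != NULL) {
        size_t n = strlen(real_root);
        /* Compare on a component boundary so the sibling "share-private"
         * is not accepted as being inside "share". */
        ok = strncmp(real_path, real_root, n) == 0 &&
             (real_path[n] == '/' || real_path[n] == '\0');
    }
    free(real_root);
    free(real_path);
    return ok;
}

static void touch(const char *p) { FILE *f = fopen(p, "w"); if (f) fclose(f); }

/* Constructed tree under /tmp; one result bit per probe, -1 on setup error. */
int demo(void)
{
    char base[] = "/tmp/widelinks.XXXXXX";
    int r = 0;
    if (mkdtemp(base) == NULL || chdir(base) != 0) return -1;
    if (mkdir("share", 0755) || mkdir("share-private", 0755)) return -1;
    touch("share/ok.txt");
    touch("share-private/secret.txt");
    if (symlink("ok.txt", "share/inner") ||                 /* file link, inside  */
        symlink("../share-private/secret.txt", "share/to_file") || /* file link, outside */
        symlink("../share-private", "share/to_dir"))        /* dir link, outside  */
        return -1;
    r |= inside_share("share", "ok.txt") << 0;
    r |= inside_share("share", "inner") << 1;
    r |= inside_share("share", "to_file") << 2;
    r |= inside_share("share", "to_dir/secret.txt") << 3;
    r |= inside_share("share", "../share-private/secret.txt") << 4;
    return r;
}

int main(void) { printf("probe bits: 0x%02x\n", demo()); return 0; }
```

Only bits 0 and 1 are set in the result, so both in-share names pass and all three escapes are refused. A resolve-then-open check like this is still racy if the tree can change between the realpath() call and the open that follows it.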
CVS update: samba/source/client
Date: Sun Feb 2 22:49:28 2003
Author: tpot

Update of /data/cvs/samba/source/client
In directory dp.samba.org:/tmp/cvs-serv21244

Modified Files:
    smbmount.c
Log Message:
smb signing compile fix

Revisions:
smbmount.c 1.61 => 1.62
    http://www.samba.org/cgi-bin/cvsweb/samba/source/client/smbmount.c?r1=1.61&r2=1.62
CVS update: sambaweb/devel
Date: Mon Feb 3 13:38:41 2003
Author: mbp

Update of /data/cvs/sambaweb/devel
In directory dp.samba.org:/tmp/cvs-serv2127

Modified Files:
    index.html
Log Message:
* Fix Source Navigator link.

Revisions:
index.html 1.10 => 1.11
    http://www.samba.org/cgi-bin/cvsweb/sambaweb/devel/index.html?r1=1.10&r2=1.11