[Samba] Re: Authenticateing DC's on an ldap backend... nobody knows how?
access to dn.subtree=dc=j9starr,dc=net
    by group/posixGroup/memberUid=cn=Domain Controllers,ou=Group,dc=j9starr,dc=net
    by * read

I pulled that info from faq-o-matic just a minute ago. No dice. See below.

access to dn.subtree=dc=j9starr,dc=net
    by group/posixGroup/memberUid=cn=Domain Controllers,ou=Group,dc=j9starr,dc=net
    by * read

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/ldap/slapd.pid
argsfile /var/run/ldap/slapd.args
modulepath /usr/lib/openldap

slapd.conf 154L, 5397C written
[EMAIL PROTECTED] 0 openldap]$ slapd -t
/etc/openldap/slapd.conf: line 47: group cn=Domain Controllers,ou=Group,dc=j9starr,dc=net: inappropriate syntax: 1.3.6.1.4.1.1466.115.121.1.26

There has to be a way to do this. I just can't imagine OpenLDAP being so lame that it can't.

Jim C.
--
I can be reached on the following Instant Messenger services:
MSN: [EMAIL PROTECTED]  AIM: WyteLi0n  ICQ: 123291844
Y!: j_c_llings  Jabber: [EMAIL PROTECTED]

-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] String Overflow in samba.log
Hi all.

Since upgrading to 3.05 from 2.2.9a I've been getting loads of errors like these:

[2004/09/30 08:16:02, 0] lib/util_str.c:safe_strcpy_fn(602)
  ERROR: string overflow by 1 (29 - 28) in safe_strcpy [RESULTS ANALYSIS SUMMER 2004.doc]
[2004/09/30 08:18:18, 0] lib/util_str.c:safe_strcpy_fn(602)
  ERROR: string overflow by 1 (9 - 8) in safe_strcpy [SARAH~XB.DOC]
[2004/09/30 08:18:18, 0] lib/util_str.c:safe_strcpy_fn(602)
  ERROR: string overflow by 1 (15 - 14) in safe_strcpy [Sarah all subs.doc]
[2004/09/30 08:18:23, 0] lib/util_str.c:safe_strcpy_fn(602)
  ERROR: string overflow by 1 (20 - 19) in safe_strcpy [Kara Birmingham ref.doc]

Any ideas as to what could be causing this?

Many thanks

Ross McInnes
Re: [Samba] Switch profile from local to roaming?
You had your answers right in front of ya. Every xp includes Files and Settings transfer wizard (accessories-system tools) for this job. It's simple:

1. login as local user, run wizard, select old computer, select some directory to store your data, click next, wait till its done, logoff.
2. login as new user, run wizard, select new computer, find directory you stored your data to, click next, wait till its done, relogon.

You're done. Migrated some 20 pcs with it and it was a breeze, however, there might be some issues with file ownerships, but users don't complain so neither do I.

deff

On Wednesday 29 September 2004 19:50, Misty Stanley-Jones wrote:

I've got a WinXP machine that was configured for local profiles. I have now joined that machine to the domain, but when I try to log in as a user, it tries to use a roaming profile. Fine, that's what I want anyway. But it doesn't do the smart thing and copy the user's local profile to roaming -- it gives an error instead.

OK, no problem, I will change the type. I log in as local admin and go to her profile. It only gives me Local as an option. Maybe it's because I'm not logged into the domain. OK, I log into the domain as Administrator (alias root -- uid of 0). It doesn't even let me SEE her profile then. Because it is local, I assume. So ok, I add MYDOMAIN\Administrator as a local administrator on her machine. It lets me see her profile now but I still can't change it to roaming. And every time I try to copy it into either Administrator's directory on the server, or hers, it gives me Permission Denied.

So what is the real way to get this accomplished?

Thanks,
Misty
[Samba] (no subject)
hi samba community and team !

I'm playing with policies under win2k/samba3/ntconfig.pol/poledit

It worked at first, but now seems my win2k test machine doesn't want to load the ntconfig.pol located into \\mysmbpdc\netlogon

Could someone give me an explanation of what these logs mean ? :

is_in_path: ntconfig.pol.LOG
log.pc-inf-xp: is_in_path: ntconfig.pol
log.pc-inf-xp: is_in_path: ntconfig.pol.LOG
log.pc-inf-xp: is_in_path: ntconfig.pol
log.pc-inf-xp: ms_fnmatch(net,ntconfig.pol.LOG) - -1
log.pc-inf-xp: name_map: ntconfig.pol.LOG - 4C3305C6 - NL54T6~U.LOG (cache=0)

: the '-1' value seems strange to me, no ?

--
Xavier
mailto: [EMAIL PROTECTED]
Re: [Samba] Re: [cups.general] Re: Windows Clients keep finished jobs in Queue
Misty Stanley-Jones wrote:

On Wednesday 29 September 2004 09:29, Ryan Suarez wrote:

I'm also seeing this problem. We're running samba 3.0.7 with CUPS 1.1.20. The clients printing are WinXP Professional SP1. The jobs printed are still displayed in the Windows printer status window, even though it's been printed already and disappears from the CUPS printer queue list.

You will note that if you refresh, they disappear. I see the problem too with 3.0.6. Have not tested with 3.0.7 yet. I think it's also with WinNT clients. Another person on this list reported the same refresh problem with files in Explorer too.

Misty

I am having the same problem. Refresh does not clear the jobs, and CUPS shows the jobs as printed. It is interesting to have a complete history of the printer, but this confuses users! Deleting the jobs works, but is there a way to stop them filling up the windows printer queue?
[Samba] Fw: Samba problem
Hallo,

I'm a samba 2.2.1a server user and I've experienced a new problem installing XP SP2 on client PC. Now printing on the samba printer from clients that installed XP SP2 became very slow. This does not happen with client Windows XP SP1. Did you have any solution to this problem?

Many thanks,
Marco Gemma
[Samba] Warning: E-mail viruses detected
Our virus detector has just been triggered by a message you sent:-

To: [EMAIL PROTECTED]
Subject: Re: thanks!
Date: Thu Sep 30 14:10:29 2004

One or more of the attachments (bill.txt.exe) are on the list of unacceptable attachments for this site and will not have been delivered. Consider renaming the files to avoid this constraint.

The virus detector said this about the message:
Report: MailScanner: Executable DOS/Windows programs are dangerous in email (bill.txt.exe)

--
MailScanner Email Virus Scanner
www.mailscanner.info
MailScanner thanks transtec Computers for their support
[Samba] ntconfig.pol not loaded
hi samba community and team !

I'm playing with policies under win2k/samba3/ntconfig.pol/poledit

It worked at first, but now seems my win2k test machine doesn't want to load the ntconfig.pol located into \\mysmbpdc\netlogon

I've seen some threads about the same prob. but none with a solution. I know there is a project with an editreg tool planned. But for now I would like to apply policies under my win2k workstation with old format. If anyone has a good policies conf. working, I'm interested in.

Xavier
[Samba] Samba Security Announcement -- Potential Arbitrary File Access
Subject:            Potential Arbitrary File Access
Affected Versions:  Samba 2.2.x <= 2.2.11 and Samba 3.0.x <= 3.0.5
Summary:            A remote attacker may be able to gain access to files which exist outside of the share's defined path. Such files must still be readable by the account used for the connection.

Patch Availability
------------------

The patch for Samba 3.0.5 and earlier releases (samba-3.0.5-reduce_name.patch) can be downloaded from http://download.samba.org/samba/ftp/patches/security/

Samba 2.2.12 has been released to specifically address this bug.

Description
-----------

A bug in the input validation routines used to convert DOS path names to path names on the Samba host's file system may be exploited to gain access to files outside of the share's path defined by smb.conf.

Protecting Unpatched Servers
----------------------------

Samba file shares with 'wide links = no' (a non-default setting) in the service definition in smb.conf are *not* vulnerable to this attack.

The Samba Team always encourages users to run the latest stable release as a defense against attacks. However, under certain circumstances it may not be possible to immediately upgrade important installations. In such cases, administrators should read the Server Security documentation found at http://www.samba.org/samba/docs/server_security.html.

Credits
-------

Both security issues were reported to Samba developers by iDEFENSE (http://www.idefense.com/). Karol Wiesek is credited with this discovery.

Our Code, Our Bugs, Our Responsibility.

-- The Samba Team
[Samba] SECURITY: Samba 2.2.12 Available for Download
SECURITY RELEASE

Summary:  Potential Arbitrary File Access
Summary:  A remote attacker may be able to gain access to files which exist outside of the share's defined path. Such files must still be readable by the account used for the connection.
CVE ID:   CAN-2004-0815 (http://cve.mitre.org/)

This is the last stable release of the Samba 2.2 code base. There will be no further Samba 2.2.x releases.

CAN-2004-0815
-------------

A bug in the input validation routines used to convert DOS path names to path names on the Samba host's file system may be exploited to gain access to files outside of the share's path defined by smb.conf.

Protecting Unpatched Servers
----------------------------

Samba file shares with 'wide links = no' (a non-default setting) in the service definition in smb.conf are *not* vulnerable to this attack.

The Samba Team always encourages users to run the latest stable release as a defense against attacks. However, under certain circumstances it may not be possible to immediately upgrade important installations. In such cases, administrators should read the Server Security documentation found at http://www.samba.org/samba/docs/server_security.html.

Credits
-------

Both security issues were reported to Samba developers by iDEFENSE (http://www.idefense.com/). Karol Wiesek is credited with this discovery.

The source code can be downloaded from: http://download.samba.org/samba/ftp/

The uncompressed tarball and patch file have been signed using GnuPG. The Samba public key is available at http://download.samba.org/samba/ftp/samba-pubkey.asc

Binary packages are available at http://download.samba.org/samba/ftp/Binary_Packages/

The release notes are also available on-line at http://www.samba.org/samba/history/samba-2.2.12.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

The Samba Team
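Both announcements above name 'wide links = no' in the service definition as the protection for unpatched servers. As an added example (not part of the original posts and not Samba's own tooling), the script below parses an smb.conf and lists the shares whose effective 'wide links' setting is still enabled. The sample configurations and share names are constructed; it assumes the setting is enabled when neither the share nor [global] sets it, since the advisory calls 'wide links = no' non-default.

```python
"""Audit an smb.conf for shares that still have 'wide links' enabled."""
import re

# Boolean spellings accepted in smb.conf.
TRUE_VALUES = {"yes", "true", "1"}
FALSE_VALUES = {"no", "false", "0"}


def parse_smb_conf(text):
    """Return {section: {parameter: value}}.

    Section names are lower-cased. Parameter names are lower-cased with all
    whitespace removed, because smb.conf treats 'wide links', 'Wide Links'
    and 'widelinks' as the same parameter. 'include' and 'copy' directives
    are not followed (limitation of this example).
    """
    sections = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # line continuation
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current]["".join(key.lower().split())] = value.strip()
    return sections


def parse_bool(value):
    """Map an smb.conf boolean to True/False.

    Unrecognised values count as enabled so the audit errs towards reporting.
    """
    v = value.strip().lower()
    if v in FALSE_VALUES:
        return False
    return True if v in TRUE_VALUES else True


def exposed_shares(text, default_wide_links=True):
    """List shares whose effective 'wide links' value is enabled.

    Precedence: the share's own setting, then [global], then the default.
    """
    sections = parse_smb_conf(text)
    inherited = default_wide_links
    if "widelinks" in sections.get("global", {}):
        inherited = parse_bool(sections["global"]["widelinks"])
    exposed = []
    for name, params in sections.items():
        if name == "global":
            continue
        enabled = parse_bool(params["widelinks"]) if "widelinks" in params else inherited
        if enabled:
            exposed.append(name)
    return exposed


# Constructed sample: nothing set globally, one share hardened.
SAMPLE_CONF = """
[global]
   workgroup = EXAMPLE
   ; wide links = no   (commented out, so it has no effect)

[public]
   path = /srv/public

[projects]
   path = /srv/projects
   Wide Links = No

[homes]
   widelinks = yes
"""

# Constructed sample: hardened globally, one share overriding it.
HARDENED_CONF = """
[global]
   wide links = no

[data]
   path = /srv/data

[scratch]
   path = /srv/scratch
   wide links = yes
"""

if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(label, "-> shares with wide links enabled:", exposed_shares(conf))
```

On a real server, compare the result with the output of testparm, which also resolves include files.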
SUMMARY [Samba] Problems with Samba 3.0.5 only seeing 1360 files on a share to a Windows 2000
Hi,

I was having problems with Windows 2000 not seeing all files on a share. It would only show a certain number of files.

The solution was to get rid of the Windows 2000. Just kidding, actually the problem was with the character set, when I configured the unix character set to ISO-8859-1, we saw all the files.

Thanks

Cyril Jaouich (Consultant Unix)
-- Unix Infrastructure Technical Support
-- Tel: 514-840-3000x5527

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, 23 September 2004 12:03
To: [EMAIL PROTECTED]
Subject: [Samba] Problems with Samba 3.0.5 only seeing 1360 files on a share to a Windows 2000

Hi,

I have a share:

[share]
    path = /appl/md/data
    valid users = +asd
    write list = +asd
    read only = No
    create mask = 0664
    directory mask = 0775

And it has directories that have 3000 files in them, but when I look at the same directory thru a Windows 2000, I only see 1360 files, no more. If I type the path to a file that isn't shown in the directory listing, I can get to it. Also if I create a new file in the directory, it gets created, but doesn't show in the directory list.

Any ideas? Looks like a Windows thing, but...

Thanks

Cyril Jaouich (Consultant Unix)
-- Unix Infrastructure Technical Support
-- Tel: 514-840-3000x5527
Re: [Samba] Fw: Samba problem
I'm a samba 2.2.1a server user and I've experienced a new problem

Did you have any solution to this problem?

Holy old version Batman. Upgrade to at least the latest stable 2.2.x (currently 12 as of this morning) or better yet go up to the latest 3.0.x which I believe is 7. There are known issues with SP2 printing before 2.2.11 and 3.0.(some version that I can't remember).

--
Paul Gienger                     Office: 701-281-1884
Applied Engineering Inc.
Information Systems Consultant   Fax: 701-281-1322
URL: www.ae-solutions.com        mailto: [EMAIL PROTECTED]

The information contained in this message is privileged and intended only for the recipient names. If the reader is not a representative of the intended recipient, any review, dissemination or copying of this message or the information it contains is prohibited. If you have received this message in error, please immediately notify the sender, and delete the original message and attachments.
[Samba] Domain member server with local users
Hi,

I'm trying to build a samba server that shall substitute one of our NT4 servers but I'm having some problems with setting up the local user account:

The NT4 server was member of a resource domain (R1) and also had a local user account named bcd which is needed for a boot-cd. Normal users authenticated through the master domains M1 and M2 which has all the necessary trusts setup and working.

For samba I'm using 3.0.7-Debian. I've setup winbindd and joined samba to the domain (security = domain). Authentication is working for domain users from M1 and M2 so this seems to be fine. Then I've added a linux user bcd and a samba user bcd (smbpasswd -a bcd) to allow authentication from the boot-cd. But this does not work, after a few seconds I always get the error that no logon server is available.

To work around this, I tried to include /etc/samba/%Dauth.conf to let me create one auth.conf (containing security = user for the bcd user), M1auth.conf and M2auth.conf (containing the settings needed for authenticating against the domain) but according to the log samba always uses the auth.conf which results in the domain users unable to authenticate. Google didn't show anything useful.

How can the non-domain user authenticate against the samba server while the domain users are still able to access the server? I've attached my config and a few lines from the log below.

Thanks for taking your time,
Daniel Frank

If it helps here's my config:

[global]
workgroup = R1 ; The resource domain. Users are in M1 and M2, all needed trusts are setup and working
server string = CDS Server
announce as = NT Workstation
log file = /var/log/samba/%m
max log size = 100
syslog = 0
security = DOMAIN
invalid users = root
load printers = no
unix charset = iso8859-15
display charset = iso8859-15
idmap uid = 15000-3
idmap gid = 15000-3
use sendfile = Yes
winbind separator = +
winbind use default domain = Yes ; Also tried with no
winbind enum users = no ; M1 and M2 have several thousand users
winbind enum groups = no
winbind cache time = 15
winbind trusted domains only = yes ; Also tried with no
log level = 5 ; I can provide more detailed logs if it's useful.
include = /etc/samba/services.conf ; Only shares in it, so I'm not adding it to the mail. If it's useful, just tell me to post it.

Here are a few lines of the log (I filtered a few lines to keep it smaller):

[2004/09/30 13:53:12, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/09/30 13:53:12, 3] smbd/sesssetup.c:reply_sesssetup_and_X(804)
  sesssetupX:[EMAIL PROTECTED]
[2004/09/30 13:53:12, 5] auth/auth_util.c:make_user_info_map(225)
  make_user_info_map: Mapping user []\[BCD] from workstation [pc-525533]
[2004/09/30 13:53:12, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
  no entry for trusted domain R1 found.
[2004/09/30 13:53:12, 5] auth/auth_util.c:make_user_info(133)
  attempting to make a user_info for BCD (BCD)
[2004/09/30 13:53:12, 5] auth/auth_util.c:make_user_info(143)
  making strings for BCD's user_info struct
[2004/09/30 13:53:12, 5] auth/auth_util.c:make_user_info(185)
  making blobs for BCD's user_info struct
[2004/09/30 13:53:12, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: Checking password for unmapped user [EMAIL PROTECTED] with the new password interface
[2004/09/30 13:53:12, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password: mapped user is: [EMAIL PROTECTED]
[2004/09/30 13:53:43, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: winbind authentication for user [BCD] FAILED with error NT_STATUS_NO_LOGON_SERVERS
[2004/09/30 13:53:43, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [BCD] - [BCD] FAILED with error NT_STATUS_NO_LOGON_SERVERS
Re: [Samba] Puzzle -- Logon/Login from Windows XP
In a message dated 9/30/2004 1:55:16 AM Eastern Daylight Time, [EMAIL PROTECTED] writes:

Long answer: a limitation of Windows is that when you connect via SMB to a remote server, all connections to that server must use the same credentials. If you are connected to \\sambaserver\datafiles as the user *nigel* and wish to connect to \\sambaserver\frederick (which is accessible only to the user *frederick*), the Windows workstation attempts to connect as *nigel*. In order to connect as *frederick* you must break all connections to that server. Simply put, you cannot make two connections to a server from one workstation with two different sets of credentials.

Thanks Jon,

To further clarify the situation, User 2 will only want to connect to User 2-specific shares after User 1 logs off the Windows workstation. So, in theory, logging off should close all network connections.

After User 1 logs off, User 2 goes to Microsoft Windows Network in Explorer and sees the following:

- Workgroup_Name
    + Samba Server
    + Workstation 1
    + Workstation 2
    + Etc...

If User 2 clicks on Samba Server he sees:

- Workgroup_Name
    - Samba Server
        [ ] Public Share
        [ ] Printers and Faxes
    + Workstation 1
    + Workstation 2
    + Etc...

What user 2 doesn't see is his own private shares. If he clicks on Public Share, then a few moments later he'll see this in Explorer:

- Workgroup_Name
    - Samba Server
        [ ] Public Share available to Members of the Workgroup Only
        [ ] User 2 Private Share A
        [ ] User 2 Private Share B
        [ ] Printers and Faxes
    + Workstation 1
    + Workstation 2
    + Etc...

I can create a similar effect if I am NOT logged on to the Windows workstation as a recognized Samba user by doing the following:

So now, User 2 is logged on as Non Samba User and can see the following.

- Workgroup_Name
    - Samba Server
        [ ] Public Share
        [ ] Printers and Faxes
    + Workstation 1
    + Workstation 2
    + Etc...

If he clicks on Public Share, he gets an error message that the share is not accessible You might not have permission to use this network resource. Contact the administrator...

However, if he maps the Public Share as a network drive, and selects Connect using a different username and inputs his own username and password, when he comes back to Explorer he sees this:

- Workgroup_Name
    - Samba Server
        [ ] Public Share available to Members of the Workgroup Only
        [ ] User 2 Private Share A
        [ ] User 2 Private Share B
        [ ] Printers and Faxes
    + Workstation 1
    + Workstation 2
    + Etc...

Same as above, when User 2 logged on to the Windows machine as himself.

So, the question is, why isn't Windows asking for a username and password when User 2 clicks on Public Share, and instead giving an error message. And why isn't Windows asking for a username and password when User 2 clicks on Samba Server. Why is it showing User 2 the Public Share available to Members of the Workgroup Only when it's not clear yet that User 2 is even a member of the workgroup?

When I try to connect from one Windows workstation (#2) to another (#1), unless I'm logged on to workstation 2 as a user who has an account on workstation 1, I get a dialog box asking me for a username and password BEFORE I can see any shares on workstation 1.

Do you think that with my Samba Server the fact that I'm SEEING that Public Share available only to members of the workgroup even though I can't access it is somehow related to why I'm not getting the username and password prompt?

I really don't want to go down the Domain route. The servers I'm building need to be accessed by a large number of ever changing workstations (including laptops that will come and go) and I don't want to create a nightmare for the person who has to administer the systems. If they have to constantly add computers to the domain, that will be a problem.
[Samba] samba 2.2 to samba 3
Hello,

I have 2 different servers:

One old Server RH 8.0 with a SaMBa 2.2.8
One new server Debian with a SaMBa 3.1.0

Data are synchronized with rsync 2 times per day.

What I want to do: I want to migrate SaMBa accounts of users and computers from the SaMBa 2.8 server to the SaMBa 3 server. After I want to stop the old server.

How can I do this?

thanks in advance for any help!
Re: [Samba] Roaming Profiles:Samba PDC:WinXP:User must be local admin SOLVED
at all. However, he indicated in his post that doing it that way might cause a setting or two to get left out. It is conceivable that

Most of the issues are application level things that you can't reasonably expect it to migrate, like say Mozilla data folders in the prefs.js files, and other things of the type that have file based settings. HOWEVER, I still toss a YMMV on it because I haven't played with a migrated profile that much. As a developer, my profiles are so screwed up that I usually just rebuild them... oh wait, I'm using one now... works pretty good ;)

--
Paul Gienger                     Office: 701-281-1884
Applied Engineering Inc.
Information Systems Consultant   Fax: 701-281-1322
URL: www.ae-solutions.com        mailto: [EMAIL PROTECTED]
[Samba] Re: Authenticateing DC's on an ldap backend... nobody knows how?
Jim C. wrote:

access to dn.subtree=dc=j9starr,dc=net
    by group/posixGroup/memberUid=cn=Domain Controllers,ou=Group,dc=j9starr,dc=net
    by * read

I pulled that info from faq-o-matic just a minute ago. No dice. See below.

access to dn.subtree=dc=j9starr,dc=net
    by group/posixGroup/memberUid=cn=Domain Controllers,ou=Group,dc=j9starr,dc=net
    by * read

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/ldap/slapd.pid
argsfile /var/run/ldap/slapd.args
modulepath /usr/lib/openldap

slapd.conf 154L, 5397C written
[EMAIL PROTECTED] 0 openldap]$ slapd -t
/etc/openldap/slapd.conf: line 47: group cn=Domain Controllers,ou=Group,dc=j9starr,dc=net: inappropriate syntax: 1.3.6.1.4.1.1466.115.121.1.26

My bad - I forgot to add 'write':

access to dn.subtree=dc=j9starr,dc=net
    by group/posixGroup/memberUid=cn=Domain Controllers,ou=Group,dc=j9starr,dc=net write
    by * read

Igor
[Samba] Redhat, Samba 4, Kerberos, Netscape Directory Server
As you may have heard Redhat just recently acquired Netscape's Directory Server. I am curious about any potential compatibility issues that we may run into down the road with Samba 4. In particular can any integration be done with Netscape's LDAP and are we going to be facing any major issues if we remain on MIT kerberos?

Any thoughts/feedback would be greatly appreciated.

Christian
[Samba] Links to Samba 3.x PDC+LDAP info? [Was: Can join domain, can't login]
Igor--

Thanks for trying. I looked at Samba 3.x, but I couldn't find nearly as much information about using it as an LDAP-based PDC. Does anyone have links to information on that?

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
402.465.7549

On Thu, 30 Sep 2004, Igor Belyi wrote:

Chris St. Pierre wrote:

Thanks. The log is attached.

Well... It looks like a job way over my head. :o( The only thing I can see is that requests come to Samba for a connection without any Domain or User specified and instead of letting this connection be a guest connection Samba just gives up and exits. Plus, on exit it gets a Segmentation Fault (Signal 11).

I probably shouldn't be surprised about this SegFault since code shows that Samba 2.9.9 isn't quite well adjusted to User and Domain being NULL during request. Plus, according to log it starts to show user as 'no' at some point instead of an empty string which could be an indication of memory override... This also could be the cause of the not able to login problem you see.

So, my conclusion: Have you ever thought about moving to Samba 3.x? ;o) There's still some activity to patch things when they don't work well with Samba 3.x. Unfortunately, I couldn't say that about Samba 2.x.

Hope you find some value in my answer,
Igor
Re: [Samba] Links to Samba 3.x PDC+LDAP info? [Was: Can join domain, can't login]
Chris St. Pierre wrote:

Igor-- Thanks for trying. I looked at Samba 3.x, but I couldn't find nearly as much information about using it as an LDAP-based PDC. Does anyone have a links to information on that?

You could always try TOSHARG or the ... By Example book Mr. Terpstra wrote. Both are available from the samba web page or your local book retailer. Perhaps there aren't as many separate links because there only need be a couple good ones. :-P

--
Paul Gienger                     Office: 701-281-1884
Applied Engineering Inc.
Information Systems Consultant   Fax: 701-281-1322
URL: www.ae-solutions.com        mailto: [EMAIL PROTECTED]
Re: [Samba] Puzzle -- More Logon/Login from Windows XP
In a message dated 9/30/2004 9:41:44 AM Eastern Daylight Time, AndyLiebman writes:

In a message dated 9/30/2004 1:55:16 AM Eastern Daylight Time, [EMAIL PROTECTED] writes:

Long answer: a limitation of Windows is that when you connect via SMB to a remote server, all connections to that server must use the same credentials. If you are connected to \\sambaserver\datafiles as the user *nigel* and wish to connect to \\sambaserver\frederick (which is accessible only to the user *frederick*), the Windows workstation attempts to connect as *nigel*. In order to connect as *frederick* you must break all connections to that server. Simply put, you cannot make two connections to a server from one workstation with two different sets of credentials.

I think I solved the problem. By setting the Public Share only available to members of the Workgroup as not readable by guests, Windows will now prompt me for a username and password when I click on the share.

The curious thing is, Windows still doesn't ask me for a username and password when I click on the Samba Server. It shows me the Public Share and I have to click on that to get the prompt. That's different behavior than when I click on another Windows XP workstation. I don't see any shares until I'm authenticated.

The other curious thing is, before I made the share not readable by guests, I wasn't prompted for the password, but as a guest I couldn't open the folder anyway. I would get the Not authorized to access this resource message.

Is there a problem with map to guest = bad user in global settings?

BTW, I'm using Samba 3.0.2a, I believe. Came with Mandrake 10 Official.

Andy Liebman
[Samba] passwd syncing?
Can Samba provide a central service for mapping or syncing username and password across different applications, for example AD user accounts and Lotus Notes ClientIDs ... (something just shy of a metadirectory service)?

I've used Samba in a past life to do something similar, and it sounds like Samba has matured significantly.

Any thoughts ... or am I hunting down the wrong hole?

-james
[Samba] (no subject)
Am running samba-3.0.7,1 on freebsd 5.2.

How do I get wbinfo to pass plain text auth on a 2003 AD server? It passes the NTLM challenge/response just fine...but plain text fails and claims No Such User as well as complaining about a null winbind separator. All examples I have seen have no definition for the winbind separator, is this important for plain text auth or is it not supported in 2003?

Here is the session:

    /usr/ports/www/squid # wbinfo -a admintest%pa\$\$word
    plaintext password authentication failed
    error code was NT_STATUS_NO_SUCH_USER (0xc064)
    error messsage was: No such user
    Could not authenticate user admintest%pa$$word with plaintext password
    winbind separator was NULL!
    challenge/response password authentication succeeded
    You have new mail.
    machine:~ /usr/ports/www/squid #

Michael Wray
S4F Technologies, Inc.
2448 S. 81st St.
Tulsa, OK 74137
http://www.s4f.com
mailto:[EMAIL PROTECTED]
[Samba] Re: Authenticateing DC's on an ldap backend... nobody knows how?
> My bad - I forgot to add 'write':
>
> access to dn.subtree=dc=j9starr,dc=net
>     by group/posixGroup/memberUid=cn=Domain Controllers,ou=Group,dc=j9starr,dc=net write
>     by * read

Yes, I noticed but I had compensated. This should work according to OpenLDAP's faq-o-matic. Perhaps this is a genuine bug. Of course, it may be a doc bug rather than a software bug.

--
I can be reached on the following Instant Messenger services:
MSN: [EMAIL PROTECTED]  AIM: WyteLi0n  ICQ: 123291844
Y!: j_c_llings  Jabber: [EMAIL PROTECTED]
Re: [Samba] Real-time file synchronisation
> everyone run their software from the network share as to ensure consistency, but I hardly think a 300 MB application with 15 MB (!!) executables (about 8 of them) is really suitable for being deployed in that fashion.

Try a 1.1GB app with the main executable being 131MB and run by 60+ users at once. That really is the best way to run this particular app (Pro/Engineer) as that way the config files all point to the same license server and other important file paths. If you ever have to run around and fix it you either change it once and it just works or you change it, script a push to all the clients, and then run around fixing the ones that didn't work for some reason, which assumes the users have permission to replace system executables. I'll pick the network option personally.

--
Paul Gienger
Office: 701-281-1884
Applied Engineering Inc.
Information Systems Consultant
Fax: 701-281-1322
URL: www.ae-solutions.com
mailto: [EMAIL PROTECTED]

The information contained in this message is privileged and intended only for the recipient names. If the reader is not a representative of the intended recipient, any review, dissemination or copying of this message or the information it contains is prohibited. If you have received this message in error, please immediately notify the sender, and delete the original message and attachments.
Re: [Samba] Real-time file synchronisation
Chris Ricks wrote:

> Hi all!
>
> I'm looking for a method of doing the following, given that I'm taking care of a network with a Samba 3.0.6 box (running Mandrake 10.0) acting as a PDC for about 15 W2K boxes:
>
> - There is a share full of program files and data files on the Samba box
> - These files are currently synchronized at logon - all movement is from the server to the clients via a logon script using XCOPY /D
>
> I want to engineer a solution that would allow updates of the share to have changes propagated out to clients as the share is updated without the users being made aware. Essentially, the software vendor is demanding that everyone run their software from the network share as to ensure consistency, but I hardly think a 300 MB application with 15 MB (!!) executables (about 8 of them) is really suitable for being deployed in that fashion.
>
> All comments appreciated!

I would say that your vendor is being unreasonable, and that you are correct to want to run these locally.

A few questions to think about :

How often do you update the application ? If it's only every few months, then there's no problem.

Do you ever do it while users are working ? Well you shouldn't be ! And what does the vendor propose to do about the problem of changing a binary whilst it is in use ? Having said that, I have done in-place upgrades on Unix systems by MOVING the original file and slipping the new one into place - if it's in use then the system will continue to use the old file (referenced by inode no, not file name) until it is closed.

Do you have (or do you ever expect to have) any remote workers ? If so then there is no way (even on Broadband/ADSL) that you want users sucking that sort of file size down the pipe.

One way of dealing with the issue is to make all the users log out and back in again when you upgrade. Another might be to run a scheduled task that periodically does an XCOPY, but then you'll run into problems of the program crashing when you change the binary running (or more likely a file in use error).

Simon

--
Simon Hobson MA MIEE, Technology Specialist
Colony Gift Corporation Limited
Lindal in Furness, Ulverston, Cumbria, LA12 0LD
Tel 01229 461100, Fax 01229 461101
Registered in England No. 1499611
Regd. Office : 100 New Bridge Street, London, EC4V 6JA.
RE: [Samba] Real-time file synchronisation
I'm intrigued! What sort of config are you running on your Samba box(es) (I'm assuming it's served from a Samba box) to support that app? I'm also curious as to the start-up times you experience compared to locally installed copies.

I'm not trying to challenge what you've said at all - I'm genuinely interested in how things perform in your particular situation (given that the performance in this situation is absolutely shocking when the dopey thing is run from a share).

Best regards,
Chris

-----Original Message-----
From: Paul Gienger [mailto:[EMAIL PROTECTED]
Sent: Friday, 1 October 2004 1:08 AM
To: Chris Ricks
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] Real-time file synchronisation

> everyone run their software from the network share as to ensure consistency, but I hardly think a 300 MB application with 15 MB (!!) executables (about 8 of them) is really suitable for being deployed in that fashion.

Try a 1.1GB app with the main executable being 131MB and run by 60+ users at once. That really is the best way to run this particular app (Pro/Engineer) as that way the config files all point to the same license server and other important file paths. If you ever have to run around and fix it you either change it once and it just works or you change it, script a push to all the clients, and then run around fixing the ones that didn't work for some reason, which assumes the users have permission to replace system executables. I'll pick the network option personally.

--
Paul Gienger
Office: 701-281-1884
Applied Engineering Inc.
Information Systems Consultant
Fax: 701-281-1322
URL: www.ae-solutions.com
mailto: [EMAIL PROTECTED]
[Samba] Re: Real-time file synchronisation
> I'm looking for a method of doing the following, given that I'm taking care ... but I hardly think a 300 MB application with 15 MB (!!) executables (about 8 of them) is really suitable for being deployed in that fashion.

rsync is available on both platforms and could be scripted in a bat script.

Why don't you just set up an application share? I run OpenOffice and MS Office from a share that I have mapped to network drives on the clients. Also, I think if you place the files in a directory on the Linux box and then put links from each user directory to the application directory, you can even avoid mapping drives. Perms/Ownership might get tricky though. Should be safe, despite certain Samba bugs, since the link is from the user's directory to an outside directory rather than vice versa.

Real time synchronization might be a good idea for a VFS module. One might even use something like that to get around having to set up re-directed folders etc. Could be a nice way to fool Windows into functioning a little more like NFS with less setup on the client side.

--
I can be reached on the following Instant Messenger services:
MSN: [EMAIL PROTECTED]  AIM: WyteLi0n  ICQ: 123291844
Y!: j_c_llings  Jabber: [EMAIL PROTECTED]
Re: [Samba] Real-time file synchronisation
> I'm intrigued! What sort of config are you running on your Samba box(es) (I'm assuming it's served from a Samba box) to support that app?

Nothing too special for hardware or config files, I don't have real hard speed numbers on the big installation since that's at a customer's site and it's not my baby to support them, but they were running on a Quad cpu E450, now it's a v240 I believe, gigabit network and a decent disk array. We run a smaller config in our office that is an old Ultra 2 with a really slow disk array but we run only 6 or so users at once. Oh, sorry, those are all Sun boxes if you didn't know by the numbers. I've run it off various other things but never for more than a couple of users. By far the biggest installs *I've* run into are at this client's site and they don't seem to mind.

This app doesn't run any database or anything, so if you're doing that then you could be looking at some issues.

I'll check the load up times when I get back into the office. The app is generally a big hog so the users don't ever complain. I've seen it use nearly a gig of ram before so you know it's piggy.

--
Paul Gienger
Office: 701-281-1884
Applied Engineering Inc.
Information Systems Consultant
Fax: 701-281-1322
URL: www.ae-solutions.com
mailto: [EMAIL PROTECTED]
RE: [Samba] Real-time file synchronisation
-----Original Message-----
From: Paul Gienger [mailto:[EMAIL PROTECTED]
Sent: Friday, 1 October 2004 1:23 AM
To: Chris Ricks
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] Real-time file synchronisation

> > I'm intrigued! What sort of config are you running on your Samba box(es) (I'm assuming it's served from a Samba box) to support that app?
>
> Nothing too special for hardware or config files, I don't have real hard speed numbers on the big installation since that's at a customer's site and it's not my baby to support them, but they were running on a Quad cpu E450, now it's a v240 I believe, gigabit network and a decent disk array. We run a smaller config in our office that is an old Ultra 2 with a really slow disk array but we run only 6 or so users at once. Oh, sorry, those are all Sun boxes if you didn't know by the numbers. I've run it off various other things but never for more than a couple of users. By far the biggest installs *I've* run into are at this client's site and they don't seem to mind.

Admittedly, this place has a sub-optimal network setup; the Samba box and DB server are plugged into one switch, which has the uplink port from another switch plugged into it. This second switch has workstations plugged into it and a cable running from (you guessed it) the uplink port of yet another switch that services workstations - all connections are 100 Mb.

> This app doesn't run any database or anything, so if you're doing that then you could be looking at some issues.

There is a DB server in place, which is one reason I'd prefer to keep the network traffic low as to not tie the DB server up waiting to send result sets down the wire. The app does a lot of processing on both the client and server side, and neither side is massively efficient (hint: the DB server and client-side libraries both come from www.guptaworldwide.com).

> I'll check the load up times when I get back into the office. The app is generally a big hog so the users don't ever complain. I've seen it use nearly a gig of ram before so you know it's piggy.

Sounds like an excellent testimonial to hit clients with that are considering going with some weird MS server product

> --
> Paul Gienger
> Office: 701-281-1884
> Applied Engineering Inc.
> Information Systems Consultant
> Fax: 701-281-1322
> URL: www.ae-solutions.com
> mailto: [EMAIL PROTECTED]

Best regards,
Chris
RE: [Samba] Real-time file synchronisation
Hi Simon,

My responses are interleaved with your questions.

-----Original Message-----
From: Simon Hobson [mailto:[EMAIL PROTECTED]
Sent: Friday, 1 October 2004 1:12 AM
To: Chris Ricks; [EMAIL PROTECTED]
Subject: Re: [Samba] Real-time file synchronisation

> Chris Ricks wrote:
>
> > Hi all!
> >
> > I'm looking for a method of doing the following, given that I'm taking care of a network with a Samba 3.0.6 box (running Mandrake 10.0) acting as a PDC for about 15 W2K boxes:
> >
> > - There is a share full of program files and data files on the Samba box
> > - These files are currently synchronized at logon - all movement is from the server to the clients via a logon script using XCOPY /D
> >
> > I want to engineer a solution that would allow updates of the share to have changes propagated out to clients as the share is updated without the users being made aware. Essentially, the software vendor is demanding that everyone run their software from the network share as to ensure consistency, but I hardly think a 300 MB application with 15 MB (!!) executables (about 8 of them) is really suitable for being deployed in that fashion.
> >
> > All comments appreciated!
>
> I would say that your vendor is being unreasonable, and that you are correct to want to run these locally.

Funny that - last time I checked, Windows doesn't actually fit with the idea of thin-client style computing at all! :-)

> A few questions to think about :
>
> How often do you update the application ? If it's only every few months, then there's no problem.

Updates are done every now and then, but very rarely for binaries. Most updates take the form of replacing report files (of the order of 100KB). This sort of update happens every few months.

> Do you ever do it while users are working ? Well you shouldn't be ! And what does the vendor propose to do about the problem of changing a binary whilst it is in use ? Having said that, I have done in-place upgrades on Unix systems by MOVING the original file and slipping the new one into place - if it's in use then the system will continue to use the old file (referenced by inode no, not file name) until it is closed.

An excellent point. They often do such things whilst people are working. If I recall correctly, Windows' VM model does not hoard executable data in swap space (which is why compressed executables stay compressed or something - I'd have to look at UPX's docs). Considering it's Windows, I don't like the idea of trying to move such things around, even if Windows should lock running executables. Further, do you know offhand if the trick you use above carries across the UNIX-Windows divide that Samba takes care of? I know that Samba will use FDs to reference things, but SMB is a complicated protocol...

> Do you have (or do you ever expect to have, any remote workers ? If so then there is no way (even on Broadband/ADSL) that you want users sucking that sort of file size down the pipe.

We do have remote workers, and they run the app locally with only queries and result sets traversing the wire. That said, rsync makes short work of that problem for keeping remote installs in sync.

> One way of dealing with the issue is to make all the users log out and back in again when you upgrade. Another might be to run a scheduled task that periodically does an XCOPY, but then you'll run into problems of the program crashing when you change the binary running (or more likely a file in use error).

I was thinking of using dnotify / FAM and a conditional script. Most of the DLLs will never change, the same for the executables. How Gupta's products handle .QRP files changing underfoot will be interesting...

> Simon
>
> --
> Simon Hobson MA MIEE, Technology Specialist
> Colony Gift Corporation Limited
> Lindal in Furness, Ulverston, Cumbria, LA12 0LD
> Tel 01229 461100, Fax 01229 461101
> Registered in England No. 1499611
> Regd. Office : 100 New Bridge Street, London, EC4V 6JA.

Best regards,
Chris
[Samba] WINS names intermittently unregister after 5 days
Hi,

(I posted this question about 6 months ago and never really got anywhere with it so I thought I'd try again.)

We're using Samba as a WINS server. Windows servers appear to correctly register themselves and I can look them up e.g. with nmblookup. However some servers lose their registration after 5 days. And it's the same servers, about 4 (of about 25 servers and 200 workstations). I can't find any similarity between these servers, there's one NT 4 server and 3 Win2000 servers with varying service packs. I can get the names to re-register by restarting the server but this registration is again lost after 5 days.

Does anyone have any experience of this or can suggest any tests to help me troubleshoot? (I realize this problem probably isn't Samba's fault but I can't find any reference to this issue anywhere else).

Samba 3.0.4 on RedHat 9.0.

Thanks,
Leon...
RE: [Samba] Real-time file synchronisation
Chris Ricks wrote:

> > A few questions to think about :
> >
> > How often do you update the application ? If it's only every few months, then there's no problem.
>
> Updates are done every now and then, but very rarely for binaries. Most updates take the form of replacing report files (of the order of 100KB). This sort of update happens every few months.

Then I find it hard to see any problem at all.

> > Do you ever do it while users are working ? Well you shouldn't be ! And what does the vendor propose to do about the problem of changing a binary whilst it is in use ? Having said that, I have done in-place upgrades on Unix systems by MOVING the original file and slipping the new one into place - if it's in use then the system will continue to use the old file (referenced by inode no, not file name) until it is closed.
>
> An excellent point. They often do such things whilst people are working. If I recall correctly, Windows' VM model does not horde executable data in swap space (which is why compressed executables stay compressed or something - I'd have to look at UPX's docs). Considering it's Windows, I don't like the idea of trying to move such things around, even if Windows should lock running executables. Further, do you know offhand if the trick you use above carries across the UNIX-Windows divide that Samba takes care of? I know that Samba will use FDs to reference things, but SMB is a complicated protocol...

In principle, but I know Samba has its own locking mechanism and I don't know if that works by file name or file id - hopefully one of the people with knowledge of the internals could answer that one. As long as the Samba locking uses inodes and not filenames, then I see no reason it shouldn't work.

Simon

--
Simon Hobson MA MIEE, Technology Specialist
Colony Gift Corporation Limited
Lindal in Furness, Ulverston, Cumbria, LA12 0LD
Tel 01229 461100, Fax 01229 461101
Registered in England No. 1499611
Regd. Office : 100 New Bridge Street, London, EC4V 6JA.
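The move-aside upgrade Simon describes in this thread, next to the in-place overwrite he warns about, shown on a local POSIX filesystem. This is an added example, not code from any of the posters; the file names and function names are constructed, and it shows only local Unix behaviour, not what an SMB client sees through Samba, which the thread leaves open.

```python
import os
import tempfile


def overwrite_in_place(path, new_bytes):
    """Rewrite the existing file: same inode, so open handles see the change."""
    with open(path, "wb") as f:
        f.write(new_bytes)


def move_aside_and_replace(path, new_bytes):
    """Move the old file aside, then rename a fully written new file into place."""
    old_path = path + ".old"
    os.rename(path, old_path)      # the old inode lives on under a new name
    tmp_path = path + ".new"
    with open(tmp_path, "wb") as f:
        f.write(new_bytes)
        f.flush()
        os.fsync(f.fileno())       # contents reach disk before the name appears
    os.replace(tmp_path, path)     # atomic rename on POSIX
    return old_path


def observe(update):
    """Hold a file open (standing in for a running program), apply the update,
    and report what the open handle and a fresh open each see."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "app.bin")   # constructed file name
        with open(path, "wb") as f:
            f.write(b"version 1")
        with open(path, "rb") as running:
            inode_before = os.fstat(running.fileno()).st_ino
            update(path, b"version 2")
            seen_by_running = running.read()
            with open(path, "rb") as fresh:
                seen_by_new_open = fresh.read()
            return {
                "running_sees": seen_by_running,
                "new_open_sees": seen_by_new_open,
                "path_inode_changed": os.stat(path).st_ino != inode_before,
            }


if __name__ == "__main__":
    print("move aside:", observe(move_aside_and_replace))
    print("overwrite: ", observe(overwrite_in_place))
```

With the move-aside update the already-open handle keeps reading the old contents while new opens get the new file; with the overwrite, the open handle's data changes underneath it.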
RE: [Samba] Samba 3.0, Windows 2k/XP and usrmgr.exe
OK, so it is possible to get it working with a Domain Admin user although I am not using LDAP (too much of a novice to dare to attempt it).

Running RH9 and Samba 3.0.1a

Here is my net groupmap list

    System Operators (S-1-5-32-549) - -1
    Replicators (S-1-5-32-552) - -1
    Guests (S-1-5-32-546) - -1
    Domain Admins (S-1-5-21-3006511841-651929057-3908437317-512) - root
    Domain Guests (S-1-5-21-3006511841-651929057-3908437317-514) - nogroup
    Domain Users (S-1-5-21-3006511841-651929057-3908437317-513) - domusers
    Power Users (S-1-5-32-547) - -1
    year_2 (S-1-5-21-3006511841-651929057-3908437317-2051) - year_2
    Print Operators (S-1-5-32-550) - -1
    Administrators (S-1-5-32-544) - root
    year_7 (S-1-5-21-3006511841-651929057-3908437317-2041) - year_7
    year_11 (S-1-5-21-3006511841-651929057-3908437317-2033) - year_11
    staff (S-1-5-21-3006511841-651929057-3908437317-2003) - staff
    year_1 (S-1-5-21-3006511841-651929057-3908437317-2053) - year_1
    year_6 (S-1-5-21-3006511841-651929057-3908437317-2043) - year_6
    year_10 (S-1-5-21-3006511841-651929057-3908437317-2035) - year_10
    Account Operators (S-1-5-32-548) - -1
    year_4 (S-1-5-21-3006511841-651929057-3908437317-2047) - year_4
    year_5 (S-1-5-21-3006511841-651929057-3908437317-2045) - year_5
    year_9 (S-1-5-21-3006511841-651929057-3908437317-2037) - year_9
    year_3 (S-1-5-21-3006511841-651929057-3908437317-2049) - year_3
    year_8 (S-1-5-21-3006511841-651929057-3908437317-2039) - year_8
    Backup Operators (S-1-5-32-551) - -1
    Users (S-1-5-32-545) - -1

and here is the pdbedit output for my user

    Unix username: nivenjr
    NT username:
    Account Flags: [U ]
    User SID: S-1-5-21-3006511841-651929057-3908437317-2000
    Primary Group SID: S-1-5-21-3006511841-651929057-3908437317-512
    Full Name: James Niven
    Home Directory: \\susie\nivenjr\.win_profile\
    HomeDir Drive: H:
    Logon Script: logon.bat
    Profile Path: \\susie\profiles\nivenjr\
    Domain: OAKFIELD
    Account desc:
    Workstations:
    Munged dial:
    Logon time: 0
    Logoff time: Tue, 19 Jan 2038 03:14:07 GMT
    Kickoff time: Tue, 19 Jan 2038 03:14:07 GMT
    Password last set: Sun, 21 Mar 2004 09:29:12 GMT
    Password can change: Sun, 21 Mar 2004 09:29:12 GMT
    Password must change: Tue, 19 Jan 2038 03:14:07 GMT

and here is the Global section of my smb.conf

    [Global]
    # Netbios name is the name other Windows clients will see the PDC as on the Network Neighbourhood
    netbios name = susie
    # Workgroup is the name of the domain that windows clients will be joining
    workgroup = OAKFIELD
    # Encrypt passwords must be on for a PDC, Windows 95 does not use encrypted passwords...
    encrypt passwords = yes
    # Set the database to be used for user authentication
    passdb backend = tdbsam
    # Set the PDC to be the master browser for the domain
    domain master = yes
    # Set the domain to be the local master browser
    local master = yes
    # and the preferred master browser
    preferred master = yes
    # this setting will beat the level of all clients on the subnet during a master browser election
    os level = 65
    # User level security - required for domain control
    security = user
    # Allows the PDC to handle logons to the domain
    domain logons = yes
    # logon path tells Samba where to put Windows NT/2000/XP roaming profiles
    logon path = \\%L\profiles\%U\%m
    # Logon batch file to be run - should (read must) include a net set time for proper synchronisation
    logon script = logon.bat
    # Sets the users home directory to H:
    logon drive = H:
    # logon home is used to specify home directory and Windows 95/98/Me roaming profile location
    logon home = \\%L\%U\.win_profile\%m
    # PDC will act as a nntp time server
    time server = yes
    # User add script, creates users on the fly
    add user script = /usr/sbin/useradd -g 513 -s /bin/false %u
    # Add machines on the fly
    add machine script = /usr/sbin/useradd -d /dev/null -g 502 -s /bin/false -M %u
    # Group Add script
    add group script = /usr/local/samba/bin/smbgrpadd.sh %g
    # Group Delete Script
    delete group script = /usr/sbin/groupdel %g
    # Add User to group Script
    add user to group script = /usr/local/samba/bin/addu2g.sh %u %g
    # Delete user from group script
    delete user from group script = /usr/local/samba/bin/delu2g.sh %u %g

In the useradd script group 513 is domuser and in the machineadd script group 502 is the ntmachine group

I've tried restarting the samba daemon with a higher debug level and I don't get any messages or errors associated with my ntuser trying to use the USRMGR program. I am of course guessing that the problem lies in my samba configuration.

Any suggestions would be much appreciated

TIA
James Niven

-----Original Message-----
From: rruegner [mailto:[EMAIL PROTECTED]
Sent: 30 September 2004 02:14
To: James Niven
Cc: samba list
Subject: Re: [Samba] Samba 3.0, Windows 2k/XP and usrmgr.exe

Hi
[Samba] Moving from Samba 2.2.8 to 3.x
Samba Users:

I work in a Windows 2000 mixed mode environment. Soon they will be switching to 2000 native mode running active directory. Currently I have a samba server that is a member server in a NT domain. When a user from the NT domain attaches to the samba server it automatically creates their account and their home directory share (through a script).

I imagine that I will need to generate a new SID for this machine to be a member of the new domain. Once I upgrade the software from 2.2.8 to 3.x will it behave the same as it did before or do I need to contend with additional configuration changes?

Any assistance would be appreciated either direct or any urls that I can refer to.

Bruce Embrey

Bruce Edward Embrey : Linux Systems Manager
Campus Email Admin / NETREG : UNIX / Linux Administrator
Hood College : [EMAIL PROTECTED] : Phone (301)696-3927
Re: [Samba] Real-time file synchronisation
I've read all answers, but you should do it by distributed file systems. You should try AFS; it's easy to install and works well.

uz.

On Fri, 01-10-2004 at 00:50 +1000, Chris Ricks wrote:

> Hi all!
>
> I'm looking for a method of doing the following, given that I'm taking care of a network with a Samba 3.0.6 box (running Mandrake 10.0) acting as a PDC for about 15 W2K boxes:
>
> - There is a share full of program files and data files on the Samba box
> - These files are currently synchronized at logon - all movement is from the server to the clients via a logon script using XCOPY /D
>
> I want to engineer a solution that would allow updates of the share to have changes propagated out to clients as the share is updated without the users being made aware. Essentially, the software vendor is demanding that everyone run their software from the network share as to ensure consistency, but I hardly think a 300 MB application with 15 MB (!!) executables (about 8 of them) is really suitable for being deployed in that fashion.
>
> All comments appreciated!
>
> Best regards,
> Chris
[Samba] Win2003 ADS member server - almost working, ideas?
I am attempting to install a Samba-3.0.0,1 on FreeBSD 5.2.1-RELEASE server to an existing Windows 2003 Server Active Directory Domain. I've followed Chapter 6 of the HOWTO man to get as far as I have.

    #kinit gooduser --successfully gets a kerberos ticket
    #wbinfo --authenticate=gooduser%goodpassword -- successfully authenticates all user accounts (that I've tested)
    #wbinfo -u yields Error geting Domain Users
    #wbinfo -g yields Error geting Domain Groups

and any user accounts I newly create in AD since joining the Samba3 server as a Domain member are successfully able to authenticate and access the Samba3 server. However, pre-existing AD users are not able to access the Samba3 server. These accounts get an error NT_STATUS_LOGON_FAILURE.

I noted some mention in various places of a quirk requiring the changing of domain passwords to allow something to work - which I've tried to no avail. New AD accounts work fine, pre-existing accounts don't.

Any ideas on how to troubleshoot or fix this quirk would be greatly appreciated.
[Samba] After net rpc vampire of 2000 users admin of user db has problems
Greetings,

I was able to admin users and machines database via usrmgr.exe in a samba3.0.7 + ldap server. I was able to set trusting domains too.

After I vampired my ex-PDC NT server, usrmgr.exe stopped working and the trusting domains stopped being shown.

usrmgr.exe gives the error:

    The tag is invalid. Do you want to select another domain to administer?

And net rpc trustdom list -UAdministrator%passwd gives me:

    Trusted domains list:
    OTHER-DOM S-1-5-21-136393487-307246644-928725530
    Trusting domains list:
    [2004/09/30 16:44:16, 0] utils/net_rpc.c:rpc_trustdom_list(3430)
    Couldn't enumerate accounts. Error was: NT_STATUS_ACCESS_DENIED

Is this a known error between samba and ldap?

Other tools that I use to administer the users database also can't show all imported users. Just about 500. Is this correct?

Any answers will be great.

Gustavo
Re: [Samba] Win2003 ADS member server - almost working, ideas?
BSD Samba wrote:

> I am attempting to install a Samba-3.0.0,1 on FreeBSD 5.2.1-RELEASE server

I'm running 3.0.7 on 5.2.1 and not able to reproduce the problem. Maybe try 3.0.7.

> to an existing Windows 2003 Server Active Directory Domain. I've followed Chapter 6 of the HOWTO man to get as far as I have.
>
>     #kinit gooduser --successfully gets a kerberos ticket
>     #wbinfo --authenticate=gooduser%goodpassword -- successfully authenticates all user accounts (that I've tested)
>     #wbinfo -u yields Error geting Domain Users
>     #wbinfo -g yields Error geting Domain Groups
>
> and any user accounts I newly create in AD since joining the Samba3 server as a Domain member are successfully able to authenticate and access the Samba3 server. However, pre-existing AD users are not able to access the Samba3 server. These accounts get an error NT_STATUS_LOGON_FAILURE.
>
> I noted some mention in various places of a quirk requiring the changing of domain passwords to allow something to work - which I've tried to no avail. New AD accounts work fine, pre-existing accounts don't.
>
> Any ideas on how to troubleshoot or fix this quirk would be greatly appreciated.
Re: [Samba] WINS names intermittently unregister after 5 days
Hi Leon, Realising it isn't quite relevant to your posting, I had trouble sometime ago with our company PDC's WINS record disappearing from the corporate WINS box. Rebooting our PDC would make it appear again. In our case we never did quite resolve the reason (both NT4 boxes) but doing a manual clean on the WINS servers (about 4 of them) fixed it. There was some thought that errant data was being propagated in a circle. What I am getting at here is similar things happen with the M$ product. I'll admit that I don't know how to display the status of the Samba WINS service. If you can figure out how to have a look at the age/timeout of the record and whether any duplicate names have occurred. Do an nbstat on the M$ boxes too to see if any conflicts have occurred. Does using lmhosts (say on the disappearing servers) stop WINS lookups (and hence refreshing) after a while? Just a thought. Might be worthwhile checking whether the four servers in question start as a master browser or not, and whether during an election sends different data to the WINS server. Have a look at the event logs after startup. I have no idea whether this might cause a problem, it is the only thing I could come up with when trying to debug our fix. Apologies for not being much more use on this. Cheers Bob

Leon Stringer wrote:
> Hi, (I posted this question about 6 months ago and never really got anywhere with it so I thought I'd try again.) We're using Samba as a WINS server. Windows servers appear to correctly register themselves and I can look them up e.g. with nmblookup. However some servers lose their registration after 5 days. And it's the same servers, about 4 (of about 25 servers and 200 workstations). I can't find any similarity between these servers, there's one NT 4 server and 3 Win2000 servers with varying service packs. I can get the names to re-register by restarting the server but this registration is again lost after 5 days.
> Does anyone have any experience of this or can suggest any tests to help me troubleshoot? (I realize this problem probably isn't Samba's fault but I can't find any reference to this issue anywhere else). Samba 3.0.4 on RedHat 9.0. Thanks, Leon...
[Samba] Multiple Controllers to auth against
Hello, I am currently using samba alongside squid to do ntlm authentication. I have a primary, and secondary NT4.0 controllers, and have listed in smb.conf as such: password server: server1 server2 I expected that when server1 went down, server2 would be queried next. This was not the case for me. I actually had server1 go down, and samba continued to attempt and fail against server1. How should this be set up? Thanks.
[Samba] Can't add new users
Hi all, I tried to add a new user to a Samba share, I did all the usual: made a Unix account on the Unix server for the user which was the same as the user's Windows UID. Put her name as a valid user for that directory in server:/etc/opt/samba/smb.conf, and stopped and started server:/sbin/init.d/samba server; nothing worked. Interesting observations: 1- After performing the steps described above, I do a server# /opt/samba/bin/testparm and don't even see the new user's name for that particular Samba share. 2- Samba is working fine for all the previously defined users in smb.conf. Many thanks in advance and best regards. Majid Chavoshi Unix System Administrator
Re: [Samba] After net rpc vampire of 2000 users admin of user db has problems
On Thu, 2004-09-30 at 13:05, Gustavo Lima wrote:
> Greetings, I was able to admin users and machines database via usrmgr.exe in a samba3.0.7 + ldap server. I was able to set trusting domains too. After I vampired my ex-PDC NT server usrmgr.exe stopped working and trusting domains stopped being shown. usrmgr.exe gives the error: The tag is invalid. Do you want to select another domain to administer?

I have found the following - If you migrate a domain to samba, promote samba to PDC status, the existing NT4 machine that was the PDC/BDC doesn't work well and in fact, you have to stop netlogon service to use it at all. Yours was the type of error I received when running usrmgr.exe on that machine until I stopped netlogon service. It is also possible that on your LDAP setup, the machine accounts aren't being found by samba/LDAP. User Manager for Domains (usrmgr.exe) does work if you are running it on a computer attached to the domain and current logon has Domain Administrator privileges. If it fails to run, one or both of these issues need to be looked at.

> And net rpc trustdom list -UAdministrator%passwd gives me:
> Trusted domains list: OTHER-DOM S-1-5-21-136393487-307246644-928725530
> Trusting domains list: [2004/09/30 16:44:16, 0] utils/net_rpc.c:rpc_trustdom_list(3430) Couldn't enumerate accounts. Error was: NT_STATUS_ACCESS_DENIED

almost sounds like samba is having trouble querying LDAP.

> Is this a known error between samba and ldap?

NO - things can work well when they work

> Other tools that I use to administer the users database also can't show all imported users. Just about 500. Is this correct?

- don't know what tools you are talking about but getent passwd should give you all of the listings in /etc/passwd first, then all of the contents in LDAP (similar results for getent group). It is possible that you can have limits on a return from ldap query but that is beyond the scope of samba list.

Craig
[Samba] samba printing and disk quotas in Active Directory domain
I've recently made a great deal of progress getting ready to roll out linux workstations in our Windows Active Directory environment. There are a couple of very significant problems I'm stuck with though, one of which is definitely Samba related, and the other which is borderline Samba related. Problem 1 - Printing from Linux to Windows print servers I have read all the documentation I could find on this subject and it appears that CUPS and Samba work fairly well together for this purpose. The problem is that our AD domain is well over 4 users. The only way I see to print to a windows print server is by embedding the username/password combo in a CUPS URI, something like smb://user:[EMAIL PROTECTED]/printersharename. That doesn't work well on a workstation where users are going to be logging in with their Active Directory accounts, via Winbind. It appears to me that even though I am using Kerberos, there's no way to seamlessly pass the credentials used to login, to the print server. Is this a limitation of CUPS or is it a Samba limitation? I thought of writing a script and having a shortcut to it on the desktop to setup printing. The script would prompt users again for credentials to setup a printer, and then setup the printer using lpadmin with the URI format above. Since CUPS and/or Samba handles the username:password combo in the URI in clear text, that's not really a good option though. It states in the Samba documentation that although the URI is sanitized in certain instances, such as logging, the username and password are in clear text in some places, such as the process list. I feel like I must be missing something. It seems odd that if Samba already has Kerberos and AD integration, not being able to seamlessly pass those credentials to Windows machines in the domain for printing, would be a very significant limitation. Has anyone come up with a better way to deal with printing in such an environment? 
Also, I don't have any other options for printing because our university utilizes a printing quota system that must receive the Active Directory credentials (i.e. I can't bypass authentication or use a guest account). Problem 2 - Using quotas for Active Directory accounts I'm using Winbind so that users can login to our Linux workstations with their Active Directory accounts. This works fine but it seems there is no good way to use quotas, partly because of the huge number of users in our environment. This seems to be primarily a quota utilities problem since the utilities don't to my knowledge provide the functionality that I would find most useful. Being able to set a quota for example on all users with a UID greater than X for example, or having a group quota apply to individuals in that group rather than the group as a whole. For example, being able to set a soft limit of 100K for the group Users and having that be the quota for each individual in the group, rather than the quota for all individuals in that group combined. I realize this is certainly a limitation of the quota utilities rather than Samba, but in my opinion it severely limits the use of Winbind in a large enterprise environment. Any suggestions for getting around this issue? Basically I just need a way to set a quota for all 40,000+ users whose accounts exist in Active Directory, not on the Linux workstations. Thanks, Vern
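The exposure raised in the message above (a password embedded in an smb:// printer URI being readable in the process list) can be audited for on a workstation. The following is an added example, not code from the thread, Samba or CUPS; the process listing, account names, hosts and password in it are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Any scheme://... token on a command line (smb://, ipp://, http://, ...).
URI_RE = re.compile(r"[a-z][a-z0-9+.-]*://\S+", re.IGNORECASE)

# Constructed sample in the layout of `ps -eo pid,user,args`; not real data.
SAMPLE_PS = """\
  PID USER     COMMAND
  812 root     /usr/sbin/cupsd
 4120 lp       smb://jdoe:ExamplePass1@PRINTSRV/laser1 42 jdoe report.ps 1
 4121 lp       smb://PRINTSRV/laser2 43 asmith memo.ps 1
 5001 jdoe     lpadmin -p laser1 -v smb://jdoe:ExamplePass1@CAMPUS/PRINTSRV/laser1 -E
 5002 vern     smbclient -L PRINTSRV
"""


def redact(uri):
    """Return (uri_with_password_masked, had_password).

    Only the user:password@ form counts as a finding; a bare user@ carries
    no secret. Passwords containing '/', '?' or '#' end the authority part
    early and are not handled here.
    """
    parts = urlsplit(uri)
    if "@" not in parts.netloc:
        return uri, False
    userinfo, host = parts.netloc.rsplit("@", 1)
    user, sep, password = userinfo.partition(":")
    if not sep or not password:
        return uri, False
    netloc = f"{user}:REDACTED@{host}"
    masked = urlunsplit(
        (parts.scheme, netloc, parts.path, parts.query, parts.fragment)
    )
    return masked, True


def scan_process_list(ps_text):
    """List processes whose arguments contain a URI with an inline password."""
    findings = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        fields = line.split(None, 2)
        if len(fields) < 3:
            continue
        pid, owner, args = fields
        for match in URI_RE.finditer(args):
            masked, had_password = redact(match.group(0))
            if had_password:
                findings.append(
                    {"pid": int(pid), "owner": owner, "uri": masked}
                )
    return findings


def redact_line(line):
    """Mask inline passwords so the line is safe to write to a log."""
    return URI_RE.sub(lambda m: redact(m.group(0))[0], line)


if __name__ == "__main__":
    for finding in scan_process_list(SAMPLE_PS):
        print(finding["pid"], finding["owner"], finding["uri"])
```

On a live system the input would be the output of `ps -eo pid,user,args`; the report itself never contains the password, only the masked URI and the owning process.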
[Samba] name resolution between windows and samba
I've got a simple anonymous read/write samba server with the following configuration:

# Global parameters
[global]
workgroup = MSHOME
netbios name = FILESERVER
security = SHARE
server string = NAS Server
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
[data]
comment = RAID5 Share
path = /data
force user = nobody
force group = nobody
read only = No
guest ok = Yes

On the same network I have a WinXP system (named 'WINXP') and a Win98 system (named 'WIN98') all connected through a Linksys firewall/gateway using DHCP from the Linksys. Everything seems to work fine via windows 'network neighborhood', however I'm having some difficulties understanding what I need for proper name resolution outside of network neighborhood. For example, I wish to be able to drop to a dos box on a windows machine and do a 'telnet fileserver', however 'fileserver' is not resolved. I realize I can edit the hosts file on each windows system but if fileserver has DHCP address this doesn't work. Additionally I wish to be able to 'ping winxp' from the fileserver, but there is no name resolution. Basically, what I do not understand is how to implement netbios to tcp/ip name mapping. Can anyone give me some suggestions or point me to the relevant docs. I've read through a lot of the samba docs, but I do still not understand this aspect. Thanks, Tim
Re: [Samba] After net rpc vampire of 2000 users admin of user db has problems - solution
The solution was to add a parameter to ldap server. sizelimit 4000 Everything works fine now. Thanks. Gustavo
Re: [Samba] Can't add new users
On Thu, 30 Sep 2004 13:49:45 -0700, Majid Chavoshi [EMAIL PROTECTED] wrote:
> Hi all, I tried to add a new user to a Samba share, I did all the usual: made a Unix account on the Unix server for the user which was the same as the user's Windows UID. Put her name as a valid user for that directory in server:/etc/opt/samba/smb.conf, and stopped and started server:/sbin/init.d/samba server; nothing worked. Interesting observations: 1- After performing the steps described above, I do a server# /opt/samba/bin/testparm and don't even see the new user's name for that particular Samba share. 2- Samba is working fine for all the previously defined users in smb.conf. Many thanks in advance and best regards. Majid Chavoshi

Does id username work? If that's the case, sounds like you have multiple smb.conf files. Do testparm /path/to/smb.conf. Make sure your /etc/init.d/smb points to the correct smb.conf file. Yang
RE: [Samba] Can't add new users
I believe in addition to a Unix account, each user also needs to be entered as a SAMBA user. The smbpasswd file shows the SAMBA users along with their encrypted passwords. To add a SAMBA user: smbpasswd [userid] You'll be prompted to enter a password for the new user and then to confirm it. That should do it. I'll guess that viewing the file smbpasswd right now, you'll see the users listed there that do already work with the SAMBA shares... Hope this helps, Steve

Steven R. Bryant - Network Manager Henderson, Daily, Withrow DeVoe Indianapolis, IN (317) 639-4121

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Majid Chavoshi Sent: Thursday, September 30, 2004 3:50 PM To: '[EMAIL PROTECTED]' Cc: Majid Chavoshi Subject: [Samba] Can't add new users
> Hi all, I tried to add a new user to a Samba share, I did all the usual: made a Unix account on the Unix server for the user which was the same as the user's Windows UID. Put her name as a valid user for that directory in server:/etc/opt/samba/smb.conf, and stopped and started server:/sbin/init.d/samba server; nothing worked. Interesting observations: 1- After performing the steps described above, I do a server# /opt/samba/bin/testparm and don't even see the new user's name for that particular Samba share. 2- Samba is working fine for all the previously defined users in smb.conf. Many thanks in advance and best regards. Majid Chavoshi Unix System Administrator
Re: [Samba] passwd syncing?
What about NTLM authentication, Active Directory, OpenLDAP, and MySQL all can be used as passwd backends. (please add more if I missed any). Yang

On Thu, 30 Sep 2004 07:16:53 -0700, James [EMAIL PROTECTED] wrote:
> Can Samba provide a central service for mapping or syncing username and password across different applications for example AD users accounts and Lotus Notes ClientID's ... (something just shy of a metadirectory service) I've used Samba in a past life to do something similar and it sounds like Samba has matured significantly. any thoughts ... or am I hunting down the wrong hole -james
Re: [Samba] Win2003 ADS member server - almost working, ideas?
Are you sure winbind is running? Yang

On Thu, 30 Sep 2004 12:58:03 -0700 (PDT), BSD Samba [EMAIL PROTECTED] wrote:
> I am attempting to install a Samba-3.0.0,1 on FreeBSD 5.2.1-RELEASE server to an existing Windows 2003 Server Active Directory Domain. I've followed Chapter 6 of the HOWTO man to get as far as I have.
> #kinit gooduser --successfully gets a kerberos ticket
> #wbinfo --authenticate=gooduser%goodpassword -- successfully authenticates all user accounts (that I've tested)
> #wbinfo -u yields Error geting Domain Users
> #wbinfo -g yields Error geting Domain Groups
> and any user accounts I newly create in AD since joining the Samba3 server as a Domain member are successfully able to authenticate and access the Samba3 server. However, pre-existing AD users are not able to access the Samba3 server. These accounts get an error NT_STATUS_LOGON_FAILURE. I noted some mention in various places of a quirk requiring the changing of domain passwords to allow something to work - which I've tried to no avail. New AD accounts work fine, pre-existing accounts don't. Any ideas on how to troubleshoot or fix this quirk would be greatly appreciated.
[Samba] winbind apache htaccess
hello all, I'm sorry if this is the wrong list to address this topic. if this is the case, I'd appreciate a pointer to the right list. I'd like to be able to restrict access to apache dirs with an .htaccess file. instead of using the local linux user.group database, I'd like to use our Active Directory user account. I was able to get this to work through the use of mod_auth_kerb, but have since learned that there is no support for NT groups with this method. Poking around the internet has led me to winbind. I'd like to use something similar to the 'require group' directive in an .htaccess file. The required group will exist in Active Directory. For example, In Active Directory, we have a group named CVS-DEVS. We'd like only the members of CVS-DEVS to be able to authenticate to the apache site protected by the .htaccess file. As far as I can tell, this is possible, though I haven't been able to find enough specific information on how to install / configure such an environment. I'm hoping someone here would be so kind as to point me in the right direction of more information, or the appropriate forum to address such a topic. all flames, advice, experiences, ideas welcome. thanks. e-
RE: [Samba] Real-time file synchronisation
Hmm. I can appreciate that AFS is an excellent technology, but I'm a bit confused as to you suggesting it, given that we're dealing with Windows boxes on the client side. Could you point me to some info that gives an example of the solution you're recommending? Best regards, Chris

From: Umberto Zanatta [mailto:[EMAIL PROTECTED] Sent: Friday, 1 October 2004 5:01 AM To: Chris Ricks Cc: [EMAIL PROTECTED] Subject: Re: [Samba] Real-time file synchronisation
> I've read all answers, but you should do it by distributed file systems. You should try AFS; it's easy to install and works well. uz.
>
> On Fri, 01-10-2004 at 00:50 +1000, Chris Ricks wrote:
> > Hi all! I'm looking for a method of doing the following, given that I'm taking care of a network with a Samba 3.0.6 box (running Mandrake 10.0) acting as a PDC for about 15 W2K boxes:
> > - There is a share full of program files and data files on the Samba box
> > - These files are currently synchronized at logon - all movement is from the server to the clients via a logon script using XCOPY /D
> > I want to engineer a solution that would allow updates of the share to have changes propagated out to clients as the share is updated without the users being made aware. Essentially, the software vendor is demanding that everyone run their software from the network share as to ensure consistency, but I hardly think a 300 MB application with 15 MB (!!) executables (about 8 of them) is really suitable for being deployed in that fashion. All comments appreciated! Best regards, Chris
[Samba] Renamed Samba Domain, now machine accounts fail
Hello Everyone, Situation: I have been testing Samba-3.07 for its NT4 domain functionality so that I can migrate from Samba-2.2. I had set up the Samba domain and everything was working quite well. I had initially been working with a domain called TEST. Now that I am finished with my initial testing, I wanted to rename the domain to something I would be able to keep. After changing workgroup = test to workgroup = interact, many problems followed. Obviously doing this causes problems with the SID, and any machine accounts that are attached to this domain. I have since removed all system accounts, but I cannot log in to the domain. When trying to add a machine to the domain, everything seems to be working. The machine account gets added to the passwd file and the smbpasswd file, and the workstation reports that it joined the domain successfully. After a reboot, when trying to log in, I get the error The system cannot log you on to this domain because the system's computer account in its primary domain is missing or the password on that account is correct. I have monitored what happens when the workstation adds itself to the domain, and the machine account is getting added at that time. Do I have a problem with my SID? I don't have an existing SID that I care about, so if I want to reset the SID to something else ... what should I set it to? 
System Info: FreeBSD-4.9 using NIS Samba-3.0.7 (from source, not ports)

smb.conf

[global]
# Main Server Options
netbios name = zeus
workgroup = interact
domain master = yes
local master = yes
preferred master = yes
os level = 240
dns proxy = no
security = user
passdb backend = smbpasswdroot = administratorrestrict anonymous = 2
domain logons = yes
logon path = \\%L\profiles\%U
logon script = %U.bat
logon drive = U:
root preexec = /usr/local/scripts/genlogon.pl %U %G %L
# Script Options
passwd program = /usr/bin/passwd %u
passwd chat = *New*password*%n\n*Retype*New*Password*%n\n
add user script = /usr/sbin/pw useradd %u -c %u -d /u1/%u -g 200 -m -w no -s /bin/date -Y
add group script = /usr/sbin/pw groupadd %g -Y
add machine script = /usr/sbin/pw useradd %u -c workstation -d /dev/null -g 150 -s /bin/false -Y
delete group script = /usr/sbin/pw groupdel %g -Y
# TODO add wrapper to remove nis samba passwd
; delete user script = /usr/sbin/pw userdel %u -Y
; delete user script = /usr/local/samba/sbin/smbpasswd -x %u
; add user to group script?
; delete user from group script?
server string = Zeus - PDC
interfaces = 10.10.8.28
hosts allow = 127. 10.10.8.
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
log file = /var/log/samba/log.%m
max log size = 50
time server = yes
load printers = no
; printcap name = /etc/printcap
; printing = cups
# Share Definitions ==
[netlogon]
path = /STORAGE/netlogon
writable = no
browsable = no
write list = @domainadmin @wheel
[profiles]
path = /STORAGE/ntprofiles
read only = no
browseable = no
create mask = 0600
directory mask = 0700

Any help would be greatly appreciated. -- Zack Lawson Network Administrator @ [EMAIL PROTECTED], Inc. www.interactivate.com
RE: [Samba] Can't add new users
During Samba installation, by logging in as a NT admin with the password given on the command line, I think we avoid using this file. Please see below:
mecca:/opt/samba/bin # ./smbpasswd chrisg
New SMB password:
Retype new SMB password:
Failed to find entry for user chrisg.
Failed to modify password entry for user chrisg
mecca:/opt/samba/bin #
Regards, Majid Chavoshi Unix System Administrator

-----Original Message----- From: Bryant, Steven R. [mailto:[EMAIL PROTECTED] Sent: Thursday, September 30, 2004 2:37 PM To: Majid Chavoshi; [EMAIL PROTECTED] Subject: RE: [Samba] Can't add new users
> I believe in addition to a Unix account, each user also needs to be entered as a SAMBA user. The smbpasswd file shows the SAMBA users along with their encrypted passwords. To add a SAMBA user: smbpasswd [userid] You'll be prompted to enter a password for the new user and then to confirm it. That should do it. I'll guess that viewing the file smbpasswd right now, you'll see the users listed there that do already work with the SAMBA shares... Hope this helps, Steve
> Steven R. Bryant - Network Manager Henderson, Daily, Withrow DeVoe Indianapolis, IN (317) 639-4121
>
> -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Majid Chavoshi Sent: Thursday, September 30, 2004 3:50 PM To: '[EMAIL PROTECTED]' Cc: Majid Chavoshi Subject: [Samba] Can't add new users
> > Hi all, I tried to add a new user to a Samba share, I did all the usual: made a Unix account on the Unix server for the user which was the same as the user's Windows UID. Put her name as a valid user for that directory in server:/etc/opt/samba/smb.conf, and stopped and started server:/sbin/init.d/samba server; nothing worked.
> > Interesting observations: 1- After performing the steps described above, I do a server# /opt/samba/bin/testparm and don't even see the new user's name for that particular Samba share. 2- Samba is working fine for all the previously defined users in smb.conf. Many thanks in advance and best regards. Majid Chavoshi Unix System Administrator
[Samba] directory permissions invisible
I'm running Samba 3.0.7; I cannot see the permissions on directories on the server (right-click on directory, select Properties, select Security). None of the names listed show any checks on Allow or Deny. Yet, if I check them myself, and Apply, the unix permissions on the folder are changed, but they are still not visible to Windows. I can see permissions on files, though, and on folders on non-Samba servers. Hugh -- Hugh Caley | Unix Systems Administrator | CIS AFFYMETRIX, INC. | 6550 Vallejo St. Ste 100 | Emeryville, CA 94608 Tel: 510-428-8537 | [EMAIL PROTECTED]
[Samba] Heimdal Version Question
We would like to build a SuSE Professional 8.2 box as a Domain Member Server in a Windows 2000 Active Directory domain, and we are referencing Chapter 9.3.3 of Samba3-By-Example. The version of heimdal supplied with SuSE 8.2 is 0.4e. S3BE references heimdal version 0.6 plus patches. Since SuSE often backports fixes from later versions of products into older versions, the question is: will the 0.4e heimdal rpms supplied with SuSE 8.2 work with Samba 3.0.7 in this configuration? TIA, Mark -- A Message From... L. Mark Stone Reliable Networks of Maine, LLC 477 Congress Street Portland, ME 04101 Tel: (207) 772-5678 Web: www.RNoME.com
Re: [Samba] Heimdal Version Question
L. Mark Stone wrote:
> We would like to build a SuSE Professional 8.2 box as a Domain Member Server in a Windows 2000 Active Directory domain, and we are referencing Chapter 9.3.3 of Samba3-By-Example. The version of heimdal supplied with SuSE 8.2 is 0.4e. S3BE references heimdal version 0.6 plus patches. Since SuSE often backports fixes from later versions of products into older versions, the question is: will the 0.4e heimdal rpms supplied with SuSE 8.2 work with Samba 3.0.7 in this configuration?

All my research suggests no. Heimdal 0.6 is necessary. However, I have no idea what SuSE has in its RPM's.

> TIA, Mark
[Samba] Samba Session Error
Hi, I'm seeing the following error when I tried to access shared home folder on samba.

[2004/09/30 11:35:30, 0] auth/pampass.c:smb_pam_error_handler(73)
  smb_pam_error_handler: PAM: session setup failed : Permission denied
[2004/09/30 11:35:30, 1] smbd/session.c:session_claim(124)
  pam_session rejected the session for ARKDOM/nzhang [smb/1769/100]
[2004/09/30 11:35:30, 1] smbd/password.c:register_vuid(248)
  Failed to claim session for vuid=100

Everything seems to be fine though. Googling does give me anything. I'm using LM10.0 with 3.0.2a. Could someone please give me some pointers? Regards, Norman

# wbinfo -t
checking the trust secret via RPC calls succeeded
# wbinfo -g
Domain Admins
Domain Guests
Domain Users
# wbinfo -u
arkonmailadmin domainadmin ekwong Guest nzhang sxu
# getent passwd nzhang
nzhang:x:10009:10006::/home/ARKDOM/nzhang:/bin/bash

[global]
workgroup = ARKDOM
server string = Samba Server %v
security = DOMAIN
obey pam restrictions = Yes
password server = EXCH5
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
os level = 18
preferred master = No
local master = No
domain master = No
dns proxy = No
ldap ssl = no
idmap uid = 15000-2
idmap gid = 15000-2
template shell = /bin/bash
winbind separator = /
winbind use default domain = Yes
[homes]
comment = Home Folders
path = %H
read only = No
browseable = No
[Samba] samba 3.0.7 + OpenLDAP + smbldap-tools-0.8.5
Hello! I have some problems using samba 3.0.7 with OpenLDAP and smbldap-tools-0.8.5 on FreeBSD 5.2.1. I've installed samba 3.0.7 from the ports and can join xp workstations without a problem. When a normal LDAP user logs on the machine, he/she cannot install the printer. An Administrator can install the printer without a problem and can print. I looked at the stations log file and found the following messages repeating a few times:
[2004/10/01 03:24:05, 0] lib/smbldap.c:smbldap_open(818) ~ smbldap_open: cannot access LDAP when not root..
[2004/10/01 03:24:05, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1873) ~ ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (Timed out)
Do you have any suggestions? I googled the messages and found out that these errors should have been solved since samba 3.0.2. ... :-( nice greetings, Andi -- Andi Limberger Limberger Handelsges.m.b.H. Schmiedgasse 16 A-4822 Bad Goisern Tel: 0664 - 1437614 Fax: 06135 - 7978
[Samba] Samba Upgrade
Hi guys!

I have a samba 3.0.5pre1 installed in my system and using openldap 2.2.13 and it's working OK except for the annoying desktop.ini popping up every time an ordinary logs on. Now what I want is to upgrade Samba to a stable release like 3.0.7, but I'm worried that there may be issues that I should be aware of. I'm asking anyone who may provide with the specifics on how to go about the upgrade process and the things that should consider.

Thanks in advance
Jan
[Samba] Re: winbind stops responding
And please try wbinfo -t or -p too.

Cheers
xBadung

Hamish wrote:

Have you tried stopping nscd? I know it causes problems with winbind

Borut Kurnik wrote:

Hi! Winbind occasionally stops responding. Both winbind processes are still there, but e.g. wbinfo -u returns Error looking up domain users. I've got to restart winbindd to reactivate it again. Nothing in log.winbindd.

SuSE SLES-8 (fully updated)
samba3-3.0.7-13
winbind cache time = 180

Please, if You have any hints, ...

Thanks,
Borut
RE: [Samba] Real-time file synchronisation
The OpenAFS windows client has finally gotten stable in the past year. My department here uses the AFS client on windows rather extensively. I experimented a while ago with software distribution of a large windows application (Pro/Engineer) over AFS with pretty good results. So, you get the same local caching benefits that unix clients get for software distribution. Another major benefit is that cache invalidation only happens when you release a new version to the read-only replicas. Plus, clients automatically load-balance across all fileservers containing the read-only volume replicas they're looking for.

Regards,
Tom Keiser
[EMAIL PROTECTED]

On Fri, 1 Oct 2004, Chris Ricks wrote:

Hmm. I can appreciate that AFS is an excellent technology, but I'm a bit confused as to you suggesting it, given that we're dealing with Windows boxes on the client side. Could you point me to some info that gives an example of the solution you're recommending?

Best regards,
Chris

From: Umberto Zanatta [mailto:[EMAIL PROTECTED]
Sent: Friday, 1 October 2004 5:01 AM
To: Chris Ricks
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] Real-time file synchronisation

I've read all answers, but you should do it by distributed file systems. You should try AFS; it's easy to install and works well.

uz.

On Fri, 01-10-2004 at 00:50 +1000, Chris Ricks wrote:

Hi all!

I'm looking for a method of doing the following, given that I'm taking care of a network with a Samba 3.0.6 box (running Mandrake 10.0) acting as a PDC for about 15 W2K boxes:

- There is a share full of program files and data files on the Samba box
- These files are currently synchronized at logon - all movement is from the server to the clients via a logon script using XCOPY /D

I want to engineer a solution that would allow updates of the share to have changes propagated out to clients as the share is updated without the users being made aware.

Essentially, the software vendor is demanding that everyone run their software from the network share as to ensure consistency, but I hardly think a 300 MB application with 15 MB (!!) executables (about 8 of them) is really suitable for being deployed in that fashion.

All comments appreciated!

Best regards,
Chris
svn commit: samba-web r362 - in trunk: .
Author: jerry Date: 2004-09-30 13:08:21 + (Thu, 30 Sep 2004) New Revision: 362 WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=samba-webpath=/trunkrev=362nolog=1 Log: fixing typo Modified: trunk/index.html Changeset: Modified: trunk/index.html === --- trunk/index.html2004-09-30 13:04:52 UTC (rev 361) +++ trunk/index.html2004-09-30 13:08:21 UTC (rev 362) @@ -38,7 +38,7 @@ no guarantees. But the 3.1 tree will also has some new experimental features that may entice you to take a look (we hope)./p -p(a href=/samba/ftp/unstable/WHATSNEW-3-1-0.txt...more release notes/a)./p +p(a href=/samba/ftp/unstable/WHATSNEW-3-1-0.txt...more release notes/a)./p pThe a href=/samba/ftp/unstable/samba-3.1.0.tar.gzSamba 3.1.0 source code/a can be downloaded now. The a href=/samba/ftp/unstable/samba-3.1.0.tar.ascGnuPG
svn commit: samba r2757 - in branches/SAMBA_4_0/source/ldap_server: .
Author: metze Date: 2004-09-30 13:29:27 + (Thu, 30 Sep 2004) New Revision: 2757 WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=sambapath=/branches/SAMBA_4_0/source/ldap_serverrev=2757nolog=1 Log: some minor fixes metze Modified: branches/SAMBA_4_0/source/ldap_server/ldap_simple_ldb.c Changeset: Modified: branches/SAMBA_4_0/source/ldap_server/ldap_simple_ldb.c === --- branches/SAMBA_4_0/source/ldap_server/ldap_simple_ldb.c 2004-09-30 01:04:58 UTC (rev 2756) +++ branches/SAMBA_4_0/source/ldap_server/ldap_simple_ldb.c 2004-09-30 13:29:27 UTC (rev 2757) @@ -40,7 +40,7 @@ */ static char *sldb_fix_dn(const char *dn) { - char *new_dn, *n, *current; + char *new_dn; int i, j, k; /* alloc enough room to host the whole dn as multibyte string */ @@ -333,8 +333,6 @@ ldb_set_alloc(ldb, talloc_ldb_alloc, samdb); ldb_ret = ldb_delete(ldb, dn); - errstr = ldb_errstring(ldb); - del_reply = ldapsrv_init_reply(call, LDAP_TAG_DelResponse); ALLOC_CHECK(del_reply);
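Review bot: in the second hunk (around line 333), dropping `errstr = ldb_errstring(ldb);` right after `ldb_delete(ldb, dn)` is only safe if nothing further down the delete path still reads errstr; please confirm the DelResponse no longer uses it, otherwise the reply would be built from a pointer that is never set. If the intent is to stop returning the ldb error string to the client, say so in the log, since "some minor fixes" does not explain either hunk. In the first hunk, `n` and `current` are removed from sldb_fix_dn but `int i, j, k;` stays; worth checking that all three counters are still used.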
svn commit: samba-web r363 - in trunk: . news/releases
Author: deryck Date: 2004-09-30 13:43:33 + (Thu, 30 Sep 2004) New Revision: 363 WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=samba-webpath=/trunkrev=363nolog=1 Log: Add security announcement to news, and fix html and typos on the main samba.org page. --deryck Added: trunk/news/releases/security_2.2.12.html Modified: trunk/index.html Changeset: Modified: trunk/index.html === --- trunk/index.html2004-09-30 13:08:21 UTC (rev 362) +++ trunk/index.html2004-09-30 13:43:33 UTC (rev 363) @@ -12,15 +12,15 @@ h4a30 September 2004/a/h4 p class=headlineSecurity Notice -- CVE CAN-2004-0815/p -pA security vulnerability has been located in Samba 2.2.x = 2.2.11 - and Samba 3.0.x = 3.0.5. A remote attacker may be able to gain access - to files which exist outside of the share's defined path. Such files - must still be readable by the account used for the connection./p +pA security vulnerability has been located in Samba 2.2.x lt;= 2.2.11 +and Samba 3.0.x lt;= 3.0.5. A remote attacker may be able to gain +access to files which exist outside of the share's defined path. Such +files must still be readable by the account used for the connection./p pa href=/samba/ftp/samba-2.2.12.tar.gzSamba 2.2.12/a (a href=/samba/ftp/samba-2.2.12.tar.ascsignature/a) has been released to address this issue in the 2.2.x release series. A a href=/samba/ftp/patches/security/samba-3.0.5-reduce_name.patchpatch - for Samba 3.0.5 and earlieri/a (a href=/samba/ftp/patches/security/samba-3.0.5-reduce_name.patch.ascsignature/a) + for Samba 3.0.5 and earlier/a (a href=/samba/ftp/patches/security/samba-3.0.5-reduce_name.patch.ascsignature/a) is available as well./p Added: trunk/news/releases/security_2.2.12.html === --- trunk/news/releases/security_2.2.12.html2004-09-30 13:08:21 UTC (rev 362) +++ trunk/news/releases/security_2.2.12.html2004-09-30 13:43:33 UTC (rev 363) 
@@ -0,0 +1,13 @@ +h3a name=security_2.2.12Security Notice -- CVE CAN-2004-0815/a/h3 + +div class=article +pA security vulnerability has been located in Samba 2.2.x lt;= 2.2.11 and Samba 3.0.x lt;= 3.0.5. A remote attacker may be able to gain access to files which exist outside of the share's defined path. Such files must still be readable by the account used for the connection./p + +pa href=/samba/ftp/samba-2.2.12.tar.gzSamba 2.2.12/a (a href=/samba/ftp/samba-2.2.12.tar.ascsignature/a) + has been released to address this issue in the 2.2.x release series. A + a href=/samba/ftp/patches/security/samba-3.0.5-reduce_name.patchpatch + for Samba 3.0.5 and earlier/a (a href=/samba/ftp/patches/security/samba-3.0.5-reduce_name.patch.ascsignature/a) + is available as well. +/div + + Property changes on: trunk/news/releases/security_2.2.12.html ___ Name: svn:executable + *
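Review bot: the new file trunk/news/releases/security_2.2.12.html is added with the svn:executable property set (see the property change at the end of the patch); a static HTML page should not carry the executable bit, so remove the property before this goes live. In the same file the second paragraph is never closed: it ends with "is available as well." followed directly by the closing div, while the matching paragraph in trunk/index.html ends with its closing p tag. The notice text is also now duplicated between index.html and the new file, so a later correction to the affected-version range has to be made in two places.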
svn commit: samba-web r364 - in trunk: . history
Author: deryck Date: 2004-09-30 14:46:26 + (Thu, 30 Sep 2004) New Revision: 364 WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=samba-webpath=/trunkrev=364nolog=1 Log: Update 2.2.12 info in history and stable release sections. --deryck Modified: trunk/header2.html trunk/history/header_history.html Changeset: Modified: trunk/header2.html === --- trunk/header2.html 2004-09-30 13:43:33 UTC (rev 363) +++ trunk/header2.html 2004-09-30 14:46:26 UTC (rev 364) @@ -141,10 +141,10 @@ /ul ul -lia href=/samba/ftp/old-versions/samba-2.2.11.tar.gzSamba 2.2.11 +lia href=/samba/ftp/samba-2.2.12.tar.gzSamba 2.2.12 (gzipped)/a/li -lia href=/samba/history/samba-2.2.11.htmlRelease Notes/a/li -lia href=/samba/ftp/old-versions/samba-2.2.11.tar.ascSignature/a/li +lia href=/samba/history/samba-2.2.12.htmlRelease Notes/a/li +lia href=/samba/ftp/samba-2.2.12.tar.ascSignature/a/li /ul pa href=/samba/history/Release History/a/p Modified: trunk/history/header_history.html === --- trunk/history/header_history.html 2004-09-30 13:43:33 UTC (rev 363) +++ trunk/history/header_history.html 2004-09-30 14:46:26 UTC (rev 364) @@ -93,6 +93,8 @@ lia href=samba-3.0.2.htmlsamba-3.0.2.html/a/li lia href=samba-3.0.1.htmlsamba-3.0.1.html/a/li lia href=samba-3.0.0.htmlsamba-3.0.0.html/a/li +lia href=samba-2.2.12.htmlsamba-2.2.12.html/a/li +lia href=samba-2.2.11.htmlsamba-2.2.11.html/a/li lia href=samba-2.2.10.htmlsamba-2.2.10.html/a/li lia href=samba-2.2.9.htmlsamba-2.2.9.html/a/li lia href=samba-2.2.8a.htmlsamba-2.2.8a.html/a/li
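Review bot: both hunks link to samba-2.2.12.html release notes (`/samba/history/samba-2.2.12.html` in header2.html, `samba-2.2.12.html` in header_history.html), but the commit only modifies the two header files; please confirm that page already exists, otherwise the security release links to a missing page. The header_history.html hunk also adds a samba-2.2.11.html entry that the log message does not mention; note it in the log if it was a missing entry being backfilled.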
svn commit: samba r2758 - in branches/SAMBA_4_0/source/ldap_server: . devdocs
Author: idra
Date: 2004-09-30 16:08:09 + (Thu, 30 Sep 2004)
New Revision: 2758

WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=samba&path=/branches/SAMBA_4_0/source/ldap_server&rev=2758&nolog=1

Log:
keep docos handy while developing it

Added:
   branches/SAMBA_4_0/source/ldap_server/devdocs/
   branches/SAMBA_4_0/source/ldap_server/devdocs/rfc2252.txt
   branches/SAMBA_4_0/source/ldap_server/devdocs/rfc2253.txt
   branches/SAMBA_4_0/source/ldap_server/devdocs/rfc2254.txt
   branches/SAMBA_4_0/source/ldap_server/devdocs/rfc2255.txt
   branches/SAMBA_4_0/source/ldap_server/devdocs/rfc2256.txt
   branches/SAMBA_4_0/source/ldap_server/devdocs/rfc2307.txt

Changeset:
Sorry, the patch is too large (5709 lines) to include; please use WebSVN to see it!
svn commit: samba-web r365 - in trunk/history: .
Author: deryck Date: 2004-09-30 21:19:31 + (Thu, 30 Sep 2004) New Revision: 365 WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=samba-webpath=/trunk/historyrev=365nolog=1 Log: Add today's security release to security page. --deryck Modified: trunk/history/security.html Changeset: Modified: trunk/history/security.html === --- trunk/history/security.html 2004-09-30 14:46:26 UTC (rev 364) +++ trunk/history/security.html 2004-09-30 21:19:31 UTC (rev 365) @@ -21,6 +21,16 @@ tdemComplete Release Notes/em/td /tr +tr +td30 September 2004/td +tda href=/samba/ftp/samba-2.2.12.tar.gzSamba 2.2.12/a and/or a href=/samba/ftp/patches/security/samba-3.0.5-reduce_name.patchpatch for lt;#61;Samba 3.0.5/a +tdPotential arbitrary file access/td +tdSamba 2.2.x lt;#61;2.2.11 and Samba 3.0.x lt;#61;3.0.5/td +tda href=http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0815;CAN-2004-0815/a/td +tda href=/samba/history/samba-2.2.12.htmlRelease Notes/a/td +/tr + + tr td13 Sept 2004/td tda href=/samba/ftp/patches/security/samba-3.0.5-DoS.patch3.0.5 patch/a/td
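Review bot: in the added table row, the first link cell is never closed: the line ending "patch for <=Samba 3.0.5" runs straight into the next td ("Potential arbitrary file access") without a closing td, unlike every other cell in the row. The CVE link also has a stray semicolon at the end of the href (`cvename.cgi?name=CAN-2004-0815;`), which becomes part of the query value; remove it so the link resolves to the advisory. Minor: the "<=" here is written with a numeric entity for the equals sign, while the r363 notice uses a plain "="; pick one form for consistency.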
svn commit: samba r2759 - branches/SAMBA_3_0/source branches/SAMBA_3_0/source/nsswitch trunk/source trunk/source/nsswitch
Author: tpot Date: 2004-10-01 02:57:10 + (Fri, 01 Oct 2004) New Revision: 2759 WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=sambapath=/rev=2759nolog=1 Log: Fix for winbindd on AIX 5.1. Apparently it doesn't have as many methods in struct secmethod_table as AIX 5.2. Patch from The Written Word. Modified: branches/SAMBA_3_0/source/configure.in branches/SAMBA_3_0/source/nsswitch/winbind_nss_aix.c trunk/source/configure.in trunk/source/nsswitch/winbind_nss_aix.c Changeset: Modified: branches/SAMBA_3_0/source/configure.in === --- branches/SAMBA_3_0/source/configure.in 2004-09-30 16:08:09 UTC (rev 2758) +++ branches/SAMBA_3_0/source/configure.in 2004-10-01 02:57:10 UTC (rev 2759) @@ -4291,6 +4291,14 @@ AC_DEFINE(HAVE_PASSWD_PW_AGE, 1, [Defined if struct passwd has pw_age field]),, [#include pwd.h]) +# AIX 4.3.x and 5.1 do not have as many members in +# struct secmethod_table as AIX 5.2 +AC_CHECK_MEMBERS([struct secmethod_table.method_attrlist], , , + [#include usersec.h]) +AC_CHECK_MEMBERS([struct secmethod_table.method_version], , , + [#include usersec.h]) + + # # Check to see if we should use the included popt Modified: branches/SAMBA_3_0/source/nsswitch/winbind_nss_aix.c === --- branches/SAMBA_3_0/source/nsswitch/winbind_nss_aix.c2004-09-30 16:08:09 UTC (rev 2758) +++ branches/SAMBA_3_0/source/nsswitch/winbind_nss_aix.c2004-10-01 02:57:10 UTC (rev 2759) @@ -741,6 +741,7 @@ return; } +#ifdef HAVE_STRUCT_SECMETHOD_TABLE_METHOD_ATTRLIST /* return a list of additional attributes supported by the backend */ @@ -764,6 +765,7 @@ return ret; } +#endif /* @@ -977,7 +979,9 @@ { ZERO_STRUCTP(methods); +#ifdef HAVE_STRUCT_SECMETHOD_TABLE_METHOD_VERSION methods-method_version = SECMETHOD_VERSION_520; +#endif methods-method_getgrgid = wb_aix_getgrgid; methods-method_getgrnam = wb_aix_getgrnam; 
@@ -997,7 +1001,9 @@ methods-method_passwdrestrictions = wb_aix_passwdrestrictions; methods-method_getgracct = wb_aix_getgracct; methods-method_getgrusers = wb_aix_getgrusers; +#ifdef HAVE_STRUCT_SECMETHOD_TABLE_METHOD_ATTRLIST methods-method_attrlist = wb_aix_attrlist; +#endif #if LOG_UNIMPLEMENTED_CALLS methods-method_delgroup = method_delgroup; Modified: trunk/source/configure.in === --- trunk/source/configure.in 2004-09-30 16:08:09 UTC (rev 2758) +++ trunk/source/configure.in 2004-10-01 02:57:10 UTC (rev 2759) @@ -4297,6 +4297,14 @@ AC_DEFINE(HAVE_PASSWD_PW_AGE, 1, [Defined if struct passwd has pw_age field]),, [#include pwd.h]) +# AIX 4.3.x and 5.1 do not have as many members in +# struct secmethod_table as AIX 5.2 +AC_CHECK_MEMBERS([struct secmethod_table.method_attrlist], , , + [#include usersec.h]) +AC_CHECK_MEMBERS([struct secmethod_table.method_version], , , + [#include usersec.h]) + + # # Check to see if we should use the included popt Modified: trunk/source/nsswitch/winbind_nss_aix.c === --- trunk/source/nsswitch/winbind_nss_aix.c 2004-09-30 16:08:09 UTC (rev 2758) +++ trunk/source/nsswitch/winbind_nss_aix.c 2004-10-01 02:57:10 UTC (rev 2759) @@ -741,6 +741,7 @@ return; } +#ifdef HAVE_STRUCT_SECMETHOD_TABLE_METHOD_ATTRLIST /* return a list of additional attributes supported by the backend */ @@ -764,6 +765,7 @@ return ret; } +#endif /* @@ -977,7 +979,9 @@ { ZERO_STRUCTP(methods); +#ifdef HAVE_STRUCT_SECMETHOD_TABLE_METHOD_VERSION methods-method_version = SECMETHOD_VERSION_520; +#endif methods-method_getgrgid = wb_aix_getgrgid; methods-method_getgrnam = wb_aix_getgrnam; @@ -997,7 +1001,9 @@ methods-method_passwdrestrictions = wb_aix_passwdrestrictions; methods-method_getgracct = wb_aix_getgracct; methods-method_getgrusers = wb_aix_getgrusers; +#ifdef HAVE_STRUCT_SECMETHOD_TABLE_METHOD_ATTRLIST methods-method_attrlist = wb_aix_attrlist; +#endif #if LOG_UNIMPLEMENTED_CALLS methods-method_delgroup = method_delgroup;
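Review bot: the `#endif` lines added in winbind_nss_aix.c (after `return ret;` near line 765 and in the two method-table hunks) are bare; since the first guard spans a whole function and its comment block, please annotate them with the macro they close, e.g. `#endif /* HAVE_STRUCT_SECMETHOD_TABLE_METHOD_ATTRLIST */`. In configure.in the two `AC_CHECK_MEMBERS` calls take the same include and can be one call with both members listed. The configure comment says "AIX 4.3.x and 5.1" while the log only mentions 5.1; align the log or the comment so it is clear which releases were actually tested. The same patch is applied verbatim to branches/SAMBA_3_0 and trunk, so these comments apply to both copies.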
svn commit: samba r2760 - branches/SAMBA_3_0/source/nsswitch trunk/source/nsswitch
Author: tpot Date: 2004-10-01 02:59:43 + (Fri, 01 Oct 2004) New Revision: 2760 WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=sambapath=/rev=2760nolog=1 Log: Another patch from The Written Word. Don't declare function prototypes inside a function. Bugzilla #1762. Modified: branches/SAMBA_3_0/source/nsswitch/winbind_nss_aix.c trunk/source/nsswitch/winbind_nss_aix.c Changeset: Modified: branches/SAMBA_3_0/source/nsswitch/winbind_nss_aix.c === --- branches/SAMBA_3_0/source/nsswitch/winbind_nss_aix.c2004-10-01 02:57:10 UTC (rev 2759) +++ branches/SAMBA_3_0/source/nsswitch/winbind_nss_aix.c2004-10-01 02:59:43 UTC (rev 2760) @@ -159,12 +159,13 @@ return id; } +static struct passwd *wb_aix_getpwuid(uid_t uid); + static char *decode_user(const char *name) { struct passwd *pwd; unsigned id; char *ret; - static struct passwd *wb_aix_getpwuid(uid_t uid); sscanf(name+1, %u, id); pwd = wb_aix_getpwuid(id); Modified: trunk/source/nsswitch/winbind_nss_aix.c === --- trunk/source/nsswitch/winbind_nss_aix.c 2004-10-01 02:57:10 UTC (rev 2759) +++ trunk/source/nsswitch/winbind_nss_aix.c 2004-10-01 02:59:43 UTC (rev 2760) @@ -159,12 +159,13 @@ return id; } +static struct passwd *wb_aix_getpwuid(uid_t uid); + static char *decode_user(const char *name) { struct passwd *pwd; unsigned id; char *ret; - static struct passwd *wb_aix_getpwuid(uid_t uid); sscanf(name+1, %u, id); pwd = wb_aix_getpwuid(id);
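Review bot: in decode_user(), directly below the line this patch removes, the return value of `sscanf(name+1, ...)` is not checked before `id` is passed to `wb_aix_getpwuid(id)`; `id` is declared without an initialiser, so a name that has no number after its first character results in a lookup on an indeterminate uid. Moving the prototype to file scope is fine, but since this function is being touched anyway, check that sscanf returned 1 and bail out otherwise. Applies to both the SAMBA_3_0 and trunk copies.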
svn commit: samba r2761 - in branches/SAMBA_3_0/source/rpc_server: .
Author: abartlet Date: 2004-10-01 03:14:57 + (Fri, 01 Oct 2004) New Revision: 2761 WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=sambapath=/branches/SAMBA_3_0/source/rpc_serverrev=2761nolog=1 Log: Print the decrypted, not encrypted key. Andrew Bartlett Modified: branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c Changeset: Modified: branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c === --- branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c2004-10-01 02:59:43 UTC (rev 2760) +++ branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c2004-10-01 03:14:57 UTC (rev 2761) @@ -486,8 +486,8 @@ cred_hash3( pwd, q_u-pwd, p-dc.sess_key, 0); DEBUG(100,(Server password set : new given value was :\n)); - for(i = 0; i 16; i++) - DEBUG(100,(%02X , q_u-pwd[i])); + for(i = 0; i sizeof(pwd); i++) + DEBUG(100,(%02X , pwd[i])); DEBUG(100,(\n)); old_pw = pdb_get_nt_passwd(sampass);
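Review bot: the new loop bound `sizeof(pwd)` is only correct if `pwd` is declared as an array in this function; its declaration is not in the hunk, and if it is a pointer the loop will print 4 or 8 bytes instead of the 16 the old code printed. Please confirm the declaration or keep an explicit length. Separately, this change means the debug output now contains the decrypted machine password hash rather than the encrypted value from `q_u->pwd`; even at DEBUG level 100 that is key material in a log file, so consider restricting it to builds with password debugging enabled and mention that in the log message.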
svn commit: samba r2762 - in branches/SAMBA_3_0/source: nsswitch utils
Author: abartlet
Date: 2004-10-01 03:28:39 + (Fri, 01 Oct 2004)
New Revision: 2762

WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=samba&path=/branches/SAMBA_3_0/source&rev=2762&nolog=1

Log:
Remove silly conversion to and from UTF8 on the winbind pipe.

Fix the naming of the require_membership_of parameter in pam_winbind and fix the error code for 'you didn't specify a domain' in ntlm_auth.

Andrew Bartlett

Modified:
   branches/SAMBA_3_0/source/nsswitch/pam_winbind.c
   branches/SAMBA_3_0/source/nsswitch/wbinfo.c
   branches/SAMBA_3_0/source/nsswitch/winbindd_nss.h
   branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
   branches/SAMBA_3_0/source/utils/ntlm_auth.c

Changeset:
Sorry, the patch is too large (368 lines) to include; please use WebSVN to see it!
svn commit: samba r2763 - in branches/SAMBA_4_0/source/librpc/rpc: .
Author: tridge Date: 2004-10-01 05:19:51 + (Fri, 01 Oct 2004) New Revision: 2763 WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=sambapath=/branches/SAMBA_4_0/source/librpc/rpcrev=2763nolog=1 Log: use no-auth bind on ncacn_np unless we specify at least one of sign, seal or connect Modified: branches/SAMBA_4_0/source/librpc/rpc/dcerpc_util.c Changeset: Modified: branches/SAMBA_4_0/source/librpc/rpc/dcerpc_util.c === --- branches/SAMBA_4_0/source/librpc/rpc/dcerpc_util.c 2004-10-01 03:28:39 UTC (rev 2762) +++ branches/SAMBA_4_0/source/librpc/rpc/dcerpc_util.c 2004-10-01 05:19:51 UTC (rev 2763) @@ -496,7 +496,8 @@ if (username username[0] (binding-flags DCERPC_SCHANNEL_ANY)) { status = dcerpc_bind_auth_schannel(*p, pipe_uuid, pipe_version, domain, username, password); - } else if (username username[0]) { + } else if (username username[0] + (binding-flags (DCERPC_CONNECT|DCERPC_SIGN|DCERPC_SEAL))) { status = dcerpc_bind_auth_ntlm(*p, pipe_uuid, pipe_version, domain, username, password); } else { status = dcerpc_bind_auth_none(*p, pipe_uuid, pipe_version);
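Review bot: with the extra flag test on the `else if` branch, a caller that supplies a username and password but none of DCERPC_CONNECT, DCERPC_SIGN or DCERPC_SEAL now falls through to `dcerpc_bind_auth_none()` with no indication that the credentials were ignored. That is a silent downgrade from an NTLM-authenticated bind to an unauthenticated one; please add a comment above the condition explaining why this is wanted for ncacn_np, and emit a debug message on the fall-through path when a username was given, so a caller can tell which bind was actually performed. The log says this is for ncacn_np, but nothing in the visible condition checks the transport, so confirm the surrounding code is specific to that transport.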
svn commit: lorikeet r82 - in trunk/samba4-ad-thesis: .
Author: abartlet Date: 2004-10-01 05:23:53 + (Fri, 01 Oct 2004) New Revision: 82 WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=lorikeetpath=/trunk/samba4-ad-thesisrev=82nolog=1 Log: Add yet more information on NTLMSSP Modified: trunk/samba4-ad-thesis/chapters.lyx Changeset: Modified: trunk/samba4-ad-thesis/chapters.lyx === --- trunk/samba4-ad-thesis/chapters.lyx 2004-09-27 23:14:25 UTC (rev 81) +++ trunk/samba4-ad-thesis/chapters.lyx 2004-10-01 05:23:53 UTC (rev 82) @@ -858,9 +858,12 @@ this third party, preferably by some cryptographic proof. Often this is by yet another shared-secret authentication scheme. +\layout Chapter + +NTLM \layout Section -NTLM +NTLM Challenge Response \layout Standard The NTLM authentication scheme is a challenge-response authentication scheme, @@ -1053,17 +1056,25 @@ \layout Subsubsection* LM session key construction +\layout Standard + +The LM session key is constructed from the first 8 bytes of the LM hash, + padded to 16 bytes with zeros. + Given what we understand about the LM hash, it is equivilant to the password + for passwords of 7 characters or less! +\layout LyX-Code + +LM_key = concat(head(ascii(password), 8), zeros[8]); \layout Subsubsection* NT session key construction \layout Standard -The NT session key is a fixed derivative of the password - it contains none - of the per-session information that the otherwise weaker LM key does: +The NT session key is also fixed derivative of the password: \layout LyX-Code NT_key = md4(md4(unicode(password)); -\layout Subsection +\layout Section NLTMSSP \layout Standard @@ -1085,7 +1096,7 @@ to understand them. At each end of the connection, these blobs of data are passed down to the security libraries for processing. -\layout Subsubsection* +\layout Subsection NTLMSSP Packets \layout Standard 
@@ -1114,7 +1125,7 @@ \layout Standard The format of these packets, and the meaning of most of the options carried - in them is now reasonably well understood, and partially documented in + in them is now reasonably well understood, and partially documented by \begin_inset LatexCommand \citet{opengroupntlm} 
@@ -1122,8 +1133,91 @@ . +\layout Subsection + +NTLMSSP Options +\layout Standard + +Within the NTLMSSP context, a different set of session keys, cyphers and + authentication inputs are used - depending on the negotiated options. + The fact that these are negotiated is promlementic, but the implementation + may define minimum required options. + What follows is a discussion of some of the options - but a more complete + treatment (of some of the options) is given by +\begin_inset LatexCommand \citet{davenportntlm} + +\end_inset + +. \layout Subsubsection* +LM Session Key +\layout Standard + +The LM session key is created as specified by +\begin_inset LatexCommand \citet{opengroupntlm} + +\end_inset + + - it is based on the NTLM `LM Key', and includes part of the LM response + (and therefore the server-generated random challenge) in a DES based hash, + making it unique for each session. + It is negotiated by the specification of the +\family typewriter +NTLMSSP_NEGOTIATE_LM_KEY +\family default + in the negotiated options. +\layout Standard + +This key is then 'weakened' to various strengths, to fix export requirements. + The irony is that the 128 bit negotiated key is far from this real strength, + due to there being at most 56 bits of key input! +\layout Subsubsection* + +NT Sesssion Key (v1) +\layout Standard + +When the LM_KEY option is not negotiated, and no other options are specified, + the session key is the NT Key from the NTLM level. + This is stronger in hash strength, with real 128 bit stength, but again, + the key is fixed until the user's password changes. + Unfortunetly other factors - the use the LM response function for the authentic +ation step - means that the key can be discovered by breaking a 56 bit cypher. 
+\layout Subsubsection* + +NTLM2 Session Response +\layout Standard + +Another modification to the NTLMSSP login scheme, this option prevents a + server-initiated dictionary attack, by providing input from the client + and server in calculating the challenge input to the challenge-response + function. + This option also modifies the session key negotiation, to include mutually + agreed random data into the key. + This ensures that the session key again changes between sessions. +\layout Subsubsection* + +Key Exchange +\layout Standard + +In another modification to the session key negotiation, the specfication + of the +\family typewriter +NTLMSSP_NEGOTIATE_KEY_EXCHANGE +\family default + flag allows the client to specify a new session key, to be encrypted with + what otherwise would be the session key. + Presumably, the client would choose a random sequence of bytes, unrelated + to the password, but as will be noted in +\begin_inset LatexCommand
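Review bot: in the "LM session key construction" hunk the prose and the formula disagree: the text says the key is "the first 8 bytes of the LM hash, padded to 16 bytes with zeros", but the added code line is `LM_key = concat(head(ascii(password), 8), zeros[8]);`, which takes bytes of the password itself, and the next sentence speaks of passwords of 7 characters or less. Please make the formula operate on the LM hash (or state explicitly that the two are being treated as equivalent and why), and reconcile 7 versus 8. The neighbouring context line `NT_key = md4(md4(unicode(password));` has an unbalanced parenthesis. The rewritten NT session key sentence also drops the comparison with the LM key and reads "is also fixed derivative"; it needs an article. The added text contains several misspellings that should be fixed before this lands: "equivilant", "promlementic", "Sesssion", "stength", "Unfortunetly", "specfication", and the section title "NLTMSSP" in the context lines.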
svn commit: samba r2764 - in branches/SAMBA_4_0/source/build/pidl: .
Author: tpot Date: 2004-10-01 05:28:20 + (Fri, 01 Oct 2004) New Revision: 2764 WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=sambapath=/branches/SAMBA_4_0/source/build/pidlrev=2764nolog=1 Log: Use hand-written function for all occurrences of IDL strings, not just those with a single pointer. Modified: branches/SAMBA_4_0/source/build/pidl/swig.pm Changeset: Modified: branches/SAMBA_4_0/source/build/pidl/swig.pm === --- branches/SAMBA_4_0/source/build/pidl/swig.pm2004-10-01 05:19:51 UTC (rev 2763) +++ branches/SAMBA_4_0/source/build/pidl/swig.pm2004-10-01 05:28:20 UTC (rev 2764) @@ -91,7 +91,7 @@ # Special cases -if ($e-{TYPE} eq string $e-{POINTERS} == 1) { +if ($e-{TYPE} eq string) { $result .= \ts-$prefix$e-{NAME} = string_ptr_from_python(mem_ctx, $obj, \$e-{NAME}\);\n; return $result; } @@ -187,7 +187,7 @@ # Special cases -if ($e-{TYPE} eq string $e-{POINTERS} == 1) { +if ($e-{TYPE} eq string) { $result .= \tPyDict_SetItemString(obj, \$e-{NAME}\, string_ptr_to_python(mem_ctx, s-$prefix$e-{NAME}));\n; return $result; }
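Review bot: both hunks drop the `$e->{POINTERS} == 1` test, so every element of type string, including ones with zero or with two or more pointer levels, is now routed through `string_ptr_from_python()` and `string_ptr_to_python()`. Those helper names suggest a single pointer to a string; please confirm they produce and consume the right C type for the other pointer counts, or keep a check that rejects the cases the helpers cannot handle, so a mismatched IDL declaration fails at generation time rather than producing code that assigns the wrong pointer level.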