RE: [Samba] Problems with Samba 3.0.20b and OS X 10.4.3 Clients
Dunno. I know macs use samba 2.0 which doesn't support smb signing.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jaccon
Sent: Saturday, December 03, 2005 3:48 AM
To: samba@lists.samba.org
Subject: [Samba] Problems with Samba 3.0.20b and OS X 10.4.3 Clients

Hi, I have the Samba Server 3.0.20b running Debian 3.1 Sarge and clients with Mac OS X 10.4.3. After the update to version 10.4.3, while the clients copy via Finder to a Samba volume, after the copy the files hide in the directory. The other clients running Mac OS X 10.4.3 don't see the files, but the Linux workstations and Windows workstations don't present problems. Please, some idea for the problem. Thanks.

--
André Jaccon
Computer Engineering
055 11 9488 7978 - São Paulo - S.P

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] winbind auth using ADS with domain trusts
I would be interested in contributing, but I have oh so many questions; once I understand, I will document what I know.

For myself, I am totally not interested in ANY NT style domain functionality, but rather full 100% pure Active Directory integration. I am now exploring PADL stuff and Kerberos stuff along with either AD4Unix or SFU3.5. However, I am concerned over PADL's lack of caching and I'm interested in winbindd.

I'm also interested in automation of UID/GID generation, perhaps with IDMAP. I would want them written back to AD LDAP, rather than a separate database. I don't know if it does this already.

I would also be interested in developing my own scheme for how UID/GID are generated in correlation to SID, so I might avoid IDMAP (or change it, mumuhuhuhaha).

- Joaquin Menchaca

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John H Terpstra
Sent: Wednesday, November 23, 2005 2:25 PM
To: Shaun Kruger
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] winbind auth using ADS with domain trusts

On Wednesday 23 November 2005 14:34, you wrote:
> On 11/23/05, John H Terpstra [EMAIL PROTECTED] wrote:
> > On Wednesday 23 November 2005 14:03, Shaun Kruger wrote:
> > > In reading the documentation I haven't found anything that covers the use of winbindd when authenticating against one domain (let's call it 'A') while also allowing users from a domain trusted by A (let's call it 'B').
> >
> > What documentation have you read so far?
>
> I've been spending a lot of time with the Samba howto collection http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/ I've been reading about domain membership and winbindd

OK. So perhaps are you delving head-first into the mechanic's guide before you have mastered deployment?

The book, Samba-3 by Example, is designed to help people to deploy Samba-3 BEFORE they start to tinker with its arcane features. (see http://www.samba.org/samba/docs/Samba3-ByExample.pdf) Having a working system before tinkering makes it easier to observe the effects of change, and thus aids and accelerates learning.

Chapter 7 of the ByExample book provides information on adding Samba servers that are domain members. Mastery of domain member servers will help you with interdomain trust handling.

In any case, the Samba3-HOWTO (aka Samba3-HOWTO-Collection) (see http://www.samba.org/samba/docs/Samba3-HOWTO.pdf) has a few chapters you will need to refer to:

Chapter 18 describes how interdomain trusts can be established - create interdomain trusts so that users from one domain can access resources in a foreign domain.

Chapter 11 describes group management concepts.

Chapter 12 describes the use of the 'net' command - you will need to establish nested groups that will be used to permit users from trusted domains to access resources that are used in the trusting domain. If you do not do this, foreign domain users and groups will operate with independent UID/GID data, thus necessitating relaxation of UNIX file system permissions so that local and foreign users can access the same resources.

Chapter 13 describes IDMAP functionality - your foreign user and group SIDs must be translated to locally known UID/GID values - that is the role of winbind. However it can also be done without winbind - in that case the accounts must be capable of being resolved locally on the Samba server.

Chapter 14 describes user rights and privileges - remote administration of a foreign domain is possible only through use of these facilities that were new to Samba 3.0.11.

Above all, you need to understand how in a pure Windows NT/200x world interdomain trusts are used. My documentation does not try to impart that knowledge.

I am the first to admit that the HOWTO does not provide a neatly integrated guide to setting up a domain member server, nor does it provide a detailed document to describe use of interdomain file and directory access. I'd much appreciate it if someone would contribute a well documented chapter on these subjects.

Despite all this, I strongly believe that the domain controller, backup domain controller and domain membership chapters in the HOWTO are in need of restructuring. I am working on the next generation documentation that will ultimately replace these chapters - I just do not know when this will be implemented due to other priorities.

I believe that the Samba-3 by Example is the best place for deployment guidance and that the HOWTO should stick to explanation of how Samba features function and
RE: [Samba] Problems with Samba 3.0.20b and OS X 10.4.3 Clients
On Sun, 2005-12-04 at 00:04 -0800, SAMBA wrote:
> Dunno. I know macs use samba 2.0 which doesn't support smb signing.

I really don't see how this is relevant. Typically, the macs don't use Samba as a client, but instead use a derivative of the FreeBSD smbfs.

I see no mention of SMB signing here, and it is off by default anyway.

Andrew Bartlett

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jaccon
> Sent: Saturday, December 03, 2005 3:48 AM
> To: samba@lists.samba.org
> Subject: [Samba] Problems with Samba 3.0.20b and OS X 10.4.3 Clients
>
> Hi, I have the Samba Server 3.0.20b running Debian 3.1 Sarge and clients with Mac OS X 10.4.3. After the update to version 10.4.3, while the clients copy via Finder to a Samba volume, after the copy the files hide in the directory. The other clients running Mac OS X 10.4.3 don't see the files, but the Linux workstations and Windows workstations don't present problems. Please, some idea for the problem. Thanks.
>
> --
> André Jaccon
> Computer Engineering
> 055 11 9488 7978 - São Paulo - S.P

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
RE: [Samba] Any downsides to using MS Services for Unix NIS server?
On Sat, 2005-12-03 at 23:57 -0800, SAMBA wrote:
> Other than NIS is extremely insecure, and anyone concerned with security would not use it. If you are using SFU, just use LDAP/Kerberos instead of NIS. You'll get the same results, but with more security.

The main issue with NIS security (compared with unsigned LDAP connections) is that passwords may be present in the tables. This isn't the case with the AD implementation anyway (I think you would need to use Kerberos authentication, as there are no NIS compatible passwords in AD, to my knowledge).

> You don't have to use IDMAP to have GID/UID based on SID. You can manually enter it yourself as per the design of your network. Also check out PADL NSS/PAM modules. There's also I think some scripts for automating migration from NIS to LDAP.

In Samba, IDMAP is the plugin interface for assigning the UID/GID mappings, and can be backed onto many sources, including attributes in the AD LDAP server (that would be used by the SFU 3.5 NIS server).

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Hatfield
> Sent: Friday, November 25, 2005 2:51 AM
> To: samba@lists.samba.org
> Subject: [Samba] Any downsides to using MS Services for Unix NIS server?
>
> I have both an AD domain and an existing NIS setup, and would like to merge the accounts. It would seem from reading the help files that installing Services for Unix on my domain controllers and using the AD-integrated NIS server would work well. I wouldn't need to use winbind, and I would have not only consistent but predictable ID mapping, ie I can ensure that INTERNAL\jhatfield maps to UID 115, which is what it is on the existing NIS server.
>
> Are there any downsides to doing this - it seems much simpler than deploying winbind that I feel there must be a catch!

I think you should be able to use winbindd, which assists with windows clients (which expect SIDs), while still maintaining your centralised mapping. See idmap_ad.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
RE: [Samba] User and Groups Problem with ADS (Win2003) and Solaris 10
On Sat, 2005-12-03 at 23:38 -0800, SAMBA wrote:
> Do you need to configure PAM to authenticate through Kerberos?

I don't think this is relevant: In general, Samba doesn't use PAM at all, and for the local login case (not the issue here), you probably want pam_winbindd.

On the original question:

You set:

    winbind use default domain = yes

And then wonder why it does exactly as the documentation states?

One of the best suggestions I have is to use the bare minimum configuration, and avoid setting things (client use spnego and other settings) that you don't actually know you need.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
Re: [Samba] winbind cache time
On Mon, 2005-11-28 at 12:31 -0600, Gerald (Jerry) Carter wrote:
> Adam Clark wrote:
> | http://lists.samba.org/archive/samba-technical/2003-February/027095.html
> |
> | Which confused me a bit.
>
> Ignore that mail. Out of date.
>
> | Is the argument to winbind cache time in seconds?
> | And what is the default value for this parameter?
>
> yes. it's in seconds. Default is 5 minutes (300 seconds).
>
> | With that in mind, how long after a password change can
> | a user be guaranteed To be authenticated properly with ntlm_auth?
>
> Winbindd does not cache passwords. So the answer really depends on your DC. There was a Windows 2003 bug where the DC would continue to authenticate the old password for a period of time.

I think it's claimed to be a feature, and as far as my tests showed, it appeared in Win2k3 SP1

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
Re: [Samba] Problem with setting Normal attribute for a file owned by another user
are we speaking about MAC Excel or Windows Boxes only?

we've had several issues with Office Mac, see [Samba] Mac OSX breaking POSIX rights with SMB/CIFS

cheerz

Oleg Starshinov wrote:
> Hi Everyone,
>
> We have a Samba 3.0.20b server running in a multi-user environment. There is a serveruser username that does batch processing on the files using VB.NET code. There are many other regular users: user1, user2, etc... They are all part of the users group
>
> If user1 opens up a file in Excel, it changes the ownership on the file and permissions to:
>
>     User - rwe
>     Group - rw-
>     Other - ---
>
> The default setting is:
>
>     User - rwe
>     Group - rwe
>     Other - ---
>
> I can live with the change of the permissions, but it also changes the ownership from serveruser to user1. As part of my code, the server applies a Normal attribute to the files once it is done copying them. It works fine when the serveruser is the owner of the file, but when someone else owns the file an exception is raised. This is the line of code:
>
>     File.SetAttributes(myFile.FullName, FileAttributes.Normal)
>
> I can open and save the files with any user name, but the setting of the attribute is only allowed if I own the file. Is this by design or am I missing something? As a workaround I included this line in the conf file:
>
>     force user = serveruser
>
> I would rather have the last user that saved the file to be registered as the owner. Here is the conf file relating to that share:
>
>     writeable = yes
>     path = /data
>     force user = serveruser
>     write list = @users
>     force directory mode = 2775
>     force group = users
>     valid users = user1,user2,serveruser,@users
>     create mode = 0771
>     directory mode = 2775
>
> Thanks,
> Oleg.

--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT)
Deutscher Platz 6
D-04103 Leipzig
Germany
Phone: 49 (0)341 - 3550 137
Re: [Samba] winbind auth using ADS with domain trusts
On Sunday 04 December 2005 01:20, SAMBA wrote:
> I would be interested in contributing, but I have oh so many questions; once I understand, I will document what I know.
>
> For myself, I am totally not interested in ANY NT style domain functionality, but rather full 100% pure Active Directory integration. I am now exploring PADL stuff and Kerberos stuff along with either AD4Unix or SFU3.5. However, I am concerned over PADL's lack of caching and I'm interested in winbindd.

Check the information regarding the pam_updatedb and pam_ccreds open source modules available on the PADL web site. http://www.padl.com/Articles/NewOpenSourceSoftware.html

> I'm also interested in automation of UID/GID generation, perhaps with IDMAP. I would want them written back to AD LDAP, rather than a separate database. I don't know if it does this already.

This can already be done using MS ADAM on the ADS servers, and then using the ADS LDAP server for IDMAP storage. You simply need to specify the LDAP server to the idmap backend parameter.

> I would also be interested in developing my own scheme for how UID/GID are generated in correlation to SID, so I might avoid IDMAP (or change it, mumuhuhuhaha).

Specifically, what are you trying to achieve that has not already been documented?

- John T.

> - Joaquin Menchaca
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John H Terpstra
> Sent: Wednesday, November 23, 2005 2:25 PM
> To: Shaun Kruger
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Samba] winbind auth using ADS with domain trusts
>
> On Wednesday 23 November 2005 14:34, you wrote:
> > On 11/23/05, John H Terpstra [EMAIL PROTECTED] wrote:
> > > On Wednesday 23 November 2005 14:03, Shaun Kruger wrote:
> > > > In reading the documentation I haven't found anything that covers the use of winbindd when authenticating against one domain (let's call it 'A') while also allowing users from a domain trusted by A (let's call it 'B').
> > >
> > > What documentation have you read so far?
> >
> > I've been spending a lot of time with the Samba howto collection http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/ I've been reading about domain membership and winbindd
>
> OK. So perhaps are you delving head-first into the mechanic's guide before you have mastered deployment?
>
> The book, Samba-3 by Example, is designed to help people to deploy Samba-3 BEFORE they start to tinker with its arcane features. (see http://www.samba.org/samba/docs/Samba3-ByExample.pdf) Having a working system before tinkering makes it easier to observe the effects of change, and thus aids and accelerates learning.
>
> Chapter 7 of the ByExample book provides information on adding Samba servers that are domain members. Mastery of domain member servers will help you with interdomain trust handling.
>
> In any case, the Samba3-HOWTO (aka Samba3-HOWTO-Collection) (see http://www.samba.org/samba/docs/Samba3-HOWTO.pdf) has a few chapters you will need to refer to:
>
> Chapter 18 describes how interdomain trusts can be established - create interdomain trusts so that users from one domain can access resources in a foreign domain.
>
> Chapter 11 describes group management concepts.
>
> Chapter 12 describes the use of the 'net' command - you will need to establish nested groups that will be used to permit users from trusted domains to access resources that are used in the trusting domain. If you do not do this, foreign domain users and groups will operate with independent UID/GID data, thus necessitating relaxation of UNIX file system permissions so that local and foreign users can access the same resources.
>
> Chapter 13 describes IDMAP functionality - your foreign user and group SIDs must be translated to locally known UID/GID values - that is the role of winbind. However it can also be done without winbind - in that case the accounts must be capable of being resolved locally on the Samba server.
>
> Chapter 14 describes user rights and privileges - remote administration of a foreign domain is possible only through use of these facilities that were new to Samba 3.0.11.
>
> Above all, you need to understand how in a pure Windows NT/200x world interdomain trusts are used. My documentation does not try to impart that knowledge.
>
> I am the first to admit that the HOWTO does not provide a neatly integrated guide to setting up a domain member server, nor does it provide a detailed document to describe use of interdomain file and directory access. I'd much appreciate it if someone would
[Samba] netlogon problems
Folks,

I'm trying to achieve control over who logs into a share according to the group to which that person belongs, but with no luck. I'm running SUSE Pro 9.3 and Samba 3.0.13, with a Win2k machine on one subnet and an XP laptop on another subnet. In all cases, the user, instead of getting into his share transparently, gets invited to log in, and then the login is rejected. I've run the login.bat from the Windows machines, and that also only gets access denied. Share valid users is set to %G (%U lets the user in just fine, but that's inadequate security). Users get into their home directories just fine.

My login.bat is

    net time \\lserver0 /set /yes
    net use \\lserver0\accounts
    net use \\lserver0\finsvcs
    net use x: /home

My [netlogon] share is

    [netlogon]
    comment = Network logon service
    path = /data/%U
    valid users = %S
    read only = No

My [global] is

    [global]
    workgroup = ASTRA_ENT
    username map = /etc/samba/smbusers
    syslog = 0
    name resolve order = wins bcast hosts
    printcap name = CUPS
    show add printer wizard = No
    add user script = /usr/sbin/useradd -m '%u'
    delete user script = /usr/sbin/userdel -r '%u'
    add group script = /usr/sbin/groupadd '%g'
    delete group script = /usr/sbin/groupdel '%g'
    add user to group script = /usr/sbin/groupmod -G '%g' '%u'
    add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'
    logon script = scripts\login.bat
    logon path =
    logon drive = X:
    domain logons = Yes
    preferred master = Yes
    wins support = Yes
    ldap ssl = no

I've placed the login.bat file in the share accounts (\data\accounts and /data/financials in this case), and I've placed the login.bat file in each user's home directory. Nothing has worked. I've been through the TOSHARG2 with no luck, and Googling hasn't brought me anything I recognized, either.

Any help would be greatly appreciated.

Eric Hines

There is no nonsense so errant that it cannot be made the creed of the vast majority by adequate governmental action.
--Bertrand Russell
Re: [Samba] Samba timekeeping
On Sat, 2005-12-03 at 12:57 +1100, taso wrote:
> Just wondering why Samba time and system time are different. Eg:
>
>     # net time;date
>     Sat Dec 3 12:56:57 2005
>     Sat Dec 3 12:56:22 EST 2005

Which server is 'net time' talking to? It should be looking for the PDC I think. If that's not the local machine, it could explain it. You can specify a server with -S

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
[Samba] net rpc vampire not working
Hi,

Can someone help me get net rpc vampire in one of its forms working. The objective is to migrate from an NT4 PDC to a SAMBA 3.0 PDC using LDAP as a back end. I am trying to migrate the user and machine accounts across in a lab environment, separate from the main network (I have replicated the PDC to do this).

I have samba-3.0.20b built from the samba team source RPM on Fedora Core 3, and I'm trying to follow the steps here:

http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/NT4Migration.html

also here:

http://samba.idealx.org/smbldap-howto.en.html (section 11.1)

I have seen the problems listed here:

http://lists.samba.org/archive/samba/2004-June/088448.html
http://lists.samba.org/archive/samba/2004-July/089147.html

and I'm getting the same thing happening to me. I have also tried using net rpc vampire ldif with similar results:

I started by creating a samba server and setting it up as a BDC:

    [global]
    workgroup = MYDOMAIN
    netbios name = MYSAMBASERVER
    server string = Samba Server
    security = domain
    encrypt passwords = Yes
    password server = MYPDC
    log file = /var/log/samba/%m.log
    max log size = 0
    name resolve order = host wins bcast
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    local master = No
    domain master = False
    dns proxy = No
    wins server = 192.168.1.1
    winbind uid = 1-2
    winbind gid = 1-2
    winbind separator = +
    create mask = 0777
    directory mask = 0777
    hosts allow = 192.168. 127.
    printing = lprng
    oplocks = No
    follow symlinks = No
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/false
    winbind use default domain = no

Then I added the following parts to smb.conf to give it the LDAP information:

    ldap suffix = dc=debortoli,dc=local
    ldap user suffix = ou=People
    ldap machine suffix = ou=Computers
    ldap group suffix = ou=Groups

Join the domain:

    net rpc join -U Administrator%PASSWORD
    service smb start

I can verify the domain is joined by using:

    net rpc testjoin

Also, I can see all of the accounts using winbind:

    service winbind start
    getent passwd

However from this point on nothing in net rpc vampire works.

    net rpc vampire ldif ./vampire.ldif

fails with:

    Could not retrieve domain trust secret

    net rpc vampire ldif ./vampire.ldif -S MYPDC -U Administrator%PASSWORD

fails with:

    Cannot import users from DBW at this time, as the current domain:
    FC3-DBW-3: S-1-5-21-92691229-39247329-4222772032
    conflicts with the remote domain
    DBW: S-1-5-21-423981254-716712060-315576832

This is a suggested fix:

* http://lists.samba.org/archive/samba/2004-July/089148.html

but it fails like this:

    # net setlocalsid S-1-5-21-423981254-716712060-315576832
    # net rpc vampire ldif
    Cannot import users from FC3-DBW-3 at this time, as the current domain:
    FC3-DBW-3: S-1-5-21-423981254-716712060-315576832
    conflicts with the remote domain
    FC3-DBW-3: S-1-5-21-92691229-39247329-4222772032

Alternatively, running this:

    net rpc vampire ldif ./vampire.ldif -S MYPDC -U Administrator%PASSWORD

... results in an empty ./vampire.ldif file, and two files /tmp/add.ldif and /tmp/mod.ldif. /tmp/mod.ldif is empty and /tmp/add.ldif contains the base LDAP structure but no users other than root and nobody.

I have tried the http://samba.idealx.org/smbldap-howto.en.html method (making samba a PDC, stopping the other PDC, restarting samba, etc) but that fails as well with just about the same error messages as above.

Is there any way of getting this net rpc vampire tool to work? Has anyone had any success with it? What entries do I need in smb.conf etc to get things working?

--
Del
[Samba] Admin Printers and Faxes from Windows XP
hi all,

I have been stuffing around with this problem for a couple of weeks now, without much success :) I am sure I am missing something simple.

I have a Samba server set up as a member server in a 2000 domain (samba 3.0.10). Samba is printing through CUPS and the printing works fine.

When I click on Printers and Faxes from a windows xp machine, it takes about 30-60 seconds to show the list and the samba logs show:

    [2005/12/02 09:42:56, 0] rpc_server/srv_spoolss_nt.c:spoolss_connect_to_client(2583)
      spoolss_connect_to_client: unable to connect to SMB server on machine MALAZ. Error was : SUCCESS - 0.
    [2005/12/02 09:43:14, 1] lib/util_sock.c:open_socket_out(774)
      timeout connecting to 10.63.34.249:445
    [2005/12/02 09:43:31, 1] lib/util_sock.c:open_socket_out(774)
      timeout connecting to 10.63.34.249:139
    [2005/12/02 09:43:31, 1] libsmb/cliconnect.c:cli_connect(1312)
      Error connecting to 10.63.34.249 (Operation already in progress)
    [2005/12/02 09:43:31, 0] rpc_server/srv_spoolss_nt.c:spoolss_connect_to_client(2583)
      spoolss_connect_to_client: unable to connect to SMB server on machine MALAZ. Error was : SUCCESS - 0.

AND

    [2005/12/02 09:08:59, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
      user '::{2227a280-3aea-1069-a2de-08002b30309d}' does not exist
    [2005/12/02 09:08:59, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
      user '::{2227A280-3AEA-1069-A2DE-08002B30309D}' does not exist
    [2005/12/02 09:08:59, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
      user '::{2227a280-3aea-1069-a2de-08002b30309d}' does not exist
    [2005/12/02 09:08:59, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
      user '::{2227A280-3AEA-1069-A2DE-08002B30309D}' does not exist

From what I understand the Samba machine tries to connect back to the spooler service on my client machine but fails (well, times out).

If I do it from a windows 2000 server, it works fine.

I can find people with the same symptoms, but no solutions :(

Pertinent parts of samba config below:

    [global]

    workgroup = MYDOMAIN
    server string = MYDOMAIN Print Server

    printing = cups
    printcap name = cups
    load printers = no

    log file = /var/log/samba/smbd.log
    log level = 2
    max log size = 500

    realm = MYDOMAIN.COM.AU
    security = ads
    encrypt passwords = yes
    password server = MYDC.MYDOMAIN.COM.AU

    idmap uid = 500-1000
    idmap gid = 500-1000
    winbind use default domain = Yes
    winbind nested groups = Yes

    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE

    domain master = no
    local master = no
    preferred master = no

    name resolve order = hosts wins

    wins support = no
    wins server = 10.63.34.140

    dns proxy = no

    username map = /etc/samba/smbusers

    use sendfile = yes

    # Share Definitions ==
    [print$]
    comment = Printer Drivers
    path = /var/storage/printer_drivers

    guest ok = yes
    browseable = yes
    read only = yes
    write list = ww, root
    admin users = ww, root

    [BUS-COPY]
    comment = Business Services
    printer name = BUS-COPY
    path = /var/spool/samba

    printable = yes
    guest ok = yes
    writeable = no
    browseable = yes
    printer admin = ww, root
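Added example, not part of the original post: a small Python parser for the smbd log excerpt above that counts the server's failed back-connects per client address and port and measures how long the failed attempts span. The sample text is the post's excerpt restored to the two-line record layout; all function names are this example's own.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the excerpt quoted in the post, laid out as smbd writes
# it (one header line, then an indented message line).
SAMPLE_LOG = """\
[2005/12/02 09:42:56, 0] rpc_server/srv_spoolss_nt.c:spoolss_connect_to_client(2583)
  spoolss_connect_to_client: unable to connect to SMB server on machine MALAZ. Error was : SUCCESS - 0.
[2005/12/02 09:43:14, 1] lib/util_sock.c:open_socket_out(774)
  timeout connecting to 10.63.34.249:445
[2005/12/02 09:43:31, 1] lib/util_sock.c:open_socket_out(774)
  timeout connecting to 10.63.34.249:139
[2005/12/02 09:43:31, 1] libsmb/cliconnect.c:cli_connect(1312)
  Error connecting to 10.63.34.249 (Operation already in progress)
[2005/12/02 09:43:31, 0] rpc_server/srv_spoolss_nt.c:spoolss_connect_to_client(2583)
  spoolss_connect_to_client: unable to connect to SMB server on machine MALAZ. Error was : SUCCESS - 0.
"""

# "[date time, level] source.c:function(line)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)
TIMEOUT = re.compile(r"timeout connecting to (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
BACKCONNECT = re.compile(
    r"unable to connect to SMB server on machine (\S+)\.\s+Error"
)


def parse_records(text):
    """Split smbd log text into records; continuation lines join the message."""
    records, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = {
                "time": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
                "level": int(m.group("level")),
                "source": m.group("src"),
                "function": m.group("func"),
                "message": "",
            }
            records.append(current)
        elif current is not None and raw.strip():
            current["message"] = (current["message"] + " " + raw.strip()).strip()
    return records


def summarize_backconnects(records):
    """Count connect timeouts per (ip, port) and spoolss failures per client."""
    timeouts, failures, stamps = Counter(), Counter(), []
    for rec in records:
        t = TIMEOUT.search(rec["message"])
        if t:
            timeouts[(t.group(1), int(t.group(2)))] += 1
            stamps.append(rec["time"])
        f = BACKCONNECT.search(rec["message"])
        if f and rec["function"] == "spoolss_connect_to_client":
            failures[f.group(1)] += 1
            stamps.append(rec["time"])
    # Wall-clock span of the failed attempts, to compare with the UI delay.
    stall = (max(stamps) - min(stamps)).total_seconds() if stamps else 0.0
    return {
        "timeouts": dict(timeouts),
        "failed_clients": dict(failures),
        "stall_seconds": stall,
    }


if __name__ == "__main__":
    summary = summarize_backconnects(parse_records(SAMPLE_LOG))
    for (ip, port), n in sorted(summary["timeouts"].items()):
        print(f"{n} timeout(s) connecting back to {ip}:{port}")
    print("clients with failed spoolss back-connect:", summary["failed_clients"])
    print("failed attempts span", summary["stall_seconds"], "seconds")
```

On the sample, the two timed-out connections (ports 445 and 139) span 35 seconds, which falls inside the 30-60 second delay described in the post.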
[Samba] Samba Trusts Relationship - Users map
Sirs,

I am studying about the Samba servers and I am with a doubt. I have achieved to configure the trust relationship between two servers, although I could only log users that would exist in those two domains (trusting and trusted). Observing the logs I have noticed that Samba could not authenticate the users that were not common, because it could not create a user locally. Using the chmod a+s at the archive /usr/sbin/useradd I could make that the user could be created normally.

My doubts are:

- Why is there the need to create the user in the local domain?
- Is there any other way I could get to authenticate such users without having to create them using root (chmod a+s useradd)?

I am thankful in advance.

Eduardo.
Re: [Samba] net rpc vampire not working
On Mon, 2005-12-05 at 08:31 +1100, Del wrote:
> Hi,
>
> Can someone help me get net rpc vampire in one of its forms working. The objective is to migrate from an NT4 PDC to a SAMBA 3.0 PDC using LDAP as a back end. I am trying to migrate the user and machine accounts across in a lab environment, separate from the main network (I have replicated the PDC to do this).
>
> I have samba-3.0.20b built from the samba team source RPM on Fedora Core 3, and I'm trying to follow the steps here:
>
> http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/NT4Migration.html

that isn't a complete walk through and is probably leaving out some details that you probably didn't know were necessary.

Use http://www.samba.org/samba/docs/man/Samba-Guide/ntmigration.html which is much more complete of a walk-through.

I would recommend that the user is familiar with setup, usage, maintenance of LDAP prior to doing this.

Oh - yes, the net rpc vampire indeed works, I've done it a few times - going back to 3.0.0 (and it worked then) and I doubt they've broken it in the interim.

The steps are very important. Not understanding LDAP makes it extremely difficult to do. Get practiced at backing up your LDAP db and restoring as the vampire process takes a number of practice runs to get it right.

Craig
Re: [Samba] Samba Trusts Relationship - Users map
- Original Message -
From: Craig White [EMAIL PROTECTED]
To: Eduardo Sousa [EMAIL PROTECTED]
Sent: Sunday, December 04, 2005 9:41 PM
Subject: Re: [Samba] Samba Trusts Relationship - Users map

> On Sun, 2005-12-04 at 21:00 -0200, Eduardo Sousa wrote:
> > Sirs,
> >
> > I am studying about the Samba servers and I am with a doubt. I have achieved to configure the trust relationship between two servers, although I could only log users that would exist in those two domains (trusting and trusted). Observing the logs I have noticed that Samba could not authenticate the users that were not common, because it could not create a user locally. Using the chmod a+s at the archive /usr/sbin/useradd I could make that the user could be created normally.
>
> this shouldn't be necessary

Ok I know. But without it, authentication doesn't work correctly.

> > My doubts are:
> >
> > - Why is there the need to create the user in the local domain?
>
> because the samba developers thought it necessary for samba to work within the native system of users/privileges

This is obvious. However it does not clarify me technical. I would like to better understand about this necessity. Then I will be capable to understand and to resolve this problem.

> > - Is there any other way I could get to authenticate such users without having to create them using root (chmod a+s useradd)?
>
> there is some fairly extensive documentation on usage
>
> http://samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html

Thanks, I will try to use this text.

> Craig
Re: [Samba] net rpc vampire not working
> Use http://www.samba.org/samba/docs/man/Samba-Guide/ntmigration.html

Thanks, that is a great help. I have it working now.

> I would recommend that the user is familiar with setup, usage, maintenance of LDAP prior to doing this.

Oh, LDAP is no problem. I'm the author of the LdapImport scripts which some of you may have seen http://wiki.babel.com.au/index.php?area=Linux_Projects&page=LdapImport

The problem I was having was correct configuration of samba prior to running net rpc vampire.

Just some notes on the migration guide above that you might want to incorporate into a later edition:

--

example 9.1: security = user is missing? Is this intentional? the configure.pl script from smbldap-tools adds it to smb.conf in any case.

May be useful to mention extending the LDAP schema before attempting any of this, e.g. with the samba.schema file.

Before Step 7: You can't run ./configure.pl in the smbldap-tools directory unless samba is running. So you need to do

    service smb start

or your OS equivalent first. In fact, before doing that you need to inform samba of your LDAP bind DN password using:

    smbpasswd -w password

Step 8: Since you need to start samba before you run ./configure.pl, and since samba tries to connect to the LDAP server when it starts, you will need to start LDAP before you start samba. So this probably belongs around step 4 or 5.

Step 10: You need to do this before starting Samba, so again this needs to happen earlier than step 7.

Step 11: Also, starting Samba will attempt to populate the LDAP directory. On Fedora Directory Server (and in fact any non-OpenLDAP server) you may hit troubles doing this because the entries aren't formatted correctly with the top objectClass (on OpenLDAP this parent object class is added automatically).

To fix this, what I did was:

    cd /opt/IDEALX/sbin
    ./smbldap-populate -e /root/LDAP/smb-populate.ldif
    vi /root/LDAP/smb-populate.ldif

Change the last LDIF entry in this file to include objectClass: top

    ldapadd -x -c -D 'cn=Directory Manager' -W -f /root/LDAP/smb-populate.ldif

... and you will need to supply your root DN password to the above command.

Step 12: This should not actually be necessary on non-OpenLDAP servers. A running LDAP server will notice that its directory has been populated. It is, however, the case that the OpenLDAP directory is completely empty after installation so you may need to do this.

Step 14: It might be useful to test this using:

    net rpc testjoin

Step 17: This seems to take a long time. Expect that -- nothing happens in the log file for a few seconds at least, don't panic.

--
Del
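The LDIF fix-up described in the message above (adding objectClass: top before loading the smbldap-populate export into a non-OpenLDAP server), as an added example that is not part of the original post. It goes slightly further than the manual edit by checking every entry rather than only the last one; the function names and the sample LDIF are constructed for illustration.

```python
import base64
import sys

# Constructed sample (not real smbldap-populate output): the last entry has a
# folded dn and no "objectClass: top"; the second spells it in another case.
SAMPLE_LDIF = """\
# constructed sample
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example
dc: example

dn: ou=Users,dc=example,dc=com
objectclass: Top
objectClass: organizationalUnit
ou: Users

dn: sambaDomainName=EXAMPLE,
 dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: EXAMPLE
sambaSID: S-1-5-21-1-2-3
"""


def split_entries(ldif_text):
    """Split LDIF text into blocks of physical lines, separated by blank lines."""
    entries, current = [], []
    for line in ldif_text.splitlines():
        if line == "":
            if current:
                entries.append(current)
                current = []
        else:
            current.append(line)
    if current:
        entries.append(current)
    return entries


def logical_lines(entry):
    """Yield (attribute, value) pairs: unfold continuations, skip comments."""
    unfolded = []
    for line in entry:
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of the previous line
        else:
            unfolded.append(line)
    for line in unfolded:
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        yield attr.strip(), value.strip()


def ensure_top(ldif_text):
    """Return (fixed_ldif, dns_changed); content records lacking 'top' get it."""
    out, changed = [], []
    for entry in split_entries(ldif_text):
        attrs = list(logical_lines(entry))
        dn = next((v for a, v in attrs if a.lower() == "dn"), None)
        is_change = any(a.lower() == "changetype" for a, _ in attrs)
        has_top = any(a.lower() == "objectclass" and v.lower() == "top"
                      for a, v in attrs)
        if dn is not None and not is_change and not has_top:
            # Insert right after the dn line and any folded continuation of it.
            idx = next(i for i, l in enumerate(entry) if l.lower().startswith("dn:")) + 1
            while idx < len(entry) and entry[idx].startswith(" "):
                idx += 1
            entry = entry[:idx] + ["objectClass: top"] + entry[idx:]
            changed.append(dn)
        out.append("\n".join(entry))
    return "\n\n".join(out) + "\n", changed


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    fixed, changed_dns = ensure_top(text)
    sys.stdout.write(fixed)
    for changed_dn in changed_dns:
        print("added objectClass: top to", changed_dn, file=sys.stderr)
```

Run against the exported file, the corrected LDIF goes to standard output and can be passed to the ldapadd command from the message; entries that already carry the class are left untouched, so a second run changes nothing.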
Re: [Samba] net rpc vampire not working
On Mon, 2005-12-05 at 12:25 +1100, Del wrote:

>> Use http://www.samba.org/samba/docs/man/Samba-Guide/ntmigration.html
>
> Thanks, that is a great help. I have it working now.

thought so - the detailed walk through used to be in the 'How-To' and got moved to the 'by example' and whatever was left in the 'How-To' seems to be incomplete - as I looked at your link, I could see that some of the important stuff wasn't there but enough detail was there to make you think you could try it.

>> I would recommend that the user is familiar with setup, usage, maintenance of LDAP prior to doing this.
>
> Oh, LDAP is no problem. I'm the author of the LdapImport scripts which some of you may have seen http://wiki.babel.com.au/index.php?area=Linux_Projects&page=LdapImport The problem I was having was correct configuration of samba prior to running net rpc vampire.

obviously - I thought the complete walk through was probably the thing that you really needed to see. I actually fooled with your LdapImport and didn't get it to work straight away and for the most part, I didn't have much of an issue with conversion from openldap slapcat output. Still trying to get my head around fedora-ds ACI's ;-) I also see the need to use groupOfUniqueNames but I haven't figured that one out either but I'm working on it.

Thanks

Craig
[Samba] Missing user in list of Windows 9x
In a server Debian Sarge with Samba 3 PDC user security that spreads to LAN of 15 W9x/2000 clients, weeks ago the user Rick (with permissions of admin) disappeared from the list of users that is seen in the window Share of the Windows 9x clients (NOT in the W2K clients), reason why he cannot be added to shared folders on W9x. I erased and created again (on Linux and Samba) the same user Rick with such permissions and in such groups in which he was, but Rick still does not appear on the W9x user list.

Some idea???

Regards
Ricardo
[Samba] Solaris Winbind causes problem with SSH.
Hello,

I have been testing Samba 3.0.21 (rc1, rc2) on Solaris 8 and Solaris 9 compiled with ADS support. In my testing smbd seems to work with a Windows 2000 ADS and Windows XP workstations in a basic setup where winbindd is running in default mode netlogon proxy only (but winbind is NOT enabled in /etc/nsswitch.conf).

When I configure winbind to use idmap and enable winbind in /etc/nsswitch.conf, smbd seems to work even better but my SSH logins no longer work properly. If I connect with SSH to the Samba server using public key authentication while winbind is enabled in /etc/nsswitch.conf, the SSH login succeeds but the SSH server disconnects me after a few minutes. I see the following messages in the console log:

|Dec 5 12:51:07 numbat sshd[7356]: [ID 800047 auth.info] Accepted publickey for mewtwo from 192.168.1.101 port 34809 ssh2
|Dec 5 12:53:02 numbat sshd[7356]: [ID 800047 auth.crit] fatal: Timeout before authentication for 192.168.1.101

Can anyone help explain what is happening? Do I need to edit pam.conf as well as nsswitch.conf?

My smb.conf file (with winbind) is as follows:

    # Samba config file.
    [global]
    workgroup = PERTH
    realm = PERTH.LOCALDOMAIN
    security = ADS
    encrypt passwords = yes
    client use spnego = yes
    winbind cache time = 10
    winbind enum users = yes
    winbind enum groups = yes
    idmap uid = 1-2
    idmap gid = 1-2
    template shell = /usr/bin/sh
    template homedir = /home/%U

    [homes]
    guest ok = no
    read only = no

My /etc/nsswitch.conf file (with winbind) is as follows:

    passwd: files nis winbind
    group: files nis winbind
svn commit: samba r12056 - in branches/SAMBA_4_0/source/auth/kerberos: .
Author: abartlet Date: 2005-12-04 12:17:02 + (Sun, 04 Dec 2005) New Revision: 12056 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=12056 Log: Some clarification fixes for the keytab code, and use the right function for enctype to string. Andrew Bartlett Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c Changeset: Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c === --- branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c 2005-12-03 20:28:18 UTC (rev 12055) +++ branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c 2005-12-04 12:17:02 UTC (rev 12056) @@ -50,7 +50,7 @@ char *machine_username; char *salt_body; char *lower_realm; - char *salt_principal; + const char *salt_principal; struct principal_container *mem_ctx = talloc(parent_ctx, struct principal_container); if (!mem_ctx) { return ENOMEM; @@ -249,7 +249,7 @@ int i; krb5_error_code ret; krb5_enctype *enctypes; - char *enctype_string = NULL; + char *enctype_string; struct enctypes_container *etc; krb5_data password; TALLOC_CTX *mem_ctx = talloc_new(parent_ctx); @@ -283,7 +283,7 @@ krb5_keytab_entry entry; ret = create_kerberos_key_from_string(smb_krb5_context-krb5_context, salt_princ, password, entry.keyblock, enctypes[i]); - if (ret) { + if (ret != 0) { talloc_free(mem_ctx); return ret; } 
@@ -291,19 +291,21 @@ entry.principal = princ; entry.vno = kvno; ret = krb5_kt_add_entry(smb_krb5_context-krb5_context, keytab, entry); + enctype_string = NULL; + krb5_enctype_to_string(smb_krb5_context-krb5_context, enctypes[i], enctype_string); if (ret != 0) { - DEBUG(1, (Failed to add entry for %s(kvno %d) to keytab: %s, + DEBUG(1, (Failed to add %s entry for %s(kvno %d) to keytab: %s\n, + enctype_string, princ_string, kvno, smb_get_krb5_error_message(smb_krb5_context-krb5_context, ret, mem_ctx))); talloc_free(mem_ctx); + free(enctype_string); krb5_free_keyblock_contents(smb_krb5_context-krb5_context, entry.keyblock); return ret; } - enctype_string = NULL; - krb5_keytype_to_string(smb_krb5_context-krb5_context, enctypes[i], enctype_string); DEBUG(5, (Added %s(kvno %d) to keytab (%s)\n, princ_string, kvno, enctype_string)); @@ -318,7 +320,7 @@ static int create_keytab(TALLOC_CTX *parent_ctx, struct cli_credentials *machine_account, struct smb_krb5_context *smb_krb5_context, -struct keytab_container *keytab_container, +krb5_keytab keytab, BOOL add_old) { krb5_error_code ret; @@ -328,7 +330,6 @@ int kvno; krb5_principal salt_princ; krb5_principal princ; - krb5_keytab keytab; const char *princ_string; TALLOC_CTX *mem_ctx = talloc_new(parent_ctx); @@ -336,8 +337,6 @@ return ENOMEM; } - keytab = keytab_container-keytab; - princ_string = cli_credentials_get_principal(machine_account, mem_ctx); /* Get the principal we will store the new keytab entries under */ ret = principal_from_credentials(mem_ctx, machine_account, smb_krb5_context, princ); @@ -400,7 +399,7 @@ return ret; } - krb5_keytype_to_string(smb_krb5_context-krb5_context, ENCTYPE_ARCFOUR_HMAC, enctype_string); + krb5_enctype_to_string(smb_krb5_context-krb5_context, ENCTYPE_ARCFOUR_HMAC, enctype_string); DEBUG(5, (Added %s(kvno %d) to keytab (%s)\n, cli_credentials_get_principal(machine_account, mem_ctx), cli_credentials_get_kvno(machine_account), 
@@ -417,7 +416,7 @@ kvno = cli_credentials_get_kvno(machine_account); /* good, we actually have the real plaintext */ ret = keytab_add_keys(mem_ctx, princ_string, princ, salt_princ, - kvno, password_s, smb_krb5_context, keytab); + kvno, password_s, smb_krb5_context, keytab); if (!ret)
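Review bot: In the hunk at line 291 of kerberos_util.c the result of krb5_enctype_to_string() is ignored, so if the conversion fails enctype_string may still be NULL when it reaches the %s in both DEBUG calls. Check the return value, or substitute a fixed placeholder string, before logging. The error path now calls free(enctype_string), but the visible part of the success path after the DEBUG(5, ...) shows no matching free, so confirm the string is released once per loop iteration there as well. The hunk at line 400 also calls krb5_enctype_to_string() on an enctype_string whose initialisation lies outside the visible context; it is worth confirming that it starts out NULL there too.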
Build status as of Mon Dec 5 00:00:01 2005
URL: http://build.samba.org/ --- /home/build/master/cache/broken_results.txt.old 2005-12-04 00:00:09.0 + +++ /home/build/master/cache/broken_results.txt 2005-12-05 00:00:48.0 + @@ -1,17 +1,17 @@ -Build status as of Sun Dec 4 00:00:02 2005 +Build status as of Mon Dec 5 00:00:01 2005 Build counts: Tree Total Broken Panic -ccache 11 2 0 -distcc 13 2 0 -lorikeet-heimdal 32 17 0 -ppp 19 0 0 -rsync35 2 0 +ccache 9 2 0 +distcc 10 2 0 +lorikeet-heimdal 32 16 0 +ppp 17 0 0 +rsync34 2 0 samba3 0 0 samba-docs 0 0 0 -samba4 35 18 1 -samba_3_036 7 0 -smb-build28 2 0 -talloc 33 12 0 -tdb 8 2 0 +samba4 34 19 1 +samba_3_035 6 0 +smb-build26 2 0 +talloc 32 11 0 +tdb 6 2 0
svn commit: samba r12057 - in branches/SAMBA_4_0/source/lib/ldb/tools: .
Author: tridge Date: 2005-12-05 00:43:50 + (Mon, 05 Dec 2005) New Revision: 12057 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=12057 Log: fixed authentication in ldb client tools Modified: branches/SAMBA_4_0/source/lib/ldb/tools/cmdline.c Changeset: Modified: branches/SAMBA_4_0/source/lib/ldb/tools/cmdline.c === --- branches/SAMBA_4_0/source/lib/ldb/tools/cmdline.c 2005-12-04 12:17:02 UTC (rev 12056) +++ branches/SAMBA_4_0/source/lib/ldb/tools/cmdline.c 2005-12-05 00:43:50 UTC (rev 12057) @@ -170,6 +170,9 @@ if (ldb_set_opaque(ldb, sessionInfo, system_session(ldb))) { goto failed; } + if (ldb_set_opaque(ldb, credentials, cmdline_credentials)) { + goto failed; + } #endif if (ldb_connect(ldb, ret-url, flags, ret-options) != 0) { fprintf(stderr, Failed to connect to %s - %s\n,
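Review bot: The new ldb_set_opaque() call for the credentials at line 173 of cmdline.c jumps to failed with no message of its own, while the ldb_connect() failure just below it prints the reason to stderr. Since the log says this call is what makes authentication work in the ldb tools, a short fprintf naming the credentials setup as the failing step would make that failure diagnosable. The call also sits before the #endif, so a comment saying that builds without that conditional block run without command-line credentials would help the next reader.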
svn commit: samba r12058 - in branches/SAMBA_4_0/source/auth: .
Author: abartlet Date: 2005-12-05 01:36:53 + (Mon, 05 Dec 2005) New Revision: 12058 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=12058 Log: Set an anonymous fallback, if the machine account isn't available. Andrew Bartlett Modified: branches/SAMBA_4_0/source/auth/auth_util.c Changeset: Modified: branches/SAMBA_4_0/source/auth/auth_util.c === --- branches/SAMBA_4_0/source/auth/auth_util.c 2005-12-05 00:43:50 UTC (rev 12057) +++ branches/SAMBA_4_0/source/auth/auth_util.c 2005-12-05 01:36:53 UTC (rev 12058) @@ -604,6 +604,8 @@ } cli_credentials_set_conf(session_info-credentials); + /* set anonymous as the fallback, if the machine account won't work */ + cli_credentials_set_anonymous(session_info-credentials); cli_credentials_set_machine_account_pending(session_info-credentials); *_session_info = session_info;
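Review bot: The cli_credentials_set_anonymous() call added at line 607 of auth_util.c makes the session fall back to anonymous, and nothing in this hunk records when that fallback is what actually gets used. A caller that expects to act as the machine account would then continue with anonymous credentials and fail later, or see less data, with no hint of the cause. Consider a DEBUG message at the point where the pending machine account turns out to be unavailable, and extend the comment to say which callers are expected to tolerate an anonymous session.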
svn commit: samba r12059 - in branches/SAMBA_4_0/source/auth/kerberos: .
Author: abartlet Date: 2005-12-05 01:38:26 + (Mon, 05 Dec 2005) New Revision: 12059 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=12059 Log: Use random keytab names (so we get different keytabs, rather than share the MEMORY: keytab). Andrew Bartlett Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c Changeset: Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c === --- branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c 2005-12-05 01:36:53 UTC (rev 12058) +++ branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c 2005-12-05 01:38:26 UTC (rev 12059) @@ -611,7 +611,8 @@ { krb5_error_code ret; TALLOC_CTX *mem_ctx = talloc_new(parent_ctx); - const char *keytab_name = MEMORY:; + const char *rand_string; + const char *keytab_name; krb5_keytab keytab; if (!mem_ctx) { return ENOMEM; @@ -619,6 +620,19 @@ *keytab_container = talloc(mem_ctx, struct keytab_container); + rand_string = generate_random_str(mem_ctx, 16); + if (!rand_string) { + talloc_free(mem_ctx); + return ENOMEM; + } + + keytab_name = talloc_asprintf(mem_ctx, MEMORY:%s, + rand_string); + if (!keytab_name) { + talloc_free(mem_ctx); + return ENOMEM; + } + /* Find the keytab */ ret = krb5_kt_resolve(smb_krb5_context-krb5_context, keytab_name, keytab); if (ret) {
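Review bot: In the hunk at line 619 of kerberos_util.c the two new allocations (rand_string and keytab_name) are checked for NULL and free mem_ctx on failure, but the talloc() of *keytab_container directly above them is not checked in the visible lines. Add the same NULL check and ENOMEM return there so all three allocations are handled alike. A one-line comment on why 16 random characters is enough to keep the MEMORY: names apart would also be useful.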
svn commit: samba r12060 - in branches/SAMBA_4_0/source/auth: credentials gensec
Author: abartlet Date: 2005-12-05 03:20:40 + (Mon, 05 Dec 2005) New Revision: 12060 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=12060 Log: Work towards allowing the credentials system to allow/deny certain GENSEC mechanisms. This will allow a machine join to an NT4 domain to avoid even trying kerberos, or a sensitive operation to require it. Andrew Bartlett Modified: branches/SAMBA_4_0/source/auth/credentials/config.mk branches/SAMBA_4_0/source/auth/credentials/credentials.c branches/SAMBA_4_0/source/auth/credentials/credentials.h branches/SAMBA_4_0/source/auth/gensec/gensec.c branches/SAMBA_4_0/source/auth/gensec/spnego.c Changeset: Sorry, the patch is too large (399 lines) to include; please use WebSVN to see it! WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=12060
svn commit: samba r12061 - in branches/SAMBA_4_0/source/auth/credentials: .
Author: abartlet Date: 2005-12-05 03:42:28 + (Mon, 05 Dec 2005) New Revision: 12061 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=12061 Log: Add missing file to previous commit. This provides a hook on which to attach a restriction on available GENSEC mechanisms. Andrew Bartlett Added: branches/SAMBA_4_0/source/auth/credentials/credentials_gensec.c Changeset: Added: branches/SAMBA_4_0/source/auth/credentials/credentials_gensec.c === --- branches/SAMBA_4_0/source/auth/credentials/credentials_gensec.c 2005-12-05 03:20:40 UTC (rev 12060) +++ branches/SAMBA_4_0/source/auth/credentials/credentials_gensec.c 2005-12-05 03:42:28 UTC (rev 12061) @@ -0,0 +1,31 @@ +/* + Unix SMB/CIFS implementation. + + User credentials handling + + Copyright (C) Andrew Bartlett [EMAIL PROTECTED] 2005 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include includes.h + +const struct gensec_security_ops **cli_credentials_gensec_list(struct cli_credentials *creds) +{ + if (!creds-gensec_list) { + return gensec_security_all(); + } + return creds-gensec_list; +}
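Review bot: cli_credentials_gensec_list() has no comment describing its contract, and the part that matters is the default: when the gensec_list member of creds is unset it returns gensec_security_all(), so every mechanism stays permitted until a caller installs a list. Since the log presents this as the hook for restricting mechanisms, document that an unset list means "no restriction" rather than "nothing allowed", and say who owns the returned array. The function also dereferences creds without a NULL check; either add one or state that callers must pass a valid pointer.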
svn commit: samba r12062 - in branches/SAMBA_4_0/source/libcli/ldap: .
Author: abartlet Date: 2005-12-05 04:10:13 + (Mon, 05 Dec 2005) New Revision: 12062 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=12062 Log: SASL negotiation now requires a gensec_security context, so that we only try permitted mechanims. Andrew Bartlett Modified: branches/SAMBA_4_0/source/libcli/ldap/ldap_bind.c Changeset: Modified: branches/SAMBA_4_0/source/libcli/ldap/ldap_bind.c === --- branches/SAMBA_4_0/source/libcli/ldap/ldap_bind.c 2005-12-05 03:42:28 UTC (rev 12061) +++ branches/SAMBA_4_0/source/libcli/ldap/ldap_bind.c 2005-12-05 04:10:13 UTC (rev 12062) @@ -223,7 +223,7 @@ } sasl_names[i] = NULL; - mechs = gensec_security_by_sasl(tmp_ctx, sasl_names); + mechs = gensec_security_by_sasl(conn-gensec, tmp_ctx, sasl_names); if (!mechs || !mechs[0]) { DEBUG(1, (None of the %d proposed SASL mechs were acceptable\n, count));
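Review bot: The DEBUG(1, ...) after the changed call at line 226 of ldap_bind.c no longer tells the whole story. With the gensec context passed in, mechs can come back empty either because the server proposed nothing we implement or because the permitted-mechanism list filtered out everything that was proposed, and the message still says only that none of the proposed SASL mechs were acceptable. Distinguish the two cases, or at least mention that the permitted list was applied, so that a bind refused by local policy is not read as a server-side mismatch. The hunk also uses the connection's gensec member without showing where it is set up; confirm it is always initialised before SASL negotiation starts.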
svn commit: samba r12063 - in branches/SAMBA_4_0/source/auth/kerberos: .
Author: tridge Date: 2005-12-05 06:01:22 + (Mon, 05 Dec 2005) New Revision: 12063 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=12063 Log: fixed the krb5 client code to handle ICMP port unreachable errors, and error out immediatelly. This prevents a long timeout Modified: branches/SAMBA_4_0/source/auth/kerberos/krb5_init_context.c Changeset: Modified: branches/SAMBA_4_0/source/auth/kerberos/krb5_init_context.c === --- branches/SAMBA_4_0/source/auth/kerberos/krb5_init_context.c 2005-12-05 04:10:13 UTC (rev 12062) +++ branches/SAMBA_4_0/source/auth/kerberos/krb5_init_context.c 2005-12-05 06:01:22 UTC (rev 12063) @@ -84,30 +84,41 @@ static void smb_krb5_socket_recv(struct smb_krb5_socket *smb_krb5) { TALLOC_CTX *tmp_ctx = talloc_new(smb_krb5); - NTSTATUS status; DATA_BLOB blob; size_t nread, dsize; switch (smb_krb5-hi-proto) { case KRB5_KRBHST_UDP: - status = socket_pending(smb_krb5-sock, dsize); - if (!NT_STATUS_IS_OK(status)) { + smb_krb5-status = socket_pending(smb_krb5-sock, dsize); + if (!NT_STATUS_IS_OK(smb_krb5-status)) { talloc_free(tmp_ctx); return; } + if (dsize == 0) { + smb_krb5-status = NT_STATUS_UNEXPECTED_NETWORK_ERROR; + talloc_free(tmp_ctx); + return; + } blob = data_blob_talloc(tmp_ctx, NULL, dsize); if (blob.data == NULL) { + smb_krb5-status = NT_STATUS_NO_MEMORY; talloc_free(tmp_ctx); return; } - status = socket_recv(smb_krb5-sock, blob.data, blob.length, nread, 0); - if (!NT_STATUS_IS_OK(status)) { + smb_krb5-status = socket_recv(smb_krb5-sock, blob.data, blob.length, nread, 0); + if (!NT_STATUS_IS_OK(smb_krb5-status)) { talloc_free(tmp_ctx); return; } blob.length = nread; + + if (nread == 0) { + smb_krb5-status = NT_STATUS_UNEXPECTED_NETWORK_ERROR; + talloc_free(tmp_ctx); + return; + } DEBUG(2,(Received smb_krb5 packet of length %d\n, (int)blob.length)); 
@@ -131,17 +142,14 @@ if (smb_krb5-partial_read 4) { uint32_t packet_length; - status = socket_recv(smb_krb5-sock, + smb_krb5-status = socket_recv(smb_krb5-sock, smb_krb5-partial.data + smb_krb5-partial_read, 4 - smb_krb5-partial_read, nread, 0); - if (NT_STATUS_IS_ERR(status)) { - smb_krb5-status = status; + /* todo: this should be converted to the packet_*() routines */ + if (!NT_STATUS_IS_OK(smb_krb5-status)) { return; } - if (!NT_STATUS_IS_OK(status)) { - return; - } smb_krb5-partial_read += nread; if (smb_krb5-partial_read != 4) { @@ -161,15 +169,11 @@ } /* read in the body */ - status = socket_recv(smb_krb5-sock, + smb_krb5-status = socket_recv(smb_krb5-sock, smb_krb5-partial.data + smb_krb5-partial_read, smb_krb5-partial.length - smb_krb5-partial_read, nread, 0); - if (NT_STATUS_IS_ERR(status)) { - smb_krb5-status = status; - return; - } - if (!NT_STATUS_IS_OK(status)) return; + if (!NT_STATUS_IS_OK(smb_krb5-status)) return; smb_krb5-partial_read += nread;
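Review bot: The stream-read hunks (old lines 131 and 161 of krb5_init_context.c) now store every socket_recv() result in the status field, including non-OK codes that the old code returned on without recording, since it only assigned the field when NT_STATUS_IS_ERR() was true. If socket_recv() can return a non-OK, non-error status for a partial read that should simply be retried, that status is now left in the field, and any caller that treats a non-OK value there as failure would give up on the request. Confirm which statuses socket_recv() can return here and keep a retry status out of the field if one exists. In the UDP hunk at line 84 the new dsize == 0 and nread == 0 branches both map to NT_STATUS_UNEXPECTED_NETWORK_ERROR; a comment saying this is the ICMP port unreachable case from the log message would make the intent clear.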
svn commit: samba r12064 - in branches/SAMBA_4_0/source/auth/kerberos: .
Author: tridge Date: 2005-12-05 06:05:02 + (Mon, 05 Dec 2005) New Revision: 12064 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=12064 Log: pass back the socket level error correctly (so we get NT_STATUS_CONNECTION_REFUSED when a KDC is not listening) Modified: branches/SAMBA_4_0/source/auth/kerberos/krb5_init_context.c Changeset: Modified: branches/SAMBA_4_0/source/auth/kerberos/krb5_init_context.c === --- branches/SAMBA_4_0/source/auth/kerberos/krb5_init_context.c 2005-12-05 06:01:22 UTC (rev 12063) +++ branches/SAMBA_4_0/source/auth/kerberos/krb5_init_context.c 2005-12-05 06:05:02 UTC (rev 12064) @@ -94,14 +94,9 @@ talloc_free(tmp_ctx); return; } - if (dsize == 0) { - smb_krb5-status = NT_STATUS_UNEXPECTED_NETWORK_ERROR; - talloc_free(tmp_ctx); - return; - } - + blob = data_blob_talloc(tmp_ctx, NULL, dsize); - if (blob.data == NULL) { + if (blob.data == NULL dsize != 0) { smb_krb5-status = NT_STATUS_NO_MEMORY; talloc_free(tmp_ctx); return;
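Review bot: The relaxed allocation check at line 97 of krb5_init_context.c needs a comment, because a NULL blob.data with dsize 0 is now passed on to socket_recv() and that reads like a bug unless the intent is known. The reason is given only in the log (letting socket_recv() report the socket-level error, such as NT_STATUS_CONNECTION_REFUSED), and it reverses the dsize == 0 early return that r12063 had just added. State in the code that a zero pending size is deliberately let through, and confirm that socket_recv() accepts a zero-length buffer on every platform this builds on.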
svn commit: samba r12065 - in branches/SAMBA_4_0/source/auth/credentials: .
Author: metze Date: 2005-12-05 06:55:20 + (Mon, 05 Dec 2005) New Revision: 12065 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=12065 Log: fix compiler warning metze Modified: branches/SAMBA_4_0/source/auth/credentials/credentials.h Changeset: Modified: branches/SAMBA_4_0/source/auth/credentials/credentials.h === --- branches/SAMBA_4_0/source/auth/credentials/credentials.h2005-12-05 06:05:02 UTC (rev 12064) +++ branches/SAMBA_4_0/source/auth/credentials/credentials.h2005-12-05 06:55:20 UTC (rev 12065) @@ -93,5 +93,5 @@ BOOL machine_account; /* A list of valid GENSEC mechanisms for use on this account */ - struct gensec_security_ops **gensec_list; + const struct gensec_security_ops **gensec_list; };