[Samba] Question about policies [OT?]

2006-02-17 Thread Koenraad Lelong

Hi,
I'm using samba 3 as a domain controller. For some XP-pro laptops I 
would like to disable the firewall when they are logged in on our 
network (I don't like it but I have to). Is this possible with Windows 
policies ? If so, does someone know about good reading material about 
policies ? I do have Mastering Windows XP professional but that's 
absolutely no help.

Thanks for any thoughts.
Regards,
Koenraad Lelong.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Question about policies [OT?]

2006-02-17 Thread Tomasz Chmielewski

Koenraad Lelong wrote:

> Hi,
> I'm using samba 3 as a domain controller. For some XP-pro laptops I
> would like to disable the firewall when they are logged in on our
> network (I don't like it but I have to). Is this possible with Windows
> policies ? If so, does someone know about good reading material about
> policies ? I do have Mastering Windows XP professional but that's
> absolutely no help.
>
> Thanks for any thoughts.
> Regards,
> Koenraad Lelong.


Samba 3 doesn't support group policies.

However, you could install for example WPKG - http://wpkg.org - and 
execute scripts on your machines as administrator/SYSTEM.
You can set the scripts/programs to execute only once on each 
workstation, which would be your case for disabling firewall.


You can disable the builtin firewall on XP with this:

netsh firewall set opmode disable


--
Tomasz Chmielewski


RE: [Samba] Question about policies [OT?]

2006-02-17 Thread Amit Sharma

Yea, that is possible.

First of all find the registry hive/key over any of your XP client, which 
controls the 'firewall' & then create a new custom ADM file to provide you 
the power to control the firewall settings from policy editor (search google 
for how to create custom adm files ~~ 
http://www.google.co.in/search?hl=en&q=how+to+create+adm+files&btnG=Google+Search&meta=).


Now import your first customised ADM file in policy editor & then disable 
firewall from there. Save all your changes to a filename as NTCONFIG.POL. 
Place it in your netlogon share & it's all done.

Let your XP clients log off n log on for changes to take effect.

With the same way you can control any registry setting. But make sure you 
revert back the setting in policy editor to get that effect off from clients 
as these changes are tattooed to your box & need to revert back precisely 
for reverse effect.


Regards
Amit..



From: Koenraad Lelong [EMAIL PROTECTED]
To: samba samba@lists.samba.org
Subject: [Samba] Question about policies [OT?]
Date: Fri, 17 Feb 2006 08:37:48 +0100

Hi,
I'm using samba 3 as a domain controller. For some XP-pro laptops I would 
like to disable the firewall when they are logged in on our network (I 
don't like it but I have to). Is this possible with Windows policies ? If 
so, does someone know about good reading material about policies ? I do 
have Mastering Windows XP professional but that's absolutely no help.

Thanks for any thoughts.
Regards,
Koenraad Lelong.


Re: [Samba] smbclient -L misses some shares when using NULL-Sessions (SOLVED)

2006-02-17 Thread Tobias Glemser

List,

there seems to be a limitation to 12 chars in smbclient. If someone has 
the same problem:

net rpc share list -S IP_target_system -U%
is the solution.

Toby

Tobias Glemser wrote on 14.02.2006 15:50:

List,

while trying to list all shares in my network using smbclient I 
recognized that some shares are missing. (hostname is a Win2K Box).


smbclient -L -U  -N hostname
shows no shares (using NULL-Session-Logon as you can see)

if I use a windows box to connect to hostname using
net use \\hostname  /User:
I can see all shares of this box in the explorer. On samba-based boxes, 
smbclient seems to retrieve all shares.


But don't blame it only on the Null-Session-Logon, also if I connect to 
the box using

smbclient -L -U Administrator -N hostname
I only get the admin-shares.

Is there an option I missed on smbclient to also see the missing share?
And, by the way, is there a way to retrieve the admin shares using NULL 
Session Logon like some w$nd0ws based audit tools?


Thanks in advance!

Toby



Re: [Samba] Samba version and ports

2006-02-17 Thread Gerald (Jerry) Carter

James John - jrjame wrote:
> I have been unable to find what version of Samba is running on a
> particular HP/UX server.  The information is not included in the
> ../samba/lib/smb.conf where I am used to finding it.  Also, I can not
> tell what port they have configured on this box any tips?

Look in the session information returned by

$ smbclient -L servername -N

or if you have a shell account on the server, just run `smbd -V`




cheers, jerry
=
I live in a Reply-to-All world.   ---
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com


Re: [Samba] NTLM Join Errors

2006-02-17 Thread Gerald (Jerry) Carter

Jeremy Allison wrote:

> No, we need to add the correct security layer to the
> LDAP libraries we're using for this. Please log a bug
> at bugzilla so we can track this. It'll take a little
> while to get fixed but I don't want to forget this.

https://bugzilla.samba.org/show_bug.cgi?id=765





cheers, jerry


Re: [Samba] Samba isn't trying the correct mix of capitals for a given username

2006-02-17 Thread Gerald (Jerry) Carter

Tom Dickson wrote:
> I'm watching the logs, and Samba is trying the following combinations for
> _Get_Pwnam() with the name UserName in the domain DOMAIN:
>
> domain+username
> DOMAIN+UserName
> DOMAIN+USERNAME
>
> and then it tries:
>
> username
> UserName
> USERNAME
>
> however, all 6 fail because what getent passwd shows is DOMAIN+username.

The getpwnam() lookup in winbindd is case insensitive.  So I
doubt that this is the real problem.







cheers, jerry


[Samba] Problem with NTConfig.POL+SAMBA+LDAP

2006-02-17 Thread Mike
Hello,

I installed two debian sarge servers with the following services: OPENLDAP, 
SAMBA 3.0, HEARTBEAT and DRBD. I used debian packages.
The RAID over IP is used for the /data and /home partitions.

I created a NTConfig.POL for my domain workstations and put it in 
/home/samba/netlogon.
But when a user logs on to a machine, the policy is not applied.

For details:

# l /home/samba/
total 4
drwxrwxr-x  2 root root 4096 2006-01-25 14:31 netlogon
drwxrwxrwt  8 root root   98 2006-01-25 13:15 profiles

# l /home/samba/netlogon/N*
-rw-r-xr-x  1 root root 262144 2006-01-25 11:33 /home/samba/netlogon/NTConfig.POL

#vi /etc/samba/smb.conf
[...]
[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   browseable = No
   guest ok = yes
   valid users = %U
   read only = yes

Do you have an idea?
Let me know if you need more information...

Thanks a lot,

Mike


Re: [Samba] edited tdb... restart samba?

2006-02-17 Thread Joe

Gerald (Jerry) Carter wrote:


>> My system is leading me to believe otherwise however
>> I am on 3.0.4.
>
> You'll have to be more clear.  If you used tdbtool to
> remove an entry you bypass any consistency checking that
> smbd would do for printers and drivers.  So you could
> say delete a driver record but the driver name is still
> stored in the printer record.
>
> The tdb files themselves are mmap()'d so there is no
> caching of driver objects in memory.  There was some
> caching of printer objects up to 3.0.20 or so.


For whatever reason, at least on 3.0.4 you cannot remove
a printer _driver_ once added via windows.  I removed the
driver files manually and then used tdbtool to remove
reference to the drivers.  The printer is still defined
in ntprinters.tdb.  I expect windows to not be able to
recognize the printer and prompt me to find the drivers.
Instead windows explicitly says the drivers for printer
HP 4050tn PCL 6 cannot be found. Even when you point
windows to the correct driver it would respond with cannot
locate suitable driver.  That description was found in
ntdrivers.tdb not ntprinters.tdb.  Once I removed it from
ntdrivers.tdb the same problem resulted.  To fix it I was
forced to install the driver (not the printer) into samba
(via windows).

Here is the ntprinters.tdb record after I removed the driver
reference in ntdrivers.tdb.  I do not see the driver name
stored as you say it is.

key 12 bytes
SECDESC/p37
data 160 bytes


Re: [Samba] Rejoining Computers to the domain

2006-02-17 Thread Josh Kelley
On 2/16/06, mallapadi niranjan [EMAIL PROTECTED] wrote:
> I have a query, I have a samba 3.0.21 with openldap, all my windows clients
> are joined to PDC.
> but suddenly now, all my windows clients unable to login
> but when i do getent passwd on the server, i could see all my computer
> accounts. even
> when i do ldapsearch -x -b ou=Computers,dc=msdpl,dc=com , i could see the
> list of computer account names
> but my windows clients report error message that the computer name is
> missing from the domain.
> all the systems had to rejoin to the domain. even having the computer
> account names in the ldap database.

Check that the computer accounts in LDAP have the appropriate Samba
object class and attributes.  (In other words, check that they're not
just POSIX accounts.)

Check that their RIDs are correct.  Under the default setup, I think,
a user account's RID = uid * 2 + 1000.

Try turning up the log level to see if that gives any more information.

Josh Kelley
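
The two checks Josh suggests, run over `ldapsearch` output, as an added example that is not part of the original post: it flags machine accounts that are POSIX-only and accounts whose RID does not match the formula he quotes. The LDIF sample, the `example.com` DNs and the function names are constructed for illustration, and the RID rule is assumed to be the `uid * 2 + 1000` default mentioned above, so a mismatch only matters if your setup allocates RIDs that way.

```python
import base64

RID_BASE = 1000  # assumption: the default base from the formula quoted above

# Constructed sample of `ldapsearch -x -b ou=Computers,...` output (LDIF).
SAMPLE_LDIF = """\
# ws01: complete Samba machine account
dn: uid=ws01$,ou=Computers,dc=example,dc=com
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws01$
uidNumber: 2001
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-5002

# ws02: POSIX account only, no Samba attributes
dn: uid=ws02$,ou=Computers,dc=example,dc=com
objectClass: account
objectClass: posixAccount
uid: ws02$
uidNumber: 2002

# ws03: Samba account, but the RID does not follow uidNumber*2+1000
dn: uid=ws03$,ou=Computers,dc=example,dc=com
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws03$
uidNumber: 2003
sambaSID: S-1-5-21-1111111111-2222222222-33333
 33333-3007
"""


def parse_ldif(text):
    """Parse LDIF text into a list of {lowercase attribute: [values]} dicts."""
    # Unfold first: a line starting with one space continues the previous line.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, current = [], {}
    for line in lines + [""]:            # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):         # LDIF comment
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):        # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def check_machine_accounts(entries, rid_base=RID_BASE):
    """Return (dn, problem) pairs for accounts a Samba PDC could not use."""
    findings = []
    for entry in entries:
        dn = entry.get("dn", ["?"])[0]
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "sambasamaccount" not in classes:
            findings.append((dn, "POSIX-only: no sambaSamAccount object class"))
            continue
        sid = entry.get("sambasid", [""])[0]
        uid_number = entry.get("uidnumber", [""])[0]
        if not sid or not uid_number.isdigit():
            findings.append((dn, "missing sambaSID or uidNumber"))
            continue
        rid = sid.rsplit("-", 1)[-1]     # last SID component is the RID
        expected = int(uid_number) * 2 + rid_base
        if not rid.isdigit() or int(rid) != expected:
            findings.append(
                (dn, f"RID {rid} != uidNumber*2+{rid_base} = {expected}"))
    return findings


if __name__ == "__main__":
    for dn, problem in check_machine_accounts(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: {problem}")
```
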


Re: [Samba] Strange messages in logs

2006-02-17 Thread Josh Kelley
On 2/16/06, Emmanuel Lesouef [EMAIL PROTECTED] wrote:
> I often have this type of message in my samba logs :
>
> Feb 16 18:06:42 lxdata smbd[3731]:   read_socket_data: recv failure for
> 4. Error = No route to host
>
> and
>
> Feb 16 18:06:42 lxdata smbd[3731]: [2006/02/16 18:06:42, 0]
> lib/util_sock.c:read_socket_data(384)

This seems to be a FAQ.

If the messages are from 0.0.0.0, then the problem is that Windows
clients by default open connections on both port 139 and port 445. 
When one connection succeeds, they silently drop the other connection.
 The messages that you're seeing are from Samba realizing the
connection was dropped.

You can get rid of the messages by setting smb ports = 139 (which
will force Win2K and newer clients to use NetBT, even if they don't
have to) or smb ports = 445 (which will break pre-Win2K clients),
but they're harmless, and I'd recommend just ignoring them.

If the messages are from another IP address, then that probably
indicates a client problem or networking problem.

Josh Kelley


Re: [Samba] Samba Problem on AIX

2006-02-17 Thread earl . rose
5300-03 for both servers.  One works fine.  The other worked fine for 
several weeks until yesterday. 





William Jojo [EMAIL PROTECTED]
02/16/2006 05:57 PM

To: [EMAIL PROTECTED]
cc: samba@lists.samba.org
Subject: Re: [Samba] Samba Problem on AIX

On Thu, 16 Feb 2006, [EMAIL PROTECTED] wrote:

> I've been running Samba3.0.21a on two AIX5.3 servers for several weeks
> with no major problems.  Today, one of the servers stopped working.  I
> received the following message from Windows when I tried to access one of
> the share drives:



What does oslevel -r report?



[Samba] No access check deleting printer drivers

2006-02-17 Thread Cesar Hernandez
Hi.
I have the same problem. I can delete any unused printer driver from my
samba server. I use samba-3.0.21b. The difference is that I use a
windows 2000 client; login as user to the samba domain (no
administrative privileges). Then I go to \\server , printers, server
properties, and I can delete any unused printer driver.
However, I cannot add any printer driver (as a normal user). Also, I
cannot create/delete/modify any file in \\server\print$. When I connect
as administrator, I can delete/add, etc.. printer drivers as usual.

That user is in domain users, and hasn't any privilege (like 
SePrintOperatorPrivilege).
My smb.conf is the following:


[global]

preferred master = yes
domain master = yes
local master = yes
domain logons = yes
add machine script = /etc/groupware/scripts/create_machine.sh %u
os level=33
logon path = \\%L\Profiles\%U
logon home=  \\%L\Profiles\%U
logon drive = j:

enable privileges = yes
logon script = startup.bat

   security = user
   workgroup = JLPDOM
   netbios name = jlp
   printing = cups
   printcap name = cups

   map to guest = Bad User

   passdb backend = ldapsam:ldap://127.0.0.1
   ldap admin dn = cn=manager,dc=jlp,dc=es
   ldap ssl = on
   ldap delete dn = no

   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap suffix = dc=jlp,dc=es

   log file = /var/log/samba/log.%m
   max log size = 50

   server string = Samba Server at jlp.jlp.es
   encrypt passwords = yes
   ldap replication sleep = 1

log level=10

[users]
   comment = All users
   path = /var/homes
   writeable = Yes
   veto files = /aquota.user/groups/shares/
   browseable = yes
   guest ok = no
   printable = no
   vfs object = vscan-clamav
   vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

[homes]
   comment = Home directory
   writeable=yes
   vfs object = vscan-clamav
   vscan-clamav: config-file = /etc/samba/vscan-clamav.conf


[printers]

 read only=yes
  browseable = yes
  guest ok = no
  printable = yes
   admin users = @Administrators
  comment = All Printers
  path = /tmp

[print$]
  comment = Printer Drivers
  path = /var/lib/samba/drivers


  write list = admin.jlp.es
  admin users = admin.jlp.es

  read only=yes

  create mask = 0664
  directory mask = 0775
  browseable = yes
  guest ok = no
  printable = no

[netlogon]
   path = /var/lib/samba/netlogon
   read only = yes
   write list = @Administrators
   admin users = @Administrators
   vfs object = vscan-clamav
   vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

[profiles]
   path = /var/lib/samba/profiles
   read only = no
   preexec=/etc/groupware/scripts/check_quota_user.sh %m %I
   vfs object = vscan-clamav
   vscan-clamav: config-file = /etc/samba/vscan-clamav.conf


[viruses]
   path = /var/lib/samba/viruses
   admin users = @Administrators
   valid users = @Administrators
   write list = @Administrators




Even using read only=yes or writeable=no in [print$] I can delete
printer drivers. Normally, I use write list = admin.jlp.es and admin
users = admin.jlp.es (admin.jlp.es is the domain administrator user).
If I delete the last two lines, I can also delete drivers.
Permissions in /var/lib/samba/drivers are 755, with owner root:root.
I also send you the samba log, with log level 10. It's very big, I don't
know if it would be very useful to you...


Thanks


Cesar Hernandez
[EMAIL PROTECTED]
Genos Open Source S.L.
Tarragona, 100. 08015 Barcelona
Tel. 932 282 231

http://genos.es
http://www.genos.org

Re: [Samba] No access check deleting printer drivers

2006-02-17 Thread Gerald (Jerry) Carter

Cesar Hernandez wrote:
> Hi.
> I have the same problem. I can delete any unused printer driver from my
> samba server. I use samba-3.0.21b.

Yes.  I know.  It will be fixed in 3.0.21c.  I'm working on it today.






cheers, jerry


[Samba] unexpected smb stop service.

2006-02-17 Thread Meli Marco
Hi All,

 

I'm working on SUSE Linux 2.6.11.4-21.9-default i686 i386 GNU/Linux, with
Samba Version 3.0.21a-0.1-SUSE.

Initially after installation everything seemed to work fine, but sometimes it
happens that nobody can access the data share: people already authenticated
continue working, while new users receive an error message.

I have found something in /var/log/messages file reported below:

 

Feb 17 12:01:38 server smbd[1021]:   chdir (/data) failed
Feb 17 12:01:44 server smbd[965]: [2006/02/17 12:01:44, 0] smbd/service.c:set_current_service(49)
Feb 17 12:01:44 server smbd[965]:   chdir (/data) failed
Feb 17 12:01:47 server smbd[6722]: [2006/02/17 12:01:47, 0] smbd/service.c:set_current_service(49)
Feb 17 12:01:47 server smbd[6722]:   chdir (/data) failed
Feb 17 12:01:49 server smbd[3033]: [2006/02/17 12:01:49, 0] smbd/service.c:set_current_service(49)
Feb 17 12:01:50 server sshd[7775]: Accepted publickey for root from :::10.90.1.31 port 4622 ssh2
Feb 17 12:01:50 server smbd[3033]:   chdir (/data) failed

Feb 17 12:01:58 server smbd[3244]: [2006/02/17 12:01:58, 0] tdb/tdbutil.c:tdb_log(772)
Feb 17 12:01:58 server smbd[3244]:   tdb(/etc/samba/secrets.tdb): tdb_lock failed on list 2 ltype=1 (Interrupted system call)
Feb 17 12:01:58 server smbd[3244]: [2006/02/17 12:01:58, 0] tdb/tdbutil.c:tdb_chainlock_with_timeout_internal(82)
Feb 17 12:01:58 server smbd[3244]:   tdb_chainlock_with_timeout_internal: alarm (10) timed out for key replay cache mutex in tdb /etc/samba/secrets.tdb
Feb 17 12:02:01 server smbd[3931]: [2006/02/17 12:02:01, 0] tdb/tdbutil.c:tdb_log(772)

 

Chdir (/data) failed is a recurrent error but doesn't seem to stop the
service, while Interrupted system call produces the effects described above.

 

Could you help me to eliminate both errors or tell me why they appear?

Restarting daemons seems the only work around solution now. 

 

Below my smb.conf file:

[global]
server string = xxx
netbios name = XXX
workgroup = WORKGROUP
security = ADS
password server = XXX XXX
socket options = TCP_NODELAY SO_KEEPALIVE
realm = WORKGROUP.DOMAIN
allow trusted domains = yes
auth methods = guest sam_ignoredomain winbind:ntdomain
encrypt passwords = yes
admin users = xxx
nt acl support = yes
map acl inherit = yes
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes
winbind separator = /
winbind use default domain = no
dos charset = 850
unix charset = ISO8859-15
display charset = ISO8859-15
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
domain master = No
log file = /var/log/samba/log.%m
log level = 1
max log size = 50
passdb expand explicit = no

[data]
comment = Linux-Fileserver
path = /data
writeable = yes
create mask = 0770
security mask = 0777
directory security mask = 0777
directory mask = 0770
force directory security mode = 0
directory security mask = 0777
hide unreadable = yes

 

Thanks.

Marco.



Re: [Samba] unexpected smb stop service.

2006-02-17 Thread James Kosin

Meli Marco wrote:
>
> Feb 17 12:01:38 server smbd[1021]:   chdir (/data) failed
>
> Feb 17 12:01:44 server smbd[965]: [2006/02/17 12:01:44, 0]
> smbd/service.c:set_current_service(49)
>
Just a simple question...

Does the /data directory exist?
Samba doesn't usually create a directory that doesn't exist.

Are the permissions on the directory correct?
'ls -la / | grep data'

James


[Samba] Domain User access control in the smb.conf

2006-02-17 Thread Alex Wang
Hi All

My system is Freebsd 5.4 and Samba 3.0.21a. I am using ADS for system
security. In my smb.conf, I create a share like that.

[Test2]
comment = Test
path = /usr/tmp/
valid users = @Domain Admins,@Domain\myaccount

The domain administrator can access the share folder, but I can't. It
keeps asking me the username and password.

The samba is joined to the domain and auth is working fine. I can auth
my account under the shell without any problem.

**
samba# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: [EMAIL PROTECTED]

  Issued           Expires  Principal
Feb 15 17:38:15  Expired  krbtgt/[EMAIL PROTECTED]
Feb 15 18:29:51  Expired  [EMAIL PROTECTED]
**

smb# wbinfo -a myaccount%***
plaintext password authentication succeeded
challenge/response password authentication succeeded
smb# 

I guess the @Domain\myaccount is the wrong format, but I check the
manual and can't find anything talk about the user list in smb.conf

smb# testparm
Load smb config files from /usr/local/etc/smb.conf
Processing section [Test]
Processing section [Test2]
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
workgroup = DOMAIN
realm = DOMAIN.COM
server string = Samba Server
security = ADS
allow trusted domains = No
password server = dc
syslog only = Yes
log file = /var/log/samba/log.%m
max log size = 50
dns proxy = No
wins server = 192.168.0.100
passdb expand explicit = No
idmap backend = idmap_rid:DOMAIN=500-1
idmap uid = 500-1
idmap gid = 500-1
template homedir = /usr/samba/%U
template shell = /bin/sh
winbind cache time = 3600
winbind use default domain = Yes
winbind nested groups = Yes
hosts allow = 192.168.0.

[Test]
path = /usr/samba
read only = No

[Test2]
comment = Test
path = /usr/tmp/
valid users = @Domain Admins, @DOMAIN\myaccount


Thanks



Alex




Re: [Samba] Domain User access control in the smb.conf

2006-02-17 Thread Don Meyer

At 12:52 PM 2/17/2006, Alex Wang wrote:

> I guess the @Domain\myaccount is the wrong format, but I check the
> manual and can't find anything talk about the user list in smb.conf
>
> smb# testparm
> ...
> winbind use default domain = Yes



First off, if myaccount is a user account, then drop the @ -- 
that is one of the specials used to designate a group.


Second, with winbind use default domain active/enabled, you should 
not have to specify the DOMAIN\ part.


Also, since you are using the special char \ as a domain separator, 
you need to be very cognizant of where you need to properly escape 
it.   (I.E., use \\ instead of just \)   I'm pretty sure that 
valid users = is one of those places...


Cheers,
-D


Don Meyer   [EMAIL PROTECTED]
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

  They that can give up essential liberty to obtain a little 
temporary safety,
deserve neither liberty or safety. -- Benjamin Franklin, 1759 




RE: [Samba] RE: Print Migrator help needed...

2006-02-17 Thread Aarti Varshney (asadhnan)
Hi Jerry,

I cannot get drivers to migrate using the printmig.exe tool.
Please see the samba log with log level of 3.

  w2k3-dc (192.168.1.13) closed connection to service print$
[2006/02/17 19:20:20, 1] smbd/service.c:make_connection_snum(662)
  w2k3-dc (192.168.1.13) connect to service print$ initially as user
root (uid=0, gid=0) (pid 25564)
[2006/02/17 19:20:20, 1] smbd/service.c:close_cnum(833)
  w2k3-dc (192.168.1.13) closed connection to service print$
[2006/02/17 19:20:20, 1] smbd/service.c:make_connection_snum(662)
  w2k3-dc (192.168.1.13) connect to service print$ initially as user
root (uid=0, gid=0) (pid 25564)
[2006/02/17 19:20:20, 0]
printing/nt_printing.c:move_driver_to_download_area(1811)
  move_driver_to_download_area: Unable to rename [W32X86/BUPM815.GPD] to
[W32X86/3/BUPM815.GPD]
[2006/02/17 19:20:20, 1] smbd/service.c:close_cnum(833)
  w2k3-dc (192.168.1.13) closed connection to service print$
[2006/02/17 19:20:31, 1] smbd/service.c:make_connection_snum(662)
  w2k3-dc (192.168.1.13) connect to service print$ initially as user
root (uid=0, gid=0) (pid 25564)
[2006/02/17 19:20:31, 1] smbd/service.c:close_cnum(833)
  w2k3-dc (192.168.1.13) closed connection to service print$
[2006/02/17 19:20:31, 1] smbd/service.c:make_connection_snum(662)
  w2k3-dc (192.168.1.13) connect to service print$ initially as user
root (uid=0, gid=0) (pid 25564)
[2006/02/17 19:20:31, 0]
printing/nt_printing.c:move_driver_to_download_area(1811)
  move_driver_to_download_area: Unable to rename [W32X86/CI8510.GPD] to
[W32X86/3/CI8510.GPD]
[2006/02/17 19:20:31, 1] smbd/service.c:close_cnum(833)
  w2k3-dc (192.168.1.13) closed connection to service print$
[2006/02/17 19:20:58, 1] smbd/service.c:make_connection_snum(662)
  w2k3-dc (192.168.1.13) connect to service print$ initially as user
root (uid=0, gid=0) (pid 25564)
[2006/02/17 19:20:58, 1] smbd/service.c:close_cnum(833)
  w2k3-dc (192.168.1.13) closed connection to service print$
[2006/02/17 19:20:58, 1] smbd/service.c:make_connection_snum(662)
  w2k3-dc (192.168.1.13) connect to service print$ initially as user
root (uid=0, gid=0) (pid 25564)
[2006/02/17 19:20:58, 0]
printing/nt_printing.c:move_driver_to_download_area(1811)
  move_driver_to_download_area: Unable to rename [W32X86/CNBJ20.GPD] to
[W32X86/3/CNBJ20.GPD]

-Original Message-
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 08, 2006 10:07 AM
To: Geoffrey Scott
Cc: samba@lists.samba.org; Aarti Varshney (asadhnan)
Subject: Re: [Samba] RE: Print Migrator help needed...


Gerald (Jerry) Carter wrote:
 Gerald (Jerry) Carter wrote:
 Geoffrey Scott wrote:

 On a debian Sarge box this is what I get in the log for the 
 machine connected from after using the mmc plugin:

 sh: line 1: /usr/lib/samba/svcctl/NETLOGON: No such file or 
 directory
 sh: line 1: /usr/lib/samba/svcctl/Spooler: No such file or 
 directory
 sh: line 1: /usr/lib/samba/svcctl/Spooler: No such file or 
 directory

 I can't reproduce this failure anymore.  I have you log files but I 
 need your smb.conf.
 
 Ahhhok.  Apparently, there's a bug when you don't list any 
 external services in smb.conf.  Patch forthcoming.

And here's the patch.  Some older code that didn't get removed during
the latest rewrite.





cheers, jerry


Re[2]: [Samba] Domain User access control in the smb.conf

2006-02-17 Thread Alex Wang
Thanks Don, it works.

Another question about that is, do I have to list all the users who need
to access that share folder?

[Test2]
comment = Test
path = /usr/tmp/
valid users = @Domain Admins
readonly = Yes
write list = myaccount
Since myaccount is not in Domain Admins, I can't even access those share
folder. Do I have to change to

[Test2]
comment = Test
path = /usr/tmp/
valid users = @Domain Admins, myaccount
readonly = Yes
write list = myaccount

Thanks

Alex



On Fri, 17 Feb 2006 13:29:50 -0600
Don Meyer [EMAIL PROTECTED] wrote:

 At 12:52 PM 2/17/2006, Alex Wang wrote:
 I guess the @Domain\myaccount is the wrong format, but I check the
 manual and can't find anything talk about the user list in smb.conf
 
 smb# testparm
 ...
  winbind use default domain = Yes
 
 
 First off, if myaccount is a user account, then drop the @ -- 
 that is one of the specials used to designate a group.
 
 Second, with winbind use default domain active/enabled, you should 
 not have to specify the DOMAIN\ part.
 
 Also, since you are using the special char \ as a domain separator, 
 you need to be very cognizant of where you need to properly escape 
 it.   (I.E., use \\ instead of just \)   I'm pretty sure that 
 valid users = is one of those places...
 
 Cheers,
 -D
 
 
 Don Meyer   [EMAIL PROTECTED]
 Network Manager, ACES Academic Computing Facility
 Technical System Manager, ACES TeleNet System
 UIUC College of ACES, Information Technology and Communication Services
 
They that can give up essential liberty to obtain a little 
 temporary safety,
  deserve neither liberty or safety. -- Benjamin Franklin, 1759 





Re[2]: [Samba] Domain User access control in the smb.conf

2006-02-17 Thread Don Meyer
Yes, if you have the valid users = line present in a resource's 
config block, then access to that resource is limited to the defined 
set of users.  If not present, then any user can connect to the resource.


-D


At 01:41 PM 2/17/2006, Alex Wang wrote:

Thanks Don, it works.

Another question about that is, do I have to list all the users who need
to access that share folder?

[Test2]
comment = Test
path = /usr/tmp/
valid users = @Domain Admins
readonly = Yes
write list = myaccount

Since myaccount is not in Domain Admins, I can't even access those share
folder. Do I have to change to

[Test2]
comment = Test
path = /usr/tmp/
valid users = @Domain Admins, myaccount
readonly = Yes
write list = myaccount

Thanks

Alex





Don Meyer   [EMAIL PROTECTED]
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

  They that can give up essential liberty to obtain a little 
temporary safety,
deserve neither liberty or safety. -- Benjamin Franklin, 1759 




Re[3]: [Samba] Domain User access control in the smb.conf

2006-02-17 Thread Alex Wang
Thanks a lot. It's working perfect right now.



Alex


On Fri, 17 Feb 2006 13:48:51 -0600
Don Meyer [EMAIL PROTECTED] wrote:

 Yes, if you have the valid users = line present in a resource's 
 config block, then access to that resource is limited to the defined 
 set of users.  If not present, then any user can connect to the resource.
 
 -D
 
 


[Samba] Are these still all the recommended settings for using roaming profiles?

2006-02-17 Thread Douglas Phillipson
I got these several years ago, but we are having problems with Outlook 
with roaming profiles so I want to check and see if something new should 
be added to this list of mods for roaming profiles.


-

Go to Local Computer Policy -> Administrative Templates -> System -> Logon and
enable:

1) Enable Do not check for ownership of Roaming Profiles Folders
2) Enable Add the Administrators security group to roaming users profiles
3) Enable Delete cached copies of roaming profiles
4) Enable Wait for remote user profile
5) Enable log users off when roaming profile fails

Use regedit and search for the following two registry keys:

   RequireSignOrSeal ValueType REG_DWORD = 4
   SignSecureChannel ValueType REG_DWORD = 4

Change them to:

   RequireSignOrSeal ValueType REG_DWORD = 0
   SignSecureChannel ValueType REG_DWORD = 0

-
Thanks

Doug P


Re: [Samba] edited tdb... restart samba?

2006-02-17 Thread Gerald (Jerry) Carter

Joe wrote:

 For whatever reason, at least on 3.0.4 you cannot remove
 a printer _driver_ once added via windows.  I removed the
 driver files manually and then used tdbtool to remove
 reference to the drivers.  The printer is still defined
 in ntprinters.tdb.  I expect windows to not be able to
 recognize the printer and prompt me to find the drivers.
 Instead windows explicitly says the drivers for printer
 HP 4050tn PCL 6 cannot be found. Even when you point
 windows to the correct driver it would respond with cannot
 locate suitable driver.  That description was found in
 ntdrivers.tdb not ntprinters.tdb.  Once I removed it from
 ntdrivers.tdb the same problem resulted.  To fix it I was
 forced to install the driver (not the printer) into samba
 (via windows).

First, you really need to upgrade from 3.0.4.  The
capability to delete drivers is one of them.  The amount
of bugs that have been fixed in the past 20 months is
really large.  Secondly, like I said, the driver name is
stored in the printer object.

 Here is the ntprinters.tdb record after I removed the driver
 reference in ntdrivers.tdb.  I do not see the driver name
 stored as you say it is.
 
 key 12 bytes
 SECDESC/p37

That's because this is the security descriptor record and
not the printer object record.




cheers, jerry
=
I live in a Reply-to-All world---
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com


[Samba] Outlook path to pst file is lost when using roaming profiles

2006-02-17 Thread Douglas Phillipson
We are having a problem getting the path to the Outlook PST file to move 
from machine to machine using roaming profiles (Samba 3.0.10 on RHEL 4). 
 When a user logs off on one machine and logs on to another, the 
outlook path to the PST file is gone.  I found this message in the 
archive back in 2002 but I see no resolution for it:


http://lists.samba.org/archive/samba/2002-July/047507.html

Here is the text from that post:

Does anybody know how to manage roaming profiles with outlook 2002 ? I
have XP boxes with roaming profiles and all work fine. The only problem
is that XP doesn´t export the path where outlook stores its .pst file. This is
not the problem for the .pst file where outlook stores contacts and so.
The path of the normal pst is on a network drive.  But I have an IMAP
mail account for every user and if you configure outlook for imap it
creates another .pst file under the normal path ...Local
Settings../outlook/
I am not able to store this file under a different path e.g. a network
drive. I think that there are 2 ways for my problem:

1.) show outlook the path to a network drive for the imap pst as I did
it for the normal pst -- I don´t know how

2.) export the whole outlook path under local settings --

It works, but not for a long time:

After you create an outlook account for the first time, outlook adds a
registry entry under

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
-- ExcludeProfileDirs

In this entry you can add directories of the roaming profile not to
export. -- because of that, the outlook pst would not exported with the
roaming profile. If I delete this entry on all workstations under the
default and the user profile of the registry it works for some time.
But after some time, I don´t know why the entry is back in the registry
to not export the outlook folder.

Does anybody have an idea ?

Regards sven

Has anybody else seen this problem or found a resolution?

Thanks

Doug P


Re: [Samba] No access check deleting printer drivers

2006-02-17 Thread Gerald (Jerry) Carter

Cesar Hernandez wrote:

 I have the same problem. I can delete any unused printer 
 driver from my samba server. I use samba-3.0.21b.

Please try this patch and let me know.  It should apply
to any 3.0.20 or 3.0.21 release.





cheers, jerry
Index: printing/nt_printing.c
===
--- printing/nt_printing.c  (revision 13546)
+++ printing/nt_printing.c  (working copy)
@@ -4779,6 +4779,11 @@
return False;
}
 
+   if ( !CAN_WRITE(conn) ) {
+   DEBUG(3,(delete_driver_files: Cannot delete print driver when 
[print$] is read-only\n));
+   return False;
+   }
+
 /* Save who we are - we are temporarily becoming the connection user. 
*/
 
if ( !become_user(conn, conn-vuid) ) {
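Review bot: the new CAN_WRITE(conn) test in delete_driver_files returns the same bare False as the failure path directly above it, so the caller cannot tell a read-only [print$] apart from any other failure, and the only trace is a DEBUG level 3 line. Consider returning a distinguishable status, or logging at a lower debug level, so that a refused driver deletion surfaces as an access denial rather than a generic failure.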
Index: rpc_server/srv_spoolss_nt.c
===
--- rpc_server/srv_spoolss_nt.c (revision 13546)
+++ rpc_server/srv_spoolss_nt.c (working copy)
@@ -1967,9 +1967,20 @@
struct current_user user;
WERROR  status;
WERROR  status_win2k = WERR_ACCESS_DENIED;
+   SE_PRIV se_printop = SE_PRINT_OPERATOR; 

get_current_user(user, p);
 
+   /* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege,
+  and not a printer admin, then fail */
+   
+   if ( (user.uid != 0) 
+!user_has_privileges(user.nt_user_token, se_printop ) 
+!user_in_list(uidtoname(user.uid), lp_printer_admin(-1), 
user.groups, user.ngroups) )
+   {
+   return WERR_ACCESS_DENIED;
+   }
+
unistr2_to_ascii(driver, q_u-driver, sizeof(driver)-1 );
unistr2_to_ascii(arch,   q_u-arch,   sizeof(arch)-1   );
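Review bot: the access check added after get_current_user() returns WERR_ACCESS_DENIED without logging anything, unlike the CAN_WRITE check in printing/nt_printing.c, which at least emits a DEBUG line. A DEBUG message naming user.uid here would let an administrator see refused driver deletions in the log. Also, lp_printer_admin(-1) is called with -1 rather than a service number; a short comment stating which printer admin list that selects would help the next reader.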

@@ -2053,9 +2064,20 @@
struct current_user user;
WERROR  status;
WERROR  status_win2k = WERR_ACCESS_DENIED;
+   SE_PRIV se_printop = SE_PRINT_OPERATOR; 

get_current_user(user, p);

+   /* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege,
+  and not a printer admin, then fail */
+   
+   if ( (user.uid != 0) 
+!user_has_privileges(user.nt_user_token, se_printop ) 
+!user_in_list(uidtoname(user.uid), lp_printer_admin(-1), 
user.groups, user.ngroups) )
+   {
+   return WERR_ACCESS_DENIED;
+   }
+   
unistr2_to_ascii(driver, q_u-driver, sizeof(driver)-1 );
unistr2_to_ascii(arch,   q_u-arch,   sizeof(arch)-1   );
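Review bot: this is a second copy of the root / SE_PRINT_OPERATOR / printer admin test added in the previous hunk, down to the comment. Moving it into one static helper that both functions call would keep the two delete paths from drifting apart the next time the rule changes.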
 

Re: [Samba] No access check deleting printer drivers

2006-02-17 Thread Gerald (Jerry) Carter

Gerald (Jerry) Carter wrote:
 Cesar Hernandez wrote:
 
 I have the same problem. I can delete any unused printer 
 driver from my samba server. I use samba-3.0.21b.
 
 Please try this patch and let me know.  It should apply
 to any 3.0.20 or 3.0.21 release.
 
 

After looking at this some more I think you'll find
that the actual driver files were never removed.  On
the tdb record for the driver.  That should not be
fixed.




cheers, jerry


Re: [Samba] edited tdb... restart samba?

2006-02-17 Thread Joe

Gerald (Jerry) Carter wrote:

First, you really need to upgrade from 3.0.4.  The
capability to delete drivers is one of them.  The amount
of bugs that have been fixed in the past 20 months is
really large.  Secondly, like I said, the driver name is
stored in the printer object.


Been too nervous!!  3.0.4 has been stable.  :)



Here is the ntprinters.tdb record after I removed the driver
reference in ntdrivers.tdb.  I do not see the driver name
stored as you say it is.

key 12 bytes
SECDESC/p37


That's because this is the security descriptor record and
not the printer object record.



Hmmm...  which tdb is the printer object?


Re: [Samba] domain member with LDAP nss

2006-02-17 Thread Gordon Messmer
I think I'm getting a better idea of what's required for this... One 
thing that I've noticed is that since my user and group management tools 
already store the sambaSID attributes in the user/group entries, along 
with uidNumber/gidNumber, all that I need to do to make these entries 
valid for winbind is add the sambaIdmapEntry objectclass.


Now, in theory my directory is a complete database, usable by winbind 
for its idmap functions.  However, winbind still seems to require an 
admin dn and password to be saved locally.  I'd really rather that 
winbind treat the directory as a read-only repository of data.  Is that 
possible?



Gordon Messmer wrote:
I have a domain member server running samba 3.  NSS info currently comes 
from ldap, and the PDC is another samba 3 host.  The PDC is also using 
the ldap server for its data.


I'm not clear on how winbind is used in this configuration.  When I look 
at the owner/group of files from a Windows workstation, I see names of 
the form MYHOST\gmessmer rather than MYDOMAIN\gmessmer.  I presume 
that this is so because samba can map my domain login 
(MYDOMAIN\gmessmer) to the unix user gmessmer, but can't do the 
reverse without winbind.


What is the minimum amount of configuration needed to provide this 
reverse mapping?  Do I have to go so far as to replace the NSS source 
with winbind?




Re: [Samba] Samba + LDAP Windows Join Domain

2006-02-17 Thread Gordon Messmer

James Taylor wrote:


I am currently running samba 3.0.13.  I have set the samba server up as a
NT4 Domain controller and I have also integrated my LDAP configuration with
samba.  When I try to join the samba domain from any Windows 2000 or Windows
XP machine I get the error message The user could not be found.  My
smbldap-tools scripts are working in the sense that the Machine Add script
is adding the machinename$ domain account.


Does getent passwd machinename$ produce the expected result?


Re: [Samba] share permissions

2006-02-17 Thread Gordon Messmer

Donald W Watson wrote:


If I have a samba server with the following share:

  [share1]
readlist= user1
path = /tmp/share1
writelist = user2

On the surface this indicates that user1 can only read files in the share,
while user2 can read and write.  However:

1. If the share is mounted on another unix machine with mount -t cifs
what effect does -o username=some user have on the read/write behavior
of files in the share?


All of the permissions processing on the samba server will be done in 
the context of some user.  All users on the client will share that 
context, in other words.



2. What effect do unix ownership and permissions of the files in the share
have on read/write behavior of those files?


user2 will be able to write, *if* the unix permissions allow him to. 
user1 will never be able to write anything at all, regardless of the 
permissions on the files.


Naturally, that means that when someone connects to the server as user2, 
those permissions will be enforced.  Mounting the share on a unix system 
with cifs will not allow user1 and user2 to share a mount point and 
still get the appropriate security levels for each.
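
The rules discussed in this thread and in the earlier valid users thread (valid users as a gate, write list and read list overriding read only, Unix permissions applied on top) can be combined into one decision. The following is an added example, not part of the original posts and not Samba's code: a simplified Python model whose class and function names are made up for illustration, and which ignores invalid users, force user, admin users, ACLs and root.

```python
"""Simplified model of how share-level lists and Unix permissions combine.

Added example: a teaching model, not Samba's implementation. All names
here (Share, UnixFile, share_access, ...) are hypothetical.
"""
from dataclasses import dataclass, field


def _matches(user, groups, names):
    """True if `user`, or one of their `groups`, appears in an smb.conf-style list.

    A leading '@' marks a group entry, as noted in the valid users thread.
    """
    group_set = {g.lower() for g in groups}
    for name in names:
        if name.startswith("@"):
            if name[1:].lower() in group_set:
                return True
        elif name.lower() == user.lower():
            return True
    return False


@dataclass
class Share:
    name: str
    read_only: bool = True                      # smb.conf default
    valid_users: list = field(default_factory=list)
    read_list: list = field(default_factory=list)
    write_list: list = field(default_factory=list)


def share_access(share, user, groups=()):
    """Return 'none', 'ro' or 'rw' as decided by the share definition alone."""
    if share.valid_users and not _matches(user, groups, share.valid_users):
        return "none"       # valid users is a gate: not listed, no connection
    if _matches(user, groups, share.write_list):
        return "rw"         # write list wins over read only = yes and read list
    if _matches(user, groups, share.read_list):
        return "ro"         # read list wins over a writable share
    return "ro" if share.read_only else "rw"


@dataclass
class UnixFile:
    owner: str
    group: str
    mode: int               # e.g. 0o644


def unix_allows_write(f, user, groups=()):
    """Classic owner/group/other test for the write bit (no ACLs, no root)."""
    if user == f.owner:
        return bool(f.mode & 0o200)
    if f.group in groups:
        return bool(f.mode & 0o020)
    return bool(f.mode & 0o002)


def can_write(share, f, user, groups=()):
    """A write succeeds only if the share grants 'rw' AND Unix permissions agree."""
    return share_access(share, user, groups) == "rw" and unix_allows_write(f, user, groups)


# Constructed sample data mirroring the shares quoted in the two threads.
TEST2_ORIGINAL = Share("Test2", read_only=True,
                       valid_users=["@Domain Admins"], write_list=["myaccount"])
TEST2_FIXED = Share("Test2", read_only=True,
                    valid_users=["@Domain Admins", "myaccount"],
                    write_list=["myaccount"])
SHARE1 = Share("share1", read_list=["user1"], write_list=["user2"])

if __name__ == "__main__":
    for share in (TEST2_ORIGINAL, TEST2_FIXED):
        print(share.valid_users, "->",
              share_access(share, "myaccount", ["Domain Users"]))
    report = UnixFile(owner="user1", group="staff", mode=0o644)  # constructed file
    print("user2 may write 0644 file owned by user1:",
          can_write(SHARE1, report, "user2", ["staff"]))
```

The last line of output is the case Gordon describes: user2 is on the write list, but the write is still refused because the file's group write bit is not set.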



RE: [Samba] Samba + LDAP Windows Join Domain

2006-02-17 Thread James Taylor
I figured out the issues I was having... Basically when the machine accounts
were created the smbldap-tools I was using did not add the sambaSAMAccount
objectclass and the appropriate sub information needed for the Domain
lookup.  I made several modifications to my scripts and voilà!  It works.

Thank you

James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Gordon Messmer
Sent: Friday, February 17, 2006 4:41 PM
To: samba@lists.samba.org
Subject: Re: [Samba] Samba + LDAP Windows Join Domain

James Taylor wrote:
 
 I am currently running samba 3.0.13.  I have set the samba server up as a
 NT4 Domain controller and I have also integrated my LDAP configuration with
 samba.  When I try to join the samba domain from any Windows 2000 or Windows
 XP machine I get the error message The user could not be found.  My
 smbldap-tools scripts are working in the sense that the Machine Add script
 is adding the machinename$ domain account.

Does getent passwd machinename$ produce the expected result?


Re: [Samba] smb/cifs or nfsv3: which is cheaper

2006-02-17 Thread Gordon Messmer

Anthony Messina wrote:


My question is, which is cheaper both in terms of processing power and 
network overhead: nfsv3 or smbfs or cifs?  I'll also take information on 
nfsv4, though that is not my current setup.


I'd expect NFS to be the better option for Linux - Linux sharing.  In 
particular, because the daemon is in the kernel, it should perform better.


Of course, since NFS is similar in security to samba with 
security=share, you should be able to have both running, and their 
configurations will be very minimal.  If NFS doesn't do it for you, you 
can try samba fairly easily.




Re: [Samba] Rejoining Computers to the domain

2006-02-17 Thread mallapadi niranjan
Hi Josh

As you have suggested my Computer Accounts have the following object
classes. and RID is also uid*2+1000.

dn: uid=comp07$,ou=Computers,dc=msdpl,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
cn: comp07$
sn: comp07$
uid: comp07$
uidNumber: 1037
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
sambaSID: S-1-5-21-3963901886-956592875-555457773-3074
sambaPrimaryGroupSID: S-1-5-21-3963901886-956592875-555457773-515
displayName: comp07$
sambaPwdCanChange: 0
sambaAcctFlags: [W  ]

The above information is from when the computer is joined to the domain and works
properly.
But if my PDC gets shut down abruptly, the above information regarding
the computer account is the same,
but the computer gives the error that the computer name is missing in the
domain.
I get the following errors
1.) _net_sam_logon: creds_server_setup failed. Rejecting auth request from
client comp07 machine
2.) _net_auth2: creds_server_check failed, Rejecting auth request from
client comp07 machine account comp07

Error 2 gets repeated whenever a user logon request comes from that
computer, i.e. error 2 always repeats, even when the computer is joined to
the domain and working properly.


I get the following messages in /var/log/messages when the PDC is running
and all my clients are joined. What do these messages mean? I don't know.

1. smbd. api_samr_set_userinfo: unable to marshall SAMR_Q_SET_USERINFO.

2. getpeername failed. error was transport end pt. is not connected.

My samba version is 3.0.21, and smbldap-tools version is 0.9 and slapd
version is
openldap: slapd 2.2.13

Regards
Niranjan




On 2/17/06, Josh Kelley [EMAIL PROTECTED] wrote:

 On 2/16/06, mallapadi niranjan [EMAIL PROTECTED] wrote:
  I have a query, I have a samba 3.0.21 with openldap, all my windows clients
  are joined to PDC.
  but suddenly now, all my windows clients unable to login
  but when i do getent passwd on the server, i could see all my computer
  accounts. even
  when i do ldapsearch -x -b ou=Computers,dc=msdpl,dc=com, i could see the
  list of computer account names
  but my windows clients report error message that the computer name is
  missing from the domain.
  all the systems had to rejoin to the domain. even having the computer
  account names in the ldap database.

 Check that the computer accounts in LDAP have the appropriate Samba
 object class and attributes.  (In other words, check that they're not
 just POSIX accounts.)

 Check that their RIDs are correct.  Under the default setup, I think,
 a user account's RID = uid * 2 + 1000.

 Try turning up the log level to see if that gives any more information.

 Josh Kelley
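
The two checks Josh Kelley suggests (Samba object class present, RID matching uid * 2 + 1000) can be scripted over an LDIF export of the Computers subtree. This is an added example, not part of the thread: the function names are made up, the comp08$ and comp09$ entries are constructed, and the RID formula is the one quoted in the thread, which assumes the default mapping is in use.

```python
"""Audit Samba machine accounts exported as LDIF (added example)."""

REQUIRED_CLASS = "sambasamaccount"


def parse_ldif(text):
    """Parse simple LDIF (no base64 values, no folded lines) into a list of dicts.

    Each entry maps a lower-cased attribute name to the list of its values.
    """
    entries, current = [], {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line:                       # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue                       # comment or unparseable line
        attr, value = line.split(":", 1)
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def expected_rid(uid_number, rid_base=1000):
    """RID formula quoted in the thread: uid * 2 + 1000."""
    return uid_number * 2 + rid_base


def audit_entry(entry):
    """Return the list of problems found in one account entry (empty = OK)."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if REQUIRED_CLASS not in classes:
        problems.append("missing objectClass sambaSamAccount (POSIX-only account)")
    sid = entry.get("sambasid", [None])[0]
    uid = entry.get("uidnumber", [None])[0]
    if sid is None:
        problems.append("no sambaSID attribute")
    elif uid is not None and uid.isdigit():
        rid = sid.rsplit("-", 1)[-1]       # last SID component is the RID
        want = expected_rid(int(uid))
        if not rid.isdigit() or int(rid) != want:
            problems.append(f"RID {rid} != uidNumber*2+1000 ({want})")
    return problems


def audit(text):
    """Map each entry's uid to its list of problems."""
    return {e.get("uid", ["?"])[0]: audit_entry(e) for e in parse_ldif(text)}


SAMPLE_LDIF = """\
# comp07$: the working entry quoted in the thread
dn: uid=comp07$,ou=Computers,dc=msdpl,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
uid: comp07$
uidNumber: 1037
gidNumber: 515
sambaSID: S-1-5-21-3963901886-956592875-555457773-3074
sambaAcctFlags: [W  ]

# comp08$: constructed, POSIX-only machine account
dn: uid=comp08$,ou=Computers,dc=msdpl,dc=com
objectClass: top
objectClass: posixAccount
uid: comp08$
uidNumber: 1038
gidNumber: 515

# comp09$: constructed, RID does not follow the formula
dn: uid=comp09$,ou=Computers,dc=msdpl,dc=com
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
uid: comp09$
uidNumber: 1039
gidNumber: 515
sambaSID: S-1-5-21-3963901886-956592875-555457773-3074
"""

if __name__ == "__main__":
    for uid, problems in audit(SAMPLE_LDIF).items():
        print(uid, "OK" if not problems else "; ".join(problems))
```

A clean result for an account that Windows still rejects, as reported for comp07$ above, means the problem lies elsewhere than the directory entry.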



svn commit: samba r13541 - branches/SAMBA_3_0/source/auth trunk/source/auth

2006-02-17 Thread jerry
Author: jerry
Date: 2006-02-17 13:30:34 + (Fri, 17 Feb 2006)
New Revision: 13541

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13541

Log:
we have to wrap pen_enum_group_memberships() in become/unbecome_root()
blocks.  This fixes the problem I had with missing groups in the 
net_samlogon() reply from a Samba PDC.


Modified:
   branches/SAMBA_3_0/source/auth/auth_sam.c
   trunk/source/auth/auth_sam.c


Changeset:
Modified: branches/SAMBA_3_0/source/auth/auth_sam.c
===
--- branches/SAMBA_3_0/source/auth/auth_sam.c   2006-02-17 04:22:34 UTC (rev 
13540)
+++ branches/SAMBA_3_0/source/auth/auth_sam.c   2006-02-17 13:30:34 UTC (rev 
13541)
@@ -328,7 +328,11 @@
return nt_status;
}
 
-   if (!NT_STATUS_IS_OK(nt_status = make_server_info_sam(server_info, 
sampass))) { 
+   become_root();
+   nt_status = make_server_info_sam(server_info, sampass);
+   unbecome_root();
+
+   if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0,(check_sam_security: make_server_info_sam() failed 
with '%s'\n, nt_errstr(nt_status)));
pdb_free_sam(sampass);
data_blob_free(user_sess_key);
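Review bot: become_root() now covers the whole of make_server_info_sam(), while the log message says it is only the group membership enumeration that needs root. Wrapping just that call inside make_server_info_sam(), or at least adding a comment at this call site saying why root is required, would keep the privileged window as small as the fix needs.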

Modified: trunk/source/auth/auth_sam.c
===
--- trunk/source/auth/auth_sam.c2006-02-17 04:22:34 UTC (rev 13540)
+++ trunk/source/auth/auth_sam.c2006-02-17 13:30:34 UTC (rev 13541)
@@ -328,7 +328,11 @@
return nt_status;
}
 
-   if (!NT_STATUS_IS_OK(nt_status = make_server_info_sam(server_info, 
sampass))) { 
+   become_root();
+   nt_status = make_server_info_sam(server_info, sampass);
+   unbecome_root();
+
+   if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0,(check_sam_security: make_server_info_sam() failed 
with '%s'\n, nt_errstr(nt_status)));
pdb_free_sam(sampass);
data_blob_free(user_sess_key);



svn commit: samba r13542 - in branches/SAMBA_3_0/source/passdb: .

2006-02-17 Thread jra
Author: jra
Date: 2006-02-17 15:51:25 + (Fri, 17 Feb 2006)
New Revision: 13542

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13542

Log:
Don't reuse a pointer we just freed (Doh!).
Jeremy.

Modified:
   branches/SAMBA_3_0/source/passdb/secrets.c


Changeset:
Modified: branches/SAMBA_3_0/source/passdb/secrets.c
===
--- branches/SAMBA_3_0/source/passdb/secrets.c  2006-02-17 13:30:34 UTC (rev 
13541)
+++ branches/SAMBA_3_0/source/passdb/secrets.c  2006-02-17 15:51:25 UTC (rev 
13542)
@@ -1051,6 +1051,8 @@
pdc-domain);
 
if (ret == -1 || l1 != 8 || l2 != 8 || l3 != 8 || l4 != 16 || l5 != 16) 
{
+   /* Bad record - delete it. */
+   tdb_delete_bystring(tdb_sc, keystr);
talloc_free(keystr);
talloc_free(pdc);
SAFE_FREE(pseed_chal);
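Review bot: the return value of tdb_delete_bystring(tdb_sc, keystr) is ignored in the bad-record branch, so a record that fails the length checks but cannot be deleted is silently left in place and will hit this path again on the next lookup. A DEBUG line on failure would make that visible.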
@@ -1059,8 +1061,6 @@
SAFE_FREE(psess_key);
SAFE_FREE(pmach_pw);
SAFE_FREE(value.dptr);
-   /* Bad record - delete it. */
-   tdb_delete_bystring(tdb_sc, keystr);
return False;
}
 



svn commit: samba r13543 - in trunk/source/passdb: .

2006-02-17 Thread jra
Author: jra
Date: 2006-02-17 15:51:27 + (Fri, 17 Feb 2006)
New Revision: 13543

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13543

Log:
Don't reuse a pointer we just freed (Doh!).
Jeremy.

Modified:
   trunk/source/passdb/secrets.c


Changeset:
Modified: trunk/source/passdb/secrets.c
===
--- trunk/source/passdb/secrets.c   2006-02-17 15:51:25 UTC (rev 13542)
+++ trunk/source/passdb/secrets.c   2006-02-17 15:51:27 UTC (rev 13543)
@@ -1051,6 +1051,8 @@
pdc-domain);
 
if (ret == -1 || l1 != 8 || l2 != 8 || l3 != 8 || l4 != 16 || l5 != 16) 
{
+   /* Bad record - delete it. */
+   tdb_delete_bystring(tdb_sc, keystr);
talloc_free(keystr);
talloc_free(pdc);
SAFE_FREE(pseed_chal);
@@ -1059,8 +1061,6 @@
SAFE_FREE(psess_key);
SAFE_FREE(pmach_pw);
SAFE_FREE(value.dptr);
-   /* Bad record - delete it. */
-   tdb_delete_bystring(tdb_sc, keystr);
return False;
}
 



svn commit: samba r13544 - branches/SAMBA_3_0/source/rpc_server trunk/source/rpc_server

2006-02-17 Thread vlendec
Author: vlendec
Date: 2006-02-17 17:20:53 + (Fri, 17 Feb 2006)
New Revision: 13544

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13544

Log:
-O1 janitor work :-)
Modified:
   branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c
   trunk/source/rpc_server/srv_netlog_nt.c


Changeset:
Modified: branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c
===
--- branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c2006-02-17 
15:51:27 UTC (rev 13543)
+++ branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c2006-02-17 
17:20:53 UTC (rev 13544)
@@ -592,9 +592,8 @@
rpcstr_pull_unistr2_fstring(workstation, 
q_u-sam_id.client.login.uni_comp_name);
 
become_root();
-   secrets_restore_schannel_session_info(p-pipe_state_mem_ctx,
-   workstation,
-   p-dc);
+   ret = secrets_restore_schannel_session_info(
+   p-pipe_state_mem_ctx, workstation, p-dc);
unbecome_root();
if (!ret) {
return NT_STATUS_INVALID_HANDLE;
@@ -730,9 +729,9 @@
BOOL ret;
 
become_root();
-   
secrets_restore_schannel_session_info(p-pipe_state_mem_ctx,
-   nt_workstation,
-   p-dc);
+   ret = secrets_restore_schannel_session_info(
+   p-pipe_state_mem_ctx, nt_workstation,
+   p-dc);
unbecome_root();
if (!ret) {
return NT_STATUS_INVALID_HANDLE;
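Review bot: before this change ret, declared at the top of this hunk as a bare BOOL ret; with no initializer, was tested by if (!ret) without the result of secrets_restore_schannel_session_info() ever being stored in it. That makes this a fix to the schannel session check that decides NT_STATUS_INVALID_HANDLE, not only warning cleanup; it is worth saying so in the log and flagging for any release branch that still carries the old code.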

Modified: trunk/source/rpc_server/srv_netlog_nt.c
===
--- trunk/source/rpc_server/srv_netlog_nt.c 2006-02-17 15:51:27 UTC (rev 
13543)
+++ trunk/source/rpc_server/srv_netlog_nt.c 2006-02-17 17:20:53 UTC (rev 
13544)
@@ -592,9 +592,8 @@
rpcstr_pull_unistr2_fstring(workstation, 
q_u-sam_id.client.login.uni_comp_name);
 
become_root();
-   secrets_restore_schannel_session_info(p-pipe_state_mem_ctx,
-   workstation,
-   p-dc);
+   ret = secrets_restore_schannel_session_info(
+   p-pipe_state_mem_ctx, workstation, p-dc);
unbecome_root();
if (!ret) {
return NT_STATUS_INVALID_HANDLE;
@@ -730,9 +729,9 @@
BOOL ret;
 
become_root();
-   
secrets_restore_schannel_session_info(p-pipe_state_mem_ctx,
-   nt_workstation,
-   p-dc);
+   ret = secrets_restore_schannel_session_info(
+   p-pipe_state_mem_ctx, nt_workstation,
+   p-dc);
unbecome_root();
if (!ret) {
return NT_STATUS_INVALID_HANDLE;



svn commit: samba r13545 - branches/SAMBA_3_0/source/passdb trunk/source/passdb

2006-02-17 Thread jerry
Author: jerry
Date: 2006-02-17 19:07:58 + (Fri, 17 Feb 2006)
New Revision: 13545

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13545

Log:
A patch which I think its time has come.  Volker, we can talk about
this more but it gets around the primary group issue.

* don't map a SID to a name from the group mapping code if
  the map doesn't have a valid gid.  This is only an issue
  in a tdb setup
* Always allow S-1-$DOMAIN-513 to resolve (just like Windows)
* if we cannot resolve a user's primary GID to a SID, then set 
  it to S-1-$DOMAIN-513
* Ignore the primary group SID inside pdb_enum_group_memberships().
  Only look at the Unix group membership.

Jeremy, this fixes a fresh install startup for smbd as far as my tests
are concerned.



Modified:
   branches/SAMBA_3_0/source/passdb/passdb.c
   branches/SAMBA_3_0/source/passdb/pdb_get_set.c
   branches/SAMBA_3_0/source/passdb/pdb_interface.c
   trunk/source/passdb/passdb.c
   trunk/source/passdb/pdb_get_set.c
   trunk/source/passdb/pdb_interface.c


Changeset:
Sorry, the patch is too large (353 lines) to include; please use WebSVN to see 
it!
WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13545


svn commit: samba r13546 - in branches/SAMBA_3_0/source: .

2006-02-17 Thread jerry
Author: jerry
Date: 2006-02-17 19:19:25 + (Fri, 17 Feb 2006)
New Revision: 13546

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13546

Log:
NSS soname merge from trunk
Modified:
   branches/SAMBA_3_0/source/configure.in


Changeset:
Modified: branches/SAMBA_3_0/source/configure.in
===
--- branches/SAMBA_3_0/source/configure.in  2006-02-17 19:07:58 UTC (rev 
13545)
+++ branches/SAMBA_3_0/source/configure.in  2006-02-17 19:19:25 UTC (rev 
13546)
@@ -206,7 +206,7 @@
 AC_SUBST(SHELL)
 AC_SUBST(LDSHFLAGS)
 AC_SUBST(SONAMEFLAG)
-AC_SUBST(SONAMEVERSIONSUFFIX)
+AC_SUBST(NSSSONAMEVERSIONSUFFIX)
 AC_SUBST(SHLD)
 AC_SUBST(HOST_OS)
 AC_SUBST(PICFLAGS)
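Review bot: AC_SUBST(SONAMEVERSIONSUFFIX) is renamed to AC_SUBST(NSSSONAMEVERSIONSUFFIX), but configure.in is the only file in the Modified list, so any Makefile.in still using @SONAMEVERSIONSUFFIX@ would now be left with an unsubstituted token. Please confirm that the consumer of the old name was updated as part of the same merge.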
@@ -1422,7 +1422,7 @@
 HOST_OS=$host_os
 LDSHFLAGS=-shared
 SONAMEFLAG=#
-SONAMEVERSIONSUFFIX=
+NSSSONAMEVERSIONSUFFIX=
 SHLD=\${CC} \${CFLAGS}
 PICFLAGS=
 PICSUFFIX=po
@@ -1447,7 +1447,7 @@
DYNEXP=-Wl,--export-dynamic
PICFLAGS=-fPIC
SONAMEFLAG=-Wl,-soname=
-   SONAMEVERSIONSUFFIX=.2
+   NSSSONAMEVERSIONSUFFIX=.2
AC_DEFINE(STAT_ST_BLOCKSIZE,512)
;;
*solaris*) AC_DEFINE(SUNOS5,1,[Whether the host os is solaris])
@@ -1456,6 +1456,8 @@
SONAMEFLAG=-h 
if test ${GCC} = yes; then
PICFLAGS=-fPIC
+   SONAMEFLAG=-Wl,-soname=
+   NSSSONAMEVERSIONSUFFIX=.1
if test ${ac_cv_prog_gnu_ld} = yes; then
DYNEXP=-Wl,-E
fi
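
Review bot: In the *solaris* case the new SONAMEFLAG=-Wl,-soname= is assigned under the ${GCC} = yes test, ahead of the ${ac_cv_prog_gnu_ld} = yes test that follows, so it also applies when gcc drives a non-GNU linker. If that flag is GNU ld syntax, move the assignment inside the ac_cv_prog_gnu_ld block and leave SONAMEFLAG=-h for the other case. NSSSONAMEVERSIONSUFFIX=.1 is likewise set only for gcc, so a non-gcc Solaris build keeps the empty value assigned in the hunk at line 1422; a comment should say whether that is intended.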



svn commit: samba r13547 - branches/SAMBA_3_0/source/printing branches/SAMBA_3_0/source/rpc_server trunk/source/printing trunk/source/rpc_server

2006-02-17 Thread jerry
Author: jerry
Date: 2006-02-17 21:07:26 + (Fri, 17 Feb 2006)
New Revision: 13547

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13547

Log:
add earlier checks to deny deleting a printer driver.  The previous
code relied upon file permissions alone.  Now we check that
the user is a printer administrator and that the share has not been
marked read only for that user.



Modified:
   branches/SAMBA_3_0/source/printing/nt_printing.c
   branches/SAMBA_3_0/source/rpc_server/srv_spoolss_nt.c
   trunk/source/printing/nt_printing.c
   trunk/source/rpc_server/srv_spoolss_nt.c


Changeset:
Modified: branches/SAMBA_3_0/source/printing/nt_printing.c
===
--- branches/SAMBA_3_0/source/printing/nt_printing.c2006-02-17 19:19:25 UTC 
(rev 13546)
+++ branches/SAMBA_3_0/source/printing/nt_printing.c2006-02-17 21:07:26 UTC 
(rev 13547)
@@ -4783,6 +4783,11 @@
return False;
}
 
+   if ( !CAN_WRITE(conn) ) {
+   DEBUG(3,(delete_driver_files: Cannot delete print driver when 
[print$] is read-only\n));
+   return False;
+   }
+
 /* Save who we are - we are temporarily becoming the connection user. 
*/
 
if ( !become_user(conn, conn-vuid) ) {
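
Review bot: The new !CAN_WRITE(conn) branch returns the same bare False as the failure just above it, so the caller cannot tell a read-only [print$] from any other error and cannot map it to an access-denied status. Consider a distinct return value, and include the requesting user in the DEBUG message so the refusal can be attributed when it shows up in the log.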

Modified: branches/SAMBA_3_0/source/rpc_server/srv_spoolss_nt.c
===
--- branches/SAMBA_3_0/source/rpc_server/srv_spoolss_nt.c   2006-02-17 
19:19:25 UTC (rev 13546)
+++ branches/SAMBA_3_0/source/rpc_server/srv_spoolss_nt.c   2006-02-17 
21:07:26 UTC (rev 13547)
@@ -1973,9 +1973,21 @@
struct current_user user;
WERROR  status;
WERROR  status_win2k = WERR_ACCESS_DENIED;
+   SE_PRIV se_printop = SE_PRINT_OPERATOR; 

get_current_user(user, p);
 
+   /* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege,
+  and not a printer admin, then fail */
+   
+   if ( (user.ut.uid != 0) 
+!user_has_privileges(user.nt_user_token, se_printop ) 
+!token_contains_name_in_list( uidtoname(user.ut.uid), 
+   NULL, user.nt_user_token, lp_printer_admin(-1)) ) 
+   {
+   return WERR_ACCESS_DENIED;
+   }
+
unistr2_to_ascii(driver, q_u-driver, sizeof(driver)-1 );
unistr2_to_ascii(arch,   q_u-arch,   sizeof(arch)-1   );

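Review bot: The denial added after get_current_user() returns WERR_ACCESS_DENIED with no DEBUG line, unlike the read-only check added to nt_printing.c in the same commit. Log the refusal at a low debug level before returning so rejected delete attempts are visible. The check runs before driver and arch are converted, so either log only the uid here or move the test below the two unistr2_to_ascii() calls and log the driver name as well.
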
@@ -2059,9 +2071,21 @@
struct current_user user;
WERROR  status;
WERROR  status_win2k = WERR_ACCESS_DENIED;
+   SE_PRIV se_printop = SE_PRINT_OPERATOR; 

get_current_user(user, p);

+   /* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege,
+  and not a printer admin, then fail */
+   
+   if ( (user.ut.uid != 0) 
+!user_has_privileges(user.nt_user_token, se_printop ) 
+!token_contains_name_in_list( uidtoname(user.ut.uid), 
+   NULL, user.nt_user_token, lp_printer_admin(-1)) ) 
+   {
+   return WERR_ACCESS_DENIED;
+   }
+   
unistr2_to_ascii(driver, q_u-driver, sizeof(driver)-1 );
unistr2_to_ascii(arch,   q_u-arch,   sizeof(arch)-1   );
 
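Review bot: The privilege test in this hunk is a copy of the one added at line 1976 (root, SE_PRINT_OPERATOR, printer admin list). Put it in one static helper that both handlers call, so a later change to who may delete drivers cannot be applied to one path and missed on the other.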

Modified: trunk/source/printing/nt_printing.c
===
--- trunk/source/printing/nt_printing.c 2006-02-17 19:19:25 UTC (rev 13546)
+++ trunk/source/printing/nt_printing.c 2006-02-17 21:07:26 UTC (rev 13547)
@@ -4783,6 +4783,11 @@
return False;
}
 
+   if ( !CAN_WRITE(conn) ) {
+   DEBUG(3,(delete_driver_files: Cannot delete print driver when 
[print$] is read-only\n));
+   return False;
+   }
+
 /* Save who we are - we are temporarily becoming the connection user. 
*/
 
if ( !become_user(conn, conn-vuid) ) {

Modified: trunk/source/rpc_server/srv_spoolss_nt.c
===
--- trunk/source/rpc_server/srv_spoolss_nt.c2006-02-17 19:19:25 UTC (rev 
13546)
+++ trunk/source/rpc_server/srv_spoolss_nt.c2006-02-17 21:07:26 UTC (rev 
13547)
@@ -1973,9 +1973,21 @@
struct current_user user;
WERROR  status;
WERROR  status_win2k = WERR_ACCESS_DENIED;
+   SE_PRIV se_printop = SE_PRINT_OPERATOR; 

get_current_user(user, p);
 
+   /* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege,
+  and not a printer admin, then fail */
+   
+   if ( (user.ut.uid != 0) 
+!user_has_privileges(user.nt_user_token, 

svn commit: samba r13548 - in branches/SAMBA_3_0/source: passdb rpc_server

2006-02-17 Thread jra
Author: jra
Date: 2006-02-17 21:32:31 + (Fri, 17 Feb 2006)
New Revision: 13548

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13548

Log:
Always use the get_remote_machine_name() as the key
for the creds store. This should fix the problems
Jerry reported (but I have still to run tests :-).
Jeremy.

Modified:
   branches/SAMBA_3_0/source/passdb/secrets.c
   branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c


Changeset:
Modified: branches/SAMBA_3_0/source/passdb/secrets.c
===
--- branches/SAMBA_3_0/source/passdb/secrets.c  2006-02-17 21:07:26 UTC (rev 
13547)
+++ branches/SAMBA_3_0/source/passdb/secrets.c  2006-02-17 21:32:31 UTC (rev 
13548)
@@ -930,13 +930,15 @@
  Note we must be root here.
 
***/
 
-BOOL secrets_store_schannel_session_info(TALLOC_CTX *mem_ctx, const struct 
dcinfo *pdc)
+BOOL secrets_store_schannel_session_info(TALLOC_CTX *mem_ctx,
+   const char *remote_machine,
+   const struct dcinfo *pdc)
 {
TDB_CONTEXT *tdb_sc = NULL;
TDB_DATA value;
BOOL ret;
char *keystr = talloc_asprintf(mem_ctx, %s/%s, SECRETS_SCHANNEL_STATE,
-   pdc-remote_machine);
+   remote_machine);
if (!keystr) {
return False;
}
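
Review bot: The new remote_machine argument goes straight into the %s/%s key with no check for NULL or an empty string. An empty name would make every such client share the single record keyed SECRETS_SCHANNEL_STATE/, so return False early in that case. The restore function has to build its key from the same value, which is worth stating in the comment block above the function.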

Modified: branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c
===
--- branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c2006-02-17 
21:07:26 UTC (rev 13547)
+++ branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c2006-02-17 
21:32:31 UTC (rev 13548)
@@ -281,10 +281,6 @@
q_u-uni_logon_clnt.buffer,
sizeof(fstring),q_u-uni_logon_clnt.uni_str_len*2,0);
 
-   /* Remember the workstation name. This is what we'll use to look
-  up the secrets.tdb record later. */
-   fstrcpy(p-wks, p-dc-remote_machine);
-
/* Save the client challenge to the server. */
memcpy(p-dc-clnt_chal.data, q_u-clnt_chal.data, 
sizeof(q_u-clnt_chal.data));
 
@@ -448,7 +444,9 @@
 
/* Store off the state so we can continue after client disconnect. */
become_root();
-   secrets_store_schannel_session_info(p-mem_ctx, p-dc);
+   secrets_store_schannel_session_info(p-mem_ctx,
+   get_remote_machine_name(),
+   p-dc);
unbecome_root();
 
return r_u-status;
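
Review bot: The store call here now keys the record on get_remote_machine_name(), so every call to secrets_restore_schannel_session_info() must pass that same value or the lookup will miss. This commit touches only secrets.c and srv_netlog_nt.c; check any restore caller outside those two files before merging. The log message says tests have not been run yet, and a store-then-restore test across a client reconnect belongs with this change.
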
@@ -480,7 +478,7 @@
/* Restore the saved state of the netlogon creds. */
become_root();
ret = 
secrets_restore_schannel_session_info(p-pipe_state_mem_ctx,
-   workstation,
+   
get_remote_machine_name(),
p-dc);
unbecome_root();
if (!ret) {
@@ -505,7 +503,9 @@
 
/* We must store the creds state after an update. */
become_root();
-   secrets_store_schannel_session_info(p-pipe_state_mem_ctx, p-dc);
+   secrets_store_schannel_session_info(p-pipe_state_mem_ctx,
+   get_remote_machine_name(),
+   p-dc);
pdb_init_sam(sampass);
ret=pdb_getsampwnam(sampass, p-dc-mach_acct);
unbecome_root();
@@ -579,8 +579,6 @@
 
 NTSTATUS _net_sam_logoff(pipes_struct *p, NET_Q_SAM_LOGOFF *q_u, 
NET_R_SAM_LOGOFF *r_u)
 {
-   fstring workstation;
-
if (!get_valid_user_struct(p-vuid))
return NT_STATUS_NO_SUCH_USER;
 
@@ -588,12 +586,10 @@
/* Restore the saved state of the netlogon creds. */
BOOL ret;
 
-   *workstation = '\0';
-   rpcstr_pull_unistr2_fstring(workstation, 
q_u-sam_id.client.login.uni_comp_name);
-
become_root();
-   ret = secrets_restore_schannel_session_info(
-   p-pipe_state_mem_ctx, workstation, p-dc);
+   ret = 
secrets_restore_schannel_session_info(p-pipe_state_mem_ctx,
+   get_remote_machine_name(),
+   p-dc);
unbecome_root();
if (!ret) {
return NT_STATUS_INVALID_HANDLE;
@@ -616,7 +612,9 @@
 
/* We must store the creds state after an update. */
become_root();
-   secrets_store_schannel_session_info(p-pipe_state_mem_ctx, p-dc);
+   secrets_store_schannel_session_info(p-pipe_state_mem_ctx,
+   get_remote_machine_name(),
+   p-dc);
   

svn commit: samba r13549 - in trunk/source: passdb rpc_server

2006-02-17 Thread jra
Author: jra
Date: 2006-02-17 21:32:34 + (Fri, 17 Feb 2006)
New Revision: 13549

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13549

Log:
Always use the get_remote_machine_name() as the key
for the creds store. This should fix the problems
Jerry reported (but I have still to run tests :-).
Jeremy.

Modified:
   trunk/source/passdb/secrets.c
   trunk/source/rpc_server/srv_netlog_nt.c


Changeset:
Modified: trunk/source/passdb/secrets.c
===
--- trunk/source/passdb/secrets.c   2006-02-17 21:32:31 UTC (rev 13548)
+++ trunk/source/passdb/secrets.c   2006-02-17 21:32:34 UTC (rev 13549)
@@ -930,13 +930,15 @@
  Note we must be root here.
 
***/
 
-BOOL secrets_store_schannel_session_info(TALLOC_CTX *mem_ctx, const struct 
dcinfo *pdc)
+BOOL secrets_store_schannel_session_info(TALLOC_CTX *mem_ctx,
+   const char *remote_machine,
+   const struct dcinfo *pdc)
 {
TDB_CONTEXT *tdb_sc = NULL;
TDB_DATA value;
BOOL ret;
char *keystr = talloc_asprintf(mem_ctx, %s/%s, SECRETS_SCHANNEL_STATE,
-   pdc-remote_machine);
+   remote_machine);
if (!keystr) {
return False;
}

Modified: trunk/source/rpc_server/srv_netlog_nt.c
===
--- trunk/source/rpc_server/srv_netlog_nt.c 2006-02-17 21:32:31 UTC (rev 
13548)
+++ trunk/source/rpc_server/srv_netlog_nt.c 2006-02-17 21:32:34 UTC (rev 
13549)
@@ -281,10 +281,6 @@
q_u-uni_logon_clnt.buffer,
sizeof(fstring),q_u-uni_logon_clnt.uni_str_len*2,0);
 
-   /* Remember the workstation name. This is what we'll use to look
-  up the secrets.tdb record later. */
-   fstrcpy(p-wks, p-dc-remote_machine);
-
/* Save the client challenge to the server. */
memcpy(p-dc-clnt_chal.data, q_u-clnt_chal.data, 
sizeof(q_u-clnt_chal.data));
 
@@ -448,7 +444,9 @@
 
/* Store off the state so we can continue after client disconnect. */
become_root();
-   secrets_store_schannel_session_info(p-mem_ctx, p-dc);
+   secrets_store_schannel_session_info(p-mem_ctx,
+   get_remote_machine_name(),
+   p-dc);
unbecome_root();
 
return r_u-status;
@@ -480,7 +478,7 @@
/* Restore the saved state of the netlogon creds. */
become_root();
ret = 
secrets_restore_schannel_session_info(p-pipe_state_mem_ctx,
-   workstation,
+   
get_remote_machine_name(),
p-dc);
unbecome_root();
if (!ret) {
@@ -505,7 +503,9 @@
 
/* We must store the creds state after an update. */
become_root();
-   secrets_store_schannel_session_info(p-pipe_state_mem_ctx, p-dc);
+   secrets_store_schannel_session_info(p-pipe_state_mem_ctx,
+   get_remote_machine_name(),
+   p-dc);
pdb_init_sam(sampass);
ret=pdb_getsampwnam(sampass, p-dc-mach_acct);
unbecome_root();
@@ -579,8 +579,6 @@
 
 NTSTATUS _net_sam_logoff(pipes_struct *p, NET_Q_SAM_LOGOFF *q_u, 
NET_R_SAM_LOGOFF *r_u)
 {
-   fstring workstation;
-
if (!get_valid_user_struct(p-vuid))
return NT_STATUS_NO_SUCH_USER;
 
@@ -588,12 +586,10 @@
/* Restore the saved state of the netlogon creds. */
BOOL ret;
 
-   *workstation = '\0';
-   rpcstr_pull_unistr2_fstring(workstation, 
q_u-sam_id.client.login.uni_comp_name);
-
become_root();
-   ret = secrets_restore_schannel_session_info(
-   p-pipe_state_mem_ctx, workstation, p-dc);
+   ret = 
secrets_restore_schannel_session_info(p-pipe_state_mem_ctx,
+   get_remote_machine_name(),
+   p-dc);
unbecome_root();
if (!ret) {
return NT_STATUS_INVALID_HANDLE;
@@ -616,7 +612,9 @@
 
/* We must store the creds state after an update. */
become_root();
-   secrets_store_schannel_session_info(p-pipe_state_mem_ctx, p-dc);
+   secrets_store_schannel_session_info(p-pipe_state_mem_ctx,
+   get_remote_machine_name(),
+   p-dc);
unbecome_root();
 
r_u-status = NT_STATUS_OK;
@@ -694,44 +692,15 @@
if 

svn commit: samba r13550 - branches/SAMBA_3_0/source branches/SAMBA_3_0/source/passdb trunk/source trunk/source/passdb

2006-02-17 Thread jerry
Author: jerry
Date: 2006-02-17 23:16:13 + (Fri, 17 Feb 2006)
New Revision: 13550

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13550

Log:
remove pdb_guest
Removed:
   branches/SAMBA_3_0/source/passdb/pdb_guest.c
   trunk/source/passdb/pdb_guest.c
Modified:
   branches/SAMBA_3_0/source/configure.in
   trunk/source/configure.in


Changeset:
Sorry, the patch is too large (371 lines) to include; please use WebSVN to see 
it!
WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13550


svn commit: samba r13551 - in branches/SAMBA_4_0/source/torture/rpc: .

2006-02-17 Thread abartlet
Author: abartlet
Date: 2006-02-17 23:51:43 + (Fri, 17 Feb 2006)
New Revision: 13551

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13551

Log:
Add an accessor function for the user sid.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/torture/rpc/testjoin.c


Changeset:
Modified: branches/SAMBA_4_0/source/torture/rpc/testjoin.c
===
--- branches/SAMBA_4_0/source/torture/rpc/testjoin.c2006-02-17 23:16:13 UTC 
(rev 13550)
+++ branches/SAMBA_4_0/source/torture/rpc/testjoin.c2006-02-17 23:51:43 UTC 
(rev 13551)
@@ -494,7 +494,12 @@
return join-dom_sid;
 }
 
+const struct dom_sid *torture_join_user_sid(struct test_join *join)
+{
+   return join-user_sid;
+}
 
+
 struct test_join_ads_dc {
struct test_join *join;
 };
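
Review bot: torture_join_user_sid() dereferences join without a NULL check and carries no comment on lifetime: the returned pointer belongs to the test_join structure and must not be freed or used after the join is torn down. Add a one-line comment saying so, and drop the extra blank line the hunk adds after the function so the spacing matches the accessor above it.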



svn commit: samba r13552 - in branches/SAMBA_3_0/source/rpc_server: .

2006-02-17 Thread jra
Author: jra
Date: 2006-02-17 23:57:28 + (Fri, 17 Feb 2006)
New Revision: 13552

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13552

Log:
Make sure we're using the same name to load the stored
creds under all circumstances. This may be wrong, but
at least we're now consistent.
Jeremy.

Modified:
   branches/SAMBA_3_0/source/rpc_server/srv_pipe.c


Changeset:
Modified: branches/SAMBA_3_0/source/rpc_server/srv_pipe.c
===
--- branches/SAMBA_3_0/source/rpc_server/srv_pipe.c 2006-02-17 23:51:43 UTC 
(rev 13551)
+++ branches/SAMBA_3_0/source/rpc_server/srv_pipe.c 2006-02-17 23:57:28 UTC 
(rev 13552)
@@ -1293,7 +1293,7 @@
}
 
become_root();
-   ret = secrets_restore_schannel_session_info(p-mem_ctx, neg.myname, 
pdcinfo);
+   ret = secrets_restore_schannel_session_info(p-mem_ctx, 
get_remote_machine_name(), pdcinfo);
unbecome_root();
 
if (!ret) {
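
Review bot: The lookup key at line 1296 changes from neg.myname to get_remote_machine_name(), and the log message itself says this may be wrong. Add a comment at the call stating which name the store side uses and why, and on the !ret path log both names so a mismatch between them shows up in the logs instead of as a bare failure.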



Build status as of Sat Feb 18 00:00:02 2006

2006-02-17 Thread build
URL: http://build.samba.org/

--- /home/build/master/cache/broken_results.txt.old 2006-02-17 
00:00:03.0 +
+++ /home/build/master/cache/broken_results.txt 2006-02-18 00:00:09.0 
+
@@ -1,17 +1,17 @@
-Build status as of Fri Feb 17 00:00:02 2006
+Build status as of Sat Feb 18 00:00:02 2006
 
 Build counts:
 Tree Total  Broken Panic 
 ccache   7  2  0 
-distcc   8  2  0 
+distcc   9  2  0 
 lorikeet-heimdal 15 14 0 
-ppp  16 0  0 
+ppp  15 0  0 
 rsync32 3  0 
 samba2  0  0 
 samba-docs   0  0  0 
-samba4   34 22 2 
-samba_3_033 10 0 
-smb-build24 4  0 
-talloc   11 7  0 
-tdb  6  1  0 
+samba4   33 22 2 
+samba_3_032 10 0 
+smb-build23 4  0 
+talloc   10 7  0 
+tdb  5  1  0 
 


svn commit: samba r13553 - in branches/SAMBA_3_0/source: include libsmb rpc_server utils

2006-02-17 Thread jra
Author: jra
Date: 2006-02-18 00:27:31 + (Sat, 18 Feb 2006)
New Revision: 13553

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13553

Log:
Fix all our warnings at -O6 on an x86_64 box.
Jeremy.

Modified:
   branches/SAMBA_3_0/source/include/hmacmd5.h
   branches/SAMBA_3_0/source/include/ntdomain.h
   branches/SAMBA_3_0/source/include/rpc_misc.h
   branches/SAMBA_3_0/source/libsmb/credentials.c
   branches/SAMBA_3_0/source/libsmb/smbencrypt.c
   branches/SAMBA_3_0/source/rpc_server/srv_lsa_nt.c
   branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c
   branches/SAMBA_3_0/source/utils/passwd_util.c


Changeset:
Modified: branches/SAMBA_3_0/source/include/hmacmd5.h
===
--- branches/SAMBA_3_0/source/include/hmacmd5.h 2006-02-17 23:57:28 UTC (rev 
13552)
+++ branches/SAMBA_3_0/source/include/hmacmd5.h 2006-02-18 00:27:31 UTC (rev 
13553)
@@ -21,12 +21,10 @@
 
 #ifndef _HMAC_MD5_H
 
-typedef struct 
-{
-struct MD5Context ctx;
-uchar k_ipad[65];
-uchar k_opad[65];
-
+typedef struct {
+   struct MD5Context ctx;
+   unsigned char k_ipad[65];
+   unsigned char k_opad[65];
 } HMACMD5Context;
 
 #endif /* _HMAC_MD5_H */

Modified: branches/SAMBA_3_0/source/include/ntdomain.h
===
--- branches/SAMBA_3_0/source/include/ntdomain.h2006-02-17 23:57:28 UTC 
(rev 13552)
+++ branches/SAMBA_3_0/source/include/ntdomain.h2006-02-18 00:27:31 UTC 
(rev 13553)
@@ -140,8 +140,8 @@
DOM_CHAL clnt_chal; /* Client credential */
DOM_CHAL srv_chal;  /* Server credential */
  
-   uchar  sess_key[16]; /* Session key - 8 bytes followed by 8 zero bytes 
*/
-   uchar  mach_pw[16];   /* md4(machine password) */
+   unsigned char  sess_key[16]; /* Session key - 8 bytes followed by 8 
zero bytes */
+   unsigned char  mach_pw[16];   /* md4(machine password) */
 
fstring mach_acct;  /* Machine name we've authenticated. */
 
@@ -187,7 +187,7 @@
 
 /* auth state for schannel. */
 struct schannel_auth_struct {
-   uchar sess_key[16];
+   unsigned char sess_key[16];
uint32 seq_num;
 };
 

Modified: branches/SAMBA_3_0/source/include/rpc_misc.h
===
--- branches/SAMBA_3_0/source/include/rpc_misc.h2006-02-17 23:57:28 UTC 
(rev 13552)
+++ branches/SAMBA_3_0/source/include/rpc_misc.h2006-02-18 00:27:31 UTC 
(rev 13553)
@@ -324,7 +324,7 @@
 
 /* DOM_CHAL - challenge info */
 typedef struct chal_info {
-   uchar data[8]; /* credentials */
+   unsigned char data[8]; /* credentials */
 } DOM_CHAL;
  
 /* DOM_CREDs - timestamped client or server credentials */

Modified: branches/SAMBA_3_0/source/libsmb/credentials.c
===
--- branches/SAMBA_3_0/source/libsmb/credentials.c  2006-02-17 23:57:28 UTC 
(rev 13552)
+++ branches/SAMBA_3_0/source/libsmb/credentials.c  2006-02-18 00:27:31 UTC 
(rev 13553)
@@ -43,7 +43,7 @@
 static void creds_init_128(struct dcinfo *dc,
const DOM_CHAL *clnt_chal_in,
const DOM_CHAL *srv_chal_in,
-   const char mach_pw[16])
+   const unsigned char mach_pw[16])
 {
unsigned char zero[4], tmp[16];
HMACMD5Context ctx;
@@ -95,7 +95,7 @@
 static void creds_init_64(struct dcinfo *dc,
const DOM_CHAL *clnt_chal_in,
const DOM_CHAL *srv_chal_in,
-   const char mach_pw[16])
+   const unsigned char mach_pw[16])
 {
uint32 sum[2];
unsigned char sum2[8];
@@ -176,13 +176,13 @@
struct dcinfo *dc,
DOM_CHAL *clnt_chal,
DOM_CHAL *srv_chal,
-   const char mach_pw[16],
+   const unsigned char mach_pw[16],
DOM_CHAL *init_chal_out)
 {
DEBUG(10,(creds_server_init: neg_flags : %x\n, (unsigned 
int)neg_flags));
DEBUG(10,(creds_server_init: client chal : %s\n, 
credstr(clnt_chal-data) ));
DEBUG(10,(creds_server_init: server chal : %s\n, 
credstr(srv_chal-data) ));
-   dump_data_pw(creds_server_init: machine pass, (const unsigned char 
*)mach_pw, 16);
+   dump_data_pw(creds_server_init: machine pass, mach_pw, 16);
 
/* Generate the session key and the next client and server creds. */
if (neg_flags  NETLOGON_NEG_128BIT) {

Modified: branches/SAMBA_3_0/source/libsmb/smbencrypt.c
===
--- branches/SAMBA_3_0/source/libsmb/smbencrypt.c   2006-02-17 23:57:28 UTC 
(rev 13552)
+++ branches/SAMBA_3_0/source/libsmb/smbencrypt.c   2006-02-18 00:27:31 UTC 
(rev 13553)

svn commit: samba r13555 - in trunk/source/rpc_server: .

2006-02-17 Thread jra
Author: jra
Date: 2006-02-18 00:39:24 + (Sat, 18 Feb 2006)
New Revision: 13555

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13555

Log:
Ensure that any potential creds operations are protected
by schannel if server schannel = true was set.
Jeremy.

Modified:
   trunk/source/rpc_server/srv_netlog_nt.c


Changeset:
Modified: trunk/source/rpc_server/srv_netlog_nt.c
===
--- trunk/source/rpc_server/srv_netlog_nt.c 2006-02-18 00:28:05 UTC (rev 
13554)
+++ trunk/source/rpc_server/srv_netlog_nt.c 2006-02-18 00:39:24 UTC (rev 
13555)
@@ -474,6 +474,15 @@
rpcstr_pull(workstation,q_u-clnt_id.login.uni_comp_name.buffer,

sizeof(workstation),q_u-clnt_id.login.uni_comp_name.uni_str_len*2,0);
 
+   if ( (lp_server_schannel() == True)  (p-auth.auth_type != 
PIPE_AUTH_TYPE_SCHANNEL) ) {
+   /* 'server schannel = yes' should enforce use of
+  schannel, the client did offer it in auth2, but
+  obviously did not use it. */
+   DEBUG(0,(_net_srv_pwset: client %s not using schannel for 
netlogon\n,
+   get_remote_machine_name() ));
+   return NT_STATUS_ACCESS_DENIED;
+   }
+
if (!p-dc) {
/* Restore the saved state of the netlogon creds. */
become_root();
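
Review bot: The schannel test added before the p->dc check is pasted again into _net_sam_logoff and _net_sam_logon_internal in this commit, with only the function name in the DEBUG string changed. Move it into one helper that takes the caller name, so a netlogon call added later gets the enforcement by calling it and cannot drift from the others. The refusal logs get_remote_machine_name() although workstation was pulled from the request just above; logging both helps when they differ.
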
@@ -579,6 +588,16 @@
 
 NTSTATUS _net_sam_logoff(pipes_struct *p, NET_Q_SAM_LOGOFF *q_u, 
NET_R_SAM_LOGOFF *r_u)
 {
+   if ( (lp_server_schannel() == True)  (p-auth.auth_type != 
PIPE_AUTH_TYPE_SCHANNEL) ) {
+   /* 'server schannel = yes' should enforce use of
+  schannel, the client did offer it in auth2, but
+  obviously did not use it. */
+   DEBUG(0,(_net_sam_logoff: client %s not using schannel for 
netlogon\n,
+   get_remote_machine_name() ));
+   return NT_STATUS_ACCESS_DENIED;
+   }
+
+
if (!get_valid_user_struct(p-vuid))
return NT_STATUS_NO_SUCH_USER;
 
@@ -671,10 +690,20 @@
auth_serversupplied_info *server_info = NULL;
SAM_ACCOUNT *sampw;
struct auth_context *auth_context = NULL;
-   
+
+   if ( (lp_server_schannel() == True)  (p-auth.auth_type != 
PIPE_AUTH_TYPE_SCHANNEL) ) {
+   /* 'server schannel = yes' should enforce use of
+  schannel, the client did offer it in auth2, but
+  obviously did not use it. */
+   DEBUG(0,(_net_sam_logon_internal: client %s not using schannel 
for netlogon\n,
+   get_remote_machine_name() ));
+   return NT_STATUS_ACCESS_DENIED;
+   }
+
usr_info = TALLOC_P(p-mem_ctx, NET_USER_INFO_3);
-   if (!usr_info)
+   if (!usr_info) {
return NT_STATUS_NO_MEMORY;
+   }
 
ZERO_STRUCTP(usr_info);
 
@@ -710,18 +739,7 @@
if (!p-dc || !p-dc-authenticated) {
return NT_STATUS_INVALID_HANDLE;
}
-   }
 
-   if ( (lp_server_schannel() == True)  (p-auth.auth_type != 
PIPE_AUTH_TYPE_SCHANNEL) ) {
-   /* 'server schannel = yes' should enforce use of
-  schannel, the client did offer it in auth2, but
-  obviously did not use it. */
-   DEBUG(0,(_net_sam_logon: client %s not using schannel for 
netlogon\n,
-   get_remote_machine_name() ));
-   return NT_STATUS_ACCESS_DENIED;
-   }
-
-   if (process_creds) {
/* checks and updates credentials.  creates reply credentials */
if (!creds_server_step(p-dc, q_u-sam_id.client.cred,  
r_u-srv_creds)) {
DEBUG(2,(_net_sam_logon: creds_server_step failed. 
Rejecting auth 
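
Review bot: Removing the closing brace and the second "if (process_creds) {" merges the two blocks, and with the schannel test moved to the top of the function it now runs before the p->dc checks and regardless of process_creds. That matches the log message, but it is a behaviour change for any caller that passes process_creds as false, so say so in the function comment. The DEBUG strings left in this block still read _net_sam_logon while the moved one reads _net_sam_logon_internal; make them consistent.
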
@@ -738,7 +756,6 @@
unbecome_root();
}
 
-
switch (q_u-sam_id.logon_level) {
case INTERACTIVE_LOGON_TYPE:
uni_samlogon_user = ctr-auth.id1.uni_user_name;



svn commit: samba r13556 - in branches/SAMBA_3_0/source/rpc_server: .

2006-02-17 Thread jra
Author: jra
Date: 2006-02-18 00:39:31 + (Sat, 18 Feb 2006)
New Revision: 13556

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13556

Log:
Ensure that any potential creds operations are protected
by schannel if server schannel = true was set.
Jeremy.

Modified:
   branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c


Changeset:
Modified: branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c
===
--- branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c2006-02-18 
00:39:24 UTC (rev 13555)
+++ branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c2006-02-18 
00:39:31 UTC (rev 13556)
@@ -474,6 +474,15 @@
rpcstr_pull(workstation,q_u-clnt_id.login.uni_comp_name.buffer,

sizeof(workstation),q_u-clnt_id.login.uni_comp_name.uni_str_len*2,0);
 
+   if ( (lp_server_schannel() == True)  (p-auth.auth_type != 
PIPE_AUTH_TYPE_SCHANNEL) ) {
+   /* 'server schannel = yes' should enforce use of
+  schannel, the client did offer it in auth2, but
+  obviously did not use it. */
+   DEBUG(0,(_net_srv_pwset: client %s not using schannel for 
netlogon\n,
+   get_remote_machine_name() ));
+   return NT_STATUS_ACCESS_DENIED;
+   }
+
if (!p-dc) {
/* Restore the saved state of the netlogon creds. */
become_root();
@@ -579,6 +588,16 @@
 
 NTSTATUS _net_sam_logoff(pipes_struct *p, NET_Q_SAM_LOGOFF *q_u, 
NET_R_SAM_LOGOFF *r_u)
 {
+   if ( (lp_server_schannel() == True)  (p-auth.auth_type != 
PIPE_AUTH_TYPE_SCHANNEL) ) {
+   /* 'server schannel = yes' should enforce use of
+  schannel, the client did offer it in auth2, but
+  obviously did not use it. */
+   DEBUG(0,(_net_sam_logoff: client %s not using schannel for 
netlogon\n,
+   get_remote_machine_name() ));
+   return NT_STATUS_ACCESS_DENIED;
+   }
+
+
if (!get_valid_user_struct(p-vuid))
return NT_STATUS_NO_SUCH_USER;
 
@@ -671,10 +690,20 @@
auth_serversupplied_info *server_info = NULL;
SAM_ACCOUNT *sampw;
struct auth_context *auth_context = NULL;
-   
+
+   if ( (lp_server_schannel() == True)  (p-auth.auth_type != 
PIPE_AUTH_TYPE_SCHANNEL) ) {
+   /* 'server schannel = yes' should enforce use of
+  schannel, the client did offer it in auth2, but
+  obviously did not use it. */
+   DEBUG(0,(_net_sam_logon_internal: client %s not using schannel 
for netlogon\n,
+   get_remote_machine_name() ));
+   return NT_STATUS_ACCESS_DENIED;
+   }
+
usr_info = TALLOC_P(p-mem_ctx, NET_USER_INFO_3);
-   if (!usr_info)
+   if (!usr_info) {
return NT_STATUS_NO_MEMORY;
+   }
 
ZERO_STRUCTP(usr_info);
 
@@ -710,18 +739,7 @@
if (!p-dc || !p-dc-authenticated) {
return NT_STATUS_INVALID_HANDLE;
}
-   }
 
-   if ( (lp_server_schannel() == True)  (p-auth.auth_type != 
PIPE_AUTH_TYPE_SCHANNEL) ) {
-   /* 'server schannel = yes' should enforce use of
-  schannel, the client did offer it in auth2, but
-  obviously did not use it. */
-   DEBUG(0,(_net_sam_logon: client %s not using schannel for 
netlogon\n,
-   get_remote_machine_name() ));
-   return NT_STATUS_ACCESS_DENIED;
-   }
-
-   if (process_creds) {
/* checks and updates credentials.  creates reply credentials */
if (!creds_server_step(p-dc, q_u-sam_id.client.cred,  
r_u-srv_creds)) {
DEBUG(2,(_net_sam_logon: creds_server_step failed. 
Rejecting auth 
@@ -738,7 +756,6 @@
unbecome_root();
}
 
-
switch (q_u-sam_id.logon_level) {
case INTERACTIVE_LOGON_TYPE:
uni_samlogon_user = ctr-auth.id1.uni_user_name;



svn commit: samba r13558 - in trunk/source/rpc_server: .

2006-02-17 Thread jra
Author: jra
Date: 2006-02-18 01:21:27 + (Sat, 18 Feb 2006)
New Revision: 13558

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13558

Log:
(Hopefully) get the creds store/restore key right from
the correct part of the netlogon and schannel packets.
Jeremy.

Modified:
   trunk/source/rpc_server/srv_netlog_nt.c
   trunk/source/rpc_server/srv_pipe.c


Changeset:
Modified: trunk/source/rpc_server/srv_netlog_nt.c
===
--- trunk/source/rpc_server/srv_netlog_nt.c 2006-02-18 01:21:18 UTC (rev 
13557)
+++ trunk/source/rpc_server/srv_netlog_nt.c 2006-02-18 01:21:27 UTC (rev 
13558)
@@ -385,6 +385,8 @@
 
rpcstr_pull(mach_acct, 
q_u-clnt_id.uni_acct_name.buffer,sizeof(fstring),
q_u-clnt_id.uni_acct_name.uni_str_len*2,0);
+
+   /* We use this as the key to store the creds. */
rpcstr_pull(remote_machine, 
q_u-clnt_id.uni_comp_name.buffer,sizeof(fstring),
q_u-clnt_id.uni_comp_name.uni_str_len*2,0);
 
@@ -445,7 +447,7 @@
/* Store off the state so we can continue after client disconnect. */
become_root();
secrets_store_schannel_session_info(p-mem_ctx,
-   get_remote_machine_name(),
+   remote_machine,
p-dc);
unbecome_root();
 
@@ -459,7 +461,7 @@
 NTSTATUS _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET 
*r_u)
 {
NTSTATUS status = NT_STATUS_ACCESS_DENIED;
-   fstring workstation;
+   fstring remote_machine;
SAM_ACCOUNT *sampass=NULL;
BOOL ret = False;
unsigned char pwd[16];
@@ -470,16 +472,16 @@
 
DEBUG(5,(_net_srv_pwset: %d\n, __LINE__));
 
-   /* We need the workstation name for the creds lookup. */
-   rpcstr_pull(workstation,q_u-clnt_id.login.uni_comp_name.buffer,
-   
sizeof(workstation),q_u-clnt_id.login.uni_comp_name.uni_str_len*2,0);
+   /* We need the remote machine name for the creds lookup. */
+   rpcstr_pull(remote_machine,q_u-clnt_id.login.uni_comp_name.buffer,
+   
sizeof(remote_machine),q_u-clnt_id.login.uni_comp_name.uni_str_len*2,0);
 
if ( (lp_server_schannel() == True)  (p-auth.auth_type != 
PIPE_AUTH_TYPE_SCHANNEL) ) {
/* 'server schannel = yes' should enforce use of
   schannel, the client did offer it in auth2, but
   obviously did not use it. */
DEBUG(0,(_net_srv_pwset: client %s not using schannel for 
netlogon\n,
-   get_remote_machine_name() ));
+   remote_machine ));
return NT_STATUS_ACCESS_DENIED;
}
 
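Review bot: remote_machine is now filled from uni_comp_name in the client's request, and it is then used as the secrets lookup key and printed at DEBUG level 0 before the credential chain has been stepped. rpcstr_pull bounds the length with sizeof(remote_machine), but nothing in the hunk rejects an empty name or a character such as "/" that would change the shape of the %s/%s key built in secrets.c. Validate the name once after the pull and fail the call if it is not a plausible machine name.
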
@@ -487,7 +489,7 @@
/* Restore the saved state of the netlogon creds. */
become_root();
ret = 
secrets_restore_schannel_session_info(p-pipe_state_mem_ctx,
-   
get_remote_machine_name(),
+   remote_machine,
p-dc);
unbecome_root();
if (!ret) {
@@ -499,21 +501,21 @@
return NT_STATUS_INVALID_HANDLE;
}
 
-   DEBUG(3,(_net_srv_pwset: Server Password Set by Wksta:[%s] on account 
[%s]\n,
-   workstation, p-dc-mach_acct));
+   DEBUG(3,(_net_srv_pwset: Server Password Set by remote machine:[%s] on 
account [%s]\n,
+   remote_machine, p-dc-mach_acct));

/* Step the creds chain forward. */
if (!creds_server_step(p-dc, q_u-clnt_id.cred, cred_out)) {
DEBUG(2,(_net_srv_pwset: creds_server_step failed. Rejecting 
auth 
request from client %s machine account %s\n,
-   p-dc-remote_machine, p-dc-mach_acct ));
+   remote_machine, p-dc-mach_acct ));
return NT_STATUS_INVALID_PARAMETER;
}
 
/* We must store the creds state after an update. */
become_root();
secrets_store_schannel_session_info(p-pipe_state_mem_ctx,
-   get_remote_machine_name(),
+   remote_machine,
p-dc);
pdb_init_sam(sampass);
ret=pdb_getsampwnam(sampass, p-dc-mach_acct);
@@ -588,6 +590,8 @@
 
 NTSTATUS _net_sam_logoff(pipes_struct *p, NET_Q_SAM_LOGOFF *q_u, 
NET_R_SAM_LOGOFF *r_u)
 {
+   fstring remote_machine;
+
if ( (lp_server_schannel() == True)  (p-auth.auth_type != 
PIPE_AUTH_TYPE_SCHANNEL) ) {
/* 'server schannel = yes' should enforce use of
   schannel, the client did offer it in auth2, but
@@ -601,13 +605,17 @@
if 

svn commit: samba r13559 - in branches/SAMBA_3_0/source/smbd: .

2006-02-17 Thread jra
Author: jra
Date: 2006-02-18 02:02:11 + (Sat, 18 Feb 2006)
New Revision: 13559

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13559

Log:
Fix bug #3522 reported by Sandeep Tamhankar [EMAIL PROTECTED].
mkdir foo returns the wrong error message when file foo exists.
Jeremy.

Modified:
   branches/SAMBA_3_0/source/smbd/open.c


Changeset:
Modified: branches/SAMBA_3_0/source/smbd/open.c
===
--- branches/SAMBA_3_0/source/smbd/open.c   2006-02-18 01:21:27 UTC (rev 
13558)
+++ branches/SAMBA_3_0/source/smbd/open.c   2006-02-18 02:02:11 UTC (rev 
13559)
@@ -1802,12 +1802,6 @@
return NULL;
}
 
-   if (dir_existed  !S_ISDIR(psbuf-st_mode)) {
-   DEBUG(0,(open_directory: %s is not a directory !\n, fname ));
-   set_saved_ntstatus(NT_STATUS_NOT_A_DIRECTORY);
-   return NULL;
-   }
-
switch( create_disposition ) {
case FILE_OPEN:
/* If directory exists open. If directory doesn't
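
Review bot: Deleting the dir_existed / !S_ISDIR test outright addresses the mkdir error for an existing file, but it also removes the only guard visible here that stopped a plain file from reaching the switch on create_disposition. Each case then has to handle that state itself: FILE_OPEN on a non-directory should still fail with NT_STATUS_NOT_A_DIRECTORY, and the create case should report a name collision. If the cases already do this, a comment at the top of the switch saying so would make the removal safe to read, and a torture test for open and create on an existing file would pin both errors.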



svn commit: samba r13560 - in trunk/source/smbd: .

2006-02-17 Thread jra
Author: jra
Date: 2006-02-18 02:02:34 + (Sat, 18 Feb 2006)
New Revision: 13560

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13560

Log:
Fix bug #3522 reported by Sandeep Tamhankar [EMAIL PROTECTED].
mkdir foo returns the wrong error message when file foo exists.
Jeremy.

Modified:
   trunk/source/smbd/open.c


Changeset:
Modified: trunk/source/smbd/open.c
===
--- trunk/source/smbd/open.c2006-02-18 02:02:11 UTC (rev 13559)
+++ trunk/source/smbd/open.c2006-02-18 02:02:34 UTC (rev 13560)
@@ -1802,12 +1802,6 @@
return NULL;
}
 
-   if (dir_existed  !S_ISDIR(psbuf-st_mode)) {
-   DEBUG(0,(open_directory: %s is not a directory !\n, fname ));
-   set_saved_ntstatus(NT_STATUS_NOT_A_DIRECTORY);
-   return NULL;
-   }
-
switch( create_disposition ) {
case FILE_OPEN:
/* If directory exists open. If directory doesn't