Re: [Samba] Must restart Samba regularly because saving files stops working
On 2006/7/19, Volker Lendecke [EMAIL PROTECTED] wrote:

On Wed, Jul 19, 2006 at 06:42:30PM +0200, Roel Slegers wrote:

When you say tuning tcp parameters could you point me in the right direction please? Are you talking about tuning the HP-UX kernel, or

This would be the kernel first. smb.conf does not do anything here. But I don't know enough about HP/UX to know how to tune it. You need to give the TCP/IP more space, but to know what exactly needs tuning I can't tell from here.

Volker

Thanks Volker,

We'll see what we can find in our kernel parameters.

Roel

PS: Sorry but I forgot to send a copy of my previous message to the samba list, so I include that now:

On Wed, Jul 19..., Roel Slegers wrote:

Hi, and thanks.

That No buffer space available message is something we've always had on our test servers, also on servers with plenty of RAM running only samba with maybe 1 or 2 pc's connected. And this with the various samba versions (2.x - 3.x) we've experimented with in the past. So IMHO I do not think this is RAM related. But to make sure we should maybe resolve this before looking any further.

When you say tuning tcp parameters could you point me in the right direction please? Are you talking about tuning the HP-UX kernel, or about tuning smb.conf? Do you know of some documentation that can help do this?

BTW googling seems to show that this No buffer space available especially occurs a lot on HP-UX 11 servers; is that possible?

PS: sorry for the upper case...

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] samba as pdc in Ubuntu dapper, fails on ps$ join?
Hola,

I've done everything as correct as I can see in smb.conf under fresh ubuntu 6.06 fully updated install to have it run as a PDC on hostname florentine, domain DAVEYST. There are no testparm errors.

I've added users with useradd and smbpasswd -a
I've added machines with useradd and smbpasswd -a -m

I can see the server in my network neighbourhood and access/browse folders on the samba server using a linux account login within the network neighbourhood.

However, when I try to go to My computer properties --- computer name --- Change.., and then put in my domain name and computer name and when prompted use root account and password (or any account and password) I get an Access Denied error.

I've attached a log level = 10 tar.gz of the /var/log/samba/smbd.log of everything that happens when I do this process on the workstation (hostname = robin, ie robin$) - it's quite long, but it also seems to be successful - see below for abridged listing.

I've been on the ubuntu forums where they suggested I should install quota - but I don't think that installing quota would solve my problems.

Has anyone seen anything like this before, or know why despite my smb-log having the like of:

[2006/07/15 15:57:41, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: Checking password for unmapped user [EMAIL PROTECTED] with the new password interface
[2006/07/15 15:57:41, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password: mapped user is: [EMAIL PROTECTED]
[2006/07/15 15:57:41, 3] passdb/lookup_sid.c:fetch_sid_from_gid_cache(267)
  fetch sid from gid cache 0 - S-1-5-21-3923429160-1838912494-2447857936-512
[2006/07/15 15:57:41, 3] auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: sam authentication for user [root] succeeded
...
...
[2006/07/15 15:57:41, 2] auth/auth.c:check_ntlm_password(307)
  check_ntlm_password: authentication for user [root] - [root] - [root] succeeded
[2006/07/15 15:59:43, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: Checking password for unmapped user [EMAIL PROTECTED] with the new password interface
[2006/07/15 15:59:43, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password: mapped user is: [EMAIL PROTECTED]
[2006/07/15 15:59:43, 3] smbd/service.c:make_connection_snum(488)
  Connect path is '/tmp' for service [IPC$]
[2006/07/15 15:59:43, 3] lib/util_seaccess.c:se_access_check(250)
[2006/07/15 15:59:43, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-5-21-3923429160-1838912494-2447857936-501
  se_access_check: also S-1-5-21-3923429160-1838912494-2447857936-514
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-32-546
[2006/07/15 15:59:43, 3] smbd/process.c:timeout_processing(1447)
  timeout_processing: End of file from client (client has disconnected).
[2006/07/15 15:59:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/07/15 15:59:43, 2] smbd/server.c:exit_server(614)
  Closing connections
[2006/07/15 15:59:43, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2006/07/15 15:59:43, 3] smbd/server.c:exit_server(655)
  Server exit (normal exit)

any ideas?

smb.conf follows:

#=== Global Settings ===
[global]
workgroup = DAVEYST
netbios name = florentine
server string = %h server (Samba, Ubuntu)
wins support = yes
dns proxy = no
name resolve order = wins bcast hosts
security = user
encrypt passwords = true
username map = /etc/samba/smbusers
unix password sync = yes
; passdb backend = tdbsam
obey pam restrictions = yes
; guest account = nobody
invalid users = root
log file = /var/log/samba/smdb.log
log level = 3
max log size = 1
time server = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
veto oplock files = \*.prm\*.mdb\*.mda
pam password change = yes
domain logons = yes
# domain admin group = root @admin administrator
preferred master = yes
local master = yes
os level = 65
# Useradd scripts
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false/ -d /var/lib/nobody %u
logon path = \\%N\%U\profile
logon drive = H:
logon home = \\%N\%U
logon script = startnet.bat
socket options = TCP_NODELAY SO_RCVBUF=8191 SO_SNDBUF=8192
domain master = yes
idmap uid = 1-2
idmap gid = 1-2
template shell = /bin/bash

#=== Share Definitions ===
[homes]
comment = Home Directories
Re: [Samba] ArcView + Samba: Performance nightmare under Linux, ok under Solaris or HP-UX
On Wed, Jul 19, 2006 at 04:00:00PM +0200, Andreas Haumer wrote:

Any comments?

No, except a big thanks for this analysis. It is always nice to see that this completely paranoid hunt for the 100% compatibility that can be very exhausting sometimes does pay off.

Volker
Re: [Samba] samba as pdc in Ubuntu dapper, fails on ps$ join?
ok, this time with attachment, sorry :) L.
[Samba] Re: samba Digest, Vol 43, Issue 26
Hello: I'm away on holidays right now! If this is an Urgent ticket please submit a repair ticket here http://ts.sd57.bc.ca I will be checking my mail still every few days Or Page #613-4732 Thanks Benny.nerd
Re: [Samba] Excluding directories from a read-only = yes
i think it's hard in smb.conf without using ACLs provided by the filesystem. can you use veto files, or must your users be able to see those thousands of folders, too?

greez

Ed Curtis wrote:

I have a share with thousands of folders. In each of those folders there is another directory named 'files'. I want to be able to lock down these thousands of folders but allow r/w access to the 'files' folders inside of them. Is there any way to do this in smb.conf?

Thanks, Ed
Re: [Samba] Cifs Mount w/ACL
this tool could be a possible workaround http://de.samba.org/samba/docs/man/manpages-3/smbcacls.1.html

greez

Max Kipness wrote:

Hello - I've tried doing some research of previous posts and can't seem to figure out how this may be done. Basically I would like to mount a Windows XP share (using cifs.mount) on a Fedora 4 server, and by doing a stat on any file in that mounted share, be able to see the windows acl permissions/owner. Is this possible? And if so, how?

Thanks, Max
[Samba] Samba 3.0.22 freez share
Hello

I have a problem with my samba server...

My configuration:

system: CentOS release 4.2 (Final)
kernel: 2.6.9-22.0.1.ELsmp
samba: 3.0.22 (compiled by myself)
server: HP DL380 G3 2xIntel(R) Xeon(TM) CPU 3.40GHz
ram: 4GB

This server is working in a cluster with another one. They have access to storage (SAN fibre channel). File system is GFS.

Problem with samba - sometimes some shares don't respond to clients. It looks like a freeze. Sometimes it's with the whole share, sometimes a selected directory. In that situation the client (windows 2000, XP) must ALT+CTRL+DEL to kill the explorer process and connect again. Users read/write to the share typical documents *.doc, *.xls, *.pdf. I have no idea when that problem occurs.

Could you suggest a solution? Sorry for my english.

Regards Marek
[Samba] pdbedia and password policy
Hello,

I need to be able to change this:

Password must change: Sat, 20 Dec 02:15:51 GMT

Apparently the pdbedit utility should be able to change it but I'm not sure of the syntax to use.

Thanks

Regards, Komal
[Samba] Home directories
Hi,

I have a small requirement. I have a samba setup on my server with the following configuration in [homes] share:

[homes]
comment = Home Directories
browseable = no
writable = yes
path = /home/%u
valid users = %u root
force user = %u

I have added samba and linux users and done all the configuration and shares are visible in windows. When a user logs on the machine only his home directory should be visible. Since i have multiple users who use the windows machines, if i logout say from some machine and if i login once again on the same machine with different user the previous user's home directory is still visible with current user's home directory. I need to resolve it. how could i change my [homes] configuration to do this.

Thanks in advance

Regards Madhavan
[Samba] Wins problems
I am experiencing annoying problems. Minimum 2 times per hour samba is stopping serving as WINS server. BOSS is my PDC:

boss nmblookup BOSS
no results found
bossnet lookup dc
(nothing)

also other computers using BOSS as wins server cannot find it and also a domain controller. after stopping and starting samba it works for some time.

my smb.conf tdi.kill-9.pl/smb.conf

-- Regards, Dariusz Dwornikowski Network Administrator Cognifide Poland
[Samba] setdriver fails with WERR_ACCESS_DENIED
Hi,

I'm using samba 3.0.22 on a Linux/Debian machine. I'm trying to get printer drivers on the server automatically picked by the XP clients on the server.

$ rpcclient localhost -U flavien -c 'enumdrivers'
Password:
[Windows NT x86]
Printer Driver Info 1:
Driver Name: [hp1]

The user flavien has PrintOperator privileges :

$ net rpc rights list flavien -U flavien
Password:
SePrintOperatorPrivilege
SeDiskOperatorPrivilege

I try to set the driver to the printer :

$ rpcclient localhost -U flavien -c 'setdriver hp1 hp1'
Password:
result was WERR_ACCESS_DENIED

Something that looks suspicious to me :

$ rpcclient localhost -U flavien -c 'getdriverdir Windows NT x86'
Password:
Directory Name:[\\LOCALHOST\print$\W32X86]

Shouldn't it be the netbios name of the server instead of LOCALHOST ?

FWIW, the /etc/samba/drivers dir is writeable by flavien

I'm pretty stuck here now. Any help appreciated.

Flavien.
[Samba] Cannot add ACL entry in Windows.
Hello,

Just upgraded from Samba 3.0.22 to 3.0.23, running on a SlackWare Linux Box with a 2.4.31 kernel. All Unix users and samba users are stored in ldap. Using setfacl renders correct user/groups in the windows acl editor, and works perfectly.

However, when I try to add a user/group in the Security tab for a share/folder I get the following message

The program cannot open the required dialog box because it cannot determine whether the computer named fileserv is joined to a domain. Close this message and try again.

Followed by

The system cannot find text for message 0x%1 in the message file for %2.

The error occurs with all users, tested on windows xp SP2 and windows 2k3 SP1. The problem occurred in samba 3.0.23, was not present in samba 3.0.22. The improved group handling in samba 3.0.23 makes me reluctant to downgrade though.

Anyone got any ideas what to test/do?

Regards, Linus
[Samba] 3.0.23 for Debian Sarge: LDAP problems
Hi,

I always prefer the Samba packages for Debian-Stable from the Samba-Team and I never had a problem so far (thank you, Simo!). Yesterday I updated from 3.0.22 to 3.0.23 in my LDAP-based network. I updated samba.schema, added index sambaSID eq,sub to my slapd.conf and ran slapindex.

When I started slapd and samba afterwards, I saw error messages like these (from smbd.log):

[2006/07/20 00:14:36, 0] lib/smbldap.c:smb_ldap_setup_conn(638)
  ldap_initialize: Time limit exceeded
[2006/07/20 00:14:36, 1] lib/smbldap.c:another_ldap_try(1150)
  Connection to LDAP server failed for the 1 try!
[2006/07/20 00:14:37, 0] lib/smbldap.c:smb_ldap_setup_conn(638)
  ldap_initialize: Time limit exceeded
[2006/07/20 00:14:37, 1] lib/smbldap.c:another_ldap_try(1150)
  Connection to LDAP server failed for the 2 try!
...
... [message repeated several times]
...
[2006/07/20 00:14:50, 1] lib/smbldap.c:another_ldap_try(1150)
  Connection to LDAP server failed for the 15 try!
[2006/07/20 00:14:51, 0] lib/smbldap.c:smb_ldap_setup_conn(638)
  ldap_initialize: Time limit exceeded
[2006/07/20 00:14:51, 0] smbd/server.c:main(960)
  ERROR: failed to setup guest info.

So Samba/smbd does not work anymore. The same errors occur when I run the net command:

athena:~# net groupmap list
[2006/07/20 14:14:48, 0] lib/smbldap.c:smb_ldap_setup_conn(638)
  ldap_initialize: Time limit exceeded
[2006/07/20 14:14:49, 0] lib/smbldap.c:smb_ldap_setup_conn(638)
  ldap_initialize: Time limit exceeded
...
... [message repeated several times]
...
[2006/07/20 14:15:18, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(3039)
  ldapsam_setsamgrent: LDAP search failed: Time limit exceeded
[2006/07/20 14:15:18, 0] passdb/pdb_ldap.c:ldapsam_enum_group_mapping(3111)
  ldapsam_enum_group_mapping: Unable to open passdb

Switching back to the previous slapd.conf and samba.schema doesn't work, disabling TLS did not help either. The slapd can be connected with any other non-Samba tool (ldapsearch, phpldapadmin).

Does anybody have an idea what the problem might be?

thank you, Uwe
Re: [Samba] Cannot add ACL entry in Windows.
Linus Lund wrote:

Hello, Just upgraded from Samba 3.0.22 to 3.0.23, running on a SlackWare Linux Box with a 2.4.31 kernel. All Unix users and samba users are stored in ldap. Using setfacl renders correct user/groups in the windows acl editor, and works perfectly. However, when I try to add a user/group in the Security tab for a share/folder I get the following message The program cannot open the required dialog box because it cannot determine whether the computer named fileserv is joined to a domain. Close this message and try again.

Already fixed in the upcoming 3.0.23a code which should be out tomorrow. One more bug to fix.

cheers, jerry

Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
What man is a man who does not make the world better? --Balian
[Samba] Re: Samba 3.0.23 winbind use default domain = yes behaviour
Hi Dietrich,

I tried the patch and at first it looked like it worked OK, but it breaks the support of BUILTIN groups. With stripping the domain, I lost also the support of the BUILTIN groups. When tested on a machine with an unpatched 3.0.23 BUILTIN groups works.

Dietrich Streifert [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

Hi John,

this is already filed as a bug: https://bugzilla.samba.org/show_bug.cgi?id=3920 and Jerry is working on it. I've attached an unofficial, not supported patch against release 3.0.23 of nsswitch/winbindd_group.c which reverted the change and worked for me.

John wrote:

Hello list,

I encountered a problem in Samba 3.0.23 regarding the winbind use default domain = yes behaviour. It only works for the users and NOT anymore for the Group. So this makes getent group show NETBIOSDOMAINNAME/group, which causes my squid configuration to fail. My squid configuration allowed access based on the AD groups, which are provided by Winbindd.

Tested distribution: SuSE 9.0, CentOS 4.3
Samba build: Sernet 3.0.23

Is this a bug or is this by design? Does anybody know a way to get getent group to honour the winbind use default domain = yes option?

Regards, John
The Netherlands.

-- With kind regards, Dietrich Streifert, Visionet GmbH

--- samba-3.0.23.orig/source/nsswitch/winbindd_group.c Fri Jun 23 15:16:50 2006 +++ samba-3.0.23/source/nsswitch/winbindd_group.c Thu Jul 13 10:34:06 2006 @@ -42,7 +42,7 @@ { fstring full_group_name; - fill_domain_username( full_group_name, dom_name, gr_name, False); + fill_domain_username( full_group_name, dom_name, gr_name, True); gr-gr_gid = unix_gid; @@ -146,7 +146,7 @@ /* Append domain name */ - fill_domain_username(name, domain-name, the_name, False); + fill_domain_username(name, domain-name, the_name, True); len = strlen(name); 
@@ -752,7 +752,7 @@ /* Fill in group entry */ fill_domain_username(domain_group_name, ent-domain_name, - name_list[ent-sam_entry_index].acct_name, False); + name_list[ent-sam_entry_index].acct_name, True); result = fill_grent(group_list[group_list_ndx], ent-domain_name, @@ -929,7 +929,7 @@ groups.sam_entries)[i].acct_name; fstring name; - fill_domain_username(name, domain-name, group_name, False); + fill_domain_username(name, domain-name, group_name, True); /* Append to extra data */ memcpy(extra_data[extra_data_len], name, strlen(name));
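Review bot: The last argument of fill_domain_username() is flipped from False to True unconditionally at all four call sites (the hunks at @@ -42, @@ -146, @@ -752 and @@ -929), with no check on the domain name being passed in, so every group name built in winbindd_group.c takes the same path regardless of which domain it belongs to. The replies in this thread report that BUILTIN groups stop working with the patch applied, which is consistent with that. Consider deciding the flag per domain in one place rather than hard-coding True at each call, and add a comment at the calls saying what the boolean selects, since a bare True or False does not show the intent to someone reading the call site.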
Re: [Samba] Cannot add ACL entry in Windows.
Same problem here. I think it's a bug in the new version.

--- Linus Lund [EMAIL PROTECTED] wrote:

Hello,

Just upgraded from Samba 3.0.22 to 3.0.23, running on a SlackWare Linux Box with a 2.4.31 kernel. All Unix users and samba users are stored in ldap. Using setfacl renders correct user/groups in the windows acl editor, and works perfectly.

However, when I try to add a user/group in the Security tab for a share/folder I get the following message

The program cannot open the required dialog box because it cannot determine whether the computer named fileserv is joined to a domain. Close this message and try again.

Followed by

The system cannot find text for message 0x%1 in the message file for %2.

The error occurs with all users, tested on windows xp SP2 and windows 2k3 SP1. The problem occurred in samba 3.0.23, was not present in samba 3.0.22. The improved group handling in samba 3.0.23 makes me reluctant to downgrade though.

Anyone got any ideas what to test/do?

Regards, Linus
Re: [Samba] Re: Samba 3.0.23 winbind use default domain = yes behaviour
John wrote:

I tried the patch and at first it looked like it worked OK, but it breaks the support of BUILTIN groups. With stripping the domain, I lost also the support of the BUILTIN groups. When tested on a machine with an unpatched 3.0.23 BUILTIN groups works.

That was what I was afraid of since getting BUILTIN to work correctly was the reason for the original change. I'm going to try to have this resolved today. When I do, I'll post a patch to bug # 3920.

cheers, jerry

Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
What man is a man who does not make the world better? --Balian
[Samba] user login ldap problems, misunderstandings
hi,

i have managed to set up samba and ldap to work together. i have got machines joined to the server, used IDEALX to create default entries. i can log into the machines with root and nobody accounts but nobody else's. i have added on about 80 users to ldap but none of them can login. they all appear to have posix and samba attributes in the ldap directory.

i am getting a bit confused also by this smbpasswd. do i need to run it for each user in ldap? i kinda figured i did not but got a little confused when reading others' posts on the web.

also where can i look to find why the logins failed? i have the samba log level set to 3 which i believe is the highest but nothing shows up to show that an attempt was made.

any help with log files to check, levels to change or anything that can help me figure out where i am going wrong, as samba and ldap seem to work and communicate fine. any help appreciated thxs. i have managed to come so far not knowing ldap or samba to this point.
[Samba] Can't connect with force user set (3.0.23)
Hi,

after an update to samba 3.0.23 i can't connect to shares if i set the option force user. Samba is used on a Freebsd 5.5p1 Server, the Domain Controller is a Windows 2003 Server.

The [Global] part and a [Share] part follows:

# Global parameters
[global]
workgroup = IPRO.LEO
netbios name = UNIXSERVER
server string = IPRO Samba %v
interfaces = bge0
bind interfaces only = Yes
security = DOMAIN
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
log level = 2
log file = /var/log/samba.log
time server = Yes
os level = 30
lm interval = 120
preferred master = No
local master = No
domain master = No
wins support = Yes
ldap ssl = no
preload = homes,usr
socket address = 172.16.0.1
idmap uid = 17000-22000
idmap gid = 17000-22000
winbind use default domain = Yes
hosts allow = 172.16., 127.0.0.1
hosts deny = 0.0.0.0/0
hide dot files = No
veto oplock files = /*log*/

[plone]
force user = zope
writeable = yes
valid users = jok,kerkow,goetz
write list = jok,kerkow,goetz
path = /usr/local/www/Zope/z29test/
force group = zope

I tried to patch the auth_util.c to rev. 17022 as I have seen some posts regarding this, but it didn't work (can't connect at all, core dump)

Ciao, Jochen

-- Jochen Knuth, WebMaster, http://www.ipro.de
IPRO GmbH, Steinbeisstr. 6, 71229 Leonberg
Phone ++49-7152-93330, Fax ++49-7152-933340, EMail: [EMAIL PROTECTED]
[Samba] password required when connecting from xp but not linux
Hi,

I have samba version 3.0.22 installed on solaris 8. I have added users with smbpasswd -a. When mounting from an XP machine passwords are required, yet when mounting from fedora5 it prompts for a password but mounts irrespective of what is entered. Any ideas?

TIA Rich

# more /usr/local/samba_new/lib/smb.conf
# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2006/06/22 15:34:54

[global]
workgroup = HOME
server string = Unix Server
unix password sync = Yes
log level = 2
log file = /var/log/samba/samba.log.%m
max log size = 50
wins support = Yes
invalid users = bin, web, daemon, adm, sync, shutdown, halt, mail, news, uucp, operator, nuucp, lp, listen, nobody, noaccess
create mask = 0777
directory mask = 0777
hosts allow = 192.168.1., localhost

[homes]
comment = Home Directories
path = /userdata/home/%u
read only = No
guest ok = Yes
browseable = No

[point1]
comment = point1
path = /point1
valid users = user1,user2,user3
read only = No

[point2]
comment = point2
path = /point2
valid users = user1,user2,user3
read only = No

cut
Re: [Samba] setdriver fails with WERR_ACCESS_DENIED
Flavien,

I had a similar problem about a month ago. Just like you, I could execute rpcclient enumdrivers, but rpcclient setdriver resulted in the WERR_ACCESS_DENIED. In my case, I am using winbind to the fullest so that our Windows sysadmin can control access to folders within shares based on Active Directory security group memberships. That means that when I mount a share, I'm not identified as simply rtanner but rather as CATNET\rtanner, CATNET being the name of the domain.

I resolved the WERR_ACCESS_DENIED issue in rpcclient by specifying CATNET\rtanner as a printer admin and authenticating as the user CATNET\rtanner rather than simply rtanner in rpcclient. The only oddity was that the global setting in printers was not enough. I had to explicitly declare CATNET\rtanner as a printer admin in each printer definition in smb.cfg. And after that, everything was hunky dory.

Hope that helps.

-- Rob

Flavien said the following on 07/20/2006 04:50 AM:

Hi,

I'm using samba 3.0.22 on a Linux/Debian machine. I'm trying to get printer drivers on the server automatically picked by the XP clients on the server.

$ rpcclient localhost -U flavien -c 'enumdrivers'
Password:
[Windows NT x86]
Printer Driver Info 1:
Driver Name: [hp1]

The user flavien has PrintOperator privileges :

$ net rpc rights list flavien -U flavien
Password:
SePrintOperatorPrivilege
SeDiskOperatorPrivilege

I try to set the driver to the printer :

$ rpcclient localhost -U flavien -c 'setdriver hp1 hp1'
Password:
result was WERR_ACCESS_DENIED

Something that looks suspicious to me :

$ rpcclient localhost -U flavien -c 'getdriverdir Windows NT x86'
Password:
Directory Name:[\\LOCALHOST\print$\W32X86]

Shouldn't it be the netbios name of the server instead of LOCALHOST ?

FWIW, the /etc/samba/drivers dir is writeable by flavien

I'm pretty stuck here now. Any help appreciated.

Flavien.

-- Rob Tanner, UNIX Services Manager, Linfield College, McMinnville OR
Re: [Samba] Home directories
Madhu Kumar: I have a small requirement, I have a samba setup on my server with the following configuration in [homes] share : [...] Since I have multiple users who use the windows machines, if I logout say from some machine and if I login once again on the same machine with different user the previous user's home directory is still visible with current user's home directory. I need to resolve it. How could I change my [homes] configuration to do this.

I dealt with the same problem long ago. On one Samba site I have 800+ users who use 30 PCs, and the remaining previous users' home directories very soon show up as dozens of visible directories, causing a full mess. This is not a problem with Samba, it's up to the Windows Networking. I solved that by avoiding the built-in [homes] section and using a generic [personal] share, with this main option:

    [Personal]
        path = %H
        ...

This ensures that each user's home directory is always named Personal (not by user's name), points to each user's right home path, and leaves no multiple homes remaining (because it is only one share name). Try that, and say if this satisfies you. HTH, Ivan Gustin
Re: [Samba] No mapping between account names and security IDs was done
Ivan Gustin: I get an error message No mapping between account names and security IDs was done on fresh clean Windows XP SP2 PC when I try to join it to Samba PDC. For information to all who need solution to this problem: I solved it. :-) I found the LJ article on http://www.linuxjournal.com/article/6604, with solution in this paragraph: The following error occurred attempting to join the domain MYDOMAIN: No mapping between account names and security IDs was done. This obscure error reportedly has been fixed by using lower-case names for the workstation name in /etc/passwd and smbpasswd and on the Windows XP client. So, correcting character case in workstation names allows joining to Samba PDC. HTH, Ivan Gustin
[Samba] Q: winbindd, unqualfied users, name conflicts (a.k.a Death to 'winbind use default domain'!)
Volker, Assume I have a member server named LINUX joined to a domain named AD. Now assume I have a local user named foo in my passdb and a user named foo in the domain as well. I'm modifying winbindd_util.c:parse_domain_user() to do a lookup_name() to try to figure out which domain to prepend to the username rather than just assuming it's a domain user. But this means that we'll always choose the local user (due to the order of an isolated search in lookup_name()). The main problem is the use default domain abomination will confuse local and domain users of the same name and possibly return incorrect group membership. I am about a 1/2 inch from marking the smb.conf option as deprecated and adding a similar option to pam_winbind.conf. This option just cannot work reliably. Do you have any suggestions? cheers, jerry

Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
What man is a man who does not make the world better? --Balian
[Samba] programmatical retrieval of windows event logs from linux
Am a Linux guy and trying to support security monitoring for Windows devices. Am trying to find a programmatic way of pulling security and application logs from Windows machine. OR it can be a push model where windows can generate events/traps. It should all be built-in in windows with no external tool installation. Looks like there is no NATIVE built in asynchronous event reporting from windows (2000/2003/xp)? It can be in terms of SNMP Traps as well. Given this, one can use Samba apis (rpcclient) to periodically pull the event logs from windows. Is there any better way to accomplish the same programmatically using Push or Pull model to get the security and application logs on windows from Linux ? -Dave
Re: [Samba] programmatical retrieval of windows event logs from linux
I was only looking at Native windows support with no Hassles of any external agent installation: Am a Linux guy and trying to support security monitoring for Windows devices. Am trying to find a programmatic way of pulling security and application logs from Windows machine. OR it can be a push model where windows can generate events/traps. It should all be built-in in windows with no external tool installation. Looks like there is no NATIVE built in asynchronous event reporting from windows (2000/2003/xp)? It can be in terms of SNMP Traps as well. Given this, one can use Samba apis (rpcclient) to periodically pull the event logs from windows. Is there any better way to accomplish the same programmatically using Push or Pull model to get the security and application logs on windows from Linux ?

Jeff Saxton [EMAIL PROTECTED] wrote: http://www.intersectalliance.com/projects/SnareWindows/

-- Jeff Saxton SenSage, Inc.
[Samba] Re: Q: winbindd, unqualfied users, name conflicts (a.k.a Death to 'winbind use default domain'!)
On Thu, 2006-07-20 at 11:35 -0500, Gerald (Jerry) Carter wrote: Volker, Assume I have a member server named LINUX joined to a domain named AD. Now assume I have a local user named foo in my passdb and a user named foo in the domain as well. I'm modifying winbindd_util.c:parse_domain_user() to do a lookup_name() to try to figure out which domain to prepend to the username rather than just assuming it's a domain user. But this means that we'll always choose the local user (due to the order of an isolated search in lookup_name()). The main problem is the use default domain abomination will confuse local and domain users of the same name and possibly return incorrect group membership. I am about a 1/2 inch from marking the smb.conf option as deprecated and adding a similar option to pam_winbind.conf. This option just cannot work reliably. Do you have any suggestions?

I would just document that local users will always take precedence. Winbind use default domain is too valuable to be removed imho. Simo. -- Simo Sorce Samba Team GPL Compliance Officer email: [EMAIL PROTECTED] http://samba.org
[Samba] View disk size
Greetings, This is my first visit to this list. We run Samba to talk to our HP-UX 11.i machine. I'm wondering if there is a configuration feature in Samba that will allow me to see the full properties of my Unix drives from the PC side. We use Windows XP. Currently when I do a properties on the Unix drive I can see the amount of data stored there but it does not report the remaining free space. This causes some of my PC applications to generate an error if it thinks the output file being created is greater than the free space it sees. In all cases the process has completed because there was enough free space, however I would like the error messages to disappear. Thanks, Conrad
[Samba] Re: Q: winbindd, unqualfied users, name conflicts (a.k.a Death to 'winbind use default domain'!)
Simo, I am about a 1/2 inch from marking the smb.conf option as deprecated and adding a similar option to pam_winbind.conf. This option just cannot work reliably. Do you have any suggestions? I would just document that local users will always take precedence. Winbind use default domain is too valuable to be removed imho.

First, assigning the wrong groups to a user is a security issue. Second, I said pull 'winbind use default domain' from the server code and put it in the client code. The fact is that this parameter is fundamentally broken. It cannot actually work correctly. At some point (probably for 3.0.24) we will have to break it and move it to the client. There is no way around it. cheers, jerry
[Samba] Re: Q: winbindd, unqualfied users, name conflicts (a.k.a Death to 'winbind use default domain'!)
On Thu, 2006-07-20 at 12:37 -0500, Gerald (Jerry) Carter wrote: First assigning the wrong groups to a user is a security issue. Second, I said pull 'winbind use default domain' from the server code and put it in the client code. ok so you do the translation in pam_winbindd and nss_winbindd instead of winbindd, sounds reasonable, sorry for the misunderstanding. The fact is that this parameter is fundamentally broken. It cannot actually work correctly. At some point (probably for 3.0.24) we will have to break it and move it to the client. There is no way around it. I was just worried you said you wanted to remove it, I have no objection on just moving it in the client libraries. Simo. -- Simo Sorce Samba Team GPL Compliance Officer email: [EMAIL PROTECTED] http://samba.org
Re: [Samba] Problem with 3.0.23 upgrade from 3.0.22 with rfc2307 patch
Don Meyer wrote: Yes, I'm pretty sure Jerry Carter does. ([EMAIL PROTECTED]) He's posted that he expects a patch for this to be included in the 3.0.23a release -- due sometime real soon now... ;-) This was the last major bug to be fixed in 3.0.23a. I've attached a patch to bug 3920. Note that this will break 'winbind nested groups' for local users. Local group membership for domain users still works, but a local user will not get the nested group gids included in his or her token. See my comments in the bug report for more details. Also please note that unqualified domain user or group names have not been supported in smb.conf since Samba 3.0.8. You are advised to fix your configuration files. cheers, jerry
Re: [Samba] Anybody building Mandriva rpms?
David Rankin wrote: Thanks Gemes: Gerry, do you have any additional info on this??? Nope. Buchan was (still is?) doing packages for Mandriva but I have not heard from him in a while. cheers, jerry
Re: [Samba] Kerberos Keytab Code Update in 3.0.23
Doug VanLeuven wrote: Gerald (Jerry) Carter wrote: Doug, File a bug report if you believe this to be true. I'm not at 3.0.23 right now and don't have the time to try it here. I wouldn't want to lose this. I did see a mention they dropped support of joins from machines where the domain differs from the realm, but haven't had time to check this. There has been a rewrite of the ads join code since 3.0.22. Doug, You should probably review my comments to Scott. Keytab support is being rewritten, not dropped. I was saying dns domain not equal realm dropped and rewrite ads join code No it wasn't. I run with this on a daily basis. Perhaps something else is attributing to your failures. PS: I asked our Apache guy (at Centeris) who is working with mod_auth_kerb and he claims that krb5 authentication to http://SerVer.ExaMple.COM still gets a ticket for HTTP/server.example.com which supports my theory about tickets based on SPN values. Yes, it works with rc4-hmac. But it's been coming back to me. It didn't work with des-cbc-md5 until the permutations were added. How soon we forget. It's really difficult to test des-only now. Have to join with rc4, then hand edit with adsi.exe in the AD, then remove the rc4 from krb5.conf and reboot the machine to purge the caches, because samba sets the des-only on a compile time flag. I'll go back and retest but I'm still not convinced (until I can reproduce it myself). cheers, jerry
[Samba] Re: Q: winbindd, unqualfied users, name conflicts (a.k.a Death to 'winbind use default domain'!)
On Thu, Jul 20, 2006 at 11:35:11AM -0500, Gerald (Jerry) Carter wrote: Assume I have a member server named LINUX joined to a domain named AD. Now assume I have a local user named foo in my passdb and a user named foo in the domain as well. I'm modifying winbindd_util.c:parse_domain_user() to do a lookup_name() to try to figure out which domain to prepend to the username rather than just assuming it's a domain user. But this means that we'll always choose the local user (due to the order of an isolated search in lookup_name()).

What about in the case of winbind use default domain doing a qualified lookup_name() first and if that fails do the unqualified one? Volker
[Samba] Re: Q: winbindd, unqualfied users, name conflicts (a.k.a Death to 'winbind use default domain'!)
Volker Lendecke wrote: What about in the case of winbind use default domain doing a qualified lookup_name() first and if that fails do the unqualified one? We're given a username. Both LINUX\foo and DOMAIN\foo exist so lookup_name() on either of those will succeed. How do you know which one is which? A local user is always unqualified and a domain user may or may not be. How do you tell them apart? ciao, jerry
[Samba] Re: Q: winbindd, unqualfied users, name conflicts (a.k.a Death to 'winbind use default domain'!)
On Thu, Jul 20, 2006 at 01:46:29PM -0500, Gerald (Jerry) Carter wrote: We're given a username. Both LINUX\foo and DOMAIN\foo exist so lookup_name() on either of those will succeed. How do you know which one is which? A local user is always unqualified and a domain user may or may not be. How do you tell them apart?

What happens now? Looking at the code I get the impression that we default to DOMAIN\foo. So if we get an unqualified name, talloc_asprintf(ctx, "%s\\%s", lp_workgroup(), name), try with that and only if that fails then do the naked lookup_name() which has its defined order. This is a hack, but that whole thing is. I did not try this, so it might break horribly. But I've looked at putting lookup_name into parse_domain_user before and did _not_ try that yet. Volker
[Samba] Re: Q: winbindd, unqualfied users, name conflicts (a.k.a Death to 'winbind use default domain'!)
Dave Daugherty wrote: My opinion: Local users should always take precedence. People should specifically refer to local users as SambaHostName\localuser, if that is the form the SMB client insists on sending. Tacking on default domains and/or stripping domains to/from user names and trying them out is playing fast and loose with user identity and is a breeding ground for potential security holes.

Dave, I don't think you fully understand the problem. We're talking about Unix shell tools, not SMB clients. A local username is always unqualified when sent by Unix tools like 'id' to query group membership. A domain user may or may not be qualified so how do you know an unqualified domain user from a normal local user? For example,

With 'winbind use default domain = no'

    $ id
    uid=780(jerry) gid=100(users) groups=16(dialout),33(video),100(users),10001(BUILTIN\users),10007(SUSE10\developers)

With 'winbind use default domain = yes'

    $ id
    uid=780(jerry) gid=100(users) groups=16(dialout),33(video),100(users)

The problem is that when guessing the domain, we assume the Windows domain name. Prior to querying group membership, we do a lookup_name() query to the DC for this name (DOMAIN\jerry) which fails since it is a local user. So any local groups are excluded from the getgroups() return. *This* ambiguity is why I will be removing the guess work from the server code in 3.0.24. cheers, jerry
[Samba] Re: Q: winbindd, unqualfied users, name conflicts (a.k.a Death to 'winbind use default domain'!)
Volker Lendecke wrote: What happens now? Looking at the code I get the impression that we default to DOMAIN\foo. So if we get an unqualified name, talloc_asprintf(ctx, "%s\\%s", lp_workgroup(), name), try with that and only if that fails then do the naked lookup_name() which has its defined order. This is a hack, but that whole thing is.

Sure. If a user of the same name doesn't exist in the local passdb and domain SAM. But when LINUX\foo and DOMAIN\foo both exist, the lookup for DOMAIN\foo will succeed.

I did not try this, so it might break horribly. But I've looked at putting lookup_name into parse_domain_user before and did _not_ try that yet.

I was about to and realized it cannot work 100% of the time. That is what prompted this thread. cheers, jerry
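Added example, not part of the thread and not Samba code: a small Python model of the three ways discussed above to resolve an unqualified name when LINUX\foo and AD\foo both exist. The account tables, group names and function bodies are constructed assumptions; only the server name LINUX, the domain AD, the user foo and the local-first order of an isolated lookup_name() come from the messages.

```python
"""Model of unqualified-name resolution on a domain member server.

A simulation for illustration only. Function names echo the thread's terms,
but the bodies are assumptions, not Samba's implementation.
"""

LOCAL_NAME = "LINUX"   # member server name (from the thread)
WORKGROUP = "AD"       # domain it is joined to (from the thread)

# Constructed account databases: "foo" exists in both, as in the thread.
ACCOUNTS = {
    "LINUX": {"foo", "localonly"},
    "AD": {"foo", "domonly"},
}

# Constructed group memberships, keyed by fully qualified account.
GROUPS = {
    ("LINUX", "foo"): {"users", "dialout"},
    ("AD", "foo"): {"AD\\domain users", "AD\\finance"},
    ("LINUX", "localonly"): {"users"},
    ("AD", "domonly"): {"AD\\domain users"},
}


def lookup_name(name):
    """Return (domain, user) or None.

    A qualified name is searched only in the named database. An unqualified
    ("isolated") name is searched local-first, the order the thread describes.
    """
    if "\\" in name:
        domain, user = name.split("\\", 1)
        return (domain, user) if user in ACCOUNTS.get(domain, ()) else None
    for domain in (LOCAL_NAME, WORKGROUP):
        if name in ACCOUNTS[domain]:
            return (domain, name)
    return None


def assume_domain(name):
    """Always prepend the workgroup to an unqualified name."""
    return lookup_name(f"{WORKGROUP}\\{name}")


def local_first(name):
    """Isolated lookup_name(): the local passdb wins."""
    return lookup_name(name)


def qualified_first(name):
    """Try WORKGROUP\\name first, then fall back to the isolated lookup."""
    return lookup_name(f"{WORKGROUP}\\{name}") or lookup_name(name)


STRATEGIES = {
    "assume_domain": assume_domain,
    "local_first": local_first,
    "qualified_first": qualified_first,
}


def unreachable(strategy):
    """Accounts that no unqualified name can ever resolve to."""
    every = {(d, u) for d, users in ACCOUNTS.items() for u in users}
    names = {u for _, u in every}
    reached = {strategy(n) for n in names} - {None}
    return every - reached


def groups_seen(strategy, real_account):
    """Groups reported when real_account is queried by its bare user name."""
    resolved = strategy(real_account[1])
    return GROUPS[resolved] if resolved else set()


if __name__ == "__main__":
    for label, fn in STRATEGIES.items():
        lost = sorted("\\".join(a) for a in unreachable(fn))
        print(f"{label:16} unreachable: {lost}")
        for acct in (("LINUX", "foo"), ("AD", "foo")):
            wrong = groups_seen(fn, acct) != GROUPS[acct]
            print(f"    {acct[0]}\\foo gets {'WRONG' if wrong else 'right'} groups")
```

Every strategy leaves at least one account unreachable by its bare name, and the caller who owns that account is handed another account's groups or none at all.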
Re: [Samba] Security = ADS and 3.0.23 Upgrade
Gerald (Jerry) Carter wrote: Dale Schroeder wrote: I've attached the screenshots, but I think my confusion was expecting the pdc to display the FQDN from its DNS records for the samba system, not the hosts file on the samba system. I will almost guarantee that you have a broken /etc/hosts on your Samba box. The machine's hostname should not be listed in the 127.0.0.1 line. This will also break Krb5 authentication. Fix this on the Unix box and rejoin the domain. Should be fine.

You are quite correct that adding the missing parameter to the hosts file and rejoining the domain would fix this problem. That leaves only the 'valid users' bug you mentioned. Of the three parameters following: 1. 'valid users' had to be disabled 2. 'write list' had to be present 3. 'admin users' had no effect either way in order for me to access the test share. I used all three quite frequently in 3.0.22 and prior, so I surely do hope it is something that can be remedied. I greatly appreciate your time and your help. Dale
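Added example, not part of the thread: a Python check for the /etc/hosts mistake described in the message above, the machine's own name appearing on the 127.0.0.1 line. The sample files, the name fileserver.example.com and the address 192.0.2.10 are constructed placeholders, and the second finding (no non-loopback entry) is an assumption of this example rather than something the thread states.

```python
"""Check a hosts file for the machine's own name on the 127.0.0.1 line."""

# Constructed sample files; names and addresses are placeholders.
BROKEN_HOSTS = """\
# hostname wrongly appended to the loopback entry
127.0.0.1   localhost.localdomain localhost fileserver
"""

FIXED_HOSTS = """\
127.0.0.1   localhost.localdomain localhost
192.0.2.10  fileserver.example.com fileserver   # real address, FQDN first
"""


def parse_hosts(text):
    """Yield (address, [names]) for each line that carries an entry."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) >= 2:
            yield fields[0], [n.lower() for n in fields[1:]]


def audit_hosts(text, hostname, loopback="127.0.0.1"):
    """Return a list of findings for hostname (short name or FQDN)."""
    short = hostname.lower().split(".", 1)[0]
    on_loopback = has_real_entry = False
    for address, names in parse_hosts(text):
        # Match the short name or any FQDN whose first label is the short name.
        if not any(n.split(".", 1)[0] == short for n in names):
            continue
        if address == loopback:
            on_loopback = True
        else:
            has_real_entry = True
    findings = []
    if on_loopback:
        findings.append(f"{short} is listed on the {loopback} line")
    if not has_real_entry:
        # Assumption of this example: the name should map to a real address here.
        findings.append(f"{short} has no entry on a non-loopback address")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_HOSTS), ("fixed", FIXED_HOSTS)):
        print(label, audit_hosts(text, "fileserver.example.com") or "ok")
```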
[Samba] New to this list. How to Samba Archives.
Hello all, What is the easiest way to search the samba archives? The archive doesn't have a search option like the qmail archives search option. Regards, Ariel Duran
Re: [Samba] New to this list. How to Samba Archives.
On Thu, 20 Jul 2006, Ariel Duran wrote: Hello all, What is the easiest way to search the samba archives? The archive doesn't have a search option like the qmail archives search option.

The easiest way to search the archives is to go to: http://marc.theaimsgroup.com/ and scroll down until you get to the Samba portion. You can click on a mailing list, and then run a search on it. Many, many mailing lists are there, so it's really a great resource for sysadmins. HTH.

Regards, Ariel Duran

-- Sean Elble, Virginia Tech, Computer Engineering, Class of 2008, Vice President, VTLUUG, E-Mail: [EMAIL PROTECTED]
Re: [Samba] Security = ADS and 3.0.23 Upgrade
Dale Schroeder wrote: You are quite correct that adding the missing parameter to the hosts file and rejoining the domain would fix this problem. That leaves only the 'valid users' bug you mentioned. Of the three parameters following: 1. 'valid users' had to be disabled 2. 'write list' had to be present 3. 'admin users' had no effect either way

Fixed in 3.0.23a: http://viewcvs.samba.org/cgi-bin/viewcvs.cgi?rev=17022&view=rev Please test the svn://svnanon.samba.org/samba/branches/SAMBA_3_0_23 tree to be sure. cheers, jerry
Re: [Samba] Can't connect with force user set (3.0.23)
Jochen Knuth wrote: Hi, after an update to samba 3.0.23 i can't connect to shares if i set the option force user.

Just to clarify yet again, unqualified domain user and group names are not supported in smb.conf and have not been since Samba 3.0.8. But your failure has been fixed in 3.0.23a (due out tomorrow). Please test the SAMBA_3_0_23 svn branch if you can to verify this fix. Thanks. cheers, jerry
Re: [Samba] identifying servers
Hi Norbert, you can configure IAS at windows (2000 or 2003) and configure freeradius to use IAS (radius server) to authenticate your users. Marcos

--- Norbert Wegener [EMAIL PROTECTED] wrote: I want to use freeradius and Active directory for authentication in a larger Active Directory forest and therefore freeradius must know the relevant domain servers. As this forest is living with servers being added and removed, I want to identify the global catalog servers in that forest automatically. How could this be achieved using samba tools? Thanks Norbert Wegener
Re: [Samba] [SECURITY] Samba 3.0.1 - 3.0.22: memory exhaustion DoS against smbd
Gautier, B (Bob) wrote: Subject: Memory exhaustion DoS against smbd, CVE ID#: CAN-2006-3403. While we wait for this patch to get backported into 3.0.10 as a RHEL4 update, will setting the 'max connections' parameter on all shares work around this problem?

The problem is that a 'max connections' would limit the total connections and what you really want to limit is the share connections per smbd. You could set something like max connections = 1 in [global] to set a ceiling but you will take a slight performance hit for it. cheers, jerry
[Samba] USRMGR, groups, and ldap
I currently have samba version 3.0.23 installed using ldap as the backend. I am experiencing the same problems as Holger Wesser mentioned in his posting USRMGR.exe not working properly. However, it appears that the fix of creating the group mappings does not work. They appear to be mapped correctly on my setup. My net groupmap list is:

    Domain Admins (S-1-5-21-1882045844-2771900506-1057560041-512) -> Domain Admins
    Domain Users (S-1-5-21-1882045844-2771900506-1057560041-513) -> Domain Users
    Domain Guests (S-1-5-21-1882045844-2771900506-1057560041-514) -> Domain Guests
    Domain Computers (S-1-5-21-1882045844-2771900506-1057560041-515) -> Domain Computers
    Administrators (S-1-5-32-544) -> Administrators
    Account Operators (S-1-5-32-548) -> Account Operators
    Print Operators (S-1-5-32-550) -> Print Operators
    Backup Operators (S-1-5-32-551) -> Backup Operators
    Replicators (S-1-5-32-552) -> Replicators

However, there are no groups listed in usrmgr.exe or any of the dialog boxes for adding users/groups in XP. The users are listed correctly in usrmgr.exe but with none of the group memberships. In addition, net rpc group members Administrators reports: Couldn't list alias members. I was hoping for some direction on how to diagnose and correct the problem. -James
Re: [Samba] MS06-035 problems?
It was a false alarm, it turns out. The guy who was installing the machine forgot to edit the selinux configuration on the default FC5 install. It was in permissive mode, but it needed to be disabled in order for it to work. Thanks, Alan On Thu, 2006-07-13 at 12:52 -0500, Gerald (Jerry) Carter wrote: Alan Munter wrote: I just patched our domain controllers with MS06-035 because it said it was just fixing a couple of memory leak problems with SMB in srvsvc. Now, this afternoon, one of my colleagues tried to join a FC5 machine to our active directory using the recipe that we have been using for years (which worked yesterday, according to him), and it fails on net ads join. No changes have been made to the domain controllers other than the Black Tuesday patches. Here's a log dump from net -d4 ads join. We get the error: What version of Samba is this 3.0.22 ? [2006/07/12 15:55:14, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(571) verify_service_password: get_service_ticket failed: KDC has no support for encryption type Ignore that. It's not the issue. Any ideas of what's going on? Need more info? Did MS sneak some more changes into the server service that they aren't talking about in that patch? Need more details. What do level 10 debug logs from smbd tell you about the failed authentication? cheers, jerry
Re: [Samba] New to this list. How to Samba Archives.
Try this http://www.mail-archive.com/

Cheers,
henrik

On 20 Jul 2006 at 20:27, Ariel Duran wrote:
> Hello all,
> What is the easiest way to search the samba archives? The archive doesn't have a search option like the qmail archives search option.
> Regards,
> Ariel Duran
Re: [Samba] Kerberos Keytab Code Update in 3.0.23
Gerald (Jerry) Carter wrote: Doug VanLeuven wrote: Gerald (Jerry) Carter wrote: Doug, File a bug report if you believe this to be true. I'm not at 3.0.23 right now and don't have the time to try it here. I wouldn't want to lose this. I did see a mention they dropped support of joins from machines where the domain differs from the realm, but haven't had time to check this. There has been a rewrite of the ads join code since 3.0.22. Doug, You should probably review my comments to Scott. Keytab support is being rewritten, not dropped. I was saying dns domain not equal realm dropped and rewrite ads join code No it wasn't. I run with this on a daily basis. Perhaps something else is attributing to your failures.

First, I'm not having failures. I was commenting information I believed I read. So what did you mean in this post: http://marc.theaimsgroup.com/?l=sambam=115193492903190w=2

quote:
You were right. ( as usual.. ) I had the wrong FQDN on the samba server. After reconfiguring my network and I got the FQDN back from 'hostname' the join worked as planned. For the record, this is what WinXP does as well. You cannot join a WinXP box to a domain using a non-admin account if the client's FQDN is outside the AD domain. I agree this is a change from previous Samba version, but then previous Samba releases always required domain admin creds to join.
endquote

Did you mean if one joins with non-admin credentials it no longer works, but if one's credentials are administrative it still works? I understand previously joined machines still work. Not trying to be a wise guy, just trying to understand.

Regards,
Doug
Re: [Samba] Kerberos Keytab Code Update in 3.0.23
Doug,

>>> I was saying dns domain not equal realm dropped and rewrite ads join code
>>
>> No it wasn't. I run with this on a daily basis. Perhaps something else is attributing to your failures.
>
> First, I'm not having failures. I was commenting information I believed I read. So what did you mean in this post: http://marc.theaimsgroup.com/?l=sambam=115193492903190w=2 ...
>
> Did you mean if one joins with non-admin credentials it no longer works, but if one's credentials are administrative it still works? I understand previously joined machines still work. Not trying to be a wise guy, just trying to understand.

No problem. I spent a couple of days just staring at traces and reading to try to track down the corner cases. It's pretty confusing. The best thing to do is to read here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/control_access_rights.asp and then use ADSIedit to view the default security descriptor on a machine account object.

A non-admin (and the machine itself) only has validated-write access to the dNSHostName and servicePrincipalName attributes. This means that the dNSHostName value has to be with the AD realm and the SPN has to match the dNSHostName. Try to join a WinXP box to a domain using a non-admin account with the dns suffix outside of the AD realm and you will see what I mean. It fails to join and tells you to contact the administrator to relax the rules (or something similar). If you are a domain admin, then you have full control to these attributes and can do whatever you like.

Samba 3.0.22 did all the ads join operations using LDAP requests which required you to be a Domain Admin. As part of the join, the machine SID was given full control over the object in AD so again you could do whatever you liked with 'net ads keytab add -P'. The code in 3.0.23 uses a mixture of RPC and LDAP just like Windows 2000/XP.

The advantage is that a non-admin can now join a Samba box to a domain given the same privileges as required by Windows. The disadvantage is that we can no longer assume we have admin rights to set any property we like. This is why for example, we no longer try to create a UPN by default (although I added a new option to net ads join in 3.0.23a that will do that) or set the operatingSystem attribute value.

Hope this helps clear up some of the confusion. Note that I've added in a fair amount of new code in 3.0.23a for (a) deriving the DES salt (b) generating the keytab file (c) optionally creating the UPN as part of the join. Please give it a whirl and let me know how it goes. Our Krb5 code is over 3 years old spreading about multiple MIT and heimdal versions. It's time for some spring cleaning but I don't want to lose functionality if we can help it.

cheers, jerry

Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
What man is a man who does not make the world better? --Balian
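The two validated-write constraints described in the message above, written as a pre-join check. This is an added example, not Samba code and not part of the thread: the function names are this example's own, it reads "dNSHostName has to be with the AD realm" as a DNS-suffix test, and it assumes the short computer name is also an acceptable SPN host. The first host name and the realm are the ones quoted in the "Failed to set servicePrincipalNames" thread on this page; `kraken.uls.nt.pitt.edu` is constructed.

```python
def spn_host(spn):
    """Return the lower-cased host part of service/host[:port][/name]."""
    parts = spn.split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"malformed SPN: {spn!r}")
    return parts[1].split(":", 1)[0].rstrip(".").lower()


def validated_write_violations(dns_host_name, realm, spns):
    """List what would stop a non-admin join from setting these attributes.

    Rule 1: dNSHostName must sit under the realm's DNS name.
    Rule 2: every SPN host must be the dNSHostName (or, as an assumption
            of this example, the short computer name).
    """
    problems = []
    host = dns_host_name.rstrip(".").lower()
    suffix = "." + realm.rstrip(".").lower()

    # A bare realm name with no host label in front does not count.
    if not (host.endswith(suffix) and len(host) > len(suffix)):
        problems.append(
            f"dNSHostName {host} is outside realm {realm.upper()}")

    short = host.split(".", 1)[0]
    for spn in spns:
        try:
            target = spn_host(spn)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if target not in (host, short):
            problems.append(f"SPN {spn} does not match dNSHostName {host}")
    return problems


if __name__ == "__main__":
    # Host and realm as quoted on this page; SPN values are constructed.
    for line in validated_write_violations(
            "kraken.library.pitt.edu", "ULS.NT.PITT.EDU",
            ["HOST/kraken.library.pitt.edu", "HOST/KRAKEN"]):
        print(line)
```

An empty list means both constraints hold for the values given; it says nothing about other reasons a join can fail.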
[Samba] SAMBA_3_0_RELEASE == Samba 3.0.23a
Folks,

With the exception of a few help messages I need to add to 'net ads join', the release tree should be ready. If people could run their tests and report back if anything that should be fixed is not. Check the release notes for details. We are due to release tomorrow afternoon.

cheers, jerry

Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
What man is a man who does not make the world better? --Balian
[Samba] guest ok
I have the following smb.conf file. Note the guestaccount parameter, and the guest parameters in shareA, shareB, and shareC.

    #
    # Generated by modify_samba_config.pl
    #
    [global]
    adminusers= Administrator, root
    logonhome = \\%L\%U\.9xprofile
    addsharecommand = /usr/local/autobench/sources/samba/util/modify_samba_config.pl
    addgroupscript= /usr/sbin/groupadd -p %g
    deletesharecommand= /usr/local/autobench/sources/samba/util/modify_samba_config.pl
    include = /etc/samba/dhcp.conf
    deleteuserfromgroupscript = /usr/sbin/groupmod -x %u %g
    adduserscript = /usr/sbin/useradd -m %u
    deleteprintercommand = /usr/local/autobench/sources/samba/util/modify_samba_config.pl
    maptoguest= Bad User
    addprintercommand = /usr/local/autobench/sources/samba/util/modify_samba_config.pl
    setprimarygroupscript = /usr/sbin/usermod -g %g %u
    addmachinescript = /usr/sbin/useradd %u
    domainlogons = yes
    deleteuserscript = /usr/sbin/userdel -r %u
    printcapname = cups
    passdbbackend = tdbsam
    guestaccount = testguest
    printing = cups
    cupsoptions = raw
    logondrive= P:
    addusertogroupscript = /usr/sbin/groupmod -m %u %g
    logonpath = \\%L\profiles\.msprofile
    printcapcachetime = 750
    workgroup = SAMBA_TEST
    security = user
    domainmaster = yes
    ## Section - [users]
    [users]
    readonly = No
    comment = All users
    vetofiles = /aquota.user/groups/shares/
    inheritacls = Yes
    path = /home
    ## Section - [homes]
    [homes]
    readonly = No
    browseable= No
    comment = Home Directories
    inheritacls = Yes
    validusers= %S
    ## Section - [printers]
    [printers]
    createmask= 0600
    browseable= No
    comment = All Printers
    printable = Yes
    path = /var/tmp
    ## Section - [shareC]
    [shareC]
    write list= testguest
    guest only = yes
    guest ok = yes
    path = /tmp/shareC
    ## Section - [print$]
    [print$]
    directorymask = 0775
    createmask= 0664
    comment = Printer Drivers
    forcegroup= ntadmin
    path = /var/lib/samba/drivers
    writelist = @ntadmin root
    ## Section - [shareA]
    [shareA]
    path = /tmp/shareA
    writelist = user1
    ## Section - [groups]
    [groups]
    readonly = No
    comment = All groups
    inheritacls = Yes
    path = /home/groups
    ## Section - [profiles]
    [profiles]
    directorymask = 0700
    createmask= 0600
    readonly = No
    storedosattributes= Yes
    comment = Network Profiles Service
    path = %H
    ## Section - [shareB]
    [shareB]
    path = /tmp/shareB
    guestok = yes
    writelist = user1
    #
    # end of generated smb.conf
    #

After reading the smb.conf man page, here's what I think should happen with the shares. Using smbclient get and put:

    user1 should be able to read/write shareA
    testguest should not be able to read/write shareA
    user1 should be able to read but not write shareB (is authenticated as testguest)
    testguest should be able to read but not write shareB (no password needed)
    user1 should not be able to read/write shareC (is not allowed to connect)
    testguest should be able to read/write shareC (no password needed)

Mounting the shares should produce similar results with file opens. However, here's what actually happens:

    user1 can read but not write shareA (different from above)
    testguest can neither read nor write shareA (ok)
    user1 can read but not write shareB (ok)
    testguest can read but not write shareB (ok)
    user1 can read but not write shareC (different from above)
    testguest can read but not write shareC (different from above)

Have I misinterpreted the man page?

Sincerely,
Don Watson
Linux Technology and Solutions; Beaverton, OR
503-578-4861/TL: 775-4861; [EMAIL PROTECTED]
Re: [Samba] guest ok
Donald W Watson wrote:
> passdbbackend = tdbsam
> guestaccount = testguest
>
> [shareC]
> write list= testguest
> guest only = yes
> guest ok = yes
> path = /tmp/shareC

it should be guest account = testguest and guest ok = yes - notice the spaces. the other parameters are similar. check your spacing.

--
Anthony
http://messinet.com
http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
Re: [Samba] guest ok
Anthony,

> Donald W Watson wrote:
> > passdbbackend = tdbsam
> > guestaccount = testguest
> >
> > [shareC]
> > write list= testguest
> > guest only = yes
> > guest ok = yes
> > path = /tmp/shareC
>
> it should be guest account = testguest and guest ok = yes - notice the spaces. the other parameters are similar. check your spacing.

Doesn't matter. Parameter names are case and white space insensitive.

cheers, jerry

Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
What man is a man who does not make the world better? --Balian
Re: [Samba] guest ok
Gerald (Jerry) Carter wrote:
> Anthony,
>
> > it should be guest account = testguest and guest ok = yes - notice the spaces. the other parameters are similar. check your spacing.
>
> Doesn't matter. Parameter names are case and white space insensitive.

ahh, thank you. that's an interesting tidbit about which i was unaware (among other things):)

-a

--
Anthony
http://messinet.com
http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
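An added example, not part of the thread and not Samba's own code: a small Python audit that folds parameter names the way the reply above describes (case and white space ignored), so that `guestok`, `guest ok` and `Guest OK` are seen as one setting when reviewing which shares allow guest access. The sample is constructed from the shares posted in this thread; the function names, the synonym table (`public`, `only guest`) and the `nobody` fallback for the guest account are this example's own choices.

```python
import re

# Constructed sample: the guest-related lines of the smb.conf posted in this
# thread, with parameter names spelled exactly as they were posted.
SAMPLE_SMB_CONF = r"""
[global]
guestaccount = testguest
maptoguest= Bad User

[shareA]
path = /tmp/shareA
writelist = user1

[shareB]
path = /tmp/shareB
guestok = yes
writelist = user1

[shareC]
write list= testguest
guest only = yes
guest ok = yes
path = /tmp/shareC
"""

# smb.conf synonyms relevant to guest access, in folded form.
SYNONYMS = {"public": "guestok", "onlyguest": "guestonly"}
TRUE_WORDS = {"yes", "true", "on", "1"}


def canon(name):
    """Fold a parameter name: drop all white space, lower-case, map synonyms."""
    folded = re.sub(r"\s+", "", name).lower()
    return SYNONYMS.get(folded, folded)


def parse_smb_conf(text):
    """Return {section: {folded_parameter_name: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            sections[current][canon(name)] = value.strip()
    return sections


def guest_audit(sections):
    """Per share: guest settings after folding, with [global] as the default."""
    glob = {}
    for name, params in sections.items():
        if name.lower() == "global":
            glob = params
    guest_account = glob.get("guestaccount", "nobody")  # assumed fallback

    def flag(params, key):
        return params.get(key, glob.get(key, "no")).lower() in TRUE_WORDS

    report = {}
    for name, params in sections.items():
        if name.lower() == "global":
            continue
        raw_list = params.get("writelist", glob.get("writelist", ""))
        write_list = [u for u in re.split(r"[,\s]+", raw_list) if u]
        report[name] = {
            "guest_ok": flag(params, "guestok"),
            "guest_only": flag(params, "guestonly"),
            "write_list": write_list,
            "guest_account_in_write_list": guest_account in write_list,
        }
    return report


if __name__ == "__main__":
    for share, row in guest_audit(parse_smb_conf(SAMPLE_SMB_CONF)).items():
        print(share, row)
```

The report only describes the configuration as written; it does not predict what smbd will allow for a given connection.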
[Samba] simple configuration problem
This is smb.conf:

    [global]
    workgroup = workgroup
    netbios name = darkstar
    security = share
    log file = /var/log/samba.%m
    max log size = 50

    [homes]
    comment = Home Directories
    browseable = yes
    read only = No

    [printers]
    comment = All Printers
    path = /var/spool/samba
    guest ok = yes
    printable = yes
    browseable = yes

However, when I try to read homes on samba 3.0.22 from Win, a window appears that has DARKSTAR/Guest as the username and asks me for a password. Why does it ask me for a password, if I set share? And what can that password for guest be, since it's the nobody user?

Thanx!
M.
Re: [Samba] Win2k Master Browser believes Linux box is master browser
Cheers

This seems to have fixed the problem. Thanks a lot

Mark

On 17 Jul 2006, at 16:26, Nanni X wrote:
> Hi Mark,
> I think you should set the os level directive to a low value (try 5 or 10). This directive instructs smb to have a low profile during the election of a new master browser. Then add a line:
>
> preferred master = NO
>
> This line prevents the samba box from starting a new election.
>
> Instead, when I set up a samba PDC I use values like 200+ and preferred master = YES to be sure (is it possible to be sure when you play with windoze? ;-) ) the samba box becomes a master browser. Perhaps the directive left open, without a value, can be assumed as a high value. Really I don't know.
>
> Let me know
> hope this helps
> Giovanni
[Samba] How to get login name of logged user?
Hello list.

Is there any way to get the login name of a currently logged-in user on a remote machine using samba? I can get the list of all users with the command smbclient -L host, but how do I know which of them are logged in now?

Thanks in advance.
Roman Gorohov.
[Samba] mount a window 2003 nfs share on a sun running solaris10
Hi

Is there a way to mount a shared 2.5 tb volume from 1 2003 windows onto a sun running solaris 10? Is there a simple way to do this with samba?

thanks
donr
email [EMAIL PROTECTED]
Re: [Samba] Can't become connected user?
Please note the part that I found in samba.doc.

Windows XP Professional

When attempting to join a domain, you receive the following error message:

    Computer Name Changes: The following error occurred attempting to join the domain MYDOMAIN: The specified network password is not correct.

Additionally, your Samba logfile (at debug level 1) reveals:

    smbd/service.c:make_connection(): Can't become connected user!.

This is usually caused by improper registry settings in the client. Use Window's Group Policy Editor (gpedit.msc) to make the following changes in the Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options branch:

    Disable: Domain member: Digitally encrypt or sign secure channel data
    Disable: Domain member: Digitally sign secure channel data (when possible)
[Samba] Failed to set servicePrincipalNames (Samba+Solaris 10+NISplus+ADS+DNS)
When joining our Solaris 10 Samba 3.0.23 system to ADS via...

    # /usr/local/samba/bin/net ads join -U Administrator
    Administrator's password:
    Using short domain name -- ULS
    Failed to set servicePrincipalNames. Only NTLM authentication will be possible.
    Please ensure that the DNS domain of this server matches the AD domain,
    Or rejoin with using Domain Admin credentials.
    Joined 'KRAKEN' to realm 'ULS.NT.PITT.EDU'

Our Unix system FQDNS name is kraken.library.pitt.edu. Our Windows ADS realm is ULS.NT.PITT.EDU.

Our Active Directory DNS Tree starts at NT.PITT.EDU as we (Pitt) did not want to integrate the existing DNS tree with the Active Directory DNS Tree. An Option that is defined by Microsoft.

We can not put our UNIX system under the Active Directory Tree as it exists in a Solaris NIS+ configuration where the other UNIX systems are located in the library.pitt.edu DNS Tree. Thus neither setting the DNS domain to the AD domain or vice versa is possible.

My question is - given this setup what problems will we run into?

Thanks for any info.
Brian Gregg.

--
Brian D. Gregg
Systems Analyst
University Library System
University of Pittsburgh
7500 Thomas Blvd.
Pittsburgh, PA 15208
e-mail: [EMAIL PROTECTED]
voice: 412-244-7507
fax: 412-244-7515
Member: ASNP - Association of Storage Networking Professionals
[Samba] programmatical retrieval of windows event logs from linux
Am a Linux guy and trying to support security monitoring for Windows devices. Am trying to find a programmatic way of pulling security and application logs from Windows machine. OR it can be a push model where windows can generate events/traps. It should all be built-in in windows with no external tool installation.

Looks like there is no NATIVE built in asynchronous event reporting from windows (2000/2003/xp)? It can be in terms of SNMP Traps as well. Given this, one can use Samba apis (rpcclient) to periodically pull the event logs from windows.

Is there any better way to accomplish the same programmatically using Push or Pull model to get the security and application logs on windows from Linux ?

-Dave
[Samba] samba with ads
Hi There,

I'm using samba 3.0.21c with ADS. Getting the following error message:

    [EMAIL PROTECTED] ~]# smbclient -k -UAdministrator //192.168.1.45/Public
    session setup failed: NT_STATUS_LOGON_FAILURE.

Please advise
[Samba] Clients fail to join domain, machine password not found
I have set up a samba PDC+LDAP on our fileserver, which is housed in the university's server room, so it is on a different subnet. I give our client machines the ip of the pdc as the wins server. This allows our clients to join the domain, but it fails with user name not found. Checking the logs, I see that Administrator was able to login, and the smbldap-tools script ran and added the machine to the domain. But before this even happens, it seems samba looks for the machine password, and fails. It's the only error that is in the log.

I'm running Samba 3.0.22 (Blastwave) on Solaris 10. I've run the same version on Linux (RHEL v4) to do the same job (before we moved the homes to the fileserver) and didn't have any of these problems. I've tried everything I can think of, but still no go. Any ideas?

The smb.conf:

    [global]
    workgroup = CBI
    netbios name = Cajal
    enable privileges = yes
    interfaces = ce0 127.0.0.1
    server string = Cajal PDC %v
    security = user
    encrypt passwords = Yes
    log level = 2
    syslog = 0
    time server = yes
    domain logons = yes
    os level = 90
    preferred master = yes
    domain master = yes
    wins support = yes
    passdb backend = ldapsam:ldap://x.x.x
    ldap admin dn = cn=samba,ou=DSA,dc=x
    ldap suffix = dc=x
    ldap group suffix = ou=group
    ldap user suffix = ou=people
    ldap machine suffix = ou=machines
    ldap idmap suffix = ou=Idmap
    ldap passwd sync = Yes
    ldap ssl = start tls
    add user script = /opt/csw/sbin/smbldap-useradd -m %u
    add machine script = /opt/csw/sbin/smbldap-useradd -w %u
    add group script = /opt/csw/sbin/smbldap-groupadd -p %g
    add user to group script = /opt/csw/sbin/smbldap-groupmod -m %u %g
    delete user from group script = /opt/csw/sbin/smbldap-groupmod -x %u %g
    set primary group script = /opt/csw/sbin/smbldap-usermod -g %g %u
[Samba] RE: Q: winbindd, unqualfied users, name conflicts (a.k.a Deathto 'winbind use default domain'!)
My opinion: Local users should always take precedence. People should specifically refer to local users as SambaHostName\localuser, if that is the form the SMB client insists on sending. Tacking on default domains and/or stripping domains to/from user names and trying them out is playing fast and loose with user identity and is a breeding ground for potential security holes.

Dave Daugherty

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] org] On Behalf Of simo
Sent: Thursday, July 20, 2006 9:59 AM
To: Gerald (Jerry) Carter
Cc: Volker Lendecke; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Q: winbindd, unqualfied users, name conflicts (a.k.a Deathto 'winbind use default domain'!)

On Thu, 2006-07-20 at 11:35 -0500, Gerald (Jerry) Carter wrote:
> Volker,
>
> Assume I have a member server named LINUX joined to a domain name AD. Now assume I have a local user named foo in my passdb and a user named foo in the domain as well.
>
> I'm modifying winbindd_util.c:parse_domain_user() to do a lookup_name() to try to figure out which domain to prepend to the username rather than just assuming it's a domain user. But this means that we'll always choose the local user (due to the order of an isolated search in lookup_name()).
>
> The main problem is the use default domain abomination will confuse local and domain users of the same name and possibly return incorrect group membership. I am about a 1/2 inch from marking the smb.conf option as deprecated and adding similar option to pam_winbind.conf. This option just cannot work reliably.
>
> Do you have any suggestions?

I would just document that local users will always take precedence. Winbind use default domain is too valuable to be removed imho.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org
[Samba] NTConfig.pol /samba troubleshooting
Hello,

I have (had) poledit/NTConfig.pol working on rhel4 for one of the labs, it has winexit.scr and a custom adm that has worked fine. I have used the net rpc groupmap to map users and root. It doesn't appear the configuration is being picked up on some machines for the next lab. Even the base one. There is only Default User and Computer.

Is there nt group related issues I should be checking? I have heard nested groups do not get picked up. I get GID errors in samba machine logs (still) users:@students, @labs etc

regards
Bruce Hermes
[EMAIL PROTECTED]
[Samba] an error User tftp in passdb, but getpwnam() fails!
hi there

I'm trying to raise the smbd daemon but I can't, and in the log I get an error...

    User tftp in passdb, but getpwnam() fails!

can you please give me an answer

assaf
[Samba] SSH and winbind authentication on Solaris 10
I've googled my heart out, but I cannot see an example of ssh authentication with Active Directory and winbindd, particularly on Solaris 10. I have it working on Solaris 8 with telnet, but I'm trying to break my users of telnet.

Has anyone got it working? If so, would you be willing to share the global section of your smb.conf and pam.conf with me? Is there something I need to put in one of the ssh configuration files?

Celeste Suliin Burris
Systems Administrator
Community and Economic Development Department
Phone - 253-591-5093
Email - [EMAIL PROTECTED]
URL - http://www.cityofdestiny.com
Re: [Samba] Failed to set servicePrincipalNames (Samba+Solaris 10+NISplus+ADS+DNS)
Brian,

> # /usr/local/samba/bin/net ads join -U Administrator
> Administrator's password:
> Using short domain name -- ULS
> Failed to set servicePrincipalNames. Only NTLM authentication will be possible.
> Please ensure that the DNS domain of this server matches the AD domain,
> Or rejoin with using Domain Admin credentials.
> Joined 'KRAKEN' to realm 'ULS.NT.PITT.EDU'
>
> Our Unix system FQDNS name is kraken.library.pitt.edu. Our Windows ADS realm is ULS.NT.PITT.EDU.
>
> Our Active Directory DNS Tree starts at NT.PITT.EDU as we (Pitt) did not want to integrate the existing DNS tree with the Active Directory DNS Tree. An Option that is defined by Microsoft.
>
> We can not put our UNIX system under the Active Directory Tree as it exists in a Solaris NIS+ configuration where the other UNIX systems are located in the library.pitt.edu DNS Tree. Thus neither setting the DNS domain to the AD domain or vice versa is possible.
>
> My question is - given this setup what problems will we run into?

Please send me a level 10 debug log from 'net ads join'. You should be able to do this as a Domain Admin. And please make sure that your /etc/hosts is not broken.

cheers, jerry

Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
What man is a man who does not make the world better? --Balian
Re: [Samba] SSH and winbind authentication on Solaris 10
Burris, Celeste Suliin wrote:
> I've googled my heart out, but I cannot see an example of ssh authentication with Active Directory and winbindd, particularly on Solaris 10. I have it working on Solaris 8 with telnet, but I'm trying to break my users of telnet.

There's not much to it besides adding pam_winbind.so to your pam file and make sure to set 'template shell' to a valid shell on your system. The default is /bin/false.

cheers, jerry

Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
What man is a man who does not make the world better? --
[Samba] Can't access Samba server with NetBIOS Name but OK with IP
Hi, folks

I installed samba 3.0.21b-2 with winbind on a Fedora 5 server. I edited 5 files (shown below) and joined Windows AD by the net join ADS command. It worked in the first month. I could access folders with appropriate permission.

Then I found I couldn't access the server by keying in \\smbservername. A pop-up Windows box says Incorrect password or unknown user. I tried domain\domain-username, domain-username, userNo-in-getent-passwd but none of them worked. However, if I use its IP address such as \\10.10.10.2, it works as normal. I checked the DNS records. They all exist in the DNS server. I even keyed the DNS record into all hosts files. But no difference.

I also noticed one thing. When I use Windows XP I check the security tab of the folder shared on this FC5. I can see AD username, AD group name and everyone, which stand for user, group and others. All check boxes in front of these username, groupname and everyone are un-checked even if I can access the folders.

What did I do wrong? Shall I edit the /etc/pam.d/login file as well? How? Here is my current /etc/pam.d/login:

    #%PAM-1.0
    auth required pam_securetty.so
    auth include system-auth
    account required pam_nologin.so
    account include system-auth
    password include system-auth

Thanks for any comment,
Yujie

==Fstab==

    LABEL=/home /home ext3 defaults,acl 1 2

==Nsswitch.conf==

    passwd: files winbind
    shadow: files
    group: files winbind
    hosts: files dns
    bootparams: nisplus [NOTFOUND=return] files
    ethers: files
    netmasks: files
    networks: files
    protocols: files
    rpc: files
    services: files
    netgroup: nisplus
    publickey: nisplus
    automount: files nisplus
    aliases: files nisplus

==Krb5.conf==

    [libdefaults]
     default_realm = COMPANY.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes

    [realms]
     COMPANY.COM = {
      kdc = adserver.company.com:88
      admin_server = adserver.company.com:749
      default_domain = company.com
     }

    [domain_realm]
     .example.com = COMPANY.COM
     example.com = COMPANY.COM

    [kdc]
     profile = /var/kerberos/krb5kdc/kdc.conf

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }

==/etc/samba/smb.conf==

    security = ADS
    template shell = /bin/false
    template homedir = /home/%D/%U
    idmap uid = 1-2
    idmap gid = 1-2
    enhanced browsing = no
    winbind use default domain = yes

==hosts==

    10.10.10.2 fc5.company.com fc5
Re: [Samba] SSH and winbind authentication on Solaris 10
The answer is (weird) you cannot log in the first time from PUTTY. I brought my guinea pig to my Mac, had her log in via SSH one time, and now she can log in from putty.

On 7/20/06 6:39 PM, Gerald (Jerry) Carter [EMAIL PROTECTED] wrote:
> Burris, Celeste Suliin wrote:
> > I've googled my heart out, but I cannot see an example of ssh authentication with Active Directory and winbindd, particularly on Solaris 10. I have it working on Solaris 8 with telnet, but I'm trying to break my users of telnet.
>
> There's not much to it besides adding pam_winbind.so to your pam file and make sure to set 'template shell' to a valid shell on your system. The default in /bin/false.
>
> cheers, jerry
>
> Samba --- http://www.samba.org
> Centeris --- http://www.centeris.com
> What man is a man who does not make the world better? --
[Samba] Problem with tdb files.
Hi All: I have problems maintaining tdb files. From the samba doc, these files are classified into persistent and temporary. From the man page of smbd, these files are classified into persistent and not. However, there are some files that do not need to be backed up but need to be persistent (netsamlogon_cache.tdb), and some files that need to be backed up but do not need to be persistent (registry.tdb). There are also some .dat files mentioned in the samba FAQ that need to be deleted in particular cases (change of IP address). How can I maintain these tdb/dat files? Which files need to be deleted when samba restarts? Which files should be kept and backed up regularly? I believe some tdb files can't be kept because of size problems. I also noticed that joining a domain has problems if browse.dat and gencache.tdb keep wrong data. Please give me some advice. Thanks in advance, Latrell.
svn commit: samba r17154 - in branches/tmp/vl-messaging/source/lib: .
Author: jmcd Date: 2006-07-20 09:37:44 + (Thu, 20 Jul 2006) New Revision: 17154 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=17154 Log: From Aleksey Fedoseev: - add some more debug - correct the unpacking functions - one shared database can be used now by multiple processes - refactor clean database messages processing as a result: now smbd with locking via lockd passes tests on a single node server. Modified: branches/tmp/vl-messaging/source/lib/dbwrap_msg.c Changeset: Sorry, the patch is too large (885 lines) to include; please use WebSVN to see it! WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=17154
svn commit: samba r17155 - in branches/tmp/vl-messaging/source: . include libads passdb rpc_parse rpc_server services smbd utils
Author: vlendec Date: 2006-07-20 12:17:13 + (Thu, 20 Jul 2006) New Revision: 17155 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=17155 Log: merge -r17132:17154 Modified: branches/tmp/vl-messaging/source/Makefile.in branches/tmp/vl-messaging/source/configure.in branches/tmp/vl-messaging/source/include/ads_dns.h branches/tmp/vl-messaging/source/libads/dns.c branches/tmp/vl-messaging/source/passdb/pdb_interface.c branches/tmp/vl-messaging/source/passdb/pdb_ldap.c branches/tmp/vl-messaging/source/passdb/pdb_tdb.c branches/tmp/vl-messaging/source/rpc_parse/parse_lsa.c branches/tmp/vl-messaging/source/rpc_server/srv_samr_nt.c branches/tmp/vl-messaging/source/services/svc_winreg.c branches/tmp/vl-messaging/source/smbd/open.c branches/tmp/vl-messaging/source/utils/net_ads.c Changeset: Sorry, the patch is too large (1152 lines) to include; please use WebSVN to see it! WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=17155
svn commit: samba r17156 - in branches/SAMBA_4_0/source/lib/talloc: .
Author: metze Date: 2006-07-20 12:51:42 + (Thu, 20 Jul 2006) New Revision: 17156 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=17156 Log: check for the size of a pointer metze Modified: branches/SAMBA_4_0/source/lib/talloc/config.m4 Changeset: Modified: branches/SAMBA_4_0/source/lib/talloc/config.m4 === --- branches/SAMBA_4_0/source/lib/talloc/config.m4 2006-07-20 12:17:13 UTC (rev 17155) +++ branches/SAMBA_4_0/source/lib/talloc/config.m4 2006-07-20 12:51:42 UTC (rev 17156) @@ -11,3 +11,4 @@ AC_CHECK_SIZEOF(off_t,cross) AC_CHECK_SIZEOF(size_t,cross) AC_CHECK_SIZEOF(ssize_t,cross) +AC_CHECK_SIZEOF(void *,cross)
svn commit: samba r17157 - in branches/SAMBA_4_0/source/lib/talloc: .
Author: metze Date: 2006-07-20 14:35:41 + (Thu, 20 Jul 2006) New Revision: 17157 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=17157 Log: bail out if sizeof(size_t) sizeof(void *) metze Modified: branches/SAMBA_4_0/source/lib/talloc/config.m4 Changeset: Modified: branches/SAMBA_4_0/source/lib/talloc/config.m4 === --- branches/SAMBA_4_0/source/lib/talloc/config.m4 2006-07-20 12:51:42 UTC (rev 17156) +++ branches/SAMBA_4_0/source/lib/talloc/config.m4 2006-07-20 14:35:41 UTC (rev 17157) @@ -12,3 +12,7 @@ AC_CHECK_SIZEOF(size_t,cross) AC_CHECK_SIZEOF(ssize_t,cross) AC_CHECK_SIZEOF(void *,cross) + +if test $ac_cv_sizeof_size_t -lt $ac_cv_sizeof_void_p; then + AC_ERROR([sizeof(size_t) sizeof(void *)]) +fi
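Review bot: In the added `if test $ac_cv_sizeof_size_t -lt $ac_cv_sizeof_void_p` line, neither cache variable is quoted or checked for being set, so if either AC_CHECK_SIZEOF result is empty or non-numeric the `test` itself errors, the condition is treated as false, and configure carries on without the guard having run. Quote both variables and fail when either is empty, so the check fails closed. AC_ERROR is also the obsolete spelling; AC_MSG_ERROR is the current macro.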
svn commit: samba r17158 - in branches: SAMBA_3_0/source/utils SAMBA_3_0_23/source/utils
Author: jerry Date: 2006-07-20 14:39:06 + (Thu, 20 Jul 2006) New Revision: 17158 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=17158 Log: Add two new options to 'net ads join' * [EMAIL PROTECTED] * createcomputer=ou path top to bottom (this was previously the only arg) Modified: branches/SAMBA_3_0/source/utils/net_ads.c branches/SAMBA_3_0_23/source/utils/net_ads.c Changeset: Modified: branches/SAMBA_3_0/source/utils/net_ads.c === --- branches/SAMBA_3_0/source/utils/net_ads.c 2006-07-20 14:35:41 UTC (rev 17157) +++ branches/SAMBA_3_0/source/utils/net_ads.c 2006-07-20 14:39:06 UTC (rev 17158) @@ -928,7 +928,7 @@ static ADS_STATUS net_set_machine_spn(TALLOC_CTX *ctx, ADS_STRUCT *ads_s ) { ADS_STATUS status = ADS_ERROR(LDAP_SERVER_DOWN); - char *host_upn, *new_dn; + char *new_dn; ADS_MODLIST mods; const char *servicePrincipalName[3] = {NULL, NULL, NULL}; char *psp; @@ -964,9 +964,7 @@ return ADS_ERROR(LDAP_NO_MEMORY); } - /* Windows only creates HOST/shortname HOST/fqdn. We create - the UPN as well so that 'kinit -k' will work. You can only - request a TGT for entries with a UPN in AD. */ + /* Windows only creates HOST/shortname HOST/fqdn. */ if ( !(psp = talloc_asprintf(ctx, HOST/%s, machine_name)) ) goto done; 
@@ -979,9 +977,63 @@ goto done; servicePrincipalName[1] = psp; - if (!(host_upn = talloc_asprintf(ctx, [EMAIL PROTECTED], servicePrincipalName[0], ads_s-config.realm))) + if (!(mods = ads_init_mods(ctx))) { goto done; + } + + /* fields of primary importance */ + + ads_mod_str(ctx, mods, dNSHostName, my_fqdn); + ads_mod_strlist(ctx, mods, servicePrincipalName, servicePrincipalName); + status = ads_gen_mod(ads_s, new_dn, mods); + +done: + ads_msgfree(ads_s, res); + + return status; +} + +/*** + Set a machines dNSHostName and servicePrincipalName attributes + / + +static ADS_STATUS net_set_machine_upn(TALLOC_CTX *ctx, ADS_STRUCT *ads_s, const char *upn ) +{ + ADS_STATUS status = ADS_ERROR(LDAP_SERVER_DOWN); + char *new_dn; + ADS_MODLIST mods; + LDAPMessage *res = NULL; + char *dn_string = NULL; + const char *machine_name = global_myname(); + int count; + + if ( !machine_name ) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + /* Find our DN */ + + status = ads_find_machine_acct(ads_s, (void **)(void *)res, machine_name); + if (!ADS_ERR_OK(status)) + return status; + + if ( (count = ads_count_replies(ads_s, res)) != 1 ) { + DEBUG(1,(net_set_machine_spn: %d entries returned!\n, count)); + return ADS_ERROR(LDAP_NO_MEMORY); + } + + if ( (dn_string = ads_get_dn(ads_s, res)) == NULL ) { + DEBUG(1, (ads_add_machine_acct: ads_get_dn returned NULL (malloc failure?)\n)); + goto done; + } + + new_dn = talloc_strdup(ctx, dn_string); + ads_memfree(ads_s, dn_string); + if (!new_dn) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + /* now do the mods */ if (!(mods = ads_init_mods(ctx))) { @@ -990,8 +1042,7 @@ /* fields of primary importance */ - ads_mod_str(ctx, mods, dNSHostName, my_fqdn); - ads_mod_strlist(ctx, mods, servicePrincipalName, servicePrincipalName); + ads_mod_str(ctx, mods, userPrincipalName, upn); status = ads_gen_mod(ads_s, new_dn, mods); @@ -1001,7 +1052,6 @@ return status; } - /*** join a domain using ADS (LDAP mods) / 
@@ -1089,6 +1139,19 @@ return kerberos_secrets_store_des_salt( salt ); } +/* + utility function to parse an integer parameter from + parameter = value +**/ +static char* get_string_param( const char* param ) +{ + char *p; + + if ( (p = strchr( param, '=' )) == NULL ) + return NULL; + + return (p+1); +} /*** join a domain using ADS (LDAP mods) / @@ -1103,6 +1166,10 @@ struct cldap_netlogon_reply cldap_reply; TALLOC_CTX *ctx; DOM_SID
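Review bot: The error paths in the new net_set_machine_upn() (hunk @@ -979,9 +977,63 @@) are inconsistent. The `count != 1` branch and the `!new_dn` branch return directly and skip whatever cleanup `done:` performs (in net_set_machine_spn() that is `ads_msgfree(ads_s, res)`), while the `ads_get_dn() == NULL` branch jumps to `done` with `status` still holding the success value from ads_find_machine_acct(), so the caller is told the UPN was set when nothing was written. Set an error status before each `goto done` and route every exit after the search through `done`. The DEBUG strings and the header comment are copied from the SPN and add-machine code (`net_set_machine_spn`, `ads_add_machine_acct`, "dNSHostName and servicePrincipalName") and should name this function and userPrincipalName; LDAP_NO_MEMORY is also a misleading code for "wrong number of entries returned".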
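Review bot: get_string_param() (hunk @@ -1089,6 +1139,19 @@) is documented as parsing "an integer parameter" but returns the string after '='; fix the comment. It also takes `const char *param` and returns a non-const `char *` into the same buffer, and for an argument such as `createupn=` it returns a pointer to an empty string rather than NULL, so callers have to handle an empty value themselves. Returning `const char *` and documenting the empty-value case would make the contract clear.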
svn commit: samba r17159 - in branches: SAMBA_3_0/source/nsswitch SAMBA_3_0_23/source/nsswitch
Author: jerry Date: 2006-07-20 18:02:51 + (Thu, 20 Jul 2006) New Revision: 17159 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=17159 Log: Bug 3920: Restore wnibind use default domain behavior for domain groups. This break local users and 'winbind nested groups' on domain members. Cannot be helped. My plans is to move the default domain crud to the client code (pam and nss libraries) in 3.0.24. Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_group.c branches/SAMBA_3_0/source/nsswitch/winbindd_util.c branches/SAMBA_3_0_23/source/nsswitch/winbindd_group.c branches/SAMBA_3_0_23/source/nsswitch/winbindd_util.c Changeset: Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_group.c === --- branches/SAMBA_3_0/source/nsswitch/winbindd_group.c 2006-07-20 14:39:06 UTC (rev 17158) +++ branches/SAMBA_3_0/source/nsswitch/winbindd_group.c 2006-07-20 18:02:51 UTC (rev 17159) @@ -41,16 +41,9 @@ const char *gr_name, gid_t unix_gid) { fstring full_group_name; - BOOL can_assume = False; - /* I *hate* winbind use default domain Somehow I will figure out - how to remove this parameter.-jerry */ + fill_domain_username( full_group_name, dom_name, gr_name, True ); - if ( (lp_server_role() == ROLE_DOMAIN_MEMBER) strequal(dom_name, lp_workgroup() ) ) - can_assume = True; - - fill_domain_username( full_group_name, dom_name, gr_name, can_assume); - gr-gr_gid = unix_gid; /* Group name and password */ @@ -153,7 +146,7 @@ /* Append domain name */ - fill_domain_username(name, domain-name, the_name, False); + fill_domain_username(name, domain-name, the_name, True); len = strlen(name); @@ -759,7 +752,7 @@ /* Fill in group entry */ fill_domain_username(domain_group_name, ent-domain_name, -name_list[ent-sam_entry_index].acct_name, False); +name_list[ent-sam_entry_index].acct_name, True); result = fill_grent(group_list[group_list_ndx], ent-domain_name, 
@@ -936,7 +929,7 @@ groups.sam_entries)[i].acct_name; fstring name; - fill_domain_username(name, domain-name, group_name, False); + fill_domain_username(name, domain-name, group_name, True); /* Append to extra data */ memcpy(extra_data[extra_data_len], name, strlen(name)); Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_util.c === --- branches/SAMBA_3_0/source/nsswitch/winbindd_util.c 2006-07-20 14:39:06 UTC (rev 17158) +++ branches/SAMBA_3_0/source/nsswitch/winbindd_util.c 2006-07-20 18:02:51 UTC (rev 17159) @@ -812,14 +812,28 @@ /* Is this a domain which we may assume no DOMAIN\ prefix? */ -static BOOL assume_domain(const char *domain) { - if ((lp_winbind_use_default_domain() - || lp_winbind_trusted_domains_only()) - strequal(lp_workgroup(), domain)) - return True; +static BOOL assume_domain(const char *domain) +{ + /* never assume the domain on a standalone server */ - if (strequal(get_global_sam_name(), domain)) + if ( lp_server_role() == ROLE_STANDALONE ) + return False; + + /* domain member servers may possibly assume for the domain name */ + + if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) { + if ( !strequal(lp_workgroup(), domain) ) + return False; + + if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() ) + return True; + } + + /* only left with a domain controller */ + + if ( strequal(get_global_sam_name(), domain) ) { return True; + } return False; } @@ -832,7 +846,7 @@ if ( !p ) { fstrcpy(user, domuser); - + if ( assume_domain(lp_workgroup())) { fstrcpy(domain, lp_workgroup()); } else { Modified: branches/SAMBA_3_0_23/source/nsswitch/winbindd_group.c === --- branches/SAMBA_3_0_23/source/nsswitch/winbindd_group.c 2006-07-20 14:39:06 UTC (rev 17158) +++ branches/SAMBA_3_0_23/source/nsswitch/winbindd_group.c 2006-07-20 18:02:51 UTC (rev 17159) @@ -42,7 +42,7 @@ { fstring full_group_name; - fill_domain_username( full_group_name, dom_name, gr_name, False); + fill_domain_username(
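Review bot: In the rewritten assume_domain() (winbindd_util.c, hunk @@ -812,14 +812,28 @@) the comment `/* only left with a domain controller */` is not accurate: a domain member whose workgroup matches `domain` but which has neither 'winbind use default domain' nor 'winbind trusted domains only' set falls out of the ROLE_DOMAIN_MEMBER block and also reaches the `get_global_sam_name()` comparison. End the member block with an explicit `return False`, or document why the SAM-name comparison should apply to members, so that each server role's answer is decided in one place. Since this function decides when an unqualified name is treated as a domain name, each role's expected result deserves a comment line or a test.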
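Review bot: The fill_domain_username() call sites in winbindd_group.c now pass a literal `True`, and fill_grent() drops its own ROLE_DOMAIN_MEMBER / lp_workgroup() check (hunk @@ -41,16 +41,9 @@), so whether a group name loses its domain prefix is decided entirely by code outside these hunks. The log message says this breaks local users and 'winbind nested groups' on domain members; put that known regression and the bug number in a comment at fill_grent() so the next reader does not change the literal back without knowing why it is there.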
svn commit: samba r17160 - in branches/SAMBA_3_0_23/source/auth: .
Author: jerry Date: 2006-07-20 19:15:49 + (Thu, 20 Jul 2006) New Revision: 17160 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=17160 Log: merge r17022 from SAMBA_3_0. Thansk to Thomas Bork for pointing this out Modified: branches/SAMBA_3_0_23/source/auth/auth_util.c Changeset: Modified: branches/SAMBA_3_0_23/source/auth/auth_util.c === --- branches/SAMBA_3_0_23/source/auth/auth_util.c 2006-07-20 18:02:51 UTC (rev 17159) +++ branches/SAMBA_3_0_23/source/auth/auth_util.c 2006-07-20 19:15:49 UTC (rev 17160) @@ -955,7 +955,8 @@ return NT_STATUS_NO_MEMORY; } - if (server_info-was_mapped) { + if (((lp_server_role() == ROLE_DOMAIN_MEMBER) !winbind_ping()) || + server_info-was_mapped) { status = create_token_from_username(server_info, server_info-unix_name, server_info-guest,
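Review bot: The added `winbind_ping()` test makes the token-creation path depend on whether winbindd answers at the moment of the call, and nothing in the hunk records which path was taken. On a member server that normally runs winbindd, an outage would switch sessions to create_token_from_username() with no trace in the logs, and the resulting token may differ from the one built while winbindd is up. Add a DEBUG line when the fallback is taken and a comment stating which configuration this branch is meant for.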
svn commit: samba r17161 - in branches/SAMBA_3_0_RELEASE/source: auth nsswitch passdb rpc_server smbd utils
Author: jerry Date: 2006-07-20 19:44:11 + (Thu, 20 Jul 2006) New Revision: 17161 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=17161 Log: sync files from SAMBA_3_0_23 branch Modified: branches/SAMBA_3_0_RELEASE/source/auth/auth_util.c branches/SAMBA_3_0_RELEASE/source/nsswitch/winbindd_group.c branches/SAMBA_3_0_RELEASE/source/nsswitch/winbindd_util.c branches/SAMBA_3_0_RELEASE/source/passdb/pdb_interface.c branches/SAMBA_3_0_RELEASE/source/passdb/pdb_ldap.c branches/SAMBA_3_0_RELEASE/source/passdb/pdb_tdb.c branches/SAMBA_3_0_RELEASE/source/rpc_server/srv_samr_nt.c branches/SAMBA_3_0_RELEASE/source/smbd/open.c branches/SAMBA_3_0_RELEASE/source/utils/net_ads.c Changeset: Sorry, the patch is too large (888 lines) to include; please use WebSVN to see it! WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=17161
svn commit: samba r17162 - in branches: SAMBA_3_0/source/libsmb SAMBA_3_0/source/nsswitch SAMBA_3_0_23/source/libsmb SAMBA_3_0_23/source/nsswitch SAMBA_3_0_RELEASE/source/libsmb SAMBA_3_0_RELEASE/sour
Author: jerry Date: 2006-07-20 20:23:04 + (Thu, 20 Jul 2006) New Revision: 17162 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=17162 Log: Fix typo small typos noticed by Paul Green. Modified: branches/SAMBA_3_0/source/libsmb/clikrb5.c branches/SAMBA_3_0/source/nsswitch/winbindd_nss.h branches/SAMBA_3_0_23/source/libsmb/clikrb5.c branches/SAMBA_3_0_23/source/nsswitch/winbindd_nss.h branches/SAMBA_3_0_RELEASE/source/libsmb/clikrb5.c branches/SAMBA_3_0_RELEASE/source/nsswitch/winbindd_nss.h Changeset: Modified: branches/SAMBA_3_0/source/libsmb/clikrb5.c === --- branches/SAMBA_3_0/source/libsmb/clikrb5.c 2006-07-20 19:44:11 UTC (rev 17161) +++ branches/SAMBA_3_0/source/libsmb/clikrb5.c 2006-07-20 20:23:04 UTC (rev 17162) @@ -112,7 +112,7 @@ #ifndef HAVE_KRB5_SET_REAL_TIME /* - * Thir function is not in the Heimdal mainline. + * This function is not in the Heimdal mainline. */ krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds) { Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_nss.h === --- branches/SAMBA_3_0/source/nsswitch/winbindd_nss.h 2006-07-20 19:44:11 UTC (rev 17161) +++ branches/SAMBA_3_0/source/nsswitch/winbindd_nss.h 2006-07-20 20:23:04 UTC (rev 17162) @@ -45,7 +45,7 @@ #if defined(uint64) # define SMB_TIME_T uint64 #else -# define SMB_TIME_t time_t +# define SMB_TIME_T time_t #endif /* Socket commands */ Modified: branches/SAMBA_3_0_23/source/libsmb/clikrb5.c === --- branches/SAMBA_3_0_23/source/libsmb/clikrb5.c 2006-07-20 19:44:11 UTC (rev 17161) +++ branches/SAMBA_3_0_23/source/libsmb/clikrb5.c 2006-07-20 20:23:04 UTC (rev 17162) 
@@ -112,7 +112,7 @@ #ifndef HAVE_KRB5_SET_REAL_TIME /* - * Thir function is not in the Heimdal mainline. + * This function is not in the Heimdal mainline. */ krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds) { Modified: branches/SAMBA_3_0_23/source/nsswitch/winbindd_nss.h === --- branches/SAMBA_3_0_23/source/nsswitch/winbindd_nss.h2006-07-20 19:44:11 UTC (rev 17161) +++ branches/SAMBA_3_0_23/source/nsswitch/winbindd_nss.h2006-07-20 20:23:04 UTC (rev 17162) @@ -45,7 +45,7 @@ #if defined(uint64) # define SMB_TIME_T uint64 #else -# define SMB_TIME_t time_t +# define SMB_TIME_T time_t #endif /* Socket commands */ Modified: branches/SAMBA_3_0_RELEASE/source/libsmb/clikrb5.c === --- branches/SAMBA_3_0_RELEASE/source/libsmb/clikrb5.c 2006-07-20 19:44:11 UTC (rev 17161) +++ branches/SAMBA_3_0_RELEASE/source/libsmb/clikrb5.c 2006-07-20 20:23:04 UTC (rev 17162) @@ -112,7 +112,7 @@ #ifndef HAVE_KRB5_SET_REAL_TIME /* - * Thir function is not in the Heimdal mainline. + * This function is not in the Heimdal mainline. */ krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds) { Modified: branches/SAMBA_3_0_RELEASE/source/nsswitch/winbindd_nss.h === --- branches/SAMBA_3_0_RELEASE/source/nsswitch/winbindd_nss.h 2006-07-20 19:44:11 UTC (rev 17161) +++ branches/SAMBA_3_0_RELEASE/source/nsswitch/winbindd_nss.h 2006-07-20 20:23:04 UTC (rev 17162) @@ -45,7 +45,7 @@ #if defined(uint64) # define SMB_TIME_T uint64 #else -# define SMB_TIME_t time_t +# define SMB_TIME_T time_t #endif /* Socket commands */
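Review bot: The `SMB_TIME_t` to `SMB_TIME_T` change in winbindd_nss.h is more than a spelling fix and the log message should say so: before it, the `#else` branch defined a differently named macro, so on any platform where `uint64` is not defined `SMB_TIME_T` was left undefined by this block. State in the log which builds were affected, since the same one-line change goes into three branches.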
svn commit: samba r17163 - in branches/SAMBA_3_0_RELEASE: . source
Author: jerry Date: 2006-07-20 20:35:26 + (Thu, 20 Jul 2006) New Revision: 17163 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=17163 Log: correct version and save draf of release notes Modified: branches/SAMBA_3_0_RELEASE/WHATSNEW.txt branches/SAMBA_3_0_RELEASE/source/VERSION Changeset: Modified: branches/SAMBA_3_0_RELEASE/WHATSNEW.txt === --- branches/SAMBA_3_0_RELEASE/WHATSNEW.txt 2006-07-20 20:23:04 UTC (rev 17162) +++ branches/SAMBA_3_0_RELEASE/WHATSNEW.txt 2006-07-20 20:35:26 UTC (rev 17163) @@ -1,13 +1,41 @@ - == - Release Notes for Samba 3.0.23 -Jul 10, 2006 - == + === + Release Notes for Samba 3.0.23a + Jul 21, 2006 + === This is the latest stable release of Samba. This is the version that production Samba servers should be running for all current bug-fixes. Please read the changes in this section for details on new features and difference in behavior from previous releases. + +## +Changes +### + +Changes since 3.0.23 + + +commits +--- +o Jeremy Allison [EMAIL PROTECTED] + +o Gerald (Jerry) Carter [EMAIL PROTECTED] + +o Guenther Deschner [EMAIL PROTECTED] + +o Volker Lendecke [EMAIL PROTECTED] + + +Release Notes for older release follow: + + -- + + == + Release Notes for Samba 3.0.23 +Jul 10, 2006 + == + There has been a substantial amount of cleanup work done during this development cycle. We would like to thank both Coverity (http://www.coverity.com/) and Klocwork (http://www.klocwork.com/) 
@@ -155,68 +183,12 @@ wins partners Removed -Changes since 3.0.23rc3 +Changes since 3.0.22 + commits --- o Jeremy Allison [EMAIL PROTECTED] -* BUG 3858: Ensure that all files are removed by a wildcard - delete when 'hide unreadable = yes'. -* Fix various issues raised by the Klocwork code analyzer. -* Fix nmbd WINS serving bug causing duplicate IPs in the *1b - query reply (enhanced browsing = yes). -* Fix SMB signing failures in client tools. -* BUG 3909: Avoid EA lookups on MS-DFS links. - - -o Nicholas Brealey [EMAIL PROTECTED] -* Compile fix for pam_winbind. - - -o Gerald (Jerry) Carter [EMAIL PROTECTED] -* Use system provided killproc() in RedHat init scripts for - more robust shutdown. -* Fix a crash in the printer publishing code when adding a - new printer via the APW. -* Fix broken compile of unsupported smbwrapper utility. -* BUG 3905: Fix smbd startup failure caused by a failure to - create an NT token for the guest account. -* BUG 3908: Fix RPC bind authentication failure which broke - user password changes. -* Ensure that net ads join reports failure correctly if - it cannot set the machine account password. - - -o Guenther Deschner [EMAIL PROTECTED] -* Fix different extended_dn handling in adssearch.pl - (Thanks to Frederic Brin at Novell). -* Fix a memleak in winbindd's credentials cache. -* Protect against crashes in CLDAP request processing. -* Remove incomplete DfsEnum() info level to avoid an smbd crash. - - -o Volker Lendecke [EMAIL PROTECTED] -* Fix a memleak in the server registry code for enumeration - shares. -* Fix an invalid munlock() call in winbindd's credentials cache. -* Fix compile warnings when passing NULL to snprintf(). -* BUG 3915: Fall back to a pure unix user with S-1-22 SIDs in the - token in case anything weird is going on with the 'force user'. -* CVE-2006-3403: Fix minor memory exhaustion DoS in smbd. - - -o Jason Mader [EMAIL PROTECTED] -* Compiler warning fixes. 
- - -o Simo Sorce [EMAIL PROTECTED] -* Set the correct sid type when looking up a gid. - - -Changes since 3.0.22 - -o Jeremy Allison [EMAIL PROTECTED] * Fixes for various Klocwork defect reports. * Cleanup pdb_get_XXX() methods and ensure that a failure to allocate memory for a samu user structure is reported @@ -313,6 +285,13 @@ read fails (inspired by Justin Best). * BUG 3668: Workaround Windows bug with LARGE_READX where if you ask for exactly 64k bytes it returns 0. +* BUG 3858: Ensure that all files are removed by a wildcard + delete when 'hide unreadable = yes'. +* Fix various issues raised by the
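Review bot: The second WHATSNEW.txt hunk (@@ -155,68 +183,12 @@) deletes the whole "Changes since 3.0.23rc3" list, including the `CVE-2006-3403: Fix minor memory exhaustion DoS in smbd.` entry, and the part of the diff shown here only re-adds Jeremy Allison's items under "Changes since 3.0.22". Check that every removed entry, the CVE line in particular, reappears under its author in the merged list so the security fix stays findable in the release notes. The new 3.0.23a section also lists four authors with no entries, which is fine for a draft but should not ship.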
svn commit: samba r17164 - in tags: .
Author: jerry Date: 2006-07-20 20:49:06 + (Thu, 20 Jul 2006) New Revision: 17164 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=17164 Log: tagging final real copy of trunk for posterity (and svn annotate) Added: tags/trunk-final-update/ Changeset: Copied: tags/trunk-final-update (from rev 17033, trunk)
svn commit: samba r17165 - in branches/SAMBA_3_0_RELEASE: .
Author: jerry Date: 2006-07-20 21:22:06 + (Thu, 20 Jul 2006) New Revision: 17165 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=17165 Log: more changes to the release notes Modified: branches/SAMBA_3_0_RELEASE/WHATSNEW.txt Changeset: Modified: branches/SAMBA_3_0_RELEASE/WHATSNEW.txt === --- branches/SAMBA_3_0_RELEASE/WHATSNEW.txt 2006-07-20 20:49:06 UTC (rev 17164) +++ branches/SAMBA_3_0_RELEASE/WHATSNEW.txt 2006-07-20 21:22:06 UTC (rev 17165) @@ -5,10 +5,28 @@ This is the latest stable release of Samba. This is the version that production Samba servers should be running for all current -bug-fixes. Please read the changes in this section for details on -new features and difference in behavior from previous releases. +bug-fixes. Please read the changes in this section and for the +original 3.0.23 release regarding new features and difference +in behavior from previous releases. +Common bugs fixed in 3.0.23a include: + o Failure to strip the domain name from groups when 'winbind +use default domain = yes' + o Failure in pam_winbind to correctly parse arguments. + o Bad token creation of local users on member servers not +running winbindd. + o Failure to add users or groups to ACLs using the Windows +object picker. + +New features in 3.0.23a include: + + o New createupn option to net ads join + o Rewritten Kerberos keytab generation when 'use kerberos +keytab = yes' + + + ## Changes ### 
@@ -19,14 +37,64 @@ commits --- o Jeremy Allison [EMAIL PROTECTED] +* Fix memory leaks in the POSIX locking for for the Linux CIFS fs + client. +* Fix memory leaks in the AD schema parsing code. +* Fixed bug in interaction with Linux kernel oplocks. + o Gerald (Jerry) Carter [EMAIL PROTECTED] +* Rewrite the detection of the correct DES salting principal name + when joining an Active Directory Domain. +* Rewrite the keytab generation code based on existing SPN, + UPN, and sAMAccountName attributes in the AD machine object. +* Cleanup of dead code from idmap_ad. +* Fix Winbind 32bit/64bit portability issues. +* Fail 'net ads join' and disable the machine account if we cannot + set any SPNs for ourselves. +* Make sure to lower case all usernames before calling the create, + delete, or rename hooks. +* Preserve case for usernames in passdb +* Flush the getpwnam cache after renaming a user +* Add become/unbecome root block in _samr_delete_dom_user() when + trying to verify the account's existence. +* Changed 'net ads join' syntax for specifying an alternate + OU. New syntax is createcomputer=ou path top to bottom. +* Add createupn=[UPN] option to 'net ads join' for setting the + userPrincipalName attribute. +* Bug 3920: Restore winbind use default domain behavior for domain + groups. This break local users and 'winbind nested groups' on + domain members. + o Guenther Deschner [EMAIL PROTECTED] +* Don't clear the cache when starting winbindd in off line mode. +* Fix erron reporting in pam_winbind debug messages. +* BUG 3937: Fix segv in libnss_wins.so. + o Volker Lendecke [EMAIL PROTECTED] +* Fix memory leaks in the in error paths out of the CLDAP + request code. +* AIX portability fixes for DNS client code. +* BUG 3811, 3948: Fix alignment bug in on lsaquery. +* BUG 3949: Fixed authorization issue no domain member + servers not running winbindd. 
+o Andrew Tridgell [EMAIL PROTECTED] +* Fixed a bug which caused resolve_ads() to spin forever if + one of the DCs isn't resolvable in DNS. + + +o Simo Sorce [EMAIL PROTECTED] +* Debian packaging fixes. + + +o Dietrich Streifert [EMAIL PROTECTED] +* BUG 3916: Fix error parsing pam_winbind config arguments. + + Release Notes for older release follow: -- @@ -480,7 +548,7 @@ * Add help text for new 'net rpc audit' utility. * Add net ads search SID. * samrQueryDomainInfo level 5 should return the domain name, not our - netbios name when we are a DC. + NetBIOS name when we are a DC. * Add some more client rpc for the querydominfo calls (from samba4 idl). * Process all the supported info levels in the samr_query_domain_info2 call.
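Review bot: Several added entries in the 3.0.23a commit list (hunk @@ -19,14 +37,64 @@) have doubled or stray words: "POSIX locking for for the Linux CIFS fs client", "memory leaks in the in error paths", and "alignment bug in on lsaquery". The Bug 3920 entry states that the change breaks local users and 'winbind nested groups' on domain members, but the "Common bugs fixed" summary added in the first hunk lists only the fix; a known behaviour change like that belongs in the summary, where administrators will read it before upgrading.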
svn commit: samba r17166 - in branches/SAMBA_3_0_RELEASE: .
Author: jerry Date: 2006-07-20 22:27:03 + (Thu, 20 Jul 2006) New Revision: 17166 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=17166 Log: fixups based on comments from Volker Modified: branches/SAMBA_3_0_RELEASE/WHATSNEW.txt Changeset: Modified: branches/SAMBA_3_0_RELEASE/WHATSNEW.txt === --- branches/SAMBA_3_0_RELEASE/WHATSNEW.txt 2006-07-20 21:22:06 UTC (rev 17165) +++ branches/SAMBA_3_0_RELEASE/WHATSNEW.txt 2006-07-20 22:27:03 UTC (rev 17166) @@ -18,6 +18,7 @@ running winbindd. o Failure to add users or groups to ACLs using the Windows object picker. + o Failure in file serving code when 'kernel oplocks = yes'. New features in 3.0.23a include: @@ -69,7 +70,7 @@ o Guenther Deschner [EMAIL PROTECTED] * Don't clear the cache when starting winbindd in off line mode. -* Fix erron reporting in pam_winbind debug messages. +* Fix errno reporting in pam_winbind debug messages. * BUG 3937: Fix segv in libnss_wins.so. @@ -78,7 +79,7 @@ request code. * AIX portability fixes for DNS client code. * BUG 3811, 3948: Fix alignment bug in on lsaquery. -* BUG 3949: Fixed authorization issue no domain member +* BUG 3949: Fixed authorization issue on domain member servers not running winbindd.
Build status as of Fri Jul 21 00:00:02 2006
URL: http://build.samba.org/ --- /home/build/master/cache/broken_results.txt.old 2006-07-20 00:00:18.0 + +++ /home/build/master/cache/broken_results.txt 2006-07-21 00:00:09.0 + @@ -1,18 +1,18 @@ -Build status as of Thu Jul 20 00:00:02 2006 +Build status as of Fri Jul 21 00:00:02 2006 Build counts: Tree Total Broken Panic SOC 0 0 0 -ccache 34 6 0 -distcc 28 2 0 +ccache 33 6 0 +distcc 27 2 0 lorikeet-heimdal 0 0 0 ppp 17 0 0 -rsync28 0 0 +rsync27 0 0 samba3 0 0 samba-docs 0 0 0 samba4 38 26 4 -samba_3_037 26 3 +samba_3_036 23 1 smb-build24 24 0 -talloc 32 13 0 -tdb 29 10 0 +talloc 31 12 0 +tdb 28 9 0
svn commit: samba r17167 - in branches/SAMBA_4_0/source/lib/util: .
Author: abartlet Date: 2006-07-21 00:56:48 + (Fri, 21 Jul 2006) New Revision: 17167 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=17167 Log: indent Modified: branches/SAMBA_4_0/source/lib/util/data_blob.c Changeset: Modified: branches/SAMBA_4_0/source/lib/util/data_blob.c === --- branches/SAMBA_4_0/source/lib/util/data_blob.c 2006-07-20 22:27:03 UTC (rev 17166) +++ branches/SAMBA_4_0/source/lib/util/data_blob.c 2006-07-21 00:56:48 UTC (rev 17167) @@ -206,7 +206,7 @@ append some data to a data blob **/ _PUBLIC_ NTSTATUS data_blob_append(TALLOC_CTX *mem_ctx, DATA_BLOB *blob, - const void *p, size_t length) + const void *p, size_t length) { blob-data = talloc_realloc_size(mem_ctx, blob-data, blob-length + length);
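Review bot: The context line under the re-indented prototype computes `blob->length + length` with no check that the sum fits in size_t, and assigns the result of talloc_realloc_size() directly to `blob->data`. While this function is being touched, consider rejecting a length that would wrap before the realloc and keeping the old pointer until the allocation is known to have succeeded; the failure handling is outside the lines shown, so confirm it covers both cases.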
svn commit: samba r17168 - in branches/SAMBA_4_0/source/lib: socket tls
Author: abartlet Date: 2006-07-21 01:34:56 + (Fri, 21 Jul 2006) New Revision: 17168 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=17168 Log: Now that TLS (and soon SASL) is below the socket layer, we need to make the testnonblock skip some things. The socket *under* the tls socket is still tested. Andrew Bartlett Modified: branches/SAMBA_4_0/source/lib/socket/socket.c branches/SAMBA_4_0/source/lib/socket/socket.h branches/SAMBA_4_0/source/lib/tls/config.mk branches/SAMBA_4_0/source/lib/tls/tls.c Changeset: Modified: branches/SAMBA_4_0/source/lib/socket/socket.c === --- branches/SAMBA_4_0/source/lib/socket/socket.c 2006-07-21 00:56:48 UTC (rev 17167) +++ branches/SAMBA_4_0/source/lib/socket/socket.c 2006-07-21 01:34:56 UTC (rev 17168) @@ -66,6 +66,7 @@ /* by enabling testnonblock mode, all socket receive and send calls on non-blocking sockets will randomly recv/send less data than requested */ + if (!(flags SOCKET_FLAG_BLOCK) type == SOCKET_TYPE_STREAM lp_parm_bool(-1, socket, testnonblock, False)) { @@ -185,14 +186,21 @@ return NT_STATUS_NOT_IMPLEMENTED; } - if ((sock-flags SOCKET_FLAG_TESTNONBLOCK) wantlen 1) { - if (random() % 10 == 0) { - *nread = 0; - return STATUS_MORE_ENTRIES; + if ((sock-flags SOCKET_FLAG_TESTNONBLOCK) +wantlen 1) { + + /* The returning of 0 and MORE_ENTRIES is incompatible + with TLS and SASL sockets, as there is not a + constant event source to re-trigger the reads */ + + if (!(sock-flags SOCKET_FLAG_FAKE)) { + if (random() % 10 == 0) { + *nread = 0; + return STATUS_MORE_ENTRIES; + } } return sock-ops-fn_recv(sock, buf, 1+(random() % wantlen), nread); } - return sock-ops-fn_recv(sock, buf, wantlen, nread); } 
@@ -229,17 +237,21 @@ if (!sock-ops-fn_send) { return NT_STATUS_NOT_IMPLEMENTED; } - - if ((sock-flags SOCKET_FLAG_TESTNONBLOCK) blob-length 1) { - DATA_BLOB blob2 = *blob; + + if ((sock-flags SOCKET_FLAG_TESTNONBLOCK) +blob-length 1) { if (random() % 10 == 0) { *sendlen = 0; return STATUS_MORE_ENTRIES; } - blob2.length = 1+(random() % blob2.length); - return sock-ops-fn_send(sock, blob2, sendlen); + /* The variable size sends are incompatilbe with TLS and SASL +* sockets, which require re-sends to be consistant */ + if (!(sock-flags SOCKET_FLAG_FAKE)) { + DATA_BLOB blob2 = *blob; + blob2.length = 1+(random() % blob2.length); + return sock-ops-fn_send(sock, blob2, sendlen); + } } - return sock-ops-fn_send(sock, blob, sendlen); } Modified: branches/SAMBA_4_0/source/lib/socket/socket.h === --- branches/SAMBA_4_0/source/lib/socket/socket.h 2006-07-21 00:56:48 UTC (rev 17167) +++ branches/SAMBA_4_0/source/lib/socket/socket.h 2006-07-21 01:34:56 UTC (rev 17168) @@ -102,6 +102,7 @@ #define SOCKET_FLAG_BLOCK0x0001 #define SOCKET_FLAG_PEEK 0x0002 #define SOCKET_FLAG_TESTNONBLOCK 0x0004 +#define SOCKET_FLAG_FAKE 0x0008 /* This is an implementation not directly on top of a real socket */ struct socket_context { enum socket_type type; Modified: branches/SAMBA_4_0/source/lib/tls/config.mk === --- branches/SAMBA_4_0/source/lib/tls/config.mk 2006-07-21 00:56:48 UTC (rev 17167) +++ branches/SAMBA_4_0/source/lib/tls/config.mk 2006-07-21 01:34:56 UTC (rev 17168) @@ -5,7 +5,7 @@ tls.o \ tlscert.o PUBLIC_DEPENDENCIES = \ - LIBTALLOC GNUTLS LIBSAMBA-CONFIG + LIBTALLOC GNUTLS LIBSAMBA-CONFIG samba-socket # # End SUBSYSTEM LIBTLS Modified: branches/SAMBA_4_0/source/lib/tls/tls.c === --- branches/SAMBA_4_0/source/lib/tls/tls.c 2006-07-21 00:56:48 UTC (rev 17167) +++ branches/SAMBA_4_0/source/lib/tls/tls.c 2006-07-21 01:34:56 UTC (rev 17168) @@ -443,7 +443,8 @@ NTSTATUS nt_status; nt_status = socket_create_with_ops(socket, tls_socket_ops, new_sock, - SOCKET_TYPE_STREAM, 0); +
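Review bot: socket_recv() and socket_send() now treat SOCKET_FLAG_FAKE differently and the comments do not explain why. In socket_recv() the random `*nread = 0` / STATUS_MORE_ENTRIES return is skipped for fake sockets because there is no event source to re-trigger the read, but in socket_send() (hunk @@ -229,17 +237,21 @@) the equivalent `*sendlen = 0; return STATUS_MORE_ENTRIES;` still fires for them and only the variable-length send is skipped. Either move that early return inside the SOCKET_FLAG_FAKE test or add a comment saying why a zero-length send is safe to retry on TLS and SASL sockets. The new comment also has two typos, "incompatilbe" and "consistant".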
svn commit: samba r17169 - in branches/SAMBA_4_0/source/script/tests: .
Author: abartlet Date: 2006-07-21 01:35:26 + (Fri, 21 Jul 2006) New Revision: 17169 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=17169 Log: Test LDAP with testnonblock. Andrew Bartlett Modified: branches/SAMBA_4_0/source/script/tests/test_ldap.sh Changeset: Modified: branches/SAMBA_4_0/source/script/tests/test_ldap.sh === --- branches/SAMBA_4_0/source/script/tests/test_ldap.sh 2006-07-21 01:34:56 UTC (rev 17168) +++ branches/SAMBA_4_0/source/script/tests/test_ldap.sh 2006-07-21 01:35:26 UTC (rev 17169) @@ -24,7 +24,7 @@ . $incdir/test_functions.sh for p in $PROTOCOLS; do - for options in -U$USERNAME%$PASSWORD; do + for options in --option=socket:testnonblock=true -U$USERNAME%$PASSWORD --option=socket:testnonblock=true -U$USERNAME%$PASSWORD; do echo TESTING PROTOCOL $p with options $options testit RootDSE bin/ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER -s base DUMMY=x dnsHostName highestCommittedUSN || failed=`expr $failed + 1`
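Review bot: The new `for options in` list in test_ldap.sh, as it appears here, holds `--option=socket:testnonblock=true` and `-U$USERNAME%$PASSWORD` twice each with no quoting around any element, so the loop would iterate over four single words and never pass the option and the credentials together. If the intent is to run each test once with plain credentials and once with credentials plus testnonblock, each combination has to be a single list element, and the `testit` line has to expand `$options` in a way that still yields two separate arguments to ldbsearch.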
svn commit: samba r17170 - in branches/SAMBA_4_0/source/auth/ntlmssp: .
Author: abartlet Date: 2006-07-21 01:37:38 + (Fri, 21 Jul 2006) New Revision: 17170 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=17170 Log: Catch some more out-of-memory cases, and provide some clues when chasing down bad signatures that may be due to data truncation. Andrew Bartlett Modified: branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp_sign.c Changeset: Modified: branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp_sign.c === --- branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp_sign.c 2006-07-21 01:35:26 UTC (rev 17169) +++ branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp_sign.c 2006-07-21 01:37:38 UTC (rev 17170) @@ -110,6 +110,9 @@ memcpy(sig-data + 4, digest, 8); memcpy(sig-data + 12, seq_num, 4); + DEBUG(10, (NTLM2: created signature over %llu bytes of input:\n, (unsigned long long)pdu_length)); + dump_data(11, sig-data, sig-length); + } else { uint32_t crc; crc = crc32_calc_buffer(data, length); @@ -119,8 +122,10 @@ gensec_ntlmssp_state-crypt.ntlm.seq_num++; arcfour_crypt_sbox(gensec_ntlmssp_state-crypt.ntlm.arcfour_state, sig-data+4, sig-length-4); + + DEBUG(10, (NTLM1: created signature over %llu bytes of input:\n, (unsigned long long)length)); + dump_data(11, sig-data, sig-length); } - dump_data_pw(calculated ntlmssp signature\n, sig-data, sig-length); return NT_STATUS_OK; } 
@@ -179,26 +184,26 @@ if (local_sig.length != sig-length || memcmp(local_sig.data, sig-data, sig-length) != 0) { - DEBUG(5, (BAD SIG NTLM2: wanted signature of\n)); + DEBUG(5, (BAD SIG NTLM2: wanted signature over %llu bytes of input:\n, (unsigned long long)pdu_length)); dump_data(5, local_sig.data, local_sig.length); - DEBUG(5, (BAD SIG: got signature of\n)); + DEBUG(5, (BAD SIG: got signature over %llu bytes of input:\n, (unsigned long long)pdu_length)); dump_data(5, sig-data, sig-length); - DEBUG(0, (NTLMSSP NTLM2 packet check failed due to invalid signature!\n)); + DEBUG(0, (NTLMSSP NTLM2 packet check failed due to invalid signature on %llu bytes of input!\n, (unsigned long long)pdu_length)); return NT_STATUS_ACCESS_DENIED; } } else { if (local_sig.length != sig-length || memcmp(local_sig.data + 8, sig-data + 8, sig-length - 8) != 0) { - DEBUG(5, (BAD SIG NTLM1: wanted signature of\n)); + DEBUG(5, (BAD SIG NTLM1: wanted signature of %llu bytes of input:\n, (unsigned long long)length)); dump_data(5, local_sig.data, local_sig.length); - DEBUG(5, (BAD SIG: got signature of\n)); + DEBUG(5, (BAD SIG: got signature of %llu bytes of input:\n, (unsigned long long)length)); dump_data(5, sig-data, sig-length); - DEBUG(0, (NTLMSSP NTLM1 packet check failed due to invalid signature!\n)); + DEBUG(0, (NTLMSSP NTLM1 packet check failed due to invalid signature on %llu bytes of input:\n, (unsigned long long)length)); return NT_STATUS_ACCESS_DENIED; } } @@ -456,6 +461,9 @@ if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) { *out = data_blob_talloc(sig_mem_ctx, NULL, in-length + NTLMSSP_SIG_SIZE); + if (!out-data) { + return NT_STATUS_NO_MEMORY; + } memcpy(out-data + NTLMSSP_SIG_SIZE, in-data, in-length); nt_status = gensec_ntlmssp_seal_packet(gensec_security, sig_mem_ctx, 
@@ -473,6 +481,9 @@ } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { *out = data_blob_talloc(sig_mem_ctx, NULL, in-length + NTLMSSP_SIG_SIZE); + if (!out-data) { + return NT_STATUS_NO_MEMORY; + } memcpy(out-data + NTLMSSP_SIG_SIZE, in-data, in-length); nt_status = gensec_ntlmssp_sign_packet(gensec_security, sig_mem_ctx,
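Review bot: In the signing hunks of ntlmssp_sign.c (@@ -110,6 +110,9 @@ and the one following it) the single `dump_data_pw(...)` call is removed and replaced by `dump_data(11, ...)` on both the NTLM2 and NTLM1 paths, which the log message does not mention. If the `_pw` variant was used to keep signature bytes out of ordinary debug output, this changes what a level 11 log contains; please confirm that is intended and note it in the commit log.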
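Review bot: The reworded messages in the check hunk (@@ -179,26 +184,26 @@) are not consistent between the two branches: the NTLM2 lines say "signature over %llu bytes of input" while the NTLM1 lines say "signature of %llu bytes of input", and the NTLM1 level 0 message now ends in ":\n" although no dump follows it, where the NTLM2 one ends in "!\n". Since these strings are meant as clues when chasing truncation, identical wording on both paths would make them easier to grep and compare.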
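Review bot: The two added NT_STATUS_NO_MEMORY checks (@@ -456,6 +461,9 @@ and @@ -473,6 +481,9 @@) catch a failed allocation, but nothing in these hunks bounds the input length before it is added to NTLMSSP_SIG_SIZE for data_blob_talloc, and the memcpy on the next line trusts that sum. A short comment on where the length is bounded, or an explicit check before the allocation, would make the out-of-memory handling complete.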
svn commit: samba r17171 - in branches/SAMBA_4_0/source/auth/gensec: .
Author: abartlet Date: 2006-07-21 01:44:24 + (Fri, 21 Jul 2006) New Revision: 17171 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=17171 Log: Add a gensec function to determine the maximum negotiated buffer size, and the maximum amount of user data that may be fitted into that. This is used in the new SASL code, to correctly honour SASL buffer sizes. Andrew Bartlett Modified: branches/SAMBA_4_0/source/auth/gensec/gensec.c branches/SAMBA_4_0/source/auth/gensec/gensec.h branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c Changeset: Modified: branches/SAMBA_4_0/source/auth/gensec/gensec.c === --- branches/SAMBA_4_0/source/auth/gensec/gensec.c 2006-07-21 01:37:38 UTC (rev 17170) +++ branches/SAMBA_4_0/source/auth/gensec/gensec.c 2006-07-21 01:44:24 UTC (rev 17171) @@ -815,6 +815,24 @@ return gensec_security-ops-sig_size(gensec_security, data_size); } +size_t gensec_max_input_size(struct gensec_security *gensec_security) +{ + if (!gensec_security-ops-max_input_size) { + return (1 17) - gensec_sig_size(gensec_security, 1 17); + } + + return gensec_security-ops-max_input_size(gensec_security); +} + +size_t gensec_max_wrapped_size(struct gensec_security *gensec_security) +{ + if (!gensec_security-ops-max_wrapped_size) { + return (1 17); + } + + return gensec_security-ops-max_wrapped_size(gensec_security); +} + _PUBLIC_ NTSTATUS gensec_wrap(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx, const DATA_BLOB *in, Modified: branches/SAMBA_4_0/source/auth/gensec/gensec.h === --- branches/SAMBA_4_0/source/auth/gensec/gensec.h 2006-07-21 01:37:38 UTC (rev 17170) +++ branches/SAMBA_4_0/source/auth/gensec/gensec.h 2006-07-21 01:44:24 UTC (rev 17171) 
@@ -78,6 +78,8 @@ const uint8_t *whole_pdu, size_t pdu_length, DATA_BLOB *sig); size_t (*sig_size)(struct gensec_security *gensec_security, size_t data_size); + size_t (*max_input_size)(struct gensec_security *gensec_security); + size_t (*max_wrapped_size)(struct gensec_security *gensec_security); NTSTATUS (*check_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx, const uint8_t *data, size_t length, const uint8_t *whole_pdu, size_t pdu_length, Modified: branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c === --- branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c 2006-07-21 01:37:38 UTC (rev 17170) +++ branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c 2006-07-21 01:44:24 UTC (rev 17171) @@ -67,8 +67,13 @@ uint8_t sasl_protection; /* What was negotiated at the SASL * layer, independent of the GSSAPI * layer... */ + + size_t max_wrap_buf_size; }; +static size_t gensec_gssapi_max_input_size(struct gensec_security *gensec_security); +static size_t gensec_gssapi_max_wrapped_size(struct gensec_security *gensec_security); + static char *gssapi_error_string(TALLOC_CTX *mem_ctx, OM_uint32 maj_stat, OM_uint32 min_stat) { @@ -129,6 +134,9 @@ return NT_STATUS_NO_MEMORY; } + gensec_gssapi_state-max_wrap_buf_size + = lp_parm_int(-1, gensec_gssapi, max wrap buf size, 65535); + gensec_gssapi_state-sasl = False; gensec_gssapi_state-sasl_state = STAGE_GSS_NEG; @@ -490,6 +498,7 @@ } break; } + /* These last two stages are only done if we were invoked as SASL */ case STAGE_SASL_SSF_NEG: { @@ -497,11 +506,17 @@ case GENSEC_CLIENT: { uint8_t maxlength_proposed[4]; + uint8_t maxlength_accepted[4]; uint8_t security_supported; int conf_state; gss_qop_t qop_state; input_token.length = in.length; input_token.value = in.data; + + /* As a client, we have just send a +* zero-length blob to the server (after the +* normal GSSAPI exchange), and it has replied +* with it's SASL negotiation */ maj_stat = gss_unwrap(min_stat, gensec_gssapi_state-gssapi_context, 
@@ -521,10 +536,14 @@ memcpy(maxlength_proposed,
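Review bot: In the gensec.c hunk (@@ -815,6 +815,24 @@) the fallback limit, a shift by 17, is written out three times across gensec_max_input_size and gensec_max_wrapped_size with no name or comment saying where the value comes from. A single named constant would keep the two defaults in step, and gensec_max_input_size should state what happens if the mechanism's signature size exceeds that limit, since the subtraction is done in size_t. Neither new function carries the `_PUBLIC_` marker that gensec_wrap has just below, nor a doc comment describing the contract for callers.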
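Review bot: In gensec_gssapi.c (@@ -129,6 +134,9 @@) the result of `lp_parm_int(-1, gensec_gssapi, max wrap buf size, 65535)` is stored straight into the new `size_t max_wrap_buf_size` field with no range check. A zero or negative configured value would turn into a limit of zero or a very large unsigned number; clamp it to a sane range at this point. The new client-side comment in the STAGE_SASL_SSF_NEG hunk also has two slips, "have just send" and "it's SASL negotiation".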
svn commit: samba r17172 - in branches/SAMBA_3_0: .
Author: jht Date: 2006-07-21 01:58:17 + (Fri, 21 Jul 2006) New Revision: 17172 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=17172 Log: Fix typo. Modified: branches/SAMBA_3_0/MAINTAINERS Changeset: Modified: branches/SAMBA_3_0/MAINTAINERS === --- branches/SAMBA_3_0/MAINTAINERS 2006-07-21 01:44:24 UTC (rev 17171) +++ branches/SAMBA_3_0/MAINTAINERS 2006-07-21 01:58:17 UTC (rev 17172) @@ -7,7 +7,7 @@ responsible for 3rd party projects that work with Samba (e.g. vfs modules). -Note that this list is for you benefit, but please do not +Note that this list is for your benefit, but please do not abuse it by constantly emailing a stream of help questions to the maintainers. Some are more open to direct communication than others and some struggle with enormous
svn commit: samba r17173 - in branches/SAMBA_4_0/source/auth/gensec: .
Author: abartlet Date: 2006-07-21 02:05:45 + (Fri, 21 Jul 2006) New Revision: 17173 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=17173 Log: Check for oversize output, not oversize input, and fix the GSSAPI mech to work (it broke it in the previous commit). Andrew Bartlett Modified: branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c Changeset: Modified: branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c === --- branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c 2006-07-21 01:58:17 UTC (rev 17172) +++ branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c 2006-07-21 02:05:45 UTC (rev 17173) @@ -741,16 +741,6 @@ input_token.length = in-length; input_token.value = in-data; - if (gensec_gssapi_state-sasl) { - size_t max_input_size = gensec_gssapi_max_input_size(gensec_security); - if (max_input_size in-length) { - DEBUG(1, (gensec_gssapi_wrap: INPUT data (%u) is larger than SASL negotiated maximum size (%u)\n, - in-length, - (unsigned int)max_input_size)); - } - return NT_STATUS_INVALID_PARAMETER; - } - maj_stat = gss_wrap(min_stat, gensec_gssapi_state-gssapi_context, gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL), @@ -767,6 +757,17 @@ *out = data_blob_talloc(mem_ctx, output_token.value, output_token.length); gss_release_buffer(min_stat, output_token); + if (gensec_gssapi_state-sasl) { + size_t max_wrapped_size = gensec_gssapi_max_wrapped_size(gensec_security); + if (max_wrapped_size out-length) { + DEBUG(1, (gensec_gssapi_wrap: when wrapped, INPUT data (%u) is grew to be larger than SASL negotiated maximum output size (%u %u)\n, + in-length, + out-length, + (unsigned int)max_wrapped_size)); + return NT_STATUS_INVALID_PARAMETER; + } + } + if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL) !conf_state) { return NT_STATUS_ACCESS_DENIED;
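Review bot: In the added block of gensec_gssapi.c (@@ -767,6 +757,17 @@) the DEBUG(1, ...) call passes the input length and the output length to `%u` without a cast, while only `max_wrapped_size` is cast to unsigned int; the three arguments should be handled the same way so the format matches on platforms where the length type is wider than unsigned int. The message text itself needs a pass too: "is grew to be larger" and the trailing "(%u %u)" do not say which number is the wrapped size and which is the limit. The check now runs after `*out` has been allocated, so a caller that gets NT_STATUS_INVALID_PARAMETER is still handed a populated blob; say in a comment whether that is intended.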