Re: [Samba] Must restart Samba regularly because saving files stops working

2006-07-20 Thread Roel Slegers

On 2006/7/19, Volker Lendecke [EMAIL PROTECTED] wrote:

On Wed, Jul 19, 2006 at 06:42:30PM +0200, Roel Slegers wrote:
 When you say tuning tcp parameters could you point me in the right
 direction please? Are you talking about tuning the HP-UX kernel, or

This would be the kernel first. smb.conf does not do
anything here. But I don't know enough about HP/UX to know how to
tune it. You need to give the TCP/IP more space, but
what exactly needs tuning I can't tell from here.

Volker



Thanks Volker,
We'll see what we can find in our kernel parameters.

Roel

PS: Sorry but I forgot to send a copy of my previous message to the
samba list, so I include that now:



On Wed, Jul 19..., Roel Slegers wrote:
Hi, and thanks.

That No buffer space available message is something we've always had
on our test servers, also on servers with plenty of RAM running only
samba with maybe 1 or 2 pc's connected. And this with the various
samba versions (2.x - 3.x) we've experimented with in the past.
So IMHO I do not think this is RAM related. But to make sure we should
maybe resolve this before looking any further.
When you say tuning tcp parameters could you point me in the right
direction please? Are you talking about tuning the HP-UX kernel, or
about tuning smb.conf? Do you know of some documentation that can help
do this?

BTW googling seems to show that this No buffer space available
especially occurs a lot on HP-UX 11 servers; is that possible?

PS: sorry for the upper case...

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] samba as pdc in Ubuntu dapper, fails on ps$ join?

2006-07-20 Thread Lachlan Simpson
Hola, 

I've done everything as correct as I can see in smb.conf under fresh ubuntu
6.06 fully updated install to have it run as a PDC on hostname florentine,
domain DAVEYST.

There are no testparm errors.

I've added users with useradd and smbpasswd -a
I've added machines with useradd and smbpasswd -a -m

I can see the server in my network neighbourhood and access/browse folders on
the samba server using a linux account login within the network neighbourhood.

However, when I try to go to My computer properties --- computer name ---
Change.., and then put in my domain name and computer name and when prompted
use root account and password (or any account and password) I get an Access
Denied error.

I've attached a log level = 10 tar.gz of the /var/log/samba/smbd.log of
everything that happens when I do this process on the workstation (hostname =
robin, ie robin$) - it's quite long, but it also seems to be successful - see
below for abridged listing.

I've been on the ubuntu forums where they suggested I should install quota -
but I don't think that installing quota would solve my problems.

Has anyone seen anything like this before, or know why despite my smb-log
having the like of:

[2006/07/15 15:57:41, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user [EMAIL PROTECTED] with the new password interface
[2006/07/15 15:57:41, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [EMAIL PROTECTED]


[2006/07/15 15:57:41, 3] passdb/lookup_sid.c:fetch_sid_from_gid_cache(267)
  fetch sid from gid cache 0 - S-1-5-21-3923429160-1838912494-2447857936-512


[2006/07/15 15:57:41, 3] auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: sam authentication for user [root] succeeded
...
...
[2006/07/15 15:57:41, 2] auth/auth.c:check_ntlm_password(307)
  check_ntlm_password:  authentication for user [root] - [root] - [root] succeeded


[2006/07/15 15:59:43, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user [EMAIL PROTECTED] with the new password interface
[2006/07/15 15:59:43, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [EMAIL PROTECTED]


[2006/07/15 15:59:43, 3] smbd/service.c:make_connection_snum(488)
  Connect path is '/tmp' for service [IPC$]
[2006/07/15 15:59:43, 3] lib/util_seaccess.c:se_access_check(250)
[2006/07/15 15:59:43, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-5-21-3923429160-1838912494-2447857936-501
  se_access_check: also S-1-5-21-3923429160-1838912494-2447857936-514
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-32-546


[2006/07/15 15:59:43, 3] smbd/process.c:timeout_processing(1447)
  timeout_processing: End of file from client (client has disconnected).
[2006/07/15 15:59:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/07/15 15:59:43, 2] smbd/server.c:exit_server(614)
  Closing connections
[2006/07/15 15:59:43, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to 
[2006/07/15 15:59:43, 3] smbd/server.c:exit_server(655)
  Server exit (normal exit)


any ideas?

smb.conf follows:

#=== Global Settings ===

[global]
   workgroup = DAVEYST
   netbios name = florentine
   server string = %h server (Samba, Ubuntu)
   wins support = yes
   dns proxy = no
   name resolve order = wins bcast hosts
   security = user
   encrypt passwords = true
   username map = /etc/samba/smbusers
   unix password sync = yes
;   passdb backend = tdbsam
   obey pam restrictions = yes
;   guest account = nobody
   invalid users = root
   log file = /var/log/samba/smdb.log
   log level = 3
   max log size = 1  
   time server = Yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
   veto oplock files = \*.prm\*.mdb\*.mda
   pam password change = yes
   domain logons = yes
#   domain admin group = root @admin administrator
   preferred master = yes
   local master = yes
   os level = 65

# Useradd scripts
   add user script = /usr/sbin/useradd -m %u
   delete user script = /usr/sbin/userdel -r %u
   add group script = /usr/sbin/groupadd %g
   delete group script = /usr/sbin/groupdel %g
   add user to group script = /usr/sbin/usermod -G %g %u
   add machine script = /usr/sbin/useradd -s /bin/false/ -d /var/lib/nobody %u


   logon path = \\%N\%U\profile

   logon drive = H:
   logon home = \\%N\%U

   logon script = startnet.bat

   socket options = TCP_NODELAY SO_RCVBUF=8191 SO_SNDBUF=8192

   domain master = yes 

   idmap uid = 1-2
   idmap gid = 1-2
   template shell = /bin/bash

#=== Share Definitions ===

[homes]
   comment = Home Directories
   

Re: [Samba] ArcView + Samba: Performance nightmare under Linux, ok under Solaris or HP-UX

2006-07-20 Thread Volker Lendecke
On Wed, Jul 19, 2006 at 04:00:00PM +0200, Andreas Haumer wrote:
 Any comments?

No, except a big thanks for this analysis. It is always nice
to see that this completely paranoid hunt for the 100%
compatibility that can be very exhausting sometimes does pay
off.

Volker



Re: [Samba] samba as pdc in Ubuntu dapper, fails on ps$ join?

2006-07-20 Thread Lachlan Simpson
ok, this time with attachment, sorry :)

L.


[Samba] Re: samba Digest, Vol 43, Issue 26

2006-07-20 Thread Ben Stewart
Hello: I'm away on holidays right now!
If this is an Urgent ticket please submit a repair ticket
here http://ts.sd57.bc.ca

I will be checking  my mail still every few days

Or Page #613-4732

Thanks
Benny.nerd



Re: [Samba] Excluding directories from a read-only = yes

2006-07-20 Thread Michael Gasch

i think it's hard in smb.conf without using ACLs provided by the filesystem.

can you use veto files, or must your users be able to see those 
thousands of folders, too?


greez

Ed Curtis wrote:

I have a share with thousands of folders. In each of those folders there
is another directory named 'files'. I want to be able to lock down these
thousands of folders but allow r/w access to the 'files' folders inside of
them. Is there any way to do this in smb.conf?

Thanks,

Ed






Re: [Samba] Cifs Mount w/ACL

2006-07-20 Thread Michael Gasch

this tool could be a possible workaround
http://de.samba.org/samba/docs/man/manpages-3/smbcacls.1.html

greez

Max Kipness wrote:

Hello -

I've tried doing some research of previous posts and can't seem to figure
out how this may be done.

Basically I would like to mount a Windows XP share (using cifs.mount) on a
Fedora 4 server, and by doing a stat on any file in that mounted share,
be able to see the windows acl permissions/owner.

Is this possible? And if so, how?

Thanks,
Max





[Samba] Samba 3.0.22 freez share

2006-07-20 Thread Marek Dabrowski

Hello

I have problem with my samba server... My configuration:
system: CentOS release 4.2 (Final)
kernel: 2.6.9-22.0.1.ELsmp
samba: 3.0.22 (compiled by myself)
server: HP DL380 G3 2xIntel(R) Xeon(TM) CPU 3.40GHz
ram: 4GB

This server is working in a cluster with another one. They have access 
to storage (SAN fibre channel). File system is GFS.


Problem with samba - sometimes some shares don't respond to clients. 
It looks like a freeze. Sometimes it's with all share, sometimes a selected 
directory. In that situation the client (windows 2000, XP) must ALT+CTRL+DEL 
to kill the explorer process and connect again. Users read/write to share 
typical documents *.doc, *.xls, *.pdf.


I have no idea when that problem occurs. Could you suggest a solution?


Sorry for my english.
Regards
Marek


[Samba] pdbedia and password policy

2006-07-20 Thread Komal Shah

Hello,

I need to be able to change this: Password must change: Sat, 20 Dec 
02:15:51 GMT


Apparently the pdbedit utility should be able to change it but I'm not 
sure of the syntax to use.


Thanks

Regards,

Komal


[Samba] Home directories

2006-07-20 Thread Madhu Kumar
Hi ,

I have a small requirement , I have a samba setup on my server with
the following configuration in [homes] share : 

[homes]
comment = Home Directories
browseable = no
writable = yes
path = /home/%u
valid users = %u root
force user = %u

I have added samba and linux users and done all the configuration and
shares are visible in windows.

When a user logs on the machine only his home directory should be
visible.

Since I have multiple users who use the windows machines, if I log out
say from some machine and if I log in once again on the same machine
with a different user the previous user's home directory is still
visible with the current user's home directory. I need to resolve it. How
could I change my [homes] configuration to do this?

Thanks in advance 

Regards

Madhavan






[Samba] Wins problems

2006-07-20 Thread Dariusz Dwornikowski
I am experiencing annoying problems.

Minimum 2 times per hour samba is stopping serving as WINS server.
BOSS is my PDC:


boss nmblookup BOSS
no results found
boss net lookup dc
(nothing)

also other computers using BOSS as wins server cannot find it and also a
domain controller.
after stopping and starting samba it works for some time.


my smb.conf tdi.kill-9.pl/smb.conf


-- 
Regards,
Dariusz Dwornikowski  Network Administrator
Cognifide Poland




[Samba] setdriver fails with WERR_ACCESS_DENIED

2006-07-20 Thread Flavien
Hi,



I'm using samba 3.0.22 on a Linux/Debian machine.

I'm trying to get printer drivers on the server automatically picked by
the XP clients on the server.

$ rpcclient  localhost -U flavien -c 'enumdrivers'
Password:
[Windows NT x86]
Printer Driver Info 1:
Driver Name: [hp1]

The user flavien has PrintOperator privileges :
$ net rpc rights list flavien -U flavien
Password:
SePrintOperatorPrivilege
SeDiskOperatorPrivilege

I try to set the driver to the printer :
$ rpcclient  localhost -U flavien -c 'setdriver hp1 hp1'
Password:
result was WERR_ACCESS_DENIED


Something that looks suspicious to me :

$ rpcclient  localhost -U flavien -c 'getdriverdir Windows NT x86'
Password:
Directory Name:[\\LOCALHOST\print$\W32X86]


Shouldn't it be the netbios name of the server instead of LOCALHOST ?

FWIW, the /etc/samba/drivers dir is writeable by flavien


I'm pretty stuck here now. Any help appreciated.


Flavien.


[Samba] Re: samba Digest, Vol 43, Issue 27

2006-07-20 Thread Ben Stewart
Hello: I'm away on holidays right now!
If this is an Urgent ticket please submit a repair ticket
here http://ts.sd57.bc.ca

I will be checking  my mail still every few days

Or Page #613-4732

Thanks
Benny.nerd



[Samba] Cannot add ACL entry in Windows.

2006-07-20 Thread Linus Lund

Hello,

Just upgraded from Samba 3.0.22 to 3.0.23, running on a SlackWare Linux 
Box with a 2.4.31 kernel. All Unix users and samba users are stored in 
ldap. Using setfacl renders correct user/groups in the windows acl 
editor, and works perfectly. However, when I try to add a user/group in 
the Security tab for a share/folder I get the following message


The program cannot open the required dialog box because it cannot 
determine whether the computer named fileserv is joined to a domain. 
Close this message and try again.


Followed by
The system cannot find text for message 0x%1 in the message file for %2.

The error occurs with all users, tested on windows xp SP2 and windows 
2k3 SP1. The problem occurred in samba 3.0.23, was not present in samba 
3.0.22. The improved group handling in samba 3.0.23 makes me reluctant 
to downgrading though.


Anyone got any ideas what to test/do?

Regards,
Linus


[Samba] 3.0.23 for Debian Sarge: LDAP problems

2006-07-20 Thread Uwe Laverenz
Hi,

I always prefer the Samba packages for Debian-Stable from the
Samba-Team and I never had a problem so far (thank you, Simo!).

Yesterday I updated from 3.0.22 to 3.0.23 in my LDAP-based network. I
updated samba.schema, added index sambaSID eq,sub to my slapd.conf
and ran slapindex. When I started slapd and samba afterwards, I saw
error messages like these (from smbd.log):

[2006/07/20 00:14:36, 0] lib/smbldap.c:smb_ldap_setup_conn(638)
  ldap_initialize: Time limit exceeded
[2006/07/20 00:14:36, 1] lib/smbldap.c:another_ldap_try(1150)
  Connection to LDAP server failed for the 1 try!
[2006/07/20 00:14:37, 0] lib/smbldap.c:smb_ldap_setup_conn(638)
  ldap_initialize: Time limit exceeded
[2006/07/20 00:14:37, 1] lib/smbldap.c:another_ldap_try(1150)
  Connection to LDAP server failed for the 2 try!
...
... [message repeated several times]
...
[2006/07/20 00:14:50, 1] lib/smbldap.c:another_ldap_try(1150)
  Connection to LDAP server failed for the 15 try!
[2006/07/20 00:14:51, 0] lib/smbldap.c:smb_ldap_setup_conn(638)
  ldap_initialize: Time limit exceeded
[2006/07/20 00:14:51, 0] smbd/server.c:main(960)
  ERROR: failed to setup guest info.

So Samba/smbd does not work anymore. The same errors occur when I run
the net command:

athena:~# net groupmap list
[2006/07/20 14:14:48, 0] lib/smbldap.c:smb_ldap_setup_conn(638)
  ldap_initialize: Time limit exceeded
[2006/07/20 14:14:49, 0] lib/smbldap.c:smb_ldap_setup_conn(638)
  ldap_initialize: Time limit exceeded
...
... [message repeated several times]
...
[2006/07/20 14:15:18, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(3039)
  ldapsam_setsamgrent: LDAP search failed: Time limit exceeded
[2006/07/20 14:15:18, 0] passdb/pdb_ldap.c:ldapsam_enum_group_mapping(3111)
  ldapsam_enum_group_mapping: Unable to open passdb


Switching back to the previous slapd.conf and samba.schema doesn't work,
disabling TLS did not help either. The slapd can be connected with any
other non-Samba tool (ldapsearch, phpldapadmin).

Does anybody have an idea what the problem might be?

thank you,
Uwe



Re: [Samba] Cannot add ACL entry in Windows.

2006-07-20 Thread Gerald (Jerry) Carter

Linus Lund wrote:
 Hello,
 
 Just upgraded from Samba 3.0.22 to 3.0.23, running on a SlackWare Linux
 Box with a 2.4.31 kernel. All Unix users and samba users are stored in
 ldap. Using setfacl renders correct user/groups in the windows acl
 editor, and works perfectly. However, when I try to add a user/group in
 the Security tab for a share/folder I get the following message
 
 The program cannot open the required dialog box because it cannot
 determine whether the computer named fileserv is joined to a domain.
 Close this message and try again.

Already fixed in the upcoming 3.0.23a code which should be out
tomorrow.  One more bug to fix.






cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian


[Samba] Re: Samba 3.0.23 winbind use default domain = yes behaviour

2006-07-20 Thread John
Hi Dietrich,

I tried the patch and at first it looked like it worked OK, but it breaks 
the support of BUILTIN groups.
With stripping the domain, I lost also the support of the BUILTIN groups.

When tested on a machine with an unpatched 3.0.23 BUILTIN groups work.



Dietrich Streifert [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]
Hi John,

this is already filed as a bug:

https://bugzilla.samba.org/show_bug.cgi?id=3920

and Jerry is working on it.

I've attached an unofficial, unsupported patch against release 3.0.23
of nsswitch/winbindd_group.c which reverted the change and worked for me.



John wrote:
 Hello list,

 I encountered a problem in Samba 3.0.23 regarding the winbind use default
 domain = yes behaviour.
 It only works for the users and NOT anymore for the Group. So this makes
 getent group show NETBIOSDOMAINNAME/group which causes my squid
 configuration to fail. My squid configuration allowed access based on the
 AD groups, which are provided by Winbindd.
 Tested distribution:
 SuSE 9.0, CentOS 4.3
 Samba build: Sernet 3.0.23
 Is this a bug or is this by design? Does anybody know a way to getent
 group to honour the winbind use default domain = yes option?

 Regards,
 John
 The Netherlands.





-- 
Kind regards
Dietrich Streifert
Visionet GmbH







 --- samba-3.0.23.orig/source/nsswitch/winbindd_group.c Fri Jun 23 15:16:50 
 2006
 +++ samba-3.0.23/source/nsswitch/winbindd_group.c Thu Jul 13 10:34:06 2006
 @@ -42,7 +42,7 @@
 {
  fstring full_group_name;

 - fill_domain_username( full_group_name, dom_name, gr_name, False);
 + fill_domain_username( full_group_name, dom_name, gr_name, True);

  gr-gr_gid = unix_gid;
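Review bot: the call that fills full_group_name now passes True for every dom_name that reaches this function, with no check for BUILTIN. John's follow-up in this thread reports that BUILTIN groups stop working with the patch applied, and Jerry's reply says getting BUILTIN right was the reason for the original False. Suggest keeping False when dom_name is BUILTIN and passing True only for the domain that winbind use default domain is meant to cover, so that group-based access rules (such as the squid configuration mentioned in the thread) keep one unambiguous name per group.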

 @@ -146,7 +146,7 @@

  /* Append domain name */

 - fill_domain_username(name, domain-name, the_name, False);
 + fill_domain_username(name, domain-name, the_name, True);

  len = strlen(name);
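Review bot: the comment "Append domain name" directly above the changed call no longer matches what the call does once its last argument is True, since the replies in this thread describe the effect as stripping the domain. Update the comment in the same change, and check the code that follows len = strlen(name) for any assumption that name still carries the domain part.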

 @@ -752,7 +752,7 @@
  /* Fill in group entry */

  fill_domain_username(domain_group_name, ent-domain_name,
 - name_list[ent-sam_entry_index].acct_name, False);
 + name_list[ent-sam_entry_index].acct_name, True);

  result = fill_grent(group_list[group_list_ndx],
  ent-domain_name,
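Review bot: missing evidence for the domain_group_name call in this hunk, which fills a group entry from the acct_name taken out of name_list: nothing in the patch or the message shows what getent group returns afterwards. Suggest attaching to the bug the getent group output with winbind use default domain = yes before and after the change, confirming that each group is listed once and that BUILTIN entries are still present, since that is the regression reported later in the thread.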
 @@ -929,7 +929,7 @@
  groups.sam_entries)[i].acct_name;
  fstring name;

 - fill_domain_username(name, domain-name, group_name, False);
 + fill_domain_username(name, domain-name, group_name, True);
  /* Append to extra data */
  memcpy(extra_data[extra_data_len], name,
strlen(name));
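Review bot: this is the fourth call site where the same bare True/False literal is edited by hand, so the naming policy can be changed in one place and missed in another. Suggest moving the decision into a single helper for group names (hypothetical name: fill_domain_groupname()) shared by the four call sites, so the BUILTIN exception discussed in bug 3920 is made once. The memcpy() that follows copies strlen(name) bytes of a name that may now lack the domain part, so whatever reads extra_data should be checked for an assumption that every entry contains the domain separator.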








Re: [Samba] Cannot add ACL entry in Windows.

2006-07-20 Thread Sascha
Same problem here. I think it's a bug in the new
version. 

--- Linus Lund [EMAIL PROTECTED] wrote:

 Hello,
 
 Just upgraded from Samba 3.0.22 to 3.0.23, running on a SlackWare Linux
 Box with a 2.4.31 kernel. All Unix users and samba users are stored in
 ldap. Using setfacl renders correct user/groups in the windows acl
 editor, and works perfectly. However, when I try to add a user/group in
 the Security tab for a share/folder I get the following message
 
 The program cannot open the required dialog box because it cannot
 determine whether the computer named fileserv is joined to a domain.
 Close this message and try again.
 
 Followed by
 The system cannot find text for message 0x%1 in the message file for %2.
 
 The error occurs with all users, tested on windows xp SP2 and windows
 2k3 SP1. The problem occurred in samba 3.0.23, was not present in samba
 3.0.22. The improved group handling in samba 3.0.23 makes me reluctant
 to downgrading though.
 
 Anyone got any ideas what to test/do?
 
 Regards,
 Linus


Re: [Samba] Re: Samba 3.0.23 winbind use default domain = yes behaviour

2006-07-20 Thread Gerald (Jerry) Carter

John wrote:

 I tried the patch and at first it looked like it 
 worked OK, but it breaks  the support of BUILTIN groups
 With stripping the domain, I lost also the support 
 of the BUILTIN groups.
 
 When tested on a machine with an unpatched 3.0.23 
 BUILTIN groups works

That was what I was afraid of since getting BUILTIN to
work correctly was the reason for the original change.  I'm
going to try to have this resolved today.  When I do,
I'll post a patch to bug # 3920.





cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian


[Samba] user login ldap problems, misunderstandings

2006-07-20 Thread oly
hi,

i have managed to set up samba and ldap to work together i have got
machines joined to the server, used IDEALX to create default entries.

i can log into the machines with root and nobody accounts but nobody
else's. i have added on about 80 users to ldap but none of them can login
they all appear to have posix and samba attributes in the ldap
directory.

i am getting a bit confused also by this smbpasswd do i need to run it
for each user in ldap, i kinda figured i did not but got a little
confused when reading others posts on the web.

also where can i look to find why the logins are failed i have the samba
log level set to 3 which i believe is the highest but nothing shows up
to show that an attempt was made.

any help with log files to check levels to change or anything that can
help me figure out where i am going wrong, as samba and ldap seem to
work and communicate fine.

any help appreciated thxs

i have managed to come so far not knowing ldap or samba to this point.



[Samba] Can't connect with force user set (3.0.23)

2006-07-20 Thread Jochen Knuth

Hi,

after an update to samba 3.0.23 i can't connect to shares if i set the 
option force user.


Samba is used on a Freebsd 5.5p1 Server, the Domain Controller is a 
Windows 2003 Server.


The [Global] part and a [Share] part follows:

# Global parameters
[global]
workgroup = IPRO.LEO
netbios name = UNIXSERVER
server string = IPRO Samba %v
interfaces = bge0
bind interfaces only = Yes
security = DOMAIN
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
log level = 2
log file = /var/log/samba.log
time server = Yes
os level = 30
lm interval = 120
preferred master = No
local master = No
domain master = No
wins support = Yes
ldap ssl = no
preload = homes,usr
socket address = 172.16.0.1
idmap uid = 17000-22000
idmap gid = 17000-22000
winbind use default domain = Yes
hosts allow = 172.16., 127.0.0.1
hosts deny = 0.0.0.0/0
hide dot files = No
veto oplock files = /*log*/

[plone]
force user = zope
writeable = yes
valid users = jok,kerkow,goetz
write list = jok,kerkow,goetz
path = /usr/local/www/Zope/z29test/
force group = zope

I tried to patch the auth_util.c to rev. 17022 as I've seen some posts 
regarding this, but it didn't work (can't connect at all, core dump)


Ciao,
Jochen

--
--
Jochen Knuth  WebMaster http://www.ipro.de
IPRO GmbH Phone ++49-7152-93330
Steinbeisstr. 6   Fax ++49-7152-933340
71229 LeonbergEMail: [EMAIL PROTECTED]



[Samba] password required when connecting from xp but not linux

2006-07-20 Thread rich

Hi,

I have samba version 3.0.22 installed on solaris 8.
I have added users with smbpasswd -a.
When mounting from an XP machine passwords are required, yet when 
mounting from fedora5 it prompts for a password but mounts
irrespective of what is entered. Any ideas?

TIA
Rich

# more /usr/local/samba_new/lib/smb.conf
# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2006/06/22 15:34:54

[global]
   workgroup = HOME
   server string = Unix Server
   unix password sync = Yes
   log level = 2
   log file = /var/log/samba/samba.log.%m
   max log size = 50
   wins support = Yes
   invalid users = bin, web, daemon, adm, sync, shutdown, halt, mail, news, uucp, operator, nuucp, lp, listen, nobody, noaccess

   create mask = 0777
   directory mask = 0777
   hosts allow = 192.168.1., localhost

[homes]
   comment = Home Directories
   path = /userdata/home/%u
   read only = No
   guest ok = Yes
   browseable = No

[point1]
   comment = point1
   path = /point1
   valid users = user1,user2,user3
   read only = No

[point2]
   comment = point2
   path = /point2
   valid users = user1,user2,user3
   read only = No


cut


Re: [Samba] setdriver fails with WERR_ACCESS_DENIED

2006-07-20 Thread Rob Tanner

Flavien,

I had a similar problem about a month ago.  Just like you, I could 
execute  rpcclient enumdrivers, but rpcclient setdriver resulted in 
the WERR_ACCESS_DENIED.  In my case, I am using winbind to the fullest 
so that our Windows sysadmin can control access to folders within shares 
based on Active Directory security group memberships.  That means that 
when I mount a share, I'm not identified as simply rtanner but rather 
as CATNET\rtanner, CATNET being the name of the domain. 

I resolved the WERR_ACCESS_DENIED issue in rpcclient by specifying 
CATNET\rtanner as a printer admin and authenticating as the user 
CATNET\rtanner rather than simply rtanner in rpcclient.  The only 
oddity was that the global setting in printers was not enough.  I had 
to explicitly declare CATNET\rtanner as a printer admin in each 
printer definition in smb.cfg.  And after that, everything was hunky-dory.


Hope that helps.

-- Rob

Flavien said the following on 07/20/2006 04:50 AM:


Hi,



I'm using samba 3.0.22 on a Linux/Debian machine.

I'm trying to get printer drivers on the server automatically picked by
the XP clients on the server.

   $ rpcclient  localhost -U flavien -c 'enumdrivers'
   Password:
   [Windows NT x86]
   Printer Driver Info 1:
   Driver Name: [hp1]

The user flavien has PrintOperator privileges :
   $ net rpc rights list flavien -U flavien
   Password:
   SePrintOperatorPrivilege
   SeDiskOperatorPrivilege

I try to set the driver to the printer :
   $ rpcclient  localhost -U flavien -c 'setdriver hp1 hp1'
   Password:
   result was WERR_ACCESS_DENIED


Something that looks suspicious to me :

   $ rpcclient  localhost -U flavien -c 'getdriverdir Windows NT x86'
   Password:
   Directory Name:[\\LOCALHOST\print$\W32X86]


Shouldn't it be the netbios name of the server instead of LOCALHOST ?

FWIW, the /etc/samba/drivers dir is writeable by flavien


I'm pretty stuck here now. Any help appreciated.


Flavien.
 



--

Rob Tanner
UNIX Services Manager
Linfield College, McMinnville OR


Re: [Samba] Home directories

2006-07-20 Thread Ivan Gustin

Madhu Kumar:
 I have a small requirement , I have a samba setup on my server with
 the following configuration in [homes] share :
[...]
 Since i have multiple users who use the windows machines, if i logout
 say from some machine and if i login once again on the same machine
 with different user the previous user's home directory is still
 visible with current user's home directory. I need to resolve it. how
 could i change my [homes]  configuration to do this.

I dealt with the same problem long ago. On one Samba site I have 800+ 
users who use 30 PCs, and the previous users' home directories that 
remain very soon add up to dozens of visible directories, causing a full 
mess. This is not a problem with Samba; it's up to Windows Networking.


I solved that by avoiding the built-in [homes] section and using a generic 
[personal] share instead, with this main option:


[Personal]
path = %H
...

This ensures that each user's home directory is always named Personal 
(not after the user's name), points to the right home path for each user, 
and leaves no multiple homes behind (because there is only one share name).


Try that, and say if this satisfies you.

HTH,
Ivan Gustin


Re: [Samba] No mapping between account names and security IDs was done

2006-07-20 Thread Ivan Gustin

Ivan Gustin:
I get an error message No mapping between account names and security 
IDs was done on fresh clean Windows XP SP2 PC when I try to join it to 
Samba PDC.


For information to all who need solution to this problem: I solved it. :-)

I found the LJ article on http://www.linuxjournal.com/article/6604, with 
solution in this paragraph:


The following error occurred attempting to join the domain MYDOMAIN: 
No mapping between account names and security IDs was done. This obscure 
error reportedly has been fixed by using lower-case names for the 
workstation name in /etc/passwd and smbpasswd and on the Windows XP client.


So, correcting character case in workstation names allows joining to 
Samba PDC.


HTH,
Ivan Gustin


[Samba] Q: winbindd, unqualfied users, name conflicts (a.k.a Death to 'winbind use default domain'!)

2006-07-20 Thread Gerald (Jerry) Carter

Volker,

Assume I have a member server named LINUX joined to a
domain name AD.  Now assume I have a local user named foo
in my passdb and a user named foo in the domain as well.
I'm modifying winbindd_util.c:parse_domain_user() to do
a lookup_name() to try to figure out which domain to prepend
to the username rather than just assuming it's a domain user.
But this means that we'll always choose the local user
(due to the order of an isolated search in lookup_name()).

The main problem is the use default domain abomination
will confuse local and domain users of the same name and
possibly return incorrect group membership.

I am about a 1/2 inch from marking the smb.conf option
as deprecated and adding similar option to pam_winbind.conf.
This option just cannot work reliably.

Do you have any suggestions?





cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian


[Samba] programmatical retrieval of windows event logs from linux

2006-07-20 Thread dave
Am a Linux guy and trying to support security monitoring for Windows
devices. Am trying to find a programmatic way of pulling security and
application logs from Windows machine. OR it can be a push model where
windows can generate events/traps. It should all be built-in in windows
with no external tool installation.

Looks like there is no NATIVE built in asynchronous event reporting from
windows (2000/2003/xp)? It can be in terms of SNMP Traps as well.

Given this, one can use Samba apis (rpcclient) to periodically pull the
event logs from windows. Is there any better way to accomplish the same
programmatically using Push or Pull model to get the security and
application logs on windows from Linux?


-Dave

  





Re: [Samba] programmatical retrieval of windows event logs from linux

2006-07-20 Thread dave

I was only looking at Native windows support with no Hassles of
any external agent installation:
 Am a Linux guy and trying to support security monitoring for Windows devices. 
 Am trying to find a programmatic way of pulling security and application logs
   from Windows machine.  OR it can be a push model where windows can generate
   events/traps. It should  all be built-in in windows with no external tool  
 installation.
   
   Looks like there is  no NATIVE built in asynchronous event reporting from 
   windows   (2000/2003/xp)?
  It can be in terms of  SNMP Traps as well. 
   
   Given this,  one can  use Samba apis (rpcclient)  to  periodically pull the 
 event logs
   from windows. Is there  any better way to accomplish the same 
 programmatically
   using Push or Pull  model to get the security and application logs on  
 windows from  Linux ?


Jeff Saxton [EMAIL PROTECTED] wrote: 
http://www.intersectalliance.com/projects/SnareWindows/

-- 
Jeff Saxton
SenSage, Inc.
55 Hawthorne Street Suite 700
San Francisco, CA 94105
Phone:  415.808.5900
Fax:415.371.1385
Direct: 415-808-5921
Cell:   650-235-0776
mailto:[EMAIL PROTECTED]

Enterprise Security Analytics

SenSage, the leading provider of enterprise security analytics, offers
unparalleled performance and a scalable means for organizations to centrally
aggregate, efficiently analyze, dynamically monitor and cost-effectively
store massive volumes of event log data.







[Samba] Re: Q: winbindd, unqualfied users, name conflicts (a.k.a Death to 'winbind use default domain'!)

2006-07-20 Thread simo
On Thu, 2006-07-20 at 11:35 -0500, Gerald (Jerry) Carter wrote:
 Volker,
 
 Assume I have a member server named LINUX joined to a
 domain name AD.  Now assume I have a local user named foo
 in my passdb and a user named foo in the domain as well.
 I'm modifying winbindd_util.c:parse_domain_user() to do
 a lookup_name() to try to figure out which domain to prepend
 to the username rather than just assuming its a domain user.
 But this means that we'll always choose the local user
 (due to the order of an isolated search in lookup_name()).
 
 The main problem is the use default domain abomination
 will confuse local and domain users of the same name and
 possibly return incorrect group membership.
 
 I am about a 1/2 inch from marking the smb.conf option
 as deprecated and adding similar option to pam_winbind.conf.
 This option just cannot work reliably.
 
 Do you have any suggestions?

I would just document that local users will always take precedence.

Winbind use default domain is too valuable to be removed imho.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



[Samba] View disk size

2006-07-20 Thread Wyrzykowski, Conrad
Greetings,

This is my first visit to this list. We run Samba to talk to our HP-UX
11.i machine. I'm wondering if there is a configuration feature in Samba
that will allow me to see the full properties of my Unix drives from the
PC side. We use Windows XP. Currently when I do a properties on the Unix
drive I can see the amount of data stored there but it does not report
the remaining free space. This causes some of my PC applications to
generate an error if it thinks the output file being created is greater
than the free space it sees. In all cases the process has completed
because there was enough free space, however I would like the error
messages to disappear.

Thanks,
Conrad


[Samba] Re: Q: winbindd, unqualfied users, name conflicts (a.k.a Death to 'winbind use default domain'!)

2006-07-20 Thread Gerald (Jerry) Carter

Simo,

 I am about a 1/2 inch from marking the smb.conf option
 as deprecated and adding similar option to pam_winbind.conf.
 This option just cannot work reliably.

 Do you have any suggestions?
 
 I would just document that local users will 
 always take precedence.
 
 Winbind use default domain is too valuable to 
 be removed imho.

First assigning the wrong groups to a user is a security
issue.  Second, I said pull 'winbind use default domain'
from the server code and put it in the client code.

The fact is that this parameter is fundamentally broken.
It cannot actually work correctly.  At some point (probably
for 3.0.24) we will have to break it and move it to the
client.  There is no way around it.




cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian


[Samba] Re: Q: winbindd, unqualfied users, name conflicts (a.k.a Death to 'winbind use default domain'!)

2006-07-20 Thread simo
On Thu, 2006-07-20 at 12:37 -0500, Gerald (Jerry) Carter wrote:

 First assigning the wrong groups to a user is a security
 issue.  Second, I said pull 'winbind use default domain'
 from the server code and put it in the client code.

ok so you do the translation in pam_winbindd and nss_winbindd instead of
winbindd, sounds reasonable, sorry for the misunderstanding.

 The fact is that this parameter is fundamentally broken.
 It cannot actually work correctly.  At some point (probably
 for 3.0.24) we will have to break it and move it to the
 client.  There is no way around it.

I was just worried you said you wanted to remove it, I have no objection
on just moving it in the client libraries.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Problem with 3.0.23 upgrade from 3.0.22 with rfc2307 patch

2006-07-20 Thread Gerald (Jerry) Carter

Don Meyer wrote:

 Yes, I'm pretty sure Jerry Carter does.  ([EMAIL PROTECTED])   
 He's posted that he expects a patch for this to be
 included in the 3.0.23a release -- due sometime real
 soon now... ;-)

This was the last major bug to be fixed in 3.0.23a.
I've attached a patch to bug 3920.

Note that this will break 'winbind nested groups' for
local users.  Local group membership for domain users
still works, but a local user will not get the nested
group gids included in his or her token.  See my comments
in the bug report for more details.

Also please note that unqualified domain user or group
names have not been supported in smb.conf since Samba
3.0.8.  You are advised to fix your configuration files.






cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian


Re: [Samba] Anybody building Mandriva rpms?

2006-07-20 Thread Gerald (Jerry) Carter

David Rankin wrote:
 Thanks Gemes:
 
 Gerry, do you have any additional info on this???

Nope.  Buchan was (still is?) doing packages for Mandriva
but I have not heard from him in a while.




cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian


Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-20 Thread Gerald (Jerry) Carter

Doug VanLeuven wrote:
 Gerald (Jerry) Carter wrote:

 Doug,

 File a bug report if you believe this to be true.  I'm not at 3.0.23
 right now and don't have the time to try it
 here.  I wouldn't want to lose this. I did see a mention
 they dropped support of joins from machines where
 the domain differs from the realm, but haven't had time to check
 this. There has been a rewrite of the
 ads join code since 3.0.22.

 Doug,

 You should probably review my comments to Scott. Keytab
 support is being rewritten, not dropped.

 I was saying dns domain not equal realm dropped
 and rewrite ads join code

No it wasn't.  I run with this on a daily basis.
Perhaps something else is attributing to your failures.

 PS: I asked our Apache guy (at Centeris) who is working
 with mod_auth_kerb and he claims that krb5 authentication
 to http://SerVer.ExaMple.COM still gets a ticket for
 HTTP/server.example.com which supports my theory about
 tickets based on SPN values.

 Yes, it works with rc4-hmac.  But it's been coming 
 back to me. It didn't work with des-cbc-md5 until
 the permutations were added.  How soon we forget.
 It's really difficult to test des-only now.  Have to
 join with rc4, then hand edit with adsi.exe in the
 AD, then remove the rc4 from krb5.conf
 and reboot the machine to purge the caches, because 
 samba sets the des-only on a compile time flag.

I'll go back and retest but I'm still not convinced
(until I can reproduce it myself).




cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --


[Samba] Re: Q: winbindd, unqualfied users, name conflicts (a.k.a Death to 'winbind use default domain'!)

2006-07-20 Thread Volker Lendecke
On Thu, Jul 20, 2006 at 11:35:11AM -0500, Gerald (Jerry) Carter wrote:
 Assume I have a member server named LINUX joined to a
 domain name AD.  Now assume I have a local user named foo
 in my passdb and a user named foo in the domain as well.
 I'm modifying winbindd_util.c:parse_domain_user() to do
 a lookup_name() to try to figure out which domain to prepend
 to the username rather than just assuming its a domain user.
 But this means that we'll always choose the local user
 (due to the order of an isolated search in lookup_name()).

What about in the case of winbind use default domain doing a
qualified lookup_name() first and if that fails do the
unqualified one?

Volker



[Samba] Re: Q: winbindd, unqualfied users, name conflicts (a.k.a Death to 'winbind use default domain'!)

2006-07-20 Thread Gerald (Jerry) Carter

Volker Lendecke wrote:

 What about in the case of winbind use default domain 
 doing a qualified lookup_name() first and if that
 fails do the unqualified one?

We're given a username.  Both LINUX\foo and DOMAIN\foo
exist so lookup_name() on either of those will succeed.
How do you know which one is which?  A local user is
always unqualified and a domain user may or may not be.
How do you tell them apart?





ciao, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian


[Samba] Re: Q: winbindd, unqualfied users, name conflicts (a.k.a Death to 'winbind use default domain'!)

2006-07-20 Thread Volker Lendecke
On Thu, Jul 20, 2006 at 01:46:29PM -0500, Gerald (Jerry) Carter wrote:
 We're given a username.  Both LINUX\foo and DOMAIN\foo
 exist so lookup_name() on either of those will succeed.
 How do you know which one is which?  A local user is
 always unqualified and a domain user may or may not be.
 How do you tell them apart?

What happens now? Looking at the code I get the impression
that we default to DOMAIN\foo. So if we get an unqualified
name, talloc_asprintf(ctx, "%s\\%s", lp_workgroup(), name),
try with that and only if that fails then do the naked
lookup_name() which has its defined order. This is a hack,
but that whole thing is.

I did not try this, so it might break horribly. But I've
looked at putting lookup_name into parse_domain_user before
and did _not_ try that yet.

Volker



[Samba] Re: Q: winbindd, unqualfied users, name conflicts (a.k.a Death to 'winbind use default domain'!)

2006-07-20 Thread Gerald (Jerry) Carter

Dave Daugherty wrote:
 My opinion:
 
 Local users should always take precedence. 
 
 People should specifically refer to local users as
 SambaHostName\localuser, if that is the form the 
 SMB client insists on sending.
 
 Tacking on default domains and/or stripping 
 domains to/from user names and trying them out is playing
 fast and loose with user identity and
 is a breeding ground for potential security holes.

Dave,

I don't think you fully understand the problem.  We're
talking about Unix shell tools, not SMB clients.  A local
username is always unqualified when sent by Unix tools like
'id' to query group membership.  A domain user may or may
not be qualified so how do you know an unqualified domain
user from a normal local user?   For example,

With 'winbind use default domain = no'

$ id
uid=780(jerry) gid=100(users)
groups=16(dialout),33(video),100(users),10001(BUILTIN\users),
10007(SUSE10\developers)

With 'winbind use default domain = yes'

$ id
uid=780(jerry) gid=100(users)
groups=16(dialout),33(video),100(users)

The problem is that when guessing the domain, we assume
the Windows domain name.  Prior to querying group membership,
we do a lookup_name() query to the DC for this name
(DOMAIN\jerry) which fails since it is a local user.
So any local groups are excluded from the getgroups()
return.

*This* ambiguity is why I will be removing the guesswork
from the server code in 3.0.24.





cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian


[Samba] Re: Q: winbindd, unqualfied users, name conflicts (a.k.a Death to 'winbind use default domain'!)

2006-07-20 Thread Gerald (Jerry) Carter

Volker Lendecke wrote:

 What happens now? Looking at the code I get the impression
 that we default to DOMAIN\foo. So if we get an unqualified
 name, talloc_asprintf(ctx, "%s\\%s", lp_workgroup(), name),
 try with that and only if that fails then do the naked
 lookup_name() which has its defined order. This is a hack,
 but that whole thing is.

Sure.  If a user of the same name doesn't exist in
the local passdb and domain SAM.  But when LINUX\foo
and DOMAIN\foo both exist, the lookup for DOMAIN\foo
will succeed.

 I did not try this, so it might break horribly.  But I've
 looked at putting lookup_name into /parse_domain_user
 before and did _not_ try that yet.

I was about to and realized it cannot work 100% of the time.
That is what prompted this thread.





cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian
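
The three resolution orders argued over in this thread (always prepending the Windows domain, the local-first lookup_name() inside parse_domain_user(), and the qualified-then-unqualified fallback), modelled as an added example that is not part of any message in this archive and is not Samba code. Only LINUX, AD, foo, jerry, lookup_name() and parse_domain_user() come from the thread; the function bodies, the other accounts and all group names are constructed for illustration.

```python
"""Toy model of unqualified-name resolution on a domain member server.

Not Samba code: lookup_name() below only imitates the behaviour described in
the thread. Every account and group here is constructed sample data.
"""
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Account = Tuple[str, str]          # (authority, user name)

MACHINE = "LINUX"                  # member server name used in the thread
WORKGROUP = "AD"                   # domain name used in the thread

# Groups winbindd would report for each account (constructed).
ACCOUNTS: Dict[Account, FrozenSet[str]] = {
    ("LINUX", "foo"):   frozenset({"BUILTIN\\users", "LINUX\\backup"}),
    ("AD", "foo"):      frozenset({"AD\\domain users", "AD\\finance"}),
    ("LINUX", "jerry"): frozenset({"BUILTIN\\users", "LINUX\\developers"}),
    ("AD", "alice"):    frozenset({"AD\\domain users"}),
}


def lookup_name(name: str) -> Optional[Account]:
    """Qualified names are checked against one authority only; unqualified
    names walk a fixed search order with the local passdb first."""
    if "\\" in name:
        authority, user = name.split("\\", 1)
        key = (authority.upper(), user.lower())
        return key if key in ACCOUNTS else None
    for authority in (MACHINE, WORKGROUP):
        key = (authority, name.lower())
        if key in ACCOUNTS:
            return key
    return None


def assume_domain(name: str) -> Optional[Account]:
    """Guess the Windows domain for every unqualified name."""
    qualified = name if "\\" in name else WORKGROUP + "\\" + name
    return lookup_name(qualified)


def local_first(name: str) -> Optional[Account]:
    """Unqualified lookup_name() in parse_domain_user(): local user wins."""
    return lookup_name(name)


def domain_then_local(name: str) -> Optional[Account]:
    """Qualified domain lookup first, unqualified lookup as the fallback."""
    return assume_domain(name) or lookup_name(name)


STRATEGIES: Dict[str, Callable[[str], Optional[Account]]] = {
    "assume_domain": assume_domain,
    "local_first": local_first,
    "domain_then_local": domain_then_local,
}


def groups_for(strategy: str, name: str) -> FrozenSet[str]:
    """Group set the caller ends up with; empty when the lookup fails."""
    account = STRATEGIES[strategy](name)
    return ACCOUNTS[account] if account else frozenset()


def collisions() -> List[str]:
    """User names that exist both locally and in the domain. For these, no
    ordering can tell which account an unqualified name was meant to be."""
    local = {user for authority, user in ACCOUNTS if authority == MACHINE}
    domain = {user for authority, user in ACCOUNTS if authority == WORKGROUP}
    return sorted(local & domain)


if __name__ == "__main__":
    for name in ("foo", "jerry", "alice"):
        for label in STRATEGIES:
            print(f"{name:6} {label:18} -> {STRATEGIES[label](name)} "
                  f"{sorted(groups_for(label, name))}")
    print("ambiguous unqualified names:", collisions())
```

For the colliding name foo the strategies return different accounts and therefore different group sets, and for the local-only jerry the always-assume-domain guess finds nothing, which matches the missing groups in the `id` output quoted earlier in the thread.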


Re: [Samba] Security = ADS and 3.0.23 Upgrade

2006-07-20 Thread Dale Schroeder

Gerald (Jerry) Carter wrote:


Dale Schroeder wrote:
  

I've attached the screenshots, but I think my
confusion was expecting the pdc to display the FQDN
from its DNS records for the samba system,
not the hosts file on the samba system.



I will almost guarantee that you have a
broken /etc/hosts on your Samba box.  The machine's
hostname should not be listed in the 127.0.0.1 line.
This will also break Krb5 authentication.

Fix this on the Unix box and rejoin the domain.
Should be fine.
  


You are quite correct that adding the missing parameter to the hosts 
file and rejoining the domain would fix this problem.


That leaves only the 'valid users' bug you mentioned.   Of the three 
parameters following:


1. 'valid users' had to be disabled
2. 'write list' had to be present
3. 'admin users' had no effect either way

in order for me to access the test share.  I used all three quite 
frequently in 3.0.22 and prior, so I surely do hope it is something that 
can be remedied.


I greatly appreciate your time and your help.

Dale


[Samba] New to this list. How to Samba Archives.

2006-07-20 Thread Ariel Duran
Hello all,

 

What is the easiest way to search the samba archives? The archive doesn't
have a search option like the qmail archives search option. 

 

Regards,

Ariel Duran



Re: [Samba] New to this list. How to Samba Archives.

2006-07-20 Thread Sean P. Elble

On Thu, 20 Jul 2006, Ariel Duran wrote:


Hello all,



What is the easiest way to search the samba archives? The archive doesn't
have a search option like the qmail archives search option.



The easiest way to search the archives is to go to:

http://marc.theaimsgroup.com/

and scroll down until you get to the Samba portion. You can click on a 
mailing list, and then run a search on it. Many, many mailing lists are 
there, so it's really a great resource for sysadmins. HTH.





Regards,

Ariel Duran




--
--
+-+
|  Sean Elble |
|  Virginia Tech  |
|  Computer Engineering, Class of 2008|
|  Vice President, VTLUUG |
|  E-Mail:   [EMAIL PROTECTED]|
+-+



Re: [Samba] Security = ADS and 3.0.23 Upgrade

2006-07-20 Thread Gerald (Jerry) Carter

Dale Schroeder wrote:

 You are quite correct that adding the missing parameter 
 to the hosts file and rejoining the domain would fix
 this problem.
 
 That leaves only the 'valid users' bug you mentioned.   
 Of the three parameters following:
 
 1. 'valid users' had to be disabled
 2. 'write list' had to be present
 3. 'admin users' had no effect either way

Fixed in 3.0.23a:
http://viewcvs.samba.org/cgi-bin/viewcvs.cgi?rev=17022&view=rev

Please test the svn://svnanon.samba.org/samba/branches/SAMBA_3_0_23
tree to be sure.





cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian


Re: [Samba] Can't connect with force user set (3.0.23)

2006-07-20 Thread Gerald (Jerry) Carter

Jochen Knuth wrote:
 Hi,
 
 after an update to samba 3.0.23 i can't connect to shares 
 if i set the option force user.

Just to clarify yet again, unqualified domain user and
group names are not supported in smb.conf and have not
been since Samba 3.0.8.

But your failure has been fixed in 3.0.23a (due out
tomorrow).  Please test the SAMBA_3_0_23 svn branch if
you can to verify this fix.  Thanks.





cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian
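
The point made in the reply above, that unqualified domain user and group names are not supported in smb.conf, can be checked mechanically. The following is an added example, not part of any message here and not a Samba tool: it lists account names that carry no domain prefix in a configuration abridged from the one posted at the start of this thread. Treating zope as a local Unix account is an assumption made for the example, and the function names are hypothetical.

```python
"""Flag account names in smb.conf that carry no domain qualifier.

Added illustration, not a Samba tool. The sample is abridged from the
configuration posted in this thread; treating 'zope' as a local Unix
account is an assumption made for the example.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Account-valued parameters, normalised to lower case without spaces.
NAME_PARAMS = {"validusers", "invalidusers", "writelist", "readlist",
               "adminusers", "forceuser", "forcegroup"}
DOMAIN_MODES = {"domain", "ads"}   # security modes that defer to a DC

SAMPLE_CONF = r"""
# Global parameters
[global]
workgroup = IPRO.LEO
security = DOMAIN
winbind use default domain = Yes

[plone]
force user = zope
writeable = yes
valid users = jok,kerkow,goetz
write list = jok,kerkow,goetz
path = /usr/local/www/Zope/z29test/
force group = zope
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {param: value}}; handles '#'/';' comments and
    continuation lines that end in a backslash."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not pending and (not stripped or stripped[0] in "#;"):
            continue
        line = pending + stripped
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def split_names(value: str) -> List[str]:
    """Split a user list on commas/whitespace, keeping quoted names whole."""
    return [m.strip('"') for m in re.findall(r'"[^"]*"|[^,\s]+', value)]


def unqualified_names(text: str, local_accounts: Iterable[str] = ()
                      ) -> List[Tuple[str, str, str]]:
    """Return (section, param, entry) for each name without a domain prefix
    that is not a known local account. Empty unless security is domain/ads."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    if glob.get("security", "user").lower() not in DOMAIN_MODES:
        return []
    separator = glob.get("winbindseparator", "\\")
    local = {name.lower() for name in local_accounts}
    findings = []
    for section, params in conf.items():
        for param in sorted(NAME_PARAMS & params.keys()):
            for entry in split_names(params[param]):
                name = entry.lstrip("@+&")      # group-expansion prefixes
                if separator in name or name.lower() in local:
                    continue
                findings.append((section, param, entry))
    return findings


if __name__ == "__main__":
    for section, param, entry in unqualified_names(SAMPLE_CONF, {"zope"}):
        print(f"[{section}] {param}: '{entry}' has no domain qualifier")
```

The file alone cannot say whether a flagged name is a domain account, so the list of local accounts has to be supplied by the administrator and each remaining finding reviewed by hand.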


Re: [Samba] identifying servers

2006-07-20 Thread x

Hi Norbert,

you can configure IAS at windows (2000 or 2003) and
configure freeradius to use IAS (radius server) to
authenticate your users.

Marcos

--- Norbert Wegener [EMAIL PROTECTED] wrote:

 I want to use freeradius and Active directory for
 authentication in a 
 larger Active Directory forest and therefore
 freeradius must know the 
 relevant domain servers.
 As this forest is living with servers being added
 and removed, I want 
 to identify the global catalog servers in that
 forest automatically.
 How could this be achieved using samba tools?
 Thanks
 Norbert Wegener


Re: [Samba] [SECURITY] Samba 3.0.1 - 3.0.22: memory exhaustion DoSagainst smbd

2006-07-20 Thread Gerald (Jerry) Carter

Gautier, B (Bob) wrote:
 -Original Message-

 ==
 ==
 == Subject: Memory exhaustion DoS against smbd
 == CVE ID#: CAN-2006-3403

 While we wait for this patch to get backported into 3.0.10 
 as a RHEL4 update, will setting the 'max connections'
 parameter on all shares work around this problem?

The problem is that a 'max connections' would limit
the total connections and what you really want to limit
is the share connections per smbd.  You could set
something like max connections = 1 in [global]
to set a ceiling but you will take a slight performance
hit for it.




cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian


[Samba] USRMGR, groups, and ldap

2006-07-20 Thread James Money
I currently have samba version 3.0.23 installed using ldap as the
backend. I am experiencing the same problems as Holger Wesser mentioned
in his posting USRMGR.exe not working properly. However, it appears
that the fix of creating the group mappings does not work. They appear
to be mapped correctly on my setup. My net groupmap list is:

Domain Admins (S-1-5-21-1882045844-2771900506-1057560041-512) - Domain
Admins
Domain Users (S-1-5-21-1882045844-2771900506-1057560041-513) - Domain
Users
Domain Guests (S-1-5-21-1882045844-2771900506-1057560041-514) - Domain
Guests
Domain Computers (S-1-5-21-1882045844-2771900506-1057560041-515) -
Domain Computers
Administrators (S-1-5-32-544) - Administrators
Account Operators (S-1-5-32-548) - Account Operators
Print Operators (S-1-5-32-550) - Print Operators
Backup Operators (S-1-5-32-551) - Backup Operators
Replicators (S-1-5-32-552) - Replicators


However, there are no groups listed in usrmgr.exe or any of the dialog
boxes for adding users/groups in XP. The users are listed correctly in
usrmgr.exe but with none of the group memberships.

In addition, net rpc group members Administrators reports:
Couldn't list alias members

I was hoping for some direction on how to diagnose and correct the
problem.
-James





Re: [Samba] MS06-035 problems?

2006-07-20 Thread Alan Munter
It was a false alarm, it turns out.  The guy who was installing the
machine forgot to edit the selinux configuration on the default FC5
install.  It was in permissive mode, but it needed to be disabled in
order for it to work.

Thanks,

Alan

On Thu, 2006-07-13 at 12:52 -0500, Gerald (Jerry) Carter wrote:

 Alan Munter wrote:
 
  I just patched our domain controllers with MS06-035 
  because it said it was just fixing a couple of memory
  leak problems with SMB in srvsvc.
  
  Now, this afternoon, one of my colleagues tried to 
  join a FC5 machine to our active directory using
  the recipe that we have been using for years
  (which worked yesterday, according to him), and 
  it fails on net ads join.
  
  No changes have been made to the domain controllers 
  other than the Black Tuesday patches.
  
  Here's a log dump from net -d4 ads join.  We get the error:
 
 What version of Samba is this 3.0.22 ?
 
  [2006/07/12 15:55:14, 3]
  libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(571) 
verify_service_password: get_service_ticket failed: KDC has no support
  for encryption type
 
 Ignore that.  It's not the issue.
 
  Any ideas of what's going on?  Need more info?  Did MS 
  sneak some more changes into the server service that
  they aren't talking about in that patch?
 
 Need more details.  What do level 10 debug logs from smbd tell you about
 the failed authentication?
 
 
 
 cheers, jerry




Re: [Samba] New to this list. How to Samba Archives.

2006-07-20 Thread Henrik Zagerholm

Try this
http://www.mail-archive.com/
Cheers, henrik
On 20 Jul 2006, at 20:27, Ariel Duran wrote:


Hello all,



What is the easiest way to search the samba archives? The archive  
doesn't

have a search option like the qmail archives search option.



Regards,

Ariel Duran



Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-20 Thread Doug VanLeuven

Gerald (Jerry) Carter wrote:


Doug VanLeuven wrote:

Gerald (Jerry) Carter wrote:


Doug,


File a bug report if you believe this to be true.  I'm not at 3.0.23
right now and don't have the time to try it
here.  I wouldn't want to lose this. I did see a mention
they dropped support of joins from machines where
the domain differs from the realm, but haven't had time to check
this. There has been a rewrite of the
ads join code since 3.0.22.

Doug,

You should probably review my comments to Scott. Keytab
support is being rewritten, not dropped.

I was saying dns domain not equal realm dropped
and rewrite ads join code


No it wasn't.  I run with this on a daily basis.
Perhaps something else is attributing to your failures.


First, I'm not having failures.  I was commenting information
I believed I read.
So what did you mean in this post:
http://marc.theaimsgroup.com/?l=sambam=115193492903190w=2

quote:
 You were right. ( as usual.. )
 I had the wrong FQDN on the samba server.
 After reconfiguring my network and I got the FQDN back
 from 'hostname' the join worked as planned.

For the record, this is what WinXP does as well.
You cannot join a WinXP box to a domain using a non-admin
account if the client's FQDN is outside the AD domain.

I agree this is a change from previous Samba version,
but then previous Samba releases always required domain
admin creds to join.
endquote

Did you mean if one joins with non-admin credentials
it no longer works, but if one's credentials are
administrative it still works?

I understand previously joined machines still work.

Not trying to be a wise guy, just trying to understand.

Regards, Doug


Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-20 Thread Gerald (Jerry) Carter

Doug,

 I was saying dns domain not equal realm dropped
 and rewrite ads join code

 No it wasn't.  I run with this on a daily basis.
 Perhaps something else is attributing to your failures.

 First, I'm not having failures.  I was commenting information
 I believed I read.  So what did you mean in this post:
 http://marc.theaimsgroup.com/?l=sambam=115193492903190w=2
...
 Did you mean if one joins with non-admin credentials
 it no longer works, but if one's credentials are
 administrative it still works?
 
 I understand previously joined machines still work.
 
 Not trying to be a wise guy, just trying to understand.

No problem.  I spent a couple of days just staring at
traces and reading to try to track down the corner cases.
It's pretty confusing.

The best thing to do is to read here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/control_access_rights.asp

and then use ADSIedit to view the default security
descriptor on a machine account object.

A non-admin (and the machine itself) only has validated-write
access to the dNSHostName and servicePrincipalName
attributes.  This means that the dNSHostName value has to
be within the AD realm and the SPN has to match the dNSHostName.
Try to join a WinXP box to a domain using a non-admin account
with the dns suffix outside of the AD realm and you will see
what I mean.  It fails to join and tells you to contact the
administrator to relax the rules (or something similar).
If you are a domain admin, then you have full control to these
attributes and can do whatever you like.

Samba 3.0.22 did all the ads join operations using LDAP
requests which required you to be a Domain Admins.  As part
of the join, the machine SID was given full control over the
object in AD so again you could do whatever you liked with
'net ads keytab add -P'.

The code in 3.0.23 uses a mixture of RPC and LDAP just like
Windows 2000/XP.  The advantage is that a non-admin can
now join a Samba box to a domain given the same privileges
as required by Windows.  The disadvantage is that we can no
longer assume we have admin rights to set any property we
like.  This is why for example, we no longer try to create
a UPN by default (although I added a new option to net ads
join in 3.0.23a that will do that) or set the operatingSystem
attribute value.

Hope this helps clear up some of the confusion.

Note that I've added in a fair amount of new code in 3.0.23a
for

(a) deriving the DES salt
(b) generating the keytab file
(c) optionally creating the UPN as part of the join.

Please give it a whirl and let me know how it goes.
Our Krb5 code is over 3 years old spreading about
multiple MIT and heimdal versions.  It's time for some
spring cleaning but I don't want to lose functionality
if we can help it.





cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian


[Samba] SAMBA_3_0_RELEASE == Samba 3.0.23a

2006-07-20 Thread Gerald (Jerry) Carter

Folks,

With the exception of a few help messages I need to
add to 'net ads join', the release tree should be ready.
If people could run their tests and report back if
anything that should be fixed is not.  Check the
release notes for details.

We are due to release tomorrow afternoon.




cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian


[Samba] guest ok

2006-07-20 Thread Donald W Watson




I have the following smb.conf file.  Note the guestaccount parameter, and
the guest parameters in shareA, shareB, and shareC.

#
# Generated by modify_samba_config.pl
#
[global]
  adminusers= Administrator, root
  logonhome = \\%L\%U\.9xprofile
  addsharecommand   = /usr/local/autobench/sources/samba/util/modify_samba_config.pl
  addgroupscript= /usr/sbin/groupadd -p %g
  deletesharecommand= /usr/local/autobench/sources/samba/util/modify_samba_config.pl
  include   = /etc/samba/dhcp.conf
  deleteuserfromgroupscript = /usr/sbin/groupmod -x %u %g
  adduserscript = /usr/sbin/useradd -m %u
  deleteprintercommand  = /usr/local/autobench/sources/samba/util/modify_samba_config.pl
  maptoguest= Bad User
  addprintercommand = /usr/local/autobench/sources/samba/util/modify_samba_config.pl
  setprimarygroupscript = /usr/sbin/usermod -g %g %u
  addmachinescript  = /usr/sbin/useradd %u
  domainlogons  = yes
  deleteuserscript  = /usr/sbin/userdel -r %u
  printcapname  = cups
  passdbbackend = tdbsam
  guestaccount  = testguest
  printing  = cups
  cupsoptions   = raw
  logondrive= P:
  addusertogroupscript  = /usr/sbin/groupmod -m %u %g
  logonpath = \\%L\profiles\.msprofile
  printcapcachetime = 750
  workgroup = SAMBA_TEST
  security  = user
  domainmaster  = yes

## Section - [users]
[users]
  readonly  = No
  comment   = All users
  vetofiles = /aquota.user/groups/shares/
  inheritacls   = Yes
  path  = /home

## Section - [homes]
[homes]
  readonly  = No
  browseable= No
  comment   = Home Directories
  inheritacls   = Yes
  validusers= %S

## Section - [printers]
[printers]
  createmask= 0600
  browseable= No
  comment   = All Printers
  printable = Yes
  path  = /var/tmp

## Section - [shareC]
[shareC]
  write list= testguest
  guest only = yes
  guest ok = yes
  path  = /tmp/shareC

## Section - [print$]
[print$]
  directorymask = 0775
  createmask= 0664
  comment   = Printer Drivers
  forcegroup= ntadmin
  path  = /var/lib/samba/drivers
  writelist = @ntadmin root

## Section - [shareA]
[shareA]
  path  = /tmp/shareA
  writelist = user1

## Section - [groups]
[groups]
  readonly  = No
  comment   = All groups
  inheritacls   = Yes
  path  = /home/groups

## Section - [profiles]
[profiles]
  directorymask = 0700
  createmask= 0600
  readonly  = No
  storedosattributes= Yes
  comment   = Network Profiles Service
  path  = %H

## Section - [shareB]
[shareB]
  path  = /tmp/shareB
  guestok   = yes
  writelist = user1

#
# end of generated smb.conf
#

After reading the smb.conf man page, here's what I think should happen with
the shares.  Using smbclient get and put:

  user1 should be able to read/write shareA
  testguest should not be able to read/write shareA
  user1 should be able to read but not write shareB (is authenticated
  as testguest)
  testguest should be able to read but not write shareB (no password
  needed)
  user1 should not be able to read/write shareC (is not allowed to
  connect)
  testguest should be able to read/write shareC (no password needed)

Mounting the shares should produce similar results with file opens.
However, here's what actually happens:

  user1 can read but not write shareA (different from above)
  testguest can neither read nor write shareA (ok)
  user1 can read but not write shareB (ok)
  testguest can read but not write shareB (ok)
  user1 can read but not write shareC (different from above)
  testguest can read but not write shareC (different from above)

Have I misinterpreted the man page?

Sincerely, Don Watson
Linux Technology and Solutions; Beaverton, OR
503-578-4861/TL: 775-4861; [EMAIL PROTECTED]


Re: [Samba] guest ok

2006-07-20 Thread Anthony Messina
Donald W Watson wrote:

   passdbbackend = tdbsam
   guestaccount  = testguest

 [shareC]
   write list= testguest
   guest only = yes
   guest ok = yes
   path  = /tmp/shareC

it should be guest account = testguest and guest ok = yes - notice
the spaces.  the other parameters are similar.  check your spacing.

-- 
Anthony
http://messinet.com
http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E




Re: [Samba] guest ok

2006-07-20 Thread Gerald (Jerry) Carter

Anthony,

 Donald W Watson wrote:
 
   passdbbackend = tdbsam
   guestaccount  = testguest
 
 [shareC]
   write list= testguest
   guest only = yes
   guest ok = yes
   path  = /tmp/shareC
 
 it should be guest account = testguest and guest ok 
 = yes - notice the spaces.  the other parameters
 are similar.  check your spacing.

Doesn't matter.  Parameter names are case and white
space insensitive.






cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian
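
The point made in the reply above, as an added example that is not part of the original thread: a small smb.conf reader that compares parameter names with case and white space removed, so `guestok` and `guest ok` land on the same key. The function names (`canon`, `parse`, `guest_view`) are hypothetical, and the sample is constructed from the guest-related lines of the posted smb.conf.

```python
# Constructed sample: guest-related lines from the smb.conf posted in this
# thread, keeping the poster's mixed spellings of the parameter names.
SAMPLE = """\
[global]
  maptoguest    = Bad User
  guestaccount  = testguest
  security      = user

[shareC]
  write list = testguest
  guest only = yes
  guest ok = yes
  path = /tmp/shareC

[shareB]
  path      = /tmp/shareB
  guestok   = yes
  writelist = user1
"""

TRUE_WORDS = {"yes", "true", "1"}


def canon(name):
    """Canonical parameter name: all white space removed, lower-cased."""
    return "".join(name.split()).lower()


def parse(text):
    """Return (conf, variants).

    conf     maps lower-cased section -> {canonical parameter: value}
    variants maps canonical parameter -> set of spellings seen in the file
    """
    conf, variants = {}, {}
    section, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # smb.conf line continuation
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        key = canon(name)
        conf[section][key] = value.strip()
        variants.setdefault(key, set()).add(" ".join(name.split()))
    return conf, variants


def guest_view(conf, share):
    """Guest-related settings of one share, looked up by canonical name."""
    settings = conf[share.lower()]
    glob = conf.get("global", {})

    def flag(key):
        # Both guest flags default to "no" when the share does not set them.
        return settings.get(key, "no").lower() in TRUE_WORDS

    return {
        # smb.conf(5) documents "nobody" as the default guest account.
        "guest account": glob.get("guestaccount", "nobody"),
        "guest ok": flag("guestok"),
        "guest only": flag("guestonly"),
        "write list": settings.get("writelist", "").replace(",", " ").split(),
    }


if __name__ == "__main__":
    conf, variants = parse(SAMPLE)
    for key, spellings in sorted(variants.items()):
        if len(spellings) > 1:
            print("%s is spelled %s" % (key, sorted(spellings)))
    for share in ("shareB", "shareC"):
        print(share, guest_view(conf, share))
```
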


Re: [Samba] guest ok

2006-07-20 Thread Anthony Messina
Gerald (Jerry) Carter wrote:
 Anthony,
 
 it should be guest account = testguest and guest ok 
 = yes - notice the spaces.  the other parameters
 are similar.  check your spacing.
 
 Doesn't matter.  Parameter names are case and white
 space insensitive.
 

ahh, thank you.  that's an interesting tidbit about which i was unaware
(among other things):)

-a

-- 
Anthony
http://messinet.com
http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E




[Samba] simple configuration problem

2006-07-20 Thread Mauro Sacchetto
This is smb.conf:

[global]
workgroup = workgroup
netbios name = darkstar
security = share
log file = /var/log/samba.%m
max log size = 50

[homes]
comment = Home Directories
browseable = yes
read only = No

[printers]
comment = All Printers
path = /var/spool/samba
guest ok = yes
printable = yes
browseable = yes

However, when I try to read homes on samba 3.0.22
from Win, appears a window that has as username DARKSTAR/Guest
and ask me a password. Why does it ask me a password,
if I set share? And which can be that password
for guest, for it's nobody user?

Thanx!
M.


Re: [Samba] Win2k Master Browser believes Linux box is master browser

2006-07-20 Thread Mark Cooke


Cheers. This seems to fix the problem.

Thanks a lot

Mark

On 17 Jul 2006, at 16:26, Nanni X wrote:




Hi Mark,
I think you should set the os level directive to a low value  
( try 5 or 10). This directive instructs smb to have a low  
profile during the election of a new master browser.

Then add a line:

preferred master = NO

This line prevents the samba box to start a new election

Instead, when I set up a samba PDC I use values like 200+  and  
preferred master = YES to be sure (is it possible to be sure  
when you play with windoze?  ;-) ) the samba box becomes a master  
browser.


Perhaps the directive left open, without a value can be assumed as  
an high value. Really I don't know.


Let me know

hope this helps

Giovanni




[Samba] How to get login name of logged user?

2006-07-20 Thread [EMAIL PROTECTED]
Hello list.
Is there any way to get login name of a currently logged user on remote machine 
using samba?
I can get the list of all users with command smbclient -L host, but how do I 
know who of them logged now?
Thanks in advance.
Roman Gorohov.



[Samba] mount a window 2003 nfs share on a sun running solaris10

2006-07-20 Thread Don Rauenhorst

Hi

Is there a way to mount a shared 2.5 tb volume from 1 2003 windows onto a 
sun running solaris 10.

is there a simple way to do this with samba?

thanks donr
email [EMAIL PROTECTED]



Re: [Samba] Can't become connected user?

2006-07-20 Thread Dannenberg, Arne
Please note the part that I found in samba.doc.

Windows XP Professional
When attempting to join a domain, you receive the following error message:
Computer Name Changes: The following error occurred attempting to join the
domain MYDOMAIN: The specified network password is not correct.
Additionally, your Samba logfile (at debug level 1) reveals:
smbd/service.c:make_connection(): Can't become connected user!. This is
usually caused by improper registry settings in the client. Use Window's
Group Policy Editor (gpedit.msc) to make the following changes in the Local
Computer Policy\Computer Configuration\Windows Settings\Security
Settings\Local Policies\Security Options branch:
Disable: Domain member: Digitally encrypt or sign secure channel data
Disable: Domain member: Digitally sign secure channel data (when possible)




[Samba] Failed to set servicePrincipalNames (Samba+Solaris 10+NISplus+ADS+DNS)

2006-07-20 Thread Brian Gregg

When joining our Solaris 10 Samba 3.0.23 system to ADS via...

# /usr/local/samba/bin/net ads join -U Administrator
Administrator's password:

Using short domain name -- ULS
Failed to set servicePrincipalNames. Only NTLM authentication will be 
possible.

Please ensure that the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Joined 'KRAKEN' to realm 'ULS.NT.PITT.EDU'


Our Unix system FQDNS name is kraken.library.pitt.edu
Our Windows ADS realm is ULS.NT.PITT.EDU.
Our Active Directory DNS Tree starts at NT.PITT.EDU as we (Pitt) did not 
want to integrate the existing DNS tree with the Active Directory DNS 
Tree. An Option that is defined by Microsoft.


We can not put our UNIX system under the Active Directory Tree as it 
exists in a Solaris NIS+ configuration where the other UNIX systems are 
located in the library.pitt.edu DNS Tree.


Thus neither setting the DNS domain to the AD domain or vice versa is 
possible. 


My question is - given this setup what problems will we run into?

Thanks for any info.

Brian Gregg.

--

++--+
| Brian D. Gregg |  |
| Systems Analyst|  |
| University Library System  |  |
| University of Pittsburgh   |e-mail:  [EMAIL PROTECTED] |
| 7500 Thomas Blvd.  | voice:  412-244-7507 |
| Pittsburgh, PA 15208   |   fax:  412-244-7515 |
++--+
| Member:   |
| ASNP - Association of Storage Networking Professionals|
+---+
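
An added example, not part of the original thread and not Samba's or the domain controller's own logic: a simplified model of the two constraints described in the "Kerberos Keytab Code Update in 3.0.23" reply on this page (dNSHostName must lie within the AD realm, and each SPN must match dNSHostName), run on the host and realm names from the post above. The function names and the sample SPN are assumptions made for illustration.

```python
def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return [part for part in name.strip().rstrip(".").lower().split(".") if part]


def host_in_realm(dns_host_name, realm):
    """True when dns_host_name is a host strictly below the realm's DNS name.

    The comparison is label by label, so 'notuls.nt.pitt.edu' is not
    mistaken for a member of 'uls.nt.pitt.edu'.
    """
    host, zone = _labels(dns_host_name), _labels(realm)
    return bool(zone) and len(host) > len(zone) and host[-len(zone):] == zone


def spn_host(spn):
    """Return the host part of a 'service/host[:port][/servicename]' SPN."""
    parts = spn.split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError("not a service/host SPN: %r" % spn)
    return ".".join(_labels(parts[1].split(":")[0]))


def join_precheck(dns_host_name, realm, spns, domain_admin):
    """List the constraints a join would violate under this simplified model.

    A domain admin has full control of both attributes, so nothing is
    checked. A non-admin (or the machine itself) has validated-write
    access only, so both constraints apply.
    """
    if domain_admin:
        return []
    problems = []
    if not host_in_realm(dns_host_name, realm):
        problems.append("dNSHostName %s is outside realm %s"
                        % (dns_host_name, realm))
    wanted = ".".join(_labels(dns_host_name))
    for spn in spns:
        if spn_host(spn) != wanted:
            problems.append("SPN %s does not match dNSHostName %s"
                            % (spn, dns_host_name))
    return problems


# Host and realm names as given in the post; the SPN is a constructed sample.
HOST = "kraken.library.pitt.edu"
REALM = "ULS.NT.PITT.EDU"
SPNS = ["HOST/kraken.library.pitt.edu"]

if __name__ == "__main__":
    for admin in (False, True):
        found = join_precheck(HOST, REALM, SPNS, domain_admin=admin)
        print("domain_admin=%s -> %s" % (admin, found or "no violations"))
```
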





[Samba] programmatical retrieval of windows event logs from linux

2006-07-20 Thread dave
 Am a Linux guy and trying to support security monitoring for Windows  devices.
  Am trying to find a  programmatic way of pulling security and application logs
  from Windows machine.  OR it can be a push model where windows can generate
  events/traps. It should  all be built-in in windows with no external tool  
installation.
  
  Looks like there is  no NATIVE built in asynchronous event reporting from 
  windows  (2000/2003/xp)?
 It can be in terms of  SNMP Traps as well. 
  
  Given this,  one can  use Samba apis (rpcclient)  to  periodically pull the 
event logs
  from windows. Is there  any better way to accomplish the same programmatically
  using Push or Pull  model to get the security and application logs on  
windows from Linux ?


-Dave





[Samba] samba with ads

2006-07-20 Thread Barry Goldberg

Hi There,


I'm using samba 3.0.21c   with ADS.

getting the following error message


[EMAIL PROTECTED] ~]# smbclient -k -UAdministrator //192.168.1.45/Public
session setup failed: NT_STATUS_LOGON_FAILURE.


Please advise


[Samba] Clients fail to join domain, machine password not found

2006-07-20 Thread Yatima Meiji

I have setup a samba PDC+LDAP on our fileserver, which is housed in the
university's server room, so it is on a different subnet.  I give our client
machines the ip of the pdc as the wins server.  This allows our clients to
join the domain, but it fails with user name not found.  Checking the logs,
I see that Administrator was able to login, and the smbldap-tools script ran
and added the machine to the domain.  But before this even happens, it seems
samba looks for the machine password, and fails.  It's the only error that is
in the log.

I'm running Samba 3.0.22(Blastwave) on Solaris 10.  I've run the same
version on Linux(RHEL v4) to do the same job(before we moved the homes to
the fileserver) and didn't have any of these problems.  I've tried
everything I can think of, but still no go.  Any ideas?

The smb.conf:

[global]
   workgroup = CBI
   netbios name = Cajal
   enable privileges = yes
   interfaces = ce0 127.0.0.1
   server string = Cajal PDC %v
   security = user
   encrypt passwords = Yes
   log level = 2
   syslog = 0
   time server = yes

   domain logons = yes
   os level = 90
   preferred master = yes
   domain master = yes
   wins support = yes

   passdb backend = ldapsam:ldap://x.x.x
   ldap admin dn = cn=samba,ou=DSA,dc=x
   ldap suffix = dc=x
   ldap group suffix = ou=group
   ldap user suffix = ou=people
   ldap machine suffix = ou=machines
   ldap idmap suffix = ou=Idmap
   ldap passwd sync = Yes
   ldap ssl = start tls

   add user script = /opt/csw/sbin/smbldap-useradd -m %u
   add machine script = /opt/csw/sbin/smbldap-useradd -w %u
   add group script = /opt/csw/sbin/smbldap-groupadd -p %g
   add user to group script = /opt/csw/sbin/smbldap-groupmod -m %u %g
   delete user from group script = /opt/csw/sbin/smbldap-groupmod -x %u %g
   set primary group script = /opt/csw/sbin/smbldap-usermod -g %g %u


[Samba] RE: Q: winbindd, unqualfied users, name conflicts (a.k.a Deathto 'winbind use default domain'!)

2006-07-20 Thread Dave Daugherty
My opinion:

Local users should always take precedence. 

People should specifically refer to local users as
SambaHostName\localuser, if that is the form the SMB client insists on
sending.

Tacking on default domains and/or stripping domains to/from user names
and trying them out is playing fast and loose with user identity and
is a breeding ground for potential security holes.

Dave Daugherty


-Original Message-
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
org] On Behalf Of simo
Sent: Thursday, July 20, 2006 9:59 AM
To: Gerald (Jerry) Carter
Cc: Volker Lendecke; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Q: winbindd, unqualfied users,  name conflicts (a.k.a
Deathto 'winbind use default domain'!)

On Thu, 2006-07-20 at 11:35 -0500, Gerald (Jerry) Carter wrote:
 
 Volker,
 
 Assume I have a member server named LINUX joined to a
 domain name AD.  Now assume I have a local user named foo
 in my passdb and a user named foo in the domain as well.
 I'm modifying winbindd_util.c:parse_domain_user() to do
 a lookup_name() to try to figure out which domain to prepend
 to the username rather than just assuming its a domain user.
 But this means that we'll always choose the local user
 (due to the order of an isolated search in lookup_name()).
 
 The main problem is the use default domain abomination
 will confuse local and domain users of the same name and
 possibly return incorrect group membership.
 
 I am about a 1/2 inch from marking the smb.conf option
 as deprecated and adding similar option to pam_winbind.conf.
 This option just cannot work reliably.
 
 Do you have any suggestions?

I would just document that local users will always take precedence.

Winbind use default domain is too valuable to be removed imho.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



[Samba] NTConfig.pol /samba troubleshooting

2006-07-20 Thread bhermes
Hello,
I have (had) poledit/NTConfig.pol working on rhel4 for one of the labs,
it has winexit.scr and a custom adm that has worked fine. I have used
the net rpc groupmap to map users and root.  It doesn't appear the
configuration is being picked up on some machines for the next lab. Even
the base one . There is only Default User and Computer. Is there nt
group related issues I should be checking? I have heard nested groups do
not get picked up.
I get GID errors in samba machine logs (still)
users:@students, @labs etc
regards
Bruce Hermes
[EMAIL PROTECTED]


[Samba] an error User tftp in passdb, but getpwnam() fails!

2006-07-20 Thread Asaf Zaltzman

hi there

I'm trying to raise the smbd daemon

but I can't, and in the log I get an error... User tftp in passdb, but
getpwnam() fails!

Can you please give me an answer?



assaf


[Samba] SSH and winbind authentication on Solaris 10

2006-07-20 Thread Burris, Celeste Suliin
I've googled my heart out, but I cannot see an example of ssh authentication
with Active Directory and winbindd, particularly on Solaris 10. I have it
working on Solaris 8 with telnet, but I'm trying to break my users of
telnet.

Has anyone got it working? If so, would you be willing to share the global
section of your smb.conf and pam.conf with me?  Is there something I need to
put in one of the ssh configuration files?

Celeste Suliin Burris
Systems Administrator
Community and Economic Development Department
Phone - 253-591-5093
Email - [EMAIL PROTECTED]
URL   - http://www.cityofdestiny.com




Re: [Samba] Failed to set servicePrincipalNames (Samba+Solaris 10+NISplus+ADS+DNS)

2006-07-20 Thread Gerald (Jerry) Carter
Brian,

 # /usr/local/samba/bin/net ads join -U Administrator
 Administrator's password:
 
 Using short domain name -- ULS
 Failed to set servicePrincipalNames. Only NTLM authentication 
 will be possible.
 Please ensure that the DNS domain of this server matches 
 the AD domain, Or rejoin with using Domain Admin credentials.
 Joined 'KRAKEN' to realm 'ULS.NT.PITT.EDU'
  
 Our Unix system FQDNS name is kraken.library.pitt.edu
 Our Windows ADS realm is ULS.NT.PITT.EDU.
 Our Active Directory DNS Tree starts at NT.PITT.EDU as 
 we (Pitt) did not want to integrate the existing DNS
 tree with the Active Directory DNS Tree. An Option
 that is defined by Microsoft.
 
 We can not put our UNIX system under the Active Directory 
 Tree as it exists in a Solaris NIS+ configuration where
 the other UNIX systems are located in the library.pitt.edu DNS
 Tree.
 
 Thus neither setting the DNS domain to the AD domain 
 or vice versa is possible.  My question is - given this
 setup what problems will we run into?

Please send me a level 10 debug log from 'net ads join'.
You should be able to do this as a Domain Admin.
And please make sure that your /etc/hosts is not broken.





cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian


Re: [Samba] SSH and winbind authentication on Solaris 10

2006-07-20 Thread Gerald (Jerry) Carter
Burris, Celeste Suliin wrote:
 I've googled my heart out, but I cannot see an example 
 of ssh authentication with Active Directory and winbindd,
 particularly on Solaris 10. I have it working on Solaris
 8 with telnet, but I'm trying to break my users of
 telnet.

There's not much to it besides adding pam_winbind.so to
your pam file and making sure to set 'template shell'
to a valid shell on your system.  The default is
/bin/false.





cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --
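
The two settings named in the reply above (pam_winbind.so in the PAM stack, and a usable 'template shell'), checked by a small audit script. This is an added example, not part of the thread or of Samba; the sample smb.conf and pam.conf text, the `other` service name and the finding codes are constructed for illustration.

```python
import os
import re

# Constructed sample inputs (not taken from the thread).
SAMPLE_SMB_CONF = """\
[global]
   security = ADS
   ; no usable login shell for winbind users yet
   Template Shell = /bin/false
   template homedir = /home/%D/%U
[export]
   path = /export
   template shell = /bin/ksh
"""

# Solaris-style pam.conf layout: service, type, control flag, module path.
SAMPLE_PAM_CONF = """\
# service   type     control     module
other       auth     sufficient  /usr/lib/security/pam_winbind.so
other       auth     required    pam_unix_auth.so.1
other       account  required    pam_unix_account.so.1
"""

# Shells that accept the login and end the session immediately.
NOLOGIN_SHELLS = {"/bin/false", "/usr/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_smb_global(text):
    """Return {normalised parameter name: value} for the [global] section only."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # smb.conf line continuation
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names ignore case and internal whitespace.
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params


def pam_winbind_types(text, services):
    """Return the module types (auth, account, ...) that stack pam_winbind for `services`."""
    found = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue
        service, mtype, _control, module = fields[:4]
        if service.lower() in services and os.path.basename(module).startswith("pam_winbind.so"):
            found.add(mtype.lower())
    return found


def audit(smb_conf, pam_conf, services=("other",), shell_ok=None):
    """Return a list of (code, detail) findings; an empty list means both settings look right."""
    if shell_ok is None:
        shell_ok = lambda p: os.path.isfile(p) and os.access(p, os.X_OK)
    findings = []
    # Per the reply, an unset 'template shell' means /bin/false.
    shell = parse_smb_global(smb_conf).get("templateshell", "/bin/false")
    if shell in NOLOGIN_SHELLS:
        findings.append(("template-shell-nologin", shell))
    elif not shell_ok(shell):
        findings.append(("template-shell-missing", shell))
    wanted = {s.lower() for s in services}
    if "auth" not in pam_winbind_types(pam_conf, wanted):
        findings.append(("pam-winbind-not-in-auth", ",".join(sorted(wanted))))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_SMB_CONF, SAMPLE_PAM_CONF):
        print(f"{code}: {detail}")
```

Only the [global] value is read, so the `template shell` line placed under the constructed [export] share does not mask the /bin/false finding.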


[Samba] Can't access Samba server with NetBIOS Name but OK with IP

2006-07-20 Thread Yujie Liang
Hi, folks

I installed samba 3.0.21b-2 with winbind on a Fedora 5 server. I edited 5 files 
(shown below) and joined Windows AD with the net join ADS command.

It worked in the first month. I could access folders with appropriate 
permission. Then I found I couldn't access the server by keying in 
\\smbservername. A pop-up Windows box says Incorrect password or unknown 
user. I tried domain\domain-username, domain-username, userNo-in-getent-passwd 
but none of them worked. However, if I use its IP address such as \\10.10.10.2, 
it works as normal. I checked the DNS records. They all exist in the DNS server. I 
even keyed in the DNS record in all hosts files. But no difference.

I also noticed one thing. When I use Windows XP to check the security tab of the 
folder shared on this FC5, I can see AD username, AD group name and everyone, 
which stand for user, group and others. All check-boxes in front of these 
username, groupname and everyone are un-checked even if I can access the 
folders.

What did I do wrong? Shall I edit /etc/pam.d/login file as well? How?

Here is my current /etc/pam.d/login
#%PAM-1.0
auth       required     pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth

Thanks for any comment,
 
Yujie



==Fstab==

LABEL=/home /home   ext3    defaults,acl    1 2



==Nsswitch.conf===

passwd: files winbind
shadow: files
group:  files winbind
hosts:  files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   nisplus
publickey:  nisplus
automount:  files nisplus
aliases:    files nisplus


=Krb5.conf=

[libdefaults]
 default_realm = COMPANY.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
[realms]
 COMPANY.COM = {
  kdc = adserver.company.com:88
  admin_server = adserver.company.com:749
  default_domain = company.com
 }
[domain_realm]
 .example.com = COMPANY.COM
 example.com = COMPANY.COM
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }


=/etc/samba/smb.conf

   security = ADS   
   template shell = /bin/false
   template homedir = /home/%D/%U
   idmap uid = 1-2
   idmap gid = 1-2
   enhanced browsing = no
   winbind use default domain = yes


===hosts==
10.10.10.2   fc5.company.com fc5


Re: [Samba] SSH and winbind authentication on Solaris 10

2006-07-20 Thread Burris, Celeste Suliin
The answer is (weird) you cannot log in the first time from PUTTY. I brought
my guinea pig to my Mac, had her log in via SSH one time, and now she can
log in from putty.


On 7/20/06 6:39 PM, Gerald (Jerry) Carter [EMAIL PROTECTED] wrote:

 Burris, Celeste Suliin wrote:
 I've googled my heart out, but I cannot see an example
 of ssh authentication with Active Directory and winbindd,
 particularly on Solaris 10. I have it working on Solaris
 8 with telnet, but I'm trying to break my users of
 telnet.
 
 There's not much to it besides adding pam_winbind.so to
 your pam file and making sure to set 'template shell'
 to a valid shell on your system.  The default is
 /bin/false.
 
 
 
 
 
 cheers, jerry
 =
 Samba--- http://www.samba.org
 Centeris ---  http://www.centeris.com
 What man is a man who does not make the world better?  --


[Samba] Problem with tdb files.

2006-07-20 Thread Latrell

Hi All:

I have problems maintaining tdb files. From the samba doc, these files are 
classified into persistent and temporary. From the man page of smbd, these 
files are classified into persistent and not. However, there are some files 
that need no backup but need to be persistent (netsamlogon_cache.tdb), and 
some files that need backup but need not be persistent (registry.tdb). There 
are also some .dat files mentioned in the samba FAQ that need to be deleted 
in particular cases (change ip address).


How can I maintain these tdb/dat files? Which files need to be deleted 
when samba restarts? Which files should be kept and backed up regularly? I 
believe some tdb files can't be kept because of size problems. I also noticed 
joining a domain would have problems if browse.dat and gencache.tdb keep wrong 
data. Please give me some advice.


Thanks in advance,
Latrell.



svn commit: samba r17154 - in branches/tmp/vl-messaging/source/lib: .

2006-07-20 Thread jmcd
Author: jmcd
Date: 2006-07-20 09:37:44 + (Thu, 20 Jul 2006)
New Revision: 17154

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17154

Log:
From Aleksey Fedoseev:
- add some more debug
- correct the unpacking functions
- one shared database can be used now by multiple processes
- refactor & clean database messages processing

as a result: now smbd with locking via lockd passes tests on a
single node server.

Modified:
   branches/tmp/vl-messaging/source/lib/dbwrap_msg.c


Changeset:
Sorry, the patch is too large (885 lines) to include; please use WebSVN to see 
it!
WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17154


svn commit: samba r17155 - in branches/tmp/vl-messaging/source: . include libads passdb rpc_parse rpc_server services smbd utils

2006-07-20 Thread vlendec
Author: vlendec
Date: 2006-07-20 12:17:13 + (Thu, 20 Jul 2006)
New Revision: 17155

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17155

Log:
merge -r17132:17154
Modified:
   branches/tmp/vl-messaging/source/Makefile.in
   branches/tmp/vl-messaging/source/configure.in
   branches/tmp/vl-messaging/source/include/ads_dns.h
   branches/tmp/vl-messaging/source/libads/dns.c
   branches/tmp/vl-messaging/source/passdb/pdb_interface.c
   branches/tmp/vl-messaging/source/passdb/pdb_ldap.c
   branches/tmp/vl-messaging/source/passdb/pdb_tdb.c
   branches/tmp/vl-messaging/source/rpc_parse/parse_lsa.c
   branches/tmp/vl-messaging/source/rpc_server/srv_samr_nt.c
   branches/tmp/vl-messaging/source/services/svc_winreg.c
   branches/tmp/vl-messaging/source/smbd/open.c
   branches/tmp/vl-messaging/source/utils/net_ads.c


Changeset:
Sorry, the patch is too large (1152 lines) to include; please use WebSVN to see 
it!
WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17155


svn commit: samba r17156 - in branches/SAMBA_4_0/source/lib/talloc: .

2006-07-20 Thread metze
Author: metze
Date: 2006-07-20 12:51:42 + (Thu, 20 Jul 2006)
New Revision: 17156

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17156

Log:
check for the size of a pointer

metze
Modified:
   branches/SAMBA_4_0/source/lib/talloc/config.m4


Changeset:
Modified: branches/SAMBA_4_0/source/lib/talloc/config.m4
===
--- branches/SAMBA_4_0/source/lib/talloc/config.m4  2006-07-20 12:17:13 UTC 
(rev 17155)
+++ branches/SAMBA_4_0/source/lib/talloc/config.m4  2006-07-20 12:51:42 UTC 
(rev 17156)
@@ -11,3 +11,4 @@
 AC_CHECK_SIZEOF(off_t,cross)
 AC_CHECK_SIZEOF(size_t,cross)
 AC_CHECK_SIZEOF(ssize_t,cross)
+AC_CHECK_SIZEOF(void *,cross)



svn commit: samba r17157 - in branches/SAMBA_4_0/source/lib/talloc: .

2006-07-20 Thread metze
Author: metze
Date: 2006-07-20 14:35:41 + (Thu, 20 Jul 2006)
New Revision: 17157

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17157

Log:
bail out if sizeof(size_t) < sizeof(void *)

metze
Modified:
   branches/SAMBA_4_0/source/lib/talloc/config.m4


Changeset:
Modified: branches/SAMBA_4_0/source/lib/talloc/config.m4
===
--- branches/SAMBA_4_0/source/lib/talloc/config.m4  2006-07-20 12:51:42 UTC 
(rev 17156)
+++ branches/SAMBA_4_0/source/lib/talloc/config.m4  2006-07-20 14:35:41 UTC 
(rev 17157)
@@ -12,3 +12,7 @@
 AC_CHECK_SIZEOF(size_t,cross)
 AC_CHECK_SIZEOF(ssize_t,cross)
 AC_CHECK_SIZEOF(void *,cross)
+
+if test $ac_cv_sizeof_size_t -lt $ac_cv_sizeof_void_p; then
+   AC_ERROR([sizeof(size_t)  sizeof(void *)])
+fi
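
Review bot: the `test $ac_cv_sizeof_size_t -lt $ac_cv_sizeof_void_p` comparison only works when both cache variables hold integers. The `AC_CHECK_SIZEOF(..., cross)` lines above pass `cross` as their second argument, and if that placeholder ever ends up in the variables, `test` fails with a non-integer error and the `if` quietly takes the false branch, so the bail-out never fires. Quote both variables and handle the non-numeric case explicitly, for example by failing or by printing a warning that the check was skipped.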



svn commit: samba r17158 - in branches: SAMBA_3_0/source/utils SAMBA_3_0_23/source/utils

2006-07-20 Thread jerry
Author: jerry
Date: 2006-07-20 14:39:06 + (Thu, 20 Jul 2006)
New Revision: 17158

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17158

Log:
Add two new options to 'net ads join'

  * [EMAIL PROTECTED]
  * createcomputer=ou path top to bottom (this was previously
the only arg)


Modified:
   branches/SAMBA_3_0/source/utils/net_ads.c
   branches/SAMBA_3_0_23/source/utils/net_ads.c


Changeset:
Modified: branches/SAMBA_3_0/source/utils/net_ads.c
===
--- branches/SAMBA_3_0/source/utils/net_ads.c   2006-07-20 14:35:41 UTC (rev 
17157)
+++ branches/SAMBA_3_0/source/utils/net_ads.c   2006-07-20 14:39:06 UTC (rev 
17158)
@@ -928,7 +928,7 @@
 static ADS_STATUS net_set_machine_spn(TALLOC_CTX *ctx, ADS_STRUCT *ads_s )
 {
ADS_STATUS status = ADS_ERROR(LDAP_SERVER_DOWN);
-   char *host_upn, *new_dn;
+   char *new_dn;
ADS_MODLIST mods;
const char *servicePrincipalName[3] = {NULL, NULL, NULL};
char *psp;
@@ -964,9 +964,7 @@
return ADS_ERROR(LDAP_NO_MEMORY);
}
 
-   /* Windows only creates HOST/shortname  HOST/fqdn.  We create 
-  the UPN as well so that 'kinit -k' will work.  You can only 
-  request a TGT for entries with a UPN in AD. */
+   /* Windows only creates HOST/shortname  HOST/fqdn. */
   
if ( !(psp = talloc_asprintf(ctx, HOST/%s, machine_name)) ) 
goto done;
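
Review bot: the trimmed comment above the `HOST/%s` allocation drops the only explanation of why a UPN matters here ('kinit -k' needs one, and a TGT can only be requested for AD entries that have a UPN). Move that sentence to the new UPN helper added in the next hunk instead of deleting it, so the reason for setting userPrincipalName stays in the source.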
@@ -979,9 +977,63 @@
goto done;
servicePrincipalName[1] = psp;

-   if (!(host_upn = talloc_asprintf(ctx, [EMAIL PROTECTED], 
servicePrincipalName[0], ads_s-config.realm)))
+   if (!(mods = ads_init_mods(ctx))) {
goto done;
+   }
+   
+   /* fields of primary importance */
+   
+   ads_mod_str(ctx, mods, dNSHostName, my_fqdn);
+   ads_mod_strlist(ctx, mods, servicePrincipalName, 
servicePrincipalName);
 
+   status = ads_gen_mod(ads_s, new_dn, mods);
+
+done:
+   ads_msgfree(ads_s, res);
+   
+   return status;
+}
+
+/***
+ Set a machines dNSHostName and servicePrincipalName attributes
+ /
+
+static ADS_STATUS net_set_machine_upn(TALLOC_CTX *ctx, ADS_STRUCT *ads_s, 
const char *upn )
+{
+   ADS_STATUS status = ADS_ERROR(LDAP_SERVER_DOWN);
+   char *new_dn;
+   ADS_MODLIST mods;
+   LDAPMessage *res = NULL;
+   char *dn_string = NULL;
+   const char *machine_name = global_myname();
+   int count;
+   
+   if ( !machine_name ) {
+   return ADS_ERROR(LDAP_NO_MEMORY);
+   }
+   
+   /* Find our DN */
+   
+   status = ads_find_machine_acct(ads_s, (void **)(void *)res, 
machine_name);
+   if (!ADS_ERR_OK(status)) 
+   return status;
+   
+   if ( (count = ads_count_replies(ads_s, res)) != 1 ) {
+   DEBUG(1,(net_set_machine_spn: %d entries returned!\n, count));
+   return ADS_ERROR(LDAP_NO_MEMORY);   
+   }
+   
+   if ( (dn_string = ads_get_dn(ads_s, res)) == NULL ) {
+   DEBUG(1, (ads_add_machine_acct: ads_get_dn returned NULL 
(malloc failure?)\n));
+   goto done;
+   }
+   
+   new_dn = talloc_strdup(ctx, dn_string);
+   ads_memfree(ads_s, dn_string);
+   if (!new_dn) {
+   return ADS_ERROR(LDAP_NO_MEMORY);
+   }
+   
/* now do the mods */

if (!(mods = ads_init_mods(ctx))) {
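
Review bot: in the new `net_set_machine_upn()`, the `goto done` taken when `ads_get_dn()` returns NULL leaves `status` holding the successful result of `ads_find_machine_acct()`, so if `done:` returns `status` as it does in `net_set_machine_spn()`, the caller sees success although no UPN was written; set an error status before the jump. The two early `return ADS_ERROR(LDAP_NO_MEMORY)` paths (wrong reply count, failed `talloc_strdup`) also skip the `ads_msgfree()` that `done:` performs in `net_set_machine_spn()`, and the reply-count case is not a memory error. The header comment and both DEBUG strings are copied from other functions (they name dNSHostName/servicePrincipalName, `net_set_machine_spn` and `ads_add_machine_acct`) and should name this one.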
@@ -990,8 +1042,7 @@

/* fields of primary importance */

-   ads_mod_str(ctx, mods, dNSHostName, my_fqdn);
-   ads_mod_strlist(ctx, mods, servicePrincipalName, 
servicePrincipalName);
+   ads_mod_str(ctx, mods, userPrincipalName, upn);
 
status = ads_gen_mod(ads_s, new_dn, mods);
 
@@ -1001,7 +1052,6 @@
return status;
 }
 
-
 /***
   join a domain using ADS (LDAP mods)
  /
@@ -1089,6 +1139,19 @@
return kerberos_secrets_store_des_salt( salt );
 }
 
+/*
+ utility function to parse an integer parameter from 
+ parameter = value
+**/
+static char* get_string_param( const char* param )
+{
+   char *p;
+   
+   if ( (p = strchr( param, '=' )) == NULL )
+   return NULL;
+   
+   return (p+1);
+}
 /***
   join a domain using ADS (LDAP mods)
  /
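
Review bot: `get_string_param()` is documented as parsing an integer parameter but returns the string after `=`, so the comment should be corrected. It also returns a non-const `char *` into the `const char *param` it was given, and for an argument that ends right after the `=` it returns a pointer to an empty string rather than NULL. Make the return type `const char *` and have the helper or its callers reject the empty value.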
@@ -1103,6 +1166,10 @@
struct cldap_netlogon_reply cldap_reply;
TALLOC_CTX *ctx;
DOM_SID 

svn commit: samba r17159 - in branches: SAMBA_3_0/source/nsswitch SAMBA_3_0_23/source/nsswitch

2006-07-20 Thread jerry
Author: jerry
Date: 2006-07-20 18:02:51 + (Thu, 20 Jul 2006)
New Revision: 17159

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17159

Log:
Bug 3920: Restore winbind use default domain behavior for domain groups.
This breaks local users and 'winbind nested groups' on domain members.
Cannot be helped.  

My plan is to move the default domain crud to the client code (pam and 
nss libraries) in 3.0.24.


Modified:
   branches/SAMBA_3_0/source/nsswitch/winbindd_group.c
   branches/SAMBA_3_0/source/nsswitch/winbindd_util.c
   branches/SAMBA_3_0_23/source/nsswitch/winbindd_group.c
   branches/SAMBA_3_0_23/source/nsswitch/winbindd_util.c


Changeset:
Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_group.c
===
--- branches/SAMBA_3_0/source/nsswitch/winbindd_group.c 2006-07-20 14:39:06 UTC 
(rev 17158)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_group.c 2006-07-20 18:02:51 UTC 
(rev 17159)
@@ -41,16 +41,9 @@
   const char *gr_name, gid_t unix_gid)
 {
fstring full_group_name;
-   BOOL can_assume = False;
 
-   /* I *hate* winbind use default domain Somehow I will figure out 
-  how to remove this parameter.-jerry */
+   fill_domain_username( full_group_name, dom_name, gr_name, True );
 
-   if ( (lp_server_role() == ROLE_DOMAIN_MEMBER)  strequal(dom_name, 
lp_workgroup() ) )
-   can_assume = True;
-
-   fill_domain_username( full_group_name, dom_name, gr_name, can_assume);
-
gr-gr_gid = unix_gid;
 
/* Group name and password */
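
Review bot: passing `True` unconditionally to `fill_domain_username()` here removes the `ROLE_DOMAIN_MEMBER` and `lp_workgroup()` checks that decided when the domain prefix may be dropped, and the commit log itself says this breaks local users and 'winbind nested groups' on domain members. Since a domain group can then be reported under the same bare name as a local group, leave a comment at this call stating which one wins and that the behaviour is a deliberate trade-off for bug 3920, so the next reader does not restore the old check by accident.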
@@ -153,7 +146,7 @@
 
/* Append domain name */
 
-   fill_domain_username(name, domain-name, the_name, False);
+   fill_domain_username(name, domain-name, the_name, True);
 
len = strlen(name);

@@ -759,7 +752,7 @@
/* Fill in group entry */
 
fill_domain_username(domain_group_name, ent-domain_name, 
-name_list[ent-sam_entry_index].acct_name, False);
+name_list[ent-sam_entry_index].acct_name, True);
 
result = fill_grent(group_list[group_list_ndx], 
ent-domain_name,
@@ -936,7 +929,7 @@
groups.sam_entries)[i].acct_name; 
fstring name;
 
-   fill_domain_username(name, domain-name, group_name, 
False);
+   fill_domain_username(name, domain-name, group_name, 
True);
/* Append to extra data */  
memcpy(extra_data[extra_data_len], name, 
strlen(name));

Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_util.c
===
--- branches/SAMBA_3_0/source/nsswitch/winbindd_util.c  2006-07-20 14:39:06 UTC 
(rev 17158)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_util.c  2006-07-20 18:02:51 UTC 
(rev 17159)
@@ -812,14 +812,28 @@
 
 /* Is this a domain which we may assume no DOMAIN\ prefix? */
 
-static BOOL assume_domain(const char *domain) {
-   if ((lp_winbind_use_default_domain()  
- || lp_winbind_trusted_domains_only()) 
-   strequal(lp_workgroup(), domain)) 
-   return True;
+static BOOL assume_domain(const char *domain)
+{
+   /* never assume the domain on a standalone server */
 
-   if (strequal(get_global_sam_name(), domain)) 
+   if ( lp_server_role() == ROLE_STANDALONE )
+   return False;
+
+   /* domain member servers may possibly assume for the domain name */
+
+   if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
+   if ( !strequal(lp_workgroup(), domain) )
+   return False;
+
+   if ( lp_winbind_use_default_domain() || 
lp_winbind_trusted_domains_only() )
+   return True;
+   } 
+
+   /* only left with a domain controller */
+
+   if ( strequal(get_global_sam_name(), domain) )  {
return True;
+   }

return False;
 }
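
Review bot: in the rewritten `assume_domain()`, a domain member whose workgroup matches but which has neither `lp_winbind_use_default_domain()` nor `lp_winbind_trusted_domains_only()` set falls out of the `ROLE_DOMAIN_MEMBER` block and reaches the `get_global_sam_name()` comparison, so the comment 'only left with a domain controller' is not true for that path. Add an explicit `return False;` at the end of the member block, or reword the comment to say that members are compared against the global SAM name as well.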
@@ -832,7 +846,7 @@
 
if ( !p ) {
fstrcpy(user, domuser);
-   
+
if ( assume_domain(lp_workgroup())) {
fstrcpy(domain, lp_workgroup());
} else {

Modified: branches/SAMBA_3_0_23/source/nsswitch/winbindd_group.c
===
--- branches/SAMBA_3_0_23/source/nsswitch/winbindd_group.c  2006-07-20 
14:39:06 UTC (rev 17158)
+++ branches/SAMBA_3_0_23/source/nsswitch/winbindd_group.c  2006-07-20 
18:02:51 UTC (rev 17159)
@@ -42,7 +42,7 @@
 {
fstring full_group_name;
 
-   fill_domain_username( full_group_name, dom_name, gr_name, False);
+   fill_domain_username( 

svn commit: samba r17160 - in branches/SAMBA_3_0_23/source/auth: .

2006-07-20 Thread jerry
Author: jerry
Date: 2006-07-20 19:15:49 + (Thu, 20 Jul 2006)
New Revision: 17160

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17160

Log:
merge r17022 from SAMBA_3_0.  Thanks to Thomas Bork for pointing this out
Modified:
   branches/SAMBA_3_0_23/source/auth/auth_util.c


Changeset:
Modified: branches/SAMBA_3_0_23/source/auth/auth_util.c
===
--- branches/SAMBA_3_0_23/source/auth/auth_util.c   2006-07-20 18:02:51 UTC 
(rev 17159)
+++ branches/SAMBA_3_0_23/source/auth/auth_util.c   2006-07-20 19:15:49 UTC 
(rev 17160)
@@ -955,7 +955,8 @@
return NT_STATUS_NO_MEMORY;
}
 
-   if (server_info-was_mapped) {
+   if (((lp_server_role() == ROLE_DOMAIN_MEMBER)  !winbind_ping()) || 
+   server_info-was_mapped) {
status = create_token_from_username(server_info,
server_info-unix_name,
server_info-guest,
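
Review bot: the new condition calls `winbind_ping()` on every pass through this token-creation path on a domain member, and when winbindd does not answer it switches to `create_token_from_username()` without leaving any trace in the logs. Add a comment explaining why an unreachable winbindd is treated like `was_mapped`, and a DEBUG line on that branch so an administrator can tell from the log that tokens were built from the unix name while winbindd was down.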



svn commit: samba r17161 - in branches/SAMBA_3_0_RELEASE/source: auth nsswitch passdb rpc_server smbd utils

2006-07-20 Thread jerry
Author: jerry
Date: 2006-07-20 19:44:11 + (Thu, 20 Jul 2006)
New Revision: 17161

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17161

Log:
sync files from SAMBA_3_0_23 branch
Modified:
   branches/SAMBA_3_0_RELEASE/source/auth/auth_util.c
   branches/SAMBA_3_0_RELEASE/source/nsswitch/winbindd_group.c
   branches/SAMBA_3_0_RELEASE/source/nsswitch/winbindd_util.c
   branches/SAMBA_3_0_RELEASE/source/passdb/pdb_interface.c
   branches/SAMBA_3_0_RELEASE/source/passdb/pdb_ldap.c
   branches/SAMBA_3_0_RELEASE/source/passdb/pdb_tdb.c
   branches/SAMBA_3_0_RELEASE/source/rpc_server/srv_samr_nt.c
   branches/SAMBA_3_0_RELEASE/source/smbd/open.c
   branches/SAMBA_3_0_RELEASE/source/utils/net_ads.c


Changeset:
Sorry, the patch is too large (888 lines) to include; please use WebSVN to see 
it!
WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17161


svn commit: samba r17162 - in branches: SAMBA_3_0/source/libsmb SAMBA_3_0/source/nsswitch SAMBA_3_0_23/source/libsmb SAMBA_3_0_23/source/nsswitch SAMBA_3_0_RELEASE/source/libsmb SAMBA_3_0_RELEASE/sour

2006-07-20 Thread jerry
Author: jerry
Date: 2006-07-20 20:23:04 + (Thu, 20 Jul 2006)
New Revision: 17162

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17162

Log:
Fix small typos noticed by Paul Green.


Modified:
   branches/SAMBA_3_0/source/libsmb/clikrb5.c
   branches/SAMBA_3_0/source/nsswitch/winbindd_nss.h
   branches/SAMBA_3_0_23/source/libsmb/clikrb5.c
   branches/SAMBA_3_0_23/source/nsswitch/winbindd_nss.h
   branches/SAMBA_3_0_RELEASE/source/libsmb/clikrb5.c
   branches/SAMBA_3_0_RELEASE/source/nsswitch/winbindd_nss.h


Changeset:
Modified: branches/SAMBA_3_0/source/libsmb/clikrb5.c
===
--- branches/SAMBA_3_0/source/libsmb/clikrb5.c  2006-07-20 19:44:11 UTC (rev 
17161)
+++ branches/SAMBA_3_0/source/libsmb/clikrb5.c  2006-07-20 20:23:04 UTC (rev 
17162)
@@ -112,7 +112,7 @@
 
 #ifndef HAVE_KRB5_SET_REAL_TIME
 /*
- * Thir function is not in the Heimdal mainline.
+ * This function is not in the Heimdal mainline.
  */
  krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, 
int32_t microseconds)
 {

Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_nss.h
===
--- branches/SAMBA_3_0/source/nsswitch/winbindd_nss.h   2006-07-20 19:44:11 UTC 
(rev 17161)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_nss.h   2006-07-20 20:23:04 UTC 
(rev 17162)
@@ -45,7 +45,7 @@
 #if defined(uint64)
 #  define SMB_TIME_T uint64
 #else
-#  define SMB_TIME_t time_t
+#  define SMB_TIME_T time_t
 #endif
 
 /* Socket commands */

Modified: branches/SAMBA_3_0_23/source/libsmb/clikrb5.c
===
--- branches/SAMBA_3_0_23/source/libsmb/clikrb5.c   2006-07-20 19:44:11 UTC 
(rev 17161)
+++ branches/SAMBA_3_0_23/source/libsmb/clikrb5.c   2006-07-20 20:23:04 UTC 
(rev 17162)
@@ -112,7 +112,7 @@
 
 #ifndef HAVE_KRB5_SET_REAL_TIME
 /*
- * Thir function is not in the Heimdal mainline.
+ * This function is not in the Heimdal mainline.
  */
  krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, 
int32_t microseconds)
 {

Modified: branches/SAMBA_3_0_23/source/nsswitch/winbindd_nss.h
===
--- branches/SAMBA_3_0_23/source/nsswitch/winbindd_nss.h2006-07-20 
19:44:11 UTC (rev 17161)
+++ branches/SAMBA_3_0_23/source/nsswitch/winbindd_nss.h2006-07-20 
20:23:04 UTC (rev 17162)
@@ -45,7 +45,7 @@
 #if defined(uint64)
 #  define SMB_TIME_T uint64
 #else
-#  define SMB_TIME_t time_t
+#  define SMB_TIME_T time_t
 #endif
 
 /* Socket commands */

Modified: branches/SAMBA_3_0_RELEASE/source/libsmb/clikrb5.c
===
--- branches/SAMBA_3_0_RELEASE/source/libsmb/clikrb5.c  2006-07-20 19:44:11 UTC 
(rev 17161)
+++ branches/SAMBA_3_0_RELEASE/source/libsmb/clikrb5.c  2006-07-20 20:23:04 UTC 
(rev 17162)
@@ -112,7 +112,7 @@
 
 #ifndef HAVE_KRB5_SET_REAL_TIME
 /*
- * Thir function is not in the Heimdal mainline.
+ * This function is not in the Heimdal mainline.
  */
  krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, 
int32_t microseconds)
 {

Modified: branches/SAMBA_3_0_RELEASE/source/nsswitch/winbindd_nss.h
===
--- branches/SAMBA_3_0_RELEASE/source/nsswitch/winbindd_nss.h   2006-07-20 
19:44:11 UTC (rev 17161)
+++ branches/SAMBA_3_0_RELEASE/source/nsswitch/winbindd_nss.h   2006-07-20 
20:23:04 UTC (rev 17162)
@@ -45,7 +45,7 @@
 #if defined(uint64)
 #  define SMB_TIME_T uint64
 #else
-#  define SMB_TIME_t time_t
+#  define SMB_TIME_T time_t
 #endif
 
 /* Socket commands */



svn commit: samba r17163 - in branches/SAMBA_3_0_RELEASE: . source

2006-07-20 Thread jerry
Author: jerry
Date: 2006-07-20 20:35:26 + (Thu, 20 Jul 2006)
New Revision: 17163

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17163

Log:
correct version and save draft of release notes
Modified:
   branches/SAMBA_3_0_RELEASE/WHATSNEW.txt
   branches/SAMBA_3_0_RELEASE/source/VERSION


Changeset:
Modified: branches/SAMBA_3_0_RELEASE/WHATSNEW.txt
===
--- branches/SAMBA_3_0_RELEASE/WHATSNEW.txt 2006-07-20 20:23:04 UTC (rev 
17162)
+++ branches/SAMBA_3_0_RELEASE/WHATSNEW.txt 2006-07-20 20:35:26 UTC (rev 
17163)
@@ -1,13 +1,41 @@
-   ==
-   Release Notes for Samba 3.0.23
-Jul 10, 2006
-   ==
+   ===
+   Release Notes for Samba 3.0.23a
+ Jul 21, 2006
+   ===
 
 This is the latest stable release of Samba. This is the version 
 that production Samba servers should be running for all current 
 bug-fixes.  Please read the changes in this section for details on 
 new features and difference in behavior from previous releases.
 
+
+##
+Changes
+###
+
+Changes since 3.0.23
+
+
+commits
+---
+o   Jeremy Allison [EMAIL PROTECTED]
+
+o   Gerald (Jerry) Carter [EMAIL PROTECTED]
+
+o   Guenther Deschner [EMAIL PROTECTED]
+
+o   Volker Lendecke [EMAIL PROTECTED]
+
+
+Release Notes for older release follow:
+
+  --
+
+   ==
+   Release Notes for Samba 3.0.23
+Jul 10, 2006
+   ==
+
 There has been a substantial amount of cleanup work done during 
 this development cycle.  We would like to thank both Coverity 
 (http://www.coverity.com/) and Klocwork (http://www.klocwork.com/)
@@ -155,68 +183,12 @@
 wins partners  Removed
 
 
-Changes since 3.0.23rc3

+Changes since 3.0.22
+
 
 commits
 ---
 o   Jeremy Allison [EMAIL PROTECTED]
-* BUG 3858: Ensure that all files are removed by a wildcard 
-  delete when 'hide unreadable = yes'.
-* Fix various issues raised by the Klocwork code analyzer.
-* Fix nmbd WINS serving bug causing duplicate IPs in the *1b 
-  query reply (enhanced browsing = yes).
-* Fix SMB signing failures in client tools.
-* BUG 3909: Avoid EA lookups on MS-DFS links.
-
-
-o   Nicholas Brealey [EMAIL PROTECTED]
-* Compile fix for pam_winbind.
-
-
-o   Gerald (Jerry) Carter [EMAIL PROTECTED]
-* Use system provided killproc() in RedHat init scripts for 
-  more robust shutdown.
-* Fix a crash in the printer publishing code when adding a 
-  new printer via the APW.
-* Fix broken compile of unsupported smbwrapper utility.
-* BUG 3905: Fix smbd startup failure caused by a failure to
-  create an NT token for the guest account.
-* BUG 3908: Fix RPC bind authentication failure which broke
-  user password changes.
-* Ensure that net ads join reports failure correctly if
-  it cannot set the machine account password.
-
-
-o   Guenther Deschner [EMAIL PROTECTED]
-* Fix different extended_dn handling in adssearch.pl
-  (Thanks to Frederic Brin at Novell).
-* Fix a memleak in winbindd's credentials cache.
-* Protect against crashes in CLDAP request processing.
-* Remove incomplete DfsEnum() info level to avoid an smbd crash.
-
-
-o   Volker Lendecke [EMAIL PROTECTED]
-* Fix a memleak in the server registry code for enumeration 
-  shares.
-* Fix an invalid munlock() call in winbindd's credentials cache.
-* Fix compile warnings when passing NULL to snprintf().
-* BUG 3915: Fall back to a pure unix user with S-1-22 SIDs in the
-  token in case anything weird is going on with the 'force user'.
-* CVE-2006-3403: Fix minor memory exhaustion DoS in smbd.
-
-
-o   Jason Mader [EMAIL PROTECTED]
-* Compiler warning fixes.
-
-
-o   Simo Sorce [EMAIL PROTECTED]
-* Set the correct sid type when looking up a gid.
-
-
-Changes since 3.0.22
-
-o   Jeremy Allison [EMAIL PROTECTED]
 * Fixes for various Klocwork defect reports.
 * Cleanup pdb_get_XXX() methods and ensure that a failure
   to allocate memory for a samu user structure is reported 
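
Review bot: this hunk deletes the whole 'Changes since 3.0.23rc3' list, including the `CVE-2006-3403` entry under Volker Lendecke, apparently so the entries can be merged into 'Changes since 3.0.22'. The following hunk starts re-adding the BUG 3858 entry but is cut off here, so check that every removed line, the CVE entry in particular, reappears in the merged list; a security fix should not drop out of the release notes during a reshuffle.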
@@ -313,6 +285,13 @@
   read fails (inspired by Justin Best).
 * BUG 3668: Workaround Windows bug with LARGE_READX where if 
   you ask for exactly 64k bytes it returns 0.
+* BUG 3858: Ensure that all files are removed by a wildcard 
+  delete when 'hide unreadable = yes'.
+* Fix various issues raised by the 

svn commit: samba r17164 - in tags: .

2006-07-20 Thread jerry
Author: jerry
Date: 2006-07-20 20:49:06 + (Thu, 20 Jul 2006)
New Revision: 17164

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17164

Log:
tagging final real copy of trunk for posterity (and svn annotate)


Added:
   tags/trunk-final-update/


Changeset:
Copied: tags/trunk-final-update (from rev 17033, trunk)



svn commit: samba r17165 - in branches/SAMBA_3_0_RELEASE: .

2006-07-20 Thread jerry
Author: jerry
Date: 2006-07-20 21:22:06 + (Thu, 20 Jul 2006)
New Revision: 17165

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17165

Log:
more changes to the release notes
Modified:
   branches/SAMBA_3_0_RELEASE/WHATSNEW.txt


Changeset:
Modified: branches/SAMBA_3_0_RELEASE/WHATSNEW.txt
===
--- branches/SAMBA_3_0_RELEASE/WHATSNEW.txt 2006-07-20 20:49:06 UTC (rev 
17164)
+++ branches/SAMBA_3_0_RELEASE/WHATSNEW.txt 2006-07-20 21:22:06 UTC (rev 
17165)
@@ -5,10 +5,28 @@
 
 This is the latest stable release of Samba. This is the version 
 that production Samba servers should be running for all current 
-bug-fixes.  Please read the changes in this section for details on 
-new features and difference in behavior from previous releases.
+bug-fixes.  Please read the changes in this section and for the 
+original 3.0.23 release regarding new features and difference 
+in behavior from previous releases.
 
+Common bugs fixed in 3.0.23a include:
 
+  o Failure to strip the domain name from groups when 'winbind 
+use default domain = yes'
+  o Failure in pam_winbind to correctly parse arguments.
+  o Bad token creation of local users on member servers not 
+running winbindd.
+  o Failure to add users or groups to ACLs using the Windows
+object picker.
+
+New features in 3.0.23a include:
+
+  o New createupn option to net ads join
+  o Rewritten Kerberos keytab generation when 'use kerberos 
+keytab = yes'
+
+
+
 ##
 Changes
 ###
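Review bot: The rewritten sentence "Please read the changes in this section and for the original 3.0.23 release regarding new features and difference in behavior" does not parse cleanly. Something like "Please read the changes in this section and in the original 3.0.23 release notes for new features and differences in behavior" says the same thing. The summary also lists only createupn under new features, while the per-author list below changes the 'net ads join' syntax for an alternate OU (createcomputer=); a syntax change that affects existing join scripts belongs in this summary too.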
@@ -19,14 +37,64 @@
 commits
 ---
 o   Jeremy Allison [EMAIL PROTECTED]
+* Fix memory leaks in the POSIX locking for for the Linux CIFS fs 
+  client.
+* Fix memory leaks in the AD schema parsing code.
+* Fixed bug in interaction with Linux kernel oplocks.
 
+
 o   Gerald (Jerry) Carter [EMAIL PROTECTED]
+* Rewrite the detection of the correct DES salting principal name
+  when joining an Active Directory Domain.
+* Rewrite the keytab generation code based on existing SPN, 
+  UPN, and sAMAccountName attributes in the AD machine object.
+* Cleanup of dead code from idmap_ad.
+* Fix Winbind 32bit/64bit portability issues.
+* Fail 'net ads join' and disable the machine account if we cannot 
+  set any SPNs for ourselves.
+* Make sure to lower case all usernames before calling the create, 
+  delete, or rename hooks.
+* Preserve case for usernames in passdb
+* Flush the getpwnam cache after renaming a user
+* Add become/unbecome root block in _samr_delete_dom_user() when 
+  trying to verify the account's existence.
+* Changed 'net ads join' syntax for specifying an alternate 
+  OU.  New syntax is createcomputer=ou path top to bottom.
+* Add createupn=[UPN] option to 'net ads join' for setting the
+  userPrincipalName attribute.
+* Bug 3920: Restore winbind use default domain behavior for domain 
+  groups.  This break local users and 'winbind nested groups' on 
+  domain members.
 
+
 o   Guenther Deschner [EMAIL PROTECTED]
+* Don't clear the cache when starting winbindd in off line mode.
+* Fix erron reporting in pam_winbind debug messages.
+* BUG 3937: Fix segv in libnss_wins.so.
 
+
 o   Volker Lendecke [EMAIL PROTECTED]
+* Fix memory leaks in the in error paths out of the CLDAP 
+  request code.
+* AIX portability fixes for DNS client code.
+* BUG 3811, 3948: Fix alignment bug in on lsaquery. 
+* BUG 3949: Fixed authorization issue no domain member 
+  servers not running winbindd.
 
 
+o   Andrew Tridgell [EMAIL PROTECTED]
+* Fixed a bug which caused resolve_ads() to spin forever if 
+  one of the DCs isn't resolvable in DNS.
+
+
+o   Simo Sorce [EMAIL PROTECTED]
+* Debian packaging fixes.
+
+
+o   Dietrich Streifert [EMAIL PROTECTED]
+* BUG 3916: Fix error parsing pam_winbind config arguments.
+
+
 Release Notes for older release follow:
 
   --
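Review bot: Several of the added entries carry typos that will ship in the release notes: "for for the Linux CIFS fs client", "Fix memory leaks in the in error paths", "Fix alignment bug in on lsaquery", "Fix erron reporting" and "authorization issue no domain member servers". The Bug 3920 entry is also ambiguous: "This break local users and 'winbind nested groups' on domain members" does not say whether the restored behavior causes the breakage or removes it, and an admin deciding whether to upgrade needs to know which.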
@@ -480,7 +548,7 @@
 * Add help text for new 'net rpc audit' utility.
 * Add net ads search SID.
 * samrQueryDomainInfo level 5 should return the domain name, not our 
-  netbios name when we are a DC.
+  NetBIOS name when we are a DC.
 * Add some more client rpc for the querydominfo calls (from samba4 idl).
 * Process all the supported info levels in the samr_query_domain_info2 
   call.



svn commit: samba r17166 - in branches/SAMBA_3_0_RELEASE: .

2006-07-20 Thread jerry
Author: jerry
Date: 2006-07-20 22:27:03 + (Thu, 20 Jul 2006)
New Revision: 17166

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17166

Log:
fixups based on comments from Volker
Modified:
   branches/SAMBA_3_0_RELEASE/WHATSNEW.txt


Changeset:
Modified: branches/SAMBA_3_0_RELEASE/WHATSNEW.txt
===
--- branches/SAMBA_3_0_RELEASE/WHATSNEW.txt 2006-07-20 21:22:06 UTC (rev 
17165)
+++ branches/SAMBA_3_0_RELEASE/WHATSNEW.txt 2006-07-20 22:27:03 UTC (rev 
17166)
@@ -18,6 +18,7 @@
 running winbindd.
   o Failure to add users or groups to ACLs using the Windows
 object picker.
+  o Failure in file serving code when 'kernel oplocks = yes'.
 
 New features in 3.0.23a include:
 
@@ -69,7 +70,7 @@
 
 o   Guenther Deschner [EMAIL PROTECTED]
 * Don't clear the cache when starting winbindd in off line mode.
-* Fix erron reporting in pam_winbind debug messages.
+* Fix errno reporting in pam_winbind debug messages.
 * BUG 3937: Fix segv in libnss_wins.so.
 
 
@@ -78,7 +79,7 @@
   request code.
 * AIX portability fixes for DNS client code.
 * BUG 3811, 3948: Fix alignment bug in on lsaquery. 
-* BUG 3949: Fixed authorization issue no domain member 
+* BUG 3949: Fixed authorization issue on domain member 
   servers not running winbindd.
 
 



Build status as of Fri Jul 21 00:00:02 2006

2006-07-20 Thread build
URL: http://build.samba.org/

--- /home/build/master/cache/broken_results.txt.old 2006-07-20 
00:00:18.0 +
+++ /home/build/master/cache/broken_results.txt 2006-07-21 00:00:09.0 
+
@@ -1,18 +1,18 @@
-Build status as of Thu Jul 20 00:00:02 2006
+Build status as of Fri Jul 21 00:00:02 2006
 
 Build counts:
 Tree Total  Broken Panic 
 SOC  0  0  0 
-ccache   34 6  0 
-distcc   28 2  0 
+ccache   33 6  0 
+distcc   27 2  0 
 lorikeet-heimdal 0  0  0 
 ppp  17 0  0 
-rsync28 0  0 
+rsync27 0  0 
 samba3  0  0 
 samba-docs   0  0  0 
 samba4   38 26 4 
-samba_3_037 26 3 
+samba_3_036 23 1 
 smb-build24 24 0 
-talloc   32 13 0 
-tdb  29 10 0 
+talloc   31 12 0 
+tdb  28 9  0 
 


svn commit: samba r17167 - in branches/SAMBA_4_0/source/lib/util: .

2006-07-20 Thread abartlet
Author: abartlet
Date: 2006-07-21 00:56:48 + (Fri, 21 Jul 2006)
New Revision: 17167

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17167

Log:
indent

Modified:
   branches/SAMBA_4_0/source/lib/util/data_blob.c


Changeset:
Modified: branches/SAMBA_4_0/source/lib/util/data_blob.c
===
--- branches/SAMBA_4_0/source/lib/util/data_blob.c  2006-07-20 22:27:03 UTC 
(rev 17166)
+++ branches/SAMBA_4_0/source/lib/util/data_blob.c  2006-07-21 00:56:48 UTC 
(rev 17167)
@@ -206,7 +206,7 @@
   append some data to a data blob
 **/
 _PUBLIC_ NTSTATUS data_blob_append(TALLOC_CTX *mem_ctx, DATA_BLOB *blob,
- const void *p, size_t length)
+  const void *p, size_t length)
 {
blob-data = talloc_realloc_size(mem_ctx, blob-data,
 blob-length + length);



svn commit: samba r17168 - in branches/SAMBA_4_0/source/lib: socket tls

2006-07-20 Thread abartlet
Author: abartlet
Date: 2006-07-21 01:34:56 + (Fri, 21 Jul 2006)
New Revision: 17168

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17168

Log:
Now that TLS (and soon SASL) is below the socket layer, we need to
make the testnonblock skip some things.  The socket *under* the tls
socket is still tested.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/lib/socket/socket.c
   branches/SAMBA_4_0/source/lib/socket/socket.h
   branches/SAMBA_4_0/source/lib/tls/config.mk
   branches/SAMBA_4_0/source/lib/tls/tls.c


Changeset:
Modified: branches/SAMBA_4_0/source/lib/socket/socket.c
===
--- branches/SAMBA_4_0/source/lib/socket/socket.c   2006-07-21 00:56:48 UTC 
(rev 17167)
+++ branches/SAMBA_4_0/source/lib/socket/socket.c   2006-07-21 01:34:56 UTC 
(rev 17168)
@@ -66,6 +66,7 @@
/* by enabling testnonblock mode, all socket receive and
   send calls on non-blocking sockets will randomly recv/send
   less data than requested */
+
if (!(flags  SOCKET_FLAG_BLOCK) 
type == SOCKET_TYPE_STREAM 
lp_parm_bool(-1, socket, testnonblock, False)) {
@@ -185,14 +186,21 @@
return NT_STATUS_NOT_IMPLEMENTED;
}
 
-   if ((sock-flags  SOCKET_FLAG_TESTNONBLOCK)  wantlen  1) {
-   if (random() % 10 == 0) {
-   *nread = 0;
-   return STATUS_MORE_ENTRIES;
+   if ((sock-flags  SOCKET_FLAG_TESTNONBLOCK) 
+wantlen  1) {
+
+   /* The returning of 0 and MORE_ENTRIES is incompatible
+  with TLS and SASL sockets, as there is not a
+  constant event source to re-trigger the reads */
+
+   if (!(sock-flags  SOCKET_FLAG_FAKE)) {
+   if (random() % 10 == 0) {
+   *nread = 0;
+   return STATUS_MORE_ENTRIES;
+   }
}
return sock-ops-fn_recv(sock, buf, 1+(random() % wantlen), 
nread);
}
-
return sock-ops-fn_recv(sock, buf, wantlen, nread);
 }
 
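Review bot: In the fn_recv path the new comment explains only why the zero-byte STATUS_MORE_ENTRIES return is skipped for SOCKET_FLAG_FAKE sockets; the short read through 1+(random() % wantlen) still applies to them, and the comment should state that this is intended. The two nested ifs can be one condition, !(sock->flags & SOCKET_FLAG_FAKE) && random() % 10 == 0, and the blank line before the final return is removed for no visible reason.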
@@ -229,17 +237,21 @@
if (!sock-ops-fn_send) {
return NT_STATUS_NOT_IMPLEMENTED;
}
-
-   if ((sock-flags  SOCKET_FLAG_TESTNONBLOCK)  blob-length  1) {
-   DATA_BLOB blob2 = *blob;
+   
+   if ((sock-flags  SOCKET_FLAG_TESTNONBLOCK)
+blob-length  1) {
if (random() % 10 == 0) {
*sendlen = 0;
return STATUS_MORE_ENTRIES;
}
-   blob2.length = 1+(random() % blob2.length);
-   return sock-ops-fn_send(sock, blob2, sendlen);
+   /* The variable size sends are incompatilbe with TLS and SASL
+* sockets, which require re-sends to be consistant */
+   if (!(sock-flags  SOCKET_FLAG_FAKE)) {
+   DATA_BLOB blob2 = *blob;
+   blob2.length = 1+(random() % blob2.length);
+   return sock-ops-fn_send(sock, blob2, sendlen);
+   }
}
-
return sock-ops-fn_send(sock, blob, sendlen);
 }
 
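Review bot: In the fn_send path SOCKET_FLAG_FAKE sockets still take the random *sendlen = 0 with STATUS_MORE_ENTRIES return, while the receive path in this same commit skips exactly that case for them because nothing re-triggers the event. Either guard it the same way or add a comment saying why a zero-length send result is safe for TLS and SASL sockets. The new comment has two typos, "incompatilbe" and "consistant", and the line added after the NT_STATUS_NOT_IMPLEMENTED block contains only whitespace.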

Modified: branches/SAMBA_4_0/source/lib/socket/socket.h
===
--- branches/SAMBA_4_0/source/lib/socket/socket.h   2006-07-21 00:56:48 UTC 
(rev 17167)
+++ branches/SAMBA_4_0/source/lib/socket/socket.h   2006-07-21 01:34:56 UTC 
(rev 17168)
@@ -102,6 +102,7 @@
 #define SOCKET_FLAG_BLOCK0x0001
 #define SOCKET_FLAG_PEEK 0x0002
 #define SOCKET_FLAG_TESTNONBLOCK 0x0004
+#define SOCKET_FLAG_FAKE 0x0008 /* This is an implementation not 
directly on top of a real socket */
 
 struct socket_context {
enum socket_type type;
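Review bot: SOCKET_FLAG_FAKE says little at the call sites in socket.c; only the trailing comment here carries the meaning (an implementation not directly on top of a real socket). A name that describes the layering would make the checks in the send and receive paths readable without looking the flag up. The trailing comment also wraps the define onto a second line; put it on the line above.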

Modified: branches/SAMBA_4_0/source/lib/tls/config.mk
===
--- branches/SAMBA_4_0/source/lib/tls/config.mk 2006-07-21 00:56:48 UTC (rev 
17167)
+++ branches/SAMBA_4_0/source/lib/tls/config.mk 2006-07-21 01:34:56 UTC (rev 
17168)
@@ -5,7 +5,7 @@
tls.o \
tlscert.o
 PUBLIC_DEPENDENCIES = \
-   LIBTALLOC GNUTLS LIBSAMBA-CONFIG
+   LIBTALLOC GNUTLS LIBSAMBA-CONFIG samba-socket
 #
 # End SUBSYSTEM LIBTLS
 

Modified: branches/SAMBA_4_0/source/lib/tls/tls.c
===
--- branches/SAMBA_4_0/source/lib/tls/tls.c 2006-07-21 00:56:48 UTC (rev 
17167)
+++ branches/SAMBA_4_0/source/lib/tls/tls.c 2006-07-21 01:34:56 UTC (rev 
17168)
@@ -443,7 +443,8 @@
NTSTATUS nt_status;

nt_status = socket_create_with_ops(socket, tls_socket_ops, new_sock, 
-  SOCKET_TYPE_STREAM, 0);
+ 

svn commit: samba r17169 - in branches/SAMBA_4_0/source/script/tests: .

2006-07-20 Thread abartlet
Author: abartlet
Date: 2006-07-21 01:35:26 + (Fri, 21 Jul 2006)
New Revision: 17169

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17169

Log:
Test LDAP with testnonblock.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/script/tests/test_ldap.sh


Changeset:
Modified: branches/SAMBA_4_0/source/script/tests/test_ldap.sh
===
--- branches/SAMBA_4_0/source/script/tests/test_ldap.sh 2006-07-21 01:34:56 UTC 
(rev 17168)
+++ branches/SAMBA_4_0/source/script/tests/test_ldap.sh 2006-07-21 01:35:26 UTC 
(rev 17169)
@@ -24,7 +24,7 @@
 . $incdir/test_functions.sh
 
 for p in $PROTOCOLS; do
- for options in  -U$USERNAME%$PASSWORD; do
+ for options in  --option=socket:testnonblock=true -U$USERNAME%$PASSWORD 
--option=socket:testnonblock=true -U$USERNAME%$PASSWORD; do
 echo TESTING PROTOCOL $p with options $options
 
 testit RootDSE bin/ldbsearch $CONFIGURATION $options --basedn='' -H 
$p://$SERVER -s base DUMMY=x dnsHostName highestCommittedUSN || failed=`expr 
$failed + 1`
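Review bot: The options list in the for loop spells out --option=socket:testnonblock=true once per credential case; hold it in a variable and build the combinations from that, so the next socket option does not have to be pasted into every entry by hand. Each added entry reruns every testit call in the loop body for every protocol, which is worth a word in the log message since it multiplies the run time of this script.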



svn commit: samba r17170 - in branches/SAMBA_4_0/source/auth/ntlmssp: .

2006-07-20 Thread abartlet
Author: abartlet
Date: 2006-07-21 01:37:38 + (Fri, 21 Jul 2006)
New Revision: 17170

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17170

Log:
Catch some more out-of-memory cases, and provide some clues when
chasing down bad signatures that may be due to data truncation.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp_sign.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp_sign.c
===
--- branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp_sign.c   2006-07-21 
01:35:26 UTC (rev 17169)
+++ branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp_sign.c   2006-07-21 
01:37:38 UTC (rev 17170)
@@ -110,6 +110,9 @@
memcpy(sig-data + 4, digest, 8);
memcpy(sig-data + 12, seq_num, 4);
 
+   DEBUG(10, (NTLM2: created signature over %llu bytes of 
input:\n, (unsigned long long)pdu_length));
+   dump_data(11, sig-data, sig-length);
+   
} else {
uint32_t crc;
crc = crc32_calc_buffer(data, length);
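Review bot: The new DEBUG(10, ...) header ends in "input:" but the dump_data that follows it is at level 11, so a log taken at exactly level 10 shows the header with nothing after it. Use the same level for the header and the dump. The line added after dump_data contains only whitespace.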
@@ -119,8 +122,10 @@
gensec_ntlmssp_state-crypt.ntlm.seq_num++;
 

arcfour_crypt_sbox(gensec_ntlmssp_state-crypt.ntlm.arcfour_state, sig-data+4, 
sig-length-4);
+
+   DEBUG(10, (NTLM1: created signature over %llu bytes of 
input:\n, (unsigned long long)length));
+   dump_data(11, sig-data, sig-length);
}
-   dump_data_pw(calculated ntlmssp signature\n, sig-data, sig-length);
return NT_STATUS_OK;
 }
 
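Review bot: The removed dump_data_pw(...) call is replaced by plain dump_data(11, ...) in both branches, and the log message does not mention it (it speaks only of out-of-memory cases and truncation clues). If the _pw variant was chosen to keep signature bytes out of ordinary debug logs, say why they may now be written at level 11. The NTLM1 header is logged at level 10 while its dump is at level 11, so the two levels should be made equal here as well.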
@@ -179,26 +184,26 @@
if (local_sig.length != sig-length ||
memcmp(local_sig.data, 
   sig-data, sig-length) != 0) {
-   DEBUG(5, (BAD SIG NTLM2: wanted signature of\n));
+   DEBUG(5, (BAD SIG NTLM2: wanted signature over %llu 
bytes of input:\n, (unsigned long long)pdu_length));
dump_data(5, local_sig.data, local_sig.length);

-   DEBUG(5, (BAD SIG: got signature of\n));
+   DEBUG(5, (BAD SIG: got signature over %llu bytes of 
input:\n, (unsigned long long)pdu_length));
dump_data(5, sig-data, sig-length);

-   DEBUG(0, (NTLMSSP NTLM2 packet check failed due to 
invalid signature!\n));
+   DEBUG(0, (NTLMSSP NTLM2 packet check failed due to 
invalid signature on %llu bytes of input!\n, (unsigned long long)pdu_length));
return NT_STATUS_ACCESS_DENIED;
}
} else {
if (local_sig.length != sig-length ||
memcmp(local_sig.data + 8, 
   sig-data + 8, sig-length - 8) != 0) {
-   DEBUG(5, (BAD SIG NTLM1: wanted signature of\n));
+   DEBUG(5, (BAD SIG NTLM1: wanted signature of %llu 
bytes of input:\n, (unsigned long long)length));
dump_data(5, local_sig.data, local_sig.length);

-   DEBUG(5, (BAD SIG: got signature of\n));
+   DEBUG(5, (BAD SIG: got signature of %llu bytes of 
input:\n, (unsigned long long)length));
dump_data(5, sig-data, sig-length);

-   DEBUG(0, (NTLMSSP NTLM1 packet check failed due to 
invalid signature!\n));
+   DEBUG(0, (NTLMSSP NTLM1 packet check failed due to 
invalid signature on %llu bytes of input:\n, (unsigned long long)length));
return NT_STATUS_ACCESS_DENIED;
}
}
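Review bot: The reworded messages differ between the two branches: NTLM2 says "signature over %llu bytes of input" while NTLM1 says "signature of %llu bytes of input", and the NTLM1 level 0 message now ends in ":\n" although nothing follows it, where the NTLM2 one ends in "!\n". Pick one wording and one terminator for both, since these are the lines someone will grep for when chasing a failed signature check.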
@@ -456,6 +461,9 @@
if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
 
*out = data_blob_talloc(sig_mem_ctx, NULL, in-length + 
NTLMSSP_SIG_SIZE);
+   if (!out-data) {
+   return NT_STATUS_NO_MEMORY;
+   }
memcpy(out-data + NTLMSSP_SIG_SIZE, in-data, in-length);

nt_status = gensec_ntlmssp_seal_packet(gensec_security, 
sig_mem_ctx, 
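Review bot: The new NULL check covers allocation failure, but the size handed to data_blob_talloc, in->length + NTLMSSP_SIG_SIZE, is still added without a wrap check and the memcpy directly after trusts it. Reject an in->length that would overflow the addition before allocating. The same allocate, check and memcpy sequence is repeated for the GENSEC_FEATURE_SIGN branch in the next hunk and could be hoisted above the feature test so the check exists once.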
@@ -473,6 +481,9 @@
} else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
 
*out = data_blob_talloc(sig_mem_ctx, NULL, in-length + 
NTLMSSP_SIG_SIZE);
+   if (!out-data) {
+   return NT_STATUS_NO_MEMORY;
+   }
memcpy(out-data + NTLMSSP_SIG_SIZE, in-data, in-length);
 
nt_status = gensec_ntlmssp_sign_packet(gensec_security, 
sig_mem_ctx, 



svn commit: samba r17171 - in branches/SAMBA_4_0/source/auth/gensec: .

2006-07-20 Thread abartlet
Author: abartlet
Date: 2006-07-21 01:44:24 + (Fri, 21 Jul 2006)
New Revision: 17171

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17171

Log:
Add a gensec function to determine the maximum negotiated buffer size,
and the maximum amount of user data that may be fitted into that.

This is used in the new SASL code, to correctly honour SASL buffer sizes.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/gensec/gensec.c
   branches/SAMBA_4_0/source/auth/gensec/gensec.h
   branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/gensec/gensec.c
===
--- branches/SAMBA_4_0/source/auth/gensec/gensec.c  2006-07-21 01:37:38 UTC 
(rev 17170)
+++ branches/SAMBA_4_0/source/auth/gensec/gensec.c  2006-07-21 01:44:24 UTC 
(rev 17171)
@@ -815,6 +815,24 @@
return gensec_security-ops-sig_size(gensec_security, data_size);
 }
 
+size_t gensec_max_input_size(struct gensec_security *gensec_security) 
+{
+   if (!gensec_security-ops-max_input_size) {
+   return (1  17) - gensec_sig_size(gensec_security, 1  17);
+   }
+   
+   return gensec_security-ops-max_input_size(gensec_security);
+}
+
+size_t gensec_max_wrapped_size(struct gensec_security *gensec_security) 
+{
+   if (!gensec_security-ops-max_wrapped_size) {
+   return (1  17);
+   }
+   
+   return gensec_security-ops-max_wrapped_size(gensec_security);
+}
+
 _PUBLIC_ NTSTATUS gensec_wrap(struct gensec_security *gensec_security, 
 TALLOC_CTX *mem_ctx, 
 const DATA_BLOB *in, 
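Review bot: gensec_max_input_size() subtracts gensec_sig_size(gensec_security, 1 << 17) from 1 << 17 without checking that the signature size is the smaller value, so a backend that reports a larger one wraps the size_t result into a very large maximum. Return 0 (or an error) in that case. The literal 1 << 17 appears three times and should be a named constant, and neither new function has the _PUBLIC_ marker that gensec_wrap directly below carries, although the log message describes them as gensec functions for the SASL code to call.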

Modified: branches/SAMBA_4_0/source/auth/gensec/gensec.h
===
--- branches/SAMBA_4_0/source/auth/gensec/gensec.h  2006-07-21 01:37:38 UTC 
(rev 17170)
+++ branches/SAMBA_4_0/source/auth/gensec/gensec.h  2006-07-21 01:44:24 UTC 
(rev 17171)
@@ -78,6 +78,8 @@
const uint8_t *whole_pdu, size_t pdu_length, 
DATA_BLOB *sig);
size_t   (*sig_size)(struct gensec_security *gensec_security, size_t 
data_size);
+   size_t   (*max_input_size)(struct gensec_security *gensec_security);
+   size_t   (*max_wrapped_size)(struct gensec_security *gensec_security);
NTSTATUS (*check_packet)(struct gensec_security *gensec_security, 
TALLOC_CTX *sig_mem_ctx, 
 const uint8_t *data, size_t length, 
 const uint8_t *whole_pdu, size_t pdu_length, 

Modified: branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c
===
--- branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c   2006-07-21 
01:37:38 UTC (rev 17170)
+++ branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c   2006-07-21 
01:44:24 UTC (rev 17171)
@@ -67,8 +67,13 @@
uint8_t sasl_protection; /* What was negotiated at the SASL
  * layer, independent of the GSSAPI
  * layer... */
+
+   size_t max_wrap_buf_size;
 };
 
+static size_t gensec_gssapi_max_input_size(struct gensec_security 
*gensec_security);
+static size_t gensec_gssapi_max_wrapped_size(struct gensec_security 
*gensec_security);
+
 static char *gssapi_error_string(TALLOC_CTX *mem_ctx, 
 OM_uint32 maj_stat, OM_uint32 min_stat)
 {
@@ -129,6 +134,9 @@
return NT_STATUS_NO_MEMORY;
}

+   gensec_gssapi_state-max_wrap_buf_size
+   = lp_parm_int(-1, gensec_gssapi, max wrap buf size, 65535);
+   
gensec_gssapi_state-sasl = False;
gensec_gssapi_state-sasl_state = STAGE_GSS_NEG;
 
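Review bot: max_wrap_buf_size is a size_t filled straight from lp_parm_int(), so a negative "max wrap buf size" setting turns into a very large limit and a zero one into a useless limit, with no diagnostic in either case. Validate the configured value (reject non-positive numbers and apply an upper bound) before storing it, since this number later decides how much data is accepted for wrapping.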
@@ -490,6 +498,7 @@
}
break;
}
+
/* These last two stages are only done if we were invoked as SASL */
case STAGE_SASL_SSF_NEG:
{
@@ -497,11 +506,17 @@
case GENSEC_CLIENT:
{
uint8_t maxlength_proposed[4]; 
+   uint8_t maxlength_accepted[4]; 
uint8_t security_supported;
int conf_state;
gss_qop_t qop_state;
input_token.length = in.length;
input_token.value = in.data;
+
+   /* As a client, we have just send a
+* zero-length blob to the server (after the
+* normal GSSAPI exchange), and it has replied
+* with it's SASL negotiation */

maj_stat = gss_unwrap(min_stat, 
  
gensec_gssapi_state-gssapi_context, 
@@ -521,10 +536,14 @@
 
memcpy(maxlength_proposed, 

svn commit: samba r17172 - in branches/SAMBA_3_0: .

2006-07-20 Thread jht
Author: jht
Date: 2006-07-21 01:58:17 + (Fri, 21 Jul 2006)
New Revision: 17172

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17172

Log:
Fix typo.
Modified:
   branches/SAMBA_3_0/MAINTAINERS


Changeset:
Modified: branches/SAMBA_3_0/MAINTAINERS
===
--- branches/SAMBA_3_0/MAINTAINERS  2006-07-21 01:44:24 UTC (rev 17171)
+++ branches/SAMBA_3_0/MAINTAINERS  2006-07-21 01:58:17 UTC (rev 17172)
@@ -7,7 +7,7 @@
 responsible for 3rd party projects that work with Samba
 (e.g. vfs modules).
 
-Note that this list is for you benefit, but please do not
+Note that this list is for your benefit, but please do not
 abuse it by constantly emailing a stream of help questions
 to the maintainers.  Some are more open to direct 
 communication than others and some struggle with enormous



svn commit: samba r17173 - in branches/SAMBA_4_0/source/auth/gensec: .

2006-07-20 Thread abartlet
Author: abartlet
Date: 2006-07-21 02:05:45 + (Fri, 21 Jul 2006)
New Revision: 17173

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17173

Log:
Check for oversize output, not oversize input, and fix the GSSAPI mech
to work (it broke it in the previous commit).

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c
===
--- branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c   2006-07-21 
01:58:17 UTC (rev 17172)
+++ branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c   2006-07-21 
02:05:45 UTC (rev 17173)
@@ -741,16 +741,6 @@
input_token.length = in-length;
input_token.value = in-data;
 
-   if (gensec_gssapi_state-sasl) {
-   size_t max_input_size = 
gensec_gssapi_max_input_size(gensec_security);
-   if (max_input_size  in-length) {
-   DEBUG(1, (gensec_gssapi_wrap: INPUT data (%u) is 
larger than SASL negotiated maximum size (%u)\n,
- in-length, 
- (unsigned int)max_input_size));
-   }
-   return NT_STATUS_INVALID_PARAMETER;
-   }
-   
maj_stat = gss_wrap(min_stat, 
gensec_gssapi_state-gssapi_context, 
gensec_have_feature(gensec_security, 
GENSEC_FEATURE_SEAL),
@@ -767,6 +757,17 @@
*out = data_blob_talloc(mem_ctx, output_token.value, 
output_token.length);
gss_release_buffer(min_stat, output_token);
 
+   if (gensec_gssapi_state-sasl) {
+   size_t max_wrapped_size = 
gensec_gssapi_max_wrapped_size(gensec_security);
+   if (max_wrapped_size  out-length) {
+   DEBUG(1, (gensec_gssapi_wrap: when wrapped, INPUT data 
(%u) is grew to be larger than SASL negotiated maximum output size (%u  %u)\n,
+ in-length, 
+ out-length, 
+ (unsigned int)max_wrapped_size));
+   return NT_STATUS_INVALID_PARAMETER;
+   }
+   }
+   
if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
 !conf_state) {
return NT_STATUS_ACCESS_DENIED;
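Review bot: The new DEBUG call passes in->length and out->length to %u without a cast while max_wrapped_size is cast to unsigned int; if those lengths are size_t, the format and argument types disagree wherever size_t is wider than unsigned int, so cast all three. The message text reads "is grew" and its "(%u  %u)" pair does not say which value is the wrapped length and which is the limit. When this path returns NT_STATUS_INVALID_PARAMETER, *out has already been assigned the wrapped blob, so either free it here or document that callers must not use *out on error.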