[Samba] Problem with LDAP failover config

2007-08-08 Thread Ben Tisdall
Hi,

I have working master & slave OpenLDAP servers, and the Samba PDC works
correctly when using either as the passdb backend.

However, when configuring for LDAP failover as per this doc:

http://samba.org/samba/docs/man/Samba-Guide/2000users.html

Samba doesn't work & the logs fill up with this:

ldap_initialize: Bad parameter to an ldap routine
Connection to LDAP server failed for the 1 try!

This is the actual directive I'm using save for the FQDNs:

passdb backend = ldapsam:ldap://master.example.com:1389 \
ldap://slave.example.com;

Strace didn't produce anything useful.

Version is Samba 3.0.23a-1.fc4.1

Probably something very silly but I'm out of ideas!

Cheers,

-- 
Ben Tisdall
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] libpthread warning while compiling samba 3.0 on Suse Linux (SLES 10)

2007-08-08 Thread Pierre Lebrun

I compile Samba for the first time on LINUX (SLES 10) and
have a weird libpthread warning message.
I dug the list to find some explanations about the way I have
to handle this problem, without success.

Below are the 'configure' parameters and the part of config.log about 
libpthread.


Is there a way to not link libpthread to avoid this
performance degradation ?

What must I do with this warning ?


./configure --with-smbwrapper --with-quotas --with-msdfs --with-acl-support --with-winbind --with-smbmount --with-cifsmount --with-aio-support




configure:66245: checking if libpthread is linked
configure:66268: gcc -o conftest -O -D_SAMBA_BUILD_=3  -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE   -Wl,-rpath,/usr/lib conftest.c -lcrypt -lresolv -lresolv -lnsl  -ldl  -lrt >&5
configure:66274: $? = 0
configure:66281: result: yes
configure:66284: WARNING: using libpthreads - this may degrade performance
configure:66504: result: Using libraries:
configure:66506: result: LIBS = -lcrypt -lresolv -lresolv -lnsl -ldl -lrt
configure:66520: result: AUTH_LIBS = -lcrypt



Thank you for your help.

Pierre



[Samba] How should guest access work with Samba 3 and User Mode Security???

2007-08-08 Thread Mansell, Gary
Hi,

Please can someone confirm to me how guest access should work on a Samba
3 Server configured for User Mode Security.

Am I correct in thinking that shares configured as guest OK should be
accessible by users without accounts on the server and hence they should
not have to supply login name and password. (This used to work OK on
Samba 2 and Share Mode security)

I want to share out applications and a few other shares from my server
without having to create accounts on the server for the users and so
that they don't have to supply a username/password.

I am running Samba samba-3.0.24-5 and here is my smb.conf file:

Regards

Gary


[global]

workgroup = DFGSRV
server string = dfgsrv Samba Server %v
printcap name = /etc/printcap
load printers = yes
printing = cups
cups options = raw
log file = /var/log/samba/%m.log
max log size = 200
security = user
password level = 8
username level = 8
socket options = SO_KEEPALIVE SO_BROADCAST TCP_NODELAY IPTOS_THROUGHPUT
dns proxy = no 
log level = 9
deadtime = 30
oplocks = false
level2 oplocks = false
encrypt passwords = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = no
map to guest = Bad User


[homes]
   comment = Home Directories
   browseable = yes
   writable = yes
   create mode = 0664
   directory mode = 0775

[cdrom]
path = /media/cdrom
writeable = no
browseable = yes
guest ok = yes
comment = dfgsrv CDROM Drive
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - -
This e-mail and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed.If 
you have received this e-mail in error please notify the sender immediately and 
delete this e-mail from your system.Please note that any views or opinions 
presented in this e-mail are solely those of the author and do not necessarily 
represent those of Ricardo (save for reports and other documentation formally 
approved and signed for release to the intended recipient).Only Directors are 
authorised to enter into legally binding obligations on behalf of Ricardo. 
Ricardo may monitor outgoing and incoming e-mails and other telecommunications 
systems.
By replying to this e-mail you give consent to such monitoring.The recipient 
should check e-mail and any attachments for the presence of viruses. Ricardo 
accepts no liability for any damage caused by any virus transmitted by this 
e-mail. Ricardo means Ricardo plc and its subsidiary companies.
Ricardo plc is a public limited company registered in England with registered 
number 00222915.
The registered office of Ricardo plc is Shoreham Technical Centre, Shoreham-by 
Sea, West Sussex, BN43 5FG.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - 


Re: [Samba] Problem with LDAP failover config

2007-08-08 Thread John Drescher
On 8/8/07, Ben Tisdall [EMAIL PROTECTED] wrote:
> Hi,
>
> I have working master & slave OpenLDAP servers, and the Samba PDC works
> correctly when using either as the passdb backend.
>
> However, when configuring for LDAP failover as per this doc:
>
> http://samba.org/samba/docs/man/Samba-Guide/2000users.html
>
> Samba doesn't work & the logs fill up with this:
>
> ldap_initialize: Bad parameter to an ldap routine
> Connection to LDAP server failed for the 1 try!
>
> This is the actual directive I'm using save for the FQDNs:
>
> passdb backend = ldapsam:ldap://master.example.com:1389 \
> ldap://slave.example.com;


Is 1389 the real port on the master ldap server? Have you configured
the ldap server to use ldap ssl?

John


Re: [Samba] Problem with LDAP failover config

2007-08-08 Thread Ben Tisdall
John Drescher wrote:

 
> Is 1389 the real port on the master ldap server?

Yes (I have Scalix running its own LDAP-like directory on the standard
port).

To further clarify:

passdb backend = ldapsam:ldap://master.example.com:1389

And

passdb backend = ldapsam:ldap://slave.example.com

Both work individually, but not both at once.


> Have you configured
> the ldap server to use ldap ssl?

Previously, but I'm currently testing without in the interest of
simplicity, ie:

ldap ssl = off

Thanks.

-- 
Ben Tisdall


Re: [Samba] How should guest access work with Samba 3 and User Mode Security???

2007-08-08 Thread Kaustubh Chaudhari

Mansell, Gary wrote:

> Hi,
>
> Please can someone confirm to me how guest access should work on a Samba
> 3 Server configured for User Mode Security.
  


Not sure if this can be done or not, but what I know is that with
security=user you need to provide the username and password.

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ServerType.html#id325823

Regards,
Kaustubh



Re: [Samba] Problem with LDAP failover config

2007-08-08 Thread John Drescher
On 8/8/07, Ben Tisdall [EMAIL PROTECTED] wrote:
> John Drescher wrote:
>
>> Is 1389 the real port on the master ldap server?
>
> Yes (I have Scalix running its own LDAP-like directory on the standard
> port).
>
> To further clarify:
>
> passdb backend = ldapsam:ldap://master.example.com:1389
>
> And
>
> passdb backend = ldapsam:ldap://slave.example.com
>
> Both work individually, but not both at once.


I believe I have both servers listed on one line but I am using
samba-3.0.24-X on 64 bit gentoo.

John


Re: [Samba] Problem with LDAP failover config

2007-08-08 Thread Ben Tisdall
John Drescher wrote:
> On 8/8/07, Ben Tisdall [EMAIL PROTECTED] wrote:
>> John Drescher wrote:
>>
>>> Is 1389 the real port on the master ldap server?
>> Yes (I have Scalix running its own LDAP-like directory on the standard
>> port).
>>
>> To further clarify:
>>
>> passdb backend = ldapsam:ldap://master.example.com:1389
>>
>> And
>>
>> passdb backend = ldapsam:ldap://slave.example.com
>>
>> Both work individually, but not both at once.
>
>
> I believe I have both servers listed on one line but I am using
> samba-3.0.24-X on 64 bit gentoo.

H, can you post your passdb backend line pls?

Cheers.

-- 
Ben Tisdall



[Samba] Permission problems with Samba Version 3.0.23d

2007-08-08 Thread Dennis Schwan

Hello List members,

I have a strange problem with my new Samba Server. It is the Version
3.0.23d.
I have configured a share in which I want all users of a certain group
be able to write in.


This is the Configuration:

[Agents]
  comment = Gemeinsames Laufwerk
  browseable = yes
  path = /samba/public
  writeable = yes
  write list = @agents, sonja, administrator, engesser, atzler
  admin users = administrator
  force create mode = 0770
  force directory mode = 0770
  create mask = 0770
  directory mode = 0770
  force group = agents
  nt acl support = yes
  inherit acls = yes
  oplocks = no


But now I have the problem that all files that are copied on this share
are generated as follows:


-rwxr-xr-x

I tried to change the create mask and force create mode options but I
never got a write permission for the group.


The server is used as PDC with LDAP Authentication and the clients are 
all W2000. I hope that you can help me.


Regards,
Dennis


Re: [Samba] Problem with LDAP failover config

2007-08-08 Thread John Drescher
On 8/8/07, Ben Tisdall [EMAIL PROTECTED] wrote:
> John Drescher wrote:
>>> H, can you post your passdb backend line pls?
>>
>> Later, I will not be at work for 3 to 6 hours as it is early in the
>> morning here (GMT -5 timezone).
>
> No problem, I can't do anything until the users have left anyway,
> another ~9 hrs.

If the email client does something weird there is one space between
the entries. These are two different machines with the first being the
PDC and it is in the dns but the second is not so I used the numerical
ip for that one instead.

passdb backend = ldapsam:ldap://sysserv0.radimg.pitt.edu ldap://192.168.1.230;

John


Re: [Samba] setfacl(1) - Can FreeBSD's ACLs contain groups from NT/AD domains ?

2007-08-08 Thread Wilkinson, Alex
0n Mon, Aug 06, 2007 at 04:09:37PM +0200, Greg Byshenk wrote: 

> sambaserver# setfacl -m u:ADDOMAIN\\gbytest:rwx,g:ADDOMAIN\\domain\ users:rx z-test/
> sambaserver# getfacl z-test/
> #file:z-test/
> #owner:1361
> #group:100
> user::rwx
> user:gbytest:rwx
> group::r-x
> group:domain users:r-x
> mask::rwx
> other::r-x
> sambaserver#
>
> This is on 6-STABLE, but it has worked on CURRENT also (though I don't have a
> machine running now), configured using idmap_rid (and 'winbind use default
> domain = yes').
>
> At some point in the past when I was testing, I saw the same sort of errors
> as above.  This was before I set idmap_rid (and configured samba with
> experimental modules), so it may have been related to this change.
>
> Do the domain users/groups show up using 'id' and 'wbinfo'?

OK, well this is interesting because after extensive testing of setting group
permissions with setfacl(1) some groups work ... and some don't. And yes I can
enumerate all the groups in AD e.g.

 #wbinfo -g | wc -l
 2574

And id(1) does print the GIDs e.g

 #id -a
 uid=13340(myusername) gid=10513(domain users) groups=10513(domain users)

So I am suspecting not all groups in the AD world are the same ?
And why would I be able to assign group ACLs using some AD groups but not 
others ?

 -aW

IMPORTANT: This email remains the property of the Australian Defence 
Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 
1914.  If you have received this email in error, you are requested to contact 
the sender and delete the email.




Re: [Samba] Permission problems with Samba Version 3.0.23d

2007-08-08 Thread Felipe Augusto van de Wiel
Dennis Schwan wrote, On 08-08-2007 06:00:
> [Agents]
>   comment = Gemeinsames Laufwerk
>   browseable = yes
>   path = /samba/public
>   writeable = yes
>   write list = @agents, sonja, administrator, engesser, atzler
>   admin users = administrator
>   force create mode = 0770
>   force directory mode = 0770
>   create mask = 0770
>   directory mode = 0770
>   force group = agents
>   nt acl support = yes
>   inherit acls = yes
>   oplocks = no
>
> But now I have the problem that all files that are copied
> on this share are generated as follows:
>
> -rwxr-xr-x
>
> I tried to change the create mask and force create mode
> options but I never got a write permission for the group.

Copy in this context is the act of adding a new file or
the act of duplicating an existing file in the share?  I'm
asking because sometimes, some applications can do strange
things with file permissions when they are duplicating an
existing file that differ from when they are creating it.


> The server is used as PDC with LDAP Authentication and the
> clients are all W2000. I hope that you can help me.

Sorry if this sounds silly, but did you reload or restart
or give enough time to have the configs automatically reloaded by
samba?

You should check for filesystem ACLs, that could change
the behaviour. You should also check the 'directory security mask'
but as far as I can see there are no problems with your setup, I
have a similar share (with similar permissions) and it is working
fine. (I'm using Samba 3.0.24 from Debian etch).

Kind regards,
- --
Felipe Augusto van de Wiel [EMAIL PROTECTED]
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/   Phone: (+55 41 3350 3300)
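
A check for the share definition discussed in this thread, as an added example that is not part of the original posts: it computes the mode that the mask parameters should give a new file and compares it with the `-rwxr-xr-x` listing reported above. The function names are hypothetical, and the DOS-attribute mapping follows the `create mask` description in smb.conf(5) with `inherit permissions` off.

```python
"""Compare an observed file mode with what a share's mask settings allow."""


def mode_from_ls(text):
    """Convert the nine permission characters of an ls string to mode bits."""
    mode = 0
    for position, char in enumerate(text[-9:]):
        if char != "-":
            mode |= 1 << (8 - position)
    return mode


def expected_file_mode(create_mask, force_create_mode, read_only=False,
                       archive=True, map_archive=True):
    """Mode for a new file: DOS attributes to UNIX bits, AND mask, OR force."""
    mode = 0o666                      # rw for user, group and other
    if read_only:                     # DOS read-only clears every write bit
        mode &= ~0o222
    if archive and map_archive:       # DOS archive maps to owner execute
        mode |= 0o100
    return (mode & create_mask) | force_create_mode


def diagnose(observed_ls, create_mask, force_create_mode):
    """Show which observed bits the two mask parameters cannot account for."""
    observed = mode_from_ls(observed_ls)
    expected = expected_file_mode(create_mask, force_create_mode)
    permitted = create_mask | force_create_mode
    return {
        "expected": format(expected, "04o"),
        "observed": format(observed, "04o"),
        # Bits present on disk that neither parameter could have produced.
        "bits_outside_masks": format(observed & ~permitted & 0o777, "04o"),
        # Bits "force create mode" should have set but that are absent.
        "forced_bits_missing": format(force_create_mode & ~observed & 0o777, "04o"),
        "explained_by_masks": observed == expected,
    }


# Values taken from the [Agents] share and the listing quoted in the thread.
AGENTS_CREATE_MASK = 0o770
AGENTS_FORCE_CREATE_MODE = 0o770
OBSERVED = "-rwxr-xr-x"

if __name__ == "__main__":
    report = diagnose(OBSERVED, AGENTS_CREATE_MASK, AGENTS_FORCE_CREATE_MODE)
    for name, value in report.items():
        print(f"{name:20} {value}")
```

For the posted values the expected mode is 0770, while the observed 0755 carries bits for "other" that the masks forbid and lacks the forced group-write bit. The mode was therefore not produced by these mask settings, which fits the reply's advice to confirm the configuration was reloaded and to check filesystem ACLs.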


[Samba] Can't connect to Windows 2000 Server v. 3.0.25

2007-08-08 Thread Henrik Zagerholm

Hello list,

I have a weird problem where I can easily connect to Windows 2003  
Servers. Both Standard, Enterprise and R2.
But I can't connect to any Windows 2000 Servers on the same net. A  
port scan shows that exactly the same ports are opened.



Here is my smb.conf

workgroup = CITY
server string = Cube file sharing
netbios name = cube
security = USER
encrypt passwords = yes

Here is a debug 4 output of smbclient.

[EMAIL PROTECTED]:~$ /usr/local/samba/bin/smbclient  //boxwin3.box.se/C$ -U  
cnadmin -I 62.95.110.163 -d 4

lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file /usr/local/ 
samba/lib/smb.conf

Processing section [global]
doing parameter workgroup = CITY
doing parameter server string = Cube file sharing
doing parameter netbios name = cube
handle_netbios_name: set global_myname to: CUBE
doing parameter security = USER
doing parameter encrypt passwords = yes
pm_process() returned Yes
Module '/usr/local/samba/lib/charset/CP850.so' loaded
added interface ip=212.214.41.16 bcast=212.214.41.255  
nmask=255.255.255.0

Client started (version 3.0.25b-SVN-build-23210).
Connecting to 62.95.110.163 at port 445
 session request ok
Password:
Doing spnego session setup (blob length=16)
server didn't supply a full spnego negprot
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_CHAL_ACCEPT_RESPONSE
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_CHAL_TARGET_INFO
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
Domain=[BOXWIN3] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
 session setup ok
tree connect failed: NT_STATUS_BAD_NETWORK_NAME


Regards,
Henrik



[Samba] ACLs and winbind

2007-08-08 Thread Thierry Lacoste
I'm trying to allow XP clients to add ACLs in the homes share.
It appears that I'm unable to do it unless I use winbind
although I'm in a pure Samba/OpenLDAP environment.

I have a PDC and BDC with Samba/OpenLDAP
and a member Samba server with homes and profiles (below
is its smb.conf) on which I have Posix ACLs.
If I comment out the idmap lines I cannot add ACLs from XP
in my home share though. I can browse and pick domain users
and groups but cannot add them to the security tab of a file
in a user's home share.

Do I really need winbind?

Regards,
Thierry.

workgroup = STARS
netbios name = CAPELLA
security = DOMAIN
name resolve order = wins bcast
wins server = castor
netbios aliases = AHOMES APROFILES
password server = ALDAP1 ALDAP2

log level = 2

idmap gid = 1-2
idmap uid = 1-2

[homes]
  comment = Home Directories
  valid users = %S
  read only = No
  browseable = No

[Profiles]
  comment = Roaming Profile Share
  path = /export/profiles
  read only = No
  profile acls = Yes



[Samba] Questions about samba+LDAP

2007-08-08 Thread Hadmut Danisch
Hi,

just three simple questions about samba+LDAP:

Samba allows to configure several LDAP suffixes,

ldap group suffix
ldap idmap suffix
ldap machine suffix
ldap user suffix

and the general ldap base with ldap suffix.


But is there a way to configure a suffix for
the sambaDomain objects?

When I call pdbedit -L , it automatically creates
a Domain for the machine, but directly under the
ldap base, which is a little bit annoying, would like
to have them in a subtree with ou=...

Interestingly, the LDAP administration tool
ldap-account-manager does keep the sambaDomains in a
subtree separated with ou=..., but samba does not accept
them.



Second question:

does pdbedit always create (and does samba always use) a
sambaDomain object named after the netbios name?


Third question:

The configuration file for the smbldap tools allow to
specify a slave LDAP just for the read access, and a master
for write access, thus supporting LDAP replications.

Does ldapsam support the same?



regards
Hadmut


[Samba] Enforcing Password Policies...

2007-08-08 Thread Matt Anderson
Dear Help,

I'm currently running Samba with an LDAP passdb backend.  I'm trying to figure
out how to NOT allow a particular user to change their password (through
Windows, or any interface).  I've tried modifying the values for
sambaPwdCanChange and sambaPwdMustChange for a particular user, but it seems
like it only affects making them change their password, instead of whether or
not they're ALLOWED to.

Secondly, I've used pdbedit to edit the lockout policies when using a bad
password (lockout duration = 30, bad lockout attempt = 5 and reset count
minutes = 30).  When I type in the wrong password 5 times for a user, it locks
the account as it should.  However, 30 minutes later (or more) it's still locked
and the bad attempt count is not being reset.  Is there something else I need to
modify to make this functionality work?

Any help would be most appreciated.  Thank you!

-Matt



[Samba] Re: Questions about samba+LDAP

2007-08-08 Thread Matt Anderson

 
> Third question:
>
> The configuration file for the smbldap tools allow to
> specify a slave LDAP just for the read access, and a master
> for write access, thus supporting LDAP replications.
>
> Does ldapsam support the same?
>
> regards
> Hadmut

Hi Hadmut,

I can at least help you with this one.  The answer is definitely yes.  I have my
smb.conf set up like the following:
passdb backend = ldapsam:ldaps://192.168.2.2 ldaps://192.168.2.3

Just separate the backup servers by spaces, and put the whole thing in quotes
and you should be good to go!

Hopefully that helps...

-Matt




[Samba] Domain with public shares

2007-08-08 Thread samba-list
I have a samba server setup with security = user (NT-domain). I use
openldap for authentication and that part is working fine. People can log in
and see the files they have permission to.
I need to have some public folders on the samba server that anybody can use
(also non domain users (ie. WinXP Home users that can't join a domain)).
And the printers should be public in the same way. Unfortunately this is
not happening as I was hoping.

Here is my smb.conf: 

---
[global]
workgroup = jaegergaarden
netbios name = mainserver
security = user
enable privileges = yes
server string = Samba Server %v
encrypt passwords = Yes
admin users=root smbadmin

ldap passwd sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = Changing password for*\nNew password* %n\n *Retype new password* %n\n

log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 10
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
Unix charset = UTF8
display charset = UTF8

logon drive = P:
logon home = \\mainserver\%U
logon path = 


domain logons = Yes
domain master = Yes
os level = 65
preferred master = Yes
wins support = yes

passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=admin,dc=jaegergaarden,dc=skolesys,dc=org
ldap suffix = dc=jaegergaarden,dc=skolesys,dc=org
ldap group suffix = ou=Groups,ou=Samba
ldap user suffix = ou=Users,ou=Samba
ldap machine suffix = ou=Computers,ou=Samba
add machine script = ss_hostmanager join_domain %u %D

load printers = Yes
create mask = 0640
directory mask = 0750

nt acl support = No
printing = cups
printcap name = cups
deadtime = 10
guest account = nobody
map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes
; to maintain capital letters in shortcuts in any of the profile folders:
preserve case = yes
short preserve case = yes
case sensitive = no

[netlogon]
path = /home/netlogon/
browseable = No
read only = yes

[homes]
   comment = Home Directories
   path = /skolesys/jaegergaarden.dk/users/%S/.windows
   browseable = yes
   read only = no
   create mode = 0600
   directory mode = 0700


[profiles]
path = /skolesys/jaegergaarden.dk/profiles
read only = No
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = yes
csc policy = disable
force user = %U 
valid users = %U Domain Admins

[printers]
comment = Network Printers
printer admin = @Print Operators
guest ok = yes 
printable = yes
path = /home/spool/
browseable = No
read only  = Yes
printable = Yes
print command = /usr/bin/lpr -P%p -r %s
lpq command = /usr/bin/lpq -P%p
lprm command = /usr/bin/lprm -P%p %j


[print$]
path = /home/printers
guest ok = Yes
browseable = Yes
read only = Yes
valid users = @Print Operators
write list = @Print Operators
create mask = 0664
directory mask = 0775


P.S. Profiles aren't working either, but let's take that another time

Best regards Jakob Simon-Gaarde



Re: [Samba] Enforcing Password Policies...

2007-08-08 Thread Thierry Lacoste
On Wednesday 08 August 2007 20:17, Matt Anderson wrote:
> Dear Help,
>
> I'm currently running Samba with an LDAP passdb backend.  I'm trying to
> figure out how to NOT allow a particular user to change their password
> (through Windows, or any interface).  I've tried modifying the values for
> sambaPwdCanChange and sambaPwdMustChange for a particular user, but it
> seems like it only affects making them change their password, instead of
> whether or not they're ALLOWED to.

If you set sambaPwdCanChange in the future (e.g 1286597349 which corresponds
to Saturday, October 9th 2010, 4:09:09 (GMT)) the user can not change its
password until this date with windows.

The problem is that he can still modify its LDAP password.
You could add acls to your slapd.conf such that only your
ldap admin dn has write access to the userPassword attribute.
In this case the only way to change the password is via samba.

HTH,
Thierry.



Re: [Samba] Domain with public shares

2007-08-08 Thread Chris Smith
On Wednesday 08 August 2007, samba-list wrote:
> I need to have some public folders on the samba server that anybody can use

Use a username map and set nobody = guest.

-- 
Chris
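
How the guest parameters in this thread and in the earlier guest-access question interact, as an added example that is not part of the original posts: a small Python audit that reports which shares a client without an account can reach. The sample smb.conf is constructed (modelled on the configurations posted in this digest), the function names and verdict strings are hypothetical, and the `valid users` check is a simplified token match.

```python
"""Report which smb.conf shares a client without an account can reach."""
import re

TRUE_WORDS = {"yes", "true", "on", "1"}
# Synonyms listed in smb.conf(5); the write synonyms invert "read only".
GUEST_OK_SYNONYMS = {"public"}
WRITE_SYNONYMS = {"writable", "writeable", "writeok"}

# Constructed sample, modelled on the configurations posted in this digest.
SAMPLE_CONF = """\
[global]
security = user
guest account = nobody
map to guest = Bad User

[cdrom]
path = /media/cdrom
writeable = no
guest ok = yes

[homes]
writable = yes

[print$]
path = /home/printers
guest ok = Yes
valid users = @Print Operators

; hypothetical share, not from the thread
[scratch]
path = /srv/scratch
public = yes
read only = no
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with normalised parameter names."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):              # value continues on the next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            # Whitespace and case in parameter names are not significant.
            key, value = re.sub(r"\s+", "", name).lower(), value.strip()
            if key in GUEST_OK_SYNONYMS:
                key = "guestok"
            elif key in WRITE_SYNONYMS:      # store as its inverse, "read only"
                key = "readonly"
                value = "no" if value.lower() in TRUE_WORDS else "yes"
            current[key] = value
    return sections


def audit_guest_access(text):
    """Map each share name to a one-line verdict on account-less access."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    map_to_guest = glob.get("maptoguest", "Never").lower()
    guest_account = glob.get("guestaccount", "nobody").lower()
    verdicts = {}
    for share, params in conf.items():
        if share == "global":
            continue
        merged = {**glob, **params}          # [global] supplies share defaults
        if merged.get("guestok", "no").lower() not in TRUE_WORDS:
            verdicts[share] = "accounts only"
            continue
        allowed = re.split(r"[,\s]+", merged.get("validusers", "").lower())
        if merged.get("validusers") and guest_account not in allowed:
            verdicts[share] = "guest ok, but valid users excludes the guest account"
        elif map_to_guest == "never":
            verdicts[share] = "guest ok, but unknown usernames are rejected"
        elif merged.get("readonly", "yes").lower() in TRUE_WORDS:
            verdicts[share] = "guest read-only"
        else:
            verdicts[share] = "guest read-write"
    return verdicts


if __name__ == "__main__":
    for share, verdict in audit_guest_access(SAMPLE_CONF).items():
        print(f"{share:10} {verdict}")
```

In the sample, `[print$]` combines `guest ok` with a `valid users` list that does not include the guest account, the same combination that appears in the posted configuration.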


[Samba] SERIOUS PROBLEM - Root Account Locked

2007-08-08 Thread Jason Baker
My root account keeps getting locked out automatically. I am running 
Samba 3.0.25b on a CentOS server, as PDC with LDAP backend. I have 
accounts set to lock after 8 un-successful login attempts. I zeroed out 
the bad password count, and then in less than a few seconds the account 
gets locked again and a pdbedit -Lv -u root yields the following:

Unix username:root
Logon time:   0
Logoff time:  never
Kickoff time: never
Password last set:Wed, 01 Jan 1969 03:00:00 EST
Password can change:  Wed, 08 Jan 1969 03:00:00 EST
Password must change: never
Last bad password   : Wed, 08 Aug 2007 13:51:14 EDT
Bad password count  : 8

If I enter w on the command line, it only shows that two (authorized) 
users are logged into the server. So I'm confident that no one from the 
outside is attempting to log in as root. Below is my conf file. If I go 
into LDAP Account Manager and unlock the account, it will stay unlocked 
for a few minutes (or seconds), then it is locked out again. With the 
account lock I cannot join machines to the domain, nor change domain 
permissions for users and groups. Any suggestions would be helpful.


[global]
   unix charset = LOCALE
   workgroup = glastendernet
   netbios name = aster
   server string = Glastender Domain Controller running %v
   interfaces = eth1, lo, tun+
   bind interfaces only = yes
   os level = 255
   preferred master = yes
   local master = yes
   domain master = yes
   security = user
   time server = yes
   username map = /etc/samba/smbusers
   wins support = yes
   encrypt passwords = yes
   pam password change = yes
   name resolve order = wins bcast hosts
   winbind nested groups = no
   passdb backend = ldapsam:ldap://aster.glastender.com
   ldap passwd sync = Yes
   ldap suffix = dc=glastender,dc=com
   ldap admin dn = cn=Manager,dc=glastender,dc=com
   ldap ssl = no
   ldap group suffix = ou=Groups
   ldap user suffix = ou=People
   ldap machine suffix = ou=People
   ldap idmap suffix = ou=Idmap
   idmap backend = ldap:ldap://aster.glastender.com
   idmap uid = 1-2
   idmap gid = 1-2
   map acl inherit = yes
   add user script = /opt/IDEALX/sbin/smbldap-useradd -m %u
   #delete user script = /opt/IDEALX/sbin/smbldap-userdel %u
   add machine script = /opt/IDEALX/sbin/smbldap-useradd -w %u
   add group script = /opt/IDEALX/sbin/smbldap-groupadd -p %g
   #delete group script = /opt/IDEALX/sbin/smbldap-groupdel %g
   add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m %u %g
   delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x %u %g
   set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g %g %u

   domain logons = yes
   log file = /var/log/samba/log.%m
   log level = 0
   syslog = 0
   max log size = 50
   #smb ports = 139 445
   smb ports = 139
   hosts allow = 127.0.0.1 172.16.0.0/255.255.0.0 192.168.100.0/255.255.255.0

   # User profiles and home directories
   logon drive = U:
   logon path = \\%L\profiles\%U
   logon script = %U.bat
   large readwrite = no
   read raw = no
   write raw = no
   printcap name = /etc/printcap
   load printers = no
   printing =
  template shell = /bin/false
  winbind use default domain = yes


--

Jason Baker
IT Coordinator


Glastender Inc.
5400 North Michigan Road
Saginaw, Michigan 48604 USA
800.748.0423
Phone: 989.752.4275 ext. 228
Fax: 989.752.
www.glastender.com

-BEGIN GEEK CODE BLOCK- 
Version: 3.1

GIT$ d- s: a C++$ LU+++$ P+ L++L !E--- W+++ N o? K?
w !O M !V PS PE++ Y? PGP- t 5? X+ R+ tv+ b- DI-- D++ G e+ h--- 
r+++ y+++

--END GEEK CODE BLOCK--



Re: [Samba] Re: Questions about samba+LDAP

2007-08-08 Thread Hadmut Danisch
Hi Matt,

On Wed, Aug 08, 2007 at 06:20:42PM +, Matt Anderson wrote:

 passdb backend = ldapsam:ldaps://192.168.2.2 ldaps://192.168.2.3

Well, I had already tried this (replication first, master second) but 
got an error message about missing write access.

The problem seems to be that samba (in contrast to smbldap tools) does 
not distinguish between read and write access, but always tries the first
one first, and only if it does not exist, the second one.

regards
Hadmut


[Samba] LDAP Account Manager 2.0.0 released

2007-08-08 Thread Roland Gruber
LDAP Account Manager (LAM) 2.0.0 - August 8th, 2007
===================================================

LAM is a web frontend for managing accounts stored in an LDAP directory.


Announcement:
-------------

This is the first release which requires PHP5. It includes two new
translations (Simplified Chinese and Czech) and includes several bug
fixes and minor improvements.


Features:
---------

* management of Unix user and group accounts (posixAccount/posixGroup)
* management of Samba 2.x/3 user and host accounts
  (sambaAccount/sambaSamAccount)
* management of Kolab 2 accounts (kolabInetorgPerson)
* profiles for account creation
* account creation via file upload
* automatic creation/deletion of home directories
* setting quotas
* PDF output for all accounts
* editor for organizational units (OU)
* schema browser
* tree view
* multiple configuration files
* multi-language support (Catalan, Chinese, Czech, Dutch, English,
  French, German, Hungarian, Italian, Japanese, Russian, Spanish)
* support for LDAP+SSL


Availability:
-------------

This software is available under the GNU General Public License V2.0.

You can get the newest version at http://lam.sf.net.

File formats: DEB, RPM, tar.gz
There is also a FreeBSD port and Debian users may use the packages in
Debian/unstable.


Demo installation:
------------------

You can try our demo installation online.

http://lam.sf.net/live-demo/index.htm


Support:
--------

If you find a bug please file a bug report. For questions or
implementing new features please use the forum and feature request
tracker at our Sourceforge homepage http://www.sf.net/projects/lam.



Authors & Copyright:
--------------------

Copyright (C) 2003 - 2007:
Michael Duergner [EMAIL PROTECTED]
Roland Gruber [EMAIL PROTECTED]
Tilo Lutz [EMAIL PROTECTED]


LAM is published under the GNU General Public License.
The complete list of licenses can be found in the copyright file.


-- 

Best regards

Roland Gruber


LDAP Account Manager
http://lam.sourceforge.net

Want more? Get LDAP Account Manager Pro!
http://lam.sourceforge.net/lamPro/index.htm



[Samba] Re: Enforcing Password Policies...

2007-08-08 Thread Matt Anderson
 The problem is that he can still modify its LDAP password.
 You could add acls to your slapd.conf such that only your
 ldap admin dn has write access to the userPassword attribute.
 In this case the only way to change the password is via samba.
 
 HTH,
 Thierry.
 

Hi Thierry,

Modifying SambaPwdCanChange did help... but for some reason I can't set the date
to more than 30 (or so) years in the future--not that I need more than that, I
just thought it was interesting.  BTW- I'm using eDirectory as the backend,
which seems to be blocking Windows users OK.  So thanks for your help on that.

Anyone with any thoughts on why the account lockout isn't clearing?

Thanks!

-Matt




Re: [Samba] SERIOUS PROBLEM - Root Account Locked

2007-08-08 Thread Jonathan Johnson
Do you have a process (like a service or scheduled task) running on a 
client machine as user 'root' with an incorrect cached password?


Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com

Jason Baker wrote:
My root account keeps getting locked out automatically. I am running 
Samba 3.0.25b on a CentOS server, as PDC with LDAP backend. I have 
accounts set to lock after 8 un-successful login attempts. I zeroed 
out the bad password count, and then in less than a few seconds the 
account gets locked again and a pdbedit -Lv -u root yields the 
following:

Unix username:root
Logon time:   0
Logoff time:  never
Kickoff time: never
Password last set:Wed, 01 Jan 1969 03:00:00 EST
Password can change:  Wed, 08 Jan 1969 03:00:00 EST
Password must change: never
Last bad password   : Wed, 08 Aug 2007 13:51:14 EDT
Bad password count  : 8

If I enter w on the command line, it only shows that two (authorized) 
users are logged into the server. So I'm confident that no one from 
the outside is attempting to log in as root. Below is my conf file. If 
I go into LDAP Account Manager and unlock the account, it will stay 
unlocked for a few minutes (or seconds), then it is locked out again. 
With the account lock I cannot join machines to the domain, nor change 
domain permissions for users and groups. Any suggestions would be 
helpful.


[global]
   unix charset = LOCALE
   workgroup = glastendernet
   netbios name = aster
   server string = Glastender Domain Controller running %v
   interfaces = eth1, lo, tun+
   bind interfaces only = yes
   os level = 255
   preferred master = yes
   local master = yes
   domain master = yes
   security = user
   time server = yes
   username map = /etc/samba/smbusers
   wins support = yes
   encrypt passwords = yes
   pam password change = yes
   name resolve order = wins bcast hosts
   winbind nested groups = no
   passdb backend = ldapsam:ldap://aster.glastender.com
   ldap passwd sync = Yes
   ldap suffix = dc=glastender,dc=com
   ldap admin dn = cn=Manager,dc=glastender,dc=com
   ldap ssl = no
   ldap group suffix = ou=Groups
   ldap user suffix = ou=People
   ldap machine suffix = ou=People
   ldap idmap suffix = ou=Idmap
   idmap backend = ldap:ldap://aster.glastender.com
   idmap uid = 1-2
   idmap gid = 1-2
   map acl inherit = yes
   add user script = /opt/IDEALX/sbin/smbldap-useradd -m %u
   #delete user script = /opt/IDEALX/sbin/smbldap-userdel %u
   add machine script = /opt/IDEALX/sbin/smbldap-useradd -w %u
   add group script = /opt/IDEALX/sbin/smbldap-groupadd -p %g
   #delete group script = /opt/IDEALX/sbin/smbldap-groupdel %g
   add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m %u %g
   delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x %u %g
   set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g %g %u

   domain logons = yes
   log file = /var/log/samba/log.%m
   log level = 0
   syslog = 0
   max log size = 50
   #smb ports = 139 445
   smb ports = 139
   hosts allow = 127.0.0.1 172.16.0.0/255.255.0.0 192.168.100.0/255.255.255.0

   # User profiles and home directories
   logon drive = U:
   logon path = \\%L\profiles\%U
   logon script = %U.bat
   large readwrite = no
   read raw = no
   write raw = no
   printcap name = /etc/printcap
   load printers = no
   printing =
  template shell = /bin/false
  winbind use default domain = yes





[Samba] Default User in netlogon trouble

2007-08-08 Thread Server Gremlin

Hey Samba list,

   I have a Default User folder in the netlogon share on my samba PDC.  
I am having a very difficult time getting users to use this as their 
default profile.  I think my basic understanding of how this is supposed 
to work might be flawed.


   My current understanding is as follows.  When a user logs onto a 
domain for the first time Windows XP Pro SP2 machines first check the 
netlogon share.  If they find a Default User folder there, then they 
download that and use it as the user's baseline profile.  If they don't 
find it there, then they look on the local system under C:\Documents and 
Settings\Default User and create a profile for the user based on that 
profile.  If they don't find a profile there, then there's nothing for 
Windows to use and you get some crazy error message about not having a 
profile to load.


   Windows uses *either* the Default User in the netlogon share or the 
Default User in C:\Documents and Settings on the local machine.  It's 
either or, it does NOT combine these two folders in any way to make the 
baseline profile.  Is this accurate?


Thanks,
- SG


Re: [Samba] SERIOUS PROBLEM - Root Account Locked

2007-08-08 Thread Jason Baker
Do you have a process (like a service or scheduled task) running on a 
client machine as user 'root' with an incorrect cached password? 

No actually, this is what seems to be happening:
I log into a windows xp pro workstation as Administrator and browse the 
network. I double-click on a network share, in this case a samba 
computer called HENBANE. If I view pdbedit -Lv -u root from another 
computer while I'm doing this, I can watch the bad login count rise from 
0 to 8. I then get a message that pops up on the Windows workstation 
that says something to the effect of account locked.
I added guest account = nobody to my smb.conf file and now I can browse 
the HENBANE share after being prompted for a username and password, but 
the bad password count for root now shows 2, and it rises higher each 
time I access a share that requires a username and password.


Jason Baker
IT Coordinator


Glastender Inc.
5400 North Michigan Road
Saginaw, Michigan 48604 USA
800.748.0423
Phone: 989.752.4275 ext. 228
Fax: 989.752.
www.glastender.com

-BEGIN GEEK CODE BLOCK- 
Version: 3.1

GIT$ d- s: a C++$ LU+++$ P+ L++L !E--- W+++ N o? K?
w !O M !V PS PE++ Y? PGP- t 5? X+ R+ tv+ b- DI-- D++ G e+ h--- 
r+++ y+++

--END GEEK CODE BLOCK--



Jonathan Johnson wrote:
Do you have a process (like a service or scheduled task) running on a 
client machine as user 'root' with an incorrect cached password?


Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com

Jason Baker wrote:
My root account keeps getting locked out automatically. I am running 
Samba 3.0.25b on a CentOS server, as PDC with LDAP backend. I have 
accounts set to lock after 8 un-successful login attempts. I zeroed 
out the bad password count, and then in less than a few seconds the 
account gets locked again and a pdbedit -Lv -u root yields the 
following:

Unix username:root
Logon time:   0
Logoff time:  never
Kickoff time: never
Password last set:Wed, 01 Jan 1969 03:00:00 EST
Password can change:  Wed, 08 Jan 1969 03:00:00 EST
Password must change: never
Last bad password   : Wed, 08 Aug 2007 13:51:14 EDT
Bad password count  : 8

If I enter w on the command line, it only shows that two (authorized) 
users are logged into the server. So I'm confident that no one from 
the outside is attempting to log in as root. Below is my conf file. 
If I go into LDAP Account Manager and unlock the account, it will 
stay unlocked for a few minutes (or seconds), then it is locked out 
again. With the account lock I cannot join machines to the domain, 
nor change domain permissions for users and groups. Any suggestions 
would be helpful.


[global]
   unix charset = LOCALE
   workgroup = glastendernet
   netbios name = aster
   server string = Glastender Domain Controller running %v
   interfaces = eth1, lo, tun+
   bind interfaces only = yes
   os level = 255
   preferred master = yes
   local master = yes
   domain master = yes
   security = user
   time server = yes
   username map = /etc/samba/smbusers
   wins support = yes
   encrypt passwords = yes
   pam password change = yes
   name resolve order = wins bcast hosts
   winbind nested groups = no
   passdb backend = ldapsam:ldap://aster.glastender.com
   ldap passwd sync = Yes
   ldap suffix = dc=glastender,dc=com
   ldap admin dn = cn=Manager,dc=glastender,dc=com
   ldap ssl = no
   ldap group suffix = ou=Groups
   ldap user suffix = ou=People
   ldap machine suffix = ou=People
   ldap idmap suffix = ou=Idmap
   idmap backend = ldap:ldap://aster.glastender.com
   idmap uid = 1-2
   idmap gid = 1-2
   map acl inherit = yes
   add user script = /opt/IDEALX/sbin/smbldap-useradd -m %u
   #delete user script = /opt/IDEALX/sbin/smbldap-userdel %u
   add machine script = /opt/IDEALX/sbin/smbldap-useradd -w %u
   add group script = /opt/IDEALX/sbin/smbldap-groupadd -p %g
   #delete group script = /opt/IDEALX/sbin/smbldap-groupdel %g
   add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m %u %g
   delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x %u %g
   set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g %g %u

   domain logons = yes
   log file = /var/log/samba/log.%m
   log level = 0
   syslog = 0
   max log size = 50
   #smb ports = 139 445
   smb ports = 139
   hosts allow = 127.0.0.1 172.16.0.0/255.255.0.0 192.168.100.0/255.255.255.0

   # User profiles and home directories
   logon drive = U:
   logon path = \\%L\profiles\%U
   logon script = %U.bat
   large readwrite = no
   read raw = no
   write raw = no
   printcap name = /etc/printcap
   load printers = no
   printing =
  template shell = /bin/false
  winbind use default domain = yes




[Samba] username map

2007-08-08 Thread JESSE CARROLL
Forgive me for being new - but you've got to start somewhere.

I've set up SAMBA on a Unix server that talks to AD. Almost everything works
save for a user name map. From my configuration (names changed) below I can
attach from windusr1 on PC1 to the Unix system and it sets up as unxusr1 no
problems and clean. I can access all three shares. However, when I try to do
the same thing from PC2 for appusrwin I am prompted for a name/password. No
matter what I put in (windows ID/password or Unix ID/password, or combinations
of these) I can't connect. The message in the log.smbd is
domain_client_validate: unable to validate password for user appusru in
domain XXXGLOBAL to Domain controller USORSDC00. Error was
NT_STATUS_NO_SUCH_USER.  Note that in reality the Unix ID and Windows are
very similar, with the difference being that the Windows ID is the same as the
Unix ID but with 2 more characters.  What am I doing incorrectly?



::
smb.conf
::
[global]
security = domain
workgroup = XXXGLOBAL
netbios name = unix01
password server = adserver01, adserver02
domain master = no
local master = no
preferred master = no

username map = /usr/local/samba/lib/smb.users

[homes]
writeable = yes
# +sysadmin is a Unix group which unxusr1 is a member
valid users = +sysadmin
wide links = no

[trax]  
path = /var/data_files
writeable = yes
valid users = unxusr1, appusru
wide links = no

[test]  
path = /var/tmp
writeable = yes
valid users = unxusr1, appusru
wide links = no
::
smb.users
::
unxusr1 = XXXGLOBAL\windusr1
appusru = XXXGLOBAL\appusrwin




RE: [Samba] SERIOUS PROBLEM - Root Account Locked

2007-08-08 Thread Jonathan Johnson
This sounds like you have 'root = Administrator' in your /etc/samba/smbusers 
file. Is the password you are using for Administrator *different* from what is 
set for root in Samba (smbpasswd root to change)? That could be the issue.
 
Note that typically, Linux and Samba use different password databases, so even 
though they map the same user name, the passwords may be different.
 
Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com
 


From: Jason Baker [mailto:[EMAIL PROTECTED]
Sent: Wed 8/8/2007 1:51 PM
To: Jonathan Johnson
Cc: samba@lists.samba.org
Subject: Re: [Samba] SERIOUS PROBLEM - Root Account Locked



Do you have a process (like a service or scheduled task) running on a 
client machine as user 'root' with an incorrect cached password? 

No actually, this is what seems to be happening:
I log into a windows xp pro workstation as Administrator and browse the 
network. I double-click on a network share, in this case a samba computer 
called HENBANE. If I view pdbedit -Lv -u root from another computer while I'm 
doing this, I can watch the bad login count rise from 0 to 8. I then get a 
message that pops up on the Windows workstation that says something to the 
effect of account locked.
I added guest account = nobody to my smb.conf file and now I can browse the 
HENBANE share after being prompted for a username and password, but the bad 
password count for root now shows 2, and it rises higher each time I access a 
share that requires a username and password.



Jason Baker
IT Coordinator


Glastender Inc.
5400 North Michigan Road
Saginaw, Michigan 48604 USA
800.748.0423
Phone: 989.752.4275 ext. 228
Fax: 989.752.
www.glastender.com

-BEGIN GEEK CODE BLOCK- 
Version: 3.1
GIT$ d- s: a C++$ LU+++$ P+ L++L !E--- W+++ N o? K?
w !O M !V PS PE++ Y? PGP- t 5? X+ R+ tv+ b- DI-- D++ G e+ h--- 
r+++ y+++
--END GEEK CODE BLOCK-- 



Jonathan Johnson wrote: 

Do you have a process (like a service or scheduled task) running on a 
client machine as user 'root' with an incorrect cached password? 

Jon Johnson 
Sutinen Consulting, Inc. 
www.sutinen.com

Jason Baker wrote: 


My root account keeps getting locked out automatically. I am 
running Samba 3.0.25b on a CentOS server, as PDC with LDAP backend. I have 
accounts set to lock after 8 un-successful login attempts. I zeroed out the bad 
password count, and then in less than a few seconds the account gets locked 
again and a pdbedit -Lv -u root yields the following: 
Unix username:root 
Logon time:   0 
Logoff time:  never 
Kickoff time: never 
Password last set:Wed, 01 Jan 1969 03:00:00 EST 
Password can change:  Wed, 08 Jan 1969 03:00:00 EST 
Password must change: never 
Last bad password   : Wed, 08 Aug 2007 13:51:14 EDT 
Bad password count  : 8 

If I enter w on the command line, it only shows that two 
(authorized) users are logged into the server. So I'm confident that no one 
from the outside is attempting to log in as root. Below is my conf file. If I 
go into LDAP Account Manager and unlock the account, it will stay unlocked for 
a few minutes (or seconds), then it is locked out again. With the account lock 
I cannot join machines to the domain, nor change domain permissions for users 
and groups. Any suggestions would be helpful. 

[global] 
   unix charset = LOCALE 
   workgroup = glastendernet 
   netbios name = aster 
   server string = Glastender Domain Controller running %v 
   interfaces = eth1, lo, tun+ 
   bind interfaces only = yes 
   os level = 255 
   preferred master = yes 
   local master = yes 
   domain master = yes 
   security = user 
   time server = yes 
   username map = /etc/samba/smbusers 
   wins support = yes 
   encrypt passwords = yes 
   pam password change = yes 
   name resolve order = wins bcast hosts 
   winbind nested groups = no 
   passdb backend = ldapsam:ldap://aster.glastender.com 
   ldap passwd sync = Yes 
   ldap suffix = dc=glastender,dc=com 
   ldap admin dn = cn=Manager,dc=glastender,dc=com 
   ldap ssl = no 
   ldap group suffix = ou=Groups 
   ldap user suffix = ou=People 
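
Jon's 'root = Administrator' suggestion above and the smb.users question earlier in the thread both turn on how smbd reads a username map file. The following is an added example, not part of the original posts and not Samba's code: a simplified Python model of the lookup described in smb.conf(5), with @group entries left out, hypothetical function names, and constructed sample files.

```python
"""Simplified model of Samba's `username map` lookup, after smb.conf(5).

Added example: function names are hypothetical and all sample data
below is constructed.
"""
import re

# A right-hand-side name is "double quoted" (may contain spaces) or a
# run of characters without whitespace or commas.
_NAME = re.compile(r'"([^"]*)"|([^\s,]+)')


def parse_username_map(text):
    """Return rules as (unix_name, [client_names], stop_if_mapped)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        # Blank lines, '#' / ';' comments and lines without '=' are ignored.
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix_name, rhs = line.split("=", 1)
        unix_name = unix_name.strip()
        # A leading '!' means: stop processing once this line has matched.
        stop = unix_name.startswith("!")
        if stop:
            unix_name = unix_name[1:].strip()
        names = [quoted or bare for quoted, bare in _NAME.findall(rhs)]
        names = [n for n in names if n]
        if unix_name and names:
            rules.append((unix_name, names, stop))
    return rules


def map_username(rules, client_name):
    """Apply the rules top to bottom; return (final_name, trail)."""
    name, trail = client_name, []
    for unix_name, names, stop in rules:
        for candidate in names:
            if candidate.startswith("@"):
                continue  # UNIX group members: needs a group lookup, not modelled
            if candidate == "*" or candidate.lower() == name.lower():
                trail.append((name, unix_name))
                name = unix_name  # later lines now see the mapped name
                break
        else:
            continue  # no name on this line matched
        if stop:
            break
    return name, trail


def clients_sharing_account(rules, unix_account):
    """Client names that a map line rewrites directly to `unix_account`."""
    return sorted({n for unix_name, names, _ in rules
                   if unix_name.lower() == unix_account.lower()
                   for n in names})


def bad_password_count(pdbedit_output):
    """Extract the counter from `pdbedit -Lv -u <user>` output, or None."""
    m = re.search(r"^Bad password count\s*:\s*(\d+)", pdbedit_output, re.M)
    return int(m.group(1)) if m else None


def lockout_report(rules, pdbedit_output, account, threshold):
    """Relate a lockout counter to the client names mapped onto the account."""
    count = bad_password_count(pdbedit_output)
    return {
        "account": account,
        "bad_password_count": count,
        "locked": count is not None and count >= threshold,
        "mapped_client_names": clients_sharing_account(rules, account),
    }


# Constructed sample in the style of /etc/samba/smbusers.
SMBUSERS = r"""
# Unix_name = SMB_name1 SMB_name2 ...
root = Administrator
nobody = guest pcguest smbguest
"""

# The smb.users entries quoted earlier in the thread.
AD_MAP = r"""
unxusr1 = XXXGLOBAL\windusr1
appusru = XXXGLOBAL\appusrwin
"""

# Constructed excerpt of pdbedit output with the counter at the limit.
PDBEDIT = """Unix username:        root
Last bad password   : Wed, 08 Aug 2007 13:51:14 EDT
Bad password count  : 8
"""

if __name__ == "__main__":
    local = parse_username_map(SMBUSERS)
    print(map_username(local, "Administrator"))
    print(lockout_report(local, PDBEDIT, "root", threshold=8))
    ad = parse_username_map(AD_MAP)
    for presented in (r"XXXGLOBAL\appusrwin", "appusrwin"):
        print(presented, "->", map_username(ad, presented)[0])
```

Which form of the name smbd passes to the map (plain user or DOMAIN\user) depends on the Samba version and the security mode, so check smb.conf(5) for the release in use.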
 

Fwd: Re: [Samba] Domain with public shares

2007-08-08 Thread samba-list
Hi.

 [sample]
 comment = Free for all
 path = /storage/everyone
 read only = No
 create mask = 0777
 directory mask = 0777
 guest ok = Yes

This worked right away - thanks!


Still having trouble with the printers.
I can browse the printers, but after running through the Add printer
wizard the status of the printer is Access denied :-(

Here is my printers section:

[printers]
comment = Network Printers
printer admin = @Print Operators
guest ok = yes
printable = yes
path = /home/spool/
browseable = No
read only  = Yes
print command = /usr/bin/lpr -P%p -r %s
lpq command = /usr/bin/lpq -P%p
lprm command = /usr/bin/lprm -P%p %j
# print command = /usr/bin/lpr [EMAIL PROTECTED] -P%p -r %s
# lpq command = /usr/bin/lpq [EMAIL PROTECTED] -P%p
# lprm command = /usr/bin/lprm [EMAIL PROTECTED] -P%p %j
# lppause command = /usr/sbin/lpc [EMAIL PROTECTED] hold %p %j
# lpresume command = /usr/sbin/lpc [EMAIL PROTECTED] release %p %j
# queuepause command = /usr/sbin/lpc [EMAIL PROTECTED] stop %p
# queueresume command = /usr/sbin/lpc [EMAIL PROTECTED] start %p



[Samba] ppolicy overlay (WAS: Enforcing Password Policies...)

2007-08-08 Thread Thierry Lacoste
On Wednesday 08 August 2007 20:17, Matt Anderson wrote:
 Dear Help,

 I'm currently running Samba with an LDAP passdb backend.  I'm trying to
 figure out how to NOT allow a particular user to change their password
 (through Windows, or any interface).  I've tried modifying the values for
 sambaPwdCanChange and sambaPwdMustChange for a particular user, but it
 seems like it only affects making them change their password, instead of
 whether or not they're ALLOWED to.

With OpenLDAP one can use
  ldap passwd sync = only
in smb.conf and let the smbk5pwd overlay synchronize the LM and NT passwords.

If you add the ppolicy overlay you have a clean way to prevent password
changes for some accounts (through Windows, or any interface).
For instance one can use a pwdPolicy with pwdAllowUserChange: FALSE

The only problem is that a Windows client reports a successful password
change even though the password was not changed because of the above
pwdPolicy.

Regards,
Thierry.



[Samba] home dir file permissions samba, winbind with ldap backend, AD Server 2003 R2 domain

2007-08-08 Thread Stang, Sharol
I have samba 3.0.23 running as a clustered service on RHEL5 and I am
wondering if it is okay that when I check the file permissions on the
home directories they are numerical even if I reset the permissions.
They stay in the long listing format until I restart the service and
when I check again it looks like I typed ls -n instead of ls -s. I
hadn't noticed it doing this before. It seems like everything works fine
and the UIDs are correct I just want to make sure before I replace the
RH9 samba server with it.

Thanks so much!

-sharol



Re: [Samba] Problem with LDAP failover config

2007-08-08 Thread Ben Tisdall
John Drescher wrote:

 If the email client does something weird there is one space between
 the entries. These are two different machines with the first being the
 PDC and it is in the dns but the second is not so I used the numerical
 ip for that one instead.
 
 passdb backend = ldapsam:ldap://sysserv0.radimg.pitt.edu 
 ldap://192.168.1.230;
 
Thanks John, I'd already tried & failed this way :(

It turns out this appears to be related to the newest Samba package as
provided by Fedora Core 4 (3.0.23a-1.fc4.1), as using 3.0.25b compiled
from the official Samba sources failover works fine.

Unfortunately I'd already made a slightly embarrassing regression from
3.0.25b to the Fedora package on Monday due to resource utilisation
issues I haven't yet had time to diagnose. All the more reason to get
back on the case!

Cheers,

-- 
Ben Tisdall


svn commit: samba r24277 - in branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules: .

2007-08-08 Thread abartlet
Author: abartlet
Date: 2007-08-08 06:37:37 + (Wed, 08 Aug 2007)
New Revision: 24277

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24277

Log:
Tidyup as requested by metze.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/objectclass.c


Changeset:
Modified: branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/objectclass.c
===
--- branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/objectclass.c  
2007-08-08 03:20:37 UTC (rev 24276)
+++ branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/objectclass.c  
2007-08-08 06:37:37 UTC (rev 24277)
@@ -201,16 +201,18 @@
return LDB_SUCCESS;
 }
 
-DATA_BLOB *get_sd(struct ldb_module *module, TALLOC_CTX *mem_ctx, 
- const struct dsdb_class *objectclass) 
+static DATA_BLOB *get_sd(struct ldb_module *module, TALLOC_CTX *mem_ctx, 
+const struct dsdb_class *objectclass) 
 {
NTSTATUS status;
DATA_BLOB *linear_sd;
struct auth_session_info *session_info
= ldb_get_opaque(module-ldb, sessionInfo);
-   struct security_descriptor *sd = sddl_decode(mem_ctx, 
-
objectclass-defaultSecurityDescriptor,
-
samdb_domain_sid(module-ldb));
+   struct security_descriptor *sd
+   = sddl_decode(mem_ctx, 
+ objectclass-defaultSecurityDescriptor,
+ samdb_domain_sid(module-ldb));
+
if (!session_info || !session_info-security_token) {
return NULL;
}
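Review bot: in get_sd(), sddl_decode() is still called in the declaration, before the session_info / security_token check, so the descriptor is decoded and allocated on mem_ctx even on the path that returns NULL, and nothing in the visible lines tests sd itself for NULL. Consider moving the decode below the session_info check and returning NULL when it fails. Making the function static is fine provided no other module calls get_sd().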
@@ -300,17 +302,21 @@
for (current = sorted; current; current = current-next) {
ret = ldb_msg_add_string(msg, objectClass, 
current-objectclass);
if (ret != LDB_SUCCESS) {
-   ldb_set_errstring(module-ldb, objectclass: could not 
re-add sorted objectclass to modify msg);
+   ldb_set_errstring(module-ldb, 
+ objectclass: could not re-add sorted 

+ objectclass to modify msg);
talloc_free(mem_ctx);
return ret;
}
/* Last one is the critical one */
if (schema  !current-next) {
const struct dsdb_class *objectclass
-   = dsdb_class_by_lDAPDisplayName(schema, 
current-objectclass);
+   = dsdb_class_by_lDAPDisplayName(schema, 
+   
current-objectclass);
if (objectclass) {
if (!ldb_msg_find_element(msg, 
objectCategory)) {
-   ldb_msg_add_string(msg, 
objectCategory, objectclass-defaultObjectCategory);
+   ldb_msg_add_string(msg, 
objectCategory, 
+  
objectclass-defaultObjectCategory);
}
if (!ldb_msg_find_element(msg, 
ntSecurityDescriptor)) {
DATA_BLOB *sd = get_sd(module, mem_ctx, 
objectclass);
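Review bot: the return value of ldb_msg_add_string() for objectCategory is dropped, while the objectClass add a few lines above checks ret != LDB_SUCCESS, sets an error string and frees mem_ctx. Since these lines are being re-wrapped anyway, assign the result to ret and handle failure the same way, so that an allocation error cannot silently produce a message without objectCategory.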



svn commit: lorikeet r780 - in trunk/heimdal/tests/kdc: .

2007-08-08 Thread lha
Author: lha
Date: 2007-08-08 07:08:30 + (Wed, 08 Aug 2007)
New Revision: 780

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=780

Log:
Merged with Heimdal svn revision 21858
Modified:
   trunk/heimdal/tests/kdc/check-iprop.in
   trunk/heimdal/tests/kdc/wait-kdc.sh


Changeset:
Modified: trunk/heimdal/tests/kdc/check-iprop.in
===
--- trunk/heimdal/tests/kdc/check-iprop.in  2007-08-08 04:57:56 UTC (rev 
779)
+++ trunk/heimdal/tests/kdc/check-iprop.in  2007-08-08 07:08:30 UTC (rev 
780)
@@ -67,6 +67,8 @@
 rm -f mkey.file*
 rm -f messages.log
 
+ messages.log
+
 echo Creating database
 ${kadmin} -l \
 init \
@@ -88,33 +90,32 @@
 ipdm=
 kdcpid=
 
-trap kill \${ipdm} \${ipds} \${kdcpid}; echo killing ipropd slave + master; 
exit 1; EXIT
+ iprop-stats
+trap echo 'killing ipropd s + m + kdc'; kill \${ipdm} \${ipds} \${kdcpid}; 
tail -10 messages.log iprop-stats; exit 1; EXIT
 
 echo Starting kdc
 ${kdc} 
 kdcpid=$!
 
-sh ${srcdir}/wait-kdc.sh
-if [ $? != 0 ] ; then
-kill ${kdcpid}
-exit 1
-fi
+sh ${srcdir}/wait-kdc.sh || exit 1
 
 echo starting master
 ${ipropdmaster} --hostname=localhost -k ${keytab} \
 --database=${objdir}/current-db 
 ipdm=$!
-sleep 2
+sh ${srcdir}/wait-kdc.sh ipropd-master || exit 1
 
 echo starting slave
 KRB5_CONFIG=${objdir}/krb5-slave.conf \
 ${ipropdslave} --hostname=slave -k ${keytab} localhost 
 ipds=$!
+sh ${srcdir}/wait-kdc.sh ipropd-slave || exit 1
 
-sleep 2
 echo checking slave is up
 ${EGREP} 'iprop/[EMAIL PROTECTED]' iprop-stats /dev/null || exit 1
 
+# - checking: pushing lives changes
+
 echo Add host
 ${kadmin} -l add --random-key --use-defaults host/[EMAIL PROTECTED] || exit 1
 sleep 2
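Review bot: the propagation check after "Add host" still waits with a fixed sleep 2, although this change replaces the start-up sleeps with wait-kdc.sh polling, so on a loaded build host that step remains a timing race. Consider polling iprop-stats or the log for the expected state instead. The new section comment also reads "pushing lives changes", presumably "live changes".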
@@ -141,6 +142,17 @@
 
 ${EGREP} 'iprop/[EMAIL PROTECTED]' iprop-stats /dev/null || exit 1
 
+# - checking: slave is missing changes while down
+
+echo doing changes while slave is down
+${kadmin} -l cpw --random-password [EMAIL PROTECTED]  /dev/null || exit 1
+${kadmin} -l cpw --random-password [EMAIL PROTECTED]  /dev/null || exit 1
+
+echo Makeing a copy of the master log file
+cp ${objdir}/current.log ${objdir}/current.log.tmp
+
+# - checking: checking that master and slaves resyncs
+
 echo starting slave again
  iprop-stats
 KRB5_CONFIG=${objdir}/krb5-slave.conf \
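Review bot: the added cp of ${objdir}/current.log to current.log.tmp has no "|| exit 1", unlike the kadmin calls around it, so a failed copy goes unnoticed until the later "master going backward" section restores from that file. Add the exit check, and fix the typo "Makeing" in the echo line.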
@@ -168,6 +180,8 @@
 echo checking for replay problems
 ${EGREP} 'Entry already exists in database' messages.log  exit 1
 
+# - checking: checking live truncation of master log
+
 ${kadmin} -l cpw --random-password [EMAIL PROTECTED]  /dev/null || exit 1
 sleep 2
 
@@ -175,10 +189,9 @@
 ${iproplog} truncate || exit 1
 sleep 2
 
-trap  EXIT
+echo Killing master and slave
+kill ${ipdm} ${ipds}
 
-kill ${ipdm} ${ipds} ${kdcpid}
-
 sleep 2
 ${EGREP} ^master down at  iprop-stats  /dev/null || exit 1
 
@@ -188,4 +201,39 @@
 ${iproplog} last-version  master-last.tmp
 cmp master-last.tmp slave-last.tmp || exit 1
 
+# - checking: master going backward
+
+echo Going back to old version of the master log file
+cp ${objdir}/current.log.tmp ${objdir}/current.log
+
+echo starting master
+${ipropdmaster} --hostname=localhost -k ${keytab} \
+--database=${objdir}/current-db 
+ipdm=$!
+sleep 4
+
+echo starting slave
+ iprop-stats
+KRB5_CONFIG=${objdir}/krb5-slave.conf \
+${ipropdslave} --hostname=slave -k ${keytab} localhost 
+ipds=$!
+sleep 2
+echo checking slave is up again
+${EGREP} 'iprop/[EMAIL PROTECTED]' iprop-stats /dev/null || exit 1
+echo checking for replay problems
+${EGREP} 'Entry already exists in database' messages.log  exit 1
+
+echo pushing one change
+${kadmin} -l cpw --random-password [EMAIL PROTECTED]  /dev/null || exit 1
+sleep 2
+
+trap  EXIT
+kill ${ipdm} ${ipds} ${kdcpid}
+
+echo compare versions on master and slave logs
+KRB5_CONFIG=${objdir}/krb5-slave.conf \
+${iproplog} last-version  slave-last.tmp
+${iproplog} last-version  master-last.tmp
+cmp master-last.tmp slave-last.tmp || exit 1
+
 exit $ec
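Review bot: the new "master going backward" section starts the master and slave with sleep 4 and sleep 2 rather than the wait-kdc.sh calls this same change introduces for the first start, and the cp that restores current.log is unchecked. Use "sh ${srcdir}/wait-kdc.sh ipropd-master || exit 1" and the ipropd-slave equivalent if the log check can tell a fresh start from the earlier one, and add "|| exit 1" to the cp.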

Modified: trunk/heimdal/tests/kdc/wait-kdc.sh
===
--- trunk/heimdal/tests/kdc/wait-kdc.sh 2007-08-08 04:57:56 UTC (rev 779)
+++ trunk/heimdal/tests/kdc/wait-kdc.sh 2007-08-08 07:08:30 UTC (rev 780)
@@ -31,29 +31,30 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 # SUCH DAMAGE. 
 #
-# $Id: wait-kdc.sh 18396 2006-10-10 10:30:09Z lha $
+# $Id: wait-kdc.sh 21858 2007-08-08 07:01:03Z lha $
 #
 
-log=${1:-messages.log}
+name=${1:-KDC}
+log=${2:-messages.log}
 
 t=0
 waitsec=20
 
-echo Waiting for KDC to start, looking logfile ${log}
+echo Waiting for ${name} to start, looking logfile ${log}
 
 while true ; do
 t=`expr ${t} + 2`
 sleep 2
 echo Have waited $t seconds
-if tail -3 ${log} | grep 'KDC started'  /dev/null; then
+if tail -30 ${log} | grep ${name} started  /dev/null; then
break
 fi
-if tail -3 
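Review bot: putting the daemon name in `$1` and moving the logfile to `$2` changes the meaning of the first argument, so any existing caller that passes only a logfile will now look for a line of the form "<logfile> started" in messages.log and never match. Either keep the logfile as `$1` and take the name as `$2`, or update every caller in the same commit. `${name}` is also interpolated into the grep pattern as a regular expression; `grep -F` would avoid surprises for names containing `.` or `/`. The header of the script would benefit from a one-line usage comment now that it takes two optional arguments.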

svn commit: samba r24278 - in branches/SAMBA_3_2/source/smbd: .

2007-08-08 Thread vlendec
Author: vlendec
Date: 2007-08-08 18:40:26 + (Wed, 08 Aug 2007)
New Revision: 24278

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24278

Log:
Push down reply_prep_legacy in reply_write_and_X

Remove the need for reply_prep_legacy for reply_pipe_write_and_X

Modified:
   branches/SAMBA_3_2/source/smbd/pipes.c
   branches/SAMBA_3_2/source/smbd/reply.c


Changeset:
Modified: branches/SAMBA_3_2/source/smbd/pipes.c
===
--- branches/SAMBA_3_2/source/smbd/pipes.c  2007-08-08 06:37:37 UTC (rev 
24277)
+++ branches/SAMBA_3_2/source/smbd/pipes.c  2007-08-08 18:40:26 UTC (rev 
24278)
@@ -183,26 +183,29 @@
  wrinkles to handle pipes.
 /
 
-int reply_pipe_write_and_X(char *inbuf,char *outbuf,int length,int bufsize)
+void reply_pipe_write_and_X(struct smb_request *req)
 {
-   smb_np_struct *p = get_rpc_pipe_p(SVAL(inbuf,smb_vwv2));
-   uint16 vuid = SVAL(inbuf,smb_uid);
-   size_t numtowrite = SVAL(inbuf,smb_vwv10);
+   smb_np_struct *p = get_rpc_pipe_p(SVAL(req-inbuf,smb_vwv2));
+   size_t numtowrite = SVAL(req-inbuf,smb_vwv10);
int nwritten = -1;
-   int smb_doff = SVAL(inbuf, smb_vwv11);
-   BOOL pipe_start_message_raw = ((SVAL(inbuf, smb_vwv7)  
(PIPE_START_MESSAGE|PIPE_RAW_MODE)) ==
-   
(PIPE_START_MESSAGE|PIPE_RAW_MODE));
+   int smb_doff = SVAL(req-inbuf, smb_vwv11);
+   BOOL pipe_start_message_raw =
+   ((SVAL(req-inbuf, smb_vwv7)
+  (PIPE_START_MESSAGE|PIPE_RAW_MODE))
+== (PIPE_START_MESSAGE|PIPE_RAW_MODE));
char *data;
 
if (!p) {
-   return(ERROR_DOS(ERRDOS,ERRbadfid));
+   reply_doserror(req, ERRDOS, ERRbadfid);
+   return;
}
 
-   if (p-vuid != vuid) {
-   return ERROR_NT(NT_STATUS_INVALID_HANDLE);
+   if (p-vuid != req-vuid) {
+   reply_nterror(req, NT_STATUS_INVALID_HANDLE);
+   return;
}
 
-   data = smb_base(inbuf) + smb_doff;
+   data = smb_base(req-inbuf) + smb_doff;
 
if (numtowrite == 0) {
nwritten = 0;
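Review bot: `smb_doff` and `numtowrite` are read straight from the request (`smb_vwv11`, `smb_vwv10`) and `data = smb_base(req->inbuf) + smb_doff` is formed without any check in this function that `smb_doff + numtowrite` stays inside the received packet. The old signature at least carried `length`; with it gone, please either add a check against `smb_len(req->inbuf)` here or add a comment naming the caller that guarantees it before dispatching to the pipe handler. The same applies to `req->wct`: nothing in these lines confirms the word count covers `smb_vwv11` before it is read.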
@@ -214,9 +217,12 @@
 * them (we don't trust the client). JRA.
 */
   if(numtowrite  2) {
-   DEBUG(0,(reply_pipe_write_and_X: start of 
message set and not enough data sent.(%u)\n,
-   (unsigned int)numtowrite ));
-   return (UNIXERROR(ERRDOS,ERRnoaccess));
+   DEBUG(0,(reply_pipe_write_and_X: start of 
+message set and not enough data 
+sent.(%u)\n,
+(unsigned int)numtowrite ));
+   reply_unixerror(req, ERRDOS, ERRnoaccess);
+   return;
}
 
data += 2;
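Review bot: the `numtowrite < 2` branch logs at `DEBUG(0, ...)` on a condition that is entirely under the client's control, and the comment just above says the client is not trusted. A misbehaving client can fill the log at the highest priority by repeating this request; level 3 or 5 would be more appropriate for a malformed-request message. Splitting the format string into three adjacent literals also makes the message hard to grep for; keeping it on one line, even if it exceeds 80 columns, is the friendlier choice for log strings.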
@@ -226,17 +232,18 @@
}
 
if ((nwritten == 0  numtowrite != 0) || (nwritten  0)) {
-   return (UNIXERROR(ERRDOS,ERRnoaccess));
+   reply_unixerror(req, ERRDOS,ERRnoaccess);
+   return;
}
-  
-   set_message(inbuf,outbuf,6,0,True);
 
+   reply_outbuf(req, 6, 0);
+
nwritten = (pipe_start_message_raw ? nwritten + 2 : nwritten);
-   SSVAL(outbuf,smb_vwv2,nwritten);
+   SSVAL(req-outbuf,smb_vwv2,nwritten);
   
DEBUG(3,(writeX-IPC pnum=%04x nwritten=%d\n, p-pnum, nwritten));
 
-   return chain_reply(inbuf,outbuf,length,bufsize);
+   chain_reply_new(req);
 }
 
 /
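Review bot: `SSVAL(req->outbuf,smb_vwv2,nwritten)` is executed right after `reply_outbuf(req, 6, 0)` with no check on `req->outbuf`. If `reply_outbuf` can return with `req->outbuf` unset on allocation failure, this dereferences NULL; if it cannot (because it panics or otherwise never returns on failure), a short comment saying so at the call would save the next reader from having to look it up. The conversion of every `return(ERROR...)` into `reply_*error(req, ...); return;` looks complete in the visible lines.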

Modified: branches/SAMBA_3_2/source/smbd/reply.c
===
--- branches/SAMBA_3_2/source/smbd/reply.c  2007-08-08 06:37:37 UTC (rev 
24277)
+++ branches/SAMBA_3_2/source/smbd/reply.c  2007-08-08 18:40:26 UTC (rev 
24278)
@@ -3289,35 +3289,39 @@
 
START_PROFILE(SMBwriteX);
 
-   if (!reply_prep_legacy(req, inbuf, outbuf, length, bufsize)) {
-   reply_nterror(req, NT_STATUS_NO_MEMORY);
+   if ((req-wct != 12)  (req-wct != 14)) {
+   reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
END_PROFILE(SMBwriteX);
return;
}
 
-   if ((CVAL(inbuf, smb_wct) != 12)  (CVAL(inbuf, smb_wct) != 14)) {
-   reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+   numtowrite = SVAL(req-inbuf,smb_vwv10);
+   smb_doff = SVAL(req-inbuf,smb_vwv11);
+   smblen = smb_len(req-inbuf);
+   large_writeX = ((req-wct == 14)  (smblen  0x));
+
+   /* Deal with possible LARGE_WRITEX */
+   if (large_writeX) {

svn commit: samba r24279 - in branches/SAMBA_3_2/source/smbd: .

2007-08-08 Thread vlendec
Author: vlendec
Date: 2007-08-08 19:05:30 + (Wed, 08 Aug 2007)
New Revision: 24279

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24279

Log:
Remove reply_prep_legacy from reply_write_and_X
Modified:
   branches/SAMBA_3_2/source/smbd/aio.c
   branches/SAMBA_3_2/source/smbd/reply.c


Changeset:
Modified: branches/SAMBA_3_2/source/smbd/aio.c
===
--- branches/SAMBA_3_2/source/smbd/aio.c2007-08-08 18:40:26 UTC (rev 
24278)
+++ branches/SAMBA_3_2/source/smbd/aio.c2007-08-08 19:05:30 UTC (rev 
24279)
@@ -284,11 +284,10 @@
 */
 
 BOOL schedule_aio_write_and_X(connection_struct *conn,
-   char *inbuf, char *outbuf,
-   int length, int len_outbuf,
-   files_struct *fsp, char *data,
-   SMB_OFF_T startpos,
-   size_t numtowrite)
+ struct smb_request *req,
+ files_struct *fsp, char *data,
+ SMB_OFF_T startpos,
+ size_t numtowrite)
 {
struct aio_extra *aio_ex;
SMB_STRUCT_AIOCB *a;
@@ -306,7 +305,7 @@
 
/* Only do this on non-chained and non-chaining reads not using the
 * write cache. */
-if (chain_size !=0 || (CVAL(inbuf,smb_vwv0) != 0xFF)
+if (chain_size !=0 || (CVAL(req-inbuf,smb_vwv0) != 0xFF)
|| (lp_write_cache_size(SNUM(conn)) != 0) ) {
return False;
}
@@ -320,23 +319,25 @@
  (mid = %u)\n,
  fsp-fsp_name, (double)startpos,
  (unsigned int)numtowrite,
- (unsigned int)SVAL(inbuf,smb_mid) ));
+ (unsigned int)req-mid ));
return False;
}
 
-   inbufsize =  smb_len(inbuf) + 4;
-   outbufsize = smb_len(outbuf) + 4;
+   inbufsize =  smb_len(req-inbuf) + 4;
+   reply_outbuf(req, 6, 0);
+   outbufsize = smb_len(req-outbuf) + 4;
if (!(aio_ex = create_aio_ex_write(fsp, inbufsize, outbufsize,
-  SVAL(inbuf,smb_mid {
+  req-mid))) {
DEBUG(0,(schedule_aio_write_and_X: malloc fail.\n));
return False;
}
 
/* Copy the SMB header already setup in outbuf. */
-   memcpy(aio_ex-inbuf, inbuf, inbufsize);
+   memcpy(aio_ex-inbuf, req-inbuf, inbufsize);
 
/* Copy the SMB header already setup in outbuf. */
-   memcpy(aio_ex-outbuf, outbuf, outbufsize);
+   memcpy(aio_ex-outbuf, req-outbuf, outbufsize);
+   TALLOC_FREE(req-outbuf);
SCVAL(aio_ex-outbuf,smb_vwv0,0xFF); /* Never a chained reply. */
 
a = aio_ex-acb;
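Review bot: `reply_outbuf(req, 6, 0)` now allocates `req->outbuf` before `create_aio_ex_write()` is called, but the malloc-failure branch right after it still just does `return False` and leaves `req->outbuf` in place. Only the success path reaches `TALLOC_FREE(req->outbuf)`. If the caller falls back to the synchronous write after a False return and builds its own reply, the buffer allocated here is either leaked or silently replaced; free it in the failure branch, or move the `reply_outbuf` call after the allocation has succeeded. Minor: the comment "Copy the SMB header already setup in outbuf." appears twice, and the first copy sits above the `inbuf` memcpy.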
@@ -344,7 +345,7 @@
/* Now set up the aio record for the write call. */

a-aio_fildes = fsp-fh-fd;
-   a-aio_buf = aio_ex-inbuf + (PTR_DIFF(data, inbuf));
+   a-aio_buf = aio_ex-inbuf + (PTR_DIFF(data, req-inbuf));
a-aio_nbytes = numtowrite;
a-aio_offset = startpos;
a-aio_sigevent.sigev_notify = SIGEV_SIGNAL;
@@ -633,11 +634,10 @@
 }
 
 BOOL schedule_aio_write_and_X(connection_struct *conn,
-char *inbuf, char *outbuf,
-int length, int len_outbuf,
-files_struct *fsp, char *data,
-SMB_OFF_T startpos,
-size_t numtowrite)
+ struct smb_request *req,
+ files_struct *fsp, char *data,
+ SMB_OFF_T startpos,
+ size_t numtowrite)
 {
return False;
 }

Modified: branches/SAMBA_3_2/source/smbd/reply.c
===
--- branches/SAMBA_3_2/source/smbd/reply.c  2007-08-08 18:40:26 UTC (rev 
24278)
+++ branches/SAMBA_3_2/source/smbd/reply.c  2007-08-08 19:05:30 UTC (rev 
24279)
@@ -3284,9 +3284,6 @@
BOOL large_writeX;
NTSTATUS status;
 
-   char *inbuf, *outbuf;
-   int length, bufsize;
-
START_PROFILE(SMBwriteX);
 
if ((req-wct != 12)  (req-wct != 14)) {
@@ -,22 +3330,14 @@
return;
}
 
-   if (!reply_prep_legacy(req, inbuf, outbuf, length, bufsize)) {
-   reply_nterror(req, NT_STATUS_NO_MEMORY);
-   END_PROFILE(SMBwriteX);
-   return;
-   }
+   data = smb_base(req-inbuf) + smb_doff;
 
-   set_message(inbuf, outbuf, 6, 0, True);
-
-   data = smb_base(inbuf) + smb_doff;
-
-   if(CVAL(inbuf,smb_wct) == 14) {
+   if(req-wct == 14) {
 #ifdef LARGE_SMB_OFF_T

Re: svn commit: samba r24277 - in branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules: .

2007-08-08 Thread Stefan (metze) Metzmacher

[EMAIL PROTECTED] wrote:
 -DATA_BLOB *get_sd(struct ldb_module *module, TALLOC_CTX *mem_ctx, 
 -   const struct dsdb_class *objectclass) 
 +static DATA_BLOB *get_sd(struct ldb_module *module, TALLOC_CTX *mem_ctx, 
 +  const struct dsdb_class *objectclass) 
  {
   NTSTATUS status;
   DATA_BLOB *linear_sd;
   struct auth_session_info *session_info
   = ldb_get_opaque(module-ldb, sessionInfo);
 - struct security_descriptor *sd = sddl_decode(mem_ctx, 
 -  
 objectclass-defaultSecurityDescriptor,
 -  
 samdb_domain_sid(module-ldb));
 + struct security_descriptor *sd
 + = sddl_decode(mem_ctx, 
 +   objectclass-defaultSecurityDescriptor,
 +   samdb_domain_sid(module-ldb));
 +
   if (!session_info || !session_info-security_token) {
   return NULL;
   }

what I meant was something like this:

	struct auth_session_info *session_info;
	struct dom_sid *domsid;
	struct security_descriptor *sd;

	session_info = ldb_get_opaque(module->ldb, "sessionInfo");
	if (!session_info || !session_info->security_token) {
		return NULL;
	}

	domsid = samdb_domain_sid(module->ldb);
	if (!domsid) {
		return NULL;
	}

	sd = sddl_decode(mem_ctx,
			 objectclass->defaultSecurityDescriptor,
			 domsid);
	if (!sd) {
		return NULL;
	}

and maybe a more verbose error code than NULL would be good:-)

metze


svn commit: samba r24280 - in branches: SAMBA_3_2/source/modules SAMBA_3_2_0/source/modules

2007-08-08 Thread vlendec
Author: vlendec
Date: 2007-08-08 20:06:17 + (Wed, 08 Aug 2007)
New Revision: 24280

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24280

Log:
Fix the build of vfs_afsacl.c
Modified:
   branches/SAMBA_3_2/source/modules/vfs_afsacl.c
   branches/SAMBA_3_2_0/source/modules/vfs_afsacl.c


Changeset:
Modified: branches/SAMBA_3_2/source/modules/vfs_afsacl.c
===
--- branches/SAMBA_3_2/source/modules/vfs_afsacl.c  2007-08-08 19:05:30 UTC 
(rev 24279)
+++ branches/SAMBA_3_2/source/modules/vfs_afsacl.c  2007-08-08 20:06:17 UTC 
(rev 24280)
@@ -531,7 +531,7 @@
 static uint32 nt_to_afs_dir_rights(const char *filename, const SEC_ACE *ace)
 {
uint32 result = 0;
-   uint32 rights = ace-info.mask;
+   uint32 rights = ace-access_mask;
uint8 flags = ace-flags;
 
struct static_dir_ace_mapping *m;
@@ -539,12 +539,12 @@
for (m = ace_mappings[0]; m-afs_rights != ; m++) {
if ( (ace-type == m-type) 
 (ace-flags == m-flags) 
-(ace-info.mask == m-mask) )
+(ace-access_mask == m-mask) )
return m-afs_rights;
}
 
DEBUG(1, (AFSACL FALLBACK: 0x%X 0x%X 0x%X %s %X\n,
- ace-type, ace-flags, ace-info.mask, filename, rights));
+ ace-type, ace-flags, ace-access_mask, filename, rights));
 
if (rights  (GENERIC_ALL_ACCESS|WRITE_DAC_ACCESS)) {
result |= PRSFS_READ | PRSFS_WRITE | PRSFS_INSERT |
@@ -572,7 +572,7 @@
 static uint32 nt_to_afs_file_rights(const char *filename, const SEC_ACE *ace)
 {
uint32 result = 0;
-   uint32 rights = ace-info.mask;
+   uint32 rights = ace-access_mask;
 
if (rights  (GENERIC_READ_ACCESS|FILE_READ_DATA)) {
result |= PRSFS_READ;
@@ -714,7 +714,7 @@
dacl = psd-dacl;
 
for (i = 0; i  dacl-num_aces; i++) {
-   SEC_ACE *ace = (dacl-ace[i]);
+   SEC_ACE *ace = (dacl-aces[i]);
const char *dom_name, *name;
enum lsa_SidType name_type;
char *p;

Modified: branches/SAMBA_3_2_0/source/modules/vfs_afsacl.c
===
--- branches/SAMBA_3_2_0/source/modules/vfs_afsacl.c2007-08-08 19:05:30 UTC 
(rev 24279)
+++ branches/SAMBA_3_2_0/source/modules/vfs_afsacl.c2007-08-08 20:06:17 UTC 
(rev 24280)
@@ -531,7 +531,7 @@
 static uint32 nt_to_afs_dir_rights(const char *filename, const SEC_ACE *ace)
 {
uint32 result = 0;
-   uint32 rights = ace-info.mask;
+   uint32 rights = ace-access_mask;
uint8 flags = ace-flags;
 
struct static_dir_ace_mapping *m;
@@ -539,12 +539,12 @@
for (m = ace_mappings[0]; m-afs_rights != ; m++) {
if ( (ace-type == m-type) 
 (ace-flags == m-flags) 
-(ace-info.mask == m-mask) )
+(ace-access_mask == m-mask) )
return m-afs_rights;
}
 
DEBUG(1, (AFSACL FALLBACK: 0x%X 0x%X 0x%X %s %X\n,
- ace-type, ace-flags, ace-info.mask, filename, rights));
+ ace-type, ace-flags, ace-access_mask, filename, rights));
 
if (rights  (GENERIC_ALL_ACCESS|WRITE_DAC_ACCESS)) {
result |= PRSFS_READ | PRSFS_WRITE | PRSFS_INSERT |
@@ -572,7 +572,7 @@
 static uint32 nt_to_afs_file_rights(const char *filename, const SEC_ACE *ace)
 {
uint32 result = 0;
-   uint32 rights = ace-info.mask;
+   uint32 rights = ace-access_mask;
 
if (rights  (GENERIC_READ_ACCESS|FILE_READ_DATA)) {
result |= PRSFS_READ;
@@ -714,7 +714,7 @@
dacl = psd-dacl;
 
for (i = 0; i  dacl-num_aces; i++) {
-   SEC_ACE *ace = (dacl-ace[i]);
+   SEC_ACE *ace = (dacl-aces[i]);
const char *dom_name, *name;
enum lsa_SidType name_type;
char *p;



svn commit: samba r24281 - in branches: SAMBA_3_0_25/source/libsmb SAMBA_3_2/source/libsmb SAMBA_3_2_0/source/libsmb

2007-08-08 Thread jra
Author: jra
Date: 2007-08-08 23:56:55 + (Wed, 08 Aug 2007)
New Revision: 24281

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24281

Log:
Fix bug found by Herb. The vuid entry in the cli_state structure gets
left as nonzero as returned by the failed cli_session_setup_spnego. When we 
then try
to authenticate as the user in cli_session_setup this returns an
error Bad userid (as seen in wireshark).
We should only leave cli-vuid != 0 on success. Looks like it's
getting set in the cli_session_setup_blob_receive() call and not
cleared again on error.
Jeremy.

Modified:
   branches/SAMBA_3_0_25/source/libsmb/cliconnect.c
   branches/SAMBA_3_2/source/libsmb/cliconnect.c
   branches/SAMBA_3_2_0/source/libsmb/cliconnect.c


Changeset:
Modified: branches/SAMBA_3_0_25/source/libsmb/cliconnect.c
===
--- branches/SAMBA_3_0_25/source/libsmb/cliconnect.c2007-08-08 20:06:17 UTC 
(rev 24280)
+++ branches/SAMBA_3_0_25/source/libsmb/cliconnect.c2007-08-08 23:56:55 UTC 
(rev 24281)
@@ -584,6 +584,7 @@
NT_STATUS_MORE_PROCESSING_REQUIRED)) {
DEBUG(0, (cli_session_setup_blob: recieve failed 
(%s)\n,
nt_errstr(cli_get_nt_error(cli)) ));
+   cli-vuid = 0;
return False;
}
}
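Review bot: `cli->vuid = 0` is added only on the receive-failure branch shown here, while the log message says the stale value is set inside `cli_session_setup_blob_receive()` and not cleared on error. Clearing it at the point where it is set, or funnelling every failure return of `cli_session_setup_blob` through one exit that resets it, would cover the other error returns of this function as well and keep a later fallback from sending a uid the server never granted. The second hunk already follows that pattern by keying the reset on `!NT_STATUS_IS_OK(nt_status)` at the single return. While touching this line, the DEBUG string's "recieve" could be corrected to "receive".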
@@ -770,6 +771,9 @@
 
ntlmssp_end(ntlmssp_state);
 
+   if (!NT_STATUS_IS_OK(nt_status)) {
+   cli-vuid = 0;
+   }
return nt_status;
 }
 

Modified: branches/SAMBA_3_2/source/libsmb/cliconnect.c
===
--- branches/SAMBA_3_2/source/libsmb/cliconnect.c   2007-08-08 20:06:17 UTC 
(rev 24280)
+++ branches/SAMBA_3_2/source/libsmb/cliconnect.c   2007-08-08 23:56:55 UTC 
(rev 24281)
@@ -583,6 +583,7 @@
NT_STATUS_MORE_PROCESSING_REQUIRED)) {
DEBUG(0, (cli_session_setup_blob: recieve failed 
(%s)\n,
nt_errstr(cli_get_nt_error(cli)) ));
+   cli-vuid = 0;
return False;
}
}
@@ -769,6 +770,9 @@
 
ntlmssp_end(ntlmssp_state);
 
+   if (!NT_STATUS_IS_OK(nt_status)) {
+   cli-vuid = 0;
+   }
return nt_status;
 }
 

Modified: branches/SAMBA_3_2_0/source/libsmb/cliconnect.c
===
--- branches/SAMBA_3_2_0/source/libsmb/cliconnect.c 2007-08-08 20:06:17 UTC 
(rev 24280)
+++ branches/SAMBA_3_2_0/source/libsmb/cliconnect.c 2007-08-08 23:56:55 UTC 
(rev 24281)
@@ -583,6 +583,7 @@
NT_STATUS_MORE_PROCESSING_REQUIRED)) {
DEBUG(0, (cli_session_setup_blob: recieve failed 
(%s)\n,
nt_errstr(cli_get_nt_error(cli)) ));
+   cli-vuid = 0;
return False;
}
}
@@ -769,6 +770,9 @@
 
ntlmssp_end(ntlmssp_state);
 
+   if (!NT_STATUS_IS_OK(nt_status)) {
+   cli-vuid = 0;
+   }
return nt_status;
 }
 



Build status as of Thu Aug 9 00:00:02 2007

2007-08-08 Thread build
URL: http://build.samba.org/

--- /home/build/master/cache/broken_results.txt.old 2007-08-08 
00:01:39.0 +
+++ /home/build/master/cache/broken_results.txt 2007-08-09 00:02:05.0 
+
@@ -1,4 +1,4 @@
-Build status as of Wed Aug  8 00:00:01 2007
+Build status as of Thu Aug  9 00:00:02 2007
 
 Build counts:
 Tree Total  Broken Panic 
@@ -9,16 +9,16 @@
 distcc   2  0  0 
 ldb  31 4  0 
 libreplace   30 10 0 
-lorikeet-heimdal 27 12 0 
+lorikeet-heimdal 27 16 0 
 pidl 18 4  0 
 ppp  12 9  0 
 python   0  0  0 
 rsync32 13 0 
 samba-docs   0  0  0 
 samba-gtk2  2  0 
-samba4   29 25 3 
+samba4   29 26 4 
 samba_3_233 20 0 
 smb-build29 29 0 
-talloc   32 1  0 
+talloc   31 1  0 
 tdb  31 3  0