[Samba] Problem with LDAP failover config
Hi,

I have working master slave OpenLDAP servers and the Samba PDC works correctly when using either as the passdb backend. However, when configuring for LDAP failover as per this doc:

http://samba.org/samba/docs/man/Samba-Guide/2000users.html

Samba doesn't work and the logs fill up with this:

    ldap_initialize: Bad parameter to an ldap routine
    Connection to LDAP server failed for the 1 try!

This is the actual directive I'm using save for the FQDNs:

    passdb backend = ldapsam:ldap://master.example.com:1389 \ ldap://slave.example.com;

Strace didn't produce anything useful.

Version is Samba 3.0.23a-1.fc4.1

Probably something very silly but I'm out of ideas!

Cheers,

--
Ben Tisdall

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba

[Samba] libpthread warning while compiling samba 3.0 on Suse Linux (SLES 10)
I compile Samba for the first time on LINUX (SLES 10) and have a weird libpthread warning message. I dug the list to find some explanations about the way I have to handle this problem, without success.

Below are the 'configure' parameters and the part of config.log about libpthread.

Is there a way to not link libpthread to avoid this performance degradation? What must I do with this warning?

    ./configure --with-smbwrapper --with-quotas --with-msdfs --with-acl-support --with-winbind --with-smbmount --with-cifsmount --with-aio-support

    configure:66245: checking if libpthread is linked
    configure:66268: gcc -o conftest -O -D_SAMBA_BUILD_=3 -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -Wl,-rpath,/usr/lib conftest.c -lcrypt -lresolv -lresolv -lnsl -ldl -lrt 5
    configure:66274: $? = 0
    configure:66281: result: yes
    configure:66284: WARNING: using libpthreads - this may degrade performance
    configure:66504: result: Using libraries:
    configure:66506: result: LIBS = -lcrypt -lresolv -lresolv -lnsl -ldl -lrt
    configure:66520: result: AUTH_LIBS = -lcrypt

Thank you for your help.

Pierre

[Samba] How should guest access work with Samba 3 and User Mode Security???
Hi,

Please can someone confirm to me how guest access should work on a Samba 3 Server configured for User Mode Security.

Am I correct in thinking that shares configured as guest OK should be accessible by users without accounts on the server and hence they should not have to supply login name and password. (This used to work OK on Samba 2 and Share Mode security)

I want to share out applications and a few other shares from my server without having to create accounts on the server for the users and so that they don't have to supply a username/password.

I am running Samba samba-3.0.24-5 and here is my smb.conf file:

Regards

Gary

[global]
    workgroup = DFGSRV
    server string = dfgsrv Samba Server %v
    printcap name = /etc/printcap
    load printers = yes
    printing = cups
    cups options = raw
    log file = /var/log/samba/%m.log
    max log size = 200
    security = user
    password level = 8
    username level = 8
    socket options = SO_KEEPALIVE SO_BROADCAST TCP_NODELAY IPTOS_THROUGHPUT
    dns proxy = no
    log level = 9
    deadtime = 30
    oplocks = false
    level2 oplocks = false
    encrypt passwords = no
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/false
    winbind use default domain = no
    map to guest = Bad User

[homes]
    comment = Home Directories
    browseable = yes
    writable = yes
    create mode = 0664
    directory mode = 0775

[cdrom]
    path = /media/cdrom
    writeable = no
    browseable = yes
    guest ok = yes
    comment = dfgsrv CDROM Drive

Re: [Samba] Problem with LDAP failover config
On 8/8/07, Ben Tisdall [EMAIL PROTECTED] wrote:
> Hi,
>
> I have working master slave OpenLDAP servers and the Samba PDC works correctly when using either as the passdb backend. However, when configuring for LDAP failover as per this doc:
>
> http://samba.org/samba/docs/man/Samba-Guide/2000users.html
>
> Samba doesn't work and the logs fill up with this:
>
>     ldap_initialize: Bad parameter to an ldap routine
>     Connection to LDAP server failed for the 1 try!
>
> This is the actual directive I'm using save for the FQDNs:
>
>     passdb backend = ldapsam:ldap://master.example.com:1389 \ ldap://slave.example.com;

Is 1389 the real port on the master ldap server?

Have you configured the ldap server to use ldap ssl?

John

Re: [Samba] Problem with LDAP failover config
John Drescher wrote:
> Is 1389 the real port on the master ldap server?

Yes (I have Scalix running its own LDAP-like directory on the standard port). To further clarify:

    passdb backend = ldapsam:ldap://master.example.com:1389

And

    passdb backend = ldapsam:ldap://slave.example.com

Both work individually, but not both at once.

> Have you configured the ldap server to use ldap ssl?

Previously, but I'm currently testing without in the interest of simplicity, ie:

    ldap ssl = off

Thanks.

--
Ben Tisdall

Re: [Samba] How should guest access work with Samba 3 and User Mode Security???
Mansell, Gary wrote:
> Hi,
>
> Please can someone confirm to me how guest access should work on a Samba 3 Server configured for User Mode Security.

Not sure if this can be done or not, but what I know is that security=user you need to provide with the username and password.

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ServerType.html#id325823

Regards,
Kaustubh

Re: [Samba] Problem with LDAP failover config
On 8/8/07, Ben Tisdall [EMAIL PROTECTED] wrote:
> John Drescher wrote:
> > Is 1389 the real port on the master ldap server?
>
> Yes (I have Scalix running its own LDAP-like directory on the standard port). To further clarify:
>
>     passdb backend = ldapsam:ldap://master.example.com:1389
>
> And
>
>     passdb backend = ldapsam:ldap://slave.example.com
>
> Both work individually, but not both at once.

I believe I have both servers listed on one line but I am using samba-3.0.24-X on 64 bit gentoo.

John

Re: [Samba] Problem with LDAP failover config
John Drescher wrote:
> On 8/8/07, Ben Tisdall [EMAIL PROTECTED] wrote:
> > John Drescher wrote:
> > > Is 1389 the real port on the master ldap server?
> >
> > Yes (I have Scalix running its own LDAP-like directory on the standard port). To further clarify:
> >
> >     passdb backend = ldapsam:ldap://master.example.com:1389
> >
> > And
> >
> >     passdb backend = ldapsam:ldap://slave.example.com
> >
> > Both work individually, but not both at once.
>
> I believe I have both servers listed on one line but I am using samba-3.0.24-X on 64 bit gentoo.

H, can you post your passdb backend line pls?

Cheers.

--
Ben Tisdall

[Samba] Permission problems with Samba Version 3.0.23d
Hello List members,

I have a strange problem with my new Samba Server. It is the Version 3.0.23d. I have configured a share in which I want all users of a certain group be able to write in. This is the Configuration:

[Agents]
    comment = Gemeinsames Laufwerk
    browseable = yes
    path = /samba/public
    writeable = yes
    write list = @agents, sonja, administrator, engesser, atzler
    admin users = administrator
    force create mode = 0770
    force directory mode = 0770
    create mask = 0770
    directory mode = 0770
    force group = agents
    nt acl support = yes
    inherit acls = yes
    oplocks = no

But now I have the problem that all files that are copied on this share are generated as follows:

    -rwxr-xr-x

I tried to change the create mask and force create mode options but I never got a write permission for the group.

The server is used as PDC with LDAP Authentication and the clients are all W2000.

I hope that you can help me.

Regards,
Dennis

Re: [Samba] Problem with LDAP failover config
On 8/8/07, Ben Tisdall [EMAIL PROTECTED] wrote:
> John Drescher wrote:
> > > H, can you post your passdb backend line pls?
> >
> > Later, I will not be at work for 3 to 6 hours as it is early in the morning here (GMT -5 timezone).
>
> No problem, I can't do anything until the users have left anyway, another ~9 hrs.

If the email client does something weird there is one space between the entries. These are two different machines with the first being the PDC and it is in the dns but the second is not so I used the numerical ip for that one instead.

    passdb backend = ldapsam:ldap://sysserv0.radimg.pitt.edu ldap://192.168.1.230;

John

Re: [Samba] setfacl(1) - Can FreeBSD's ACLs contain groups from NT/AD domains ?
On Mon, Aug 06, 2007 at 04:09:37PM +0200, Greg Byshenk wrote:
>     sambaserver# setfacl -m u:ADDOMAIN\\gbytest:rwx,g:ADDOMAIN\\domain\ users:rx z-test/
>     sambaserver# getfacl z-test/
>     #file:z-test/
>     #owner:1361
>     #group:100
>     user::rwx
>     user:gbytest:rwx
>     group::r-x
>     group:domain users:r-x
>     mask::rwx
>     other::r-x
>     sambaserver#
>
> This is on 6-STABLE, but it has worked on CURRENT also (though I don't have a machine running now), configured using idmap_rid (and 'winbind use default domain = yes').
>
> At some point in the past when I was testing, I saw the same sort of errors as above. This was before I set idmap_rid (and configured samba with experimental modules), so it may have been related to this change.
>
> Do the domain users/groups show up using 'id' and 'wbinfo'?

OK, well this is interesting because after extensive testing of setting group permissions with setfacl(1) some groups work ... and some don't.

And yes I can enumerate all the groups in AD e.g.

    #wbinfo -g | wc -l
    2574

And id(1) does print the GIDs e.g

    #id -a
    uid=13340(myusername) gid=10513(domain users) groups=10513(domain users)

So I am suspecting not all groups in the AD world are the same? And why would I be able to assign group ACLs using some AD groups but not others?

-aW

Re: [Samba] Permission problems with Samba Version 3.0.23d
Dennis Schwan wrote, On 08-08-2007 06:00:
> [Agents]
>     comment = Gemeinsames Laufwerk
>     browseable = yes
>     path = /samba/public
>     writeable = yes
>     write list = @agents, sonja, administrator, engesser, atzler
>     admin users = administrator
>     force create mode = 0770
>     force directory mode = 0770
>     create mask = 0770
>     directory mode = 0770
>     force group = agents
>     nt acl support = yes
>     inherit acls = yes
>     oplocks = no
>
> But now I have the problem that all files that are copied on this share are generated as follows:
>
>     -rwxr-xr-x
>
> I tried to change the create mask and force create mode options but I never got a write permission for the group.

Copy in this context is the act of adding a new file or the act of duplicating an existing file in the share? I'm asking because sometimes, some applications can do strange things with file permissions when they are duplicating an existing file that differ from when they are creating it.

> The server is used as PDC with LDAP Authentication and the clients are all W2000.
>
> I hope that you can help me.

Sorry if this sounds silly, but did you reload or restart or give enough time to have the configs automatically reloaded by samba?

You should check for filesystem ACLs, that could change the behaviour. You should also check the 'directory security mask' but as far as I can see there are no problems with your setup, I have a similar share (with similar permissions) and it is working fine. (I'm using Samba 3.0.24 from Debian etch).

Kind regards,

--
Felipe Augusto van de Wiel [EMAIL PROTECTED]
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/
Phone: (+55 41 3350 3300)

[Samba] Can't connect to Windows 2000 Server v. 3.0.25
Hello list,

I have a weird problem where I can easily connect to Windows 2003 Servers. Both Standard, Enterprise and R2. But I can't connect to any Windows 2000 Servers on the same net. A port scan shows that exactly the same ports are opened.

Here is my smb.conf

    workgroup = CITY
    server string = Cube file sharing
    netbios name = cube
    security = USER
    encrypt passwords = yes

Here is a debug 4 output of smbclient.

    [EMAIL PROTECTED]:~$ /usr/local/samba/bin/smbclient //boxwin3.box.se/C$ -U cnadmin -I 62.95.110.163 -d 4
    lp_load: refreshing parameters
    Initialising global parameters
    params.c:pm_process() - Processing configuration file /usr/local/samba/lib/smb.conf
    Processing section [global]
    doing parameter workgroup = CITY
    doing parameter server string = Cube file sharing
    doing parameter netbios name = cube
    handle_netbios_name: set global_myname to: CUBE
    doing parameter security = USER
    doing parameter encrypt passwords = yes
    pm_process() returned Yes
    Module '/usr/local/samba/lib/charset/CP850.so' loaded
    added interface ip=212.214.41.16 bcast=212.214.41.255 nmask=255.255.255.0
    Client started (version 3.0.25b-SVN-build-23210).
    Connecting to 62.95.110.163 at port 445
    session request ok
    Password:
    Doing spnego session setup (blob length=16)
    server didn't supply a full spnego negprot
    Got challenge flags:
    Got NTLMSSP neg_flags=0x628a8215
      NTLMSSP_NEGOTIATE_UNICODE
      NTLMSSP_REQUEST_TARGET
      NTLMSSP_NEGOTIATE_SIGN
      NTLMSSP_NEGOTIATE_NTLM
      NTLMSSP_NEGOTIATE_ALWAYS_SIGN
      NTLMSSP_CHAL_ACCEPT_RESPONSE
      NTLMSSP_NEGOTIATE_NTLM2
      NTLMSSP_CHAL_TARGET_INFO
      NTLMSSP_NEGOTIATE_128
      NTLMSSP_NEGOTIATE_KEY_EXCH
    NTLMSSP: Set final flags:
    Got NTLMSSP neg_flags=0x60088215
      NTLMSSP_NEGOTIATE_UNICODE
      NTLMSSP_REQUEST_TARGET
      NTLMSSP_NEGOTIATE_SIGN
      NTLMSSP_NEGOTIATE_NTLM
      NTLMSSP_NEGOTIATE_ALWAYS_SIGN
      NTLMSSP_NEGOTIATE_NTLM2
      NTLMSSP_NEGOTIATE_128
      NTLMSSP_NEGOTIATE_KEY_EXCH
    NTLMSSP Sign/Seal - Initialising with flags:
    Got NTLMSSP neg_flags=0x60088215
      NTLMSSP_NEGOTIATE_UNICODE
      NTLMSSP_REQUEST_TARGET
      NTLMSSP_NEGOTIATE_SIGN
      NTLMSSP_NEGOTIATE_NTLM
      NTLMSSP_NEGOTIATE_ALWAYS_SIGN
      NTLMSSP_NEGOTIATE_NTLM2
      NTLMSSP_NEGOTIATE_128
      NTLMSSP_NEGOTIATE_KEY_EXCH
    Domain=[BOXWIN3] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
    session setup ok
    tree connect failed: NT_STATUS_BAD_NETWORK_NAME

Regards,
Henrik

[Samba] ACLs and winbind
I'm trying to allow XP clients to add ACLs in the homes share. It appears that I'm unable to do it unless I use winbind although I'm in a pure Samba/OpenLDAP environment.

I have a PDC and BDC with Samba/OpenLDAP and a member Samba server with homes and profiles (below is its smb.conf) on which I have Posix ACLs. If I comment out the idmap lines I cannot add ACLs from XP in my home share though. I can browse and pick domain users and groups but cannot add them to the security tab of a file in a user's home share.

Do I really need winbind?

Regards,
Thierry.

    workgroup = STARS
    netbios name = CAPELLA
    security = DOMAIN
    name resolve order = wins bcast
    wins server = castor
    netbios aliases = AHOMES APROFILES
    password server = ALDAP1 ALDAP2
    log level = 2
    idmap gid = 1-2
    idmap uid = 1-2

[homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No

[Profiles]
    comment = Roaming Profile Share
    path = /export/profiles
    read only = No
    profile acls = Yes

[Samba] Questions about samba+LDAP
Hi,

just three simple questions about samba+LDAP:

Samba allows to configure several LDAP suffixes,

    ldap group suffix
    ldap idmap suffix
    ldap machine suffix
    ldap user suffix

and the general ldap base with ldap suffix.

But is there a way to configure a suffix for the sambaDomain objects? When I call pdbedit -L , it automatically creates a Domain for the machine, but directly under the ldap base, which is a little bit annoying, would like to have them in a subtree with ou=...

Interestingly, the LDAP administration tool ldap-account-manager does keep the sambaDomains in a subtree separated with ou=..., but samba does not accept them.

Second question: does pdbedit always create (and does samba always use) a sambaDomain object named after the netbios name?

Third question: The configuration file for the smbldap tools allow to specify a slave LDAP just for the read access, and a master for write access, thus supporting LDAP replications. Does ldapsam support the same?

regards
Hadmut

[Samba] Enforcing Password Policies...
Dear Help,

I'm currently running Samba with an LDAP passdb backend. I'm trying to figure out how to NOT allow a particular user to change their password (through Windows, or any interface). I've tried modifying the values for sambaPwdCanChange and sambaPwdMustChange for a particular user, but it seems like it only affects making them change their password, instead of whether or not they're ALLOWED to.

Secondly, I've used pdbedit to edit the lockout policies when using a bad password (lockout duration = 30, bad lockout attempt = 5 and reset count minutes = 30). When I type in the wrong password 5 times for a user, it locks the account as it should. However, 30 minutes later (or more) it's still locked and the bad attempt count is not being reset. Is there something else I need to modify to make this functionality work?

Any help would be most appreciated. Thank you!

-Matt

[Samba] Re: Questions about samba+LDAP
> Third question: The configuration file for the smbldap tools allow to specify a slave LDAP just for the read access, and a master for write access, thus supporting LDAP replications. Does ldapsam support the same?
>
> regards
> Hadmut

Hi Hadmut,

I can at least help you with this one. The answer is definitely yes. I have my smb.conf set up like the following:

    passdb backend = ldapsam:ldaps://192.168.2.2 ldaps://192.168.2.3

Just separate the backup servers by spaces, and put the whole thing in quotes and you should be good to go! Hopefully that helps...

-Matt

[Samba] Domain with public shares
I have a samba server setup with security = user (NT-domain). I use openldap for authentication and that part is working fine. People can log in and see the files they have permission to.

I need to have some public folders on the samba server that anybody can use (also non domain users (ie. WinXP Home users that can't join a domain)). And the printers should be public in the same way.

Unfortunately this is not happening as I was hoping. Here is my smb.conf:

---
[global]
    workgroup = jaegergaarden
    netbios name = mainserver
    security = user
    enable privileges = yes
    server string = Samba Server %v
    encrypt passwords = Yes
    admin users=root smbadmin
    ldap passwd sync = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = Changing password for*\nNew password* %n\n *Retype new password* %n\n
    log level = 0
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 10
    time server = Yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    Unix charset = UTF8
    display charset = UTF8
    logon drive = P:
    logon home = \\mainserver\%U
    logon path =
    domain logons = Yes
    domain master = Yes
    os level = 65
    preferred master = Yes
    wins support = yes
    passdb backend = ldapsam:ldap://127.0.0.1/
    ldap admin dn = cn=admin,dc=jaegergaarden,dc=skolesys,dc=org
    ldap suffix = dc=jaegergaarden,dc=skolesys,dc=org
    ldap group suffix = ou=Groups,ou=Samba
    ldap user suffix = ou=Users,ou=Samba
    ldap machine suffix = ou=Computers,ou=Samba
    add machine script = ss_hostmanager join_domain %u %D
    load printers = Yes
    create mask = 0640
    directory mask = 0750
    nt acl support = No
    printing = cups
    printcap name = cups
    deadtime = 10
    guest account = nobody
    map to guest = Bad User
    dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
    show add printer wizard = yes
    ; to maintain capital letters in shortcuts in any of the profile folders:
    preserve case = yes
    short preserve case = yes
    case sensitive = no

[netlogon]
    path = /home/netlogon/
    browseable = No
    read only = yes

[homes]
    comment = Home Directories
    path = /skolesys/jaegergaarden.dk/users/%S/.windows
    browseable = yes
    read only = no
    create mode = 0600
    directory mode = 0700

[profiles]
    path = /skolesys/jaegergaarden.dk/profiles
    read only = No
    create mask = 0600
    directory mask = 0700
    browseable = No
    guest ok = Yes
    profile acls = yes
    csc policy = disable
    force user = %U
    valid users = %U Domain Admins

[printers]
    comment = Network Printers
    printer admin = @Print Operators
    guest ok = yes
    printable = yes
    path = /home/spool/
    browseable = No
    read only = Yes
    printable = Yes
    print command = /usr/bin/lpr -P%p -r %s
    lpq command = /usr/bin/lpq -P%p
    lprm command = /usr/bin/lprm -P%p %j

[print$]
    path = /home/printers
    guest ok = Yes
    browseable = Yes
    read only = Yes
    valid users = @Print Operators
    write list = @Print Operators
    create mask = 0664
    directory mask = 0775

P.S. Profiles aren't working either, but let's take that another time

Best regards
Jakob Simon-Gaarde

Re: [Samba] Enforcing Password Policies...
On Wednesday 08 August 2007 20:17, Matt Anderson wrote:
> Dear Help,
>
> I'm currently running Samba with an LDAP passdb backend. I'm trying to figure out how to NOT allow a particular user to change their password (through Windows, or any interface). I've tried modifying the values for sambaPwdCanChange and sambaPwdMustChange for a particular user, but it seems like it only affects making them change their password, instead of whether or not they're ALLOWED to.

If you set sambaPwdCanChange in the future (e.g. 1286597349 which corresponds to Saturday, October 9th 2010, 4:09:09 (GMT)) the user can not change its password until this date with windows. The problem is that he can still modify its LDAP password. You could add acls to your slapd.conf such that only your ldap admin dn has write access to the userPassword attribute. In this case the only way to change the password is via samba.

HTH,
Thierry.

Re: [Samba] Domain with public shares
On Wednesday 08 August 2007, samba-list wrote:
> I need to have some public folders on the samba server that anybody can use

Use a username map and set nobody = guest.

--
Chris

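The guest-access questions in the two threads above come down to how `map to guest`, `guest ok`, `valid users` and `read only` combine under `security = user`. The following audit sketch is an added example, not code from any poster or from Samba; the sample smb.conf is constructed (the [scratch] share is hypothetical), and the parser is a simplification that does not replace `testparm`.

```python
import re

# Constructed sample input, modelled on the settings posted in the threads above.
SAMPLE_SMB_CONF = """\
[global]
    security = user
    encrypt passwords = no
    guest account = nobody
    map to guest = Bad User
[homes]
    writable = yes
[cdrom]
    path = /media/cdrom
    writeable = no
    guest ok = yes
[scratch]
    ; hypothetical share, not taken from the thread
    path = /srv/scratch
    public = yes
    read only = no
[print$]
    guest ok = Yes
    read only = Yes
    valid users = @Print Operators
"""

# Synonyms folded to one canonical (whitespace-free) name; True = inverted meaning.
SYNONYMS = {"public": ("guestok", False), "writeable": ("readonly", True),
            "writable": ("readonly", True), "writeok": ("readonly", True)}
TRUE = {"yes", "true", "on", "1"}
FALSE = {"no", "false", "off", "0"}
NEEDS_MAP = "guest ok set, but map to guest = Never rejects unknown usernames"
BLOCKED = "guest ok set, but valid users excludes the guest account"
READ, WRITE = "guest read-only", "guest writable"


def norm(name):
    """smb.conf names are case-insensitive and ignore embedded whitespace."""
    return re.sub(r"\s+", "", name).lower()


def as_bool(value, default):
    v = value.strip().lower()
    if v in TRUE:
        return True
    if v in FALSE:
        return False
    return default


def parse_smb_conf(text):
    """Return {section: {normalised name: value}}; line continuations are not handled."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line:
            name, value = (p.strip() for p in line.split("=", 1))
            key = norm(name)
            if key in SYNONYMS:
                key, inverted = SYNONYMS[key]
                if inverted:  # e.g. "writable = yes" means "read only = no"
                    value = "no" if as_bool(value, True) else "yes"
            current[key] = value
    return sections


def audit_guest_access(text):
    """Classify every 'guest ok' share and list global settings to review."""
    conf = parse_smb_conf(text)
    g = conf.pop("global", {})
    mapping = norm(g.get("maptoguest", "never"))
    guest = g.get("guestaccount", "nobody").lower()
    notes = []
    if mapping == "baduser":
        notes.append("map to guest = Bad User: unknown usernames become guest sessions")
    elif mapping != "never":
        notes.append("map to guest = %s: review which failed logins become guest" % mapping)
    if not as_bool(g.get("encryptpasswords", "yes"), True):
        notes.append("encrypt passwords = no: plaintext passwords are negotiated")
    shares = {}
    for name, params in conf.items():
        if not as_bool(params.get("guestok", g.get("guestok", "no")), False):
            continue
        # Guest sessions run as the guest account and must pass 'valid users' too.
        allowed = [t.lstrip("@+&").lower()
                   for t in re.split(r"[,\s]+", params.get("validusers", "")) if t]
        if norm(g.get("security", "user")) != "share" and mapping == "never":
            shares[name] = NEEDS_MAP
        elif allowed and guest not in allowed:
            shares[name] = BLOCKED
        elif as_bool(params.get("readonly", g.get("readonly", "yes")), True):
            shares[name] = READ
        else:
            shares[name] = WRITE
    return {"global": notes, "shares": shares}


if __name__ == "__main__":
    report = audit_guest_access(SAMPLE_SMB_CONF)
    for note in report["global"]:
        print("global:", note)
    for share, status in sorted(report["shares"].items()):
        print("[%s] %s" % (share, status))
```
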
[Samba] SERIOUS PROBLEM - Root Account Locked
My root account keeps getting locked out automatically. I am running Samba 3.0.25b on a CentOS server, as PDC with LDAP backend. I have accounts set to lock after 8 un-successful login attempts. I zeroed out the bad password count, and then in less than a few seconds the account gets locked again and a pdbedit -Lv -u root yields the following:

    Unix username:root
    Logon time: 0
    Logoff time: never
    Kickoff time: never
    Password last set:Wed, 01 Jan 1969 03:00:00 EST
    Password can change: Wed, 08 Jan 1969 03:00:00 EST
    Password must change: never
    Last bad password : Wed, 08 Aug 2007 13:51:14 EDT
    Bad password count : 8

If I enter w on the command line, it only shows that two (authorized) users are logged into the server. So I'm confident that no one from the outside is attempting to log in as root. Below is my conf file.

If I go into LDAP Account Manager and unlock the account, it will stay unlocked for a few minutes (or seconds), then it is locked out again.

With the account lock I cannot join machines to the domain, nor change domain permissions for users and groups.

Any suggestions would be helpful.

[global]
    unix charset = LOCALE
    workgroup = glastendernet
    netbios name = aster
    server string = Glastender Domain Controller running %v
    interfaces = eth1, lo, tun+
    bind interfaces only = yes
    os level = 255
    preferred master = yes
    local master = yes
    domain master = yes
    security = user
    time server = yes
    username map = /etc/samba/smbusers
    wins support = yes
    encrypt passwords = yes
    pam password change = yes
    name resolve order = wins bcast hosts
    winbind nested groups = no
    passdb backend = ldapsam:ldap://aster.glastender.com
    ldap passwd sync = Yes
    ldap suffix = dc=glastender,dc=com
    ldap admin dn = cn=Manager,dc=glastender,dc=com
    ldap ssl = no
    ldap group suffix = ou=Groups
    ldap user suffix = ou=People
    ldap machine suffix = ou=People
    ldap idmap suffix = ou=Idmap
    idmap backend = ldap:ldap://aster.glastender.com
    idmap uid = 1-2
    idmap gid = 1-2
    map acl inherit = yes
    add user script = /opt/IDEALX/sbin/smbldap-useradd -m %u
    #delete user script = /opt/IDEALX/sbin/smbldap-userdel %u
    add machine script = /opt/IDEALX/sbin/smbldap-useradd -w %u
    add group script = /opt/IDEALX/sbin/smbldap-groupadd -p %g
    #delete group script = /opt/IDEALX/sbin/smbldap-groupdel %g
    add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m %u %g
    delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x %u %g
    set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g %g %u
    domain logons = yes
    log file = /var/log/samba/log.%m
    log level = 0
    syslog = 0
    max log size = 50
    #smb ports = 139 445
    smb ports = 139
    hosts allow = 127.0.0.1 172.16.0.0/255.255.0.0 192.168.100.0/255.255.255.0
    # User profiles and home directories
    logon drive = U:
    logon path = \\%L\profiles\%U
    logon script = %U.bat
    large readwrite = no
    read raw = no
    write raw = no
    printcap name = /etc/printcap
    load printers = no
    printing =
    template shell = /bin/false
    winbind use default domain = yes

--
Jason Baker
IT Coordinator
Glastender Inc.
5400 North Michigan Road
Saginaw, Michigan 48604 USA
800.748.0423
Phone: 989.752.4275 ext. 228
Fax: 989.752.
www.glastender.com http://www.glastender.com

Re: [Samba] Re: Questions about samba+LDAP
Hi Matt,

On Wed, Aug 08, 2007 at 06:20:42PM +, Matt Anderson wrote:
>     passdb backend = ldapsam:ldaps://192.168.2.2 ldaps://192.168.2.3

Well, I had already tried this (replication first, master second) but got an error message about missing write access.

The problem seems to be that samba (in contrast to smbldap tools) does not distinguish between read and write access, but always tries the first one first and only if it does not exist the second one.

regards
Hadmut

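A pre-flight check for a multi-server `passdb backend` value, reflecting two points made in this thread: the server list goes inside one pair of double quotes, and Samba tries the first entry first, so a read-only replica listed first breaks writes. This is an added example, not Samba's own parser or any poster's code; `check_ldapsam_backend`, `writable_hosts` and the replica/master host names are assumptions, and it assumes each entry may carry only scheme, host and port.

```python
import ipaddress
import re
from urllib.parse import urlsplit

HOSTNAME = re.compile(
    r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")


def valid_host(host):
    """Accept an IPv4/IPv6 literal or a DNS-style host name."""
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(HOSTNAME.match(host))


def check_uri(token):
    """Return the host of a well-formed ldap/ldaps URI, or None if malformed."""
    try:
        parts = urlsplit(token)
        parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    if parts.scheme not in ("ldap", "ldaps") or parts.path not in ("", "/"):
        return None
    if parts.query or parts.fragment or parts.username:
        return None
    return parts.hostname if valid_host(parts.hostname) else None


def check_ldapsam_backend(value, writable_hosts=()):
    """Return a list of (code, detail) findings for a 'passdb backend' value.

    writable_hosts is a hypothetical parameter: the lower-case host names of
    the servers that accept writes (the master).
    """
    scheme, _, location = value.strip().partition(":")
    location = location.strip()
    if scheme != "ldapsam" or not location:
        return [("not-ldapsam", value)]
    quoted = len(location) >= 2 and location[0] == location[-1] == '"'
    tokens = (location[1:-1] if quoted else location).split()
    findings = []
    if len(tokens) > 1 and not quoted:
        findings.append(("unquoted-list",
                         "%d entries without enclosing double quotes" % len(tokens)))
    hosts = []
    for token in tokens:
        host = check_uri(token)
        if host is None:
            findings.append(("bad-uri", token))  # stray characters end up here
        else:
            hosts.append(host)
    # The first listed server is tried first, so it has to accept writes.
    if writable_hosts and hosts and hosts[0] not in writable_hosts:
        findings.append(("replica-first", hosts[0]))
    return findings


if __name__ == "__main__":
    samples = [
        # The directive exactly as it appears on this page.
        r'ldapsam:ldap://master.example.com:1389 \ ldap://slave.example.com;',
        # Quoted list, as the reply in this thread advises.
        'ldapsam:"ldap://master.example.com:1389 ldap://slave.example.com"',
        # Constructed: read-only replica listed before the master.
        'ldapsam:"ldaps://replica.example.com ldaps://master.example.com"',
    ]
    for value in samples:
        result = check_ldapsam_backend(value, writable_hosts={"master.example.com"})
        print(value, "->", result or "ok")
```
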
[Samba] LDAP Account Manager 2.0.0 released
LDAP Account Manager (LAM) 2.0.0 - August 8th, 2007
===================================================

LAM is a web frontend for managing accounts stored in an LDAP directory.

Announcement:
-------------
This is the first release which requires PHP5. It includes two new translations (Simplified Chinese and Czech) and includes several bug fixes and minor improvements.

Features:
---------
* management of Unix user and group accounts (posixAccount/posixGroup)
* management of Samba 2.x/3 user and host accounts (sambaAccount/sambaSamAccount)
* management of Kolab 2 accounts (kolabInetorgPerson)
* profiles for account creation
* account creation via file upload
* automatic creation/deletion of home directories
* setting quotas
* PDF output for all accounts
* editor for organizational units (OU)
* schema browser
* tree view
* multiple configuration files
* multi-language support (Catalan, Chinese, Czech, Dutch, English, French, German, Hungarian, Italian, Japanese, Russian, Spanish)
* support for LDAP+SSL

Availability:
-------------
This software is available under the GNU General Public License V2.0. You can get the newest version at http://lam.sf.net.

File formats: DEB, RPM, tar.gz

There is also a FreeBSD port and Debian users may use the packages in Debian/unstable.

Demo installation:
------------------
You can try our demo installation online.
http://lam.sf.net/live-demo/index.htm

Support:
--------
If you find a bug please file a bug report. For questions or implementing new features please use the forum and feature request tracker at our Sourceforge homepage http://www.sf.net/projects/lam.

Authors Copyright:
------------------
Copyright (C) 2003 - 2007:
Michael Duergner [EMAIL PROTECTED]
Roland Gruber [EMAIL PROTECTED]
Tilo Lutz [EMAIL PROTECTED]

LAM is published under the GNU General Public License. The complete list of licenses can be found in the copyright file.

--
Best regards
Roland Gruber
LDAP Account Manager
http://lam.sourceforge.net

Want more? Get LDAP Account Manager Pro!
http://lam.sourceforge.net/lamPro/index.htm
[Samba] Re: Enforcing Password Policies...
> The problem is that he can still modify its LDAP password. You could add acls to your slapd.conf such that only your ldap admin dn has write access to the userPassword attribute. In this case the only way to change the password is via samba.
>
> HTH,
> Thierry.

Hi Thierry,

Modifying SambaPwdCanChange did help... but for some reason I can't set the date to more than 30 (or so) years in the future--not that I need more than that, I just thought it was interesting.

BTW- I'm using eDirectory as the backend, which seems to be blocking Windows users OK. So thanks for your help on that.

Anyone with any thoughts on why the account lockout isn't clearing?

Thanks!
-Matt
Re: [Samba] SERIOUS PROBLEM - Root Account Locked
Do you have a process (like a service or scheduled task) running on a client machine as user 'root' with an incorrect cached password?

Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com

Jason Baker wrote:
> My root account keeps getting locked out automatically. I am running Samba 3.0.25b on a CentOS server, as PDC with LDAP backend. I have accounts set to lock after 8 unsuccessful login attempts. I zeroed out the bad password count, and then in less than a few seconds the account gets locked again and a pdbedit -Lv -u root yields the following:
>
>     Unix username:        root
>     Logon time:           0
>     Logoff time:          never
>     Kickoff time:         never
>     Password last set:    Wed, 01 Jan 1969 03:00:00 EST
>     Password can change:  Wed, 08 Jan 1969 03:00:00 EST
>     Password must change: never
>     Last bad password   : Wed, 08 Aug 2007 13:51:14 EDT
>     Bad password count  : 8
>
> If I enter w on the command line, it only shows that two (authorized) users are logged into the server. So I'm confident that no one from the outside is attempting to log in as root. Below is my conf file.
>
> If I go into LDAP Account Manager and unlock the account, it will stay unlocked for a few minutes (or seconds), then it is locked out again. With the account lock I cannot join machines to the domain, nor change domain permissions for users and groups.
>
> Any suggestions would be helpful.
[Samba] Default User in netlogon trouble
Hey Samba list,

I have a Default User folder in the netlogon share on my samba PDC. I am having a very difficult time getting users to use this as their default profile. I think my basic understanding of how this is supposed to work might be flawed. My current understanding is as follows.

When a user logs onto a domain for the first time Windows XP Pro SP2 machines first check the netlogon share. If they find a Default User folder there, then they download that and use it as the user's baseline profile. If they don't find it there, then they look on the local system under C:\Documents and Settings\Default User and create a profile for the user based on that profile. If they don't find a profile there, then there's nothing for Windows to use and you get some crazy error message about not having a profile to load.

Windows uses *either* the Default User in the netlogon share or the Default User in C:\Documents and Settings on the local machine. It's either or, it does NOT combine these two folders in any way to make the baseline profile.

Is this accurate?

Thanks,
- SG
Re: [Samba] SERIOUS PROBLEM - Root Account Locked
> Do you have a process (like a service or scheduled task) running on a client machine as user 'root' with an incorrect cached password?

No actually, this is what seems to be happening:

I log into a windows xp pro workstation as Administrator and browse the network. I double-click on a network share, in this case a samba computer called HENBANE. If I view pdbedit -Lv -u root from another computer while I'm doing this, I can watch the bad login count rise from 0 to 8. I then get a message that pops up on the Windows workstation that says something to the effect of account locked.

I added guest account = nobody to my smb.conf file and now I can browse the HENBANE share after being prompted for a username and password, but the bad password count for root now shows 2, and it rises higher each time I access a share that requires a username and password.

--
Jason Baker
IT Coordinator
Glastender Inc.
5400 North Michigan Road
Saginaw, Michigan 48604 USA
800.748.0423
Phone: 989.752.4275 ext. 228
Fax: 989.752.
www.glastender.com
[Samba] username map
Forgive me for being new - but you've got to start somewhere.

I've setup SAMBA on a Unix server that talks to AD. Almost everything works save for a user name map. From my configuration (names changed) below I can attach from windusr1 on PC1 to the Unix system and it sets up as unxusr1 no problems and clean. I can access all three shares. However, when I try to do the same thing from PC2 for appusrwin I am prompted for a name/password. No matter what I put in (windows ID/password or Unix ID/password, or combinations of these) I can't connect. The message in the log.smbd is

    domain_client_validate: unable to validate password for user appusru in domain XXXGLOBAL to Domain controller USORSDC00. Error was NT_STATUS_NO_SUCH_USER.

Note that in reality the Unix ID and Windows are very similar, with the difference being that the Windows ID is the same as the Unix ID but with 2 more characters.

What am I doing incorrectly?

:: smb.conf ::

[global]
    security = domain
    workgroup = XXXGLOBAL
    netbios name = unix01
    password server = adserver01, adserver02
    domain master = no
    local master = no
    preferred master = no
    username map = /usr/local/samba/lib/smb.users

[homes]
    writeable = yes
    # +sysadmin is a Unix group which unxusr1 is a member
    valid users = +sysadmin
    wide links = no

[trax]
    path = /var/data_files
    writeable = yes
    valid users = unxusr1, appusru
    wide links = no

[test]
    path = /var/tmp
    writeable = yes
    valid users = unxusr1, appusru
    wide links = no

:: smb.users ::

unxusr1 = XXXGLOBAL\windusr1
appusru = XXXGLOBAL\appusrwin
RE: [Samba] SERIOUS PROBLEM - Root Account Locked
This sounds like you have 'root = Administrator' in your /etc/samba/smbusers file. Is the password you are using for Administrator *different* from what is set for root in Samba (smbpasswd root to change)? That could be the issue. Note that typically, Linux and Samba use different password databases, so even though they map the same user name, the passwords may be different.

Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com
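An added example (not part of the original posts, and not Samba's code) of the mapping the reply above suspects: a small re-implementation of how a `username map` file is applied line by line, used to show which client names end up charged against `root`. The same parser reads entries like the smb.users file in the earlier "username map" post. The sample map, the failed-logon list and all function names are constructed for illustration, and `@group` entries are skipped because they cannot be resolved offline.

```python
import re
from collections import Counter

# Constructed sample in "username map" format. The first mapping is the one
# suspected in the thread; the other two mirror the smb.users post.
SAMPLE_MAP = r'''
# unix name = client name(s)
root = Administrator admin
unxusr1 = XXXGLOBAL\windusr1
appusru = XXXGLOBAL\appusrwin "App User"
'''

# The thread states that accounts lock after 8 bad attempts.
LOCKOUT_THRESHOLD = 8

# Constructed failed-logon events, keyed by the name the client presented.
FAILED_LOGONS = ["Administrator"] * 8 + ["jdoe"] * 2

# A client name is either a double-quoted string (may hold spaces) or a word.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_username_map(text):
    """Return [(unix_name, [client_names], stop_flag)], one per mapping line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        stop = line.startswith("!")          # '!' = stop after a match here
        if stop:
            line = line[1:].lstrip()
        unix_name, sep, rhs = line.partition("=")
        unix_name = unix_name.strip()
        if not sep or not unix_name:
            continue                         # not a mapping line
        names = [q or w for q, w in _TOKEN.findall(rhs)]
        names = [n for n in names if n]
        if names:
            rules.append((unix_name, names, stop))
    return rules


def map_user(rules, client_name):
    """Apply every line in order; a match replaces the name and, unless the
    line began with '!', processing continues with the replaced name."""
    name = client_name
    for unix_name, names, stop in rules:
        hit = any(n == "*" or n.lower() == name.lower()
                  for n in names if n[0] not in "@+&")  # group entries skipped
        if hit:
            name = unix_name
            if stop:
                break
    return name


def privileged_aliases(rules, privileged=("root",)):
    """Client names that finally resolve to a privileged Unix account."""
    found = []
    for _unix, names, _stop in rules:
        for n in names:
            if n == "*" or n[0] in "@+&":
                continue
            target = map_user(rules, n)
            if target in privileged and n.lower() != target.lower():
                found.append((n, target))
    return found


def failures_per_account(rules, failed_logons):
    """Count failed logons against the Unix account each name maps to."""
    return Counter(map_user(rules, who) for who in failed_logons)


def locked_accounts(rules, failed_logons, threshold=LOCKOUT_THRESHOLD):
    """Accounts whose mapped failure count reaches the lockout threshold."""
    counts = failures_per_account(rules, failed_logons)
    return sorted(acct for acct, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    rules = parse_username_map(SAMPLE_MAP)
    for alias, target in privileged_aliases(rules):
        print(f"client name {alias!r} authenticates as {target!r}")
    print("failures per account:", dict(failures_per_account(rules, FAILED_LOGONS)))
    print("locked:", locked_accounts(rules, FAILED_LOGONS))
```

Run against a copy of the real map file, `privileged_aliases` lists every client name whose failed logons would count toward a privileged account's lockout.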
Fwd: Re: [Samba] Domain with public shares
Hi.

    [sample]
        comment = Free for all
        path = /storage/everyone
        read only = No
        create mask = 0777
        directory mask = 0777
        guest ok = Yes

This worked right away - thanks!

Still having trouble with the printers. I can browse the printers, but after running through the Add printer wizard the status of the printer is Access denied :-(

Here is my printers section:

    [printers]
        comment = Network Printers
        printer admin = @Print Operators
        guest ok = yes
        printable = yes
        path = /home/spool/
        browseable = No
        read only = Yes
        print command = /usr/bin/lpr -P%p -r %s
        lpq command = /usr/bin/lpq -P%p
        lprm command = /usr/bin/lprm -P%p %j
        # print command = /usr/bin/lpr [EMAIL PROTECTED] -P%p -r %s
        # lpq command = /usr/bin/lpq [EMAIL PROTECTED] -P%p
        # lprm command = /usr/bin/lprm [EMAIL PROTECTED] -P%p %j
        # lppause command = /usr/sbin/lpc [EMAIL PROTECTED] hold %p %j
        # lpresume command = /usr/sbin/lpc [EMAIL PROTECTED] release %p %j
        # queuepause command = /usr/sbin/lpc [EMAIL PROTECTED] stop %p
        # queueresume command = /usr/sbin/lpc [EMAIL PROTECTED] start %p
[Samba] ppolicy overlay (WAS: Enforcing Password Policies...)
On Wednesday 08 August 2007 20:17, Matt Anderson wrote:
> Dear Help,
>
> I'm currently running Samba with an LDAP passdb backend. I'm trying to figure out how to NOT allow a particular user to change their password (through Windows, or any interface). I've tried modifying the values for sambaPwdCanChange and sambaPwdMustChange for a particular user, but it seems like it only affects making them change their password, instead of whether or not they're ALLOWED to.

With OpenLDAP one can use

    ldap passwd sync = only

in smb.conf and let the smbk5pwd overlay synchronize the LM and NT passwords. If you add the ppolicy overlay you have a clean way to prevent password changes for some accounts (through Windows, or any interface). For instance one can use a pwdPolicy with

    pwdAllowUserChange: FALSE

The only problem is that a Windows client reports a successful password change even though the password was not changed because of the above pwdPolicy.

Regards,
Thierry.
[Samba] home dir file permissions samba, winbind with ldap backend, AD Server 2003 R2 domain
I have samba 3.0.23 running as a clustered service on RHEL5 and I am wondering if it is okay that when I check the file permissions on the home directories they are numerical even if I reset the permissions. They stay in the long listing format until I restart the service and when I check again it looks like I typed ls -n instead of ls -s. I hadn't noticed it doing this before. It seems like everything works fine and the UIDs are correct I just want to make sure before I replace the RH9 samba server with it.

Thanks so much!
-sharol
Re: [Samba] Problem with LDAP failover config
John Drescher wrote:
> If the email client does something weird there is one space between the entries. These are two different machines with the first being the PDC and it is in the dns but the second is not so I used the numerical ip for that one instead.
>
> passdb backend = ldapsam:ldap://sysserv0.radimg.pitt.edu ldap://192.168.1.230;

Thanks John, I'd already tried and failed this way :(

It turns out this appears to be related to newest Samba package as provided by Fedora Core 4 (3.0.23a-1.fc4.1) as using 3.0.25b compiled from the official Samba sources failover works fine.

Unfortunately I'd already made a slightly embarrassing regression from 3.0.25b to the Fedora package on Monday due to resource utilisation issues I haven't yet had time to diagnose. All the more reason to get back on the case!

Cheers,
--
Ben Tisdall
svn commit: samba r24277 - in branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules: .
Author: abartlet Date: 2007-08-08 06:37:37 + (Wed, 08 Aug 2007) New Revision: 24277 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=24277 Log: Tidyup as requested by metze. Andrew Bartlett Modified: branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/objectclass.c Changeset: Modified: branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/objectclass.c === --- branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/objectclass.c 2007-08-08 03:20:37 UTC (rev 24276) +++ branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/objectclass.c 2007-08-08 06:37:37 UTC (rev 24277) @@ -201,16 +201,18 @@ return LDB_SUCCESS; } -DATA_BLOB *get_sd(struct ldb_module *module, TALLOC_CTX *mem_ctx, - const struct dsdb_class *objectclass) +static DATA_BLOB *get_sd(struct ldb_module *module, TALLOC_CTX *mem_ctx, +const struct dsdb_class *objectclass) { NTSTATUS status; DATA_BLOB *linear_sd; struct auth_session_info *session_info = ldb_get_opaque(module-ldb, sessionInfo); - struct security_descriptor *sd = sddl_decode(mem_ctx, - objectclass-defaultSecurityDescriptor, - samdb_domain_sid(module-ldb)); + struct security_descriptor *sd + = sddl_decode(mem_ctx, + objectclass-defaultSecurityDescriptor, + samdb_domain_sid(module-ldb)); + if (!session_info || !session_info-security_token) { return NULL; } 
@@ -300,17 +302,21 @@ for (current = sorted; current; current = current-next) { ret = ldb_msg_add_string(msg, objectClass, current-objectclass); if (ret != LDB_SUCCESS) { - ldb_set_errstring(module-ldb, objectclass: could not re-add sorted objectclass to modify msg); + ldb_set_errstring(module-ldb, + objectclass: could not re-add sorted + objectclass to modify msg); talloc_free(mem_ctx); return ret; } /* Last one is the critical one */ if (schema !current-next) { const struct dsdb_class *objectclass - = dsdb_class_by_lDAPDisplayName(schema, current-objectclass); + = dsdb_class_by_lDAPDisplayName(schema, + current-objectclass); if (objectclass) { if (!ldb_msg_find_element(msg, objectCategory)) { - ldb_msg_add_string(msg, objectCategory, objectclass-defaultObjectCategory); + ldb_msg_add_string(msg, objectCategory, + objectclass-defaultObjectCategory); } if (!ldb_msg_find_element(msg, ntSecurityDescriptor)) { DATA_BLOB *sd = get_sd(module, mem_ctx, objectclass);
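Review bot: In get_sd() (objectclass.c, hunk at -201,16), sddl_decode() still runs in the initializer of sd, ahead of the session_info / security_token test, so the default security descriptor is decoded onto mem_ctx even on the path that returns NULL straight away. Since this tidy-up already reshapes that declaration, declare sd without an initializer and do the decode after the session check; if the lines that follow do not already test sd for NULL, add that test as well.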
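Review bot: In the hunk at -300,17, the objectCategory add inside the ldb_msg_find_element(msg, objectCategory) branch drops the return value of ldb_msg_add_string(), while the objectClass add a few lines above stores it in ret and bails out on anything other than LDB_SUCCESS. Handle it the same way (set the error string, talloc_free(mem_ctx), return ret) so a failed add does not silently leave the message without its objectCategory.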
svn commit: lorikeet r780 - in trunk/heimdal/tests/kdc: .
Author: lha Date: 2007-08-08 07:08:30 + (Wed, 08 Aug 2007) New Revision: 780 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=lorikeetrev=780 Log: Merged with Heimdal svn revision 21858 Modified: trunk/heimdal/tests/kdc/check-iprop.in trunk/heimdal/tests/kdc/wait-kdc.sh Changeset: Modified: trunk/heimdal/tests/kdc/check-iprop.in === --- trunk/heimdal/tests/kdc/check-iprop.in 2007-08-08 04:57:56 UTC (rev 779) +++ trunk/heimdal/tests/kdc/check-iprop.in 2007-08-08 07:08:30 UTC (rev 780) @@ -67,6 +67,8 @@ rm -f mkey.file* rm -f messages.log + messages.log + echo Creating database ${kadmin} -l \ init \ @@ -88,33 +90,32 @@ ipdm= kdcpid= -trap kill \${ipdm} \${ipds} \${kdcpid}; echo killing ipropd slave + master; exit 1; EXIT + iprop-stats +trap echo 'killing ipropd s + m + kdc'; kill \${ipdm} \${ipds} \${kdcpid}; tail -10 messages.log iprop-stats; exit 1; EXIT echo Starting kdc ${kdc} kdcpid=$! -sh ${srcdir}/wait-kdc.sh -if [ $? != 0 ] ; then -kill ${kdcpid} -exit 1 -fi +sh ${srcdir}/wait-kdc.sh || exit 1 echo starting master ${ipropdmaster} --hostname=localhost -k ${keytab} \ --database=${objdir}/current-db ipdm=$! -sleep 2 +sh ${srcdir}/wait-kdc.sh ipropd-master || exit 1 echo starting slave KRB5_CONFIG=${objdir}/krb5-slave.conf \ ${ipropdslave} --hostname=slave -k ${keytab} localhost ipds=$! +sh ${srcdir}/wait-kdc.sh ipropd-slave || exit 1 -sleep 2 echo checking slave is up ${EGREP} 'iprop/[EMAIL PROTECTED]' iprop-stats /dev/null || exit 1 +# - checking: pushing lives changes + echo Add host ${kadmin} -l add --random-key --use-defaults host/[EMAIL PROTECTED] || exit 1 sleep 2 
@@ -141,6 +142,17 @@ ${EGREP} 'iprop/[EMAIL PROTECTED]' iprop-stats /dev/null || exit 1 +# - checking: slave is missing changes while down + +echo doing changes while slave is down +${kadmin} -l cpw --random-password [EMAIL PROTECTED] /dev/null || exit 1 +${kadmin} -l cpw --random-password [EMAIL PROTECTED] /dev/null || exit 1 + +echo Makeing a copy of the master log file +cp ${objdir}/current.log ${objdir}/current.log.tmp + +# - checking: checking that master and slaves resyncs + echo starting slave again iprop-stats KRB5_CONFIG=${objdir}/krb5-slave.conf \ @@ -168,6 +180,8 @@ echo checking for replay problems ${EGREP} 'Entry already exists in database' messages.log exit 1 +# - checking: checking live truncation of master log + ${kadmin} -l cpw --random-password [EMAIL PROTECTED] /dev/null || exit 1 sleep 2 @@ -175,10 +189,9 @@ ${iproplog} truncate || exit 1 sleep 2 -trap EXIT +echo Killing master and slave +kill ${ipdm} ${ipds} -kill ${ipdm} ${ipds} ${kdcpid} - sleep 2 ${EGREP} ^master down at iprop-stats /dev/null || exit 1 
@@ -188,4 +201,39 @@ ${iproplog} last-version master-last.tmp cmp master-last.tmp slave-last.tmp || exit 1 +# - checking: master going backward + +echo Going back to old version of the master log file +cp ${objdir}/current.log.tmp ${objdir}/current.log + +echo starting master +${ipropdmaster} --hostname=localhost -k ${keytab} \ +--database=${objdir}/current-db +ipdm=$! +sleep 4 + +echo starting slave + iprop-stats +KRB5_CONFIG=${objdir}/krb5-slave.conf \ +${ipropdslave} --hostname=slave -k ${keytab} localhost +ipds=$! +sleep 2 +echo checking slave is up again +${EGREP} 'iprop/[EMAIL PROTECTED]' iprop-stats /dev/null || exit 1 +echo checking for replay problems +${EGREP} 'Entry already exists in database' messages.log exit 1 + +echo pushing one change +${kadmin} -l cpw --random-password [EMAIL PROTECTED] /dev/null || exit 1 +sleep 2 + +trap EXIT +kill ${ipdm} ${ipds} ${kdcpid} + +echo compare versions on master and slave logs +KRB5_CONFIG=${objdir}/krb5-slave.conf \ +${iproplog} last-version slave-last.tmp +${iproplog} last-version master-last.tmp +cmp master-last.tmp slave-last.tmp || exit 1 + exit $ec Modified: trunk/heimdal/tests/kdc/wait-kdc.sh === --- trunk/heimdal/tests/kdc/wait-kdc.sh 2007-08-08 04:57:56 UTC (rev 779) +++ trunk/heimdal/tests/kdc/wait-kdc.sh 2007-08-08 07:08:30 UTC (rev 780) @@ -31,29 +31,30 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $Id: wait-kdc.sh 18396 2006-10-10 10:30:09Z lha $ +# $Id: wait-kdc.sh 21858 2007-08-08 07:01:03Z lha $ # -log=${1:-messages.log} +name=${1:-KDC} +log=${2:-messages.log} t=0 waitsec=20 -echo Waiting for KDC to start, looking logfile ${log} +echo Waiting for ${name} to start, looking logfile ${log} while true ; do t=`expr ${t} + 2` sleep 2 echo Have waited $t seconds -if tail -3 ${log} | grep 'KDC started' /dev/null; then +if tail -30 ${log} | grep ${name} started /dev/null; then break fi -if tail -3
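Review bot: In check-iprop.in (hunk at -141,6), the new cp of ${objdir}/current.log to ${objdir}/current.log.tmp has no "|| exit 1", unlike the kadmin calls directly above it, yet the later "master going backward" step copies that .tmp file back over current.log. Fail the test at this point if the copy fails, and fix the spelling in the echo before it ("Makeing" should be "Making").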
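Review bot: The added "master going backward" block in check-iprop.in (hunk at -188,4) goes back to fixed delays, sleep 4 after starting ipropd-master and sleep 2 after starting the slave, although the earlier hunk in the same file replaced exactly those sleeps with "sh ${srcdir}/wait-kdc.sh ipropd-master || exit 1". Either poll here as well or leave a comment on why a timed wait is kept; if the reason is that messages.log still holds the "started" line from the first start and wait-kdc.sh would match it, say so in the script.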
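Review bot: In wait-kdc.sh, making the daemon name $1 and moving the log file to $2 changes the meaning of the first argument, so any caller that still passes a log file name first will now wait for a daemon of that name until the 20 second limit. The calls visible in check-iprop.in pass only a name or nothing; please check the other test scripts that invoke wait-kdc.sh and describe both arguments in the header comment.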
svn commit: samba r24278 - in branches/SAMBA_3_2/source/smbd: .
Author: vlendec Date: 2007-08-08 18:40:26 + (Wed, 08 Aug 2007) New Revision: 24278 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=24278 Log: Push down reply_prep_legacy in reply_write_and_X Remove the need for reply_prep_legacy for reply_pipe_write_and_X Modified: branches/SAMBA_3_2/source/smbd/pipes.c branches/SAMBA_3_2/source/smbd/reply.c Changeset: Modified: branches/SAMBA_3_2/source/smbd/pipes.c === --- branches/SAMBA_3_2/source/smbd/pipes.c 2007-08-08 06:37:37 UTC (rev 24277) +++ branches/SAMBA_3_2/source/smbd/pipes.c 2007-08-08 18:40:26 UTC (rev 24278) @@ -183,26 +183,29 @@ wrinkles to handle pipes. / -int reply_pipe_write_and_X(char *inbuf,char *outbuf,int length,int bufsize) +void reply_pipe_write_and_X(struct smb_request *req) { - smb_np_struct *p = get_rpc_pipe_p(SVAL(inbuf,smb_vwv2)); - uint16 vuid = SVAL(inbuf,smb_uid); - size_t numtowrite = SVAL(inbuf,smb_vwv10); + smb_np_struct *p = get_rpc_pipe_p(SVAL(req-inbuf,smb_vwv2)); + size_t numtowrite = SVAL(req-inbuf,smb_vwv10); int nwritten = -1; - int smb_doff = SVAL(inbuf, smb_vwv11); - BOOL pipe_start_message_raw = ((SVAL(inbuf, smb_vwv7) (PIPE_START_MESSAGE|PIPE_RAW_MODE)) == - (PIPE_START_MESSAGE|PIPE_RAW_MODE)); + int smb_doff = SVAL(req-inbuf, smb_vwv11); + BOOL pipe_start_message_raw = + ((SVAL(req-inbuf, smb_vwv7) + (PIPE_START_MESSAGE|PIPE_RAW_MODE)) +== (PIPE_START_MESSAGE|PIPE_RAW_MODE)); char *data; if (!p) { - return(ERROR_DOS(ERRDOS,ERRbadfid)); + reply_doserror(req, ERRDOS, ERRbadfid); + return; } - if (p-vuid != vuid) { - return ERROR_NT(NT_STATUS_INVALID_HANDLE); + if (p-vuid != req-vuid) { + reply_nterror(req, NT_STATUS_INVALID_HANDLE); + return; } - data = smb_base(inbuf) + smb_doff; + data = smb_base(req-inbuf) + smb_doff; if (numtowrite == 0) { nwritten = 0; 
@@ -214,9 +217,12 @@ * them (we don't trust the client). JRA. */ if(numtowrite 2) { - DEBUG(0,(reply_pipe_write_and_X: start of message set and not enough data sent.(%u)\n, - (unsigned int)numtowrite )); - return (UNIXERROR(ERRDOS,ERRnoaccess)); + DEBUG(0,(reply_pipe_write_and_X: start of +message set and not enough data +sent.(%u)\n, +(unsigned int)numtowrite )); + reply_unixerror(req, ERRDOS, ERRnoaccess); + return; } data += 2; @@ -226,17 +232,18 @@ } if ((nwritten == 0 numtowrite != 0) || (nwritten 0)) { - return (UNIXERROR(ERRDOS,ERRnoaccess)); + reply_unixerror(req, ERRDOS,ERRnoaccess); + return; } - - set_message(inbuf,outbuf,6,0,True); + reply_outbuf(req, 6, 0); + nwritten = (pipe_start_message_raw ? nwritten + 2 : nwritten); - SSVAL(outbuf,smb_vwv2,nwritten); + SSVAL(req-outbuf,smb_vwv2,nwritten); DEBUG(3,(writeX-IPC pnum=%04x nwritten=%d\n, p-pnum, nwritten)); - return chain_reply(inbuf,outbuf,length,bufsize); + chain_reply_new(req); } / Modified: branches/SAMBA_3_2/source/smbd/reply.c === --- branches/SAMBA_3_2/source/smbd/reply.c 2007-08-08 06:37:37 UTC (rev 24277) +++ branches/SAMBA_3_2/source/smbd/reply.c 2007-08-08 18:40:26 UTC (rev 24278) @@ -3289,35 +3289,39 @@ START_PROFILE(SMBwriteX); - if (!reply_prep_legacy(req, inbuf, outbuf, length, bufsize)) { - reply_nterror(req, NT_STATUS_NO_MEMORY); + if ((req-wct != 12) (req-wct != 14)) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); END_PROFILE(SMBwriteX); return; } - if ((CVAL(inbuf, smb_wct) != 12) (CVAL(inbuf, smb_wct) != 14)) { - reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + numtowrite = SVAL(req-inbuf,smb_vwv10); + smb_doff = SVAL(req-inbuf,smb_vwv11); + smblen = smb_len(req-inbuf); + large_writeX = ((req-wct == 14) (smblen 0x)); + + /* Deal with possible LARGE_WRITEX */ + if (large_writeX) {
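Review bot: In reply_pipe_write_and_X() (pipes.c, hunk at -183,26), smb_doff and numtowrite are both read straight from the request (smb_vwv11 and smb_vwv10) and data is set to smb_base(req->inbuf) + smb_doff with no visible check that smb_doff plus numtowrite stays inside the received packet. The move to struct smb_request is a good point to add that bound check against smb_len(req->inbuf), or to note in a comment where the caller has already done it, and to answer with an error otherwise; the comment in the next hunk already says the client is not trusted.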
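Review bot: The "start of message set and not enough data sent" message in the pipes.c hunk at -214,9 stays at DEBUG(0, ...), and it fires on a condition that depends only on what the client sends (numtowrite too small). While these lines are being rewrapped anyway, consider a higher debug level so a misbehaving client cannot fill the log at the default level; the reply_unixerror(req, ERRDOS, ERRnoaccess) that follows already reports the failure to the client.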
svn commit: samba r24279 - in branches/SAMBA_3_2/source/smbd: .
Author: vlendec Date: 2007-08-08 19:05:30 + (Wed, 08 Aug 2007) New Revision: 24279 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=24279 Log: Remove reply_prep_legacy from reply_write_and_X Modified: branches/SAMBA_3_2/source/smbd/aio.c branches/SAMBA_3_2/source/smbd/reply.c Changeset: Modified: branches/SAMBA_3_2/source/smbd/aio.c === --- branches/SAMBA_3_2/source/smbd/aio.c2007-08-08 18:40:26 UTC (rev 24278) +++ branches/SAMBA_3_2/source/smbd/aio.c2007-08-08 19:05:30 UTC (rev 24279) @@ -284,11 +284,10 @@ */ BOOL schedule_aio_write_and_X(connection_struct *conn, - char *inbuf, char *outbuf, - int length, int len_outbuf, - files_struct *fsp, char *data, - SMB_OFF_T startpos, - size_t numtowrite) + struct smb_request *req, + files_struct *fsp, char *data, + SMB_OFF_T startpos, + size_t numtowrite) { struct aio_extra *aio_ex; SMB_STRUCT_AIOCB *a; @@ -306,7 +305,7 @@ /* Only do this on non-chained and non-chaining reads not using the * write cache. */ -if (chain_size !=0 || (CVAL(inbuf,smb_vwv0) != 0xFF) +if (chain_size !=0 || (CVAL(req-inbuf,smb_vwv0) != 0xFF) || (lp_write_cache_size(SNUM(conn)) != 0) ) { return False; } 
@@ -320,23 +319,25 @@ (mid = %u)\n, fsp-fsp_name, (double)startpos, (unsigned int)numtowrite, - (unsigned int)SVAL(inbuf,smb_mid) )); + (unsigned int)req-mid )); return False; } - inbufsize = smb_len(inbuf) + 4; - outbufsize = smb_len(outbuf) + 4; + inbufsize = smb_len(req-inbuf) + 4; + reply_outbuf(req, 6, 0); + outbufsize = smb_len(req-outbuf) + 4; if (!(aio_ex = create_aio_ex_write(fsp, inbufsize, outbufsize, - SVAL(inbuf,smb_mid { + req-mid))) { DEBUG(0,(schedule_aio_write_and_X: malloc fail.\n)); return False; } /* Copy the SMB header already setup in outbuf. */ - memcpy(aio_ex-inbuf, inbuf, inbufsize); + memcpy(aio_ex-inbuf, req-inbuf, inbufsize); /* Copy the SMB header already setup in outbuf. */ - memcpy(aio_ex-outbuf, outbuf, outbufsize); + memcpy(aio_ex-outbuf, req-outbuf, outbufsize); + TALLOC_FREE(req-outbuf); SCVAL(aio_ex-outbuf,smb_vwv0,0xFF); /* Never a chained reply. */ a = aio_ex-acb; @@ -344,7 +345,7 @@ /* Now set up the aio record for the write call. */ a-aio_fildes = fsp-fh-fd; - a-aio_buf = aio_ex-inbuf + (PTR_DIFF(data, inbuf)); + a-aio_buf = aio_ex-inbuf + (PTR_DIFF(data, req-inbuf)); a-aio_nbytes = numtowrite; a-aio_offset = startpos; a-aio_sigevent.sigev_notify = SIGEV_SIGNAL; @@ -633,11 +634,10 @@ } BOOL schedule_aio_write_and_X(connection_struct *conn, -char *inbuf, char *outbuf, -int length, int len_outbuf, -files_struct *fsp, char *data, -SMB_OFF_T startpos, -size_t numtowrite) + struct smb_request *req, + files_struct *fsp, char *data, + SMB_OFF_T startpos, + size_t numtowrite) { return False; } Modified: branches/SAMBA_3_2/source/smbd/reply.c === --- branches/SAMBA_3_2/source/smbd/reply.c 2007-08-08 18:40:26 UTC (rev 24278) +++ branches/SAMBA_3_2/source/smbd/reply.c 2007-08-08 19:05:30 UTC (rev 24279) 
@@ -3284,9 +3284,6 @@ BOOL large_writeX; NTSTATUS status; - char *inbuf, *outbuf; - int length, bufsize; - START_PROFILE(SMBwriteX); if ((req-wct != 12) (req-wct != 14)) { @@ -,22 +3330,14 @@ return; } - if (!reply_prep_legacy(req, inbuf, outbuf, length, bufsize)) { - reply_nterror(req, NT_STATUS_NO_MEMORY); - END_PROFILE(SMBwriteX); - return; - } + data = smb_base(req-inbuf) + smb_doff; - set_message(inbuf, outbuf, 6, 0, True); - - data = smb_base(inbuf) + smb_doff; - - if(CVAL(inbuf,smb_wct) == 14) { + if(req-wct == 14) { #ifdef LARGE_SMB_OFF_T
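Review bot: In schedule_aio_write_and_X (aio.c), reply_outbuf(req, 6, 0) now allocates req->outbuf before create_aio_ex_write is called, but the "malloc fail" branch returns False without releasing it; TALLOC_FREE(req->outbuf) is reached only after both memcpy calls. Either free req->outbuf on that failure path or document that the caller's synchronous fallback copes with an outbuf that is already set. Two smaller points: the comment above the first memcpy says "Copy the SMB header already setup in outbuf" although that call copies req->inbuf, and a->aio_buf depends on data pointing into req->inbuf via PTR_DIFF, which deserves a comment or an assertion now that the buffer comes from the request structure.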
Re: svn commit: samba r24277 - in branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules: .
[EMAIL PROTECTED] wrote:
-DATA_BLOB *get_sd(struct ldb_module *module, TALLOC_CTX *mem_ctx, - const struct dsdb_class *objectclass) +static DATA_BLOB *get_sd(struct ldb_module *module, TALLOC_CTX *mem_ctx, + const struct dsdb_class *objectclass) { NTSTATUS status; DATA_BLOB *linear_sd; struct auth_session_info *session_info = ldb_get_opaque(module-ldb, sessionInfo); - struct security_descriptor *sd = sddl_decode(mem_ctx, - objectclass-defaultSecurityDescriptor, - samdb_domain_sid(module-ldb)); + struct security_descriptor *sd + = sddl_decode(mem_ctx, + objectclass-defaultSecurityDescriptor, + samdb_domain_sid(module-ldb)); + if (!session_info || !session_info-security_token) { return NULL; }

what I meant was something like this:

	struct auth_session_info *session_info;
	struct dom_sid *domsid;
	struct security_descriptor *sd;

	session_info = ldb_get_opaque(module->ldb, "sessionInfo");
	if (!session_info || !session_info->security_token) {
		return NULL;
	}

	domsid = samdb_domain_sid(module->ldb);
	if (!domsid) {
		return NULL;
	}

	sd = sddl_decode(mem_ctx,
			 objectclass->defaultSecurityDescriptor,
			 domsid);
	if (!sd) {
		return NULL;
	}

and maybe a more verbose error code than NULL would be good:-)

metze
svn commit: samba r24280 - in branches: SAMBA_3_2/source/modules SAMBA_3_2_0/source/modules
Author: vlendec Date: 2007-08-08 20:06:17 + (Wed, 08 Aug 2007) New Revision: 24280 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=24280 Log: Fix the build of vfs_afsacl.c Modified: branches/SAMBA_3_2/source/modules/vfs_afsacl.c branches/SAMBA_3_2_0/source/modules/vfs_afsacl.c Changeset: Modified: branches/SAMBA_3_2/source/modules/vfs_afsacl.c === --- branches/SAMBA_3_2/source/modules/vfs_afsacl.c 2007-08-08 19:05:30 UTC (rev 24279) +++ branches/SAMBA_3_2/source/modules/vfs_afsacl.c 2007-08-08 20:06:17 UTC (rev 24280) @@ -531,7 +531,7 @@ static uint32 nt_to_afs_dir_rights(const char *filename, const SEC_ACE *ace) { uint32 result = 0; - uint32 rights = ace-info.mask; + uint32 rights = ace-access_mask; uint8 flags = ace-flags; struct static_dir_ace_mapping *m; @@ -539,12 +539,12 @@ for (m = ace_mappings[0]; m-afs_rights != ; m++) { if ( (ace-type == m-type) (ace-flags == m-flags) -(ace-info.mask == m-mask) ) +(ace-access_mask == m-mask) ) return m-afs_rights; } DEBUG(1, (AFSACL FALLBACK: 0x%X 0x%X 0x%X %s %X\n, - ace-type, ace-flags, ace-info.mask, filename, rights)); + ace-type, ace-flags, ace-access_mask, filename, rights)); if (rights (GENERIC_ALL_ACCESS|WRITE_DAC_ACCESS)) { result |= PRSFS_READ | PRSFS_WRITE | PRSFS_INSERT | @@ -572,7 +572,7 @@ static uint32 nt_to_afs_file_rights(const char *filename, const SEC_ACE *ace) { uint32 result = 0; - uint32 rights = ace-info.mask; + uint32 rights = ace-access_mask; if (rights (GENERIC_READ_ACCESS|FILE_READ_DATA)) { result |= PRSFS_READ; @@ -714,7 +714,7 @@ dacl = psd-dacl; for (i = 0; i dacl-num_aces; i++) { - SEC_ACE *ace = (dacl-ace[i]); + SEC_ACE *ace = (dacl-aces[i]); const char *dom_name, *name; enum lsa_SidType name_type; char *p; Modified: branches/SAMBA_3_2_0/source/modules/vfs_afsacl.c === --- branches/SAMBA_3_2_0/source/modules/vfs_afsacl.c2007-08-08 19:05:30 UTC (rev 24279) +++ branches/SAMBA_3_2_0/source/modules/vfs_afsacl.c2007-08-08 20:06:17 UTC (rev 24280) 
@@ -531,7 +531,7 @@ static uint32 nt_to_afs_dir_rights(const char *filename, const SEC_ACE *ace) { uint32 result = 0; - uint32 rights = ace-info.mask; + uint32 rights = ace-access_mask; uint8 flags = ace-flags; struct static_dir_ace_mapping *m; @@ -539,12 +539,12 @@ for (m = ace_mappings[0]; m-afs_rights != ; m++) { if ( (ace-type == m-type) (ace-flags == m-flags) -(ace-info.mask == m-mask) ) +(ace-access_mask == m-mask) ) return m-afs_rights; } DEBUG(1, (AFSACL FALLBACK: 0x%X 0x%X 0x%X %s %X\n, - ace-type, ace-flags, ace-info.mask, filename, rights)); + ace-type, ace-flags, ace-access_mask, filename, rights)); if (rights (GENERIC_ALL_ACCESS|WRITE_DAC_ACCESS)) { result |= PRSFS_READ | PRSFS_WRITE | PRSFS_INSERT | @@ -572,7 +572,7 @@ static uint32 nt_to_afs_file_rights(const char *filename, const SEC_ACE *ace) { uint32 result = 0; - uint32 rights = ace-info.mask; + uint32 rights = ace-access_mask; if (rights (GENERIC_READ_ACCESS|FILE_READ_DATA)) { result |= PRSFS_READ; @@ -714,7 +714,7 @@ dacl = psd-dacl; for (i = 0; i dacl-num_aces; i++) { - SEC_ACE *ace = (dacl-ace[i]); + SEC_ACE *ace = (dacl-aces[i]); const char *dom_name, *name; enum lsa_SidType name_type; char *p;
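Review bot: In nt_to_afs_dir_rights the local rights already holds ace->access_mask, yet the mapping comparison and the AFSACL FALLBACK DEBUG call read ace->access_mask again, so the DEBUG line prints the same value twice (once as ace->access_mask, once as rights). Using rights in the comparison and dropping the duplicate DEBUG argument would have reduced this build fix to one changed line per function. The SAMBA_3_2 and SAMBA_3_2_0 changes are identical, so the same comment applies to both files.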
svn commit: samba r24281 - in branches: SAMBA_3_0_25/source/libsmb SAMBA_3_2/source/libsmb SAMBA_3_2_0/source/libsmb
Author: jra Date: 2007-08-08 23:56:55 + (Wed, 08 Aug 2007) New Revision: 24281 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=24281 Log: Fix bug found by Herb. The vuid entry in the cli_state structure gets left as nonzero as returned by the failed cli_session_setup_spnego. When we then try to authenticate as the user in cli_session_setup this returns an error Bad userid (as seen in wireshark). We should only leave cli-vuid != 0 on success. Looks like it's getting set in the cli_session_setup_blob_receive() call and not cleared again on error. Jeremy. Modified: branches/SAMBA_3_0_25/source/libsmb/cliconnect.c branches/SAMBA_3_2/source/libsmb/cliconnect.c branches/SAMBA_3_2_0/source/libsmb/cliconnect.c Changeset: Modified: branches/SAMBA_3_0_25/source/libsmb/cliconnect.c === --- branches/SAMBA_3_0_25/source/libsmb/cliconnect.c2007-08-08 20:06:17 UTC (rev 24280) +++ branches/SAMBA_3_0_25/source/libsmb/cliconnect.c2007-08-08 23:56:55 UTC (rev 24281) @@ -584,6 +584,7 @@ NT_STATUS_MORE_PROCESSING_REQUIRED)) { DEBUG(0, (cli_session_setup_blob: recieve failed (%s)\n, nt_errstr(cli_get_nt_error(cli)) )); + cli-vuid = 0; return False; } } @@ -770,6 +771,9 @@ ntlmssp_end(ntlmssp_state); + if (!NT_STATUS_IS_OK(nt_status)) { + cli-vuid = 0; + } return nt_status; } Modified: branches/SAMBA_3_2/source/libsmb/cliconnect.c === --- branches/SAMBA_3_2/source/libsmb/cliconnect.c 2007-08-08 20:06:17 UTC (rev 24280) +++ branches/SAMBA_3_2/source/libsmb/cliconnect.c 2007-08-08 23:56:55 UTC (rev 24281) @@ -583,6 +583,7 @@ NT_STATUS_MORE_PROCESSING_REQUIRED)) { DEBUG(0, (cli_session_setup_blob: recieve failed (%s)\n, nt_errstr(cli_get_nt_error(cli)) )); + cli-vuid = 0; return False; } } 
@@ -769,6 +770,9 @@ ntlmssp_end(ntlmssp_state); + if (!NT_STATUS_IS_OK(nt_status)) { + cli-vuid = 0; + } return nt_status; } Modified: branches/SAMBA_3_2_0/source/libsmb/cliconnect.c === --- branches/SAMBA_3_2_0/source/libsmb/cliconnect.c 2007-08-08 20:06:17 UTC (rev 24280) +++ branches/SAMBA_3_2_0/source/libsmb/cliconnect.c 2007-08-08 23:56:55 UTC (rev 24281) @@ -583,6 +583,7 @@ NT_STATUS_MORE_PROCESSING_REQUIRED)) { DEBUG(0, (cli_session_setup_blob: recieve failed (%s)\n, nt_errstr(cli_get_nt_error(cli)) )); + cli-vuid = 0; return False; } } @@ -769,6 +770,9 @@ ntlmssp_end(ntlmssp_state); + if (!NT_STATUS_IS_OK(nt_status)) { + cli-vuid = 0; + } return nt_status; }
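Review bot: cli->vuid is cleared in two separate places (the receive-failure return in cli_session_setup_blob and the end of the NTLMSSP path), so any other error return from the SPNEGO setup that is not visible in these hunks would still leave a stale vuid behind. Resetting cli->vuid once where the failed cli_session_setup_spnego result is handled, or zeroing it before the attempt and setting it only on success, would match the rule stated in the log ("only leave cli->vuid != 0 on success") for every path. A one-line comment at each reset explaining why the vuid must be cleared would keep a later cleanup from removing it. The same three-line change is repeated for SAMBA_3_0_25, SAMBA_3_2 and SAMBA_3_2_0, so the point applies to all three.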
Build status as of Thu Aug 9 00:00:02 2007
URL: http://build.samba.org/ --- /home/build/master/cache/broken_results.txt.old 2007-08-08 00:01:39.0 + +++ /home/build/master/cache/broken_results.txt 2007-08-09 00:02:05.0 + @@ -1,4 +1,4 @@ -Build status as of Wed Aug 8 00:00:01 2007 +Build status as of Thu Aug 9 00:00:02 2007 Build counts: Tree Total Broken Panic @@ -9,16 +9,16 @@ distcc 2 0 0 ldb 31 4 0 libreplace 30 10 0 -lorikeet-heimdal 27 12 0 +lorikeet-heimdal 27 16 0 pidl 18 4 0 ppp 12 9 0 python 0 0 0 rsync32 13 0 samba-docs 0 0 0 samba-gtk2 2 0 -samba4 29 25 3 +samba4 29 26 4 samba_3_233 20 0 smb-build29 29 0 -talloc 32 1 0 +talloc 31 1 0 tdb 31 3 0