[Samba] Mystery Samba (3.4.1) and Win7

2009-09-16 Thread Martin Hochreiter

Hi!

I read many threads and tried many solutions but
I can't get Win7 (RTM, 64 bit) and Samba 3.4.1 to work together.

I am still failing with the trusteeship problem during
the first logon after domain join.

Is there a working solution?

regards
Martin
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Problem with net rpc .

2009-09-16 Thread Bruno Steven
Hi guys ...
I have Samba version 3.0.33-3.7.el5_3.1 integrated with OpenLDAP. I have been
trying to run the command *net rpc join -U root*, but it shows the message:

 Creation of workstation account failed
 Unable to join domain TEST.COM.

The content of my /var/log/messages:

Sep 15 09:32:08 amblivre smbd[4163]: [2009/09/15 09:32:08, 0]
smbd/server.c:main(986)
Sep 15 09:32:08 amblivre smbd[4163]:   standard input is not a socket,
assuming -D option
Sep 15 09:32:08 amblivre smbd[4164]: [2009/09/15 09:32:08, 0]
/builddir/build/BUILD/samba-3.0.33/source/lib/pidfile.c:pidfile_create(112)
Sep 15 09:32:08 amblivre smbd[4164]:   ERROR: smbd is already running. File
/var/run/smbd.pid exists and process id 4017 is running.
Sep 15 09:33:27 amblivre smbd[4178]: [2009/09/15 09:33:27, 0]
rpc_server/srv_netlog_nt.c:get_md4pw(242)
Sep 15 09:33:27 amblivre smbd[4178]:   get_md4pw: Workstation AMBLIVRE$: no
account in domain
Sep 15 09:33:27 amblivre smbd[4178]: [2009/09/15 09:33:27, 0]
rpc_server/srv_netlog_nt.c:_net_auth_2(461)
Sep 15 09:33:27 amblivre smbd[4178]:   _net_auth2: failed to get machine
password for account AMBLIVRE$: NT_STATUS_ACCESS_DENIED
Sep 15 09:33:27 amblivre smbd[4178]: [2009/09/15 09:33:27, 0]
rpc_server/srv_netlog_nt.c:get_md4pw(242)
Sep 15 09:33:27 amblivre smbd[4178]:   get_md4pw: Workstation AMBLIVRE$: no
account in domain
Sep 15 09:33:27 amblivre smbd[4178]: [2009/09/15 09:33:27, 0]
rpc_server/srv_netlog_nt.c:_net_auth_2(461)
Sep 15 09:33:27 amblivre smbd[4178]:   _net_auth2: failed to get machine
password for account AMBLIVRE$: NT_STATUS_ACCESS_DENIED
Sep 15 09:33:30 amblivre smbd[4179]: [2009/09/15 09:33:30, 0]
passdb/pdb_interface.c:pdb_default_create_user(329)

Does anybody have any idea how to resolve this problem?

Thanks all.



-- 
Bruno Steven - Administrador de sistemas.
LPIC-1 - LPI ID: lpi000119659 / Code: p2e4wz47e4
https://www.lpi.org/caf/Xamman/certification

MCP-Windows 2003 - TranscriptID: 793804 / Access Code: 080089100
https://mcp.microsoft.com/authenticate/validatemcp.aspx


[Samba] Can I use net ads join without DNS

2009-09-16 Thread andy.marr
Hi Samba people

I'm trying to join a Solaris10 server using Samba Version 3.0.33 server
to an ADS. But the ADS is not in DNS.

I thought I could get round this by putting the ADS IP in the server's
local hosts file, and telling the krb5.conf not to use DNS, but it
doesn't seem to work.

1. Can it be done ?
2. If it can how ?

Output of my net join ads, still seems to be using DNS 
[r...@fgukshppay001] # /usr/sfw/sbin/net ads join -U admandymarr -d3
[2009/09/16 15:01:42, 3] param/loadparm.c:(5055)
  lp_load: refreshing parameters
[2009/09/16 15:01:42, 3] param/loadparm.c:(1440)
  Initialising global parameters
[2009/09/16 15:01:42, 3] param/params.c:(572)
  params.c:pm_process() - Processing configuration file
/etc/sfw/smb.conf
[2009/09/16 15:01:42, 3] param/loadparm.c:(3794)
  Processing section [global]
[2009/09/16 15:01:42, 2] lib/interface.c:(81)
  added interface ip=10.193.69.100 bcast=10.193.69.255
nmask=255.255.255.0
[2009/09/16 15:01:42, 2] lib/interface.c:(81)
  added interface ip=10.193.69.101 bcast=10.193.69.255
nmask=255.255.255.0
[2009/09/16 15:01:42, 2] lib/interface.c:(81)
  added interface ip=172.30.61.177 bcast=172.30.61.255
nmask=255.255.255.0
[2009/09/16 15:01:42, 2] lib/interface.c:(81)
  added interface ip=172.30.61.178 bcast=172.30.61.255
nmask=255.255.255.0
[2009/09/16 15:01:42, 2] lib/interface.c:(81)
  added interface ip=10.193.69.102 bcast=10.193.69.255
nmask=255.255.255.0
[2009/09/16 15:01:42, 2] lib/interface.c:(81)
  added interface ip=172.30.61.179 bcast=172.30.61.255
nmask=255.255.255.0
[2009/09/16 15:01:42, 2] lib/interface.c:(81)
  added interface ip=192.168.1.2 bcast=192.168.1.255 nmask=255.255.255.0
[2009/09/16 15:01:42, 3] libsmb/namequery.c:(1495)
  get_dc_list: preferred server list: , *
[2009/09/16 15:01:42, 3] libads/dns.c:(303)
  ads_dns_lookup_srv: Failed to resolve
_ldap._tcp.dc._msdcs.FGPREPROD.COM (Error 0)
[2009/09/16 15:01:42, 3] libads/dns.c:(363)
  ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_UNSUCCESSFUL)
[2009/09/16 15:01:42, 3] libsmb/namequery.c:(1495)
  get_dc_list: preferred server list: , *
[2009/09/16 15:01:42, 3] libsmb/namequery.c:(966)
  resolve_lmhosts: Attempting lmhosts lookup for name
FGPREPROD.COM0x1c
[2009/09/16 15:01:42, 3] libsmb/namequery.c:(863)
  resolve_wins: Attempting wins lookup for name FGPREPROD.COM0x1c
[2009/09/16 15:01:42, 3] libsmb/namequery.c:(866)
  resolve_wins: WINS server resolution selected and no WINS servers
listed.
[2009/09/16 15:01:42, 3] libsmb/namequery.c:(805)
  name_resolve_bcast: Attempting broadcast lookup for name
FGPREPROD.COM0x1c
[2009/09/16 15:01:48, 3] libsmb/namequery.c:(1495)
  get_dc_list: preferred server list: , *
[2009/09/16 15:01:48, 3] libsmb/namequery.c:(966)
  resolve_lmhosts: Attempting lmhosts lookup for name FGPREPROD0x1c
[2009/09/16 15:01:48, 3] libsmb/namequery.c:(863)
  resolve_wins: Attempting wins lookup for name FGPREPROD0x1c
[2009/09/16 15:01:48, 3] libsmb/namequery.c:(866)
  resolve_wins: WINS server resolution selected and no WINS servers
listed.
[2009/09/16 15:01:48, 3] libsmb/namequery.c:(805)
  name_resolve_bcast: Attempting broadcast lookup for name
FGPREPROD0x1c
[2009/09/16 15:01:55, 3] libsmb/namequery_dc.c:(162)
  Could not look up dc's for domain FGPREPROD
admandymarr's password:
[2009/09/16 15:02:00, 3] libsmb/namequery.c:(1495)
  get_dc_list: preferred server list: , *
[2009/09/16 15:02:00, 3] libads/dns.c:(303)
  ads_dns_lookup_srv: Failed to resolve
_ldap._tcp.dc._msdcs.FGPREPROD.COM (Error 0)
[2009/09/16 15:02:00, 3] libads/dns.c:(363)
  ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_UNSUCCESSFUL)
[2009/09/16 15:02:00, 3] libsmb/namequery.c:(1495)
  get_dc_list: preferred server list: , *
[2009/09/16 15:02:00, 3] libsmb/namequery.c:(966)
  resolve_lmhosts: Attempting lmhosts lookup for name
FGPREPROD.COM0x1c
[2009/09/16 15:02:00, 3] libsmb/namequery.c:(863)
  resolve_wins: Attempting wins lookup for name FGPREPROD.COM0x1c
[2009/09/16 15:02:00, 3] libsmb/namequery.c:(866)
  resolve_wins: WINS server resolution selected and no WINS servers
listed.
[2009/09/16 15:02:00, 3] libsmb/namequery.c:(805)
  name_resolve_bcast: Attempting broadcast lookup for name
FGPREPROD.COM0x1c
[2009/09/16 15:02:06, 0] utils/net_ads.c:(286)
  ads_connect: No logon servers
[2009/09/16 15:02:06, 1] utils/net_ads.c:(1470)
  error on ads_startup: No logon servers
Failed to join domain: No logon servers
[2009/09/16 15:02:06, 2] utils/net.c:(1075)
  return code = -1



My krb5.conf
[libdefaults]
default_realm = FGPREPROD.COM
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
FGPREPROD.COM = {
kdc = fgukcbradc001.XXDOMAINXX.com
admin_server = fgukcbradc001.XXDOMAINXX.com
}

[domain_realm]
.fgpreprod.com = FGPREPROD.COM
.subdomain.fgpreprod.com = FGPREPROD.COM

[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
period = 1d
version = 10
}

[appdefaults]
kinit = {
renewable = true
forwardable= true
}


My smb.conf
[global]
workgroup = 

[Samba] ACL misbehavior moving from POSIX ACL - acl_xattr

2009-09-16 Thread Wes Deviers
List,

I had Samba 3.0 running on Debian Lenny configured to use POSIX ACLs on ext3.  
They worked fine, or at least as fine as NT - POSIX mapping ever did.  After 
testing 3.3 with acl_xattr on using a different machine, I decided to give it a 
whirl on the production server.  And yes, I know it's experimental.

I defined a share thusly:

vfs objects = acl_xatt
acl map full control = true
inherit acls = yes
map acl inherit = yes
map read only = Permissions
nt acl support = yes
acl group control = true
dos filemode = yes
enable privileges = yes
store dos attributes = yes


This is identical to the setup on the test machine, which worked correctly.

On the production machine, trying to set ACLs via XP's Explorer interface 
fails with a permission denied.  The log:

set_canon_ace_list: sys_acl_set_file type file failed for file 
TestDirectory/Test 
(Operation not supported).

Having both POSIX ACL and the VFS object turned on produced some interesting
results, so last night I unmounted /samba, turned off -o acl, and remounted it.
It now has user_xattr turned on, but -o acl is *off*.  Restarted Samba,
everything seemed to work.

In the harsh light of users' morning, it appears that Samba is still trying to 
use the POSIX ACL layer to store ACLs, although that's a best guess based on 
the error message.

How can I insist that Samba use the vfs object ACL module, instead of the 
POSIX acls?

Thanks!

Wes




Re: [Samba] Mystery Samba (3.4.1) and Win7

2009-09-16 Thread Guenther Deschner
Hi Martin,

On Wed, Sep 16, 2009 at 01:37:33PM +0200, Martin Hochreiter wrote:
> Hi!
>
> I read many threads and tried many solutions but
> I can't get Win7 (RTM, 64 bit) and Samba 3.4.1 to work together.
>
> I am still failing with the trusteeship problem during
> the first logon after domain join.
>
> Is there a working solution?

Have you tried following the steps on
http://wiki.samba.org/index.php/Windows7 ?

3.4.1 is really known to work as long as you do not start to modify your
netlogon registry settings.

Guenther

-- 
Günther Deschner    GPG-ID: 8EE11688
Red Hat             gdesch...@redhat.com
Samba Team          g...@samba.org



[Samba] Printing queues not clearing after server crash

2009-09-16 Thread bdehn
We had a server crash last night and now the print queues (from the 
Windows clients) are not clearing after the job prints. I'm using Samba 
version 3.0.26a-0.9-1787-SUSE-SLES9 and CUPS cups-1.1.20-108.44. I'm 
thinking I've got a corrupt tdb file but not sure which one(s) to check. 

Advice / suggestions?

Bob Dehn


Re: [Samba] Can I use net ads join without DNS

2009-09-16 Thread Volker Lendecke
On Wed, Sep 16, 2009 at 03:10:38PM +0100, andy.m...@bt.com wrote:
> Hi Samba people
>
> I'm trying to join a Solaris10 server using Samba Version 3.0.33 server
> to an ADS. But the ADS is not in DNS.
>
> I thought I could get round this by putting the ADS IP in the server's
> local hosts file, and telling the krb5.conf not to use DNS, but it
> doesn't seem to work.
>
> 1. Can it be done ?
> 2. If it can how ?

Can you try -S servername as an argument to the net ads join?

Volker


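The level-3 debug output in the original question records every DC-location method that `net ads join` tried before giving up. As an added example (not part of the thread and not Samba code), the Python below reassembles such wrapped log entries and reports which methods were tried and how long each one blocked. The sample log is constructed in the style of the output above, EXAMPLE.COM is a placeholder realm, and the function and label names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the style of the debug output quoted in the thread;
# EXAMPLE.COM is a placeholder realm.
SAMPLE_LOG = """\
[2009/09/16 15:01:42, 3] libads/dns.c:(303)
  ads_dns_lookup_srv: Failed to resolve
_ldap._tcp.dc._msdcs.EXAMPLE.COM (Error 0)
[2009/09/16 15:01:42, 3] libsmb/namequery.c:(966)
  resolve_lmhosts: Attempting lmhosts lookup for name
EXAMPLE.COM0x1c
[2009/09/16 15:01:42, 3] libsmb/namequery.c:(863)
  resolve_wins: Attempting wins lookup for name EXAMPLE.COM0x1c
[2009/09/16 15:01:42, 3] libsmb/namequery.c:(866)
  resolve_wins: WINS server resolution selected and no WINS servers
listed.
[2009/09/16 15:01:42, 3] libsmb/namequery.c:(805)
  name_resolve_bcast: Attempting broadcast lookup for name
EXAMPLE.COM0x1c
[2009/09/16 15:01:48, 0] utils/net_ads.c:(286)
  ads_connect: No logon servers
"""

# Entry header: "[date time, level] file:function(line)". The function name
# is empty in some builds, as in the Solaris output quoted above.
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s+(\S+?):(\w*)\((\d+)\)\s*$"
)

# Labels (hypothetical) for the lookup routines named in the log messages.
METHODS = {
    "ads_dns_lookup_srv": "dns-srv",
    "resolve_lmhosts": "lmhosts",
    "resolve_wins": "wins",
    "name_resolve_bcast": "broadcast",
}


def parse_entries(text):
    """Rebuild log entries; wrapped message lines are joined to their header.

    Program output mixed into the log (a password prompt, for example) cannot
    be told apart from a wrapped line and is attached to the preceding entry.
    """
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append({
                "time": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                "level": int(m.group(2)),
                "source": m.group(3),
                "line": int(m.group(5)),
                "message": "",
            })
        elif entries and raw.strip():
            last = entries[-1]
            last["message"] = (last["message"] + " " + raw.strip()).strip()
    return entries


def resolution_timeline(text):
    """Ordered lookup methods with the seconds that passed before the next entry."""
    entries = parse_entries(text)
    steps = []
    for i, entry in enumerate(entries):
        method = METHODS.get(entry["message"].split(":", 1)[0])
        if method is None:
            continue
        nxt = entries[i + 1]["time"] if i + 1 < len(entries) else entry["time"]
        wait = int((nxt - entry["time"]).total_seconds())
        if steps and steps[-1]["method"] == method:
            steps[-1]["seconds"] += wait  # same method logged twice in a row
        else:
            steps.append({"method": method, "seconds": wait})
    return steps


def fatal_errors(text):
    """Messages logged at debug level 0, i.e. the errors that ended the run."""
    return [e["message"] for e in parse_entries(text) if e["level"] == 0]


if __name__ == "__main__":
    for step in resolution_timeline(SAMPLE_LOG):
        print(f"{step['method']:<10} {step['seconds']}s")
    print(fatal_errors(SAMPLE_LOG))
```

Run against a saved `-d3` log, this makes the fallback from DNS SRV lookup to lmhosts, WINS and broadcast visible at a glance, along with the time spent waiting on the broadcast lookup.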

Re: [Samba] ACL misbehavior moving from POSIX ACL - acl_xattr

2009-09-16 Thread Jeremy Allison
On Wed, Sep 16, 2009 at 11:18:58AM -0400, Wes Deviers wrote:
> List,
>
> I had Samba 3.0 running on Debian Lenny configured to use POSIX ACLs on ext3.
> They worked fine, or at least as fine as NT - POSIX mapping ever did.  After
> testing 3.3 with acl_xattr on using a different machine, I decided to give it
> a whirl on the production server.  And yes, I know it's experimental.
>
> I defined a share thusly:
>
> vfs objects = acl_xatt
> acl map full control = true
> inherit acls = yes
> map acl inherit = yes
> map read only = Permissions
> nt acl support = yes
> acl group control = true
> dos filemode = yes
> enable privileges = yes
> store dos attributes = yes
>
> This is identical to the setup on the test machine, which worked correctly.
>
> On the production machine, trying to set ACLs via XP's Explorer interface
> fails with a permission denied.  The log:
>
> set_canon_ace_list: sys_acl_set_file type file failed for file
> TestDirectory/Test
> (Operation not supported).
>
> Having both POSIX ACL and the VFS object turned on produced some interesting
> results, so last night I unmounted /samba, turned off -o acl, and remounted
> it.
> It now has user_xattr turned on, but -o acl is *off*.  Restarted Samba,
> everything seemed to work.
>
> In the harsh light of users' morning, it appears that Samba is still trying
> to use the POSIX ACL layer to store ACLs, although that's a best guess based
> on the error message.
>
> How can I insist that Samba use the vfs object ACL module, instead of the
> POSIX acls?

You can't at the moment. Samba still requires the incoming
ACL to be converted into an underlying file system ACL, as
the underlying filesystem still must have the final decision
on access decisions. The NT acl is stored as an extra layer
of ACL metadata on top of this, which is also consulted.

You could slot in a null ACL module underneath the acl_xattr
layer that always allowed acl set and returned an allow everyone
acl on read, but that isn't coded yet (shouldn't be too hard
though).

Currently if you want native NT ACLs only I suggest you
use the NFSv4 module, which is pretty close to native Windows
ACLs. 

Jeremy


Re: [Samba] Can I use net ads join without DNS

2009-09-16 Thread andy.marr
Cheers Volker 

I used your option and I've also found the password server option in the
smb.conf. I'm running both and seem to have got a bit further.

But now I'm getting a different error. I'm not sure if the problem is
still DNS.

The ADS server is not in DNS and in a different domain to my SAMBA
server.

Here is the error I'm now getting

[r...@fgukshppay001] #  /usr/sfw/sbin/net join ads -Uadmandymarr
-Sfgukcbradc001
admandymarr's password:
Bad option: ads
Failed to join domain: Invalid parameter
ADS join did not work, falling back to RPC...
Could not connect to server fgukcbradc001
The username or password was not correct.
[2009/09/16 17:58:00, 0] utils/net_rpc_join.c:(81)
  net_rpc_join_ok: failed to get schannel session key from server
fgukcbradc001 for domain FGPREPROD. Error was NT_STATUS_ACCESS_DENIED
Unable to join domain FGPREPROD.


All is the same as the original post except the following added to smb.conf:
password server = 10.193.33.133   -- which is the IP of fgukcbradc001, the
ADS server


When I run a debug level 3 I can see the following after I enter the
password
admandymarr's password:
[2009/09/16 17:55:14, 3] libads/ldap.c:(394)
  Connected to LDAP server 10.193.33.133
[2009/09/16 17:55:14, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2009/09/16 17:55:14, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2009/09/16 17:55:14, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2009/09/16 17:55:14, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2009/09/16 17:55:14, 3] libads/sasl.c:(300)
  ads_sasl_spnego_bind: got server principal name =
fgukcbradc0...@fgpreprod.com
[2009/09/16 17:55:14, 3] libsmb/clikrb5.c:(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
file found)
[2009/09/16 17:55:14, 3] libsmb/clikrb5.c:(528)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration
Thu, 17 Sep 2009 03:55:14 BST
[2009/09/16 17:55:14, 3] libads/ldap.c:(394)
  Connected to LDAP server 10.193.33.133
[2009/09/16 17:55:14, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2009/09/16 17:55:14, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2009/09/16 17:55:14, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2009/09/16 17:55:14, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2009/09/16 17:55:14, 3] libads/sasl.c:(300)
  ads_sasl_spnego_bind: got server principal name =
fgukcbradc0...@fgpreprod.com
[2009/09/16 17:55:14, 3] libsmb/clikrb5.c:(528)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration
Thu, 17 Sep 2009 03:55:14 BST
Bad option: ads
Failed to join domain: Invalid parameter
ADS join did not work, falling back to RPC...


-Original Message-
From: Volker Lendecke [mailto:volker.lende...@sernet.de] 
Sent: 16 September 2009 17:28
To: Marr,A,Andy,DGE62 C
Cc: samba@lists.samba.org
Subject: Re: [Samba] Can I use net ads join without DNS

On Wed, Sep 16, 2009 at 03:10:38PM +0100, andy.m...@bt.com wrote:
> Hi Samba people
>
> I'm trying to join a Solaris10 server using Samba Version 3.0.33 server
> to an ADS. But the ADS is not in DNS.
>
> I thought I could get round this by putting the ADS IP in the server's
> local hosts file, and telling the krb5.conf not to use DNS, but it
> doesn't seem to work.
>
> 1. Can it be done ?
> 2. If it can how ?

Can you try -S servername as an argument to the net ads join?

Volker


Re: [Samba] Can I use net ads join without DNS

2009-09-16 Thread andy.marr

 Also found in the debug output the following

[2009/09/16 18:20:09, 8] libsmb/namequery.c:(1644)
  get_sorted_dc_list: attempting lookup for name FGPREPROD.COM (sitename
NULL) using [ads]

Which I'm guessing is where it's getting the:
Bad option: ads
Failed to join domain: Invalid parameter

Error message.

Seems to be pointing to DNS again.

Cheers
Andy


-Original Message-
From: Volker Lendecke [mailto:volker.lende...@sernet.de] 
Sent: 16 September 2009 17:28
To: Marr,A,Andy,DGE62 C
Cc: samba@lists.samba.org
Subject: Re: [Samba] Can I use net ads join without DNS

On Wed, Sep 16, 2009 at 03:10:38PM +0100, andy.m...@bt.com wrote:
> Hi Samba people
>
> I'm trying to join a Solaris10 server using Samba Version 3.0.33 server
> to an ADS. But the ADS is not in DNS.
>
> I thought I could get round this by putting the ADS IP in the server's
> local hosts file, and telling the krb5.conf not to use DNS, but it
> doesn't seem to work.
>
> 1. Can it be done ?
> 2. If it can how ?

Can you try -S servername as an argument to the net ads join?

Volker


Re: [Samba] ACL misbehavior moving from POSIX ACL - acl_xattr

2009-09-16 Thread Wes Deviers
On Wednesday 16 September 2009 12:56:11 pm Jeremy Allison wrote:
> On Wed, Sep 16, 2009 at 11:18:58AM -0400, Wes Deviers wrote:
SNIP
>>
>> How can I insist that Samba use the vfs object ACL module, instead of the
>> POSIX acls?
>
> You can't at the moment. Samba still requires the incoming
> ACL to be converted into an underlying file system ACL, as
> the underlying filesystem still must have the final decision
> on access decisions. The NT acl is stored as an extra layer
> of ACL metadata on top of this, which is also consulted.
>
> You could slot in a null ACL module underneath the acl_xattr
> layer that always allowed acl set and returned an allow everyone
> acl on read, but that isn't coded yet (shouldn't be too hard
> though).
>
> Currently if you want native NT ACLs only I suggest you
> use the NFSv4 module, which is pretty close to native Windows
> ACLs.
>
> Jeremy


Jeremy,

As always, thank you for your reply!

I'm confused now.  I have a VirtualBox instance set up identically, except 
that the underlying filesystem (ext3) has never had -o acl set on it, only -o 
user_xattr.  What I've been doing, which is dangerous but effective, is setting 
file creation mode to 666 and letting the Samba VFS ACL layer take care of 
everything.  That's worked.

As I understood the system under the new VFS module, Samba does its internal 
ACL checks and if those pass, it then attempts file operations as normal, which 
may or may not work depending on the real file permissions.  If I have POSIX 
ACLs applied, those also have to agree; otherwise, the normal UGO permissions 
are what must work.  I'm clear through this part.

Where I'm confused is that on a machine that I do have working, there is no 
POSIX ACL support, but the Samba VFS layer works brilliantly.  Inheritance, 
take ownership, everything works on the VFS layer without needing any POSIX 
ACLs.  

On the old server, I've taken a machine that was previously storing the 
Samba ACL metadata as POSIX mappings, pulled the POSIX mappings out from under 
it, and tried to get it to use the VFS module exclusively.  All files/dirs are 
666 or 777.  According to my reading, since there are no POSIX extended ACLs, 
if the VFS layer passes an access, then it only should be compared against 
the standard UGO permissions.  Testing on a virtual machine seemed to confirm 
this.

I think you read my question as: Why am I denied access because of my POSIX 
ACLs, even though the VFS ACL module is in place?  I'm clear on what's 
involved there, I think.  What I was *trying* to make my question:

Since I've turned POSIX ACLs *off* at the filesystem layer by removing the ACL 
mount option, why does Samba continue to want to store its ACL metadata in 
the POSIX ACL layer instead of the VFS module?  So, no Linux ACLs, and a+rwx 
on all files/directories.  It works on one machine  : (

Or, alternately, Does Samba, with vfs object = acl_xattr, store ACLs both as 
a user_xattr AND an ext3 ACL at the same time?  My limited testing shows that 
*not* to be the case, but I'm certainly not the expert.


Thanks again!

Wes




Re: [Samba] ACL misbehavior moving from POSIX ACL - acl_xattr

2009-09-16 Thread Jeremy Allison
On Wed, Sep 16, 2009 at 01:38:13PM -0400, Wes Deviers wrote:
 
> Or, alternately, Does Samba, with vfs object = acl_xattr, store ACLs both as
> a user_xattr AND an ext3 ACL at the same time?  My limited testing shows
> that *not* to be the case, but I'm certainly not the expert.

Yes it does (store ACLs both as a user_xattr AND an ext3 ACL at the same time).
It's designed that way. You might be getting away with the use cases you're
trying, but it won't work long term. If you want the underlying filesystem
to ignore ACLs you'll need to write a module that does this (and doesn't
pass down the ACL requests to the underlying file system).

Jeremy.


[Samba] Domain Trusts

2009-09-16 Thread Charlie Clark
Hi,

I am trying to get two Samba4 domains linked in a trust over an openvpn tunnel.
Everything seems to be set up fine and each domain recognizes the other domain
when starting to create the trust. I am unable to get this to work though, as
when I go through the wizard and it creates the trust, the last screen says "The
operation failed. The error is: The stub received bad data.". I also get this
error when using netdom to create the trust. This seems to happen no matter what
type of trust I create.

My question is, is this feature implemented yet?
If so, has anybody been able to get it working or had a similar problem?
If not, is anybody working on implementing this as a feature?
If so, do you have an eta?

Also how do I get samba4 to log? I have been unable to find any logs and putting
'log file    = /var/log/samba/log.smbd' into /usr/local/samba/etc/smb.conf
has no effect.

Thanks,

Charlie

[Samba] Help needed: valid users

2009-09-16 Thread Chris Osicki
Hi 

I'm using Samba 3.0.33 on Solaris10 and have the following problem.
In the smb.conf I have 

workgroup = CORPROOT
security = domain

and users authenticated to CORPROOT domain can connect shares
w/o problems, [homes] for example.
Now I would like to create a share and restrict access to it just 
to a dozen users or so.

I tried 
  
  valid users = +docs
  force user = usodocs

where docs is a group in /etc/group and it didn't work.
Looks like Samba is trying to look up the group docs on the domain
controller in the CORPROOT domain.

So, I tried this

  valid users = CORPROOT\user
  force user = usodocs

it works. 
According to man page 
   valid users = +docs
should work.
I must be missing something, but what?

Is there any better/nicer way to achieve what I'm looking for?
That is, to give a group of users full control over content of 
a share.
I have several Linux Samba servers where I use POSIX ACLs to control
read/write rights on the OS level and it works fine. 

I tried the same on the Solaris10 box with ZFS and its ACLs and it
didn't work as expected (posted about it a few weeks ago, no answers though)

I would be very thankful for any help.

BTW, anyone any idea how to attract attention to a post on this list?
Virtual beer as attachment? ;-)
My success rate is by now close to nothing.

Thanks for your time.

Regards,
Chris
-- 

Chris Osicki o...@osk.ch
Dipl. Informatik-Ing. HTL



Re: [Samba] ACL misbehavior moving from POSIX ACL - acl_xattr

2009-09-16 Thread Miguel Medalha

Dear Jeremy

Since I once thought about doing the same, I would like to know your 
views on the method that Wes describes.

I quote:

»

What I've been doing, which is dangerous but effective, is setting 
file creation mode to 666 and letting the Samba VFS ACL layer take care of 
everything.  That's worked.

«

»
All files/dirs are 666 or 777.  According to my reading, since there are no POSIX extended ACLs, if the VFS layer passes an access, then it only should be compared against 
the standard UGO permissions.

«

Thank you




Re: [Samba] Help needed: valid users

2009-09-16 Thread Gary Dale

Chris Osicki wrote:
> Hi
>
> I'm using Samba 3.0.33 on Solaris10 and have the following problem.
> In the smb.conf I have
>
> workgroup = CORPROOT
> security = domain
>
> and users authenticated to CORPROOT domain can connect shares
> w/o problems, [homes] for example.
> Now I would like to create a share and restrict access to it just
> to a dozen users or so.
>
> I tried
>
>   valid users = +docs
>   force user = usodocs
>
> where docs is a group in /etc/group and it didn't work.
> Looks like Samba is trying to look up the group docs on the domain
> controller in the CORPROOT domain.
>
> So, I tried this
>
>   valid users = CORPROOT\user
>   force user = usodocs
>
> it works.
> According to man page
>    valid users = +docs
> should work.
> I must be missing something, but what?
>
> Is there any better/nicer way to achieve what I'm looking for?
> That is, to give a group of users full control over content of
> a share.
> I have several Linux Samba servers where I use POSIX ACLs to control
> read/write rights on the OS level and it works fine.
>
> I tried the same on the Solaris10 box with ZFS and its ACLs and it
> didn't work as expected (posted about it a few weeks ago, no answers though)
>
> I would be very thankful for any help.
>
> BTW, anyone any idea how to attract attention to a post on this list?
> Virtual beer as attachment? ;-)
> My success rate is by now close to nothing.
>
> Thanks for your time.
>
> Regards,
> Chris
  
Don't use force user unless you really want everyone to look like that 
user when accessing the share. Quick documentation on the various 
options is available via SWAT.



Re: [Samba] Problem with net rpc .

2009-09-16 Thread Wes Deviers
On Wednesday 16 September 2009 08:46:31 am Bruno Steven wrote:
> Hi guys ...
> I have Samba version 3.0.33-3.7.el5_3.1 integrated with OpenLDAP. I have been
> trying to run the command *net rpc join -U root*, but it shows the message:
>  Creation of workstation account failed
>  Unable to join domain TEST.COM.

...

Have you created the LDAP posixAccount item for the machine account?  When I
did it, I kept forgetting that you do still have to create an entry with a
posixAccount object class for the machine, just as if it were a normal,
non-LDAP entry.



Wes


[Samba] station can't join domain due to wins cache

2009-09-16 Thread Stephane Durieux

Hello,

A problem that might be useful to mention (or not).

Sometimes, I encountered a problem with some stations that couldn't
join the samba domain.
It was due to the wins cache. (the samba conf was configured to  
provide wins service)

I had already joined the domain with those stations before during tests.
The solution was to stop samba and erase the wins cache (by default on  
debian lenny /var/lib/samba/wins.dat). Then I had to restart samba and  
the file was regenerated.
In my opinion, the best bet is probably to turn off wins service while  
stations join the domain but I am not an expert.



--
Stephane Durieux




Re: [Samba] Still problems with samba 3.4.1 / ldap and search for users ans machines

2009-09-16 Thread Rob Shinn


John H Terpstra - Samba Team wrote:

> Of over 100 LDAP Samba installation I have completed over 80%
> successfully use:
>
> uid='username',ou=People,ou=Users,ldap_base_dn
> uid='machine',ou=Computers,ou=Users,ldap_base_dn

Same here, though I use

uid='username', ou=people, ldap_base_dn
cn='machine', ou=hosts, ldap_base_dn

and make the object structure classes contain ipHost, posixAccount, and
sambaSamAccount,
which effectively lets me share LDAP hosts resolution and Samba machine
accounts under the same container :) (Yeah, I gotta be weird, I know...)

> If you follow chapter 5 of Samba3-ByExample, it should work for you too.
>
> http://www.samba.org/samba/docs/Samba3-ByExample.pdf
  
That's the book I started with and it's great material.  Thanks for 
writing it!




Re: [Samba] 2.6.31-rc8: CIFS with 5 seconds hiccups

2009-09-16 Thread Christoph Lameter
On Thu, 10 Sep 2009, Jeff Layton wrote:

 In any case, I think we need to look closely at what's happening at
 mount time. First, I'll need some other info:

 1) output of /sbin/mount.cifs -V from both machines

The 32 bit machine

#/sbin/mount.cifs -V
mount.cifs version: 1.5

mount -t cifs //chiprodfs2/company /mnt -ouser=clameter,domain=xxx

64 bit machine

$ /sbin/mount.cifs -V
mount.cifs version: 1.12-3.4.0

mount -t cifs //chiprodfs2/company /mnt -ouser=clameter,domain=w2k

> 3) wire captures from mount attempts on both machines. Try to mount the
> clameter dir on both boxes and do captures of each attempt. Maybe
> this time use -s 0 with tcpdump so we get all of the traffic.

I cannot mount the clameter dir on the 32 bit box. Hangs. So I will mount
/company.

> There may be crackable password hashes in the captures, so you may want
> to send them to me privately and not cc the list.

Ok will follow.



[Samba] (64 bit dump) Re: 2.6.31-rc8: CIFS with 5 seconds hiccups

2009-09-16 Thread Christoph Lameter
64 bit one

Re: [Samba] 2.6.31-rc8: CIFS with 5 seconds hiccups

2009-09-16 Thread Christoph Lameter
On Tue, 15 Sep 2009, Jeff Layton wrote:

> Yow, that version of mount.cifs is really old. I wonder if it may be
> passing bad mount options to the kernel? Might be interesting to strace
> that. Something like:
>
> # strace -f -s 256 -e mount mount -t cifs //chiprodfs2/company /mnt -ouser=clameter,domain=xxx
>
> ...it'll probably have a cleartext password in it so you might want to
> doctor the options a bit before sending along if you do.
>
> Alternately, you might just want to try a newer version of mount.cifs
> and see whether that fixes this.

Tried a newer version of mount.cifs without any change.

>> I cannot mount the clameter dir on the 32 bit box. Hangs. So I will mount
>> /company.
>
> Actually, the trace of a hanging mount would probably be interesting.
>
> Does the 32-bit capture that you sent represent a mount attempt that
> hung? Or was it successful?

No it was successful.

> What's the devname that you're giving to the mount command for the
> clameter dir? If there's more than 1 path component after the
> hostname, then the problem may be in the old version of mount.cifs.
> Some of them had broken handling for path prefixes.

It's //machinename/company/clameter

So two components.



[Samba] How to create a new share

2009-09-16 Thread Ingraham, Kim, DOH
This is a simple problem, I'm sure, but it's stumped me so far.

I am using Samba version 2.2.3a on an IBM AIX server and I need to
create a new share and cannot find how to do that from the documentation
I have.

The shares I have were set up by a person that is no longer employed
with us and he didn't document his work so I'm stuck trying to do this.

When I try to use the Create Share option and enter the name of the
share in the box to the right, it doesn't create the share.  There is
something I'm missing.

I would appreciate any help offered.

Kim





Re: [Samba] Can I use net ads join without DNS

2009-09-16 Thread Volker Lendecke
On Wed, Sep 16, 2009 at 06:01:04PM +0100, andy.m...@bt.com wrote:
> Cheers Volker
>
> I used your option and I've also found the password server option in the
> smb.conf. I'm running both and seem to have got a bit further.
>
> But now I'm getting a different error. I'm not sure if the problem is
> still DNS.
>
> The ADS server is not in DNS and in a different domain to my SAMBA
> server.
>
> Here is the error I'm now getting
>
> [r...@fgukshppay001] #  /usr/sfw/sbin/net join ads -Uadmandymarr -Sfgukcbradc001
> admandymarr's password:

You might want to try net ads join instead of net join ads.

Volker



Re: [Samba] ACL misbehavior moving from POSIX ACL - acl_xattr

2009-09-16 Thread Jeremy Allison
On Wed, Sep 16, 2009 at 07:20:11PM +0100, Miguel Medalha wrote:

> All files/dirs are 666 or 777.  According to my reading, since there are
> no POSIX extended ACLs, if the VFS layer passes an access, then it only
> should be compared against the standard UGO permissions.

That's correct - but the problem isn't access, it's when the
incoming ACL is set onto the underlying filesystem. Most
ACLs can't be mapped onto ugw permissions.

As I said, you need a vfs_acl_null module that will drop
any set call, and will return Everyone:Full control on
read.

Jeremy.


Re: [Samba] Help needed: valid users

2009-09-16 Thread Gary Dale

Chris Osicki wrote:
> Hi
>
> I'm using Samba 3.0.33 on Solaris10 and have the following problem.
> In the smb.conf I have
>
> workgroup = CORPROOT
> security = domain
>
> and users authenticated to CORPROOT domain can connect shares
> w/o problems, [homes] for example.
> Now I would like to create a share and restrict access to it just
> to a dozen of users or so.
>
> I tried
>
>   valid users = +docs
>   force user = usodocs
>
> where docs is a group in /etc/group and it didn't work.
> Looks like Samba is trying to look up the group docs on the domain
> controller in the CORPROOT domain.
>
> So, I tried this
>
>   valid users = CORPROOT\user
>   force user = usodocs
>
> it works.
> According to man page
>    valid users = +docs
>
> should work.
> I must be missing something, but what?
>
> Is there any better/nicer way to achieve what I'm looking for?
> That is, to give a group of users full control over content of
> a share.
>
> I have several Linux Samba servers where I use POSIX ACLs to control
> read/write rights on the OS level and it works fine.
>
> I tried the same on the Solaris10 box with ZFS and its ACLs and it
> didn't work as expected (posted about it few weeks ago, no answers though)
>
> I would be very thankful for any help.
>
> BTW, anyone any idea how to attract attention to a post on this list?
> Virtual beer as attachment? ;-)
> My success rate is by now close to nothing.
>
> Thanks for your time.
>
> Regards,
> Chris
  
Further to my earlier response, you need to ensure that the group has 
access to the share since Samba permissions cannot override Linux 
permissions.  You may want to set the Linux permissions to 777 while 
testing.  Leave off the force user and just try the valid users. Also, 
since you are using the + group prefix, this is strictly the Linux group 
that you are granting permission to.



[Samba] locking down ssh when using winbind

2009-09-16 Thread Luv Linux
Hi all,

I'm using samba with winbind which has been integrated with Active
Directory.
In the smb.conf file, I have
template shell = /bin/bash
winbind use default domain = yes

to allow ssh but I don't want all the domain users to be able to ssh.

Is there a way to only allow for example) domain\ssh_group which is an
active directory group to be able to ssh into the server?

This is my current pam.d/sshd file:
auth       required     pam_nologin.so
auth       sufficient   pam_stack.so service=system-auth
auth       sufficient   pam_winbind.so
account    sufficient   pam_stack.so service=system-auth
account    sufficient   pam_winbind.so
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so


Re: [Samba] ACL misbehavior moving from POSIX ACL - acl_xattr

2009-09-16 Thread Miguel Medalha


>> All files/dirs are 666 or 777.  According to my reading, since there are
>> no POSIX extended ACLs, if the VFS layer passes an access, then it only
>> should be compared against the standard UGO permissions.
>
> That's correct - but the problem isn't access, it's when the
> incoming ACL is set onto the underlying filesystem. Most
> ACLs can't be mapped onto ugw permissions.
>
> As I said, you need a vfs_acl_null module that will drop
> any set call, and will return Everyone:Full control on
> read.
  


I am ignorant enough on these low-level matters. I almost understand 
your statement. But... consider the following:


- At the filesystem level ALL the permissions are 666 or 777
- The above are ONLY seen by the VFS layer, not by the client side
- The VFS module writes the real ACLs as extended attributes only (or 
some other method), always setting  them as 666/777 at the filesystem level
- Clients only see the ACLs provided to them *by the VFS layer* and 
never directly from the filesystem


Wouldn't this provide any desired type of ACLs? What am I missing here?

Thank you


Re: [Samba] locking down ssh when using winbind

2009-09-16 Thread Philipoff, Andrew
You can restrict access to specific local and domain groups:

#account    required     pam_stack.so service=system-auth
account    sufficient   pam_succeed_if.so user ingroup users
account    sufficient   pam_succeed_if.so user ingroup webdevelopers

Check here for more info:
http://linux.die.net/man/8/pam_succeed_if

Andrew Philipoff
Infrastructure Coordinator
Information Systems
Department of Medicine, UCSF



Re: [Samba] smbclient -M

2009-09-16 Thread Adam Nielsen
> Thank you very much, I'm quite surprised the messenger service is not
> running on the clients of that LAN, but I take it and check ASAP.

The service is turned off on all our PCs, so I'm not sure if that's just
our environment or the default.  Since there's no authentication it
could cause a lot of mischief if left enabled.

> However the smbclient manpage is misleading, it says:
> If they are not running WinPopup the message will be lost, and no error
> message will occur.

This is a reference to Win9x which had to be running the WinPopup.exe
program to receive messages.  I'm not sure how this relates to the new
Messenger service, but evidently these days it can tell if the message
has been received or not.

> Assuming a documentation bug, I think there's a bug in the code anyway,
> because NT_STATUS_BAD_NETWORK_NAME is not the most obvious error message
> smbclient could give in that case...

True, but then again it depends what is causing the problem.  It may be
obvious once you understand how the protocol works ;-)  You could always
submit a patch to smbclient to pick up that error and display a more
helpful suggestion!

Cheers,
Adam.


Re: [Samba] Samba server masquerading as another...

2009-09-16 Thread Adam Nielsen
> [2009/09/14 17:35:14, 1] smbd/sesssetup.c:reply_spnego_kerberos(316)
>   Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!

I think this means that when the client sent Samba the kerberos ticket
(to prove it had authenticated) Samba was unable to verify it with the
server that issued the ticket.

> At one point I noticed an error in nmbd.log file:
>
> [2009/09/14 17:11:50, 0] nmbd/nmbd_nameregister.c:register_name_response(130)
>   register_name_response: server at IP 10.49.4.92 rejected our name
>   registration of QALAB_SERVER20 IP 10.49.104.69 with error code 6.
>
> Indicating that we probably lost some sort of election to the real
> Win 2k3 server... however, the Fedora client via smbclient still
> happily connects without complaints with the QALAB_SERVER name...

Perhaps the Win2003 server doesn't want to recognise the Samba server?

Cheers,
Adam.



Re: [Samba] locking down ssh when using winbind

2009-09-16 Thread Luv Linux
Thanks Andrew,

The file didn't have the line = account    required     pam_stack.so
service=system-auth
so changed it to the following, group's name in AD is domain\sshusers btw so
I'm not sure if I have to input it as domain\sshusers or sshusers.   But
doesn't seem to work...  What did I do wrong?:
#auth       required     pam_nologin.so
auth       sufficient   pam_stack.so service=system-auth
auth       sufficient   pam_winbind.so
account    sufficient   pam_succeed_if.so user ingroup sshusers
#account    sufficient   pam_stack.so service=system-auth
account    sufficient   pam_winbind.so
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so



Re: [Samba] Can winbind authenticate users from two AD groups?

2009-09-16 Thread Joel Therrien


On the windows box, it doesn't display an error, it just shows the
username and password prompt again.

The samba log for the windows box is attached. I am noting that the
student is correctly trying to log in using the STUDENT\Username form to
identify that he belongs to the student domain. But the log shows that
the workstation is being added to his credentials. No idea if that is
causing the issue.

If it helps, I can also provide the samba config file.

Thanks!

logfile:
[2009/08/14 15:57:05,  3] smbd/process.c:process_smb(1549)
 Transaction 0 of length 137 (0 toread)
[2009/08/14 15:57:05,  3] smbd/process.c:switch_message(1361)
 switch message SMBnegprot (pid 5608) conn 0x0
[2009/08/14 15:57:05,  3] smbd/sec_ctx.c:set_sec_ctx(324)
 setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05,  3] smbd/negprot.c:reply_negprot(568)
 Requested protocol [PC NETWORK PROGRAM 1.0]
[2009/08/14 15:57:05,  3] smbd/negprot.c:reply_negprot(568)
 Requested protocol [LANMAN1.0]
[2009/08/14 15:57:05,  3] smbd/negprot.c:reply_negprot(568)
 Requested protocol [Windows for Workgroups 3.1a]
[2009/08/14 15:57:05,  3] smbd/negprot.c:reply_negprot(568)
 Requested protocol [LM1.2X002]
[2009/08/14 15:57:05,  3] smbd/negprot.c:reply_negprot(568)
 Requested protocol [LANMAN2.1]
[2009/08/14 15:57:05,  3] smbd/negprot.c:reply_negprot(568)
 Requested protocol [NT LM 0.12]
[2009/08/14 15:57:05,  3] smbd/negprot.c:reply_nt1(392)
 using SPNEGO
[2009/08/14 15:57:05,  3] smbd/negprot.c:reply_negprot(673)
 Selected protocol NT LM 0.12
[2009/08/14 15:57:05,  3] smbd/process.c:process_smb(1549)
 Transaction 1 of length 240 (0 toread)
[2009/08/14 15:57:05,  3] smbd/process.c:switch_message(1361)
 switch message SMBsesssetupX (pid 5608) conn 0x0
[2009/08/14 15:57:05,  3] smbd/sec_ctx.c:set_sec_ctx(324)
 setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05,  3] smbd/sesssetup.c:reply_sesssetup_and_X(1409)
 wct=12 flg2=0xc807
[2009/08/14 15:57:05,  2] smbd/sesssetup.c:setup_new_vc_session(1363)
 setup_new_vc_session: New VC == 0, if NT4.x compatible we would close 
all old resources.
[2009/08/14 15:57:05,  3] 
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)

 Doing spnego session setup
[2009/08/14 15:57:05,  3] 
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
 NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 
5.1] PrimaryDomain=[]

[2009/08/14 15:57:05,  3] smbd/sesssetup.c:reply_spnego_negotiate(800)
 reply_spnego_negotiate: Got secblob of size 40
[2009/08/14 15:57:05,  3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
 Got NTLMSSP neg_flags=0xa2088207
[2009/08/14 15:57:05,  3] smbd/process.c:process_smb(1549)
 Transaction 2 of length 276 (0 toread)
[2009/08/14 15:57:05,  3] smbd/process.c:switch_message(1361)
 switch message SMBsesssetupX (pid 5608) conn 0x0
[2009/08/14 15:57:05,  3] smbd/sec_ctx.c:set_sec_ctx(324)
 setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05,  3] smbd/sesssetup.c:reply_sesssetup_and_X(1409)
 wct=12 flg2=0xc807
[2009/08/14 15:57:05,  2] smbd/sesssetup.c:setup_new_vc_session(1363)
 setup_new_vc_session: New VC == 0, if NT4.x compatible we would close 
all old resources.
[2009/08/14 15:57:05,  3] 
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)

 Doing spnego session setup
[2009/08/14 15:57:05,  3] 
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
 NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 
5.1] PrimaryDomain=[]

[2009/08/14 15:57:05,  3] libsmb/ntlmssp.c:ntlmssp_server_auth(745)
 Got user=[] domain=[] workstation=[UML-4F0C88A99EB] len1=1 len2=0
[2009/08/14 15:57:05,  3] auth/auth.c:check_ntlm_password(220)
 check_ntlm_password:  Checking password for unmapped user 
[]...@[uml-4f0c88a99eb] with the new password interface

[2009/08/14 15:57:05,  3] auth/auth.c:check_ntlm_password(223)
 check_ntlm_password:  mapped user is: [umladco]...@[uml-4f0c88a99eb]
[2009/08/14 15:57:05,  3] smbd/sec_ctx.c:push_sec_ctx(224)
 push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/08/14 15:57:05,  3] smbd/uid.c:push_conn_ctx(357)
 push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/08/14 15:57:05,  3] smbd/sec_ctx.c:set_sec_ctx(324)
 setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/08/14 15:57:05,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
 pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05,  3] smbd/sec_ctx.c:push_sec_ctx(224)
 push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/08/14 15:57:05,  3] smbd/uid.c:push_conn_ctx(357)
 push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/08/14 15:57:05,  3] smbd/sec_ctx.c:set_sec_ctx(324)
 setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/08/14 15:57:05,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
 pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05,  3] auth/auth.c:check_ntlm_password(269)
 check_ntlm_password: guest authentication for user [] succeeded
[2009/08/14 15:57:05,  3] smbd/sec_ctx.c:push_sec_ctx(224)
 push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/08/14 15:57:05,  3] 

Re: [Samba] locking down ssh when using winbind

2009-09-16 Thread Philipoff, Andrew
You shouldn't need to define a domain, sshusers should be sufficient. Did you 
restart sshd?

Andrew Philipoff
Infrastructure Coordinator
Information Systems
Department of Medicine, UCSF
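
Added example, not part of any post in this thread: a simplified Python model of how Linux-PAM's basic control flags combine, run on the account lines posted in the follow-up message. The users, their group memberships, the two variant stacks and the behaviour assumed for pam_winbind's account check are assumptions made for illustration.

```python
"""Simplified model of Linux-PAM control flags on an sshd 'account' stack."""

# Constructed directory data (not from the thread): user -> group memberships.
GROUPS = {
    "alice": {"domain users", "sshusers"},  # domain user inside the SSH group
    "bob": {"domain users"},                # domain user outside the SSH group
}

# Account lines from the follow-up message in the thread, whitespace restored.
POSTED = """
account    sufficient   pam_succeed_if.so user ingroup sshusers
#account   sufficient   pam_stack.so service=system-auth
account    sufficient   pam_winbind.so
"""

# Assumed variant: the group test alone, still flagged 'sufficient'.
GROUP_ONLY = """
account    sufficient   pam_succeed_if.so user ingroup sshusers
"""

# Assumed variant: the group test as a hard gate ahead of winbind.
GATED = """
account    required     pam_succeed_if.so user ingroup sshusers
account    sufficient   pam_winbind.so
"""


def parse_account_stack(text):
    """Return (control, module, args) for each active 'account' line."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "account":
            continue  # blank lines, comments and other module types
        stack.append((fields[1], fields[2], fields[3:]))
    return stack


def module_ok(module, args, user):
    """Model of the two modules in the thread; True stands for PAM_SUCCESS."""
    if module == "pam_succeed_if.so":
        if len(args) != 3 or args[:2] != ["user", "ingroup"]:
            raise ValueError("only 'user ingroup <group>' is modelled")
        return args[2] in GROUPS.get(user, set())
    if module == "pam_winbind.so":
        # Assumption: the account check passes for every known domain user.
        return user in GROUPS
    raise ValueError("module not modelled: " + module)


def access_granted(text, user):
    """Walk the stack the way the basic control flags are documented to work."""
    positive = False  # some module has vouched for the user
    failed = False    # a required module has failed; the stack cannot succeed
    for control, module, args in parse_account_stack(text):
        ok = module_ok(module, args, user)
        if control == "requisite":
            if not ok:
                return False          # fail immediately
            positive = True
        elif control == "required":
            if ok:
                positive = True
            else:
                failed = True         # keep going, but the result is fixed
        elif control == "sufficient":
            if ok and not failed:
                return True           # success ends the stack here
            # a failing 'sufficient' module is ignored
        elif control == "optional":
            positive = positive or ok
        else:
            raise ValueError("control flag not modelled: " + control)
    # With nothing positive on record the stack denies by default.
    return positive and not failed


def report():
    """Outcome per stack and user, as {stack_name: {user: bool}}."""
    stacks = {"posted": POSTED, "group_only": GROUP_ONLY, "gated": GATED}
    return {name: {u: access_granted(text, u) for u in sorted(GROUPS)}
            for name, text in stacks.items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

In this model the posted stack admits both users, because the `sufficient` winbind line still vouches for anyone the group test did not match. A `required` group test also applies to local accounts, so any account that must keep SSH access needs to be in the group as well.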




[Samba] [samba] Share authentication via AD

2009-09-16 Thread Matt Delves
Hey folks,
I've got a server setup that uses samba to join to the Windows 2k3
Active Directory. I've also created a shared folder on that server.

The problem I'm experiencing is that I'm unable to authenticate to the
share and thus browse it.

The smb.conf file is:
==
[global]
   workgroup = domain
   server string = Samba Server Version %v
   security = ads
   local master = no
   preferred master = no
   load printers = yes
   cups options = raw
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/bash
   winbind use default domain = yes
   password server = AD Servers
   realm = Kerberos Realm
   winbind nested groups = yes

[rpms]
  Comment = SLES 10 RPMs
  path = /srv/www/htdocs/sles
  read only = No
  force group = bob
  force user = bob
  create mask = 0664
==

As far as the basics, the server is joined successfully to the domain
and I can browse to it from a windows box. I know that winbind is
functioning as I can login (via local or ssh) using my Active Directory
username and password.

Any help in identifying problems with this configuration would be
appreciated. 

Thanks,
Matt Delves



Build status as of Wed Sep 16 06:00:02 2009

2009-09-16 Thread build
URL: http://build.samba.org/

--- /home/build/master/cache/broken_results.txt.old 2009-09-15 
00:00:53.0 -0600
+++ /home/build/master/cache/broken_results.txt 2009-09-16 00:00:04.0 
-0600
@@ -1,21 +1,21 @@
-Build status as of Tue Sep 15 06:00:02 2009
+Build status as of Wed Sep 16 06:00:02 2009
 
 Build counts:
 Tree Total  Broken Panic 
 build_farm   0  0  0 
-ccache   2  0  0 
+ccache   3  1  0 
 distcc   0  0  0 
-ldb  32 32 0 
-libreplace   27 11 0 
+ldb  31 31 0 
+libreplace   30 12 0 
 lorikeet 0  0  0 
-pidl 21 20 0 
+pidl 23 22 0 
 ppp  0  0  0 
-rsync31 11 0 
+rsync32 11 0 
 samba-docs   0  0  0 
 samba-web0  0  0 
-samba_3_current 7  6  0 
-samba_3_master 29 29 4 
-samba_3_next 28 27 1 
+samba_3_current 1  1  0 
+samba_3_master 30 30 5 
+samba_3_next 29 28 1 
 samba_4_0_test 32 32 2 
 talloc   31 31 0 
 tdb  29 29 0 


[SCM] Samba Shared Repository - branch v3-5-test updated - release-4-0-0alpha8-1462-gdbebf4d

2009-09-16 Thread Günther Deschner
The branch, v3-5-test has been updated

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test


- Log -
commit dbebf4d848e72fe1b9bf117e05240b95d89fc93b
Author: Günther Deschner g...@samba.org
Date:   Wed Sep 16 07:53:26 2009 +0200

s3-schannel: add dump_NL_AUTH_SIGNATURE.

Guenther
(cherry picked from commit c5c04fcf90849d31ff4d0343dedec2c097823a7e)

commit 1a14264a24dbbcd8ba875ad6b27e1ae6f52215fe
Author: Günther Deschner g...@samba.org
Date:   Wed Sep 16 03:23:05 2009 +0200

schannel: remove last traces of gensec.

Guenther
(cherry picked from commit 5b86a0ac013173e9d00f2f1476fb3ee54463e930)

commit ed246aa063f73c3b004b091222b96cc7b2c28d2b
Author: Günther Deschner g...@samba.org
Date:   Wed Sep 16 02:09:06 2009 +0200

lib/crypto: link in AES crypto for s4 as well.

Guenther
(cherry picked from commit 310051c79de5c649847972cdc1ae565d81841ec5)

commit 3e7ee606d775d5030345d7a92212e1aef1db7a6c
Author: Günther Deschner g...@samba.org
Date:   Wed Sep 16 00:52:33 2009 +0200

s3-schannel: remove unused schannel_decode/schannel_encode.

Guenther
(cherry picked from commit 97d7a524abc4993f231357ef22c637994d2cdcb9)

commit 26e355e2fd8e80670feaa39c008ac0daeb5c0769
Author: Günther Deschner g...@samba.org
Date:   Wed Sep 16 00:26:17 2009 +0200

schannel: fully share schannel sign/seal between s3 and 4.

Guenther
(cherry picked from commit 799f8d7e13cc712f32cdd779770e4868ad17486b)

commit 

[SCM] Samba Shared Repository - branch master updated - tevent-0-9-8-354-g94d83b6

2009-09-16 Thread Günther Deschner
The branch, master has been updated
   via  94d83b62c943837b2b3a0ca8cc83e6d41f8e8733 (commit)
   via  37bc80645358fc2e2eba465b451080b0d328c722 (commit)
  from  c5c04fcf90849d31ff4d0343dedec2c097823a7e (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 94d83b62c943837b2b3a0ca8cc83e6d41f8e8733
Author: Günther Deschner g...@samba.org
Date:   Wed Sep 16 08:55:17 2009 +0200

s3-ntlmssp: add missing prototype.

Guenther

commit 37bc80645358fc2e2eba465b451080b0d328c722
Author: Günther Deschner g...@samba.org
Date:   Wed Sep 16 08:54:31 2009 +0200

s3-dcerpc: remove more obsolete or duplicate headers.

Guenther

---

Summary of changes:
 librpc/gen_ndr/ndr_ntlmssp.c  |4 +-
 librpc/gen_ndr/ndr_ntlmssp.h  |1 +
 source3/include/proto.h   |2 +-
 source3/include/rpc_dce.h |   44 +---
 source3/rpc_client/cli_pipe.c |   44 ++--
 source3/rpc_parse/parse_rpc.c |2 +-
 source3/rpc_server/srv_pipe.c |   30 +-
 source3/rpc_server/srv_pipe_hnd.c |   58 ++--
 8 files changed, 72 insertions(+), 113 deletions(-)


Changeset truncated at 500 lines:

diff --git a/librpc/gen_ndr/ndr_ntlmssp.c b/librpc/gen_ndr/ndr_ntlmssp.c
index 2b4e70e..8e379bf 100644
--- a/librpc/gen_ndr/ndr_ntlmssp.c
+++ b/librpc/gen_ndr/ndr_ntlmssp.c
@@ -2279,7 +2279,7 @@ static const struct ndr_interface_call ntlmssp_calls[] = {
 };
 
 static const char * const ntlmssp_endpoint_strings[] = {
-   ncacn_np:[\\pipe\\ntlmssp],
+   ncacn_np:[\\pipe\\ntlmssp], 
 };
 
 static const struct ndr_interface_string_array ntlmssp_endpoints = {
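Review bot: The only difference on the ntlmssp_endpoint_strings entry is whitespace after the trailing comma, and the next hunk does the same to ntlmssp_authservice_strings, so this file carries no functional change. Because it lives under librpc/gen_ndr, the churn should come from regenerating the file rather than from a hand edit; if it was regenerated, say so in the commit message so the whitespace noise is not read as part of the prototype fix.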
@@ -2288,7 +2288,7 @@ static const struct ndr_interface_string_array 
ntlmssp_endpoints = {
 };
 
 static const char * const ntlmssp_authservice_strings[] = {
-   host,
+   host, 
 };
 
 static const struct ndr_interface_string_array ntlmssp_authservices = {
diff --git a/librpc/gen_ndr/ndr_ntlmssp.h b/librpc/gen_ndr/ndr_ntlmssp.h
index de31c6c..ab095d1 100644
--- a/librpc/gen_ndr/ndr_ntlmssp.h
+++ b/librpc/gen_ndr/ndr_ntlmssp.h
@@ -50,6 +50,7 @@ void ndr_print_LM_RESPONSE(struct ndr_print *ndr, const char 
*name, const struct
 enum ndr_err_code ndr_push_LMv2_RESPONSE(struct ndr_push *ndr, int ndr_flags, 
const struct LMv2_RESPONSE *r);
 enum ndr_err_code ndr_pull_LMv2_RESPONSE(struct ndr_pull *ndr, int ndr_flags, 
struct LMv2_RESPONSE *r);
 void ndr_print_LMv2_RESPONSE(struct ndr_print *ndr, const char *name, const 
struct LMv2_RESPONSE *r);
+void ndr_print_ntlmssp_LM_RESPONSE(struct ndr_print *ndr, const char *name, 
const union ntlmssp_LM_RESPONSE *r);
 enum ndr_err_code ndr_push_NTLM_RESPONSE(struct ndr_push *ndr, int ndr_flags, 
const struct NTLM_RESPONSE *r);
 enum ndr_err_code ndr_pull_NTLM_RESPONSE(struct ndr_pull *ndr, int ndr_flags, 
struct NTLM_RESPONSE *r);
 void ndr_print_NTLM_RESPONSE(struct ndr_print *ndr, const char *name, const 
struct NTLM_RESPONSE *r);
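Review bot: The ndr_print_ntlmssp_LM_RESPONSE prototype is added to a header under librpc/gen_ndr, yet the summary of changes lists no .idl file. If the declaration is not produced by the IDL compiler, the next regeneration of this header will drop it again; make the change in the IDL and commit the regenerated output so the two stay in step.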
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 8af6dba..007ee9f 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -5712,7 +5712,7 @@ bool prs_data_blob(prs_struct *prs, DATA_BLOB *blob, 
TALLOC_CTX *mem_ctx);
 /* The following definitions come from rpc_parse/parse_rpc.c  */
 
 const char *get_pipe_name_from_iface(const struct ndr_syntax_id *interface);
-void init_rpc_hdr(RPC_HDR *hdr, enum RPC_PKT_TYPE pkt_type, uint8 flags,
+void init_rpc_hdr(RPC_HDR *hdr, enum dcerpc_pkt_type pkt_type, uint8 flags,
uint32 call_id, int data_len, int auth_len);
 bool smb_io_rpc_hdr(const char *desc,  RPC_HDR *rpc, prs_struct *ps, int 
depth);
 void init_rpc_context(RPC_CONTEXT *rpc_ctx, uint16 context_id,
diff --git a/source3/include/rpc_dce.h b/source3/include/rpc_dce.h
index fc2d880..3fd833c 100644
--- a/source3/include/rpc_dce.h
+++ b/source3/include/rpc_dce.h
@@ -22,49 +22,7 @@
 #ifndef _DCE_RPC_H /* _DCE_RPC_H */
 #define _DCE_RPC_H 
 
-/* DCE/RPC packet types */
-
-enum RPC_PKT_TYPE {
-   RPC_REQUEST  = 0x00,/* Ordinary request. */
-   RPC_PING = 0x01,/* Connectionless is server alive ? */
-   RPC_RESPONSE = 0x02,/* Ordinary reply. */
-   RPC_FAULT= 0x03,/* Fault in processing of call. */
-   RPC_WORKING  = 0x04,/* Connectionless reply to a ping when server 
busy. */
-   RPC_NOCALL   = 0x05,/* Connectionless reply to a ping when server 
has lost part of clients call. */
-   RPC_REJECT   = 0x06,/* Refuse a request with a code. */
-   RPC_ACK  = 0x07,/* Connectionless client to server code. */
-   RPC_CL_CANCEL= 0x08,/* Connectionless cancel. */
-   RPC_FACK = 0x09,/* Connectionless fragment ack. Both client and 
server send. */
-   RPC_CANCEL_ACK = 
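Review bot: The removed enum RPC_PKT_TYPE documented each value inline (which packet types are connectionless, which side sends them), and that commentary disappears with it unless the enum dcerpc_pkt_type now used in proto.h carries equivalent notes. Confirm that before deleting, and make sure every remaining user of the RPC_* names is converted in the same commit so the tree still builds at this revision.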

[SCM] Samba Shared Repository - branch master updated - tevent-0-9-8-359-ga0d8698

2009-09-16 Thread Günther Deschner
The branch, master has been updated
   via  a0d8698f6547a020ee0fba59704d2ebeb8c27763 (commit)
   via  de43e39487d8724c06883827e3eb2dbe6b42fc99 (commit)
   via  828b9a48fde3839d88848d5e05e24c38ef6cfb7d (commit)
   via  537ac20a92c70a4bebcb7662c7bbcb1daf745fb7 (commit)
   via  6dab835fbb981b0bb1bac68407fd29fa3a18a53a (commit)
  from  94d83b62c943837b2b3a0ca8cc83e6d41f8e8733 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit a0d8698f6547a020ee0fba59704d2ebeb8c27763
Author: Günther Deschner g...@samba.org
Date:   Wed Sep 16 10:27:21 2009 +0200

s3-netapi: Fix Coverity #668: FORWARD_NULL.

Guenther

commit de43e39487d8724c06883827e3eb2dbe6b42fc99
Author: Günther Deschner g...@samba.org
Date:   Wed Sep 16 10:26:28 2009 +0200

s3-netapi: Fix Coverity #669 FORWARD_NULL.

Guenther

commit 828b9a48fde3839d88848d5e05e24c38ef6cfb7d
Author: Günther Deschner g...@samba.org
Date:   Wed Sep 16 10:24:55 2009 +0200

s3-netapi: Fix Coverity #670: FORWARD_NULL.

Guenther

commit 537ac20a92c70a4bebcb7662c7bbcb1daf745fb7
Author: Günther Deschner g...@samba.org
Date:   Wed Sep 16 10:15:46 2009 +0200

s3-eventlogadm: Fix Coverity #938: UNINIT.

Guenther

commit 6dab835fbb981b0bb1bac68407fd29fa3a18a53a
Author: Günther Deschner g...@samba.org
Date:   Wed Sep 16 10:14:05 2009 +0200

s3-rpcclient: Fix Coverity #935: UNINIT.

Guenther

---

Summary of changes:
 source3/lib/netapi/user.c  |6 +++---
 source3/rpcclient/cmd_lsarpc.c |2 +-
 source3/utils/eventlogadm.c|2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/lib/netapi/user.c b/source3/lib/netapi/user.c
index 9fa3ddd..f95750f 100644
--- a/source3/lib/netapi/user.c
+++ b/source3/lib/netapi/user.c
@@ -466,7 +466,7 @@ WERROR NetUserAdd_r(struct libnetapi_ctx *ctx,
   user_handle);
 
  done:
-   if (is_valid_policy_hnd(user_handle)) {
+   if (is_valid_policy_hnd(user_handle)  pipe_cli) {
rpccli_samr_Close(pipe_cli, ctx, user_handle);
}
 
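Review bot: At the done: label the added pipe_cli test removes the NULL dereference Coverity flagged, but it also means a valid user_handle is silently left open whenever pipe_cli is NULL. If that combination cannot occur, a short comment saying so would help; the identical guard is repeated in NetUserGetInfo_r and NetUserSetInfo_r, so a small helper that closes the handle only when both are usable would keep the three cleanup paths consistent.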
@@ -1696,7 +1696,7 @@ WERROR NetUserGetInfo_r(struct libnetapi_ctx *ctx,
}
 
  done:
-   if (is_valid_policy_hnd(user_handle)) {
+   if (is_valid_policy_hnd(user_handle)  pipe_cli) {
rpccli_samr_Close(pipe_cli, ctx, user_handle);
}
 
@@ -1864,7 +1864,7 @@ WERROR NetUserSetInfo_r(struct libnetapi_ctx *ctx,
werr = WERR_OK;
 
  done:
-   if (is_valid_policy_hnd(user_handle)) {
+   if (is_valid_policy_hnd(user_handle)  pipe_cli) {
rpccli_samr_Close(pipe_cli, ctx, user_handle);
}
 
diff --git a/source3/rpcclient/cmd_lsarpc.c b/source3/rpcclient/cmd_lsarpc.c
index b660cfa..752881c 100644
--- a/source3/rpcclient/cmd_lsarpc.c
+++ b/source3/rpcclient/cmd_lsarpc.c
@@ -1731,7 +1731,7 @@ static NTSTATUS cmd_lsa_retrieve_private_data(struct 
rpc_pipe_client *cli,
struct lsa_String name;
struct lsa_DATA_BUF *val;
DATA_BLOB session_key;
-   DATA_BLOB blob;
+   DATA_BLOB blob = data_blob_null;
char *secret;
 
if (argc  2) {
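Review bot: Initialising blob to data_blob_null addresses the UNINIT report, but char *secret on the very next line is still declared without an initialiser, as is val above it. If either can be read or freed on an early-exit path in cmd_lsa_retrieve_private_data, it needs the same treatment; setting both to NULL here is cheap and avoids a follow-up report.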
diff --git a/source3/utils/eventlogadm.c b/source3/utils/eventlogadm.c
index d134ea8..7fc04b0 100644
--- a/source3/utils/eventlogadm.c
+++ b/source3/utils/eventlogadm.c
@@ -91,7 +91,7 @@ static int DoWriteCommand( int argc, char **argv, bool 
debugflag, char *exename
char linein[1024];
bool is_eor;
struct eventlog_Record_tdb ee;
-   uint32_t record_number;
+   uint32_t record_number = 0;
TALLOC_CTX *mem_ctx = talloc_tos();
 
f1 = stdin;
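Review bot: Setting record_number = 0 silences the UNINIT warning in DoWriteCommand, but it also turns a missed assignment into a plausible-looking value. If 0 could be mistaken for a real record number wherever record_number is later read, prefer checking the result of the step that is supposed to fill it and bailing out on failure, rather than relying on the default.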


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch master updated - tevent-0-9-8-360-g4c5854f

2009-09-16 Thread Matthias Dieter Wallnöfer
The branch, master has been updated
   via  4c5854fc2d8569cdf27fc6af543ad4a25a6f7a0b (commit)
  from  a0d8698f6547a020ee0fba59704d2ebeb8c27763 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 4c5854fc2d8569cdf27fc6af543ad4a25a6f7a0b
Author: Matt Kraai mkr...@beckman.com
Date:   Tue Sep 15 13:09:10 2009 -0700

Ignore source4/dsdb/kcc/kcc_service_proto.h.

---

Summary of changes:
 .gitignore |1 +
 1 files changed, 1 insertions(+), 0 deletions(-)


Changeset truncated at 500 lines:

diff --git a/.gitignore b/.gitignore
index 8425302..43f7846 100644
--- a/.gitignore
+++ b/.gitignore
@@ -138,6 +138,7 @@ source4/config.mk
 source4/coverage
 source4/data.mk
 source4/dsdb/common/proto.h
+source4/dsdb/kcc/kcc_service_proto.h
 source4/dsdb/repl/drepl_service_proto.h
 source4/dsdb/samdb/samdb_proto.h
 source4/dsdb/schema/proto.h


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch master updated - tevent-0-9-8-362-g033ced6

2009-09-16 Thread Stefan Metzmacher
The branch, master has been updated
   via  033ced60ac734161686bd3da685f2d7b056e17c8 (commit)
   via  8f482ae663611ee2109395e4d24418e4c4f57160 (commit)
  from  4c5854fc2d8569cdf27fc6af543ad4a25a6f7a0b (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 033ced60ac734161686bd3da685f2d7b056e17c8
Author: Stefan Metzmacher me...@samba.org
Date:   Wed Sep 16 02:03:46 2009 +0200

libcli/auth: rewrite schannel sign/seal code to be more generic

This prepares support for HMAC-SHA256/AES.

metze

commit 8f482ae663611ee2109395e4d24418e4c4f57160
Author: Stefan Metzmacher me...@samba.org
Date:   Wed Sep 16 02:36:49 2009 +0200

lib/crypto: include aes.h into crypto.h

metze

---

Summary of changes:
 lib/crypto/crypto.h|2 +-
 libcli/auth/schannel_proto.h   |   21 +--
 libcli/auth/schannel_sign.c|  297 
 source3/rpc_client/cli_pipe.c  |   41 ---
 source3/rpc_server/srv_pipe.c  |   44 ---
 source4/auth/gensec/schannel.c |   89 -
 6 files changed, 264 insertions(+), 230 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/crypto/crypto.h b/lib/crypto/crypto.h
index 0a43cbe..b5ea9c7 100644
--- a/lib/crypto/crypto.h
+++ b/lib/crypto/crypto.h
@@ -24,5 +24,5 @@
 #include ../lib/crypto/sha256.h
 #include ../lib/crypto/hmacsha256.h
 #include ../lib/crypto/arcfour.h
-
+#include ../lib/crypto/aes.h
 
diff --git a/libcli/auth/schannel_proto.h b/libcli/auth/schannel_proto.h
index d31707d..eee7199 100644
--- a/libcli/auth/schannel_proto.h
+++ b/libcli/auth/schannel_proto.h
@@ -23,20 +23,15 @@
 #ifndef _LIBCLI_AUTH_SCHANNEL_PROTO_H__
 #define _LIBCLI_AUTH_SCHANNEL_PROTO_H__
 
-NTSTATUS schannel_unseal_packet(struct schannel_state *state,
+NTSTATUS netsec_incoming_packet(struct schannel_state *state,
TALLOC_CTX *mem_ctx,
+   bool do_unseal,
uint8_t *data, size_t length,
const DATA_BLOB *sig);
-NTSTATUS schannel_check_packet(struct schannel_state *state,
-  TALLOC_CTX *mem_ctx,
-  const uint8_t *data, size_t length,
-  const DATA_BLOB *sig);
-NTSTATUS schannel_seal_packet(struct schannel_state *state,
- TALLOC_CTX *mem_ctx,
- uint8_t *data, size_t length,
- DATA_BLOB *sig);
-NTSTATUS schannel_sign_packet(struct schannel_state *state,
- TALLOC_CTX *mem_ctx,
- const uint8_t *data, size_t length,
- DATA_BLOB *sig);
+NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
+   TALLOC_CTX *mem_ctx,
+   bool do_seal,
+   uint8_t *data, size_t length,
+   DATA_BLOB *sig);
+
 #endif
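Review bot: netsec_incoming_packet and netsec_outgoing_packet both take a non-const uint8_t *data, whereas the removed schannel_check_packet and schannel_sign_packet took const uint8_t *data. With do_unseal or do_seal false the buffer should not be modified, and the prototype no longer lets the compiler enforce that for sign-only callers. Please document the two bool parameters in this header, including that data is left untouched when they are false, since a bare true/false at the call site does not say whether the packet is being encrypted or only signed.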
diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
index e60b410..0672f67 100644
--- a/libcli/auth/schannel_sign.c
+++ b/libcli/auth/schannel_sign.c
@@ -24,58 +24,89 @@
 #include ../libcli/auth/schannel.h
 #include ../lib/crypto/crypto.h
 
-#define NETSEC_SIGN_SIGNATURE { 0x77, 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00 
}
-#define NETSEC_SEAL_SIGNATURE { 0x77, 0x00, 0x7a, 0x00, 0xff, 0xff, 0x00, 0x00 
}
+static void netsec_offset_and_sizes(struct schannel_state *state,
+   bool do_seal,
+   uint32_t *_min_sig_size,
+   uint32_t *_used_sig_size,
+   uint32_t *_checksum_length,
+   uint32_t *_confounder_ofs)
+{
+   uint32_t min_sig_size = 24;
+   uint32_t used_sig_size = 32;
+   uint32_t checksum_length = 8;
+   uint32_t confounder_ofs = 24;
+
+   if (do_seal) {
+   min_sig_size += 8;
+   }
+
+   if (_min_sig_size) {
+   *_min_sig_size = min_sig_size;
+   }
+
+   if (_used_sig_size) {
+   *_used_sig_size = used_sig_size;
+   }
+
+   if (_checksum_length) {
+   *_checksum_length = checksum_length;
+   }
+
+   if (_confounder_ofs) {
+   *_confounder_ofs = confounder_ofs;
+   }
+}
 
 /***
  Encode or Decode the sequence number (which is symmetric)
  /
-static void netsec_deal_with_seq_num(struct schannel_state *state,
-const uint8_t packet_digest[8],
-uint8_t seq_num[8])
+static void 
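Review bot: netsec_offset_and_sizes hard-codes 24, 32, 8 and 24 with no comment on what each length refers to, and the state argument is not used anywhere in the visible body. Since min_sig_size is the kind of value incoming signature lengths get validated against, name the constants or comment them, and note that state is reserved for the HMAC-SHA256/AES case mentioned in the commit message so it is not removed as dead code.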

[SCM] Samba Shared Repository - branch master updated - tevent-0-9-8-364-g45cebf7

2009-09-16 Thread Andrew Tridgell
The branch, master has been updated
   via  45cebf7f113c3ff3c1b029c591d879b992f8 (commit)
   via  98f2a3b6a3a068e4d9741eed8a8648d85c318207 (commit)
  from  033ced60ac734161686bd3da685f2d7b056e17c8 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 45cebf7f113c3ff3c1b029c591d879b992f8
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Sep 16 03:57:56 2009 -0700

s4-repl: raise a debug level

commit 98f2a3b6a3a068e4d9741eed8a8648d85c318207
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Sep 16 03:43:37 2009 -0700

s4-dsdb: treat uSNHighest as 0 if @REPLCHANGED doesn't exist

When a partition is first created it still needs a uSNHighest value

---

Summary of changes:
 source4/dsdb/common/util.c |8 
 source4/dsdb/repl/drepl_out_pull.c |2 +-
 2 files changed, 9 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index c2636e1..633279e 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -2311,6 +2311,14 @@ int dsdb_load_partition_usn(struct ldb_context *ldb, 
struct ldb_dn *dn, uint64_t
ret = ldb_wait(req-handle, LDB_WAIT_ALL);
}
 
+   if (ret == LDB_ERR_NO_SUCH_OBJECT) {
+   /* it hasn't been created yet, which means
+  an implicit value of zero */
+   *uSN = 0;
+   talloc_free(tmp_ctx);
+   return LDB_SUCCESS;
+   }
+
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
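Review bot: The new LDB_ERR_NO_SUCH_OBJECT branch in dsdb_load_partition_usn returns LDB_SUCCESS with *uSN = 0, so callers can no longer tell a freshly created partition from one whose record has gone missing for another reason. A DEBUG line naming dn in this branch would at least leave a trace when the implicit zero is used; the comment should also say which record "it" refers to, as the commit message does.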
diff --git a/source4/dsdb/repl/drepl_out_pull.c 
b/source4/dsdb/repl/drepl_out_pull.c
index b073d26..2793eec 100644
--- a/source4/dsdb/repl/drepl_out_pull.c
+++ b/source4/dsdb/repl/drepl_out_pull.c
@@ -109,7 +109,7 @@ static void dreplsrv_pending_op_callback(struct 
dreplsrv_out_operation *op)
if (W_ERROR_IS_OK(rf-result_last_attempt)) {
rf-consecutive_sync_failures   = 0;
rf-last_success= now;
-   DEBUG(2,(dreplsrv_op_pull_source(%s)\n,
+   DEBUG(3,(dreplsrv_op_pull_source(%s)\n,
win_errstr(rf-result_last_attempt)));
goto done;
}


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch master updated - tevent-0-9-8-365-g89ed2af

2009-09-16 Thread Bo Yang
The branch, master has been updated
   via  89ed2af69d6d6adcaf64d4c576ee8ba41b27b8a5 (commit)
  from  45cebf7f113c3ff3c1b029c591d879b992f8 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 89ed2af69d6d6adcaf64d4c576ee8ba41b27b8a5
Author: Bo Yang boy...@samba.org
Date:   Wed Sep 16 22:03:57 2009 +0800

s3: Don't overwrite password in pam_winbind, subsequent pam modules
might use the old password and new password.

Signed-off-by: Bo Yang boy...@samba.org

---

Summary of changes:
 nsswitch/pam_winbind.c |4 
 1 files changed, 0 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index 4e84574..324bede 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -3059,8 +3059,6 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
ret = winbind_chauthtok_request(ctx, user, pass_old,
pass_new, pwdlastset_update);
if (ret) {
-   _pam_overwrite(pass_new);
-   _pam_overwrite(pass_old);
pass_old = pass_new = NULL;
goto out;
}
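Review bot: On this failure path in pam_sm_chauthtok the two _pam_overwrite calls are dropped but pass_old = pass_new = NULL stays, so the module forgets its pointers while the cleartext passwords remain in memory. That is correct only if both strings are owned by the PAM stack and not by this module; if either one is a copy allocated here, it still needs to be scrubbed and freed before the pointer is cleared.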
@@ -3089,8 +3087,6 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
   member, cctype, 0,
   error, info, policy,
   NULL, username_ret);
-   _pam_overwrite(pass_new);
-   _pam_overwrite(pass_old);
pass_old = pass_new = NULL;
 
if (ret == PAM_SUCCESS) {
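Review bot: The same removal on the success path leaves nothing in the code to explain why password buffers are deliberately not wiped, which invites someone to add the _pam_overwrite calls back later. A one-line comment above pass_old = pass_new = NULL stating that subsequent PAM modules may still need both values would record the reason given in the commit message.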


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch master updated - tevent-0-9-8-370-g53d6dd3

2009-09-16 Thread Andrew Bartlett
The branch, master has been updated
   via  53d6dd3d52b36f65dcba8ff951f2febb995660ca (commit)
   via  d70e17171912c190b258848edb1ae627fe59cde4 (commit)
   via  fec33db90ebd998f17ed2d539d67abb448e09af2 (commit)
   via  932690c093692b1e9fca4dfa75c7cd55ea4e63b1 (commit)
   via  e8e8e40505465c65bcf434373ae89c8bbf650f96 (commit)
  from  89ed2af69d6d6adcaf64d4c576ee8ba41b27b8a5 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 53d6dd3d52b36f65dcba8ff951f2febb995660ca
Author: Nadezhda Ivanova nadezhda.ivan...@postpath.com
Date:   Tue Sep 15 17:39:36 2009 -0700

security:idl Generated files

Signed-off-by: Andrew Bartlett abart...@samba.org

commit d70e17171912c190b258848edb1ae627fe59cde4
Author: Nadezhda Ivanova nadezhda.ivan...@postpath.com
Date:   Mon Sep 14 19:44:41 2009 +0300

Owner and group defaulting.

Signed-off-by: Andrew Bartlett abart...@samba.org

commit fec33db90ebd998f17ed2d539d67abb448e09af2
Author: Zahari Zahariev zahari.zahar...@postpath.com
Date:   Tue Sep 15 17:34:42 2009 -0700

Tests for descriptor inheritance

Signed-off-by: Nadezhda Ivanova nadezhda.ivan...@postpath.com
Signed-off-by: Andrew Bartlett abart...@samba.org

commit 932690c093692b1e9fca4dfa75c7cd55ea4e63b1
Author: Andrew Bartlett abart...@samba.org
Date:   Tue Sep 15 22:02:36 2009 -0700

s4:kdc In the kpasswd server, don't use the client address in mk_priv

This code eventually calls into mk_priv in the Heimdal code, and if
the client is behind NAT, or somehow has an odd idea about its own
network addresses, it will fail to accept this packet if we set an
address.  It seems easier not to.  (Found by testing with NetAPP at
plugfest)

Andrew Bartlett

commit e8e8e40505465c65bcf434373ae89c8bbf650f96
Author: Andrew Bartlett abart...@samba.org
Date:   Tue Sep 15 22:00:45 2009 -0700

s4:rpc_server negotiate max xmit size with RPC client

Testing against NetAPP showed that clients can object to being told a
larger max xmit fragment size than they negotiated.  Choose the
minimum of the server and client values.

Andrew Bartlett

---

Summary of changes:
 libcli/security/security_descriptor.c  |2 +-
 libcli/security/security_descriptor.h  |3 +
 librpc/gen_ndr/ndr_security.c  |   50 +
 librpc/gen_ndr/ndr_security.h  |3 +
 librpc/gen_ndr/security.h  |   13 +
 librpc/idl/security.idl|   34 +
 source4/dsdb/samdb/ldb_modules/config.mk   |   12 +
 source4/dsdb/samdb/ldb_modules/descriptor.c|  459 +++
 source4/dsdb/samdb/ldb_modules/objectclass.c   |   65 +-
 source4/kdc/kpasswdd.c |8 +
 source4/lib/ldb/tests/python/sec_descriptor.py | 1610 
 source4/libcli/security/config.mk  |2 +-
 source4/libcli/security/create_descriptor.c|  117 ++
 source4/rpc_server/dcerpc_server.c |4 +-
 source4/scripting/python/samba/provision.py|1 +
 source4/selftest/knownfail |1 +
 source4/selftest/tests.sh  |3 +-
 17 files changed, 2325 insertions(+), 62 deletions(-)
 create mode 100644 source4/dsdb/samdb/ldb_modules/descriptor.c
 create mode 100644 source4/lib/ldb/tests/python/sec_descriptor.py
 create mode 100644 source4/libcli/security/create_descriptor.c


Changeset truncated at 500 lines:

diff --git a/libcli/security/security_descriptor.c 
b/libcli/security/security_descriptor.c
index f18a326..dbe1160 100644
--- a/libcli/security/security_descriptor.c
+++ b/libcli/security/security_descriptor.c
@@ -50,7 +50,7 @@ struct security_descriptor 
*security_descriptor_initialise(TALLOC_CTX *mem_ctx)
return sd;
 }
 
-static struct security_acl *security_acl_dup(TALLOC_CTX *mem_ctx,
+struct security_acl *security_acl_dup(TALLOC_CTX *mem_ctx,
 const struct security_acl *oacl)
 {
struct security_acl *nacl;
diff --git a/libcli/security/security_descriptor.h 
b/libcli/security/security_descriptor.h
index c535f5d..a377ef5 100644
--- a/libcli/security/security_descriptor.h
+++ b/libcli/security/security_descriptor.h
@@ -61,4 +61,7 @@ struct security_ace *security_ace_create(TALLOC_CTX *mem_ctx,
 uint32_t access_mask,
 uint8_t flags);
 
+struct security_acl *security_acl_dup(TALLOC_CTX *mem_ctx,
+ const struct security_acl *oacl);
+
 #endif /* __SECURITY_DESCRIPTOR_H__ */
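Review bot: security_acl_dup is now exported from security_descriptor.h without any documenting comment. Now that it is public, state that the copy is allocated on mem_ctx and what is returned when oacl is NULL or allocation fails, so new callers do not have to read the implementation to handle the result safely.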
diff --git a/librpc/gen_ndr/ndr_security.c b/librpc/gen_ndr/ndr_security.c
index c227170..0bc039d 100644
--- a/librpc/gen_ndr/ndr_security.c
+++ b/librpc/gen_ndr/ndr_security.c
@@ -850,6 

[SCM] Samba Shared Repository - branch master updated - tevent-0-9-8-371-g42e393a

2009-09-16 Thread Günther Deschner
The branch, master has been updated
   via  42e393af28340bb18cc4a9b47a08df2be870441e (commit)
  from  53d6dd3d52b36f65dcba8ff951f2febb995660ca (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 42e393af28340bb18cc4a9b47a08df2be870441e
Author: Günther Deschner g...@samba.org
Date:   Mon Aug 17 17:57:47 2009 +0200

s3-rpcclient: fix netr_LogonGetCapabilities command.

Guenther

---

Summary of changes:
 source3/rpcclient/cmd_netlogon.c |   11 +--
 1 files changed, 5 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
index aa49321..ae76652 100644
--- a/source3/rpcclient/cmd_netlogon.c
+++ b/source3/rpcclient/cmd_netlogon.c
@@ -1127,11 +1127,9 @@ static NTSTATUS cmd_netlogon_capabilities(struct 
rpc_pipe_client *cli,
level = atoi(argv[1]);
}
 
-#if 0
+   ZERO_STRUCT(return_authenticator);
+
netlogon_creds_client_authenticator(cli-dc, credential);
-#else
-   ZERO_STRUCT(credential);
-#endif
 
status = rpccli_netr_LogonGetCapabilities(cli, mem_ctx,
  cli-desthost,
@@ -1140,13 +1138,14 @@ static NTSTATUS cmd_netlogon_capabilities(struct 
rpc_pipe_client *cli,
  return_authenticator,
  level,
  capabilities);
-#if 0
+
if (!netlogon_creds_client_check(cli-dc,
 return_authenticator.cred)) {
DEBUG(0,(credentials chain check failed\n));
return NT_STATUS_ACCESS_DENIED;
}
-#endif
+
+   printf(capabilities: 0x%08x\n, capabilities.server_capabilities);
 
return status;
 }
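Review bot: In cmd_netlogon_capabilities the netlogon_creds_client_check call now runs before status is examined. If rpccli_netr_LogonGetCapabilities fails, return_authenticator is still the zeroed structure from ZERO_STRUCT, the check fails, and the command returns NT_STATUS_ACCESS_DENIED instead of the real error; test NT_STATUS_IS_OK(status) first and return status early. The same ordering issue means the new printf of capabilities.server_capabilities should only be reached on success.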


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch master updated - tevent-0-9-8-374-g8302346

2009-09-16 Thread Günther Deschner
The branch, master has been updated
   via  83023462f95f60ecfd3019abe896cca1d2aed771 (commit)
   via  44e44310d1871fe94728573fa162a454caba3d12 (commit)
   via  5ddde4e19dfb6a65d9b5b5cf11d5742e2b82e02b (commit)
  from  42e393af28340bb18cc4a9b47a08df2be870441e (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 83023462f95f60ecfd3019abe896cca1d2aed771
Author: Günther Deschner g...@samba.org
Date:   Tue Sep 15 02:53:21 2009 +0200

libcli/auth: remove trailing whitespace.

Guenther

commit 44e44310d1871fe94728573fa162a454caba3d12
Author: Günther Deschner g...@samba.org
Date:   Mon Aug 31 20:21:40 2009 +0200

s3-netlogon: support validation level 6 in netr_SamLogon calls.

Guenther

commit 5ddde4e19dfb6a65d9b5b5cf11d5742e2b82e02b
Author: Günther Deschner g...@samba.org
Date:   Mon Aug 31 20:20:52 2009 +0200

s3-netlogon: match all logon levels in netr_SamLogon calls.

Guenther

---

Summary of changes:
 libcli/auth/smbencrypt.c   |  144 ++--
 source3/include/proto.h|4 +
 source3/rpc_server/srv_netlog_nt.c |   19 +
 source3/rpc_server/srv_pipe_hnd.c  |   51 +
 4 files changed, 146 insertions(+), 72 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index eaa1b6f..a3182cd 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -1,4 +1,4 @@
-/* 
+/*
Unix SMB/CIFS implementation.
SMB parameters and setup
Copyright (C) Andrew Tridgell 1992-1998
@@ -6,17 +6,17 @@
Copyright (C) Jeremy Allison 1995-2000.
Copyright (C) Luke Kennethc Casson Leighton 1996-2000.
Copyright (C) Andrew Bartlett abart...@samba.org 2002-2003
-   
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-   
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.
-   
+
You should have received a copy of the GNU General Public License
along with this program.  If not, see http://www.gnu.org/licenses/.
 */
@@ -47,8 +47,8 @@ void SMBencrypt_hash(const uint8_t lm_hash[16], const uint8_t 
*c8, uint8_t p24[2
 
 /*
This implements the X/Open SMB password encryption
-   It takes a password ('unix' string), a 8 byte crypt key 
-   and puts 24 bytes of encrypted password into p24 
+   It takes a password ('unix' string), a 8 byte crypt key
+   and puts 24 bytes of encrypted password into p24
 
Returns False if password must have been truncated to create LM hash
 */
@@ -58,7 +58,7 @@ bool SMBencrypt(const char *passwd, const uint8_t *c8, 
uint8_t p24[24])
bool ret;
uint8_t lm_hash[16];
 
-   ret = E_deshash(passwd, lm_hash); 
+   ret = E_deshash(passwd, lm_hash);
SMBencrypt_hash(lm_hash, c8, p24);
return ret;
 }
@@ -68,7 +68,7 @@ bool SMBencrypt(const char *passwd, const uint8_t *c8, 
uint8_t p24[24])
  * @param passwd password in 'unix' charset.
  * @param p16 return password hashed with md4, caller allocated 16 byte buffer
  */
- 
+
 bool E_md4hash(const char *passwd, uint8_t p16[16])
 {
size_t len;
@@ -82,7 +82,7 @@ bool E_md4hash(const char *passwd, uint8_t p16[16])
mdfour(p16, (const uint8_t *)passwd, strlen(passwd));
return false;
}
-   
+
len -= 2;
mdfour(p16, (const uint8_t *)wpwd, len);
 
@@ -101,7 +101,7 @@ void E_md5hash(const uint8_t salt[16], const uint8_t 
nthash[16], uint8_t hash_ou
 {
struct MD5Context tctx;
uint8_t array[32];
-   
+
memset(hash_out, '\0', 16);
memcpy(array, salt, 16);
memcpy(array[16], nthash, 16);
@@ -117,7 +117,7 @@ void E_md5hash(const uint8_t salt[16], const uint8_t 
nthash[16], uint8_t hash_ou
  * @return false if password was  14 characters, and therefore may be 
incorrect, otherwise true
  * @note p16 is filled in regardless
  */
- 
+
 bool E_deshash(const char *passwd, uint8_t p16[16])
 {
bool ret = true;
@@ -134,19 +134,19 @@ bool E_deshash(const char *passwd, uint8_t p16[16])
ret = false;
}
 
-   ZERO_STRUCT(dospwd);
+   ZERO_STRUCT(dospwd);
 
return ret;
 }
 
 /**
- * Creates the MD4 and DES (LM) Hash of the users password.  
+ * Creates the MD4 and DES (LM) Hash of the users password.
  * MD4 is of the NT Unicode, DES is of the DOS UPPERCASE password.
  * @param passwd password in 'unix' charset.
  * @param nt_p16 

[SCM] Samba Shared Repository - branch master updated - tevent-0-9-8-375-g503d035

2009-09-16 Thread Günther Deschner
The branch, master has been updated
   via  503d0358140fbf56bd83090f143272aeb770baa9 (commit)
  from  83023462f95f60ecfd3019abe896cca1d2aed771 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 503d0358140fbf56bd83090f143272aeb770baa9
Author: Günther Deschner g...@samba.org
Date:   Thu Sep 17 00:21:01 2009 +0200

spnego: share spnego_parse.

Guenther

---

Summary of changes:
 libcli/auth/spnego.h   |   70 ++
 libcli/auth/spnego_parse.c |  407 +++
 source3/Makefile.in|2 +-
 source3/include/ads.h  |6 +
 source3/include/includes.h |1 -
 source3/include/proto.h|6 -
 source3/include/spnego.h   |   81 ---
 source3/libads/sasl.c  |1 +
 source3/libsmb/cliconnect.c|1 +
 source3/libsmb/clifsinfo.c |1 +
 source3/libsmb/clispnego.c |   15 +-
 source3/libsmb/spnego.c|  362 
 source3/rpc_client/cli_pipe.c  |1 +
 source3/rpc_server/srv_pipe.c  |1 +
 source3/smbd/negprot.c |1 +
 source3/smbd/seal.c|1 +
 source3/smbd/sesssetup.c   |1 +
 source3/smbd/smb2_sesssetup.c  |1 +
 source3/utils/ntlm_auth.c  |   43 ++--
 source4/auth/gensec/config.mk  |2 +-
 source4/auth/gensec/spnego.c   |2 +-
 source4/auth/gensec/spnego.h   |   65 --
 source4/auth/gensec/spnego_parse.c |  408 
 23 files changed, 527 insertions(+), 952 deletions(-)
 create mode 100644 libcli/auth/spnego.h
 create mode 100644 libcli/auth/spnego_parse.c
 delete mode 100644 source3/include/spnego.h
 delete mode 100644 source3/libsmb/spnego.c
 delete mode 100644 source4/auth/gensec/spnego.h
 delete mode 100644 source4/auth/gensec/spnego_parse.c


Changeset truncated at 500 lines:

diff --git a/libcli/auth/spnego.h b/libcli/auth/spnego.h
new file mode 100644
index 000..250ffed
--- /dev/null
+++ b/libcli/auth/spnego.h
@@ -0,0 +1,70 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   RFC2478 Compliant SPNEGO implementation
+
+   Copyright (C) Jim McDonough j...@us.ibm.com   2003
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see http://www.gnu.org/licenses/.
+*/
+
+#define OID_SPNEGO 1.3.6.1.5.5.2
+#define OID_NTLMSSP 1.3.6.1.4.1.311.2.2.10
+#define OID_KERBEROS5_OLD 1.2.840.48018.1.2.2
+#define OID_KERBEROS5 1.2.840.113554.1.2.2
+
+#define SPNEGO_DELEG_FLAG0x01
+#define SPNEGO_MUTUAL_FLAG   0x02
+#define SPNEGO_REPLAY_FLAG   0x04
+#define SPNEGO_SEQUENCE_FLAG 0x08
+#define SPNEGO_ANON_FLAG 0x10
+#define SPNEGO_CONF_FLAG 0x20
+#define SPNEGO_INTEG_FLAG0x40
+#define SPNEGO_REQ_FLAG  0x80
+
+enum spnego_negResult {
+   SPNEGO_ACCEPT_COMPLETED = 0,
+   SPNEGO_ACCEPT_INCOMPLETE = 1,
+   SPNEGO_REJECT = 2,
+   SPNEGO_NONE_RESULT = 3
+};
+
+struct spnego_negTokenInit {
+   const char **mechTypes;
+   int reqFlags;
+   DATA_BLOB mechToken;
+   DATA_BLOB mechListMIC;
+   char *targetPrincipal;
+};
+
+struct spnego_negTokenTarg {
+   uint8_t negResult;
+   const char *supportedMech;
+   DATA_BLOB responseToken;
+   DATA_BLOB mechListMIC;
+};
+
+struct spnego_data {
+   int type;
+   struct spnego_negTokenInit negTokenInit;
+   struct spnego_negTokenTarg negTokenTarg;
+};
+
+enum spnego_message_type {
+   SPNEGO_NEG_TOKEN_INIT = 0,
+   SPNEGO_NEG_TOKEN_TARG = 1,
+};
+
+#include auth/gensec/spnego_proto.h
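Review bot: The new libcli/auth/spnego.h has no include guard, so a second inclusion will redefine enum spnego_negResult and the three structs. Its last line also still includes auth/gensec/spnego_proto.h, a source4 path, from a header that is now meant to be shared; point it at a prototype header next to this file. Separately, negResult in struct spnego_negTokenTarg is a uint8_t although enum spnego_negResult is defined just above it, so either use the enum type or comment why the raw byte is kept.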
diff --git a/libcli/auth/spnego_parse.c b/libcli/auth/spnego_parse.c
new file mode 100644
index 000..27e5774
--- /dev/null
+++ b/libcli/auth/spnego_parse.c
@@ -0,0 +1,407 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   RFC2478 Compliant SPNEGO implementation
+
+   Copyright (C) Jim McDonough j...@us.ibm.com   2003
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the 

[SCM] Samba Shared Repository - branch master updated - tevent-0-9-8-376-g43e198c

2009-09-16 Thread Günther Deschner
The branch, master has been updated
   via  43e198c188367bfe747ea52ae74679ac8bbc41dc (commit)
  from  503d0358140fbf56bd83090f143272aeb770baa9 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 43e198c188367bfe747ea52ae74679ac8bbc41dc
Author: Günther Deschner g...@samba.org
Date:   Thu Sep 17 01:39:12 2009 +0200

spnego: add spnego_proto.h.

Guenther

---

Summary of changes:
 libcli/auth/spnego.h |2 +-
 libcli/{smb/smb_common.h => auth/spnego_proto.h} |   18 +-
 2 files changed, 10 insertions(+), 10 deletions(-)
 copy libcli/{smb/smb_common.h => auth/spnego_proto.h} (60%)


Changeset truncated at 500 lines:

diff --git a/libcli/auth/spnego.h b/libcli/auth/spnego.h
index 250ffed..08350a4 100644
--- a/libcli/auth/spnego.h
+++ b/libcli/auth/spnego.h
@@ -67,4 +67,4 @@ enum spnego_message_type {
SPNEGO_NEG_TOKEN_TARG = 1,
 };
 
-#include auth/gensec/spnego_proto.h
+#include ../libcli/auth/spnego_proto.h
diff --git a/libcli/smb/smb_common.h b/libcli/auth/spnego_proto.h
similarity index 60%
copy from libcli/smb/smb_common.h
copy to libcli/auth/spnego_proto.h
index d6186ab..5fd5e59 100644
--- a/libcli/smb/smb_common.h
+++ b/libcli/auth/spnego_proto.h
@@ -1,9 +1,9 @@
 /*
Unix SMB/CIFS implementation.
 
-   SMB and SMB2 common header
+   RFC2478 Compliant SPNEGO implementation
 
-   Copyright (C) Stefan Metzmacher 2009
+   Copyright (C) Jim McDonough j...@us.ibm.com   2003
 
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -15,14 +15,14 @@
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.
 
+
You should have received a copy of the GNU General Public License
along with this program.  If not, see http://www.gnu.org/licenses/.
 */
 
-#ifndef __LIBCLI_SMB_SMB_COMMON_H__
-#define __LIBCLI_SMB_SMB_COMMON_H__
-
-#include ../libcli/smb/smb2_constants.h
-#include ../libcli/smb/smb2_create_blob.h
-
-#endif
+ssize_t spnego_read_data(TALLOC_CTX *mem_ctx, DATA_BLOB data, struct 
spnego_data *token);
+ssize_t spnego_write_data(TALLOC_CTX *mem_ctx, DATA_BLOB *blob, struct 
spnego_data *spnego);
+bool spnego_free_data(struct spnego_data *spnego);
+bool spnego_write_mech_types(TALLOC_CTX *mem_ctx,
+const char **mech_types,
+DATA_BLOB *blob);
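
Review bot: the new spnego_proto.h ends up with no include guard; the `#ifndef __LIBCLI_SMB_SMB_COMMON_H__` / `#endif` pair from the copied file is removed and nothing replaces it. The prototypes also use TALLOC_CTX, DATA_BLOB and struct spnego_data without including anything, so the header depends on its includer having declared those first, as spnego.h does for struct spnego_data by including it on its last line; either add a guard plus a comment saying so, or include what it needs. The return convention of the two ssize_t functions on failure deserves a one-line comment since every caller has to test it, and the blank `+` line added inside the licence text looks unintentional.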


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch master updated - tevent-0-9-8-377-g9195595

2009-09-16 Thread Volker Lendecke
The branch, master has been updated
   via  919559573cf9484beeeb31aaaff844349972634d (commit)
  from  43e198c188367bfe747ea52ae74679ac8bbc41dc (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 919559573cf9484beeeb31aaaff844349972634d
Author: Volker Lendecke v...@samba.org
Date:   Thu Sep 17 02:06:30 2009 +0200

s3:vfs: Fix the build of vfs_tsmsm after the VFS rewrite

---

Summary of changes:
 source3/modules/vfs_tsmsm.c |6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_tsmsm.c b/source3/modules/vfs_tsmsm.c
index b510432..7c63b8c 100644
--- a/source3/modules/vfs_tsmsm.c
+++ b/source3/modules/vfs_tsmsm.c
@@ -314,7 +314,7 @@ static ssize_t tsmsm_pread(struct vfs_handle_struct 
*handle, struct files_struct
 }
 
 static ssize_t tsmsm_pwrite(struct vfs_handle_struct *handle, struct 
files_struct *fsp, 
-  void *data, size_t n, SMB_OFF_T offset) {
+   const void *data, size_t n, SMB_OFF_T offset) {
ssize_t result;
bool notify_online = tsmsm_aio_force(handle, fsp);
 
@@ -367,7 +367,7 @@ static struct vfs_fn_pointers tsmsm_fns = {
.connect_fn = tsmsm_connect,
.fs_capabilities = tsmsm_fs_capabilities,
.aio_force = tsmsm_aio_force,
-   .aio_return = tsmsm_aio_return,
+   .aio_return_fn = tsmsm_aio_return,
.pread = tsmsm_pread,
.pwrite = tsmsm_pwrite,
.sendfile = tsmsm_sendfile,
@@ -379,5 +379,5 @@ NTSTATUS vfs_tsmsm_init(void);
 NTSTATUS vfs_tsmsm_init(void)
 {
return smb_register_vfs(SMB_VFS_INTERFACE_VERSION,
-   tsmsm, vfs_fns);
+   tsmsm, tsmsm_fns);
 }


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch master updated - tevent-0-9-8-378-g277597d

2009-09-16 Thread Volker Lendecke
The branch, master has been updated
   via  277597de8548d6bcc65e7eff40b238415659eb17 (commit)
  from  919559573cf9484beeeb31aaaff844349972634d (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 277597de8548d6bcc65e7eff40b238415659eb17
Author: Abhidnya Chirmule achir...@in.ibm.com
Date:   Wed Sep 16 07:22:32 2009 +0200

To set file create/birth time in GPFS. Signed-off-by: Abhidnya Chirmule 
achir...@in.ibm.com

---

Summary of changes:
 source3/modules/vfs_gpfs.c |   42 ++
 1 files changed, 42 insertions(+), 0 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_gpfs.c b/source3/modules/vfs_gpfs.c
index 3660bb2..dbed897 100644
--- a/source3/modules/vfs_gpfs.c
+++ b/source3/modules/vfs_gpfs.c
@@ -1059,6 +1059,47 @@ static int vfs_gpfs_lstat(struct vfs_handle_struct 
*handle,
return 0;
 }
 
+static int vfs_gpfs_ntimes(struct vfs_handle_struct *handle,
+const struct smb_filename *smb_fname,
+   struct smb_file_time *ft)
+{
+
+struct gpfs_winattr attrs;
+int ret;
+char *path = NULL;
+NTSTATUS status;
+
+ret = SMB_VFS_NEXT_NTIMES(handle, smb_fname, ft);
+if(ret == -1){
+DEBUG(1,(vfs_gpfs_ntimes: SMB_VFS_NEXT_NTIMES failed\n));
+return -1;
+}
+
+if(null_timespec(ft-create_time)){
+DEBUG(10,(vfs_gpfs_ntimes:Create Time is NULL\n));
+return 0;
+}
+
+status = get_full_smb_filename(talloc_tos(), smb_fname, path);
+if (!NT_STATUS_IS_OK) {
+errno = map_errno_from_nt_status(status);
+return -1;
+}
+
+attrs.winAttrs = 0;
+attrs.creationTime.tv_sec = ft-create_time.tv_sec;
+attrs.creationTime.tv_nsec = ft-create_time.tv_nsec;
+
+ret = set_gpfs_winattrs(CONST_DISCARD(char *, path),
+GPFS_WINATTR_SET_CREATION_TIME, attrs);
+if(ret == -1){
+DEBUG(1,(vfs_gpfs_ntimes: set GPFS ntimes failed %d\n,ret));
+   return -1;
+}
+return 0;
+
+}
+
 static struct vfs_fn_pointers vfs_gpfs_fns = {
.kernel_flock = vfs_gpfs_kernel_flock,
 .setlease = vfs_gpfs_setlease,
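
Review bot: in vfs_gpfs_ntimes the check after get_full_smb_filename reads `if (!NT_STATUS_IS_OK) {` with no argument, so the returned status is not what gets tested; it should be `if (!NT_STATUS_IS_OK(status)) {`. In the same function `struct gpfs_winattr attrs;` is declared without an initialiser and only winAttrs and creationTime are assigned before it is handed to set_gpfs_winattrs, which leaves any other field of the struct indeterminate; zero the whole struct first. The last DEBUG prints ret, which is always -1 on that path, so logging errno there would be more useful.
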
@@ -1079,6 +1120,7 @@ static struct vfs_fn_pointers vfs_gpfs_fns = {
 .stat = vfs_gpfs_stat,
 .fstat = vfs_gpfs_fstat,
 .lstat = vfs_gpfs_lstat,
+   .ntimes = vfs_gpfs_ntimes,
 };
 
 NTSTATUS vfs_gpfs_init(void);


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch master updated - tevent-0-9-8-384-g35f4b88

2009-09-16 Thread Günther Deschner
The branch, master has been updated
   via  35f4b88c7c6a16664efef95d441389e3d2bc8c4c (commit)
   via  8bebce45d33babc22dea4bb10f661ea502d8bbdd (commit)
   via  3f835eb9478b30bb91593c2a0073b72e696076f2 (commit)
   via  91d3d3c6a23ffba755ac4b72d668fb247340fc24 (commit)
   via  fc1ac736d6c7b1e647890255d4217609f45dcb77 (commit)
   via  1cfac63fa4335b45b9c722316a45b2b187de78a0 (commit)
  from  277597de8548d6bcc65e7eff40b238415659eb17 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 35f4b88c7c6a16664efef95d441389e3d2bc8c4c
Author: Kamen Mazdrashki kamen.mazdras...@postpath.com
Date:   Thu Sep 17 06:03:47 2009 +0300

w32err: use WERR_DC_NOT_FOUND name instead of 
WERR_DOMAIN_CONTROLLER_NOT_FOUND

Signed-off-by: Günther Deschner g...@samba.org

commit 8bebce45d33babc22dea4bb10f661ea502d8bbdd
Author: Kamen Mazdrashki kamen.mazdras...@postpath.com
Date:   Thu Sep 17 05:59:08 2009 +0300

w32err: Set hex format values for all errors

Signed-off-by: Günther Deschner g...@samba.org

commit 3f835eb9478b30bb91593c2a0073b72e696076f2
Author: Kamen Mazdrashki kamen.mazdras...@postpath.com
Date:   Thu Sep 17 05:53:40 2009 +0300

w32err: Re-define errors with numeric values

Signed-off-by: Günther Deschner g...@samba.org

commit 91d3d3c6a23ffba755ac4b72d668fb247340fc24
Author: Kamen Mazdrashki kamen.mazdras...@postpath.com
Date:   Thu Sep 17 05:08:34 2009 +0300

w32err: Sorting error codes in ascending order

Signed-off-by: Günther Deschner g...@samba.org

commit fc1ac736d6c7b1e647890255d4217609f45dcb77
Author: Kamen Mazdrashki kamen.mazdras...@postpath.com
Date:   Thu Sep 17 04:53:02 2009 +0300

w32err: NERR_ codes grouped together

Signed-off-by: Günther Deschner g...@samba.org

commit 1cfac63fa4335b45b9c722316a45b2b187de78a0
Author: Kamen Mazdrashki kamen.mazdras...@postpath.com
Date:   Thu Sep 17 04:28:28 2009 +0300

w32err: WERR_CLASS_NOT_REGISTERED updated

Error code move to COM/OLE group.
Error value changed to as REGDB_E_CLASSNOTREG in Windows

Signed-off-by: Günther Deschner g...@samba.org

---

Summary of changes:
 libcli/util/doserr.c |2 +-
 libcli/util/werror.h |  283 +-
 source3/libnet/libnet_join.c |4 +-
 3 files changed, 146 insertions(+), 143 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/util/doserr.c b/libcli/util/doserr.c
index 6af1972..5e74138 100644
--- a/libcli/util/doserr.c
+++ b/libcli/util/doserr.c
@@ -179,7 +179,6 @@ static const struct werror_code_struct dos_errs[] =
{ WERR_INVALID_USER_BUFFER, WERR_INVALID_USER_BUFFER },
{ WERR_NO_TRUST_SAM_ACCOUNT, WERR_NO_TRUST_SAM_ACCOUNT },
{ WERR_INVALID_PRINTER_COMMAND, WERR_INVALID_PRINTER_COMMAND },
-   { WERR_CLASS_NOT_REGISTERED, WERR_CLASS_NOT_REGISTERED },
{ WERR_NO_SHUTDOWN_IN_PROGRESS, WERR_NO_SHUTDOWN_IN_PROGRESS },
{ WERR_SHUTDOWN_ALREADY_IN_PROGRESS, 
WERR_SHUTDOWN_ALREADY_IN_PROGRESS },
{ WERR_SEC_E_ENCRYPT_FAILURE, WERR_SEC_E_ENCRYPT_FAILURE },
@@ -217,6 +216,7 @@ static const struct werror_code_struct dos_errs[] =
{ WERR_UNKNOWN_PRINT_MONITOR, WERR_UNKNOWN_PRINT_MONITOR },
{ WERR_PASSWORD_RESTRICTION, WERR_PASSWORD_RESTRICTION },
{ WERR_WRONG_PASSWORD, WERR_WRONG_PASSWORD },
+   { WERR_CLASS_NOT_REGISTERED, WERR_CLASS_NOT_REGISTERED },
{ NULL, W_ERROR(0) }
 };
 
diff --git a/libcli/util/werror.h b/libcli/util/werror.h
index f82879c..d64746b 100644
--- a/libcli/util/werror.h
+++ b/libcli/util/werror.h
@@ -74,139 +74,130 @@ typedef uint32_t WERROR;
 
 /* these are win32 error codes. There are only a few places where
these matter for Samba, primarily in the NT printing code */
-#define WERR_OK W_ERROR(0)
-#define WERR_BADFUNC W_ERROR(1)
-#define WERR_BADFILE W_ERROR(2)
-#define WERR_ACCESS_DENIED W_ERROR(5)
-#define WERR_BADFID W_ERROR(6)
-#define WERR_NOMEM W_ERROR(8)
-#define WERR_GENERAL_FAILURE W_ERROR(31)
-#define WERR_NOT_SUPPORTED W_ERROR(50)
-#define WERR_DUP_NAME W_ERROR(52)
-#define WERR_BAD_NETPATH W_ERROR(53)
-#define WERR_BAD_NET_RESP W_ERROR(58)
-#define WERR_UNEXP_NET_ERR W_ERROR(59)
-#define WERR_DEVICE_NOT_EXIST W_ERROR(55)
-#define WERR_PRINTQ_FULL W_ERROR(61)
-#define WERR_NO_SPOOL_SPACE W_ERROR(62)
-#define WERR_NO_SUCH_SHARE W_ERROR(67)
-#define WERR_FILE_EXISTS W_ERROR(80)
-#define WERR_BAD_PASSWORD W_ERROR(86)
-#define WERR_INVALID_PARAM W_ERROR(87)
-#define WERR_CALL_NOT_IMPLEMENTED W_ERROR(120)
-#define WERR_SEM_TIMEOUT W_ERROR(121)
-#define WERR_INSUFFICIENT_BUFFER W_ERROR(122)
-#define WERR_INVALID_NAME W_ERROR(123)
-#define WERR_UNKNOWN_LEVEL W_ERROR(124)
-#define WERR_OBJECT_PATH_INVALID W_ERROR(161)
-#define WERR_ALREADY_EXISTS W_ERROR(183)
-#define