Re: [Samba] Samba4 using existing DNS and LDAP
Thank you Matthieu,

>> I have been using Samba3 (and 2) for years, with an openLDAP backend for
>> authentication. This is working fine, my directory includes a number of
>> local settings for my specific needs.
>>
>> Now I would like to move to Samba4. I understand that Samba4 comes with
>> its own DNS and LDAP servers.
>>
>> By provisioning Samba4 with --dns-backend=NONE and including the
>> necessary to my existing DNS zone, is that enough to get rid of the DNS
>> server included with Samba4?
>
> Well you can use the bind-dlz plugins so that samba uses bind instead of
> its own internal server. Another option is to configure your global DNS
> to use Samba as the source of authority just for the domain of your AD.

>> What kind of updates does Samba need to perform to DNS? The one at the
>> provisioning and the machine name that join the domain (this is already
>> taken care of by DHCP). Is there anything I oversee?

What about this question? What records are added in the DNS by Samba,
beside all the SRV records?

>> Now regarding LDAP, is there a way to tell Samba to replicate the
>> directory from my existing openLDAP?
>
> No. Our LDAP Server supports schema upgrade so if the stuff that you have
> in your OL has a schema that is compatible to Samba you can update
> Samba's schema and then load the data by export/import in Samba. Another
> way of doing is by using overlays in OL to present in the desired way the
> information coming from both OL and Samba 4.

I have seen that, but that was after I posted my question. I think I will
resolve to keep both Samba and OL in parallel and update the accounts on
both at the same time (it's just a minor change in the existing scripts
used to update OL).

Best regards,

Olivier

-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
[Samba] Status of SWAT2?
Hi,

I was wondering what the status of SWAT2 is? Since coming out of a Google
Summer of Code, is it now mature enough for commercial deployment?

Also, if I would like to modify the UI of SWAT2 while retaining all its
functionality, how would I go about doing it?

Thanks,
-Ram
Re: [Samba] TLS between winbind and openldap
Hi

No, I did not try LDAPS because it is deprecated. That's why I tried
StartTLS. I had far more headaches when searching for idmap related
configuration.

I found a working workaround before you answered me, which seems to be
working (see my previous message). However, I'd rather not use environment
variables, if possible. I need some more time to validate it.

I disabled /root/ldaprc, and replaced these settings by environment
variables as described in the ldap.conf(5) manpage:

    Environment Variables
        LDAPNOINIT        disable all defaulting
        LDAPCONF          path of a configuration file
        LDAPRC            basename of ldaprc file in $HOME or $CWD
        LDAPoption-name   Set option-name as from ldap.conf

The environment variables are exported from /etc/default/winbind :

    # Winbind configuration
    #WINBINDD_OPTS=-n
    export LDAPTLS_CERT=/etc/ssl/certs/omv-domain-local.crt
    export LDAPTLS_KEY=/etc/ssl/private/omv-domain-local.key

I reproduced for you the broken configuration in order to show logs from
openLDAP and winbind.

Here is the log from Winbind when I run it from the command line (SID
obfuscated). The mapping is initiated by wbinfo -i user

    root@omv:~# winbindd -i -d idmap:10
    winbindd version 3.5.6 started.
    Copyright Andrew Tridgell and the Samba Team 1992-2010
    initialize_winbindd_cache: clearing cache and re-creating with version number 1
    [LDAP] ldap_build_search_req ATTRS: currentTime
    [LDAP] ldap_build_search_req ATTRS: supportedSASLMechanisms
    [LDAP] ldap_build_search_req ATTRS: highestCommittedUSN
    [LDAP] ldap_build_search_req ATTRS: *
    idmap_sid_to_uid: sid = [S-1-5-21-2758072649-2694028996-xx-1116], domain = ''
    idmap_backends_sid_to_unixid: domain = '', sid = [S-1-5-21-2758072649-2694028996-xx-1116]
    idmap_find_domain called for domain ''
    idmap_init_default_domain: calling static_init_idmap
    calling idmap_tdb_init
    Successfully added idmap alloc backend 'tdb'
    Successfully added idmap backend 'tdb'
    Successfully added idmap backend 'passdb'
    Successfully added idmap backend 'nss'
    idmap_init: using 'ldap' as remote backend
    idmap backend ldap not found
    Successfully added idmap alloc backend 'ldap'
    Successfully added idmap backend 'ldap'
    Filter: [(&(objectClass=sambaIdmapEntry)(sambaSID=S-1-5-21-2758072649-2694028996-xx-1116))]
    [LDAP] ldap_build_search_req ATTRS: supportedControl
    [LDAP] ldap_build_search_req ATTRS: sambaSID uidNumber gidNumber objectClass
    Mapped S-1-5-21-2758072649-2694028996-xx-1116 - 16777217 (1)
    idmap_sid_to_gid: sid = [S-1-5-21-2758072649-2694028996-xx-513], domain = ''
    idmap_backends_sid_to_unixid: domain = '', sid = [S-1-5-21-2758072649-2694028996-xx-513]
    idmap_find_domain called for domain ''
    Filter: [(&(objectClass=sambaIdmapEntry)(sambaSID=S-1-5-21-2758072649-2694028996-xx-513))]
    [LDAP] ldap_build_search_req ATTRS: sambaSID uidNumber gidNumber objectClass
    Mapped S-1-5-21-2758072649-2694028996-xx-513 - 16777216 (2)

As you can see, this is working like a charm.

Here are the logs from winbind and openLDAP when winbind runs as a service.
The mapping is initiated by wbinfo -i user. I changed /etc/default/winbind
to show logs:

    root@omv:~# cat /etc/default/winbind
    # Winbind configuration
    WINBINDD_OPTS=-d idmap:10 -i

    root@omv:~# service winbind start
    Starting the Winbind daemon: winbind
    winbindd version 3.5.6 started.
    Copyright Andrew Tridgell and the Samba Team 1992-2010
    initialize_winbindd_cache: clearing cache and re-creating with version number 1
    [LDAP] ldap_build_search_req ATTRS: currentTime
    [LDAP] ldap_build_search_req ATTRS: supportedSASLMechanisms
    [LDAP] ldap_build_search_req ATTRS: highestCommittedUSN
    [LDAP] ldap_build_search_req ATTRS: *
    idmap_sid_to_uid: sid = [S-1-5-21-2758072649-2694028996-xx-1116], domain = ''
    idmap_backends_sid_to_unixid: domain = '', sid = [S-1-5-21-2758072649-2694028996-xx-1116]
    idmap_find_domain called for domain ''
    idmap_init_default_domain: calling static_init_idmap
    calling idmap_tdb_init
    Successfully added idmap alloc backend 'tdb'
    Successfully added idmap backend 'tdb'
    Successfully added idmap backend 'passdb'
    Successfully added idmap backend 'nss'
    idmap_init: using 'ldap' as remote backend
    idmap backend ldap not found
    Successfully added idmap alloc backend 'ldap'
    Successfully added idmap backend 'ldap'
    Filter: [(&(objectClass=sambaIdmapEntry)(sambaSID=S-1-5-21-2758072649-2694028996-xx-1116))]
    [LDAP] TLS: can't connect: Error in the push function..
    Failed to issue the StartTLS instruction: Connect error
    Connection to LDAP server failed for the 1 try!
    [LDAP] TLS: can't connect: Error in the push function..
    Failed to issue the StartTLS instruction: Connect error
    Connection to LDAP server failed for the 2 try!
    [LDAP] TLS: can't connect: Error in the push function..
    Failed to issue the StartTLS instruction: Connect error
    Connection to LDAP server failed for the 3 try!
    [...continues until timeout...]

To have more details, I have to show logs from openLDAP produced at the
same time:

    root@omv:~# slapd -d 1
[Samba] samba4 and squid with NTLM auth
Hi.

Samba-4.0.7
FreeBSD 10.0-CURRENT

Besides serving files I'm using Samba to authenticate users in the Windows
AD with squid. After having issues with samba 3.6.16 I decided to see if
samba4 will fit me more. I was surprised, but I found that Samba 4 is fully
functional in my environment and is nearly production-ready. After that I
tried to set up squid to use samba for NTLM authentication. I found
something that may be a bug, but may be also a misconfiguration of some
sort. In short words - it doesn't work.

To describe what's not working, I should say that in my configuration squid
is authorizing the user in two stages:

- ntlm_auth is authenticating the user
- an external squid helper is authorizing the user's access to an URL using
  the name supplied by ntlm_auth and the group membership information from
  the AD.

It turns out that for some reason ntlm_auth authenticates the user just
fine, but then it is supplying squid with some sort of corrupted username:

squid access log:

    1375868558.129   1957 192.168.7.71 TCP_DENIED/403 2338 GET http://www.ru/rus/index.php %a0%92%03\r%08 HIER_NONE/- text/html

This [...] is actually my username - 'emz', but it looks like it's
authenticated by ntlm_auth. Squid also thinks that this username has just
been authenticated, and tries to look up its group membership information.

Squid cache log:

    support_member.cc(124): pid=12390 :2013/08/07 15:42:38| kerberos_ldap_group: INFO: User ═.. . is not member of group@domain Internet Users - Crystal@NULL

Considering that everything is fine when using samba 3.5.x, I suppose the
answer is in samba software.

Is this some bug or a misconfiguration ?

Thanks.
Eugene.
[Samba] How to use --simple-bind-dn in samba-tool
Hi,

I understand that using options -H and --simple-bind-dn one could run
samba-tool remotely.

But how should I specify the DN to use for simple bind? I tried many
syntaxes:

    cn=Administrator
    cn=Administrator@domain
    domain

all with the Administrator password, but it always fails with:

    Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - Simple Bind Failed: NT_STATUS_LOGON_FAILURE
    Failed to connect to 'ldap://fbsd35.cs.ait.ac.th/' with backend 'ldap': (null)

Can I use the command ldapsearch (from the openLDAP distribution) to access
the LDAP directory maintained by Samba? If yes, what is the syntax in terms
of binding?

Thanks in advance,

Olivier
Re: [Samba] Samba 4 internal DNS - how to modify SOA record
Thank you for your emails. Unfortunately samba-tool can't update SOA
records. I'll stick to Dmitry's action plan

Cheers

2013/8/7 Matthieu Patou m...@samba.org

> On 08/06/2013 02:34 PM, Rustam K. wrote:
>> Hello, I have the very same problem, does anybody know a way? I am
>> thinking of converting to BIND, modifying and then converting it back to
>> the Internal DNS implementation.
>
> Did you have a look at samba-tool dns update to do this ?
> Kai has a good experience in DNS related things in Samba, I just put him
> in this thread just in case he has some insights.
>
> Matthieu.
>
>>> Hello.
>>>
>>> How could one modify a SOA record in rc3? For example, the NS part (not
>>> NS record) of the SOA record points to an absent Windows server. This
>>> effectively breaks DNS updates, since there is no such server and if a
>>> corresponding A record is added, update requests from clients will come
>>> unsigned.
>>>
>>> Editing it directly via LDAP breaks Samba (some sort of
>>> checksum/hash?)
>>>
>>> MMC snap-in says "Zone not loaded by DNS server", so it is not possible
>>> to use it either.
>>>
>>> samba-tool dns add|delete|update can't operate on SOA record.
>>>
>>> Maybe someone could give a link to some document describing dnsRecord,
>>> so one could forge a valid record and just change dnsRecord in DC=@
>>> using some LDAP tool?
>>>
>>> Thanks in advance.
>
> -- 
> Matthieu Patou
> Samba Team        http://samba.org
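The dnsRecord layout the original question asks about is MS-DNSP's DNS_RPC_RECORD, which Samba describes as dnsp_DnssrvRpcRecord in its dnsp.idl. The following decoder/encoder is an added example, not code from the thread or from Samba: it decodes the SOA case and rebuilds the value with the primary server name swapped, which is exactly the edit Rustam wanted to make. The 24-byte header and SOA field order follow my reading of dnsp.idl; the dnsp_name length-byte convention is an assumption, so verify both against Samba's ndr_dnsp.c (or round-trip a record read from your own DC=@ entry) before writing anything back to the directory.

```python
"""Decode and re-encode a Samba AD dnsRecord value (MS-DNSP DNS_RPC_RECORD,
Samba dnsp_DnssrvRpcRecord) for the SOA case."""
import struct

DNS_TYPE_SOA = 6

# Fixed 24-byte header: little-endian except dwTtlSeconds, which Samba's
# IDL marks NDR_BIG_ENDIAN.
HDR_LE = struct.Struct("<HHBBHI")   # wDataLength, wType, version, rank, flags, dwSerial
HDR_TTL = struct.Struct(">I")       # dwTtlSeconds
HDR_TAIL = struct.Struct("<II")     # dwReserved, dwTimeStamp
HDR_SIZE = HDR_LE.size + HDR_TTL.size + HDR_TAIL.size
SOA_NUMS = struct.Struct(">IIIII")  # serial, refresh, retry, expire, minimum (big-endian)


def pack_name(fqdn):
    """Encode a dnsp_name: length byte, label count, length-prefixed labels,
    zero terminator.  Assumption: the length byte counts the labels plus the
    terminator, so the root name "." encodes as 01 00 00."""
    labels = [l.encode("ascii") for l in fqdn.rstrip(".").split(".") if l]
    raw = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return bytes([len(raw), len(labels)]) + raw


def unpack_name(buf, pos):
    """Decode a dnsp_name at buf[pos]; returns (fqdn, position after it)."""
    length, count = buf[pos], buf[pos + 1]
    start = pos + 2
    end = start + length
    pos = start
    labels = []
    for _ in range(count):
        n = buf[pos]
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    if pos >= len(buf) or buf[pos] != 0 or pos + 1 != end:
        raise ValueError("malformed dnsp_name at offset %d" % (start - 2))
    return ".".join(labels) + ".", pos + 1


def parse_record(blob):
    """Decode one dnsRecord value into a dict.  SOA data is decoded fully;
    other types keep their data as raw bytes."""
    if len(blob) < HDR_SIZE:
        raise ValueError("dnsRecord shorter than its 24-byte header")
    dlen, rtype, version, rank, flags, serial = HDR_LE.unpack_from(blob, 0)
    (ttl,) = HDR_TTL.unpack_from(blob, HDR_LE.size)
    reserved, timestamp = HDR_TAIL.unpack_from(blob, HDR_LE.size + HDR_TTL.size)
    data = blob[HDR_SIZE:HDR_SIZE + dlen]
    if len(data) != dlen:
        raise ValueError("wDataLength %d exceeds the blob" % dlen)
    rec = {"type": rtype, "version": version, "rank": rank, "flags": flags,
           "serial": serial, "ttl": ttl, "reserved": reserved,
           "timestamp": timestamp}
    if rtype == DNS_TYPE_SOA:
        nums = SOA_NUMS.unpack_from(data, 0)
        mname, pos = unpack_name(data, SOA_NUMS.size)
        rname, pos = unpack_name(data, pos)
        if pos != len(data):
            raise ValueError("trailing bytes after SOA rname")
        rec["soa"] = dict(zip(("serial", "refresh", "retry", "expire", "minimum"), nums),
                          mname=mname, rname=rname)
    else:
        rec["data"] = data
    return rec


def build_record(rec):
    """Inverse of parse_record: serialise the dict back into a dnsRecord value."""
    if rec["type"] == DNS_TYPE_SOA:
        s = rec["soa"]
        data = (SOA_NUMS.pack(s["serial"], s["refresh"], s["retry"], s["expire"], s["minimum"])
                + pack_name(s["mname"]) + pack_name(s["rname"]))
    else:
        data = rec["data"]
    return (HDR_LE.pack(len(data), rec["type"], rec["version"], rec["rank"], rec["flags"], rec["serial"])
            + HDR_TTL.pack(rec["ttl"]) + HDR_TAIL.pack(rec["reserved"], rec["timestamp"]) + data)


def replace_soa_mname(blob, new_mname):
    """Return a copy of an SOA dnsRecord whose primary server (MNAME, the host
    clients direct dynamic updates to) is new_mname, with the SOA serial
    bumped so caches and secondaries notice the change.  The header dwSerial
    is left untouched."""
    rec = parse_record(blob)
    if rec["type"] != DNS_TYPE_SOA:
        raise ValueError("dnsRecord type %d is not SOA" % rec["type"])
    rec["soa"]["mname"] = new_mname
    rec["soa"]["serial"] += 1
    return build_record(rec)


# Constructed sample: the SOA of a DC=@ entry still naming a Windows DC that
# no longer exists, the situation described in the thread.  rank 0xF0 is
# DNS_RANK_ZONE, version 5 as Samba writes it.
SAMPLE_SOA = build_record({
    "type": DNS_TYPE_SOA, "version": 5, "rank": 0xF0, "flags": 0, "serial": 42,
    "ttl": 3600, "reserved": 0, "timestamp": 0,
    "soa": {"serial": 42, "refresh": 900, "retry": 600, "expire": 86400,
            "minimum": 3600, "mname": "oldwin.ad.example.com.",
            "rname": "hostmaster.ad.example.com."},
})

if __name__ == "__main__":
    fixed = replace_soa_mname(SAMPLE_SOA, "dc1.ad.example.com.")
    print(parse_record(fixed)["soa"])
```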
[Samba] Samba 4 empty password
Hello,

We are trying to set up a SAMBA-Server with users that have empty
passwords.

We are using:
Samba 4.0.8
Kernel 3.10.5
Slackware 14.0 x64

When we set a password the login succeeds!

That's what we get when trying to login:

    [2013/08/07 13:31:46, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
      Kerberos: AS-REQ media1@BC from ipv4:10.0.99.100:62078 for krbtgt/BC@BC
    [2013/08/07 13:31:46, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
      Kerberos: Client sent patypes: 128
    [2013/08/07 13:31:46, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
      Kerberos: Looking for PKINIT pa-data -- media1@BC
    [2013/08/07 13:31:46, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
      Kerberos: Looking for ENC-TS pa-data -- media1@BC
    [2013/08/07 13:31:46, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
      Kerberos: No preauth found, returning PREAUTH-REQUIRED -- media1@BC
    [2013/08/07 13:31:46, 3] ../source4/smbd/service_stream.c:63(stream_terminate_connection)
      Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
    [2013/08/07 13:31:46, 3] ../source4/smbd/process_single.c:114(single_terminate)
      single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
    [2013/08/07 13:31:46, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
      Kerberos: AS-REQ media1@BC from ipv4:10.0.99.100:62079 for krbtgt/BC@BC
    [2013/08/07 13:31:46, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
      Kerberos: Client sent patypes: encrypted-timestamp, 128
    [2013/08/07 13:31:46, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
      Kerberos: Looking for PKINIT pa-data -- media1@BC
    [2013/08/07 13:31:46, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
      Kerberos: Looking for ENC-TS pa-data -- media1@BC
    [2013/08/07 13:31:46, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
      Kerberos: Failed to decrypt PA-DATA -- media1@BC (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
    [2013/08/07 13:31:46, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
      Kerberos: Failed to decrypt PA-DATA -- media1@BC
    [2013/08/07 13:31:46, 3] ../source4/smbd/service_stream.c:63(stream_terminate_connection)
      Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
    [2013/08/07 13:31:46, 3] ../source4/smbd/process_single.c:114(single_terminate)
      single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
    [2013/08/07 13:31:46, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
      Kerberos: AS-REQ media1@BC from ipv4:10.0.99.100:62080 for krbtgt/BC@BC
    [2013/08/07 13:31:46, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
      Kerberos: Client sent patypes: encrypted-timestamp, 128
    [2013/08/07 13:31:46, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
      Kerberos: Looking for PKINIT pa-data -- media1@BC
    [2013/08/07 13:31:46, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
      Kerberos: Looking for ENC-TS pa-data -- media1@BC
    [2013/08/07 13:31:46, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
      Kerberos: Failed to decrypt PA-DATA -- media1@BC (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
    [2013/08/07 13:31:46, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
      Kerberos: Failed to decrypt PA-DATA -- media1@BC
    [2013/08/07 13:31:46, 3] ../source4/smbd/service_stream.c:63(stream_terminate_connection)
      Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
    [2013/08/07 13:31:46, 3] ../source4/smbd/process_single.c:114(single_terminate)
      single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

Does somebody know what we can do???

Thanks a lot in advance

Oliver
[Samba] Issues with print command group membership
Hi,

I have a Samba print share set up, with a print command specified that just
cats the file to /dev/ulpt0. This share is accessed by the guest Samba
account, which I have set to be the 'smbguest' username.

I can manually run the print command as root, and the file prints. I can
manually run the print command as 'smbguest' (through sudo) and the file
prints. However, when I run the command through Samba itself (by printing
over the network from another machine), I get:

    cannot create /dev/ulpt0: Permission denied

This is the same message I would get if I don't have write permissions to
the device. The device itself has the following permissions:

    $ ls -l /dev/ulpt*
    crw-rw  1 root  print  0, 142 Aug  5 22:31 /dev/ulpt0

The 'smbguest' account is in the 'print' group, as evidenced below:

    $ groups smbguest
    smbguest smbguestgroup print

so it should be able to write to ulpt0. In fact, it can, when the command is
run through sudo -u smbguest ...

However, when the Samba 'print command' itself is run, the group membership
*only* includes the 'smbguest' group. I altered the print command to write a
log message including the output of `groups`, and it writes merely
'smbguest', rather than the above three groups.

Is there a general explanation for this, or is this just some weird Samba
idiosyncrasy? I would expect, since Samba is running the command as the
user 'smbguest', that it would have full group membership, but all my
evidence points to that not being the case. Or maybe there is something
more fundamental I'm missing?

I have also tried using 'force group = print', but that does not seem to
have any effect for me. I was following the advice from this post:
http://askubuntu.com/questions/251536/samba-guest-account-not-in-group

Is it a bug? Something I don't understand? Any help would be appreciated,
thanks.

-John
Re: [Samba] Debian Package Updates
On 5 August 2013 01:28, Andrew Bartlett abart...@samba.org wrote:
> On Fri, 2013-08-02 at 14:41 +0100, Dominic Evans wrote:
>> The debian package of samba4 is still sitting at 4.0.3 in experimental.
>> Please could someone (Andrew?) upload an updated package now that we are
>> up to 4.0.7?
>>
>> http://packages.qa.debian.org/s/samba4.html
>
> We have toiled mightily, and have new experimental packages. They are
> stuck in the NEW queue, and have been for a month:
>
> http://ftp-master.debian.org/new.html
>
> (This is because we have additional package names, as part of the merge
> with the 'samba' package).

So the new packages have now made it into experimental
http://packages.qa.debian.org/s/samba/news/20130806T230018Z.html

However, it isn't obvious what the upgrade step(s) should be from an
existing `samba4` install to these packages. They don't appear to have
specified Conflicts/Replaces with the samba4 packages, and it appears like
a `sudo apt-get install -t experimental samba` would be partially
installing alongside the existing samba4 binaries?
Re: [Samba] Samba4 using existing DNS and LDAP
On 08/07/2013 12:02 AM, Olivier Nicole wrote:
> Thank you Matthieu,
>
>>> I have been using Samba3 (and 2) for years, with an openLDAP backend
>>> for authentication. This is working fine, my directory includes a
>>> number of local settings for my specific needs.
>>>
>>> Now I would like to move to Samba4. I understand that Samba4 comes with
>>> its own DNS and LDAP servers.
>>>
>>> By provisioning Samba4 with --dns-backend=NONE and including the
>>> necessary to my existing DNS zone, is that enough to get rid of the
>>> DNS server included with Samba4?
>>
>> Well you can use the bind-dlz plugins so that samba uses bind instead of
>> its own internal server. Another option is to configure your global DNS
>> to use Samba as the source of authority just for the domain of your AD.
>
>>> What kind of updates does Samba need to perform to DNS? The one at the
>>> provisioning and the machine name that join the domain (this is
>>> already taken care of by DHCP). Is there anything I oversee?
>
> What about this question? What records are added in the DNS by Samba,
> beside all the SRV records?

Well it depends, pretty much anything the client asks to update. With
bind-dlz or the internal DNS server, DDNS from the client is controlled by
the same kind of ACLs as a Windows client would have in a Windows AD
domain. So most of the time clients update A and PTR records, but some also
set SRV records (a Windows server with terminal server for instance) and
well maybe Exchange is setting up the MX record (I don't know). As long as
the ACL didn't prevent you from doing so you are able to do it. That's a
great plus if you compare to the quite limited ACL that bind 9.x has
builtin.

>>> Now regarding LDAP, is there a way to tell Samba to replicate the
>>> directory from my existing openLDAP?
>>
>> No. Our LDAP Server supports schema upgrade so if the stuff that you
>> have in your OL has a schema that is compatible to Samba you can update
>> Samba's schema and then load the data by export/import in Samba.
>> Another way of doing is by using overlays in OL to present in the
>> desired way the information coming from both OL and Samba 4.
>
> I have seen that, but that was after I posted my question. I think I
> will resolve to keep both Samba and OL in parallel and update the
> accounts on both at the same time (it's just a minor change in the
> existing scripts used to update OL).

You might want to have a script that is polling samba from time to time to
see if OL needs an update; the dirsync control is designed for that. There
is a small test/demo script in source4/scripting/devel/demodirsync.py

Matthieu.

-- 
Matthieu Patou
Samba Team        http://samba.org
Re: [Samba] How to use --simple-bind-dn in samba-tool
On Wed, 2013-08-07 at 17:16 +0700, Olivier Nicole wrote:
> Hi,
>
> I understand that using options -H and --simple-bind-dn one could run
> samba-tool remotely.
>
> But how should I specify the DN to use for simple bind? I tried many
> syntaxes:
>
>     cn=Administrator
>     cn=Administrator@domain
>     domain
>
> all with the Administrator password, but it always fails with:
>
>     Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - Simple Bind Failed: NT_STATUS_LOGON_FAILURE
>     Failed to connect to 'ldap://fbsd35.cs.ait.ac.th/' with backend 'ldap': (null)
>
> Can I use the command ldapsearch (from the openLDAP distribution) to
> access the LDAP directory maintained by Samba? If yes, what is the syntax
> in terms of binding?

In general, you shouldn't need --simple-bind-dn, because Samba supports
much more secure ways to authenticate, such as NTLM and Kerberos. Just
specify -U administrator

For the record, for other non-AD servers that don't do SASL and so can't
use -U, --simple-bind-dn takes a DN, so cn=admin,dc=example,dc=com might be
the admin DN on an OpenLDAP server. (this applies more to the ldb* commands
than samba-tool, which probably shouldn't show this option except it comes
from common code).

I hope this helps,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz
Re: [Samba] Debian Package Updates
On Wed, 2013-08-07 at 17:58 +0100, Dominic Evans wrote:
> On 5 August 2013 01:28, Andrew Bartlett abart...@samba.org wrote:
>> On Fri, 2013-08-02 at 14:41 +0100, Dominic Evans wrote:
>>> The debian package of samba4 is still sitting at 4.0.3 in
>>> experimental. Please could someone (Andrew?) upload an updated package
>>> now that we are up to 4.0.7?
>>>
>>> http://packages.qa.debian.org/s/samba4.html
>>
>> We have toiled mightily, and have new experimental packages. They are
>> stuck in the NEW queue, and have been for a month:
>>
>> http://ftp-master.debian.org/new.html
>>
>> (This is because we have additional package names, as part of the merge
>> with the 'samba' package).
>
> So the new packages have now made it into experimental
> http://packages.qa.debian.org/s/samba/news/20130806T230018Z.html
>
> However, it isn't obvious what the upgrade step(s) should be from an
> existing `samba4` install to these packages. They don't appear to have
> specified Conflicts/Replaces with the samba4 packages, and it appears
> like a `sudo apt-get install -t experimental samba` would be partially
> installing alongside the existing samba4 binaries?

We do have Conflicts/Replaces set, and when the bulk of the packaging work
was done this was tested upgrading from both.

From here, the best approach would be to tell us what errors you get, and
we can add some more as required.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz
Re: [Samba] Samba 4 empty password
On Wed, 2013-08-07 at 13:56 +, Fink Oliver wrote:
> Hello,
>
> We are trying to set up a SAMBA-Server with users that have empty
> passwords.
>
> We are using:
> Samba 4.0.8
> Kernel 3.10.5
> Slackware 14.0 x64
>
> When we set a password the login succeeds!
>
> That's what we get when trying to login:
>
>       Kerberos: Looking for ENC-TS pa-data -- media1@BC
>     [2013/08/07 13:31:46, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>       Kerberos: Failed to decrypt PA-DATA -- media1@BC (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
>     [2013/08/07 13:31:46, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>       Kerberos: Failed to decrypt PA-DATA -- media1@BC

This means the KDC had a different hash to the one the user encrypted the
time with.

Aside from the flag 'ACB_NOPWREQ' (which does *not* mean no password
required, it actually means no password requirements, ie no minimum
length), the KDC doesn't know the length (even zero length) of the
password, it just performs calculations based on the stored hash.

How did you set the 'empty' password in Samba?

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz
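Andrew's point is that the KDC only ever compares the client's encrypted timestamp against the stored key, so whatever was stored, a mismatch is visible only as "Failed to decrypt PA-DATA". Those same lines are what a defender watches on a Samba DC to spot password guessing against an account. The following is an added example, not from the thread: it parses Samba's log layout as shown above (header line plus indented message, or both on one line as the archive flattened them) and counts pre-authentication failures per principal and client address; the sample log is constructed from the lines in this thread.

```python
"""Count Kerberos pre-authentication failures per principal and client
address in Samba AD DC log output."""
import re
from collections import Counter

# Constructed sample in Samba's log layout (abridged from the thread above).
SAMPLE_LOG = """\
[2013/08/07 13:31:46,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ media1@BC from ipv4:10.0.99.100:62078 for krbtgt/BC@BC
[2013/08/07 13:31:46,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- media1@BC
[2013/08/07 13:31:46,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ media1@BC from ipv4:10.0.99.100:62079 for krbtgt/BC@BC
[2013/08/07 13:31:46,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed to decrypt PA-DATA -- media1@BC (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
[2013/08/07 13:31:46,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed to decrypt PA-DATA -- media1@BC
[2013/08/07 13:31:46,  3] ../source4/smbd/service_stream.c:63(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2013/08/07 13:31:46,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ media1@BC from ipv4:10.0.99.100:62080 for krbtgt/BC@BC
[2013/08/07 13:31:46,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed to decrypt PA-DATA -- media1@BC (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
[2013/08/07 13:31:46,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed to decrypt PA-DATA -- media1@BC
"""

# Each log entry starts with "[YYYY/MM/DD ..."; split on that boundary so the
# parser works whether the message follows on the next line or the same one.
ENTRY_SPLIT = re.compile(r"(?=\[\d{4}/\d{2}/\d{2} )")
KRB_MSG = re.compile(
    r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s*\S+\s*Kerberos:\s*(?P<msg>.*)",
    re.DOTALL)
AS_REQ = re.compile(r"^AS-REQ (?P<princ>\S+) from (?P<client>\S+) for (?P<svc>\S+)")
PA_FAIL = re.compile(r"^Failed to decrypt PA-DATA -- (?P<princ>\S+) \(enctype (?P<enctype>[^)]+)\)")


def kerberos_events(text):
    """Yield (timestamp, message) for every 'Kerberos:' entry, with the
    message whitespace normalised to single spaces."""
    for entry in ENTRY_SPLIT.split(text):
        m = KRB_MSG.match(entry.strip())
        if m:
            yield m.group("ts"), " ".join(m.group("msg").split())


def client_ip(client):
    """'ipv4:10.0.99.100:62078' -> '10.0.99.100' (drops family and port)."""
    return client.split(":", 1)[1].rsplit(":", 1)[0]


def preauth_failures(text):
    """Count 'Failed to decrypt PA-DATA' per (principal, client IP).

    The KDC logs the client address only on the AS-REQ line, so the most
    recent AS-REQ for the principal is used to attribute the failure.  Only
    the variant carrying '(enctype ...)' is counted, because Samba logs each
    failure twice (see the thread above)."""
    last_client = {}
    counts = Counter()
    for _ts, msg in kerberos_events(text):
        m = AS_REQ.match(msg)
        if m:
            last_client[m.group("princ")] = client_ip(m.group("client"))
            continue
        m = PA_FAIL.match(msg)
        if m:
            princ = m.group("princ")
            counts[(princ, last_client.get(princ, "unknown"))] += 1
    return dict(counts)


def suspicious_sources(counts, threshold):
    """(principal, ip) pairs with at least `threshold` failures: one failure
    is a typo, a burst from one address against one account is worth a look."""
    return sorted(key for key, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    failures = preauth_failures(SAMPLE_LOG)
    for (princ, ip), n in sorted(failures.items()):
        print("%-20s %-16s %d failed pre-auth attempt(s)" % (princ, ip, n))
    print("over threshold:", suspicious_sources(failures, 2))
```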
Re: [Samba] samba4 and squid with NTLM auth
On Wed, 2013-08-07 at 15:57 +0600, Eugene M. Zheganin wrote:
> Hi.
>
> Samba-4.0.7
> FreeBSD 10.0-CURRENT
>
> Besides serving files I'm using Samba to authenticate users in the
> Windows AD with squid. After having issues with samba 3.6.16 I decided
> to see if samba4 will fit me more. I was surprised, but I found that
> Samba 4 is fully functional in my environment and is nearly
> production-ready. After that I tried to set up squid to use samba for
> NTLM authentication. I found something that may be a bug, but may be
> also a misconfiguration of some sort. In short words - it doesn't work.
>
> To describe what's not working, I should say that in my configuration
> squid is authorizing the user in two stages:
>
> - ntlm_auth is authenticating the user
> - an external squid helper is authorizing the user's access to an URL
>   using the name supplied by ntlm_auth and the group membership
>   information from the AD.
>
> It turns out that for some reason ntlm_auth authenticates the user just
> fine, but then it is supplying squid with some sort of corrupted
> username:
>
> squid access log:
>
>     1375868558.129   1957 192.168.7.71 TCP_DENIED/403 2338 GET http://www.ru/rus/index.php %a0%92%03\r%08 HIER_NONE/- text/html
>
> This [...] is actually my username - 'emz', but it looks like it's
> authenticated by ntlm_auth. Squid also thinks that this username has
> just been authenticated, and tries to look up its group membership
> information.
>
> Squid cache log:
>
>     support_member.cc(124): pid=12390 :2013/08/07 15:42:38| kerberos_ldap_group: INFO: User ═.. . is not member of group@domain Internet Users - Crystal@NULL
>
> Considering that everything is fine when using samba 3.5.x, I suppose
> the answer is in samba software.
>
> Is this some bug or a misconfiguration ?

Certainly this looks like a missing NULL terminator, if it is as you
describe.

Can you operate ntlm_auth manually (operate one ntlm_auth in client mode,
another in squid-2.5-ntlmssp mode and copy the blobs back and forth), and
demonstrate it? This will avoid all the complexity of squid, and help
isolate the issue.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz
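The manual exchange Andrew asks for, as an added example (mine, not from the thread and not Samba's own test code): one ntlm_auth in ntlmssp-client-1 mode produces the NTLMSSP negotiate and authenticate blobs, one in squid-2.5-ntlmssp mode produces the challenge and the final verdict, and the script copies the blobs between them. It assumes ntlm_auth is on PATH on the Samba host (the server helper needs winbindd's privileged pipe) and that the helper protocol is the line-based YR/TT/KK in, YR/TT/AF/NA/BH out exchange Squid itself speaks; the checks on the returned username are what would have caught the %a0%92%03 garbage in Eugene's access log.

```python
"""Drive Samba's ntlm_auth against itself, client helper vs. squid-2.5-ntlmssp
server helper, and sanity-check the username the server side hands back."""
import base64
import shutil
import subprocess
import sys

NTLM_AUTH = shutil.which("ntlm_auth")  # assumption: Samba's helper is on PATH

HELPER_CODES = {"YR", "TT", "AF", "NA", "BH"}


def parse_reply(line):
    """Split a helper reply line into (code, payload)."""
    code, _, payload = line.rstrip("\r\n").partition(" ")
    if code not in HELPER_CODES:
        raise ValueError("unexpected helper reply: %r" % line)
    return code, payload


def blob_is_ntlmssp(b64):
    """True when the payload is valid base64 that starts with the NTLMSSP
    signature, i.e. a real NTLM message rather than an error string."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return raw.startswith(b"NTLMSSP\x00")


def username_is_clean(name):
    """The AF payload from the server helper should be a printable
    DOMAIN\\user string.  Bytes like %a0%92%03\\r%08 in the thread's squid
    log mean the helper emitted garbage (an unterminated buffer, say)."""
    return bool(name) and "\x00" not in name and name.isprintable()


class Helper:
    """One ntlm_auth process speaking its line-based helper protocol."""

    def __init__(self, protocol, *extra_args):
        self.proc = subprocess.Popen(
            [NTLM_AUTH, "--helper-protocol=" + protocol, *extra_args],
            stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True, bufsize=1)

    def ask(self, line):
        self.proc.stdin.write(line + "\n")
        self.proc.stdin.flush()
        return parse_reply(self.proc.stdout.readline())

    def close(self):
        self.proc.stdin.close()
        self.proc.wait()


def run_exchange(username, password, domain):
    """Run the three-message NTLMSSP handshake between the two helpers and
    return the server helper's final (code, payload); AF carries the name."""
    client = Helper("ntlmssp-client-1", "--username=" + username,
                    "--password=" + password, "--domain=" + domain)
    server = Helper("squid-2.5-ntlmssp")  # needs winbindd's privileged pipe
    try:
        code, negotiate = client.ask("YR")                  # type 1 (client)
        if code != "YR" or not blob_is_ntlmssp(negotiate):
            return code, negotiate
        code, challenge = server.ask("YR " + negotiate)     # type 2 (server)
        if code != "TT":
            return code, challenge
        code, authenticate = client.ask("TT " + challenge)  # type 3 (client)
        if code != "AF":
            return code, authenticate
        return server.ask("KK " + authenticate)             # AF DOMAIN\user or NA
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    if NTLM_AUTH is None or len(sys.argv) != 4:
        sys.exit("usage: %s USER PASSWORD DOMAIN (needs ntlm_auth on PATH)" % sys.argv[0])
    code, payload = run_exchange(*sys.argv[1:])
    verdict = "clean" if code == "AF" and username_is_clean(payload) else "SUSPECT"
    print(code, repr(payload), verdict)
```

A clean run ends with `AF DOMAIN\user clean`; an `AF` whose payload fails username_is_clean reproduces the corruption without squid in the picture.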
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  f6d1578 drs-cracknames: Add some debugs in the torture to know better which test has failed
       via  3de2547 Remove the knownfail flag on cracknames as it didn't fail anymore
       via  7fe4630 drs-cracksname: fix problems that prevented to pass our torture tests
       via  029e80d drs-crackname: Fix error code so that we have the same as windows
       via  552b4f3 drs-cracknames: When cracking NT4 names we should just look at netbios for the match
       via  aa17a2c drs-crackname: Fix cracknames for the format UNKNOWN when the data is actually a GUID
       via  beead4d drs-cracknames: Reorganise the cracknames list so that similar format names are group together
       via  2f7d772 Add Notes related to DRSUAPI
       via  b67085d s4-netlogon: honnor DS_RETURN_DNS_NAME flag
       via  927a103 s4-netlogon: do not add \ it has already be done in the fill_netlogon_samlogon_response
       via  5300984 torture: Quiet a warning about set but not used variable
       via  0eb304d torture-drsuapi: Make the name of the dc variable
      from  8b1a214 s3-netlogon: Connecting with the system token should be sufficient.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit f6d157858feeb8b59eb353a1a237fe9e359a5dcf
Author: Matthieu Patou m...@matws.net
Date:   Tue Jul 30 16:09:00 2013 -0700

    drs-cracknames: Add some debugs in the torture to know better which test has failed

    Signed-off-by: Matthieu Patou m...@matws.net
    Reviewed-By: Andrew Bartlett abarl...@samba.org

    Autobuild-User(master): Matthieu Patou m...@samba.org
    Autobuild-Date(master): Wed Aug  7 08:10:58 CEST 2013 on sn-devel-104

commit 3de2547e29cd29ff4a48cadaf392129d7893d77a
Author: Matthieu Patou m...@matws.net
Date:   Sun Jun 30 20:45:28 2013 -0700

    Remove the knownfail flag on cracknames as it didn't fail anymore

    Signed-off-by: Matthieu Patou m...@matws.net
    Reviewed-by: Andrew Bartlett abarl...@samba.org

commit 7fe4630bad232c09e29739beedda2e2fb63747ed
Author: Matthieu Patou m...@matws.net
Date:   Sun Jun 30 20:44:22 2013 -0700

    drs-cracksname: fix problems that prevented to pass our torture tests

    Some of the problems where also reported by Microsoft testing tools

    Signed-off-by: Matthieu Patou m...@matws.net
    Reviewed-by: Andrew Bartlett abarl...@samba.org

commit 029e80da9d1ab5096cd0981110b588245f8fd50d
Author: Matthieu Patou m...@matws.net
Date:   Sun Jun 30 02:04:20 2013 -0700

    drs-crackname: Fix error code so that we have the same as windows

    Signed-off-by: Matthieu Patou m...@matws.net
    Reviewed-by: Andrew Bartlett abarl...@samba.org

commit 552b4f3e022dca594e1dada7979fe351eee8cf9b
Author: Matthieu Patou m...@matws.net
Date:   Sun Jun 30 02:03:02 2013 -0700

    drs-cracknames: When cracking NT4 names we should just look at netbios for the match

    Looking at dnsRoot will yield a result for domain.tld\username when it
    shouldn't work.

    Signed-off-by: Matthieu Patou m...@matws.net
    Reviewed-by: Andrew Bartlett abarl...@samba.org

commit aa17a2c01dbab2e522a8aed7943963bab5b9
Author: Matthieu Patou m...@matws.net
Date:   Sat Jun 29 16:02:32 2013 -0700

    drs-crackname: Fix cracknames for the format UNKNOWN when the data is actually a GUID

    The cannonical crackname expect a / or it returns
    DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR, when doing UNKNOWN format it's
    not an error to not have a / in the name to crack it's just a sign the
    name is not a cannonical one.

    Signed-off-by: Matthieu Patou m...@matws.net
    Reviewed-by: Andrew Bartlett abarl...@samba.org

commit beead4d431b4d0cdd5e9f58fef481848d9daeaff
Author: Matthieu Patou m...@matws.net
Date:   Fri Jun 28 01:11:46 2013 -0700

    drs-cracknames: Reorganise the cracknames list so that similar format names are group together

    It makes easier when reviewing failed test case in DRSR testsuite

    Signed-off-by: Matthieu Patou m...@matws.net
    Reviewed-by: Andrew Bartlett abarl...@samba.org

commit 2f7d772583c8cdb6f7fc2b96addc54b9f9b12cd1
Author: Matthieu Patou m...@matws.net
Date:   Thu Jun 27 23:58:41 2013 -0700

    Add Notes related to DRSUAPI

    Signed-off-by: Matthieu Patou m...@matws.net
    Reviewed-by: Andrew Bartlett abarl...@samba.org

commit b67085de7fdfb41c42c71438f2e4b5474b3b111a
Author: Matthieu Patou m...@matws.net
Date:   Tue Sep 27 14:06:03 2011 -0400

    s4-netlogon: honnor DS_RETURN_DNS_NAME flag

    Reviewed-By: Andrew Bartlett abarl...@samba.org

commit 927a1030d78c25dbc43b6470f9ffe8b5fe664835
Author: Matthieu Patou m...@matws.net
Date:   Mon Sep 26 18:54:04 2011 -0400

    s4-netlogon: do not add \\ it has already be done in the fill_netlogon_samlogon_response

    Reviewed-By: Andrew Bartlett abarl...@samba.org

commit 530098440ee34b6fc23c2786b2df411978d15c97
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated
       via  9ef80fc Ensure gpfs kernel leases are wrapped in a become_root()/unbecome_root() pair.
       via  3630254 Wrap setting leases in become_root()/unbecome_root() to ensure correct delivery of signals.
      from  b085c39 Fix bug 9678 - Windows 8 Roaming profiles fail

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test

- Log -

commit 9ef80fcff6e0d03e30bd675cd7ebfc88608e81d6
Author: Ralph Wuerthner ral...@de.ibm.com
Date:   Wed Jul 31 16:33:48 2013 -0700

    Ensure gpfs kernel leases are wrapped in a become_root()/unbecome_root() pair.

    Ensures correct lease owner for signal delivery.

    Signed-off-by: Ralph Wuerthner ral...@de.ibm.com
    Reviewed-by: Jeremy Allison j...@samba.org
    Reviewed-by: Simo Sorce i...@samba.org

    Autobuild-User(master): Jeremy Allison j...@samba.org
    Autobuild-Date(master): Thu Aug 1 03:57:11 CEST 2013 on sn-devel-104

    The last 2 patches address bug #10064 - Linux kernel oplock breaks can miss signals.

commit 363025491d97171e130a7b8dd03296b9559799a0
Author: Jeremy Allison j...@samba.org
Date:   Wed Jul 31 16:32:20 2013 -0700

    Wrap setting leases in become_root()/unbecome_root() to ensure correct delivery of signals.

    Remove workaround for Linux kernel bug https://bugzilla.kernel.org/show_bug.cgi?id=43336 as we don't need to set capabilities when we're already root.

    Signed-off-by: Jeremy Allison j...@samba.org
    Reviewed-by: Simo Sorce i...@samba.org

---

Summary of changes:
 source3/modules/vfs_gpfs.c  |  6 ++
 source3/smbd/oplock_linux.c | 33 -
 2 files changed, 26 insertions(+), 13 deletions(-)

Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_gpfs.c b/source3/modules/vfs_gpfs.c
index 7bc2832..4aad679 100644
--- a/source3/modules/vfs_gpfs.c
+++ b/source3/modules/vfs_gpfs.c
@@ -97,7 +97,13 @@ static int vfs_gpfs_setlease(vfs_handle_struct *handle, files_struct *fsp, return -1; if (config-leases) { + /* +* Ensure the lease owner is root to allow +* correct delivery of lease-break signals. +*/ + become_root(); ret = set_gpfs_lease(fsp-fh-fd,leasetype); + unbecome_root(); } if (ret 0) { diff --git a/source3/smbd/oplock_linux.c b/source3/smbd/oplock_linux.c index 02bd32a..82523f2 100644 --- a/source3/smbd/oplock_linux.c +++ b/source3/smbd/oplock_linux.c @@ -75,26 +75,33 @@ int linux_set_lease_sighandler(int fd) int linux_setlease(int fd, int leasetype) { int ret; + int saved_errno; + + /* +* Ensure the lease owner is root to allow +* correct delivery of lease-break signals. +*/ + + become_root(); /* First set the signal handler. */ if (linux_set_lease_sighandler(fd) == -1) { - return -1; + saved_errno = errno; + ret = -1; + goto out; } ret = fcntl(fd, F_SETLEASE, leasetype); - if (ret == -1 errno == EACCES) { - set_effective_capability(LEASE_CAPABILITY); - /* -* Bug 8974 - work around Linux kernel bug -* https://bugzilla.kernel.org/show_bug.cgi?id=43336. -* fcntl(F_SETLEASE) resets signal number when -* called multiple times -*/ - if (linux_set_lease_sighandler(fd) == -1) { - return -1; - } - ret = fcntl(fd, F_SETLEASE, leasetype); + if (ret == -1) { + saved_errno = errno; } + out: + + unbecome_root(); + + if (ret == -1) { + errno = saved_errno; + } return ret; } -- Samba Shared Repository
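Review bot: In the vfs_gpfs.c hunk, unbecome_root() is called between set_gpfs_lease() and the check on ret that follows it, so an errno set by a failing set_gpfs_lease() can be clobbered before the caller gets to read it. The oplock_linux.c hunk in the same patch already handles this with saved_errno; the gpfs path should mirror it, e.g. `saved_errno = errno;` before `unbecome_root();` and `errno = saved_errno;` afterwards when ret is negative.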
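Review bot: In the linux_setlease() hunk, `int saved_errno;` is assigned only on the two failure paths and read only under `if (ret == -1)`, which is correct, but it stays uninitialised on the success path and may draw a maybe-uninitialised warning; initialising it at the declaration (`int saved_errno = 0;`) avoids that without changing behaviour. The removed comment block was also the only in-code record of why the capability retry existed; a one-line note at the become_root() call that the bug 8974 workaround is unnecessary when already running as root would keep that context for readers who don't have the commit message at hand.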
[SCM] Samba Shared Repository - branch v4-0-test updated
The branch, v4-0-test has been updated
       via  9439729 Ensure gpfs kernel leases are wrapped in a become_root()/unbecome_root() pair.
       via  f17721e Wrap setting leases in become_root()/unbecome_root() to ensure correct delivery of signals.
       via  c3a6b78 Add torture tests to raw.eas to check sending Windows invalid names in the middle of an EA list.
       via  fee1915 Reply with correct trans2 message on a setpathinfo with a bad EA name.
       via  050c42d Ensure we do pathname processing before SD and EA processing in NTTRANS_CREATE.
       via  515f122 Ensure we can't create a file using NTTRANS with an invalid EA list.
       via  6a5fed3 Ensure we can't create a file using TRANS2_OPEN with an invalid EA list.
       via  64e27e2 Add error map of STATUS_INVALID_EA_NAME - ERRDOS, ERRbadfile
       via  76996fe Add the ability to send an NTSTATUS result back with a trans2 reply so we can return a parameter block with an error code.
       via  2f76ebd Ensure we can't create a file using SMB2_CREATE with an invalid EA list.
       via  f89d994 Ensure we never return an EA name to a Windows client it can't handle.
       via  8f40e36 Ensure set_ea cannot set invalid Windows EA names.
       via  1f902e4 Add ea_list_has_invalid_name() function.
      from  c358417 Fix bug 9678 - Windows 8 Roaming profiles fail

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test

- Log -

commit 9439729feefdd0b962f1a4b9012e973b231cc569
Author: Ralph Wuerthner ral...@de.ibm.com
Date:   Wed Jul 31 16:33:48 2013 -0700

    Ensure gpfs kernel leases are wrapped in a become_root()/unbecome_root() pair.

    Ensures correct lease owner for signal delivery.

    Signed-off-by: Ralph Wuerthner ral...@de.ibm.com
    Reviewed-by: Jeremy Allison j...@samba.org
    Reviewed-by: Simo Sorce i...@samba.org

    Autobuild-User(master): Jeremy Allison j...@samba.org
    Autobuild-Date(master): Thu Aug 1 03:57:11 CEST 2013 on sn-devel-104

    The last 2 patches address bug #10064 - Linux kernel oplock breaks can miss signals.

    Autobuild-User(v4-0-test): Karolin Seeger ksee...@samba.org
    Autobuild-Date(v4-0-test): Wed Aug 7 13:15:02 CEST 2013 on sn-devel-104

commit f17721ee7e3457d591497c2f62834a706d218794
Author: Jeremy Allison j...@samba.org
Date:   Wed Jul 31 16:32:20 2013 -0700

    Wrap setting leases in become_root()/unbecome_root() to ensure correct delivery of signals.

    Remove workaround for Linux kernel bug https://bugzilla.kernel.org/show_bug.cgi?id=43336 as we don't need to set capabilities when we're already root.

    Signed-off-by: Jeremy Allison j...@samba.org
    Reviewed-by: Simo Sorce i...@samba.org

commit c3a6b78ab1cec783d53d551fd9c063aad680f0fb
Author: Jeremy Allison j...@samba.org
Date:   Tue Jul 9 16:37:48 2013 -0700

    Add torture tests to raw.eas to check sending Windows invalid names in the middle of an EA list.

    Add torture tests to probe the set of invalid Windows EA names.

    Bug 9992 - Windows error 0x800700FE when copying files with xattr names containing :

    Signed-off-by: Jeremy Allison j...@samba.org
    Reviewed-by: Andrew Bartlett abart...@samba.org

    Autobuild-User(master): Andrew Bartlett abart...@samba.org
    Autobuild-Date(master): Fri Jul 19 11:50:25 CEST 2013 on sn-devel-104

commit fee1915a2e24272506eef8272589a366c6b2711b
Author: Jeremy Allison j...@samba.org
Date:   Tue Jul 16 09:14:12 2013 -0700

    Reply with correct trans2 message on a setpathinfo with a bad EA name.

    Bug 9992 - Windows error 0x800700FE when copying files with xattr names containing :

    Signed-off-by: Jeremy Allison j...@samba.org
    Reviewed-by: Andrew Bartlett abart...@samba.org

commit 050c42d282ddcd311a3484a6cf041b7172eca62b
Author: Jeremy Allison j...@samba.org
Date:   Tue Jul 16 11:05:10 2013 -0700

    Ensure we do pathname processing before SD and EA processing in NTTRANS_CREATE.

    Bug 9992 - Windows error 0x800700FE when copying files with xattr names containing :

    Signed-off-by: Jeremy Allison j...@samba.org
    Reviewed-by: Andrew Bartlett abart...@samba.org

commit 515f1227d42a7aa8adee6a11539eb2720508509a
Author: Jeremy Allison j...@samba.org
Date:   Tue Jul 9 15:54:39 2013 -0700

    Ensure we can't create a file using NTTRANS with an invalid EA list.

    Bug 9992 - Windows error 0x800700FE when copying files with xattr names containing :

    Signed-off-by: Jeremy Allison j...@samba.org
    Reviewed-by: Andrew Bartlett abart...@samba.org

commit 6a5fed3e3492c5932f8c2e82a9288997a684b550
Author: Jeremy Allison j...@samba.org
Date:   Tue Jul 9 15:59:53 2013 -0700

    Ensure we can't create a file using TRANS2_OPEN with an invalid EA list.

    Bug 9992 - Windows error 0x800700FE when copying files with xattr names containing :

    Signed-off-by: Jeremy
[SCM] Samba Shared Repository - branch v4-1-test updated
The branch, v4-1-test has been updated
       via  099fd4c Ensure gpfs kernel leases are wrapped in a become_root()/unbecome_root() pair.
       via  224ea46 Wrap setting leases in become_root()/unbecome_root() to ensure correct delivery of signals.
       via  cd0f88d Add torture tests to raw.eas to check sending Windows invalid names in the middle of an EA list.
       via  7f52ae9 Reply with correct trans2 message on a setpathinfo with a bad EA name.
       via  e413edd Ensure we do pathname processing before SD and EA processing in NTTRANS_CREATE.
       via  12d06fb Ensure we can't create a file using NTTRANS with an invalid EA list.
       via  b22b1bc Ensure we can't create a file using TRANS2_OPEN with an invalid EA list.
       via  2b165a1 Add error map of STATUS_INVALID_EA_NAME - ERRDOS, ERRbadfile
       via  65d4a4c Add the ability to send an NTSTATUS result back with a trans2 reply so we can return a parameter block with an error code.
       via  d3b9f6c Ensure we can't create a file using SMB2_CREATE with an invalid EA list.
       via  dc2320a Ensure we never return an EA name to a Windows client it can't handle.
       via  36bca02 Ensure set_ea cannot set invalid Windows EA names.
       via  a6df18d Add ea_list_has_invalid_name() function.
      from  4bf25ec nsswitch: Add OPT_KRB5CCNAME to avoid an error message.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-1-test

- Log -

commit 099fd4c85e151bd7f9ec45fbea7365625de1ac3f
Author: Ralph Wuerthner ral...@de.ibm.com
Date:   Wed Jul 31 16:33:48 2013 -0700

    Ensure gpfs kernel leases are wrapped in a become_root()/unbecome_root() pair.

    Ensures correct lease owner for signal delivery.

    Signed-off-by: Ralph Wuerthner ral...@de.ibm.com
    Reviewed-by: Jeremy Allison j...@samba.org
    Reviewed-by: Simo Sorce i...@samba.org

    Autobuild-User(master): Jeremy Allison j...@samba.org
    Autobuild-Date(master): Thu Aug 1 03:57:11 CEST 2013 on sn-devel-104

    The last 2 patches address bug #10064 - Linux kernel oplock breaks can miss signals.

    Autobuild-User(v4-1-test): Karolin Seeger ksee...@samba.org
    Autobuild-Date(v4-1-test): Wed Aug 7 14:56:04 CEST 2013 on sn-devel-104

commit 224ea469aa324161495b7727dc3f49d848bb9836
Author: Jeremy Allison j...@samba.org
Date:   Wed Jul 31 16:32:20 2013 -0700

    Wrap setting leases in become_root()/unbecome_root() to ensure correct delivery of signals.

    Remove workaround for Linux kernel bug https://bugzilla.kernel.org/show_bug.cgi?id=43336 as we don't need to set capabilities when we're already root.

    Signed-off-by: Jeremy Allison j...@samba.org
    Reviewed-by: Simo Sorce i...@samba.org

commit cd0f88d6188fb14817c6fbcf7ba80b58ccd6365f
Author: Jeremy Allison j...@samba.org
Date:   Tue Jul 9 16:37:48 2013 -0700

    Add torture tests to raw.eas to check sending Windows invalid names in the middle of an EA list.

    Add torture tests to probe the set of invalid Windows EA names.

    Bug 9992 - Windows error 0x800700FE when copying files with xattr names containing :

    Signed-off-by: Jeremy Allison j...@samba.org

commit 7f52ae982617026a0d09571baa98fdff7c4d6dda
Author: Jeremy Allison j...@samba.org
Date:   Tue Jul 16 09:14:12 2013 -0700

    Reply with correct trans2 message on a setpathinfo with a bad EA name.

    Bug 9992 - Windows error 0x800700FE when copying files with xattr names containing :

    Signed-off-by: Jeremy Allison j...@samba.org

commit e413edd57d1911b24dbc767eac4d27fe8358f77e
Author: Jeremy Allison j...@samba.org
Date:   Tue Jul 16 11:05:10 2013 -0700

    Ensure we do pathname processing before SD and EA processing in NTTRANS_CREATE.

    Bug 9992 - Windows error 0x800700FE when copying files with xattr names containing :

    Signed-off-by: Jeremy Allison j...@samba.org

commit 12d06fb3c631f19bee122a2c5edf214000a2e01f
Author: Jeremy Allison j...@samba.org
Date:   Tue Jul 9 15:54:39 2013 -0700

    Ensure we can't create a file using NTTRANS with an invalid EA list.

    Bug 9992 - Windows error 0x800700FE when copying files with xattr names containing :

    Signed-off-by: Jeremy Allison j...@samba.org

commit b22b1bc0fcf4977ac2ebd2a26a44856b1351e975
Author: Jeremy Allison j...@samba.org
Date:   Tue Jul 9 15:59:53 2013 -0700

    Ensure we can't create a file using TRANS2_OPEN with an invalid EA list.

    Bug 9992 - Windows error 0x800700FE when copying files with xattr names containing :

    Signed-off-by: Jeremy Allison j...@samba.org

commit 2b165a12ed488579f4e845f4fc8183edfbe4e396
Author: Jeremy Allison j...@samba.org
Date:   Wed Jul 10 12:18:36 2013 -0700

    Add error map of STATUS_INVALID_EA_NAME - ERRDOS, ERRbadfile (from Windows2012 tests).

    Bug 9992 - Windows error 0x800700FE when copying files with xattr names containing :