[Samba] Encryption

2009-12-01 Thread Cameron Laird
What are the prospects for "smb transport encryption"?  Where can I learn
more?
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Simple question regarding smbpasswd

2009-05-11 Thread Cameron Laird
On Mon, May 11, 2009 at 4:03 PM, Ryan Novosielski wrote:

> David Markey wrote:
>...
> > echo -e "newpassword\nnewpassword\n" | smbpasswd -a -s dmarkey
>
> It's essentially the same format that you'd use on the command line if
> you were a user, but without the visual prompts.
>
   ... I personally prefer

smbpasswd -a -s dmarkey <<HERE
$NEW_PASS
$NEW_PASS
HERE

most days.  I also recognize that reasonable people can have different
styles.


Re: [Samba] Automating the Samba Install

2009-05-03 Thread Cameron Laird
There were a couple of defects in the reply I made earlier.  I correct them
in this repost.

On Sun, May 3, 2009 at 3:23 PM, Cameron Laird wrote:

> I want to make sure we're clear.
>
> There's little Samba content to this conversation now.  You reasonably
> decided that you wanted to script Samba-based actions, noticed that net(8)
> has an annoying interface, and correctly chose Expect to help with the
> automation.  Since then, it's just been details of Expect.
>
> I gave you a sample simplification.  You applied it to a couple of segments
> of your script.  You have the behavior you want in the second segment, but
> not the first.
>
> You appear to claim, "When I attempt to spawn something in quotes ... I
> don't get any output back ..."  I regard that as unproven, and will set it
> aside for now.  HOWEVER, I can easily imagine that 'OFFICE\Domain Admins'
> introduces complications.
>
> Where you have
> "OFFICE\Domain Admins"
> please try
> "OFFICE\\Domain Admins"
> or
> {OFFICE\Domain Admins}
> Either should move you equally far forward.
>...
>
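How Tcl substitutes and splits each spelling of the group name discussed in this thread, as an added example that is not part of the original posts. `show_args` is a hypothetical stand-in for Expect's `spawn` that only prints the words it receives, and the last case assumes Tcl 8.5 or later for `{*}`.

```tcl
#!/usr/bin/env tclsh
# Added example, not from the thread. show_args is a hypothetical stand-in
# for Expect's spawn: it prints the words Tcl would pass and runs nothing.
proc show_args {label args} {
    puts $label
    set i 0
    foreach word $args {
        puts [format "    word %d: <%s>" [incr i] $word]
    }
    return $args
}

# Double quotes: \D is not a known escape, so Tcl drops the backslash
# and the group name arrives as <OFFICEDomain Admins>.
show_args {"OFFICE\Domain Admins"} \
    net rpc rights grant "OFFICE\Domain Admins"

# Doubled backslash inside quotes: one word, backslash preserved.
show_args {"OFFICE\\Domain Admins"} \
    net rpc rights grant "OFFICE\\Domain Admins"

# Braces: no substitution at all, same result as the doubled backslash.
show_args {{OFFICE\Domain Admins}} \
    net rpc rights grant {OFFICE\Domain Admins}

# The spelling from the posted script: the unquoted space splits it into
# two words, and each word keeps a literal backslash and quote character.
show_args {\\\"OFFICE\\\Domain Admins\\\"} \
    net rpc rights grant \\\"OFFICE\\\Domain Admins\\\"

# eval joins its arguments into one string and parses that string again,
# so even a correct value is split on the space and loses its backslash.
set group {OFFICE\Domain Admins}
eval show_args {{eval with a correct $group}} net rpc rights grant $group

# Building the command as a list and expanding it keeps every element as
# exactly one word; with Expect the last line would be: spawn {*}$cmd
set cmd [list net rpc rights grant $group SeDiskOperatorPrivilege \
    -S smbsrv -U root]
show_args {list plus {*} expansion} {*}$cmd
```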


Re: [Samba] Automating the Samba Install

2009-05-01 Thread Cameron Laird
Expect is simply indispensable for much network and system management
<http://www.ibm.com/developerworks/aix/library/au-expect/>.  It's easy to
misapply, though; briefly, your Expect script has far better intentions than
implementation.

Where you have

    spawn /usr/bin/net rpc rights list accounts -S smbsrv -U root
    expect -re "(^.*)$"
    sleep 2
    send "$MYPASSWD\r"
    expect eof

for example, my first recommendation would be

    log_user 0
    spawn net rpc rights list accounts -S smbsrv -U root
    expect assword:
    send $MYPASSWD\r
    expect eof
    puts $expect_out(buffer)

While I'm not certain of your requirements for this script, my version
should get you farther, and will be more reliable.

Let me know if you want me to rewrite the first half, too.

On Fri, May 1, 2009 at 12:02 PM, Todd E Thomas wrote:

> Hey all,
>
> I'm coloring outside the lines a little bit here but I would like to
> automate the install of a samba pdc. Within that script to install I would
> like to assign rights to a group. Here is an example of a few steps:
>
> # Create Unix group:
> groupadd domadmins
>
> # Map unix group to samba groups:
> net groupmap add ntgroup="Domain Admins" unixgroup=domadmins rid=512 type=d
>
> # Assign rights to samba group:
> net rpc rights grant 'OFFICE\Domain Admins' \
>     SeMachineAccountPrivilege SeTakeOwnershipPrivilege \
>     SeBackupPrivilege SeRestorePrivilege SeRemoteShutdownPrivilege \
>     SePrintOperatorPrivilege SeAddUsersPrivilege \
>     SeDiskOperatorPrivilege \
>     -S smbsrv -U root
>
> Our script does this and a whole lot more, all successful but the above is
> where we are having the problem. Creating the Unix group and mapping unix to
> samba groups are both successful. We've opted to use expect as nothing else
> seems appropriate or works.
>
> We are failing on automating assigning rights. We know that the expect
> script is communicating with net command just fine because the 'net rpc
> rights list ...' does return information. However, the 'net rpc rights grant
> ...' with its quotes and backslashes characters doesn't seem to be working.
>
> Here's the expect script:
> ---
> #!/usr/bin/expect
>
> set MYPASSWD "mypasswd"
>
> # why doesn't this work?
> #spawn /usr/bin/net rpc rights grant \\\"OFFICE\\\Domain Admins\\\"
> SeMachineAccountPrivilege SeTakeOwnershipPrivilege SeBackupPrivilege
> SeRestorePrivilege SeRemoteShutdownPrivilege SePrintOperatorPrivilege
> SeAddUsersPrivilege SeDiskOperatorPrivilege -S smbsrv -U root
>
> # try evaluating arguments first?
>
> set netargs "rpc rights grant \\\"OFFICEDomain Admins\\\"
> SeMachineAccountPrivilege SeTakeOwnershipPrivilege SeBackupPrivilege
> SeRestorePrivilege SeRemoteShutdownPrivilege SePrintOperatorPrivilege
> SeAddUsersPrivilege SeDiskOperatorPrivilege -S smbsrv -U root"
> eval spawn /usr/bin/net $netargs
>
> expect -re "(^.*)$"
> sleep 10
> send "$MYPASSWD\r"
> puts "\n\tJust slept and sent password, but don't get response Password:
> until after this puts statement\n\tIs the spawn not handling quotes and
> backslash correctly?"
> expect eof
>
> puts "\nconfirm if rights grant worked, note there are no quotes or
> backslash in this rpc rights command\n"
> spawn /usr/bin/net rpc rights list accounts -S smbsrv -U root
> expect -re "(^.*)$"
> sleep 2
> send "$MYPASSWD\r"
> expect eof
> ---
>
> Save the script as e1.exp, chmod 755 e1.exp, invoke as ./e1.exp. Of course
> we are running this as root. Here's example of output:
> ---
> spawn /usr/bin/net rpc rights grant "OFFICE\Domain Admins"
> SeMachineAccountPrivilege SeTakeOwnershipPrivilege SeBackupPrivilege
> SeRestorePrivilege SeRemoteShutdownPrivilege SePrintOperatorPrivilege
> SeAddUsersPrivilege SeDiskOperatorPrivilege -S smbsrv -U root
>
>     Just slept and sent password, but don't get response Password: until
> after this puts statement
>     Is the spawn not handling quotes and backslash correctly?
> Password:
>
> confirm if rights grant worked, note there are no quotes or backslash in
> this rpc rights command
>
> spawn /usr/bin/net rpc rights list accounts -S smbsrv -U root
> Password:
> BUILTIN\Print Operators
> No privileges assigned
>
> BUILTIN\Account Operators
> No privileges assigned
>
> BUILTIN\Backup Operators
> No privileges assigned
>
> BUILTIN\Server Operators
> No privileges assigned
>
> BUILTIN\Administrators
> SeMachineAccountPrivilege
> SeTakeOwnershipPrivilege
> SeBackupPrivilege
> SeResto

[Samba] Sun ONE and Samba

2009-03-15 Thread Cameron Laird
Has anyone had success using Sun ONE as an LDAP (authentication)
back-end to Samba (preferably 4.0, but 3.3 would be fine)?

I've found people who've tried and given up.

Sun itself hasn't provided answers, but I haven't given up on them;
I'll keep reformulating my questions, and asking again.

One speculation on my part is that, if I can just figure out where in
Sun ONE the LANMAN passwords are kept, I could write my own PAM and
get somewhere.


Searching a mailman archive (was: [Samba] Complex [homes])

2009-03-10 Thread Cameron Laird
I need help with this advice.

It's very meaningful to me to learn that a particular subject has
already arisen.  However, I don't understand "... search the list".
I've looked all around <https://lists.samba.org/mailman/listinfo/samba>,
and not discovered a search facility.  When you write "search the list",
do you mean something like the results provided by
<http://www.google.com/search?as_q=include&as_sitesearch=lists.samba.org>?
I have the feeling you know a better way to search than I do.

On Tue, Mar 10, 2009 at 11:18 AM, Miguel Medalha wrote:
   ...
> That question has already been solved in previous posts. Please search the
> list.
>
> The solution lies with the use of the "include" parameter.
   ...


[Samba] Sun One feasible for Samba

2009-02-24 Thread Cameron Laird
Is Sun ONE a feasible LDAP repository for use with recent Samba
(presumably 3.3)?  I've sought tutorials, mailing-list threads, and so
on, and found only marginally-related information.  My impression is
that, yes, it's possible in principle, but will require customization
of the Sun ONE schema that's documented no place public.

I did come across
<http://lists.samba.org/archive/samba-technical/2005-January/039343.html>.
I assume I'd need to update this, and also account for sambaConfig.

Any definite results or conclusions are a big help, as I don't have
direct control over the Sun ONE instance; it's the responsibility of a
different group under the same employer.  Unless I hear particularly
encouraging words, I'll create my own OpenLDAP instance, use *it* to
back Samba, and do my best to synchronize the OpenLDAP repository with
the authoritative content from Sun ONE.