[Samba] OT: 1 year samba dev exp looking for a samba job

2003-08-07 Thread Chere Zhou
Hi,
 
I spent 1 year doing samba development for my previous company, and now I am looking 
for an opportunity to continue in this area because I like it very much.  Part time or 
full time, permanent or contract, all fine for me.
 
Please reply to me if anybody/company is interested, and I will forward you my resume.
 
Thanks for reading.  Looking forward to hearing from you!
 
Chere 
 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Samba 3b3 + ADS

2003-07-30 Thread Chere Zhou
For your freebsd box: Did you install openldap?  You can do that from the 
ports tree.  Then after configure, make sure you get HAVE_LDAP, HAVE_LDAP_H 
in config.h.  If not, try to give the ldap header and library paths to the 
configure script.


On Wednesday 30 July 2003 04:18 pm, Will Froning wrote:
 I've been trying for a couple of days to get ADS support built into
 Samba 3.  I've been searching the archives for something that will help
 me out, but nothing seems to work.

 Here's what I've tried, first on FreeBSD 4.8:

 FreeBSD 4.8
 Samba 3b3, ./configure --with-ads --with-krb5=/usr (I installed FBSD
 krb5 from /usr/src/kerberos5) works like a charm.  make works and I see
 all the fancy ads stuff fly by the screen like it's compiling.  I then
 test source/bin/net ads - ADS support not compiled in.

 I then try it with MIT krb5 and samba fails to compile
 (--with-krb5=/usr/local).  I try heimdal krb5 and that compiles, but
 same ADS support not compiled in message pops up.

 So I give up and try Solaris 8.
 I try the --with-krb5=/usr --with-ads and that can't find the libs, so I
 install MIT krb5 and it finds krb5-config and compiles, but same mesg.

 I'm at a total loss on what's going on here.  Am I missing some super
 major step?  Any help is greatly appreciated.

 Please CC me on the reply, I wil also be checking the online archive to
 see if I've missed a post.

 Thanks,
 Will


[Samba] Re: Joining samba to AD domain with a non-admin user

2003-07-18 Thread Chere Zhou
Well, I know that the user I am using does not have rights to delete from 
LDAP, neither joining a windows box nor samba.  So I am careful enough to 
delete the account from ADS first.  Otherwise, it will fail at deleting the 
computer account for both Win and samba.

Secondly, using -U or not with net ads join does not make a difference.  I 
did debug through there to find that it is the ldap_add_s fails.  However, I 
do not see how my kerberos user principal is being used for the LDAP 
connection, though different principal does make the difference.  I guess 
it's the bind to LDAP call?  But the ads.auth.user_name is always root, which 
is the Unix account I am working on, and ads.auth.password always .


On Friday 18 July 2003 01:29 pm, Antti Andreimann wrote:
 On a fine day (Friday, 18 July 2003 03:12) Chere Zhou wrote:
  So my question is, is this supported, or broken, or am I using it wrong?

 Well it is supported, but not extensively tested with different users.
 Therefore it is great that you are actually trying this feature out.

  The failure happens during ldap_add_s called from ads_add_machine_acct().

 The failure in ldap_add_s seems to indicate that AD is refusing to add the
 machine account, maybe due to insufficient rights, but maybe because there is
 already an account for the machine.
 Do you get any other error messages as well? Failure to delete the account
 prior to adding, for instance?

  I do kinit before the net ads join command.  However I haven't found
  where the kerberos ticket was used before the failure although the ticket
  does make a difference.

 The first thing that comes to my mind is that maybe you should try
 net ads join -U username.
 This way the net command will get a brand new ticket from AD. It should use
 the kerberos cache otherwise, and actually both ways should work, but maybe
 there is some unknown bug.
 Another thing that you could try is to remove the machine account from AD
 by hand (if it exists) prior to joining it with samba.
 I am looking forward to receiving your feedback on if and how any of those
 suggestions worked.


[Samba] Joining samba to AD domain with a non-admin user

2003-07-17 Thread Chere Zhou
I need help to resolve this issue.

I saw that Andrew put a patch by Antti to enable users without full admin 
access to join samba into an AD domain.  I am playing with it and always get 
Insufficient access.  Using the same user, I can join a Windows box into 
the domain just fine.  The user is a member of domain users, but not 
domain admins.  I can use a user in domain admins to join the AD domain 
fine too.  I tried with beta3, and it's the same as alpha24 and alpha21 (a21 
did not have Antti's patch).  

So my question is, is this supported, or broken, or am I using it wrong?  The 
failure happens during ldap_add_s called from ads_add_machine_acct().  I do 
kinit before the net ads join command.  However I haven't found where the 
kerberos ticket was used before the failure although the ticket does make a 
difference.

Thanks,
Chere


Re: [Samba] Samba on a Windows 2003 Domain

2003-07-01 Thread Chere Zhou
You will need to upgrade to samba3.0 (which is currently in beta), and use 
the new ADS feature to join the 2003 domain.

On Tuesday 01 July 2003 11:59 am, Chuck Holley wrote:
 We are currently running samba 2.2.1, and we are in the process of
 migrating from an NT to 2003 domain.  Will samba be able to act as a member
 server and continue to serve files?



 Chuck Holley, MCP, CCNA

 LAN Administrator

 FitnessQuest Inc.

 Canton, OH


Re: [Samba] FreeBSD + winbindd + PAM

2003-06-24 Thread Chere Zhou
Hi,  Did you fix this problem?  I want to do the same thing, but I can not 
get nsswitch to configure correctly yet.  pw user show gives no such user. 
 Can you tell me how you hooked up winbind and nsswitch?  PAM should not be 
needed if you just use smbd, and this is what I want to do first.

Thanks,
Chere


On Tuesday 10 June 2003 11:07 am, Guy Antony Halse wrote:
 On Tue 2003-06-10 (20:02), chris Bouchet wrote:
 #getent passwd ?
 
 if this works you should see all the users including the domain ones.

 This works on FreeBSD 5.1-BETA.  FreeBSD 4.x's implementation of nsswitch
 is incompatible with libnss_winbind (or any other shared object based nss
 library), hence the need to get it to work with PAM rather than NSS.

 - Guy


Re: [Samba] Windows 2000 Domain Local Users Groups

2003-06-13 Thread Chere Zhou
Check  ftp://ftp.samba.org/pub/tridge/misc/samba_22_local_group.patch

It gets local groups, but not universal groups.  


On Friday 13 June 2003 02:13 pm, Tom Dickson wrote:
 Does winbind support (in samba 2) retrieving Domain Local Users and Groups
 from a Windows 2000 server in Native mode?

 My setup has winbind seeing the Global users, but not the Universal or
 Local ones.

 My guess is that Samba 3 is what I need here, but I was wondering if there
 are any quick hacks to get 2.2 working until 3 goes gold.

 -Tom


Re: [Samba] win bind authentication

2003-06-12 Thread Chere Zhou
 NT_STATUS_NO_LOGON_SERVERS (PAM: 4)
 [2003/06/12 09:29:17, 10] nsswitch/winbindd.c:client_write(469)
   client_write: wrote 1300 bytes.
 [2003/06/12 09:29:17, 10] nsswitch/winbindd.c:winbind_client_read(422)
   client_read: read 0 bytes. Need 1312 more for a full request.
 [2003/06/12 09:29:17, 5] nsswitch/winbindd.c:winbind_client_read(427)
   read failed on sock 16, pid 10953: EOF

 -Original Message-
 From: Chere Zhou [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 11, 2003 5:25 PM
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: Re: [Samba] win bind authentication


 I looked back at your message, and it seems that you can ping, can list
 users and groups, but -t and user login always fail, is that right?  That's
 kind of strange to me.  Did you do -t and user login with the password
 server set too?  Maybe you should bump up debug level and send us the logs.

 On Wednesday 11 June 2003 12:51 pm, Tod B. Schmidt wrote:
  I can ping the winbindd and I have tried both with and without the
  password server set.
 
  -Tod
 
  -Original Message-
  From: Chere Zhou [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, June 11, 2003 2:42 PM
  To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
  Subject: Re: [Samba] win bind authentication
 
 
  Is wbinfo -p fine? if not, restart winbindd.  If still not, try put
  password server = pdc-name into your smb.conf and restart again.
 
  On Wednesday 11 June 2003 11:09 am, Tod B. Schmidt wrote:
   Yes, I can do kinit and then log into my win2k machines with smbclient
   fine, but cannot log into my samba accounts from my win2k box.
  
   I think the fact that winbind -t fails is significant, but I can join
   the domain fine, so I am not sure what is happening here.
  
   [EMAIL PROTECTED] etc]# net join
   [2003/06/11 14:01:38, 0] libads/ldap.c:ads_join_realm(1352)
 Host account for maildev already exists - deleting old account
   Joined 'MAILDEV' to realm 'TNCTEST.ORG'
  
   [EMAIL PROTECTED] etc]# wbinfo -t
   checking the trust secret via RPC calls failed
   error code was NT_STATUS_UNSUCCESSFUL (0xc001)
   Could not check secret
  
   Also, when I list wbinfo -u or getent passwd I get entries that start
   with TNCTEST and not TNCTEST.ORG, not sure if that is important.
   Kerberos will not authenticate against the realm TNCTEST so I think it
   has to be TNCTEST.ORG
  
   Thanks,
   Tod Schmidt
  
  
   -Original Message-
   From: Brandon Lederer [mailto:[EMAIL PROTECTED]
   Sent: Wednesday, June 11, 2003 1:41 PM
   To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
   Subject: RE: [Samba] win bind authentication
  
  
   You guys got the encryption on?
  
   -Original Message-
   From: Tod B. Schmidt [mailto:[EMAIL PROTECTED]
   Sent: Wednesday, June 11, 2003 12:38 PM
   To: [EMAIL PROTECTED]
   Subject: Re: [Samba] winbind authentication
  
  
  
  
   I am getting this same error when trying to authenticate. Very
   frustrating because everything else works, wbinfo, getent. I can login
   to Win2K server with kerberos, but I always see NT_STATUS_NO_LOGON_SERVERS
   when trying to authenticate.
  
   [EMAIL PROTECTED] etc]# wbinfo -a user+password
   plaintext password authentication failed
   error code was NT_STATUS_NO_LOGON_SERVERS (0xc05e)
   error messsage was: No logon servers
   Could not authenticate user user+password with plaintext password
   challenge/response password authentication failed
   error code was NT_STATUS_NO_LOGON_SERVERS (0xc05e)
   error messsage was: No logon servers
   Could not authenticate user user+password with challenge/response
  
   The only other thing that fails is wbinfo -t
  
   [EMAIL PROTECTED] etc]# wbinfo -t
   checking the trust secret via RPC calls failed
   error code was NT_STATUS_UNSUCCESSFUL (0xc001)
   Could not check secret
  
   I have joined the computer to the domain but am just beating my head
   against this issue.
  
   Any thoughts out there?
  
   TIA,
   T Schmidt
  
   I am having the same issue. I am running Samba 3 Alpha 24 trying to
   connect to a W2K3 Server with AD. If I getent or chown I can see all my
   domain users, but sshd, login, etc (PAM apps) can't see the accounts. When
   I try to login to the console as an AD user or SSH I get the following
   in /var/log/messages: Jun 2 20:38:58 gonzo pam_winbind[1900]: request
   failed: No logon servers, PAM error was 4, NT error was
   NT_STATUS_NO_LOGON_SERVERS. The issue is when I do wbinfo I can see
   everything. My config is as follows: [global]
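As an added example, not part of the thread and not Samba code: a small C triage parser for winbindd debug output of the kind quoted at the top of this message. It splits the log into records, keeps the ones worth reading when the capture was taken at debug level 10 (level 5 or below, or anything carrying an NT_STATUS_* code) and pulls the status code out, which here is the NT_STATUS_NO_LOGON_SERVERS that pam_winbind also reports further down the thread. The sample log is constructed from the quoted lines; the header attached to the "(PAM: 4)" fragment is a placeholder, since the thread shows only that message tail, and extract_nt_status() works on the syslog-style pam_winbind line as well.

```c
/* Added example, not Samba code: triage parser for winbindd debug output. A
 * record is a "[date time, level] file:function(line)" header plus indented
 * continuation lines; at level 10 only a few records are worth a human's time. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_RECS 32
#define MSG_LEN  256

struct wb_rec {
    int  level, line;        /* debug level and source line from the header */
    char file[64], func[64]; /* e.g. nsswitch/winbindd.c, winbind_client_read */
    char msg[MSG_LEN];       /* continuation lines joined with single spaces */
    char nt_status[64];      /* first NT_STATUS_* token in msg, or "" */
};

static int parse_header(const char *s, struct wb_rec *r)
{
    int y, mo, d, h, mi, se;     /* timestamp fields: parsed, not kept */
    return sscanf(s, "[%d/%d/%d %d:%d:%d, %d] %63[^:]:%63[^(](%d)", &y, &mo, &d,
                  &h, &mi, &se, &r->level, r->file, r->func, &r->line) == 10;
}

/* Copy the first NT_STATUS_* identifier in s into out (size n > 0); 1 if found. */
int extract_nt_status(const char *s, char *out, size_t n)
{
    const char *p = strstr(s, "NT_STATUS_");
    size_t i = 0;
    out[0] = '\0';
    if (!p) return 0;
    while (p[i] && i + 1 < n && (isalnum((unsigned char)p[i]) || p[i] == '_'))
        out[i] = p[i], i++;
    out[i] = '\0';
    return 1;
}

/* Append a continuation line, leading whitespace trimmed, to the record. */
static void append_msg(struct wb_rec *r, const char *line)
{
    size_t used;
    while (*line == ' ' || *line == '\t') line++;
    used = strlen(r->msg);
    if (used > 0 && used + 1 < MSG_LEN) { r->msg[used++] = ' '; r->msg[used] = '\0'; }
    strncat(r->msg, line, MSG_LEN - 1 - used);
}

/* Split text into records; returns how many were stored (at most max). */
int parse_winbind_log(const char *text, struct wb_rec *recs, int max)
{
    int n = 0; const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (line[0] == '[') {                     /* header: start a record */
            if (n < max) {
                memset(&recs[n], 0, sizeof recs[n]);
                if (parse_header(line, &recs[n])) n++;
            }
        } else if (n > 0 && line[0] != '\0') {    /* continuation line */
            append_msg(&recs[n - 1], line);
            extract_nt_status(recs[n - 1].msg, recs[n - 1].nt_status,
                              sizeof recs[n - 1].nt_status);
        }
        if (!nl) break;
        p = nl + 1;
    }
    return n;
}

/* Count records worth a look (level <= 5 or carrying a status code); the
 * first NT status seen is copied to first_status (size n). */
int triage(const char *text, char *first_status, size_t n)
{
    struct wb_rec recs[MAX_RECS];
    int count = parse_winbind_log(text, recs, MAX_RECS), flagged = 0, i;
    if (n) first_status[0] = '\0';
    for (i = 0; i < count; i++) {
        int has_status = recs[i].nt_status[0] != '\0';
        if (recs[i].level > 5 && !has_status) continue;
        flagged++;
        if (has_status && n && first_status[0] == '\0') {
            strncpy(first_status, recs[i].nt_status, n - 1);
            first_status[n - 1] = '\0';
        }
    }
    return flagged;
}

/* Constructed sample. Record 1's header is a placeholder (the thread shows only
 * the "(PAM: 4)" message tail); records 2-4 are the quoted lines verbatim. */
const char *SAMPLE_LOG =
    "[2003/06/12 09:29:17, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(0)\n"
    "  NT_STATUS_NO_LOGON_SERVERS (PAM: 4)\n"
    "[2003/06/12 09:29:17, 10] nsswitch/winbindd.c:client_write(469)\n"
    "  client_write: wrote 1300 bytes.\n"
    "[2003/06/12 09:29:17, 10] nsswitch/winbindd.c:winbind_client_read(422)\n"
    "  client_read: read 0 bytes. Need 1312 more for a full request.\n"
    "[2003/06/12 09:29:17, 5] nsswitch/winbindd.c:winbind_client_read(427)\n"
    "  read failed on sock 16, pid 10953: EOF\n";
```

Running triage(SAMPLE_LOG, buf, sizeof buf) flags two of the four records (the status line and the level-5 EOF) and returns NT_STATUS_NO_LOGON_SERVERS in buf; the two level-10 socket bookkeeping lines, which dominate a real level-10 log, are dropped. Feed it a whole log.winbindd and the status code is the first thing to look up, as the replies in this thread do.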


Re: [Samba] Authentication

2003-06-12 Thread Chere Zhou
Yes, you still need winbindd.  Better yet, you need to configure nsswitch and 
pam.


On Thursday 12 June 2003 07:24 am, Chip Bell wrote:
 I'm not sure if I'm clear.  I have a win2k native domain.  I want to add
 a samba file server so users can access it through network neighborhood.
 I set up the Kerberos stuff, I can do that from the linux box fine.  Do
 I STILL need to do the winbind stuff in order for users to not have to
 authenticate to the samba box?



 Thanks for your help.  Newbie here...


Re: [Samba] idmap mapping questions

2003-06-12 Thread Chere Zhou
Do you have nsswitch and pam working correctly with winbind?  You need to 
configure nsswitch and pam for that.

On Thursday 12 June 2003 04:04 am, Raphaël Berghmans wrote:
 Hi,

 I've set up a samba 3 server. The mapping between SID and uid is done by
 idmap. When a user creates a file on the server, the owner of this file
 cannot be resolved by Linux (the uid cannot be resolved to the human
 name). Then in smb.conf lists (for example: printer admin) I have to set
 the uid of a user and not his real name, otherwise the user is considered
 unknown!

 How to deal with the access permissions to the files and directories if
 the mapping (SID - uid) changes or if the idmap.tdb is corrupted?

 Thank you for your help.

 Regards,


Re: [Samba] win bind authentication

2003-06-11 Thread Chere Zhou
Is wbinfo -p fine? if not, restart winbindd.  If still not, try put 
password server = pdc-name into your smb.conf and restart again.

On Wednesday 11 June 2003 11:09 am, Tod B. Schmidt wrote:
 Yes, I can do kinit and then log into my win2k machines with smbclient
 fine, but cannot log into my samba accounts from my win2k box.

 I think the fact that winbind -t fails is significant, but I can join the
 domain fine, so I am not sure what is happening here.

 [EMAIL PROTECTED] etc]# net join
 [2003/06/11 14:01:38, 0] libads/ldap.c:ads_join_realm(1352)
   Host account for maildev already exists - deleting old account
 Joined 'MAILDEV' to realm 'TNCTEST.ORG'

 [EMAIL PROTECTED] etc]# wbinfo -t
 checking the trust secret via RPC calls failed
 error code was NT_STATUS_UNSUCCESSFUL (0xc001)
 Could not check secret

 Also, when I list wbinfo -u or getent passwd I get entries that start with
 TNCTEST and not TNCTEST.ORG, not sure if that is important. Kerberos will
 not authenticate against the realm TNCTEST so I think it has to be
 TNCTEST.ORG

 Thanks,
 Tod Schmidt


 -Original Message-
 From: Brandon Lederer [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 11, 2003 1:41 PM
 To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
 Subject: RE: [Samba] win bind authentication


 You guys got the encryption on?

 -Original Message-
 From: Tod B. Schmidt [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 11, 2003 12:38 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Samba] winbind authentication




 I am getting this same error when trying to authenticate. Very frustrating
 because everything else works, wbinfo, getent. I can login to Win2K server
 with kerberos, but I always see NT_STATUS_NO_LOGON_SERVERS  when trying to
 authenticate.

 [EMAIL PROTECTED] etc]# wbinfo -a user+password
 plaintext password authentication failed
 error code was NT_STATUS_NO_LOGON_SERVERS (0xc05e)
 error messsage was: No logon servers
 Could not authenticate user user+password with plaintext password
 challenge/response password authentication failed
 error code was NT_STATUS_NO_LOGON_SERVERS (0xc05e)
 error messsage was: No logon servers
 Could not authenticate user user+password with challenge/response

 The only other thing that fails is wbinfo -t

 [EMAIL PROTECTED] etc]# wbinfo -t
 checking the trust secret via RPC calls failed
 error code was NT_STATUS_UNSUCCESSFUL (0xc001)
 Could not check secret

 I have joined the computer to the domain but am just beating my head
 against this issue.

 Any thoughts out there?

 TIA,
 T Schmidt

 I am having the same issue. I am running Samba 3 Alpha 24 trying to
 connect to a W2K3 Server with AD. If I getent or chown I can see all my
 domain users, but sshd, login, etc (PAM apps) can't see the accounts. When
 I try to login to the console as an AD user or SSH I get the following in
 /var/log/messages: Jun 2 20:38:58 gonzo pam_winbind[1900]: request failed:
 No logon servers, PAM error was 4, NT error was NT_STATUS_NO_LOGON_SERVERS.
 The issue is when I do wbinfo I can see everything. My config is as
 follows: [global]


Re: [Samba] win bind authentication

2003-06-11 Thread Chere Zhou
I looked back at your message, and it seems that you can ping, can list users 
and groups, but -t and user login always fail, is that right?  That's kind of 
strange to me.  Did you do -t and user login with the password server set 
too?  Maybe you should bump up debug level and send us the logs. 


On Wednesday 11 June 2003 12:51 pm, Tod B. Schmidt wrote:
 I can ping the winbindd and I have tried both with and without the password
 server set.

 -Tod

 -Original Message-
 From: Chere Zhou [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 11, 2003 2:42 PM
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: Re: [Samba] win bind authentication


 Is wbinfo -p fine? if not, restart winbindd.  If still not, try put
 password server = pdc-name into your smb.conf and restart again.

 On Wednesday 11 June 2003 11:09 am, Tod B. Schmidt wrote:
  Yes, I can do kinit and then log into my win2k machines with smbclient
  fine, but cannot log into my samba accounts from my win2k box.
 
  I think the fact that winbind -t fails is significant, but I can join the
  domain fine, so I am not sure what is happening here.
 
  [EMAIL PROTECTED] etc]# net join
  [2003/06/11 14:01:38, 0] libads/ldap.c:ads_join_realm(1352)
Host account for maildev already exists - deleting old account
  Joined 'MAILDEV' to realm 'TNCTEST.ORG'
 
  [EMAIL PROTECTED] etc]# wbinfo -t
  checking the trust secret via RPC calls failed
  error code was NT_STATUS_UNSUCCESSFUL (0xc001)
  Could not check secret
 
  Also, when I list wbinfo -u or getent passwd I get entries that start
  with TNCTEST and not TNCTEST.ORG, not sure if that is important. Kerberos
  will not authenticate against the realm TNCTEST so I think it has to be
  TNCTEST.ORG
 
  Thanks,
  Tod Schmidt
 
 
  -Original Message-
  From: Brandon Lederer [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, June 11, 2003 1:41 PM
  To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
  Subject: RE: [Samba] win bind authentication
 
 
  You guys got the encryption on?
 
  -Original Message-
  From: Tod B. Schmidt [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, June 11, 2003 12:38 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [Samba] winbind authentication
 
 
 
 
  I am getting this same error when trying to authenticate. Very
  frustrating because everything else works, wbinfo, getent. I can login to
  Win2K server with kerberos, but I always see NT_STATUS_NO_LOGON_SERVERS 
  when trying to authenticate.
 
  [EMAIL PROTECTED] etc]# wbinfo -a user+password
  plaintext password authentication failed
  error code was NT_STATUS_NO_LOGON_SERVERS (0xc05e)
  error messsage was: No logon servers
  Could not authenticate user user+password with plaintext password
  challenge/response password authentication failed
  error code was NT_STATUS_NO_LOGON_SERVERS (0xc05e)
  error messsage was: No logon servers
  Could not authenticate user user+password with challenge/response
 
  The only other thing that fails is wbinfo -t
 
  [EMAIL PROTECTED] etc]# wbinfo -t
  checking the trust secret via RPC calls failed
  error code was NT_STATUS_UNSUCCESSFUL (0xc001)
  Could not check secret
 
  I have joined the computer to the domain but am just beating my head
  against this issue.
 
  Any thoughts out there?
 
  TIA,
  T Schmidt
 
  I am having the same issue. I am running Samba 3 Alpha 24 trying to
  connect to a W2K3 Server with AD. If I getent or chown I can see all my
  domain users, but sshd, login, etc (PAM apps) can't see the accounts. When
  I try to login to the console as an AD user or SSH I get the following
  in /var/log/messages: Jun 2 20:38:58 gonzo pam_winbind[1900]: request
  failed: No logon servers, PAM error was 4, NT error was
  NT_STATUS_NO_LOGON_SERVERS. The issue is when I do wbinfo I can see
  everything. My config is as follows: [global]


only the first wins server works?

2003-03-31 Thread Chere Zhou
If I have 2 wins server set in smb.conf like the following:
wins server = 172.16.0.61, 172.16.10.8

I can verify that only the first works, the second does not, because the 2 
wins servers have different contents in them, one for some domains and the 
other for some other domains.  I have trusted domains in both of the wins 
servers.  The domains are w2k domains, so the trust works through DNS, but I 
joined samba 3.0 as an NT4 server.

So my question is, is this by design of how WINS is supposed to work, or 
otherwise a problem in samba?  I am using cvs HEAD code of Mar. 19th.

Chere


Re: [Samba] Samba 3.0 - a bunch of really high level questions

2003-03-26 Thread Chere Zhou

  4) trust relationships in 2000 environment. Is it possible, what
  needs to be done.
 
 This is undocumented at this time. Sorry, we will get around to it soon.

Trust relationships behave exactly as for NT4 - modulo bugs, for the member
server.  For the PDC, we only provide an NT4 PDC, and have not yet completed
all that is required to trust other domains.  

I am using 3.0alpha21.  Trusts in a win2k domain (ADS mode) seem to work, but 
I do not see any trusted domain if I join the domain using NT4 mode.  This is 
fixed in HEAD, but I do need to fix my 3.0a21 version for it. 

abartlet and jht, any hint for me of where to look at?


domain trusts with security=domain does not work for 3.0a21?

2003-03-25 Thread Chere Zhou
Hello,

I verified that when I use security=ads, the domain trusts work.  But when 
I use security=domain and join the w2k domain using net rpc join, I don't 
see any trusted domain.  I checked with wbinfo -m, wbinfo --sequence and 
finally by adding ACL entries for a file served by samba.  

I see that if I use HEAD, security=domain, doing wbinfo -m gives a list 
of domains I expected.

So my question is, what has been done to fix this?  I would like to merge 
the code back if possible.  I can not upgrade to HEAD, because there are too 
many changes.  3.0a21 works for us, well, mostly.

Thanks in advance!
Chere


[Patch] fix for sids new to winbind always map to a uid

2003-03-19 Thread Chere Zhou
Since the current sid_to_uid does not check for sid type, but sid_to_gid 
does, and for the purpose of supporting foreign sids, I needed to switch the 
order of calling sid_to_uid and sid_to_gid in posix_acl.c.  

If anybody has had a similar problem to mine, this patch should help you.  The 
original problem was posted earlier with the title 3.0a21: add a new group 
using ACL results in a new user in winbindd idmap.


--- smbd/posix_acls.c.orig  Wed Mar 19 16:59:53 2003
+++ smbd/posix_acls.c   Wed Mar 19 17:00:46 2003
@@ -1003,12 +1003,12 @@
if (nt4_compatible_acls())
psa-flags |= SEC_ACE_FLAG_INHERIT_ONLY;

-   } else if (sid_to_uid( current_ace-trustee, 
current_ace-unix_ug.uid, sid_type)) {
-   current_ace-owner_type = UID_ACE;
-   current_ace-type = SMB_ACL_USER;
} else if (sid_to_gid( current_ace-trustee, 
current_ace-unix_ug.gid, sid_type)) {
current_ace-owner_type = GID_ACE;
current_ace-type = SMB_ACL_GROUP;
+   } else if (sid_to_uid( current_ace-trustee, 
current_ace-unix_ug.uid, sid_type)) {
+   current_ace-owner_type = UID_ACE;
+   current_ace-type = SMB_ACL_USER;
} else {
fstring str;

This patch works better than doing a lookup_sid first, because lookup_sid 
will fail for foreign sids.

Chere


how to patch 3.0a21 for the latest security hole?

2003-03-18 Thread Chere Zhou
I am guessing that older version of 3.0 should have the flaw patched by 2.2.8 
too.  I can not upgrade to HEAD yet.  If my 3.0a21 has the flaw, can someone 
point me to what files I need to look for a merge?

Thanks,
Chere


Fixed: Re: 3.0a21: add a new group using ACL results in a new userin winbindd idmap

2003-03-12 Thread Chere Zhou
Although nobody replied to me, I still think this applies to HEAD and is a 
general problem.  

The reason behind this problem, is that when you add a new group or user not 
known to winbindd_idmap.tdb through ACL, the code in posix_acl.c does the 
following (line 1006):
        } else if (sid_to_uid(&current_ace->trustee,
                              &current_ace->unix_ug.uid, &sid_type)) {
                current_ace->owner_type = UID_ACE;
                current_ace->type = SMB_ACL_USER;
        } else if (sid_to_gid(&current_ace->trustee,
                              &current_ace->unix_ug.gid, &sid_type)) {
                current_ace->owner_type = GID_ACE;
                current_ace->type = SMB_ACL_GROUP;
        } else {

which means, it tries to map the sid to a uid first, if fails, then try gid.  
However, since the following code in sid_to_uid() is commented out:
/* (tridge) I commented out the slab of code below in order to support 
   foreign SIDs
   Do we really need to validate the type of SID we have in this case?
*/
#if 0
        fstring dom_name, name;
        enum SID_NAME_USE name_type;

        *sidtype = SID_NAME_UNKNOWN;
        /*
         * First we must look up the name and decide if this is a user sid.
         */

        if ( (!winbind_lookup_sid(psid, dom_name, name, &name_type)) || 
             (name_type != SID_NAME_USER) ) {
                BOOL result;
                DEBUG(10,("sid_to_uid: winbind lookup for sid %s failed - "
                          "trying local.\n",
                          sid_to_string(sid_str, psid) ));

                become_root();
                result = local_sid_to_uid(puid, psid, sidtype);
                unbecome_root();
                return result;
        }

        /*
         * Ensure this is a user sid.
         */

        if (name_type != SID_NAME_USER) {
                DEBUG(10,("sid_to_uid: winbind lookup succeeded but SID is "
                          "not a uid (%u)\n",
                          (unsigned int)name_type ));
                return False;
        }
#endif

A new SID will always successfully map to uid.

The fix would be, either uncomment the above code in sid_to_uid(), or in 
posix_acl.c, before calling sid_to_uid(), call lookup_sid() first to find 
out the name type (user or group).

Are there any other options?

Chere


On Wednesday 05 March 2003 06:57 pm, Chere Zhou wrote:
 I am in an ADS domain.  From a Windows client, create a file, add a group
 to the file using ACLs (new means the group is not in winbindd database
 yet), the group is mapped as a user in the winbindd_idmap.tdb.  The group
 is not any special type, just a normal group (not local, not universal).

 Anyone knows about this problem?

 Thanks,
 Chere


Re: lookup_sid for a domain local group results in SID_NAME_UNKNOWN

2003-03-12 Thread Chere Zhou
# wbinfo -n localg
S-1-5-21-606747145-117609710-725345543-3244 8

So I guess the type is 8.

Chere


On Wednesday 12 March 2003 05:34 pm, Chere Zhou wrote:
 I am not sure whether it counts or not but my domain is in native mode.  I
 want to know what other people's experiences are with domain local groups.

 I have a domain local group called localg.  sid_to_gid() fails because
 the returned name_type is SID_NAME_UNKNOWN.  I traced it down using gdb,
 and the result from winbindd_request(LOOKUPSID) is:
    dom_name = "ZHOU", '\000' <repeats 251 times>,
    name = "localg", '\000' <repeats 249 times>, type = 8},

 From smb.h:
 /* SID Types */
 enum SID_NAME_USE
 {
 SID_NAME_USE_NONE = 0,/* NOTUSED */
 SID_NAME_USER= 1, /* user */
 SID_NAME_DOM_GRP = 2, /* domain group */
 SID_NAME_DOMAIN  = 3, /* domain: don't know what this is */
 SID_NAME_ALIAS   = 4, /* local group */
 SID_NAME_WKN_GRP = 5, /* well-known group */
 SID_NAME_DELETED = 6, /* deleted account: needed for c2 rating */
 SID_NAME_INVALID = 7, /* invalid account */
 SID_NAME_UNKNOWN = 8  /* oops. */
 };

 So what is SID_NAME_ALIAS for (comment says local group)?

 Is it safe to just change the above to the following without any other code
 change?
   SID_NAME_LOCAL_GRP = 8,
   SID_NAME_UNKNOWN = 9


 Chere
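The two messages above, the sid_to_uid()/sid_to_gid() ordering in posix_acls.c and the SID_NAME_USE values that lookup_sid returns, describe one classification problem from two sides. What follows is an added example written for this page, not Samba code: a plain C model of the three orderings (uid first with no type check, the posted patch's gid first, and type first) over a constructed directory table, so the effect of each on a user, a global group and an unresolvable SID can be checked. RID 3244 is the domain local group from the wbinfo -n output above; RIDs 1105 and 2203, the directory table and the 10000/20000 idmap bases are assumptions. The type-first variant refuses any SID it cannot resolve, which is exactly the foreign-SID cost the earlier message mentions.

```c
/* Added example, not Samba code: models how an ACE trustee SID becomes a
 * UID_ACE or GID_ACE, to show why the order of the sid_to_uid()/sid_to_gid()
 * calls matters when one of them skips the type check. Table values are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* SID_NAME_USE values as listed in the thread. */
enum SID_NAME_USE {
    SID_NAME_USE_NONE = 0, SID_NAME_USER = 1, SID_NAME_DOM_GRP = 2,
    SID_NAME_DOMAIN = 3, SID_NAME_ALIAS = 4, SID_NAME_WKN_GRP = 5,
    SID_NAME_DELETED = 6, SID_NAME_INVALID = 7, SID_NAME_UNKNOWN = 8
};
enum ace_owner { ACE_NONE = 0, UID_ACE = 1, GID_ACE = 2 };

/* Parse "S-1-<auth>-<sub>-...-<rid>"; returns the RID (last sub-authority),
 * or 0 if the string is not a well-formed revision-1 SID. */
uint32_t sid_rid(const char *sid)
{
    unsigned rev; unsigned long long auth; int consumed = 0, nsub = 0;
    uint32_t last = 0; const char *p; char *end;
    if (sscanf(sid, "S-%u-%llu%n", &rev, &auth, &consumed) != 2 || rev != 1)
        return 0;
    for (p = sid + consumed; *p == '-'; p = end, nsub++) {
        last = (uint32_t)strtoul(p + 1, &end, 10);
        if (end == p + 1) return 0;           /* "-" with no digits after it */
    }
    return (*p == '\0' && nsub > 0) ? last : 0;
}

/* Constructed stand-in for a winbind SID lookup: RID -> name type. */
static const struct { uint32_t rid; enum SID_NAME_USE type; } directory[] = {
    { 1105, SID_NAME_USER },     /* assumed: an ordinary domain user */
    { 2203, SID_NAME_DOM_GRP },  /* assumed: a global group */
    { 3244, SID_NAME_UNKNOWN },  /* the domain local group from wbinfo -n */
};

enum SID_NAME_USE lookup_sid_type(const char *sid)
{
    uint32_t rid = sid_rid(sid);
    size_t i;
    for (i = 0; i < sizeof directory / sizeof directory[0]; i++)
        if (directory[i].rid == rid) return directory[i].type;
    return SID_NAME_UNKNOWN;     /* foreign or otherwise unresolvable SID */
}

/* Type-blind uid mapping: any parsable SID "succeeds" as a user, which is
 * what sid_to_uid() does with its validation block compiled out. */
int sid_to_uid_blind(const char *sid, uint32_t *uid)
{
    uint32_t rid = sid_rid(sid);
    if (!rid) return 0;
    *uid = 10000 + rid;          /* assumed idmap allocation scheme */
    return 1;
}

/* Type-checked gid mapping, as the thread describes sid_to_gid(). */
int sid_to_gid_checked(const char *sid, uint32_t *gid)
{
    enum SID_NAME_USE t = lookup_sid_type(sid);
    uint32_t rid = sid_rid(sid);
    if (!rid || (t != SID_NAME_DOM_GRP && t != SID_NAME_ALIAS && t != SID_NAME_WKN_GRP))
        return 0;
    *gid = 20000 + rid;          /* assumed idmap allocation scheme */
    return 1;
}

/* Original order: uid first. Every trustee becomes a UID_ACE. */
enum ace_owner classify_original(const char *sid)
{
    uint32_t id;
    if (sid_to_uid_blind(sid, &id)) return UID_ACE;
    if (sid_to_gid_checked(sid, &id)) return GID_ACE;
    return ACE_NONE;
}

/* Posted patch's order: gid first. Groups come out right, but a SID of
 * unknown type still falls through to the type-blind uid path. */
enum ace_owner classify_patched(const char *sid)
{
    uint32_t id;
    if (sid_to_gid_checked(sid, &id)) return GID_ACE;
    if (sid_to_uid_blind(sid, &id)) return UID_ACE;
    return ACE_NONE;
}

/* Type first: decide from the lookup result and refuse what cannot be resolved. */
enum ace_owner classify_typed(const char *sid)
{
    uint32_t id;
    switch (lookup_sid_type(sid)) {
    case SID_NAME_USER:
        return sid_to_uid_blind(sid, &id) ? UID_ACE : ACE_NONE; /* type already verified */
    case SID_NAME_DOM_GRP: case SID_NAME_ALIAS: case SID_NAME_WKN_GRP:
        return sid_to_gid_checked(sid, &id) ? GID_ACE : ACE_NONE;
    default:
        return ACE_NONE;         /* unknown, invalid or foreign: do not guess */
    }
}
```

With RID 2203 the original order yields UID_ACE and the patched order GID_ACE, which is the fix the thread reports; with RID 3244 both type-blind orderings still yield UID_ACE, and only the type-first variant returns ACE_NONE. That last result is the trade-off: a SID that lookup_sid cannot resolve gets no POSIX mapping at all, rather than a wrong one.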


[Samba] Re: How to verify the domain secret is good or bad?

2003-03-11 Thread Chere Zhou
On Tuesday 11 March 2003 01:23 pm, Scott Prive wrote:
 - Original Message -
 From: Chere Zhou [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Sent: Tuesday, March 11, 2003 3:40 PM
 Subject: How to verify the domain secret is good or bad?

  I know there is the command wbinfo -t.  But when it says that could
  not check secret, how do I know it's the secret is bad, or something
  else

 wrong,

  like winbind went crazy maybe?
 
  Also, sometimes I saw problems like wbinfo -t just says secret is
  bad, when all the daemons were running.  It sure was good at some point
  before.
 
  So my question is, in what condition that the secret can go bad?  How do
  I check it?

 The pdc-secret thing is something I don't completely understand, but I *do*
 know that secret-testing is done loosely over the network. A bad secret
 does not mean conclusively that the secret is bad... it means that the test
 was not successful. So you can get secret is bad if for example the
 network is congested, etc. and the compare did not occur in time.

 Sometimes I've joined a domain and still got this error. If I wait 60
 seconds and re-run wbinfo -t, I get a 'secret is good'.

 Also, I believe the secret can go bad if you change hostname or some other
 info. I'm not entirely sure what all the possible failures are.

 -Scott

So, if I do not do anything like change hostname, ip or anything like that, 
my secret should potentially always be good?  That's good to know.


[Samba] How to verify the domain secret is good or bad?

2003-03-11 Thread Chere Zhou
I know there is the command wbinfo -t.  But when it says that could not 
check secret, how do I know whether it's the secret that is bad, or something 
else wrong, like winbind went crazy maybe?  

Also, sometimes I saw problems like wbinfo -t just says secret is bad, 
when all the daemons were running.  It sure was good at some point before.  

So my question is, in what condition that the secret can go bad?  How do I 
check it?

Thanks in advance.

Chere


Re: bug or typo in smbd/service.c: make_connection_snum(line 530)?

2003-03-11 Thread Chere Zhou
Thanks for the explanation.  That helps.


On Tuesday 11 March 2003 12:52 am, Andrew Bartlett wrote:
 On Tue, 2003-03-11 at 12:16, Chere Zhou wrote:
  The block reads:
 
   if (conn->force_user || conn->force_group) {
  
           /* groups stuff added by ih */
           conn->ngroups = 0;
           conn->groups = NULL;
  
           /* Find all the groups this uid is in and
              store them. Used by change_to_user() */
           initialise_groups(conn->user, conn->uid, conn->gid);
           get_current_groups(conn->gid, &conn->ngroups, &conn->groups);
  
           conn->nt_user_token = create_nt_token(conn->uid, conn->gid,
                                                 conn->ngroups, conn->groups,
                                                 guest);
   }
  
   I think the if should be ( ! (conn->force_user || conn->force_group)), 
   since the force_user and force_group processing should be all done just
   before this block of code.  Otherwise I don't understand the logic here.
 
  I think this is related to my earlier posting with the subject of 3.0a21
  and HEAD: only primary group of a domain user is set on smbd.

 If force_user or force_group is not set, then we don't use these
 values.  Instead we use the values attached to the vuid.

 Andrew Bartlett


Fixed: Re: 3.0a21 and HEAD: only primary group of a domain user isset on smbd

2003-03-11 Thread Chere Zhou
Turns out that because I do not have nsswitch, I need to hack 
sys_getgrouplist to query winbind for domain users.  I did not have to do that 
for 2.2.x.  I should have said that I am on FreeBSD.  

Anyway, thanks for all the answers.

Chere


On Tuesday 04 March 2003 11:48 pm, Andrew Bartlett wrote:
 On Wed, 2003-03-05 at 12:27, Chere Zhou wrote:
  Dear list,
 
  I know that on 2.2.5, when we get user info from winbindd, we also
  initialize group information based on the group list got from winbind,
  and do a setgroups for the process, so that all of the groups the user
  is a member of are set on the smbd.
 
  Now on 3.0a21 and HEAD, I do not see any setgroup operation from
  winbind, and the smbd process only got the primary group of the Win2k
  domain user.  So it fails when a file permission is checked for other
  groups the user is a member of.
 
  I can see that sec_ctx.c is about the only place that calls sys_setgroups
  now, when the Unix group info has only the primary group.  At the same
  place the NT token has about 9 groups for my test user.
 
  Can somebody explain why we are not doing what 2.2.5 was doing?  Is there
  any design issue related to this?

 If you update your HEAD checkout, you will find that I have fixed this
 'issue'.  The problem is that the Win2k server does not report any
 groups for these users in LDAP, and as such we only use the 'primaryGid'
 attribute from the Active Directory query.  There are however
 alternative queries that can be made, and I have implemented logic to
 detect this situation (it occurs mainly in child domains, we think).

 Unfortunately this change is only in HEAD, not Samba 3.0 at this stage.

 Andrew Bartlett


Re: How to verify the domain secret is good or bad?

2003-03-11 Thread Chere Zhou
On Tuesday 11 March 2003 01:23 pm, Scott Prive wrote:
 - Original Message -
 From: Chere Zhou [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Sent: Tuesday, March 11, 2003 3:40 PM
 Subject: How to verify the domain secret is good or bad?

  I know there is the command wbinfo -t.  But when it says that it could
  not check the secret, how do I know whether the secret is bad, or something
  else is wrong, like winbind went crazy maybe?
 
  Also, sometimes I saw problems like wbinfo -t just says secret is
  bad, when all the daemons were running.  It sure was good at some point
  before.
 
  So my question is, under what conditions can the secret go bad?  How do
  I check it?

 The pdc-secret thing is something I don't completely understand, but I *do*
 know that secret-testing is done loosely over the network. A bad secret
 does not mean conclusively that the secret is bad... it means that the test
 was not successful. So you can get secret is bad if for example the
 network is congested, etc. and the compare did not occur in time.

 Sometimes I've joined a domain and still got this error. If I wait 60
 seconds and re-run wbinfo -t, I get a 'secret is good'.

 Also, I believe the secret can go bad if you change hostname or some other
 info. I'm not entirely sure what all the possible failures are.

 -Scott

So, if I do not do anything like change hostname, ip or anything like that, 
my secret should potentially always be good?  That's good to know.



Re: 3.0a21 and HEAD: only primary group of a domain user is set onsmbd

2003-03-10 Thread Chere Zhou
After managing to compile HEAD on my box, I don't see that my problem is fixed 
on HEAD.  For a user that belongs to 5 groups in an ADS domain, smbd got only 
the primary group.  Here is something from the log:
[2003/03/10 13:01:58, 3] smbd/process.c:switch_message(676)
  switch message SMBntcreateX (pid 11923)
[2003/03/10 13:01:58, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (1, 1) - sec_ctx_stack_ndx = 0
[2003/03/10 13:01:58, 5] auth/auth_util.c:debug_nt_user_token(516)
  NT user token of user S-1-5-21-606747145-117609710-725345543-1005
  contains 9 SIDs
  SID[  0]: S-1-5-21-606747145-117609710-725345543-1005
  SID[  1]: S-1-5-21-606747145-117609710-725345543-513
  SID[  2]: S-1-1-0
  SID[  3]: S-1-5-2
  SID[  4]: S-1-5-11
  SID[  5]: S-1-5-21-606747145-117609710-725345543-3173
  SID[  6]: S-1-5-21-606747145-117609710-725345543-512
  SID[  7]: S-1-5-21-606747145-117609710-725345543-3186
  SID[  8]: S-1-5-21-606747145-117609710-725345543-3187
[2003/03/10 13:01:58, 5] auth/auth_util.c:debug_unix_user_token(530)
  UNIX token of user 1
  Primary group is 1 and contains 2 supplementary groups
  Group[  0]: 1
  Group[  1]: 1
[2003/03/10 13:01:58, 5] smbd/uid.c:change_to_user(203)
  change_to_user uid=(0,1) gid=(0,1)

I would expect the primary group to be 1, with 5 or 6 supplementary groups:
1, 10001, 10002, 10003 etc.

Is this problem familiar to anyone working on Samba 3.0?

Chere


On Tuesday 04 March 2003 11:48 pm, Andrew Bartlett wrote:
 On Wed, 2003-03-05 at 12:27, Chere Zhou wrote:
  Dear list,
 
  I know that on 2.2.5, when we get user info from winbindd, we also
  initialize group information based on the group list got from winbind,
  and do a setgroups for the process, so that all of the groups the user
  is a member of are set on the smbd.
 
  Now on 3.0a21 and HEAD, I do not see any setgroup operation from
  winbind, and the smbd process only got the primary group of the Win2k
  domain user.  So it fails when a file permission is checked for other
  groups the user is a member of.
 
  I can see that sec_ctx.c is about the only place that calls sys_setgroups
  now, when the Unix group info has only the primary group.  At the same
  place the NT token has about 9 groups for my test user.
 
  Can somebody explain why we are not doing what 2.2.5 was doing?  Is there
  any design issue related to this?

 If you update your HEAD checkout, you will find that I have fixed this
 'issue'.  The problem is that the Win2k server does not report any
 groups for these users in LDAP, and as such we only use the 'primaryGid'
 attribute from the Active Directory query.  There are however
 alternative queries that can be made, and I have implemented logic to
 detect this situation (it occurs mainly in child domains, we think).

 Unfortunately this change is only in HEAD, not Samba 3.0 at this stage.

 Andrew Bartlett


bug or typo in smbd/service.c: make_connection_snum(line 530)?

2003-03-10 Thread Chere Zhou
The block reads:

    if (conn->force_user || conn->force_group) {

        /* groups stuff added by ih */
        conn->ngroups = 0;
        conn->groups = NULL;

        /* Find all the groups this uid is in and
           store them. Used by change_to_user() */
        initialise_groups(conn->user, conn->uid, conn->gid);
        get_current_groups(conn->gid, &conn->ngroups, &conn->groups);

        conn->nt_user_token = create_nt_token(conn->uid, conn->gid,
                                              conn->ngroups, conn->groups,
                                              guest);
    }

I think the if should be ( ! (conn->force_user || conn->force_group)), since 
the force_user and force_group processing should be all done just before this 
block of code.  Otherwise I don't understand the logic here.  

I think this is related to my earlier posting with the subject of 3.0a21 and 
HEAD: only primary group of a domain user is set on smbd.  


Re: 3.0a21 and HEAD: only primary group of a domain user is set onsmbd

2003-03-05 Thread Chere Zhou
Do you mean that I probably will need both your change and Ken's patch?  

Now I remember that I checked on SAMBA_3_0 but not HEAD, as I thought they 
should be pretty similar.  I will check HEAD out.  Thanks A. Bartlett.

Chere


On Tuesday 04 March 2003 11:52 pm, Andrew Bartlett wrote:
 On Wed, 2003-03-05 at 14:38, Ken Cross wrote:
  The behavior you're seeing is because LDAP is being used to get the
  group membership rather than RPC.
 
  Last month I posted a patch to fix this, but to my knowledge it hasn't
  been incorporated.  (I'm not bitching, just explaining...)

 Your patch fixed a slightly different issue, this issue was fixed in
 HEAD recently.

 Andrew Bartlett


3.0a21: add a new group using ACL results in a new user in winbinddidmap

2003-03-05 Thread Chere Zhou
I am in an ADS domain.  From a Windows client, create a file and add a group to 
the file using ACLs ('new' meaning the group is not in the winbindd database yet); 
the group is mapped as a user in winbindd_idmap.tdb.  The group is not 
any special type, just a normal group (not local, not universal).  

Does anyone know about this problem?

Thanks,
Chere


3.0a21 and HEAD: only primary group of a domain user is set on smbd

2003-03-04 Thread Chere Zhou
Dear list,

I know that on 2.2.5, when we get user info from winbindd, we also initialize 
group information based on the group list got from winbind, and do a 
setgroups for the process, so that all of the groups the user is a member 
of are set on the smbd.

Now on 3.0a21 and HEAD, I do not see any setgroup operation from winbind, 
and the smbd process only got the primary group of the Win2k domain user.  So 
it fails when a file permission is checked for other groups the user is a 
member of. 

I can see that sec_ctx.c is about the only place that calls sys_setgroups 
now, when the Unix group info has only the primary group.  At the same place 
the NT token has about 9 groups for my test user.

Can somebody explain why we are not doing what 2.2.5 was doing?  Is there any 
design issue related to this?

Thanks a lot!

Chere
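
The step the post above describes as missing, building the full supplementary group list and applying it with setgroups, as an added example that is not Samba code. It uses libc getgrouplist(), which resolves group membership through nsswitch (on a winbind-enabled box that is where domain groups would come from), and shows the retry needed when the first buffer is too small. The user name and gid passed in the checks are constructed; on glibc an unknown user still yields a one-entry list holding the primary gid, which is what the check relies on.

```c
/* Added example, not Samba code: compute a user's complete group list and
 * apply it when switching identity. A server process that carries only the
 * primary gid fails permission checks for files owned by the user's other
 * groups, which is the symptom reported in the thread. */
#define _GNU_SOURCE               /* getgrouplist()/setgroups() declarations on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Fill *out with every gid `user` belongs to, primary group included.
 * getgrouplist() returns -1 when the buffer is too small; glibc then reports
 * the required count in *ngroups, other libcs do not, so the retry grows the
 * buffer either way. Returns the count, or -1; the caller frees *out. */
int collect_groups(const char *user, gid_t primary, gid_t **out)
{
    int n = 16;
    gid_t *groups = NULL;

    while (n <= 65536) {
        gid_t *tmp = realloc(groups, (size_t)n * sizeof *groups);
        int got = n;
        if (tmp == NULL) break;
        groups = tmp;
        if (getgrouplist(user, primary, groups, &got) != -1) {
            *out = groups;
            return got;
        }
        n = got > n ? got : n * 2;   /* grow by the reported need, or double */
    }
    free(groups);
    return -1;
}

int group_list_contains(const gid_t *groups, int n, gid_t g)
{
    for (int i = 0; i < n; i++)
        if (groups[i] == g) return 1;
    return 0;
}

/* 1 if collect_groups() succeeds and the list holds the primary gid. */
int primary_group_always_listed(const char *user, gid_t primary)
{
    gid_t *groups = NULL;
    int n = collect_groups(user, primary, &groups);
    int ok = n > 0 && group_list_contains(groups, n, primary);
    free(groups);
    return ok;
}

/* Switch a root process to `user`: supplementary groups first, then the
 * primary gid, then the uid, because each later step removes the privilege
 * the earlier one needs. Returns 0 on success, -1 on failure. */
int become_user(const char *user)
{
    struct passwd *pw = getpwnam(user);
    gid_t *groups = NULL;
    int n, rc = -1;

    if (pw == NULL) return -1;
    n = collect_groups(pw->pw_name, pw->pw_gid, &groups);
    if (n < 0) return -1;
    if (setgroups((size_t)n, groups) == 0 &&
        setgid(pw->pw_gid) == 0 &&
        setuid(pw->pw_uid) == 0)
        rc = 0;
    free(groups);
    return rc;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";
    struct passwd *pw = getpwnam(user);
    gid_t *groups = NULL;
    int n;

    if (pw == NULL) { fprintf(stderr, "no such user: %s\n", user); return 1; }
    n = collect_groups(pw->pw_name, pw->pw_gid, &groups);
    if (n < 0) { perror("getgrouplist"); return 1; }
    printf("%s: primary gid %u, %d group(s):", user, (unsigned)pw->pw_gid, n);
    for (int i = 0; i < n; i++) printf(" %u", (unsigned)groups[i]);
    printf("\n");
    free(groups);
    return 0;
}
```

Run it as `./a.out someuser` to compare its list with what `id someuser` prints; become_user() is only callable as root, and the order of the three calls inside it is the part worth copying.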


Re: [PATCH] More CLDAP changes (last round hopefully)

2003-02-27 Thread Chere Zhou
This patch works for me.  Thanks a lot!

But I do have to manually edit the file, because long lines got wrapped in 
the email.  

Chere


On Thursday 27 February 2003 12:20 pm, Anthony Liguori wrote:
 Last round of changes to the Samba CLDAP code.  Every byte is now
 accounted for in the response packet so we shouldn't have anymore parsing
 errors.  It should apply cleanly against HEAD.

 Index: source/utils/net_ads_cldap.c
 ===
 RCS file: /cvsroot/samba/source/utils/net_ads_cldap.c,v
 retrieving revision 1.6
 diff -u -r1.6 net_ads_cldap.c
 --- source/utils/net_ads_cldap.c12 Nov 2002 23:15:52 - 1.6
 +++ source/utils/net_ads_cldap.c26 Feb 2003 22:57:53 -
 @@ -2,6 +2,7 @@
 Samba Unix/Linux SMB client library
 net ads cldap functions
 Copyright (C) 2001 Andrew Tridgell ([EMAIL PROTECTED])
 +   Copyright (C) 2003 Jim McDonough ([EMAIL PROTECTED])

 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 @@ -23,60 +24,69 @@

  #ifdef HAVE_ADS

 +struct netlogon_string {
 +   uint32 comp_len;
 +   char **component;
 +   uint8 extra_flag;
 +};
 +
  struct cldap_netlogon_reply {
 -   uint32 version;
 +   uint32 type;
 uint32 flags;
 GUID guid;
 -   char *domain;
 -   char *server_name;
 -   char *domain_flatname;
 -   char *server_flatname;
 -   char *dns_name;
 -   uint32 unknown2[2];
 -};

 +   struct netlogon_string forest;
 +   struct netlogon_string domain;
 +   struct netlogon_string hostname;

 -/*
 -  pull a length prefixed string from a packet
 -  return number of bytes consumed
 -*/
 -static unsigned pull_len_string(char **ret, const char *p)
 -{
 -   unsigned len = *p;
 -   (*ret) = NULL;
 -   if (len == 0) return 1;
 -   (*ret) = smb_xstrndup(p+1, len);
 -   return len+1;
 -}
 +   struct netlogon_string netbios_domain;
 +   struct netlogon_string netbios_hostname;
 +
 +   struct netlogon_string user_name;
 +   struct netlogon_string site_name;
 +
 +   struct netlogon_string unk0;
 +
 +   uint32 version;
 +   uint16 lmnt_token;
 +   uint16 lm20_token;
 +};

  /*
 -  pull a dotted string from a packet
 -  return number of bytes consumed
 +  These strings are rather interesting... They are composed of a series
 of
 +  length encoded strings, terminated by either 1) a zero length string or
 2)
 +  a 0xc0 byte with what appears to be a one byte flags immediately
 following.
  */
 -static unsigned pull_dotted_string(char **ret, const char *p)
 +static unsigned pull_netlogon_string(struct netlogon_string *ret,const
 char *d)
  {
 -   char *s;
 -   unsigned len, total_len=0;
 +   char *s, *p = (char *)d;

 -   (*ret) = NULL;
 +   ZERO_STRUCTP(ret);

 -   while ((len = pull_len_string(s, p))  1) {
 -   if (total_len) {
 -   char *s2;
 -   asprintf(s2, %s.%s, *ret, s);
 -   SAFE_FREE(*ret);
 -   (*ret) = s2;
 +   do {
 +   unsigned len = (unsigned char)*p;
 +   p++;
 +
 +   if (len  0  len != 0xc0) {
 +   ret-component = realloc(ret-component,
 +++ret-comp_len *
 +sizeof(char *));
 +
 +   ret-component[ret-comp_len - 1] =
 +   smb_xstrndup(p, len);
 +   p += len;
 } else {
 -   (*ret) = s;
 +   if (len == 0xc0) {
 +   ret-extra_flag = *p;
 +   p++;
 +   };
 +   break;
 }
 -   total_len += len;
 -   p += len;
 -   }
 +   } while (1);

 -   return total_len + 1;
 +   return (p - d);
  }

 -
  /*
do a cldap netlogon query
  */
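
Review bot: pull_netlogon_string in this hunk walks `p` with no end-of-buffer bound: each iteration reads a length byte and then `len` more bytes, stopping only on a zero length or a 0xc0 byte, so a truncated or malformed reply makes it read past the received data. Pass the number of bytes remaining in and stop when `p + len` would exceed it. In the same loop the `realloc` result is stored straight into `ret->component`; on failure the old array is leaked and `ret->component[ret->comp_len - 1] = smb_xstrndup(p, len)` dereferences NULL. The `};` after the inner `if` block is a stray semicolon.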
 @@ -190,19 +200,25 @@

 p = os3.data;

 -   reply-version = IVAL(p, 0); p += 4;
 +   reply-type = IVAL(p, 0); p += 4;
 reply-flags = IVAL(p, 0); p += 4;
 +
 memcpy(reply-guid.info, p, GUID_SIZE);
 p += GUID_SIZE;
 -   p += pull_dotted_string(reply-domain, p);
 -   p += 2; /* 0xc018 - whats this? */
 -   p += pull_len_string(reply-server_name, p);
 -   p += 2; /* 0xc018 - whats this? */
 -   p += pull_len_string(reply-domain_flatname, p);
 -   p += 1;
 -   p += pull_len_string(reply-server_flatname, p);
 -   p += 2;
 -   p += pull_len_string(reply-dns_name, p);
 +
 +   p += pull_netlogon_string(reply-forest, p);
 +   p += pull_netlogon_string(reply-domain, p);
 +   p += pull_netlogon_string(reply-hostname, p);
 +   p += 
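
Review bot: the three pull_netlogon_string calls advance `p` through os3.data by their return values without comparing the running offset against the size of os3, so the missing bound inside the parser is not made up for here either; the blob length should be threaded through. This hunk is also cut off in the archive after `p += `, so the remaining field reads cannot be reviewed from this copy.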

3.0a21: scripting with smbpasswd - bug or feature

2003-02-27 Thread Chere Zhou
I noticed that on samba 2.x, as root we can do smbpasswd -a -s user passwd 
without being prompted for anything.  This is not working on 3.0a21.  I 
need to type in the password twice using the above command.  Is this a 
feature to not allow passwords to be seen, or a bug that should be fixed?

Chere


Re: [PATCH] Re: 3.0a21: net ads lookup for a child domain gotmessy output

2003-02-25 Thread Chere Zhou
How about this new patch (as in the attachment).  The change I made from your 
patch, is to add the while loop in pull_c_zero_string which was adopted from 
pull_dotted_string.  Now my domains are all happy.  Otherwise, a grandchild 
domain complains.

I am posting this to the samba-technical list, since I thought it was what you 
intended to do, and we might get more testing of this.

Chere


On Monday 24 February 2003 01:21 pm, Anthony Liguori wrote:
 Lotus Notes won't let me send patches to the samba-technical list anymore
 (I've got to get a forwarding account it seems) but I haven't tested this
 patch enough to apply it to HEAD anyway.

 I know it works with your traffic though as I used your dumps as test data.
 This patch gives a _lot_ more information and makes various fixes.

 Note: the patch you submitted to the list doesn't actually work for domain
 controllers without forests.  The 0xc0 stuff are deliminators for these
 strings.

 Let me know how this patch works out for you:

 (See attached file: net_ads_lookup.patch)

 Anthony Liguori
 Linux/Active Directory Interoperability
 Linux Technology Center (LTC) - IBM Austin
 E-mail: [EMAIL PROTECTED]
 Phone: (512) 838-1208
 Tie Line: 678-1208



--- utils/net_ads_cldap.c.orig	Mon Feb 24 14:27:29 2003
+++ utils/net_ads_cldap.c	Tue Feb 25 11:27:50 2003
@@ -24,15 +24,25 @@
 #ifdef HAVE_ADS
 
 struct cldap_netlogon_reply {
-	uint32 version;
+	uint32 type;
 	uint32 flags;
 	GUID guid;
 	char *domain;
-	char *server_name;
-	char *domain_flatname;
-	char *server_flatname;
-	char *dns_name;
-	uint32 unknown2[2];
+
+	char *dns_domain;
+	uint8 domain_flag;
+	char *dns_hostname;
+	uint8 hostname_flag;
+	
+	char *netbios_domain;
+	char *netbios_hostname;
+
+	char *user_name;
+	char *site_name;
+
+	uint32 version;
+	uint16 lmnt_token;
+	uint16 lm20_token;
 };
 
 
@@ -76,6 +86,33 @@
 	return total_len + 1;
 }
 
+static unsigned pull_c_zero_string(char **ret, uint8 *flag, 
+   const unsigned char *p)
+{
+	unsigned len = 0, total_len=0;
+	char *s;
+
+	*ret = NULL;
+
+	/* TODO: see what happends when a domain controller name == 0xc0 */
+	while (*p != 0xc0) {
+		len = pull_len_string(s, p);
+if (total_len) {
+char *s2;
+asprintf(s2, %s.%s, *ret, s);
+SAFE_FREE(*ret);
+(*ret) = s2;
+} else {
+(*ret) = s;
+}
+total_len += len;
+p += len;
+	}
+
+	*flag = p[1];
+
+	return (total_len + 2);
+}
 
 /*
   do a cldap netlogon query
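
Review bot: pull_c_zero_string loops `while (*p != 0xc0)`, so it never stops on the zero-length-string terminator: for a zero length byte pull_len_string returns 1 with `s` left NULL, the loop then hands that NULL to `asprintf(&s2, "%s.%s", *ret, s)` and keeps walking. Test the length byte before calling pull_len_string and break on zero as well as on 0xc0, and bound the loop by the bytes remaining in the packet, since `*p` and `p[1]` are read without knowing where the buffer ends. The mixed tab and space indentation inside the while body should also match the rest of the file.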
@@ -190,19 +227,27 @@
 
 	p = os3.data;
 
-	reply-version = IVAL(p, 0); p += 4;
+	reply-type = IVAL(p, 0); p += 4;
 	reply-flags = IVAL(p, 0); p += 4;
+
 	memcpy(reply-guid.info, p, GUID_SIZE);
 	p += GUID_SIZE;
 	p += pull_dotted_string(reply-domain, p);
-	p += 2; /* 0xc018 - whats this? */
-	p += pull_len_string(reply-server_name, p);
-	p += 2; /* 0xc018 - whats this? */
-	p += pull_len_string(reply-domain_flatname, p);
-	p += 1;
-	p += pull_len_string(reply-server_flatname, p);
-	p += 2;
-	p += pull_len_string(reply-dns_name, p);
+
+	p += pull_c_zero_string(reply-dns_domain, reply-domain_flag, p);
+	p += pull_c_zero_string(reply-dns_hostname, reply-hostname_flag,p);
+
+	p += pull_dotted_string(reply-netbios_domain, p);
+	p += pull_dotted_string(reply-netbios_hostname, p);
+
+	p += pull_len_string(reply-user_name, p);
+	p += pull_len_string(reply-site_name, p);
+
+	p += 2; /* is this two empty strings? */
+
+	reply-version = IVAL(p, 0);
+	reply-lmnt_token = SVAL(p, 4);
+	reply-lm20_token = SVAL(p, 6);
 
 	data_blob_free(os1);
 	data_blob_free(os2);
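
Review bot: after the string pulls, `p += 2; /* is this two empty strings? */` skips two bytes on an assumption the comment itself questions, and the following `IVAL(p, 0)`, `SVAL(p, 4)` and `SVAL(p, 6)` read eight bytes with no check that the blob still holds them. Compare the running offset with the blob's length before each read, and if the two bytes are zero-length strings, consume them with pull_len_string so a non-empty value is noticed instead of silently skipped.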
@@ -219,10 +264,12 @@
 static void cldap_reply_free(struct cldap_netlogon_reply *reply)
 {
 	SAFE_FREE(reply-domain);
-	SAFE_FREE(reply-server_name);
-	SAFE_FREE(reply-domain_flatname);
-	SAFE_FREE(reply-server_flatname);
-	SAFE_FREE(reply-dns_name);
+	SAFE_FREE(reply-dns_domain);
+	SAFE_FREE(reply-dns_hostname);
+	SAFE_FREE(reply-netbios_domain);
+	SAFE_FREE(reply-netbios_hostname);
+	SAFE_FREE(reply-user_name);
+	SAFE_FREE(reply-site_name);
 }
 
 /*
@@ -246,7 +293,6 @@
 	if (ret != 0) {
 		return ret;
 	}
-
 	ret = recv_cldap_netlogon(sock, reply);
 	close(sock);
 
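
Review bot: this hunk only deletes the blank line between the `if (ret != 0)` block and the `recv_cldap_netlogon` call; it is unrelated to the CLDAP parsing change and should be dropped so the patch stays focused on one thing.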
@@ -254,15 +300,51 @@
 		return -1;
 	}
 
-	d_printf(Version: 0x%x\n, reply.version);
+	d_printf(Response Type: 0x%x\n, reply.type);
 	d_printf(GUID: ); 
 	print_guid(reply.guid);
-	d_printf(Flags:   0x%x\n, reply.flags);
-	d_printf(Domain: %s\n, reply.domain);
-	d_printf(Server Name: %s\n, reply.server_name);
-	d_printf(Flatname: %s\n, reply.domain_flatname);
-	d_printf(Server Name2: %s\n, reply.server_flatname);
-	d_printf(DNS Name: %s\n, reply.dns_name);
+	d_printf(Flags:\n
+		 \tIs a PDC:   %s\n
+		 \tIs a GC of the forest:  %s\n
+		 \tIs an LDAP server:  %s\n
+		 \tSupports DS:%s\n
+		 \tIs running a KDC:   

[PATCH] Re: 3.0a21: net ads lookup for a child domain got messyoutput

2003-02-24 Thread Chere Zhou
With the following patch, it works for me now.   However, there are still 
mysteries like what 0xc018 and 0xc022 mean in the received netlogon 
responses.  My fix is to split the domain into forest and domain, where 
the new domain is the child/grandchild under the forest.  The ultimate domain 
name should be domain+'.'+forest.

Even if this does not go into the sources eventually, I hope it can be 
helpful for other people who had the same problem as I did.

Chere


--- utils/net_ads_cldap.c.orig  Fri Feb 21 15:34:18 2003
+++ utils/net_ads_cldap.c   Mon Feb 24 11:27:47 2003
@@ -27,6 +27,7 @@
uint32 version;
uint32 flags;
GUID guid;
+char *forest;
char *domain;
char *server_name;
char *domain_flatname;
@@ -42,11 +43,13 @@
 */
 static unsigned pull_len_string(char **ret, const char *p)
 {
-   unsigned len = *p;
+   unsigned char len = *p;
(*ret) = NULL;
if (len == 0) return 1;
+   if ((len == 0xc0)  ((unsigned char)(*(p+1)) == 0x18))
+   return 1;
(*ret) = smb_xstrndup(p+1, len);
-   return len+1;
+   return (unsigned)(len+1);
 }

 /*
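
Review bot: the new check in pull_len_string for a 0xc0 byte followed by 0x18 returns 1, consuming one byte of a two-byte marker, while the caller in the next hunk of this same patch skips two bytes (`p += 2`) for the same marker, so the two paths disagree about where the next field starts; it also hard-codes 0x18 although the cover note reports 0xc022 in other replies. Returning 2 and testing only the 0xc0 byte would cover both. The change of `len` to `unsigned char` is right: reading a byte through `const char *` into `unsigned` sign-extended lengths of 0x80 and above.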
@@ -194,8 +197,13 @@
reply-flags = IVAL(p, 0); p += 4;
memcpy(reply-guid.info, p, GUID_SIZE);
p += GUID_SIZE;
-   p += pull_dotted_string(reply-domain, p);
-   p += 2; /* 0xc018 - whats this? */
+   p += pull_dotted_string(reply-forest, p);
+   if ((unsigned char)*p == 0xc0)
+   p += 2; /* 0xc018 - whats this? */
+   else {
+   p += pull_dotted_string(reply-domain, p);
+   p += 1;
+   }
p += pull_len_string(reply-server_name, p);
p += 2; /* 0xc018 - whats this? */
p += pull_len_string(reply-domain_flatname, p);
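
Review bot: when the byte after the forest name is 0xc0, this hunk takes the `p += 2` branch and never assigns `reply->domain`, yet the `d_printf("Domain: %s\n", reply.domain)` later in this patch prints it unconditionally, so a root-domain reply passes a NULL pointer to a `%s` conversion. Either set `domain` to a copy of `forest` in that branch, or print it only when non-NULL. The `p += 1` after pull_dotted_string in the else branch skips a byte whose meaning the patch does not establish; a comment saying what it is would help the next reader.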
@@ -218,6 +226,7 @@
 */
 static void cldap_reply_free(struct cldap_netlogon_reply *reply)
 {
+   SAFE_FREE(reply-forest);
SAFE_FREE(reply-domain);
SAFE_FREE(reply-server_name);
SAFE_FREE(reply-domain_flatname);
@@ -258,6 +267,7 @@
d_printf(GUID: );
print_guid(reply.guid);
d_printf(Flags:   0x%x\n, reply.flags);
+   d_printf(Forest root: %s\n, reply.forest);
d_printf(Domain: %s\n, reply.domain);
d_printf(Server Name: %s\n, reply.server_name);
d_printf(Flatname: %s\n, reply.domain_flatname);
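
An added example, not code from any of the patches in this thread: a bounds-checked reader for the three names in the reply. The reading of the format it relies on is not stated anywhere in the thread but is how DNS encodes names on the wire (RFC 1035 section 4.1.4): a byte of the form 0xc0|hi followed by lo is a compression pointer meaning "the rest of this name continues at byte offset (hi<<8)|lo of the packet". With the 24-byte prefix both patches skip (4-byte type, 4-byte flags, 16-byte GUID), 0xc018 is offset 24, where the forest name begins, which is why a root domain's own name shows up as a bare 0xc0 pair after the forest; 0xc022 is offset 34, which in the packet constructed below is where the child domain's name begins, so the host name ends in a pointer to it. The packet's type, flags, GUID and names are made up for the example; `pull_dns_name` and `parse_netlogon_names` are this example's own names.

```c
/* Added example, not code from any patch in this thread: a bounds-checked
 * reader for the DNS names in a CLDAP netlogon reply, decoding RFC 1035
 * label compression. Layout assumed from the thread's parse: type (4),
 * flags (4), GUID (16), then forest, domain and host name. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NAMES_OFFSET 24   /* 4 + 4 + 16 */
#define MAX_NAME     256

/* Decode the name at pkt[off] into out as dotted text. A label is a length
 * byte followed by that many bytes; 0xc0|hi then lo is a pointer to offset
 * (hi << 8 | lo), where the name continues. Returns the bytes the name
 * occupies at off (a pointer counts as 2 and ends it), or 0 when the packet
 * is truncated, a pointer does not point backwards, the pointer chain is
 * longer than 16 hops, or the name does not fit in out. */
size_t pull_dns_name(const uint8_t *pkt, size_t pkt_len, size_t off,
                     char *out, size_t out_len)
{
    size_t pos = off, consumed = 0, written = 0;
    int hops = 0, jumped = 0;

    if (out_len == 0) return 0;
    out[0] = '\0';
    for (;;) {
        uint8_t len;
        if (pos >= pkt_len) return 0;
        len = pkt[pos];
        if ((len & 0xc0) == 0xc0) {                 /* compression pointer */
            size_t target;
            if (pos + 1 >= pkt_len) return 0;
            target = ((size_t)(len & 0x3f) << 8) | pkt[pos + 1];
            if (!jumped) consumed = pos + 2 - off;  /* only the first jump counts */
            jumped = 1;
            if (target >= pos || ++hops > 16) return 0;
            pos = target;
            continue;
        }
        if (len & 0xc0) return 0;                   /* 0x40/0x80 label types */
        if (len == 0) {                             /* root label: end of name */
            if (!jumped) consumed = pos + 1 - off;
            return consumed;
        }
        if (pos + 1 + len > pkt_len) return 0;      /* label runs off the packet */
        if (written + (written ? 1 : 0) + len + 1 > out_len) return 0;
        if (written) out[written++] = '.';
        memcpy(out + written, pkt + pos + 1, len);
        written += len;
        out[written] = '\0';
        pos += 1 + len;
    }
}

struct netlogon_names {
    uint32_t type, flags;
    uint8_t guid[16];
    char forest[MAX_NAME], domain[MAX_NAME], hostname[MAX_NAME];
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse the header and the three names; returns bytes consumed, 0 on error. */
size_t parse_netlogon_names(const uint8_t *pkt, size_t pkt_len, struct netlogon_names *r)
{
    size_t off = NAMES_OFFSET, n;

    if (pkt_len < NAMES_OFFSET) return 0;
    r->type = le32(pkt);
    r->flags = le32(pkt + 4);
    memcpy(r->guid, pkt + 8, 16);
    if ((n = pull_dns_name(pkt, pkt_len, off, r->forest, MAX_NAME)) == 0) return 0;
    off += n;
    if ((n = pull_dns_name(pkt, pkt_len, off, r->domain, MAX_NAME)) == 0) return 0;
    off += n;
    if ((n = pull_dns_name(pkt, pkt_len, off, r->hostname, MAX_NAME)) == 0) return 0;
    return off + n;
}

/* Constructed reply: forest zhou.com, child domain child.zhou.com, host
 * dc.child.zhou.com. Type, flags and GUID bytes are made up. 0xc0 0x18
 * points to offset 24 (the forest name), 0xc0 0x22 to offset 34 (domain). */
const uint8_t sample_reply[] = {
    0x17, 0, 0, 0,  0x3d, 0xf8, 0x01, 0,                   /* type, flags */
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, /* GUID */
    4, 'z', 'h', 'o', 'u', 3, 'c', 'o', 'm', 0,            /* offset 24: forest */
    5, 'c', 'h', 'i', 'l', 'd', 0xc0, 0x18,                /* offset 34: domain */
    2, 'd', 'c', 0xc0, 0x22,                               /* offset 42: host */
};
const size_t sample_reply_len = sizeof(sample_reply);

/* Bytes consumed when the sample yields the expected names, else 0. */
size_t sample_decodes(void)
{
    struct netlogon_names r;
    size_t n = parse_netlogon_names(sample_reply, sample_reply_len, &r);
    if (n == 0 || r.type != 0x17) return 0;
    if (strcmp(r.forest, "zhou.com") != 0 || strcmp(r.domain, "child.zhou.com") != 0 ||
        strcmp(r.hostname, "dc.child.zhou.com") != 0) return 0;
    return n;
}

/* Failure modes: a reply cut off inside a name, and a pointer that loops. */
int rejects_malformed(void)
{
    struct netlogon_names r;
    static const uint8_t loop[] = { 1, 'a', 0xc0, 0x00 }; /* jumps back to itself */
    char out[MAX_NAME];
    return parse_netlogon_names(sample_reply, 40, &r) == 0 &&
           pull_dns_name(loop, sizeof loop, 0, out, sizeof out) == 0;
}
```

The two rules that keep this safe on hostile input are that every read is checked against `pkt_len` first, and that a pointer must point strictly backwards and is followed at most 16 times, so neither a truncated reply nor a self-referencing pointer can run the parser off the buffer or spin it forever.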


Re: net ads join core dump in ldap_get_values_len

2003-02-19 Thread Chere Zhou
After merging libads/ldap.c from SAMBA_3_0 to my copy of 3.0a21 source code, 
problem solved.  Thanks.

Chere


On Tuesday 18 February 2003 02:18 pm, Chere Zhou wrote:
 Hello,

 I am using 3.0a21.  If I use kinit user@DOMAIN with a user that does not
 have the privilege to join a machine into the domain, I get a core dump using
 net ads join.  This happens when the computer account does not exist in
 the domain.  If the computer account exists in the domain, I get the
 following, which is perfectly fine:
 [2003/02/18 13:51:59, 0] libads/ldap.c:ads_join_realm(1325)
   Host account for chere-2 already exists - deleting old account
 [2003/02/18 13:51:59, 0] libads/ldap.c:ads_join_realm(1329)
   Failed to delete host 'chere-2' from the 'ZHOU.COM' realm.
 ads_join_realm: Insufficient access

 The net ads join core dump shows:

 Assertion failed: (entry != NULL), function ldap_get_values_len, file
 getvalues.c, line 93.
 Abort (core dumped)

 A gdb back trace is:
 #0  0x28455cff in kill () from /usr/lib/libc.so.5
 #1  0x284a7e32 in abort () from /usr/lib/libc.so.5
 #2  0x2848600f in __assert () from /usr/lib/libc.so.5
 #3  0x28252de1 in ldap_get_values_len () from /usr/local/lib/libldap.so.2
 #4  0x814b9d3 in ads_pull_sid (ads=0x8249380, msg=0x0,
 field=0x819b0a1 objectSid, sid=0xbfbff518) at libads/ldap.c:1598
 #5  0x814b542 in ads_set_machine_sd (ads=0x8249380,
 hostname=0x81b9b90 chere-2,
 dn=0x81f0440 cn=chere-2,cn=Computers,dc=ZHOU,dc=COM)
 at libads/ldap.c:1431
 #6  0x814a7ec in ads_add_machine_acct (ads=0x8249380,
 hostname=0x81b9b90 chere-2, org_unit=0x8165ca8 Computers)
 at libads/ldap.c:1085
 #7  0x814b015 in ads_join_realm (ads=0x8249380, hostname=0x81b9a30
 CHERE-2, org_unit=0x8165ca8 Computers) at libads/ldap.c:1334
 #8  0x806d945 in net_ads_join (argc=0, argv=0x81b906c) at
 utils/net_ads.c:648 #9  0x806b196 in net_run_function (argc=1,
 argv=0x81b9068, table=0xbfbff7e0, usage_fn=0x806c1f0 net_ads_usage) at
 utils/net.c:97
 #10 0x806e6dc in net_ads (argc=1, argv=0x81b9068) at utils/net_ads.c:1040
 #11 0x806b196 in net_run_function (argc=2, argv=0x81b9064, table=0x819ee94,
 usage_fn=0x806f3fc net_help) at utils/net.c:97
 #12 0x806c17b in main (argc=3, argv=0xbfbffb5c) at utils/net.c:555
 #13 0x806b035 in _start ()

 I have some problems building the cvs version on my platform.  So I want to
 know if this is fixed in cvs.  'fixed' means it returns a meaningful
 message instead of a core dump.  If yes, please point me to the place I
 should look at.

 Thanks a lot !
 Chere



net ads join core dump in ldap_get_values_len

2003-02-18 Thread Chere Zhou
Hello,

I am using 3.0a21.  If I use kinit user@DOMAIN with a user that does not 
have the privilege to join a machine into the domain, I get a core dump using net 
ads join.  This happens when the computer account does not exist in the 
domain.  If the computer account exists in the domain, I get the following, 
which is perfectly fine:
[2003/02/18 13:51:59, 0] libads/ldap.c:ads_join_realm(1325)
  Host account for chere-2 already exists - deleting old account
[2003/02/18 13:51:59, 0] libads/ldap.c:ads_join_realm(1329)
  Failed to delete host 'chere-2' from the 'ZHOU.COM' realm.
ads_join_realm: Insufficient access

The net ads join core dump shows:

Assertion failed: (entry != NULL), function ldap_get_values_len, file 
getvalues.c, line 93.
Abort (core dumped)

A gdb back trace is:
#0  0x28455cff in kill () from /usr/lib/libc.so.5
#1  0x284a7e32 in abort () from /usr/lib/libc.so.5
#2  0x2848600f in __assert () from /usr/lib/libc.so.5
#3  0x28252de1 in ldap_get_values_len () from /usr/local/lib/libldap.so.2
#4  0x814b9d3 in ads_pull_sid (ads=0x8249380, msg=0x0,
field=0x819b0a1 objectSid, sid=0xbfbff518) at libads/ldap.c:1598
#5  0x814b542 in ads_set_machine_sd (ads=0x8249380,
hostname=0x81b9b90 chere-2,
dn=0x81f0440 cn=chere-2,cn=Computers,dc=ZHOU,dc=COM)
at libads/ldap.c:1431
#6  0x814a7ec in ads_add_machine_acct (ads=0x8249380,
hostname=0x81b9b90 chere-2, org_unit=0x8165ca8 Computers)
at libads/ldap.c:1085
#7  0x814b015 in ads_join_realm (ads=0x8249380, hostname=0x81b9a30 CHERE-2,
org_unit=0x8165ca8 Computers) at libads/ldap.c:1334
#8  0x806d945 in net_ads_join (argc=0, argv=0x81b906c) at utils/net_ads.c:648
#9  0x806b196 in net_run_function (argc=1, argv=0x81b9068, table=0xbfbff7e0,
usage_fn=0x806c1f0 net_ads_usage) at utils/net.c:97
#10 0x806e6dc in net_ads (argc=1, argv=0x81b9068) at utils/net_ads.c:1040
#11 0x806b196 in net_run_function (argc=2, argv=0x81b9064, table=0x819ee94,
usage_fn=0x806f3fc net_help) at utils/net.c:97
#12 0x806c17b in main (argc=3, argv=0xbfbffb5c) at utils/net.c:555
#13 0x806b035 in _start ()

I have some problems building the cvs version on my platform.  So I want to know 
if this is fixed in cvs.  'fixed' means it returns a meaningful message 
instead of a core dump.  If yes, please point me to the place I should look at.

Thanks a lot !
Chere



Re: Limitations of Samba-2.2.x as a domain member talking to an AD domain controller

2003-01-24 Thread Chere Zhou

I had this similar question too.  Apparently a Domain local group in the 
ADS does not show up on my Samba 2.2.5.  Not sure what else would be.  

If nobody knows all of it, perhaps those who ever encountered any problem 
with this situation can just contribute, then we can assemble a list.

Chere


---
On Thu, Jan 23, 2003 at 10:54:19AM -0800, Richard Sharpe wrote:

 Can anyone point me at documentation on the limitations of a downlevel 
 server being a member server in an AD network? 
 
 The specific case I am thinking of is a Samba-2.2.x-based server.

I don't have any documentation but I can tell you that you should have
no problems if you install your domain controller with permissions
compatible with pre-Windows 2000 machines.  As far as I can work out
this just adds the Everyone SID to the builtin Pre-Windows 2000
Compatible Access group.

If this sid isn't present you'll have all sorts of weird problems to do
with anonymous access to the LSA and SAM rpc pipes.


Tim.




Re: [Samba] Why ADS if I can join the ADS domain as an NT 4 server?

2003-01-20 Thread Chere Zhou
Yeah, I know that kerberos and LDAP are involved.  I guess kerberos means 
better security.   I am wondering what the other benefits of kerberos and 
LDAP are, for a member server in ADS.  

Chere


On Friday 17 January 2003 05:01 pm, Gerald (Jerry) Carter wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 On Fri, 17 Jan 2003, Chere Zhou wrote:
  Hello, all,
 
  I can not easily find an answer to this question: why do we need samba
  3.0 to join an ADS, if samba 2.x can join the ADS domain just as well,
  even though the PDC is in native mode?  What's the benefit for samba 3.0
  to be a member of ADS?  What restrictions I have if joining samba 2.x to
  the domain as an NT4 server?

 Samba 3.0 will speak kerberos  LDAP when communicating with a Win2k DC.



 cheers, jerry
 - --
  Hewlett-Packard- http://www.hp.com
  SAMBA Team -- http://www.samba.org
  GnuPG Key   http://www.plainjoe.org/gpg_public.asc
  ISBN 0-672-32269-2 SAMS Teach Yourself Samba in 24 Hours 2ed
  You can never go home again, Oatman, but I guess you can shop there.
 --John Cusack - Grosse Point Blank (1997)

 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.2.0 (GNU/Linux)
 Comment: For info see http://quantumlab.net/pine_privacy_guard/

 iD8DBQE+KKd+IR7qMdg1EfYRAik7AKDkf/iV5Z5bTpSpWLkkrE7szJvQNwCeJrpR
 ROMNBedpKdiOFJJkX3MkzaI=
 =GnR2
 -END PGP SIGNATURE-



[Samba] 3.0alpha21 performance degraded comparing to 2.2.5

2003-01-15 Thread Chere Zhou
I tested using the same hardware for windows client and the server, same 
setup and configuration.  Network bandwidth was gigabits.  I built both 2.2.5 
and 3.0alpha21 from source. 

Here are my numbers for a single windows 2000 client, single samba server 
test.  For reads, 2.2.5 gets 120 Mbps, while 3.0a21 gets only 80 Mbps, which 
is a 33% decrease.  Writing to samba, 3.0a21 gets a 15% decrease over 2.2.5.

Samba performance is very important to us here.  So please help me to make it 
better.  Anybody know tricks to make samba 3.0alpha21 faster?

Thanks in advance,
Chere






[Samba] samba3.0alpha21: why these messages for most commands? Please.

2002-12-31 Thread Chere Zhou
I am sure that I don't have any special code page or coding related settings 
in smb.conf -- they are all the default values.  Whenever I start testparm, 
smbstatus, or net command, I get:

Conversion from UCS-2LE to CP850 not supported
Conversion from UTF8 to CP850 not supported
Conversion from ASCII to CP850 not supported
Conversion from CP850 to UCS-2LE not supported
Conversion from CP850 to UTF8 not supported
Conversion from CP850 to ASCII not supported
Conversion from CP850 to UTF8 not supported
Conversion from UTF8 to CP850 not supported

What can I do to make them disappear?  What should be the default setting for 
US?  

Thanks,
Chere



[Samba] smbpasswd has password length problem with the 2.2.7 security patch

2002-12-05 Thread Chere Zhou
I am using samba 2.2.5, and the following patch Jerry outlined in his 2.2.7 
release notes.  I tested it against a W2k server (in mixed mode) which had a 
simple one-char admin password, and it worked fine.   Recently I found that if 
the password is longer than 1 char, using smbpasswd -j dom -r svr -U admin and 
then inputting the password, I get NT_STATUS_LOGON_FAILURE.  If I remove the 
patch, or keep the password as just 1 char, smbpasswd works fine.

I know the patch was originally for 2.2.6.  But since Jerry outlined a simple 
one for older versions and 2.2.6, I only applied the simple patch as below.  
Can somebody tell me what other changes I need to make for 2.2.5?  Does anybody 
have a similar problem?


The following is a snippet of Jerry's 2.2.7 release email:

Patch for Samba versions 2.2.2 to 2.2.6
- ---

The following patch applies cleanly to the above Samba versions
and will fix the vulnerability for sites that do not wish to upgrade
to 2.2.7 at this time.

cut here-
 libsmb/smbencrypt.c.origTue Nov 19 17:21:57 2002
+++ libsmb/smbencrypt.c Tue Nov 19 17:22:12 2002
@@ -63,7 +63,7 @@
if(len  128)
len = 128;
/* Password must be converted to NT unicode - null terminated. */
-   dos_struni2((char *)wpwd, (const char *)passwd, 256);
+   dos_struni2((char *)wpwd, (const char *)passwd, len);
/* Calculate length in bytes */
len = strlen_w((const smb_ucs2_t *)wpwd) * sizeof(int16);
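Review bot: the unit of dos_struni2()'s third argument changes between the removed and the added line, and that is where the 2.2.5 failure reported above most likely comes from: the context line just before clamps `len` to at most 128, which is a count of input characters, while the removed call `dos_struni2((char *)wpwd, (const char *)passwd, 256);` passed a fixed 256 that reads as the size of the destination buffer; the added line `dos_struni2((char *)wpwd, (const char *)passwd, len);` hands over the character count in that position. The following context line, `len = strlen_w((const smb_ucs2_t *)wpwd) * sizeof(int16);`, shows the converted buffer is measured in bytes at two per character, so if dos_struni2() treats its last parameter as destination bytes, an n-character password is converted into what the call believes is n bytes of room and is truncated before it is hashed, which fits the observation that only a one-character password still authenticates after the patch. Suggest passing the destination buffer's real size in bytes (for instance via sizeof on wpwd) rather than `len`, and confirming what unit dos_struni2() expects in each of the 2.2.2 to 2.2.6 releases the header says the patch applies to, since that is not visible in the hunk.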
- ---cut here-



Re: [Samba] Subject: [samba]Error join NT domain

2002-11-21 Thread Chere Zhou
You should try to run 
smbpasswd -j DTWX -r slaver -U administrator
It will prompt for the NT domain's administrator's password.  You can also 
use any username who is in the domain admins group in your domain.  This is 
a much cleaner way to join than using smbpasswd without a username and creating 
the machine account manually, which is tricky.  Also make sure slaver is the 
PDC's real netbios name.  I found that an alias does not work.

If you can join this way but still want to do the way you did it, let me 
know.  I saw some scenarios and probably can help you debug it.

Good luck,
Chere


---
You wrote:
SUBJECT: [samba]Error join NT domain

When I join the NT domain with the command smbpasswd -j DTWX  -slaver, the 
results are as follows:

 [root@root] #smbpasswd -j DTWX  -slaver

   cli_nt auth2 :Error NT_STATUS_NO_TRUST_SAM_ACCOUNT

Failed to change passwd f or domain DTWX

Unable to join domain DTWX

   [root@root] # smbstatus

 no locked file

Note: here DOM is DTWX,

  DOMPDC is slaver.

 I have created the machine account and joined samba's netbios 
name (fang) in the PDC.

   samba version 2.3. I can't understand the meaning of "no locked file",

I am tired and don't know what to do for the next step.

If anyone knows anything about this, please help me
out or point me in the right direction and tell me what I should do.
Thanks,

my email:  [EMAIL PROTECTED]


This is my samba configuration:



Re: [Samba] Does anyone have winbind working on Freebsd?

2002-11-20 Thread Chere Zhou
I went through this whole thing a couple of months ago.  The problem is that 
you don't have a good nsswitch working on FreeBSD.  The nsswitch on FreeBSD 
does not do dynamically loadable modules the way Linux does.  The manual you 
followed is for Linux users.

Richard Sharpe gave me a hint to fix this.  Basically you need to change the 
source code, so that smbd knows to check with winbind for the domain user.  
However, no other daemons on your FreeBSD box will be able to use the domain 
user, as they would if you had a good nsswitch.  Last time I checked, there is 
nobody in the FreeBSD community working on improving nsswitch. 

Let me know if you need further help.

Chere


 From: Brent Ross (Edm) [EMAIL PROTECTED]
 To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
 Date: Wed, 20 Nov 2002 12:29:13 -0700
 Subject: [Samba] Does anyone have winbind working on Freebsd?

 I have been trying to set up a Samba 2.2.6 server on FreeBSD 4.7. I want to
 use my NT4 domain for authentication of users. It looks like everything is
 set up properly as far as winbind is concerned, see below for results using
 wbinfo. I am still prompted for a password when trying to connect to the
 samba share. I cannot list the shares using smbclient -L servername
 -Udomain+username either, I get a server timeout error and the following
 error in my log.smbd:
   error connecting to 10.110.22.7:445 (Invalid argument)
 Using getent passwd only returns the unix users, not any domain users. I
 configured samba using --with-winbind and --with-winbind-auth-challenge,
 and followed "Unified logons between NT and Unix using winbind". Joined the
 samba server to my NT domain successfully. FreeBSD 4.7 does not have a /lib
 folder so at the step for copying libnss_winbind.so to the /lib folder, I
 am copying to /usr/local/lib. I have also tried using the following
 folders:
 /usr/lib
 /usr/compat/linux/usr/lib
 /usr/compat/linux/lib
 but it still doesn't work. Does anyone have any idea why I am receiving the
 above error? I'm sure if I could correct the error this would all work, and
 if I could get getent passwd to show my domain users as well as just the
 local unix users, again this would be working. TIA for any help.

 wbinfo -t returns Secret is good
 wbinfo -u returns a list of all my domain users
 wbinfo -g returns a list of all domain groups
 wbinfo -a mydomain+myuser%mypassword returns success for both plaintext and
 challenge/response

 Here's my smb.conf:
 # Samba config file created using SWAT
 # from 10.110.22.40 (10.110.22.40)
 # Date: 2002/11/16 15:19:26

 # Global parameters
 [global]
   workgroup = MYDOMAIN
   security = DOMAIN
   encrypt passwords = Yes
   password server = *
   winbind uid = 1-2
   winbind gid = 1-2
   winbind separator = +
   winbind enum users = yes
   winbind enum groups = yes
   log level = 2
   wins server = 192.168.0.7

 [work]
   path = /usr/work
   valid users = Domain Users
   read only = No

 Here's my log.smbd:
 [2002/11/16 15:59:13, 2] param/loadparm.c:do_section(3055)
   Processing section [work]
 [2002/11/16 15:59:13, 2] lib/interface.c:add_interface(81)
   added interface ip=10.110.22.78 bcast=10.110.23.255 nmask=255.255.254.0
 [2002/11/16 15:59:48, 2] smbd/reply.c:reply_special(92)
   netbios connect: name1=EDM-GEO  name2=EDM-02
 [2002/11/16 15:59:48, 2] smbd/reply.c:reply_special(111)
   netbios connect: local=edm-geo remote=edm-02
 [2002/11/16 15:59:48, 2] libsmb/namequery.c:name_query(421)
   Got a positive name query response from 10.110.22.7 ( 10.110.22.7 )
 [2002/11/16 15:59:48, 2] lib/util_sock.c:open_socket_out(874)
   error connecting to 10.110.22.7:445 (Invalid argument)
 [2002/11/16 15:59:54, 2] smbd/service.c:make_connection(331)
   Invalid username/password for work [nobody]
 [2002/11/16 15:59:56, 2] smbd/service.c:make_connection(331)
   Invalid username/password for work [nobody]
 [2002/11/16 16:00:47, 2] smbd/server.c:exit_server(461)
   Closing connections





[Samba] How can I read and write a file at the same time?

2002-11-14 Thread Chere Zhou
My usage scenario is one Samba 2.2.5 installed on FreeBSD as server, and 2 
windows 2000 boxes as clients, both mapping to the same share as the same 
user to Samba server.  While one Windows box is writing a file, I start 
reading on the other Windows box.  It always fails, even though I have locking 
and oplocks all set to no in the config.

Does anybody know if there is a way to make this work, or the reasons that 
this should never work?

Thanks,
Chere
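What normally decides whether a second client may open a file that another client is writing is the share mode the first client's application asked for at open time, not the locking and oplocks settings named in the post (those govern byte-range locks and client-side caching). Below is an added example written for this page, not Samba code: a small model of the NT share-mode compatibility rule an SMB server applies, replayed over the two-client scenario above with two different writer share modes. The constants and the Open class are the example's own reduction of the NT access mask.

```python
# Added example for this page: a model of the NT share-mode compatibility
# rule an SMB server applies when a file is opened by a second client.
# Illustrative code, not Samba's implementation.

# Access rights an open asks for (a subset of the NT access mask).
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
DELETE = 0x10000

# Share flags an open grants: which operations it tolerates from OTHER opens.
FILE_SHARE_READ = 0x1
FILE_SHARE_WRITE = 0x2
FILE_SHARE_DELETE = 0x4


class Open:
    """One client's open handle: who holds it, what it may do, what it shares."""

    def __init__(self, who, access, share):
        self.who = who
        self.access = access
        self.share = share


def _asks_for_unshared(a, b):
    """True if open `a` wants an operation that open `b` did not share."""
    pairs = ((FILE_READ_DATA, FILE_SHARE_READ),
             (FILE_WRITE_DATA, FILE_SHARE_WRITE),
             (DELETE, FILE_SHARE_DELETE))
    return any(a.access & acc and not (b.share & shr) for acc, shr in pairs)


def conflicts(existing, new):
    """The check is symmetric: the newcomer must fit what the holder shared,
    and the holder's own access must fit what the newcomer is willing to share."""
    return _asks_for_unshared(new, existing) or _asks_for_unshared(existing, new)


def try_open(opens, new):
    """Grant `new` (recording it in `opens`) or report a sharing violation."""
    if any(conflicts(o, new) for o in opens):
        return "sharing violation"
    opens.append(new)
    return "granted"


def two_client_scenario(writer_share):
    """Client A opens for write with the given share flags; client B then
    opens for read while sharing everything.  Returns both results."""
    opens = []
    writer = Open("client A (writer)", FILE_WRITE_DATA, writer_share)
    reader = Open("client B (reader)", FILE_READ_DATA,
                  FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE)
    return try_open(opens, writer), try_open(opens, reader)


if __name__ == "__main__":
    print("writer exclusive:   ", two_client_scenario(0))
    print("writer shares read: ", two_client_scenario(FILE_SHARE_READ))
```

In the model a writer opened with share mode 0 (exclusive) blocks the reader with a sharing violation, while a writer that granted FILE_SHARE_READ lets the reader in, and nothing in the reader's own request can override what the writer withheld. On 2.2-era Samba the honouring of share modes was itself a smb.conf parameter (`share modes`), separate from `locking` and `oplocks`; disabling it lets the second open through but also discards the protection the writing application asked for.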



[Samba] some log files do not roll over, some do

2002-11-01 Thread Chere Zhou
Hello, everyone,

I set max log size = 100 in smb.conf.  Now my log.nmbd is 127666 bytes for 
days and I don't see it get moved to smb.conf.old, although samba.log got 
moved a couple of times now.  I haven't seen log.smbd to grow big enough yet, 
but sure log.winbindd got rolled over once.

So my question is, how is log-file roll-over supposed to work?  Do I need to 
add some code in nmbd for log.nmbd to be taken care of?

Thanks,
Chere
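The pattern in the post (a busy log rolling over while a quiet one sits past the limit for days) is what you get when rotation is triggered lazily from inside the writing process's own logging call rather than by an external scheduler. Below is an added example written for this page, not Samba's lib/debug.c: a model of write-triggered rotation in which the size is inspected only every CHECK_EVERY messages (a constructed value) and the file is renamed to `.old` when it exceeds max_bytes. The demo() function replays a chatty log and a quiet one that is already oversized.

```python
# Added example for this page: a model of write-triggered log rotation, where
# the writing process checks its own log's size from inside the logging call.
# Illustrative code, not Samba's lib/debug.c; CHECK_EVERY is a constructed value.
import os
import tempfile


class RotatingLog:
    """Append lines to `path`; every CHECK_EVERY-th message, if the file is
    larger than max_bytes, rename it to `path + '.old'` and start afresh."""

    CHECK_EVERY = 100   # messages between size checks (constructed value)

    def __init__(self, path, max_bytes):
        self.path = path
        self.max_bytes = max_bytes
        self.since_check = 0
        self.rotations = 0

    def write(self, line):
        with open(self.path, "a") as f:
            f.write(line + "\n")
        self.since_check += 1
        if self.since_check < self.CHECK_EVERY:
            return                      # no size check on this message
        self.since_check = 0
        if os.path.getsize(self.path) > self.max_bytes:
            os.replace(self.path, self.path + ".old")   # single .old generation
            self.rotations += 1


def demo(max_bytes=1024):
    """Replay a chatty log and a quiet one that is already over the limit.
    Returns (chatty rotations, quiet rotations, quiet log still over limit)."""
    d = tempfile.mkdtemp()
    chatty = RotatingLog(os.path.join(d, "log.busy"), max_bytes)
    for i in range(500):
        chatty.write("busy daemon message %d %s" % (i, "x" * 40))
    quiet = RotatingLog(os.path.join(d, "log.quiet"), max_bytes)
    with open(quiet.path, "w") as f:       # constructed: already oversized
        f.write("y" * (5 * max_bytes))
    for i in range(20):                    # too few messages to trigger a check
        quiet.write("quiet daemon message %d" % i)
    return chatty.rotations, quiet.rotations, os.path.getsize(quiet.path) > max_bytes


if __name__ == "__main__":
    print(demo())
```

The quiet log finishes the run still larger than its limit with no rotation at all, because it never wrote enough messages for the check to fire; the chatty one rotates on every hundredth message. Where prompt rotation of a rarely written log matters, an external rotator that renames the file and then signals the daemon to reopen its logs (smbd and nmbd reopen theirs on SIGHUP) does not depend on the daemon's write rate.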



[Samba] Suggestion: maybe no need to add SMB_ACL_GROUP_OBJ in ensure_canon_entry_valid()

2002-10-30 Thread Chere Zhou
Samba team members,

Consider a user who wants to change the group name, by doing file 
properties -> security -> Advanced -> select groupA -> click on 
view/edit -> change -> select groupB.  Then after parsing the DACL, we get an 
SMB_ACL_GROUP ace with groupB, but no SMB_ACL_GROUP_OBJ.
However, in unpack_canon_ace(), after the call to ensure_canon_entry_valid(), 
a new SMB_ACL_GROUP_OBJ with groupA will be added.   I think the correct 
behavior would be to modify the existing ALLOW_ACE  SMB_ACL_GROUP ace to 
SMB_ACL_GROUP_OBJ, instead of adding the file's current gid as an 
SMB_ACL_GROUP_OBJ ace.  

Can somebody tell me why this approach might be wrong?  Otherwise I will try 
to patch posix_acl.c.

Thanks,
Chere



[Samba] NTFS file property - primary group ID instead of DACL

2002-10-22 Thread Chere Zhou
When I change file property - security from Windows, I can see both from 
packet sniffer and Samba code, that there are 4 types of security 
information:
Owner ID Reference
Primary Group ID Reference
Discretionary ACL Reference
System ACL Reference

So if I want to change the primary group name on a file, by right-clicking on 
the file -> property -> security -> advanced -> select the group -> view/edit -> change, 
I get the Discretionary ACL Reference in the packet.

My question is, how do I trigger the Primary Group ID Reference in the 
packet?  What should I do from the client side?

Thanks,
Chere



[Samba] NTLM version?

2002-10-09 Thread Chere Zhou

Hi,

Can anybody tell me what version of NTLM we support in 2.2.5, 3.0a20 and 
after 3.0 is out?  If not version numbers, then what features?

Chere



[Samba] Is this a DOS behavior, or a bug?

2002-10-01 Thread Chere Zhou

I have a parent directory /foo with permission as 0777, which is a samba 
share.  As root on Unix, I created a sub-directory /foo/bar, and a file 
/foo/bar2, both with permission 0400.  Now, logging in to samba as Unix user 
nobody, I can delete the directory bar but not the file bar2.  Is this a bug, 
or an expected behavior?

Chere
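The asymmetry in the post (the 0400 directory goes, the 0400 file stays) is the kind of result DOS-semantics emulation layered on POSIX produces: POSIX decides the removal of any directory entry by the permissions on the parent directory alone, whereas a server emulating DOS additionally refuses to delete a file that carries the DOS read-only attribute. Below is an added example written for this page, not Samba's code: a model with the POSIX parent-directory check and a simplified read-only mapping (a file the connecting user cannot write is treated as read-only; that mapping rule and the delete_readonly switch are the example's assumptions, though Samba does have a corresponding smb.conf parameter, `delete readonly`), run over the exact tree in the post with nobody as the connecting user.

```python
# Added example for this page: a model of delete decisions through an SMB
# share that layers DOS read-only semantics on top of POSIX permissions.
# Not Samba's code; the read-only mapping rule below is a simplification.


class Node:
    """A file or directory with classic Unix ownership and mode bits."""

    def __init__(self, name, mode, uid, gid, is_dir=False):
        self.name = name
        self.mode = mode      # permission bits only, e.g. 0o400
        self.uid = uid
        self.gid = gid
        self.is_dir = is_dir


def allowed(node, uid, gid, want):
    """Classic POSIX mode check: owner bits if uid matches, else group
    bits if gid matches, else 'other' bits.  `want` is an rwx mask 0-7.
    uid 0 is deliberately not special-cased: the client here is 'nobody'."""
    if uid == node.uid:
        shift = 6
    elif gid == node.gid:
        shift = 3
    else:
        shift = 0
    return ((node.mode >> shift) & want) == want


def posix_can_remove_entry(parent, uid, gid):
    """POSIX: unlink() and rmdir() need write+search on the *parent*;
    the mode of the entry being removed is not consulted (sticky bit
    ignored in this model)."""
    return allowed(parent, uid, gid, 0o3)


def dos_readonly(node, uid, gid):
    """Assumed mapping: the entry shows the DOS read-only attribute when
    the connecting user has no write permission on it."""
    return not allowed(node, uid, gid, 0o2)


def smb_delete(parent, node, uid, gid, delete_readonly=False):
    """Decide a delete request as a DOS-emulating server would in this model.
    Directories fall under the POSIX rule alone; files are first refused
    when read-only, unless delete_readonly is switched on."""
    if not node.is_dir and dos_readonly(node, uid, gid) and not delete_readonly:
        return "cannot delete: read-only file"
    if not posix_can_remove_entry(parent, uid, gid):
        return "access denied by parent directory"
    return "deleted"


# The tree from the post, constructed here: everything root-owned, /foo is
# 0777, /foo/bar (dir) and /foo/bar2 (file) are 0400.  nobody is uid/gid 65534.
ROOT, NOBODY = 0, 65534
FOO = Node("foo", 0o777, ROOT, ROOT, is_dir=True)
BAR = Node("bar", 0o400, ROOT, ROOT, is_dir=True)
BAR2 = Node("bar2", 0o400, ROOT, ROOT)


def post_scenario(delete_readonly=False):
    """Outcome for (rmdir bar, unlink bar2) requested as user nobody."""
    return (smb_delete(FOO, BAR, NOBODY, NOBODY, delete_readonly),
            smb_delete(FOO, BAR2, NOBODY, NOBODY, delete_readonly))


if __name__ == "__main__":
    print("default:        ", post_scenario())
    print("delete readonly:", post_scenario(delete_readonly=True))
```

With the default setting the model reproduces the post exactly: the directory is removable because only /foo's 0777 mode is consulted, and the file is refused on its read-only attribute before the POSIX check is ever reached; flipping delete_readonly removes that extra refusal and both go. The practical point for anyone relying on a 0400 mode to protect a directory's existence is that the mode of the entry never enters the decision, only the parent's write and search bits (and, on a real filesystem, the sticky bit this model leaves out).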