Re: [Samba] SAMBA Kerberos misunderstanding
Hi,

On Thu, Feb 22, 2007 at 03:59:00PM +1000, Bradley Schatz wrote:
> Thanks Mark,
>
> I did the following:
>
> net ads keytab ADD HTTP/foundry.example.local
>
> It placed the following in my keytab:
>
> klist -k:
>
> 2 HTTP/foundry.example.local/[EMAIL PROTECTED]
> 2 HTTP/foundry.example.local/[EMAIL PROTECTED]
> 2 HTTP/foundry.example.local/[EMAIL PROTECTED]
>
> The following appears to have done the right thing:
>
> net ads keytab ADD HTTP
>
> klist -k
>
> 2 HTTP/[EMAIL PROTECTED]
> 2 HTTP/[EMAIL PROTECTED]
>
> However, I am still no closer than I started:
>
> kinit -k -t /etc/krb5.keytab HTTP/foundry.example.local
> kinit(v5): Client not found in Kerberos database while getting initial
> credentials

I do not understand why you want to gain a TGT for a service principal. This would be possible in a MIT Kerberos environment. In an Active Directory environment it would also be possible if you created HTTP/foundry.example.local as a user principal name. But it is not necessary for kerberizing apache.

- Mark

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] SAMBA Kerberos misunderstanding
Hi,

On Wed, Feb 21, 2007 at 06:41:42PM +1000, Bradley Schatz wrote:
> Hi Mark,
>
> For some background, I am actually trying to set up a http kerberos service
> so that I can use mod_auth_krb in apache2.
>
> Would net ads join createupn=http/foundry.example.local do the trick?

No. That command only creates a user principal name for the machine account. So that you could obtain kerberos tickets as http/foundry.example.local, i.e. you could become the identity of http/foundry.example.local.

If you want to kerberize apache, you need to create a service principal on the active directory controller: HTTP/foundry.example.local (note: HTTP is uppercase). And you need to create a keytab file for apache. This can be done by samba via

  net ads keytab ADD HTTP/foundry.example.com

This would add some HTTP entries to /etc/krb5.keytab. Typically apache is not running as root, so it cannot read /etc/krb5.keytab. Therefore you should move the HTTP entries to a separate keytab file which apache can read. This could be done by ktutil or by setting the environment variable "KRB5_KTNAME".

> I am on 3.0.22, which does not support this syntax. Any work-arounds?

"createupn" was a new feature in 3.0.23a...

- Mark

> On 2/21/07, Mark Proehl <[EMAIL PROTECTED]> wrote:
> >
> > Hi,
> >
> > try
> >
> >   net ads join createupn=host/foundry.example.local
> >
> > - Mark
> >
> > On Tue, Feb 20, 2007 at 05:57:47PM +1000, Bradley Schatz wrote:
> >> I suspect I might be grossly misunderstanding kerberos and AD here, but I
> >> can't seem to grok the following.
> >>
> >> net ads join integrates my linux samba server (named foundry) into an AD
> >> domain and all works fine. The samba server is using the kerberos keytab.
> >>
> >> [EMAIL PROTECTED]:~ # kinit -k -t /etc/krb5.keytab foundry$
> >> [EMAIL PROTECTED]:~ # kinit -k -t /etc/krb5.keytab host/foundry.example.local
> >> kinit(v5): Client not found in Kerberos database while getting initial
> >> credentials
> >>
> >> Why can't kinit find the service host/foundry.example.local in the AD
> >> Kerberos database? It seems to be in the local linux server keylist:
> >>
> >> [EMAIL PROTECTED]:~ # klist -k
> >> Keytab name: FILE:/etc/krb5.keytab
> >> KVNO Principal
> >> ----
> >> 2 host/[EMAIL PROTECTED]
> >> 2 host/[EMAIL PROTECTED]
> >> cut ...
> >>
> >> What am I missing here?
> >>
> >> Thanks,
> >>
> >> Bradley

--
Kind regards,
Mark Pröhl

___ creating IT solutions

Mark Proehl                    phone +49(0)7071 9457-591
Senior Solutions Engineer      fax   +49(0)7071 9457-411
CAx Professional Services      science + computing ag
[EMAIL PROTECTED]              Hagellocher Weg 71-75
[EMAIL PROTECTED]              D-72070 Tuebingen, Germany
                               www.science-computing.de
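A way to do the keytab split Mark describes, as an added example written for this page (it is not code from the thread or from the Samba project): the script takes the listing that `klist -k` prints for /etc/krb5.keytab and generates the `ktutil` commands that delete every slot except the HTTP/ entries and write the remainder to a keytab apache can read. It assumes MIT Kerberos tools (sequential ktutil slot numbers that are renumbered after each `delent`, which is why deletions are emitted highest slot first), a realm of EXAMPLE.LOCAL (the thread redacts the realm), a target path of /etc/apache2/http.keytab and a service account named www-data; the listing fed in is constructed from the entries quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): extract HTTP/ keys from the machine
# keytab into a separate keytab for apache, using MIT ktutil.

# http_ktutil_script SRC DST SERVICE   (klist -k output on stdin)
# Emits a ktutil command script. Entries are numbered in listing order,
# which is the slot order ktutil shows after "rkt SRC". Every slot whose
# principal does not start with SERVICE/ is deleted, highest slot first,
# because ktutil renumbers the remaining slots after each delent.
http_ktutil_script() {
    src=$1 dst=$2 svc=$3
    awk -v src="$src" -v dst="$dst" -v svc="$svc" '
        $1 ~ /^[0-9]+$/ {                    # data lines start with the KVNO
            slot++
            if (index($2, svc "/") != 1) del[++n] = slot
        }
        END {
            print "rkt " src
            for (i = n; i >= 1; i--) print "delent " del[i]
            print "wkt " dst
            print "quit"
        }'
}

# install_service_keytab SRC DST SERVICE OWNER
# Runs the generated script through ktutil and locks the new file down so
# only the service account (assumed name) can read it. The machine keytab
# SRC is left untouched: smbd and winbindd still need its host/ keys.
install_service_keytab() {
    src=$1 dst=$2 svc=$3 owner=$4
    umask 077
    rm -f "$dst"                      # wkt appends to an existing keytab
    klist -k "$src" | http_ktutil_script "$src" "$dst" "$svc" | ktutil
    chown "$owner" "$dst" && chmod 0400 "$dst"
}

# Constructed klist -k listing; realm and host names are assumptions.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/foundry.example.local@EXAMPLE.LOCAL
   2 host/FOUNDRY@EXAMPLE.LOCAL
   2 FOUNDRY$@EXAMPLE.LOCAL
   2 HTTP/foundry.example.local@EXAMPLE.LOCAL
   2 HTTP/FOUNDRY@EXAMPLE.LOCAL'

# Dry run: print the ktutil script instead of executing it.
printf '%s\n' "$SAMPLE_KLIST" | http_ktutil_script /etc/krb5.keytab /etc/apache2/http.keytab HTTP
```

For a live system the call is `install_service_keytab /etc/krb5.keytab /etc/apache2/http.keytab HTTP www-data`; the resulting path then goes into mod_auth_kerb's `Krb5Keytab` directive or into `KRB5_KTNAME` in apache's environment, which is the alternative Mark mentions. Re-run it after every `net ads changetrustpw` or rejoin, because the key versions in the copy go stale together with the machine keytab.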
Re: [Samba] SAMBA Kerberos misunderstanding
Hi,

try

  net ads join createupn=host/foundry.example.local

- Mark

On Tue, Feb 20, 2007 at 05:57:47PM +1000, Bradley Schatz wrote:
> I suspect I might be grossly misunderstanding kerberos and AD here, but I
> can't seem to grok the following.
>
> net ads join integrates my linux samba server (named foundry) into an AD
> domain and all works fine. The samba server is using the kerberos keytab.
>
> [EMAIL PROTECTED]:~ # kinit -k -t /etc/krb5.keytab foundry$
> [EMAIL PROTECTED]:~ # kinit -k -t /etc/krb5.keytab host/foundry.example.local
> kinit(v5): Client not found in Kerberos database while getting initial
> credentials
>
> Why can't kinit find the service host/foundry.example.local in the AD
> Kerberos database? It seems to be in the local linux server keylist:
>
> [EMAIL PROTECTED]:~ # klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> --
> 2 host/[EMAIL PROTECTED]
> 2 host/[EMAIL PROTECTED]
> cut ...
>
> What am I missing here?
>
> Thanks,
>
> Bradley
Re: [Samba] PAM authentication to Active Directory
Hi,

On Wed, Nov 15, 2006 at 06:03:37PM -, Gautier, B (Bob) wrote:
> ...
> I'm not entirely clear what you want to do, but you could look
> at using just pam_krb5 (i.e. use AD's Kerberos functionality
> for authentication) - that way, you won't need a domain join.

pam_krb5 should validate the user's ticket granting ticket. Otherwise authentication is not secure. Validation is performed by requesting a service ticket (for the host principal) and decrypting that ticket with a key from the keytab (/etc/krb5.keytab). So pam_krb5 needs a keytab file to operate securely. One of the easiest ways to get that keytab is samba's "net ads join".

- Mark
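The validation step Mark refers to, as an added example (not code from the thread or from pam_krb5): the first function checks a `klist -k` listing for the host/<fqdn>@<REALM> key the validation needs; the second types out with the MIT client tools what a validating pam_krb5 does internally, namely obtain a TGT for the user, request a service ticket for this host and check that the ticket decrypts with the keytab key (MIT's `kvno -k`). The FQDN, realm and listing are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): the keytab precondition and the
# manual equivalent of pam_krb5's TGT validation. MIT Kerberos tools assumed.

# keytab_has_host_key FQDN REALM   (klist -k output on stdin)
# Succeeds when the listing holds host/FQDN@REALM, the key used to decrypt
# the service ticket that validation requests for this host.
keytab_has_host_key() {
    awk -v want="host/$1@$2" '
        $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
        END { exit !found }'
}

# validate_tgt_by_hand USER FQDN REALM KEYTAB
# Without the keytab step a rogue KDC answering for the realm name can hand
# out a TGT of its own making for any password and the login succeeds.
validate_tgt_by_hand() {
    user=$1 fqdn=$2 realm=$3 keytab=$4
    # AS exchange: prompts for the password, stores the TGT in the ccache
    kinit "$user@$realm" || return 1
    # TGS exchange for host/FQDN, then decrypt the returned service ticket
    # with the key in KEYTAB. A spoofed KDC cannot mint a ticket that
    # decrypts with a key it does not hold, so this is where the check bites.
    kvno -k "$keytab" "host/$fqdn@$realm"
}

# Constructed listing with assumed FQDN and realm (the thread redacts both).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/foundry.example.local@EXAMPLE.LOCAL
   2 host/FOUNDRY@EXAMPLE.LOCAL
   2 FOUNDRY$@EXAMPLE.LOCAL'

if printf '%s\n' "$SAMPLE_KLIST" | keytab_has_host_key foundry.example.local EXAMPLE.LOCAL; then
    echo "keytab has host/foundry.example.local@EXAMPLE.LOCAL: validation possible"
else
    echo "host key missing: run 'net ads join' first"
fi
```

On a real host, `klist -k /etc/krb5.keytab | keytab_has_host_key "$(hostname -f)" EXAMPLE.LOCAL` is the check to run before switching a pam_krb5 stack to validating mode; a keytab without the host/ key makes validation impossible, and a pam_krb5 configured to tolerate that silently falls back to the unverified AS exchange.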
Re: [Samba] Samba3.023c host can't join 2003AD on Freebsd6.1 AMD64
On Fri, Oct 20, 2006 at 03:56:06PM +0800, Zhou,Alan wrote:
> Hi
> I installed Samba 3.0.23c on the freebsd 6.1 via ports, I have
> configured krb5.conf and nsswitch.conf, when I execute "kinit [EMAIL PROTECTED]"
> the system responds "kinit: NOTICE: ticket renewable lifetime is 10 hours"
> But when I execute "net ads join -U [EMAIL PROTECTED]" the system responds
>
> "[2006/10/20 09:21:41, 0] utils/net_ads.c:ads_startup(281)
> ads_connect: Response too big for UDP, retry with TCP"

The kdc reply is too big to fit in one UDP packet. This happens if the authorization data in that reply is too big. This may be the case if administrator belongs to a large number of groups (>32). If that is the case, you could try to join with another userid, one that belongs to a smaller number of groups.

- Mark
Re: [Samba] idmap backend ad and trusted domains?
On Thu, Jul 27, 2006 at 03:02:16PM -0400, simo wrote:
> On Thu, 2006-07-27 at 20:53 +0200, Mark Proehl wrote:
> > On Thu, Jul 27, 2006 at 04:57:39PM +0200, Mark Proehl wrote:
> > > Hi,
> > >
> > > is "idmap backend = ad" with "winbind nss info = sfu" supposed to work
> > > with trusted domains?
> > >
> > > - Mark
> >
> > my problem is this:
> >
> > vm1:~ # wbinfo -S S-1-5-21-4038355506-4058439304-2375676978-500
> > 13
> > vm1:~ # wbinfo -S S-1-5-21-4038355506-4058439304-2375676978-500
> > 13
> > vm1:~ # wbinfo -S S-1-5-21-450098887-3131224273-1459421348-500
> > Could not convert sid S-1-5-21-450098887-3131224273-1459421348-500 to uid
> >
> > both domains are w2k3r2 domains. Samba is 3.0.23a. I suspect that
> > winbind does not follow the ldap referral from its own dc to the dc
> > of the trusted domain.
>
> Seem this is a known bug:
> https://bugzilla.samba.org/show_bug.cgi?id=3661
>
> Simo.

Thank you, this is the same problem that I am facing.

But I noticed another problem: idmap_ad in 3.0.23a seems to ignore the UNIX attributes (eg. unixHomeDirectory and loginShell). This has been working with W2K3 and SFU-3.5, but with W2K3-R2 the user entry only gets default template values for these attributes.

- Mark
Re: [Samba] idmap backend ad and trusted domains?
On Thu, Jul 27, 2006 at 04:57:39PM +0200, Mark Proehl wrote:
> Hi,
>
> is "idmap backend = ad" with "winbind nss info = sfu" supposed to work
> with trusted domains?
>
> - Mark

my problem is this:

vm1:~ # wbinfo -S S-1-5-21-4038355506-4058439304-2375676978-500
13
vm1:~ # wbinfo -S S-1-5-21-4038355506-4058439304-2375676978-500
13
vm1:~ # wbinfo -S S-1-5-21-450098887-3131224273-1459421348-500
Could not convert sid S-1-5-21-450098887-3131224273-1459421348-500 to uid

both domains are w2k3r2 domains. Samba is 3.0.23a. I suspect that winbind does not follow the ldap referral from its own dc to the dc of the trusted domain.

Or is there a problem with my setup:

[global]
        workgroup = W2K3
        realm = EXAMPLE.COM
        security = ADS
        use kerberos keytab = Yes
        log level = 10
        panic action = sleep 1
        idmap backend = ad
        idmap uid = 1-100
        idmap gid = 1-100
        winbind cache time = 10
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nss info = sfu
[Samba] idmap backend ad and trusted domains?
Hi,

is "idmap backend = ad" with "winbind nss info = sfu" supposed to work with trusted domains?

- Mark
Re: [Samba] Join ADS problem
you should not run the daemons while joining. The daemon log files don't provide any information about the join process. You should run the net command with a higher debug level, e.g.

  net ads join -d 3

On Mon, May 22, 2006 at 10:39:01AM +0200, diego Pelizzi wrote:
> Problem with join to Active Directory
>
>
> [EMAIL PROTECTED] samba]# net ads join -S 10.0.0.1 -U Administrator
> Administrator's password:
> [2006/05/22 10:24:05, 0] libads/ldap.c:ads_join_realm(1640)
> ads_add_machine_acct (clust): Type or value exists
> ads_join_realm: Type or value exists
>
> [EMAIL PROTECTED] samba]# kinit [EMAIL PROTECTED]
> Password for [EMAIL PROTECTED]:
>
> As you can see kerberos seems to work well, but when I tried to join to ADS
> the output is: Type or value exists.
> I checked the computer folder in Active Directory, but there isn't the samba
> server.
>
>
> winbindd.log
> [2006/05/22 10:23:17, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(544)
> spnego_gen_negTokenTarg failed: No credentials cache found
> [2006/05/22 10:23:17, 1] libsmb/clikrb5.c:ads_krb5_mk_req(323)
> krb5_cc_get_principal failed (No credentials cache found)
> [2006/05/22 10:23:17, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(544)
> spnego_gen_negTokenTarg failed: No credentials cache found
> [2006/05/22 10:23:17, 1] libsmb/clikrb5.c:ads_krb5_mk_req(323)
> krb5_cc_get_principal failed (No credentials cache found)
> [2006/05/22 10:23:17, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(544)
> spnego_gen_negTokenTarg failed: No credentials cache found
> [2006/05/22 10:23:17, 1] libsmb/clikrb5.c:ads_krb5_mk_req(323)
> krb5_cc_get_principal failed (No credentials cache found)
> [2006/05/22 10:23:17, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(544)
> spnego_gen_negTokenTarg failed: No credentials cache found
> [2006/05/22 10:23:17, 1] libsmb/clikrb5.c:ads_krb5_mk_req(323)
> krb5_cc_get_principal failed (No credentials cache found)
> [2006/05/22 10:23:17, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(544)
> spnego_gen_negTokenTarg failed: No credentials cache found
> [2006/05/22 10:28:18, 1] libsmb/clikrb5.c:ads_krb5_mk_req(323)
> krb5_cc_get_principal failed (No credentials cache found)
> [2006/05/22 10:28:18, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(544)
> spnego_gen_negTokenTarg failed: No credentials cache found
>
> ### smbd.log
> 2006/05/22 08:24:11, 0] smbd/server.c:main(760)
> smbd version 3.0.8pre1-0.pre1.3 started.
> Copyright Andrew Tridgell and the Samba Team 1992-2004
> [2006/05/22 08:24:11, 1] libsmb/clikrb5.c:ads_krb5_mk_req(323)
> krb5_cc_get_principal failed (No credentials cache found)
> [2006/05/22 08:24:11, 0] printing/nt_printing.c:nt_printing_init(383)
> nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
> [2006/05/22 08:56:10, 0] smbd/server.c:main(760)
> smbd version 3.0.8pre1-0.pre1.3 started.
> Copyright Andrew Tridgell and the Samba Team 1992-2004
> [2006/05/22 08:56:11, 1] libsmb/clikrb5.c:ads_krb5_mk_req(323)
> krb5_cc_get_principal failed (No credentials cache found)
>
>
>
> My config:
> Fedora Core3
> samba-3.0.8-0.pre1.3
>
> #/etc/krb5.conf
> [libdefaults]
> default_realm = COROD.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = false
>
> [realms]
> COROD.LOCAL = {
> kdc = 10.0.0.1:88
> admin_server = 10.0.0.1:749
> default_domain = corod.local
> }
>
> [domain_realm]
> .corod.local = COROD.LOCAL
> corod.local = COROD.LOCAL
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> # /etc/samba/smb.conf
> [global]
> workgroup = COROD
> security = ADS
> realm = COROD.LOCAL
> netbios name = CLUST
> os level = 20
> log file = /var/log/samba/%m.log
> max log size = 50
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> dns proxy = No
> ldap ssl = no
> force create mode = 0700
> create mode = 0770
> directory mode = 0770
> force directory mode = 0770
> load printers = no
>
>
> Thanks in advance for any help.
Re: [Samba] net rpc join fails the first time but succeeds the second
Hi,

if you create a new user with luseradd, is this new user immediately available? Or do you have to wait some time between the following two commands:

> /usr/sbin/luseradd -g "Domain Computers" -c "Machine" -s /bin/false -d /dev/null -n -M testuser
> id testuser

Mark

On Fri, May 19, 2006 at 01:13:21PM +0200, Felipe Alfaro Solana wrote:
> Hi.
>
> I'm having some trouble when trying to join a SAMBA machine, acting as
> a member server, to a NT-style domain server managed by a SAMBA PDC
> using an LDAP back-end. Both machines are running samba-3.0.10-1.4E.6
> on Red Hat Enterprise Linux 4.1 Update 3 for AMD64.
>
> When trying to add the member server to the domain, it fails with an
> error message. However, if I try to add it again, the operation
> succeeds.
>
> The first try to add the member server fails with this error message:
>
> [EMAIL PROTECTED] ~]# net rpc join CENTRAL -U Administrator%password
> [2006/05/19 13:01:08, 0] utils/net_rpc_join.c:net_rpc_join_newstyle(319)
> Error domain join verification (reused connection): NT_STATUS_ACCESS_DENIED
>
> Unable to join domain CENTRAL.
>
> I can see the SAMBA machine account has been created:
>
> [EMAIL PROTECTED] ~]# pdbedit -L
> Administrator:0:Domain Administrator
> member$:10001:Machine
>
> Then, immediately, I try to add the member server, once again:
>
> [EMAIL PROTECTED] ~]# net rpc join CENTRAL -U Administrator%password
> Joined domain CENTRAL.
>
> Both, the member server and PDC are using nss_ldap.
> Thus:
>
> [EMAIL PROTECTED] ~]# id Administrator
> uid=0(root) gid=0(root) groups=0(root)
>
> The smb.conf for the PDC is:
>
> [global]
>
> # Store SAMBA data into an LDAP backend
> passdb backend = ldapsam:ldap://ldap/
> ldap admin dn = cn=Directory Manager
> ldap suffix = dc=central
> ldap user suffix = ou=People
> ldap machine suffix = ou=Computers
> ldap group suffix = ou=Groups
>
> # Scripts for managing users and computers
> add user script = /usr/sbin/luseradd -g "Domain Users" %u
> delete user script = /usr/sbin/luserdel -r %u
> add group script = /usr/sbin/lgroupadd %g
> delete group script = /usr/sbin/groupdel %g
> add user to group script = /usr/sbin/lgroupmod -A %u %g
> delete user from group script = /usr/sbin/lgroupmod -R %u %g
> add machine script = /usr/sbin/luseradd -g "Domain Computers" -c "Machine" -s /bin/false -d /dev/null -n -M "%u"
>
> workgroup = CENTRAL
> netbios name = NDS1
> server string = CENTRAL Samba Domain Controller
>
> load printers = no
>
> log file = /var/log/samba/%m.log
>
> security = user
> encrypt passwords = yes
>
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> os level = 35
> local master = yes
> domain master = yes
> preferred master = yes
> domain logons = yes
> logon path =
>
> wins support = yes
>
> The smb.conf for the member server is:
>
> [global]
>
> workgroup = CENTRAL
> server string = CENTRAL File Server
> netbios name = FS1
> log file = /var/log/samba/%m.log
> max log size = 50
> security = domain
> encrypt passwords = yes
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> Any ideas?
> Thank you very much.
Re: [Samba] samba log and cups
Hi,

if your samba is compiled without libcups, then you should not set printing = CUPS. From the smb.conf manual page:

  "For printing = CUPS : If SAMBA is compiled against libcups, then printcap = cups uses the CUPS API to submit jobs, etc."

If samba is not compiled against libcups, how should it be able to use the cups api?

Mark

On Thu, May 18, 2006 at 05:56:44PM +0200, Emilio Casbas wrote:
> We've seen a lot of lines in samba log with the message;
>
> [2006/05/18 17:49:15, 0] printing/pcap.c:pcap_cache_reload(149)
> Unable to open printcap file CUPS for read!
>
> Our smbd isn't compiled with CUPS, which is why we are using a customized
> "print command";
> however, we are using CUPS as printer system with;
> printing = CUPS
> printcap name = CUPS
>
> All system is working well, the only problem is the samba log which is
> filling with
> that message.
>
> samba version is samba-3.0.20
> any ideas?
>
> Thanks.
> Emilio C.
[Samba] why is idmap uid / gid needed for ACLs?
Hi,

why do I have to specify idmap uid and idmap gid ranges to have filesystem ACLs working?

My environment is a samba controlled domain. All Unix account information is stored in LDAP. In samba-3.0.14a it was possible to use winbind in "netlogon proxy only" mode (i.e. no ranges for idmap uid / gid) so that filesystem acls could be set from XP. 3.0.22 refuses to set ACLs until I configure a dummy range. That dummy range is never used.

I actually made the following settings:

  idmap uid = 8-8
  idmap gid = 8-8

Mark
Re: [Samba] SerNet.de Release and krb problems
Hello,

the same problem happens to me with a RHEL4 system.

Another point is that using "net ads join" with existing kerberos credentials is not working:

[EMAIL PROTECTED] tmp]# kinit Administrator
Password for [EMAIL PROTECTED]:
[EMAIL PROTECTED] tmp]# klist -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
05/09/06 16:07:35  05/10/06 02:07:36  krbtgt/[EMAIL PROTECTED]
        renew until 05/10/06 16:07:35
[EMAIL PROTECTED] tmp]# /usr/bin/net ads join
root's password:
...

(It should not ask for root's password, but use the name "Administrator" from the kerberos credential cache instead).

On Mon, May 08, 2006 at 10:37:18PM -0500, Matt Sellers wrote:
> Hello All,
>
> I'm using a fresh install of CentOS 4.3 fully updated with the latest
> Samba packages from SerNet.de
>
> http://enterprisesamba.org/index.php?id=64
>
> While I have used Samba/Winbind for quite some time, I'm having a peculiar
> problem with these RPM's. When I try to "net ads join -U " to
> join of ADS realm, I get this error...
>
> [EMAIL PROTECTED] sernet-samba]# net -V
> Version 3.0.22-SerNet-RedHat
> [EMAIL PROTECTED] sernet-samba]# net ads join -U msellers
> msellers's password:
> [2006/05/08 23:02:12, 0] utils/net_ads.c:ads_startup(191)
> ads_connect: Program lacks support for encryption type
> [EMAIL PROTECTED] sernet-samba]#
>
> While I do have the latest krb5 libs installed from the CentOS repo, its
> my understanding that Sernet statically compiles their own kerberos
> libraries for compatibility, at least what their site says

ldd /usr/bin/smbd looks like Sernet's package is linked against the system kerberos library (MIT kerberos):

[EMAIL PROTECTED] tmp]# rpm -qf /usr/sbin/smbd
samba3-3.0.22-26
[EMAIL PROTECTED] tmp]# rpm -qi samba3
Name        : samba3                       Relocations: (not relocatable)
Version     : 3.0.22                            Vendor: Service Network GmbH, Goettingen
Release     : 26                            Build Date: Fri 31 Mar 2006 01:30:19 PM CEST
Install Date: Mon 08 May 2006 12:56:45 PM CEST      Build Host: opi
Group       : Productivity/Networking/Samba   Source RPM: samba3-3.0.22-26.src.rpm
Size        : 44867747                         License: GNU GPL
Signature   : (none)
Packager    : SerNet Samba Team <[EMAIL PROTECTED]>
URL         : http://www.samba.org
Summary     : An SMB/CIFS file server
Description :
Samba is a suite of programs which work together to allow clients to access Unix filespace and printers via the SMB/CIFS protocol.

[EMAIL PROTECTED] tmp]# ldd /usr/sbin/smbd | grep krb
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00319000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x002c7000)
[EMAIL PROTECTED] tmp]#

but it also seems to have some parts of heimdal included:

[EMAIL PROTECTED] tmp]# strings /usr/sbin/smbd | grep -i heimd
heimdal_long_version
heimdal_version
Heimdal 0.7.2
@(#)$Version: Heimdal 0.7.2 by root on opi (i686-pc-linux-gnu) Fri Mar 31 05:23:15 EST 2006 $
[EMAIL PROTECTED] tmp]#

I don't know if that is the reason for the problem, but linking against two different kerberos libraries might cause trouble.

Mark

> I have successfully compiled samba from source on CentOS, but have never
> gotten these SerNet binaries to work. Can anybody point me in the
> direction to fix this, or explain?
>
> Thanks all :-)
>
> --
> Matt Sellers
> [EMAIL PROTECTED]
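A scripted form of the ldd/strings inspection above, as an added example (not code from the thread or from SerNet): it reports whether a binary is dynamically linked against the MIT libraries, carries a Heimdal version banner, both, or neither, so a package that mixes the two shows up as "mixed". It cannot tell which library produced the "Program lacks support for encryption type" error; it only makes the mixed linkage visible. The banner pattern is taken from the "Heimdal 0.7.2" string in the thread, the library name libgssapi_krb5 from the ldd output there, and the files it is tested on are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): spot binaries that carry both
# MIT Kerberos and Heimdal, the situation the ldd/strings output above shows.

# needed_libs BINARY -> one shared-library name per line
# readelf only reads the ELF headers; ldd may run parts of the binary's
# dynamic loader, so the fallback is only for binaries you already trust.
needed_libs() {
    if command -v readelf >/dev/null 2>&1; then
        readelf -d "$1" 2>/dev/null | awk '/NEEDED/ { print $NF }'
    else
        ldd "$1" 2>/dev/null | awk '{ print $1 }'
    fi
}

# has_heimdal_banner BINARY
# A statically linked or bundled Heimdal leaves its version banner in the
# binary. tr turns every non-printable byte into a newline, which is what
# strings(1) did in the thread, without depending on binutils.
has_heimdal_banner() {
    tr -c '[:print:]' '\n' < "$1" 2>/dev/null | grep -q 'Heimdal [0-9]'
}

# krb5_linkage BINARY -> prints none | mit | heimdal | mixed
# libgssapi_krb5 is MIT's GSSAPI library; Heimdal's is libgssapi, so the
# name is specific to MIT.
krb5_linkage() {
    bin=$1
    mit=0 heimdal=0
    if needed_libs "$bin" | grep -q 'libgssapi_krb5\.so'; then
        mit=1
    fi
    if has_heimdal_banner "$bin"; then
        heimdal=1
    fi
    case "$mit$heimdal" in
        11) echo mixed ;;
        10) echo mit ;;
        01) echo heimdal ;;
        *)  echo none ;;
    esac
}

# report BINARY... -> one "path: verdict" line per binary
report() {
    for b in "$@"; do
        printf '%s: %s\n' "$b" "$(krb5_linkage "$b")"
    done
}

report /usr/sbin/smbd /usr/sbin/winbindd /usr/bin/net
```

Run `report` over every Samba binary in a package, not only smbd: the thread's `net ads join` failed in net, and a package can bundle Heimdal into one binary and link another against MIT.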
Re: [Samba] getting rid of lmhashes?
On Thu, Mar 02, 2006 at 09:52:47PM +0100, Mark Proehl wrote:
> On Thu, Mar 02, 2006 at 02:35:50PM -0600, Gerald (Jerry) Carter wrote:
> > Mark Proehl wrote:
> >
> > > I am aware, that both hashes are equivalent to clear text passwords
> > > and must be protected therefore. But cracking passwords with tools
> > > like john is much faster, if the lm hashes are available, so I think
> > > there should be an option to disable them.
> >
> > If you use passwords >14 characters in length, I'm sure the
> > lanman hashes are not generated. I would need to dig through
> > the code to remember how to prevent them from being generated
> > in other scenarios. Maybe later.
>
> [EMAIL PROTECTED]:~> smbpasswd
> Old SMB password: [qwert123]
> New SMB password: [qwertzuiop12345]
> Retype new SMB password: [qwertzuiop12345]
> Password changed for user mark
> [EMAIL PROTECTED]:~> ldapsearch -LLL uid=mark sambaLMPassword sambaNTPassword
> SASL/GSSAPI authentication started
> SASL username: [EMAIL PROTECTED]
> SASL SSF: 56
> SASL installing layers
> dn: uid=mark,ou=people,dc=example,dc=com
> sambaNTPassword: 1A1B11A0FE8352FB618F1B59A7CA3D2B
>
> [EMAIL PROTECTED]:~>
>
> cool! but forcing users to passwords > 14 chars is not that easy...
>
> are you sure that there is no other way to disable lanman hashes?
>
> Mark

I created a patch that introduces a new parameter "disable lanman hash" (attached). Is pdb_set_lanman_passwd in passdb/pdb_get_set.c the only function that has to be modified?

Please tell me what you think about this patch. I did some testing and will do some more testing with this patch tomorrow.

Mark

diff -Naur samba-3.0.21c.org/source/param/loadparm.c samba-3.0.21c/source/param/loadparm.c --- samba-3.0.21c.org/source/param/loadparm.c 2006-02-20 21:33:21.0 +0100 +++ samba-3.0.21c/source/param/loadparm.c 2006-03-02 22:15:26.148858000 +0100
@@ -279,6 +279,7 @@ BOOL bKernelOplocks; BOOL bAllowTrustedDomains; BOOL bLanmanAuth; + BOOL bDisableLanmanHash; BOOL bNTLMAuth; BOOL bUseSpnego; BOOL bClientLanManAuth; @@ -868,6 +869,7 @@ {"unix password sync", P_BOOL, P_GLOBAL, &Globals.bUnixPasswdSync, NULL, NULL, FLAG_ADVANCED}, {"restrict anonymous", P_INTEGER, P_GLOBAL, &Globals.restrict_anonymous, NULL, NULL, FLAG_ADVANCED}, {"lanman auth", P_BOOL, P_GLOBAL, &Globals.bLanmanAuth, NULL, NULL, FLAG_ADVANCED}, + {"disable lanman hash", P_BOOL, P_GLOBAL, &Globals.bDisableLanmanHash, NULL, NULL, FLAG_ADVANCED}, {"ntlm auth", P_BOOL, P_GLOBAL, &Globals.bNTLMAuth, NULL, NULL, FLAG_ADVANCED}, {"client NTLMv2 auth", P_BOOL, P_GLOBAL, &Globals.bClientNTLMv2Auth, NULL, NULL, FLAG_ADVANCED}, {"client lanman auth", P_BOOL, P_GLOBAL, &Globals.bClientLanManAuth, NULL, NULL, FLAG_ADVANCED}, @@ -1511,6 +1513,7 @@ Globals.bClientLanManAuth = True; /* Do use the LanMan hash if it is available */ Globals.bClientPlaintextAuth = True;/* Do use a plaintext password if is requested by the server */ Globals.bLanmanAuth = True; /* Do use the LanMan hash if it is available */ + Globals.bDisableLanmanHash = False; Globals.bNTLMAuth = True; /* Do use NTLMv1 if it is available (otherwise NTLMv2) */ Globals.bClientNTLMv2Auth = False; /* Client should not use NTLMv2, as we can't tell that the server supports it. */ /* Note, that we will use NTLM2 session security (which is different), if it is available */ 
@@ -1852,6 +1855,7 @@ FN_GLOBAL_BOOL(lp_allow_trusted_domains, &Globals.bAllowTrustedDomains) FN_GLOBAL_INTEGER(lp_restrict_anonymous, &Globals.restrict_anonymous) FN_GLOBAL_BOOL(lp_lanman_auth, &Globals.bLanmanAuth) +FN_GLOBAL_BOOL(lp_disable_lanman_hash, &Globals.bDisableLanmanHash) FN_GLOBAL_BOOL(lp_ntlm_auth, &Globals.bNTLMAuth) FN_GLOBAL_BOOL(lp_client_plaintext_auth, &Globals.bClientPlaintextAuth) FN_GLOBAL_BOOL(lp_client_lanman_auth, &Globals.bClientLanManAuth) diff -Naur samba-3.0.21c.org/source/passdb/pdb_get_set.c samba-3.0.21c/source/passdb/pdb_get_set.c --- samba-3.0.21c.org/source/passdb/pdb_get_set.c 2005-10-18 04:45:02.0 +0200 +++ samba-3.0.21c/source/passdb/pdb_get_set.c 2006-03-02 22:32:50.466762336 +0100 @@ -977,7 +977,7 @@ data_blob_clear_free(&sampass->private_u.lm_pw); - if (pwd) { + if (pwd && !lp_disable_lanman_hash()) { sampass->private_u.lm_pw = data_blob(pwd, LM_HASH_LEN); } else { sampass->private_u.lm_pw = data_blob(NULL, 0); -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
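Review bot: the new `{"disable lanman hash", P_BOOL, P_GLOBAL, &Globals.bDisableLanmanHash, NULL, NULL, FLAG_ADVANCED}` entry in the parameter table (hunk `@@ -868,6 +869,7 @@`) comes without documentation; every parameter in that table has an smb.conf man page entry, and the one for this option needs to say that it only governs what pdb_set_lanman_passwd stores and does not stop LM responses from being accepted, which remains the job of the adjacent "lanman auth" setting (the thread shows 'lanman auth = no' leaving the stored hashes untouched, so the two are easy to confuse).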
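Review bot: `Globals.bDisableLanmanHash = False;` (hunk `@@ -1511,6 +1513,7 @@`) is the one line in this run of defaults without the trailing comment its neighbours carry (`/* Do use the LanMan hash if it is available */`), so add one in the same style, e.g. `/* Do store the LanMan hash in the passdb backend */`. Keeping the default at False preserves current behaviour, which is the right choice for a point release.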
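Review bot: the guard `if (pwd && !lp_disable_lanman_hash())` in pdb_set_lanman_passwd (hunk `@@ -977,7 +977,7 @@` of pdb_get_set.c) drops the hash for every caller of the setter, not only on a password change, yet it does nothing about LM hashes already stored for existing accounts, which stay in the backend until each account is next written; neither point is stated, and the cover mail's own question (is this the only function to touch?) is left to the reviewer. List the callers of the setter in the submission, add a DEBUG() message on the discarded path so an administrator can see the hash was dropped on purpose, and document that enabling the option does not purge hashes that are already stored.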
Re: [Samba] getting rid of lmhashes?
On Thu, Mar 02, 2006 at 02:35:50PM -0600, Gerald (Jerry) Carter wrote:
> Mark Proehl wrote:
>
> > I am aware, that both hashes are equivalent to clear text passwords
> > and must be protected therefore. But cracking passwords with tools
> > like john is much faster, if the lm hashes are available, so I think
> > there should be an option to disable them.
>
> If you use passwords >14 characters in length, I'm sure the
> lanman hashes are not generated. I would need to dig through
> the code to remember how to prevent them from being generated
> in other scenarios. Maybe later.

[EMAIL PROTECTED]:~> smbpasswd
Old SMB password: [qwert123]
New SMB password: [qwertzuiop12345]
Retype new SMB password: [qwertzuiop12345]
Password changed for user mark
[EMAIL PROTECTED]:~> ldaps:~> ldapsearch -LLL uid=mark sambaLMPassword sambaNTPassword
SASL/GSSAPI authentication started
SASL username: [EMAIL PROTECTED]
SASL SSF: 56
SASL installing layers
dn: uid=mark,ou=people,dc=example,dc=com
sambaNTPassword: 1A1B11A0FE8352FB618F1B59A7CA3D2B

[EMAIL PROTECTED]:~>

cool! but forcing users to passwords > 14 chars is not that easy...

are you sure that there is no other way to disable lanman hashes?

Mark
Re: [Samba] getting rid of lmhashes?
Hi Jerry,

thanks for your reply.

On Thu, Mar 02, 2006 at 11:17:58AM -0600, Gerald (Jerry) Carter wrote:
> Mark Proehl wrote:
> > Hi,
> >
> > is there a way of disabling the creation of the (insecure) lm-hash in
> > the passdb backend of a samba3-pdc?
>
> IIRC setting 'lanman auth = no' might do this. Or
> alternatively just enforce password length > 14 characters.

I've already tried 'lanman auth = no'. But the lm hashes still exist in my backend, and are modified by user password changes. Here is an example:

myhost:~ # testparm -sv | grep lanman
Load smb config files from /usr/local/samba/lib/smb.conf
Processing section "[homes]"
Loaded services file OK.
WARNING: passdb expand explicit = yes is deprecated
Server role: ROLE_DOMAIN_PDC
        lanman auth = No
        client lanman auth = No
myhost:~ # smbpasswd -U mark
New SMB password: [qwert]
Retype new SMB password: [qwert]
myhost:~ #

[EMAIL PROTECTED]:~> ldapsearch -LLL uid=mark sambaLMPassword sambaNTPassword
SASL/GSSAPI authentication started
SASL username: [EMAIL PROTECTED]
SASL SSF: 56
SASL installing layers
dn: uid=mark,ou=people,dc=example,dc=com
sambaLMPassword: 5422A4CDB0F1C794AAD3B435B51404EE
sambaNTPassword: BB8DEE57B13255F1AA58846079D98447

[EMAIL PROTECTED]:~>
[EMAIL PROTECTED]:~> smbpasswd
Old SMB password: [qwert]
New SMB password: [qwert123]
Retype new SMB password: [qwert123]
Password changed for user mark
[EMAIL PROTECTED]:~>
[EMAIL PROTECTED]:~> ldapsearch -LLL uid=mark sambaLMPassword sambaNTPassword
SASL/GSSAPI authentication started
SASL username: [EMAIL PROTECTED]
SASL SSF: 56
SASL installing layers
dn: uid=mark,ou=people,dc=example,dc=com
sambaLMPassword: 3E21EA326BDFFA1C1AA818381E4E281B
sambaNTPassword: 02DD45A60E87ED15BA143B2A95A3D5DF

[EMAIL PROTECTED]:~>

As you see, both ntlm and lm hash are modified after the user password change.

I am aware that both hashes are equivalent to clear text passwords and must be protected therefore. But cracking passwords with tools like john is much faster if the lm hashes are available, so I think there should be an option to disable them.

Mark
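An audit for the situation shown above, as an added example (not code from the thread or from Samba): given an LDIF export of the ldapsam backend it reports, per entry, whether a sambaLMPassword is stored, whether the value is the well-known hash of the empty password (both DES halves encrypt only padding, which is also what Windows stores for passwords longer than 14 characters, while Samba, as the thread shows, omits the attribute instead), or whether only the second half is that padding value, which reveals a password of 7 characters or fewer. The hash values in the constructed LDIF are the ones quoted in this thread; every dn other than uid=mark is invented.

```shell
#!/bin/sh
# Added example (not from the thread): audit an LDIF dump of a Samba
# ldapsam backend for stored LM hashes. The LDIF below is constructed.

# LM hash of an empty password: DES of the constant "KGS!@#$%" under an
# all-zero key, once per 7-byte half. A password of 7 characters or fewer
# leaves only the second half equal to it.
BLANK_LM=AAD3B435B51404EEAAD3B435B51404EE

# lm_hash_report   (LDIF on stdin)
# Prints "<dn> <state>" per entry, state being one of
#   present  an LM hash of a password of 8..14 characters is stored
#   short    an LM hash is stored and the password is at most 7 characters
#   blank    the attribute holds the empty-password value
#   none     no sambaLMPassword attribute at all
lm_hash_report() {
    awk -v blank="$BLANK_LM" '
        function flush() {
            if (dn != "") {
                h = toupper(lm)
                if (h == "")                                 state = "none"
                else if (h == blank)                         state = "blank"
                else if (substr(h, 17) == substr(blank, 17)) state = "short"
                else                                         state = "present"
                print dn " " state
            }
            dn = ""; lm = ""
        }
        /^dn: /              { flush(); dn = substr($0, 5) }
        /^sambaLMPassword: / { lm = $2 }
        /^$/                 { flush() }
        END                  { flush() }'
}

# lm_hash_count STATE   (LDIF on stdin) -> number of entries in that state
lm_hash_count() {
    lm_hash_report | awk -v want="$1" '$NF == want { n++ } END { print n + 0 }'
}

# Constructed export; hashes are the values quoted in the thread.
SAMPLE_LDIF='dn: uid=mark,ou=people,dc=example,dc=com
sambaLMPassword: 3E21EA326BDFFA1C1AA818381E4E281B
sambaNTPassword: 02DD45A60E87ED15BA143B2A95A3D5DF

dn: uid=alice,ou=people,dc=example,dc=com
sambaLMPassword: 5422A4CDB0F1C794AAD3B435B51404EE
sambaNTPassword: BB8DEE57B13255F1AA58846079D98447

dn: uid=bob,ou=people,dc=example,dc=com
sambaLMPassword: aad3b435b51404eeaad3b435b51404ee
sambaNTPassword: 1A1B11A0FE8352FB618F1B59A7CA3D2B

dn: uid=carol,ou=people,dc=example,dc=com
sambaNTPassword: 1A1B11A0FE8352FB618F1B59A7CA3D2B'

printf '%s\n' "$SAMPLE_LDIF" | lm_hash_report
```

Against a live directory, `ldapsearch -LLL -b <suffix> '(objectClass=sambaSamAccount)' sambaLMPassword | lm_hash_report` lists every Samba account including those already in the "none" state; the "short" entries are the ones to force through a password change first, since a 7-character LM hash falls to a brute-force run in minutes.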
[Samba] getting rid of lmhashes?
Hi,

is there a way of disabling the creation of the (insecure) lm-hash in the passdb backend of a samba3-pdc?

Mark
[Samba] samba-3.0.14a binaries for HP-UX-11.0
Hi,

I'm looking for a binary package of samba with a libnss_winbind.1 for HP-UX-11.0

The depot files in http://de.samba.org/samba/ftp/Binary_Packages/hp/samba-3.0.14a look good, but there are these three requirements:

  OpenLdap 2.1.3 (http://hpux.cs.utah.edu)
  OpenSSL 0.9.7d (http://hpux.cs.utah.edu)
  LibIconv 1.9.2 (http://hpux.cs.utah.edu)

I was unable to locate these packages on the HP site. Can anybody point me to a location where I can find these required files?

Thanks,

Mark
Re: [Samba] smbpasswd and LDAP backend
Hello,

you have to set

   unix password sync = No
   ldap passwd sync = Yes

and use an LDAP-server that supports the password modify extended
operation (like OpenLDAP). A password change via smbpasswd will update
all userPassword attributes of the LDAP entry.

Mark
[Samba] Cannot access share when symlinks and widelinks disabled
Hi,

I did some testing with 3.0.6rc2. My smb.conf looks like this:

[global]
        log level = 3
        wide links = No
        follow symlinks = No

[test]
        path = /tmp

When connecting \\myserver\test from an XP box I get "access denied".
Accessing the share with smbclient works, but I can't list any files:

root # smbclient '\\localhost\test'
Password:
Domain=[TEST] OS=[Unix] Server=[Samba 3.0.6rc2]
smb: \> dir
NT_STATUS_ACCESS_DENIED listing *

                36990 blocks of size 524288. 8924 blocks available

After setting follow symlinks = yes, it works.

Mark

PS: some lines from log.smbd:

[2004/08/09 17:57:33, 3] smbd/vfs.c:reduce_name(834)
  reduce_name [*] [/tmp]
[2004/08/09 17:57:33, 3] smbd/vfs.c:reduce_name(939)
  reduce_name: * reduced to *
[2004/08/09 17:57:33, 3] smbd/vfs.c:reduce_name(834)
  reduce_name [./] [/tmp]
[2004/08/09 17:57:33, 3] smbd/vfs.c:reduce_name(932)
  reduce_name: denied: file path name ./ is a symlink
[2004/08/09 17:57:33, 3] smbd/error.c:error_packet(105)
  error string = Permission denied
[2004/08/09 17:57:33, 3] smbd/error.c:error_packet(129)
  error packet at smbd/trans2.c(1427) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED
Re: [Samba] RE: Microsoft hotfix MS04-011, breaks Samba password change.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 04 May 2004 19:01, Javid Abdul-AJAVID1 wrote:
> Till now, I used ./smbpasswd -j -r as unix root ( after
> creating domain machine acct in windows domain)
>
> With Samba-3.0 , net join command I need to have windows domain password (
> I don't have access windows domain)
>

The samba 3 command "net rpc oldjoin" works in the same way as
smbpasswd -j -r in samba 2 did. You don't have to type the root
password.

Mark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFAmRWtYsNblx7LJSMRAvkjAJ97AfW+DWwacP8NCJb4Sqg67e/LYACfSGKu
jvydPxPXfH7085Ute4i59+Q=
=Rh+D
-----END PGP SIGNATURE-----
Re: [Samba] HOW-TO (mini): Samba in an ADS environment
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bob,

I read your mini howto. You suggest deleting /etc/krb5.keytab. But this
file is needed by other kerberized services on the unix server, e.g.
sshd. Is it possible to use the same keytab file for samba and the
other services? What happens to other kerberized services if samba
changes the server key?

Mark

On Friday 30 April 2004 18:44, Bob Rasey wrote:
> I've just completed this little document and posted on my blog.
>
> http://bob.rasey.net/archives/000137.html
>
> Really, I did it for myself, but I pitched my voice to the Samba
> community at large (current and potential) in hopes it might help some
> other poor schmuck trying to do the same thing.
>
> Many thanks to the Samba team for a great product and some extremely
> helpful documentation.
>
> If you have any questions, comments or suggestions regarding the
> document, please contact me via email as I don't subscribe to this list.
>
> Bob Rasey
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFAko+6YsNblx7LJSMRAm19AJwJMTM8VPTj8acvrUQuDCzBJY4uSQCdFRrE
4naNFviLgesyRbzFGGyJFuM=
=ql4l
-----END PGP SIGNATURE-----
[Samba] samba and symlinks
Hello,

I am using samba in a heterogeneous UNIX/NT environment. Samba exports
file systems that contain many symlinks. My users want to access the
symlinked files from windows explorer, i.e. the symlinks need to be
followed by samba. For security reasons, symlinks pointing to locations
outside the share must not be followed. According to the samba
documentation I have to set these parameters in smb.conf:

   follow symlinks = yes
   wide links = no

Accessing symlinks from windows explorer does not work on all kinds of
symlinks, because samba wrongly treats them as wide links. Furthermore,
it seems to be impossible to delete a directory with windows explorer,
if that directory is a symlink in the UNIX file system. Samba tries to
rmdir that symlink and fails.

I have created a test scenario, with a very simple smb.conf:

[global]
        passdb backend = smbpasswd
        log level = 3
        log file = /var/samba/log.%m
        follow symlinks = yes
        wide links = no

[test]
        path = /tmp/test
        readonly = no

The [test] share has the following contents:

bash-2.05b$ ls -lR /tmp/test
lrwxrwxrwx 1 mark mark 10 Mar 21 16:04 /tmp/test -> TEST/test/
bash-2.05b$ ls -lR /tmp/TEST
/tmp/TEST:
drwxr-xr-x 4 mark mark 100 Mar 21 11:13 test

/tmp/TEST/test:
drwxr-xr-x 2 mark mark 40 Mar 21 11:13 directory
-rw-r--r-- 1 mark mark 0 Mar 21 11:13 file
drwxr-xr-x 3 mark mark 60 Mar 21 11:13 subdir1

/tmp/TEST/test/directory:

/tmp/TEST/test/subdir1:
drwxr-xr-x 2 mark mark 240 Mar 21 11:19 subdir2

/tmp/TEST/test/subdir1/subdir2:
lrwxrwxrwx 1 mark mark 5 Mar 21 16:04 badlinktoetc_1 -> /etc/
lrwxrwxrwx 1 mark mark 40 Mar 21 16:04 badlinktoetc_2 -> ../../../../../../../../../../../../etc/
lrwxrwxrwx 1 mark mark 11 Mar 21 16:04 badlinktopasswd_1 -> /etc/passwd
lrwxrwxrwx 1 mark mark 46 Mar 21 16:04 badlinktopasswd_2 -> ../../../../../../../../../../../../etc/passwd
lrwxrwxrwx 1 mark mark 16 Mar 21 16:04 goodlinktodirectory_1 -> ../../directory/
lrwxrwxrwx 1 mark mark 20 Mar 21 16:04 goodlinktodirectory_2 -> /tmp/test/directory/
lrwxrwxrwx 1 mark mark 25 Mar 21 16:04 goodlinktodirectory_3 -> /tmp/TEST/test/directory/
lrwxrwxrwx 1 mark mark 10 Mar 21 16:04 goodlinktofile_1 -> ../../file
lrwxrwxrwx 1 mark mark 14 Mar 21 16:04 goodlinktofile_2 -> /tmp/test/file
lrwxrwxrwx 1 mark mark 19 Mar 21 16:04 goodlinktofile_3 -> /tmp/TEST/test/file

Note that the path /tmp/test itself is a symlink.

When I browse through that [test] share with windows explorer, I would
expect all bad* files to be denied, while all good* files should be
accessible. Here's what really happens, when clicking on each file:

badlinktoetc_1          denied
badlinktoetc_2          denied
badlinktopasswd_1       denied
badlinktopasswd_2       denied
goodlinktodirectory_1   denied
goodlinktodirectory_2   denied
goodlinktodirectory_3   allowed
goodlinktofile_1        denied
goodlinktofile_2        denied
goodlinktofile_3        allowed

This was tested with samba-3.0.3pre1, the older versions behave
similarly (2.2.7, 2.2.8a, 3.0.2a).

I've made a small patch, which I think solves a part of the problem. That
patch is included here: https://bugzilla.samba.org/show_bug.cgi?id=1188.
After applying that patch, symlinks to relative paths (like
"goodlinktodirectory_1" in my example) do work.

Mark Proehl
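The "follow symlinks = No" denial in the 3.0.6rc2 post above and the test tree in this one both come down to a single containment question: after every symlink on both the share path and the requested path is resolved, does the target still lie inside the share? The script below is an added example I wrote for this thread; it is not Samba's reduce_name() and not the poster's patch. It recreates the post's tree in a temporary directory (constructed; "data/test" stands in for /tmp/TEST/test, with different names so the example also works on case-insensitive filesystems, and the share path "test" is itself a symlink exactly as in the post), implements the check with os.path.realpath, and shows the false denials you get when the share root is compared as configured instead of canonicalized first, which is the kind of wrong "wide link" verdict the post reports for its good* links.

```python
"""Containment check for symlinks inside an exported share ("wide links = no").

Added example, not Samba code: recreates the test tree from the post in a
temporary directory (constructed; "data/test" stands in for /tmp/TEST/test)
and decides for each link whether its resolved target stays inside the share.
"""
import os
import tempfile


def is_within_share(share_root, candidate):
    """Strict check: canonicalize both the share root and the candidate path,
    then require the candidate to be the root itself or a descendant of it."""
    root = os.path.realpath(share_root)
    target = os.path.realpath(candidate)
    return target == root or target.startswith(root + os.sep)


def naive_is_within_share(share_root, candidate):
    """Same comparison, but against the share root as configured, without
    resolving it. Because the share path is itself a symlink, every link
    inside the share appears to escape it: a false denial."""
    root = os.path.abspath(share_root)
    target = os.path.realpath(candidate)
    return target == root or target.startswith(root + os.sep)


def build_scenario(base):
    """Create the tree from the post under `base`; return (share, linkdir)."""
    real = os.path.join(base, "data", "test")        # the real directory tree
    os.makedirs(os.path.join(real, "directory"))
    os.makedirs(os.path.join(real, "subdir1", "subdir2"))
    open(os.path.join(real, "file"), "w").close()
    share = os.path.join(base, "test")               # exported path, a symlink
    os.symlink(os.path.join("data", "test"), share)
    linkdir = os.path.join(real, "subdir1", "subdir2")
    up = "../" * 20   # enough "../" to reach the filesystem root from linkdir
    links = {
        "badlinktoetc_1": "/etc/",
        "badlinktoetc_2": up + "etc/",
        "badlinktopasswd_1": "/etc/passwd",
        "badlinktopasswd_2": up + "etc/passwd",
        "goodlinktodirectory_1": "../../directory/",
        "goodlinktodirectory_2": os.path.join(share, "directory") + "/",
        "goodlinktodirectory_3": os.path.join(real, "directory") + "/",
        "goodlinktofile_1": "../../file",
        "goodlinktofile_2": os.path.join(share, "file"),
        "goodlinktofile_3": os.path.join(real, "file"),
    }
    for name, target in links.items():
        os.symlink(target, os.path.join(linkdir, name))
    return share, linkdir


def evaluate(share, linkdir, check):
    """Apply `check` to every link in linkdir; True means access is allowed."""
    return {name: check(share, os.path.join(linkdir, name))
            for name in sorted(os.listdir(linkdir))}


def run_scenario():
    """Build the tree in a scratch directory; return (strict, naive) verdicts."""
    with tempfile.TemporaryDirectory() as base:
        share, linkdir = build_scenario(base)
        strict = evaluate(share, linkdir, is_within_share)
        naive = evaluate(share, linkdir, naive_is_within_share)
    return strict, naive


if __name__ == "__main__":
    strict, naive = run_scenario()
    for name in strict:
        verdict = lambda ok: "allowed" if ok else "denied"
        print(f"{name:24s} strict={verdict(strict[name]):8s}"
              f" naive={verdict(naive[name])}")
```

With the strict check every bad* link is denied and every good* link is allowed, regardless of whether the link target is relative, goes through the symlinked share path or names the real tree; the naive variant denies all ten because the canonical target never starts with the unresolved share path.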