Re: ***SPAM*** [Samba] LDAP logonHours problem
time ago I fiddled a lot with sambaLogonHours.

The 2 main problems I can think of were:

- the Sunday are the first 6 FF, but the first hour is the most RIGHT bit of this FF
- sambaLogonHours is in UTC so you have to calc with your timezone (and that is weird with daylight saving times, because I believe the bits must be shuffled when daylight saving time changes)

This was all try and error, did not find a documentation which was precise enough.
No warranties.

- Original Message -
From: "Peter Molnar" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, November 27, 2007 12:18 AM
Subject: ***SPAM*** [Samba] LDAP logonHours problem

> Hi!
>
> I have a problem according to the logonHours setting in my Samba Domain.
>
> Users are in LDAP, and everyone has a logonHours attribute, which could be:
>
> - login is possible at any time
> - login is only possible between 7AM and 12PM(midnight), 7h-24h in 24
> hours format, I'm going to use 24h format here in this post.
>
> Samba manual states that logonHours is a 168 bit mask, starting with
> Sunday 0h-1h, each bit represents an hour of the week, converted into
> Hex.
>
> Therefore:
>
> For 'any time' login, I'm using
> "FF" This works, users who
> have this in logonHours, can log in at any time.
>
> For logins limited to 7h-24h, I'm using:
> 01010101010101
>
> Here comes the problem, the limited users cannot log in before 10h,
> they get the error "out of login time". Samba log says the same, and
> the timestamp there is correct.
>
> Saturday in the morning, I've tried setting different logonHours
> attributes on my own account, to see which one should be 1 to let me
> log in at that time (between 7h and 8h)
>
> Surprisingly, I got this: "40"
>
> Well, it's 6 hours earlier than I expected, but OK, let's try this
> mask: "7FFFC07FFFC07FFFC07FFFC07FFFC07FFFC07FFFC0"
>
> It worked in the morning but in the afternoon, it didn't.
>
> What could be the problem? My calculations are bad, or timezone
> problem (Hungary, central european time, UTC+1)? Can anyone please
> send me a working logonHours string, or calculate the correct string
> for logins 7h-24h.
>
> Until we figure out what's wrong, can I override the LDAP logonHours
> attributes from smb.conf, to allow everyone to log in, at any time?
>
> Regards,
> Peter
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
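The mask layout discussed in this thread, as an added example (not code from either poster or from Samba). It assumes what the reply describes: the bits are in UTC and the first hour of each byte is the rightmost bit. The function names and the CET/CEST offsets are made up for illustration.

```python
HOURS_PER_WEEK = 7 * 24           # 168 one-hour slots, slot 0 = Sunday 00h-01h UTC
MASK_BYTES = HOURS_PER_WEEK // 8  # 21 bytes, written as 42 hex digits


def daily_window(start_hour, end_hour):
    """(weekday, hour) pairs for the same local window every day; end exclusive."""
    return [(day, hour) for day in range(7) for hour in range(start_hour, end_hour)]


def encode_logon_hours(local_slots, utc_offset_hours):
    """Hex mask for local-time (weekday, hour) pairs; weekday 0 = Sunday.

    utc_offset_hours is local time minus UTC (assumed: 1 for CET, 2 for CEST).
    """
    mask = bytearray(MASK_BYTES)
    for weekday, hour in local_slots:
        if not (0 <= weekday <= 6 and 0 <= hour <= 23):
            raise ValueError(f"bad slot: weekday={weekday} hour={hour}")
        # Convert to UTC and wrap around the week: Sunday 00h at UTC+1 is
        # Saturday 23h UTC, the very last bit of the mask.
        slot = (weekday * 24 + hour - utc_offset_hours) % HOURS_PER_WEEK
        # Within each byte the earliest hour is the least significant bit.
        mask[slot // 8] |= 1 << (slot % 8)
    return mask.hex().upper()


def decode_logon_hours(hex_mask, utc_offset_hours):
    """Sorted local-time (weekday, hour) pairs that a hex mask allows."""
    raw = bytes.fromhex(hex_mask)
    if len(raw) != MASK_BYTES:
        raise ValueError(f"expected {MASK_BYTES} bytes, got {len(raw)}")
    allowed = []
    for slot in range(HOURS_PER_WEEK):
        if raw[slot // 8] & (1 << (slot % 8)):
            local = (slot + utc_offset_hours) % HOURS_PER_WEEK
            allowed.append((local // 24, local % 24))
    return sorted(allowed)


def hours_on(hex_mask, utc_offset_hours, weekday):
    """Local hours allowed on one weekday, for reading a mask at a glance."""
    return [h for d, h in decode_logon_hours(hex_mask, utc_offset_hours) if d == weekday]


if __name__ == "__main__":
    CET, CEST, SATURDAY = 1, 2, 6
    print("07h-24h, CET :", encode_logon_hours(daily_window(7, 24), CET))
    print("07h-24h, CEST:", encode_logon_hours(daily_window(7, 24), CEST))
    # The mask quoted in the thread, read back as Saturday local hours at UTC+1.
    tried = "7FFFC0" * 7
    print("mask from the post, Saturday:", hours_on(tried, CET, SATURDAY))
```

Under these assumptions a single slot for Saturday 07h-08h at UTC+1 lands as 0x40 in byte 18, and the 7FFFC0 mask read back at UTC+1 has no local hours from 17h to 22h. The offset argument is the part that changes with daylight saving time, which is the reshuffling the reply mentions.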
[Samba] nmbd name expired for permanent entry
I have a permanent entry made in wins.dat for server SAMIDA-S01. However after a while a wins query (nmblookup -U localhost -R SAMIDA-S01) gets responded with name_query failed. Debug says the name is expired but the database dump has it as permanent.
SAMIDA-S01 is a PDC of another domain in another network.

A debug 10 output:

[2007/07/10 15:06:05, 10] lib/util_sock.c:read_udp_socket(294)
  read_udp_socket: lastip 127.0.0.1 lastport 32806 read: 50
[2007/07/10 15:06:05, 10] libsmb/nmblib.c:parse_nmb(506)
  parse_nmb: packet id = 23836
[2007/07/10 15:06:05, 5] libsmb/nmblib.c:read_packet(755)
  Received a packet of len 50 from (127.0.0.1) port 32806
[2007/07/10 15:06:05, 4] libsmb/nmblib.c:debug_nmb_packet(112)
  nmb packet from 127.0.0.1(32806) header: id=23836 opcode=Query(0) response=No
      header: flags: bcast=No rec_avail=No rec_des=Yes trunc=No auth=No
      header: rcode=0 qdcount=1 ancount=0 nscount=0 arcount=0
      question: q_name=SAMIDA-S01<00> q_type=32 q_class=1
[2007/07/10 15:06:05, 3] nmbd/nmbd_winsserver.c:wins_process_name_query_request(1892)
  wins_process_name_query: name query for name SAMIDA-S01<00> from IP 127.0.0.1
[2007/07/10 15:06:05, 3] nmbd/nmbd_winsserver.c:wins_process_name_query_request(1916)
  wins_process_name_query: name query for name SAMIDA-S01<00> - name expired. Returning fail.
[2007/07/10 15:06:05, 4] nmbd/nmbd_packets.c:reply_netbios_packet(940)
  reply_netbios_packet: sending a reply of packet type: wins_query SAMIDA-S01<00> to ip 127.0.0.1 for id 23836
[2007/07/10 15:06:05, 4] libsmb/nmblib.c:debug_nmb_packet(112)
  nmb packet from 127.0.0.1(32806) header: id=23836 opcode=Query(0) response=Yes
      header: flags: bcast=No rec_avail=Yes rec_des=Yes trunc=No auth=Yes
      header: rcode=3 qdcount=0 ancount=1 nscount=0 arcount=0
      answers: nmb_name=SAMIDA-S01<00> rr_type=10 rr_class=1 ttl=0
[2007/07/10 15:06:05, 5] libsmb/nmblib.c:send_udp(777)
  Sending a packet of len 56 to (127.0.0.1) on port 32806
[2007/07/10 15:06:05, 4] nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(171)
  find_workgroup_on_subnet: workgroup search for HS on subnet 172.17.20.1: found.
[2007/07/10 15:06:05, 10] nmbd/nmbd_sendannounce.c:announce_myself_to_domain_master_browser(382)
  announce_myself_to_domain_master_browser: t (1184072764) - last(1184071881) < 900
[2007/07/10 15:06:05, 4] nmbd/nmbd_workgroupdb.c:dump_workgroups(282)
  dump_workgroups()
   dump workgroup on subnet 172.17.20.1: netmask= 255.255.224.0:
      ENX(2) current master browser = COMPILE-SERVER-
      HEUFT(3) current master browser = OFFICE_GATEWAY
      HSAW(4) current master browser = HSAW-S01
      HS(1) current master browser = HS-DC2
          HS-DC2 40849b1b (HS-DC2)
          TDN-N07 40011003 (TDN-N07)
          TFE_WX1 40011403 ()
[2007/07/10 15:06:05, 4] nmbd/nmbd_workgroupdb.c:dump_workgroups(282)
  dump_workgroups()
   dump workgroup on subnet UNICAST_SUBNET: netmask=172.17.20.1:
      SAMIDA(6) current master browser = SAMIDA-S01
      HSBB(5) current master browser = HSBB-S01
      HSAW(4) current master browser = HSAW-S01
      HEUFT(3) current master browser = OFFICE_GATEWAY
      ENX(2) current master browser = COMPILE-SERVER-
      HS(1) current master browser = UNKNOWN
          HS-DC2 40819b1b (HS-DC2)
          HS-DC1 8d9b0b (HS-DC1)
          TDN-N0711003 (Eser, Peter (Verleih))
          TFE_WX111403 ()
[2007/07/10 15:06:05, 4] nmbd/nmbd_winsserver.c:wins_write_database(2353)
  wins_write_database: Dump of WINS name list.
  HS-DC1<00> TTL = PERMANENT 172.19.72.10 66
  HSBB-S01<00> TTL = PERMANENT 172.19.0.4 66
  SAMIDA-S01<00> TTL = PERMANENT 172.18.0.1 66
  HS-DC2<00> TTL = PERMANENT 172.17.20.1 66
  TFE_WX1<00> TTL = Fri Jul 13 22:42:49 2007 172.17.6.96 64
  HS<00> TTL = PERMANENT 255.255.255.255 e4
  TDN-N07<20> TTL = Sat Jul 14 02:22:05 2007 172.17.17.65 64
  *<20> TTL = PERMANENT 172.17.20.1 64
  HSAW-TX<00> TTL = Tue Jul 10 16:19:05 2007 172.17.0.4 4
  SAMIDA-S02$<03> TTL = Wed Jul 11 02:39:37 2007 172.18.0.2 64
  HSAW-S01<00> TTL = PERMANENT 172.17.16.5 66
  HS<1c> TTL = PERMANENT 172.17.20.1 172.19.72.10 e4
  SAMIDA-S02<20> TTL = PERMANENT 172.18.0.2 66
  HSBB<1b> TTL = PERMANENT 172.19.0.4 64
  HSBB-S02<00> TTL = PERMANENT 172.19.0.3 66
  TFE-COMPILE<03> TTL = Fri Jul 13 14:59:37 2007 172.17.20.2 64
  HSAW<1b> TTL = PERMANENT 172.17.16.5 64
  HSAW-S02<00> TTL = PERMANENT 172.17.16.1 66
  HSBB<00> TTL = PERMANENT 255.255.255.255 e4
  SAMIDA_S02<00>
Re: [Samba] machine account want use algorithm than sambanextrid
Ah, ok.
Now the whole story is that we store all our user information in a database and mirror the information on the fly to the ldap tree, also things in sambaSamAccount. So if a user gets created, also sambaSamAccount becomes created and filled directly, idmap becomes also filled...

I now tested to change the machine account sid afterwards. Thought that after modifying the sid the client computer cannot log in anymore, but it works.
So if nobody vetoes I will go this way :)

Many Thanks

- Original Message -
From: "simo" <[EMAIL PROTECTED]>
To: "Peter Eser" <[EMAIL PROTECTED]>
Cc:
Sent: Wednesday, June 27, 2007 3:15 PM
Subject: Re: [Samba] machine account want use algorithm than sambanextrid

> On Wed, 2007-06-27 at 15:11 +0200, Peter Eser wrote:
> > Many thanks for the reply.
> > My thought (from the docs) was that samba use the algorithm for sid
> > building.
> > That was a wrong guess?
>
> It used to, but we changed that some time ago.
> Simo.
>
> --
> Simo Sorce
> Samba Team GPL Compliance Officer
> email: [EMAIL PROTECTED]
> http://samba.org
Re: [Samba] machine account want use algorithm than sambanextrid
Many thanks for the reply.
My thought (from the docs) was that samba use the algorithm for sid building.
That was a wrong guess?

- Original Message -
From: "simo" <[EMAIL PROTECTED]>
To: "Peter Eser" <[EMAIL PROTECTED]>
Cc:
Sent: Wednesday, June 27, 2007 3:04 PM
Subject: Re: [Samba] machine account want use algorithm than sambanextrid

> On Wed, 2007-06-27 at 15:00 +0200, Peter Eser wrote:
> > Was questioned before with no answer, but have the same problem:
> >
> > With Samba 3.0.25 with ldap backend, what can I do for using algorithm
> > "rid = 2*uid + 1000", when samba create samba attributes (sambasid) of
> > computer account, instead of SambaNextRid from SambaDomainName entry ?
> >
> > Background:
> > I create a machine account with smbldap-tools. After that a uidNumber was
> > given to the machine.
> > If the machine logs on the first time a samba gives a SID to the machine
> > using SambaNextRid.
> > If I leave the SambaNextRid base to 1000 after a while adding machines the
> > machine SIDs are in the range of the user/group SIDs, so it would be
> > better to use the algorithm than SambaNextRid.
>
> You shouldn't let smbldap tools create the SID.
> Samba can very well do it on its own, and that's the preferred and best
> way. All is need is the posixAccount to attach the sambaSamAccount
> to ...
>
> Simo.
>
> --
> Simo Sorce
> Samba Team GPL Compliance Officer
> email: [EMAIL PROTECTED]
> http://samba.org
[Samba] PDC-BDC fallback no netlogon
I have a Samba 3.025a PDC and BDC with LDAP running.
If I simulate a BDC crash the Client connects to the PDC, but the netlogon share is not accessed. This happens only at the first login at the PDC. The second login is ok. It seems that the client does not even try to access the netlogon share.

Log (level 2) for the first login on the PDC:

[2007/06/26 11:11:49, 2] lib/smbldap.c:smbldap_open_connection(785)
  smbldap_open_connection: connection opened
[2007/06/26 11:11:51, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
  init_sam_from_ldap: Entry found for user: pes
[2007/06/26 11:11:51, 2] passdb/pdb_ldap.c:init_group_from_ldap(2158)
  init_group_from_ldap: Entry found for group: 1060
[2007/06/26 11:11:51, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [pes] -> [pes] -> [pes] succeeded
[2007/06/26 11:11:51, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2916)
  Returning domain sid for domain HS -> S-1-5-21-247265-2382055081-4215993616
[2007/06/26 11:11:51, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
  init_sam_from_ldap: Entry found for user: pes
[2007/06/26 11:11:51, 2] passdb/pdb_ldap.c:init_group_from_ldap(2158)
  init_group_from_ldap: Entry found for group: 1060
[2007/06/26 11:11:51, 2] passdb/pdb_ldap.c:init_group_from_ldap(2158)
  init_group_from_ldap: Entry found for group: 1060

Log for the second login:

[2007/06/26 11:14:22, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
  init_sam_from_ldap: Entry found for user: pes
[2007/06/26 11:14:22, 2] passdb/pdb_ldap.c:init_group_from_ldap(2158)
  init_group_from_ldap: Entry found for group: 1060
[2007/06/26 11:14:22, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [pes] -> [pes] -> [pes] succeeded
[2007/06/26 11:14:22, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2916)
  Returning domain sid for domain HS -> S-1-5-21-247265-2382055081-4215993616
[2007/06/26 11:14:22, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
  init_sam_from_ldap: Entry found for user: pes
[2007/06/26 11:14:22, 2] passdb/pdb_ldap.c:init_group_from_ldap(2158)
  init_group_from_ldap: Entry found for group: 1060
[2007/06/26 11:14:22, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [pes] -> [pes] -> [pes] succeeded
[2007/06/26 11:14:22, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
  init_sam_from_ldap: Entry found for user: pes
[2007/06/26 11:14:22, 2] passdb/pdb_ldap.c:init_group_from_ldap(2158)
  init_group_from_ldap: Entry found for group: 1060
[2007/06/26 11:14:22, 1] smbd/service.c:make_connection_snum(1033)
  tdn-n07 (172.17.17.65) connect to service netlogon initially as user pes (uid=1290, gid=1060) (pid 11984)
[2007/06/26 11:14:22, 2] passdb/pdb_ldap.c:init_group_from_ldap(2158)
  init_group_from_ldap: Entry found for group: 1060
[2007/06/26 11:14:24, 2] smbd/open.c:open_file(391)
  pes opened file pes.vbs read=Yes write=No (numopen=1)
[2007/06/26 11:14:24, 2] smbd/open.c:open_file(391)
  pes opened file pes.vbs read=Yes write=No (numopen=2)
[2007/06/26 11:14:24, 2] smbd/close.c:close_normal_file(399)
  pes closed file pes.vbs (numopen=1) NT_STATUS_OK
[2007/06/26 11:14:24, 2] smbd/close.c:close_normal_file(399)
  pes closed file pes.vbs (numopen=0) NT_STATUS_OK
[2007/06/26 11:14:34, 1] smbd/service.c:close_cnum(1230)
  tdn-n07 (172.17.17.65) closed connection to service netlogon

The Domain controllers are on different networks, both run as wins server. The client has 2 wins server entries. Client is Windows XP.
Also the environment variable LOGONSERVER is on the old (BDC) value. Seems that XP does some caching?

Any hints welcome...
[Samba] machine account want use algorithm than sambanextrid
Was questioned before with no answer, but have the same problem:

With Samba 3.0.25 with ldap backend, what can I do for using algorithm "rid = 2*uid + 1000", when samba create samba attributes (sambasid) of computer account, instead of SambaNextRid from SambaDomainName entry ?

Background:
I create a machine account with smbldap-tools. After that a uidNumber was given to the machine.
If the machine logs on the first time a samba gives a SID to the machine using SambaNextRid.
If I leave the SambaNextRid base to 1000 after a while adding machines the machine SIDs are in the range of the user/group SIDs, so it would be better to use the algorithm than SambaNextRid.

Thanks
Re: [Samba] nsswitch wins reverse lookup
For all interested: We solved the issue for us with patching nsswitch/wins.c Seems there is no gethostbyaddr support in the original (why not?). Found an old solaris patch (lost the name originator) and modified it to run with 3.0.24 for our purposes. Here's the patch, mainly the new function _nss_wins_gethostbyaddr_r against 3.0.24: *** nsswitch/wins.c.org 2007-05-08 08:51:30.0 +0200 +++ nsswitch/wins.c 2007-05-08 11:42:14.0 +0200 @@ -125,8 +125,6 @@ return ret; } -#ifdef HAVE_NS_API_H - static NODE_STATUS_STRUCT *lookup_byaddr_backend(char *addr, int *count) { int fd; @@ -150,6 +148,8 @@ return status; } +#ifdef HAVE_NS_API_H + /* IRIX version */ int init(void) 
@@ -375,4 +375,105 @@ return _nss_wins_gethostbyname_r( name, he, buffer, buflen, h_errnop); } + + /*** * + gethostbyaddr() + **/ + NSS_STATUS + _nss_wins_gethostbyaddr_r(const char *addr, int length, int type, + struct hostent *he, char *buffer, size_t buflen, + int *errnop, int *h_errnop) + { + enum { AddressStringSize = 16 }; + char **host_addresses, **host_aliases; + char address_string[AddressStringSize]; + NODE_STATUS_STRUCT *status; + int i, rc, count, true_count; + size_t namelen; + + memset(he, '\0', sizeof(*he)); + + /* I don't think you can do WINS over IPV6 - fv */ + if (length != INADDRSZ || type != AF_INET) { +return NSS_STATUS_NOTFOUND; + } + + rc = snprintf(address_string, AddressStringSize, "%d.%d.%d.%d", +(uchar) addr[0], (uchar) addr[1], (uchar) addr[2], +(uchar) addr[3]); + if (rc < 0 || rc > AddressStringSize) { +return NSS_STATUS_NOTFOUND; + } + + status = lookup_byaddr_backend(address_string, &count); + if (!status) { +return NSS_STATUS_NOTFOUND; + } + + true_count = 0; + for (i=0;ih_addr_list = host_addresses; + buffer += 2 * INADDRSZ; + buflen -= 2 * INADDRSZ; + host_addresses[0] = buffer; + host_addresses[1] = NULL; + memcpy(buffer, addr, INADDRSZ); + buffer += INADDRSZ; + buflen -= INADDRSZ; + he->h_addrtype = AF_INET; + he->h_length = INADDRSZ; + + if (true_count == 1) { +he->h_aliases = host_addresses + 1; + } else { +host_aliases = (char **)buffer; +he->h_aliases = host_aliases; +host_aliases[true_count-1] = NULL; +buffer += true_count * INADDRSZ; +buflen -= true_count * INADDRSZ; + } + + true_count = 0; + for (i=0;ih_name = buffer; +} else { + *host_aliases = buffer; + host_aliases++; +} +namelen = strlen(status[i].name); +if (buflen < namelen + 1) { + /* no ENOMEM error type?! */ + return NSS_STATUS_NOTFOUND; +} +memcpy(buffer, &status[i].name, namelen); +buffer += namelen; +*buffer = '\0'; +buffer++; +buflen -= namelen + 1; +true_count++; + } + + if (status) +free(status); + + return NSS_STATUS_SUCCESS; + } + #endif Take care!! 
The if:

(status[i].flags & 0x80 || !(status[i].type == 0x20 || status[i].type == 0x00 ) )

is modified for our purposes by try and error, I don't know what flags and type would be the correct ones (I think they come from windows (e.g. NetBios Client type=)?).

Perhaps it helps someone

> Nobody an idea, need more information from me?
>
> Getting reverse lookups to work is important for me.
> Has somebody reverse lookups over wins working?
>
> Many thanks
>
>
> >I don't get reverse lookups (gethostbyaddr) over winbind wins to work.
> >Normal lookups work and also wbinfo -I gives back a netbios name for an IP.
> >
> >my entry in nsswitch.conf is hosts: files dns wins
> >(dns reverse lookups are ok)
> >
> >The wins server is also samba and runs on another server.
> >
> >Many thanks for any help...
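Review bot: in the hunk that adds _nss_wins_gethostbyaddr_r, the pointer tables carved out of the caller's buffer are sized in INADDRSZ units ("buffer += true_count * INADDRSZ", and "2 * INADDRSZ" for the two h_addr_list slots) although each slot stores a char *; on a platform where pointers are wider than INADDRSZ the table runs into the bytes that follow it. Size the tables with sizeof(char *) and keep buffer aligned for pointer stores. buflen is a size_t and is decremented without a prior check, so a short caller buffer wraps it to a huge value and the later "buflen < namelen + 1" test no longer protects the memcpy; compare before every subtraction. That test's early return also skips free(status), and the visible lines never set *errnop or *h_errnop; for a too-small buffer the usual NSS convention is *errnop = ERANGE with NSS_STATUS_TRYAGAIN. Minor: "rc > AddressStringSize" should be ">=", since snprintf returns the length without the terminating NUL.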
Re: [Samba] nsswitch wins reverse lookup
Nobody an idea, need more information from me?

Getting reverse lookups to work is important for me.
Has somebody reverse lookups over wins working?

Many thanks

>I don't get reverse lookups (gethostbyaddr) over winbind wins to work.
>Normal lookups work and also wbinfo -I gives back a netbios name for an IP.
>
>my entry in nsswitch.conf is hosts: files dns wins
>(dns reverse lookups are ok)
>
>The wins server is also samba and runs on another server.
>
>Many thanks for any help...
[Samba] nsswitch wins reverse lookup
I don't get reverse lookups (gethostbyaddr) over winbind wins to work.
Normal lookups work and also wbinfo -I gives back a netbios name for an IP.

my entry in nsswitch.conf is hosts: files dns wins
(dns reverse lookups are ok)

The wins server is also samba and runs on another server.

Many thanks for any help...
[Samba] locale profile migration
We want to migrate (merge) 2 NT4 Domains into a new Samba Domain.
All users have local profiles (and shall retain them, no roaming profiles).
Has someone any hints for migration of the old profiles?
(I know it's more a MS question but all I can find is migration to AD)

Thanks for any help,
Peter Eser
Re: [Samba] howto force file deletion with restricted permissions
With delete readonly = yes I have a workaround, but then all users can delete a file with restricted permissions, not only the owner of the directory.
Nobody any idea?

thanks, Peter

>Hi,
>
>I'm running recent samba with acls and ldap
>(no force user or force group).
>Now I have a problem with file deletion.
>If a user A gives user B write permission on a directory
>and user B restricts the permission of his files in the directory of A
>(e.g. r, can be done via windows), then user A is not able to
>delete these files in his directory via Samba. Under linux the user
>can use rm -f to delete anyway.
>Somebody know a solution for this?
>
>many thanks, Peter
[Samba] howto force file deletion with restricted permissions
Hi,

I'm running recent samba with acls and ldap (no force user or force group).
Now I have a problem with file deletion.
If a user A gives user B write permission on a directory and user B restricts the permission of his files in the directory of A (e.g. r, can be done via windows), then user A is not able to delete these files in his directory via Samba. Under linux the user can use rm -f to delete anyway.
Somebody know a solution for this?

many thanks, Peter