RE: [Samba] Real-time file synchronisation

2004-09-30 Thread Thomas E. Keiser
The OpenAFS windows client has finally gotten stable in the past year.
My department here uses the AFS client on windows rather extensively.  I
experimented a while ago with software distribution of a large windows
application (Pro/Engineer) over AFS with pretty good results.  So, you get
the same local caching benefits that unix clients get for software
distribution.  Another major benefit is that cache invalidation only
happens when you release a new version to the read-only replicas.  Plus,
clients automatically load-balance across all fileservers containing the
read-only volume replicas they're looking for.

Regards,

Tom Keiser
[EMAIL PROTECTED]


On Fri, 1 Oct 2004, Chris Ricks wrote:

> Hmm. I can appreciate that AFS is an excellent technology, but I'm a bit
> confused as to you suggesting it, given that we're dealing with Windows
> boxes on the client side. Could you point me to some info that gives an
> example of the solution you're recommending?
>
> Best regards,
>
> Chris
>
> From: Umberto Zanatta [mailto:[EMAIL PROTECTED]
> Sent: Friday, 1 October 2004 5:01 AM
> To: Chris Ricks
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Samba] Real-time file synchronisation
>
>
>
> I've read all answers, but you should do it by distributed file systems.
>
> You should try AFS; it's easy to install and works well.
>
> uz.
>
> On Fri, 01-10-2004 at 00:50 +1000, Chris Ricks wrote:
>
>
> Hi all!
>
> I'm looking for a method of doing the following, given that I'm taking care
> of a network with a Samba 3.0.6 box (running Mandrake 10.0) acting as a PDC
> for about 15 W2K boxes:
>
> * There is a share full of program files and data files on the Samba box
> * These files are currently synchronized at logon - all movement is from the
>   server to the clients via a logon script using XCOPY /D
>
> I want to engineer a solution that would allow updates of the share to have
> changes propagated out to clients as the share is updated without the users
> being made aware. Essentially, the software vendor is demanding that
> everyone run their software from the network share so as to ensure consistency,
> but I hardly think a 300 MB application with 15 MB (!!) executables (about 8
> of them) is really suitable for being "deployed" in that fashion.
>
> All comments appreciated!
>
> Best regards,
>
> Chris
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
>




Re: [Samba] How to activate DCE/DFS for SAMBA?

2004-04-14 Thread Thomas E. Keiser
On Tue, 13 Apr 2004, Williams, Derrick wrote:

>
>
> We would like to know how we can patch Samba 3.0.0 to use OSF DFS on
> AIX. What is the best source to obtain patches or a distribution that
> will allow us to access OSF DFS shares?
>

Paul Henson maintains a series of patches for doing DCE/DFS integration
with samba.  However, the latest supported version of samba appears to be
2.2.8.  Keep in mind that if you want to do encrypted passwords, you will
also need his sec_auth daemon that runs on the DCE security servers, and
provides support for getting DCE credentials using NTLM auth among other
things.

http://www.csupomona.edu/~henson/www/projects/dce_patches/samba/
http://www.csupomona.edu/~henson/www/projects/sec_auth/

If you really want to do samba 3 with MS kerb auth against a DFS to SMB
gateway, that will definitely require some new code in sec_auth, and an
updated patch to samba.  Perhaps someone more familiar with DCE/DFS would
care to comment?

Regards,

Tom Keiser
[EMAIL PROTECTED]



[Samba] cross-realm spnego issue in 3.0.2rc1

2004-01-28 Thread Thomas E. Keiser
Hi,

I just installed 3.0.2rc1 for testing, and I came across a problem with
cross-realm authentication.  I joined samba to our active directory
domain, and I can see that it has host and cifs principals in windows
kerberos.  Our organization's primary kerberos realm (CEDE.PSU.EDU) is an
MIT kerb5 realm, and we have a one-way non-transitive trust such that
windows (server 2003) kerberos (WIN.CEDE.PSU.EDU) is slaved to our MIT
realm.  We have a cross-realm test account called 'krbtest' that has a
kerberos principal mapping defined in AD.  The test sun server's name is
'alcor'.  If I do the following, everything works as expected:


kinit [EMAIL PROTECTED]
smbclient //alcor/krbtest -k

Furthermore, if I do the following, everything is still ok:

kinit [EMAIL PROTECTED]
smbclient //alcor/krbtest -k

However, my own account is not a kerberos mapped principal in AD for
security reasons.  If I do the following, the results are troubling:

kinit [EMAIL PROTECTED]
smbclient //alcor/tkeiser -k

Obviously, this should fail since cross-realm trust into AD requires an
explicit principal mapping (we don't turn on the map all principals
option).  However, instead of dealing with this gracefully, smbd
segfaults!  Interestingly, if I do a klist afterwards, I've managed to
acquire a cross-realm tgt and a service ticket for [EMAIL PROTECTED]
even though my principal isn't mapped.  Here's a snippet of debug level 10
output from smbd:


[2004/01/28 02:23:56, 3] smbd/process.c:(685)
  switch message SMBsesssetupX (pid 27145)
[2004/01/28 02:23:56, 3] smbd/sec_ctx.c:(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/01/28 02:23:56, 5] auth/auth_util.c:(486)
  NT user token: (NULL)
[2004/01/28 02:23:56, 5] auth/auth_util.c:(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2004/01/28 02:23:56, 5] smbd/uid.c:(218)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2004/01/28 02:23:56, 3] smbd/sesssetup.c:(638)
  wct=12 flg2=0xc801
[2004/01/28 02:23:56, 3] smbd/sesssetup.c:(518)
  Doing spnego session setup
[2004/01/28 02:23:56, 3] smbd/sesssetup.c:(549)
  NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2004/01/28 02:23:56, 3] smbd/sesssetup.c:(427)
  Got OID 1 2 840 48018 1 2 2
[2004/01/28 02:23:56, 3] smbd/sesssetup.c:(427)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2004/01/28 02:23:56, 3] smbd/sesssetup.c:(430)
  Got secblob of size 492
[2004/01/28 02:23:56, 10] passdb/secrets.c:(698)
  secrets_named_mutex: got mutex for replay cache mutex
[2004/01/28 02:23:56, 10] libads/kerberos_verify.c:(323)
  ads_verify_ticket: enc type [18] failed to decrypt with error Bad
encryption type
[2004/01/28 02:23:56, 10] libads/kerberos_verify.c:(323)
  ads_verify_ticket: enc type [16] failed to decrypt with error Bad
encryption type
[2004/01/28 02:23:56, 10] libads/kerberos_verify.c:(316)
  ads_verify_ticket: enc type [23] decrypted message !
[2004/01/28 02:23:56, 10] passdb/secrets.c:(710)
  secrets_named_mutex: released mutex for replay cache mutex
[2004/01/28 02:23:56, 10] libsmb/clikrb5.c:(386)
  Got KRB5 session key of length 16
[2004/01/28 02:23:56, 0] lib/fault.c:(36)
  ===
[2004/01/28 02:23:56, 0] lib/fault.c:(37)
  INTERNAL ERROR: Signal 11 in pid 27145 (3.0.2rc1)
  Please read the appendix Bugs of the Samba HOWTO collection
[2004/01/28 02:23:56, 0] lib/fault.c:(39)
  ===
[2004/01/28 02:23:56, 0] lib/util.c:(1400)
  PANIC: internal error


In case it matters, the build environment is Solaris 9 9/03 and Sun ONE
Studio 8.  My optimization flags were "-x03 -xarch=v8plusa -xchip=ultra2".
I linked against openldap 2.1.22, mit-krb5 1.3.1, and cups 1.1.20 all from
blastwave.com's pkg-get archive.  The configure flags were:

--with-pam --with-acl-support --with-ads --with-ldap --with-krb5=/opt/csw

I attached to smbd with dbx in follow child on fork mode, and here's what
I got:

Attached to process 27186
[EMAIL PROTECTED] ([EMAIL PROTECTED]) stopped in _libc_poll at 0xfed1ca1c
0xfed1ca1c: _libc_poll+0x0004:  ta  %icc,%g0 + 8
(dbx) cont
detaching from process 27186
Attached to process 27621
[EMAIL PROTECTED] ([EMAIL PROTECTED]) stopped in __fork at 0xfeeb5ec8
0xfeeb5ec8: __fork+0x0008:  bgeu  __fork+0x30
(dbx) cont
[EMAIL PROTECTED] ([EMAIL PROTECTED]) signal SEGV (no mapping at the fault address) in
get_auth_data_from_tkt at 0xcc92c
0x000cc92c: get_auth_data_from_tkt+0x0018:  ld  [%i4], %i2
(dbx) gdb on
(dbx) bt
current thread: [EMAIL PROTECTED]
=>[1] get_auth_data_from_tkt(0xffbfe518, 0x468350, 0x10, 0xffbfd5c4, 0x0,
0x469848), at 0xcc92c
  [2] ads_verify_ticket(0x0, 0x3d2b10, 0xffbfe4ec, 0x390400, 0xffbfe50c,
0xffbfe4e0), at 0x21ccd4
  [3] reply_spnego_kerberos(0x0, 0x4276b0, 0x447b00, 0xffbfe530, 0x0,
0xffbfe5d4), at 0x9705c
  [4] reply_spnego_negotiate(0x0, 0x4276b0, 0x447b00, 0x278, 0x2,
0xffbfe5e8), at 0x97b94
  [5] reply_sesssetup_and_X_spnego(0x0, 0x4276b0,