Re: Samba 2.2.X, PAM and Kerberos5

2002-05-15 Thread Bogdan Iamandei

Steve Langasek wrote:
[...]
> 
> As far as it goes, your above configuration looks correct.  Have you
> checked wherever your syslog auth  facility logs to, to see if pam_krb5
> is logging any information that might be useful?

Hmm, although it seems it supports the "debug" switch, the module seems 
mute as a fish.


> 
> Are you using the Solaris pam_krb5 module, or a third-party module?

The "original" (apparently in more than one way) Solaris module. I'll be 
compiling and packaging the MIT kerberos today and then try the whole 
thing against that one. I'll let you know how this goes.

> I'm not sure why the 'appdata_ptr == NULL' check is there, but I seem to
> remember that it's true that Solaris does not honor the appdata_ptr
> field.  If Samba now depends on sane handling of appdata_ptr, then it's
> likely that this won't work on Solaris.

Grrr!! wonderful. Mkay then, I think that this little Solaris 
(mis)feature would be nice to be at least mentioned somewhere in the 
docs, in case some other masochist considers going down this path. :)


Thanks,
Bogdan.

-- 
I have seen things you people wouldn't believe.  Attack ships on fire
off the shoulder of Orion.  I watched C-beams glitter in the dark
near the Tannhauser Gate.  All those moments will be lost in time,
like tears in rain.  Time to die.





Re: sessionid.tdb Corruption

2002-05-15 Thread Jeremy Allison

On Wed, May 15, 2002 at 04:30:13PM +0930, [EMAIL PROTECTED] wrote:
> Hi,
> 
> I just experienced tdb corruption with sessionid.tdb running samba 2.2.2 on
> Solaris 8 with the result that no new connections were being allowed. I
> renamed the corrupt file, samba automatically created a fresh one and now it
> all seems to be functioning correctly. I apologise if this has already been
> fixed, but I couldn't find any reference to a fix anywhere and due to the
> nature it isn't really possible for me to test this with the latest version.

Hmmm. There have actually been several fixes to the tdb code and
the tdb database code between 2.2.2 and 2.2.4. I would seriously
recommend upgrading if at all possible.

Jeremy




Re: Fix warnings from Solaris Compiles of CVS 2_2

2002-05-15 Thread Gerald Carter

On Wed, 15 May 2002, Richard Bollinger wrote:

> Here's the changes required to eliminate all of the compiler's warnings
> issued while compiling CVS 2_2 with cc: WorkShop Compilers 5.0 98/12/15
> C 5.0 on sparc-sun-solaris2.8.  Most of them seem reasonable; though
> someone might want to take a closer look.  The changes don't apparently
> affect generated code.

Yeah.  I have been meaning to fix these. Thanks.  I'll take a look.
They're just casts basically IIRC.








cheers, jerry
 -
 Hewlett-Packard http://www.hp.com
 SAMBA Team   http://www.samba.org
 --http://www.plainjoe.org
 "Sam's Teach Yourself Samba in 24 Hours" 2ed.  ISBN 0-672-32269-2
 --"I never saved anything for the swim back." Ethan Hawk in Gattaca--





Fix warnings from Solaris Compiles of CVS 2_2

2002-05-15 Thread Richard Bollinger

Here's the changes required to eliminate all of the compiler's warnings issued while
compiling CVS 2_2 with cc: WorkShop Compilers 5.0 98/12/15 C 5.0 on sparc-sun-solaris2.8.
Most of them seem reasonable; though someone might want to take a closer look.  The changes
don't apparently affect generated code.

Rich Bollinger

--- ../source/rpc_client/cli_login.c Tue Mar 19 07:56:55 2002
+++ ./rpc_client/cli_login.c Wed May 15 15:00:07 2002
@@ -52,7 +52,7 @@
   / Long-term Session key **/

   /* calculate the session key */
-  cred_session_key(&clnt_chal, &srv_chal, (char *)mach_pwd, cli->sess_key);
+  cred_session_key(&clnt_chal, &srv_chal, (uchar *)mach_pwd, cli->sess_key);
   memset((char *)cli->sess_key+8, '\0', 8);

   /*** Authenticate 2 /
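
Review bot: the new (uchar *)mach_pwd cast in the cred_session_key() call only trades one cast for another. If mach_pwd were declared with the type cred_session_key() expects, no cast would be needed and the compiler would keep checking the argument. The (char *) cast on cli->sess_key in the memset on the following line is also unnecessary, since memset takes void *.
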
--- ../source/libsmb/cli_netlogon.c Thu Apr 18 07:46:04 2002
+++ ./libsmb/cli_netlogon.c Wed May 15 15:11:21 2002
@@ -443,7 +443,7 @@
   0, /* param_ctrl */
   0xdead, 0xbeef, /* LUID? */
   username, cli->clnt_name_slash,
-  cli->sess_key, lm_owf_user_pwd,
+  (char *)cli->sess_key, lm_owf_user_pwd,
   nt_owf_user_pwd);

 break;
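
Review bot: (char *)cli->sess_key hands binary key material to the callee through a signed char pointer just to match its prototype. Prefer changing the callee's parameter to an unsigned (and const) byte pointer over casting at the call site, because the cast will also silence any future mismatch if the type of sess_key changes.
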
@@ -455,8 +455,8 @@

 generate_random_buffer(chal, 8, False);

-SMBencrypt(password, chal, local_lm_response);
-SMBNTencrypt(password, chal, local_nt_response);
+SMBencrypt((const uchar *)password, chal, local_lm_response);
+SMBNTencrypt((const uchar *)password, chal, local_nt_response);

 init_id_info2(&ctr.auth.id2, lp_workgroup(),
   0, /* param_ctrl */
--- ../source/lib/kanji.c Tue Mar 19 07:48:55 2002
+++ ./lib/kanji.c Wed May 15 15:03:22 2002
@@ -1249,7 +1249,7 @@
 const unsigned char *sp;
 unsigned char *dp;

-sp = from;
+sp = (const uchar *)from;
 dp = (unsigned char*) cvtbuf;
 while (*sp && (((char *)dp)- cvtbuf < sizeof(cvtbuf)-7)) {
  if (is_kana(*sp)) {
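
Review bot: sp = (const uchar *)from; uses the uchar typedef while the declarations just above and the cast on the next line spell the type as unsigned char; pick one spelling within the function. The context line comparing ((char *)dp)- cvtbuf with sizeof(cvtbuf)-7 mixes a signed pointer difference with an unsigned size, so it is worth cleaning up in the same pass rather than waiting for the next compiler to warn about it.
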
@@ -1321,7 +1321,7 @@
 const unsigned char *sp;
 unsigned char *dp;

-sp = from;
+sp = (const uchar *)from;
 dp = (unsigned char*) cvtbuf;
 while (*sp && (((char *)dp) - cvtbuf < sizeof(cvtbuf)-4)) {
  if (*sp >= 0x80) {
--- ../source/lib/messages.c Wed Mar 27 07:17:40 2002
+++ ./lib/messages.c Wed May 15 14:42:07 2002
@@ -474,7 +474,7 @@
   lock the messaging tdb based on a string - this is used as a primitive form of mutex
   between smbd instances.
 */
-BOOL message_named_mutex(char *name, unsigned int timeout)
+BOOL message_named_mutex(const char *name, unsigned int timeout)
 {
  TDB_DATA key;
  int ret;
@@ -482,7 +482,7 @@
  if (!message_init())
  return False;

- key.dptr = name;
+ key.dptr = (char *)name;
  key.dsize = strlen(name)+1;

  if (timeout) {
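
Review bot: key.dptr = (char *)name; casts away the const that the previous hunk adds to the parameter. That is only safe while nothing writes through key.dptr, so add a short comment here saying the key is read-only, so the cast does not look like an oversight to the next reader.
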
--- ../source/smbd/oplock.c Fri Apr 19 07:16:33 2002
+++ ./smbd/oplock.c Wed May 15 15:07:36 2002
@@ -133,7 +133,7 @@
  * Read a loopback udp message.
  */
  msg_len = sys_recvfrom(oplock_sock, &buffer[OPBRK_CMD_HEADER_LEN],
- buffer_len - OPBRK_CMD_HEADER_LEN, 0, (struct sockaddr *)&from, &fromlen);
+ buffer_len - OPBRK_CMD_HEADER_LEN, 0, (struct sockaddr *)&from, (uint *)&fromlen);

  if(msg_len < 0) {
  DEBUG(0,("receive_local_message. Error in recvfrom. (%s).\n",strerror(errno)));
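
Review bot: (uint *)&fromlen in the sys_recvfrom() call casts a pointer to the length variable instead of fixing the variable's type. The callee writes through that pointer, so if fromlen is not exactly the width of uint the write lands on the wrong number of bytes, and the cast guarantees the compiler will never say so. Declare fromlen with the type sys_recvfrom() takes and drop the cast.
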
--- ../source/libsmb/smbencrypt.c Fri Mar 22 07:16:33 2002
+++ ./libsmb/smbencrypt.c Wed May 15 14:53:18 2002
@@ -59,7 +59,7 @@
  int16 wpwd[129];

  /* Password cannot be longer than 128 characters */
- len = strlen(passwd);
+ len = strlen((const char *)passwd);
  if(len > 128)
  len = 128;
  /* Password must be converted to NT unicode - null terminated. */
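
Review bot: strlen((const char *)passwd) casts the parameter straight back to a C string, while the cli_netlogon.c hunk above casts char * passwords to (const uchar *) to call into this file. If the argument is always a NUL-terminated string, declaring it const char * in the prototype removes the casts on both sides.
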
--- ../source/rpc_server/srv_netlog_nt.c Thu Mar 28 07:46:34 2002
+++ ./rpc_server/srv_netlog_nt.c Wed May 15 14:56:29 2002
@@ -223,7 +223,7 @@

  /* from client / server challenges and md4 password, generate sess key */
  cred_session_key(&p->dc.clnt_chal, &p->dc.srv_chal,
- (char *)p->dc.md4pw, p->dc.sess_key);
+ (uchar *)p->dc.md4pw, p->dc.sess_key);

  /* Save the machine account name. */
  fstrcpy(p->dc.mach_acct, mach_acct);
--- ../source/rpc_server/srv_spoolss_nt.c Fri May 10 07:16:53 2002
+++ ./rpc_server/srv_spoolss_nt.c Wed May 15 15:41:30 2002
@@ -7960,6 +7960,5 @@
  return WERR_UNKNOWN_LEVEL;
  }

- return WERR_ACCESS_DENIED;
 }

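Review bot: dropping the trailing return WERR_ACCESS_DENIED; is only correct if every path above it returns, and only the WERR_UNKNOWN_LEVEL branch is visible in this hunk. If any case can fall out of the block, the function now ends without a return value where it used to fail closed. Please confirm that against the full function, or keep a final return and restructure the block so the compiler no longer sees it as unreachable.
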
--- ../source/nsswitch/winbind_nss.c Mon May 13 07:16:12 2002
+++ ./nsswitch/winbind_nss.c Wed May 15 15:21:37 2002
@@ -867,7 +867,7 @@
  }

  ret = fill_pwent(result, &pw_cache[ndx_pw_cache],
- &buffer, &buflen);
+ &buffer, (int *)&buflen);

  /* Out of memory - try again */

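Review bot: (int *)&buflen in the fill_pwent() call has the same problem as the fromlen cast in oplock.c: it changes the pointer type, not the variable. If buflen is wider than int (for example a size_t on a 64-bit build), fill_pwent() reads and updates only part of it, and on a big-endian machine such as sparc that is the high-order part. Either declare a local of the type fill_pwent() expects and copy the value in and out, or change fill_pwent() to take the caller's type. The same cast is repeated in the next hunk.
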
@@ -917,7 +917,7 @@

  if (ret == NSS_STATUS_SUCCESS) {
  ret = fill_pwent(result, &response.data.pw,
- &buffer, &buflen);
+ &buffer, (int *)&buflen);

  if (ret == NSS_STATUS_TRYAGAIN) {
  keep_response = True;
@@ -930,7 +930,7 @@

  /* We've been called again */

- r

Re: SMB Keep-alive.

2002-05-15 Thread David Collier-Brown

"Christopher R. Hertel" wrote:
> Samba sends NBTSS Keep-Alive's every 6 minutes.  Last night, just to
> test things out, I mapped a share between two Windows boxes.  The server
> is a W/95 box, and the client is running W/98.  Unless my sister-in-law
> rebooted the W/98 box (possible) it seems that W/95 does *not* send the
> keep-alives.  I need to check the setup to be sure, but
> I caught no packets in the capture.

That's my understanding as well: NT 3.5 servers
apparently did, as they cleaned up from 
a roomful of lost clients during 
power-flicker day (:-))

--dave
-- 
David Collier-Brown,   | Always do right. This will gratify 
Performance & Engineering  | some people and astonish the rest.
Americas Customer Engineering, |  -- Mark Twain
(905) 415-2849 | [EMAIL PROTECTED]




Re: SMB Keep-alive.

2002-05-15 Thread Christopher R. Hertel

David Collier-Brown wrote:
:
> Samba optionally sends it to see if the client has crashed,
> and can clean up if so.

Just checking the docs, it appears we have this turned on by default and
set to 300 seconds.

Chris -)-

-- 
Christopher R. Hertel -)-   University of Minnesota
[EMAIL PROTECTED]  Networking and Telecommunications Services




Re: SMB Keep-alive.

2002-05-15 Thread Christopher R. Hertel

David Collier-Brown wrote:
:
> Samba optionally sends it to see if the client has crashed,
> and can clean up if so.

From what I see in the traces, it appears that Samba sends the
keep-alive, and the client simply discards it.  At the TCP level,
however, an ACK is generated.  I assume, then, that what Samba is
looking for is an error on the socket.

Chris -)-

-- 
Christopher R. Hertel -)-   University of Minnesota
[EMAIL PROTECTED]  Networking and Telecommunications Services




Re: SMB Keep-alive.

2002-05-15 Thread David Collier-Brown

"Christopher R. Hertel" wrote:
> 
> I have not seen SMB Keep-Alive used except in a few odd instances in
> which it is used to trick Windows into behaving properly.
> 
> Does anyone know if SMB Keep-Alive is actually used in practice?

Samba optionally sends it to see if the client has crashed,
and can clean up if so.

--dave
-- 
David Collier-Brown,   | Always do right. This will gratify 
Performance & Engineering  | some people and astonish the rest.
Americas Customer Engineering, |  -- Mark Twain
(905) 415-2849 | [EMAIL PROTECTED]




Re: SMB Keep-alive.

2002-05-15 Thread Christopher R. Hertel

Richard Sharpe wrote:
> 
> On Tue, 14 May 2002, Christopher R.Hertel wrote:
> 
> > On Wed, May 15, 2002 at 10:07:07AM +1000, Tim Potter wrote:
> > > On Tue, May 14, 2002 at 03:10:00PM -0500, Christopher R. Hertel
> > > wrote:
> > >
> > > > I have not seen SMB Keep-Alive used except in a few odd
> > > > instances in which it is used to trick Windows into behaving
> > > > properly.
> > > >
> > > > Does anyone know if SMB Keep-Alive is actually used in
> > > > practice?
> > >
> > > Doesn't smbclient have to respond to keepalives or else the
> > > connection dies?
> >
> > Ethereal (the version I'm using, at least--I have not had time to
> > update lately and it is a bit out of date) reports these packets
> > as "NBSS Continuation Messages" and does *not* break down the
> > fields properly.  I am running 0.8.17.
> 
> Ummm, that is seriously out of date. Please update. The later
> versions understand significant parts of MSRPC.

Well, there was a reason I warned folks that I was using an out-of-date
version of Ethereal.  I was prodded into updating and the newer version
most certainly does figure things out better.

What I am seeing now...

Samba sends NBTSS Keep-Alive's every 6 minutes.  Last night, just to
test things out, I mapped a share between two Windows boxes.  The server
is a W/95 box, and the client is running W/98.  Unless my sister-in-law
rebooted the W/98 box (possible) it seems that W/95 does *not* send the
keep-alives.  I need to check the setup to be sure, but
I caught no packets in the capture.

Chris -)-

-- 
Christopher R. Hertel -)-   University of Minnesota
[EMAIL PROTECTED]  Networking and Telecommunications Services




Re: SV_TYPE_PRINTQ_SERVER flag always true?

2002-05-15 Thread James Guzicki - IMG

I'm not quite sure it is a bug, at least on Samba's end, since it appears 
to be doing exactly what it is coded to do.  The bug may be that it is not 
configurable, but that's not my decision :)

As for why it is a problem *deep breath* - For WinNT/2K clients, when they 
want to browse for a printer on the network using the 'Add Printer' option, 
they ask the Master Browser for a list of all servers that have the 
SV_TYPE_PRINT flag true.  The NT/2K clients then talk to each server they 
have gotten back and ask for the listing of printers for it.  This has 
caused a large increase in time for browsing for printers (from about 5 
seconds to almost a minute with only about 15 Samba servers in the 
workgroup so far).  Only 2 or 3 of the 40 or so Samba servers that we will 
soon have are going to have printers on them.

Now, I wouldn't discount the fact that this could be a problem with NT/2K, 
since this behavior is not seen on 9x boxes.  However, any Windows box that 
does not share printers does not set this flag with the Browse Master.  It 
would seem to me that if the Samba server is not sharing out printers, it 
shouldn't set this flag either.

In any case, since we never plan to print through Samba except for the 2 or 
3 servers (we use Novell for all other printing) I have no problem 
commenting out this flag in the Samba code and compiling it.  But maybe 
this is something that might possibly want to make its way into smb.conf?  
I just wanted to know more or less if what I was doing seemed reasonable 
and whether or not it might break something else. I have checked as much as 
I can and it doesn't seem like it will, but I wanted to be safe.  Thanks.

James Guzicki - IMG

At 10:02 AM 5/15/02 +1000, Tim Potter wrote:


>Just out of curiosity, why is this a problem?
>
>It does sound like a bug though.
>
>
>Tim.





Re: Samba 2.2.X, PAM and Kerberos5

2002-05-15 Thread Mike Gerdts

On Wed, 2002-05-15 at 10:23, Steve Langasek wrote:
> I'm not sure why the 'appdata_ptr == NULL' check is there, but I seem to
> remember that it's true that Solaris does not honor the appdata_ptr
> field.  If Samba now depends on sane handling of appdata_ptr, then it's
> likely that this won't work on Solaris.

As I was looking at implementing Kerberos, I found the Solaris pam_krb5
to be so bug-ridden that I had pretty much rejected it.

Bug 4464325 - su dumps core when pam_krb5 is enabled.  

Reported 5/29/2001, fixed on Solaris 8 with 109805-05 (2/21/2002)

Bug  - pam_krb5.so.1 dumps core in pam_sm_setcred

Reported 9/26/2001, fixed in Solaris 9 build 54, no fix for Solaris
8 as of 5/15/2002

Service order 62638039 - in.rshd dumps core after configuring Kerberos

Case was closed stating it was a documentation error.  I was never
told that this case was going to be closed.  I only found out it was
closed after the fact.  No fix or workaround was even suggested. 
Really nice to see that network facing services that must run as
root can be caused to core dump due to a "documentation error".

Bug 4507496 - pam_krb5 is confused between pam_authenticate and
pam_setcred

Reported 10/12/2001, not fixed as of 5/15/2002

Note that none of these problems are fixed for Solaris 7 (SEAM 1.0).
Using pam_krb5 1.31 from Redhat 7.1 resolved every one of these issues.

And now to wander offtopic (and vent) a bit...

Sun's kerberos implementation has several other issues that made me
quite leery of using any parts of it.  I tried to work with Sun to
resolve these issues for Solaris 7 and 8, but they were unable to find
the time to work on Solaris 7 or 8 in favor of new development on 9.

If you are using a Sun kerberos implementation, be sure that you have an
empty /.k5login.  Else, [EMAIL PROTECTED] can
telnet/rsh/whatever to root on any other host without giving a password
and without the standard remote root login restrictions that one would
expect to be controlled by /etc/default/login.  See krb5_auth_rules(5)
from SEAM for details.  As a result of this unexpected behavior I
requested the following as part of a service call, but got no response.

 Could you please file two RFE's?

1) Update each "Sun Enterprise Authentication Mechanism x.y.z
Guide" with the warning mentioned above.  There should also be a
mention of this difference in the "SEAM Interoperability with MIT"
section of "SEAM x.y.z Installation and Release Notes".

2) Update telnetd(1M), rlogind(1M) and rshd(1M) to include the
warning and update the SEE ALSO section of each of the man pages to
refer to krb5_auth_rules(5).

Mike
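
The check Mike describes above (an empty /.k5login for root), written out as a shell audit. This is an added example, not part of the original message; the function names, status words and exit codes are this example's own, and the symlink and group/other-write checks are extra assumptions beyond what the message asks for.

```shell
#!/bin/sh
# Added example: audit a .k5login file against the advice in the message above.
# Assumption: root's home directory is "/" (hence /.k5login), as on the
# Solaris hosts discussed; pass another path to check a different account.

# k5login_status PATH
# Prints one status word and returns the matching exit code:
#   empty    (0) regular file, no principals listed, not group/other writable
#   missing  (1) no file, so the default principal-to-user mapping applies
#   entries  (2) file lists principals allowed to log in as this user
#   writable (3) file can be modified by group or other
#   notfile  (4) path is a symlink, directory or other non-regular file
k5login_status() {
    path=$1
    if [ ! -e "$path" ] && [ ! -L "$path" ]; then
        echo missing; return 1
    fi
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo notfile; return 4
    fi
    # POSIX find: -perm -020 / -002 match the group-write / other-write bits.
    if [ -n "$(find "$path" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo writable; return 3
    fi
    # Any non-blank line is treated as a principal entry.
    if grep -q '[^[:space:]]' "$path"; then
        echo entries; return 2
    fi
    echo empty; return 0
}

# k5login_audit [PATH]: human-readable report; exit code as above.
k5login_audit() {
    path=${1:-/.k5login}
    rc=0
    status=$(k5login_status "$path") || rc=$?
    case $status in
        empty)    echo "OK: $path is empty; it grants access to no principal" ;;
        missing)  echo "WARN: $path is missing; the default mapping decides who may log in" ;;
        entries)  echo "WARN: $path grants access to:"; grep '[^[:space:]]' "$path" ;;
        writable) echo "FAIL: $path is writable by group or other" ;;
        notfile)  echo "FAIL: $path is not a regular file" ;;
    esac
    return "$rc"
}
```

Calling k5login_audit with no argument checks /.k5login; a non-zero exit code makes it easy to flag hosts from a configuration-management run.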





Re: Samba 2.2.X, PAM and Kerberos5

2002-05-15 Thread Steve Langasek

Hello,

On Wed, May 15, 2002 at 04:20:36PM +1000, Bogdan Iamandei wrote:

>   I am trying to put together the latest samba 2.2 from CVS, PAM
> and Kerberos5 on a Solaris8 platform. Although it does compile fine,
> attempting to make it work through pam_krb5 fails miserably.

> I have configured the /etc/pam.conf to read:
> # Samba Auth
> samba   auth      required  /usr/lib/security/pam_krb5.so.1
> samba   account   required  /usr/lib/security/pam_krb5.so.1
> samba   session   required  /usr/lib/security/pam_krb5.so.1
> samba   password  required  /usr/lib/security/pam_krb5.so.1
> #

> The messages I receive in the logs are like this:

> [2002/05/15 15:30:27, 0] passdb/pampass.c:smb_pam_conv(125)
>  smb_pam_conv: PAM on this system is broken - appdata_ptr == NULL !
> [2002/05/15 15:30:27, 0] passdb/pampass.c:smb_pam_passcheck(827)
>  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User username !

> For some reason - it appears that only samba has this problem, proftpd
> or telnet or just about any other application work fine against
> pam_krb5.

> My questions are:

> 0). Are the lines in my pam.conf correct?
> 1). Is this a bug or a feature? :)
> 2). Is the Sun's PAM/Kerberos5 implementation b0rken?
> 3). If 2) is true - how comes the other applications are not failing?:)
> 4). Any ideas on how to circumvent this... unpleasant b0rkeness?

As far as it goes, your above configuration looks correct.  Have you
checked wherever your syslog auth  facility logs to, to see if pam_krb5
is logging any information that might be useful?

Are you using the Solaris pam_krb5 module, or a third-party module?

I'm not sure why the 'appdata_ptr == NULL' check is there, but I seem to
remember that it's true that Solaris does not honor the appdata_ptr
field.  If Samba now depends on sane handling of appdata_ptr, then it's
likely that this won't work on Solaris.

Steve Langasek
postmodern programmer





Re: compile issue on openbsd 2.9

2002-05-15 Thread Gerald Carter

On Tue, 14 May 2002, David Bear wrote:

> 
> solved by changing DYNEXP in make file to -Bdynamic
> or something like that.  see the ld man page for openbsd for details...
> at least its still compiling and linking;-)

Thanks.  I'll get this cleaned up later today hopefully.
That value was actually in a patch submitted by a FreeBSD
person. :-)  Strange that it doesn't work on OpenBSD







cheers, jerry
 -
 Hewlett-Packard http://www.hp.com
 SAMBA Team   http://www.samba.org
 --http://www.plainjoe.org
 "Sam's Teach Yourself Samba in 24 Hours" 2ed.  ISBN 0-672-32269-2
 --"I never saved anything for the swim back." Ethan Hawk in Gattaca--





Re: Question for someone

2002-05-15 Thread Andrew Bartlett

"Bonomo, Mike" wrote:
> 
> Hello all:
> Our Corporate office does not want us to run unsupported software.
> We do like and want to use Samba, so the question is: Is there a company
> that can provide support contracts for Samba running on Suns boxes?

Some of the companies in http://us2.samba.org/samba/support/ may still
be around, but other than SerNet (www.sernet.de) I've not dealt with any
of them, so can't really say much :-).

Andrew Bartlett
-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net




Re: VFS error - turns out to be vps_ops.rename failure .. help

2002-05-15 Thread Alexander Bokovoy

On Tue, May 14, 2002 at 09:32:44AM -0500, Gerald Carter wrote:
> AB,
> 
> This is already fixed in SAMBA_2_2, correct?  Can you verify?
> This code has already been changed.
I've talked about HEAD. I'll look into SAMBA_2_2 later this week but it
seems to be OK. 
-- 
/ Alexander Bokovoy
Software architect and analyst // SaM-Solutions Ltd.
---
Mix a little foolishness with your serious plans; it's lovely to be silly
at the right moment.
-- Horace