Re: CVS update: samba/source/rpc_server
On Wed, Jun 05, 2002 at 11:34:43PM -0500, Gerald Carter wrote: > > I'm writing some test routines for the print notification stuff and it's > > rather a lot of mucking around. Can I do this after 2.2.5 ships and > > before HEAD printing gets blown away? > > Please don't mess with 2.2 printing before 2.2.5 ships, unless you have a > lot of time to do regression testing. I'm not keen to change anything in 2.2 either. I'm planning to merge after 2.2. Tim.
Re: CVS update: samba/source/rpc_server
On Thu, 6 Jun 2002, Tim Potter wrote: > On Wed, Jun 05, 2002 at 06:26:33PM -0700, Jeremy Allison wrote: > > > > Modified Files: > > > srv_spoolss_nt.c > > > Log Message: > > > Moved some notify related constants into srv_spoolss_nt.c since > > > they're only used there. > > > > > > Added a PRINTER_NOTIFY_VERSION constant. > > > > Please add these to 2.2.x - HEAD printing may well > > get blown away in the mega-merge once 2.2.5 ships... > > I'm writing some test routines for the print notification stuff and it's > rather a lot of mucking around. Can I do this after 2.2.5 ships and > before HEAD printing gets blown away? Please don't mess with 2.2 printing before 2.2.5 ships, unless you have a lot of time to do regression testing. Jeremy, I don't want to add anything else into 2.2 period. We should sync up HEAD now. Even the new Win2k rpcs I'm working on will go into APP_HEAD and HEAD (not 2.2). jerry
Problem copying files from Win2k Novell client to Samba (repost)
The original message was posted by Dan Barrett: http://lists.samba.org/pipermail/samba-technical/2002-May/036397.html I'm getting reports of similar problems. Nobody responded before - can anyone help? Wade. -- /==\ | Wade Turland | Locked Bag 1797 | | Unix Administrator| Penrith South DC NSW 1797 | | University of Western Sydney | Phone: +61 2 4736 0806 | | Room V137 (Kingswood) | Fax: +61 2 4736 0010 | \==/ When I heated my home with oil, I used an average of 800 gallons a year. I have found that I can keep comfortably warm for an entire winter with slightly over half that quantity of beer. -- Dave Barry, "Postpetroleum Guzzler"
Re: known BUG "multi-byte character set in usernames"
On Wed, Jun 05, 2002 at 04:19:32PM -0700, Jeremy Allison wrote: > On Thu, Jun 06, 2002 at 12:12:45AM +0200, Juergen Hasch wrote: > > > > the patch works fine for except for one thing. In the acl security selection > > list (showing a list of all available users and groups) the german umlaut > > characters are wrong. This is because the unix charset is sent to the windows > > client, as no conversion back takes place. > > The acl dialogue itself is ok. > > > > I haven't found out yet, where the conversion back to dos code page should > > take place. Do you have an idea ? > > Can you CVS update SAMBA_2_2 - I've just applied a patch I think > should fix this. works fine over here. tested with winbind on suse linux 8.0, xfs-acls, against a german w2ksrv and a german w2k client. so great! thanks a lot for fixing "german umlaute" before 2.2.5. bye, guenther -- Guenther Deschner [EMAIL PROTECTED] SuSE Linux AGGnuPG: 8EE11688 Berliner Str. 27 phone: +49 (0) 30 / 430944778 D-13507 Berlin fax: +49 (0) 30 / 43732804 msg01252/pgp0.pgp Description: PGP signature
Fw: Printing via RPC Calls in 2.2.5-pre -- drum roll -- it works :)
[whoops -- reposted in plain text] I hope working printing RPCs won't be too shocking for people! (Although I have seen one wierd behaviour on XP ...) I've briefly tested the 2.2.5-pre code on a Mandrake 8.2 server (100 MHz, 64 Mb ram), sharing an Epson Photo 790 inkjet printer. This server was configured with 2.2.3a code, then ran 2.2.4, then 2.2.3a, and now 2.2.5-pre (cvs update from Sunday June 2. Since the upgrade to 2.2.5-pre I have tried: File sharing with encrypted passwords and user level security, which worked as expected. I've uploaded a 9X driver to the server from a Windows XP client. I've tested the printer with Windows XP client -- printer properties can now be viewed without crashing XP spools service. On XP pages print. *** odd thing *** Even though I've taken "Epson Status Monitor 3" out of my Start Up folder, I have had a couple of "communication error" dialogues from it after or before (depending on the document complexity) my print outs. The box says "Check all connections and make sure all devices are on. If the power was turned off during printing, cancel the print job. If the error does not clear, see your manual." It has a greyed out section for ink levels (which don't seem to be monitorable over the network). It has a button labeled "Stop" that changes to "OK" after the print has completed. (I have EPSON Printer Status Agent2 running as a service.) *** end odd thing *** Printer "default page size" changed from the XP client, and remembered after a reboot. Printer properties and printing from Windows 98 SE tested with no problems. Speed of communication with the printer is a *lot* better since I turned the logging level down from 10 to 1. All this has made me brave enough to put my shiny new rpms on to a test server sharing an HP laser to NT4 clients. I'll report back tomorrow. I hope this is useful information, Steven
Printing via RPC Calls in 2.2.5-pre -- drum roll -- it works :)
I hope working printing RPCs won't be too shocking for people! (Although I have seen one wierd behaviour on XP ...) I've briefly tested the 2.2.5-pre code on a Mandrake 8.2 server (100 MHz, 64 Mb ram), sharing an Epson Photo 790 inkjet printer. This server was configured with 2.2.3a code, then ran 2.2.4, then 2.2.3a, and now 2.2.5-pre (cvs update from Sunday June 2. Since the upgrade to 2.2.5-pre I have tried: File sharing with encrypted passwords and user level security, which worked as expected. I've uploaded a 9X driver to the server from a Windows XP client. I've tested the printer with Windows XP client -- printer properties can now be viewed without crashing XP spools service. On XP pages print. *** odd thing *** Even though I've taken "Epson Status Monitor 3" out of my Start Up folder, I have had a couple of "communication error" dialogues from it after or before (depending on the document complexity) my print outs. The box says "Check all connections and make sure all devices are on. If the power was turned off during printing, cancel the print job. If the error does not clear, see your manual." It has a greyed out section for ink levels (which don't seem to be monitorable over the network). It has a button labeled "Stop" that changes to "OK" after the print has completed. (I have EPSON Printer Status Agent2 running as a service.) *** end odd thing *** Printer "default page size" changed from the XP client, and remembered after a reboot. Printer properties and printing from Windows 98 SE tested with no problems. Speed of communication with the printer is a *lot* better since I turned the logging level down from 10 to 1. All this has made me brave enough to put my shiny new rpms on to a test server sharing an HP laser to NT4 clients. I'll report back tomorrow. I hope this is useful information, Steven
Re: known BUG "multi-byte character set in usernames"
On Thu, Jun 06, 2002 at 12:12:45AM +0200, Juergen Hasch wrote: > > the patch works fine for except for one thing. In the acl security selection > list (showing a list of all available users and groups) the german umlaut > characters are wrong. This is because the unix charset is sent to the windows > client, as no conversion back takes place. > The acl dialogue itself is ok. > > I haven't found out yet, where the conversion back to dos code page should > take place. Do you have an idea ? Can you CVS update SAMBA_2_2 - I've just applied a patch I think should fix this. Cheers, Jeremy.
Re: Access control to SAM / _samr_query_sec_obj
- Original Message - From: "Jeremy Allison" <[EMAIL PROTECTED]> Sent: Wednesday, June 05, 2002 8:07 PM Subject: Re: Access control to SAM / _samr_query_sec_obj > Nice patch. I do have one request though. I've (for years) > been removing magic numerical constants from Samba (like > the "0xf003f" in the patch above). We know what these numbers > are in SEC_ACL terms - can you please change the numbers to > a list of #defined constants : > > ie. The 0x20010 above should map to : > > READ_CONTROL_ACCESS plus a new constant that specifies READ > access to a SAMR, probably something like SAMR_READ_ACCESS > (as it's a specific right). > > Thanks, > > Jeremy. > Ok, I've removed all the numerical constants and have added them as #defines in rpc_samr.h. The names are partly based upon information I got from ACL tools. As the SDs contained numerical constants as well, that part is included as well, so it is a patch against a fresh samba HEAD cvs from 31.5.02 Kai --- ./samba-orig/source/include/rpc_samr.h Wed Jan 30 07:08:15 2002 +++ ./samba/source/include/rpc_samr.h Thu Jun 6 00:37:50 2002 @@ -145,6 +145,170 @@ #define SAMR_CONNECT 0x39 #define SAMR_SET_USERINFO 0x3A +//Access bits to the SAM-object +#define SAMR_ACCESS_UNKNOWN_10x0001 +#define SAMR_ACCESS_SHUTDOWN_SERVER 0x0002 +#define SAMR_ACCESS_UNKNOWN_40x0004 +#define SAMR_ACCESS_UNKNOWN_80x0008 +#define SAMR_ACCESS_ENUM_DOMAINS 0x0010 +#define SAMR_ACCESS_OPEN_DOMAIN 0x0020 + +#define SAMR_ALL_ACCESS ( STANDARD_RIGHTS_REQUIRED_ACCESS | \ + SAMR_ACCESS_OPEN_DOMAIN | \ + SAMR_ACCESS_ENUM_DOMAINS| \ + SAMR_ACCESS_UNKNOWN_8 | \ + SAMR_ACCESS_UNKNOWN_4 | \ + SAMR_ACCESS_SHUTDOWN_SERVER | \ + SAMR_ACCESS_UNKNOWN_1 ) + +#define SAMR_READ( STANDARD_RIGHTS_READ_ACCESS | \ + SAMR_ACCESS_ENUM_DOMAINS ) + +#define SAMR_WRITE ( STANDARD_RIGHTS_WRITE_ACCESS| \ + SAMR_ACCESS_UNKNOWN_8 | \ + SAMR_ACCESS_UNKNOWN_4 | \ + SAMR_ACCESS_SHUTDOWN_SERVER ) + +#define SAMR_EXECUTE ( STANDARD_RIGHTS_EXECUTE_ACCESS | \ + SAMR_ACCESS_OPEN_DOMAIN | \ + SAMR_ACCESS_UNKNOWN_1 ) + +//Access bits to Domain-objects +#define DOMAIN_ACCESS_LOOKUP_INFO_1 0x1 +#define DOMAIN_ACCESS_SET_INFO_1 0x2 +#define DOMAIN_ACCESS_LOOKUP_INFO_2 0x4 +#define DOMAIN_ACCESS_SET_INFO_2 0x8 +#define DOMAIN_ACCESS_CREATE_USER0x00010 +#define DOMAIN_ACCESS_CREATE_GROUP 0x00020 +#define DOMAIN_ACCESS_CREATE_ALIAS 0x00040 +#define DOMAIN_ACCESS_UNKNOWN_80 0x00080 +#define DOMAIN_ACCESS_ENUM_ACCOUNTS 0x00100 +#define DOMAIN_ACCESS_OPEN_ACCOUNT 0x00200 +#define DOMAIN_ACCESS_SET_INFO_3 0x00400 + +#define DOMAIN_ALL_ACCESS ( STANDARD_RIGHTS_REQUIRED_ACCESS | \ + DOMAIN_ACCESS_SET_INFO_3| \ +DOMAIN_ACCESS_OPEN_ACCOUNT | \ +DOMAIN_ACCESS_ENUM_ACCOUNTS | \ +DOMAIN_ACCESS_UNKNOWN_80| \ +DOMAIN_ACCESS_CREATE_ALIAS | \ +DOMAIN_ACCESS_CREATE_GROUP | \ +DOMAIN_ACCESS_CREATE_USER | \ +DOMAIN_ACCESS_SET_INFO_2| \ +DOMAIN_ACCESS_LOOKUP_INFO_2 | \ +DOMAIN_ACCESS_SET_INFO_1| \ +DOMAIN_ACCESS_LOOKUP_INFO_1 ) + +#define DOMAIN_READ( STANDARD_RIGHTS_READ_ACCESS | \ + DOMAIN_ACCESS_UNKNOWN_80| \ +DOMAIN_ACCESS_LOOKUP_INFO_2 ) + +#define DOMAIN_WRITE ( STANDARD_RIGHTS_WRITE_ACCESS| \ + DOMAIN_ACCESS_SET_INFO_3| \ +DOMAIN_ACCESS_CREATE_ALIAS | \ +DOMAIN_ACCESS_CREATE_GROUP | \ +DOMAIN_ACCESS_CREATE_USER | \ +DOMAIN_ACCESS_SET_INFO_2| \ +DOMAIN_ACCESS_SET_INFO_1 ) + +#define DOMAIN_EXECUTE ( STANDARD_RIGHTS_EXECUTE_ACCESS | \ + DOMAIN_ACCESS_OPEN_ACCOUNT | \ +DOMAIN_ACCESS_ENUM_ACCOUNTS | \ +DOMAIN_ACCESS_LOOKUP_INFO_1 ) + +//Access bits to User-objects +#define USER_ACCESS_GET_NAME_ETC 0x1 +#define USER_ACCESS_GET_LOCALE 0x2 +#define USER_ACCESS_SET_LOC_COM 0x4 +#define USER_ACCESS_GET_LOGONINFO0x8 +#define USER_ACCESS_UNKNOWN_10 0x00010 +#define USER_ACCESS_SET_ATTRIBUTES 0x00020 +#define USER_ACCESS_CHANGE_PASSWORD 0x00040 +#define USER_ACCESS_SET_PASSWORD 0x00080 +#define USER_ACCESS_GET_GROUPS 0x00100 +#define USER_ACCESS_UNKNOWN_200 0x00200 +#define USER_ACCESS_UNKNOWN_400
Re: known BUG "multi-byte character set in usernames"
Am Mittwoch, 5. Juni 2002 23:48 schrieb Jeremy Allison:
> On Sun, Jun 02, 2002 at 07:44:02PM +0200, Juergen Hasch wrote:
> > Hi Jerry,
> >
> > Am Sonntag, 2. Juni 2002 03:15 schrieb Gerald Carter:
> > > On Fri, 31 May 2002, Juergen Hasch wrote:
> > > > Now I never would have brought this up because I don't care to much
> > > > for 2.2 and I was just curious when I made the patches. But since
> > > > someone asked :-) The names/groups are transferred by rpc and
> > > > converted from unicode like this: unistr2_to_ascii(t,
> > > > &info1.str[j].uni_acct_name, sizeof(pstring)); Adding the line
> > > > dos_to_unix(t);
> > > > makes the umlaute appear.
> > > > Now the charset conversion may be totally wrong there, I believed it
> > > > to be *easiest* patch.
> > >
> > > please send me thispatch for 2.2 if you ave it. Thanks.
> >
> > I believe the most simple patch would be:
> >
> > --- lib/util_unistr.c.orig Tue Apr 2 18:27:59 2002
> > +++ lib/util_unistr.c Sun Jun 2 14:01:57 2002
> > @@ -311,7 +311,7 @@
> >
> > /***
> > Convert a (little-endian) UNISTR2 structure to an ASCII string
> > - Warning: this version does DOS codepage.
> > + Warning: this version does UNIX codepage.
> > /
> >
> > void unistr2_to_ascii(char *dest, const UNISTR2 *str, size_t maxlen)
> > @@ -335,7 +335,7 @@
> >
> > for (p = dest; (p-dest < maxlen-3) && (src - str->buffer <
> > str->uni_str_len) && *src; src++) {
> > uint16 ucs2_val = SVAL(src,0);
> > - uint16 cp_val = ucs2_to_doscp[ucs2_val];
> > + uint16 cp_val = ucs2_to_unixcp[ucs2_val];
> >
> > if (cp_val < 256)
> > *p++ = (char)cp_val;
> >
> > However, unistr2_to_ascii is used in the printing stuff, too and I don't
> > want to mess with this mess :-)
> > A less radical patch is attached therefore, adding a new function
> > unistr2_to_unix which returns the unix charset instead of the dos
> > codepage. Also unistr2_tdup is changed to call unistr2_to_unix. It is
> > only used in nsswitch/winbind_rpc.c.
>
> I've just committed a modified version of this patch to SAMBA_2_2,
> if you could test it out I'd appreciate it.
>
> Thanks a *lot* for this patch !
>
> Jeremy.
the patch works fine for except for one thing. In the acl security selection
list (showing a list of all available users and groups) the german umlaut
characters are wrong. This is because the unix charset is sent to the windows
client, as no conversion back takes place.
The acl dialogue itself is ok.
I haven't found out yet, where the conversion back to dos code page should
take place. Do you have an idea ?
...Juergen
Re: known BUG "multi-byte character set in usernames"
On Sun, Jun 02, 2002 at 07:44:02PM +0200, Juergen Hasch wrote:
> Hi Jerry,
> Am Sonntag, 2. Juni 2002 03:15 schrieb Gerald Carter:
> > On Fri, 31 May 2002, Juergen Hasch wrote:
> > > Now I never would have brought this up because I don't care to much for
> > > 2.2 and I was just curious when I made the patches. But since someone
> > > asked :-) The names/groups are transferred by rpc and converted from
> > > unicode like this: unistr2_to_ascii(t, &info1.str[j].uni_acct_name,
> > > sizeof(pstring)); Adding the line
> > > dos_to_unix(t);
> > > makes the umlaute appear.
> > > Now the charset conversion may be totally wrong there, I believed it to
> > > be *easiest* patch.
> >
> > please send me thispatch for 2.2 if you ave it. Thanks.
>
> I believe the most simple patch would be:
>
> --- lib/util_unistr.c.orig Tue Apr 2 18:27:59 2002
> +++ lib/util_unistr.c Sun Jun 2 14:01:57 2002
> @@ -311,7 +311,7 @@
>
> /***
> Convert a (little-endian) UNISTR2 structure to an ASCII string
> - Warning: this version does DOS codepage.
> + Warning: this version does UNIX codepage.
> /
>
> void unistr2_to_ascii(char *dest, const UNISTR2 *str, size_t maxlen)
> @@ -335,7 +335,7 @@
>
> for (p = dest; (p-dest < maxlen-3) && (src - str->buffer <
> str->uni_str_len) && *src; src++) {
> uint16 ucs2_val = SVAL(src,0);
> - uint16 cp_val = ucs2_to_doscp[ucs2_val];
> + uint16 cp_val = ucs2_to_unixcp[ucs2_val];
>
> if (cp_val < 256)
> *p++ = (char)cp_val;
>
> However, unistr2_to_ascii is used in the printing stuff, too and I don't want
> to mess with this mess :-)
> A less radical patch is attached therefore, adding a new function
> unistr2_to_unix which returns the unix charset instead of the dos codepage.
> Also unistr2_tdup is changed to call unistr2_to_unix. It is only used in
> nsswitch/winbind_rpc.c.
I've just committed a modified version of this patch to SAMBA_2_2,
if you could test it out I'd appreciate it.
Thanks a *lot* for this patch !
Jeremy.
Re: Ref: Bad File Descriptors
On Thu, May 30, 2002 at 08:40:16AM -0500, Eric Meyer wrote: > Samba Team, > In reference to the problem described by Wolfgang below - We are > experiencing the exact same thing. > We are using Mandrake 8.2 with 2.4.18 kernel and Samba 2.2.3a. Our Samba > shares are on a partition using Reiserfs. Clients are running WinXP and > Win2000. All clients are experiencing "Bad File Descriptor" errors. Below is > an example from the one of our clients log file. > [2002/05/29 17:00:42, 0] smbd/fileio.c:seek_file(53) seek_file: sys_lseek > failed. Error was Bad file descriptor Is this reproducible ? If so can you give me instructions on how to do this on a RedHat 7.2 or 7.3 system ? Thanks, Jeremy.
RE: [PATCH] Clean up samba-3.0 for POSIX-96
On Wed, 5 Jun 2002, Gerald Carter wrote: > On Wed, 5 Jun 2002, Green, Paul wrote: > > > I re-ran configure and make after this change, and both work ok. This patch > > is against the 2.2.4 sources prior to my previous change (I assume that's > > where you backed the file up to). > > > > If my changes were applied to the 3.0 tree, then this change needs to be > > made there too. > > I don't see the need for adding the same check in three places. > If we just make the original check for HAV_SYS_SOCKIO_H after the > "include config.h" line made if the else branchy of $ifdef > AUTOCONF_TEST, then it appears to serve the original intent > of your patch. Did I miss something here? Sorry. I must be smoking something today. I see it now... jerry
RE: [PATCH] Clean up samba-3.0 for POSIX-96
On Wed, 5 Jun 2002, Green, Paul wrote: > I re-ran configure and make after this change, and both work ok. This patch > is against the 2.2.4 sources prior to my previous change (I assume that's > where you backed the file up to). > > If my changes were applied to the 3.0 tree, then this change needs to be > made there too. I don't see the need for adding the same check in three places. If we just make the original check for HAV_SYS_SOCKIO_H after the "include config.h" line made if the else branchy of $ifdef AUTOCONF_TEST, then it appears to serve the original intent of your patch. Did I miss something here? jerry - Hewlett-Packard http://www.hp.com SAMBA Team http://www.samba.org --http://www.plainjoe.org "Sam's Teach Yourself Samba in 24 Hours" 2ed. ISBN 0-672-32269-2 --"I never saved anything for the swim back." Ethan Hawk in Gattaca--
Re: Access control to SAM / _samr_query_sec_obj
On Wed, Jun 05, 2002 at 07:51:53PM +0200, Kai Krueger wrote:
> This is the first version of the patch to implement access control to SAM.
>
> It implements checks of the desired access in all open functions (those that create
>handles)
> against the appropriate default SDs of the previous patch and associates the granted
>access bits
> with the handle. These granted access bits are then used in the other functions to
>check if the
> current handle (user) is allowed to run the function.
>
> However, I'm not sure if the nt_user_token works correctly, especially if root by
>default
> belongs to the administrators alias. So to stop the patch braking write access to
>the sam,
> I've commented out all return nt_status_access_denied. I haven't had the possibility
>to test
> the nt_user_token, as the attempts to join my win2k workstation to the samba PDC
> always fails :(
> In effect the patch therefore currently doesn't do much except logging but can be
>used for
> testing. If it works, the changes are then minimal.
>
> But the patch should at least be enough to see if it is conceptionally acceptable,
>so any
> comments or improvements are welcome.
>
> Kai
>
>
>
> --- ./samba-orig/source/rpc_server/srv_samr_nt.c Fri May 31 19:51:43 2002
> +++ ./samba/source/rpc_server/srv_samr_nt.c Wed Jun 5 10:12:39 2002
> @@ -52,9 +52,47 @@
> /* for use by the \PIPE\samr policy */
> DOM_SID sid;
> uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */
> + uint32 acc_granted;
> DISP_INFO disp_info;
> };
>
> +struct generic_mapping sam_generic_mapping = {
> + 0x20010,
> + 0x2000e,
> + 0x20021,
> + 0xf003f
> +};
Nice patch. I do have one request though. I've (for years)
been removing magic numerical constants from Samba (like
the "0xf003f" in the patch above). We know what these numbers
are in SEC_ACL terms - can you please change the numbers to
a list of #defined constants :
ie. The 0x20010 above should map to :
READ_CONTROL_ACCESS plus a new constant that specifies READ
access to a SAMR, probably something like SAMR_READ_ACCESS
(as it's a specific right).
Thanks,
Jeremy.
Re: Access control to SAM / _samr_query_sec_obj
This is the first version of the patch to implement access control to SAM.
It implements checks of the desired access in all open functions (those that create
handles)
against the appropriate default SDs of the previous patch and associates the granted
access bits
with the handle. These granted access bits are then used in the other functions to
check if the
current handle (user) is allowed to run the function.
However, I'm not sure if the nt_user_token works correctly, especially if root by
default
belongs to the administrators alias. So to stop the patch braking write access to the
sam,
I've commented out all return nt_status_access_denied. I haven't had the possibility
to test
the nt_user_token, as the attempts to join my win2k workstation to the samba PDC
always fails :(
In effect the patch therefore currently doesn't do much except logging but can be used
for
testing. If it works, the changes are then minimal.
But the patch should at least be enough to see if it is conceptionally acceptable, so
any
comments or improvements are welcome.
Kai
--- ./samba-orig/source/rpc_server/srv_samr_nt.c Fri May 31 19:51:43 2002
+++ ./samba/source/rpc_server/srv_samr_nt.c Wed Jun 5 10:12:39 2002
@@ -52,9 +52,47 @@
/* for use by the \PIPE\samr policy */
DOM_SID sid;
uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */
+ uint32 acc_granted;
DISP_INFO disp_info;
};
+struct generic_mapping sam_generic_mapping = {
+ 0x20010,
+ 0x2000e,
+ 0x20021,
+ 0xf003f
+};
+
+struct generic_mapping dom_generic_mapping = {
+ 0x20084,
+ 0x2047a,
+ 0x20301,
+ 0xf07ff
+};
+
+struct generic_mapping usr_generic_mapping = {
+ 0x2031a,
+ 0x20044,
+ 0x20041,
+ 0xf07ff
+};
+
+struct generic_mapping grp_generic_mapping = {
+ 0x20010,
+ 0x2000e,
+ 0x20001,
+ 0xf001f
+};
+
+struct generic_mapping ali_generic_mapping = {
+ 0x20004,
+ 0x20013,
+ 0x20008,
+ 0xf001f
+};
+
+static NTSTATUS samr_make_dom_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t
+*sd_size);
+
/***
Create a samr_info struct.
/
@@ -352,17 +390,45 @@
NTSTATUS _samr_open_domain(pipes_struct *p, SAMR_Q_OPEN_DOMAIN *q_u,
SAMR_R_OPEN_DOMAIN *r_u)
{
- struct samr_info *info;
+ structsamr_info *info;
+ SEC_DESC *psd = NULL;
+ uint32acc_granted;
+ uint32acc_required;
+ uint32des_access = q_u->flags;
+ size_tsd_size;
+ NTSTATUS status;
r_u->status = NT_STATUS_OK;
/* find the connection policy handle. */
- if (!find_policy_by_hnd(p, &q_u->pol, NULL))
+ if (!find_policy_by_hnd(p, &q_u->pol, (void**)&info))
return NT_STATUS_INVALID_HANDLE;
+ /*check if function is granted*/
+ acc_granted = info->acc_granted;
+ acc_required = 0x0020; //SAMR: open domain
+ if ((acc_granted & acc_required) != acc_required)
+ {
+ DEBUG(2,("_samr_open_domain: ACCESS should be DENIED (granted: %#010x; required:
+%#010x)\n",
+ acc_granted, acc_required));
+ //return NT_STATUS_ACCESS_DENIED;
+ }
+
+ /*check if access can be granted as requested by client. */
+ samr_make_dom_obj_sd(p->mem_ctx, &psd, &sd_size);
+ se_map_generic(&des_access,&dom_generic_mapping);
+ if(!se_access_check(psd,p->pipe_user.nt_user_token, des_access, &acc_granted,
+&status))
+ {
+ DEBUG(2,("_samr_open_domain: ACCESS should be DENIED (requested: %#010x)\n",
+ des_access));
+ //return r_u->status = status;
+ }
+
+
/* associate the domain SID with the (unique) handle. */
if ((info = get_samr_info_by_sid(&q_u->dom_sid.sid))==NULL)
return NT_STATUS_NO_MEMORY;
+ info->acc_granted = acc_granted;
/* get a (unique) handle. open a policy on it. */
if (!create_policy_hnd(p, &r_u->domain_pol, free_samr_info, (void *)info))
@@ -525,10 +591,49 @@
}
/***
+ samr_make_grp_obj_sd
+ /
+
+static NTSTATUS samr_make_grp_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t
+*sd_size)
+{
+ extern DOM_SID global_sid_World;
+ DOM_SID adm_sid;
+ DOM_SID act_sid;
+
+ SEC_ACE ace[3];
+ SEC_ACCESS mask;
+
+ SEC_ACL *psa = NULL;
+
+ sid_copy(&adm_sid, &global_sid_Builtin);
+ sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS);
+
+ sid_copy(&act_sid, &global_sid_Builtin);
+ sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS);
+
+ //basic access for every one
+ init_sec_access(&mask, 0x20011);
+ init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
+
+ //full access for builtin aliases Administrators and Account Operators
+ init_sec_access(&mask, 0xf001f);
+ init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
+ init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
RE: [PATCH] Clean up samba-3.0 for POSIX-96
Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]] writes:
> On Fri, 31 May 2002 [EMAIL PROTECTED] wrote:
>
> > source/lib/interfaces.c conditionally include sys/time.h and
> > sys/sockio.h (autoconf macros
> already exist)
>
> This change broke SAMBA_2_2. The reason is that lib/interfaces.c
> is used in the autoconf test so sys/sockio.h would never be
> included. Any thoughts? I've removed it from 2.2. for now
> and will look into it some more.
Try this patch. I copied the #include of sys/sockio.h inside of the 3
ifdef'd regions that need it. This kind of even makes sense, because now on
systems that don't implement any of the 3 ways of determining the
interfaces, they don't need sys/sockio.h. (And we don't implement any of
the 3 ways, and don't have this header). This should be a safe patch for
everyone.
Now that I see what is going on, and where I went wrong, I can't help but
notice that there is another HAVE_xxx macro referenced before #include
"config.h" (HAVE_SYS_TIME_H). I took a brief look at configure, and it does
not appear to ever set HAVE_SYS_TIME_H. But I also see some logic about
site-config files, so perhaps that's a way. At any rate, since I don't need
to change this, and since it is presumably not harming anyone, I have left
it alone. There are also some other HAVE_xxx macros after the #include of
"config.h" but again, I left these alone.
I re-ran configure and make after this change, and both work ok. This patch
is against the 2.2.4 sources prior to my previous change (I assume that's
where you backed the file up to).
If my changes were applied to the 3.0 tree, then this change needs to be
made there too.
### START OF PATCH ###
--- oldsamba>source>lib>interfaces.cWed Jun 5 12:57:57 2002
+++ newsamba>source>lib>interfaces.cWed Jun 5 12:58:11 2002
@@ -44,10 +44,6 @@
#endif
#include
-#ifndef SIOCGIFCONF
-#include
-#endif
-
#ifdef AUTOCONF_TEST
struct iface_struct {
char name[16];
@@ -81,6 +77,10 @@ struct iface_struct {
#if HAVE_IFACE_IFCONF
+#ifndef SIOCGIFCONF
+#include
+#endif
+
/* this works for Linux 2.2, Solaris 2.5, SunOS4, HPUX 10.20, OSF1
V4.0, Ultrix 4.4, SCO Unix 3.2, IRIX 6.4 and FreeBSD 3.2.
@@ -153,6 +153,10 @@ static int _get_interfaces(struct iface_
#elif HAVE_IFACE_IFREQ
+#ifndef SIOCGIFCONF
+#include
+#endif
+
#ifndef I_STR
#include
#endif
@@ -247,6 +251,10 @@ static int _get_interfaces(struct iface_
}
#elif HAVE_IFACE_AIX
+
+#ifndef SIOCGIFCONF
+#include
+#endif
/***
*
this one is for AIX (tested on 4.2)
### END OF PATCH ###
Thanks
PG
--
Paul Green, Senior Technical Consultant, Stratus Technologies.
Voice: +1 978-461-7557; FAX: +1 978-461-3610; Video on request.
[Fwd: smbd 2.2.4 Solaris 8 on intel (PR#24507)]
Better forward this bug to the technical list. Anyone using samba on >2 processors machine? -Forwarded Message- From: [EMAIL PROTECTED] To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: smbd 2.2.4 Solaris 8 on intel (PR#24507) Date: 05 Jun 2002 09:29:30 -0700 I am not even sure how to describe this issue. We have a University labratory environment with 150 or so Windows computers that connect to our samba server. We have smbd 2.2.2 running on a Solaris 8 Sparc computer without an issue :-) We wish to move the smb services to a quad intel machine running Solaris 8. We first started with 2.2.4 compiled with the same options as on the sparc machine. Sparc options ./configure --prefix=/public/sparc/samba-2.2.2 --sysconfdir=/etc/localhost/samba-2.2.2 --with-configdir=/etc/localhost/samba-2.2.2 --with-privatedir=/etc/localhost/samba-2.2.2/private --with-lockdir=/var/run --with-pam --with-acl-support --with-quotas --with-automount But we got hundreds of Signal 11 (segmentation faults). Even the nmbd died from this. We then switched back to 2.2.2, but had the same results. After some extensive trouble shooting, it appeared to be the --with-quotas option that was causing the problem, so we recompiled 2.2.4 with the following options > env CFLAGS='-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -march=i686 -O2 -funroll-loops -fexpensive-optimizations' \ > CPPFLAGS='-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -march=i686 -O2 -funroll-loops -fexpensive-optimizations' \ > ./configure --prefix=/package/samba-2.2.4 \ > --sysconfdir=/etc/localhost/samba-2.2.4 \ > --with-configdir=/etc/localhost/samba-2.2.4 \ > --with-privatedir=/etc/localhost/samba-2.2.4/private \ > --with-logfilebase=/var/log/samba-2.2.4 \ > --with-lockdir=/var/log/samba-2.2.4/locks \ > --with-piddir=/var/log/samba-2.2.4 \ > --with-acl-support \ > --with-automount \ > --with-pam \ > --sharedstatedir=/var/samba-2.2.4 With only two Win2k machines using this server, we were unable to reproduce the segmentation faults. We fineshed the configuration, and then we switched smb services to this machine. 1. stop nmbd on current server 2. start smbd on new server 3. start nmbd on new server As clients connect to the netbios name, they gradually learn of the new server. The connections to the old server taper off, and the connections to the new server start to build. Almost immediately, the logs include the segmentation fault error message (signal 11). Incidentally, compiling without any CFLAGS, CPPFLAGS does not make any difference to this problem, nor does using Suns supplied gcc with the Sun as/ld or if we use gcc3.0.4 with gnu as/ld. I have a level 3 logs at http://remora.csc.uvic.ca/smbbug/c-oswego.log http://remora.csc.uvic.ca/smbbug/c-cooper.log http://remora.csc.uvic.ca/smbbug/smb.conf Any assistance/test we can do to help out is of course available. thanks, -- Evan Rempel <[EMAIL PROTECTED]> 250.721.8296 Senior Programmer Analyst University of Victoria -- Simo Sorce -- Una scelta di liberta': Software Libero. A choice of freedom: Free Software. http://www.softwarelibero.it
Re: SPAM on samba-technical
> > > please consider some spam protection, > > Going over the log files it seems that about 80 messages a day are being > blocked by spews. The RBL is blocking maybe 5-6 per day. I added > spamcop to the list tody and it seems to be blocking a lot more mail. > 211.117.176.60 is DNSbl listed. by korea.services.net Blocked due to spam, see http://korea.services.net/blocked.phtml 211.223.191.177 is DNSbl listed. by korea.services.net Blocked due to spam, see http://korea.services.net/blocked.phtml i think it's time to add "korea.services.net" - sad for korean posters, but ...
[PATCH] Stackable VFS interface for HEAD
Hi! Attached is latest version of stackable VFS interface, as described in my talk on SambaXP (http://www.sambaxp.org/samba_XP_2002/archive.html) Changes: - 'vfs path' option added to specify path where modules reside. You can use this to simplify 'vfs object' line. - conn->vfs_private changed to void**. Each module receives different module_id during vfs_init call which is an index to conn->vfs_private[] array so that module-specific data can be stored in conn->vfs_private[module_id] -- / Alexander Bokovoy Software architect and analyst // SaM-Solutions Ltd. --- If you give Congress a chance to vote on both sides of an issue, it will always do it. -- Les Aspin, D., Wisconsin samba-3.0-cascaded-vfs.1.1.patch.bz2 Description: BZip2 compressed data
netatalk.c
hi there!
this is simple netatalk vfs module against stackable VFS
interface.
regards,
--
Alexey Kotovich
/* Software developer, SaM-Solutions Ltd. */
-- fortune says --
Why use Windows, since there is a door?
/*
* AppleTalk VFS module for Samba.
*
* Copyright (C) Alexey Kotovich, 2002
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "config.h"
#include
#include
#ifdef HAVE_UTIME_H
#include
#endif
#ifdef HAVE_DIRENT_H
#include
#endif
#ifdef HAVE_FCNTL_H
#include
#endif
#include
#include
#include
#include
#define APPLEDOUBLE ".AppleDouble"
#define APPLEPARENT ".Parent"
#define ADOUBLEMODE 0777
#define HEADERMODE 0775
#define AID_DATA 1
#define AID_RESOURCE 2
#define AID_REALNAME 3
#define AID_COMMENT 4
#define AID_ICON_MONO 5
#define AID_ICON_COLOR 6
#define AID_INFO_FILE 7 /* for v1? */
//#define AID_INFO_FILE 8 /* for v2 */
#define AID_INFO_FINDER 9
#define AID_INFO_MAC 10
#define AID_INFO_PRODOS 11
#define AID_INFO_MSDOS 12
#define AID_AFP_NAME 13
#define AID_AFP_INFO 14
#define AID_AFP_DID 15 /* directory ID */
#define FILE_TYPE "TEXT"
#define FILE_CREATOR "UNIX"
#define MAX_ENTRIES 16
#define ADOUBLE_MAGIC {0x00, 0x05, 0x16, 0x07}
#define ADOUBLE_VERSION1 {0x00, 0x01, 0x00, 0x00}
#define ADOUBLE_VERSION2 {0x00, 0x02, 0x00, 0x00}
#define ADOUBLE_LOCK {0x00, 0x00, 0x01, 0xa0}
#define ADOUBLE_MAX_FNAME 255
#define ADOUBLE_MAX_COMMENT 200
#define ADOUBLE_COMMENT "created by Samba"
typedef uint8 a_uint8;
typedef uint8 a_uint16[2];
typedef uint8 a_uint32[4];
typedef uint8 a_int8;
typedef uint8 a_int16[2];
typedef uint8 a_int32[4];
typedef struct adouble_entry
{
a_uint32 eid;
a_uint32 offset;
a_uint32 length;
size_t item_size;
void *item;
} a_entry;
#define ADOUBLE_ENTRY_SIZE 12
typedef struct adouble_header
{
a_uint32 magic;
a_uint32 version;
a_uint8 empty[16];
a_uint16 num_entries;
a_entry entries[MAX_ENTRIES];
} a_header;
#define ADOUBLE_HEADER_SIZE 26
#define ADOUBLE_HEADER_FULL_SIZE (26 + (MAX_ENTRIES * 12))
typedef struct adouble_file_info
{
a_int32 date_create;
a_int32 date_modify;
a_int32 date_backup;
a_int32 date_access;
} a_filei;
#define ADOUBLE_FILEI_SIZE 16
typedef struct adouble_file_attr
{
a_uint8 empty[3];
a_uint8 attrs;
} a_filea;
#define ADOUBLE_FILEA_SIZE 4
typedef struct adouble_finder_info
{
a_uint8 file_type[4];
a_uint8 file_creator[4];
a_uint16 flags1;
a_int16 file_y_pos; /* location in the folder */
a_int16 file_x_pos;
a_int16 file_folder; /* window */
/* extended finder info */
a_int16 icon_id;
a_int16 empty[3];
a_int8 flags2;
a_int8 flags3;
a_int16 comment_id;
a_int32 home_id; /* home directory ID */
} a_finderi;
#define ADOUBLE_FINDERI_SIZE 32
#define MAX_UINT16 65536U
#define MAX_UINT32 4294967296U
#define MAX_INT16 32767
#define MIN_INT16 -32768
#define MAX_INT32 2147483647
#define MIN_INT32 -2147483647
#define UINT16_BE
#define UINT32_BE
#define UINT32_LE
#ifdef UINT16_BE
static __inline__ void uint16_be_encode(uint8 *field, uint16 value)
{
field[0] = (value >> 8) & 0xff;
field[1] = value & 0xff;
}
#endif
#ifdef UINT32_BE
static __inline__ void uint32_be_encode(uint8 *field, uint32 value)
{
field[0] = (value >> 24) & 0xff;
field[1] = (value >> 16) & 0xff;
field[2] = (value >> 8) & 0xff;
field[3] = value & 0xff;
}
#endif
#ifdef INT16_BE
static __inline__ void int16_be_encode(uint8 *field, int16 value)
{
uint16 u_value = value >= 0 ? value : value + MAX_UINT16;
field[0] = (u_value >> 8) & 0xff;
field[1] = value & 0xff;
}
#endif
#ifdef INT32_BE
static __inline__ void int32_be_encode(uint8 *field, int32 value)
{
uint32 u_value = value >= 0 ? value : value + MAX_UINT32;
field[0] = (u_value >> 24) & 0xff;
field[1] = (u_value >> 16) & 0xff;
field[2] = (u_value >> 8) & 0xff;
field[3] = u_value & 0xff;
}
#endif
#ifdef UIN16_LE
static __inline__ uint16 uint16_le_encode(uint8 *field)
{
return (uint16) field[1] << 8 | (uint16) field[0];
}
#endif
#ifdef UINT32_LE
static __inline__ uint32 uint32_le_encode(uint8 *field)
{
uint16 big = 0;
uint16 little = 0;
uint32 u_value = 0;
big= (uint16) (field[1] << 8) | (uint16) (field[0]);
little = (uint16) (field[2] << 8) | (uint16) (field[3]);
u_value |= little;
if (big != 0)
u_value |= (uint32) (big << 8);
return u_value;
}
#endif
#ifdef INT16_LE
static __inline__ int1
RE: --with-acl-support (2.2.4
OK so you can set and view ACLs using setfacl/getfacl ('setfacl -m d:o::rwx
/tmp' 'getfacl /tmp' ? ie the kernel patches worked successfully ?)
If so then ACLs are indeed enabled. I would then start the compilation
afresh - Samba should pick up on the ACLs automatically.
Are you using winbindd for authentication ?
A caveat to remember once you are up and running with ACLs is that only the
owner and root can alter ACLs through the Windows Explorer editor. For
administration purposes I create a protected, hidden share with 'force user
= root'.
> -Original Message-
> From: Nieminen, Jooel [mailto:[EMAIL PROTECTED]]
> Sent: 05 June 2002 08:08
> To: Noel Kelly
> Subject: VS: --with-acl-support (2.2.4
>
>
> yeah.
> pathced my kernel and installed the other stuff...
> there is some "stupid" thing which is undocumented with samba.
> when running make after configure it says that it is
> compiling with acl
> support!
> but, anyhow putting my server together and trying to use more
> access than
> usual unix produces access denied message.
> the same thing it did with trustees acl.
> well, getting pretty frustrated with samba in total.
> had to build my own package instead of using rpm and thus
> getting everything
> in unstandardized mess.
> if this is where linux still is with compability with windows
> networks...
> poor, really poor and too sticky.
>
> is there any clear documentation on this anywhere?
> I didn't get any page on web which would have instructed on
> enabling acl's
> with samba...
>
> you probably are wrong guy to cry to but have to dump my
> thoughts somewhere.
>
> cheers,
> Jooel
>
> -Alkuperäinen viesti-
> Lähettäjä: Noel Kelly [mailto:[EMAIL PROTECTED]]
> Lähetetty: 5. kesäkuuta 2002 0955
> Vastaanottaja: 'Nieminen, Jooel'; '[EMAIL PROTECTED]'
> Aihe: RE: --with-acl-support (2.2.4
>
>
> Are you using an ACL enabled kernel ?
>
> If not you need to either patch your existing kernel
> (acl.bestbits.at) or
> you can use the XFS filesystem from SGI (oss.sgi.com). If you want to
> reinstall the whole system then SGI actually produce an
> adapted RH installer
> to run in conjunction with the usual media which gives you
> XFS out of the
> box (the ACL utlities are a bit dated though and you will
> need to update
> them after installation I found as they do not function properly with
> defaults.)
>
> Noel
>
>
> -Original Message-
> From: Nieminen, Jooel [mailto:[EMAIL PROTECTED]]
> Sent: 05 June 2002 06:55
> To: '[EMAIL PROTECTED]'
> Subject: --with-acl-support (2.2.4
>
>
> mm...
> am I understanding something really wrong or is there
> something that I've
> missed.
> samba-2.2.4 configure --with-acl-support outputs these lines
> along others:
>
> checking whether to support ACLs... checking for acl_get_file
> in -lacl... no
> checking for ACL support... no
>
> normal?
>
>
>
> ---
> Incoming mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.368 / Virus Database: 204 - Release Date: 29/05/2002
>
> ---
> Incoming mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.368 / Virus Database: 204 - Release Date: 29/05/2002
>
>
VL: --with-acl-support (2.2.4)
I don't know about you guys, but samba did configure with acl-support when I added the "unneeded" devel packages of acl. -Alkuperäinen viesti-Lähettäjä: Nieminen, Jooel Lähetetty: 5. kesäkuuta 2002 0855Vastaanottaja: '[EMAIL PROTECTED]'Aihe: --with-acl-support (2.2.4 mm... am I understanding something really wrong or is there something that I've missed. samba-2.2.4 configure --with-acl-support outputs these lines along others: checking whether to support ACLs... checking for acl_get_file in -lacl... nochecking for ACL support... no normal?
