RE: FreeSwan VPN using Samba

2002-07-30 Thread Lapers Stefan

Hi guys, I don't have that much experience with freeswan and samba playing together.


Just a thought:
I had been testing freeswan for several days and found ipsec as is to have some shortcomings. ( not shooting at freeswan here :-) )

I don't know if you can apply this in your environment, but wouldn't combining a tunneling protocol and ipsec be your solution ?

If you use GRE or L2TP you will obtain an interface which you can use for routing etc. (one of the things I didn't manage to get working 100 % with ipsec alone).

(overhead by using a tunneling protocol inside ipsec is minimal, CISCO has a document describing this)




Greets,



Lapers Stefan


-Original Message-
From: Alex @ Avantel Systems [SMTP:[EMAIL PROTECTED]]
Sent: maandag 29 juli 2002 23:59
To: [EMAIL PROTECTED]
Subject: Re: FreeSwan VPN using Samba


Steve 


Sounds like we were working on similar projects. Same task, same problems but 
we had it working pretty well. Haven't looked at it recently but as I recall 
we resolved the problem you describe *without* a patch to samba! If you bind 
to the interface ipsec*, you should get the behaviour you are looking for. 
 interfaces = ipsec* eth1 lo
 bind interfaces only = yes
We had other problems though and if you can add to my understanding of those 
that would be cool. See


http://www.avantel.ca/samba.html


Can anyone add something to that . . . 


And AFAIK samba WINS still does not replicate so the problem persists today.


Cheers;


Alex Vandenham
Avantel Systems


On July 29, 2002 12:12 pm, you wrote:
 Greetings.

 Early in 2000, I was involved with a project to bring out of the box,
 installable, VPNs to a shrink-wrap RedHat linux. The project ended because
 the leader, a brilliant idea man, was a paranoid freak. However, I was
 fascinated by the idea of bringing together a Windows Workgroup over a
 secure VPN using FreeSwan and Samba.

 All of the messages and web pages I looked at for making this happen with
 Samba indicated ways to hack around in the config file. None of the
 solutions ever worked thoroughly and the indication was that you had to
 live with it when it didn't. The real problem was with the Samba code.

 I don't remember which Samba release I worked on to make this happen but I
 do know it was the release that was included with RedHat 6.1. I had to
 make some specific configuration adjustments and small modifications to two
 of the core Samba modules. A WINS server is, of course, necessary for
 cross-subnet browsing and I use Samba for this. I had Win95, Win98, WinME,
 and Win2000 machines on this network but no Win2000 or WinNT Servers.

 All of this worked great.

 I have recently configured a three-network VPN using RedHat 7.3, FreeSwan
 1.97, and Samba 2.2.3a. I waited so long to upgrade because I was afraid
 that the latest release of Samba included with RedHat would still have the
 problem. It did.

 Consider this network:

 Network NORTH
 --
 eth0 20.30.40.50 RedHat 7.3
 eth1 10.1.10.254
 --
 ipsec 10.1.10.254 - 10.1.11.254
 ipsec 10.1.10.254 - 10.1.20.254
 --
 Workgroup NORTH
 --
 10.1.10.254 DMB WINS
 10.1.10.1 Win2000
 10.1.10.11 Win2000
 10.1.10.12 Win98

 Network WEST
 --
 eth0 30.40.50.60 RedHat 7.3
 eth1 10.1.11.254
 --
 ipsec 10.1.11.254 - 10.1.10.254
 ipsec 10.1.11.254 - 10.1.20.254
 --
 Workgroup WEST
 --
 10.1.11.254 DMB
 10.1.11.1 Win2000 Svr
 10.1.11.2 WinME
 10.1.11.3 Win2000 Pro

 Network EAST
 --
 eth0 40.50.60.70 RedHat 7.3
 eth1 10.1.20.254
 --
 ipsec 10.1.20.254 - 10.1.10.254
 ipsec 10.1.20.254 - 10.1.11.254
 --
 Workgroup EAST
 --
 10.1.20.254 DMB
 10.1.20.1 Win98
 10.1.20.2 SUSe 8.0
 10.1.20.3 Win98
 10.1.20.4 SUSe 8.0

 As you can see, there are ipsec tunnels between each network. The problem
 was in the synchronization of Domain Master Browsers. Even when BIND
 INTERFACES ONLY was set to YES, Samba would not bind to the INTERFACES
 listed but to the first interface, eth0. Therefore, the source IP for the
 DMB Sync communications was for the external interface. Since there was no
 ipsec route for this, the sync failed.

 The solution to this problem was, when BIND INTERFACES ONLY is set to YES,
 Samba should bind outgoing packets to the first valid INTERFACES ip
 address. At least, this appeared to be the solution used in another part of
 nmbd_packets.c. queue_query_name() was using this method. I simply moved
 this to create_and_init_netbios_packet(). A similar change was needed in
 open_socket_out() in module util_sock.c.

 Attached is the patch file samba-2.2.3a-socketbinding.patch and the spec
 file I used to create the new RPM samba-slc.spec. This network is
 working perfectly. All 
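The source-address problem Steve describes (nmbd sending DMB sync packets from the external eth0 address, which no ipsec policy covers, so the traffic either fails or leaves the gateway unprotected) can be modelled in a few lines. The following Python is an added example written for this digest, not Samba's code: the interface table, the ipsec0 address and the ipsec policies are constructed from the NORTH network in the quoted message, the wildcard expansion of the `interfaces` parameter is done with shell-style matching, and "patched" implements the behaviour Steve says he moved into create_and_init_netbios_packet(): bind to the first valid address from the `interfaces` list.

```python
import fnmatch
import ipaddress

# Constructed interface table modelled on the NORTH gateway in the quoted
# message. The ipsec0 address is made up for the demo; this is not Samba code.
SYSTEM_INTERFACES = [
    ("eth0", "20.30.40.50/24"),    # external side, first interface on the box
    ("eth1", "10.1.10.254/24"),    # LAN side, workgroup NORTH
    ("ipsec0", "10.1.10.254/24"),  # constructed address for the tunnel interface
    ("lo", "127.0.0.1/8"),
]

# Constructed ipsec policies for NORTH: (local subnet, remote subnet) pairs the
# tunnels carry. Anything matching no policy leaves via eth0 unprotected.
IPSEC_POLICIES = [
    ("10.1.10.0/24", "10.1.11.0/24"),
    ("10.1.10.0/24", "10.1.20.0/24"),
]


def configured_interfaces(interfaces_param, system_interfaces=SYSTEM_INTERFACES):
    """Expand the 'interfaces' parameter (names, shell-style wildcards allowed)
    against the system table, keeping the order the admin listed them in."""
    chosen = []
    for pattern in interfaces_param.split():
        for entry in system_interfaces:
            if fnmatch.fnmatchcase(entry[0], pattern) and entry not in chosen:
                chosen.append(entry)
    return chosen


def source_address(interfaces_param, bind_interfaces_only, patched):
    """Source IP an outgoing nmbd packet carries under the two behaviours
    the message describes."""
    if bind_interfaces_only and patched:
        # Patched behaviour: bind to the first valid (non-loopback) address
        # from the 'interfaces' list instead of leaving the choice to the kernel.
        for _name, cidr in configured_interfaces(interfaces_param):
            addr = ipaddress.ip_interface(cidr).ip
            if not addr.is_loopback:
                return str(addr)
    # Unpatched behaviour: the kernel picks the first interface on the box,
    # so the packet leaves with eth0's external address.
    return str(ipaddress.ip_interface(SYSTEM_INTERFACES[0][1]).ip)


def tunnel_carries(src, dst, policies=IPSEC_POLICIES):
    """True if some ipsec policy covers this (source, destination) pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote)
               for local, remote in policies)


def dmb_sync_check(dst, interfaces_param, patched):
    """Return (source address, protected by a tunnel?) for a DMB sync to dst."""
    src = source_address(interfaces_param, bind_interfaces_only=True, patched=patched)
    return src, tunnel_carries(src, dst)


if __name__ == "__main__":
    for patched in (False, True):
        src, ok = dmb_sync_check("10.1.11.254", "ipsec* eth1 lo", patched)
        print(f"patched={patched}: source {src}, carried by tunnel: {ok}")
```

The check worth keeping from this is the last one: a sync that fails because the source address matches no policy is the visible symptom, but the same mismatch means NetBIOS traffic is being emitted on the external interface in the clear, so a capture on eth0 for UDP 137/138 from the gateway's own address is a quick way to confirm whether the binding fix took effect.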

Re: SNIA CIFS TR

2002-07-30 Thread Michael B . Allen

Don't you think it's kind of funny that Leach and Naik aren't even
mentioned in the acknowledgements? And they put a Copyright 2001, 2002 SNIA
in there? This document is a big turd. There are major grammatical errors,
technical inaccuracies, and huge holes that aren't even mentioned (what's
the number of seconds between 1601 and 1970 again?). How about this gem on
page 1:

    Adoption of a common file sharing protocol having modern semantics
    such as shared files, byte-range locking, coherent caching, change
    notification, replicated storage, etc. would provide important benifits
    to the Internet community.

What a load of crap! Who's going to run a CIFS server on the internet? DCE
on top of Transactions on top of SMB in front of empty 4 byte NetBIOS
headers? No thanks! Don't you think it would be worth mentioning that
SMB_COM_COPY doesn't even work? There's *nothing* about DCE/RPC in here
except for some incomprehensible banter about PDUs. The only stuff that's
accurate is the original Leach/Naik content. The few corrections I
submitted have not been fixed so why bother to contribute anything? This
document is an excuse for the different shadowy cliques to get their little
two-bit extensions in. And the funny thing is the extensions will never be
implemented by Windows servers so they're nearly pointless. I wish someone
would do a real analysis and write some practical documentation.

Sorry. Needed to be said,
Mike

On Mon, 29 Jul 2002 14:50:26 -0500
Christopher R. Hertel [EMAIL PROTECTED] wrote:

 Mike,
 
 I sent a message to your ml.com address.  The SNIA CIFS TR is at:

-- 
A program should be written to model the concepts of the task it
performs rather than the physical world or a process because this
maximizes the potential for it to be applied to tasks that are
conceptually similar and more importantly to tasks that have not
yet been conceived.
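The "seconds between 1601 and 1970" jab refers to the CIFS time format: SMB carries timestamps as 64-bit FILETIME values, 100 ns ticks since 1601-01-01 UTC, and every implementation needs the epoch offset to map them onto Unix time. The Python below is an added example for this digest (not from the TR, Samba, or the poster): it derives the offset from the calendar rather than hard-coding it, decodes the 8-byte little-endian wire form, and treats the two sentinel values (0 for "not set", all ones for "never") as absent times instead of dates.

```python
import struct
from datetime import datetime, timezone

# Seconds between the CIFS/Windows epoch (1601-01-01 UTC) and the Unix epoch,
# derived from the proleptic Gregorian calendar instead of typed in by hand.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)
EPOCH_DELTA_SECONDS = int((EPOCH_1970 - EPOCH_1601).total_seconds())
TICKS_PER_SECOND = 10_000_000  # FILETIME counts 100 ns intervals

# Sentinel values seen in SMB time fields.
FILETIME_NONE = 0                      # "no time set"
FILETIME_NEVER = 0xFFFFFFFFFFFFFFFF    # "never" / infinite


def filetime_to_unix(filetime):
    """Convert a FILETIME to (seconds since the Unix epoch, nanoseconds).
    Returns None for the two sentinels; negative seconds are dates before 1970.
    Integer arithmetic throughout, so no precision is lost in the conversion."""
    if not 0 <= filetime <= FILETIME_NEVER:
        raise ValueError("FILETIME must be an unsigned 64-bit value")
    if filetime in (FILETIME_NONE, FILETIME_NEVER):
        return None
    seconds, ticks = divmod(filetime, TICKS_PER_SECOND)
    return seconds - EPOCH_DELTA_SECONDS, ticks * 100


def unix_to_filetime(seconds, nanoseconds=0):
    """Inverse conversion; precision below 100 ns is dropped."""
    return (seconds + EPOCH_DELTA_SECONDS) * TICKS_PER_SECOND + nanoseconds // 100


def unpack_filetime(wire):
    """Decode the 8-byte little-endian FILETIME as it appears in SMB fields."""
    if len(wire) != 8:
        raise ValueError("FILETIME is exactly 8 bytes on the wire")
    return filetime_to_unix(struct.unpack("<Q", wire)[0])


def pack_filetime(seconds, nanoseconds=0):
    """Encode a Unix time as the 8-byte little-endian FILETIME wire form."""
    return struct.pack("<Q", unix_to_filetime(seconds, nanoseconds))


if __name__ == "__main__":
    print("epoch offset:", EPOCH_DELTA_SECONDS)
    # Constructed wire bytes: the FILETIME of the Unix epoch itself.
    print("decoded:", unpack_filetime(bytes.fromhex("00803ed5deb19d01")))
```

Validating the range before converting matters in a parser: a sentinel or an out-of-range value that is blindly fed into a time conversion is a common source of crashes and of nonsense timestamps in file listings.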




recent cvs-samba-3.0s and bugs or features

2002-07-30 Thread Lars O . Grobe

Hi list,

again, I have to ask a question about problems using samba 3.0 - although I 
know that the cvs sources are not for production... ;-)

I have a version of mid-july up and running, with the accounts in smbpasswd. 
However, I have two problems, one with group mappings, one with adding 
windows 2000 clients to the domain.

I have my unix group users mapped to Power Users with smbgroupedit. As we use 
German windows 2000 clients, this group is named Hauptbenutzer on the 
machines. But the domain group seems not to be in the local group (Power 
Users is not listed in Hauptbenutzer). Is it necessary that the domain group 
exists at the time the client is added to the domain? The machines joined the 
domain when I had a samba 2.2-pdc, so I didn't have a power users group at 
that time. Do I have to re-join the domain, so that the clients can add the 
domain group to their local group? That's how I understand the howto from 
samba-3.0.

The second question is about joining the domain. Has the code providing this 
functionality been broken in recent cvs-versions? I don't get my machines 
into the domain any more, while the machines I had in my 2.2-domain still 
work fine. BTW, will I still have to use the root account to add machines to 
the domain?

So, basically, I would like to know if these things SHOULD work, so that I 
can continue finding the problem, trying new cvs-versions etc

Thank You, CU, Lars.




Regression: smbclient fails with protocol negotiation failed

2002-07-30 Thread Fredrik Öhrn


I just noticed that 'smbclient -L some_server' fails with the message
protocol negotiation failed when some_server is running samba 2.2.5

The version of smbclient doesn't matter, and it works OK against a 2.2.2 
server I still have around.

Other aspects like mounting shares and stuff work, and the 
Network Neighborhood in Windows doesn't seem to suffer either.


If there's anything I can do to help debug this further I'd be glad to 
help.


Regards,
Fredrik

-- 
   It is easy to be blinded to the essential uselessness of computers by
   the sense of accomplishment you get from getting them to work at all.
   - Douglas Adams

Fredrik Öhrn   Chalmers University of Technology
[EMAIL PROTECTED]  Sweden





Nigerian 419 scam - Re: (no subject)

2002-07-30 Thread John E. Malmberg

Ernst Cozijnsen wrote:
 I thought open-source was a non profit thing?.  hehehehe

Please do not repost spam!

As funny as this scam may sound, this scam is run by organized crime, 
and some of the perpetrators are known to be murderers and worse.

This is known as a Nigerian 419 scam, and most countries have task 
forces that want to be notified about these e-mails.

If the scammer receives a traceable e-mail, they will use that 
information to steal the identity of the person.  The money scam 
mentioned in the spam is only a small part of the scam.

In addition to financial loss, you risk life and limb for you or your 
family if you correspond with anyone associated with this scam.

-John
[EMAIL PROTECTED]
Personal Opinion Only





Re: Hunting down bottlenecks in samba 2.2.5 + OpenLDAP

2002-07-30 Thread Fredrik Ohrn

On Tue, 30 Jul 2002, Fredrik Ohrn wrote:

 
 source don't print anything. Does anyone have suggestions why/how samba 
 triggers this lengthy search?
 

As always: Use Google first, ask questions later.

The culprit here is the initgroups function, apparently nss_ldap is 
borked on Solaris. I'll move over to the correct mailinglist. :)


Regards,
Fredrik

-- 
   It is easy to be blinded to the essential uselessness of computers by
   the sense of accomplishment you get from getting them to work at all.
   - Douglas Adams

Fredrik Öhrn   Chalmers University of Technology
[EMAIL PROTECTED]  Sweden





How do I compile 64 bit Samba on Solaris 8?

2002-07-30 Thread John Emmert

I haven't found any docs on how to do this. Can someone point me in the right 
direction? I've got Forte compiler 6.2 and the sun linker and assembler in my path, 
but not gcc. Is it an option I give to configure? Do I have to use gcc?

-
Protect yourself from spam, use http://sneakemail.com




RE: How do I compile 64 bit Samba on Solaris 8?

2002-07-30 Thread Dennis, David M.

Regarding compiling on solaris:

1) make sure the environment variable CC is set to the proper compiler.  If
gcc then $CC needs 'gcc' and if Forte on Sun then $CC=cc .

2) ensure the proper paths, the Sun Companion CD puts gcc in
/opt/sfw/bin/gcc .  

3) LD_LIBRARY_PATH must include non-standard Solaris libs, /usr/local/lib is
NOT standard on Solaris.

4) If you have Forte your PATH should be something like /opt/SUNWspro/bin
ahead of everything, and /opt/sfw/bin or /usr/local/bin last .
LD_LIBRARY_PATH should likewise have /opt/SUNWspro/lib ahead of everything
else.

There was also just recently a patch posted for smbwrapper for samba, if
your compile is failing with that email me and I'll send it along.

Hope that helps, anyone feel free to add corrections to the above, I am
still learning these myself!

-Dave


+--
+ David M. Dennis
+ Network Administrator, IT
+ Seattle University
+ 206-296-5543, x5543
+--


-Original Message-
From: John Emmert [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 30, 2002 10:18 AM
To: [EMAIL PROTECTED]
Subject: How do I compile 64 bit Samba on Solaris 8?


I haven't found any docs on how to do this. Can someone point me in the
right direction? I've got Forte compiler 6.2 and the sun linker and
assembler in my path, but not gcc. Is it an option I give to configure? Do I
have to use gcc?

-
Protect yourself from spam, use http://sneakemail.com




Re: How do I compile 64 bit Samba on Solaris 8?

2002-07-30 Thread Eric Boehm

On Tue, Jul 30, 2002 at 03:38:59PM -0700, Dennis, David M. wrote:
 Dave == Dennis, David M [EMAIL PROTECTED] writes:

Dave Regarding compiling on solaris: 1) make sure the environment
Dave variable CC is set to the proper compiler.  If gcc then $CC
Dave needs 'gcc' and if Forte on Sun then $CC=cc .

Dave 2) ensure the proper paths, the Sun Companion CD puts gcc in
Dave /opt/sfw/bin/gcc .

Dave 3) LD_LIBRARY_PATH must include non-standard Solaris libs,
Dave /usr/local/lib is NOT standard on Solaris.

Might be best to unset LD_LIBRARY_PATH

Dave 4) If you have Forte your PATH should be something like
Dave /opt/SUNWspro/bin ahead of everything, and /opt/sfw/bin or
Dave /usr/local/bin last .  LD_LIBRARY_PATH should likewise have
Dave /opt/SUNWspro/lib ahead of everything else.

Dave There was also just recently a patch posted for smbwrapper
Dave for samba, if your compile is failing with that email me and
Dave I'll send it along.

Dave Hope that helps, anyone feel free to add corrections to the
Dave above, I am still learning these myself!

John I haven't found any docs on how to do this. Can someone
John point me in the right direction? I've got Forte compiler 6.2
John and the sun linker and assembler in my path, but not gcc. Is
John it an option I give to configure? Do I have to use gcc?

I believe I've posted instructions on this several times in the past.

Assuming that you have cc in your PATH and the CC=cc

A. For Bourne/Korn Shells

   1. For Sun's Forte compiler
  
  CC=cc  CPPFLAGS='-D__EXTENSIONS__' CFLAGS='-xarch=v9a'  \
./configure args-to-configure

   2. For gcc 3.x or better

  CC=gcc CPPFLAGS='-D__EXTENSIONS__' CFLAGS='-m64' \
./configure args-to-configure

B. For Csh and derivatives

   1. For Sun's Forte compiler

  # csh has no VAR=value command prefix; set each variable on its own line
  setenv CC   cc
  setenv CPPFLAGS '-D__EXTENSIONS__'
  setenv CFLAGS   '-xarch=v9a'
  ./configure args-to-configure

   2. For gcc 3.x or better

  setenv CC   gcc
  setenv CPPFLAGS '-D__EXTENSIONS__'
  setenv CFLAGS   '-m64'
  ./configure args-to-configure

The CPPFLAGS='-D__EXTENSIONS__' is necessary because configure doesn't
(yet) include crypt.h and crypt gets the wrong prototype in a 64-bit
application, leading to a SIGSEGV in swat

If you experience difficulties linking some shared objects, it's
because the definition of SHLD doesn't include CFLAGS. The workaround
is

make SHLD='${CC} ${CFLAGS}' 

when building Samba

You could also use '-xarch=v9' or '-xarch=v9b' for UltraSparc III or
'-xarch=native64' instead of '-xarch=v9a'

-- 
Eric M. Boehm  /\  ASCII Ribbon Campaign
[EMAIL PROTECTED]   \ /  No HTML or RTF in mail
X   No proprietary word-processing
Respect Open Standards / \  files in mail




Puzzled about missing locking requests in the NetBench single usertest

2002-07-30 Thread Richard Sharpe

Hi,

I have a complete trace of a netbench single user run.

This is from NetBench 7.0.2.

The overall result claims that there were 560 lock file calls and 553 
unlock file calls.

I can only find 32 lock and unlock requests (in total that is, not each) 
on the wire. These should not be confused with OpLock break requests and 
responses, which I also see.

This seems to be a problem. Has anyone seen anything like that?
 
Regards
-
Richard Sharpe, [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED]





More interesting NetBench anomalies ...

2002-07-30 Thread Richard Sharpe

Hi,

Having looked at the NetBench run a bit more, a couple of extra anomalies 
disturb me:

1. The report claims 25,774 write calls, but I can only find 3885 on the 
wire.

2. The report claims 32,749 read calls, but I find 40,074.

3. The report claims 163.471 MBytes of data Transferred, yet a full 
capture is larger than 334 MBytes (that capture dropped a few frames).
 
Regards
-
Richard Sharpe, [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED]





Winbindd weirdness

2002-07-30 Thread Matthew McCowan

ftp://ftp.motherwell.com.au/pub/incoming/winbindd.log.bz

G'day folks,

We're running 2.2.5 on a Solaris 7 box powered by an Ultra 10, 512M RAM.

The distribution was built from source using Sun Workshop v5.

The box sees a fair bit of developer activity, but not a huge number of
users, so it seemed the perfect beast for trialing the pam_winbind/winbindd
authentication mechanism.

The build went reasonably smoothly, and produced stuff that Solaris 7 was
happy with.
A configuration was arrived at that worked - the smb.conf from the 2.0.7
days was modified to include winbind, nsswitch.conf changed to suit, the
winbindd library added to /usr/lib, the pam_winbind library added to
/usr/lib/security, /etc/pam.conf modified to match.

I took myself out of /etc/passwd and let the PAM/winbindd combination
authenticate me against our local PDC. No problems, smiles all round!

After a while (about a week), strange things started to occur. I'd try to
log in as myself (telnet, ssh), but pam/winbindd didn't like my password (and
I made sure my account didn't get locked out on the PDC); 10 minutes later
it let me in (still running the same winbindd process). On another occasion
I su - to my username (as superuser) and it gave me another PDC user's
uid!

On top of this at least once a day the winbindd process becomes a CPU hog
and doesn't allow anyone in. It has to be killed and restarted. It doesn't
seem to be time related - it'll run over a weekend without a worry - but
seems to be triggered by whatever the developers are up to.

Anyhoo. I've captured a weird moment or two in
ftp://ftp.motherwell.com.au/pub/incoming/winbindd.log.bz by appending -d 100
-i to the winbindd daemon.
Hope the info helps iron out bugs for the future releases.

Matt McC
Digital Janitor

PS If the file isn't there when you look (in 5 days time it'll get erased by
a cron job), mail me directly and I'll forward you a copy (~700k)