Re: Samba 3.0a19 breaks winbind helpers?
Henrik Nordstrom wrote:

> Haven't tested yet.. we are using 3.0a18 which seems to work fine as
> far as I can tell..

That's probably from before I last played games with the interface :-)

> Lets hope we can get the versioning issue finally sorted out with the
> Samba team before Squid-2.6 (in at least 6 months I would guess)..
>
> For Squid-2.5 I guess we will have to specify which Samba versions are
> known to work with the helpers.

The current stable code uses the interface Squid expects - that's in Samba 2.2.4 and above. Samba 2.2 is in feature freeze, and I would not expect any changes to this interface, in particular because of its use by squid.

> Andrew: Do you think there will be fundamental changes to the winbindd
> API in the next 6 months, or do you think it will be sufficient for
> our purposes to just make use of new headers when there is a revised
> API?

Yes, there will be - I need to create a 'privileged' pipe for squid to use, so that we don't give arbitrary users access to this resource. However, this is in Samba 3.0 only - 2.2 will remain as it is, to avoid breaking Squid.

To get current Samba 3.0 working should only *require* a new header, but you might also want to fill in the 'workstation' field, and allow long challenges - this might be sufficient to get NTLMv2 going (or it might not...).

That's why I'm so keen to sort out this helper issue. If only I had the time to implement it... If somebody on the squid side wants to pick up this project, I'm more than happy to give a hand.

The specifications are:

- Use Samba's NTLMSSP code. Needs separation from the surrounding code in clispnego.c and smbd/sesssetup.c
- Also needs 'ascii' support added. Currently all-unicode.
- Separate Samba-supplied binary, called ntlm_auth
- Use a Popt interface, so that we can specify --squid-2.5 for the current squid protocol etc.
- Have a command-line challenge-response interface - takes --username=abartlet --domain=FOO --lm-resp=ASDGADF (hex encoded, 24 bytes) --nt-resp=AADFAFG1232 (hex encoded >=24 bytes) - returns NT_STATUS_... on stdout, 0 or 1 to exit code
- Have a similar 'plaintext' interface (option not to have password on cmd line)

The idea is that this can be a stable, long-term interface that Samba can provide, to squid and other projects.

Any takers?

> Regards
> Henrik
>
> On Sunday 08 September 2002 02.30, Jerry Murdock wrote:
> > Is anyone running these together successfully?
> >
> > Looks like the api change Andrew has been warning about happened.
> >
> > If so, I will update the FAQ, probably should be in release note as
> > well.
> >
> > Jerry

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: sed: can't read ./../examples/VFS/block/Makefile.in: No suchfile or directory
Sorry, forgot to commit configure after configure.in, but to solve this problem you only need to execute autoconf anyway.

Committed now.

Thanks,
Simo.

On Sat, 2002-09-07 at 18:43, Stefan (metze) Metzmacher wrote:
> Hi Simo,
>
> you removed these files...please fix this
>
> creating ../examples/VFS/Makefile
> creating ../examples/VFS/block/Makefile
>
> creating ../examples/VFS/netatalk/Makefile
> sed: can't read ./../examples/VFS/netatalk/Makefile.in: No such file or
> directory
>
>
> metze
> -
> Stefan "metze" Metzmacher <[EMAIL PROTECTED]>

--
Simo Sorce - [EMAIL PROTECTED]
Samba Team - http://www.samba.org
Re: lp_sam_backend
Here comes version 3:

1.) change lp_sam_backend syntax to sam backend = plugin[|domain_name][:options]
this was needed as ',' is a list separator. The syntax is probably going to change again soon, but not tonight
2.) Added some DEBUG(). They are still in a total mess though
3.) I've actually tested the parsing code now and fixed (hopefully) all of the sig_segv. i.e. it should work now

To compile this patch via bin/samtest, you need a change in the Makefile so that samtest includes passdb/secrets.o and passdb/machine_sid.c

Kai

> Here comes the next version with the following changes:
>
> 1.) use SAM_ASSERT() some more
> 2.) implement context_sam_update_domain I forgot last time
> 3.) change the way context_sam_update_* and context_sam_delete_* find
> their sam_methods. Use current_sam_methods from the handle
>
> Kai
>
> >> Hi,
> >>
> >> This patch is a combination of patches to the sam.
> >>
> >> 1.) change sam_init() to include a domain sid as an in parameter. It
> >> is used to tell the backend module for which domain it is responsible.
> >>
> >> 2.) implement the rest of the context_sam_* functions
> >>
> >> 3.) several style and debug cleanups
> >>
> >> 4.) change the loading routines of the sam backend parameter from
> >> smb.conf. The format is now sam backend =
> >> sam_moduleA[,domain_nameA][:options]
> >> sam_moduleB[,domain_nameB][:options]
> >> [sam_moduleB,builtin_domain[:options]]
> >>
> >>
> >> The patch compiles, but is untested so any comments are welcome.
> >>
> >> Kai

Index: examples/sam/sam_skel.c === RCS file: /cvsroot/samba/examples/sam/sam_skel.c,v retrieving revision 1.3 diff -u -r1.3 sam_skel.c --- examples/sam/sam_skel.c 6 Sep 2002 13:00:37 - 1.3 +++ examples/sam/sam_skel.c 7 Sep 2002 23:08:19 - 
@@ -189,7 +189,7 @@ return NT_STATUS_NOT_IMPLEMENTED; } -NTSTATUS sam_init(const SAM_CONTEXT *sam_context, SAM_METHODS **sam_method, const char *location) +NTSTATUS sam_init(const SAM_CONTEXT *sam_context, SAM_METHODS **sam_method, const +DOM_SID *domain, const char *module_params) { NTSTATUS nt_status; @@ -250,8 +250,8 @@ } else DEBUG(0, ("sam_skel: Debug class number of 'sam_skel': %d\n", sam_skel_debug_level)); DEBUG(0, ("Initializing sam_skel\n")); - if (location) - DEBUG(10, ("Location: %s\n", location)); + if (module_params) + DEBUG(10, ("Module parameters for the domain %s: %s\n", +sid_string_static(domain), module_params)); return NT_STATUS_OK; } Index: source/include/sam.h === RCS file: /cvsroot/samba/source/include/sam.h,v retrieving revision 1.6 diff -u -r1.6 sam.h --- source/include/sam.h6 Sep 2002 13:00:37 - 1.6 +++ source/include/sam.h7 Sep 2002 23:08:20 - @@ -259,13 +259,20 @@ void (*free_private_data)(void **); } SAM_METHODS; -typedef NTSTATUS (*sam_init_function)(const SAM_CONTEXT *, SAM_METHODS **, const char *); +typedef NTSTATUS (*sam_init_function)(const SAM_CONTEXT *, SAM_METHODS **, const +DOM_SID *domain, const char *); struct sam_init_function_entry { - char *name; + char *module_name; /* Function to create a member of the sam_methods list */ sam_init_function init; }; + +typedef struct sam_backend_entry { + char*module_name; + char*module_params; + char*domain_name; + DOM_SID *domain_sid; +} SAM_BACKEND_ENTRY; #endif /* _SAM_H */ Index: source/sam/interface.c === RCS file: /cvsroot/samba/source/sam/interface.c,v retrieving revision 1.7 diff -u -r1.7 interface.c --- source/sam/interface.c 6 Sep 2002 13:21:54 - 1.7 +++ source/sam/interface.c 7 Sep 2002 23:08:22 - @@ -26,6 +26,8 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_SAM +extern DOM_SID global_sid_Builtin; + /** List of various built-in sam modules */ const struct sam_init_function_entry builtin_sam_init_functions[] = { 
@@ -53,8 +55,7 @@ tmp_methods = context->methods; - while (tmp_methods) - { + while (tmp_methods) { if (sid_equal(domainsid, &(tmp_methods->domain->private.sid))) { (*sam_method) = tmp_methods; @@ -79,8 +80,7 @@ tmp_methods = context->methods; - while (tmp_methods) - { + while (tmp_methods) { if (strcmp(domainname, tmp_methods->domain->private.name)) { (*sam_method) = tmp_methods; @@ -99,7 +99,7 @@ SAM_METHODS *tmp_methods; NTSTATUSnt_status; - DEBUG(5,("context_sam_get_sec_desc: %d\n", __LINE__)); + DEBUG(5,("context_sam_get_sec_desc: %d\n", __LINE__)); if (!NT_STATUS_IS_OK(nt_status = sam_get_methods_by_sid(context, &tmp_methods, s
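Review bot: in the sam_skel.c hunk at -250, `sid_string_static(domain)` runs whenever `module_params` is set, but `domain` itself is never checked, so a module initialised without a domain SID dereferences NULL inside the DEBUG call. Suggest `if (module_params && domain)`, or rejecting a NULL `domain` at the top of `sam_init()` now that the new signature makes it a required input.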
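Review bot: the interface.c hunk at -79 only reflows a brace, but its context line `if (strcmp(domainname, tmp_methods->domain->private.name))` is true when the names differ, so the by-name lookup hands back the first backend whose domain does not match (the by-SID loop at -53 uses `sid_equal()` correctly). Since the patch touches this loop, suggest fixing the test to `if (strcmp(...) == 0)`, or Samba's `strequal()` if domain names are meant to compare case-insensitively; otherwise requests for one domain are routed to another backend's SAM.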
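Review bot: the new `SAM_BACKEND_ENTRY` in the sam.h hunk at -259 carries four pointer fields (`module_name`, `module_params`, `domain_name`, `domain_sid`) with no comment on who allocates or frees them and no description of what the struct is for, unlike `sam_init_function_entry` just above it. Suggest a short comment on the typedef and, unless `domain_sid` must alias another SID such as the `global_sid_Builtin` extern added in the interface.c hunk at -26, storing a `DOM_SID` by value so each entry owns its SID.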
Re: lp_sam_backends() syntax
On Sat, Sep 07, 2002 at 11:50:29PM +0200, Kai Krueger wrote:
> > otherwise:
> >
> > sam backends = backend1:options|domain_name1 \
> > backend2:options|domain_name2
>
> I'm against having domain_name as the last part of the string, because if
> domain_name is the last part with a '|' separator, then there may not be
> a '|' in the string before. This causes a restriction on options I don't
> like. The other possibility to use the last '|' in the string is imho not
> nice either, as this would mean you can't omit the domain name anymore as
> soon as there is a | in the options string.
> This would cause a dependency of the syntax of sam backend on the options
> string, which is imho confusing

I don't think it would be really useful to have the possibility to omit the last domain name. Especially since currently there are no situations in which we would have to use multiple domains. It's not worth breaking backwards compatibility to do that.

Imho, we should make the backend name, domain name, and options mandatory when multiple domains are specified. The options field then can contain a | because we can search backwards for the |; this only means that the domain name can't contain a |, which would be the case anyway.

Jelmer
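An added example, not code from this thread or from Samba, that parses both syntaxes debated above: Kai's `plugin[|domain_name][:options]` and Jelmer's `backend:options|domain_name` with the domain taken after the last '|' and made mandatory once several backends are configured. The struct and function names are made up for the illustration; the inputs are constructed so the '|'-inside-options case Kai objects to is visible.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 128

/* One parsed "sam backend" entry (hypothetical struct, not Samba's). */
struct backend_entry {
	char module[FIELD_LEN];
	char domain[FIELD_LEN];   /* "" when no domain was given */
	char options[FIELD_LEN];  /* "" when no options were given */
};

/* Copy n bytes into a fixed field; -1 if they would not fit. */
static int copy_field(char *dst, const char *src, size_t n)
{
	if (n >= FIELD_LEN)
		return -1;
	memcpy(dst, src, n);
	dst[n] = '\0';
	return 0;
}

/* Kai's syntax: plugin[|domain_name][:options]. The domain precedes the
 * options, so a '|' after the first ':' belongs to the options and only
 * the domain name itself may not contain ':'. */
int parse_backend_kai(const char *spec, struct backend_entry *e)
{
	const char *end = spec + strlen(spec);
	const char *colon = strchr(spec, ':');
	const char *bar = strchr(spec, '|');
	const char *mod_end;

	memset(e, 0, sizeof(*e));
	if (bar && colon && bar > colon)
		bar = NULL;                       /* '|' inside the options */
	mod_end = bar ? bar : (colon ? colon : end);
	if (mod_end == spec || copy_field(e->module, spec, mod_end - spec))
		return -1;                        /* empty or oversized plugin */
	if (bar) {
		const char *dom_end = colon ? colon : end;
		if (dom_end == bar + 1 ||
		    copy_field(e->domain, bar + 1, dom_end - (bar + 1)))
			return -1;                    /* "plugin|" with no domain */
	}
	if (colon && copy_field(e->options, colon + 1, end - (colon + 1)))
		return -1;
	return 0;
}

/* Jelmer's syntax: backend:options|domain_name, domain found by searching
 * backwards for the last '|'. With one backend no domain is allowed and
 * everything after ':' is options; with several the domain is mandatory,
 * so options that happen to end in "|something" are read as a domain. */
int parse_backend_jelmer(const char *spec, int multiple, struct backend_entry *e)
{
	const char *end = spec + strlen(spec);
	const char *colon = strchr(spec, ':');
	const char *bar = NULL;

	memset(e, 0, sizeof(*e));
	if (!colon || colon == spec)
		return -1;                        /* backend and ':' mandatory */
	if (copy_field(e->module, spec, colon - spec))
		return -1;
	if (multiple) {
		bar = strrchr(colon + 1, '|');
		if (!bar || bar[1] == '\0')
			return -1;                    /* domain mandatory, non-empty */
		if (copy_field(e->domain, bar + 1, end - (bar + 1)))
			return -1;
	}
	return copy_field(e->options, colon + 1, (bar ? bar : end) - (colon + 1));
}

/* Parse and report 1 when module, domain and options match expectations. */
int check_kai(const char *spec, const char *mod, const char *dom, const char *opt)
{
	struct backend_entry e;
	return parse_backend_kai(spec, &e) == 0 && !strcmp(e.module, mod) &&
	       !strcmp(e.domain, dom) && !strcmp(e.options, opt);
}

int check_jelmer(const char *spec, int multiple, const char *mod, const char *dom, const char *opt)
{
	struct backend_entry e;
	return parse_backend_jelmer(spec, multiple, &e) == 0 && !strcmp(e.module, mod) &&
	       !strcmp(e.domain, dom) && !strcmp(e.options, opt);
}
```

With the constructed spec `ldapsam:uri=ldap://a|ldap://b`, Jelmer's grammar yields options `uri=ldap://a|ldap://b` for a single backend but domain `ldap://b` once a second backend is configured, which is the dependency on the options string Kai describes; Kai's `ldapsam|FOO:uri=ldap://a|ldap://b` keeps the whole URI list as options.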
Re: lp_sam_backends() syntax
> Hi Kai, Metze, Andrew,
>
> Would this work as syntax for lp_sam_backends() ?
>
> When there's only one backend specified
>
> sam backends = backend:options

this should work

> otherwise:
>
> sam backends = backend1:options|domain_name1 \
> backend2:options|domain_name2

I'm against having domain_name as the last part of the string, because if domain_name is the last part with a '|' separator, then there may not be a '|' in the string before. This causes a restriction on options I don't like. The other possibility to use the last '|' in the string is imho not nice either, as this would mean you can't omit the domain name anymore as soon as there is a | in the options string. This would cause a dependency of the syntax of sam backend on the options string, which is imho confusing.

Kai
lp_sam_backends() syntax
Hi Kai, Metze, Andrew,

Would this work as syntax for lp_sam_backends() ?

When there's only one backend specified

sam backends = backend:options

otherwise:

sam backends = backend1:options|domain_name1 \
               backend2:options|domain_name2

Jelmer

--
Jelmer Vernooij http://samba.org/~jelmer/
Samba Team http://www.samba.org/
Running Samba version 2.2.3a-6 for Debian
Re: Maximum number of mounts
OS/2 did not have the 10 concurrent connection limit, although it did have configuration options (in IBMLAN.INI) for maxsessions (one per uid that the server gave out) and maxconnections (one per tid that the server gave out), as well as a parm that controlled the maximum connections (tids) per client. All of these parms can easily be raised, but none of them are likely to be your problem.

If the failure is from a single Linux workstation you may have hit the maximum deviceless mount limit in 2.4 based kernels (this would not affect smbclient, and it is not clear whether you are using smbclient or smbfs from your note). Prior to Linux 2.5 each mount of a network device (and some other special purpose devices) took up one of only 255 "deviceless" mount numbers - it is fairly easy to run out if you are running multiple network filesystems, but this would be clearly visible when you type "mount" and see about 250 mounts that have no associated local device.

From: Simo Sorce <[EMAIL PROTECTED]>
To: root <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Date: 07 Sep 2002 02:15:19 +0200

I think you are mounting against a workstation. Keep in mind Microsoft permits only 10 concurrent accesses to their workstation OS.

Steve French
Senior Software Engineer
Linux Technology Center - IBM Austin
phone: 512-838-2294
email: [EMAIL PROTECTED]
Re: lp_sam_backend
Here comes the next version with the following changes:

1.) use SAM_ASSERT() some more
2.) implement context_sam_update_domain I forgot last time
3.) change the way context_sam_update_* and context_sam_delete_* find their sam_methods. Use current_sam_methods from the handle

Kai

> Hi,
>
> This patch is a combination of patches to the sam.
>
> 1.) change sam_init() to include a domain sid as an in parameter. It is
> used to tell the backend module for which domain it is responsible.
>
> 2.) implement the rest of the context_sam_* functions
>
> 3.) several style and debug cleanups
>
> 4.) change the loading routines of the sam backend parameter from
> smb.conf. The format is now sam backend =
> sam_moduleA[,domain_nameA][:options]
> sam_moduleB[,domain_nameB][:options] [sam_moduleB,builtin_domain[:options]]
>
>
> The patch compiles, but is untested so any comments are welcome.
>
> Kai

Index: examples/sam/sam_skel.c === RCS file: /cvsroot/samba/examples/sam/sam_skel.c,v retrieving revision 1.3 diff -u -r1.3 sam_skel.c --- examples/sam/sam_skel.c 6 Sep 2002 13:00:37 - 1.3 +++ examples/sam/sam_skel.c 7 Sep 2002 12:57:45 - @@ -189,7 +189,7 @@ return NT_STATUS_NOT_IMPLEMENTED; } -NTSTATUS sam_init(const SAM_CONTEXT *sam_context, SAM_METHODS **sam_method, const char *location) +NTSTATUS sam_init(const SAM_CONTEXT *sam_context, SAM_METHODS **sam_method, const +DOM_SID *domain, const char *module_params) { NTSTATUS nt_status; 
@@ -250,8 +250,8 @@ } else DEBUG(0, ("sam_skel: Debug class number of 'sam_skel': %d\n", sam_skel_debug_level)); DEBUG(0, ("Initializing sam_skel\n")); - if (location) - DEBUG(10, ("Location: %s\n", location)); + if (module_params) + DEBUG(10, ("Module parameters for the domain %s: %s\n", +sid_string_static(domain), module_params)); return NT_STATUS_OK; } Index: source/include/sam.h === RCS file: /cvsroot/samba/source/include/sam.h,v retrieving revision 1.6 diff -u -r1.6 sam.h --- source/include/sam.h6 Sep 2002 13:00:37 - 1.6 +++ source/include/sam.h7 Sep 2002 12:57:46 - @@ -259,13 +259,20 @@ void (*free_private_data)(void **); } SAM_METHODS; -typedef NTSTATUS (*sam_init_function)(const SAM_CONTEXT *, SAM_METHODS **, const char *); +typedef NTSTATUS (*sam_init_function)(const SAM_CONTEXT *, SAM_METHODS **, const +DOM_SID *domain, const char *); struct sam_init_function_entry { - char *name; + char *module_name; /* Function to create a member of the sam_methods list */ sam_init_function init; }; + +typedef struct sam_backend_entry { + char*module_name; + char*module_params; + char*domain_name; + DOM_SID *domain_sid; +} SAM_BACKEND_ENTRY; #endif /* _SAM_H */ Index: source/sam/interface.c === RCS file: /cvsroot/samba/source/sam/interface.c,v retrieving revision 1.7 diff -u -r1.7 interface.c --- source/sam/interface.c 6 Sep 2002 13:21:54 - 1.7 +++ source/sam/interface.c 7 Sep 2002 12:57:48 - @@ -26,6 +26,8 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_SAM +extern DOM_SID global_sid_Builtin; + /** List of various built-in sam modules */ const struct sam_init_function_entry builtin_sam_init_functions[] = { @@ -53,8 +55,7 @@ tmp_methods = context->methods; - while (tmp_methods) - { + while (tmp_methods) { if (sid_equal(domainsid, &(tmp_methods->domain->private.sid))) { (*sam_method) = tmp_methods; 
@@ -79,8 +80,7 @@ tmp_methods = context->methods; - while (tmp_methods) - { + while (tmp_methods) { if (strcmp(domainname, tmp_methods->domain->private.name)) { (*sam_method) = tmp_methods; @@ -99,7 +99,7 @@ SAM_METHODS *tmp_methods; NTSTATUSnt_status; - DEBUG(5,("context_sam_get_sec_desc: %d\n", __LINE__)); + DEBUG(5,("context_sam_get_sec_desc: %d\n", __LINE__)); if (!NT_STATUS_IS_OK(nt_status = sam_get_methods_by_sid(context, &tmp_methods, sid))) { DEBUG(4,("sam_get_methods_by_sid failed\n")); @@ -112,7 +112,7 @@ } if (!NT_STATUS_IS_OK(nt_status = tmp_methods->sam_get_sec_desc(tmp_methods, access_token, sid, sd))) { - DEBUG(4,("context_sam_get_sec_desc for %s in backend %s failed\n", sid_string_static(sid), tmp_methods->backendname)); + DEBUG(4,("sam_get_sec_desc for %s in backend %s failed\n", +sid_string_static(sid), tmp_methods->backendname)); return nt_status; } @@ -125,7 +125,7 @@ NTSTATUSnt_status;
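Review bot: the sam.h hunk at -259 changes the `sam_init_function` typedef to take a `const DOM_SID *domain`, yet the only implementation updated in the patch is examples/sam/sam_skel.c; any other entry in `builtin_sam_init_functions[]` (interface.c hunk at -26) or module built against the old header will be called through the new prototype with an argument it does not expect. Suggest listing the converted modules in the patch description, or adding an interface version the loader can check so a stale module fails at load time rather than at its first call.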
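Review bot: the interface.c hunks at -53, -79, -99 and -125 are brace reflows and whitespace-only changes, and the -112 hunk just shortens a DEBUG string; mixing them with the signature change makes the functional part harder to review and to bisect later. Suggest carrying the cosmetic edits as a separate cleanup commit.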
Windows Clients cannot logon to samba PDC
Hello all,

I am trying to make Samba act as a PDC for my Windows clients, but I am getting errors like "The System cannot log you on now because the domain LINUX is not available". I have tried to logon with win2k and winnt clients, all giving me the same error.

When verifying the Samba-HOWTO I found an error like it, but it's telling to delete the private/WORKGROUP.SID, restart smbd and then rejoin the domain. But I could not find the file "WORKGROUP.SID" nor "LINUX.SID". Is there something that I am doing wrong?

I am using Samba 2.2 on a RedHat 7.3. I did verify if the machine account was created and it seems to be ok.. For the "add user script", is it the same as the "add machine script"? I have tried to create the machine account manually also but it still gives me the same error..

[global]
	# On-the-fly Creation of Machine trust Accounts
	add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
	workgroup = Linux
	netbios name = Samba
	server string = Samba Server
	hosts allow = 131.107.2. 127.
	log file = /var/log/samba/%m.log
	security = user
	encrypt passwords = yes
	smb passwd file = /etc/samba/smbpasswd
	unix password sync = Yes
	passwd program = /usr/bin/passwd %u
	passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
	pam password change = yes
	username map = /etc/samba/smbusers
	obey pam restrictions = yes
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	local master = yes
	os level = 64
	domain master = yes
	preferred master = yes
	domain logons = yes
	dns proxy = no

[netlogon]
	comment = Network Logon Service
	path = /etc/samba/netlogon
	guest ok = yes
	writable = no
	share modes = no
	write list = root

Thanks in advance,

Didier Hung Wan Luk
FRCI, Sibotie House
L'Anse Courtois
Pailles
Tel: 230-2869636
Fax: 230-2869629
yet another version of lib/gencache.c
This is a much more SMB_ASSERT-ed version of lib/gencache.c :)
Any comments are, of course, appreciated.

--
cheers,
Rafal 'Mimir' Szczesniak <[EMAIL PROTECTED]>
*BSD, GNU/Linux and Samba

/*
   Unix SMB/CIFS implementation.
   Generic, persistent and shared between processes cache mechanism
   for use by various parts of the Samba code

   Copyright (C) Rafal Szczesniak 2002

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 2 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/

#include "includes.h"

#undef DBGC_CLASS
#define DBGC_CLASS DBGC_TDB

#define TIMEOUT_LEN 12
#define CACHE_DATA_FMT "%12d; %s"

static TDB_CONTEXT *cache;

/**
 * @file gencache.c
 * @brief Generic, persistent and shared between processes cache mechanism
 *        for use by various parts of the Samba code
 **/

/**
 * Cache initialisation function. Opens cache tdb file or creates
 * it if it does not exist.
 *
 * @return true on successful initialisation of the cache or
 *         false on failure
 **/

BOOL gencache_init(void)
{
	char* cache_fname;

	/* skip file open if it's already opened */
	if (cache) return True;

	asprintf(&cache_fname, "%s/%s", lp_lockdir(), "gencache.tdb");
	DEBUG(5, ("Opening cache file at %s\n", cache_fname));

	cache = tdb_open_log(cache_fname, 0, TDB_DEFAULT,
	                     O_RDWR|O_CREAT, 0644);

	SAFE_FREE(cache_fname);
	if (!cache) {
		DEBUG(0, ("Attempt to open the cache file has failed.\n"));
		return False;
	}
	return True;
}

/**
 * Cache shutdown function. Closes opened cache tdb file.
 *
 * @return true on successful closing the cache or
 *         false on failure during cache shutdown
 **/

BOOL gencache_shutdown(void)
{
	/* tdb_close routine returns 0 on successful close */
	if (!cache) return False;
	DEBUG(5, ("Closing cache file\n"));
	return tdb_close(cache) ? False : True;
}

/**
 * Add one entry to the cache file.
 * (it's part of tridge's proposed API)
 *
 * @param keystr string that represents a key of this entry
 * @param value text representation value being cached
 * @param timeout time when the value is expired
 *
 * @return true when entry is successfully stored or
 *         false on the attempt's failure
 **/

BOOL gencache_add(const char *keystr, const char *value, time_t timeout)
{
	int ret;
	TDB_DATA keybuf, databuf;
	char* valstr = NULL;

	/* fail completely if get null pointers passed;
	   the check is on 'value' - 'valstr' is still NULL at this point */
	SMB_ASSERT(keystr && value);

	if (!gencache_init()) return False;

	asprintf(&valstr, CACHE_DATA_FMT, (int)timeout, value);
	keybuf.dptr = strdup(keystr);
	keybuf.dsize = strlen(keystr);
	databuf.dptr = strdup(valstr);
	databuf.dsize = strlen(valstr);
	DEBUG(10, ("Adding cache entry with key = %s; value = %s and timeout = %s (%d seconds %s)\n",
	           keybuf.dptr, value, ctime(&timeout), (int)(timeout - time(NULL)),
	           timeout > time(NULL) ? "ahead" : "in the past"));

	ret = tdb_store(cache, keybuf, databuf, TDB_INSERT);
	SAFE_FREE(valstr);
	SAFE_FREE(keybuf.dptr);
	SAFE_FREE(databuf.dptr);

	return ret == 0 ? True : False;
}

/**
 * Set existing entry to the cache file.
 * (it's part of tridge's proposed API)
 *
 * @param keystr string that represents a key of this entry
 * @param valstr text representation value being cached
 * @param timeout time when the value is expired
 *
 * @return true when entry is successfully set or
 *         false on the attempt's failure
 **/

BOOL gencache_set(const char *keystr, const char *valstr, time_t timeout)
{
	int ret = -1;
	TDB_DATA keybuf, databuf;
	char *old_valstr = NULL, *datastr;
	time_t old_timeout = 0;

	/* fail completely if get null pointers passed */
	SMB_ASSERT(keystr && valstr);

	if (!gencache_init()) return False;

	/*
	 * Check whether entry exists in the cache
	 * Don't verify gencache_get exit code, since the entry may be expired
	 */
	gencache_get(keystr, &old_valstr, &old_timeout);

	if (!(old_valstr && old_timeout)) return False;

	DEBUG(10, ("Setting cache entry with key = %s; old value = %s and old timeout = %s\n",
	           keystr, old_valstr, ctime(&old_timeout)));

	asprintf(&datastr, CACHE_DATA_FMT, (int)timeout, valstr);
	keybuf.dptr = strdup(keystr);
	keybuf.dsize = strlen(keystr);
	databuf.dptr = strdup(datastr);
	databuf.dsize = strl
Re: trusted domains patch n+3
On Sat, Sep 07, 2002 at 12:54:47PM +0200, Simo Sorce wrote:
> I tested yesterday against w2k, if you pass a bogus domain name it simply
> ignores it and tries against the local sam.

And that's what we can do as well. The thing is that it tries against the local sam instead of returning an error. This is what make_user_info_map is for. We can put our domain name into auth_usersupplied_info.domain and behave just like you tested. We can be even more secure and refuse some connections.

> > On Sat, Sep 07, 2002 at 02:11:05AM +0200, Simo Sorce wrote:
> > > Ok, that was clear, what I want to ask, is: why should we try to logon a
> > > user that provides bad information? Shouldn't we simply deny it with an
> > > error? How does NT behave in such situations?
> >
> > In case of incorrect credentials passed when attempting to connect,
> > NT prompts you to enter username and password. Just like completely
> > new logon to remote server's SAM.
> >
> > --
> > cheers,
> > Rafal 'Mimir' Szczesniak <[EMAIL PROTECTED]>
> > *BSD, GNU/Linux and Samba
> --
> Simo Sorce - [EMAIL PROTECTED]
> Xsec s.r.l.
> via Durando 10 Ed. G - 20158 - Milano
> tel. +39 02 2399 7130 - fax: +39 02 700 442 399

--
cheers,
Rafal 'Mimir' Szczesniak <[EMAIL PROTECTED]>
*BSD, GNU/Linux and Samba
Re: trusted domains patch n+3
I tested yesterday against w2k, if you pass a bogus domain name it simply ignores it and tries against the local sam.

Simo.

On Sat, 2002-09-07 at 12:47, Rafal Szczesniak wrote:
> On Sat, Sep 07, 2002 at 02:11:05AM +0200, Simo Sorce wrote:
> > Ok, that was clear, what I want to ask, is: why should we try to logon a
> > user that provides bad information? Shouldn't we simply deny it with an
> > error? How does NT behave in such situations?
>
> In case of incorrect credentials passed when attempting to connect,
> NT prompts you to enter username and password. Just like completely
> new logon to remote server's SAM.
>
> --
> cheers,
> Rafal 'Mimir' Szczesniak <[EMAIL PROTECTED]>
> *BSD, GNU/Linux and Samba

--
Simo Sorce - [EMAIL PROTECTED]
Xsec s.r.l.
via Durando 10 Ed. G - 20158 - Milano
tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: trusted domains patch n+3
On Sat, Sep 07, 2002 at 02:11:05AM +0200, Simo Sorce wrote:
> Ok, that was clear, what I want to ask, is: why should we try to logon a
> user that provides bad information? Shouldn't we simply deny it with an
> error? How does NT behave in such situations?

In case of incorrect credentials passed when attempting to connect, NT prompts you to enter username and password. Just like a completely new logon to the remote server's SAM.

--
cheers,
Rafal 'Mimir' Szczesniak <[EMAIL PROTECTED]>
*BSD, GNU/Linux and Samba
re: lp_sam_backend
Hi,

This patch is a combination of patches to the sam.

1.) change sam_init() to include a domain sid as an in parameter. It is used to tell the backend module for which domain it is responsible.

2.) implement the rest of the context_sam_* functions

3.) several style and debug cleanups

4.) change the loading routines of the sam backend parameter from smb.conf. The format is now
sam backend = sam_moduleA[,domain_nameA][:options] sam_moduleB[,domain_nameB][:options] [sam_moduleB,builtin_domain[:options]]

The patch compiles, but is untested so any comments are welcome.

Kai

Index: examples/sam/sam_skel.c === RCS file: /cvsroot/samba/examples/sam/sam_skel.c,v retrieving revision 1.3 diff -u -r1.3 sam_skel.c --- examples/sam/sam_skel.c 6 Sep 2002 13:00:37 - 1.3 +++ examples/sam/sam_skel.c 7 Sep 2002 09:49:26 - @@ -189,7 +189,7 @@ return NT_STATUS_NOT_IMPLEMENTED; } -NTSTATUS sam_init(const SAM_CONTEXT *sam_context, SAM_METHODS **sam_method, const char *location) +NTSTATUS sam_init(const SAM_CONTEXT *sam_context, SAM_METHODS **sam_method, const +DOM_SID *domain, const char *module_params) { NTSTATUS nt_status; @@ -250,8 +250,8 @@ } else DEBUG(0, ("sam_skel: Debug class number of 'sam_skel': %d\n", sam_skel_debug_level)); DEBUG(0, ("Initializing sam_skel\n")); - if (location) - DEBUG(10, ("Location: %s\n", location)); + if (module_params) + DEBUG(10, ("Module parameters for the domain %s: %s\n", +sid_string_static(domain), module_params)); return NT_STATUS_OK; } Index: source/include/sam.h === RCS file: /cvsroot/samba/source/include/sam.h,v retrieving revision 1.6 diff -u -r1.6 sam.h --- source/include/sam.h6 Sep 2002 13:00:37 - 1.6 +++ source/include/sam.h7 Sep 2002 09:49:27 - 
@@ -259,13 +259,20 @@ void (*free_private_data)(void **); } SAM_METHODS; -typedef NTSTATUS (*sam_init_function)(const SAM_CONTEXT *, SAM_METHODS **, const char *); +typedef NTSTATUS (*sam_init_function)(const SAM_CONTEXT *, SAM_METHODS **, const +DOM_SID *domain, const char *); struct sam_init_function_entry { - char *name; + char *module_name; /* Function to create a member of the sam_methods list */ sam_init_function init; }; + +typedef struct sam_backend_entry { + char*module_name; + char*module_params; + char*domain_name; + DOM_SID *domain_sid; +} SAM_BACKEND_ENTRY; #endif /* _SAM_H */ Index: source/sam/interface.c === RCS file: /cvsroot/samba/source/sam/interface.c,v retrieving revision 1.7 diff -u -r1.7 interface.c --- source/sam/interface.c 6 Sep 2002 13:21:54 - 1.7 +++ source/sam/interface.c 7 Sep 2002 09:49:30 - @@ -26,6 +26,8 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_SAM +extern DOM_SID global_sid_Builtin; + /** List of various built-in sam modules */ const struct sam_init_function_entry builtin_sam_init_functions[] = { @@ -53,8 +55,7 @@ tmp_methods = context->methods; - while (tmp_methods) - { + while (tmp_methods) { if (sid_equal(domainsid, &(tmp_methods->domain->private.sid))) { (*sam_method) = tmp_methods; @@ -79,8 +80,7 @@ tmp_methods = context->methods; - while (tmp_methods) - { + while (tmp_methods) { if (strcmp(domainname, tmp_methods->domain->private.name)) { (*sam_method) = tmp_methods; @@ -99,7 +99,7 @@ SAM_METHODS *tmp_methods; NTSTATUSnt_status; - DEBUG(5,("context_sam_get_sec_desc: %d\n", __LINE__)); + DEBUG(5,("context_sam_get_sec_desc: %d\n", __LINE__)); if (!NT_STATUS_IS_OK(nt_status = sam_get_methods_by_sid(context, &tmp_methods, sid))) { DEBUG(4,("sam_get_methods_by_sid failed\n")); 
@@ -112,7 +112,7 @@ } if (!NT_STATUS_IS_OK(nt_status = tmp_methods->sam_get_sec_desc(tmp_methods, access_token, sid, sd))) { - DEBUG(4,("context_sam_get_sec_desc for %s in backend %s failed\n", sid_string_static(sid), tmp_methods->backendname)); + DEBUG(4,("sam_get_sec_desc for %s in backend %s failed\n", +sid_string_static(sid), tmp_methods->backendname)); return nt_status; } @@ -125,7 +125,7 @@ NTSTATUSnt_status; DEBUG(5,("context_sam_set_sec_desc: %d\n", __LINE__)); - + if (!NT_STATUS_IS_OK(nt_status = sam_get_methods_by_sid(context, &tmp_methods, sid))) { DEBUG(4,("sam_get_methods_by_sid failed\n")); return nt_status; @@ -137,7 +137,7 @@ } if (!NT_STATUS_IS_OK
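Review bot: the interface.c hunk at -26 adds `extern DOM_SID global_sid_Builtin;` as a file-local declaration, so if the definition's type ever changes the compiler cannot catch the mismatch. Suggest declaring it once in a shared header that both the defining file and interface.c include.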
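Review bot: the sam_skel.c hunk at -250 logs `module_params` verbatim at debug level 10. If a backend's options string ever carries a bind password or similar secret, it lands in the log file; suggest either documenting that module parameters must not contain secrets or masking the value before logging it.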
Ethereal now dissects the Kerberos AP-REQ and AP-REP messages AFAIK
Hi,

Ethereal now seems to dissect these two message types, so we get to see quite a bit of the stuff in Windows AD type authenticates.

Regards
-
Richard Sharpe, [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]