Re: mangling scheme

2002-09-09 Thread Simo Sorce

On Mon, 2002-09-09 at 08:33, Lucas Correia Villa Real wrote:
 Hi,
 
 Recently I did find a little trouble in a program: it creates links
 to the most recently used files, but using the not-so-'default' Win9X
 mangling scheme, that is, 'program files' becomes 'progra~1' and not
 'progr~-1'.

This seems to me the correct behaviour; why do you think it should be
progr~1?

 I did a search over the samba archives and noticed some patches and 
 discussions about performance and even about non-compliance between 
 Win9x and WinNT mangling methods. Is there a working* patch to do 
 that kind of stuff? If not, can someone point me to the algorithms
 used by Win9X/NT to do that? Will such a patch be welcome by Samba?

I extensively tested the w2k algorithms, which I suppose are the same as
NT, and they seem to use the 6chars+~1 through ~5 and then they start to
produce a poor hash-based name like prA9BF~1 that is clearly a 2-byte
length hex representation. The exact algorithm is not known to me, but
we tested that it is really poor and prone to a lot of name collisions.
We implemented a new mangling algorithm for HEAD called hash2 that is
pretty good. Look at smbd/mangle_hash2.c if you are curious.

About patches: they are always welcome, but to be accepted they need to
address a real problem and get it the right way. What do you have in
mind exactly?

 Thanks in advance,
 Lucas
 
 * performance is not a problem in my target network, so anything will
 be really welcome :)

I have some code for a tdb-based persistent mangling db that could help,
but it is not ready yet and is broken in little pieces, part new code and
part code from an older, not very good implementation.

Simo.

-- 
Simo Sorce - [EMAIL PROTECTED]
Xsec s.r.l.
via Durando 10 Ed. G - 20158 - Milano
tel. +39 02 2399 7130 - fax: +39 02 700 442 399





Re: mangling scheme

2002-09-09 Thread Lucas Correia Villa Real

On 09 Sep 2002 09:27:21 +0200
Simo Sorce [EMAIL PROTECTED] wrote:

 On Mon, 2002-09-09 at 08:33, Lucas Correia Villa Real wrote:
  Hi,
  
  Recently I did find a little trouble in a program: it creates links
  to the most recently used files, but using the not-so-'default' Win9X
  mangling scheme, that is, 'program files' becomes 'progra~1' and not
  'progr~-1'.
 
 This seems to me the correct behaviour; why do you think it should be
 progr~1?

Sorry, I think I was misunderstood here. What the program does is to
address 'program files' into 'progra~1', the same way as the WinNT
server was doing, but with Samba the same entry becomes 'progr~-1',
using the hash1 algorithm.

  I did a search over the samba archives and noticed some patches and 
  discussions about performance and even about non-compliance between 
  Win9x and WinNT mangling methods. Is there a working* patch to do 
  that kind of stuff? If not, can someone point me to the algorithms
  used by Win9X/NT to do that? Will such a patch be welcome by Samba?
 
 I extensively tested the w2k algorithms, which I suppose are the same as
 NT, and they seem to use the 6chars+~1 through ~5 and then they start to
 produce a poor hash-based name like prA9BF~1 that is clearly a 2-byte
 length hex representation. The exact algorithm is not known to me, but
 we tested that it is really poor and prone to a lot of name collisions.
 We implemented a new mangling algorithm for HEAD called hash2 that is
 pretty good. Look at smbd/mangle_hash2.c if you are curious.

 About patches: they are always welcome, but to be accepted they need to
 address a real problem and get it the right way. What do you have in
 mind exactly?

I just got the sources, and as far as I could see, that's exactly what I 
was looking for. I will put it in action today.

 I have some code for a tdb-based persistent mangling db that could help,
 but it is not ready yet and is broken in little pieces, part new code and
 part code from an older, not very good implementation.

Thanks for your attention, if I feel I will need to use a different scheme
I will try to give a look at it.

Lucas



Re: mangling scheme

2002-09-09 Thread Simo Sorce

However this is a strange behaviour; generally apps should not try to
guess the mangling scheme on their own but ask the system to tell them
which is the short name, otherwise the application is poorly made.

Have you migrated an installation by chance? That may explain the
problem: many installations do save 8.3 paths in registry after the
system has told them which is the mangled name, so maybe you can simply
tweak your registry to reflect the correct name.

Simo.

On Mon, 2002-09-09 at 10:26, Lucas Correia Villa Real wrote:
 On 09 Sep 2002 09:27:21 +0200
 Simo Sorce [EMAIL PROTECTED] wrote:
 
  On Mon, 2002-09-09 at 08:33, Lucas Correia Villa Real wrote:
   Hi,
   
   Recently I did find a little trouble in a program: it creates links
   to the most recently used files, but using the not-so-'default' Win9X
   mangling scheme, that is, 'program files' becomes 'progra~1' and not
   'progr~-1'.
  
  This seems to me the correct behaviour; why do you think it should be
  progr~1?
 
 Sorry, I think I was misunderstood here. What the program does is to
 address 'program files' into 'progra~1', the same way as the WinNT
 server was doing, but with Samba the same entry becomes 'progr~-1',
 using the hash1 algorithm.
 
   I did a search over the samba archives and noticed some patches and 
   discussions about performance and even about non-compliance between 
   Win9x and WinNT mangling methods. Is there a working* patch to do 
   that kind of stuff? If not, can someone point me to the algorithms
   used by Win9X/NT to do that? Will such a patch be welcome by Samba?
  
  I extensively tested the w2k algorithms, which I suppose are the same as
  NT, and they seem to use the 6chars+~1 through ~5 and then they start to
  produce a poor hash-based name like prA9BF~1 that is clearly a 2-byte
  length hex representation. The exact algorithm is not known to me, but
  we tested that it is really poor and prone to a lot of name collisions.
  We implemented a new mangling algorithm for HEAD called hash2 that is
  pretty good. Look at smbd/mangle_hash2.c if you are curious.
 
  About patches: they are always welcome, but to be accepted they need to
  address a real problem and get it the right way. What do you have in
  mind exactly?
 
 I just got the sources, and as far as I could see, that's exactly what I 
 was looking for. I will put it in action today.
 
  I have some code for a tdb-based persistent mangling db that could help,
  but it is not ready yet and is broken in little pieces, part new code and
  part code from an older, not very good implementation.
 
 Thanks for your attention, if I feel I will need to use a different scheme
 I will try to give a look at it.
 
 Lucas
-- 
Simo Sorce - [EMAIL PROTECTED]
Xsec s.r.l.
via Durando 10 Ed. G - 20158 - Milano
tel. +39 02 2399 7130 - fax: +39 02 700 442 399





NTLMSSP SMB/CIFS clients (was:: Samba 3.0a19 breaks winbind helpers?)

2002-09-09 Thread Jim McDonough


The only CIFS/SMB client that does NTLMSSP is Win2k, and it does
unicode.  The other clients just use standard Session Setups, where we
support ASCII and Unicode as negotiated (in HEAD, ASCII/multibyte only
in 2.2)
Be careful: have you seen/tested every CIFS client there is?  Steve's CIFS
VFS does NTLMSSP (though it does also do Unicode).


Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074
USA

[EMAIL PROTECTED]
[EMAIL PROTECTED]

Phone: (207) 885-5565
IBM tie-line: 776-9984





PR #s 25271, 25273, 25445 security=domain does not work on Solaris

2002-09-09 Thread Tim Allen

The first bug submission was rejected, as SPAM
The second was rejected, no reason given.
The third one is still incoming.

I have posted to this group in the past and been told that the behavior
I'm seeing is not correct. My main file server (Samba/Linux) does not
behave this way (similar smb.conf). Can anyone advise me what's wrong
with my bug submissions? I don't want to waste anyone's time but this is
either a program bug or a documentation bug (I've read the FAQs, docs,
and mailing list archives - did I miss something?). Does someone need to
sponsor my bug?

http://bugs.samba.org/?findid=25271  

http://bugs.samba.org/?findid=25273 

http://bugs.samba.org/?findid=25445




Re: Mapping between POSIX and NT ACLs

2002-09-09 Thread Andreas Gruenbacher

Hello,

here is an improved version of the patch.

--Andreas.

--- samba-2.2.5.orig/source/smbd/posix_acls.c   2002-06-19 03:13:48.0 
+0200
+++ samba-2.2.5/source/smbd/posix_acls.c2002-09-09 16:23:54.0 +0200
 -346,7 +346,23 
if ((ace-perms  ALL_ACE_PERMS) == ALL_ACE_PERMS) {
nt_mask = UNIX_ACCESS_RWX;
} else if ((ace-perms  ALL_ACE_PERMS) == (mode_t)0) {
+#ifdef OLD_MAPPING
+   /* Windows NT refuses to display ACEs with no permissions in them (but
+  they are perfectly legal with Windows 2000). If the ACE has empty
+  permissions we cannot use 0, so we map UNIX_ACCESS_NONE to 
+WRITE_OWNER
+  which we ignore when set an ACL. */
nt_mask = UNIX_ACCESS_NONE;
+#else
+   /* With the new mapping it has become feasible to convert the entry to
+  DENY/.../FULL, which isn't so wrong anymore since we drop
+  ALLOW/Everone/NONE ACEs anyway. The only problem: This will mask off
+  permissions from the owner if he is member of the group with no
+  permissions. Perhaps it's better to fix the code that does that
+  masking off? */
+   *pacl_type = SEC_ACE_TYPE_ACCESS_DENIED;
+   nt_mask = UNIX_ACCESS_RWX | GENERIC_ALL_ACCESS;
+   
+#endif
} else {
nt_mask |= ((ace-perms  S_IRUSR) ? UNIX_ACCESS_R : 0 );
nt_mask |= ((ace-perms  S_IWUSR) ? UNIX_ACCESS_W : 0 );
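
Review bot: The #else branch writes SEC_ACE_TYPE_ACCESS_DENIED through *pacl_type and sets nt_mask to UNIX_ACCESS_RWX | GENERIC_ALL_ACCESS for every entry with empty permissions, and its own comment admits this will mask off the owner's permissions when the owner is a member of such a group. That open question should be settled before merging: either restrict the DENY mapping to entries that cannot shadow the owning user, or fix the masking code the comment refers to, rather than leaving the choice behind an OLD_MAPPING compile-time switch that nothing in the hunk documents. Nothing visible here shows pacl_type being checked for NULL before the write. The comment also has a typo ("Everone") and the added block ends with a whitespace-only line.
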
 -678,6 +694,43 
return True;
 }
 
+static void check_owning_objs(canon_ace *ace, DOM_SID *pfile_owner_sid, 
DOM_SID *pfile_grp_sid)
+{
+   BOOL got_user_obj, got_group_obj;
+   canon_ace *current_ace;
+   int i, entries;
+   
+   entries = count_canon_ace_list(ace);
+   got_user_obj = False;
+   got_group_obj = False;
+
+   for (i=0, current_ace = ace; i  entries; i++, current_ace = 
current_ace-next) {
+   if (current_ace-type == SMB_ACL_USER_OBJ)
+   got_user_obj = True;
+   else if (current_ace-type == SMB_ACL_GROUP_OBJ)
+   got_group_obj = True;
+   }
+   if (got_user_obj  got_group_obj) {
+   print_canon_ace_list( ACL had owning user/group entries, ace);
+   return;
+   } else {
+   print_canon_ace_list( Faking owning user/group entries, ace);
+   }
+
+   for (i=0, current_ace = ace; i  entries; i++, current_ace = 
current_ace-next) {
+   if (!got_user_obj  current_ace-owner_type == UID_ACE 
+   sid_equal(current_ace-trustee, pfile_owner_sid)) {
+   current_ace-type = SMB_ACL_USER_OBJ;
+   got_user_obj = True;
+   }
+   if (!got_group_obj  current_ace-owner_type == GID_ACE 
+   sid_equal(current_ace-trustee, pfile_grp_sid)) {
+   current_ace-type = SMB_ACL_GROUP_OBJ;
+   got_group_obj = True;
+   }
+   }
+}
+
 /
  Unpack a SEC_DESC into two canonical ace lists.
 /
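
Review bot: check_owning_objs() returns void, so when the second loop finds no ACE whose trustee equals pfile_owner_sid or pfile_grp_sid the list still lacks an SMB_ACL_USER_OBJ or SMB_ACL_GROUP_OBJ entry and the caller cannot tell. Consider returning BOOL (got_user_obj && got_group_obj) and letting the caller decide what to do. The second loop also retypes an entry on owner_type and trustee alone; since the first hunk introduces SEC_ACE_TYPE_ACCESS_DENIED entries, it is worth confirming that a deny entry for the owner cannot be promoted to the owning-user entry. Smaller points: both loops count entries and also follow the next pointer, where walking the list to its end would do if it is NULL-terminated; the "Faking owning user/group entries" message is printed even when only one of the two entries is missing; and the function has no header comment although the function right after it does.
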
 -688,6 +741,8 
canon_ace **ppfile_ace, 
canon_ace **ppdir_ace,
SEC_ACL *dacl)
 {
+   extern DOM_SID global_sid_Creator_Owner;
+   extern DOM_SID global_sid_Creator_Group;
extern DOM_SID global_sid_World;
extern struct generic_mapping file_generic_mapping;
BOOL all_aces_are_inherit_only = (fsp-is_directory ? True : False);
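
Review bot: The two added extern DOM_SID declarations are block-scope, like the existing global_sid_World line below them, so they are not checked against the definitions unless a header also declares them. Style point rather than a bug: declaring global_sid_Creator_Owner and global_sid_Creator_Group in a shared header would catch a type mismatch at build time.
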
 -805,15 +860,27 
/*
 * Try and work out if the SID is a user or group
 * as we need to flag these differently for POSIX.
+* Note what kind of a POSIX ACL this should map to.
 */
 
if( sid_equal(current_ace-trustee, global_sid_World)) {
current_ace-owner_type = WORLD_ACE;
current_ace-unix_ug.world = -1;
+   current_ace-type = SMB_ACL_OTHER;
+   } else if (sid_equal(current_ace-trustee, 
+global_sid_Creator_Owner)) {
+   current_ace-owner_type = UID_ACE;
+   current_ace-unix_ug.world = -1;
+   current_ace-type = SMB_ACL_USER_OBJ;
+   } else if (sid_equal(current_ace-trustee, 
+global_sid_Creator_Group)) {
+   current_ace-owner_type = GID_ACE;
+   current_ace-unix_ug.world = -1;
+   current_ace-type = SMB_ACL_GROUP_OBJ;
} else if (sid_to_uid( current_ace-trustee, 
current_ace-unix_ug.uid, 
sid_type)) {
current_ace-owner_type = 
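
Review bot: In the two new Creator Owner / Creator Group branches, owner_type is set to UID_ACE or GID_ACE but the id is stored through unix_ug.world = -1, while the sid_to_uid branch below fills unix_ug.uid. If unix_ug is a union this leaves -1 in the uid or gid member of an entry that later code may treat as a real user or group entry. Set the matching member explicitly, or document that -1 is a placeholder and where it gets resolved; check_owning_objs() in this patch does not do that, since it only compares trustee SIDs and never rewrites unix_ug. The added comment line "Note what kind of a POSIX ACL this should map to" would be clearer as "POSIX ACL entry".
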

Re: NTLMSSP SMB/CIFS clients (was:: Samba 3.0a19 breaks winbind helpers?)

2002-09-09 Thread Andrew Bartlett

Jim McDonough wrote:
 
 The only CIFS/SMB client that does NTLMSSP is Win2k, and it does
 unicode.  The other clients just use standard Session Setups, where we
 support ASCII and Unicode as negotiated (in HEAD, ASCII/multibyte only
 in 2.2)
 Be careful: have you seen/tested every CIFS client there is?  Steve's CIFS
 VFS does NTLMSSP (though it does also do Unicode).

Yes, I should avoid generalisations... :-)

Andrew,

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net



Re: System documentation of Samba

2002-09-09 Thread David Collier-Brown

Volker Lendecke wrote:
 Sorry, David, but that description is not completely correct. The Solaris fcntl
 scaling problem does *not* happen on files that are shared to users, it happens
 on the internal Samba .tdb-files. 

Thanks, I didn't realize that both of these were
aspects of the same problem. I was only following
the one.

--dave
-- 
David Collier-Brown,   | Always do right. This will gratify 
Performance  Engineering  | some people and astonish the rest.
Americas Customer Engineering, |  -- Mark Twain
(905) 415-2849 | [EMAIL PROTECTED]



Re: PR #s 25271, 25273, 25445 security=domain does not work on Solaris

2002-09-09 Thread David Collier-Brown

Tim Allen wrote:
 I have posted to this group in the past and been told that the behavior
 I'm seeing is not correct. My main file server (Samba/Linux) does not
 behave this way (similar smb.conf). 

And the symptom was:
| I have posted to the user groups and think I have found a bug. Our
| RHL6.2 box running samba 2.0.6 is a member of our NT domain. An NT user
| (say jbloggs) cannot browse the unix/samba box unless there is a
| corresponding unix user (jbloggs) on the unix box; this is the expected
| (and correct??!) behavior. We have added samba 2.2.2 to one of our Sun
| boxes (Solaris 8) and now we appear to have to add users to the
| smbusers file in addition to (or instead of) just having a
| corresponding unix user. I will supply further information (smb.conf,
| log files, whatever) as requested.

You normally need a Unix user, but if you wish to use
the NT form of encrypted passwords, you also have
to have an entry for the user in the smbpasswd file.
As security=domain requires encrypted passwords,
I'm afraid you're stuck with it!

I run inside a firewall, and so don't use domains.


--dave (security = user) c-b
-- 
David Collier-Brown,   | Always do right. This will gratify 
Performance  Engineering  | some people and astonish the rest.
Americas Customer Engineering, |  -- Mark Twain
(905) 415-2849 | [EMAIL PROTECTED]



Re: NTLMSSP SMB/CIFS clients (was:: Samba 3.0a19 breaks winbind helpers?)

2002-09-09 Thread Richard Sharpe

On Mon, 9 Sep 2002, Jim McDonough wrote:

 
 The only CIFS/SMB client that does NTLMSSP is Win2k, and it does
 unicode.  The other clients just use standard Session Setups, where we
 support ASCII and Unicode as negotiated (in HEAD, ASCII/multibyte only
 in 2.2)
 Be careful: have you seen/tested every CIFS client there is?  Steve's CIFS
 VFS does NTLMSSP (though it does also do Unicode).

actually, smbclient in head also does NTLMSSP!

Regards
-
Richard Sharpe, [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED]




Re: PR #s 25271, 25273, 25445 security=domain does not work on Solaris

2002-09-09 Thread Eric Boehm

On Mon, Sep 09, 2002 at 11:36:51AM -0400, David Collier-Brown wrote:
 David == David Collier-Brown [EMAIL PROTECTED] writes:
 Tim == Tim Allen [EMAIL PROTECTED] writes:

Tim I have posted to this group in the past and been told that
Tim the behavior I'm seeing is not correct. My main file server
Tim (Samba/Linux) does not behave this way (similar smb.conf).

Tim And the symptom was: I have posted to the user groups and
Tim think I have found a bug. Our RHL6.2 box running samba 2.0.6
Tim is a member of our NT domain. An NT user (say jbloggs) cannot
Tim browse the unix/samba box unless there is a corresponding
Tim unix user (jbloggs) on the unix box; this is the expected
Tim (and correct??!) behavior. We have added samba 2.2.2 to one
Tim of our Sun boxes (Solaris 8) and now we appear to have to add
Tim users to the smbusers file in addition to (or instead of)
Tim just having a corresponding unix user. I will supply further
Tim information (smb.conf, log files, whatever) as requested.

David  You normally need a Unix user, but if you wish to use
David the NT form of encrypted passwords, you also have to have
David an entry for the user in the smbpasswd file.  As
David security=domain requires encrypted passwords, I'm afraid
David you're stuck with it!


Are you sure about this? I've been running 2.0.7 for a couple of years
with security = domain and I don't need to create an smbusers
file. The only time I run into problems is if the Windows user does
not have a UNIX account. As long as the userid exists in the Windows
domain and NIS domain, it works fine (with encrypted passwords).

I am also running 2.2.5 with the same configuration.

It might be worthwhile to see Tim's smb.conf or a level 3 or level 5
log of a failed access.

Here's the relevant portion of mine

workgroup  = AMERICASE
security   = domain
password server= ZRTPD01T ZRTPD0P0 NRTPDE11
# 
wins server= 47.156.160.179
encrypt passwords  = yes 

-- 
Eric M. Boehm  /\  ASCII Ribbon Campaign
[EMAIL PROTECTED]   \ /  No HTML or RTF in mail
X   No proprietary word-processing
Respect Open Standards / \  files in mail



Re: PR #s 25271, 25273, 25445 security=domain does not work on Solaris

2002-09-09 Thread Richard Sharpe

On Mon, 9 Sep 2002, Eric Boehm wrote:

 On Mon, Sep 09, 2002 at 11:36:51AM -0400, David Collier-Brown wrote:
  David == David Collier-Brown [EMAIL PROTECTED] writes:
  Tim == Tim Allen [EMAIL PROTECTED] writes:
 
 David  You normally need a Unix user, but if you wish to use
 David the NT form of encrypted passwords, you also have to have
 David an entry for the user in the smbpasswd file.  As
 David security=domain requires encrypted passwords, I'm afraid
 David you're stuck with it!
 
 
 Are you sure about this? I've been running 2.0.7 for a couple of years
 with security = domain and I don't need to create an smbusers
 file. The only time I run into problems is if the Windows user does
 not have a UNIX account. As long as the userid exists in the Windows
 domain and NIS domain, it works fine (with encrypted passwords).

Well, it's a fact that you need a UNIX user/account. In your case, the 
UID/account info is in NIS. Works great. If you are not using NIS, then 
you need a local account.

Regards
-
Richard Sharpe, [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED]




RE: PR #s 25271, 25273, 25445 security=domain does not work on Solaris

2002-09-09 Thread Javid Abdul-AJAVID1

yes, i agree with Eric,
I haven't had any issues as long as unix account exists in nis domain, and
samba is member server in nt domain
my setup, solaris6, samba 2 0 7 and  2 2 5, clients w2k

-Original Message-
From: Eric Boehm [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 09, 2002 12:24 PM
To: [EMAIL PROTECTED]
Cc: Tim Allen; [EMAIL PROTECTED]
Subject: Re: PR #s 25271, 25273, 25445 security=domain does not work
on Solaris


On Mon, Sep 09, 2002 at 11:36:51AM -0400, David Collier-Brown wrote:
 David == David Collier-Brown [EMAIL PROTECTED] writes:
 Tim == Tim Allen [EMAIL PROTECTED] writes:

Tim I have posted to this group in the past and been told that
Tim the behavior I'm seeing is not correct. My main file server
Tim (Samba/Linux) does not behave this way (similar smb.conf).

Tim And the symptom was: I have posted to the user groups and
Tim think I have found a bug. Our RHL6.2 box running samba 2.0.6
Tim is a member of our NT domain. An NT user (say jbloggs) cannot
Tim browse the unix/samba box unless there is a corresponding
Tim unix user (jbloggs) on the unix box; this is the expected
Tim (and correct??!) behavior. We have added samba 2.2.2 to one
Tim of our Sun boxes (Solaris 8) and now we appear to have to add
Tim users to the smbusers file in addition to (or instead of)
Tim just having a corresponding unix user. I will supply further
Tim information (smb.conf, log files, whatever) as requested.

David  You normally need a Unix user, but if you wish to use
David the NT form of encrypted passwords, you also have to have
David an entry for the user in the smbpasswd file.  As
David security=domain requires encrypted passwords, I'm afraid
David you're stuck with it!


Are you sure about this? I've been running 2.0.7 for a couple of years
with security = domain and I don't need to create an smbusers
file. The only time I run into problems is if the Windows user does
not have a UNIX account. As long as the userid exists in the Windows
domain and NIS domain, it works fine (with encrypted passwords).

I am also running 2.2.5 with the same configuration.

It might be worthwhile to see Tim's smb.conf or a level 3 or level 5
log of a failed access.

Here's the relevant portion of mine

workgroup  = AMERICASE
security   = domain
password server= ZRTPD01T ZRTPD0P0 NRTPDE11
# 
wins server= 47.156.160.179
encrypt passwords  = yes 

-- 
Eric M. Boehm  /\  ASCII Ribbon Campaign
[EMAIL PROTECTED]   \ /  No HTML or RTF in mail
X   No proprietary word-processing
Respect Open Standards / \  files in mail



Re: RE: PR #s 25271, 25273, 25445 security=domain does not work on Solaris

2002-09-09 Thread Tim Allen

I have run smbpasswd -NT_DOMAIN -r PDC -U Administrator 

It indicated success and the machine account shows up on the NT box.

log.smb:
[2002/09/06 16:31:35, 1] lib/debug.c:debug_message(245)
  INFO: Debug class all level = 101   (pid 3713 from pid 3713)
[2002/09/06 16:31:35, 2] param/loadparm.c:do_section(2902)
  Processing section [NewBusiness]
  doing parameter path = /var/NewBusiness
  doing parameter read only = No
[2002/09/06 16:31:35, 2] param/loadparm.c:do_section(2902)
  Processing section [Statements]
  doing parameter path = /var/Statements
  doing parameter read only = No
[2002/09/06 16:31:35, 4] param/loadparm.c:lp_load(3343)
  pm_process() returned Yes
[2002/09/06 16:31:35, 7] param/loadparm.c:lp_servicenumber(3440)
  lp_servicenumber: couldn't find homes
[2002/09/06 16:31:35, 3] param/loadparm.c:lp_add_ipc(1932)
  adding IPC service IPC$
[2002/09/06 16:31:35, 3] param/loadparm.c:lp_add_ipc(1932)
  adding IPC service ADMIN$
[2002/09/06 16:31:35, 7] param/loadparm.c:lp_servicenumber(3440)
  lp_servicenumber: couldn't find printers
[2002/09/06 16:31:35, 7] param/loadparm.c:lp_servicenumber(3440)
  lp_servicenumber: couldn't find printers
[2002/09/06 16:31:35, 6] param/loadparm.c:lp_file_list_changed(2203)
  lp_file_list_changed()
  file /usr/local/samba/lib/smb.conf - /usr/local/samba/lib/smb.conf 
last mod_time: Fri Sep  6 16:30:51 2002
  
[2002/09/06 16:31:35, 2] lib/interface.c:add_interface(85)
  added interface ip=172.16.11.28 bcast=172.16.11.255
nmask=255.255.255.0
[2002/09/06 16:31:35, 5] lib/hash.c:hash_table_init(70)
  Hash size = 521.
[2002/09/06 16:31:35, 6] lib/charset.c:codepage_initialise(339)
  codepage_initialise: client code page = 850
[2002/09/06 16:31:35, 5] lib/charset.c:load_client_codepage(196)
  load_client_codepage: loading codepage 850.
[2002/09/06 16:31:35, 5] lib/util_unistr.c:load_unicode_map(532)
  load_unicode_map: loading unicode map for codepage 850.
[2002/09/06 16:31:35, 3] smbd/server.c:main(731)
  loaded services
[2002/09/06 16:31:35, 3] smbd/server.c:main(739)
  Becoming a daemon.
[2002/09/06 16:31:35, 8] lib/util.c:fcntl_lock(1267)
  fcntl_lock 5 34 0 1 2
[2002/09/06 16:31:35, 8] lib/util.c:fcntl_lock(1307)
  fcntl_lock: Lock call successful
[2002/09/06 16:31:35, 5] smbd/connection.c:claim_connection(157)
  claiming  10
[2002/09/06 16:31:35, 3] lib/util_sock.c:open_socket_in(839)
  bind succeeded on port 139
[2002/09/06 16:31:35, 5] lib/util_sock.c:print_socket_options(111)
  socket option SO_KEEPALIVE = 8
[2002/09/06 16:31:35, 5] lib/util_sock.c:print_socket_options(111)
  socket option SO_REUSEADDR = 4
[2002/09/06 16:31:35, 5] lib/util_sock.c:print_socket_options(111)
  socket option SO_BROADCAST = 0
[2002/09/06 16:31:35, 5] lib/util_sock.c:print_socket_options(111)
  socket option TCP_NODELAY = 0
[2002/09/06 16:31:35, 5] lib/util_sock.c:print_socket_options(111)
  socket option IPTOS_LOWDELAY = 0
[2002/09/06 16:31:35, 5] lib/util_sock.c:print_socket_options(111)
  socket option IPTOS_THROUGHPUT = 0
[2002/09/06 16:31:35, 5] lib/util_sock.c:print_socket_options(111)
  socket option SO_SNDBUF = 16384
[2002/09/06 16:31:35, 5] lib/util_sock.c:print_socket_options(111)
  socket option SO_RCVBUF = 24576
[2002/09/06 16:31:35, 5] lib/util_sock.c:print_socket_options(109)
  Could not test socket option SO_SNDLOWAT.
[2002/09/06 16:31:35, 5] lib/util_sock.c:print_socket_options(109)
  Could not test socket 

Re: RE: PR #s 25271, 25273, 25445 security=domain does not work on Solaris

2002-09-09 Thread Tim Allen

I have noticed something possibly related: if a machine account already
exists and I attempt to do the smbpasswd -j DOM -r pdc -U Administrator,
I think the domain service dies on the PDC. This is repeatable but we're
on an old copy of NT (SP4). I have compiled and am in the process of
installing 2.2.5.

 Javid Abdul-AJAVID1 [EMAIL PROTECTED] 09/09 2:30 PM 
yes, i agree with Eric,
I haven't had any issues as long as unix account exists in nis domain, and
samba is member server in nt domain
my setup, solaris6, samba 2 0 7 and  2 2 5, clients w2k

-Original Message-
From: Eric Boehm [mailto:[EMAIL PROTECTED]] 
Sent: Monday, September 09, 2002 12:24 PM
To: [EMAIL PROTECTED] 
Cc: Tim Allen; [EMAIL PROTECTED] 
Subject: Re: PR #s 25271, 25273, 25445 security=domain does not work
on Solaris


On Mon, Sep 09, 2002 at 11:36:51AM -0400, David Collier-Brown wrote:
 David == David Collier-Brown [EMAIL PROTECTED] writes:
 Tim == Tim Allen [EMAIL PROTECTED] writes:

Tim I have posted to this group in the past and been told that
Tim the behavior I'm seeing is not correct. My main file server
Tim (Samba/Linux) does not behave this way (similar smb.conf).

Tim And the symptom was: I have posted to the user groups and
Tim think I have found a bug. Our RHL6.2 box running samba 2.0.6
Tim is a member of our NT domain. An NT user (say jbloggs) cannot
Tim browse the unix/samba box unless there is a corresponding
Tim unix user (jbloggs) on the unix box; this is the expected
Tim (and correct??!) behavior. We have added samba 2.2.2 to one
Tim of our Sun boxes (Solaris 8) and now we appear to have to add
Tim users to the smbusers file in addition to (or instead of)
Tim just having a corresponding unix user. I will supply further
Tim information (smb.conf, log files, whatever) as requested.

David  You normally need a Unix user, but if you wish to use
David the NT form of encrypted passwords, you also have to have
David an entry for the user in the smbpasswd file.  As
David security=domain requires encrypted passwords, I'm afraid
David you're stuck with it!


Are you sure about this? I've been running 2.0.7 for a couple of years
with security = domain and I don't need to create an smbusers
file. The only time I run into problems is if the Windows user does
not have a UNIX account. As long as the userid exists in the Windows
domain and NIS domain, it works fine (with encrypted passwords).

I am also running 2.2.5 with the same configuration.

It might be worthwhile to see Tim's smb.conf or a level 3 or level 5
log of a failed access.

Here's the relevant portion of mine

workgroup  = AMERICASE
security   = domain
password server= ZRTPD01T ZRTPD0P0 NRTPDE11
# 
wins server= 47.156.160.179
encrypt passwords  = yes 

-- 
Eric M. Boehm  /\  ASCII Ribbon Campaign
[EMAIL PROTECTED]   \ /  No HTML or RTF in mail
X   No proprietary word-processing
Respect Open Standards / \  files in mail



Sanity check.

2002-09-09 Thread Christopher R. Hertel

Just a quick sanity check, if any of you have the time.  In my book I'm
trying to describe the MaxBufferSize and MaxRawSize fields in the NegProt
response.  I neither want nor need to go into great depth, but I do need to
be as close to correct in my descriptions as SMB allows.  If anyone has
any constructive criticism on the notes below please send it along.

Looking forward to your replies.

Chris -)-


MaxBufferSize

MaxBufferSize is the size (in bytes) of the largest message that the
server can receive.  Keep in mind that the transport layer will
fragment and defragment packets as necessary. It is, therefore,
possible to send very large SMBs and let the lower layers worry about
ensuring safe, fast, reliable delivery.

How big can an SMB message be?

In the NT LM 0.12 dialect, the MaxBufferSize field is an unsigned
longword. As described much earlier on, however, the Length field in
the NBT SESSION MESSAGE is 17 bits wide and the naked transport header
has a 24-bit Length field. So the session headers place slightly more
reasonable limits on the maximum size of a single SMB message.

MaxRawSize

This is the maximum size of a raw data buffer.

The X/Open doc describes the READ RAW and WRITE RAW SMBs, which were
introduced with the Extended 1.0 version of SMB (the MICROSOFT
NETWORKS 3.0 and LANMAN1.0 dialects). These were a speed hack. For a
large read or write operation, the first message would be a proper
SMB, but subsequent messages would be sent in raw mode, with no SMB
or session header. The raw blocks could be as large as MaxRawSize
bytes in length. Once again, the transport layer was expected to take
care of fragmentation/defragmentation and the re-sending of any lost
packets.

Raw mode is not used much any more. Among other things, it conflicts
with message signing because the raw messages have no header in
which to put the MAC signature. Thus, the field is considered obsolete.


-- 
Samba Team -- http://www.samba.org/ -)-   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)-   [EMAIL PROTECTED]
OnLineBook -- http://ubiqx.org/cifs/-)-   [EMAIL PROTECTED]
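
The size rules from the MaxBufferSize / MaxRawSize notes above, as an added C example that is not part of the original post or of Samba's code: it reads both fields from an NT LM 0.12 NegProt response parameter block and bounds them before a client would act on them. The field offsets, the CAP_RAW_MODE and signing-required bit values, the 35-byte floor, the policy of disabling raw mode when signing is required, and all function names are assumptions of this example; the sample response is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Largest length each session header can express (field widths from the notes). */
#define NBT_SESSION_MAX_LEN 0x1FFFFu    /* 17-bit Length, NBT SESSION MESSAGE */
#define NAKED_TCP_MAX_LEN   0xFFFFFFu   /* 24-bit Length, naked transport     */

/* Assumptions of this example (not on the page): NT LM 0.12 layout and bits. */
#define NEGPROT_WORDS            17u          /* WordCount of the response    */
#define NEGPROT_LEN              (1u + 2u * NEGPROT_WORDS)
#define OFF_SECURITY_MODE        3u           /* offsets from WordCount byte  */
#define OFF_MAX_BUFFER_SIZE      8u
#define OFF_MAX_RAW_SIZE         12u
#define OFF_CAPABILITIES         20u
#define SECMODE_SIGNING_REQUIRED 0x08u
#define CAP_RAW_MODE             0x00000001u
#define SMB_MIN_MSG              35u  /* 32-byte header + WordCount + ByteCount */

struct negprot_limits {
    uint32_t max_buffer_size;  /* as advertised by the server            */
    uint32_t max_raw_size;     /* as advertised by the server            */
    uint32_t usable_msg_size;  /* MaxBufferSize clamped to the transport */
    uint32_t usable_raw_size;  /* 0 when raw mode must not be used       */
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/*
 * buf points at the WordCount byte that follows the SMB header.
 * transport_max is NBT_SESSION_MAX_LEN or NAKED_TCP_MAX_LEN.
 * Returns 0 on success, negative for a response that must not be trusted.
 */
int parse_negprot_limits(const uint8_t *buf, size_t len,
                         uint32_t transport_max, struct negprot_limits *out)
{
    if (buf == NULL || out == NULL)
        return -1;
    if (len < 1 || buf[0] != NEGPROT_WORDS)
        return -2;                       /* not an NT LM 0.12 response */
    if (len < NEGPROT_LEN)
        return -3;                       /* truncated parameter block  */

    uint8_t  secmode = buf[OFF_SECURITY_MODE];
    uint32_t caps    = rd32le(buf + OFF_CAPABILITIES);

    out->max_buffer_size = rd32le(buf + OFF_MAX_BUFFER_SIZE);
    out->max_raw_size    = rd32le(buf + OFF_MAX_RAW_SIZE);

    if (out->max_buffer_size < SMB_MIN_MSG)
        return -4;                       /* cannot hold even an empty SMB */

    /* A 32-bit MaxBufferSize can exceed what the session header can frame. */
    out->usable_msg_size = out->max_buffer_size < transport_max
                         ? out->max_buffer_size : transport_max;

    /* Raw blocks carry no session header, so the framing limit does not
     * apply to them, but they have nowhere to put a MAC: this example
     * turns raw mode off when signing is required or raw is not offered. */
    if ((caps & CAP_RAW_MODE) && !(secmode & SECMODE_SIGNING_REQUIRED))
        out->usable_raw_size = out->max_raw_size;
    else
        out->usable_raw_size = 0;
    return 0;
}

/* Builds a constructed (not captured) parameter block for the demo and test. */
void build_sample_negprot(uint8_t out[NEGPROT_LEN], uint32_t max_buf,
                          uint32_t max_raw, uint8_t secmode, uint32_t caps)
{
    memset(out, 0, NEGPROT_LEN);
    out[0] = NEGPROT_WORDS;
    out[OFF_SECURITY_MODE] = secmode;
    wr32le(out + OFF_MAX_BUFFER_SIZE, max_buf);
    wr32le(out + OFF_MAX_RAW_SIZE, max_raw);
    wr32le(out + OFF_CAPABILITIES, caps);
}

int main(void)
{
    uint8_t pkt[NEGPROT_LEN];
    struct negprot_limits lim;

    build_sample_negprot(pkt, 0x01000000u, 65536u, 0x03u, CAP_RAW_MODE);
    if (parse_negprot_limits(pkt, sizeof pkt, NBT_SESSION_MAX_LEN, &lim) == 0)
        printf("advertised %u, usable over NBT %u, raw %u\n",
               (unsigned)lim.max_buffer_size, (unsigned)lim.usable_msg_size,
               (unsigned)lim.usable_raw_size);
    return 0;
}
```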