Re: [PATCH] sam backend parameter

[Andrew Bartlett]

[EMAIL PROTECTED] wrote:
> 
> On Thu, Oct 03, 2002 at 04:06:37PM +1000, Andrew Bartlett wrote:
> >
> > The use of multiple backends in passdb has acknowledged issues, and I'm
> > not particularly fussed if you feel it should not ship with this
> > functionality enabled.  However, please do note that this *is* being
> > used at present, and cannot be 'just removed'.  (We map our non-passdb
> > users into the system via this method).  Volker has some solutions to
> > this issue however, which look very neat.  I'll need to check if they
> > actually catch it all the cases.
> 
> Well it's not being used really, as it's not in a production
> release. We don't make guarentees until it gets into a production
> release. What "non-passdb" users are being mapped into the system
> via this method ?  Surely as a PDC we need passdb entries for every
> user we're exporting ?

I mean it's being used by code.

The problem is mainly on the fileserver:  For the DC side of things,
every user is in the SAM, or they can't really do much.  But on the
fileserver side, we have the problem that a user may select to view the
Owner or the ACL entries of a file.

This file may have a completely arbitrary owner.  

- Winbind user?  Fine.  (we simply lookup the uid->sid with wibnind, and
we simply proxy requests for the name->sid/sid->name to the DC)

- passdb user?  Again, OK.  
In 2.2, we just used an algorithmic mapping of all such users.  Remember
'2*uid+1000'?  :-)  Names were then looked up in the system get{pw,gr}*
calls

In HEAD, we tried to make this a bit smarter.  This may or may not have
been a good thing, because it can be slow.  We do getpwuid(uid), then
lookup that name in the passdb.  The returned SID is sent to the client.

For names, it's a bit easier, we lookup the SID in passdb then return
the name.  The reverse for name->sid.  I did it this way to allow for
arbitrary RIDs.

- not in either... Not so pretty:

The tricky bit is users not in passdb.  The code that deals with this is
hideous, particularly because we don't have a unified groupdb/passdb,
and mostly because I wanted to support arbitrary RIDs. (Hence one of the
reasons I started trying to rewrite this).  

We need to allocate this 'unknown' user or group a RID.  We need to
ensure it does not conflict with other users, and that it 'maps back'.  

Why?  Well, there are system accounts etc, and there are users who
appear in the system via NIS etc.  The 2.2 code maps these to
SIDs/Names, and I took this as a requirement that we must do the same in
3.0

The addition of 'unixsam' was designed to put common code together. 
Other parts of passdb had to deal with making a SAM entry from a passwd
struct, so I merged the code.  I had considered a complete merge with
smbpasswd, but never got that far.  Volker has noted a number of areas
in the auth code that could be simplified by exploiting this.

This also assisted in moving our calls to Get_Pwnam() into a very small
number of places.  It is very rarely called now.

If required, this code could be split back out again, however we still
have the issue of RID allocation.  (the cascading change did not affect
this, it is noted for completeness).  

The rids in HEAD are allocated by '2*uid+lp_algorithmic_rid_base()', to
allow the administrator to 'push' the algorithmic space 'out of the
way'.  We should look into 'automatic' RID allocation, but I am wary of
inflicting this on all our file-server users.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net

Re: [PATCH] sam backend parameter

[jra]

On Thu, Oct 03, 2002 at 04:06:37PM +1000, Andrew Bartlett wrote:
> 
> The use of multiple backends in passdb has acknowledged issues, and I'm
> not particularly fussed if you feel it should not ship with this
> functionality enabled.  However, please do note that this *is* being
> used at present, and cannot be 'just removed'.  (We map our non-passdb
> users into the system via this method).  Volker has some solutions to
> this issue however, which look very neat.  I'll need to check if they
> actually catch it all the cases.

Well it's not being used really, as it's not in a production
release. We don't make guarentees until it gets into a production
release. What "non-passdb" users are being mapped into the system
via this method ?  Surely as a PDC we need passdb entries for every
user we're exporting ?

Jeremy.

Re: [PATCH] sam backend parameter

[Andrew Bartlett]

[EMAIL PROTECTED] wrote:
> 
> On Thu, Oct 03, 2002 at 03:36:48PM +1000, Andrew Bartlett wrote:
> > Simo Sorce wrote:
> > >
> > > Multi domain DC is never going to happen in samba, it just doesn't make
> > > sense, as the protocols used (eg. SMB) will not be able to support such
> > > thing, so please let's stop to talk about multi-DC samba.
> >
> > I'm not so sure on this one.
> >
> > Some parts of the protocol might need to be told 'if not specified, use
> > this', but I'm not sure the statement holds across everything.
> >
> > For example, I don't see any reason why we can't 'pretend' that any
> > secondary domain is a 'trusted domain'.  This would allow (for example)
> > a resource DC, which has each machine in it, but no users, and an
> > organizational DC to coexist nicely.  (This is quite a common setup,
> > btw).
> 
> But not on the same machine.

Sorry, I meant to indicate that resource domains are common, and that I
like the idea that a resource DC could actually handle the
authentication itself.

> > For the rare cases where clients contact the trusted domain directly, we
> > could have either a separate Samba on another IP, or they could contact
> > the remote DC directly.
> 
> That's the point. All this multi-domain stuff is "rare".
> I don't want the complexity in mainline Samba. I don't
> think Simo, Gerry, Volker or JF do either.
> 
> Let just remove the multi-domain stuff for now and try
> and get 3.0 in a shippable state.

The 'new SAM' stuff is not being proposed for 3.0!  Certainly not yet,
we have a *lot* of work to do, before it gets there!

Also, *please* don't confuse that with the multi-backend stuff.  That
has a very different purpose, and was not included in the new SAM design
for exactly the reasons people don't want it in passdb.

The use of multiple backends in passdb has acknowledged issues, and I'm
not particularly fussed if you feel it should not ship with this
functionality enabled.  However, please do note that this *is* being
used at present, and cannot be 'just removed'.  (We map our non-passdb
users into the system via this method).  Volker has some solutions to
this issue however, which look very neat.  I'll need to check if they
actually catch it all the cases.

(In particular, we have the nasty requiremnt that we map NIS users and
the like to and from names).

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net

Re: [PATCH] sam backend parameter

[jra]

On Thu, Oct 03, 2002 at 03:36:48PM +1000, Andrew Bartlett wrote:
> Simo Sorce wrote:
> > 
> > Multi domain DC is never going to happen in samba, it just doesn't make
> > sense, as the protocols used (eg. SMB) will not be able to support such
> > thing, so please let's stop to talk about multi-DC samba.
> 
> I'm not so sure on this one.
> 
> Some parts of the protocol might need to be told 'if not specified, use
> this', but I'm not sure the statement holds across everything.
> 
> For example, I don't see any reason why we can't 'pretend' that any
> secondary domain is a 'trusted domain'.  This would allow (for example)
> a resource DC, which has each machine in it, but no users, and an
> organizational DC to coexist nicely.  (This is quite a common setup,
> btw).  

But not on the same machine.

> For the rare cases where clients contact the trusted domain directly, we
> could have either a separate Samba on another IP, or they could contact
> the remote DC directly.

That's the point. All this multi-domain stuff is "rare".
I don't want the complexity in mainline Samba. I don't
think Simo, Gerry, Volker or JF do either.

Let just remove the multi-domain stuff for now and try
and get 3.0 in a shippable state.

Jeremy.

Re: [PATCH] sam backend parameter

[Andrew Bartlett]

Simo Sorce wrote:
> 
> Multi domain DC is never going to happen in samba, it just doesn't make
> sense, as the protocols used (eg. SMB) will not be able to support such
> thing, so please let's stop to talk about multi-DC samba.

I'm not so sure on this one.

Some parts of the protocol might need to be told 'if not specified, use
this', but I'm not sure the statement holds across everything.

For example, I don't see any reason why we can't 'pretend' that any
secondary domain is a 'trusted domain'.  This would allow (for example)
a resource DC, which has each machine in it, but no users, and an
organizational DC to coexist nicely.  (This is quite a common setup,
btw).  

The advantage is that this one installation could have the
'organizational' users in replicated LDAP, so it would not need to make
external connections for authentication.

For the rare cases where clients contact the trusted domain directly, we
could have either a separate Samba on another IP, or they could contact
the remote DC directly.

I see this as a powerful way to push Samba into places that it currently
can't go, and I would like a chance to explore it.

Andrew Bartlett
-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net

Re: [PATCH] sam backend parameter

[Jelmer Vernooij]

On Thu, Oct 03, 2002 at 12:16:53AM +0200, Simo Sorce wrote about 'Re: [PATCH] sam 
backend parameter':
> yes a thing I'm not sure has ever been a good idea.
> to be able to have sam2sam that is really read a backend + store all
> info into another backend we may take several ways.

> We never need the 2 backend to be loaded at the same time to do the
> operation, we may easily read all the accounts chnage the backend and
> store them into the new one, or simply make custom code to load 2
> different backends, and use theyr calls.

> It's easy to have 2 structures calle backend1 and backend2 that holds
> the functon pointers for 2 backends.

> Al the context things always seemed to me overcomplicated even for
> multiple backend code.
the context stuff has been in passdb since the beginning and is not
at all used for multiple backends - multiple backends are achieved by
having multiple 'methods' structs in one context. 

Next to that, a 'multidb' backend will have to use multiple contexts. 

We don't want to spoil global name space with the variables
sam_context contains.

If we are removing multiple domain support, we could remove
sam_methods perhaps and move all the functions in sam_methods to 
sam_context, but sam_context definitely has to stay...

Jelmer

> On Wed, 2002-10-02 at 23:56, Jelmer Vernooij wrote:
> > > - what is all the context thing needed for?
> > Sometimes we need multiple contexts. For example, when doing sam2sam.
> > Please notice that passdb has this as well...

-- 
Jelmer Vernooij <[EMAIL PROTECTED]> - http://nl.linux.org/~jelmer/
Development And Underdevelopment: http://library.thinkquest.org/C0110231/
Listening to 
 07:18:45 up 12 min,  4 users,  load average: 0.09, 0.05, 0.01

Re: Explaining the new SAM

[Andrew Bartlett]

Jean Francois Micouleau wrote:

> It's getting clear that you are reinventing something we already have.
> All your SAM api is simply the SAMR server pipe code. Why do you want to
> implement a new api as we already have one ?

I have a history of doing this - and I intend to continue...

It could be argued that the AuthRewrite was just a duplication of the
NETLOGON code.  Indeed, my original plans on that front called for the
use of NETLOGON to perform the operations.

However, I find the idea that the rest of Samba should call MS-defined
SAMR APIs less than appealing.  (As you well know, this is the approach
taken by Samba-TNG).  Instead, I prefer to construct an API that meets
the needs of the various 'users' (be it SAMR, the auth subsystem,
lanman.c etc) without using MS defined wire structures, and to which we
can add a little more flexibility.

For example, the auth subsystem allows the use of 'security=server',
which I could not force through the NETLOGON interface.  Similarly, I
expect that there will be other cases where we will want information
about a user that cannot be easily (or efficiently) extracted from SAMR
calls.  

Finally, I don't think that smbpasswd etc should have to go so far out
of their way (linking our rpc client and server code) in order to
perform their operations.

I prefer to take one step back, and construct an API that is influenced
by, but not dictated by, the SAMR pipe.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net

Re: [PATCH] sam backend parameter

[Andrew Bartlett]

Simo Sorce wrote:

> Plus I have some questions about the current sam interface:
> 
> - what is all the context thing needed for?

I don't like global variables, and this allows us to construct seperate
contexts for operations like sam2sam, and testing, without fiddiling
with global variables.

> - what is the handle thing needed for ?

Same as the SAM_ACCOUNT in pdb.  

> - what is access desired meant to do ? Authorization is a different
> thing then storage, a backend is a storage!

The SAM interface layer is the 'choke point'.  If we do not wan't nasty
races, then we must reterive things like the security descriptor with
the data it applies to.  This implies that the ACL checking code must
resise either in the SAM backend, or the SAM interface.  If we export it
above this layer, we *will* get places where we don't check it properly.

> - why do we insist to have a thing called unix accounts? It just does
> not make sense to me. We need "real" users/groups mapping instead
> (opposed to created on the fly by winbind based accounts).

I'm not sure what you mean here - the current code doesn't even know
about unix accounts.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net

Re: [PATCH] sam backend parameter

[Luke Howard]

>No, the idea is that one SAM backend would know about only one domain,
>but that we could have multiple domains, each with their own backend. 
>For smbd it doesn't make much sense, except that I was looking at
>handling 'builtin' stuff by abstraction into a separate 'domain' this
>way.  (I favor putting special cases into modules, rather than in
>interfaces).

FWIW, this is what Active Directory does (cf. builtinDomain in the
schema).

-- Luke

--
Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: [PATCH] sam backend parameter

[Andrew Bartlett]

Gerald Carter wrote:
> 
> On Wed, 2 Oct 2002 [EMAIL PROTECTED] wrote:
> 
> > > The other cases for 'multiple domain' support involve the way these
> > > users are reflected back into unix by winbindd, which might be running
> > > on a system that has multiple, independent smbd instances on separate
> > > IPs.
> 
> OK.  I just caught this.  One winbnidd install serving multiple smbd
> installations on the same host?  This seems like complicating the
> a corner case requirement.  My concern is about the ongoing maintainence
> and administration of the code.
> 
> Code that is only understood by one person is unmaintainable code.
> Nothing against you mind you.  If i was the only one who understand
> how our printer change notify code worked for example, I would argue
> the same point.
> 
> It could also be that the only one person understands it phenomena
> it partly our fault as well for not digging in earlier.  Water under
> the bridge at this point.  Well work on it better in the future :-)

The only reason we have this code at all is becouse it *is* simple. 
Current problems with how to specify it in smb.conf aside, the relevent
code is not long, nor complex.  We would need almost as many lines of
code if we were to kill it, becouse we need to verify these things
anyway.  (That a sensible 'domain' or 'domain sid' has been passed).

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net

Re: ACL inheritance mess with win2k clients...

[Jim McDonough]

Perhaps I should clear up the access pattern.  On 2k->samba acl sets, If
the tree looks like this:

/a/b/c/d/e (where e is a file, the rest are dirs)

a set on /a which says "reset child permissions..." generates set_secdescs
like this:

/a/b/c/d/e

/a/b/c/d/e
/a/b/c/d

/a/b/c/d/e
/a/b/c/d
/a/b/c

/a/b/c/d/e
/a/b/c/d
/a/b/c
/a/b

/a/b/c/d/e
/a/b/c/d
/a/b/c/
/a/b
/a

/a/b/c/d/e
/a/b/c/d
/a/b/c/
/a/b
/a

The same thing happens to NT, but the final group of set's have different
ACLs...

Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074
USA

[EMAIL PROTECTED]
[EMAIL PROTECTED]

Phone: (207) 885-5565
IBM tie-line: 776-9984

Re: ACL inheritance mess with win2k clients...

[Jim McDonough]

>> Using a 2k client, that same checkbox is named "reset permissions on all
>> child objects and enable propagation of inheritable permissions", and it
>> causes the following behavior:  for each file/dir in a tree, it
propagates
>> the current permissions from parent to the child (so far so good), but
it
>> does it from the deepest point up, so what we get is:
>>
>> /a/b/c/d/e gets /a/b/c/d's current permissions
>> /a/b/c/d gets /a/b/c's current permissions
>> /a/b/c gets /a/b's current permissions
>> /a/b gets /a's current permissions
>> /a gets set as you said.
>>
>> When 2k does this to NT, it all works ok.  the 2k client is explicitly
>> setting everything the way you want.  Something is telling him to do it
>> differently with us.  I first suspected ACL revisions, but I did
eliminate
>> that pretty quickly (two lines of change).  Any ideas here?
>
>So when a W2K client does this to a NT server, what pattern of ACL
>set operations gets done ?
The same acl gets applied to all, so the same set is done in this order:
/a/b/c/d/e
/a/b/c/d
/a/b/c
/a/b
/a

So they all end up with the same thing.  It still even tries to set the
auto-inherited bit.


Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074
USA

[EMAIL PROTECTED]
[EMAIL PROTECTED]

Phone: (207) 885-5565
IBM tie-line: 776-9984

Re: ACL inheritance mess with win2k clients...

[jra]

On Tue, Oct 01, 2002 at 04:36:18PM -0400, Jim McDonough wrote:
> Setting ACLs from an NT4 client, checking the box that says "reset
> permission on child objects", everything seems to work fine.  I'm using
> current SAMBA_2_2.
> 
> Using a 2k client, that same checkbox is named "reset permissions on all
> child objects and enable propagation of inheritable permissions", and it
> causes the following behavior:  for each file/dir in a tree, it propagates
> the current permissions from parent to the child (so far so good), but it
> does it from the deepest point up, so what we get is:
> 
> /a/b/c/d/e gets /a/b/c/d's current permissions
> /a/b/c/d gets /a/b/c's current permissions
> /a/b/c gets /a/b's current permissions
> /a/b gets /a's current permissions
> /a gets set as you said.
> 
> When 2k does this to NT, it all works ok.  the 2k client is explicitly
> setting everything the way you want.  Something is telling him to do it
> differently with us.  I first suspected ACL revisions, but I did eliminate
> that pretty quickly (two lines of change).  Any ideas here?

So when a W2K client does this to a NT server, what pattern of ACL
set operations gets done ?

Jeremy.

Re: ACL inheritance mess with win2k clients...

[jra]

On Wed, Oct 02, 2002 at 06:07:00PM -0400, ZINKEVICIUS,MATT (HP-Loveland,ex1) wrote:
> I think he would win the quarter :-) Never setting those bits is exactly
> what tells the client that we're using NT4 style inheritance. See my NT
> security semantics patch which set these bits when appropriate.

Ok, maybe I'm being dumb here... but I thought the problem is the
client is treating us as though we were W2K, not NT ? So we don't
want to set them... right ?

Jeremy.

Re: [PATCH] sam backend parameter

[Simo Sorce]

yes a thing I'm not sure has ever been a good idea.
to be able to have sam2sam that is really read a backend + store all
info into another backend we may take several ways.

We never need the 2 backend to be loaded at the same time to do the
operation, we may easily read all the accounts chnage the backend and
store them into the new one, or simply make custom code to load 2
different backends, and use theyr calls.

It's easy to have 2 structures calle backend1 and backend2 that holds
the functon pointers for 2 backends.

Al the context things always seemed to me overcomplicated even for
multiple backend code.

Simo.

On Wed, 2002-10-02 at 23:56, Jelmer Vernooij wrote:
> > - what is all the context thing needed for?
> Sometimes we need multiple contexts. For example, when doing sam2sam.
> Please notice that passdb has this as well...
> 
> Jelmer
> 
> -- 
> Jelmer Vernooij <[EMAIL PROTECTED]> - http://nl.linux.org/~jelmer/
> Development And Underdevelopment: http://library.thinkquest.org/C0110231/
> Listening to 
>  23:55:29 up 11:49, 10 users,  load average: 0.27, 0.39, 0.39
-- 
Simo Sorce - [EMAIL PROTECTED]
Xsec s.r.l.
via Durando 10 Ed. G - 20158 - Milano
tel. +39 02 2399 7130 - fax: +39 02 700 442 399



signature.asc
Description: This is a digitally signed message part

RE: ACL inheritance mess with win2k clients...

[ZINKEVICIUS,MATT (HP-Loveland,ex1)]

I think he would win the quarter :-) Never setting those bits is exactly
what tells the client that we're using NT4 style inheritance. See my NT
security semantics patch which set these bits when appropriate.

--Matt

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 02, 2002 2:15 PM
> To: Eric Lee Steadle
> Cc: Jim McDonough; [EMAIL PROTECTED]
> Subject: Re: ACL inheritance mess with win2k clients...
> 
> 
> On Wed, Oct 02, 2002 at 04:05:45PM -0400, Eric Lee Steadle wrote:
> > >Ok - so how does the W2K client "know" it's talking to a W2K or NT
> > >server ? Any idea what criteria a W2K client uses to check ?
> > 
> > 
> > Well, I'm pretty sure it (the client) checks for one or 
> more w2k specific
> > flags: SE_DACL_AUTO_INHERITED, or perhaps 
> SE_DACL_PROTECTED. Jim said that the
> > client sets the SE_DACL_AUTO_INHERITED flag, (which is not 
> honored by Samba,
> > nor would it be by NT4) then it queries for those flags 
> again. I'd bet a
> > quarter that it (the client) is trying to determine what 
> ACL inheritence
> > mechanism is being used by the server.
> 
> You'd lose that quarter Samba never sets any of these flags, so
> the client cannot be using their presense to determine if we support
> W2K or NT ACLs.
> 
> Jeremy.
> 

Re: [PATCH] sam backend parameter

[Jelmer Vernooij]

> - what is all the context thing needed for?
Sometimes we need multiple contexts. For example, when doing sam2sam.
Please notice that passdb has this as well...

Jelmer

-- 
Jelmer Vernooij <[EMAIL PROTECTED]> - http://nl.linux.org/~jelmer/
Development And Underdevelopment: http://library.thinkquest.org/C0110231/
Listening to 
 23:55:29 up 11:49, 10 users,  load average: 0.27, 0.39, 0.39

Re: [PATCH] sam backend parameter

[Simo Sorce]

Multi domain DC is never going to happen in samba, it just doesn't make
sense, as the protocols used (eg. SMB) will not be able to support such
thing, so please let's stop to talk about multi-DC samba.

Also, the winbindd argument is bogus. Winbind will not use at all the
sam interface to look for user name->uid mapping, it should just ask the
simgle domain present on the interfaces of the machine to resolve the
names, exactly in the same way it currently do against NT domains, and
then just call the SID mapping code do resolve the uid.

The SID mapping code should be the only shared code beetween winbind and
the account management system. We need to evolve the current
winbind_idmap code to become the new SID Mapping System.

LAst I find it really dummy to think at nuiltin as a separate domain. It
isn't at all, and makes things bad.

Every single backend module should contain the entire domain, every
domain has "normal" SIDs and some special SID, we do not need to threat
special entirely into the interface, we can easily handle them inside
the backend. Ther's no problem to do so, except if someone want at all
cost try to support multiple domain in sam interface, a thing many of us
already said is not going to happen anyway.
Buitin are intimately connected to the rest of the domain, having to
heavily switch operations between two backends makes really little
sense, and bultin accounts are also very few, you cannot add bultin
accounts, and least but not last, builtin grops will contain users as
members, what sense does it make to have builtin groups to contain SID
of foreign domains (as it will be most probably shared beetwen domains)
what security problmes does it pose to have all thi promiscuity?
What happen when in one domain we want to change some builtin account
proprty to something differnt than what other domains will like?
I really think that even in a ipothetical multi-DC environment a
separate "builtin" backend is a plain worng solution.

Plus I have some questions about the current sam interface:

- what is all the context thing needed for?
- what is the handle thing needed for ?
- what is access desired meant to do ? Authorization is a different
thing then storage, a backend is a storage!
- why do we insist to have a thing called unix accounts? It just does
not make sense to me. We need "real" users/groups mapping instead
(opposed to created on the fly by winbind based accounts).

Simo.

On Wed, 2002-10-02 at 16:47, Jelmer Vernooij wrote:
> On Wed, Oct 02, 2002 at 09:19:47AM -0500, Gerald Carter wrote about 'Re: [PATCH] sam 
>backend parameter':
> > On Tue, 1 Oct 2002, Eddie Lania wrote:
> 
> > > Like I've said, I'm not a developer, but maybe the "multiple domain
> > > support" parameter could be extended with the backend method? Like this:
> 
> > > "multiple domain support = DOMA:backendA, DOMB:backendB, etc"
> > Can someone please explain the purpose of supporting accounts from 
> > different domains in a single SAM ?  Why would we ever want to do 
> > this?
> Builtin or multi-domain DC afaik - Kai and Andrew know all the how's
> and why's.
> 
> 
> Jelmer
> 
> -- 
> Jelmer Vernooij  <[EMAIL PROTECTED]>
> Pending (unfinished) patches 
>http://samba.org/~jelmer/diffs.php
-- 
Simo Sorce - [EMAIL PROTECTED]
Xsec s.r.l.
via Durando 10 Ed. G - 20158 - Milano
tel. +39 02 2399 7130 - fax: +39 02 700 442 399



signature.asc
Description: This is a digitally signed message part

Re: smbclient bug in 2.2.5

[jra]

On Wed, Oct 02, 2002 at 02:23:04PM -0700, Andrew Morgan wrote:
> 
> Works here.  Thanks for the quick response!
> 
> Will this make it into the 2.2.6 release?

Already did :-).

Thanks,

Jeremy.

Re: smbclient bug in 2.2.5

[Andrew Morgan]

Works here.  Thanks for the quick response!

Will this make it into the 2.2.6 release?

Andy

On Wed, 2 Oct 2002 [EMAIL PROTECTED] wrote:

> On Wed, Oct 02, 2002 at 09:26:08AM -0700, Andrew Morgan wrote:
> >
> > I think I've found a bug in the smbclient program in 2.2.5.  Smbclient
> > hard-codes the name_type to 0x20 (File Server) for all netbios queries,
> > but calling 'smbclient -M machine' should use a name_type of 0x03
> > (Messenger) instead.
> >
> > When sending a message to a machine, it is not necessary for the machine
> > to be running file sharing.  Our client machines have file sharing turned
> > off and do not register 0x20 with the WINS server.  I'm not sure when this
> > behavior changed, but the smbclient program from samba 2.0.10 works
> > correctly.
>
> Try this patch - I'm going to commit to all branches...
>
> Jeremy.
>
> Index: client/client.c
> ===
> RCS file: /data/cvs/samba/source/client/client.c,v
> retrieving revision 1.148.2.30
> diff -u -r1.148.2.30 client.c
> --- client/client.c 27 Aug 2002 14:49:19 -  1.148.2.30
> +++ client/client.c 2 Oct 2002 20:46:31 -
> @@ -2422,8 +2422,9 @@
>  }
>
>  /
> -handle a message operation
> + Handle a message operation.
>  /
> +
>  static int do_message_op(void)
>  {
> struct in_addr ip;
> @@ -2435,7 +2436,15 @@
> make_nmb_name(&called , desthost, name_type);
>
> zero_ip(&ip);
> -   if (have_ip) ip = dest_ip;
> +   if (have_ip)
> +   ip = dest_ip;
> +   else if (name_type != 0x20) {
> +   /* We must do our own resolve name here as the nametype is #0x3, not 
>#0x20. */
> +   if (!resolve_name(desthost, &ip, name_type)) {
> +   DEBUG(0,("Cannot resolve name %s#0x%x\n", desthost, 
>name_type));
> +   return 1;
> +   }
> +   }
>
> if (!(cli=cli_initialise(NULL)) || (cli_set_port(cli, port) == 0) || 
>!cli_connect(cli, desthost, &ip)) {
> DEBUG(0,("Connection to %s failed\n", desthost));
>

Re: Explaining the new SAM

[Jean Francois Micouleau]

On Wed, 2 Oct 2002, Andrew Bartlett wrote:

> Gerald Carter wrote:
> >
> > On Wed, 2 Oct 2002, Andrew Bartlett wrote:
> >
> > > > This seems like a lot of duplication of code and can lead to
> > > > "There's a bug in SAM1 but not SAM2".  If the access checks
> > > > will always be the same, why push them into the SAM module and
> > > > force each write to cut-n-paste security descriptor code.
> > >
> > > Yes, I am worried about that a bit.  The main issue is that I would like
> > > a single read from LDAP - so we don't get a race there.  But we could do
> > > it 'after the fact', and get each module to pass up the security
> > > descriptor to the SAM interface layer.
> >
> > Ahhhok I see now.  But it still seems like a lot of duplicated
> > code.
>
> I'm starting to agree that putting it in the interface is a 'good
> thing'.  If the backend wants to double-check, then that's fine, but the
> intereface should be handed back a sec desc to check itself.  (A SAM
> that really wants to get around this can return an allow-all sec desc if
> it must...).  This does make it harder for module writers to 'stuff up'.
>
> > Taking another perspective, i'm still not convinced why a security
> > descriptor on each SAM object is needed.  What do we gain by it
> > at the cost of added complexity?
>
> NT allows these to be set remotely on each SAM object.  In particular
> the 'user cannot change password' is implemented in terms of an NT ACL
> on the user in the SAM.
>
> > > > So a SAM is a passdb with ACL's.  What else?
> > >
> > > Groups and policies thown in, but it's not really meant to be that
> >
> > By policies you mean "rights" like "backup files" ?
>
> Also 'max password age' etc.
>
> > > massive.  One step at a time and such things.  Also a move to NTTIME in
> > > the interfaces, and an attempt to cope with a wider scope of problems.
> >
> > What "wider scope of problems"?  Without knowing what you are trying to
> > address, it's pretty hard to comment.
>
> Mostly to cope with all the things that can be set over the SAMR pipe.
> (most of which are above).  I think we are also meddiling a little in
> the LSA pipe too, which may or may not be a good thing...
>
> It may well make sense to store all the replication stuff in the same
> backend, to avoid having to run muliple synronistation setups.  (ie if
> LDAP is doing all the SAM stuff, make it keep the LSA secrets too).  I'm
> still thinking on this stuff, but that's the kind of longer-term I'm
> looking for.


It's getting clear that you are reinventing something we already have.
All your SAM api is simply the SAMR server pipe code. Why do you want to
implement a new api as we already have one ?

J.F.

Re: smbclient bug in 2.2.5

[jra]

On Wed, Oct 02, 2002 at 09:26:08AM -0700, Andrew Morgan wrote:
> 
> I think I've found a bug in the smbclient program in 2.2.5.  Smbclient
> hard-codes the name_type to 0x20 (File Server) for all netbios queries,
> but calling 'smbclient -M machine' should use a name_type of 0x03
> (Messenger) instead.
> 
> When sending a message to a machine, it is not necessary for the machine
> to be running file sharing.  Our client machines have file sharing turned
> off and do not register 0x20 with the WINS server.  I'm not sure when this
> behavior changed, but the smbclient program from samba 2.0.10 works
> correctly.

Try this patch - I'm going to commit to all branches...

Jeremy.

Index: client/client.c
===
RCS file: /data/cvs/samba/source/client/client.c,v
retrieving revision 1.148.2.30
diff -u -r1.148.2.30 client.c
--- client/client.c 27 Aug 2002 14:49:19 -  1.148.2.30
+++ client/client.c 2 Oct 2002 20:46:31 -
@@ -2422,8 +2422,9 @@
 }

 /
-handle a message operation
+ Handle a message operation.
 /
+
 static int do_message_op(void)
 {
struct in_addr ip;
@@ -2435,7 +2436,15 @@
make_nmb_name(&called , desthost, name_type);

zero_ip(&ip);
-   if (have_ip) ip = dest_ip;
+   if (have_ip)
+   ip = dest_ip;
+   else if (name_type != 0x20) {
+   /* We must do our own resolve name here as the nametype is #0x3, not 
+#0x20. */
+   if (!resolve_name(desthost, &ip, name_type)) {
+   DEBUG(0,("Cannot resolve name %s#0x%x\n", desthost, 
+name_type));
+   return 1;
+   }
+   }

if (!(cli=cli_initialise(NULL)) || (cli_set_port(cli, port) == 0) || 
!cli_connect(cli, desthost, &ip)) {
DEBUG(0,("Connection to %s failed\n", desthost));

Re: ACL inheritance mess with win2k clients...

[jra]

On Wed, Oct 02, 2002 at 04:05:45PM -0400, Eric Lee Steadle wrote:
> >Ok - so how does the W2K client "know" it's talking to a W2K or NT
> >server ? Any idea what criteria a W2K client uses to check ?
> 
> 
> Well, I'm pretty sure it (the client) checks for one or more w2k specific
> flags: SE_DACL_AUTO_INHERITED, or perhaps SE_DACL_PROTECTED. Jim said that the
> client sets the SE_DACL_AUTO_INHERITED flag, (which is not honored by Samba,
> nor would it be by NT4) then it queries for those flags again. I'd bet a
> quarter that it (the client) is trying to determine what ACL inheritence
> mechanism is being used by the server.

You'd lose that quarter Samba never sets any of these flags, so
the client cannot be using their presense to determine if we support
W2K or NT ACLs.

Jeremy.

RE: ACL inheritance mess with win2k clients...

[Eric Lee Steadle]

>Ok - so how does the W2K client "know" it's talking to a W2K or NT
>server ? Any idea what criteria a W2K client uses to check ?


Well, I'm pretty sure it (the client) checks for one or more w2k specific
flags: SE_DACL_AUTO_INHERITED, or perhaps SE_DACL_PROTECTED. Jim said that the
client sets the SE_DACL_AUTO_INHERITED flag, (which is not honored by Samba,
nor would it be by NT4) then it queries for those flags again. I'd bet a
quarter that it (the client) is trying to determine what ACL inheritence
mechanism is being used by the server.


Brown says (p. 227)

"If you want to determine whether a particular ACL is participating in a
Windows 2000 style automatic inheritence synchronization ccheme, look for the
following bits in the control word of the security descriptor by calling
GetSecurityDescriptorControl:
SE_DACL_AUTO_INHERITED
SE_SACL_AUTO_INHERITED



A security descriptor for securable objects looks like this:
typedef struct _SECURITY_DESCRIPTOR {
  BYTE  Revision;
  BYTE  Sbz1;
  SECURITY_DESCRIPTOR_CONTROL Control;
  PSID Owner;
  PSID Group;
  PACL Sacl;
  PACL Dacl;
} SECURITY_DESCRIPTOR, *PISECURITY_DESCRIPTOR;


The SECURITY_DESCRIPTOR_CONTROL member is a bitfield (16 bits) whose
parameters qualify the meaning of the fields in the security descriptor.

One of these bits is SE_DACL_AUTO_INHERITED.



According to MSDN documentation for SECURITY_DESCRIPTOR_CONTROL:

"SE_DACL_AUTO_INHERITED (Windows 2000 or later): Indicates a security
descriptor in which the DACL is set up to support automatic propagation of
inheritable ACEs to existing child objects.
For Windows 2000 ACLs that support auto inheritance, this bit is always set.
It is used to distinguish these ACLs from Windows NT 4.0 ACLs that do not
support auto-inheritance. Protected servers can call the
ConvertToAutoInheritPrivateObjectSecurity function to convert a security
descriptor and set this flag.

This bit is not set in security descriptors for Windows NT versions 4.0 and
earlier, which do not support automatic propagation of inheritable ACEs."

So MS servers keep track of it in their security descriptor control structure,
which I imagine is stored in the file system security database on disk.




All evidence points to SE_DACL_AUTO_INHERITED.
So if it's not working when set appropriately, then I'd say there's another
problem. Maybe with the inheritence mechanism itself? Or mabye both
SE_DACL_AUTO_INHERITED AND SE_SACL_AUTO_INHERITED must be set?


ERX






>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, October 02, 2002 3:23 PM
>To: Eric Lee Steadle
>Cc: Jim McDonough; [EMAIL PROTECTED]
>Subject: Re: ACL inheritance mess with win2k clients...
>
>
>On Wed, Oct 02, 2002 at 03:05:52PM -0400, Eric Lee Steadle wrote:
>> Yep. Exactly what I've observed and exactly as documented by MS.
>>
>> >He tries to set it to an NT server, also...but
>> >somehow he realizes that it doesn't get set and changes all the acls to
>> >match, rather than relying on inheritance.
>>
>> Because the client knows that NT4 servers don't do acl inheritence
>propogation
>> for him, but 2k servers do. This behavior is documented pretty
>well in Keith
>> Brown's book.
>
>Ok - so how does the W2K client "know" it's talking to a W2K or NT
>server ? Any idea what criteria a W2K client uses to check ?
>
>Jeremy.

RE: ACL inheritance mess with win2k clients...

[Jim McDonough]

>Because the client knows that NT4 servers don't do acl inheritence
propogation
>for him, but 2k servers do. This behavior is documented pretty well in
Keith
Yeah, I figured as much...but how do we make him realize WE don't do acl
inheritance propogation?


Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074
USA

[EMAIL PROTECTED]
[EMAIL PROTECTED]

Phone: (207) 885-5565
IBM tie-line: 776-9984

Re: ACL inheritance mess with win2k clients...

[jra]

On Wed, Oct 02, 2002 at 03:05:52PM -0400, Eric Lee Steadle wrote:
> Yep. Exactly what I've observed and exactly as documented by MS.
> 
> >He tries to set it to an NT server, also...but
> >somehow he realizes that it doesn't get set and changes all the acls to
> >match, rather than relying on inheritance.
> 
> Because the client knows that NT4 servers don't do acl inheritence propogation
> for him, but 2k servers do. This behavior is documented pretty well in Keith
> Brown's book.

Ok - so how does the W2K client "know" it's talking to a W2K or NT
server ? Any idea what criteria a W2K client uses to check ?

Jeremy.

RE: ACL inheritance mess with win2k clients...

[Eric Lee Steadle]

>-OriginThis behavior is documented pretty 
>well in Keith
>> Brown's book.
>
>Which one?


Oops, sorry...

"Programming Windows Security"
Keith Brown
Addison Wesley 
2000

p. 211 starts the discussion of NT4 acl inheritence. 
p. 215 talks about w2k. 

Repost: usrmgr fails to get local groups?

[Eddie Lania]

Hello,

Usrmgr.exe (UserManager for domains for windows nt) is unable to start
because it can't find the group (it says).
I hope that this problem can be solved soon.
Even while I shutted down Samba, deleted all tdb files and restarted Samba,
it still doesn't work.

Some technical information:

Compiled from cvs on 1 October 2002 at 23:20h CET.

RedHat 7.0 kernel, 2.2.19-7.0.16
openldap-2.0.21-0.7.1
nss_ldap-189-1.7
krb5-libs-1.2.2-14
krb5-devel-1.2.2-14
gcc version 2.96 2731 (Red Hat Linux 7.1 2.96-85)

/etc/pam.d/samba and /etc/nsswitch.conf configured as required.

Configure options used:

--sbindir=/usr/local/samba/bin \
--with-logfilebase=/var/log/samba \
--with-krb5=/usr/kerberos \
--with-smbmount \
--with-pam \
--with-acl-support


Output of smbgroupedit -vs

NT group (SID) -> Unix group
System Operators (S-1-5-32-549) -> Server Operators
Replicator (S-1-5-21-3705070864-1991026996-600314423-1457) -> Replicator
Account Operators (S-1-5-21-3705070864-1991026996-600314423-1449) -> Account
Operators
Replicators (S-1-5-32-552) -> Replicator
Guests (S-1-5-32-546) -> Guests
Power Users (S-1-5-32-547) -> Power Users
Print Operators (S-1-5-32-550) -> Print Operators
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Domain Users (S-1-5-21-3705070864-1991026996-600314423-1403) -> Domain Users
Domain Admins (S-1-5-21-3705070864-1991026996-600314423-1401) -> Domain
Admins
Server Operators (S-1-5-21-3705070864-1991026996-600314423-1451) -> Server
Operators
Users (S-1-5-21-3705070864-1991026996-600314423-1443) -> Users
Domain Guests (S-1-5-21-3705070864-1991026996-600314423-1405) -> Domain
Guests
Administrators (S-1-5-21-3705070864-1991026996-600314423-1441) ->
Administrators
Print Operators (S-1-5-21-3705070864-1991026996-600314423-1453) -> Print
Operators
Guests (S-1-5-21-3705070864-1991026996-600314423-1445) -> Guests
Backup Operators (S-1-5-32-551) -> Backup Operators
Users (S-1-5-32-545) -> Users
Backup Operators (S-1-5-21-3705070864-1991026996-600314423-1455) -> Backup
Operators
Domain Users (S-1-5-21-3705070864-1991026996-600314423-513) -> Domain Users
Power Users (S-1-5-21-3705070864-1991026996-600314423-1447) -> Power Users
Domain Admins (S-1-5-21-3705070864-1991026996-600314423-512) -> Domain
Admins
Domain Guests (S-1-5-21-3705070864-1991026996-600314423-514) -> Domain
Guests

Eddie.


> Hello,
>
> I compiled samba from cvs this morning.
> Now, using usrmgr.exe (svrtools for windows NT), it is unable to find the
> local groups?
>
> Anyone noticed this yet?
>
>
> Eddie.

RE: ACL inheritance mess with win2k clients...

[Richard Sharpe]

On Wed, 2 Oct 2002, Eric Lee Steadle wrote:

> Yep. Exactly what I've observed and exactly as documented by MS.
> 
> >He tries to set it to an NT server, also...but
> >somehow he realizes that it doesn't get set and changes all the acls to
> >match, rather than relying on inheritance.
> 
> Because the client knows that NT4 servers don't do acl inheritence propogation
> for him, but 2k servers do. This behavior is documented pretty well in Keith
> Brown's book.

Which one?

Regards
-
Richard Sharpe, [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED]

RE: ACL inheritance mess with win2k clients...

[Eric Lee Steadle]

Yep. Exactly what I've observed and exactly as documented by MS.

>He tries to set it to an NT server, also...but
>somehow he realizes that it doesn't get set and changes all the acls to
>match, rather than relying on inheritance.

Because the client knows that NT4 servers don't do acl inheritence propogation
for him, but 2k servers do. This behavior is documented pretty well in Keith
Brown's book.


ERX



>-Original Message-
>From: Jim McDonough [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, October 02, 2002 2:50 PM
>To: [EMAIL PROTECTED]
>Cc: [EMAIL PROTECTED]
>Subject: RE: ACL inheritance mess with win2k clients...
>
>
>
>>Maybe this one is set improperly?
>>
>>SE_DACL_AUTO_INHERITED
>Well, the 2k client tries to set it, but we don't honor it, and when he
>queries, it's not set.  He tries to set it to an NT server, also...but
>somehow he realizes that it doesn't get set and changes all the acls to
>match, rather than relying on inheritance.
>
>Jim McDonough
>IBM Linux Technology Center
>Samba Team
>6 Minuteman Drive
>Scarborough, ME 04074
>USA
>
>[EMAIL PROTECTED]
>[EMAIL PROTECTED]
>
>Phone: (207) 885-5565
>IBM tie-line: 776-9984
>

RE: ACL inheritance mess with win2k clients...

[Jim McDonough]

>Maybe this one is set improperly?
>
>SE_DACL_AUTO_INHERITED
Well, the 2k client tries to set it, but we don't honor it, and when he
queries, it's not set.  He tries to set it to an NT server, also...but
somehow he realizes that it doesn't get set and changes all the acls to
match, rather than relying on inheritance.

Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074
USA

[EMAIL PROTECTED]
[EMAIL PROTECTED]

Phone: (207) 885-5565
IBM tie-line: 776-9984

RE: Compile warnings.

[Green, Paul]

Generally these errors are not very interesting. However, patches are always
welcome to make them go away.  My experience is that it is a good idea to
test any such patches on a couple of different platforms before submitting
them, as these messages often are due to subtle incompatibilities between
headers on different implementations (e.g, "const char *" vs. "char *").

Thanks
PG


-Original Message-
From: Eddie Lania [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 02, 2002 4:10 AM
To: [EMAIL PROTECTED]
Subject: Compile warnings.


Compiled from cvs on 2 October 2002 at 09:48h CET.

RedHat 7.0 kernel, 2.2.19-7.0.16
openldap-2.0.21-0.7.1
nss_ldap-189-1.7
krb5-libs-1.2.2-14
krb5-devel-1.2.2-14
gcc version 2.96 2731 (Red Hat Linux 7.1 2.96-85)

Configure options used:

--sbindir=/usr/local/samba/bin \
--with-logfilebase=/var/log/samba \
--with-krb5=/usr/kerberos \
--with-smbmount \
--with-pam \
--with-acl-support

Warnings:

Compiling smbd/mangle_hash2.c
smbd/mangle_hash2.c: In function `cache_insert':
smbd/mangle_hash2.c:172: warning: assignment makes pointer from integer
without a cast
smbd/mangle_hash2.c: In function `is_mangled':
smbd/mangle_hash2.c:263: warning: initialization makes pointer from integer
without a cast

Compiling libsmb/clispnego.c
libsmb/clispnego.c: In function `spnego_gen_negTokenTarg':
libsmb/clispnego.c:330: warning: passing arg 1 of `krb5_get_ticket' discards
qualifiers from pointer target type

Compiling passdb/secrets.c
passdb/secrets.c: In function `secrets_fetch':
passdb/secrets.c:61: warning: assignment discards qualifiers from pointer
target type
passdb/secrets.c: In function `secrets_store':
passdb/secrets.c:77: warning: assignment discards qualifiers from pointer
target type
passdb/secrets.c:79: warning: assignment discards qualifiers from pointer
target type
passdb/secrets.c: In function `secrets_delete':
passdb/secrets.c:93: warning: assignment discards qualifiers from pointer
target type
passdb/secrets.c: In function `secrets_lock_trust_account_password':
passdb/secrets.c:218: warning: passing arg 2 of `tdb_lock_bystring' discards
qualifiers from pointer target type
passdb/secrets.c:220: warning: passing arg 2 of `tdb_unlock_bystring'
discards qualifiers from pointer target type
passdb/secrets.c: In function `secrets_get_trusted_domains':
passdb/secrets.c:509: warning: assignment makes pointer from integer without
a cast
passdb/secrets.c: In function `secrets_named_mutex':
passdb/secrets.c:610: warning: passing arg 1 of `tdb_set_lock_alarm'
discards qualifiers from pointer target type

Compiling lib/util_str.c
lib/util_str.c: In function `str_list_make':
lib/util_str.c:1160: warning: passing arg 3 of `next_token' discards
qualifiers from pointer target type

Compiling lib/util.c
lib/util.c: In function `smb_xstrndup':
lib/util.c:1832: warning: initialization makes pointer from integer without
a cast

Compiling lib/gencache.c
lib/gencache.c: In function `gencache_get':
lib/gencache.c:248: warning: initialization makes pointer from integer
without a cast
lib/gencache.c: In function `gencache_iterate':
lib/gencache.c:303: warning: assignment makes pointer from integer without a
cast

Compiling libads/ldap.c
libads/ldap.c: In function `ads_do_paged_search':
libads/ldap.c:443: warning: passing arg 2 of `str_list_copy' from
incompatible pointer type
libads/ldap.c: In function `ads_do_search':
libads/ldap.c:669: warning: passing arg 2 of `str_list_copy' from
incompatible pointer type

Compiling libads/ldap_printer.c
libads/ldap_printer.c: In function `ads_mod_printer_entry':
libads/ldap_printer.c:80: warning: passing arg 4 of `ads_mod_strlist' from
incompatible pointer type
libads/ldap_printer.c:96: warning: passing arg 4 of `ads_mod_strlist' from
incompatible pointer type
libads/ldap_printer.c:99: warning: passing arg 4 of `ads_mod_strlist' from
incompatible pointer type

Compiling libads/kerberos.c
libads/kerberos.c: In function `kerberos_kinit_password':
libads/kerberos.c:80: warning: passing arg 6 of
`krb5_get_init_creds_password' discards qualifiers from pointer target type

Compiling utils/net_ads.c
utils/net_ads.c: In function `net_ads_printer_info':
utils/net_ads.c:722: warning: passing arg 4 of `ads_find_printer_on_server'
discards qualifiers from pointer target type
utils/net_ads.c: In function `net_ads_printer_publish':
utils/net_ads.c:774: warning: assignment discards qualifiers from pointer
target type
utils/net_ads.c: In function `net_ads_printer_remove':
utils/net_ads.c:812: warning: assignment discards qualifiers from pointer
target type

Compiling utils/net_cache.c
utils/net_cache.c: In function `parse_timeout':
utils/net_cache.c:85: warning: assignment makes pointer from integer without
a cast

Re: Explaining the new SAM

[Stefan (metze) Metzmacher]

At 23:21 02.10.2002 +1000, Andrew Bartlett wrote:
>Gerald Carter wrote:
> >
> > On Wed, 2 Oct 2002, Andrew Bartlett wrote:
> >
> > > > This seems like a lot of duplication of code and can lead to
> > > > "There's a bug in SAM1 but not SAM2".  If the access checks
> > > > will always be the same, why push them into the SAM module and
> > > > force each write to cut-n-paste security descriptor code.
> > >
> > > Yes, I am worried about that a bit.  The main issue is that I would like
> > > a single read from LDAP - so we don't get a race there.  But we could do
> > > it 'after the fact', and get each module to pass up the security
> > > descriptor to the SAM interface layer.
> >
> > Ahhhok I see now.  But it still seems like a lot of duplicated
> > code.
>
>I'm starting to agree that putting it in the interface is a 'good
>thing'.  If the backend wants to double-check, then that's fine, but the
>intereface should be handed back a sec desc to check itself.  (A SAM
>that really wants to get around this can return an allow-all sec desc if
>it must...).  This does make it harder for module writers to 'stuff up'.

what's about a BOOL flag in the SAM_METHODS struct :
BOOL access_check_intern;

if False the interface should handle the sec_check.
if True the backend will handle it.

And double access check isn't a good way!
(we want to handle large domains, and for this we have to be as fast as 
possible)


> > Taking another perspective, i'm still not convinced why a security
> > descriptor on each SAM object is needed.  What do we gain by it
> > at the cost of added complexity?
>
>NT allows these to be set remotely on each SAM object.  In particular
>the 'user cannot change password' is implemented in terms of an NT ACL
>on the user in the SAM.

We didn't have to store a SEC_DESC on each entry. We can use a default, but 
we have to be able to store it on each entry if the admin changes it 
explicit on the entry.


> > > > So a SAM is a passdb with ACL's.  What else?
> > >
> > > Groups and policies thown in, but it's not really meant to be that
> >
> > By policies you mean "rights" like "backup files" ?
>
>Also 'max password age' etc.
>
> > > massive.  One step at a time and such things.  Also a move to NTTIME in
> > > the interfaces, and an attempt to cope with a wider scope of problems.
> >
> > What "wider scope of problems"?  Without knowing what you are trying to
> > address, it's pretty hard to comment.
>
>Mostly to cope with all the things that can be set over the SAMR pipe.
>(most of which are above).  I think we are also meddiling a little in
>the LSA pipe too, which may or may not be a good thing...
>
>It may well make sense to store all the replication stuff in the same
>backend, to avoid having to run muliple synronistation setups.  (ie if
>LDAP is doing all the SAM stuff, make it keep the LSA secrets too).  I'm
>still thinking on this stuff, but that's the kind of longer-term I'm
>looking for.

that would be fine:-)


>Andrew Bartlett
>
>--
>Andrew Bartlett [EMAIL PROTECTED]
>Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
>Student Network Administrator, Hawker College   [EMAIL PROTECTED]
>http://samba.org http://build.samba.org http://hawkerc.net


metze
-
Stefan "metze" Metzmacher <[EMAIL PROTECTED]>

Re: Recent Upgrade to Fix SNAP Server Problem

[jra]

On Thu, Oct 03, 2002 at 01:05:00AM +1000, Andrew Bartlett wrote:
> Irving Carrion wrote:
> > 
> > Greetings!
> > 
> > We just recently upgraded from Samba 2.2.3a to 2.999+3.0cvs20 and are
> > having a few problems.  The "domain admin group" that used to work in
> > the previous version no longer does. According to the docs
> > smb.conf.5.html the command is still there and still active.  Obviously
> > I have missed something... can anyone relay some info my way.
> 
> You are trusting our documentation...?

To comment on this Yes, you *should* trust our documentation
(I don't want Andrew to make people lose confidence in this). We
put a lot of work into making the docs accurate - but only for
*production* releases.

That currently means we're finishing the docs for 2.2.6. In fact,
missing docs are considered a show-stopper for a production release
and we won't ship without them.

Just to clear that up.

Jeremy.

Re: [PATCH] sam backend parameter

[Gerald Carter]

On Wed, 2 Oct 2002 [EMAIL PROTECTED] wrote:

> > The other cases for 'multiple domain' support involve the way these
> > users are reflected back into unix by winbindd, which might be running
> > on a system that has multiple, independent smbd instances on separate
> > IPs.  

OK.  I just caught this.  One winbnidd install serving multiple smbd
installations on the same host?  This seems like complicating the 
a corner case requirement.  My concern is about the ongoing maintainence
and administration of the code. 

Code that is only understood by one person is unmaintainable code.
Nothing against you mind you.  If i was the only one who understand
how our printer change notify code worked for example, I would argue 
the same point.

It could also be that the only one person understands it phenomena
it partly our fault as well for not digging in earlier.  Water under 
the bridge at this point.  Well work on it better in the future :-)





cheers, jerry
 -
 Hewlett-Packard http://www.hp.com
 SAMBA Team   http://www.samba.org
 --http://www.plainjoe.org
 "SAMS Teach Yourself Samba in 24 Hours" 2ed.   ISBN 0-672-32269-2
 --"I never saved anything for the swim back." Ethan Hawk in Gattaca--

RE: Recent Upgrade to Fix SNAP Server Problem

[Irving Carrion]

Does anyone know what the below log means:

[2002/10/02 12:44:37, 0]
rpc_server/srv_util.c:get_domain_user_groups(342)
  get_domain_user_groups: primary gid of user [root] is not a Domain
group !
  get_domain_user_groups: You should fix it, NT doesn't like that

Our users are unable to login now.  Windows error says "Make sure your
username and domain are correct"  
It is CORRECT.

Any help highly appreciated.

Thanks!
IRV



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Andrew
Bartlett
Sent: Wednesday, October 02, 2002 11:05 AM
To: Irving Carrion
Cc: [EMAIL PROTECTED]
Subject: Re: Recent Upgrade to Fix SNAP Server Problem

Irving Carrion wrote:
> 
> Greetings!
> 
> We just recently upgraded from Samba 2.2.3a to 2.999+3.0cvs20 and are
> having a few problems.  The "domain admin group" that used to work in
> the previous version no longer does. According to the docs
> smb.conf.5.html the command is still there and still active.
Obviously
> I have missed something... can anyone relay some info my way.

You are trusting our documentation...?

> Also testparm has reported that I am using "wins support" and "wins
> server" commands in the smb.conf file, but I am NOT.  All I have is "
> wins support = Yes".

Known issue

> Any info on the postscript error below would help but not critical at
> this point.
> 
> I'm running testparm on my smb.conf and I get the following errors:
> 
> ///ERRORS BEGIN
> Unknown parameter encountered: "domain admin group"
> Ignoring unknown parameter "domain admin group"

See smbgroupedit.  It handles this stuff for now.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net

Re: [PATCH] sam backend parameter

[jra]

On Thu, Oct 03, 2002 at 12:30:30AM +1000, Andrew Bartlett wrote:
> Gerald Carter wrote:
> > 
> > On Tue, 1 Oct 2002, Eddie Lania wrote:
> > 
> > > Like I've said, I'm not a developer, but maybe the "multiple domain
> > > support" parameter could be extended with the backend method? Like this:
> > >
> > > "multiple domain support = DOMA:backendA, DOMB:backendB, etc"
> > 
> > Can someone please explain the purpose of supporting accounts from
> > different domains in a single SAM ?  Why would we ever want to do
> > this?
> 
> No, the idea is that one SAM backend would know about only one domain,
> but that we could have multiple domains, each with their own backend. 
> For smbd it doesn't make much sense, except that I was looking at
> handling 'builtin' stuff by abstraction into a separate 'domain' this
> way.  (I favor putting special cases into modules, rather than in
> interfaces).
> 
> The other cases for 'multiple domain' support involve the way these
> users are reflected back into unix by winbindd, which might be running
> on a system that has multiple, independent smbd instances on separate
> IPs.  

Use vmware or virtual hosts for this. It's not something that Samba
needs to be architectured around.

> In any case, the syntax will need to get much clearer if this is to stay
> around for long.  (idra seems determined to kill it).  

Me too. This is too ugly to live. I also don't agree that BUILTIN
should be handled as a separate domain.

The multiple domain stuff really has to go, as Gerry says, why would
anyone want to do that ?

Jeremy.

smbclient bug in 2.2.5

[Andrew Morgan]

I think I've found a bug in the smbclient program in 2.2.5.  Smbclient
hard-codes the name_type to 0x20 (File Server) for all netbios queries,
but calling 'smbclient -M machine' should use a name_type of 0x03
(Messenger) instead.

When sending a message to a machine, it is not necessary for the machine
to be running file sharing.  Our client machines have file sharing turned
off and do not register 0x20 with the WINS server.  I'm not sure when this
behavior changed, but the smbclient program from samba 2.0.10 works
correctly.

Thanks,
Andy

Samba 3.0 Alpha 21 cvs + LDAP

[Dennis Lattka]

I can't get smbd to bind with the LDAP server to authenticate.

Configured using the following:

./configure  --prefix=/usr --localstatedir=/var 
--with-configdir=/etc/samba --with-fhs --with-swatdir=/usr/share/swat 
--enable-cups --with-pam --with-pam_smbpass --with-ldapsam --with-syslog 
--with-acl-support

testparm show the following:

 testparm   
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[home]"
Loaded services file OK.
Press enter to see a dump of your service definitions

# Global parameters
[global]
workgroup = AVLSI
netbios name = DEVEL
netbios aliases = Devel
obey pam restrictions = Yes
smb passwd file =
passdb backend = ldapsam, ldap://ldap.example.com
pam password change = Yes
passwd program = /usr/sbin/ldappasswd
unix password sync = Yes
lanman auth = No
log level = 3
syslog = 3
log file = /var/log/samba
name resolve order = dns wins bcast
time server = Yes
logon path = \\home\home\user\%U\WINDOWS
logon drive = U:
logon home = \\home\home\user\%U
domain logons = Yes
domain master = True
dns proxy = No
wins support = Yes
ldap suffix = dc=example,dc=com
ldap machine suffix = ou=System,dc=example,dc=com
ldap user suffix = ou=People,dc=example,dc=com
ldap admin dn = cn=Manager,dc=example,dc=com
ldap ssl = start tls
ldap passwd sync = Yes
oplocks = No
level2 oplocks = No

[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

[home]
comment = Home Directories
path = /home/
guest ok = Yes
hosts allow = 10.0.0.0/255.255.0.0

I've run smbpasswd -w password which works and then tried smbpasswd root 
with the following message:

 smbpasswd root
New SMB password:
Retype new SMB password:
Loading ldap://ldap.example.com failed!
Failed to find entry for user root.
Failed to modify password entry for user root

also setting the logging to 0 or 1 or 3 seems to make no difference. I 
must be missing some little detail here because others appear to be able 
to set this up. Please help. Thank you.

Dennis

Re: Recent Upgrade to Fix SNAP Server Problem

[Andrew Bartlett]

Irving Carrion wrote:
> 
> Greetings!
> 
> We just recently upgraded from Samba 2.2.3a to 2.999+3.0cvs20 and are
> having a few problems.  The "domain admin group" that used to work in
> the previous version no longer does. According to the docs
> smb.conf.5.html the command is still there and still active.  Obviously
> I have missed something... can anyone relay some info my way.

You are trusting our documentation...?

> Also testparm has reported that I am using "wins support" and "wins
> server" commands in the smb.conf file, but I am NOT.  All I have is "
> wins support = Yes".

Known issue

> Any info on the postscript error below would help but not critical at
> this point.
> 
> I'm running testparm on my smb.conf and I get the following errors:
> 
> ///ERRORS BEGIN
> Unknown parameter encountered: "domain admin group"
> Ignoring unknown parameter "domain admin group"

See smbgroupedit.  It handles this stuff for now.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net

Recent Upgrade to Fix SNAP Server Problem

[Irving Carrion]

Greetings!

We just recently upgraded from Samba 2.2.3a to 2.999+3.0cvs20 and are
having a few problems.  The "domain admin group" that used to work in
the previous version no longer does. According to the docs
smb.conf.5.html the command is still there and still active.  Obviously
I have missed something... can anyone relay some info my way.

Also testparm has reported that I am using "wins support" and "wins
server" commands in the smb.conf file, but I am NOT.  All I have is "
wins support = Yes".

Any info on the postscript error below would help but not critical at
this point.

I'm running testparm on my smb.conf and I get the following errors:

///ERRORS BEGIN
Unknown parameter encountered: "domain admin group"
Ignoring unknown parameter "domain admin group"

WARNING: The "postscript" option is deprecated

ERROR: both 'wins support = true' and 'wins server = ' cannot be
set in the smb.conf file. nmbd will abort with this setting. ///ERRORS
END


Any help would be Gratefully appreciated!!!

IRV

Re: [PATCH] sam backend parameter

[Jelmer Vernooij]

On Wed, Oct 02, 2002 at 09:19:47AM -0500, Gerald Carter wrote about 'Re: [PATCH] sam 
backend parameter':
> On Tue, 1 Oct 2002, Eddie Lania wrote:

> > Like I've said, I'm not a developer, but maybe the "multiple domain
> > support" parameter could be extended with the backend method? Like this:

> > "multiple domain support = DOMA:backendA, DOMB:backendB, etc"
> Can someone please explain the purpose of supporting accounts from 
> different domains in a single SAM ?  Why would we ever want to do 
> this?
Builtin or multi-domain DC afaik - Kai and Andrew know all the how's
and why's.


Jelmer

-- 
Jelmer Vernooij  <[EMAIL PROTECTED]>
Pending (unfinished) patches http://samba.org/~jelmer/diffs.php

Re: [PATCH] sam backend parameter

[Andrew Bartlett]

Gerald Carter wrote:
> 
> On Tue, 1 Oct 2002, Eddie Lania wrote:
> 
> > Like I've said, I'm not a developer, but maybe the "multiple domain
> > support" parameter could be extended with the backend method? Like this:
> >
> > "multiple domain support = DOMA:backendA, DOMB:backendB, etc"
> 
> Can someone please explain the purpose of supporting accounts from
> different domains in a single SAM ?  Why would we ever want to do
> this?

No, the idea is that one SAM backend would know about only one domain,
but that we could have multiple domains, each with their own backend. 
For smbd it doesn't make much sense, except that I was looking at
handling 'builtin' stuff by abstraction into a separate 'domain' this
way.  (I favor putting special cases into modules, rather than in
interfaces).

The other cases for 'multiple domain' support involve the way these
users are reflected back into unix by winbindd, which might be running
on a system that has multiple, independent smbd instances on separate
IPs.  

In any case, the syntax will need to get much clearer if this is to stay
around for long.  (idra seems determined to kill it).  

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net

Re: register_message_flags: tdb_fetch failed

[Gerald Carter]

On Tue, 1 Oct 2002, Eddie Lania wrote:

> Does somebody knows what is causing this problem?
> 
> [2002/10/01 09:32:28, 1, effective(500, 500), real(0, 0)]
> smbd/ipc.c:api_fd_reply(284)
>   api_fd_reply: INVALID PIPE HANDLE: 76e3
> [2002/10/01 09:32:30, 1, effective(500, 500), real(0, 0)]
> smbd/service.c:make_connection_snum(681)
>   192.168.168.35 (192.168.168.35) connect to service eddie initially as user
> eddie (uid=500, gid=500) (pid 30099)
> [2002/10/01 09:32:44, 1, effective(0, 0), real(0, 0)]
> smbd/service.c:close_cnum(852)
>   192.168.168.35 (192.168.168.35) closed connection to service eddie
> [2002/10/01 09:39:29, 0, effective(0, 0), real(0, 0)]
> lib/util_sock.c:read_socket_data(418)
>   read_socket_data: recv failure for 4. Error = Connection reset by peer

Have you tried removing the volatile TDB's and erstarting Samba?
Just a guess



cheers, jerry
 -
 Hewlett-Packard http://www.hp.com
 SAMBA Team   http://www.samba.org
 --http://www.plainjoe.org
 "SAMS Teach Yourself Samba in 24 Hours" 2ed.   ISBN 0-672-32269-2
 --"I never saved anything for the swim back." Ethan Hawk in Gattaca--

Re: [PATCH] sam backend parameter

[Gerald Carter]

On Tue, 1 Oct 2002, Eddie Lania wrote:

> Like I've said, I'm not a developer, but maybe the "multiple domain
> support" parameter could be extended with the backend method? Like this:
> 
> "multiple domain support = DOMA:backendA, DOMB:backendB, etc"

Can someone please explain the purpose of supporting accounts from 
different domains in a single SAM ?  Why would we ever want to do 
this?


cheers, jerry

 -
 Hewlett-Packard http://www.hp.com
 SAMBA Team   http://www.samba.org
 --http://www.plainjoe.org
 "SAMS Teach Yourself Samba in 24 Hours" 2ed.   ISBN 0-672-32269-2
 --"I never saved anything for the swim back." Ethan Hawk in Gattaca--

Re: Explaining the new SAM

[Andrew Bartlett]

Gerald Carter wrote:
> 
> On Wed, 2 Oct 2002, Andrew Bartlett wrote:
> 
> > > This seems like a lot of duplication of code and can lead to
> > > "There's a bug in SAM1 but not SAM2".  If the access checks
> > > will always be the same, why push them into the SAM module and
> > > force each write to cut-n-paste security descriptor code.
> >
> > Yes, I am worried about that a bit.  The main issue is that I would like
> > a single read from LDAP - so we don't get a race there.  But we could do
> > it 'after the fact', and get each module to pass up the security
> > descriptor to the SAM interface layer.
> 
> Ahhhok I see now.  But it still seems like a lot of duplicated
> code.

I'm starting to agree that putting it in the interface is a 'good
thing'.  If the backend wants to double-check, then that's fine, but the
intereface should be handed back a sec desc to check itself.  (A SAM
that really wants to get around this can return an allow-all sec desc if
it must...).  This does make it harder for module writers to 'stuff up'.

> Taking another perspective, i'm still not convinced why a security
> descriptor on each SAM object is needed.  What do we gain by it
> at the cost of added complexity?

NT allows these to be set remotely on each SAM object.  In particular
the 'user cannot change password' is implemented in terms of an NT ACL
on the user in the SAM.

> > > So a SAM is a passdb with ACL's.  What else?
> >
> > Groups and policies thown in, but it's not really meant to be that
> 
> By policies you mean "rights" like "backup files" ?

Also 'max password age' etc.

> > massive.  One step at a time and such things.  Also a move to NTTIME in
> > the interfaces, and an attempt to cope with a wider scope of problems.
> 
> What "wider scope of problems"?  Without knowing what you are trying to
> address, it's pretty hard to comment.

Mostly to cope with all the things that can be set over the SAMR pipe. 
(most of which are above).  I think we are also meddiling a little in
the LSA pipe too, which may or may not be a good thing...  

It may well make sense to store all the replication stuff in the same
backend, to avoid having to run muliple synronistation setups.  (ie if
LDAP is doing all the SAM stuff, make it keep the LSA secrets too).  I'm
still thinking on this stuff, but that's the kind of longer-term I'm
looking for.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net

Re: DatabaseFS VFS module

[Gerald Carter]

On Tue, 1 Oct 2002, Eric Lorimer wrote:

> I don't have a problem if someone wants to include this in 
> examples/VFS. I'll try to keep the web site updated as often 
> as possible, though.

Eric, 

I would rather keep it at your site for the simple reason of 
maintaince. I did however place a copy of yoru annonucement 
mail in the README.OtherModules file.  This way, you don't have to 
wait on us to integrate patches you send. :-)




cheers, jerry
 -
 Hewlett-Packard http://www.hp.com
 SAMBA Team   http://www.samba.org
 --http://www.plainjoe.org
 "SAMS Teach Yourself Samba in 24 Hours" 2ed.   ISBN 0-672-32269-2
 --"I never saved anything for the swim back." Ethan Hawk in Gattaca--

Re: Explaining the new SAM

[Gerald Carter]

On Wed, 2 Oct 2002, Andrew Bartlett wrote:

> > This seems like a lot of duplication of code and can lead to
> > "There's a bug in SAM1 but not SAM2".  If the access checks
> > will always be the same, why push them into the SAM module and
> > force each write to cut-n-paste security descriptor code.
> 
> Yes, I am worried about that a bit.  The main issue is that I would like
> a single read from LDAP - so we don't get a race there.  But we could do
> it 'after the fact', and get each module to pass up the security
> descriptor to the SAM interface layer.

Ahhhok I see now.  But it still seems like a lot of duplicated 
code.  

Taking another perspective, i'm still not convinced why a security
descriptor on each SAM object is needed.  What do we gain by it
at the cost of added complexity?

> > So a SAM is a passdb with ACL's.  What else?
> 
> Groups and policies thown in, but it's not really meant to be that

By policies you mean "rights" like "backup files" ?

> massive.  One step at a time and such things.  Also a move to NTTIME in
> the interfaces, and an attempt to cope with a wider scope of problems.

What "wider scope of problems"?  Without knowing what you are trying to 
address, it's pretty hard to comment.

> Mostly it's a rework so we could move further forward then passdb could
> reasonably be streached.  It sounds big, but it really isn't...






cheers, jerry
 -
 Hewlett-Packard http://www.hp.com
 SAMBA Team   http://www.samba.org
 --http://www.plainjoe.org
 "SAMS Teach Yourself Samba in 24 Hours" 2ed.   ISBN 0-672-32269-2
 --"I never saved anything for the swim back." Ethan Hawk in Gattaca--

usrmgr fails to get local groups?

[Eddie Lania]

Hello,

I compiled samba from cvs this morning.
Now, using usrmgr.exe (svrtools for windows NT), it is unable to find the
local groups?

Anyone noticed this yet?


Eddie.

Re: Samba 3.0 alpha and LDAP: some questions

[Andrew Bartlett]

PINTO ELIA wrote:
> 
> Hi all
> 
> We are migrating from an AS/U(Advanced Server for Unix)/NT environment  to
> Samba/NT, using the Samba 3.0 alpha19.
> We have implemented a domain with Samba acting as both PDC and BDC. Also we
> use  OpenLDAP as Samba backend in multimaster replication  to realize the
> sam syncronization between  PDC and BDC. At the moment  not all our
> requirement are satisfied. We'd like to have your help to overcome the
> obstacles. Following are the questions raised during our implementation:
> 
> 1)   Samba schema does not include the Domain groups and the
> domain SID. Is it scheduled to include these in the Samba schema? I think
> that is useful (no local
> Secrets.tdb and group_mapping.tdb to replicate via rsync)

We are activly looking at these issues, and the best way to solve them
in both the long and short term.  

> 2)  About BDC, could I update the user accounts when the PDC is
> down? Is the BDC read-only like NT for the SAM?

Yes, the BDC is considerd read-only.  If you really have a mulimaster
replication scheme, then you could 'flip' the BDC up to a PDC for that
period, but windows clients won't attempt to send updates to a BDC. 
pdbedit/smbpasswd etc don't actually know about this, so would attempt
to update regardless.

> 3)  We have dumped the Sam database from the AS/U server to
> fully migrate our environment to Samba.  We've seen that some machine
> accounts and interdomain trust account  have the lanman password length = 0,
> lm password null and  ntpasswd not null.

This is correct.  Samba only sets both for historical reasons.  It sets
them to the same value too...

>  How the Samba  would  interpret that behaviors?  That means  we
> should put "NO PASSWORDxxx...",  or "disabled" for those accounts? I have
> also found that after removing lmPassword from the SAMBA LDAP interdomain
> trust account  (with ldapmodify ) the trust seems to work but is this the
> right thing to do ?

In Samba 3.0, this should be fine.  I put a bit of work into ensuring
that 'magic' tests on the value on the LM password no longer apply.  

> 4)  What does mean the acctFlag for "MNS logon account" ?

No idea...

> We hope you could kindly give us some suggestion. At the end of our project
> we'll like to public our experiences if could be contribute to the Samba
> community.

I look forward to hearing how you go.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net

Samba 3.0a20+LDAP-backend group-builit and mapping questions

[Ignacio Coupeau]

I'm been playing with the groups and LDAP (passdb backend) and found two 
problems:

1. When -as local admin in a XP domain member ws-, from the 
administrative tools (control pannel) I select "add a group" an ldap 
search is performed, like:

 > ldapsam_search_one_user: searching
 >  for:[(&(uid=Administrators)(objectclass=sambaAccount))]

I have the groups defined in samba-pdc and several maps also:

> bin/smbgroupedit -l | grep -A 1 Admin
> Administrators
> SID   : S-1-5-32-544
> --
> Domain Admins
> SID   : S-1-5-21-298858960-1863792627-3661451959-512
> -

and the groups don't be found at all (nor builtin nor defined). Of 
course, if I provide an user present in the ldap base, is added 
perfectly. This issue is only with (domain, non-local) groups.

2. After intend to add a new group in XP from the domain, all the 
database are searched:
> base="o=smb,dc=unav,dc=es" scope=2 filter="(&(uid=*)(objectClass=sambaAccount))"  
> ... and enumerated:
> [2002/10/03 00:27:05, 2] passdb/pdb_ldap.c:ldapsam_setsampwent(1218)
>   ldapsam_setsampwent: 27303 entries in the base!

(BTW: I selected "Group" no "Group and users" in the object class to 
search from XP).

Is this a know issue?
if so, Some link?

Note: the PDC has pam and nsswitch for unix accounting.

Thanks,
Ignacio
-- 

Ignacio Coupeau, Ph.D. e-mail: [EMAIL PROTECTED]
CTI, Director  fax:948 425619
University of Navarra  voice:  948 425600
Pamplona, SPAINhttp://www.unav.es/cti/

Samba 3.0 alpha and LDAP: some questions

[PINTO ELIA]

Hi all

We are migrating from an AS/U(Advanced Server for Unix)/NT environment  to
Samba/NT, using the Samba 3.0 alpha19.
We have implemented a domain with Samba acting as both PDC and BDC. Also we
use  OpenLDAP as Samba backend in multimaster replication  to realize the
sam syncronization between  PDC and BDC. At the moment  not all our
requirement are satisfied. We'd like to have your help to overcome the
obstacles. Following are the questions raised during our implementation:

1)   Samba schema does not include the Domain groups and the
domain SID. Is it scheduled to include these in the Samba schema? I think
that is useful (no local
Secrets.tdb and group_mapping.tdb to replicate via rsync)
2)  About BDC, could I update the user accounts when the PDC is
down? Is the BDC read-only like NT for the SAM?
3)  We have dumped the Sam database from the AS/U server to
fully migrate our environment to Samba.  We've seen that some machine
accounts and interdomain trust account  have the lanman password length = 0,
lm password null and  ntpasswd not null.
 How the Samba  would  interpret that behaviors?  That means  we
should put "NO PASSWORDxxx...",  or "disabled" for those accounts? I have
also found that after removing lmPassword from the SAMBA LDAP interdomain
trust account  (with ldapmodify ) the trust seems to work but is this the
right thing to do ? 
4)  What does mean the acctFlag for "MNS logon account" ?


We hope you could kindly give us some suggestion. At the end of our project
we'll like to public our experiences if could be contribute to the Samba
community.
 

Testing and the 'new SAM'

[Andrew Bartlett]

Some more jottings on bits of the 'new SAM' stuff.

Testing
===

Testing is vital in any piece of software, and Samba is certainly no
exception. In designing this new subsystem, we have taken care to ensure
it is easily tested, independent of outside protocols.

To this end, Jelmer has constructed 'samtest'.  

This utility (see torture/samtest.c) is structured like rpcclient, but
instead operates on the SAM subsystem.  It creates a 'custom' SAM
context, that may be distinct from the default values used by the rest
of the system, and can load a separate configuration file.  

A small number of commands are currently implemented, but these have
already proved vital in testing.   I expect SAM module authors will find
it particularly valuable.

Example useage:

bin/samtest

> context ads:ldap://192.168.1.96
(this loads a new context, using the new ADS module.  The paramater is
the 'location' of the ldap server)

> lookup_name DOMAIN abartlet
(returns a sid).

> quit

Because the 'new SAM' is NT ACL based, there will be a command to
specify an arbitrary NT ACL, but for now it uses 'system' by default.

sam_ads
===

This is the first of the SAM modules to be committed to the tree -
mainly because I needed to coordinate work with metze (who authored most
of it).  This module aims to use Samba's libads code to provide an
Active Directory LDAP client, suitable for use on a mixed-mode DC. 
While it is currently being tested against Win2k servers (with a
password in the smb.conf file) it is expected to eventually use a
(possibly modified) OpenLDAP server.  We hope that this will assist in
the construction of an Samba AD DC.

We also intend to construct a Samba 2.2/3.0 compatible ldap module,
again using libads code.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net

fsp->modified - What's it for ?

[Nir Livni]

I am using samba-2.2.1a
 
I was wondering what is the usage of the 
field fsp->modified.
I saw it is changed to True when I write 
to a file, but does not change when I truncate a file.
Moreover - It is never checked for its 
content.
 
Thanks,
Nir

Compile warnings.

[Eddie Lania]

Compiled from cvs on 2 October 2002 at 09:48h CET.

RedHat 7.0 kernel, 2.2.19-7.0.16
openldap-2.0.21-0.7.1
nss_ldap-189-1.7
krb5-libs-1.2.2-14
krb5-devel-1.2.2-14
gcc version 2.96 2731 (Red Hat Linux 7.1 2.96-85)

Configure options used:

--sbindir=/usr/local/samba/bin \
--with-logfilebase=/var/log/samba \
--with-krb5=/usr/kerberos \
--with-smbmount \
--with-pam \
--with-acl-support

Warnings:

Compiling smbd/mangle_hash2.c
smbd/mangle_hash2.c: In function `cache_insert':
smbd/mangle_hash2.c:172: warning: assignment makes pointer from integer
without a cast
smbd/mangle_hash2.c: In function `is_mangled':
smbd/mangle_hash2.c:263: warning: initialization makes pointer from integer
without a cast

Compiling libsmb/clispnego.c
libsmb/clispnego.c: In function `spnego_gen_negTokenTarg':
libsmb/clispnego.c:330: warning: passing arg 1 of `krb5_get_ticket' discards
qualifiers from pointer target type

Compiling passdb/secrets.c
passdb/secrets.c: In function `secrets_fetch':
passdb/secrets.c:61: warning: assignment discards qualifiers from pointer
target type
passdb/secrets.c: In function `secrets_store':
passdb/secrets.c:77: warning: assignment discards qualifiers from pointer
target type
passdb/secrets.c:79: warning: assignment discards qualifiers from pointer
target type
passdb/secrets.c: In function `secrets_delete':
passdb/secrets.c:93: warning: assignment discards qualifiers from pointer
target type
passdb/secrets.c: In function `secrets_lock_trust_account_password':
passdb/secrets.c:218: warning: passing arg 2 of `tdb_lock_bystring' discards
qualifiers from pointer target type
passdb/secrets.c:220: warning: passing arg 2 of `tdb_unlock_bystring'
discards qualifiers from pointer target type
passdb/secrets.c: In function `secrets_get_trusted_domains':
passdb/secrets.c:509: warning: assignment makes pointer from integer without
a cast
passdb/secrets.c: In function `secrets_named_mutex':
passdb/secrets.c:610: warning: passing arg 1 of `tdb_set_lock_alarm'
discards qualifiers from pointer target type

Compiling lib/util_str.c
lib/util_str.c: In function `str_list_make':
lib/util_str.c:1160: warning: passing arg 3 of `next_token' discards
qualifiers from pointer target type

Compiling lib/util.c
lib/util.c: In function `smb_xstrndup':
lib/util.c:1832: warning: initialization makes pointer from integer without
a cast

Compiling lib/gencache.c
lib/gencache.c: In function `gencache_get':
lib/gencache.c:248: warning: initialization makes pointer from integer
without a cast
lib/gencache.c: In function `gencache_iterate':
lib/gencache.c:303: warning: assignment makes pointer from integer without a
cast

Compiling libads/ldap.c
libads/ldap.c: In function `ads_do_paged_search':
libads/ldap.c:443: warning: passing arg 2 of `str_list_copy' from
incompatible pointer type
libads/ldap.c: In function `ads_do_search':
libads/ldap.c:669: warning: passing arg 2 of `str_list_copy' from
incompatible pointer type

Compiling libads/ldap_printer.c
libads/ldap_printer.c: In function `ads_mod_printer_entry':
libads/ldap_printer.c:80: warning: passing arg 4 of `ads_mod_strlist' from
incompatible pointer type
libads/ldap_printer.c:96: warning: passing arg 4 of `ads_mod_strlist' from
incompatible pointer type
libads/ldap_printer.c:99: warning: passing arg 4 of `ads_mod_strlist' from
incompatible pointer type

Compiling libads/kerberos.c
libads/kerberos.c: In function `kerberos_kinit_password':
libads/kerberos.c:80: warning: passing arg 6 of
`krb5_get_init_creds_password' discards qualifiers from pointer target type

Compiling utils/net_ads.c
utils/net_ads.c: In function `net_ads_printer_info':
utils/net_ads.c:722: warning: passing arg 4 of `ads_find_printer_on_server'
discards qualifiers from pointer target type
utils/net_ads.c: In function `net_ads_printer_publish':
utils/net_ads.c:774: warning: assignment discards qualifiers from pointer
target type
utils/net_ads.c: In function `net_ads_printer_remove':
utils/net_ads.c:812: warning: assignment discards qualifiers from pointer
target type

Compiling utils/net_cache.c
utils/net_cache.c: In function `parse_timeout':
utils/net_cache.c:85: warning: assignment makes pointer from integer without
a cast

Temporary admin user

[Andreas Moroder]

Hello,

today few people of our IT staff are "admin users" in smb.conf. This is a
dangerous situation, on the other side, they must be able to do things normal
users can not. Because we use win98 on the clients it is not possible to switch
user at runtime like its possible to do with Xp.

What about the following proposal:

- add a attribute to the usernames listed in "admin users". The users with this
attribute are not admin by default, but are candidates

- add a message type to smbcontrol to enable or disable the admin mode.

Bye
Andreas





Dr. Andreas Moroder
Sanitätsbetrieb Brixen - Azienda Sanitaria di Bressanone
   www.sb-brixen.it-  www.as-bressanone.it