RE: Unable to authenticate with security=ADS
Ok. Well I had the same problem when I was starting to set up SAMBA 3.0. But I don't remember what I did to fix it. I remember that the main problem that I had was with the nss_ldap module; remember that you need to have the passwd and group info available to the samba daemon. I have 2 setups to get this info from Active Directory and OpenLDAP. But you must be certain at least that you have an entry in the /etc/passwd to get the uid data for the W2K user that you are using to share the storage in Samba.

Just to be sure, I assume that your /etc/krb5.conf is configured to see the kerberos "realm" for Active Directory.

I think that the klist tickets command is supposed to be tested in the W2K machine and not in the unix box.

On Wed, 2002-11-13 at 14:50, ZINKEVICIUS,MATT (HP-Loveland,ex1) wrote:
> > -----Original Message-----
> > From: José Alberto Patiño Limón [mailto:jalbertop@;aranea.com.mx]
> > Sent: Wednesday, November 13, 2002 12:05 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: Re: Unable to authenticate with security=ADS
> >
> > Did you try to run net ads join first and after run the smbd and nmbd
> > daemons later?
> >
> > Try it. But now use net ads leave first to delete the computer account
> > in AD.
>
> Thanks. I tried that and it didn't help.
>
> Also, another oddity is that if I try to access the share using the IP
> address as the server name it fails slightly differently:
>
> [2002/11/13 13:30:54, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(551)
>   Doing spnego session setup
> [2002/11/13 13:30:54, 3] smbd/sesssetup.c:reply_spnego_negotiate(259)
>   Got OID 1 2 840 48018 1 2 2
> [2002/11/13 13:30:54, 3] smbd/sesssetup.c:reply_spnego_negotiate(259)
>   Got OID 1 3 6 1 4 1 311 2 2 10
> [2002/11/13 13:30:54, 3] smbd/sesssetup.c:reply_spnego_negotiate(266)
>   Got secblob of size 1179
> [2002/11/13 13:30:54, 1] libads/kerberos_verify.c:ads_verify_ticket(91)
>   krb5_parse_name(HOST/charlie@) failed (Malformed representation of
> principal)
> [2002/11/13 13:30:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(134)
>   Failed to verify incoming ticket!
>
> Anybody?? :-)
>
> --Matt
RE: Trying to join a Solaris 8 box to Windows 2000 AD.
On Thu, 2002-11-14 at 09:20, [EMAIL PROTECTED] wrote:
> Sorry Andrew, I may have misled you here. In the pre CVS version I tried
> timegm would not compile under Solaris without changing timegm to mktime in
> ldap.c. With the newer CVS version I have not made any mods to ldap.c (as
> you stated earlier this was a bug that was fixed) and all compiled OK with
> mods to the
> Configure commands as detailed earlier.
> With the new CVS code unmodified timegm I get the Clock Skew problem.
> You say I have a 10+ hour problem, but where and how, and how can this be
> rectified?

Well, if you modified that function incorrectly, then you could get problems with the fact that AEDST != GMT :-). You might want to double-check that actually. See if the problem 'goes away' if you set the system time zone to GMT...

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
RE: Trying to join a Solaris 8 box to Windows 2000 AD.
Sorry Andrew, I may have misled you here. In the pre CVS version I tried timegm would not compile under Solaris without changing timegm to mktime in ldap.c. With the newer CVS version I have not made any mods to ldap.c (as you stated earlier this was a bug that was fixed) and all compiled OK with mods to the Configure commands as detailed earlier.
With the new CVS code unmodified timegm I get the Clock Skew problem.
You say I have a 10+ hour problem, but where and how, and how can this be rectified?

TIA
Clive

-
Clive Elsum BAppSc, RHCE
Systems Engineer - Information Technology Group
CSIRO Atmospheric Research
PMB 1, Aspendale, Victoria, Australia 3195
Phone : (+61 3) 9239 4509 Fax:(+61 3) 9239
E-mail [EMAIL PROTECTED]
-

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet@;samba.org]
Sent: Thursday, 14 November 2002 9:03 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Trying to join a Solaris 8 box to Windows 2000 AD.

On Thu, 2002-11-14 at 08:23, [EMAIL PROTECTED] wrote:
> I can still not get net ads working with Solaris 8.
> With the new CVS code and the mod to timegm in ldap.c The net ads command
> now fails with Clock Skew, Preauthentication failed, invalid credentials

Well, if you modified that function, then you probably now have a +10 hour problem in the time. Samba uses the time the ldap server sends to avoid time skew problems, hence having those timegm() functions in the first place...

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
RE: Trying to join a Solaris 8 box to Windows 2000 AD.
On Thu, 2002-11-14 at 08:23, [EMAIL PROTECTED] wrote:
> I can still not get net ads working with Solaris 8.
> With the new CVS code and the mod to timegm in ldap.c The net ads command
> now fails with Clock Skew, Preauthentication failed, invalid credentials

Well, if you modified that function, then you probably now have a +10 hour problem in the time. Samba uses the time the ldap server sends to avoid time skew problems, hence having those timegm() functions in the first place...

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
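The timegm()/mktime() substitution discussed in this thread, as an added example that is not Samba's ldap.c or any poster's code: it converts a UTC timestamp with a portable timegm() stand-in and with mktime() under a non-GMT zone, and measures the resulting Kerberos clock skew. The timestamp, the fixed UTC+10 zone string `AEST-10`, the 300-second tolerance and all function names are assumptions of this example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* setenv(), tzset() */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define MAX_SKEW 300  /* seconds; assumed tolerance (MIT krb5's default clockskew) */

/* Days from 1970-01-01 to y-m-d in the proleptic Gregorian calendar. */
static long long days_from_civil(int y, int m, int d)
{
    y -= (m <= 2);
    long long era = (y >= 0 ? y : y - 399) / 400;
    int yoe = (int)(y - era * 400);                            /* [0, 399] */
    int doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;  /* [0, 365] */
    int doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Portable stand-in for timegm(): fields are UTC, the TZ setting is never used. */
time_t utc_tm_to_time(const struct tm *tm)
{
    long long days = days_from_civil(tm->tm_year + 1900, tm->tm_mon + 1,
                                     tm->tm_mday);
    return (time_t)(days * 86400 + tm->tm_hour * 3600L
                    + tm->tm_min * 60 + tm->tm_sec);
}

/* Parse an LDAP GeneralizedTime in UTC, e.g. "20021113220312.0Z". */
int parse_generalized_time(const char *s, struct tm *out)
{
    size_t n = strlen(s);
    memset(out, 0, sizeof(*out));
    if (n < 15 || s[n - 1] != 'Z')
        return -1;
    if (sscanf(s, "%4d%2d%2d%2d%2d%2d", &out->tm_year, &out->tm_mon,
               &out->tm_mday, &out->tm_hour, &out->tm_min, &out->tm_sec) != 6)
        return -1;
    out->tm_year -= 1900;
    out->tm_mon -= 1;
    return 0;
}

/* Seconds by which mktime() misreads a UTC timestamp when the host zone is tz.
 * Returns LONG_MIN if the timestamp does not parse. */
long mktime_error(const char *server_time, const char *tz)
{
    struct tm tm, copy;
    if (parse_generalized_time(server_time, &tm) != 0)
        return LONG_MIN;
    setenv("TZ", tz, 1);
    tzset();
    copy = tm;                /* mktime() normalises its argument in place */
    return (long)difftime(utc_tm_to_time(&tm), mktime(&copy));
}

/* Would a clock off by this many seconds still pass the skew check? */
int skew_ok(long skew)
{
    return labs(skew) <= MAX_SKEW;
}

int main(void)
{
    const char *server_time = "20021113220312.0Z";   /* constructed sample */
    const char *zones[] = { "UTC0", "AEST-10" };
    for (size_t i = 0; i < sizeof(zones) / sizeof(zones[0]); i++) {
        long err = mktime_error(server_time, zones[i]);
        printf("TZ=%-8s mktime error = %6ld s -> %s\n", zones[i], err,
               skew_ok(err) ? "within skew" : "clock skew too great");
    }
    return 0;
}
```

With the host zone set to GMT the two conversions agree, which is why the time-zone test suggested in the thread separates a conversion bug from a real clock difference.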
Re: smbwrapper broken by global_myname changes
On Wed, Nov 13, 2002 at 10:38:08PM +0100, Stefan (metze) Metzmacher wrote:
> Hi Jeremy,
>
> smbwrapper is broken. by the global_* patches.

Fixed in HEAD and 3.0.

Jeremy
smbwrapper broken by global_myname changes
Hi Jeremy,

smbwrapper is broken. by the global_* patches.

metze

Linking bin/smbcacls
Compiling smbwrapper/smbsh.c
smbwrapper/smbsh.c: In function `main':
smbwrapper/smbsh.c:39: warning: initialization discards qualifiers from pointer target type
Compiling smbwrapper/shared.c
Linking bin/smbsh
Compiling smbwrapper/smbw.c with -fPIC
smbwrapper/smbw.c:30: `global_myname' redeclared as different kind of symbol
include/proto.h:775: previous declaration of `global_myname'
smbwrapper/smbw.c: In function `smbw_init':
smbwrapper/smbw.c:64: warning: assignment from incompatible pointer type
smbwrapper/smbw.c: In function `smbw_find_workgroup':
smbwrapper/smbw.c:262: warning: assignment discards qualifiers from pointer target type
smbwrapper/smbw.c: In function `smbw_parse_path':
smbwrapper/smbw.c:323: warning: passing arg 1 of `next_token' from incompatible pointer type
smbwrapper/smbw.c:331: warning: passing arg 1 of `next_token' from incompatible pointer type
smbwrapper/smbw.c:338: warning: passing arg 1 of `next_token' from incompatible pointer type
smbwrapper/smbw.c: In function `get_envvar_auth_data':
smbwrapper/smbw.c:413: warning: assignment discards qualifiers from pointer target type
make: *** [smbwrapper/smbw.po] Error 1

metze

-
Stefan "metze" Metzmacher <[EMAIL PROTECTED]>
RE: Trying to join a Solaris 8 box to Windows 2000 AD.
I can still not get net ads working with Solaris 8.
With the new CVS code and the mod to timegm in ldap.c The net ads command now fails with Clock Skew, Preauthentication failed, invalid credentials even though the Machines are sync'd in time.
Previous failure message when mktime was substituted for timegm was Preauthentication failed, invalid credentials.
Any help on this would be appreciated.

Thanks in advance
Clive

-
Clive Elsum BAppSc, RHCE
Systems Engineer - Information Technology Group
CSIRO Atmospheric Research
PMB 1, Aspendale, Victoria, Australia 3195
Phone : (+61 3) 9239 4509 Fax:(+61 3) 9239
E-mail [EMAIL PROTECTED]
-

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Clive.Elsum@;csiro.au]
Sent: Wednesday, 13 November 2002 3:53 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Trying to join a Solaris 8 box to Windows 2000 AD.

Andrew,
I got the latest CVS code. Had to copy the alpha20 versions of configure.* to get this version to configure. I had to remove the AUTHLIBS=@AUTHLIBS@ statement from the Makefile.
The timegm problem has gone away.
The latest gdb output.

GNU gdb 5.0
This GDB was configured as "sparc-sun-solaris2.8"...
/usr/local/samba/lib/19461: No such file or directory.
Attaching to program `/proc/19461/object/a.out', process 19461
0xff01b844 in _waitid () from /usr/lib/libc.so.1
#0 0xff01b844 in _waitid () from /usr/lib/libc.so.1
No symbol table info available.
#1 0xfefd5d00 in _waitpid () from /usr/lib/libc.so.1
No symbol table info available.
#2 0xff01113c in system () from /usr/lib/libc.so.1
No symbol table info available.
#3 0x61268 in smb_panic (why=0xf31a8 "internal error") at lib/util.c:1344
        cmd = 0x193c00 "/usr/openwin/bin/xterm -display :0.0 -e gdb -x /usr/local/gdbcmds /proc/19461/object/a.out 19461 || gdb -x /usr/local/gdbcmds /proc/19461/object/a.out 19461 | mail root"
        result = 1653760
#4 0x4f4ac in fault_report (sig=11) at lib/fault.c:4
RE: Unable to authenticate with security=ADS
> -----Original Message-----
> From: José Alberto Patiño Limón [mailto:jalbertop@;aranea.com.mx]
> Sent: Wednesday, November 13, 2002 12:05 PM
> To: '[EMAIL PROTECTED]'
> Subject: Re: Unable to authenticate with security=ADS
>
> Did you try to run net ads join first and after run the smbd and nmbd
> daemons later?
>
> Try it. But now use net ads leave first to delete the computer account
> in AD.

Thanks. I tried that and it didn't help.

Also, another oddity is that if I try to access the share using the IP address as the server name it fails slightly differently:

[2002/11/13 13:30:54, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(551)
  Doing spnego session setup
[2002/11/13 13:30:54, 3] smbd/sesssetup.c:reply_spnego_negotiate(259)
  Got OID 1 2 840 48018 1 2 2
[2002/11/13 13:30:54, 3] smbd/sesssetup.c:reply_spnego_negotiate(259)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2002/11/13 13:30:54, 3] smbd/sesssetup.c:reply_spnego_negotiate(266)
  Got secblob of size 1179
[2002/11/13 13:30:54, 1] libads/kerberos_verify.c:ads_verify_ticket(91)
  krb5_parse_name(HOST/charlie@) failed (Malformed representation of principal)
[2002/11/13 13:30:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(134)
  Failed to verify incoming ticket!

Anybody?? :-)

--Matt
Re: Unable to authenticate with security=ADS
On Tue, 2002-11-12 at 23:59, ZINKEVICIUS,MATT (HP-Loveland,ex1) wrote:
> Howdy gang,
> I am trying to use samba 3.0 to authenticate using kerberos/ldap to my ADS
> server. It's not working. I am mostly going by tridge's ADS-HOWTO.
>
> My Setup:
> - Win2k ADS server (dc-native.home.sln)
> - Realm name is HOME.SLN
> - Linux running samba 3.0alpha21cvs from a couple days ago
> (charlie.home.sln)
> - MIT kerberos5 1.2.6
> - OpenLDAP 2.1.5
> - krb5.conf and smb.conf are attached
>
> Here is what I am doing:
>
> 1. Start smbd/nmbd
> 2. Run "kdestroy" to empty the ticket cache
> 3. Run "net ads join -UAdministrator". It says it joined the realm
> successfully.
> 4. Run "klist" (not "klist tickets" as mentioned in the HOWTO which errors
> out)
>

Did you try to run net ads join first and after run the smbd and nmbd daemons later?

Try it. But now use net ads leave first to delete the computer account in AD.

> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [EMAIL PROTECTED]
>
> Valid starting     Expires            Service principal
> 11/12/02 21:49:53  11/13/02 07:49:53  [EMAIL PROTECTED]
> 11/12/02 21:49:53  11/13/02 07:49:53  dc-native$@HOME.SLN
> 11/12/02 21:49:55  11/13/02 07:49:53  [EMAIL PROTECTED]
>
> 5. Attempt to connect to a share from the dc-native box, which requests a
> password :-(
>
> The interesting (at least to me) part of log.smbd is:
>
> [2002/11/12 21:50:38, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(551)
>   Doing spnego session setup
> [2002/11/12 21:50:38, 3] smbd/sesssetup.c:reply_spnego_negotiate(259)
>   Got OID 1 2 840 48018 1 2 2
> [2002/11/12 21:50:38, 3] smbd/sesssetup.c:reply_spnego_negotiate(259)
>   Got OID 1 3 6 1 4 1 311 2 2 10
> [2002/11/12 21:50:38, 3] smbd/sesssetup.c:reply_spnego_negotiate(266)
>   Got secblob of size 1339
> [2002/11/12 21:50:38, 3] libads/kerberos_verify.c:ads_verify_ticket(125)
>   krb5_rd_req with auth failed (Decrypt integrity check failed)
> [2002/11/12 21:50:38, 1] smbd/sesssetup.c:reply_spnego_kerberos(134)
>   Failed to verify incoming ticket!
> [2002/11/12 21:50:38, 3] smbd/error.c:error_packet(94)
>   error string = No such file or directory
> [2002/11/12 21:50:38, 3] smbd/error.c:error_packet(113)
>   error packet at smbd/sesssetup.c(136) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
>
> Anybody have any idea what I am doing wrong? Full level 10 log available if
> that helps.
>
> Matt Zinkevicius
> Software Engineer
> Network Storage Array Solutions
> Hewlett-Packard
Re: Suggestion for change in the vfs_ops structure?
On Wed, Nov 13, 2002 at 06:09:05PM +1100, Andrew Bartlett wrote:
> On Wed, 2002-11-13 at 17:28, Kris Van Hees wrote:
> > Well, that is not the case, since for the underlying filesystem it is usually a
> > very valid name. The fact is just that they would resolve to different targets.
> > The Samba server (let's assume it is a Solaris box) would natively resolve it
> > to something that includes its sysname (sun4x_58 for example) whereas for the
> > Windows client it would need to resolve to something like i386_win2k. And in
> > most cases, both would exist as targets, so it would not appear as a broken
> > symbolic link.
>
> Well, it really depends on what you are trying to do - provide AFS to
> clients over samba, or provide a service to clients over Samba. If you
> really want full AFS semantics, why not use the native AFS client?

What I am doing (at this stage) is providing all or part of the AFS filespace as a share to Windows clients by means of Samba, with support for the @sys translation that AFS supports because otherwise the translation would be done in the AFS client code itself, for the wrong architecture. It is very similar to the existing NFS-to-AFS translator, which provides for sharing the AFS filespace through NFS. The difference there is that it could be implemented as part of AFS itself.

> If you want to provide a service, with @sys as an extra feature, then I
> think that MSDFS provides a way to do this.
>
> If you really want AFS semantics and are willing to put in the legwork,
> then I would suggest you write a VFS module that actually implements AFS
> directly, ie not via the kernel.

Given the complexity of the AFS client code, that would be an enormous task. You'd end up with a VFS module that is likely to be larger than Samba itself. Fortunately, no one really wants a full fledged implementation of the AFS semantics in Samba (that I know of).

> AFS ACLs and the like are so different to Unix that bypassing that layer
> really does start to make sense, and you don't need nearly as many hacks
> to get the right individual semantics.
>
> However, you can do your translation stuff with just a standard VFS
> module - the main challenge would be memory management. In the way that
> the audit module just passes along parameters, your module could pass on
> modified (and separately allocated) parameters to the default functions.

It seems we went full circle on this, because that is what I originally talked about... I implemented this and it won't work because the VFS functions can't modify the pathnames that are passed to them (due to the const qualifier on them - and the calling code often if not always passes in a copied string by means of the dos_to_unix_static() functions that is called on them).

It seems that an additional function as I proposed before to handle translation of the pathname (vfs_redirect() for lack of a better name) would be useful, because it is both flexible, and it allows for calling code to also explicitly get a translated pathname where needed.

Or the alternative... changing the RESOLVE_DFSPATH() macro (and related macros) to also check whether there is a vfs_redirect() function defined for the current connection and if so, calling it, might do the trick.

I like the first alternative better though, because it seems more generic and it makes it possible to internally resolve the pathnames that contain @sys to their true values, while still allowing the client to keep thinking that the unmodified one is the true one (in case the Windows client actually cares if what it gets back might be a different pathname than it requested). That also covers the fact that e.g. on Unix in AFS if you cd @sys, pwd will show the @sys component rather than the translated name.

> Or take a different approach: Tell the kernel what your arch is. Why
> can't the kernel do the correct translation for you?

Because if you have multiple clients connecting to your Samba server, they may all have different architectures, thereby all needing their own sysname value to be substituted for @sys.

> Well, I think you will have trouble getting that information to Samba -
> that's my point. Samba can only really tell the difference between
> major client versions. You could use the name in the session setup, but
> I'm not sure that changes between service packs.

Initially I am using the Samba-based detection of the remote architecture (for which I added a check to detect WinXP as distinct from Win2K), but we are going to use a metafile operation initiated by the client (e.g. writing to a symbolic (virtual) filename) to set the sysname value to an arbitrary value, as override for the default one that is based on the Samba detection code. That allows for the flexibility that is needed for this.

Kris
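The per-client @sys translation described in the message above, as an added example that is not Samba VFS code and not Kris's module: because the incoming pathname is const, the translation returns a separately allocated copy. The function name `redirect_atsys`, the rule that only a whole path component equal to `@sys` is replaced, and the rejection of sysname values that could change directory depth are assumptions of this example; the sysname strings are the ones quoted in the thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ATSYS "@sys"

/* Reject sysname values that would alter the path structure once spliced in.
 * This matters when the value can be set by the client (assumed policy). */
static int sysname_is_safe(const char *sysname)
{
    if (sysname == NULL || *sysname == '\0')
        return 0;
    if (strchr(sysname, '/') != NULL)
        return 0;
    return strcmp(sysname, ".") != 0 && strcmp(sysname, "..") != 0;
}

/* Is the component of length n starting at p exactly "@sys"? */
static int is_atsys(const char *p, size_t n)
{
    return n == strlen(ATSYS) && memcmp(p, ATSYS, n) == 0;
}

/*
 * Return a newly allocated copy of path in which every component that is
 * exactly "@sys" is replaced by sysname. The input is never modified.
 * Returns NULL on a bad argument or allocation failure; caller frees.
 */
char *redirect_atsys(const char *path, const char *sysname)
{
    if (path == NULL || !sysname_is_safe(sysname))
        return NULL;

    size_t slen = strlen(sysname), alen = strlen(ATSYS), hits = 0;

    /* Pass 1: count the components to replace so the buffer is sized once. */
    for (const char *p = path; *p != '\0'; ) {
        size_t n = strcspn(p, "/");
        if (is_atsys(p, n))
            hits++;
        p += n;
        if (*p == '/')
            p++;
    }

    char *out = malloc(strlen(path) - hits * alen + hits * slen + 1);
    if (out == NULL)
        return NULL;

    /* Pass 2: copy component by component, keeping every '/' as it was. */
    char *w = out;
    for (const char *p = path; *p != '\0'; ) {
        size_t n = strcspn(p, "/");
        if (is_atsys(p, n)) {
            memcpy(w, sysname, slen);
            w += slen;
        } else {
            memcpy(w, p, n);
            w += n;
        }
        p += n;
        if (*p == '/')
            *w++ = *p++;
    }
    *w = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample paths; one sysname per connected client. */
    const char *paths[] = { "bin/@sys/gcc", "bin/foo@sys/gcc", "@sys" };
    const char *clients[] = { "i386_win2k", "sun4x_58", "../etc" };
    for (size_t c = 0; c < 3; c++) {
        for (size_t i = 0; i < 3; i++) {
            char *r = redirect_atsys(paths[i], clients[c]);
            printf("%-10s %-16s -> %s\n", clients[c], paths[i],
                   r ? r : "(rejected)");
            free(r);
        }
    }
    return 0;
}
```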
VFS/recycle doesn't work when space available is really big!
Hi,

When our filesystem was expanded beyond the 128 Gb limit the VFS/recycle code stopped functioning. I looked at the code and I think the variables "fsize" and "space_available" should be typed as SMB_BIG_UINT. It's not likely that either will ever become negative which currently "space_available" did when its value became real big.

I've attached the patch as a cdiff.

--
René Nieuwenhuizen
Information Technology Department
Centraal Planbureau
Visiting address: Van Stolkweg 14, 2585 JR Den Haag
Postal address: Postbus 80510, 2508 GM Den Haag
T (070) 3383 342 F (070) 3383 350
I http://www.cpb.nl/nl/general/org/afdelingen/it/
--
This message shall not constitute any obligations. This message is intended solely for the addressee. If you have received this message in error, please inform us immediately and delete its contents.

*** recycle.c.1 Wed Oct 9 22:27:14 2002 --- recycle.c Wed Nov 13 13:03:11 2002 *** *** 51,57 char*exclude; /* which files to exclude */ char*exclude_dir; /* which directories to exclude */ char*noversions;/* which files to exclude from versioning */ ! SMB_OFF_T max_size; /* maximum file size to be saved */ } recycle_bin_struct; /* Global Variables */ --- 51,57 char*exclude; /* which files to exclude */ char*exclude_dir; /* which directories to exclude */ char*noversions;/* which files to exclude from versioning */ ! SMB_BIG_UINT max_size; /* maximum file size to be saved */ } recycle_bin_struct; /* Global Variables */ *** *** 297,308 * @param fname file name * @return size in bytes **/ ! static SMB_OFF_T recycle_get_file_size(connection_struct *conn, const char *fname) { SMB_STRUCT_STAT st; if (default_vfs_ops.stat(conn,fname,&st) != 0) { DEBUG(0,("stat for %s returned %s\n",fname,strerror(errno))); ! 
return (SMB_OFF_T)0; } return(st.st_size); } --- 297,308 * @param fname file name * @return size in bytes **/ ! static SMB_BIG_UINT recycle_get_file_size(connection_struct *conn, const char *fname) { SMB_STRUCT_STAT st; if (default_vfs_ops.stat(conn,fname,&st) != 0) { DEBUG(0,("stat for %s returned %s\n",fname,strerror(errno))); ! return (SMB_BIG_UINT)0; } return(st.st_size); } *** *** 434,440 char *base, *ext; int i=1, len, addlen; SMB_BIG_UINT dfree,dsize,bsize; ! SMB_OFF_T fsize,space_avail; BOOL exist; int rc; --- 434,440 char *base, *ext; int i=1, len, addlen; SMB_BIG_UINT dfree,dsize,bsize; ! SMB_BIG_UINT fsize,space_avail; BOOL exist; int rc;
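Review bot: in the recycle_get_file_size hunk (297,308), only the error path gets an explicit cast; the success path still ends in `return(st.st_size);`, so the signed st_size is converted implicitly to the new unsigned return type. Suggest `return (SMB_BIG_UINT)st.st_size;` so the conversion is visible, and a line in the doc comment saying that a failed stat is reported as size 0, which a caller cannot tell apart from an empty file.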
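Review bot: in the last hunk (434,440), fsize and space_avail become unsigned, so any `< 0` test or subtraction involving them later in the function (not shown in this hunk) would now wrap to a very large value instead of going negative. Please check those uses and order the comparisons so nothing is subtracted from a smaller unsigned value; the declaration now matches `SMB_BIG_UINT dfree,dsize,bsize;` on the line above, so the two lines could also be merged.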
Re: vampire a win2k-dc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is Funny... 4 Words one message and each message.. is about 1 minutes :)

Volker Lendecke wrote:

|On Wed, Nov 13, 2002 at 10:14:20AM +0100, Volker Lendecke wrote:
|
|>On Wed, Nov 13, 2002 at 08:12:24PM +1100, Andrew Bartlett wrote:
|>
|>>Isn't that the problem - can you run pwdump on a Native Mode DC?
|>
|>No idea. Will try :-)
|
|
|Ok, works :-)
|
|Volker

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAj3SGu4ACgkQrsgVPALCFFwSHQCfTTMX7fD2ROTHt3Jg2zkZcxnx
Pr8An0gPG68lmMQyBJ4OvN4HKVed8vOa
=MZSh
-----END PGP SIGNATURE-----
Re: vampire a win2k-dc
On Wed, Nov 13, 2002 at 10:14:20AM +0100, Volker Lendecke wrote:
> On Wed, Nov 13, 2002 at 08:12:24PM +1100, Andrew Bartlett wrote:
> > Isn't that the problem - can you run pwdump on a Native Mode DC?
>
> No idea. Will try :-)

Ok, works :-)

Volker
Re: vampire a win2k-dc
On Wed, Nov 13, 2002 at 08:12:24PM +1100, Andrew Bartlett wrote:
> Isn't that the problem - can you run pwdump on a Native Mode DC?

No idea. Will try :-)

Volker
Re: vampire a win2k-dc
On Wed, 2002-11-13 at 19:53, Volker Lendecke wrote:
> On Tue, Nov 12, 2002 at 03:41:47PM +0100, Guenther Deschner wrote:
> > is it true, that a win2k dc will insist on setting up a secure channel
> > before ever transmitting password-hashes (with net rpc vampire)?
>
> Obviously yes. I had to notice that lately. That's where the latest patches
> from tridge are aimed at. You could try pwdump for the passwords though.

Isn't that the problem - can you run pwdump on a Native Mode DC?

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: vampire a win2k-dc
On Tue, Nov 12, 2002 at 03:41:47PM +0100, Guenther Deschner wrote:
> is it true, that a win2k dc will insist on setting up a secure channel
> before ever transmitting password-hashes (with net rpc vampire)?

Obviously yes. I had to notice that lately. That's where the latest patches from tridge are aimed at. You could try pwdump for the passwords though.

Volker
RE: Segfault with "net ads password"
James,

I know you aren't going to be thrilled to hear me say this, but when you don't get a response from the list, it is an indication that whoever knows or owns the code in question is probably away from the list or otherwise distracted. Asking again is probably not going to help much.

I know it isn't easy, but I suggest that you take a deep breath and start inserting additional DEBUG** statements to work your way thru the logic of the code. In my experience, finding these sorts of problems when you don't know the source code, but do know the programming language and the general system calls involved takes about a day or two of hard work. If you have a nice repeatable test case, then count yourself lucky. By struggling through and debugging it yourself, you will learn a lot about the modules and the code involved, and that can be worth the trouble.

**DEBUG is the Samba macro for printing out info into the log file. While cryptic at first glance, a few minutes of study should reveal how it works, and permit you to add more of them in key places.

Oh, and thanks for your patience.

By the way, sending HTML mail to this list is generally a poor idea; anyone reading the mail in digest form will see the raw HTML and probably ignore the mail. Even some ordinary mail programs still don't deal with HTML mail. This alone might cause some people to ignore your otherwise clearly-written posts. Note that there is nothing in your letter that requires the use of HTML. Perhaps you can adjust your mail client to send text instead.

HTH
PG
--
Paul Green, Senior Technical Consultant, Stratus Technologies.
Voice: +1 (978) 461-7557; FAX: +1 (978) 461-3610
Speaking from Stratus not for Stratus

-----Original Message-----
From: James Willard [mailto:james@;whispering.org]
Sent: Monday, November 11, 2002 6:48 PM
To: [EMAIL PROTECTED]
Subject: FW: Segfault with "net ads password"

Hi All,

I'm still having the issues I've described below. I've tried to give as much detail as possible, and I'm hoping to help fix this segfault bug in what will become Samba 3. I don't believe that this problem is isolated to me and I do believe that it does affect every other user. Please help me and allow me to help the Samba project.

Thanks,
James Willard
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:samba-technical-admin@;lists.samba.org] On Behalf Of James Willard
Sent: Friday, November 01, 2002 6:04 PM
To: 'Esh, Andrew'; [EMAIL PROTECTED]
Subject: RE: Segfault with "net ads password"

Andrew,

It seems like you're right about the null pointer. Given the code block you mentioned, I rebuilt with --enable-krb5developer and ran gdb over it again with a breakpoint at net_ads_password() and displaying ads, ads->auth, and ads->auth.kdc_server. The following is the output from gdb at the line just before line 885 where kerberos_set_password() is called:

3: ads->auth = {realm = 0x0, password = 0x0, user_name = 0x0, kdc_server = 0x0, flags = 0, time_offset = 0}
2: ads->auth.kdc_server = 0x0
1: ads = (ADS_STRUCT *) 0x81af8e0

And of course, the call itself... null values and all... (usernames/passwords substituted)

(gdb)
kerberos_set_password (kpasswd_server=0x0, auth_principal=0x815c560 [EMAIL PROTECTED], auth_password=0x815c57c "Adminpass", target_principal=0xbbe5 [EMAIL PROTECTED], new_password=0x81535a0 "User", time_offset=0) at libads/krb5_setpw.c:470
470 return krb5_set_password(kpasswd_server, target_principal, new_password, time_offset);

Ok, this officially goes beyond my abilities... who maintains the "net ads" portion of Samba that could help me look into this further?

Thanks,
James Willard
[EMAIL PROTECTED]

-----Original Message-----
From: Esh, Andrew [mailto:AEsh@;tricord.com]
Sent: Friday, November 01, 2002 4:54 PM
To: 'James Willard'; [EMAIL PROTECTED]
Subject: RE: Segfault with "net ads password"
Importance: High

Looks like this bit of code is failing:

utils/net_ads.c, lines 877-886, function "net_ads_password"

    /* use the realm so we can eventually change passwords for users
       in realms other than default */
    if (!(ads = ads_init(realm, NULL, NULL))) return -1;

    asprintf(&prompt, "Enter new password for %s:", argv[0]);
    new_password = getpass(prompt);
    ret = kerberos_set_password(ads->auth.kdc_server, auth_principal,
                                auth_password, argv[0], new_password,
                                ads->auth.time_offset);

the last line is reached with "ads->auth.kdc_server" as a bad (null?) pointer. The "ads_init" function creates the ads structure and zeroes it. It doesn't appear to me as though "ads_init" initializes ads->auth, and I don't see where else it gets set.

-----Original Message-----
From: James Willard [mailto:james@;whispering.org]
Sent: Friday, November 01, 2002 2:23 PM
To: [EMAIL PROTECTED]
Subject: RE: Segfault with "net ads password"

And as a follow-up to myself... The following is a backtrace from gdb:

Program receiv