Re: witch dialect i can use

2002-11-22 Thread Simo Sorce
On Fri, 2002-11-22 at 04:50, Christopher R. Hertel wrote:

 Ick.
 
 A server?  Pocket PC doesn't come with server software?  How odd...
 
  I want to run this server on raw TCP/IP at port 445,I want this server to
  have the following
  
  Function:
  
  1 It can announce itself in the lan network..
 
 In which way?  If you are running on port 445 (naked TCP transport) then 
 you probably don't want to announce to the old-style browse lists.  You'll 
 need to figure out how a service announces itself to Active Directory.

This way you will never be able to communicate to an XP Home, Windows 9x
or Windows NT OS and in a home environment or a business environment that
is based on NT4 Domains, Novell NDS, iPlanet directory services, samba
domains, simple workgroup ...

  4 Explore in the shared tree.( support find first / find next operation )
  
  5 Support common file operation Client can copy , move create file or
  directories on the server get file information etc.
 
 If you are writing a server, consider the clients.  Many of them will be 
 Windows boxes (although, if you are running on port 445 only then you can 
 forget about W/9x, W/NT, and possibly W/Me... as far as I know the only 
 Windows clients that can talk to 445 are W2K and WXP).


-- 
Simo Sorce - [EMAIL PROTECTED]
Xsec s.r.l.
via Durando 10 Ed. G - 20158 - Milano
tel. +39 02 2399 7130 - fax: +39 02 700 442 399





[PATCH] handle configure --with-configdir right

2002-11-22 Thread Stefan (metze) Metzmacher
Hi Jelmer,

here's the part of my previous patch for 3_0

it fixes the configure --with-configdir


metze
-
Stefan metze Metzmacher [EMAIL PROTECTED]
diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=.#* 
3_0/source/Makefile.in 3_0-fix/source/Makefile.in
--- 3_0/source/Makefile.in  Mon Nov 18 22:30:50 2002
+++ 3_0-fix/source/Makefile.in  Fri Nov 22 10:23:55 2002
@@ -56,8 +56,11 @@ INSTALLPERMS = 0755
 # These can be overridden by command line switches (see smbd(8))
 # or in smb.conf (see smb.conf(5))
 LOGFILEBASE = @logfilebase@
-CONFIGFILE = $(LIBDIR)/smb.conf
-LMHOSTSFILE = $(LIBDIR)/lmhosts
+CONFIGDIR = @configdir@
+CONFIGFILE = $(CONFIGDIR)/smb.conf
+LMHOSTSFILE = $(CONFIGDIR)/lmhosts
+
+# did we need this anymore? it's not in HEAD
 DRIVERFILE = $(LIBDIR)/printers.def
 # This is where smbpasswd et al go
 PRIVATEDIR = @privatedir@
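
Review bot: The added comment `# did we need this anymore? it's not in HEAD` above `DRIVERFILE = $(LIBDIR)/printers.def` leaves an open question in Makefile.in; settle it before this goes in, either by dropping DRIVERFILE if nothing references it any more or by keeping it and deleting the comment. If it is kept, note that DRIVERFILE stays under $(LIBDIR) while CONFIGFILE and LMHOSTSFILE now follow $(CONFIGDIR), so say whether that split is intended. `CONFIGDIR = @configdir@` only works if configure substitutes `configdir`; that part is not in this hunk, so please include or reference the configure change alongside it.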



Re: [PATCH] add 'modules path' and handle 'configure --with-configdir' right

2002-11-22 Thread Stefan (metze) Metzmacher


the patch doesn't compile fine.

- I forgot to add dyn_MODULESDIR to include/dynconfig.h

- in param/loadparm.c  szModulesPath should be char * not char **

- add a warning to modules/Makefile.ext_modules.in : that the users should 
be careful with editing this file


If you want me to send a new patch tell me.

metze



Re: [PATCH] add 'modules path' and handle 'configure --with-configdir' right

2002-11-22 Thread Stefan (metze) Metzmacher
At 12:00 22.11.2002 +0100, Stefan (metze) Metzmacher wrote:

If you want me to send a new patch tell me.


anyway I'll send a new patch with a few more fixes.
But we have to discuss on IRC...



metze
-
Stefan metze Metzmacher [EMAIL PROTECTED]




Re: [PATCH] handle configure --with-configdir right

2002-11-22 Thread Stefan (metze) Metzmacher
At 11:39 22.11.2002 +0100, Stefan (metze) Metzmacher wrote:

Hi Jelmer,

here's the part of my previous patch for 3_0

it fixes the configure --with-configdir


I'll send a new patch later which fixes a bit more
But we have to discuss on IRC...



metze
-
Stefan metze Metzmacher [EMAIL PROTECTED]




Re: [PATCH] add 'modules path' and handle 'configure --with-configdir' right

2002-11-22 Thread Jelmer Vernooij
On Fri, Nov 22, 2002 at 11:36:48AM +0100, Stefan (metze) Metzmacher wrote:
 Hi Jelmer,
 
 here's a patch that added the 'modules path' parameter.
 
 lp_modules_path() is prefixed to all lp_modules() which do not start with 
 '/' (not absolute paths)
 
 the default for lp_modules_path() is selectable by ./configure 
 --with-modulesdir=/modules
 or $(LIBDIR)/samba  (when  --with-fhs) or $(LIBDIR)
 
 make installmodules install the modules to lp_modules_path()
 
 make modules now makes proto_exist
Thanks a lot! These were on my todo list. I'll take a look at it later today 
(when I get back home, I'm currently at school)

 there's a new file modules/Makefile.ext_modules.in:
 here can extern modules be added then they're also catches by 'make modules'
I'm not so sure about this one - we should rather have a mechanism with which 
external developers can compile modules without requiring the samba source code - and 
they can always add their module to Makefile.in and add it to $MODULES there.

Jelmer



Re: [PATCH] add 'modules path' and handle 'configure --with-configdir' right

2002-11-22 Thread Stefan Metzmacher
At 13:21 22.11.2002 +0100, Jelmer Vernooij wrote:

On Fri, Nov 22, 2002 at 11:36:48AM +0100, Stefan (metze) Metzmacher wrote:
 Hi Jelmer,

 here's a patch that added the 'modules path' parameter.

 lp_modules_path() is prefixed to all lp_modules() which do not start with
 '/' (not absolute paths)

 the default for lp_modules_path() is selectable by ./configure
 --with-modulesdir=/modules
 or $(LIBDIR)/samba  (when  --with-fhs) or $(LIBDIR)

 make installmodules install the modules to lp_modules_path()

 make modules now makes proto_exist
Thanks a lot! These were on my todo list. I'll take a look at it later today
(when I get back home, I'm currently at school)


:-)


 there's a new file modules/Makefile.ext_modules.in:
 here can extern modules be added then they're also catches by 'make 
modules'
I'm not so sure about this one - we should rather have a mechanism with which
external developers can compile modules without requiring the samba source 
code - and they can always add their module to Makefile.in and add it to 
$MODULES there.

but if the Makefile.in is updated it's possible to get conflicts...
most module need include/proto.h so I think we need the source code,
but if you have a better solution it'd be fine too.





---

Stefan Metzmacher

[EMAIL PROTECTED]




Bug ?

2002-11-22 Thread Goncalo Ramos
Hi

I'm using samba 2.0.7, on Solaris 8.

I'm having problems with samba. On the log file under /usr/local/samba/var/log.pcname, I have the following error:

[2002/11/22 14:15:12, 0] smbd/files.c:file_new(85)
  ERROR! Out of file structures
[2002/11/22 14:15:12, 0] smbd/files.c:file_new(85)
  ERROR! Out of file structures
[2002/11/22 14:15:12, 0] smbd/files.c:file_new(85)
  ERROR! Out of file structures
[2002/11/22 14:15:12, 0] smbd/files.c:file_new(85)
  ERROR! Out of file structures

To resolve this immediately, I normally kill smbd process, with pkill -9 smbd.

Do you have any patches to correct this problem ?

PS: I urgently need an answer


Gonçalo


___

Gonçalo Mendes Ramos

Unix System Administrator

IT Department

NEC Portugal S.A.

Direcção Geral de Desenvolvimento

Avenida Dr. Mario Sacramento, n. 177

3810-106 AVEIRO

PORTUGAL


Phone: (+351) 234 372 075

Mobile: (+351) 914 644 883

Fax: (+351) 234 372 021

E-mail: [EMAIL PROTECTED]

Web: http://www.nec.pt




Modify location of printerdriverfiles

2002-11-22 Thread Kätzler, Ralf
Hello, Samba-Team, hello samba-freaks!

Hey! World-Hello-Day was yesterday, but today is also a good day to say hello!

My question/problem:
I like to use a samba-server as printer-server for about 500 users with ~ 40 
different printers.
The client OS is NT4 or XP. The problem I encountered is that there are printerdrivers 
out there which use for different models dlls with the same name but the dlls are not 
compatible - great!! - ! So only the last installed printer works ok, because the dll 
for the other model is overwritten during driverinstall.
My question: Is there a tool, which allows safe tampering with the *.tdb, to change 
the path to the driverfiles or to change the behavior to rpc getdriverinfo?
This way it would be possible to create an own driver-directory-structure and all those 
printerdriver related problems are gone...

Greetings
Ralf



Re: trusted domains n+4 and related stuff

2002-11-22 Thread Rafal Szczesniak
On Thu, Nov 21, 2002 at 07:48:48PM -0500, [EMAIL PROTECTED] wrote:
 Mimir,
 
 Thanks for the patch!
 
 A few comments:
 
 - in ipstr_list_add you try to be too fancy. I suspect the chunking
   stuff is to try to second guess the malloc implementation and
   allocate in bigger lumps? Don't do that unless there is good
   profiling evidence to suggest that it is needed. It is too easy to
   get wrong and just complicates the code.

hmm. ok.

 - in ipstr_list_add you do this:
 
   if (ipstr)
   safe_strcat(ipstr, ":", sizeof(ipstr));
   else
   return NULL;
 
   but ipstr is a fstring, so it can never be null. Only pointers can be
   NULL, and ipstr is an array (arrays can never be NULL in C).

Yes! Thank you for this catch. That was a legacy after the previous
version of this code (which had char* ipstr in it). It's good to get
someone other's pair of eyes over it...

 A simpler variant of that function would be something like this
 (untested code warning ...)
 
 char* ipstr_list_add(char **ipstr_list, const struct in_addr *ip)
 {
   char *new_str = NULL;
 
   if (*ipstr_list) {
     /* append ":<ip>" to the existing list */
     if (asprintf(&new_str, "%s:%s", *ipstr_list, inet_ntoa(*ip)) == -1)
       new_str = NULL; /* asprintf leaves new_str undefined on failure */
     free(*ipstr_list);
   } else {
     new_str = strdup(inet_ntoa(*ip));
   }
   
   *ipstr_list = new_str;
   return new_str;
 }
 

Believe it or not, but that was my initial design :-)
The reason why I gave it up was too frequent allocation (with asprintf)
and freeing. Anyway if you think it has more advantages, then, sure,
let it be.

 and yes, I know its not terribly allocator efficient, but it has the
 big advantage of being simple. I doubt allocator efficiency matters in
 this function as the lists will typically be very short. Also note
 that I removed the redundant ipstr_size argument. As the strings are
 null terminated it isn't needed (unless you're playing allocator
 efficiency games).

I basically assumed it's better to avoid too frequent use of allocation
operations.

 Similarly, ipstr_list_make() can be made much simpler.
 
 - I think it might be better to use ',' instead of ':' for IP list
   separation. It doesn't matter now, but when we come to do IPv6 then
   it might matter, as iirc IPv6 uses ':' inside the string
   representation of addresses.

Good point. You're right.

 The parse function also tries to play allocation games.

For the same reason (look above).

 A simpler
 function might be something like this:
 
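 int ipstr_list_parse(const char* ipstr_list, struct in_addr** ip_list)
 {
   int count;
   for (*ip_list=NULL, count=0; ipstr_list; count++) {
     struct in_addr a;
     char tok[16]; /* "255.255.255.255" plus NUL */
     size_t len = strcspn(ipstr_list, ":");
 
     /* inet_aton() wants a NUL-terminated address, so copy one token;
        it returns 0 (not -1) when the address is invalid */
     if (len >= sizeof(tok)) break;
     memcpy(tok, ipstr_list, len);
     tok[len] = '\0';
     if (inet_aton(tok, &a) == 0) break;
 
     *ip_list = Realloc(*ip_list, (count+1) * sizeof(struct in_addr));
     if (!*ip_list) {
       return -1;
     }
 
     (*ip_list)[count] = a;
 
     /* step past the separator, or stop at the end of the list */
     ipstr_list = strchr(ipstr_list, ':');
     if (ipstr_list) ipstr_list++;
   }
   return count;
 }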

Looks clear. I've modified the code and I'm starting to make a few tests.

 The rest of the patch looks good!

Nice to hear :)


-- 
cheers,
++
|Rafal 'Mimir' Szczesniak [EMAIL PROTECTED]   |
|*BSD, GNU/Linux and Samba  /
|__/



Re: Fixed: OpLocks caused the corruptions/slowness (Was: How Samba let us down)

2002-11-22 Thread Russell Senior
 jra == jra  [EMAIL PROTECTED] writes:

jra Clients commonly ignore oplock breaks because of network problems
jra (borderline hubs etc.). Many people are suffering from network
jra hardware that performs adequately in light use situations and
jra fails under heavy load. I myself have ended up junking hubs with
jra this problem.

I *still* don't understand how flaky hardware could be the problem.
TCP connections are supposed to be reliable.  If flaky hardware is
eating packets, then surely the sender, failing to get a timely ACK
will resend?  I can understand a flaky client getting the break and
not responding with the appropriate action, but I don't understand how
a hardware level problem can break TCP communication, except in the
obvious and persistent way of not having a connection at all.  Please
someone, wump me with a clue stick.

I have seen the problem on a small (two or three host) 100Mbit
switched network.

-- 
Russell Senior ``I've seen every kind of critter God ever made,
[EMAIL PROTECTED]  and I ain't never seen a meaner, lower, more
 stinkin' yellow hypocrite than you!'' 
-- Burl Ives as Rufus Hennessy



Re: [Samba] Bug ?

2002-11-22 Thread jra
On Fri, Nov 22, 2002 at 02:22:03PM -, Goncalo Ramos wrote:
 Hi
 I'm using samba 2.0.7, on Solaris 8. 
 I'm having problems with samba. On the log file under
 /usr/local/samba/var/log.pcname, I have the following error:
 
 [2002/11/22 14:15:12, 0] smbd/files.c:file_new(85)
   ERROR! Out of file structures
 [2002/11/22 14:15:12, 0] smbd/files.c:file_new(85)
   ERROR! Out of file structures
 [2002/11/22 14:15:12, 0] smbd/files.c:file_new(85)
   ERROR! Out of file structures
 [2002/11/22 14:15:12, 0] smbd/files.c:file_new(85)
   ERROR! Out of file structures
 
 To resolve this immediately, I normally kill smbd process, with pkill -9
 smbd.
 Do you have any patches to correct this problem ?

2.0.x Samba has a hard coded limit to the number of open files.
If you want to continue using it, change the value in include/local.h
and recompile.

Samba 2.2.x makes this limit dynamic, you might want to upgrade.

Jeremy.



(fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

2002-11-22 Thread Martin Pool
I'll write up a short page describing how to use them, unless Jerry
particularly wants to do it.


- Forwarded message from [EMAIL PROTECTED] -

From: [EMAIL PROTECTED]
Subject: Suggestion: describe (or link to) how to verify your distributions
Date: Fri, 22 Nov 2002 20:21:38 GMT
To: [EMAIL PROTECTED]

Hi folks,

Thanks for all your work.  Thanks for taking the time to secure it and to 
distribute it in a secure fashion. 

Today as I downloaded your new version, aware of the openssh trojan and
aware that MD5 signatures hosted on the same server doesn't verify
anything, I was pleased to find a digital signature for samba. 

A suggestion though.  In addition to providing the digital signature
it would be great if you could include a few links or a page or two
describing how to use it. 

I ask this, because I can't figure out how to get PGP to use your
signature.  And having visited CERT, PGP, GPG, and using google,
I am still stumped as to what to do with this
detached digital signature. 

You folks are one of the most important projects around.  It's terrific
that you are distributing digital signatures, you could improve on
that a bit by distributing information on how to use that
digital signature. 

Thank you, 

Jerry Asher

- End forwarded message -
-- 
Martin





Re: (fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

2002-11-22 Thread Steve Langasek
On Fri, Nov 22, 2002 at 12:56:39PM -0800, Martin Pool wrote:
 I'll write up a short page describing how to use them, unless Jerry
 particularly wants to do it.

In five words or less, from the gpg manpage:

$ gpg --verify samba-2.2.7.tar.gz.asc samba-2.2.7.tar.gz

-- 
Steve Langasek
postmodern programmer





Re: (fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

2002-11-22 Thread Martin Pool
On 22 Nov 2002, Steve Langasek [EMAIL PROTECTED] wrote:
 On Fri, Nov 22, 2002 at 12:56:39PM -0800, Martin Pool wrote:
  I'll write up a short page describing how to use them, unless Jerry
  particularly wants to do it.
 
 In five words or less, from the gpg manpage:
 
 $ gpg --verify samba-2.2.7.tar.gz.asc samba-2.2.7.tar.gz

Yeah, sure, but:

 What does this all mean?  Why should I care?

 Where do I get GPG?

 Where do I get the samba codesigning key?  How do I import it?   How
 do I know I got the right one?

 What do I do if it doesn't verify?

 etc...

-- 
Martin



(fwd from jerry@theashergroup.com) security suggestion continued...

2002-11-22 Thread Martin Pool
- Forwarded message from [EMAIL PROTECTED] -

From: [EMAIL PROTECTED]
Subject: security suggestion continued...
Date: Fri, 22 Nov 2002 21:01:35 GMT
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]

Following up my prior message, I actually found a nice reference on
how to verify samba distributions. 

That reference was written by David Lechnyr and can be found
http://hr.uoregon.edu/davidrl/samba.html 

I've appended David's content below. 

Anyway my point being that somewhere on your download pages, it
would be very helpful to describe how to use your signatures. 

And it turns out, I don't believe one can use the gui version
of free PGP to do this.  Maybe with the command line version of
pgp... 

Thanks, 

Jerry 


From http://hr.uoregon.edu/davidrl/samba.html 

Installing Samba 

It's important to run the latest version of Samba. For example, a security 
hole has been discovered in versions 2.2.2 through 2.2.6 of Samba that could 
potentially allow an attacker to gain root access on the target machine. It 
pays to stay up to date ;-) 

Download the files: 

$ wget http://us1.samba.org/samba/ftp/samba-2.2.7.tar.gz
$ wget http://us1.samba.org/samba/ftp/samba-2.2.7.tar.gz.asc 

These days, it's strongly recommended that you verify the PGP signature for 
any source file before installing it. Download the Samba PGP Public Key file 
from http://us1.samba.org/samba/ftp/samba-pubkey.asc and run: 

$ gpg --import samba-pubkey.asc
$ gpg --verify samba-2.2.7.tar.gz.asc 

If you receive a message like, Good signature from Samba Distribution 
Verification Key... then all is well. The warnings about trust 
relationships can be ignored. An example of what you would not want to see 
would be: 

gpg: Signature made Mon Aug 26 19:06:30 2002 PDT using RSA key ID 628E0A02
gpg: BAD signature from Samba Distribution Verification Key 


- End forwarded message -
-- 
Martin



Re: (fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

2002-11-22 Thread Martin Pool
On 22 Nov 2002, Martin Pool [EMAIL PROTECTED] wrote:
 On 22 Nov 2002, Steve Langasek [EMAIL PROTECTED] wrote:
  On Fri, Nov 22, 2002 at 12:56:39PM -0800, Martin Pool wrote:
   I'll write up a short page describing how to use them, unless Jerry
   particularly wants to do it.
  
  In five words or less, from the gpg manpage:
  
  $ gpg --verify samba-2.2.7.tar.gz.asc samba-2.2.7.tar.gz
 
 Yeah, sure, but:
 
  What does this all mean?  Why should I care?
 
  Where do I get GPG?
 
  Where do I get the samba codesigning key?  How do I import it?   How
  do I know I got the right one?
 
  What do I do if it doesn't verify?
 
  etc...

Before you reply: I know the answers to these, but probably many
people don't.  Merely saying how to run the command is not a complete
solution -- using GPG without understanding at least the basics is
worse than not using it at all.

-- 
Martin



Re: Samba 2.7 and SNAP Server

2002-11-22 Thread Andrew Bartlett
On Sat, 2002-11-23 at 02:15, Irving Carrion wrote:
 I hope someone can extend some advice to help us solve our problem.
 
 A couple of months ago we were told to upgrade to SAMBA 3.0 so that the
 SNAP server could read the domain users in SAMBA PDC.  It works... it
 worked GREAT!!  
 
 The problem lies that there are some basic functionalities that don't
 work like for example allowing the client (w2k) to change his/her own
 password.  Also, many clients are told that their passwords will expire
 in NUM amount of days.  These are some of the problems we're
 experiencing.  

That's interesting - I wasn't aware of bugs in that area.  

 I've read on the mailing lists that most of these problems have been
 solved in the latest CVS version.  We currently run debian so we
 rely on the package maintainer to put out the latest version.  Currently
 the latest version of SAMBA on Debian is 2.999+3.0.alpha20-3.  None of
 these problems have been fixed in this version.  My questions are:
 
 1.  Does Samba 2.7 have SNAP support?

Not as far as I know.  (and It's 2.2.7).

 2.  Is compiling the latest CVS my only solution?

Probably - the Debian folks were waiting for Jerry to release another
'official' alpha, but he has since been busy with things like the 2.2.7
release.   

 3.  Can anyone think of anything else we could do?

For the password expiry, you can set the 'does not expire' flag on each
account (It's X in the account flags) or use pdbedit to change the 'max
password age' to some really large value, and remove the relevant
attributes from LDAP.  (Falling back to defaults).

(I intend to rework this before 3.0, so that the default 'max password
age' is some really large value, making it work like smbpasswd).

I'm not sure what would cause users to be unable to change their
passwords.

 P.S.  I purposely posted this on the technical list of SAMBA as I don't
 think a regular user would know whether SAMBA 2.7 has SNAP support.
 Please forgive me if this was a mistake.  

I certainly don't mind 3.0 questions being here, while it's in alpha,
and while the questions are more than simple config stuff.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net





Re: Fixed: OpLocks caused the corruptions/slowness (Was: How Samba let us down)

2002-11-22 Thread David W. Chapman Jr.
On Fri, Nov 22, 2002 at 08:44:34AM -0800, Russell Senior wrote:
  jra == jra  [EMAIL PROTECTED] writes:
 
 jra Clients commonly ignore oplock breaks because of network problems
 jra (borderline hubs etc.). Many people are suffering from network
 jra hardware that performs adequately in light use situations and
 jra fails under heavy load. I myself have ended up junking hubs with
 jra this problem.
 
 I *still* don't understand how flaky hardware could be the problem.
 TCP connections are supposed to be reliable.  If flaky hardware is
 eating packets, then surely the sender, failing to get a timely ACK
 will resend?  I can understand a flaky client getting the break and
 not responding with the appropriate action, but I don't understand how
 a hardware level problem can break TCP communication, except in the
 obvious and persistent way of not having a connection at all.  Please
 someone, wump me with a clue stick.

Duplex problems are a simple example like setting full-duplex on a 
half-duplex switch might.

A bad cable or NIC could cause intermittent problems as well.  Yes 
packets would get retransmitted, but who's to say the retransmitted 
packets won't get dropped as well?

-- 
David W. Chapman Jr.
[EMAIL PROTECTED]   Raintree Network Services, Inc. www.inethouston.net
[EMAIL PROTECTED]   FreeBSD Committer www.FreeBSD.org



Re: (fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

2002-11-22 Thread David W. Chapman Jr.
On Fri, Nov 22, 2002 at 01:08:39PM -0800, Martin Pool wrote:
 Yeah, sure, but:
 
  What does this all mean?  Why should I care?
 
  Where do I get GPG?
 
  Where do I get the samba codesigning key?  How do I import it?   How
  do I know I got the right one?
 
  What do I do if it doesn't verify?
 
I always wondered if someone uploaded a tarball with a trojan, what's 
preventing them from updating the .asc file as well?

-- 
David W. Chapman Jr.
[EMAIL PROTECTED]   Raintree Network Services, Inc. www.inethouston.net
[EMAIL PROTECTED]   FreeBSD Committer www.FreeBSD.org



Re: (fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

2002-11-22 Thread Tim Potter
On Fri, Nov 22, 2002 at 03:16:09PM -0600, David W. Chapman Jr. wrote:

   Where do I get the samba codesigning key?  How do I import it?   How
   do I know I got the right one?
  
   What do I do if it doesn't verify?
 
 I always wondered if someone uploaded a tarball with a trojan, what's 
 preventing them from updating the .asc file as well?

This is why you can't necessarily ignore the message that says:

gpg: WARNING: This key is not certified with a trusted signature!

The samba team needs to get more people to sign the distribution key so
this message becomes less frequent.


Tim.
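
An added example, not part of any message in this thread and not Samba's own tooling: one way to script the check discussed above, so that a replaced tarball with a matching replaced .asc is rejected because the signature does not come from a fingerprint pinned in advance. The function names, the fingerprints and the status lines are constructed placeholders; the real fingerprint has to be obtained from a channel other than the download server.

```shell
#!/bin/sh
# Added example: accept a detached signature only when gpg reports a valid
# signature made by the one fingerprint we pinned in advance.

# check_status EXPECTED_FPR
# Reads `gpg --status-fd` lines on stdin. Returns 0 only if a VALIDSIG line
# names EXPECTED_FPR and there is no failure line (BADSIG, ERRSIG,
# EXPKEYSIG, REVKEYSIG) and no VALIDSIG from some other key.
check_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$expected" ] || return 2
    awk -v want="$expected" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 3 is the fingerprint of the key that signed; the last
            # field is the primary key fingerprint when gpg reports it.
            if (toupper($3) == want || toupper($NF) == want) ok = 1
            else other = 1
        }
        END { rc = (bad || other || !ok); exit rc }
    '
}

# verify_release TARBALL SIGNATURE EXPECTED_FPR
# The public key must already be imported. A "Good signature" from any key
# other than EXPECTED_FPR is treated as a failure.
verify_release() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$3"
}

# --- Constructed sample data (placeholders, not captured from a real run) ---
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"
OTHER_FPR="FEDCBA9876543210FEDCBA9876543210FEDCBA98"

# Signature made by the pinned key; the key is valid but not in our web of trust.
sample_signed_by_pinned_key() {
    cat <<EOF
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Release Key
[GNUPG:] VALIDSIG $PINNED_FPR 2002-11-20 1037750400 0 3 0 17 2 00 $PINNED_FPR
[GNUPG:] TRUST_UNDEFINED
EOF
}

# Tarball and .asc both replaced: the signature is "good", but from another key.
sample_signed_by_other_key() {
    cat <<EOF
[GNUPG:] GOODSIG FEDCBA9876543210 Constructed Lookalike Key
[GNUPG:] VALIDSIG $OTHER_FPR 2002-11-20 1037750400 0 3 0 17 2 00 $OTHER_FPR
[GNUPG:] TRUST_UNDEFINED
EOF
}

# Tarball modified, original .asc left in place.
sample_bad_signature() {
    cat <<EOF
[GNUPG:] BADSIG 89ABCDEF01234567 Constructed Release Key
EOF
}

for s in sample_signed_by_pinned_key sample_signed_by_other_key sample_bad_signature; do
    if $s | check_status "$PINNED_FPR"; then
        echo "$s: accept"
    else
        echo "$s: reject"
    fi
done
```

The second sample is the case raised in the question: gpg prints a good signature for it, and only the fingerprint comparison turns it into a rejection.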



Re: (fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

2002-11-22 Thread Steve Langasek
On Fri, Nov 22, 2002 at 03:16:09PM -0600, David W. Chapman Jr. wrote:
 On Fri, Nov 22, 2002 at 01:08:39PM -0800, Martin Pool wrote:
  Yeah, sure, but:

   What does this all mean?  Why should I care?

   Where do I get GPG?

   Where do I get the samba codesigning key?  How do I import it?   How
   do I know I got the right one?

   What do I do if it doesn't verify?

 I always wondered if someone uploaded a tarball with a trojan, what's 
 preventing them from updating the .asc file as well?

It's a cryptographic signature that can only be produced using a specific
key.  Assuming that the key belongs to the party whose name is on it, and
assuming that the key is well-protected from theft, and assuming that the
algorithms used by PGP haven't been broken, you can be assured that the
signature was made by the person it claims to have come from.

Asking about, I've been pointed to http://gnupg.org/gph/en/manual.html
as a general intro to GPG.

-- 
Steve Langasek
postmodern programmer





Re: (fwd from jerry@theashergroup.com) Suggestion: describe (or linkto) how to verify your distributions

2002-11-22 Thread Richard Sharpe
On Fri, 22 Nov 2002, David W. Chapman Jr. wrote:

 On Fri, Nov 22, 2002 at 01:08:39PM -0800, Martin Pool wrote:
  Yeah, sure, but:
  
   What does this all mean?  Why should I care?
  
   Where do I get GPG?
  
   Where do I get the samba codesigning key?  How do I import it?   How
   do I know I got the right one?
  
   What do I do if it doesn't verify?
  
 I always wondered if someone uploaded a tarball with a trojan, what's 
 preventing them from updating the .asc file as well?

Hackers don't have the intelligence to think of that :-) (tongue firmly in 
cheek :-)

Regards
-
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com




Re: (fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

2002-11-22 Thread Steve Langasek
On Sat, Nov 23, 2002 at 08:29:57AM +1100, Tim Potter wrote:
 On Fri, Nov 22, 2002 at 03:16:09PM -0600, David W. Chapman Jr. wrote:

Where do I get the samba codesigning key?  How do I import it?   How
do I know I got the right one?
   
What do I do if it doesn't verify?

  I always wondered if someone uploaded a tarball with a trojan, what's 
  preventing them from updating the .asc file as well?

 This is why you can't necessarily ignore the message that says:

 gpg: WARNING: This key is not certified with a trusted signature!

 The samba team needs to get more people to sign the distribution key so
 this message becomes less frequent.

Hmm.  I see nine signatures already, and I have a full trust relationship
to the key which traverses multiple paths through the keyring, the
shortest of which is only three hops long, despite never having met a
member of the Samba Team.  All in all, a well-connected key, and I think
if there are people who get this error and actually care about it :), the
problem is more likely to lie on their end of the web of trust.

-- 
Steve Langasek
postmodern programmer





Re: (fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

2002-11-22 Thread Martin Pool
On 22 Nov 2002, Steve Langasek [EMAIL PROTECTED] wrote:

 Hmm.  I see nine signatures already, and I have a full trust relationship
 to the key which traverses multiple paths through the keyring, the
 shortest of which is only three hops long, despite never having met a
 member of the Samba Team.  All in all, a well-connected key, and I think
 if there are people who get this error and actually care about it :), the
 problem is more likely to lie on their end of the web of trust.

According to samba.html, the distribution key is 

  http://us1.samba.org/samba/ftp/samba-pubkey.asc
  gpg: key 2F87AF6F: public key Samba Distribution Verification Key [EMAIL PROTECTED]

This has only a single signature, from Jerry.

mbp@toey ~% gpg --list-sig 2F87AF6F
pub  1024D/2F87AF6F 2002-10-15 Samba Distribution Verification Key [EMAIL PROTECTED]
sig 3   2F87AF6F 2002-10-15   Samba Distribution Verification Key [EMAIL PROTECTED]
sig D83511F6 2002-10-15   Gerald W. Carter [EMAIL PROTECTED]
sub  1024g/4A271F85 2002-10-15 [expires: 2004-10-14]
sig 2F87AF6F 2002-10-15   Samba Distribution Verification Key [EMAIL PROTECTED]

Jerry's key is pretty well signed, but perhaps not strongly connected
to the world at large.

I don't know of any way to get GPG to automatically download
signatures for the web of trust, so unless people happen to have
Jerry's key and those of the people who certify him it is likely to be
untrusted.

I think it would be good to get other developers to sign the
distribution key.  Perhaps we might also get organizations like CERT
or AusCERT to sign the key (if they will), because administrators are
likely to already have their pubkeys.

Jerry, if you can call Sundeep's desk then I will listen to your voice
and sign your key.

-- 
Martin





Re: (fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

2002-11-22 Thread Martin Pool
Incidentally, this form is pretty useful when trying to establish the
validity of a key.  It would be nice if it were available from a GUI.

  gpg --list-sig A0B3E88B|awk '/id not found/ { print $2 }' |sort -u |xargs gpg --recv-key

-- 
Martin





Re: (fwd from jerry@theashergroup.com) Suggestion: describe (or linkto) how to verify your distributions

2002-11-22 Thread Paul Robertson
On Sat, 23 Nov 2002, Richard Sharpe wrote:

 Hackers don't have the intelligence to think of that :-) (tongue firmly in 
 cheek :-)

The ones that do probably have more intelligence than to sign the hack 
with a key they've put on a key server.  Evidentiary bonuses like that are 
the things an investigator's dreams are made of.

Before you go to the steal some sap's key thing, understand that 
relating multiple incidents also may lead to better evidence, and in turn 
to the bad guy.

I want this system dusted for keys and key prints! ;)

Paul
-
Paul D. Robertson  My statements in this message are personal opinions
[EMAIL PROTECTED]  which may have no basis whatsoever in fact.




Re: (fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

2002-11-22 Thread Steve Langasek
On Fri, Nov 22, 2002 at 02:31:21PM -0800, Martin Pool wrote:

 According to samba.html, the distribution key is 

   http://us1.samba.org/samba/ftp/samba-pubkey.asc
   gpg: key 2F87AF6F: public key Samba Distribution Verification Key [EMAIL PROTECTED]

Then perhaps this should be refreshed from the copy that's on the public
keyservers, which is where I imported it from?

 mbp@toey ~% gpg --list-sig 2F87AF6F
 pub  1024D/2F87AF6F 2002-10-15 Samba Distribution Verification Key [EMAIL PROTECTED]
 sig 3   2F87AF6F 2002-10-15   Samba Distribution Verification Key [EMAIL PROTECTED]
 sig D83511F6 2002-10-15   Gerald W. Carter [EMAIL PROTECTED]
 sub  1024g/4A271F85 2002-10-15 [expires: 2004-10-14]
 sig 2F87AF6F 2002-10-15   Samba Distribution Verification Key [EMAIL PROTECTED]

 Jerry's key is pretty well signed, but perhaps not strongly connected
 to the world at large.

Ah, well, he at least has good connectivity to other Samba Team members.
And to other people from valinux.com that I don't recognize. :)

 I don't know of any way to get GPG to automatically download
 signatures for the web of trust, so unless people happen to have
 Jerry's key and those of the people who certify him it is likely to be
 untrusted.

You write a shell script that walks the signature list and grabs from the
keyserver, I suppose.

 I think it would be good to get other developers to sign the
 distribution key.  Perhaps we might also get organizations like CERT
 or AusCERT to sign the key (if they will), because administrators are
 likely to already have their pubkeys.

Do you have key IDs for CERT and AusCERT?  I'm interested to see how
well-connected they are (would hate for people to substitute unfounded
faith in one key for a similar faith in another, at least).  Debian being
what it is, most of my trust paths to the world pass through people, not
through organizations... :)

-- 
Steve Langasek
postmodern programmer





reload smb.conf terminate connections

2002-11-22 Thread Martin Rasp
Hi.

I'm developing a command line tool (a GUI is following) for easily sharing 
local directories as an unprivileged user. I've almost finished it, but 
there is one thing that's still bothering me.

After adding shares smbd reloads its config file (via SIGHUP). Under Windows 
new shares appear immediately. If removing a share, samba reloads the 
smb.conf but it has no effect on established connections. I can still 
access the share even though it has been removed. If a client copies a file 
the connection should be killed.

Smbstatus provides the necessary information I need. I could search for a 
share name which I just removed and kill all those pids - with the side 
effect that other connections that are handled by that child process will 
be terminated, too. :-(

Can I access those functions through a samba library? I don't want to call 
the smbstatus program directly - if possible.

How do you think I could solve the problem best?

Martin
--
http://www.linux-fuer-alle.de/




Re: [PATCH] add 'modules path' and handle 'configure --with-configdir' right

2002-11-22 Thread Tim Potter
On Fri, Nov 22, 2002 at 01:21:21PM +0100, Jelmer Vernooij wrote:

  here's a patch that added the 'modules path' parameter.
  
  lp_modules_path() is prefixed to all lp_modules() which do not start with 
  '/' (not absolute paths)
  
  the default for lp_modules_path() is selectable by ./configure 
  --with-modulesdir=/modules
  or $(LIBDIR)/samba  (when  --with-fhs) or $(LIBDIR)
  
  make installmodules install the modules to lp_modules_path()
  
  make modules now makes proto_exist
 Thanks a lot! These were on my todo list. I'll take a look at it later today 
 (when I get back home, I'm currently at school)

There's already a directory for architecture specific library files -
libexec.  We haven't needed to use this so much before so it probably
isn't supported in configure.in.  How about $(LIBEXECDIR)/modules as
a location for the vfs modules?


Tim.



Possible bug (memory leak) in serving return code from tdb_fetch().

2002-11-22 Thread Arcady Chernyak
Hi.
I have analyzed code of the function: 

static struct printjob *print_job_find(int jobid)
{
	static struct printjob pjob;
	TDB_DATA ret;

	ret = tdb_fetch(tdb, print_key(jobid));
	if (!ret.dptr || ret.dsize != sizeof(pjob)) return NULL;

	memcpy(&pjob, ret.dptr, sizeof(pjob));
	free(ret.dptr);
	return &pjob;
}

from the file printing\printing.c.

The function tdb_fetch() makes malloc() if ret.dptr != NULL.
If the record was found, but we got a different size, we are going to return
NULL. 
In this case we shall get a memory leak.
I suggest the following function code:

static struct printjob *print_job_find(int jobid)
{
	static struct printjob pjob;
	TDB_DATA ret;

	ret = tdb_fetch(tdb, print_key(jobid));
	if (ret.dptr == NULL) return NULL;
	if (ret.dsize != sizeof(pjob)) {
		free(ret.dptr);
		return NULL;
	}
	memcpy(&pjob, ret.dptr, sizeof(pjob));
	free(ret.dptr);
	return &pjob;
}

The same thing also happens in the files:
Lib/messages.c            function: static BOOL message_recv
Nsswith/winbindd_cache.c  function: static uint32 cached_sequence_number


Regards
Arcady
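
[Added example, not part of the original message and not Samba code: the two return paths discussed above, run against a mock fetch that counts buffers handed to the caller. TDB_DATA, struct printjob, mock_fetch(), mock_free(), find_leaky(), find_fixed() and leaked_after() are constructed stand-ins, and a static pool replaces malloc() so the demo itself leaks nothing.]

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-ins for the tdb types and struct printjob; not Samba's definitions. */
typedef struct { char *dptr; size_t dsize; } TDB_DATA;
struct printjob { int jobid; char name[32]; };
static int live;       /* buffers handed out by mock_fetch() and not yet released */
static char pool[64];  /* stands in for malloc() so the demo itself leaks nothing */

/* Like tdb_fetch(): on success the caller owns dptr. n == 0 means "no record". */
static TDB_DATA mock_fetch(size_t n) {
    TDB_DATA d = { NULL, 0 };
    if (n) { d.dptr = pool; d.dsize = n; live++; }
    return d;
}
static void mock_free(char *p) { if (p) live--; }

/* Logic of the original function: the combined test returns without releasing. */
static struct printjob *find_leaky(size_t n) {
    static struct printjob pjob;
    TDB_DATA ret = mock_fetch(n);
    if (!ret.dptr || ret.dsize != sizeof(pjob)) return NULL;
    memcpy(&pjob, ret.dptr, sizeof(pjob));
    mock_free(ret.dptr);
    return &pjob;
}

/* Logic of the suggested function: the size-mismatch path releases first. */
static struct printjob *find_fixed(size_t n) {
    static struct printjob pjob;
    TDB_DATA ret = mock_fetch(n);
    if (ret.dptr == NULL) return NULL;
    if (ret.dsize != sizeof(pjob)) { mock_free(ret.dptr); return NULL; }
    memcpy(&pjob, ret.dptr, sizeof(pjob));
    mock_free(ret.dptr);
    return &pjob;
}

/* Look up a right-size, a wrong-size and a missing record; return buffers still owned. */
static int leaked_after(struct printjob *(*find)(size_t)) {
    live = 0;
    find(sizeof(struct printjob));      /* record present, expected size */
    find(sizeof(struct printjob) - 1);  /* record present, wrong size */
    find(0);                            /* no record */
    return live;
}
int main(void) {
    printf("leaky=%d fixed=%d\n", leaked_after(find_leaky), leaked_after(find_fixed));
    return 0;
}
```

Only the wrong-size lookup separates the two versions, which is why the leak shows up only when a stored record does not match the compiled struct size.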



Re: (fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

2002-11-22 Thread Martin Pool
On 22 Nov 2002, Steve Langasek [EMAIL PROTECTED] wrote:
 On Fri, Nov 22, 2002 at 03:16:09PM -0600, David W. Chapman Jr. wrote:
  On Fri, Nov 22, 2002 at 01:08:39PM -0800, Martin Pool wrote:
   Yeah, sure, but:
 
What does this all mean?  Why should I care?
 
Where do I get GPG?
 
Where do I get the samba codesigning key?  How do I import it?   How
do I know I got the right one?
 
What do I do if it doesn't verify?
 
  I always wondered if someone uploaded a tarball with a trojan, what's 
  preventing them from updating the .asc file as well?

The signature file can only be produced by somebody who has the
private key, which (I hope) only resides on well-secured machines
separate from the distribution machine.  For example it might be on a
PC at Jerry's house.

 It's a cryptographic signature that can only be produced using a specific
 key.  Assuming that the key belongs to the party whose name is on it, and
 assuming that the key is well-protected from theft, and assuming that the
 algorithms used by PGP haven't been broken, you can be assured that the
 signature was made by the person it claims to have come from.

So the failure modes are:

 1 - Somebody breaks into Jerry or some other signer's PC, and from
 there to samba.org.

 Equivalently, Jerry's laptop is stolen by somebody smart enough
 to understand what they found.  (Don't take keys to DEFCON!)

 2 - Somebody uploads an invalid .asc file, but nobody actually checks
 it, or at least nobody raises the alarm for some time.

 3 - Somebody changed the .tgz, .asc, and also the key stored on the
 same keyserver.   The key is signed with what look like plausible
 signatures.   Again, this will eventually be detected, but
 perhaps not until some trouble is caused. 

 4 - GPG is broken.  (By far the least likely.)

-- 
Martin



Re: Fixed: OpLocks caused the corruptions/slowness (Was: How Samba let us down)

2002-11-22 Thread Russell Senior
 David == David W Chapman [EMAIL PROTECTED] writes:

jra Clients commonly ignore oplock breaks because of network problems
jra (borderline hubs etc.). Many people are suffering from network
jra hardware that performs adequately in light use situations and
jra fails under heavy load. I myself have ended up junking hubs with
jra this problem.

Russell I *still* don't understand how flaky hardware could be the
Russell problem.  TCP connections are supposed to be reliable.  If
Russell flaky hardware is eating packets, then surely the sender,
Russell failing to get a timely ACK will resend?  I can understand a
Russell flaky client getting the break and not responding with the
Russell appropriate action, but I don't understand how a hardware
Russell level problem can break TCP communication, except in the
Russell obvious and persistent way of not having a connection at all.
Russell Please someone, wump me with a clue stick.

David Duplex problems are a simple example like setting full-duplex
David on a half-duplex switch might.

David A bad cable or NIC could cause intermittent problem as well.
David Yes packets would get retransmitted, but who's to say the
David retransmitted packets won't get dropped as well?

Uh, RFC793, section 2.6 maybe?  I think people would notice a total
network failure, so I am excluding that possibility.


-- 
Russell Senior ``I've seen every kind of critter God ever made,
[EMAIL PROTECTED]  and I ain't never seen a meaner, lower, more
 stinkin' yellow hypocrite than you!'' 
-- Burl Ives as Rufus Hennessy



Re: Fixed: OpLocks caused the corruptions/slowness (Was: How Samba let us down)

2002-11-22 Thread David W. Chapman Jr.
 David Duplex problems are a simple example like setting full-duplex
 David on a half-duplex switch might.
 
 David A bad cable or NIC could cause intermittent problem as well.
 David Yes packets would get retransmitted, but who's to say the
 David retransmitted packets won't get dropped as well?
 
 Uh, RFC793, section 2.6 maybe?  I think people would notice a total
 network failure, so I am excluding that possibility.
 

No, I'm not talking about things that would cause total network 
failures, just packet errors that would cascade the way a broadcast 
storm would for non switched ethernet.

-- 
David W. Chapman Jr.
[EMAIL PROTECTED]   Raintree Network Services, Inc. www.inethouston.net
[EMAIL PROTECTED]   FreeBSD Committer www.FreeBSD.org



Shared roaming profiles for all users (XP)?

2002-11-22 Thread xfesty

Hiya.

Is there any way to make non-changeable roaming profiles for all users 
with XP workstations, and Samba 3.0HEAD from CVS acting as a PDC?

I'm setting up a bunch of workstations for an internet cafe, and all 
users need to basically have the same settings (i.e. desktop icons, 
Internet Explorer settings, start menu items, etc.) as others, yet not 
be able to change them.

I tried setting the profile dir to the same for all users, and making 
it read only, but I'm experiencing two problems -

(1) XP will refuse to load the profile if it's read-only, and
(2) XP won't load the profile if it wasn't created by the same user.

I'm also finding cookies in IE sometimes aren't being properly set, 
people can't view hotmail attachments, MSN messenger refuses to work, 
and a bunch of other oddities.

Any way past this?  I remember back when I was using Windows 2K Server 
as a PDC, it was possible to have this.

R

- -- -
Ryan Verner [EMAIL PROTECTED]
PGP: 5819 DE5D B5AE 9381 7E60  5B4C 45CC 64DF D3CC EB07

ICQ: 76626240   IRC: xf / irc.oublinet.net
PH: +61 415 297 303 EQ: Mummer (Bard), Tholuxe

In the beginning the Universe was created. This has made a lot of
people very angry and has been widely regarded as a bad move.



Re: Shared roaming profiles for all users (XP)?

2002-11-22 Thread Andrew Bartlett
On Sat, 2002-11-23 at 15:57, John H Terpstra wrote:
 On Sat, 23 Nov 2002, xfesty wrote:
 
 
  Hiya.
 
  Is there any way to make non-changeable roaming profiles for all users
  with XP workstations, and Samba 3.0HEAD from CVS acting as a PDC?
 
 I documented the exact process for you earlier today. Please refer to the
 expressly clear instructions given for creating a mandatory profile for
 Windows XP.
 
 If you do not follow this process you will not achieve what you need.
 A mandatory profile is precisely what you need - a profile that no user
 can change. It can not be read-only, but it is not writable. To be
 writable NTUser needs to be a .DAT file, the .MAN extension blocks
 writability. To be usable by a group of users the profile needs to be set
 so that the ACE includes that group. The group can either be a global
 group, or the global/local group called Everyone.

I'm interested in how this lot works - the .man stops NT uploading the
changes - but does it still need write permissions or not?  I'm just
worried about users deliberately messing with their profiles.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net


