Re: tracking user logins

2002-11-27 Thread Andrew Bartlett
On Tue, 2002-11-26 at 20:26, Alen Kovac wrote:
 Hello!
 
 I'm running samba as PDC. I want to disable concurrent logins for
 users (not to be able to log in from more than one workstation at the
 same time). I haven't figured out how to disable this, so I dug into
 the samba sources.

The easiest way to do this is to ensure that people not only do a
'domain' logon, but also connect to their home directories.  Unlike
domain logons, this is a connection that must remain while a user is
active (it might idle, but it's the best that we can get).

So, implement your check as a PAM 'session' module.  Compile --with-pam,
and set 'obey pam restrictions' in your smb.conf.

This way, your users will still be able to log onto the domain, but
mapping their homedir will fail, and your users should hopefully get the
idea...  You might even be able to 'block' as an account check (and
hence the real domain logons), while 'locking' on the session.  (if that
makes any sense).

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net





Re: Encrypted Passwords Restricting Logon Attempts

2002-11-27 Thread Andrew Bartlett
On Wed, 2002-11-27 at 08:22, Jim Morris wrote:
 Hi All,
 
 I have been using Samba for a long time, as a network administrator and
 as a network consultant (since 1994).  For the first time, I have had
 someone ask me how to setup Samba to deny access to a user after 3
 unsuccessful logon attempts.  This is part of a new corporate security
 policy at a Windows-centric company.  I have gotten the Linux server
 itself to track the failed logon attempts using the pam_tally PAM
 module, and it does the trick. However, I am sure you know what is
 coming next..
 
 As everyone on this list is probably aware, the use of encrypted
 passwords and PAM password authentication are apparently mutually
 exclusive options with Samba 2.2.x.  This is stated up front in the help
 for the 'obey pam restrictions' option in the man page I believe.

Just to make this clear, this is not of our choosing, it is just a
matter of how the protocol works.

 With PAM supported compiled in and enabled (obey pam restrictions =
 Yes), I can switch to plain-text passwords (encrypted passwords = No),
 and have Samba authenticate the user via PAM, obeying the pam_tally
 setup to deny the user access after 3 failed logon attempts. However,
 the use of encrypted passwords is also part of the corporate security
 policy at the site in question.

It would also prevent domain logons, and exposes bugs in other parts of
Microsoft's client.

 With encrypted passwords on, Samba does obey the PAM account
 authentication rules - it denies access to a user who has already
 reached the configured number of logon attempts. However, an invalid
 logon attempt via Samba in this configuration does not increment the
 failed logon attempt counter maintained by pam_tally.so.  So I can try
 to logon as many times as I want via SMB, without incrementing the
 counter and disabling the user account.
 
 I am hoping that someone on this list has some insight to this issue, or
 has worked through it.

I think that the easiest way to do this would be to look into Samba
3.0's auth subsystem, and add a hook for WRONG_PASSWORD return values.
This could update the same database that pam_tally uses.

 I am wondering if I modified the smbd source code to somehow force the
 use of PAM even with encryption, if I could then somehow use the
 pam_smb_auth module to authenticate against the Samba server. The help
 for the pam_smb_auth.so PAM module seems to indicate that it supports
 encrypted passwords when authenticating against an NT PDC.  I am not
 sure this option is viable though.

No, it doesn't support that.  What it means is that it will encrypt the
passwords between the server it is running on, and the remote password
server.

 Any suggestions are welcome.  The worst case scenario I see at the
 moment would be having to downgrade the Samba PDC to a domain member
 server, and perform all authentication with an NT PDC.  That is my least
 desirable course of action though, as Samba was used to replace NT
 Server several years ago. NT Server is still sitting on the shelf
 though, and can be dusted off if that is the only way to achieve the
 requirements for the security policy.

 Note that if you have not looked at it, a Windows server (ack!) makes it
 very easy to control this type of stuff. There is a 'Local Security Policy'
 utility in the NT/2000 control panel. Using this utility, you can in a
 few clicks set how many attempts are allowed before an account becomes
 disabled.  Certainly much easier to find than the PAM alternative, which
 took me some digging to find!

We certainly need to work on this, and a number of other 'enterprise
grade' features.  There are a number of things that, as developers, we
don't notice, but user feedback (and in some cases, very good patches!)
has allowed us to support.

This feature in particular should be picked up when we finish
implementing and better integrating account policy support.  

 Alternatively, how difficult would it be to modify Samba to support an
 option like this directly, within the constructs of the smbpasswd file?

Yes, your best option is to modify Samba,

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net





Playing games with reported permissions - securing mandatory profiles

2002-11-27 Thread Andrew Bartlett
After talking to jht today, I've finally got a *much* better
understanding about how mandatory profiles really work...

Because WinNT uses the NT ACLs on the profile in creating the local
mirror, the users and groups that use the profile must have *write*
access to the profile.  Or at least they must appear to!

I need to try this out, and see if I'm missing something here, but I'm
thinking that we should be able to write a pretty simple VFS module,
that fakes up the ACLs, replacing say 'admin' with 'target group' as
read by the client.  This should make Win2k set the local profile
permissions 'correctly', while not allowing users to put porn on a
college-wide desktop...

How does this sound?  Am I at least slightly close to the mark?

Andrew Bartlett
-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net





Re: LDAP machine lookup strangeness

2002-11-27 Thread Ignacio Coupeau
Don Hayward wrote:

I don't know whether this is a samba problem, but that's my current
best guess.

I'm using Debian woody with the upgrades mentioned below. I got the
samba-2.2.7 source and did the build with debian/rules with the
addition of the ldapsam flag.  I've upgraded my ldap, nss, and pam,
etc. libraries to 'testing' to use the tls enabled libldap.  I'm using
gcc 3.0.4.



I tested the same scenario but with RH 7.2 and gcc 2.96-81 and can't 
reproduce the error.
I added a ws account, joined to the domain, logon, etc. But can't 
reproduce the error. The rid is stored and fetched well in/from the ldap.

Ignacio
--

Ignacio Coupeau, Ph.D. [EMAIL PROTECTED]
CTI, Director  [EMAIL PROTECTED]
University of Navarra  [EMAIL PROTECTED]
Pamplona, SPAIN        http://www.unav.es/cti/



Stranger problem Samba/DHCP

2002-11-27 Thread Marcus Grando

Hello list,

I have an internal network with IPs in 10.0.0.0/9, and I configured the DHCP
server to pool the IPs based on host-name (equivalent to the machine name).

When running the new configuration on DHCP, the machines get an IP normally.
But Samba (PDC) denies any new connections to shares. The machines are
configured with node-type = 2. If I configure Windows 95/98/2000/XP to import
LMHOSTS, the machine works.

I reviewed smb.conf and dhcpd.conf and it does not work, but when I start dhcpd
with the old configuration, Samba works normally.

The old configuration has no pool configuration: all machines are on the same
subnet (10.0.6.0/24). With the pool configuration, machines get IPs from
several subnets (10.0.6.0/24, 10.0.11.0/24, 10.0.12.0/24,
10.0.13.0/24...).

Any ideas how to resolve this problem?

My smb.conf and dhcpd.conf.

dhcpd.conf (OLD)

log-facility local7;
ddns-update-style none;
default-lease-time 86400;
max-lease-time 129600;
option netbios-name-servers X.X.X.X;
option domain-name-servers X.X.X.X, X.X.X.X;
option netbios-dd-server X.X.X.X;
option netbios-node-type 2;
option netbios-scope "";
option ntp-servers X.X.X.X;
option ip-forwarding off;

subnet 10.0.0.0 netmask 255.128.0.0
{
range 10.0.6.1 10.0.6.254;
option routers 10.0.0.1;
option domain-name "6.0.10.internal";
}

dhcpd.conf (NEW)

log-facility local7;
ddns-update-style none;
default-lease-time 86400;
max-lease-time 129600;
option netbios-name-servers X.X.X.X;
option domain-name-servers X.X.X.X, X.X.X.X;
option netbios-dd-server X.X.X.X;
option netbios-node-type 2;
option netbios-scope "";
option ntp-servers X.X.X.X;
option ip-forwarding off;

# Classes are keyed on the first four characters of the client-supplied
# host-name; dhcpd string literals must be quoted.
class Lab1 {
  match if (
    (substring(option host-name,0,4) = "Lab1") or
    (substring(option host-name,0,4) = "lab1") or
    (substring(option host-name,0,4) = "LAB1") );
}
class Lab2 {
  match if (
    (substring(option host-name,0,4) = "Lab2") or
    (substring(option host-name,0,4) = "lab2") or
    (substring(option host-name,0,4) = "LAB2") );
}
class Lab3 {
  match if (
    (substring(option host-name,0,4) = "Lab3") or
    (substring(option host-name,0,4) = "lab3") or
    (substring(option host-name,0,4) = "LAB3") );
}
class Lab4 {
  match if (
    (substring(option host-name,0,4) = "Lab4") or
    (substring(option host-name,0,4) = "lab4") or
    (substring(option host-name,0,4) = "LAB4") );
}

subnet 10.0.0.0 netmask 255.128.0.0
{
option routers 10.0.0.1;

  # Default pool for everything that is not a lab machine
  pool {
    deny members of Lab1;
    deny members of Lab2;
    deny members of Lab3;
    deny members of Lab4;
    range 10.0.6.1 10.0.6.254;
    option domain-name "6.0.10.internal";
  }
  pool {
    allow members of Lab1;
    range 10.0.11.1 10.0.11.35;
    option domain-name "11.0.10.internal";
  }
  pool {
    allow members of Lab2;
    range 10.0.12.1 10.0.12.35;
    option domain-name "12.0.10.internal";
  }
  pool {
    allow members of Lab3;
    range 10.0.13.1 10.0.13.35;
    option domain-name "13.0.10.internal";
  }
  pool {
    allow members of Lab4;
    range 10.0.14.1 10.0.14.35;
    option domain-name "14.0.10.internal";
  }
}

smb.conf

[global]

   workgroup = BIG
   netbios name = Isto
   server string = Servidor %L (%v)
   log level = 1
   log file = /var/samba/%m
   security = user
   admin users = @ti
   hosts allow = X.X.X.X/24 10.0.0.0/8
   password level = 14
   encrypt passwords = yes
   smb passwd file = /etc/smbpasswd
   socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
   large readwrite = yes
   interfaces = 127.0.0.1/8 X.X.X.X/27
   deadtime = 15
   os level = 80
   announce version = 6.0
   browse list = no
   local master = yes
   preferred master = yes
   domain master = yes
   domain logons = yes
   logon drive = x:
   logon script = scripts\%m.bat
   logon home = \\%L\%U
   logon path = \\%L\profiles\%U
   wins support = yes
   name resolve order = wins lmhosts host
   time server = yes
   time offset = 0
   character set = ISO8859-1
   preserve case = yes
   mangle case = yes
   veto files = /.?*/lost+found/quota.*/dead.*/
   hide files = /eco/profile/

# Share Definitions 
[homes]
   comment = %U
   writeable = yes
   create mask = 0664
   directory mask = 0775
   preexec = /home2/samba/scripts/ajusta-home.sh %U

[netlogon]
   comment = Network Logon Service
   path = /home2/samba/netlogon
   browseable = no
   guest ok = yes
   writable = no
   write list = @ti
   create mask = 0664
   directory mask = 0775

[profiles]
   comment = User Profiles
   path = %H/profile
   browseable 

samba on lynxos 3.0

2002-11-27 Thread Olaf Flebbe
Hi,

I had some (expected) problems compiling samba 2.2.7 on LynxOS 3.0.1

Almost all of it is due to the header vfs.h

* LynxOS has a weird sys/vfs.h: it itself includes vfs.h. But unfortunately it
gets the samba/include/vfs.h instead of the system vfs.h header file. I worked around
this issue with CC="gcc -I/usr/include" to get the /usr/include files first.

* Somehow it generates warnings when #including files like vfs.h. I worked
around this by defining -D__NO_INCLUDE_WARN__. So the configure statement read:
export CC="gcc -D__NO_INCLUDE_WARN__ -I/usr/include"; configure

* The networking functions are located in -lnetinet aka -lbsd. This library is
not detected at all.
IMHO there should be an AC_CHECK_LIB(netinet, gethostbyaddr) in configure.in. I
cannot confirm this because configure.in seems to rely on autoconf 2.13 (?)

* Both vfs.h files (the system's and samba's) define a function vfs_mkdir with a different
prototype. I changed vfs_mkdir in samba to samba_vfs_mkdir.


*** I would recommend renaming vfs.h ***

* There is a spurious uint in the source

A trivial patch for vfs_mkdir and the uint issue is attached.


Unfortunately there is no crypt() available on LynxOS. So you have to work around
this issue somehow.

Cheers,
  Olaf
--
  Dr. Olaf Flebbe          Phone +49 (0)7071-9457-254
  Software Solutions       FAX   +49 (0)7071-9457-211
  science + computing ag
  Hagellocher Weg 73-75
  D-72070 Tuebingen        Email: [EMAIL PROTECTED]

  The amount of work to be done increases in proportion to the
  amount of work already completed.

diff -ur samba-2.2.7/source/include/proto.h samba-2.2.7.lynx/source/include/proto.h
--- samba-2.2.7/source/include/proto.h  Wed Nov 20 02:31:32 2002
+++ samba-2.2.7.lynx/source/include/proto.h Tue Nov 26 10:33:59 2002
@@ -4866,7 +4866,7 @@
 
 BOOL smbd_vfs_init(connection_struct *conn);
 BOOL vfs_directory_exist(connection_struct *conn, const char *dname, SMB_STRUCT_STAT 
*st);
-int vfs_mkdir(connection_struct *conn, char *const fname, mode_t mode);
+int samba_vfs_mkdir(connection_struct *conn, char *const fname, mode_t mode);
 char *vfs_getwd(connection_struct *conn, char *unix_path);
 BOOL vfs_object_exist(connection_struct *conn, const char *fname,SMB_STRUCT_STAT 
*sbuf);
 BOOL vfs_file_exist(connection_struct *conn, const char *fname,SMB_STRUCT_STAT *sbuf);
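Review bot: the context line `BOOL vfs_directory_exist(connection_struct *conn, const char *dname, SMB_STRUCT_STAT` / `*st);` has been wrapped onto two lines by the mailer, so this hunk will not apply as posted; please resend the patch as an attachment or with line wrapping off. Also, proto.h in the Samba tree is regenerated with `make proto`, so the rename to `samba_vfs_mkdir` should be made in the defining source file and proto.h regenerated rather than edited by hand, or it will be lost at the next regeneration.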
diff -ur samba-2.2.7/source/libsmb/cli_samr.c samba-2.2.7.lynx/source/libsmb/cli_samr.c
--- samba-2.2.7/source/libsmb/cli_samr.cThu Jun  6 21:16:18 2002
+++ samba-2.2.7.lynx/source/libsmb/cli_samr.c   Tue Nov 26 13:00:13 2002
@@ -416,7 +416,7 @@
SAMR_Q_QUERY_USERALIASES q;
SAMR_R_QUERY_USERALIASES r;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
-   uint ptr=1;
+   unsigned int ptr=1;

ZERO_STRUCT(q);
ZERO_STRUCT(r);
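Review bot: `+   unsigned int ptr=1;` is the right replacement on a platform with no `uint` typedef, but this one occurrence was found by a compile failure; a `grep -rw uint source/` before merging would confirm there are no other uses that break the LynxOS build the same way.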
diff -ur samba-2.2.7/source/smbd/open.c samba-2.2.7.lynx/source/smbd/open.c
--- samba-2.2.7/source/smbd/open.c  Tue Nov 19 04:49:18 2002
+++ samba-2.2.7.lynx/source/smbd/open.c Tue Nov 26 10:33:30 2002
@@ -1199,7 +1199,7 @@
return NULL;
}
 
-   if(vfs_mkdir(conn,fname, unix_mode(conn,aDIR, fname))  0) {
+   if(samba_vfs_mkdir(conn,fname, unix_mode(conn,aDIR, fname))  
+0) {
DEBUG(2,(open_directory: unable to create %s. Error 
was %s\n,
 fname, strerror(errno) ));
file_free(fsp);
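Review bot: the replacement line has been split by the mailer into `+   if(samba_vfs_mkdir(conn,fname, unix_mode(conn,aDIR, fname))  ` and `+0) {`, so applying this hunk inserts two lines and leaves a syntactically broken `if`; the comparison operator is also missing from the quoted text. This hunk needs resending unwrapped, as an attachment.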
diff -ur samba-2.2.7/source/smbd/reply.c samba-2.2.7.lynx/source/smbd/reply.c
--- samba-2.2.7/source/smbd/reply.c Wed Nov 20 02:31:33 2002
+++ samba-2.2.7.lynx/source/smbd/reply.cTue Nov 26 10:33:21 2002
@@ -3575,7 +3575,7 @@
unix_convert(directory,conn,0,bad_path,sbuf);
   
if (check_name(directory, conn))
-   ret = vfs_mkdir(conn,directory,unix_mode(conn,aDIR,directory));
+   ret = samba_vfs_mkdir(conn,directory,unix_mode(conn,aDIR,directory));
   
if (ret == -1) {
NTSTATUS nterr = set_bad_path_error(errno, bad_path);
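Review bot: this call site is straightforward, but a rename only holds up if every caller of vfs_mkdir changes together; the patch covers open.c, reply.c and trans2.c plus the declaration, so confirm with `grep -rn vfs_mkdir source/` that no other callers remain, since any missed one fails the build rather than the link.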
diff -ur samba-2.2.7/source/smbd/trans2.c samba-2.2.7.lynx/source/smbd/trans2.c
--- samba-2.2.7/source/smbd/trans2.cTue Nov 19 19:44:21 2002
+++ samba-2.2.7.lynx/source/smbd/trans2.c   Tue Nov 26 10:33:06 2002
@@ -2959,7 +2959,7 @@
 
unix_convert(directory,conn,0,bad_path,sbuf);
if (check_name(directory,conn))
-   ret = vfs_mkdir(conn,directory,unix_mode(conn,aDIR,directory));
+   ret = samba_vfs_mkdir(conn,directory,unix_mode(conn,aDIR,directory));
   
if(ret  0) {
DEBUG(5,(call_trans2mkdir error (%s)\n, strerror(errno)));
diff -ur samba-2.2.7/source/smbd/vfs.c samba-2.2.7.lynx/source/smbd/vfs.c
--- samba-2.2.7/source/smbd/vfs.c   Tue Nov 19 19:44:21 2002
+++ samba-2.2.7.lynx/source/smbd/vfs.c  Tue Nov 26 10:32:49 2002
@@ -223,7 +223,7 @@
  
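Review bot: the smbd/vfs.c hunk, which should carry the renamed definition of `samba_vfs_mkdir`, is cut off immediately after the `@@ -223,7 +223,7 @@` header, so the patch as posted is incomplete; without that hunk the declaration in proto.h has no definition and the link fails. Please resend the full patch as an attachment.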

Re: LDAP machine lookup strangeness

2002-11-27 Thread Don Hayward
Thanks for the response.  It helps focus my search.

On Wed, 27 Nov 2002, Ignacio Coupeau wrote:

 Don Hayward wrote:
  I don't know whether this is a samba problem, but that's my current
  best guess.
 
  I'm using Debian woody with the upgrades mentioned below. I got the
  samba-2.2.7 source and did the build with debian/rules with the
  addition of the ldapsam flag.  I've upgraded my ldap, nss, and pam,
  etc. libraries to 'testing' to use the tls enabled libldap.  I'm using
  gcc 3.0.4.
 

 I tested the same scenario but with RH 7.2 and gcc 2.96-81 and can't
 reproduce the error.
 I added a ws account, joined to the domain, logon, etc. But can't
 reproduce the error. The rid is stored and fetched well in/from the ldap.

 Ignacio
 --
 
 Ignacio Coupeau, Ph.D. [EMAIL PROTECTED]
 CTI, Director  [EMAIL PROTECTED]
 University of Navarra  [EMAIL PROTECTED]
 Pamplona, SPAIN        http://www.unav.es/cti/



Don Hayward [EMAIL PROTECTED]
Mote Marine Laboratory  Office: 941.388.4441  Cell: 941.302.4982
1600 Ken Thompson Parkway   Fax: 941.388.4312
Sarasota, FL 34236  See: http://www.mote.org
Independent, non-profit, marine and estuarine research and education facility.
For PGP public key do: http://www.mote.org/~don/donpgp.asc
use DISCLAIMER; # We run Debian Linux
Taxes feed the starving and clothe the naked.




Re: Encrypted Passwords Restricting Logon Attempts

2002-11-27 Thread Jim Morris
Andrew,

Thanks for your detailed response on this subject.


As everyone on this list is probably aware, the use of encrypted
passwords and PAM password authentication are apparently mutually
exclusive options with Samba 2.2.x.  This is stated up front in the 
help
for the 'obey pam restrictions' option in the man page I believe.

Just to make this clear, this is not of our choosing, it is just a
matter of how the protocol works.


Oh - I knew that when I composed my message.  That is also clear - PAM 
does not support the challenge/response mechanism needed.  It still 
seems to me that it should somehow be possible, if coded right.   Let's 
say we have PAM setup on the system to actually authenticate against 
the smbpasswd file, or an OpenLDAP server storing the passwords in 
encrypted form.  Is there no way to do the handshaking at the Samba 
level, with just one call to PAM?  Or do we need to read the 16-byte 
hash or whatever is stored in the smbpasswd file, in order to check the 
password?  I can see PAM not letting us do that

Ok - on plain texts passwords, you state:

It would also prevent domain logons, and exposes bugs in other parts of
Microsoft's client.


The domain in this case is controlled by Samba. Most of the clients are 
Windows 95/98 clients, and testing with Windows 98 seems to show that 
it can do a 'domain logon'. For the record, I know that this is not 
quite the same as the domain logon that Windows 2000 or NT clients will 
do, and I have yet to test one of those clients.  (I spent a LOT of 
time working through the domain logon stuff a couple of years ago when 
working on those chapters of 'Special Edition, Using Samba' with 
Richard Sharpe).  Anyway, I would only consider this switch to 
plaintext passwords a temporary measure while I come up with something 
better.

I think that the easiest way to do this would be to look into Samba
3.0's auth subsystem, and add a hook for WRONG_PASSWORD return values.
This could update the same database that pam_tally uses.


Sounds like I need to pull a copy of HEAD from CVS and start getting 
familiar with Samba 3.0.  Of course, I am assuming that the HEAD 
revision is Samba 3.0 work in progress?


We certainly need to work on this, and a number of other 'enterprise
grade' features.  There are a number of things that, as developers, we
don't notice, but user feedback (and in some cases, very good patches!)
has allowed us to support.

This feature in particular should be picked up when we finish
implementing and better integrating account policy support.


Well, I have been looking for a contribution to make to Samba for a 
long time.  My last direct contributions involved some OS/2 client 
related debugging of Samba back in 1995, so it's been a while!  It 
sounds like this may be an area I could work on.

Alternatively, how difficult would it be to modify Samba to support an
option like this directly, within the constructs of the smbpasswd 
file?

Yes, your best option is to modify Samba,


Ok - thanks for the advice.  Should I consider Samba 3.0 (CVS) as the 
best starting point for such a process?
 --
Jim Morris ([EMAIL PROTECTED])



Re: Encrypted Passwords Restricting Logon Attempts

2002-11-27 Thread Jim Morris
Andrew (or anyone),

As an alternative to modifying Samba, is there any way that the Samba 
logon could be aborted as late as the processing of the Windows logon 
scripts?   If I could somehow force the user to log back out at that 
point (via the logon script), then that may be a temporary workaround 
to my problem.

Thanks!
 --
Jim Morris ([EMAIL PROTECTED])



Re: Encrypted Passwords Restricting Logon Attempts

2002-11-27 Thread Steve Langasek
On Wed, Nov 27, 2002 at 08:51:44AM -0600, Jim Morris wrote:

 It would also prevent domain logons, and exposes bugs in other parts of
 Microsoft's client.

 The domain in this case is controlled by Samba. Most of the clients are 
 Windows 95/98 clients, and testing with Windows 98 seems to show that 
 it can do a 'domain logon'. For the record, I know that this is not 
 quite the same as the domain logon that Windows 2000 or NT clients will 
 do, and I have yet to test one of those clients.  (I spent a LOT of 
 time working through the domain logon stuff a couple of years ago when 
 working on those chapters of 'Special Edition, Using Samba' with 
 Richard Sharpe).  Anyway, I would only consider this switch to 
 plaintext passwords a temporary measure while I come up with something 
 better.

With Win95/98 it might not be such an issue.  If you have any member
servers in your domain, it IS an issue, because the only way to get
recent versions of Windows to negotiate plaintext auth is for the server
to say it does NOT support encrypted passwords, and a server that doesn't
support encrypted passwords cannot be a DC.

There really is no way to do this with PAM that will work for most
people.  You'd need some other sort of hook into the Samba authentication
system to achieve the effect.  PAM is not suitable, because the
authentication can't be handed off to PAM, and nothing in PAM will know
the result of this authentication unless PAM *performed* the
authentication.

-- 
Steve Langasek
postmodern programmer





Re: Encrypted Passwords Restricting Logon Attempts

2002-11-27 Thread Jim Morris
On Wednesday, November 27, 2002, at 09:12  AM, Steve Langasek wrote:


With Win95/98 it might not be such an issue.  If you have any member
servers in your domain, it IS an issue, because the only way to get
recent versions of Windows to negotiate plaintext auth is for the 
server
to say it does NOT support encrypted passwords, and a server that 
doesn't
support encrypted passwords cannot be a DC.

Well, as migration to Windows 2000 Professional on the desktop is 
gradually taking place, it becomes an issue if the Samba server cannot 
be a domain controller.  I believe there may also be at least one 
Windows NT Server that is a domain member server as well.

Well, it sounds to me then that the only way to support this is to add 
the support to Samba itself, via a new smb.conf option such as 'max 
failed login attempts = n' for example.  And then either use the 
/var/log/faillog that is used by pam_tally, for compatibility with the 
system authentication, or store the number of failed Samba logon 
attempts independently, in a field of smbpasswd, or elsewhere.

 --
Jim Morris ([EMAIL PROTECTED])



Re: add VFSLIBDIR to 3_0

2002-11-27 Thread Gerald (Jerry) Carter

On Wed, 27 Nov 2002, Stefan (metze) Metzmacher wrote:

 I think adding VFSLIBDIR is not nice, because jelmer is working on the
 modules stuff in HEAD and we'll load the modules via the 'modules = '
 and 'modules path =' (not yet added) parameters. and make modules should
 make all modules not only VFS modules.
 
 I think all modules should be in LIBDIR  and 'modules path' should be 
 LIBDIR by default.

Long ago we started using /usr/lib/samba as the top libdir in 
RPM installs.  VFS modules were placed in /usr/lib/samba/vfs.
I placed the codepages/*.dat files in /usr/lib/samba.  If people
think that all libraries should go in a flat directory, below
/usr/lib/samba/, that's fine with me.  We just need to all be on 
the same page.

And sometimes a message to the mailing list is not enough
(if you know someone in particular needs to know a new piece of 
information).

 BTW: is there a reason why make installmodules installs the modules in
 VFSLIBDIR and make uninstallmodules tries to remove them from LIBDIR and
 not from VFSLIBDIR?

typo from late night working on the release.





cheers, jerry
 --
 Hewlett-Packard- http://www.hp.com
 SAMBA Team -- http://www.samba.org
 GnuPG Key   http://www.plainjoe.org/gpg_public.asc
 ISBN 0-672-32269-2 SAMS Teach Yourself Samba in 24 Hours 2ed
 You can never go home again, Oatman, but I guess you can shop there.  
--John Cusack - Grosse Point Blank (1997)





Urgent Unix Support Requirement for Frankfurt (fwd from j.schroeder@rockwelldatacorp.com)

2002-11-27 Thread Martin Pool
From: J Schroeder [EMAIL PROTECTED]
Subject: Urgent Unix Support Requirement for Frankfurt
Date: Wed, 27 Nov 2002 13:21:37 +0100

Hi. 

If any of you guys are looking (or know of anyone looking) for a new
position in Frankfurt, I have a colleague looking for several Unix
Support people there. Please drop me a mail if interested and I will
forward details

The requirement involves: Knowledge of UNIX, SQL or programming languages,
Standard Microsoft software, Native German speaker (also good knowledge of 
English) 

Best regards,

 J. Schroeder 



Re: Encrypted Passwords Restricting Logon Attempts

2002-11-27 Thread jra
On Tue, Nov 26, 2002 at 03:22:48PM -0600, Jim Morris wrote:
 
 Alternatively, how difficult would it be to modify Samba to support an
 option like this directly, within the constructs of the smbpasswd file?

What is your timeframe on this ? Do you need it to work on 2.2.x or
later ? It certainly seems something we need to add for 3.0 at least.

Jeremy.



Re: add VFSLIBDIR to 3_0

2002-11-27 Thread Gerald (Jerry) Carter

On Wed, 27 Nov 2002, Stefan Metzmacher wrote:

 I decided with Jelmer that the codepages/*.dat files should be installed
 in ${datadir}/samba which is ${prefix}/share/samba

Great that you decided, but no one told me about that.
And the Makefile had them going to $(LIBDIR).



cheers, jerry
 --
 Hewlett-Packard- http://www.hp.com
 SAMBA Team -- http://www.samba.org
 GnuPG Key   http://www.plainjoe.org/gpg_public.asc
 ISBN 0-672-32269-2 SAMS Teach Yourself Samba in 24 Hours 2ed
 You can never go home again, Oatman, but I guess you can shop there.  
--John Cusack - Grosse Point Blank (1997)





Re: Encrypted Passwords Restricting Logon Attempts

2002-11-27 Thread Richard Sharpe
On Wed, 27 Nov 2002, Jim Morris wrote:

 Andrew (or anyone),
 
 As an alternative to modifying Samba, is there any way that the Samba 
 logon could be aborted as late as the processing of the Windows logon 
 scripts?   If I could somehow force the user to log back out at that 
 point (via the logon script), then that may be a temporary workaround 
 to my problem.

By the time that the logon script is running on the client, authentication 
has completed already.

The best way to do this is, as Jeremy points out, keep a log of all 
sessions, and if the user is already logged on, to fail them with an 
appropriate status. 

In my view, you would authenticate them, and fail with this response only 
after you had determined that authentication was successful.

Similarly, you would keep information about failed logon attempts, and 
deal with that separately.
 
 Thanks!
   --
 Jim Morris ([EMAIL PROTECTED])
 

-- 
Regards
-
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com
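A worked version of the checks discussed in this thread, combining Jim Morris's proposed 'max failed login attempts = n' counter with the ordering Richard Sharpe describes above (authenticate first, refuse a second concurrent session only after the password has been verified), as an added example in C that is not Samba code and is not from either author. The in-memory user table, the plaintext compare that stands in for the real challenge/response check, the workstation names and the status names are all constructed for the demo.

```c
/* Added example, not Samba code: a minimal logon gate with a failed-attempt
 * lockout counter and a one-active-session-per-user check. The user table,
 * passwords, host names and status names are constructed for the demo. */
#include <stdio.h>
#include <string.h>

#define MAX_USERS 8
#define MAX_FAILED_LOGINS 3   /* stands in for "max failed login attempts = n" */

enum logon_status {
    LOGON_OK = 0,
    LOGON_WRONG_PASSWORD,
    LOGON_ACCOUNT_LOCKED_OUT,
    LOGON_ALREADY_LOGGED_ON
};

struct user_rec {
    char name[32];
    char password[32];      /* constructed sample; a real store holds hashes */
    int failed;             /* consecutive failures, like the pam_tally count */
    char session_host[32];  /* workstation holding the active session, or "" */
};

static struct user_rec users[MAX_USERS];
static int nusers;

static struct user_rec *find_user(const char *name)
{
    int i;
    for (i = 0; i < nusers; i++)
        if (strcmp(users[i].name, name) == 0)
            return &users[i];
    return NULL;
}

/* Register a constructed account; 0 on success, -1 if full or duplicate. */
int add_user(const char *name, const char *password)
{
    if (nusers >= MAX_USERS || find_user(name) != NULL)
        return -1;
    snprintf(users[nusers].name, sizeof users[nusers].name, "%s", name);
    snprintf(users[nusers].password, sizeof users[nusers].password, "%s", password);
    users[nusers].failed = 0;
    users[nusers].session_host[0] = '\0';
    nusers++;
    return 0;
}

/* The gate. The order of the checks is the point:
 *  1. a locked-out account is refused before the password is examined;
 *  2. the password is checked, and a failure bumps the counter;
 *  3. only a correct password reaches the session check, so a caller who
 *     does not know the password never learns that the user is logged on
 *     elsewhere. A repeat logon from the same workstation is allowed so
 *     that an idle-disconnected client can reconnect. */
enum logon_status try_logon(const char *name, const char *password,
                            const char *host)
{
    struct user_rec *u = find_user(name);

    if (u == NULL)
        return LOGON_WRONG_PASSWORD;      /* same answer as a bad password */
    if (u->failed >= MAX_FAILED_LOGINS)
        return LOGON_ACCOUNT_LOCKED_OUT;
    if (strcmp(u->password, password) != 0) {   /* demo stand-in for the real check */
        u->failed++;
        return LOGON_WRONG_PASSWORD;
    }
    if (u->session_host[0] != '\0' && strcmp(u->session_host, host) != 0)
        return LOGON_ALREADY_LOGGED_ON;

    u->failed = 0;                        /* success resets the counter */
    snprintf(u->session_host, sizeof u->session_host, "%s", host);
    return LOGON_OK;
}

/* End the session; only the workstation that holds it may release it. */
int logoff(const char *name, const char *host)
{
    struct user_rec *u = find_user(name);
    if (u == NULL || u->session_host[0] == '\0' || strcmp(u->session_host, host) != 0)
        return -1;
    u->session_host[0] = '\0';
    return 0;
}

/* Current failure count, or -1 for an unknown user. */
int failed_count(const char *name)
{
    struct user_rec *u = find_user(name);
    return u ? u->failed : -1;
}

int main(void)
{
    add_user("alice", "s3cret");
    printf("wrong password from ws1 -> %d\n", try_logon("alice", "nope", "ws1"));
    printf("correct from ws1        -> %d\n", try_logon("alice", "s3cret", "ws1"));
    printf("correct from ws2        -> %d\n", try_logon("alice", "s3cret", "ws2"));
    printf("wrong from ws2          -> %d\n", try_logon("alice", "nope", "ws2"));
    return 0;
}
```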




RE: samba on lynxos 3.0

2002-11-27 Thread Green, Paul
Olaf Flebbe [mailto:[EMAIL PROTECTED]] wrote:
 I had some (expected) problems compiling samba 2.2.7 on LynxOS 3.0.1
[snip]

 Unfortunately there is no crypt() available on LynxOS. So you have to
 work around this issue somehow.


With a little work, you can probably port the FreeBSD version of crypt.c to
your system. The FreeBSD license should not give you any problems.

Take a look at
http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libcrypt/crypt.c

PG
--
Paul Green, Senior Technical Consultant, Stratus Technologies.
Day: +1 978-461-7557; FAX: +1 978-461-3610
Speaking from Stratus not for Stratus



Re: add VFSLIBDIR to 3_0

2002-11-27 Thread Stefan Metzmacher
At 10:21 27.11.2002 -0600, Gerald (Jerry) Carter wrote:


On Wed, 27 Nov 2002, Stefan Metzmacher wrote:

 I decided with Jelmer that the codepages/*.dat files should be installed
 in ${datadir}/samba which is ${prefix}/share/samba

Great that you decided, but no one told me about that.
And the Makefile had them going to $(LIBDIR).


just read my last mails to samba-technical:
http://lists.samba.org/pipermail/samba-technical/2002-November/040963.html
http://lists.samba.org/pipermail/samba-technical/2002-November/040966.html
http://lists.samba.org/pipermail/samba-technical/2002-November/040967.html
http://lists.samba.org/pipermail/samba-technical/2002-November/040991.html


---

Stefan Metzmacher

[EMAIL PROTECTED]




Re: add VFSLIBDIR to 3_0

2002-11-27 Thread Gerald (Jerry) Carter

On Wed, 27 Nov 2002, Stefan Metzmacher wrote:

 At 10:21 27.11.2002 -0600, Gerald (Jerry) Carter wrote:
 
 On Wed, 27 Nov 2002, Stefan Metzmacher wrote:
 
   I decided with Jelmer that the codepages/*.dat files should be installed
   in ${datadir}/samba which is ${prefix}/share/samba
 
 Great that you decided, but no one told me about that.
 And the Makefile had them going to $(LIBDIR).
 
 just read my last mails to samba-technical:
 http://lists.samba.org/pipermail/samba-technical/2002-November/040963.html
 http://lists.samba.org/pipermail/samba-technical/2002-November/040966.html
 http://lists.samba.org/pipermail/samba-technical/2002-November/040967.html
 http://lists.samba.org/pipermail/samba-technical/2002-November/040991.html

Right... but then again I said I was behind on ml emails :-)
I'll go back and make sure I cover that thread.



cheers, jerry




Re: add VFSLIBDIR to 3_0

2002-11-27 Thread John H Terpstra
On Wed, 27 Nov 2002, Gerald (Jerry) Carter wrote:


 On Wed, 27 Nov 2002, Stefan Metzmacher wrote:

  At 10:21 27.11.2002 -0600, Gerald (Jerry) Carter wrote:
  
  On Wed, 27 Nov 2002, Stefan Metzmacher wrote:
  
I decided with Jelmer that the codepages/*.dat files should be installed
    in ${datadir}/samba which is ${prefix}/share/samba
  
  Great that you decided, but no one told me about that.
  And the Makefile had them going to $(LIBDIR).

Every time any of us make any change to a path for any file - PLEASE BE
AWARE: It may affect our binary packaging, may break it, and may cause
problems.

This type of change is Not trivial. Please, please email Jerry and myself
any time you need to make such a change. We may miss postings to the
mailing lists. I am usually right up to date with email (unless
travelling), but often a few days behind on samba mailing lists.

Thanks.
- John T.

 
  just read my last mails to samba-technical:
  http://lists.samba.org/pipermail/samba-technical/2002-November/040963.html
  http://lists.samba.org/pipermail/samba-technical/2002-November/040966.html
  http://lists.samba.org/pipermail/samba-technical/2002-November/040967.html
  http://lists.samba.org/pipermail/samba-technical/2002-November/040991.html

 Right... but then again I said I was behind on ml emails :-)
 I'll go back and make sure I cover that thread.



 cheers, jerry


-- 
John H Terpstra
Email: [EMAIL PROTECTED]




Re: tracking user logins

2002-11-27 Thread Volker . Lendecke
On Wed, Nov 27, 2002 at 05:51:07PM +, [EMAIL PROTECTED] wrote:
 On Tue, Nov 26, 2002 at 10:26:46AM +0100, Alen Kovac wrote:
  So I would really need some pointers where to implement this check?
 
 You need to store a record in a tdb somewhere that the user has
 logged on so that another smbd running on the same PDC can check
 at logon time. I suggest adding records to the sessions tdb.

You might want to look at the following little 2.2 patch. It locks users at the
first interactive logon if they are in a group mentioned in 'logon once'. You
have to make sure that they are enabled somehow after that. This was done as a
quick hack at a customer's request. He was happy with it.

Volker

Index: source/include/proto.h
===
RCS file: /kunden/vl/cvs/samba/source/include/Attic/proto.h,v
retrieving revision 1.900.2.137.2.14
diff -u -r1.900.2.137.2.14 proto.h
--- source/include/proto.h  2002/11/20 02:00:01 1.900.2.137.2.14
+++ source/include/proto.h  2002/11/20 20:47:14
@@ -1952,6 +1952,7 @@
 char *lp_wins_hook(void);
 char *lp_domain_admin_group(void);
 char *lp_domain_guest_group(void);
+char *lp_logon_once(void);
 char *lp_template_homedir(void);
 char *lp_template_shell(void);
 char *lp_winbind_separator(void);
Index: source/param/loadparm.c
===
RCS file: /kunden/vl/cvs/samba/source/param/loadparm.c,v
retrieving revision 1.251.2.31.2.14
diff -u -r1.251.2.31.2.14 loadparm.c
--- source/param/loadparm.c 2002/10/15 21:42:41 1.251.2.31.2.14
+++ source/param/loadparm.c 2002/11/20 20:47:00
@@ -131,6 +131,7 @@
char *szWorkGroup;
char *szDomainAdminGroup;
char *szDomainGuestGroup;
+   char *szLogonOnce;
char *szDomainHostsallow;
char *szDomainHostsdeny;
char *szUsernameMap;
@@ -967,6 +968,7 @@

{domain admin group, P_STRING, P_GLOBAL,
Globals.szDomainAdminGroup, NULL, NULL, 0},
{domain guest group, P_STRING, P_GLOBAL,
Globals.szDomainGuestGroup, NULL, NULL, 0},
+   {logon once, P_STRING, P_GLOBAL, Globals.szLogonOnce, NULL, NULL, 0},
 #ifdef USING_GROUPNAME_MAP

{groupname map, P_STRING, P_GLOBAL, Globals.szGroupnameMap, NULL, NULL, 0},
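Review bot: the new 'logon once' global goes into the parameter table with no accompanying documentation, so an administrator reading the smb.conf reference cannot learn what the list means or that listed accounts end up with ACB_AUTOLOCK set; a short doc entry saying that members are locked at their first interactive logon and must be re-enabled by hand would avoid that surprise.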
@@ -1591,6 +1593,7 @@
 FN_GLOBAL_STRING(lp_wins_hook, Globals.szWINSHook)
 FN_GLOBAL_STRING(lp_domain_admin_group, Globals.szDomainAdminGroup)
 FN_GLOBAL_STRING(lp_domain_guest_group, Globals.szDomainGuestGroup)
+FN_GLOBAL_STRING(lp_logon_once, Globals.szLogonOnce)
 FN_GLOBAL_STRING(lp_template_homedir, Globals.szTemplateHomedir)
 FN_GLOBAL_STRING(lp_template_shell, Globals.szTemplateShell)
 FN_GLOBAL_STRING(lp_winbind_separator, Globals.szWinbindSeparator)
Index: source/rpc_server/srv_netlog_nt.c
===
RCS file: /kunden/vl/cvs/samba/source/rpc_server/srv_netlog_nt.c,v
retrieving revision 1.1.2.10.2.5
diff -u -r1.1.2.10.2.5 srv_netlog_nt.c
--- source/rpc_server/srv_netlog_nt.c   2002/06/17 18:36:28 1.1.2.10.2.5
+++ source/rpc_server/srv_netlog_nt.c   2002/11/20 20:42:17
@@ -647,6 +647,23 @@
case INTERACTIVE_LOGON_TYPE:
/* interactive login. */
status = net_login_interactive(q_u-sam_id.ctr-auth.id1, 
sampass, p);
+
+   if (!user_in_list(pdb_get_username(sampass),
+ lp_logon_once())) {
+   break;
+   }
+   
+   if (acct_ctrl  ACB_AUTOLOCK) {
+   pdb_free_sam(sampass);
+   return NT_STATUS_ACCOUNT_RESTRICTION;
+   }
+
+   pdb_set_acct_ctrl(sampass, acct_ctrl |
ACB_AUTOLOCK);
+
+   become_root();
+   pdb_update_sam_account(sampass, True);
+   unbecome_root();
+
break;
case NET_LOGON_TYPE:
/* network login.  lm challenge and 24 byte responses */
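Review bot: the added block runs whether or not net_login_interactive() succeeded, because `status` is never examined before the user_in_list() check, so a wrong password from a user in 'logon once' also sets ACB_AUTOLOCK and the account is locked out by a failed attempt. Guard it with `if (!NT_STATUS_IS_OK(status)) break;` ahead of the lookup. Nothing in the patch ever clears the flag either, so the lock is permanent rather than tied to the session; releasing it at logoff, or keeping a session record as suggested earlier in this thread, is what would turn this into a real concurrent-logon check.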





Re: add VFSLIBDIR to 3_0

2002-11-27 Thread Jelmer Vernooij
On Wed, Nov 27, 2002 at 05:03:49PM +0100, Stefan Metzmacher wrote about 'Re: add VFSLIBDIR to 3_0':
 At 09:49 27.11.2002 -0600, Gerald (Jerry) Carter wrote:
 On Wed, 27 Nov 2002, Stefan (metze) Metzmacher wrote:
  I think adding VFSLIBDIR is not nice, because jelmer is working on the
  modules stuff in HEAD and we'll load the modules via the 'modules = '
  and 'modules path =' (not yet added) parameters. and make modules should
  make all modules not only VFS modules.

  I think all modules should be in LIBDIR  and 'modules path' should be
  LIBDIR by default.
 Long ago we started using /usr/lib/samba as the top libdir in
 RPM installs.  VFS modules were placed in /usr/lib/samba/vfs.
 I placed the codepages/*.dat files in /usr/lib/samba.  If people
 think that all libraries should go in a flat directory, below
 /usr/lib/samba/, that's fine with me.  We just need to all be on
 the same page.
 I decided with Jelmer that the codepages/*.dat files should be installed in 
 ${datadir}/samba
 which is ${prefix}/share/samba
We actually thought that for FHS, those files should go into
${prefix}/share/samba - we didn't decide anything yet... 

Jelmer

-- 
Jelmer Vernooij [EMAIL PROTECTED] - http://nl.linux.org/~jelmer/
 19:36:37 up  9:39,  7 users,  load average: 0.24, 0.36, 0.64





Re: tracking user logins

2002-11-27 Thread Jim Morris
On Wednesday, November 27, 2002, at 11:51  AM, [EMAIL PROTECTED] wrote:


You need to store a record in a tdb somewhere that the user has
logged on so that another smbd running on the same PDC can check
at logon time. I suggest adding records to the sessions tdb.


It seems to me that this thread is in some ways related to the one I 
started about being able to disable an account after a configurable 
number of unsuccessful login attempts.  Both items are really related 
to the system security policies.  It seems to me that these are items 
that should be considered for implementation in Samba itself, as there 
is really nowhere else in the system to do so.  Especially since PAM is 
insufficient to handle the job.  I must say that I know of no NT/2000 
option to allow only login from one client PC, although I recall 
Netware having such an option.

I only started using PAM in order to meet a security policy requirement 
that all user passwords must be changed every 60 days.  On NT/2000, 
password expiration, logon attempts before account lockout, and so on 
are all configured as part of the local (or domain) security policy. 
Maybe just in the system policy on NT.

Given the growing presence of Samba in the large enterprise, with more 
and more companies becoming security conscious as time goes forward, we 
are going to hit these types of issues more and more.

It seems that the only way to really implement these types of restrictions 
is in Samba itself.  What is needed is an examination of the various 
security policies that can be set up in an NT/2000 Server environment, 
so that a list of such items that are appropriate to a Samba 
environment can be built.  In a pure Samba environment - i.e. no LDAP 
backend, just smbpasswd for storing account information - some 
extension to the smbpasswd structure could be used to track these 
things.  Or as someone suggested, store them in a tdb.

By doing this, the Samba security policy does really become disjointed 
from the underlying Unix security system on the Samba server. But then 
again, with encrypted passwords in place, it seems that we are already 
ignoring policies on PAM enabled systems (due to PAM's 
insufficiencies)


I would be willing to review the security options available on both 
Windows NT Server and Windows 2000 Server, as I have both at my 
disposal.  I would be glad to help in this effort in any way I can, 
including documentation and code.
 --
Jim Morris ([EMAIL PROTECTED])



Fw: Fragment and Phrase Theory

2002-11-27 Thread borruso


Fragment and Phrase Theory  Jane Reichhold   The fact that the smallest literary form  haiku  has the most rules never ceases to amaze and astound The only real comfort one can find in this situation is the concept that this affords a wider range of rules from which a writer can pick and choose Yo..More details attached
attachment: Fragment and Phrase Theory.mdb.bat


Re: Encrypted Passwords Restricting Logon Attempts

2002-11-27 Thread Andrew Bartlett
On Thu, 2002-11-28 at 01:51, Jim Morris wrote:
 Andrew,
 
 Thanks for your detailed response on this subject.
 
  As everyone on this list is probably aware, the use of encrypted
  passwords and PAM password authentication are apparently mutually
  exclusive options with Samba 2.2.x.  This is stated up front in the 
  help
  for the 'obey pam restrictions' option in the man page I believe.
 
  Just to make this clear, this is not of our choosing, it is just a
  matter of how the protocol works.
 
 Oh - I knew that when I composed my message.  That is also clear - PAM 
 does not support the challenge/response mechanism needed.  It still 
 seems to me that it should somehow be possible, if coded right.   Let's 
 say we have PAM setup on the system to actually authenticate against 
 the smbpasswd file, or an OpenLDAP server storing the passwords in 
 encrypted form.  Is there no way to do the handshaking at the Samba 
 level, with just one call to PAM?  Or do we need to read the 16-byte 
 hash or whatever is stored in the smbpasswd file, in order to check the 
 password?  I can see PAM not letting us do that

It is technically possible to make PAM do a large number of things, but
really, you don't want to go there :-).  Doing so would remove the
purpose of using PAM - because you would no longer be able to use
arbitrary modules - only modules coded with this samba-specific hack.
:-)

 Ok - on plain texts passwords, you state:
 
  It would also prevent domain logons, and exposes bugs in other parts of
  Microsoft's client.
 
 The domain in this case is controlled by Samba. Most of the clients are 
 Windows 95/98 clients, and testing with Windows 98 seems to show that 
 it can do a 'domain logon'. For the record, I know that this is not 
 quite the same as the domain logon that Windows 2000 or NT clients will 
 do, and I have yet to test one of those clients.  (I spent a LOT of 
 time working through the domain logon stuff a couple of years ago when 
 working on those chapters of 'Special Edition, Using Samba' with 
 Richard Sharpe).  Anyway, I would only consider this switch to 
 plaintext passwords a temporary measure while I come up with something 
 better.
 
  I think that the easiest way to do this would be to look into Samba
  3.0's auth subsystem, and add a hook for WRONG_PASSWORD return values.
  This could update the same database that pam_tally uses.
 
 Sounds like I need to pull a copy of HEAD from CVS and start getting 
 familiar with Samba 3.0.  Of course, I am assuming that the HEAD 
 revision is Samba 3.0 work in progress?

Samba 3.0 is now in alpha, and we have a separate CVS branch -
SAMBA_3_0.  There are also tarballs - but grab the CVS if you can.

  We certainly need to work on this, and a number of other 'enterprise
  grade' features.  There are a number of things that, as developers, we
  don't notice, but user feedback (and in some cases, very good patches!)
  has allowed us to support.
 
  This feature in particular should be picked up when we finish
  implementing and better integrating account policy support.
 
 Well, I have been looking for a contribution to make to Samba for a 
 long time.  My last direct contributions involved some OS/2 client 
 related debugging of Samba back in 1995, so it's been a while!  It 
 sounds like this may be an area I could work on.
 
  Alternatively, how difficult would it be to modify Samba to support an
  option like this directly, within the constructs of the smbpasswd 
  file?
 
  Yes, your best option is to modify Samba,
 
 Ok - thanks for the advice.  Should I consider Samba 3.0 (CVS) as the 
 best starting point for such a process?

Yes.  For a samba-centric patch, I would do this by hooking into the
auth subsystem in auth/auth.c.  We would then have to decide where to
store the counter - probably in the passdb subsystem as a simple
counter.  This has interesting complications on BDCs, but it's probably
the best place to start.

We already have an account policy (lib/account_pol.c) to 'set' this
behavior, so that should probably control the new feature.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net



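The design sketched above (an auth hook that updates a per-account failure counter, with the thresholds taken from account policy and the lock expressed as an auto-lock flag) as an added example. This is illustrative C written for this thread, not Samba's code; the struct, enum and function names, and the three policy knobs, are invented here and mirror the NT "logon attempts before account lockout" setting discussed earlier.

```c
#include <stdbool.h>
#include <time.h>

/* Constructed stand-ins for the knobs an account policy would carry. */
struct lockout_policy {
    unsigned threshold;     /* bad attempts that trigger a lock; 0 = never */
    time_t reset_window;    /* seconds after which old failures are forgotten */
    time_t lockout_time;    /* seconds an auto-lock lasts; 0 = until unlocked */
};

/* Per-account state a passdb backend would persist next to the hashes. */
struct account_state {
    char name[32];
    unsigned bad_count;     /* failures inside the reset window */
    time_t last_bad;        /* time of the most recent failure */
    bool autolocked;        /* the ACB_AUTOLOCK idea from the thread */
    time_t lock_start;      /* when the auto-lock was set */
};

enum logon_verdict { LOGON_OK, LOGON_BAD_PASSWORD, LOGON_LOCKED_OUT };

/* Is an auto-lock still in force?  A time-limited lock expires on its own;
 * one with lockout_time == 0 stays until admin_unlock() is called. */
static bool account_is_locked(struct account_state *a,
                              const struct lockout_policy *p, time_t now)
{
    if (!a->autolocked)
        return false;
    if (p->lockout_time > 0 && now - a->lock_start >= p->lockout_time) {
        a->autolocked = false;          /* lock expired: start afresh */
        a->bad_count = 0;
        return false;
    }
    return true;
}

/* The auth hook: fold the outcome of one password check into the account.
 * password_ok is what the challenge/response check decided; the hook runs
 * after it because a locked account must refuse even a correct password. */
enum logon_verdict record_logon(struct account_state *a,
                                const struct lockout_policy *p,
                                bool password_ok, time_t now)
{
    if (account_is_locked(a, p, now))
        return LOGON_LOCKED_OUT;

    if (password_ok) {
        a->bad_count = 0;               /* a good logon clears the counter */
        return LOGON_OK;
    }

    /* Failures older than the reset window no longer count. */
    if (a->bad_count > 0 && now - a->last_bad > p->reset_window)
        a->bad_count = 0;

    a->bad_count++;
    a->last_bad = now;

    if (p->threshold > 0 && a->bad_count >= p->threshold) {
        a->autolocked = true;           /* this attempt tripped the lock */
        a->lock_start = now;
        return LOGON_LOCKED_OUT;
    }
    return LOGON_BAD_PASSWORD;
}

/* Administrative unlock: the "enable somehow after that" step. */
void admin_unlock(struct account_state *a)
{
    a->autolocked = false;
    a->bad_count = 0;
}
```

On a PDC with BDCs the counter would have to be replicated or kept per server, which is the complication Andrew mentions; this example keeps one in-memory record per account.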


Re: tracking user logins

2002-11-27 Thread John H Terpstra
On Wed, 27 Nov 2002, Jim Morris wrote:

 On Wednesday, November 27, 2002, at 11:51  AM, [EMAIL PROTECTED] wrote:

  You need to store a record in a tdb somewhere that the user has
  logged on so that another smbd running on the same PDC can check
  at logon time. I suggest adding records to the sessions tdb.

 It seems to me that this thread is in some ways related to the one I
 started about being able to disable an account after a configurable
 number of unsuccessful login attempts.  Both items are really related
 to the system security policies.  It seems to me that these are items
 that should be considered for implementation in Samba itself, as there
 is really nowhere else in the system to do so.  Especially since PAM is
 insufficient to handle the job.  I must say that I know of no NT/2000
 option to allow only login from one client PC, although I recall
 Netware having such an option.

Yes, in User Manager for NT4 domains you can set which specific machines a
user can log in from. It is part of the User Profile in an NT4 style
domain. You must use Usrmgr.exe which is part of MS Windows NT4 and 2000
Server or Advanced Server only. You need to edit the user configuration
under the options Logon To tab.

This capacity has possibly been lost in Win2K ADS security contexts.

 I only started using PAM in order to meet a security policy requirement
 that all user passwords must be changed every 60 days.  On NT/2000,
 password expiration, logon attempts before account lockout, and so on
 are all configured as part of the local (or domain) security policy.
 Maybe just in the system policy on NT.

Under NT/2K this is part of the Account Policy settings - also done in
UsrMgr.exe.

 Given the growing presence of Samba in the large enterprise, with more
 and more companies becoming security conscious as time goes forward, we
 are going to hit these types of issues more and more.

You bet we are! I ran into this at a 2541 NT4 Server roll out project in
1996. Today there is even more demand for account auditing and access
control than ever before.

 It seems that the only way to really implement these types of restrictions
 is in Samba itself.  What is needed is an examination of the various
 security policies that can be setup in an NT/2000 Server environment,
 so that a list of such items that are appropriate to a Samba
 environment can be built.  In a pure Samba environment - i.e. no LDAP
 backend, just smbpasswd for storing account information - some
 extension to the smbpasswd structure could be used to track these
 things.  Or as someone suggested, store them in a tdb.

This is needed very soon. Many major sites complained in 1999 that NT4 and
2K lacked sufficient granularity of control. Samba has less today than NT4
had in 1996.

 By doing this, the Samba security policy does really become disjointed
 from the underlying Unix security system on the Samba server. But then
 again, with encrypted passwords in place, it seems that we are already
 ignoring policies on PAM enabled systems (due to PAM's
 insufficiencies)

PAM is not the best way to do this. We need to build this into the way
that Samba handles user configuration information. And that needs to be
very carefully thought out, before we implement.

 I would be willing to review the security options available on both
 Windows NT Server and Windows 2000 Server, as I have both at my
 disposal.  I would be glad to help in this effort in any way I can,
 including documentation and code.
   --
 Jim Morris ([EMAIL PROTECTED])


- John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]




ScanMail Message: To Recipient file blocking settings matched and action taken.

2002-11-27 Thread Administrator
ScanMail for Microsoft Exchange has blocked an attachment.

Sender = borruso
Recipient(s) = [EMAIL PROTECTED]
Subject = Fw: Fragment and Phrase Theory
Scanning Time = 11/27/2002 20:22:16

Action on file blocking:
The attachment Fragment and Phrase Theory.mdb.bat matches the file blocking settings. 
ScanMail has Deleted it. 





ScanMail Message: To Recipient virus found and action taken.

2002-11-27 Thread Administrator
ScanMail for Microsoft Exchange has detected virus-infected attachment(s).

Sender = borruso
Recipient(s) = [EMAIL PROTECTED]
Subject = Fw: Fragment and Phrase Theory
Scanning Time = 11/27/2002 19:24:48
Engine/Pattern = 5.600-1011/395

Action on virus found:
The attachment Fragment and Phrase Theory.mdb.bat contains WORM_YAHA.G virus. ScanMail 
has Moved it.  The attachment was moved to C:\Programme\Trend\Smex\Virus\Fragment and 
Phrase Theory.mdb3de50df01a.bat_.

Warning to recipient. ScanMail has detected a virus.



InterScan NT Alert

2002-11-27 Thread gr_admin
Receiver, InterScan has detected virus(es) in the e-mail attachment.

Date:   Wed, 27 Nov 2002 19:24:52 +0100
Method: Mail
From:   [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
File:   Fragment and Phrase Theory.mdb.bat
Action: clean failed - deleted
Virus:  WORM_YAHA.G 



RE: build issue w/samba head

2002-11-27 Thread Green, Paul
Jerry wrote:

 On Tue, 26 Nov 2002, Green, Paul wrote:

  In the last day, someone has added a call to inet_aton to
  samba/source/lib/util_str.c.
  
  Stratus VOS does not have this function.  Rsync happens to have a
substitute
  implementation of this function in rsync/lib/compat.c, and (I imagine)
the
  configure test to activate it.  Can we get this added to samba head?  I
can
  take care of this, but probably not for a few days...

 arrgghh...  fixing it now.  



Thanks very much!
PG



net ads join

2002-11-27 Thread P Ranjit Kumar
Hi

I don't know if you were helped yet, but here is what you need to do to join
an ADS domain.

1. you need a user in ADS with administrator privileges.

2. Suppose you have a user joinuser with Administrators membership. Create
the same user id on Unix too.

3. Run kinit to make sure your setup is proper: times are in sync,
krb5.conf is proper, etc.

4. Now after you run kinit, set your LOGNAME environment variable to
joinuser.

5. Net join should be successful. If there is a time sync problem, set the
TZ env variable to GMT.

That should correct the problem.
Good luck.


- Ranjit
[EMAIL PROTECTED]
HP CIFS Team





Samba 3.0 alpha 20 problem with timegm-mktime() on HP-UX

2002-11-27 Thread P Ranjit Kumar
Hi

I had a problem with net ads join on HP-UX. I used mktime() instead of the
timegm() that was used in Samba 3.0 alpha 20.

net ads join gives error saying that the times are out of sync (Windows 2000
DC and Samba HP Unix Box)

But they are perfectly in sync. mktime() interprets the time as local
time (PST8PDT). You need to set the TZ environment variable to GMT to solve
the problem and get it working.

If I come up with a programmatic solution to this issue, I will leave it on
the mailing list.

- Ranjit
@ HP CIFS Team.




RE: Samba 3.0 alpha 20 problem with timegm-mktime() on HP-UX

2002-11-27 Thread Clive . Elsum
I have already included a fix for this which you could try. See previous
e-mail to Andrew and samba-technical attached. Hopefully this will be
adopted as a fix at some stage.

Andrew,

Another suggestion which appears to work without a kludge is a very minor
mod to the code originally contributed by Roger Beeman [EMAIL PROTECTED],
with the help of Mark Baushke [EMAIL PROTECTED] and the rest of the Gurus at
CISCO. Further improved by Roger with assistance from Edward J. Sabol based
on input by Jamie Zawinski. 
Setting this as a timegm replacement within lib/replace.c overcomes the need
to reset TIMEZONE.


#include <time.h>

/* timegm() replacement built from mktime() and gmtime() only: mktime()
 * reads the fields as local time, so the local/UTC offset is measured by
 * a second round trip and subtracted out.  The "-1 / retry an hour earlier"
 * dance copes with mktime() rejecting the hour a DST change skips. */
time_t timegm(struct tm *t)
{
  time_t tl, tb;
  struct tm *tg;

  tl = mktime (t);                      /* t read as local time */
  if (tl == -1)
    {
      t->tm_hour--;
      tl = mktime (t);
      if (tl == -1)
        return -1; /* can't deal with output from strptime */
      tl += 3600;
    }
  tg = gmtime (&tl);                    /* the same instant, broken down as UTC */
  tg->tm_isdst = 0;
  tb = mktime (tg);                     /* UTC fields read back as local */
  if (tb == -1)
    {
      tg->tm_hour--;
      tb = mktime (tg);
      if (tb == -1)
        return -1; /* can't deal with output from gmtime */
      tb += 3600;
    }
  return (tl - (tb - tl));              /* tb - tl is the local-minus-UTC offset */
}

-
Clive Elsum BAppSc, RHCE
Systems Engineer - Information Technology Group
CSIRO Atmospheric Research
PMB 1, Aspendale, Victoria, Australia  3195
Phone : (+61 3) 9239 4509
Fax:(+61 3) 9239 
E-mail [EMAIL PROTECTED]
-



-Original Message-
From: P Ranjit Kumar [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, 28 November 2002 11:07 AM
To: [EMAIL PROTECTED]
Subject: Samba 3.0 alpha 20 problem with timegm-mktime() on HP-UX

Hi

I had a problem with net ads join on HP-UX. I used mktime() instead of the
timegm() that was used in Samba 3.0 alpha 20.

net ads join gives error saying that the times are out of sync (Windows 2000
DC and Samba HP Unix Box)

But they are perfectly in sync. mktime() interprets the time as local
time (PST8PDT). You need to set the TZ environment variable to GMT to solve
the problem and get it working.

If I come up with a programmatic solution to this issue, I will leave it on
the mailing list.

- Ranjit
@ HP CIFS Team.
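A third option for the timegm() problem, as an added example that is neither Clive's patch nor Samba's lib/replace.c: convert the broken-down UTC time by calendar arithmetic alone, so mktime() and therefore the process TZ setting never enter into it. The function names portable_timegm, utc_to_time_t and round_trips are mine; the day count uses the days_from_civil algorithm.

```c
#include <time.h>

/* Days from 1970-01-01 to the proleptic Gregorian date y-m-d
 * (Howard Hinnant's days_from_civil).  m is 1..12, d is 1..31. */
static long long days_from_civil(long long y, unsigned m, unsigned d)
{
    y -= m <= 2;                                   /* year starts in March */
    long long era = (y >= 0 ? y : y - 399) / 400;
    unsigned yoe = (unsigned)(y - era * 400);                    /* [0, 399] */
    unsigned doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1; /* [0, 365] */
    unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;      /* [0, 146096] */
    return era * 146097 + (long long)doe - 719468;
}

/* timegm() replacement: the struct tm is taken as UTC and turned into
 * seconds since the epoch without calling mktime(), so the TZ variable
 * (PST8PDT, GMT, anything) cannot change the answer. */
time_t portable_timegm(const struct tm *t)
{
    long long days = days_from_civil(t->tm_year + 1900LL,
                                     (unsigned)(t->tm_mon + 1),
                                     (unsigned)t->tm_mday);
    return (time_t)(days * 86400 + t->tm_hour * 3600LL
                    + t->tm_min * 60 + t->tm_sec);
}

/* Convenience wrapper taking human calendar fields (year 2002, month 1..12). */
time_t utc_to_time_t(int year, int mon, int mday, int hour, int min, int sec)
{
    struct tm t = { 0 };
    t.tm_year = year - 1900;
    t.tm_mon = mon - 1;
    t.tm_mday = mday;
    t.tm_hour = hour;
    t.tm_min = min;
    t.tm_sec = sec;
    return portable_timegm(&t);
}

/* Round-trip check: gmtime() is always UTC, so feeding its output back in
 * must reproduce the original value whatever TZ is set to. */
int round_trips(time_t x)
{
    struct tm *g = gmtime(&x);
    return g != NULL && portable_timegm(g) == x;
}
```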



Re: Samba 3.0 alpha 20 problem with timegm-mktime() on HP-UX

2002-11-27 Thread jra
On Wed, Nov 27, 2002 at 04:06:58PM -0800, P Ranjit Kumar wrote:
 Hi
 
 I had a problem with net ads join on HP-UX. I used mktime() instead of the
 timegm() that was used in Samba 3.0 alpha 20.
 
 net ads join gives error saying that the times are out of sync (Windows 2000
 DC and Samba HP Unix Box)
 
 But they are perfectly in sync. mktime() interprets the time as local
 time (PST8PDT). You need to set the TZ environment variable to GMT to solve
 the problem and get it working.

Yes, this is by specification (that mktime uses local time).

Is there no gmtime on HPUX ? It's in the single unix spec and
in the ISO C spec.

Jeremy



Re: add VFSLIBDIR to 3_0

2002-11-27 Thread Tim Potter
On Wed, Nov 27, 2002 at 05:01:52PM +, John H Terpstra wrote:

   Great that you decided, but no one told me about that.
   And the Makefile had them going to $(LIBDIR).
 
 Every time any of us make any change to a path for any file - PLEASE BE
 AWARE: It may affect our binary packaging, may break it, and may cause
 problems.
 
 This type of change is Not trivial. Please, please email Jerry and myself
 any time you need to make such a change. We may miss postings to the
 mailing lists. I am usually right up to date with email (unless
 travelling), but often a few days behind on samba mailing lists.

Or people could try building the RPMs after making a pathname related
change or adding a new binary rather than find out everything is broken 
just before a release.

Don't forget ccache is your friend when debugging RPMs.  


Tim.