spoolname smbprn.XXXXXX.aaaaaa

2002-11-28 Thread Schmieg Friedemann
Hello There,

Since a Samba update from 2.0.5 to 2.2.5 (AIX) we have new spooling names
like smbprn.XX.aa instead of the previous NT file name. We are
printing in a shell for creating PDF files and after that we are searching
for the master document in our PDM system to check in the PDF as a secondary
file format. But of course with the new spool file name we lost all
information about the file and can't identify it any more in the database.

Is there a way to get the old filename back? We kept the smb.conf unchanged.


Regards, F. Schmieg



problem with Samba 2.2.3a (Suse dist)

2002-11-28 Thread Rafael Moll Campello



> Hi,
> I have a problem with Samba 2.2.3a (Suse dist). We have a server with
> DHCP and Samba. We have migrated from Caldera 2.1. The clients are
> Win95/98. All the things seem to be OK, but in a few minutes the
> clients lose the share units in Samba if nobody is using the units. I
> modified samba.conf with:
> [global]
> deadtime=0
> keep alive = 30
>
> in order to resolve the problem, but I can´t do it. The clients lose the
> connection even if some programs have files open. If you click over the
> unit with the Explorer, it reconnects easily. We don´t have net problems:
> ping works nicely, and the network wires are tested and OK. We don't have
> any problems with the old dist (Caldera).
> I use the same samba.conf with the Suse dist as with Caldera in order to
> test, but nothing changes...
> Any idea?
> Thanks
>
> /---/
> The hardware is:
> Pentium IV 2,5
> QDI Platinix 2D/533 Mhz
> 512 Mb DDR Ram
> Hd Seagate 40 Gb 7200 rpm Barracuda.
>
> The samba.conf file is:
>
> # /etc/samba/smb.conf is the main samba configuration file. Cf. the
> # manual page of smb.conf and the included documentation in
> # /usr/share/doc/packages/samba in order to understand the options
> # listed here and many more features.
> #
> # Lines in this example which starts with ; and # are ignored comment
> # ones. # indicates a comment and ; a deactivated example line.
> #
> # We suggest to use the command 'testparm' after any changes you made.
> #
> # Copyright (c) 1999 - 2001 SuSE GmbH Nuernberg, Germany.
> #
> # Please send bugfixes or comments to [EMAIL PROTECTED].
> #
> [global]
>  workgroup = OFICINA
>  server string = TLC SMB SERVER
>  log file = /var/log/samba/smb.%m.%U
>  debug level=2
>  max log size = 50
>  security = user
>  encrypt passwords = yes
>  smb passwd file = /etc/samba/smbpasswd
>  username map = /etc/samba/smbusers
>  socket options = TCP_NODELAY IPTOS_THROUGHPUT SO_RCVBUF=4096 SO_SNDBUF=4096
>  getwd cache = yes
>  read size = 65536
>  read prediction = yes
>  read raw = no
>  write raw = no
>  max xmit = 16384
>  deadtime=0
>  keep alive = 30
>
>  local master = yes
>  os level = 33
>  domain master = yes
>  preferred master = yes
>  domain logons = yes
>  logon script = %U.bat
>  include = /etc/samba/%m.conf
>  include = /etc/samba/%U.conf
>  include = /etc/samba/generic.conf
>  default case = upper
>  case sensitive = no
>
> # Where to store roving profiles (only for Win95 and WinNT)
> #    %L substitutes for this servers netbios name, %U is username
> #    You must uncomment the [Profiles] share below
> ;   logon path = \\%L\Profiles\%U
> ;   wins support = yes
>
> # WINS Server - Tells the NMBD components of Samba to be a WINS Client
> #   Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
> ;   wins server = w.x.y.z
>
> # WINS Proxy - Tells Samba to answer name resolution queries on
> # behalf of a non WINS capable client, for this to work there must be
> # at least one  WINS Server on the network. The default is NO.
> ;   wins proxy = yes
>
> # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
> # via DNS nslookups. The built-in default for versions 1.9.17 is yes,
> # this has been changed in version 1.9.18 to no.
> dns proxy = no
>
> # Case Preservation can be handy - system default is _no_
> # NOTE: These can be set on a per share basis
> ;  preserve case = no
> ;  short preserve case = no
> # Default case is normally upper case for all DOS files
> ;  default case = lower
> # Be very careful with case sensitivity - it can break things!
> ;  case sensitive = no
>
> #============================ Share Definitions ==============================
> [homes]
> comment = Home Directories
> ; this gives access to a 'Public' sub-directory in each user's home...
> ; (it is named 'public' as it is intended to be used by other sharing
> ; technologies (like NetWare, appletalk) too and may get disclosed due
> ; to weak protocols! -- hmm, even less secure than NFS? :)
> path = /apps/users/%U
> browseable = no
> writable = yes
> create mask = 0750
>
> # Un-comment the following and create the netlogon directory for Domain Logons
>   [netlogon]
> comment = Samba Network Logon Service
> path = /logon
> guest ok = no
> writable = no
> browsable = no
> root preexec = /usr/bin/hala.pl %U %h
>
>
> # Un-comment the following to provide a specific roving profile share
> # the default is to use the user's home direc

Smb passwords > 8 chars

2002-11-28 Thread Olaf Flebbe
Hi,

samba 2.2.7

A samba server with encrypted passwords on Solaris8 does not correctly handle 
passwords containing more than eight characters. A local smbclient can correctly 
handle this situation, but NT 4.0 and W2K cannot connect to a share protected 
with an encrypted password 9 chars long. The newly ported LynxOS Server shows the 
same problem ;-)

Samba servers on Linux/ix86, Freebsd/x86, IRIX 6.5, HPUX 11, AIX 4.3 do not 
show this problem.

The smbpasswd file of an account with a password "aphrodite" looks like this on 
Solaris and LynxOS:

xx:5:CB9B5D52CBF7BC80417EAF50CFAC29C3:E91112581298671EAD07824AE921468A:[UX    ]:LCT-3DE5D705:

on the other OS'es it looks like:

xx:5:CB9B5D52CBF7BC80CEC18980D4FFADA7:0121676CCD7DF90E0D4269315DC0A151:[UX    ]:LCT-3DE5D6FC:

Or have I missed a crucial patch on Solaris8? It is on a quite recent 
maintenance release.

Olaf
--
  Dr. Olaf Flebbe            Phone +49 (0)7071-9457-254
  Software Solutions         FAX   +49 (0)7071-9457-211
  science + computing ag
  Hagellocher Weg 73-75
  D-72070 Tuebingen          Email: [EMAIL PROTECTED]

  The amount of work to be done increases in proportion to the
  amount of work already completed.
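
Added example (not part of the original post): a small Python check that parses the two smbpasswd entries quoted above and reports which part of the stored hashes differs. The LM hash covers the upper-cased password in two independent 7-character halves, so a matching first half with a differing second half places the difference at character 8 or later; the function names and result labels are illustrative.

```python
import re
from dataclasses import dataclass

# LM hash half produced when a 7-character half of the password is empty
# (well-known constant; a second half equal to it means 7 characters or fewer).
EMPTY_LM_HALF = "AAD3B435B51404EE"
HEX32 = re.compile(r"[0-9A-F]{32}")


@dataclass(frozen=True)
class SmbpasswdEntry:
    user: str
    uid: int
    lm_hash: str
    nt_hash: str
    flags: str
    last_change: int  # LCT field: seconds since the Unix epoch, stored as hex

    @property
    def lm_halves(self):
        # The LM hash is two independent 8-byte blocks, one for characters
        # 1-7 and one for characters 8-14 of the upper-cased password.
        return self.lm_hash[:16], self.lm_hash[16:]


def parse_entry(line):
    """Parse one smbpasswd line: user:uid:LM:NT:[flags]:LCT-hex:"""
    fields = line.strip().split(":")
    if len(fields) < 6:
        raise ValueError("expected user:uid:LM:NT:[flags]:LCT-xxxxxxxx:")
    user, uid, lm, nt, flags, lct = fields[:6]
    lm, nt = lm.upper(), nt.upper()
    for name, value in (("LM", lm), ("NT", nt)):
        # Disabled or password-less accounts carry placeholder text instead
        # of hex digits; they cannot be compared, so reject them explicitly.
        if not HEX32.fullmatch(value):
            raise ValueError("%s hash field is not 32 hex digits" % name)
    if not lct.startswith("LCT-"):
        raise ValueError("missing LCT- last-change field")
    return SmbpasswdEntry(user, int(uid), lm, nt,
                          flags.strip("[] "), int(lct[4:], 16))


def compare(a, b):
    """Locate where two stored hashes for the same account diverge."""
    (a1, a2), (b1, b2) = a.lm_halves, b.lm_halves
    return {
        "lm_chars_1_7_match": a1 == b1,
        "lm_chars_8_14_match": a2 == b2,
        "nt_match": a.nt_hash == b.nt_hash,
        "second_half_empty": (a2 == EMPTY_LM_HALF, b2 == EMPTY_LM_HALF),
    }


def diagnose(a, b):
    """Summarise compare() as one label (labels are illustrative)."""
    r = compare(a, b)
    if r["lm_chars_1_7_match"] and r["lm_chars_8_14_match"] and r["nt_match"]:
        return "identical"
    if not r["lm_chars_1_7_match"]:
        return "differs-within-first-7"
    if not r["lm_chars_8_14_match"]:
        return "differs-from-char-8"
    # LM ignores case and anything past 14 characters; only NT sees those.
    return "differs-in-case-or-beyond-14"


# The two entries quoted in the message above (flag padding as shown there).
SOLARIS = ("xx:5:CB9B5D52CBF7BC80417EAF50CFAC29C3:"
           "E91112581298671EAD07824AE921468A:[UX    ]:LCT-3DE5D705:")
OTHER = ("xx:5:CB9B5D52CBF7BC80CEC18980D4FFADA7:"
         "0121676CCD7DF90E0D4269315DC0A151:[UX    ]:LCT-3DE5D6FC:")

if __name__ == "__main__":
    s, o = parse_entry(SOLARIS), parse_entry(OTHER)
    print(compare(s, o))
    print(diagnose(s, o))
```

For these two entries the first LM half is identical and neither second half is the empty-half constant, so both servers hashed something non-empty after the seventh character, just not the same thing.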




2nd attempt: Modify location of printerdriverfiles

2002-11-28 Thread "Kätzler, Ralf"
Hi!

Maybe this time someone can give me a hint - or is my English that bad - so that 
nobody can catch the point - or my question is posted to the false list?
Please each answer is welcome! Thank you!

>Hello, Samba-Team, hello samba-freaks!
>
>My question/problem:
>I like to use a samba-server as printer-server for about >500 users with ~ 40
>different printers.
>The client OS is NT4 or XP. The problem I encountered is that there are
>printer drivers out there which use for different models dlls with the same
>name but the dlls are not compatible - great!! - ! So only the last installed
>printer works flawlessly, because the dll for the other model is overwritten
>during driver install.
>My question: Is there a tool, which allows safe tampering with the *.tdb, to
>change the path to the driver files or to change the behavior to rpc
>"getdriverinfo"?
>This way it would be possible to create an own driver-directory-structure and
>all those printer driver related problems are gone...
>
>Greetings
>Ralf

Btw.: Redhat 8.0 and latest Samba.
Calling the printer manufacturer is hopeless. The only answer I got is: This must be a 
problem with your OS... thanks for your help. :(

Greetings
Ralf



Re: 2nd attempt: Modify location of printerdriverfiles

2002-11-28 Thread Simo Sorce
That would change nearly nothing, because the printer drivers will be
copied in the same structure on the client and there you will find the
same naming problem.

It is a known Windows problem (just faced it some days ago with drivers for
2 HP laser printers on a Windows 98 :-/)

If the printer manufacturer tells you so, she is both right and wrong.

Right, it is an OS problem, a Windows OS problem.

Wrong, the manufacturer must know this issue and try not to make drivers
with overlapping names.


However you may try just a workaround. If any of your clients will use
only one printer, you may try some symlink + macro expansion tricks to
use different directories, but it may not work or corrupt badly your
printer settings and printing related tdb file, so at your own risk:

- you may use a macro expansion on the print$ share path and then make a
number of directories that match that macro expansion

eg:
path = /usr/share/samba/%G/drivers

and have a pool of printers per group or other parameter.

Simo.

On Thu, 2002-11-28 at 11:21, "Kätzler, Ralf" wrote:
> Hi!
> 
> Maybe this time someone can give me a hint - or is my English that bad - so that
> nobody can catch the point - or my question is posted to the false list?
> Please each answer is welcome! Thank you!
> 
> >Hello, Samba-Team, hello samba-freaks!
> >
> >My question/problem:
> >I like to use a samba-server as printer-server for about >500 users with ~ 40
> >different printers.
> >The client OS is NT4 or XP. The problem I encountered is that there are
> >printer drivers out there which use for different models dlls with the same
> >name but the dlls are not compatible - great!! - ! So only the last installed
> >printer works flawlessly, because the dll for the other model is overwritten
> >during driver install.
> >My question: Is there a tool, which allows safe tampering with the *.tdb, to
> >change the path to the driver files or to change the behavior to rpc
> >"getdriverinfo"?
> >This way it would be possible to create an own driver-directory-structure and
> >all those printer driver related problems are gone...
> >
> >Greetings
> >Ralf
> 
> Btw.: Redhat 8.0 and latest Samba.
> Calling the printer manufacturer is hopeless. The only answer I got is: This must be a
> problem with your OS... thanks for your help. :(
> 
> Greetings
> Ralf
-- 
Simo Sorce - [EMAIL PROTECTED]
Xsec s.r.l.
via Durando 10 Ed. G - 20158 - Milano
tel. +39 02 2399 7130 - fax: +39 02 700 442 399





RE RE: 2nd attempt: Modify location of printerdriverfiles

2002-11-28 Thread "Kätzler, Ralf"
I think the workaround will not work. I can´t predict which user on which machine will 
use which printer.
Our users have in most cases max. two network printers connected - for our luck long 
physical ways prevent the "need" to connect to more printers.
We have created a small script which erases all printer-related registry entries and 
files on the client.
A user or admin can run this script and the client is clean for a new 
printer installation. This way we work around the naming problem on the client. (The 
users *theoretically* know which printers cannot be installed at the same time).
Of course this does not work on the print server :)).

If there is no other solution, we have to "fight" another skirmish with HP ... maybe 
we can convince them to take more care when naming their files..
... on the other hand maybe someone is happy to implement the needed variables to the 
samba-core?? :)
The motto would be: Power is nothing without control

Simo: Thanks for your answer.

Have a nice day.
Ralf

> -----Original Message-----
> From: Simo Sorce [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 28 November 2002 11:34
> To: Kätzler, Ralf
> Cc: [EMAIL PROTECTED]
> Subject: Re: 2nd attempt: Modify location of printerdriverfiles
> 
> 
> That would change nearly nothing, because the printer drivers will be
> copied in the same structure on the client and there you will find the
> same naming problem.
> 
> It is a known Windows problem (just faced it some days ago with
> drivers for 2 HP laser printers on a Windows 98 :-/)
> 
> If the printer manufacturer tells you so, she is both right and wrong.
> 
> Right, it is an OS problem, a Windows OS problem.
> 
> Wrong, the manufacturer must know this issue and try not to make drivers
> with overlapping names.
> 
> 
> However you may try just a workaround. If any of your clients will use
> only one printer, you may try some symlink + macro expansion tricks to
> use different directories, but it may not work or corrupt badly your
> printer settings and printing related tdb file, so at your own risk:
> 
> - you may use a macro expansion on the print$ share path and
> then make a number of directories that match that macro expansion
> 
> eg:
> path = /usr/share/samba/%G/drivers
> 
> and have a pool of printers per group or other parameter.
> 
> Simo.
> 
 



Re: RE RE: 2nd attempt: Modify location of printerdriverfiles

2002-11-28 Thread Simo Sorce
Uhm not sure either if this will work, but you could try to use %S as
substitution

This way you may have a directory for each printer name ...
of course if you rename a printer you may get into troubles, but it is
unlikely that you like changing printer names every day :-)


Here is a list of macros you may think to try:

   These substitutions are mostly noted in the descriptions
   below, but there are some general substitutions which
   apply whenever they might be relevant. These are:

   %S the name of the current service, if any.

   %P the root directory of the current service, if any.

   %u user name of the current service, if any.

   %g primary group name of %u.

   %U session user name (the user name that the client
      wanted, not necessarily the same as the one they
      got).

   %G primary group name of %U.

   %H the home directory of the user given by %u.

   %v the Samba version.

   %h the Internet hostname that Samba is running on.

   %m the NetBIOS name of the client machine (very useful).

   %L the NetBIOS name of the server. This allows you to
      change your config based on what the client calls
      you. Your server can have a "dual personality".

      Note that this parameter is not available when
      Samba listens on port 445, as clients no longer
      send this information

   %M the Internet name of the client machine.

   %N the name of your NIS home directory server. This
      is obtained from your NIS auto.map entry. If you
      have not compiled Samba with the --with-automount
      option then this value will be the same as %L.

   %p the path of the service's home directory, obtained
      from your NIS auto.map entry. The NIS auto.map
      entry is split up as "%N:%p".

   %R the selected protocol level after protocol negotiation.
      It can be one of CORE, COREPLUS, LANMAN1,
      LANMAN2 or NT1.

   %d The process id of the current server process.

   %a the architecture of the remote machine. Only some
      are recognized, and those may not be 100% reliable.
      It currently recognizes Samba, WfWg, Win95, WinNT
      and Win2k. Anything else will be known as
      "UNKNOWN". If it gets it wrong then sending a level
      3 log to [EMAIL PROTECTED] should allow it to be
      fixed.

   %I The IP address of the client machine.

   %T the current date and time.

   %$(envvar)
      The value of the environment variable envvar.

   There are some quite creative things that can be done with
   these substitutions and other smb.conf options.





On Thu, 2002-11-28 at 12:16, "Kätzler, Ralf" wrote:
> I think the workaround will not work. I can´t predict which user on which machine
> will use which printer.
> Our users have in most cases max. two network printers connected - for our luck long
> physical ways prevent the "need" to connect to more printers.
> We have created a small script which erases all printer-related registry entries and
> files on the client.
> A user or admin can run this script and the client is clean for a new
> printer installation. This way we work around the naming problem on the client. (The
> users *theoretically* know which printers cannot be installed at the same time).
> Of course this does not work on the print server :)).
> 
> If there is no other solution, we have to "fight" another skirmish with HP ... maybe
> we can convince them to take more care when naming their files..
> ... on the other hand maybe someone is happy to implement the needed variables to
> the samba-core?? :)
> The motto would be: Power is nothing without control
> 
> Simo: Thanks for your answer.
> 
> Have a nice day.
> Ralf
> 
> > -----Original Message-----
> > From: Simo Sorce [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, 28 November 2002 11:34
> > To: Kätzler, Ralf
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: 2nd attempt: Modify location of printerdriverfiles
> > 
> > 
> > That would change nearly nothing, because the printer drivers will be
> > copied in the same structure on the client and there you will find the
> > same naming problem.
> > 
> > It is a known Windows problem (just faced it some days ago with
> > drivers for 2 HP laser printers on a Windows 98 :-/)
> > 
> > If the printer manufacturer tells you so, she is both right and wrong.
> > 
> > Right, it is an OS problem, a Windows OS problem.
> > 
> > Wrong, the manufacturer must know this issue and try not to make drivers
> > with overlapping names.
> > 
> > 
> > However you may try just a workaround. If any of your clients
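
Added example (not Samba code and not from the posts above): a Python preview of the directory pool that a print$ path template such as `path = /usr/share/samba/%G/drivers` would need, with a check that every substituted value is a single safe path component. Expansion is simulated here rather than done by smbd; the session values are constructed, and the set of client-supplied substitutions is taken from the descriptions of %U, %m and %L in the quoted list.

```python
import re

# Single-letter substitutions such as %G or %U. The %$(envvar) form from the
# list above is deliberately not handled by this sketch.
MACRO = re.compile(r"%([A-Za-z])")

# Substitutions whose value is chosen by the client according to the quoted
# descriptions: %U "the user name that the client wanted", %m "the NetBIOS
# name of the client machine", %L "what the client calls you".
CLIENT_SUPPLIED = ("U", "m", "L")

# Path template from the suggestion above.
TEMPLATE = "/usr/share/samba/%G/drivers"


def client_supplied_macros(template):
    """Return the client-supplied substitutions used in a path template."""
    found = []
    for letter in MACRO.findall(template):
        macro = "%" + letter
        if letter in CLIENT_SUPPLIED and macro not in found:
            found.append(macro)
    return found


def check_component(value):
    """Accept a value only if it names exactly one directory level."""
    if value in ("", ".", "..") or any(c in value for c in "/\\\0"):
        raise ValueError("unsafe path component: %r" % (value,))
    return value


def expand(template, session):
    """Expand a template for one session (dict of macro letter -> value)."""
    def repl(match):
        letter = match.group(1)
        if letter not in session:
            raise KeyError("no value for %%%s in this session" % letter)
        return check_component(session[letter])
    return MACRO.sub(repl, template)


def plan_driver_dirs(template, sessions):
    """Directories that must exist so every session resolves to a real path."""
    return sorted({expand(template, s) for s in sessions})


# Constructed sample sessions: user name and primary group per connection.
SESSIONS = [
    {"U": "alice", "G": "engineering"},
    {"U": "bob", "G": "accounting"},
    {"U": "carol", "G": "engineering"},
]

if __name__ == "__main__":
    for directory in plan_driver_dirs(TEMPLATE, SESSIONS):
        print("needs:", directory)
    print("client-supplied macros in template:",
          client_supplied_macros(TEMPLATE))
```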

Re: 2nd attempt: Modify location of printerdriverfiles

2002-11-28 Thread Gerald (Jerry) Carter

On Thu, 28 Nov 2002, "Kätzler, Ralf" wrote:

> I like to use a samba-server as printer-server for about >500 users with
> ~ 40 different printers. The client OS is NT4 or XP. The problem I
> encountered is that there are printerdrivers out there which use for
> different models dlls with the same name but the dlls are not compatible

Can you give more details on how you came up with this conclusion?

> - great!! - ! So only the last installed printer works flawless, because
> the dll for the other model is overwritten during driverinstall. My

This is basically a Windows design flaw which driver manufacturers have to 
be very careful with.

> question: Is there a tool, which allows safe tampering with the *.tdb,
> to change the path to the driver files or to change the behavior to rpc
> "getdriverinfo"? This way it would be possible to create an own
> driver-directory-structure and all those printer driver related problems
> are gone...

No.  Not really, but what you would need to do is to modify the 
DRIVER_INFO_3 structure to reflect where you placed the files.

> Calling the printer manufacturer is hopeless. The only answer I got is:
> This must be a problem with your OS... thanks for your help. :(

Was this HP?  If so contact me off list.




cheers, jerry
 --
 Hewlett-Packard -- http://www.hp.com
 SAMBA Team -- http://www.samba.org
 GnuPG Key   http://www.plainjoe.org/gpg_public.asc
 ISBN 0-672-32269-2 "SAMS Teach Yourself Samba in 24 Hours" 2ed
 "You can never go home again, Oatman, but I guess you can shop there."  
--John Cusack - "Grosse Point Blank" (1997)





Re: Encrypted Passwords & Restricting Logon Attempts

2002-11-28 Thread Gerald (Jerry) Carter

On Wed, 27 Nov 2002, Jim Morris wrote:

> Now their corporate headquarters has identified this issue (unlimited 
> login attempts allowed) as the primary violation on a recent security 
> audit of the network in this branch office of the company.  I think 
> they have only given the local MIS guy a few days to achieve compliance.
> 
>  From a personal standpoint, 3.0 is soon enough.  For the company
> involved, I think they may end up switching to plaintext passwords as a
> temporary solution.  I've had a conversation with them today, and it
> sounds like the local guys are willing to do that for the
> short-term.


That's funny!  Switching to plain text passwords to be in compliance with 
a security audit :-)  I'm choking on the irony of it all!




cheers, jerry
 --
 Hewlett-Packard -- http://www.hp.com
 SAMBA Team -- http://www.samba.org
 GnuPG Key   http://www.plainjoe.org/gpg_public.asc
 ISBN 0-672-32269-2 "SAMS Teach Yourself Samba in 24 Hours" 2ed
 "You can never go home again, Oatman, but I guess you can shop there."  
--John Cusack - "Grosse Point Blank" (1997)





RE: tracking user logins

2002-11-28 Thread Boyce, Nick
On Wednesday, November 27, 2002, at 19:55  PM, Jim Morris wrote:

> I must say that I know of no NT/2000 option to allow only login from 
> one client PC, although I recall Netware having such an option.

Agreed again.  (I think you meant something different from the facility John
Terpstra referred to - on NT/2K you can specify which machines, perhaps
only one, that a user account can use, but you can't specify "Maximum number
of concurrent sessions"; on Netware you can do both.)

> Given the growing presence of Samba in the large enterprise, with more 
> and more companies becoming security conscious as time goes forward, we 
> are going to hit these type issues more and more.

Mmm.  I've only *just* managed to demonstrate to the Powers-That-Be around
here the full horror of an unswitched LAN with unencrypted passwords and a
sniffer ... so _now_ changes are underway.   Password encryption *with*
failed login tallying *will* be part of security policy ..

> ... What is needed is an examination of the various 
> security policies that can be setup in an NT/2000 Server environment, 
> so that a list of such items that are appropriate to a Samba 
> environment can be built.  

I'd just like to add a vote for another item for this list - something which
can be done on Netware, VMS, and on some Unixen, but not NT/2K (AFAIK) -
allow a password expiry "grace" period to be configured if desired - a
period of time after a password has expired, during which a user account can
still login but is forced straight into a password-change dialog.  This
allows for those occasions when (e.g.) someone is away for a whole month,
during which their password expires.

> ...  I would be glad to help in this effort in any way I can, 
> including documentation and code.

Likewise, but only for documentation ..

Nick Boyce
EDS Southwest Solution Centre, Bristol, UK



Re: Encrypted Passwords & Restricting Logon Attempts

2002-11-28 Thread Jim Morris
On Thursday, November 28, 2002, at 08:11  AM, Gerald (Jerry) Carter 
wrote:

> That's funny!  Switching to plain text passwords to be in compliance with
> a security audit :-)  I'm choking on the irony of it all!

Yes - very ironic isn't it? ;-)

Well, this is a private, closed LAN, in an industrial setting 
(basically a foundry-like facility with computers in offices and 
control rooms).  I don't think there is much concern about employees 
technically astute enough to use a packet sniffer to capture passwords. 
  Anyway, the local MIS guy at this facility plans to use plaintext 
passwords until I can give him a better solution, and just not say 
anything to the corporate headquarters guys about exactly HOW he 
complied with the policy to restrict login attempts to 3.

Anyway, if you are here in the US - have a great Thanksgiving - I've 
got to go get my turkey going. If you aren't, have a great day anyway!

 --
Jim Morris ([EMAIL PROTECTED])



Re: tracking user logins

2002-11-28 Thread Jim Morris
On Thursday, November 28, 2002, at 08:36  AM, Boyce, Nick wrote:


> Agreed again.  (I think you meant something different from the facility John
> Terpstra referred to - on NT/2K you can specify which machines, perhaps
> only one, that a user account can use, but you can't specify "Maximum number
> of concurrent sessions"; on Netware you can do both.)

Yes - what I was talking about, and the original poster in this thread, 
was restricting the NUMBER of logons, not necessarily where the logons 
come from.

> Mmm.  I've only *just* managed to demonstrate to the Powers-That-Be around
> here the full horror of an unswitched LAN with unencrypted passwords and a
> sniffer ... so _now_ changes are underway.   Password encryption *with*
> failed login tallying *will* be part of security policy ..

Well - sounds like you are going to put yourself into the same 
situation I have been talking about in the thread 'Encrypted Passwords 
& Restricting Logon Attempts' over the past day or so.  If you have 
followed that thread, you know that there is no way to do the tallying 
with current versions of Samba.  I implemented PAM support for the 
company I am consulting for in order to expire passwords every 60 days 
- PAM allows for no grace period, but does allow for a warning period. 
During the logon script execution on the PC's, I implemented a process 
to throw up the user's web browser if they are within that warning 
period, prior to expiration. They are given a chance to go to a web 
page and change their Samba password, or told that they can do it 
through the Windows Control Panel as well. I would have just invoked 
the Control Panel option to change passwords, but did not know how to 
do so. Plus, there are Win95/98/NT/2000 boxes to support, and each one 
has a different way to set the Windows networking password.

> > ... What is needed is an examination of the various
> > security policies that can be setup in an NT/2000 Server environment,
> > so that a list of such items that are appropriate to a Samba
> > environment can be built.
>
> I'd just like to add a vote for another item for this list - something which
> can be done on Netware, VMS, and on some Unixen, but not NT/2K (AFAIK) -
> allow a password expiry "grace" period to be configured if desired - a
> period of time after a password has expired, during which a user account can
> still login but is forced straight into a password-change dialog.  This
> allows for those occasions when (e.g.) someone is away for a whole month,
> during which their password expires.

That sounds great. Right now, the problem they are having is that many 
PC's are left on for days or weeks at a time. Or people will be on 
vacation when their password expires. So in those cases, they suddenly 
lose access to network resources, without seeing the expiration 
warning, since that is only displayed during the logon process.  
Having a chance to change the password on the next logon after it 
expires would be great. PAM won't give me this flexibility right now.
 --
Jim Morris ([EMAIL PROTECTED])



Re: Smb passwords > 8 chars

2002-11-28 Thread Gerald (Jerry) Carter

On Thu, 28 Nov 2002, Olaf Flebbe wrote:

> A samba server with encrypted passwords on Solaris8 does not correctly
> handle passwords containing more than eight characters. A local
> smbclient can correctly handle this situation, but NT 4.0 and W2K cannot
> connect to a share protected with encrypted password 9 chars long. The
> newly ported LynxOS Server shows the same problem ;-)
> 

Make sure REPLACE_GETPASS is defined in config.h.  I tested this on 
Solaris 8 prior to release and everything was working fine.




cheers, jerry
 --
 Hewlett-Packard -- http://www.hp.com
 SAMBA Team -- http://www.samba.org
 GnuPG Key   http://www.plainjoe.org/gpg_public.asc
 ISBN 0-672-32269-2 "SAMS Teach Yourself Samba in 24 Hours" 2ed
 "You can never go home again, Oatman, but I guess you can shop there."  
--John Cusack - "Grosse Point Blank" (1997)





Re: Smb passwords > 8 chars

2002-11-28 Thread Olaf Flebbe


> Make sure REPLACE_GETPASS is defined in config.h.  I tested this on
> Solaris 8 prior to release and everything was working fine.





Oh, forgive me... The Solaris server I tested was 2.2.4. And yes, it works 
correctly with 2.2.7.

I tried the REPLACE_GETPASS with LynxOS, and it seems to work now. Thank you 
very much.


Olaf

--
  Dr. Olaf Flebbe            Phone +49 (0)7071-9457-254
  Software Solutions         FAX   +49 (0)7071-9457-211
  science + computing ag
  Hagellocher Weg 73-75
  D-72070 Tuebingen          Email: [EMAIL PROTECTED]

  The amount of work to be done increases in proportion to the
  amount of work already completed.




Re: samba on lynxos 3.0

2002-11-28 Thread Olaf Flebbe


Unfortunately there is no crypt() available on LynxOS. So you have to
work around this issue somehow.


With a little work, you can probably port the FreeBSD version of crypt.c to
your system. The FreeBSD license should not give you any problems.


Hi,

The FreeBSD sources are not particularly useful because the DES algorithm seems 
to be missing in libcrypt. Anyway, I used the fcrypt.c from the libdes package.

Olaf

--
  Dr. Olaf Flebbe            Phone +49 (0)7071-9457-254
  Software Solutions         FAX   +49 (0)7071-9457-211
  science + computing ag
  Hagellocher Weg 73-75
  D-72070 Tuebingen          Email: [EMAIL PROTECTED]

  The amount of work to be done increases in proportion to the
  amount of work already completed.




Re: spoolname smbprn.XXXXXX.aaaaaa

2002-11-28 Thread jra
On Thu, Nov 28, 2002 at 09:27:08AM +0100, Schmieg Friedemann wrote:
> Hello There,
> 
> Since a Samba update from 2.0.5 to 2.2.5 (AIX) we have new spooling names
> like smbprn.XX.aa instead of the previous NT file name. We are
> printing in a shell for creating PDF files and after that we are searching
> for the master document in our PDM system to check in the PDF as a secondary
> file format. But of course with the new spool file name we lost all
> information about the file and can't identify it any more in the database.
> 
> Is there a way to get the old filename back? We kept the smb.conf unchanged.

The NT filename is still being stored in the printing tdb, but
isn't exposed to the filesystem I'm afraid. You'd need to hack
the printing/printing.c source to do this, sorry.

Jeremy.



DOMAIN SID

2002-11-28 Thread gnu_is_not_unix
Hi !

Where is the DOMAIN SID stored when the LDAP backend is used?

greetz
boka






Kerberos login sniffer and cracker for Windows 2000/XP (fwd)

2002-11-28 Thread Achim Dreyer
Hi,

This could be useful. Haven't tried it though..


Regards,
Achim Dreyer

--
A. Dreyer, Senior SysAdmin (UNIX&Network) / Internet Security Consultant


-- Forwarded message --
Date: Thu, 28 Nov 2002 07:06:15 +0100
From: Arne Vidstrom <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Kerberos login sniffer and cracker for Windows 2000/XP

Hi all,

I've coded a simple Kerberos login sniffer and cracker for Windows 2000/XP
that you might find useful. You can find it for download at:

http://ntsecurity.nu/toolbox/kerbcrack/

Regards /Arne





unsubscribe me please

2002-11-28 Thread Johan . SEGERS

unsubscribe me please




Re: unsubscribe me please

2002-11-28 Thread Rafal Szczesniak
On Thu, Nov 28, 2002 at 05:44:21PM +0100, [EMAIL PROTECTED] wrote:
> 
> unsubscribe me please

You can easily do it yourself using web interface at
http://lists.samba.org if you don't like doing it via email.


-- 
cheers,
++
|Rafal 'Mimir' Szczesniak <[EMAIL PROTECTED]>   |
|*BSD, GNU/Linux and Samba  /
|__/



RE: Samba 3.0 alpha 20 problem with timegm->mktime() on HP-UX

2002-11-28 Thread Andrew Bartlett
On Thu, 2002-11-28 at 11:17, [EMAIL PROTECTED] wrote:
> I have already included a fix for this which you could try. See previous
> e-mail to Andrew and samba-technical attached. Hopefully this will be
> adopted as a fix at some stage.

I got tridge to have a look at that patch, and he did some work on a
replacement.  (He didn't see exactly what it was trying to do).  What
was more interesting was seeing his IRC comments while coding a
replacement...  It seems POSIX is quite brain-dead in this area -
ignoring daylight savings, normalising the time struct, and generally
being 'helpful' :-).  (Of course, GMT is never on daylight savings).

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
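
An added example, not part of the thread and not the replacement tridge wrote: one way to get timegm() behaviour without going through mktime(), by computing the UTC epoch value arithmetically so that TZ, daylight savings and mktime()'s in-place normalisation never come into play. The function names utc_tm_to_epoch and utc_fields_to_epoch are hypothetical, and the sample timestamp in main() is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Days between 1970-01-01 and a proleptic Gregorian date (month 1..12). */
static int64_t days_from_civil(int64_t y, int m, int d)
{
    int64_t era, yoe, doy, doe;

    y -= (m <= 2);                      /* count the year from 1 March */
    era = (y >= 0 ? y : y - 399) / 400; /* 400-year Gregorian cycle */
    yoe = y - era * 400;                /* year within the cycle, 0..399 */
    doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468; /* 719468 = days from 0000-03-01 to 1970-01-01 */
}

/* Hypothetical helper: struct tm (read as UTC) -> seconds since the epoch.
 * Never calls mktime(), so TZ and tm_isdst have no influence; the input
 * struct is not modified. Out-of-range months are folded into the year. */
time_t utc_tm_to_epoch(const struct tm *tm)
{
    int64_t year = (int64_t)tm->tm_year + 1900;
    int64_t mon = tm->tm_mon;           /* 0..11 when in range */
    int64_t days;

    year += mon / 12;
    mon %= 12;
    if (mon < 0) { mon += 12; year--; }
    days = days_from_civil(year, (int)mon + 1, 1) + (tm->tm_mday - 1);
    return (time_t)(days * 86400 + (int64_t)tm->tm_hour * 3600
                    + (int64_t)tm->tm_min * 60 + tm->tm_sec);
}

/* Wrapper taking calendar fields; isdst is accepted only to show it is ignored. */
time_t utc_fields_to_epoch(int y, int mon, int d, int h, int mi, int s, int isdst)
{
    struct tm tm = {0};
    tm.tm_year = y - 1900; tm.tm_mon = mon - 1; tm.tm_mday = d;
    tm.tm_hour = h; tm.tm_min = mi; tm.tm_sec = s; tm.tm_isdst = isdst;
    return utc_tm_to_epoch(&tm);
}

int main(void)
{
    printf("%lld\n", (long long)utc_fields_to_epoch(2002, 11, 28, 12, 0, 0, 0));
    return 0;
}
```
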





Re: unsubscribe me please

2002-11-28 Thread Marcus Grando

View mail headers.

List-Unsubscribe: 
,


Regards

On Thu, 28 Nov 2002 [EMAIL PROTECTED] wrote:

> 
> unsubscribe me please
> 
> 

-- 
Marcus Grando






2nd attempt: Modify location of printerdriverfiles

2002-11-28 Thread Kurt Pfeifle


Message: 2

Subject: 2nd attempt: Modify location of printerdriverfiles
Date: Thu, 28 Nov 2002 11:21:47 +0100
From:  <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>

Hi! Maybe this time someone can give me a hint - or is my English that
bad - so that nobody can catch the point - or my question is posted to
the false list? Please each answer is welcome! Thank you!


Hello, Samba-Team, hello samba-freaks!

My question/problem:
I like to use a samba-server as printer-server for about >500 users
with ~ 40 different printers.
The client OS is NT4 or XP. The problem I encountered is that there are
printerdrivers out there which use for different models dlls with the
same name but the dlls are not compatible - great!! - ! So only the
last installed printer works flawless, because the dll for the other
model is overwritten during driverinstall.



My question: Is there a tool, which allows safe tampering with the
*.tdb, to change the path to the driverfiles or to change the behavior
to rpc "getdriverinfo"?



This way it would be possible to create an own
driver-directory-structure and all those printerdriver related problems
are gone...




Greetings
Ralf



Btw.: Redhat 8.0 and latest Samba.
Calling the printer manufacturer is hopeless. The only answer I got is:
This must be a problem  with your OS... thanks for your help.  [:(]

Greetings
Ralf


Hi, Ralf,

may I suggest a radically different approach to your problem?

* Let the Windows Clients use a PostScript driver, to produce
  PostScript as their print output sent towards the Samba print
  server (just like any Linux or Unix Client would also use
  PostScript to send to the server...)

* make the Unix printing subsystem which is underneath Samba
  convert the incoming PostScript files to the native print
  format of the target printers (would likely be PCL?
  I understand you have mainly HP models?)

* You're afraid, that this would just mean a *Generic* PostScript
  driver for the clients? With no Simplex/Duplex selection,
  no paper tray choice? But you need them to be able to set up
  their jobs, ringing all the bells and whistles of the printers?

  --> Not possible with traditional spooling systems!

  --> But perfectly supported by CUPS (which uses "PPD" files to
  describe how to control the print options for PostScript and
  non-PostScript devices alike...)

  CUPS PPDs are working perfectly on Windows
  clients who use Adobe PostScript drivers (or the new CUPS
  PostScript driver for Windows NT/2K/XP). Clients can use
  them to set up the job to their liking and CUPS will use
  the received job options to make the (PCL-, ESC/P- or
  PostScript-) printer behave as required.

* You want to have the additional benefit of page count logging
  and accounting? In this case the CUPS PostScript driver
  is the best choice (better than the Adobe one).

* You want to make the drivers downloadable for the clients?
  "cupsaddsmb" is your friend. It will set up the [print$]
  share on the Samba host to be ready to serve the clients
  for a "point and print" driver installation...

"What strings are attached?", I hear you asking...

You are right, there are some. But, given the sheer CPU power
you can buy nowadays in German supermarkets, these can be
overcome easily.

The strings: Well, if the
CUPS/Samba side will have to print a *lot* onto 40 printers
serving 500 users, you probably will need to set up a second
server (which can do automatic load balancing with the first
one, plus a degree of fail-over mechanism). Converting the
incoming PostScript jobs, "interpreting" them for
non-PostScript printers, amounts to the work of a "RIP"
(Raster Image Processor) done in software. This requires
more CPU and RAM than for the mere "raw spooling" task
your current setup is solving... It all depends on the
average and peak printing load the server should be
able to handle.

If you want, I can point you to or give you more
info in private mail.

Cheers,
Kurt




Re: DOMAIN SID

2002-11-28 Thread Bradley W. Langhorst
On Thu, 2002-11-28 at 11:38, [EMAIL PROTECTED] wrote:
> Hi !
> 
> Where is the DOMAIN SID stored when the LDAP backend is used?
> 
it's in one of the tdb files...
if you put a text file MACHINE.SID in your conf area it still gets
imported (if I remember correctly)

brad
-- 
Bradley W. Langhorst <[EMAIL PROTECTED]>




Re: [PATCH] add 'modules path' and handle 'configure --with-configdir' right

2002-11-28 Thread Jelmer Vernooij
On Tue, Nov 26, 2002 at 08:06:07AM +0100, Stefan (metze) Metzmacher wrote about 'Re: 
[PATCH] add 'modules path' and handle 'configure --with-configdir' right':
> here's the next version of the patch. (it's now attached :-)

I've applied a part of your patch, but I'm waiting with the
lp_modules_dir() stuff until we've resolved the problems around the
new module system - the loading of charset modules and ab's comments.

> I added --with-sambadatadir  which is default ${datadir}/samba (--with-fhs) 
> or ${datadir}
> ${datadir} is ${prefix}/share by default, so $(sambadatadir) is 
> ${prefix}/share/samba or ${prefix}/share.

> the valid.dat ... files are now installed to sambadatadir

> I'm happy with this patch, but NOT with the name 'sambadatadir' DOES 
> ANYBODY HAVE A BETTER IDEA?
Need a new capslock key? ;-) Would the name datadir be ok to you - is
there anyone who has problems with putting the *.dat files not in the 
libdir ?

How's your winsdb stuff btw?

Jelmer





Re: DOMAIN SID

2002-11-28 Thread Rafal Szczesniak
On Thu, Nov 28, 2002 at 01:23:31PM -0500, Bradley W. Langhorst wrote:
> On Thu, 2002-11-28 at 11:38, [EMAIL PROTECTED] wrote:
> > Hi !
> > 
> > Where is the DOMAIN SID stored when the LDAP backend is used?
> > 
> it's in one of the tdb files...

secrets.tdb, namely.


-- 
cheers,
++
|Rafal 'Mimir' Szczesniak <[EMAIL PROTECTED]>   |
|*BSD, GNU/Linux and Samba  /
|__/



Porting guide Samba 2.2.x -> 3.0

2002-11-28 Thread Rainer Link
Folks,

unfortunately I wasn't able to follow the 3.0 development nor this ML 
very closely. Does a porting guide from 2.2.x to 3.0 exist?

I've just discovered that the following code

void send_message(pstring msg) {
    [..]
    unix_to_dos(msg);

    len = strlen(msg);

    if (!cli_message_start(cli, remote_machine, username, &grp_id)) {
        DEBUG(0,("message start: %s", cli_errstr(cli)));
        return;
    }
    [..]

does not compile anymore with Samba 3.0 alpha 20, as the unix_to_dos 
function seems to be removed. Any equivalent available?

Thanks!

best regards,
Rainer Link
OpenAntiVirus.org



Re: DOMAIN SID

2002-11-28 Thread Andrew Bartlett
On Fri, 2002-11-29 at 05:23, Bradley W. Langhorst wrote:
> On Thu, 2002-11-28 at 11:38, [EMAIL PROTECTED] wrote:
> > Hi !
> > 
> > Where is the DOMAIN SID stored when the LDAP backend is used?
> > 
> it's in one of the tdb files...

Just as a note - it has been proposed that in Samba HEAD we should store
it in LDAP - I would like to see a 'domain' record that contains things
like this, account policies - so we don't need to worry about TDBs for
basic PDC/BDC operation.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net


