Re: please report to samba-technical@samba.org

2003-01-17 Thread Gerald (Jerry) Carter

On Tue, 14 Jan 2003, Tim Potter wrote:

 On Mon, Jan 13, 2003 at 08:40:55AM -0500, Green, Paul wrote:
 
   [2003/01/08 08:26:20, 0] rpc_parse/parse_spoolss.c:spoolss_io_devmode(607)
 spoolss_io_devmode: Unknown specversion in devicemode [0x0]
   [2003/01/08 08:26:20, 0] rpc_parse/parse_spoolss.c:spoolss_io_devmode(608)
 spoolss_io_devmode: please report to [EMAIL PROTECTED]!
 
  Umm, what OS?  What version of Samba?   Who/what is the client (Windows
  version xyz?)  What were the clients doing to make this happen? (if you
  know)...  Can you make a test case?
 
 Even better would be a capture (either with tcpdump or Microsoft netmon)
 of this exchange.

This is from rpcclient I'm fairly sure.  False alarm.




cheers, jerry
 --
 Hewlett-Packard- http://www.hp.com
 SAMBA Team -- http://www.samba.org
 GnuPG Key   http://www.plainjoe.org/gpg_public.asc
 ISBN 0-672-32269-2 SAMS Teach Yourself Samba in 24 Hours 2ed
 You can never go home again, Oatman, but I guess you can shop there.  
--John Cusack - Grosse Point Blank (1997)





False positive from net ads testjoin

2003-01-17 Thread Ken Cross
Samba critters:

Running with SAMBA_3_0, the following sequence gives incorrect results
from the last net ads testjoin:

  # net ads testjoin -P
  ERROR: Unable to fetch machine password

  # net ads join -U ...
  Joined 'KJCTST' to realm 'WIN2DOM.LOCAL'

  # net ads testjoin -P
  Join is OK

  # net ads leave
  Removed 'KJCTST' from realm 'WIN2DOM.LOCAL'

  # net ads testjoin -P
  [2003/01/17 13:40:03, 0] libads/kerberos.c:ads_kinit_password(133)
kerberos_kinit_password KJCTST$@WIN2DOM.LOCAL failed: Client not
found in Kerberos database
  Join is OK

If the purpose of net ads testjoin is to determine whether the join is
currently valid, it's returning the wrong results.

The following is a fix, though it may not be the Best Fix:


# cvs diff -pu net_ads.c
Index: net_ads.c
===
RCS file: /cvsroot/samba/source/utils/net_ads.c,v
retrieving revision 1.37.2.10
diff -p -u -r1.37.2.10 net_ads.c
--- net_ads.c   15 Jan 2003 18:57:41 -  1.37.2.10
+++ net_ads.c   17 Jan 2003 18:48:24 -
@@ -586,6 +586,11 @@ static int net_ads_join_ok(void)
return -1;
}
 
+if (!ads-auth.user_name || !ads-auth.realm || 
+ads_kinit_password(ads)) {
+return -1;
+}
+
ads_destroy(ads);
return 0;
}
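
Review bot: The added "return -1" inside the new if block in net_ads_join_ok() exits before the ads_destroy(ads) call two lines below it, so the ads structure is leaked every time the kinit check fails. Call ads_destroy(ads) before returning -1 on that path. The return value of ads_kinit_password(ads) is also discarded, so the function returns -1 without saying why; a short message on this path would make the failure easier to diagnose.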

Ken




disk_free routines

2003-01-17 Thread Ron Cococcia
Hi,
I've been working with samba for a few days (2.2.7a), trying to get it to
use my dfree program.  I've added a global option dfree command =
/usr/local/samba/bin/dfree, and testparm displays that line.

I had been trying to get it to call my program, but it never seems to call
it (I have it output the free space to stdout and to a log file).  The log
file is never created though.  So I added some DEBUG statements into
disk_free (smbd/dfree.c) to see if those routines are ever being called, and
I couldn't find any output in log.smbd referring to the statements I added.

Going on with this for a while, I figured the best thing to do is try to
find out when the disk_free routines are supposed to be called.  Looking
through the code I haven't found anything obvious as to why they wouldn't be
called.  So I'm really quite stumped.  Anybody have any information on how
often the disk_free routines get called, and what triggers them to be
called?

TIA,
Ron




Re: --with-cracklib (phase 2)

2003-01-17 Thread Pierre Belanger


[Q] Do we want to be able to configure the dictionary name
within the smb.conf (char *) or hard-coded in cracklib?
Perhaps we want to be able to specify multiple directories
(char **). npasswd uses (char **) (multiple). I have
no preference.



I forgot to mention the following info:

- cracklib-original (Alec): the path is hard-coded and supports
  1 dictionary.
- npasswd is not hard-coded and supports multiple directories.

Voila!
Pierre B.




Re: --with-cracklib (phase 2)

2003-01-17 Thread Andrew Bartlett
On Sat, 2003-01-18 at 08:20, Pierre Belanger wrote:
 Hi,
 
 Here's what I've done so far:
 
 - Added a simple API in cracklib for Samba, works great.
 - Sent an email to Alec Muffett, author of cracklib asking
him if he can add this new API that doesn't use
getuid() & getpwuid().
 - Sent an email to Chris Hoover, author of npasswd asking
him a few questions about his work and also if he could
add the new API in the npasswd's cracklib distribution.
 
 Note: npasswd's cracklib is modified to do a much better
check (mangle). He added some code from Crack
which Alec never added in cracklib. npasswd's new
cracklib API does not use getuid / getpwuid which
is what we need but it doesn't check against the
username & fullusername info. I think this is really
important.
 
 Issues & questions:
 
 - Will we ever see more work on cracklib, nothing changed
since 1997. We know we need to add an API that doesn't
use getuid() / getpwuid(). If Alec and/or Chris don't
want to add an API that doesn't use the get{pw}uid(),
we can:
 
1- Add a patch to cracklib in a contrib directory, link
   Samba with libcrack.a
2- Commit an API in Samba, still link with libcrack.a
   for the rest of the functionalities.
3- Commit a samba-cracklib in SAMBA_X_Y , i.e. fully
   integrate samba-cracklib in Samba (no more
   fprintf(stderr,...), etc), when possible use Samba's
   string functions instead of cracklib's original.
   Don't use sprintf, use Samba's snprintf, etc.

Yes, if cracklib is using stdout/stderr as it stands, then we have no
choice but to either isolate it to a 'helper' program, or integrate it
into Samba.  I think I prefer integration.

 [Q] What do you think is the best to do? I don't like #1.
 #2 is possible, we'll probably end up with our own re-written
 fascist.c .

Assuming the license is compatible, then I think this is the best course
of action.

 Some meat now, not a big piece!
 
 Added the following code in smbd/chgpassword.c ~ line 973 :
 
 #ifdef CRACKLIB
   if ((msg = NewFascistCheck(new_passwd, CRACKLIB_DICTPATH,
           pdb_get_username(hnd), pdb_get_fullname(hnd)))) {
 
     DEBUG(0, ("Can't change password - "
               "Cracklib returns: %s\n", msg));
     return NT_STATUS_ACCESS_DENIED;
     /*return NT_STATUS_PASSWORD_RESTRICTION; */
 
   }
 #endif
 
 
 [Q] Do we want to be able to configure the dictionary name
  within the smb.conf (char *) or hard-coded in cracklib?
  Perhaps we want to be able to specify multiple directories
  (char **). npasswd uses (char **) (multiple). I have
  no preference.

Given the number of platforms we run on, then configuring the dictionary
name would be 'a good idea'.  I don't see the need for multiple
dictionaries.

 As you probably all know, I'm no Windows protocol guru!
 
 [Q] Is NT_STATUS_ACCESS_DENIED the right value to return
  when cracklib finds the password in the dictionary?

No, we should match what NT returns.  You figure this out by grabbing 
CVS ethereal, and decoding the password change.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/mschap/mschap/mschapsrvchangepassword.asp

Gives you a good idea what MS's internal functions do here - and this
maps quite well to the wire actually.

In this case NT_STATUS_PASSWORD_RESTRICTION would be a good choice.

 [Q] Is it possible to send back a real message? It could
  be The specified password is invalid. Please choose
  a password not based on a dictionary word or
  password not long enough - minimum X characters, etc.

It's not possible, the protocol just doesn't have a place for it. :-(.

  When I change my password here @ work (with a Windows
  backend domain controller), I can't take any of my
  previous ~ 3 passwords. I do get an understandable error
  message. Is everything needed to send back a good
  error message already in Samba? If so, how? if not,
  well I might need to install a good sniffer and read
  a few more documents to understand windows protocol
  unless someone here already knows how to do this.

I would like to see what it's doing - grab CVS ethereal and decode the
password change, see what goes where.

It's quite possible that the password restriction is being partially
enforced on the local machine.

Andrew Bartlett

 Any other comments are welcome.
 
 Thank you *very much* - enjoy the weekend.
 
 Pierre B.
-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
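
One way to shape the check this thread asks for, as an added example (not Samba's or cracklib's code): the account name and full name are passed in by the caller rather than looked up with getuid()/getpwuid(), the reason is returned rather than printed, and the caller maps any rejection to NT_STATUS_PASSWORD_RESTRICTION. The names pw_quality_check, PW_STATUS and sample.dict, the plain word-list dictionary and the length thresholds are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NT_STATUS_OK                   0x00000000u
#define NT_STATUS_PASSWORD_RESTRICTION 0xC000006Cu
/* Caller side: every rejection maps to the one status code sent back. */
#define PW_STATUS(reason) ((reason) ? NT_STATUS_PASSWORD_RESTRICTION : NT_STATUS_OK)
#define LC(c) tolower((unsigned char)(c))

/* Case-insensitive: do the first n bytes of needle occur anywhere in hay? */
static int contains_ci(const char *hay, const char *needle, size_t n)
{
    for (; n && *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] && LC(hay[i]) == LC(needle[i]))
            i++;
        if (i == n) return 1;
    }
    return 0;
}

/* Hypothetical API: NULL when pw is acceptable, else a reason string. Account
 * data comes from the caller (no getuid()/getpwuid()); nothing is printed.
 * Assumed: dictpath is a plain word-per-line file; thresholds are illustrative. */
const char *pw_quality_check(const char *pw, const char *dictpath,
                             const char *username, const char *fullname)
{
    char word[256];
    const char *p, *reason = NULL;
    if (strlen(pw) < 8) return "too short";
    if (contains_ci(pw, username, strlen(username))) return "based on username";
    for (p = fullname; *p; p += strspn(p, " ")) {   /* each part of the name */
        size_t len = strcspn(p, " ");
        if (len > 2 && contains_ci(pw, p, len)) return "based on full name";
        p += len;
    }
    FILE *fp = fopen(dictpath, "r");
    if (fp == NULL) return "dictionary unavailable";   /* fail closed */
    while (!reason && fgets(word, sizeof(word), fp)) {
        size_t len = strcspn(word, "\r\n");
        if (len > 3 && contains_ci(pw, word, len))
            reason = "based on dictionary word";
    }
    fclose(fp);
    return reason;
}

int main(void)
{
    FILE *fp = fopen("sample.dict", "w");   /* constructed sample dictionary */
    if (fp == NULL) return 1;
    fputs("password\nsamba\nwinter\n", fp);
    fclose(fp);
    const char *why = pw_quality_check("Winter2003!", "sample.dict",
                                       "pexample", "Pat Example");
    printf("%s -> 0x%08X\n", why ? why : "ok", (unsigned)PW_STATUS(why));
    return 0;
}
```

The reason string is meant for the server log only; as the reply above notes, the protocol has no field to carry it back to the client.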





Re: --with-cracklib (phase 2)

2003-01-17 Thread Pierre Belanger
Hello,



Issues & questions:

- Will we ever see more work on cracklib, nothing changed
  since 1997. We know we need to add an API that doesn't
  use getuid() / getpwuid(). If Alec and/or Chris don't
  want to add an API that doesn't use the get{pw}uid(),
  we can:

  1- Add a patch to cracklib in a contrib directory, link
 Samba with libcrack.a
  2- Commit an API in Samba, still link with libcrack.a
 for the rest of the functionalities.
  3- Commit a samba-cracklib in SAMBA_X_Y , i.e. fully
 integrate samba-cracklib in Samba (no more
 fprintf(stderr,...), etc), when possible use Samba's
 string functions instead of cracklib's original.
 Don't use sprintf, use Samba's snprintf, etc.



Yes, if cracklib is using stdout/stderr as it stands, then we have no
choice but to either isolate it to a 'helper' program, or integrate it
into Samba.  I think I prefer integration.


integration also means to add at least the packer program
needed to create the dictionary with a simple index. Might
as well put them all in .../samba/bin/cracktools/... ???

Well, if we integrate everything, how about smbcracklib
or smb-cracklib with options to pack, unpack, etc ? Something
like:

                                          Cracklib equiv.

  -D  Dictionary path (could be taken from smb.conf ?)
  -P  pack dictionary                     packer
  -U  unpack dictionary                   unpacker
  -l  test passwords                      testlib
  -d  turn on debugging (if needed)
  -w  print position of a word            teststr
  -n  print word at a specific position   testnum

I have no preference to what should be included or not, but
the packer feature must be included.



[Q] What do you think is the best to do? I don't like #1.
#2 is possible, we'll probably end up with our own re-written
fascist.c .



Assuming the license is compatible, then I think this is the best
course of action.



Is there a licence Guru that can give us a confirmation?
The LICENCE is attached in this mail.

I don't see a problem with the following words in the LICENCE:

  plus the right to make reasonable modifications

We're not going to make that many modifications.





Some meat now, not a big piece!

Added the following code in smbd/chgpassword.c ~ line 973 :

  #ifdef CRACKLIB
    if ((msg = NewFascistCheck(new_passwd, CRACKLIB_DICTPATH,
            pdb_get_username(hnd), pdb_get_fullname(hnd)))) {

      DEBUG(0, ("Can't change password - "
                "Cracklib returns: %s\n", msg));
      return NT_STATUS_ACCESS_DENIED;
      /*return NT_STATUS_PASSWORD_RESTRICTION; */

    }
  #endif


[Q] Do we want to be able to configure the dictionary name
within the smb.conf (char *) or hard-coded in cracklib?
Perhaps we want to be able to specify multiple directories
(char **). npasswd uses (char **) (multiple). I have
no preference.



Given the number of platforms we run on, then configuring the dictionary
name would be 'a good idea'.  I don't see the need for multiple
dictionaries.


I agree on both of your comments.




[Q] Is NT_STATUS_ACCESS_DENIED the right value to return
when cracklib finds the password in the dictionary?



No, we should match what NT returns.  You figure this out by grabbing 
CVS ethereal, and decoding the password change.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/mschap/mschap/mschapsrvchangepassword.asp

Gives you a good idea what MS's internal functions do here - and this
maps quite well to the wire actually.

In this case NT_STATUS_PASSWORD_RESTRICTION would be a good choice.

Thanx for the info.



[Q] Is it possible to send back a real message? It could
be The specified password is invalid. Please choose
a password not based on a dictionary word or
password not long enough - minimum X characters, etc.



It's not possible, the protocol just doesn't have a place for it. :-(.


Too bad ;-) How about trying to send a POPUP Window on the Windows
machine? I guess it's possible if the user is already logged in,
but if the user is not logged in yet, i.e. I'm talking about the
situation when you first boot up your computer and you're forced
to change your password *NOW* before you can actually login
on the network.



When I change my password here @ work (with a Windows
backend domain controller), I can't take any of my
previous ~ 3 passwords. I do get an understandable error
message. Is everything needed to send back a good
error message already in Samba? If so, how? if not,
well I might need to install a good sniffer and read
a few more documents to understand windows protocol
unless someone here already knows how to do this.



I would like to see what it's doing - grab CVS ethereal and decode the
password change, see what goes where.


Will do once cracklib is ready to be integrated. I think I do have
plenty of work to do now ;-)



It's quite possible that the password restriction is being partially
enforced on 

Re: --with-cracklib (phase 2)

2003-01-17 Thread Andrew Bartlett
On Sat, 2003-01-18 at 09:32, Pierre Belanger wrote:
 Hello,
 
 
 Issues & questions:
 
 - Will we ever see more work on cracklib, nothing changed
since 1997. We know we need to add an API that doesn't
use getuid() / getpwuid(). If Alec and/or Chris don't
want to add an API that doesn't use the get{pw}uid(),
we can:
 
1- Add a patch to cracklib in a contrib directory, link
   Samba with libcrack.a
2- Commit an API in Samba, still link with libcrack.a
   for the rest of the functionalities.
3- Commit a samba-cracklib in SAMBA_X_Y , i.e. fully
   integrate samba-cracklib in Samba (no more
   fprintf(stderr,...), etc), when possible use Samba's
   string functions instead of cracklib's original.
   Don't use sprintf, use Samba's snprintf, etc.
  
  
  Yes, if cracklib is using stdout/stderr as it stands, then we have no
  choice but to either isolate it to a 'helper' program, or integrate it
  into Samba.  I think I prefer integration.
  
 integration also means to add at least the packer program
 needed to create the dictionary with a simple index. Might
 as well put them all in .../samba/bin/cracktools/... ???
 
 Well, if we integrate everything, how about smbcracklib
 or smb-cracklib with options to pack, unpack, etc ? Something
 like:
 
                                           Cracklib equiv.
 
   -D  Dictionary path (could be taken from smb.conf ?)
   -P  pack dictionary                     packer
   -U  unpack dictionary                   unpacker
   -l  test passwords                      testlib
   -d  turn on debugging (if needed)
   -w  print position of a word            teststr
   -n  print word at a specific position   testnum
 
 I have no preference to what should be included or not, but
 the packer feature must be included.
 
 
 [Q] What do you think is the best to do? I don't like #1.
 #2 is possible, we'll probably end up with our own re-written
 fascist.c .
  
  
  Assuming the license is compatible, then I think this is the best
   course of action.
  
 Is there a licence Guru that can give us a confirmation?
 The LICENCE is attached in this mail.
 
 I don't see a problem with the following words in the LICENCE:
 
plus the right to make reasonable modifications
 
 We're not going to make that many modifications.

The artistic license is not compatible with the GPL.  As such we cannot
distribute Samba with this code, but we may link to this code under the
'operating system exception'. 

As such, I would suggest that we either look into GPL-compatible code of
a similar nature or we instead create a separate project to produce a
stand-alone executable interface (much like the one heimdal kerberos
uses), and have samba know how to use it.

  
 Some meat now, not a big piece!
 
 Added the following code in smbd/chgpassword.c ~ line 973 :
 
 #ifdef CRACKLIB
   if ((msg = NewFascistCheck(new_passwd, CRACKLIB_DICTPATH,
           pdb_get_username(hnd), pdb_get_fullname(hnd)))) {
 
     DEBUG(0, ("Can't change password - "
               "Cracklib returns: %s\n", msg));
     return NT_STATUS_ACCESS_DENIED;
     /*return NT_STATUS_PASSWORD_RESTRICTION; */
 
   }
 #endif

In the meantime, I'll probably use this for my private installation, but
it's looking like this will be a bit more difficult than we originally
hoped.

 [Q] Do we want to be able to configure the dictionary name
  within the smb.conf (char *) or hard-coded in cracklib?
  Perhaps we want to be able to specify multiple directories
  (char **). npasswd uses (char **) (multiple). I have
  no preference.
  
  
  Given the number of platforms we run on, then configuring the dictionary
  name would be 'a good idea'.  I don't see the need for multiple
  dictionaries.
  
 I agree on both of your comments.
 
 
 
 [Q] Is NT_STATUS_ACCESS_DENIED the right value to return
  when cracklib finds the password in the dictionary?
  
  
  No, we should match what NT returns.  You figure this out by grabbing 
  CVS ethereal, and decoding the password change.
  
  
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/mschap/mschap/mschapsrvchangepassword.asp
  
  Gives you a good idea what MS's internal functions do here - and this
  maps quite well to the wire actually.
  
  In this case NT_STATUS_PASSWORD_RESTRICTION would be a good choice.
  
 Thanx for the info.
 
 
 [Q] Is it possible to send back a real message? It could
  be The specified password is invalid. Please choose
  a password not based on a dictionary word or
  password not long enough - minimum X characters, etc.
  
  
  It's not possible, the protocol just doesn't have a place for it. :-(.
  
 Too bad ;-) How about trying to send a POPUP Window on the Windows
 machine? I guess it's possible if the user is already logged in,
 but if the user is not logged in yet, i.e. I'm talking about the
 situation when you first boot up your computer and you're forced
 

How do I enable groupname map functionality?

2003-01-17 Thread Eric Boehm
I can see code in Samba 2.2.7a in source/smbd/groupname.c to do
groupname map functionality. I see 

#ifdef USING_GROUPNAME_MAP

but I don't see any option to configure to enable this. Is this
feature available or is it still under development?

-- 
Eric M. Boehm           /\   ASCII Ribbon Campaign
[EMAIL PROTECTED]       \ /  No HTML or RTF in mail
                         X   No proprietary word-processing
Respect Open Standards  / \  files in mail



Re: How do I enable groupname map functionality?

2003-01-17 Thread Gerald (Jerry) Carter

On Fri, 17 Jan 2003, Eric Boehm wrote:

 I can see code in Samba 2.2.7a in source/smbd/groupname.c to do
 groupname map functionality. I see 
 
 #ifdef USING_GROUPNAME_MAP

This is all removed in Samba 3.0.  It has probably bit rotted since I 
think it was written around 2.0.  I would recommend staying away from 
it.





cheers, jerry
 --
 Hewlett-Packard- http://www.hp.com
 SAMBA Team -- http://www.samba.org
 GnuPG Key   http://www.plainjoe.org/gpg_public.asc
 ISBN 0-672-32269-2 SAMS Teach Yourself Samba in 24 Hours 2ed
 You can never go home again, Oatman, but I guess you can shop there.  
--John Cusack - Grosse Point Blank (1997)
