Re: please report to samba-technical@samba.org
On Tue, 14 Jan 2003, Tim Potter wrote:

On Mon, Jan 13, 2003 at 08:40:55AM -0500, Green, Paul wrote:

[2003/01/08 08:26:20, 0] rpc_parse/parse_spoolss.c:spoolss_io_devmode(607)
  spoolss_io_devmode: Unknown specversion in devicemode [0x0]
[2003/01/08 08:26:20, 0] rpc_parse/parse_spoolss.c:spoolss_io_devmode(608)
  spoolss_io_devmode: please report to [EMAIL PROTECTED]!

Umm, what OS? What version of Samba? Who/what is the client (Windows version xyz?) What were the clients doing to make this happen? (if you know)... Can you make a test case? Even better would be a capture (either with tcpdump or Microsoft netmon) of this exchange.

This is from rpcclient i'm fairly sure.

False alarm.

cheers, jerry

--
Hewlett-Packard - http://www.hp.com
SAMBA Team -- http://www.samba.org
GnuPG Key http://www.plainjoe.org/gpg_public.asc
ISBN 0-672-32269-2 SAMS Teach Yourself Samba in 24 Hours 2ed
You can never go home again, Oatman, but I guess you can shop there. --John Cusack - Grosse Point Blank (1997)
False positive from net ads testjoin
Samba critters: Running with SAMBA_3_0, the following sequence gives incorrect results from the last net ads testjoin: # net ads testjoin -P ERROR: Unable to fetch machine password # net ads join -U ... Joined 'KJCTST' to realm 'WIN2DOM.LOCAL' # net ads testjoin -P Join is OK # net ads leave Removed 'KJCTST' from realm 'WIN2DOM.LOCAL' # net ads testjoin -P [2003/01/17 13:40:03, 0] libads/kerberos.c:ads_kinit_password(133) kerberos_kinit_password KJCTST$@WIN2DOM.LOCAL failed: Client not found in Kerberos database Join is OK If the purpose of net ads testjoin is to determine whether the join is currently valid, it's returning the wrong results. The following is a fix, though it may not be the Best Fix: # cvs diff -pu net_ads.c Index: net_ads.c === RCS file: /cvsroot/samba/source/utils/net_ads.c,v retrieving revision 1.37.2.10 diff -p -u -r1.37.2.10 net_ads.c --- net_ads.c 15 Jan 2003 18:57:41 - 1.37.2.10 +++ net_ads.c 17 Jan 2003 18:48:24 - @@ -586,6 +586,11 @@ static int net_ads_join_ok(void) return -1; } +if (!ads-auth.user_name || !ads-auth.realm || +ads_kinit_password(ads)) { +return -1; +} + ads_destroy(ads); return 0; } Ken
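Review bot: the added return -1 in net_ads_join_ok() sits before ads_destroy(ads), so whenever user_name or realm is missing or ads_kinit_password(ads) fails, the ads structure is never released. Call ads_destroy(ads) inside the new block before returning, or record the result in a variable and fall through to the existing ads_destroy(ads) so there is a single cleanup path. The three conditions are also folded into one silent failure; a short message saying which one tripped would make the -1 easier to diagnose.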
disk_free routines
Hi, I've been working with samba for a few days (2.2.7a), trying to get it to use my dfree program. I've added a global option dfree command = /usr/local/samba/bin/dfree, and testparms displays that line. I had been trying to get it to call my program, but it never seems to call it (I have it output the free space to stdout and to a log file). The log file is never created though. So I added some DEBUG statements into disk_free (smbd/dfree.c) to see if those routines are ever being called, and I couldn't find any output in log.smbd referring to the statements I added. Going on with this for a while, I figured the best thing to do is try to find out when the disk_free routines are supposed to be called. Looking through the code I haven't found anything obvious as to why they wouldn't be called. So I'm really quite stumped. Anybody have any information on how often the disk_free routines get called, and what triggers them to be called? TIA, Ron
Re: --with-cracklib (phase 2)
[Q] Do we want to be able to configure the dictionary name within the smb.conf (char *) or hard-coded in cracklib? Perhaps we want to be able to specify multiple directories (char **). npasswd uses (char **) (multiple). I have no preference.

I forgot to mention the following info:

- cracklib-original (Alec): the path is hard-coded and supports 1 dictionary.
- npasswd is not hard-coded and supports multiple directories.

Voila!

Pierre B.
Re: --with-cracklib (phase 2)
On Sat, 2003-01-18 at 08:20, Pierre Belanger wrote:

Hi,

Here's what I've done so far:

- Added a simple API in cracklib for Samba, works great.
- Sent an email to Alec Muffett, author of cracklib asking him if he can add this new API that doesn't use getuid() getpwuid().
- Sent an email to Chris Hoover, author of npasswd asking him a few questions about his work and also if he could add the new API in the npasswd's cracklib distribution.

Note: npasswd's cracklib is modified to do a much better check (mangle). He added some code from Crack which Alec never added in cracklib. npasswd's new cracklib API does not use getuid / getpwuid which is what we need but it doesn't check against the username fullusername info. I think this is really important.

Issues questions:

- Will we ever see more work on cracklib, nothing changed since 1997. We know we need to add an API that doesn't use getuid() / getpwuid().

If Alec and/or Chris don't want to add an API that doesn't use the get{pw}uid(), we can:

1- Add a patch to cracklib in a contrib directory, link Samba with libcrack.a
2- Commit an API in Samba, still link with libcrack.a for the rest of the functionalities.
3- Commit a samba-cracklib in SAMBA_X_Y , i.e. fully integrate samba-cracklib in Samba (no more fprintf(stderr,...), etc), when possible use Samba's string functions instead of cracklib's original. Don't use sprintf, use Samba's snprintf, etc.

Yes, if cracklib is using stdout/stderr as it stands, then we have no choice but to either isolate it to a 'helper' program, or integrate it into Samba. I think I prefer integration.

[Q] What do you think is the best to do? I don't like #1. #2 is possible, we'll probably end up with our own re-written fascist.c .

Assuming the license is compatible, then I think this is the best course of action.

Some meat now, not a big piece!

Added the following code in smbd/chgpassword.c ~ line 973 :

    #ifdef CRACKLIB
    if ((msg = NewFascistCheck(new_passwd, CRACKLIB_DICTPATH,
                               pdb_get_username(hnd),
                               pdb_get_fullname(hnd))) != NULL) {
        DEBUG(0, ("Can't change password - Cracklib returns: %s\n", msg));
        return NT_STATUS_ACCESS_DENIED;
        /*return NT_STATUS_PASSWORD_RESTRICTION; */
    }
    #endif

[Q] Do we want to be able to configure the dictionary name within the smb.conf (char *) or hard-coded in cracklib? Perhaps we want to be able to specify multiple directories (char **). npasswd uses (char **) (multiple). I have no preference.

Given the number of platforms we run on, then configuring the dictionary name would be 'a good idea'. I don't see the need for multiple dictionaries.

As you probably all know, I'm no Windows protocol guru!

[Q] Is NT_STATUS_ACCESS_DENIED the right value to return when cracklib finds the password in the dictionary?

No, we should match what NT returns. You figure this out by grabbing CVS ethereal, and decoding the password change.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/mschap/mschap/mschapsrvchangepassword.asp

Gives you a good idea what MS's internal functions do here - and this maps quite well to the wire actually. In this case NT_STATUS_PASSWORD_RESTRICTION would be a good choice.

[Q] Is it possible to send back a real message? It could be The specified password is invalid. Please choose a password not based on a dictionary word or password not long enough - minimum X characters, etc.

It's not possible, the protocol just doesn't have a place for it. :-(.

When I change my password here @ work (with a Windows backend domain controller), I can't take any of my previous ~ 3 passwords. I do get an understand error message. Is everything needed to send back a good error message already in Samba? If so, how? if not, well I might need to install a good sniffer and read a few more documents to understand windows protocol unless someone here already knows how to do this.

I would like to see what it's doing - grab CVS ethereal and decode the password change, see what goes where. It's quite possible that the password restriction is being partially enforced on the local machine.

Andrew Bartlett

Any other comments are welcome. Thank you *very much* - enjoy the weekend.

Pierre B.

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
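The API shape discussed in this thread, as an added example that is not code from any of the messages, from Samba or from cracklib: a password check that receives the username and full name from its caller instead of calling getuid()/getpwuid(), and reports a rejection to the client as NT_STATUS_PASSWORD_RESTRICTION. The names pw_quality_check, password_change_status and the in-memory sample_dict are assumptions made for illustration; a real build would consult the packed dictionary at the configured path.

```c
#include <ctype.h>
#include <string.h>

#define STATUS_OK                   0x00000000u
#define STATUS_PASSWORD_RESTRICTION 0xC000006Cu /* NT_STATUS_PASSWORD_RESTRICTION */

/* Constructed stand-in for a packed cracklib dictionary (sample words only). */
static const char *const sample_dict[] = { "password", "letmein", "samba", NULL };

/* Case-insensitive substring search; returns 1 when needle occurs in hay. */
static int ci_contains(const char *hay, const char *needle)
{
    size_t i, n = strlen(needle);
    for (; n && *hay; hay++) {
        for (i = 0; i < n && hay[i] && tolower((unsigned char)hay[i]) ==
                                       tolower((unsigned char)needle[i]); i++)
            ;
        if (i == n)
            return 1;
    }
    return 0;
}

/* Hypothetical check. The caller passes the account's identity, so a daemon
 * running as root never consults getuid()/getpwuid(). Returns NULL when the
 * password is acceptable, otherwise a static reason string for the log. */
const char *pw_quality_check(const char *pw, const char *const *dict,
                             const char *username, const char *fullname)
{
    char name[128], *tok;
    size_t i;
    if (strlen(pw) < 8)
        return "too short";
    if (username && strlen(username) >= 3 && ci_contains(pw, username))
        return "based on the username";
    if (fullname) {
        strncpy(name, fullname, sizeof(name) - 1); /* strtok modifies its input */
        name[sizeof(name) - 1] = '\0';
        for (tok = strtok(name, " ,."); tok; tok = strtok(NULL, " ,."))
            if (strlen(tok) >= 3 && ci_contains(pw, tok))
                return "based on the full name";
    }
    for (i = 0; dict && dict[i]; i++)
        if (ci_contains(pw, dict[i]))
            return "based on a dictionary word";
    return NULL;
}

/* The client only ever sees the status code; the reason stays server-side. */
unsigned int password_change_status(const char *pw, const char *user, const char *full)
{
    return pw_quality_check(pw, sample_dict, user, full) ? STATUS_PASSWORD_RESTRICTION
                                                         : STATUS_OK;
}
```

Because the wire protocol carries only the status code, the reason string is useful for the server log alone.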
Re: --with-cracklib (phase 2)
Hello,

Issues questions:

- Will we ever see more work on cracklib, nothing changed since 1997. We know we need to add an API that doesn't use getuid() / getpwuid().

If Alec and/or Chris don't want to add an API that doesn't use the get{pw}uid(), we can:

1- Add a patch to cracklib in a contrib directory, link Samba with libcrack.a
2- Commit an API in Samba, still link with libcrack.a for the rest of the functionalities.
3- Commit a samba-cracklib in SAMBA_X_Y , i.e. fully integrate samba-cracklib in Samba (no more fprintf(stderr,...), etc), when possible use Samba's string functions instead of cracklib's original. Don't use sprintf, use Samba's snprintf, etc.

Yes, if cracklib is using stdout/stderr as it stands, then we have no choice but to either isolate it to a 'helper' program, or integrate it into Samba. I think I prefer integration.

integration also means to add at least the packer program needed to create the dictionary with a simple index. Might as well put them all in .../samba/bin/cracktools/... ??? Well, if we integrate everything, how about smbcracklib or smb-cracklib with options to pack, unpack, etc ? Something like:

                                                          Cracklib equiv.
    -D  Dictionary path (could be taken from smb.conf ?)
    -P  pack dictionary                                   packer
    -U  unpack dictionary                                 unpacker
    -l  test passwords                                    testlib
    -d  turn on debugging (if needed)
    -w  print position of a word                          teststr
    -n  print word at a specific position                 testnum

I have no preference to what should be included or not, but the packer feature must be included.

[Q] What do you think is the best to do? I don't like #1. #2 is possible, we'll probably end up with our own re-written fascist.c .

Assuming the license is compatible, then I think this is the best course of action.

Is there a licence Guru that can give us a confirmation? The LICENCE is attached in this mail. I don't see a problem with the following words in the LICENCE:

plus the right to make reasonable modifications

We're not going to make that many modifications.

Some meat now, not a big piece!

Added the following code in smbd/chgpassword.c ~ line 973 :

    #ifdef CRACKLIB
    if ((msg = NewFascistCheck(new_passwd, CRACKLIB_DICTPATH,
                               pdb_get_username(hnd),
                               pdb_get_fullname(hnd))) != NULL) {
        DEBUG(0, ("Can't change password - Cracklib returns: %s\n", msg));
        return NT_STATUS_ACCESS_DENIED;
        /*return NT_STATUS_PASSWORD_RESTRICTION; */
    }
    #endif

[Q] Do we want to be able to configure the dictionary name within the smb.conf (char *) or hard-coded in cracklib? Perhaps we want to be able to specify multiple directories (char **). npasswd uses (char **) (multiple). I have no preference.

Given the number of platforms we run on, then configuring the dictionary name would be 'a good idea'. I don't see the need for multiple dictionaries.

I agree on both of your comments.

[Q] Is NT_STATUS_ACCESS_DENIED the right value to return when cracklib finds the password in the dictionary?

No, we should match what NT returns. You figure this out by grabbing CVS ethereal, and decoding the password change.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/mschap/mschap/mschapsrvchangepassword.asp

Gives you a good idea what MS's internal functions do here - and this maps quite well to the wire actually. In this case NT_STATUS_PASSWORD_RESTRICTION would be a good choice.

Thanx for the info.

[Q] Is it possible to send back a real message? It could be The specified password is invalid. Please choose a password not based on a dictionary word or password not long enough - minimum X characters, etc.

It's not possible, the protocol just doesn't have a place for it. :-(.

Too bad ;-) How about trying to send a POPUP Window on the Windows machine? I guess it's possible if the user is already logged in, but if the user is not logged in yet, i.e. I'm talking about the situation when you first boot up your computer and you're forced to change your password *NOW* before you can actually login on the network.

When I change my password here @ work (with a Windows backend domain controller), I can't take any of my previous ~ 3 passwords. I do get an understand error message. Is everything needed to send back a good error message already in Samba? If so, how? if not, well I might need to install a good sniffer and read a few more documents to understand windows protocol unless someone here already knows how to do this.

I would like to see what it's doing - grab CVS ethereal and decode the password change, see what goes where.

Will do once cracklib is ready to be integrated. I think I do have plenty of work to do now ;-)

It's quite possible that the password restriction is being partially enforced on
Re: --with-cracklib (phase 2)
On Sat, 2003-01-18 at 09:32, Pierre Belanger wrote:

Hello,

Issues questions:

- Will we ever see more work on cracklib, nothing changed since 1997. We know we need to add an API that doesn't use getuid() / getpwuid().

If Alec and/or Chris don't want to add an API that doesn't use the get{pw}uid(), we can:

1- Add a patch to cracklib in a contrib directory, link Samba with libcrack.a
2- Commit an API in Samba, still link with libcrack.a for the rest of the functionalities.
3- Commit a samba-cracklib in SAMBA_X_Y , i.e. fully integrate samba-cracklib in Samba (no more fprintf(stderr,...), etc), when possible use Samba's string functions instead of cracklib's original. Don't use sprintf, use Samba's snprintf, etc.

Yes, if cracklib is using stdout/stderr as it stands, then we have no choice but to either isolate it to a 'helper' program, or integrate it into Samba. I think I prefer integration.

integration also means to add at least the packer program needed to create the dictionary with a simple index. Might as well put them all in .../samba/bin/cracktools/... ??? Well, if we integrate everything, how about smbcracklib or smb-cracklib with options to pack, unpack, etc ? Something like:

                                                          Cracklib equiv.
    -D  Dictionary path (could be taken from smb.conf ?)
    -P  pack dictionary                                   packer
    -U  unpack dictionary                                 unpacker
    -l  test passwords                                    testlib
    -d  turn on debugging (if needed)
    -w  print position of a word                          teststr
    -n  print word at a specific position                 testnum

I have no preference to what should be included or not, but the packer feature must be included.

[Q] What do you think is the best to do? I don't like #1. #2 is possible, we'll probably end up with our own re-written fascist.c .

Assuming the license is compatible, then I think this is the best course of action.

Is there a licence Guru that can give us a confirmation? The LICENCE is attached in this mail. I don't see a problem with the following words in the LICENCE:

plus the right to make reasonable modifications

We're not going to make that many modifications.

The artistic license is not compatible with the GPL. As such we cannot distribute Samba with this code, but we may link to this code under the 'operating system exception'. As such, I would suggest that we either look into GPL-compatible code of a similar nature or we instead create a separate project to produce a stand-alone executable interface (much like the one heimdal kerberos uses), and have samba know how to use it.

Some meat now, not a big piece!

Added the following code in smbd/chgpassword.c ~ line 973 :

    #ifdef CRACKLIB
    if ((msg = NewFascistCheck(new_passwd, CRACKLIB_DICTPATH,
                               pdb_get_username(hnd),
                               pdb_get_fullname(hnd))) != NULL) {
        DEBUG(0, ("Can't change password - Cracklib returns: %s\n", msg));
        return NT_STATUS_ACCESS_DENIED;
        /*return NT_STATUS_PASSWORD_RESTRICTION; */
    }
    #endif

In the meantime, I'll probably use this for my private installation, but it's looking like this will be a bit more difficult than we originally hoped.

[Q] Do we want to be able to configure the dictionary name within the smb.conf (char *) or hard-coded in cracklib? Perhaps we want to be able to specify multiple directories (char **). npasswd uses (char **) (multiple). I have no preference.

Given the number of platforms we run on, then configuring the dictionary name would be 'a good idea'. I don't see the need for multiple dictionaries.

I agree on both of your comments.

[Q] Is NT_STATUS_ACCESS_DENIED the right value to return when cracklib finds the password in the dictionary?

No, we should match what NT returns. You figure this out by grabbing CVS ethereal, and decoding the password change.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/mschap/mschap/mschapsrvchangepassword.asp

Gives you a good idea what MS's internal functions do here - and this maps quite well to the wire actually. In this case NT_STATUS_PASSWORD_RESTRICTION would be a good choice.

Thanx for the info.

[Q] Is it possible to send back a real message? It could be The specified password is invalid. Please choose a password not based on a dictionary word or password not long enough - minimum X characters, etc.

It's not possible, the protocol just doesn't have a place for it. :-(.

Too bad ;-) How about trying to send a POPUP Window on the Windows machine? I guess it's possible if the user is already logged in, but if the user is not logged in yet, i.e. I'm talking about the situation when you first boot up your computer and you're forced
How do I enable groupname map functionality?
I can see code in Samba 2.2.7a in source/smbd/groupname.c to do groupname map functionality. I see

#ifdef USING_GROUPNAME_MAP

but I don't see any option to configure to enable this. Is this feature available or is it still under development?

--
Eric M. Boehm                  /\  ASCII Ribbon Campaign
[EMAIL PROTECTED]              \ /  No HTML or RTF in mail
                                X   No proprietary word-processing
Respect Open Standards         / \  files in mail
Re: How do I enable groupname map functionality?
On Fri, 17 Jan 2003, Eric Boehm wrote:

I can see code in Samba 2.2.7a in source/smbd/groupname.c to do groupname map functionality. I see #ifdef USING_GROUPNAME_MAP

This is all removed in Samba 3.0. It has probably bit rotted since I think it was written around 2.0. I would recommend staying away from it.

cheers, jerry

--
Hewlett-Packard - http://www.hp.com
SAMBA Team -- http://www.samba.org
GnuPG Key http://www.plainjoe.org/gpg_public.asc
ISBN 0-672-32269-2 SAMS Teach Yourself Samba in 24 Hours 2ed
You can never go home again, Oatman, but I guess you can shop there. --John Cusack - Grosse Point Blank (1997)