[patch] winbindd: try to fix 'restrict anonymous=1'
hp CR1501 and friends

This patch tries to make winbindd cope with the security option 'restrict anonymous=1' on NT4 and W2kS. When this option is set, the DC disallows SAMR calls on unauthenticated connections, but does allow LSA translations between names and sids. Obviously winbindd can't be fully functional in this case, but it ought to be able to still do these operations -- in particular, with this patch wbinfo -n works, while it does not work without it.

I'm not sure this is right yet but I'd appreciate comments. If this is correct, I think it ought to be ported to HEAD and 3.0 as well. It seems to work for me. As Tim suggested I used both built-in (Administrator) and otherwise (jrhacker) SIDs for testing.

This partially reverts the cached failure case, and possibly causes winbindd to hammer on dcs that just don't want to talk to it. You can imagine a more detailed fix that specifically detects the ra=1 case and handles it by using only LSA. From what I know, it doesn't seem to specifically handle that, though perhaps it would be so in HEAD.

Incidentally, gdb remote mode absolutely rocks for debugging appliances. Thanks to Tim for patient help.

Index: nsswitch/winbindd_cache.c === RCS file: /data/cvs/samba/source/nsswitch/winbindd_cache.c,v retrieving revision 1.5.2.8 diff -u -r1.5.2.8 winbindd_cache.c --- nsswitch/winbindd_cache.c 31 Oct 2002 23:56:32 - 1.5.2.8 +++ nsswitch/winbindd_cache.c 20 Jan 2003 10:43:58 - @@ -201,7 +201,8 @@ refresh the domain sequence number. If force is True then always refresh it, no matter how recently we fetched it */ -static void refresh_sequence_number(struct winbindd_domain *domain, BOOL force) +static NTSTATUS refresh_sequence_number(struct winbindd_domain *domain, + BOOL force) { NTSTATUS status; unsigned time_diff; 
@@ -210,7 +211,7 @@ /* see if we have to refetch the domain sequence number */ if (!force (time_diff lp_winbind_cache_time())) { - return; + return NT_STATUS_OK; } status = wcache-backend-sequence_number(domain, domain-sequence_number); @@ -238,6 +239,8 @@ DEBUG(10, (refresh_sequence_number: seq number is now %d\n, domain-sequence_number)); + + return status; } /* @@ -276,8 +279,18 @@ TDB_DATA data; struct cache_entry *centry; TDB_DATA key; + NTSTATUS result; - refresh_sequence_number(domain, False); + result = refresh_sequence_number(domain, False); + + /* Treat an access denied result from refresh_sequence_number as a + cache miss. Access denied is returned when the domain + controller disallows anonymous access. Perhaps we should treat + any error as a miss although that might increase the time it + takes winbindd to determine if a domain controller is down. */ + + if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) + return NULL; va_start(ap, format); smb_xvasprintf(kstr, format, ap); @@ -738,9 +751,15 @@ do_query: ZERO_STRUCTP(sid); - /* Return status value returned by seq number check */ + /* If the seq number check indicated that there is a problem +* with this DC, then return that status... except for +* access_denied. This is special because the dc may be in +* restrict anonymous = 1 mode, in which case it will deny +* most unauthenticated operations, but *will* allow the LSA +* name-to-sid that we try as a fallback. */ - if (!NT_STATUS_IS_OK(domain-last_status)) + if (!(NT_STATUS_IS_OK(domain-last_status) + || NT_STATUS_EQUAL(domain-last_status, NT_STATUS_ACCESS_DENIED))) return domain-last_status; status = cache-backend-name_to_sid(domain, name, sid, type); 
@@ -784,9 +803,16 @@ do_query: *name = NULL; - /* Return status value returned by seq number check */ - if (!NT_STATUS_IS_OK(domain-last_status)) + /* If the seq number check indicated that there is a problem +* with this DC, then return that status... except for +* access_denied. This is special because the dc may be in +* restrict anonymous = 1 mode, in which case it will deny +* most unauthenticated operations, but *will* allow the LSA +* sid-to-name that we try as a fallback. */ + + if (!(NT_STATUS_IS_OK(domain-last_status) + || NT_STATUS_EQUAL(domain-last_status, NT_STATUS_ACCESS_DENIED))) return domain-last_status; status = cache-backend-sid_to_name(domain, mem_ctx, sid, name, type); -- Martin
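Review bot: in the wcache_fetch hunk (@@ -276,8 +279,18 @@), returning NULL whenever refresh_sequence_number reports NT_STATUS_ACCESS_DENIED turns every lookup against such a DC into a cache miss, so entries cached earlier are never consulted and the DC is queried on each call; the cover note already expects this hammering. A narrower change would skip only the sequence-number freshness test on access denied and still fall through to the key build and tdb lookup that follow, so previously cached data keeps serving. The early return sits before va_start, which is correct as long as nothing is inserted between the two later; the trailing "Perhaps we should treat any error as a miss" sentence is an open question and should be resolved or moved out of the code comment.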
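Review bot: in the name_to_sid hunk (@@ -738,9 +751,15 @@), letting NT_STATUS_ACCESS_DENIED through to cache->backend->name_to_sid means the LSA call is attempted on every query while the DC stays in this state; when that call also fails, its status replaces the access-denied one and the caller cannot tell an RA=1 DC from a broken trust. Emit a DEBUG line on the access-denied path so the fallback is visible in the logs, and check that a failed backend result on this path is not stored as a cache entry. Style: the continuation lines of the new block comment are written as "+*" without the leading space used by the surrounding comments.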
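Review bot: the sid_to_name hunk (@@ -784,9 +803,16 @@) repeats the comment and the two-term status test from name_to_sid verbatim; factor the test into one static helper (for example a dc_status_allows_query(domain) that returns true for NT_STATUS_OK or NT_STATUS_ACCESS_DENIED) and keep the explanation at the helper, so the two call sites cannot drift apart when the list of special-cased statuses grows. The "+*" continuation lines of this comment also lack the leading space.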
Re: smbc_lseek in libsmbclient
On Sunday 19 January 2003 23:36, Tuomas Niinimäki wrote:

> Greetings, I'm having problems with smbc_lseek. It seems like the 'whence' parameter gets corrupted for some reason.

The offset is 8 bytes (on my system) when you compiled samba. I guess you did not compile your testcase with -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 to make sure it is 8 bytes at compile time. Please try this and report back.

Yours,
Tom
Bug in mod_ntlm_winbind with samba 2.2.5
I have downloaded mod_ntlm_winbind somewhere from the samba-site. Seems that it is not maintained (any more). Does anyone know of an alternative module for mod_ntlm_winbind that works? If not, I'd like to maintain this module (What do I have to do?)

However, I found a bug in the ntlmssp.c file, line 150 (or 224, see explanation):

148:    unsigned o = little_endian_word(off);
149:    unsigned l = little_endian_word(len) / 2; /* Unicode! */
150:    if (l > max)
151:        return -1;
152:    if (o >= srclen)
153:        return -1;
154:    if (o + l > srclen)
155:        return -1;

The function [ntlm_msg3_getusername] (line 219) calls the function [ntlm_extract_unicode] with the max parameter assigned to MAX_USERLEN. MAX_USERLEN has the value 21 (20 characters for username). The problem is that the username is in unicode, so line 150 should be something like the following (?):

149:    unsigned l = little_endian_word(len) / 2; /* Unicode! */
150:    if (l > max*2)
151:        return -1;

regards,
Georg Weber

Senior Engineer - Software Development
Infineon Technologies Austria GmbH
IFDA IT RD Microelectronic Design Centers
Siemensstr. 2, 9500 Villach, Austria
phone: +43 4242 305-6065
fax: +43 4242 3020-6065
mailto: [EMAIL PROTECTED]
http://www.infineon.com/ezmvi
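The bug report above is about the length checks around an NTLM "security buffer" (a 16-bit length, a 16-bit maximum length and a 32-bit offset that together point at a UTF-16LE string elsewhere in the message). The block below is an added example, not code from mod_ntlm_winbind or from the report: a self-contained extraction routine that keeps the destination limit in characters (after the divide by two), checks the source range in bytes, and tests offset plus length in a form that cannot wrap. The function and sample names (extract_unicode_field, demo_*, sample_*) are made up for the example, and the sample messages are constructed; only MAX_USERLEN = 21 is taken from the report.

```c
#include <stddef.h>
#include <string.h>

#define MAX_USERLEN 21          /* value quoted in the report: 20 characters plus NUL */

/* Little-endian readers; the message buffer may be unaligned, so read bytes. */
static unsigned le16(const unsigned char *p)
{
    return (unsigned)p[0] | ((unsigned)p[1] << 8);
}

static unsigned long le32(const unsigned char *p)
{
    return (unsigned long)le16(p) | ((unsigned long)le16(p + 2) << 16);
}

/*
 * Extract the UTF-16LE string described by the NTLM security buffer
 * (len:2, maxlen:2, offset:4) located at field_off inside msg, and store
 * it in dst as a NUL-terminated ASCII string.
 *
 * max is the size of dst in characters.  The destination limit is therefore
 * checked in characters (after the /2), while every check against the source
 * message is done in bytes, and off + len is tested in a form that cannot
 * wrap.  Returns the number of characters copied or -1 on any violation.
 * (Hypothetical function; it is not the module's ntlm_extract_unicode.)
 */
int extract_unicode_field(const unsigned char *msg, size_t msglen,
                          size_t field_off, char *dst, size_t max)
{
    unsigned long len, off, nchars, i;

    if (max == 0 || field_off > msglen || msglen - field_off < 8)
        return -1;                      /* the 8-byte security buffer must itself fit */

    len = le16(msg + field_off);        /* byte length of the string */
    off = le32(msg + field_off + 4);    /* byte offset of the string from msg start */

    if (len & 1)
        return -1;                      /* UTF-16 data is always an even number of bytes */
    nchars = len / 2;
    if (nchars >= max)
        return -1;                      /* destination check in characters, room kept for NUL */
    if (off > msglen || len > msglen - off)
        return -1;                      /* source check in bytes; no off + len sum that could overflow */

    for (i = 0; i < nchars; i++) {
        unsigned cu = le16(msg + off + 2 * i);
        if (cu < 0x20 || cu > 0x7e)
            return -1;                  /* only printable ASCII code units are accepted here */
        dst[i] = (char)cu;
    }
    dst[nchars] = '\0';
    return (int)nchars;
}

/* Constructed sample messages: a security buffer at offset 0 followed by
 * "user" in UTF-16LE at offset 8.  Only the header fields differ. */
static const unsigned char sample_ok[] = {
    0x08, 0x00, 0x08, 0x00, 0x08, 0x00, 0x00, 0x00,
    'u', 0, 's', 0, 'e', 0, 'r', 0 };
static const unsigned char sample_overrun[] = {   /* len claims 12 bytes, only 8 exist */
    0x0c, 0x00, 0x0c, 0x00, 0x08, 0x00, 0x00, 0x00,
    'u', 0, 's', 0, 'e', 0, 'r', 0 };
static const unsigned char sample_wrap[] = {      /* off = 0xfffffffc, off + len wraps in 32 bits */
    0x08, 0x00, 0x08, 0x00, 0xfc, 0xff, 0xff, 0xff,
    'u', 0, 's', 0, 'e', 0, 'r', 0 };

/* Entry points with a MAX_USERLEN-sized destination, usable from tests. */
int demo_extract(const unsigned char *msg, size_t msglen, char *out)
{
    return extract_unicode_field(msg, msglen, 0, out, MAX_USERLEN);
}

int demo_ok_returns_user(void)
{
    char name[MAX_USERLEN];
    return demo_extract(sample_ok, sizeof sample_ok, name) == 4 && strcmp(name, "user") == 0;
}

int demo_overrun(void) { char n[MAX_USERLEN]; return demo_extract(sample_overrun, sizeof sample_overrun, n); }
int demo_wrap(void)    { char n[MAX_USERLEN]; return demo_extract(sample_wrap, sizeof sample_wrap, n); }

/* Build a message carrying an n-character name (n <= 64) and extract it, to
 * show where the character limit bites: 20 fits in MAX_USERLEN, 21 does not. */
int demo_name_of_length(unsigned n)
{
    unsigned char msg[8 + 2 * 64];
    char name[MAX_USERLEN];
    unsigned i;

    if (n > 64)
        return -1;
    msg[0] = (unsigned char)(2 * n); msg[1] = 0;     /* len in bytes */
    msg[2] = msg[0]; msg[3] = 0;                     /* maxlen */
    msg[4] = 8; msg[5] = msg[6] = msg[7] = 0;        /* offset 8 */
    for (i = 0; i < n; i++) { msg[8 + 2 * i] = 'a'; msg[9 + 2 * i] = 0; }
    return demo_extract(msg, 8 + 2 * n, name);
}
```

The two bounds live in different units on purpose: the caller's buffer is sized in characters, the wire data in bytes, and a check that mixes the two is exactly the kind of thing the report is asking about.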
RE: Unnecessary NetBIOS domain lookups - fix to ads_init
On Tue, 14 Jan 2003, Ken Cross wrote:

> Here's the actual patch to fix the problem below (same patch for SAMBA_3_0 and HEAD):
>
> # cvs diff -r SAMBA_3_0 -pu ads_struct.c

Index: ads_struct.c === RCS file: /cvsroot/samba/source/libads/ads_struct.c,v retrieving revision 1.13.2.3 diff -p -u -r1.13.2.3 ads_struct.c --- ads_struct.c1 Oct 2002 18:26:00 - 1.13.2.3 +++ ads_struct.c14 Jan 2003 10:23:24 - @@ -94,10 +94,10 @@ ADS_STRUCT *ads_init(const char *realm, /* we need to know if this is a foreign realm to know if we can use lp_ads_server() */ - if (realm strcasecmp(lp_realm(), realm) != 0) { + if (realm *realm strcasecmp(lp_realm(), realm) != 0) { ads-server.foreign = 1; } - if (workgroup strcasecmp(lp_workgroup(), workgroup) != 0) { + if (workgroup *workgroup strcasecmp(lp_workgroup(), workgroup) != 0) { ads-server.foreign = 1; }

Looks good to me. I'll apply it to HEAD/SAMBA_3_0.

> If those tests set ads-server.foreign to 1, then it will use NetBIOS to try to find the domain. But there are places in the code where realm and/or workgroup are not null, but are empty strings. In this case, I don't think the test should succeed. I changed ads_init to the following:

For my own edification, do you remember what places the realm/workgroup was being set to?

cheers, jerry
--
Hewlett-Packard - http://www.hp.com
SAMBA Team -- http://www.samba.org
GnuPG Key http://www.plainjoe.org/gpg_public.asc
ISBN 0-672-32269-2 SAMS Teach Yourself Samba in 24 Hours 2ed
You can never go home again, Oatman, but I guess you can shop there. --John Cusack - Grosse Point Blank (1997)
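Review bot: in the ads_init hunk (@@ -94,10 +94,10 @@), the added *realm and *workgroup tests make an empty string behave like NULL, that is "use the local realm/workgroup", which is the intended fix; add a one-line comment at the test saying so, because a reader would otherwise expect an empty realm argument to be rejected rather than silently resolved against lp_realm(). Note also that the test only handles an empty argument: if lp_realm() itself is empty and a non-empty realm is passed, strcasecmp still differs and the server is marked foreign, which is unchanged from before the patch but worth stating in the commit message.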
Re: Random problem with file locking
On Sat, 11 Jan 2003, Hans-Joerg Wolff wrote:

> Hi, every now and then I find in the logfiles the following messages from samba (v2.2.7):
>
> [2003/01/05 15:02:35, 0] tdb/tdbutil.c:tdb_log(531)
>   tdb(/var/lock/samba/locks/locking.tdb): tdb_oob len -2320 beyond eof at 8192
> [2003/01/05 15:02:35, 0] tdb/tdbutil.c:tdb_log(531)
>   tdb(/var/lock/samba/locks/locking.tdb): tdb_free: left read failed at 4294964952 (4096)
>
> This seems not to be related to the current v2.2.7, this problem resides for quite a while in the code...

Looks like an LFS thing if I were to wager a guess. Have you tried 2.2.7a (since it fixed the LFS bugs in 2.2.7)?

cheers, jerry
Re: SetPrinter call failed
On 9 Jan 2003, Meik Hellmund wrote:

> I'm trying to add printer drivers to samba using cupsaddsmb (CUPS 1.1.18). This fails on samba3-alpha21 which comes with Debian/unstable. I installed the samba cvs version from today but with the same result. The problem is a rpcclient call:
>
> ~#rpcclient localhost -U root -c 'setdriver pp1 pp1' -d3
> lp_load: refreshing parameters
> Initialising global parameters
> Password:
> Connecting to host=localhost share=IPC$
> Connecting to 127.0.0.1 at port 445
> Doing spnego session setup (blob length=58)
> got OID=1 3 6 1 4 1 311 2 2 10
> got principal=NONE
> lsa_io_sec_qos: length c does not match size 8
> SetPrinter call failed!
> result was NT_STATUS_UNSUCCESSFUL
>
> This is independent of whether printers/drivers named pp1 really exist; you can use arbitrary strings instead of pp1, so you should be able to reproduce this without cups or printer drivers. I can provide more debug info and try anything needed to help. Any help is greatly appreciated.

I need to spend some time with CUPS. I'll try to do that some time when I get back in the office next week.

cheers, jerry
Re: DOS mode bits missing from Folders
On Tue, 14 Jan 2003, Esh, Andrew wrote:

> I have a question about the following piece of code in HEAD smbd/dosmode.c, at line 139:
>
>     if (S_ISDIR(sbuf->st_mode))
>         result = aDIR | (result & aRONLY);
>
> This causes the DOS mode HSA Hidden, System, and Archive bits to be stripped off if a folder is being processed. This makes it impossible to store these bits on a Samba server. Windows allows them to be stored for folders, except for the S System bit. Why are these bits being stripped off folders? Shouldn't it be:
>
>     if (S_ISDIR(sbuf->st_mode))
>         result |= aDIR;
>
> When I made that change, folders began to retain DOS bits like the ones stored on Windows do.

The e(X)ecute bits are special on folders. For example, if you remove the archive (user 'x' bit) from a directory, you will not be able to change to that directory. The DOS mode bit stuff really needs a better solution.

cheers, jerry
Re: PAM and winbind on AIX 5.2
On Tue, 14 Jan 2003, Bjorn Roden wrote:

> I have managed to get pam_winbind.so (2.2.7a) to work on IBM AIX 5.2 but the sys_getpwnam() subroutine still needs a user to be defined in the /etc/passwd file. Is it necessary to port winbind_nss to AIX as a loadable authentication module (sort of similar to nss)?

Yup.

cheers, jerry
RE: DOS mode bits missing from Folders
> The e(X)ecute bits are special on folders. For example, if you remove the archive (user 'x' bit) from a directory, you will not be able to change to that directory. The DOS mode bit stuff really needs a better solution.

Yes, thanks. The problem is: the code change I am suggesting is in the interpretation of the bits after they have been read, and are about to be represented in a reply to Windows. Below the routine in question, there may be idiosyncrasies. There also may be a different storage method than utilizing the Unix mode bits. In my particular case, I've used a meta-info system that works like extended attributes. All the bits get read back fine, but this function strips off all but the Directory and the Read-Only bit. This is simply the wrong place to be handling implementation issues. If there is a need to strip bits, it should be pushed closer to the file system, so it can be avoided by VFS modules which reference a file system that doesn't have bit storage problems.

Change it or don't, it's your code. My code is fixed.

---
Andrew C. Esh
mail: [EMAIL PROTECTED]
Adaptec, Inc.
2905 Northwest Blvd., Suite 20
Plymouth, MN 55441-2644 USA
763-557-9005 (main)
763-551-6418 (direct)
Re: Core dump of net -- fix to ldap.c
Got it.

cheers, jerry

On Sat, 18 Jan 2003, Ken Cross wrote:

> # cvs diff -pu ldap.c

Index: ldap.c === RCS file: /cvsroot/samba/source/libads/ldap.c,v retrieving revision 1.55.2.13 diff -p -u -r1.55.2.13 ldap.c --- ldap.c 3 Jan 2003 08:28:02 - 1.55.2.13 +++ ldap.c 18 Jan 2003 14:44:33 - @@ -1430,6 +1430,11 @@ ADS_STATUS ads_set_machine_sd(ADS_STRUCT if (!ADS_ERR_OK(ret)) return ret; msg = ads_first_entry(ads, res); +if (!msg) { /* KJC */ +ret = ADS_ERROR(LDAP_NO_RESULTS_RETURNED); + goto ads_set_sd_error; + } + ads_pull_sid(ads, msg, attrs[1], sid); if (!(ctx = talloc_init(sec_io_desc))) { ret = ADS_ERROR(LDAP_NO_MEMORY);

> Ken
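Review bot: in the ads_set_machine_sd hunk (@@ -1430,6 +1430,11 @@), the new goto ads_set_sd_error runs before ctx is assigned (ctx = talloc_init(...) is two lines below), so the cleanup at that label must not talloc_destroy or otherwise use ctx on this path unless ctx is initialised to NULL at its declaration; please confirm, and check that res from the preceding search is still released on the error path. Minor: the /* KJC */ tag should be dropped before commit and the inserted lines are indented inconsistently with the surrounding code.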
Re: changes to passdb backend defaults in 3.0 alpha21
On Fri, 20 Dec 2002, Steve Langasek wrote:

> The following code appears in source/params/loadparm.c from 3.0alpha21:
>
>     #ifdef WITH_LDAP_SAMCONFIG
>         string_set(&Globals.szLdapServer, "localhost");
>         Globals.ldap_port = 636;
>         Globals.szPassdbBackend = str_list_make("ldapsam unixsam", NULL);
>     #else
>         Globals.szPassdbBackend = str_list_make("smbpasswd unixsam", NULL);
>     #endif /* WITH_LDAP_SAMCONFIG */
>
> Would it be possible to revert this change with respect to the 'passdb backend' default? This is a very awkward default for packagers who wish to enable LDAP support in their binaries, but still need to serve the needs of users who are not (yet) using LDAP.

I just checked and this is still in SAMBA_3_0. You really don't need to get LDAP support. It's for the 2.2 compatible parameters. The intent is to work like Samba 2.2 in the sense that when you enable LDAP support, that's what you get. Or am I missing the gist of your question?

cheers, jerry
Re: --with-cracklib (phase 2)
On Fri, 17 Jan 2003, Pierre Belanger wrote:

> Too bad ;-) How about trying to send a POPUP Window on the Windows machine? I guess it's possible if the user is already logged in, but if the user is not logged in yet, i.e. I'm talking about the situation when you first boot up your computer and you're forced to change your password *NOW* before you can actually login on the network.

I think the username has already been registered at this point (USERNAME<0x03>) and the messenger service is already running.

cheers, jerry
Re: changes to passdb backend defaults in 3.0 alpha21
On Mon, Jan 20, 2003 at 12:04:24PM -0600, Gerald (Jerry) Carter wrote:

> > The following code appears in source/params/loadparm.c from 3.0alpha21:
> >
> >     #ifdef WITH_LDAP_SAMCONFIG
> >         string_set(&Globals.szLdapServer, "localhost");
> >         Globals.ldap_port = 636;
> >         Globals.szPassdbBackend = str_list_make("ldapsam unixsam", NULL);
> >     #else
> >         Globals.szPassdbBackend = str_list_make("smbpasswd unixsam", NULL);
> >     #endif /* WITH_LDAP_SAMCONFIG */
> >
> > Would it be possible to revert this change with respect to the 'passdb backend' default? This is a very awkward default for packagers who wish to enable LDAP support in their binaries, but still need to serve the needs of users who are not (yet) using LDAP.
>
> I just checked and this is still in SAMBA_3_0. You really don't need to get LDAP support. It's for the 2.2 compatible parameters. The intent is to work like Samba 2.2 in the sense that when you enable LDAP support, that's what you get. Or am I missing the gist of your question?

Yes, sorry, this was clarified for me on IRC after I posted. I misunderstood the --with-ldapsam option to mean "enable the LDAP backend", not "enable 2.2 ldap compat".

The consensus on IRC, as I understood it, was that it would be beneficial to have another option to configure that would enforce the LDAP dependency -- so that a failure to locate LDAP libs would cause the build to error out instead of giving misbuilt binaries. Do you agree?

--
Steve Langasek
postmodern programmer
heimdal stuff
Hi Jeremy,

since your last updates I have the following problem:

[08:15:20] metze Compiling smbd/server.c
[08:15:20] metze In file included from include/includes.h:830,
[08:15:20] metze from smbd/server.c:23:
[08:15:20] metze include/proto.h:1539: parse error before `*'
[08:15:20] metze include/proto.h:1539: warning: function declaration isn't a prototype
[08:15:20] metze include/proto.h:1540: parse error before `*'
[08:15:20] metze include/proto.h:1540: warning: function declaration isn't a prototype
[08:15:20] metze make: *** [smbd/server.o] Error 1

these are the lines from proto.h:

[08:15:49] metze void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr);
[08:15:49] metze void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr);

[08:16:22] metze I have configure --without-ads and krb5_address is no valid datatype :-( but make proto catches the function prototype

metze
-
Stefan (metze) Metzmacher [EMAIL PROTECTED]