Re: Trusted domains' users and Samba

2003-02-05 Thread Rafal Szczesniak
On Wed, Feb 05, 2003 at 08:03:02PM +0100, "Szilvásy Zoltán"  wrote:
> Hi!
> 
> I have an environment containing two NT4 domains, eg. DOM1 and DOM2.
> DOM1 and DOM2 are trusted. There's a machine running Debian Woody, on
> which I installed Samba, and made it to be a member of an NT4 domain
> (DOM1) using Samba-howtos. I configured Samba to use Winbind for looking
> up user names.
> I have to set up this Debian as all users from DOM1 and DOM2 are enabled
> to use it. But my problem, that Winbind only sees the users from domain
> the Samba is in (DOM1). How can I tell to Samba (or Winbind) to collect
> all users from all trusted domains?

This should be enabled by default. Could you give more details about your
configuration ? Such as result of running 'testparm', some logfiles, etc.


-- 
cheers,
++
|Rafal 'Mimir' Szczesniak <[EMAIL PROTECTED]>   |
|*BSD, GNU/Linux and Samba  /
|__/



wtf: "Make her Smile bho c qpalx"

2003-02-05 Thread "Kätzler, Ralf"
Someone is kidnapping my mailaddress - and someone has an open smtp-server ...
Sorry, but there are always some kiddies out there with enough time for funny things.




Re: Gencache fails to open gencache.tdb

2003-02-05 Thread Rafal Szczesniak
On Thu, Feb 06, 2003 at 05:46:46PM +1100, Andrew Bartlett wrote:
> On Thu, 2003-02-06 at 10:10, Tim Potter wrote:
> > On Thu, Feb 06, 2003 at 12:06:04AM +0100, Rafal Szczesniak wrote:
> > 
> > > > Attached patch can be seen as proposal to discuss behavior of gencache in
> > > > case when it is used in applications running under non-privileged
> > > > accounts so that O_RDWR|O_CREAT always fails against system-wide
> > > > lock_path("gencache.tdb") (which is usually created by smbd/nmbd).
> > > > 
> > > > The patch adds error resistance and tries to re-open gencache.tdb in
> > > > O_RDONLY mode if O_RDWR|O_CREAT failed. This allows the application to use
> > > > existing entries but forbids cache updates.
> > > 
> > > I understand your idea, but it's useful only when another root-privileged
> > > process is able to update the cache contents (like parent process ?).
> > > Otherwise, only per-user cache makes sense when it comes to being useful.
> > 
> > It is actually slightly useful.  If you are a user process running on a
> > Samba server, then you can share the up to date cache data that is
> > generated by smbd and nmbd.  You're right though in the fact that you
> > can't update it or expire old entries.
> > 
> > I still think it's useful though.
> 
> One of the problems is that gencache can be used to store all sorts of
> information.  For example I want to move netlogon_unigroup.tdb into it,
> and possibly more sensitive information in future.

Exactly. And implementing a sort of access control is far too much
for such simple mechanism.

> My worry is that we could leak information this way.  I'm also told that
> there could be issues with the ability to 'block' smbd with byte-range
> read-locking on that database.

You mean the process that does read from gencache.tdb file could block
it and thus prevent from writing to this particular byte-range ?



-- 
cheers,
++
|Rafal 'Mimir' Szczesniak <[EMAIL PROTECTED]>   |
|*BSD, GNU/Linux and Samba  /
|__/



Error during interdomain trust setup in 3.0 and HEAD

2003-02-05 Thread Anton Voronin
It seems that when I try to set up a one-way non-transitive trust between a W2K domain and a Samba DOMAIN, Samba sends some incorrect response, and the W2K PDS domain manager displays a message that an incorrect parameter was specified.
There is nothing unusual in the log file, except that W2K is first trying to logon to Samba PDC as its W2K domain administrator, which is not authenticated by Samba and then is mapped to nobody account. But I think, that's OK because TNG behaves the same way.

If I run Samba TNG instead of 3.0 or HEAD, then setup domain trust from W2K domain to it, then replace TNG with 3.0 or HEAD again, I can easily verify trust on W2K PDC, and all works fine. But I can't setup it!

I believe this should be known issue for developers, because I heard the same from other people too. Is it possible to have some workaround except switching to TNG to setup the trust? Is it going to be fixed in near future?

Best regards,
Anton

--
Anton Voronin
Intersvyaz JSC
http://www.chelcom.ru
+7 (3512) 655199





Re: Gencache fails to open gencache.tdb

2003-02-05 Thread Andrew Bartlett
On Thu, 2003-02-06 at 10:10, Tim Potter wrote:
> On Thu, Feb 06, 2003 at 12:06:04AM +0100, Rafal Szczesniak wrote:
> 
> > > Attached patch can be seen as proposal to discuss behavior of gencache in
> > > > case when it is used in applications running under non-privileged
> > > > accounts so that O_RDWR|O_CREAT always fails against system-wide
> > > > lock_path("gencache.tdb") (which is usually created by smbd/nmbd).
> > > > 
> > > > The patch adds error resistance and tries to re-open gencache.tdb in
> > > O_RDONLY mode if O_RDWR|O_CREAT failed. This allows the application to use
> > > existing entries but forbids cache updates.
> > 
> > I understand your idea, but it's useful only when another root-privileged
> > process is able to update the cache contents (like parent process ?).
> > Otherwise, only per-user cache makes sense when it comes to being useful.
> 
> It is actually slightly useful.  If you are a user process running on a
> Samba server, then you can share the up to date cache data that is
> generated by smbd and nmbd.  You're right though in the fact that you
> can't update it or expire old entries.
> 
> I still think it's useful though.

One of the problems is that gencache can be used to store all sorts of
information.  For example I want to move netlogon_unigroup.tdb into it,
and possibly more sensitive information in future.

My worry is that we could leak information this way.  I'm also told that
there could be issues with the ability to 'block' smbd with byte-range
read-locking on that database.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net





slides available

2003-02-05 Thread tridge
I gave a couple of Samba related talks at LCA in January, and thought
some people here might be interested in seeing the slides.

They are at 
   http://samba.org/ftp/samba/slides/net_analysis.pdf
   http://samba.org/ftp/samba/slides/vfs.pdf

Cheers, Tridge



Re: Gencache fails to open gencache.tdb

2003-02-05 Thread Tim Potter
On Thu, Feb 06, 2003 at 12:06:04AM +0100, Rafal Szczesniak wrote:

> > Attached patch can be seen as proposal to discuss behavior of gencache in
> > case when it is used in applications running under non-privileged
> > accounts so that O_RDWR|O_CREAT always fails against system-wide
> > lock_path("gencache.tdb") (which is usually created by smbd/nmbd).
> > 
> > The patch adds error resistance and tries to re-open gencache.tdb in
> > O_RDONLY mode if O_RDWR|O_CREAT failed. This allows the application to use
> > existing entries but forbids cache updates.
> 
> I understand your idea, but it's useful only when another root-privileged
> process is able to update the cache contents (like parent process ?).
> Otherwise, only per-user cache makes sense when it comes to being useful.

It is actually slightly useful.  If you are a user process running on a
Samba server, then you can share the up to date cache data that is
generated by smbd and nmbd.  You're right though in the fact that you
can't update it or expire old entries.

I still think it's useful though.


Tim.



Re: Gencache fails to open gencache.tdb

2003-02-05 Thread Rafal Szczesniak
On Wed, Feb 05, 2003 at 08:01:51PM +0200, Alexander Bokovoy wrote:
> Hi all!
> 
> Attached patch can be seen as proposal to discuss behavior of gencache in
> case when it is used in applications running under non-privileged
> accounts so that O_RDWR|O_CREAT always fails against system-wide
> lock_path("gencache.tdb") (which is usually created by smbd/nmbd).
> 
> The patch adds error resistance and tries to re-open gencache.tdb in
> O_RDONLY mode if O_RDWR|O_CREAT failed. This allows the application to use
> existing entries but forbids cache updates.

I understand your idea, but it's useful only when another root-privileged
process is able to update the cache contents (like parent process ?).
Otherwise, only per-user cache makes sense when it comes to being useful.

> Simo proposed to have per-account gencache.tdb in such case
> (~/.smb/gencache.tdb?) but I'm not sure it is good to put such behavior
> into the level where gencache exists (lib/). Any other thoughts?

Look above. The other question is what do we expect non-privileged account
to be able to do with samba daemons ?


-- 
cheers,
++
|Rafal 'Mimir' Szczesniak <[EMAIL PROTECTED]>   |
|*BSD, GNU/Linux and Samba  /
|__/
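
Added example (not part of any message in this thread and not Samba code): one way the per-account cache Simo proposed (`~/.smb/gencache.tdb`) could be selected safely when the system-wide file cannot be opened read-write. It uses plain `open()` in place of `tdb_open_log()`; the function names and the `/tmp` demo home directory are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical names; open() stands in for tdb_open_log(). */
typedef enum { CACHE_NONE, CACHE_SHARED, CACHE_PRIVATE } cache_kind_t;

/* Only a permissions failure justifies switching to the private cache. */
static int is_permission_error(int err)
{
	return err == EACCES || err == EPERM || err == EROFS;
}

/*
 * Open (creating if needed) <home>/.smb/gencache.tdb for the calling user.
 * The directory must be owned by us and closed to group/other; the file is
 * created 0600 and must be a regular file we own.
 */
static int open_private_cache(const char *home)
{
	char dir[512], file[600];
	struct stat st;
	int fd;

	if (snprintf(dir, sizeof(dir), "%s/.smb", home) >= (int)sizeof(dir))
		return -1;
	snprintf(file, sizeof(file), "%s/gencache.tdb", dir);

	if (mkdir(dir, 0700) != 0 && errno != EEXIST)
		return -1;
	/* lstat: a symlink planted in place of the directory is rejected. */
	if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode) ||
	    st.st_uid != geteuid() || (st.st_mode & 077) != 0)
		return -1;

	fd = open(file, O_RDWR | O_CREAT | O_NOFOLLOW, 0600);
	if (fd < 0)
		return -1;
	/* Check the object we actually opened, not the path. */
	if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
	    st.st_uid != geteuid() || (st.st_mode & 077) != 0) {
		close(fd);
		return -1;
	}
	return fd;
}

/*
 * Try the system-wide cache read-write first. Fall back to the private
 * cache only when the failure was a permissions error; any other error
 * (missing directory, I/O error) is reported to the caller.
 */
static int open_cache(const char *system_path, const char *home,
		      cache_kind_t *kind)
{
	int fd = open(system_path, O_RDWR | O_CREAT, 0644);

	*kind = CACHE_NONE;
	if (fd >= 0) {
		*kind = CACHE_SHARED;
		return fd;
	}
	if (!is_permission_error(errno))
		return -1;
	fd = open_private_cache(home);
	if (fd >= 0)
		*kind = CACHE_PRIVATE;
	return fd;
}

int main(void)
{
	char home[] = "/tmp/gencache-demo-XXXXXX"; /* constructed sample home */
	cache_kind_t kind;
	int fd;

	if (mkdtemp(home) == NULL)
		return 1;
	/* ENOENT is not a permissions error, so no fallback happens here. */
	fd = open_cache("/nonexistent-dir-gencache/gencache.tdb", home, &kind);
	printf("missing dir: fd=%d kind=%d\n", fd, (int)kind);
	fd = open_private_cache(home);
	printf("private cache: %s\n", fd >= 0 ? "opened" : "refused");
	if (fd >= 0)
		close(fd);
	return 0;
}
```

Because the private file is readable only by its owner, it avoids the information-leak concern raised in this thread about sharing the system-wide cache with unprivileged processes.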



Re: called name not present SOLVED

2003-02-05 Thread David Bear
sorry to trouble the group on this one.  The problem was twofold

1) in my smb.conf on machine at 120.183 I had the entry "dns proxy =
yes"

AND

2) a very old and outdated DNS entry that needs to be removed.

whoa..

On Wed, Feb 05, 2003 at 12:35:26PM -0600, Christopher R. Hertel wrote:
> On Wed, Feb 05, 2003 at 10:57:10AM -0800, Richard Sharpe wrote:
> > On Wed, 5 Feb 2003, David Bear wrote:
> > 
> > > I've encountered a strange error.  I have samba 2.2.7 installed on
> > > freebsd 4.7.  I've run testparm on the smb.conf and don't see any
> > > errors.  I can connect to a service from a windows 2k machine using
> > > standard net use commands.  
> > > 
> > > HOWEVER, when I try to use smbclient from another machine to view my
> > > bsd samba, I get the following error:
> > > 
> > > 
> > > bash-2.05a$ smbclient -L //npcenter
> > > added interface ip=129.219.120.183 bcast=129.219.120.191
> > > nmask=255.255.255.192
> > > session request to NPCENTER failed (Called name not present)
> > > Password:
> > > Anonymous login successful
> > > Domain=[CUI] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
> > > tree connect failed: NT_STATUS_DUPLICATE_NAME
> > > ==
> > 
> > Hmmm, I am not aware of any version of Samba claiming to be Windows 5.0 or 
> > Windows 2000 LAN Manager.
> > 
> > Are you sure that you are connecting to a Samba server, and not, say, a 
> > Win2K server by some accident?
> 
> Richard is being polite.  :)
> 
> That definitely shows that you've connected to a W2K machine.  The best 
> guess is that the name NPCENTER is in use by both machines, and that the 
> W2K system is answering first when the query goes out (either that, or you 
> are using WINS and the W2K system has registered that name in the NBNS 
> database).
> 
> The NT_STATUS_DUPLICATE_NAME error code seems to confirm this, but I'm not 
> sure.
> 
> A tcpdump trace showing ports 137 and 139 would help.
> 
> Chris -)-
> 
> -- 
> Samba Team -- http://www.samba.org/ -)-   Christopher R. Hertel
> jCIFS Team -- http://jcifs.samba.org/   -)-   ubiqx development, uninq.
> ubiqx Team -- http://www.ubiqx.org/ -)-   [EMAIL PROTECTED]
> OnLineBook -- http://ubiqx.org/cifs/-)-   [EMAIL PROTECTED]

-- 
David Bear
College of Public Programs/ASU
Mail Code 0803



RE: Trusted domains' users and Samba

2003-02-05 Thread Marc Kaplan
It should be connecting to the trusted domain by default. 

1. What does wbinfo --sequence show you?

2. What version of samba are you running?

-Original Message-
From: "Szilvásy Zoltán" [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 05, 2003 11:03 AM
To: [EMAIL PROTECTED]
Subject: Trusted domains' users and Samba


Hi!

I have an environment containing two NT4 domains, eg. DOM1 and DOM2.
DOM1 and DOM2 are trusted. There's a machine running Debian Woody, on
which I installed Samba, and made it to be a member of an NT4 domain
(DOM1) using Samba-howtos. I configured Samba to use Winbind for looking
up user names.
I have to set up this Debian as all users from DOM1 and DOM2 are enabled
to use it. But my problem, that Winbind only sees the users from domain
the Samba is in (DOM1). How can I tell to Samba (or Winbind) to collect
all users from all trusted domains?

Thx:

Zoltan SZILVASY






Re: called name not present

2003-02-05 Thread David Bear
On Wed, Feb 05, 2003 at 12:52:40PM -0600, Christopher R. Hertel wrote:
> On Wed, Feb 05, 2003 at 11:35:22AM -0700, David Bear wrote:
> > > Are you sure that you are connecting to a Samba server, and not, say, a 
> > > Win2K server by some accident?
> > 
> > Yes, I thought that was strange as well, yet, here's what nmblookup
> > finds.
> > 
> > bash-2.05a$ winsq npcenter
> > querying npcenter on 129.219.13.105
> > 129.219.120.138 npcenter<00>
> > Looking up status of 129.219.120.138
> > NPCENTER<00> - M 
> > NPCENTER<03> - M 
> > NPCENTER<20> - M 
> > ..__MSBROWSE__. <01> -  M 
> > NPCGROUP<00> -  M 
> > NPCGROUP<1b> - M 
> > NPCGROUP<1d> - M 
> > NPCGROUP<1e> -  M 
> > 
> > is there a way to use smbclient with an ip address to bypass any name
> > resolution differences that may be happening between windows and unix?
> 
> Which host is at 129.219.120.138, a W2K system or the Samba server?
> Again, a trace would help.
> 
> The -I option can be used to specify a unicast destination.
> 

129.219.120.138 is the bsdbox -- it's the samba server.

here's something to add to the plot.

1) my samba server at 129.219.120.183 seems to have a problem
correctly resolving the netbios name npcenter.  It can connect using
the ip address of 129.219.120.138. 

2) another samba server in the same subnet correctly resolves the
netbios name npcenter -- finds the right machine and connects.

3) another samba server in a different subnet/different
building/different broadcast region successfully connects to the
npcenter netbios name

4) so it would seem there is a configuration error on my samba machine
at 120.183 -- however, the returned line from smbclient -L 
...
nonymous login successful
Domain=[CUI] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
tree connect failed: NT_STATUS_DUPLICATE_NAME
...

would indicate a connection was made to a machine in a TOTALLY
different subnet and domain.  the CUI domain is in a very different
building/different subnet.  things are getting curiouser and
curiouser..
> Chris -)-
> 
> -- 
> Samba Team -- http://www.samba.org/ -)-   Christopher R. Hertel
> jCIFS Team -- http://jcifs.samba.org/   -)-   ubiqx development, uninq.
> ubiqx Team -- http://www.ubiqx.org/ -)-   [EMAIL PROTECTED]
> OnLineBook -- http://ubiqx.org/cifs/-)-   [EMAIL PROTECTED]

-- 
David Bear
College of Public Programs/ASU
Mail Code 0803



Trusted domains' users and Samba

2003-02-05 Thread "Szilvásy Zoltán"
Hi!

I have an environment containing two NT4 domains, eg. DOM1 and DOM2.
DOM1 and DOM2 are trusted. There's a machine running Debian Woody, on
which I installed Samba, and made it to be a member of an NT4 domain
(DOM1) using Samba-howtos. I configured Samba to use Winbind for looking
up user names.
I have to set up this Debian as all users from DOM1 and DOM2 are enabled
to use it. But my problem, that Winbind only sees the users from domain
the Samba is in (DOM1). How can I tell to Samba (or Winbind) to collect
all users from all trusted domains?

Thx:

Zoltan SZILVASY







Re: called name not present

2003-02-05 Thread Christopher R. Hertel
On Wed, Feb 05, 2003 at 11:35:22AM -0700, David Bear wrote:
> > Are you sure that you are connecting to a Samba server, and not, say, a 
> > Win2K server by some accident?
> 
> Yes, I thought that was strange as well, yet, here's what nmblookup
> finds.
> 
> bash-2.05a$ winsq npcenter
> querying npcenter on 129.219.13.105
> 129.219.120.138 npcenter<00>
> Looking up status of 129.219.120.138
> NPCENTER<00> - M 
> NPCENTER<03> - M 
> NPCENTER<20> - M 
> ..__MSBROWSE__. <01> -  M 
> NPCGROUP<00> -  M 
> NPCGROUP<1b> - M 
> NPCGROUP<1d> - M 
> NPCGROUP<1e> -  M 
> 
> is there a way to use smbclient with an ip address to bypass any name
> resolution differences that may be happening between windows and unix?

Which host is at 129.219.120.138, a W2K system or the Samba server?
Again, a trace would help.

The -I option can be used to specify a unicast destination.

Chris -)-

-- 
Samba Team -- http://www.samba.org/ -)-   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)-   [EMAIL PROTECTED]
OnLineBook -- http://ubiqx.org/cifs/-)-   [EMAIL PROTECTED]



Re: called name not present

2003-02-05 Thread David Bear
On Wed, Feb 05, 2003 at 10:57:10AM -0800, Richard Sharpe wrote:
> On Wed, 5 Feb 2003, David Bear wrote:
> 
> > I've encountered a strange error.  I have samba 2.2.7 installed on
> > freebsd 4.7.  I've run testparm on the smb.conf and don't see any
> > errors.  I can connect to a service from a windows 2k machine using
> > standard net use commands.  
> > 
> > HOWEVER, when I try to use smbclient from another machine to view my
> > bsd samba, I get the following error:
> > 
> > 
> > bash-2.05a$ smbclient -L //npcenter
> > added interface ip=129.219.120.183 bcast=129.219.120.191
> > nmask=255.255.255.192
> > session request to NPCENTER failed (Called name not present)
> > Password:
> > Anonymous login successful
> > Domain=[CUI] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
> > tree connect failed: NT_STATUS_DUPLICATE_NAME
> > ==
> 
> Hmmm, I am not aware of any version of Samba claiming to be Windows 5.0 or 
> Windows 2000 LAN Manager.
> 
> Are you sure that you are connecting to a Samba server, and not, say, a 
> Win2K server by some accident?

Yes, I thought that was strange as well, yet, here's what nmblookup
finds.

bash-2.05a$ winsq npcenter
querying npcenter on 129.219.13.105
129.219.120.138 npcenter<00>
Looking up status of 129.219.120.138
NPCENTER<00> - M 
NPCENTER<03> - M 
NPCENTER<20> - M 
..__MSBROWSE__. <01> -  M 
NPCGROUP<00> -  M 
NPCGROUP<1b> - M 
NPCGROUP<1d> - M 
NPCGROUP<1e> -  M 

is there a way to use smbclient with an ip address to bypass any name
resolution differences that may be happening between windows and unix?

-- 
David Bear
College of Public Programs/ASU
Mail Code 0803



Re: called name not present

2003-02-05 Thread Christopher R. Hertel
On Wed, Feb 05, 2003 at 10:57:10AM -0800, Richard Sharpe wrote:
> On Wed, 5 Feb 2003, David Bear wrote:
> 
> > I've encountered a strange error.  I have samba 2.2.7 installed on
> > freebsd 4.7.  I've run testparm on the smb.conf and don't see any
> > errors.  I can connect to a service from a windows 2k machine using
> > standard net use commands.  
> > 
> > HOWEVER, when I try to use smbclient from another machine to view my
> > bsd samba, I get the following error:
> > 
> > 
> > bash-2.05a$ smbclient -L //npcenter
> > added interface ip=129.219.120.183 bcast=129.219.120.191
> > nmask=255.255.255.192
> > session request to NPCENTER failed (Called name not present)
> > Password:
> > Anonymous login successful
> > Domain=[CUI] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
> > tree connect failed: NT_STATUS_DUPLICATE_NAME
> > ==
> 
> Hmmm, I am not aware of any version of Samba claiming to be Windows 5.0 or 
> Windows 2000 LAN Manager.
> 
> Are you sure that you are connecting to a Samba server, and not, say, a 
> Win2K server by some accident?

Richard is being polite.  :)

That definitely shows that you've connected to a W2K machine.  The best 
guess is that the name NPCENTER is in use by both machines, and that the 
W2K system is answering first when the query goes out (either that, or you 
are using WINS and the W2K system has registered that name in the NBNS 
database).

The NT_STATUS_DUPLICATE_NAME error code seems to confirm this, but I'm not 
sure.

A tcpdump trace showing ports 137 and 139 would help.

Chris -)-

-- 
Samba Team -- http://www.samba.org/ -)-   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)-   [EMAIL PROTECTED]
OnLineBook -- http://ubiqx.org/cifs/-)-   [EMAIL PROTECTED]



Re: called name not present

2003-02-05 Thread Richard Sharpe
On Wed, 5 Feb 2003, David Bear wrote:

> I've encountered a strange error.  I have samba 2.2.7 installed on
> freebsd 4.7.  I've run testparm on the smb.conf and don't see any
> errors.  I can connect to a service from a windows 2k machine using
> standard net use commands.  
> 
> HOWEVER, when I try to use smbclient from another machine to view my
> bsd samba, I get the following error:
> 
> 
> bash-2.05a$ smbclient -L //npcenter
> added interface ip=129.219.120.183 bcast=129.219.120.191
> nmask=255.255.255.192
> session request to NPCENTER failed (Called name not present)
> Password:
> Anonymous login successful
> Domain=[CUI] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
> tree connect failed: NT_STATUS_DUPLICATE_NAME
> ==

Hmmm, I am not aware of any version of Samba claiming to be Windows 5.0 or 
Windows 2000 LAN Manager.

Are you sure that you are connecting to a Samba server, and not, say, a 
Win2K server by some accident?

Regards
-
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com




smb.conf doc diffs

2003-02-05 Thread David Bear
has anyone compiled a list of new config parms between samba 2.0.x and
2.2?  AND has anyone made a list of parameters with different
semantics between the versions?

-- 
David Bear
College of Public Programs/ASU
Mail Code 0803



called name not present

2003-02-05 Thread David Bear
I've encountered a strange error.  I have samba 2.2.7 installed on
freebsd 4.7.  I've run testparm on the smb.conf and don't see any
errors.  I can connect to a service from a windows 2k machine using
standard net use commands.  

HOWEVER, when I try to use smbclient from another machine to view my
bsd samba, I get the following error:


bash-2.05a$ smbclient -L //npcenter
added interface ip=129.219.120.183 bcast=129.219.120.191
nmask=255.255.255.192
session request to NPCENTER failed (Called name not present)
Password:
Anonymous login successful
Domain=[CUI] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
tree connect failed: NT_STATUS_DUPLICATE_NAME
==

The other strange symptom is when I connect using the windows machine
a proper log is created in the samba logging directory.  However, no
log is created for the samba box (running red hat) that attempts to
use smbclient -L.

this is strange.  any thoughts?
-- 
David Bear
College of Public Programs/ASU
Mail Code 0803



Gencache fails to open gencache.tdb

2003-02-05 Thread Alexander Bokovoy
Hi all!

Attached patch can be seen as proposal to discuss behavior of gencache in
case when it is used in applications running under non-privileged
accounts so that O_RDWR|O_CREAT always fails against system-wide
lock_path("gencache.tdb") (which is usually created by smbd/nmbd).

The patch adds error resistance and tries to re-open gencache.tdb in
O_RDONLY mode if O_RDWR|O_CREAT failed. This allows the application to use
existing entries but forbids cache updates.

Simo proposed to have per-account gencache.tdb in such case
(~/.smb/gencache.tdb?) but I'm not sure it is good to put such behavior
into the level where gencache exists (lib/). Any other thoughts?

-- 
/ Alexander Bokovoy
---
It's not reality or how you perceive things that's important -- it's
what you're taking for it...

--- samba-3.0.tag/source/lib/gencache.c.orig_alt2003-01-27 22:02:24 +0200
+++ samba-3.0.tag/source/lib/gencache.c 2003-02-05 18:24:06 +0200
@@ -28,9 +28,13 @@
 
 #define TIMEOUT_LEN 12
 #define CACHE_DATA_FMT "%12u/%s"
+typedef enum {
+GENCACHE_RDRW,
+GENCACHE_RDONLY
+} gencache_access_t;
 
 static TDB_CONTEXT *cache;
-
+static gencache_access_t cache_type;
 /**
  * @file gencache.c
  * @brief Generic, persistent and shared between processes cache mechanism
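Review bot: The new `gencache_access_t` typedef and the `cache_type` static carry no comment, and the blank line that separated `static TDB_CONTEXT *cache;` from the `/** @file` block is removed, so the file-level doc comment now sits directly under the `cache_type` declaration. Restore the blank line and add a one-line comment saying the flag records how the tdb was opened. Naming the first value GENCACHE_RDWR would also match the O_RDWR flag it mirrors.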
@@ -64,6 +68,15 @@
 
cache = tdb_open_log(cache_fname, 0, TDB_DEFAULT,
 O_RDWR|O_CREAT, 0644);
+cache_type = GENCACHE_RDRW;
+
+if (!cache) {
+   DEBUG(5, ("Opening cache file at %s in read-write mode failed, try to 
+open it read-only\n",
+  cache_fname));
+   cache = tdb_open_log(cache_fname, 0, TDB_DEFAULT,
+O_RDONLY, 0644);
+cache_type = GENCACHE_RDONLY;
+}
 
SAFE_FREE(cache_fname);
if (!cache) {
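Review bot: The read-only retry after the first `tdb_open_log()` call runs on any failure, not only on a permissions error, so a file that cannot be opened for some other reason is also silently retried with O_RDONLY. Check errno for EACCES before falling back, and log the fallback at a level an administrator will see, since the process then runs with a cache it cannot update. `cache_type = GENCACHE_RDONLY` is also assigned when the second open fails; set it only once `cache` is non-NULL. As posted, the DEBUG string is split across two lines inside the literal and the added lines mix indentation, which needs fixing before this applies and compiles cleanly.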
@@ -111,7 +124,7 @@
/* fail completely if get null pointers passed */
SMB_ASSERT(keystr && value);
 
-   if (!gencache_init()) return False;
+   if (!gencache_init() || (cache_type == GENCACHE_RDONLY)) return False;

asprintf(&valstr, CACHE_DATA_FMT, (int)timeout, value);
keybuf.dptr = strdup(keystr);
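Review bot: The added `cache_type == GENCACHE_RDONLY` test ahead of the `asprintf()` call makes the store fail with a bare `return False` and no log line, so a caller cannot tell a read-only cache from a failed init. Emit a DEBUG message on the read-only branch and state in the function's header comment that it returns False when the cache was opened read-only.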
@@ -152,7 +165,7 @@
/* fail completely if get null pointers passed */
SMB_ASSERT(keystr && valstr);
 
-   if (!gencache_init()) return False;
+   if (!gencache_init() || (cache_type == GENCACHE_RDONLY)) return False;

/* 
 * Check whether entry exists in the cache
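Review bot: The compound condition on the changed line duplicates the one in the previous hunk and is repeated again in the next, so any write path added later that forgets the second half would try to modify a tdb opened O_RDONLY. Fold the test into a single helper (a hypothetical `gencache_init_rw()`, for instance) and call it from every function that modifies the cache.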
@@ -203,7 +216,7 @@
/* fail completely if get null pointers passed */
SMB_ASSERT(keystr);
 
-   if (!gencache_init()) return False; 
+   if (!gencache_init() || (cache_type == GENCACHE_RDONLY)) return False;  

keybuf.dptr = strdup(keystr);
keybuf.dsize = strlen(keystr);
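Review bot: The changed `if` line keeps trailing whitespace after `return False;`, as did the line it replaces; strip it while the line is being touched. The same helper suggested for the earlier hunks would apply here as well, so that all three guards stay in step.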



Re: Samba and spinlocks on Linux (was Re: REPOST: Meaning of"tdb_free: left read failed at ...?"

2003-02-05 Thread jra
On Wed, Feb 05, 2003 at 11:50:50AM +0100, Volker Lendecke wrote:
> 
> P.S: I might be wrong, but I'm not sure whether the spinlock code ever actually
> worked. Jeremy?

Yes they did work and were tested at one stage, but bit-rot may
have occurred since then.

Jeremy.



RE: Using shared libraries?

2003-02-05 Thread Richard Sharpe
On Wed, 5 Feb 2003, Ken Cross wrote:

> Sure, but my original question (which was answered) was whether Samba
> used it.  Apparently not.

Herb Huston committed some patches last week to at least head I think to 
link Samba with libsmbclient, because someone else asked about this.

Herb observed quite a saving in image size.

Regards
-
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com




RE: Using shared libraries?

2003-02-05 Thread Ken Cross
Sure, but my original question (which was answered) was whether Samba
used it.  Apparently not.

Ken


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Richard Sharpe
Sent: Wednesday, February 05, 2003 12:50 PM
To: Ken Cross
Cc: 'Ken Cross'; 'Jelmer Vernooij'; 'Multiple recipients of list
SAMBA-TECHNICAL'
Subject: RE: Using shared libraries?


On Wed, 5 Feb 2003, Ken Cross wrote:

> Pretty standard:  -l smbclient
> 
> You may need -L  if not standard

OK, so I am confused right now. Weren't you the one that asked about
this 
in the first place?

Regards
-
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com




RE: Using shared libraries?

2003-02-05 Thread Richard Sharpe
On Wed, 5 Feb 2003, Ken Cross wrote:

> Pretty standard:  -l smbclient
> 
> You may need -L  if not standard

OK, so I am confused right now. Weren't you the one that asked about this 
in the first place?

Regards
-
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com




RE: Using shared libraries?

2003-02-05 Thread Ken Cross
Pretty standard:  -l smbclient

You may need -L  if not standard

Ken


-Original Message-
From: Richard Sharpe [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, February 05, 2003 11:26 AM
To: Jelmer Vernooij
Cc: Ken Cross; 'Multiple recipients of list SAMBA-TECHNICAL'
Subject: Re: Using shared libraries?


On Wed, 5 Feb 2003, Jelmer Vernooij wrote:

> On Wed, Feb 05, 2003 at 06:54:27AM -0500, Ken Cross wrote about 'Using

> shared libraries?':
> > Maybe a dumb question, but...
> 
> > libsmbclient.so is being built in bin, but nothing seems to be 
> > linking to it.  I tried "make installclientlib", which installed it,

> > but no change.
> 
> > Is there some trick to get it to be used?  (NetBSD with SAMBA_3_0)
> 
> libsmbclient is a library that can be used by 3rd party GPL'ed 
> software, samba doesn't use it internally.

Well, yes, but ... libsmbclient contains so much also needed by Samba, 
that you can link against libsmbclient.so and save lots of space.

The question remains, how to do it on NetBSD?

Regards
-
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com




Re: Using shared libraries?

2003-02-05 Thread Richard Sharpe
On Wed, 5 Feb 2003, Jelmer Vernooij wrote:

> On Wed, Feb 05, 2003 at 06:54:27AM -0500, Ken Cross wrote about 'Using shared 
>libraries?':
> > Maybe a dumb question, but...
> 
> > libsmbclient.so is being built in bin, but nothing seems to be linking
> > to it.  I tried "make installclientlib", which installed it, but no
> > change.
> 
> > Is there some trick to get it to be used?  (NetBSD with SAMBA_3_0)
> 
> libsmbclient is a library that can be used by 3rd party GPL'ed
> software, samba doesn't use it internally.

Well, yes, but ... libsmbclient contains so much also needed by Samba, 
that you can link against libsmbclient.so and save lots of space.

The question remains, how to do it on NetBSD?

Regards
-
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com




Re: (initialize locking database)

2003-02-05 Thread Michael Steffens
[EMAIL PROTECTED] wrote:

Hi Together

I have a problem with initialise the locking database. When i send the
command the following command .
unx10015# ./smbstatus -d -L

I received the this message.

using configfile = /tools/samba/samba-2.2.7/lib/smb.conf
Opened /var/log/css/samba-2.2.7/locks/connections.tdb

Failed to open byte range locking database
ERROR: Failed to initialise locking database
Can't initialise locking module - exiting

 Has anyone a solution about this problem


This database is initialized on the first SMB connection.
Just connect once to Samba from a client, and smbstatus
will work further on.

Cheers!
Michael




Re: Multiple users connecting from same Windows box confusing samba?

2003-02-05 Thread Mark G. Adams
Hi, Jerry.

On Tue, 2003-02-04 at 01:34, Gerald (Jerry) Carter wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> On 30 Jan 2003, Mark G. Adams wrote:
> 
> > We are seeing an intermittent problem with Samba on our RedHat 8.0 file
> > server (also seen with RedHat 7.3 prior to the upgrade to 8.0).
> > Normally, a Windows XP machine can connect to the file server's shares
> > and work on them. However, sometimes after being up for a while,
>^^^
> > connections from the XP machine to the file server no longer work.
> 
> > Note that the file server is using security = server, so it doesn't use
> > passdb at all.
> 
> smbd probably lost the connection to the password server.  I recommend
> using security = domain to work around the problem.

So far that seems to be working, as we've gone a day without running
into any hiccups. Many thanks for the suggestion!

//Mark
-- 
Mark G. Adams
Research & Development
OmniMark Technologies
Ottawa, Ontario, Canada
[EMAIL PROTECTED]





Re: Bottleneck with Winbind and NT ACLs in 2.2.7a

2003-02-05 Thread Michael Steffens
Hi Jeremy,

[EMAIL PROTECTED] wrote:

Damn good idea ! I think I'll look into applying some version
of this - thanks !


Many thanks to you!

Our "big boy" unveiled another problem with winbind and a large
number of clients (most of them smbds, but also other processes,
of course): Winbindd becomes an excessive file descriptor
consumer for client sockets.

Each smbd wants two of them. And as long as client processes are
alive, client connections stay open even when being idle.

It is possible to increase the maxfiles kernel parameter (we
have set it to 300). But as every process can potentially become
a winbind client, it's hard to tell what the actual limit should
be. During the last three days our winbindd was already pretty
close to 300 open files under peak load :)

I think that winbindd could use some housekeeping of client
connections. In the attached patch I have tried to apply a
threshold method. As soon as a maximum number of clients is
exceeded, the oldest idle connection is looked up and shut
down. Criterion for a connection being considered "idle" is

 - empty read and write buffers
 - no get??ent environments

In case all connections are actually active, exceeding the
threshold is being allowed (hoping it's temporary).

Together with smbds caching id mappings, reducing the frequency
of queries, this could work without too much impact on client
processes (which re-open connections winbindd has closed
when required).

What do you think about it?

Cheers!
Michael

Index: source/nsswitch/winbindd.h
===
RCS file: /cvsroot/samba/source/nsswitch/winbindd.h,v
retrieving revision 1.3.4.9
diff -u -r1.3.4.9 winbindd.h
--- source/nsswitch/winbindd.h  13 Sep 2002 23:46:27 -  1.3.4.9
+++ source/nsswitch/winbindd.h  5 Feb 2003 12:48:02 -
@@ -42,6 +42,7 @@
 struct winbindd_response response;/* Respose to client */
 struct getent_state *getpwent_state;  /* State for getpwent() */
 struct getent_state *getgrent_state;  /* State for getgrent() */
+time_t access;/* Time of last access (read or write) 
+*/
 };
 
 /* State between get{pw,gr}ent() calls */
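Review bot: the new member `access` in struct winbindd_cli_state shares its name with the libc function access(); a name such as `last_access` would avoid the confusion, and the shadowing that follows wherever a local of the same name is declared. The comment could also state that the value is a time(NULL) timestamp, so the unit and clock are clear at the declaration.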
@@ -189,6 +190,7 @@
 
 #define WINBINDD_ESTABLISH_LOOP 30
 #define DOM_SEQUENCE_NONE ((uint32)-1)
+#define WINBINDD_MAX_CLIENTS 100
 
 /* SETENV */
 #if HAVE_SETENV
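Review bot: WINBINDD_MAX_CLIENTS is fixed at 100 at compile time, with no comment on how it relates to the file descriptor limit of the winbindd process. Either document that relationship next to the define or make the threshold a configuration parameter, since the right value depends on the descriptor limit of the site running it.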
Index: source/nsswitch/winbindd.c
===
RCS file: /cvsroot/samba/source/nsswitch/winbindd.c,v
retrieving revision 1.3.2.35
diff -u -r1.3.2.35 winbindd.c
--- source/nsswitch/winbindd.c  3 Oct 2002 21:00:10 -   1.3.2.35
+++ source/nsswitch/winbindd.c  5 Feb 2003 12:48:03 -
@@ -343,6 +343,10 @@

ZERO_STRUCTP(state);
state->sock = sock;
+
+   /* give it a date of birth, such that it doesn't become a removal
+  candidate immediately */
+   state->access = time(NULL);

/* Add to connection list */

@@ -380,6 +384,36 @@
}
 }
 
+/* Shutdown client connection which has been idle for the longest time */
+
+static BOOL remove_idle_client(void) {
+   struct winbindd_cli_state *state, *remove_state = NULL;
+   time_t access = 0;
+   int nidle = 0;
+
+   for (state = client_list; state; state = state->next) {
+
+   if (state->read_buf_len == 0 && state->write_buf_len == 0 &&
+   !state->getpwent_state && !state->getgrent_state) {
+
+   nidle++;
+   if (!access || state->access < access) {
+   access = state->access;
+   remove_state = state;
+   }
+   }
+   }
+
+   if (remove_state) {
+   DEBUG(5,("Found %d idle client connections, shutting down sock %d, pid 
+%d\n",
+nidle, remove_state->sock, remove_state->pid));
+   remove_client(remove_state);
+   return True;
+   }
+
+   return False;
+}
+
 /* Process a complete received packet from a client */
 
 static void process_packet(struct winbindd_cli_state *state)
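Review bot: in remove_idle_client() the local `time_t access` shadows libc's access() and also serves as a "nothing found yet" sentinel through `!access`; testing `remove_state == NULL` instead makes the intent explicit and removes the reliance on 0 never being a valid timestamp. The idle test also means that a connection with a non-zero read_buf_len or write_buf_len is never a removal candidate, however old its last access is, so a client that stalls in the middle of a request keeps its descriptor indefinitely. An age cut-off on state->access for such connections would close that gap.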
@@ -427,6 +461,7 @@
/* Update client state */

state->read_buf_len += n;
+   state->access = time(NULL);
 }
 
 /* Write some data to a client connection */
@@ -479,6 +514,7 @@
/* Update client state */

state->write_buf_len -= num_written;
+   state->access = time(NULL);

/* Have we written all data? */

@@ -597,8 +633,15 @@
 
if (selret > 0) {
 
-   if (FD_ISSET(accept_sock, &r_fds))
+   if (FD_ISSET(accept_sock, &r_fds)) {
+   while (num_clients > WINBINDD_MAX_CLIENTS - 1)
+   if (!remove_idle_client()) {
+   DEBUG(0,("Exceeding %d client 
+connec
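Review bot: the failure branch of the new `while (num_clients > WINBINDD_MAX_CLIENTS - 1)` loop logs with DEBUG(0, ...), so once every client is busy each accept above the threshold writes a level-0 message; a higher debug level or some rate limiting would keep the log usable under load. The loop body is an unbraced multi-line `if`, and the text is cut off at this point, so check that the branch leaves the loop when remove_idle_client() returns False, otherwise the loop spins.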

Re: Using shared libraries?

2003-02-05 Thread Jelmer Vernooij
On Wed, Feb 05, 2003 at 06:54:27AM -0500, Ken Cross wrote about 'Using shared libraries?':
> Maybe a dumb question, but...

> libsmbclient.so is being built in bin, but nothing seems to be linking
> to it.  I tried "make installclientlib", which installed it, but no
> change.

> Is there some trick to get it to be used?  (NetBSD with SAMBA_3_0)

libsmbclient is a library that can be used by 3rd party GPL'ed
software, samba doesn't use it internally.

Jelmer

-- 
Jelmer Vernooij <[EMAIL PROTECTED]> - http://nl.linux.org/~jelmer/
 13:21:45 up 1 day, 15:15,  3 users,  load average: 0.24, 0.54, 0.80



Using shared libraries?

2003-02-05 Thread Ken Cross
Maybe a dumb question, but...

libsmbclient.so is being built in bin, but nothing seems to be linking
to it.  I tried "make installclientlib", which installed it, but no
change.

Is there some trick to get it to be used?  (NetBSD with SAMBA_3_0)

Thanks,
Ken




Re: Samba and spinlocks on Linux (was Re: REPOST: Meaning of "tdb_free: left read failed at ...?"

2003-02-05 Thread Ralf G. R. Bergs
On Wed, 05 Feb 2003 11:50:50 +0100, Volker Lendecke wrote:

[...]
>you do not have a *very* good reason to enable them, could you please retry
>without spinlocks?

Ok, I'm just recompiling Samba without spinlock support.

Obviously I have to wait until this night so that the fileserver becomes less 
loaded to replace Samba.

I will get back to you until I can report whether the (original) problem went 
away.

Thanks,

Ralf


-- 
   L I N U X   .~.
  The  Choice  /V\
   of a  GNU  /( )\
  Generation  ^^-^^





Re: Samba and spinlocks on Linux (was Re: REPOST: Meaning of "tdb_free: left read failed at ...?"

2003-02-05 Thread Volker Lendecke
On Wed, Feb 05, 2003 at 10:21:15AM +0100, Ralf G. R. Bergs wrote:
> I guess I should have defined CONFIG_RWSEM_GENERIC_SPINLOCK when compiling my 
> kernel since I also configured Samba with "--with-spinlocks":

Ok, this might explain it. Spinlocks are definitely a less tested part of the
code. I have never really activated them. At least under Linux fcntl locks
should be fast enough to cope with nearly any load.

> Would you recommend that I recompile the kernel to enable spinlock support 
> (since this is a two-way SMP machine), or would you rather recommend that I 
> don't use spinlocks (i.e. recompile Samba NOT to try to use spinlocks)?

The difference is that without Samba support for spinlocks you get another
round-trip into the kernel for each lock. Linux is quite fast with that, so if
you do not have a *very* good reason to enable them, could you please retry
without spinlocks?

Volker

P.S: I might be wrong, but I'm not sure whether the spinlock code ever actually
worked. Jeremy?






Re: REPOST: Meaning of "tdb_free: left read failed at ...?"

2003-02-05 Thread Ralf G. R. Bergs
On Tue, 04 Feb 2003 19:34:16 -0600 (CST), Gerald (Jerry) Carter wrote:

>On Tue, 4 Feb 2003, Ralf G. R. Bergs wrote:
>
>> What exactly does that mean? I compiled Samba with large file support.
>> Was this an error? I absolutely NEED large-file support. (To recap, this
>> is under Debian/GNU Linux/i386 3.0, running kernel 2.4.20.)
>
>tdb's can only be < 4Gb.  It's not a 64-bit database.  
>This has nothing to do with Samba's support for transferring
>64-bit files. 
>
>Why is the unexpected.tdb growing that fast?

I'm not sure whether I understand you correctly.

The above file, unexpected.tdb, is NOT larger than 4G in size, it's just a few 
K!

Could you elaborate, please?

Thanks.


-- 
   L I N U X   .~.
  The  Choice  /V\
   of a  GNU  /( )\
  Generation  ^^-^^





Samba and spinlocks on Linux (was Re: REPOST: Meaning of "tdb_free: left read failed at ...?"

2003-02-05 Thread Ralf G. R. Bergs
On Tue, 04 Feb 2003 11:00:24 +0100, Volker Lendecke wrote:

>On Tue, Feb 04, 2003 at 10:17:34AM +0100, Ralf G. R. Bergs wrote:
>> Ok, now /var/run/samba is an ext3 filesystem -- and the problem is back
>> again.  :-(
>
>Thanks nevertheless. As one resort, could you try
>
>use mmap = no

I guess I should have defined CONFIG_RWSEM_GENERIC_SPINLOCK when compiling my 
kernel since I also configured Samba with "--with-spinlocks":

[2003/02/05 09:06:01, 0] tdb/tdbutil.c:tdb_log(531)
  tdb(/var/run/samba/messages.tdb): tdb_open_ex: failed to clear spinlock
[2003/02/05 09:06:01, 0] lib/messages.c:message_init(112)
  ERROR: Failed to initialise messages database

Would you recommend that I recompile the kernel to enable spinlock support 
(since this is a two-way SMP machine), or would you rather recommend that I 
don't use spinlocks (i.e. recompile Samba NOT to try to use spinlocks)?

Thanks!


-- 
   L I N U X   .~.
  The  Choice  /V\
   of a  GNU  /( )\
  Generation  ^^-^^





Re: Win9x, samba 3, user list

2003-02-05 Thread Dmitry Melekhov
Richard Sharpe wrote:

> On Tue, 4 Feb 2003, Dmitry Melekhov wrote:
>
>> hello!
>>
>> Sorry for late reply :-(
>> Here it is.
>
> OK, I wasn't precise enough. I was actually looking for a packet trace
> of the problem. You can obtain such with:
>
>   tcpdump -i eth0 -s 1500 -w somefile.cap
>
> started before you try to retrieve the userlist.

This file is attached.

Thank you!




userlist.cap.gz
Description: GNU Zip compressed data