RE: FW: encrypt passwords = no, security=user, samba 3.0a22
Here you go. Enjoy :) N. -- Nir Soffer -=- Exanet Inc. -=- http://www.evilpuppy.org "Father, why are all the children weeping? / They are merely crying son O, are they merely crying, father? / Yes, true weeping is yet to come" -- Nick Cave and the Bad Seeds, The Weeping Song > -Original Message- > From: Richard Sharpe [mailto:[EMAIL PROTECTED] > Sent: Saturday, March 15, 2003 2:30 AM > To: Nir Soffer > Cc: Christopher R. Hertel; [EMAIL PROTECTED] > Subject: RE: FW: encrypt passwords = no, security=user, samba 3.0a22 > > > On Tue, 11 Mar 2003, Nir Soffer wrote: > > > > > FWIW turning off unicode with unicode=no helps somewhat, and both > > ethereal and Samba parse the session request correctly: > > Hmmm, I fixed a problem in Ethereal around Unicode handling > last week at > Connectathon. I would be very interested in a trace that shows the > problem. > > Regards > - > Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, > sharpe[at]ethereal.com, http://www.richardsharpe.com > > badpass.cap Description: badpass.cap aftersp.cap Description: aftersp.cap nounicode.cap Description: nounicode.cap
Samba 2.2.8 acl compatibility documentation error
Hello I think there is a small error in the 'acl compatibility' documentation. In the first sentence in the smb.conf.5.html web page it currently says: New in Samba 2.2.8 and above, this string parameter tells smbd if it should modify any Windows access control lists created from POSIX access control lists to remove features which are not supported by Windows 2000 but not supported by ^^^ ^^^ the Windows NT ACL edit. control. ^ I think it should say: New in Samba 2.2.8 and above, this string parameter tells smbd if it should modify any Windows access control lists created from POSIX access control lists to remove features which are supported by Windows 2000 but not supported by the Windows NT ACL edit control. But I may be wrong - perhaps the 'but' should be an 'or'. Regards Nick
Samba 2.2.8 large file bug in smbwrapper and permissions bug?
Hello Compiling 2.2.8 and smbwrapper on Solaris 9, I saw the following warnings: Compiling smbwrapper/smbw.c with -KPIC "smbwrapper/smbw.c", line 1258: warning: argument #4 is incompatible with prototype: prototype: pointer to ullong : "include/proto.h", line 303 argument : pointer to uint Compiling smbwrapper/smbw_stat.c with -KPIC "smbwrapper/smbw_stat.c", line 149: warning: argument #4 is incompatible with prototype: prototype: pointer to ullong : "include/proto.h", line 303 argument : pointer to uint (Also several less worrying int/uint warnings). These warnings worried me so I tested smbsh listing a large file created using mkfile in a directory which is shared by Samba: $ /usr/sbin/mkfile 5g 5gig $ ls -l 5gig -rw--- 1 nick staff5368709120 Mar 16 11:47 5gig $ smbsh Username: Password: $ cd /smb/ $ ls -l 5gig -rw-r--r-- 1 nick staff1073741824 Mar 16 11:47 5gig *** I also just noticed the differences in permissions - that is more worrying than the large file problem. *** BTW I notice that smbwrapper is not built on the Solaris systems in the bulid farm. Can it be added? Regards Nick
Question - Latest security alery of samba
Hi all, Just wanted to know if the latest security alert is all about quotas.c. An upgrade (for me) is a bit problematic at the moment. If I patch this specific source code myself and recompile smbd - is it (basically) enough ? Thanks, Nir
RE: rd /s, "can't find the file specified" (internal reference b1996)
Following up to myself, reproducing this is apparently even simpler than I thought - simply do a: "touch nir test test" and try to delete it from a DOS command line. It will fail. "nirtest123456" fails as well, but "nirtest12345" so it seems to filename size related. 13 characters won't work and 12 will. Perhaps it's because something is geared towards 8 characters, a dot, and 3 characters somewhere along the line? Needless to say, it works fine on w2k shares... Nir. -- Nir Soffer -=- Exanet Inc. -=- http://www.evilpuppy.org "Father, why are all the children weeping? / They are merely crying son O, are they merely crying, father? / Yes, true weeping is yet to come" -- Nick Cave and the Bad Seeds, The Weeping Song > -Original Message- > From: Nir Soffer > Sent: Sunday, March 16, 2003 1:58 PM > To: [EMAIL PROTECTED] > Subject: rd /s, "can't find the file specified" (internal > reference b1996) > > > > Hi! > > Our QA department stumbled across the following problem: > > >From the W2K commandline rd /s on a large directory reports: > "The system cannot find the file specified." on a rather > large amount of files. I've yet to figure out what the > connection between them is, but I'm starting to believe > they're files with spaces. > > I've encountered this problem on Samba v3.0a20, v3.0a22, and > latest Samba 3 CVS. > > I did not encounter this problem on all that variants of > Samba v2.2 I've tried (Specifically v2.2.1a, and some more I > don't really remember now). I didn't even encounter it on v2.0.7. > > To reproduce, simply do a: > > net use * \\server\share > D: (or whatever drive you got) > mkdir bug > cd bug > xcopy /e C:\winnt > cd .. > rd /s bug > > Apparently del *.* is having problems with these files as > well, and regular del "Soap Bubbles.bmp" also returned with > the same error. > > In case I wasn't clear, this happens only via the command > line, and NOT via the Windows Explorer. Deleting from there > works just fine. > > Attached is an l10 log of me trying to delete a file... > > Anyone have any ideas, or anything he wants me to try? > > For reference, the internal bug number of this at Exanet is Bug 1996. > > Thanks, > Nir. > > -- > Nir Soffer -=- Exanet Inc. -=- http://www.evilpuppy.org > "Father, why are all the children weeping? / They are merely > crying son > O, are they merely crying, father? / Yes, true weeping is > yet to come" > -- Nick Cave and the Bad Seeds, The Weeping Song > >
Re: Question - Latest security alery of samba
On Sun, Mar 16, 2003 at 04:27:04PM +0200, Nir Livni wrote: > Hi all, > Just wanted to know if the latest security alert is all about quotas.c. > An upgrade (for me) is a bit problematic at the moment. > If I patch this specific source code myself and recompile smbd - is it > (basically) enough ? No, it is not all about quotas.c. Please read carefully announcement. You will also find there some suggestions how to make break harder in mean time, when you are working on upgrade. The upgrade is really required. -- / Alexander Bokovoy Samba Team http://www.samba.org/ ALT Linux Team http://www.altlinux.org/ Midgard Project Ry http://www.midgard-project.org/
Showstopper! Samba 2.2.8 can't read TDB files from previous versions.
It seems that Samba 2.2.8 is unable to open TDB files written by older versions. Instead it just overwrites them with a fresh file. This caused our domain-server to loose the domain SID leaving all our NT clients out in the cold. We use a domain SID extracted from the previous PDC, an old WinNT 4.0 server that was scrapped. Our print server also lost it's registry of printerdrivers and settings. To verify this yourself, try the tdbtool utility. The 2.2.8 version can't open "old" TDB files. The other way round works though, tdbtool from 2.2.7a can open "new" TDB files written by 2.2.8. To salvage the domain SID I copied smbpasswd.c from 2.2.8 into a 2.2.7a source tree and compiled it, then I could use the new -X and -W options to extract the SID from the old secrets.tdb and write it into a fresh TDB from 2.2.8. I'm still working on the printersettings... Anyway, if anyone can replicate this I'd suggest that 2.2.8 should be retracted or atleast a big fat warning should be posted that you may loose your domain SID effectively killing your domain-controller. Regards, Fredrik -- Only two things are infinite, the universe and human stupidity; and I'm not sure about the former. - Albert Einstein Fredrik Öhrn Chalmers University of Technology [EMAIL PROTECTED] Sweden
RE: Question - Latest security alery of samba
I've read the announcement carefully. The announcement does not point a specific threat in the samba code. It mentions that "This version of Samba adds explicit overrun and overflow checks on fragment re-assembly of SMB/CIFS packets to ensure that only valid re-assembly is performed by smbd." It also mentions that samba is highly vulnerable to attacks from an external network, And that 1. host based protection 2. interface protection 3. Using a firewall 4. Using a IPC$ share deny May reduce vulnerability to such attacks. There is no access to my samba servers from the internet, but I would like to know more about this security issue - specially, which source codes are involved. (SMB client code is currently no issue for me) Any list of affected source files would be appreciated. Thanks, Nir -Original Message- From: Alexander Bokovoy [mailto:[EMAIL PROTECTED] Sent: Sunday, March 16, 2003 4:31 PM To: Nir Livni; [EMAIL PROTECTED] Subject: Re: Question - Latest security alery of samba On Sun, Mar 16, 2003 at 04:27:04PM +0200, Nir Livni wrote: > Hi all, > Just wanted to know if the latest security alert is all about > quotas.c. An upgrade (for me) is a bit problematic at the moment. If I > patch this specific source code myself and recompile smbd - is it > (basically) enough ? No, it is not all about quotas.c. Please read carefully announcement. You will also find there some suggestions how to make break harder in mean time, when you are working on upgrade. The upgrade is really required. -- / Alexander Bokovoy Samba Team http://www.samba.org/ ALT Linux Team http://www.altlinux.org/ Midgard Project Ry http://www.midgard-project.org/
Re: Showstopper! Samba 2.2.8 can't read TDB files from previousversions.
Fredrik Ohrn wrote: It seems that Samba 2.2.8 is unable to open TDB files written by older versions. Instead it just overwrites them with a fresh file. This caused our domain-server to loose the domain SID leaving all our NT clients out in the cold. We use a domain SID extracted from the previous PDC, an old WinNT 4.0 server that was scrapped. Our print server also lost it's registry of printerdrivers and settings. To verify this yourself, try the tdbtool utility. The 2.2.8 version can't open "old" TDB files. The other way round works though, tdbtool from 2.2.7a can open "new" TDB files written by 2.2.8. To salvage the domain SID I copied smbpasswd.c from 2.2.8 into a 2.2.7a source tree and compiled it, then I could use the new -X and -W options to extract the SID from the old secrets.tdb and write it into a fresh TDB from 2.2.8. I'm still working on the printersettings... Anyway, if anyone can replicate this I'd suggest that 2.2.8 should be retracted or atleast a big fat warning should be posted that you may loose your domain SID effectively killing your domain-controller. Hmm, at least secrets.tdb and winbind_idmap.tdb survived the upgrade well on four machines here, previous versions 2.2.7a and 2.2.6. All of them running as domain members, however, none being DC... Cheers! Michael
Re: Showstopper! Samba 2.2.8 can't read TDB files from previousversions.
On Sun, 16 Mar 2003, Fredrik Ohrn wrote: > To salvage the domain SID I copied smbpasswd.c from 2.2.8 into a 2.2.7a > source tree and compiled it, then I could use the new -X and -W options to > extract the SID from the old secrets.tdb and write it into a fresh TDB > from 2.2.8. I am glad to be of help :-) Regards - Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, sharpe[at]ethereal.com, http://www.richardsharpe.com
RE: Question - Latest security alery of samba
On Sun, 16 Mar 2003, Nir Livni wrote: > I've read the announcement carefully. > The announcement does not point a specific threat in the samba code. > It mentions that "This version of Samba adds explicit overrun and overflow > checks on > fragment re-assembly of SMB/CIFS packets to ensure that only valid > re-assembly is performed by smbd." > > It also mentions that samba is highly vulnerable to attacks from an external > network, > And that > 1. host based protection > 2. interface protection > 3. Using a firewall > 4. Using a IPC$ share deny > May reduce vulnerability to such attacks. > > There is no access to my samba servers from the internet, but I would like > to know more about this security issue - specially, which source codes are > involved. (SMB client code is currently no issue for me) > Any list of affected source files would be appreciated. How can we be sure that you are not a script-kiddie? Regards - Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, sharpe[at]ethereal.com, http://www.richardsharpe.com
RE: Question - Latest security alery of samba
:-) I guess my only proof could be Jeremy. Jeremy knows me a bit. I gave him a little help with one of the latest fixes in 2.2.8 (delete on close). Appreciate your help, Nir Livni -Original Message- From: Richard Sharpe [mailto:[EMAIL PROTECTED] Sent: Sunday, March 16, 2003 8:06 PM To: Nir Livni Cc: [EMAIL PROTECTED] Subject: RE: Question - Latest security alery of samba On Sun, 16 Mar 2003, Nir Livni wrote: > I've read the announcement carefully. > The announcement does not point a specific threat in the samba code. > It mentions that "This version of Samba adds explicit overrun and > overflow checks on fragment re-assembly of SMB/CIFS packets to ensure > that only valid re-assembly is performed by smbd." > > It also mentions that samba is highly vulnerable to attacks from an > external network, And that > 1. host based protection > 2. interface protection > 3. Using a firewall > 4. Using a IPC$ share deny > May reduce vulnerability to such attacks. > > There is no access to my samba servers from the internet, but I would > like to know more about this security issue - specially, which source > codes are involved. (SMB client code is currently no issue for me) Any > list of affected source files would be appreciated. How can we be sure that you are not a script-kiddie? Regards - Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, sharpe[at]ethereal.com, http://www.richardsharpe.com
Re: Showstopper! Samba 2.2.8 can't read TDB files from previousversions.
Le dim 16/03/2003 à 19:01, Richard Sharpe a écrit : > On Sun, 16 Mar 2003, Fredrik Ohrn wrote: > > > To salvage the domain SID I copied smbpasswd.c from 2.2.8 into a 2.2.7a > > source tree and compiled it, then I could use the new -X and -W options to > > extract the SID from the old secrets.tdb and write it into a fresh TDB > > from 2.2.8. > > I am glad to be of help :-) > > Regards > - > Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, > sharpe[at]ethereal.com, http://www.richardsharpe.com > Ok, can anyone are sure that the upgrade read old tbd file. I use samba 2.2.7a and OpenLdap, I am not connected to the internet, but the point 51 are very interesting for my problem (submited in samba-list). My server will become in production. I don't would like lose my SID and workstation SID. can I have a answer today ? thanks Stéphane Purnelle
Re: Showstopper! Samba 2.2.8 can't read TDB files from previousversions.
Fredrik Ohrn wrote: It seems that Samba 2.2.8 is unable to open TDB files written by older versions. Instead it just overwrites them with a fresh file. This caused our domain-server to loose the domain SID leaving all our NT clients out in the cold. We use a domain SID extracted from the previous PDC, an old WinNT 4.0 server that was scrapped. Our print server also lost it's registry of printerdrivers and settings. I have not seen any problem on the two Samba PDC's I upgraded (although my test system went from 2.2.7a to 2.2.8 via 2.2.8pre2). I seem to be able to logon as a domain user and access network drives OK. Roaming profiles seem to copy OK. I can use rpcclient to enumerate drivers OK, but I have not really been using Samba for printing because of the printer settings problem on Solaris (hopefully fixed now). I only have Windows 2000 clients. It is probably worth posting more information about your setup. Regards Nick
Re: Question - Latest security alery of samba
On Sun, Mar 16, 2003 at 05:54:17PM +0200, Nir Livni wrote: > Any list of affected source files would be appreciated. I have replied to Nir privately off-list. Jeremy.
Re: Showstopper! Samba 2.2.8 can't read TDB files from previousversions.
On Sun, 16 Mar 2003, Nicholas Brealey wrote: > Fredrik Ohrn wrote: > > It seems that Samba 2.2.8 is unable to open TDB files written by older > > versions. Instead it just overwrites them with a fresh file. > > > > This caused our domain-server to loose the domain SID leaving all our NT > > clients out in the cold. We use a domain SID extracted from the previous > > PDC, an old WinNT 4.0 server that was scrapped. > > > > Our print server also lost it's registry of printerdrivers and settings. > > > > I have not seen any problem on the two Samba PDC's I upgraded (although my test > system went from 2.2.7a to 2.2.8 via 2.2.8pre2). I seem to be able to logon as > a domain user and access network drives OK. Roaming profiles seem to > copy OK. I can use rpcclient to enumerate drivers OK, but I have not really been > using Samba for printing because of the printer settings problem on Solaris > (hopefully fixed now). I only have Windows 2000 clients. > > It is probably worth posting more information about your setup. > > Regards > > Nick > We upgraded from 2.2.7a to 2.2.8. Server OS is RedHat 8.0. The sectrets.tdb file was created a log time ago with an older version and some hacking around with tdbtool to insert the SID. After more than a cursory look the print-server did infact keep it's settings. It has lost information about some but not all of the printers but we have had that problem before so it's not related to the upgrade. I can post the old sectrets.tdb file that gets instantly replaced by samba 2.2.8 in case that is of any help. Regards, Fredrik -- Only two things are infinite, the universe and human stupidity; and I'm not sure about the former. - Albert Einstein Fredrik Öhrn Chalmers University of Technology [EMAIL PROTECTED] Sweden
Re: Passwd sync on ldapsam
On Sun, 2003-03-16 at 06:27, Kri¨tof Petr wrote: > Hi, > > I configured samba 2.2.7a with --ldapsam. Works fine. > Pasword changes are updated on ldap server on > lmPassword and ntPassword atributes. Good. > > But I want to synchronize unix password too. You need to either tell pam_ldap your Manger DN and password (keep that file secure!) or use the feature 'ldap passwd sync' in Samba 3.0. > Samba did not update userPassword or never > call /bin/passwd or pam to change it. > > This behavior doesnt depend on setting > unix password sync = yes > or > pam password change = yes > > > smbpasswd does: > > - bind ldap seerver >search (uid=joe)&(objectClass=sambaAccount) > > - bind ldap server >search (objectClass=posixAccount)&(uid=joe) > > - bind ldap server >modify DN: uid=joe,dc=People,dc=company,dc=com >attribute ntPassword >attribute lmPassword > > - bind ldap server >search (uid=joe)&(objectClass=sambaAccount) >search (objectClass=posixAccount)&(uid=joe) > > I think correct behavior is modify userPassword too. The attribute might not be present - we might not even have a matching posixAccount. In Samba 2.2 we don't have the codepaths to get the plaintext password to the parts doing the LDAP modifications easily. Andrew Bartlett -- Andrew Bartlett [EMAIL PROTECTED] Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED] Student Network Administrator, Hawker College [EMAIL PROTECTED] http://samba.org http://build.samba.org http://hawkerc.net signature.asc Description: This is a digitally signed message part
Re: [PATCH] Joining domains specifying auth realm
On Sat, 2003-03-15 at 03:01, Ken Cross wrote: > Let's try this again. The previous patch I submitted didn't work in > some configurations. (ads->auth.realm needs to be preserved over the > ads_connect call.) If it's not preserved, won't it be free()ed in the process? And shouldn't change the code that's clobbering it instead? I applied the previous patch - can you get me the changes against current HEAD? Andrew Bartlett -- Andrew Bartlett [EMAIL PROTECTED] Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED] Student Network Administrator, Hawker College [EMAIL PROTECTED] http://samba.org http://build.samba.org http://hawkerc.net signature.asc Description: This is a digitally signed message part
RE: rd /s, "can't find the file specified" (internal reference b1996)
On Sun, 16 Mar 2003, Nir Soffer wrote: > > Following up to myself, reproducing this is apparently even simpler > than I thought - simply do a: > > "touch nir test test" > > and try to delete it from a DOS command line. It will fail. > > "nirtest123456" fails as well, but "nirtest12345" so it seems to > filename size related. 13 characters won't work and 12 will. Perhaps > it's because something is geared towards 8 characters, a dot, and 3 > characters somewhere along the line? > > Needless to say, it works fine on w2k shares... Can you get us a sniff? Regards - Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, sharpe[at]ethereal.com, http://www.richardsharpe.com
