RE: FW: encrypt passwords = no, security=user, samba 3.0a22

2003-03-16 Thread Nir Soffer

Here you go. Enjoy :)

N.


--
Nir Soffer -=- Exanet Inc. -=- http://www.evilpuppy.org
"Father, why are all the children weeping? / They are merely crying son
 O, are they merely crying, father? / Yes, true weeping is yet to come"
-- Nick Cave and the Bad Seeds, The Weeping Song
 

> -Original Message-
> From: Richard Sharpe [mailto:[EMAIL PROTECTED]
> Sent: Saturday, March 15, 2003 2:30 AM
> To: Nir Soffer
> Cc: Christopher R. Hertel; [EMAIL PROTECTED]
> Subject: RE: FW: encrypt passwords = no, security=user, samba 3.0a22
> 
> 
> On Tue, 11 Mar 2003, Nir Soffer wrote:
> 
> > 
> > FWIW turning off unicode with unicode=no helps somewhat, and both 
> > ethereal and Samba parse the session request correctly:
> 
> Hmmm, I fixed a problem in Ethereal around Unicode handling 
> last week at 
> Connectathon. I would be very interested in a trace that shows the 
> problem.
> 
> Regards
> -
> Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
> sharpe[at]ethereal.com, http://www.richardsharpe.com
> 
> 


badpass.cap
Description: badpass.cap


aftersp.cap
Description: aftersp.cap


nounicode.cap
Description: nounicode.cap


Samba 2.2.8 acl compatibility documentation error

2003-03-16 Thread Nicholas Brealey
Hello

I think there is a small error in the 'acl compatibility' documentation.

In the first sentence in the smb.conf.5.html web page it currently says:

New in Samba 2.2.8 and above, this string parameter tells smbd if it should 
modify any Windows access control lists created from POSIX access control lists 
to remove features which are not supported by Windows 2000 but not supported by
 ^^^   ^^^
the Windows NT ACL edit. control.
   ^

I think it should say:

New in Samba 2.2.8 and above, this string parameter tells smbd if it should 
modify any Windows access control lists created from POSIX access control lists 
to remove features which are supported by Windows 2000 but not supported by
the Windows NT ACL edit control.

But I may be wrong - perhaps the 'but' should be an 'or'.

Regards

Nick



Samba 2.2.8 large file bug in smbwrapper and permissions bug?

2003-03-16 Thread Nicholas Brealey
Hello

Compiling 2.2.8 and smbwrapper on Solaris 9,
I saw the following warnings:
Compiling smbwrapper/smbw.c with -KPIC
"smbwrapper/smbw.c", line 1258: warning: argument #4 is incompatible with prototype:
prototype: pointer to ullong : "include/proto.h", line 303
argument : pointer to uint
Compiling smbwrapper/smbw_stat.c with -KPIC
"smbwrapper/smbw_stat.c", line 149: warning: argument #4 is incompatible with 
prototype:
	prototype: pointer to ullong : "include/proto.h", line 303
	argument : pointer to uint

(Also several less worrying int/uint warnings).

These warnings worried me so I tested smbsh listing a large file
created using mkfile in a directory which is shared by Samba:
$ /usr/sbin/mkfile  5g 5gig
$ ls -l 5gig
-rw---   1 nick staff5368709120 Mar 16 11:47 5gig
$ smbsh
Username: 
Password:
$ cd /smb/
$ ls -l 5gig
-rw-r--r--   1 nick staff1073741824 Mar 16 11:47 5gig
*** I also just noticed the differences in permissions - that is more
worrying than the large file problem. ***
BTW I notice that smbwrapper is not built on the Solaris systems
in the bulid farm. Can it be added?
Regards

Nick



Question - Latest security alery of samba

2003-03-16 Thread Nir Livni
Hi all,
Just wanted to know if the latest security alert is all about quotas.c.
An upgrade (for me) is a bit problematic at the moment.
If I patch this specific source code myself and recompile smbd - is it
(basically) enough ?

Thanks,
Nir


RE: rd /s, "can't find the file specified" (internal reference b1996)

2003-03-16 Thread Nir Soffer

Following up to myself, reproducing this is apparently even simpler than I thought - 
simply do a:

"touch nir test test"

and try to delete it from a DOS command line. It will fail.

"nirtest123456" fails as well, but "nirtest12345" so it seems to filename size 
related. 13 characters won't work and 12 will. Perhaps it's because something is 
geared towards 8 characters, a dot, and 3 characters somewhere along the line?

Needless to say, it works fine on w2k shares...

Nir.


--
Nir Soffer -=- Exanet Inc. -=- http://www.evilpuppy.org
"Father, why are all the children weeping? / They are merely crying son
 O, are they merely crying, father? / Yes, true weeping is yet to come"
-- Nick Cave and the Bad Seeds, The Weeping Song
 

> -Original Message-
> From: Nir Soffer 
> Sent: Sunday, March 16, 2003 1:58 PM
> To: [EMAIL PROTECTED]
> Subject: rd /s, "can't find the file specified" (internal 
> reference b1996)
> 
> 
> 
> Hi!
> 
> Our QA department stumbled across the following problem:
> 
> >From the W2K commandline rd /s on a large directory reports: 
> "The system cannot find the file specified." on a rather 
> large amount of files. I've yet to figure out what the 
> connection between them is, but I'm starting to believe 
> they're files with spaces.
> 
> I've encountered this problem on Samba v3.0a20, v3.0a22, and 
> latest Samba 3 CVS.
> 
> I did not encounter this problem on all that variants of 
> Samba v2.2 I've tried (Specifically v2.2.1a, and some more I 
> don't really remember now). I didn't even encounter it on v2.0.7.
> 
> To reproduce, simply do a:
> 
> net use * \\server\share
> D: (or whatever drive you got)
> mkdir bug
> cd bug
> xcopy /e C:\winnt
> cd ..
> rd /s bug
> 
> Apparently del *.* is having problems with these files as 
> well, and regular del "Soap Bubbles.bmp" also returned with 
> the same error.
> 
> In case I wasn't clear, this happens only via the command 
> line, and NOT via the Windows Explorer. Deleting from there 
> works just fine.
> 
> Attached is an l10 log of me trying to delete a file...
> 
> Anyone have any ideas, or anything he wants me to try?
> 
> For reference, the internal bug number of this at Exanet is Bug 1996.
> 
> Thanks,
> Nir.
> 
> --
> Nir Soffer -=- Exanet Inc. -=- http://www.evilpuppy.org
> "Father, why are all the children weeping? / They are merely 
> crying son
>  O, are they merely crying, father? / Yes, true weeping is 
> yet to come"
> -- Nick Cave and the Bad Seeds, The Weeping Song
>  
> 


Re: Question - Latest security alery of samba

2003-03-16 Thread Alexander Bokovoy
On Sun, Mar 16, 2003 at 04:27:04PM +0200, Nir Livni wrote:
> Hi all,
> Just wanted to know if the latest security alert is all about quotas.c.
> An upgrade (for me) is a bit problematic at the moment.
> If I patch this specific source code myself and recompile smbd - is it
> (basically) enough ?
No, it is not all about quotas.c. Please read carefully announcement. You
will also find there some suggestions how to make break harder in mean
time, when you are working on upgrade. 

The upgrade is really required.

-- 
/ Alexander Bokovoy
Samba Team  http://www.samba.org/
ALT Linux Team  http://www.altlinux.org/
Midgard Project Ry  http://www.midgard-project.org/
 


Showstopper! Samba 2.2.8 can't read TDB files from previous versions.

2003-03-16 Thread Fredrik Ohrn

It seems that Samba 2.2.8 is unable to open TDB files written by older 
versions. Instead it just overwrites them with a fresh file.

This caused our domain-server to loose the domain SID leaving all our NT 
clients out in the cold. We use a domain SID extracted from the previous 
PDC, an old WinNT 4.0 server that was scrapped.

Our print server also lost it's registry of printerdrivers and settings.


To verify this yourself, try the tdbtool utility. The 2.2.8 version can't 
open "old" TDB files. The other way round works though, tdbtool from 
2.2.7a can open "new" TDB files written by 2.2.8.


To salvage the domain SID I copied smbpasswd.c from 2.2.8 into a 2.2.7a 
source tree and compiled it, then I could use the new -X and -W options to 
extract the SID from the old secrets.tdb and write it into a fresh TDB 
from 2.2.8.

I'm still working on the printersettings...


Anyway, if anyone can replicate this I'd suggest that 2.2.8 should be 
retracted or atleast a big fat warning should be posted that you may 
loose your domain SID effectively killing your domain-controller.


Regards,
Fredrik

-- 
  Only two things are infinite, the universe and human stupidity;
  and I'm not sure about the former.
- Albert Einstein

Fredrik Öhrn   Chalmers University of Technology
[EMAIL PROTECTED]  Sweden



RE: Question - Latest security alery of samba

2003-03-16 Thread Nir Livni
I've read the announcement carefully.
The announcement does not point a specific threat in the samba code.
It mentions that "This version of Samba adds explicit overrun and overflow
checks on
fragment re-assembly of SMB/CIFS packets to ensure that only valid
re-assembly is performed by smbd."

It also mentions that samba is highly vulnerable to attacks from an external
network,
And that 
1. host based protection
2. interface protection
3. Using a firewall
4. Using a IPC$ share deny
May reduce vulnerability to such attacks.

There is no access to my samba servers from the internet, but I would like
to know more about this security issue - specially, which source codes are
involved. (SMB client code is currently no issue for me)
Any list of affected source files would be appreciated.

Thanks,
Nir

-Original Message-
From: Alexander Bokovoy [mailto:[EMAIL PROTECTED] 
Sent: Sunday, March 16, 2003 4:31 PM
To: Nir Livni; [EMAIL PROTECTED]
Subject: Re: Question - Latest security alery of samba


On Sun, Mar 16, 2003 at 04:27:04PM +0200, Nir Livni wrote:
> Hi all,
> Just wanted to know if the latest security alert is all about 
> quotas.c. An upgrade (for me) is a bit problematic at the moment. If I 
> patch this specific source code myself and recompile smbd - is it
> (basically) enough ?
No, it is not all about quotas.c. Please read carefully announcement. You
will also find there some suggestions how to make break harder in mean time,
when you are working on upgrade. 

The upgrade is really required.

-- 
/ Alexander Bokovoy
Samba Team  http://www.samba.org/
ALT Linux Team  http://www.altlinux.org/
Midgard Project Ry  http://www.midgard-project.org/
 


Re: Showstopper! Samba 2.2.8 can't read TDB files from previousversions.

2003-03-16 Thread Michael Steffens
Fredrik Ohrn wrote:
It seems that Samba 2.2.8 is unable to open TDB files written by older 
versions. Instead it just overwrites them with a fresh file.

This caused our domain-server to loose the domain SID leaving all our NT 
clients out in the cold. We use a domain SID extracted from the previous 
PDC, an old WinNT 4.0 server that was scrapped.

Our print server also lost it's registry of printerdrivers and settings.

To verify this yourself, try the tdbtool utility. The 2.2.8 version can't 
open "old" TDB files. The other way round works though, tdbtool from 
2.2.7a can open "new" TDB files written by 2.2.8.

To salvage the domain SID I copied smbpasswd.c from 2.2.8 into a 2.2.7a 
source tree and compiled it, then I could use the new -X and -W options to 
extract the SID from the old secrets.tdb and write it into a fresh TDB 
from 2.2.8.

I'm still working on the printersettings...

Anyway, if anyone can replicate this I'd suggest that 2.2.8 should be 
retracted or atleast a big fat warning should be posted that you may 
loose your domain SID effectively killing your domain-controller.
Hmm, at least secrets.tdb and winbind_idmap.tdb survived the upgrade
well on four machines here, previous versions 2.2.7a and 2.2.6. All
of them running as domain members, however, none being DC...
Cheers!
Michael


Re: Showstopper! Samba 2.2.8 can't read TDB files from previousversions.

2003-03-16 Thread Richard Sharpe
On Sun, 16 Mar 2003, Fredrik Ohrn wrote:

> To salvage the domain SID I copied smbpasswd.c from 2.2.8 into a 2.2.7a 
> source tree and compiled it, then I could use the new -X and -W options to 
> extract the SID from the old secrets.tdb and write it into a fresh TDB 
> from 2.2.8.

I am glad to be of help :-)

Regards
-
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com



RE: Question - Latest security alery of samba

2003-03-16 Thread Richard Sharpe
On Sun, 16 Mar 2003, Nir Livni wrote:

> I've read the announcement carefully.
> The announcement does not point a specific threat in the samba code.
> It mentions that "This version of Samba adds explicit overrun and overflow
> checks on
> fragment re-assembly of SMB/CIFS packets to ensure that only valid
> re-assembly is performed by smbd."
> 
> It also mentions that samba is highly vulnerable to attacks from an external
> network,
> And that 
> 1. host based protection
> 2. interface protection
> 3. Using a firewall
> 4. Using a IPC$ share deny
> May reduce vulnerability to such attacks.
> 
> There is no access to my samba servers from the internet, but I would like
> to know more about this security issue - specially, which source codes are
> involved. (SMB client code is currently no issue for me)
> Any list of affected source files would be appreciated.

How can we be sure that you are not a script-kiddie?

Regards
-
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com



RE: Question - Latest security alery of samba

2003-03-16 Thread Nir Livni
:-)
I guess my only proof could be Jeremy.
Jeremy knows me a bit.
I gave him a little help with one of the latest fixes in 2.2.8 (delete on
close).

Appreciate your help,
Nir Livni

-Original Message-
From: Richard Sharpe [mailto:[EMAIL PROTECTED] 
Sent: Sunday, March 16, 2003 8:06 PM
To: Nir Livni
Cc: [EMAIL PROTECTED]
Subject: RE: Question - Latest security alery of samba


On Sun, 16 Mar 2003, Nir Livni wrote:

> I've read the announcement carefully.
> The announcement does not point a specific threat in the samba code. 
> It mentions that "This version of Samba adds explicit overrun and 
> overflow checks on fragment re-assembly of SMB/CIFS packets to ensure 
> that only valid re-assembly is performed by smbd."
> 
> It also mentions that samba is highly vulnerable to attacks from an 
> external network, And that
> 1. host based protection
> 2. interface protection
> 3. Using a firewall
> 4. Using a IPC$ share deny
> May reduce vulnerability to such attacks.
> 
> There is no access to my samba servers from the internet, but I would 
> like to know more about this security issue - specially, which source 
> codes are involved. (SMB client code is currently no issue for me) Any 
> list of affected source files would be appreciated.

How can we be sure that you are not a script-kiddie?

Regards
-
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com


Re: Showstopper! Samba 2.2.8 can't read TDB files from previousversions.

2003-03-16 Thread Stéphane Purnelle
Le dim 16/03/2003 à 19:01, Richard Sharpe a écrit :
> On Sun, 16 Mar 2003, Fredrik Ohrn wrote:
> 
> > To salvage the domain SID I copied smbpasswd.c from 2.2.8 into a 2.2.7a 
> > source tree and compiled it, then I could use the new -X and -W options to 
> > extract the SID from the old secrets.tdb and write it into a fresh TDB 
> > from 2.2.8.
> 
> I am glad to be of help :-)
> 
> Regards
> -
> Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
> sharpe[at]ethereal.com, http://www.richardsharpe.com
> 

Ok, can anyone are sure that the upgrade read old tbd file.
I use samba 2.2.7a and OpenLdap, I am not connected to the internet, but
the point 51 are very interesting for my problem (submited in
samba-list). My server will become in production. I don't would like
lose my SID and workstation SID.

can I have a answer today ?

thanks

Stéphane Purnelle




Re: Showstopper! Samba 2.2.8 can't read TDB files from previousversions.

2003-03-16 Thread Nicholas Brealey
Fredrik Ohrn wrote:
It seems that Samba 2.2.8 is unable to open TDB files written by older 
versions. Instead it just overwrites them with a fresh file.

This caused our domain-server to loose the domain SID leaving all our NT 
clients out in the cold. We use a domain SID extracted from the previous 
PDC, an old WinNT 4.0 server that was scrapped.

Our print server also lost it's registry of printerdrivers and settings.

I have not seen any problem on the two Samba PDC's I upgraded (although my test
system went from 2.2.7a to 2.2.8 via 2.2.8pre2). I seem to be able  to logon as 
a domain user and access network drives OK. Roaming profiles seem to
copy OK. I can use rpcclient to enumerate drivers OK, but I have not really been
using Samba for printing because of the printer settings problem on Solaris
(hopefully fixed now). I only have Windows 2000 clients.

It is probably worth posting more information about your setup.

Regards

Nick



Re: Question - Latest security alery of samba

2003-03-16 Thread jra
On Sun, Mar 16, 2003 at 05:54:17PM +0200, Nir Livni wrote:

> Any list of affected source files would be appreciated.

I have replied to Nir privately off-list.

Jeremy.


Re: Showstopper! Samba 2.2.8 can't read TDB files from previousversions.

2003-03-16 Thread Fredrik Ohrn
On Sun, 16 Mar 2003, Nicholas Brealey wrote:

> Fredrik Ohrn wrote:
> > It seems that Samba 2.2.8 is unable to open TDB files written by older 
> > versions. Instead it just overwrites them with a fresh file.
> > 
> > This caused our domain-server to loose the domain SID leaving all our NT 
> > clients out in the cold. We use a domain SID extracted from the previous 
> > PDC, an old WinNT 4.0 server that was scrapped.
> > 
> > Our print server also lost it's registry of printerdrivers and settings.
> > 
> 
> I have not seen any problem on the two Samba PDC's I upgraded (although my test
> system went from 2.2.7a to 2.2.8 via 2.2.8pre2). I seem to be able  to logon as 
> a domain user and access network drives OK. Roaming profiles seem to
> copy OK. I can use rpcclient to enumerate drivers OK, but I have not really been
> using Samba for printing because of the printer settings problem on Solaris
> (hopefully fixed now). I only have Windows 2000 clients.
> 
> It is probably worth posting more information about your setup.
> 
> Regards
> 
> Nick
> 

We upgraded from 2.2.7a to 2.2.8. Server OS is RedHat 8.0. The 
sectrets.tdb file was created a log time ago with an older version and 
some hacking around with tdbtool to insert the SID.

After more than a cursory look the print-server did infact keep it's 
settings. It has lost information about some but not all of the printers 
but we have had that problem before so it's not related to the upgrade.

I can post the old sectrets.tdb file that gets instantly replaced by samba 
2.2.8 in case that is of any help.


Regards,
Fredrik

-- 
  Only two things are infinite, the universe and human stupidity;
  and I'm not sure about the former.
- Albert Einstein

Fredrik Öhrn   Chalmers University of Technology
[EMAIL PROTECTED]  Sweden



Re: Passwd sync on ldapsam

2003-03-16 Thread Andrew Bartlett
On Sun, 2003-03-16 at 06:27, Kri¨tof Petr wrote: 
> Hi,
> 
> I configured samba 2.2.7a with --ldapsam. Works fine.
> Pasword changes are updated on ldap server on
> lmPassword and ntPassword atributes. Good.
> 
> But I want to synchronize unix password too.

You need to either tell pam_ldap your Manger DN and password 
(keep that file secure!) or use the feature 'ldap passwd sync' in
Samba 3.0.

> Samba did not update userPassword or never
> call /bin/passwd or pam to change it.
> 
> This behavior doesnt depend on setting
> unix password sync = yes
> or
> pam password change = yes
> 
> 
> smbpasswd does:
> 
> - bind ldap seerver
>search (uid=joe)&(objectClass=sambaAccount)
> 
> - bind ldap server
>search (objectClass=posixAccount)&(uid=joe)
> 
> - bind ldap server
>modify DN: uid=joe,dc=People,dc=company,dc=com
>attribute ntPassword
>attribute lmPassword
> 
> - bind ldap server
>search (uid=joe)&(objectClass=sambaAccount)
>search (objectClass=posixAccount)&(uid=joe)
> 
> I think correct behavior is modify userPassword too.

The attribute might not be present - we might not even have a matching
posixAccount.  In Samba 2.2 we don't have the codepaths to get the 
plaintext password to the parts doing the LDAP modifications easily.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net


signature.asc
Description: This is a digitally signed message part


Re: [PATCH] Joining domains specifying auth realm

2003-03-16 Thread Andrew Bartlett
On Sat, 2003-03-15 at 03:01, Ken Cross wrote:
> Let's try this again.  The previous patch I submitted didn't work in
> some configurations.  (ads->auth.realm needs to be preserved over the
> ads_connect call.)

If it's not preserved, won't it be free()ed in the process?

And shouldn't change the code that's clobbering it instead?

I applied the previous patch - can you get me the changes against
current HEAD?

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net


signature.asc
Description: This is a digitally signed message part


RE: rd /s, "can't find the file specified" (internal reference b1996)

2003-03-16 Thread Richard Sharpe
On Sun, 16 Mar 2003, Nir Soffer wrote:

> 
> Following up to myself, reproducing this is apparently even simpler 
> than I thought - simply do a:
> 
> "touch nir test test"
> 
> and try to delete it from a DOS command line. It will fail.
> 
> "nirtest123456" fails as well, but "nirtest12345" so it seems to 
> filename size related. 13 characters won't work and 12 will. Perhaps 
> it's because something is geared towards 8 characters, a dot, and 3 
> characters somewhere along the line?
> 
> Needless to say, it works fine on w2k shares...

Can you get us a sniff?

Regards
-
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com