RE: rd /s, can't find the file specified (internal reference b1996)

2003-03-17 Thread Nir Soffer

Enjoy.

From a very very fast look, it looks like something with file mangling, but IANA 
Samba Expert.

baddosdel.cap is against Samba-CVS (From yesterday)
gooddosdel.cap is against my personal W2K workstation.

--
Nir Soffer -=- Exanet Inc. -=- http://www.evilpuppy.org
Father, why are all the children weeping? / They are merely crying son
 O, are they merely crying, father? / Yes, true weeping is yet to come
-- Nick Cave and the Bad Seeds, The Weeping Song
 

 -Original Message-
 From: Richard Sharpe [mailto:[EMAIL PROTECTED]
 Sent: Monday, March 17, 2003 9:23 AM
 To: Nir Soffer
 Cc: [EMAIL PROTECTED]
 Subject: RE: rd /s, can't find the file specified (internal 
 reference b1996)
 
 
 On Sun, 16 Mar 2003, Nir Soffer wrote:
 
  
  Following up to myself, reproducing this is apparently even simpler 
  than I thought - simply do a:
  
  touch "nir test test"
  
  and try to delete it from a DOS command line. It will fail.
  
  nirtest123456 fails as well, but nirtest12345 works, so it seems to 
  be filename-size related. 13 characters won't work and 12 will. Perhaps 
  it's because something is geared towards 8 characters, a dot, and 3 
  characters somewhere along the line?
  
  Needless to say, it works fine on w2k shares...
 
 Can you get us a sniff?
 
 Regards
 -
 Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
 sharpe[at]ethereal.com, http://www.richardsharpe.com
 
 


baddosdel.cap
Description: baddosdel.cap


gooddosdel.cap
Description: gooddosdel.cap


RE: could not find domain entry for domain @xxxxx

2003-03-17 Thread schmieder, holger
Thank you for your feedback,

The command gives us all domain controllers and the name of the domain. But
what are the 1C addresses? What does 1C mean?

BTW: We have another problem now: some workstations get, during the first
logon, the message "could not connect to domain controller". After some more
restarts the workstation is able to log on. In the error case the
logon server is the workstation itself instead of one of the domain controllers.

Do you have any ideas?

Thank you very much,
Holger

-Original Message-
From: Christopher R. Hertel [mailto:[EMAIL PROTECTED]
Sent: Thursday, 13 March 2003 23:33
To: schmieder, holger
Cc: '[EMAIL PROTECTED]'
Subject: Re: could not find domain entry for domain @x


schmieder, holger wrote:
 
 Has anybody seen that problem? We have it in an NT40 server farm with
 samba 2.2.7a as BDC.
 
 During the start of winbind we also saw the following message:
 could not get sid of domain ...
 
 The users get access to their shares but the policies don't work correctly.
 
 We have an IP-segmented network, the servers are in their own net, WINS is
 running on the NT40 PDC.
 
 Thanks for every idea
 
 Holger

We would need a lot more information.  First thing to try is this:

$ nmblookup -R -U <wins server IP> <domain>#1C

That checks to see that all of the 1C IP addresses are in your WINS database.

Chris -)-

-- 
Samba Team -- http://www.samba.org/ -)-   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)-   [EMAIL PROTECTED]
OnLineBook -- http://ubiqx.org/cifs/-)-   [EMAIL PROTECTED]
This mail was checked for viruses at SCHMIEDER it-solutions GmbH.


Re: typos in SAMBA_3_0 CVS

2003-03-17 Thread Tim Potter
On Mon, Mar 17, 2003 at 11:22:54AM +0100, [EMAIL PROTECTED] wrote:

 i tried to compile the current CVS today and found a typo and missing
 arguments.
 
 i append a small diff, that fixes these problems..

Hi - someone forgot their janitorial duties with regard to the
smbwrapper support.  I've merged the changes in.


Thanks,

Tim.


Re: typos in SAMBA_3_0 CVS

2003-03-17 Thread Andrew Bartlett
On Mon, 2003-03-17 at 22:56, Tim Potter wrote:
 On Mon, Mar 17, 2003 at 11:22:54AM +0100, [EMAIL PROTECTED] wrote:
 
  i tried to compile the current CVS today and found a typo and missing
  arguments.
  
  i append a small diff, that fixes these problems..
 
 Hi - someone forgot their janitorial duties with regard to the
 smbwrapper support.  I've merged the changes in.

Yep - I'm about 2 weeks behind on janitorial duties :-(

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net




2.2.8 compile problem

2003-03-17 Thread gnu_is_not_unix
Hi!

I have a problem with compiling samba 2.2.8 on rh 7.3 (all 
errata applied, kernel 2.4.20 with ac2 patch).

When I do rpm -ba samba.spec, I get this error:

checking whether struct passwd has pw_age... no
checking for poptGetContext in -lpopt... no
checking whether to use included popt... ./popt
checking configure summary... configure: error: summary failure. 
Aborting config
bd: Bad exit status from /var/tmp/rpm-tmp.77044 (%build)

RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.77044 (%build)

I have popt installed in my system ...

greetz

gnu...





RE: [PATCH] Joining domains specifying auth realm

2003-03-17 Thread Ken Cross
Andrew:

Patch to HEAD below -- sorry, should have realized that.

The reason I had to change it was that ads_set_machine_password uses
ads->auth.realm to build the principal name.  Should that be
ads->config.realm?

Ken


Ken Cross

Network Storage Solutions
Phone 865.675.4070 ext 31
[EMAIL PROTECTED] 

 -Original Message-
 From: Andrew Bartlett [mailto:[EMAIL PROTECTED] 
 Sent: Sunday, March 16, 2003 11:24 PM
 To: Ken Cross
 Cc: 'Multiple recipients of list SAMBA-TECHNICAL'; 'Andrew Bartlett'
 Subject: Re: [PATCH] Joining domains specifying auth realm
 
 
 On Sat, 2003-03-15 at 03:01, Ken Cross wrote:
  Let's try this again.  The previous patch I submitted didn't work in 
  some configurations.  (ads->auth.realm needs to be preserved over the 
  ads_connect call.)
 
 If it's not preserved, won't it be free()ed in the process?
 
 And shouldn't we change the code that's clobbering it instead?
 
 I applied the previous patch - can you get me the changes 
 against current HEAD?
 
 Andrew Bartlett
 
 -- 
 Andrew Bartlett [EMAIL PROTECTED]
 Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
 Student Network Administrator, Hawker College   [EMAIL PROTECTED]
 http://samba.org http://build.samba.org http://hawkerc.net
 
--- /tmp/samba/source/utils/net_ads.c   Sat Mar 15 21:14:05 2003
+++ utils/net_ads.c Mon Mar 17 08:26:50 2003
@@ -109,6 +107,9 @@ static int net_ads_info(int argc, const 
d_printf(LDAP port: %d\n, ads-ldap_port);
d_printf(Server time: %s\n, http_timestring(ads-config.current_time));
 
+   d_printf(KDC server: %s\n, ads-auth.kdc_server );   /* KJC */
+   d_printf(Server time offset: %d\n, ads-auth.time_offset );  /* KJC */
+
return 0;
 }
 
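Review bot: the hunk header `@@ -109,6 +107,9 @@` says two lines were removed somewhere before line 109, but no hunk for that removal appears in this patch, so the diff was either taken against an already modified tree or a hunk is missing; please regenerate it against clean HEAD so it applies as one unit. On the two new lines themselves, `ads->auth.kdc_server` is printed with `%s` and nothing in this hunk shows it is guaranteed non-NULL when `net ads info` runs without a KDC having been set (passing NULL for `%s` is undefined behaviour), so guard it, e.g. `ads->auth.kdc_server ? ads->auth.kdc_server : "(none)"`. The `/* KJC */` authorship tags should be dropped; CVS already records who made the change.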
@@ -124,7 +125,7 @@ static ADS_STRUCT *ads_startup(void)
ADS_STATUS status;
BOOL need_password = False;
BOOL second_time = False;
-   char *realm;
+   char *realm, *realm_save = NULL;

ads = ads_init(NULL, NULL, opt_host);
 
@@ -154,14 +156,26 @@ retry:
/*
 * If the username is of the form [EMAIL PROTECTED], 
 * extract the realm and convert to upper case.
+* This is only used to establish the connection.
 */
+   realm_save = ads-auth.realm;
if ((realm = strchr(ads-auth.user_name, '@'))) {
*realm++ = '\0';
-   ads-auth.realm = strdup(realm);
+   ads-auth.realm = realm;
strupper(ads-auth.realm);
}
 
status = ads_connect(ads);
+
+   /*
+* Restore the realm name.  If there wasn't one,
+* default to the configuration realm.
+*/
+   if( realm_save == NULL )
+   realm_save = strdup(ads-config.realm);
+
+   ads-auth.realm = realm_save;
+
if (!ADS_ERR_OK(status)) {
if (!need_password  !second_time) {
need_password = True;

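Review bot: `ads->auth.realm = realm;` (the line that replaces the old strdup) makes auth.realm alias the tail of the auth.user_name buffer instead of owning a copy, and the discussion above says ads_connect() is exactly the call that clobbers or frees this field: a free() of that aliased pointer lands in the middle of the user_name allocation (undefined behaviour), and anything that retains the pointer dangles once user_name is released. Keep the strdup and free it yourself after ads_connect() returns. Two smaller points in the restore block: `realm_save = strdup(ads->config.realm)` is unchecked and also runs on the failure path, where config.realm may still be NULL (strdup(NULL) crashes on most libcs), so test for NULL first or move the restore under `ADS_ERR_OK(status)`; and `ads->auth.realm = realm_save;` overwrites whatever ads_connect() left in the field without freeing it, so if ads_connect() allocated a replacement that allocation leaks on every retry.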

Proposal for smbd failing more gracefully when ngroups > NGROUPS_MAX

2003-03-17 Thread Michael Steffens
Hello,

The "[Samba] number of groups of NT account causes authentication
problems" thread discussed the problem of dealing with NT users
who are members of more domain global groups than the OS running
Samba can cope with.
Limits do vary: some have 16, or 20, or 32; with some platforms it's
tunable, with others it isn't, or only with very much trouble.
How about making smbd a bit more tolerant concerning groups? If the
total number returned by winbind for a given user exceeds the maximum,
it may drop all but the primary group.
This would at least allow coping with such users in setups where
access control is only done via "valid users", plus "force group"
for common access.
Users who got their supplementary groups stripped this way would not
be able to utilize their memberships when using ACLs. This should
represent a fail-to-close, except when "others" has more
privileges than specific groups.
Would this be acceptable? It is not ideal, of course, but maybe
better than no way of dealing with such users?
Attached is a little patch implementing this in 2.2.8.

Cheers!
Michael


Index: source/nsswitch/wb_client.c
===
RCS file: /cvsroot/samba/source/nsswitch/wb_client.c,v
retrieving revision 1.5.2.19
diff -u -r1.5.2.19 wb_client.c
--- source/nsswitch/wb_client.c 13 Sep 2002 23:46:27 -  1.5.2.19
+++ source/nsswitch/wb_client.c 17 Mar 2003 14:11:29 -
@@ -325,6 +325,15 @@
ngroups++;
}
 
+   /* Omit supplementary groups when exceeding maximum */
+
+   if (ngroups  groups_max()) {
+   DEBUG(1,(number of group memberships (%d) for user %s exceeds 
maximum %d, restricting to gid %d\n,
+   ngroups, user, groups_max(), gid));
+   groups[0] = gid;
+   ngroups = 1;
+   }
+
/* Set the groups */
 
if (sys_setgroups(ngroups, groups) == -1) {
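Review bot: the branch that sets `groups[0] = gid; ngroups = 1;` silently changes what the user is authorized to access, and the DEBUG level-1 line is the only trace of it; log at level 0 so it appears under the default log level, and document the behaviour (users over the platform group limit lose group-based access) in the release notes and the winbindd man page, otherwise the resulting "access denied" reports are very hard to diagnose. Minor: groups_max() is called twice in the same block; read it once into a local.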
Index: source/smbd/sec_ctx.c
===
RCS file: /cvsroot/samba/source/smbd/sec_ctx.c,v
retrieving revision 1.7.2.19
diff -u -r1.7.2.19 sec_ctx.c
--- source/smbd/sec_ctx.c   16 Jul 2002 01:09:44 -  1.7.2.19
+++ source/smbd/sec_ctx.c   17 Mar 2003 14:11:29 -
@@ -343,7 +343,7 @@
gain_root();
 
 #ifdef HAVE_SETGROUPS
-   sys_setgroups(ngroups, groups);
+   sys_setgroups((ngroups  groups_max() ? 0 : ngroups), groups);
 #endif
 
ctx_p-ngroups = ngroups;
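Review bot: when the count exceeds groups_max() the kernel is handed zero groups, but the unchanged `ctx_p->ngroups = ngroups;` two lines later still records the full list, so the saved security context disagrees with the process state and the pop path below replays a count that was never installed. Clamp once into a local and use it both for the sys_setgroups() call and for the assignment. Also, the return value of sys_setgroups() is still ignored on this line, so a failure leaves the previous context's groups in place without any log message; check it and fail closed. Note this path drops to zero supplementary groups whereas the wb_client.c hunk keeps the primary gid in groups[0]; the two should agree.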
@@ -419,7 +419,7 @@
prev_ctx_p = sec_ctx_stack[sec_ctx_stack_ndx];
 
 #ifdef HAVE_SETGROUPS
-   sys_setgroups(prev_ctx_p-ngroups, prev_ctx_p-groups);
+   sys_setgroups((prev_ctx_p-ngroups  groups_max() ? 0 : prev_ctx_p-ngroups), 
prev_ctx_p-groups);
 #endif
 
become_id(prev_ctx_p-uid, prev_ctx_p-gid);
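Review bot: same mismatch as the push path: the clamping decision is re-evaluated on `prev_ctx_p->ngroups` every time a context is popped instead of once when it was stored, so if the stored count is already clamped this ternary is unnecessary, and if it is not, the stack still describes groups that are not installed. As on the original line, the sys_setgroups() result is unchecked.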

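An added example of the fail-closed policy proposed in this message (not Samba's code and not the patch above): the group list is checked against the platform's supplementary-group limit, and when it does not fit, every supplementary group is dropped and only the primary gid is installed, rather than an arbitrary prefix of the list being granted. groups_limit(), clamp_groups() and install_groups() are this example's own names; the gid values in main() are a constructed sample.

```c
/* Added example, not Samba code: a fail-closed group list clamp along the
 * lines proposed above. groups_limit(), clamp_groups() and
 * install_groups() are this example's own names; the sample gid values
 * are constructed. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <limits.h>     /* NGROUPS_MAX */
#include <unistd.h>     /* sysconf */
#include <grp.h>        /* setgroups */
#include <sys/types.h>

/* Supplementary-group limit of the running kernel. sysconf() returns -1
 * when the limit is indeterminate; fall back to the compile-time constant. */
static long groups_limit(void)
{
    long n = sysconf(_SC_NGROUPS_MAX);
    return n < 0 ? NGROUPS_MAX : n;
}

/* Prepare groups[] for setgroups(). If the list fits under 'limit' it is
 * returned untouched. If it does not, every supplementary group is dropped
 * and only the primary gid is kept, so access that depended on membership
 * is refused (fail closed) instead of an arbitrary prefix of the list being
 * granted. Returns the number of valid entries now in groups[]. */
static int clamp_groups(gid_t primary, gid_t *groups, int ngroups, long limit)
{
    if (ngroups <= limit)
        return ngroups;
    fprintf(stderr, "group count %d exceeds limit %ld: keeping only gid %ld\n",
            ngroups, limit, (long)primary);
    groups[0] = primary;
    return 1;
}

/* Clamp against the live limit and install the list. Needs CAP_SETGID
 * (root), so it is expected to fail with EPERM in the demo below. */
static int install_groups(gid_t primary, gid_t *groups, int ngroups)
{
    int n = clamp_groups(primary, groups, ngroups, groups_limit());
    return setgroups((size_t)n, groups);
}

int main(void)
{
    gid_t groups[4] = { 100, 101, 102, 103 };   /* constructed sample list */
    int n;

    printf("kernel limit: %ld\n", groups_limit());
    n = clamp_groups(1000, groups, 4, 3);       /* limit of 3: over */
    printf("after clamp: %d entr%s, groups[0]=%ld\n",
           n, n == 1 ? "y" : "ies", (long)groups[0]);
    if (install_groups(1000, groups, n) == -1)
        perror("setgroups");                    /* EPERM unless root */
    return 0;
}
```

The limit is passed into clamp_groups() as a parameter so the decision can be exercised without privileges; install_groups() is the one place that touches the live limit and the setgroups() system call.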

Possible memory leakage in Samba code

2003-03-17 Thread Menny Hamburger
Hello,

I was reviewing the code of the del_share_entry function (.../locking/locking.c) that is
supposed to return the entry deleted when supplied with a ppse pointer. If there are a number
of entries that satisfy the share_mode_identical criteria (more than one), memdup will be
called more than once, thus losing the pointer stored previously in *ppse.
What is the chance that such a scenario could occur?

Thanks,
Menny

Menny Hamburger 
System Engineering 
Exanet Inc.
www.exanet.com
Email: [EMAIL PROTECTED]
Phone: +972 9 9717763
Fax: +972 9 9717778
Mobile: +972 55 679763 

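An added example modelling the pattern Menny asks about (this is not Samba's del_share_entry and does not reproduce its internals): a delete loop that hands back a copy of each removed entry through an out-pointer, so that a second matching entry overwrites the first copy and leaks it, next to a version that copies only the first match. struct entry, remove_matching_leaky() and remove_matching() are this example's own names, and the live_allocs counter exists only to make the lost copy observable.

```c
/* Added example, not Samba code: a model of the pattern described above,
 * where a delete loop hands back a copy of the removed entry through an
 * out-pointer. struct entry, remove_matching_leaky() and remove_matching()
 * are this example's own names; live_allocs exists only to make the lost
 * copy observable. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct entry {
    int pid;        /* stands in for the fields share_mode_identical() compares */
    int share_mode;
};

static int live_allocs;          /* copies handed out and not yet freed */

static struct entry *memdup_entry(const struct entry *e)
{
    struct entry *c = malloc(sizeof *c);
    if (c != NULL) {
        memcpy(c, e, sizeof *c);
        live_allocs++;
    }
    return c;
}

static void free_entry(struct entry *e)
{
    if (e != NULL) {
        free(e);
        live_allocs--;
    }
}

/* Remove tab[i] from a table of *n entries, keeping the rest in order. */
static void remove_at(struct entry *tab, int *n, int i)
{
    memmove(&tab[i], &tab[i + 1], (size_t)(*n - i - 1) * sizeof *tab);
    (*n)--;
}

/* Problem version: every match overwrites *out, so with two or more
 * matching entries all but the last copy are leaked. Returns the number
 * of entries removed. */
static int remove_matching_leaky(struct entry *tab, int *n, int pid,
                                 struct entry **out)
{
    int removed = 0;
    for (int i = 0; i < *n; ) {
        if (tab[i].pid == pid) {
            if (out != NULL)
                *out = memdup_entry(&tab[i]);   /* previous *out is lost */
            remove_at(tab, n, i);
            removed++;
        } else {
            i++;
        }
    }
    return removed;
}

/* Fixed version: *out starts NULL so the caller can tell whether anything
 * came back, and only the first match is copied; later matches are still
 * removed but not duplicated. */
static int remove_matching(struct entry *tab, int *n, int pid,
                           struct entry **out)
{
    int removed = 0;
    if (out != NULL)
        *out = NULL;
    for (int i = 0; i < *n; ) {
        if (tab[i].pid == pid) {
            if (out != NULL && *out == NULL)
                *out = memdup_entry(&tab[i]);
            remove_at(tab, n, i);
            removed++;
        } else {
            i++;
        }
    }
    return removed;
}

/* Run one scenario in which pid 7 appears twice, free the copy the caller
 * received, and report how many copies are still unaccounted for. */
static int leaked_copies(int (*fn)(struct entry *, int *, int, struct entry **))
{
    struct entry tab[3] = { {7, 1}, {9, 2}, {7, 3} };   /* constructed table */
    int n = 3;
    struct entry *got = NULL;

    live_allocs = 0;
    fn(tab, &n, 7, &got);
    free_entry(got);
    return live_allocs;
}

int main(void)
{
    printf("leaky: %d copy(ies) lost\n", leaked_copies(remove_matching_leaky));
    printf("fixed: %d copy(ies) lost\n", leaked_copies(remove_matching));
    return 0;
}
```

Whether the real function should return the first match, the last, or refuse to return anything when more than one entry matches is the design question behind Menny's mail; the fixed version here picks "first match, out-pointer initialised to NULL" because it is the one choice the caller can verify.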



RE: [PATCH] Joining domains specifying auth realm

2003-03-17 Thread Ken Cross
BTW, the patch also includes two more lines of output for net ads info
-- the KDC server and server time offset.  I find them useful for
helping to automate the join process.  

Ken


Ken Cross

Network Storage Solutions
Phone 865.675.4070 ext 31
[EMAIL PROTECTED] 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ken Cross
 Sent: Monday, March 17, 2003 8:48 AM
 To: 'Andrew Bartlett'
 Cc: 'Multiple recipients of list SAMBA-TECHNICAL'
 Subject: RE: [PATCH] Joining domains specifying auth realm
 
 
 Andrew:
 
 Patch to HEAD below -- sorry, should have realized that.
 
 The reason I had to change it was that ads_set_machine_password uses
 ads->auth.realm to build the principal name.  Should that be 
 ads->config.realm?
 
 Ken
 
 
 Ken Cross
 
 Network Storage Solutions
 Phone 865.675.4070 ext 31
 [EMAIL PROTECTED] 
 
  -Original Message-
  From: Andrew Bartlett [mailto:[EMAIL PROTECTED]
  Sent: Sunday, March 16, 2003 11:24 PM
  To: Ken Cross
  Cc: 'Multiple recipients of list SAMBA-TECHNICAL'; 'Andrew Bartlett'
  Subject: Re: [PATCH] Joining domains specifying auth realm
  
  
  On Sat, 2003-03-15 at 03:01, Ken Cross wrote:
   Let's try this again.  The previous patch I submitted didn't work in
   some configurations.  (ads->auth.realm needs to be preserved over the
   ads_connect call.)
  
  If it's not preserved, won't it be free()ed in the process?
  
  And shouldn't we change the code that's clobbering it instead?
  
  I applied the previous patch - can you get me the changes
  against current HEAD?
  
  Andrew Bartlett
  
  -- 
  Andrew Bartlett [EMAIL PROTECTED]
  Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
  Student Network Administrator, Hawker College   [EMAIL PROTECTED]
  http://samba.org http://build.samba.org http://hawkerc.net
  
 
 



Unable to build Samba 2.2.8 libsmbclient on HP-UX 11.00

2003-03-17 Thread Eric Boehm
Hello,

I am having problems building Samba 2.2.8 on HP-UX 11.00.

I am using the ANSI C compiler,

/opt/ansic/bin/cc:
 LINT A.11.01.25171.GP CXREF A.11.01.25171.GP
HP92453-01 A.11.01.25171.GP HP C Compiler
 $   Sep  8 2000 23:13:51 $ 

My configure line is

CC=cc CFLAGS='+DA2.0W' ./configure  --with-automount --with-libsmbclient --with-winbind

I get the following errors

Linking libsmbclient non-shared library bin/libsmbclient.a
Linking libsmbclient shared library bin/libsmbclient.sl
ld: (Warning) Cannot make undefined symbol ISSECURE symbolic. Symbol was referenced from file /usr/lib/pa20_64/libsec.sl
ld: Unsatisfied protected symbol ISSECURE in file libsmb/libsmbclient.po
ld: Unsatisfied protected symbol ISSECURE in file lib/charcnv.po

[deleted lines]

ld: Unsatisfied protected symbol ISSECURE in file ubiqx/ubi_sLinkList.po
ld: Unsatisfied protected symbol ISSECURE in file ubiqx/debugparse.po
1 warnings.
83 errors.
make: *** [bin/libsmbclient.sl] Error 1

Any ideas?

-- 
Eric M. Boehm  /\  ASCII Ribbon Campaign
[EMAIL PROTECTED]   \ /  No HTML or RTF in mail
X   No proprietary word-processing
Respect Open Standards / \  files in mail


Re: [SECURITY] Samba 2.2.8 available for download

2003-03-17 Thread Willi Mann
Is 3.0 also vulnerable?

Willi Mann

From: Gerald (Jerry) Carter [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED]
Subject: [SECURITY] Samba 2.2.8 available for download
This release provides an important security fix outlined in the 
release notes that follow. This is the latest stable release of 
Samba and the version that all production Samba servers should be 
running for all current bug-fixes.




Re: [SECURITY] Samba 2.2.8 available for download

2003-03-17 Thread jra
On Mon, Mar 17, 2003 at 08:13:15PM +0100, Willi Mann wrote:
 Is 3.0 also vulnerable?

3.0 is not released yet. 3.0 alphas are vulnerable, the
SAMBA_3_0 code in CVS is not.

Jeremy.


Re: typos in SAMBA_3_0 CVS

2003-03-17 Thread jra
On Mon, Mar 17, 2003 at 11:22:57PM +1100, Andrew Bartlett wrote:
 
 Yep - I'm about 2 weeks behind on janitorial duties :-(

That's very dangerous. What happens then is someone fixes
it differently in 3.0, and then we have a problem. 

Remember, if a fix is obviously applicable to 3.0 it should
*not* be checked into HEAD until the same change is ready
to be checked into 3.0.

Jeremy.


[PATCH] autogen.sh

2003-03-17 Thread Willi Mann
Hi!

This patch fixes autogen.sh on systems which have only autoconf-2.53 
installed. It makes it simple to add other autoconf versions which might 
occur in the future (TESTAUTOCONF/HEADER var). I've only tested it on 
RedHat 7.3 with 3.0 branch, so please review it carefully before you 
apply it.

Willi Mann



--- autogen.sh  10 Feb 2003 17:31:25 -  1.1.2.2
+++ autogen.sh  17 Mar 2003 20:32:43 -
@@ -2,29 +2,46 @@
 # Run this script to build samba from CVS.

-## first try the default names
-AUTOHEADER=autoheader
-AUTOCONF=autoconf
-
-if which $AUTOCONF  /dev/null
-then
-:
-else
-echo $0: need autoconf 2.53 or later to build samba from CVS 2
-exit 1
-fi
-##
-## what version do we need?
-##
-if [ `$AUTOCONF --version | head -1 | cut -d.  -f 2` -lt 53 ]; then
+## insert all possible names
+TESTAUTOHEADER=autoheader autoheader-2.53
+TESTAUTOCONF=autoconf autoconf-2.53
+
+AUTOHEADERFOUND=0
+AUTOCONFFOUND=0
+
-   ## maybe it's installed under a different name (e.g. RedHat 7.3)
+for i in $TESTAUTOHEADER;
+do
+   if which $i  /dev/null
+   then
+  if [ `$i --version | head -1 | cut -d.  -f 2` -ge 53 ]; then
+   AUTOHEADER=$i
+   AUTOHEADERFOUND=1
+   break;
+ fi;
+fi;
+done
-   AUTOCONF=autoconf-2.53
-   AUTOHEADER=autoheader-2.53
+for i in $TESTAUTOCONF;
+do
+if which $i  /dev/null
+then
+   if [ `$i --version | head -1 | cut -d.  -f 2` -ge 53 ]; then
+AUTOCONF=$i
+AUTOCONFFOUND=1
+break;
+   fi;
+fi;
+done;
+
+if [ $AUTOCONFFOUND == 0 -o $AUTOHEADERFOUND == 0 ]; then
+   
+echo $0: need autoconf 2.53 or later to build samba from CVS 2
+exit 1
 fi
+
 echo $0: running $AUTOHEADER
 $AUTOHEADER || exit 1
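Review bot: `[ $AUTOCONFFOUND == 0 -o $AUTOHEADERFOUND == 0 ]` uses `==`, which is a bash extension; POSIX test (and /bin/sh on Solaris, HP-UX and the BSDs where people build Samba from CVS) only accepts `=`, so the script errors out on exactly the non-Linux systems it is meant to help. Use `=`. Second, the version check `$i --version | head -1 | cut -d. -f 2` compares only the minor number, so any 2.5x passes but a future autoconf 3.0 fails the `-ge 53` test even though it satisfies "2.53 or later"; compare major and minor. Third, the two `for` loops are copies of each other; a small shell function taking the candidate list and the name of the variable to set would halve the hunk and keep the two checks from drifting apart.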



winbind vs. pam/nss alternatives

2003-03-17 Thread Steven French




From a quick check of a couple of distributions it looks like winbind is
not included as part of the logon (pam/nss) configuration choices, although
users who know what they are doing could manually configure it by hand-editing
files after the installation of Samba.

Discounting the esoteric, useless or insecure options for pam/nss leaves a
few common choices (for remote authentication/user information) which
distributions seem to offer:

pam_ldap/nss_ldap or
pam_kerberos/nss_ldap
and the older pam_smb? (pam_ntdom?)

Given that rather meagre list, winbind looks more appealing among other
reasons because it can handle these operations via a choice of multiple
network protocols, and also because it presumably performs better.

A couple of obvious questions:
1) Is winbind likely to be preferable (e.g. due to better performance with
the new dual daemon approach) to pam_ldap/nss_ldap?
2) In particular, is it likely to be better than the alternatives for the
case of the common kerberized client applications (not just nfs v4 and
eventually the cifs vfs clients)?
3) Could winbind easily handle some of the nss lookups via ldap à la the RFC
2307 schema (if it matters anymore; it is just an experimental RFC) as a
fallback choice if the ldap server did not store user/group info in the
ActiveDirectory style? It looks like winbindd_cache.c already handles two
backends, winbindd_ads and winbindd_rpc. With the addition of ldap to
winbind, it seems odd to have to worry about the older pam_ldap/nss_ldap,
which has a much, much smaller installed base (i.e. lots more domain
controllers than RFC 2307 compliant security servers).
4) Is the reason that winbind doesn't appear particularly important for
distributions that it is (relatively) hard to configure (smb.conf,
machine joining the domain etc.), or that they haven't recognized winbind
improvements?



Steve French
Senior Software Engineer
Linux Technology Center - IBM Austin
phone: 512-838-2294
email: [EMAIL PROTECTED]



Weird problems with Samba 2.2.8 under Solaris 8 + latest kernel patch

2003-03-17 Thread Pierre Belanger
Hello all,

This weekend, we upgraded our Samba servers to 2.2.8 (pre3
according to include/version.h; CVS synced this past
Saturday afternoon, EDT). I compiled this new release for
the following Solaris/kernel :
  Solaris 6 : kernel patch 105181-33
  Solaris 7 : kernel patch 106541-23
  Solaris 8 : kernel patch 108528-19
Prior to Solaris 8 108528-19, which was installed yesterday
*not by me*, we were running 108528-12. Solaris 8 with
kernel patch 108518-19 + latest Samba is causing us trouble.
PS: nothing changed in our smb.conf file / we had no problems
before (the fcntl() bug was not an issue for us, we only have
around ~150 concurrent connections on that machine).
There are no problems on the other boxes (Solaris 6 & 7); note
that we have many fewer connections on those boxes.
[Q] Is there anyone on this list running with the latest
Solaris 8 (108528-19) kernel patch and with Samba 2.2.8?
After receiving a few complaints, I decided to dig into the log
files. Here's what I found:
1- Many dptr_close() errors, more than usually.

  log.wcanomp1775:[2003/03/17 14:04:09, 0] smbd/dir.c:dptr_close(277)
  log.wcanomp1775:  Invalid key 256 given to dptr_close
2- Many oplock_break errors, much more than we had:

  [2003/03/17 15:32:49, 0] smbd/oplock.c:oplock_break(791)
  oplock_break: end of file from client
  oplock_break failed for file New Lisp/mbold.lsp (dev = 3d8000a,
  inode = 1467387, file_id = 15).
  [2003/03/17 15:32:49, 0] smbd/oplock.c:oplock_break(879)
  oplock_break: client failure in break - shutting down this smbd.
  [2003/03/17 15:32:49, 1] smbd/service.c:close_cnum(677)
  wcanomp2081 (10.10.92.33) closed connection to service imews
  [2003/03/17 15:32:49, 1] smbd/service.c:close_cnum(677)
  wcanomp2081 (10.10.92.33) closed connection to service site_doc
  [2003/03/17 15:32:49, 1] smbd/service.c:close_cnum(677)
  wcanomp2081 (10.10.92.33) closed connection to service docoss
  [2003/03/17 15:34:24, 1] smbd/service.c:make_connection(636)
  wcanomp2081 (10.10.92.33) connect to service site_doc as user imews
  (uid=2138, gid=240) (pid 4863)
  [2003/03/17 15:35:10, 0] smbd/oplock.c:request_oplock_break(1011)
  request_oplock_break: no response received to oplock break request to
  pid 4858 on port 56392 for dev = 3d8000a, inode = 825700, file_id = 15
  [2003/03/17 15:35:10, 0] smbd/open.c:open_mode_check(652)
  open_mode_check: exlusive oplock left by process 4858 after break !
  For file C 1505A/AA1710-W.dwg, dev = 3d8000a, inode = 825700. Deleting
  it to continue...
  [2003/03/17 15:35:10, 0] smbd/open.c:open_mode_check(656)
  open_mode_check: Existent process 4858 left active oplock.
  [2003/03/17 15:36:59, 1] smbd/service.c:make_connection(636)
  wcanomp2081 (10.10.92.33) connect to service site_doc as user imews
  (uid=2138, gid=240) (pid 4883)
  [2003/03/17 15:36:59, 0] smbd/dir.c:dptr_close(277)
  Invalid key 256 given to dptr_close
  [2003/03/17 15:36:59, 0] smbd/dir.c:dptr_close(277)
  Invalid key 257 given to dptr_close
  [2003/03/17 15:37:10, 0] smbd/oplock.c:process_local_message(397)
  process_local_message: Received unsolicited break reply - dumping
  info.
  [2003/03/17 15:37:10, 0] smbd/oplock.c:process_local_message(412)
  process_local_message: unsolicited oplock break reply from pid 4863,
  port 56392, dev = 3d8000a, inode = 825700, file_id = 15
  [2003/03/17 15:38:02, 1] smbd/service.c:close_cnum(677)
  wcanomp2081 (10.10.92.33) closed connection to service site_doc
  [2003/03/17 15:38:09, 1] smbd/service.c:make_connection(636)
  wcanomp2081 (10.10.92.33) connect to service site_doc as user imews
  (uid=2138, gid=240) (pid 4904)
  [2003/03/17 15:41:22, 1] smbd/service.c:close_cnum(677)
  wcanomp2081 (10.10.92.33) closed connection to service imews
  [2003/03/17 15:41:22, 1] smbd/service.c:close_cnum(677)
  wcanomp2081 (10.10.92.33) closed connection to service docoss
I will downgrade tonight to the previous version that we were
running prior to the upgrade; it says 2.2.8pre1 but I remember
taking that from CVS around February the 5th, according to the
installation date!!!
I wish I had more time for this but I don't :-( I'll find
time tomorrow to let you know if the downgrade helped or not.
Cheers,
Pierre B.


ldapsam_nua and SAMBA_3_0 CVS

2003-03-17 Thread [EMAIL PROTECTED]
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

hi,

i tried a lot of things with the current SAMBA_3_0 today.
everything is working fine, except the ldapsam_nua passdb backend.

i've all accounts in the ldap tree and i want to provide 2 machines
running FreeBSD. one is to be the PDC and one the BDC and nothing
more: no writing or reading of files, only the domain logons.
the disadvantage is that nss_ldap still isn't working with FreeBSD.

so i need ldapsam_nua because i don't want to use NIS or put
all accounts into the local files too.

now i'm a little bit confused because everything i tried ends up with the
following message:

auth/auth_util.c:get_user_groups_from_local_sam(687)
  user XXX does not have a unix identity!

i searched a little bit in the source (but i'm not a real programmer).
normally there should be a message like:

  user has posixAcccount attributes

from 'get_unix_attributes' in pdb_ldap.c,
but it seems to me that this function is not invoked, because i get
nothing about posix in the logs.
and yes, the ldap entry really has posixAccount attributes like uidNumber,
gidNumber, homeDirectory, userPassword, gecos ...

i don't know how to fix this problem.
maybe someone of the core-developers can have a look at this.

thanks in advance
joerg

- --
  _/_/_/_/ _/_/_/   _/  _/  _/_/   Joerg Pulz
 _/   _/_/ _/_/  _/_/ _/   _/  TU Muenchen
_/   _/_/ _/ _/_/ _/  _/   ZWE-FRM-II
   _/_/_/   _/_/_/   _/  _/  _/ _/_/_/ Lichtenbergstrasse 1
  _/   _/_/ _/  _/_/   85747 Garching
 _/   _/  _/   _/  _/  _/  Tel.: +49 (0)89-289-14708
_/   _/_/ _/  _/ _/_/_/_/  Fax : +49 (0)89-289-14666
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+djevSPOsGF+KA+MRApzmAJ9cnBCEmqZhR1PHjL5+OG630GDxtgCeN25Y
klDwFe/2O9iOotfHmN/M9EA=
=NzYR
-END PGP SIGNATURE-



Problem in listing print drivers in WinXP

2003-03-17 Thread Sanjay . Wangoo

Hi,

I am facing a strange problem with Windows XP
and samba 2.2.7a. Everything was working just fine
with Win2000, but with WinXP I am not able to see the
list of drivers that I already installed with Win2000.
So if I look at the printer properties of any printer on the samba server
(from My Network Places) they show only the driver associated with
that particular printer but not the complete list of drivers.
I have the printer name entry in the printcap file.

Also I am not able to upload a new driver to the printer share
on the samba server, as the New Driver option in the Advanced tab
of the spooler properties is disabled, unless I change
"show add printer wizard = No" to "show add printer wizard = yes".
Actually I do not want to create printers from the windows add printer
wizard. I create them manually or through my scripts and allow only the
upload driver feature from windows clients (WinXP/2k/9x/Me).

I posted this to [EMAIL PROTECTED] earlier in order to find the answer
without disturbing the Samba team, but I received no response, so now I'm
bothering you.

Thanks for your help.
-Sanjay

Following is the result from testparm.

Load smb config files from /usr/local/config/current/smb.conf
Processing section [print$]
Processing section [share]
Processing section [printers]
Processing section [DQ]
Loaded services file OK.
Press enter to see a dump of your service definitions
# Global parameters
[global]
  coding system =
  client code page = 850
  code page directory = /usr/local/resources/codepages
  workgroup = myworkgroup
  netbios name = printserver
  netbios aliases =
  netbios scope =
  server string = Print Server
  interfaces = eth0 127.0.0.1
  bind interfaces only = Yes
  security = USER
  encrypt passwords = Yes
  update encrypted = No
  allow trusted domains = Yes
  hosts equiv =
  min passwd length = 5
  map to guest = Never
  null passwords = No
  obey pam restrictions = No
  password server =
  smb passwd file = /usr/local/private/smbpasswd
  root directory =
  pam password change = No
  passwd program = /usr/bin/passwd
  passwd chat = *new*password* %n\n *new*password* %n\n *changed*
  passwd chat debug = No
  username map = /etc/samba/smbusers
  password level = 0
  username level = 0
  unix password sync = No
  restrict anonymous = No
  lanman auth = Yes
  use rhosts = No
  admin log = No
  log level = 3
  syslog = 1
  syslog only = No
  log file = /var/samba/[EMAIL PROTECTED]
  max log size = 5000
  timestamp logs = Yes
  debug hires timestamp = No
  debug pid = No
  debug uid = No
  protocol = NT1
  large readwrite = Yes
  max protocol = NT1
  min protocol = CORE
  read bmpx = No
  read raw = Yes
  write raw = Yes
  nt smb support = Yes
  nt pipe support = Yes
  nt status support = Yes
  announce version = 4.9
  announce as = NT
  max mux = 50
  max xmit = 16644
  name resolve order = lmhosts host wins bcast
  max ttl = 259200
  max wins ttl = 518400
  min wins ttl = 21600
  time server = No
  unix extensions = No
  change notify timeout = 60
  deadtime = 0
  getwd cache = Yes
  keepalive = 300
  lpq cache time = 10
  max smbd processes = 0
  max disk size = 0
  max open files = 1
  name cache timeout = 660
  read size = 16384
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  stat cache size = 50
  use mmap = Yes
  total print jobs = 0
  load printers = Yes
  printcap name = %$(PRINTCAP)
  disable spoolss = No
  enumports 

Re: ldapsam_nua and SAMBA_3_0 CVS

2003-03-17 Thread Andrew Bartlett
On Tue, 2003-03-18 at 08:01, [EMAIL PROTECTED] wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 hi,
 
 i tried a lot of things with the current SAMBA_3_0 today.
 everything is working fine, except, the ldapsam_nua passdb backend.
 
 i've all accounts in the ldap tree and i want to provide 2 machines
 running FreeBSD. one is to be the PDC and one the BDC and nothing
 more. no writing or reading of files only the domain logons.
 the disadvantage is, that nss_ldap still isn't working with FreeBSD.
 
 so i need the ldapsam_nua because i don't want to use NIS or want to put
 all accounts to the local files too.
 
 now i'm a little bit confused because everything i tried ends up with the
 following message:
 
 auth/auth_util.c:get_user_groups_from_local_sam(687)
   user XXX does not have a unix identity!

NUA accounts are a real hack, and are only suitable for use with
machines - we need to get the group list for domain logins, and that
comes from getgrouplist().

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net




cvs updating failure

2003-03-17 Thread David Bear
sorry to be stupid on cvs -- it's always worked as documented on the
web site.. but now it's not.

after I do

$cvs -d :pserver:[EMAIL PROTECTED]:/cvsroot login

$ cvs update -d -P
? source/myconf.sh
cvs server: Updating .
P Manifest
cvs [update aborted]: cannot open .new.Manifest: Permission denied

Was trying to get current 2.2.x in order to fix new buffer overflow
issue.  

what am I doing wrong?

-- 
David Bear
College of Public Programs/ASU
Mail Code 0803


ldap delete user?

2003-03-17 Thread Volker Lendecke

Hi!

While looking at HEAD / ldapsam_delete_sam_account a bit closer I
found that we completely delete the user. Would it not be better just
to remove the samba-specific attributes and let the 'delete user
script' do the rest? Hmm. srv_samr_nt.c works the other way
round... Has anybody ever tried this?

Volker




[PATCH] groups in ldap

2003-03-17 Thread Volker Lendecke

Hi!

Here's my first attempt at putting the group mapping into ldap. It
should apply to HEAD.

Comments? Especially the schema might be discussed, this is my very
first attempt at LDAP schema design.

Volker

P.S.: smbgroupedit *really* needs to be rewritten :-)


Index: examples/LDAP/samba.schema
===
RCS file: /data/cvs/samba/examples/LDAP/samba.schema,v
retrieving revision 1.9
diff -u -r1.9 samba.schema
--- examples/LDAP/samba.schema  14 Jan 2003 16:03:27 -  1.9
+++ examples/LDAP/samba.schema  17 Mar 2003 22:12:24 -
@@ -111,6 +111,19 @@
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 
 ##
+## group mapping attributes
+##
+attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'ntGroupType'
+   DESC 'NT Group Type'
+   EQUALITY caseIgnoreIA5Match
+   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'ntSid'
+   DESC 'Security ID'
+   EQUALITY caseIgnoreIA5Match
+   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
+
+##
 ## The smbPasswordEntry objectclass has been depreciated in favor of the
 ## sambaAccount objectclass
 ##
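Review bot: ntGroupType is declared with SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 (Integer) but EQUALITY caseIgnoreIA5Match, which is a matching rule for IA5 strings, so a strict schema checker may reject the pair and integer comparisons through a string rule give odd results (leading zeros, ordering). Either use integerMatch with the Integer syntax, or keep caseIgnoreIA5Match and switch to the IA5 String syntax the way ntSid does two definitions further down; ntSid itself (IA5 String, {64}, SINGLE-VALUE) is consistent.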
@@ -138,6 +151,11 @@
logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ 
displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
description $ userWorkstations $ primaryGroupID $ domain ))
+
+objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
+   DESC 'Samba Group Mapping'
+   MUST ( gidNumber $ ntSid $ ntGroupType ) 
+   MAY  ( displayName $ description ))
 
 ##
 ## Used for Winbind experimentation
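Review bot: sambaGroupMapping is AUXILIARY with gidNumber in its MUST list, so it can only be attached to an entry whose structural class already supplies gidNumber (in practice a posixGroup); a line in the "group mapping attributes" comment block should say that this is the intended structural class, and the design question of whether NT groups without a POSIX counterpart are ever to be stored should be settled before the MUST is frozen, since this definition makes such entries invalid.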
Index: source/passdb/pdb_ldap.c
===
RCS file: /data/cvs/samba/source/passdb/pdb_ldap.c,v
retrieving revision 1.81
diff -u -r1.81 pdb_ldap.c
--- source/passdb/pdb_ldap.c17 Mar 2003 22:09:06 -  1.81
+++ source/passdb/pdb_ldap.c17 Mar 2003 22:12:29 -
@@ -786,8 +786,11 @@
if (attribute == NULL || *attribute == '\0')
return;
 
-   if (value == NULL || *value == '\0')
+#if 0
+   /* Why do we need this??? -- vl */
+   if (value == NULL || *value == '\0')
return;
+#endif
 
if (mods == NULL) 
{
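Review bot: wrapping the empty-value guard in #if 0 with a "Why do we need this???" comment leaves the question in the tree instead of an answer. That guard let callers pass an unset field without producing an LDAPMod with a NULL or empty value; with it gone, every caller must now guarantee value is non-NULL, or the list gains an add/replace mod with no values that the server will reject and that any later strlen()/strdup() of value will dereference as NULL. If the intent is to allow attribute deletion (a mod with no values), express that directly, e.g. skip only when the operation is not LDAP_MOD_DELETE, and drop the dead block rather than leaving #if 0 code behind.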
@@ -1987,6 +1990,495 @@
/* No need to free any further, as it is talloc()ed */
 }
 
+static const char *group_attr[] = {gid, ntSid, ntGroupType,
+  gidNumber,
+  displayName, description,
+  NULL };
+  
+static int ldapsam_search_one_group (struct ldapsam_privates *ldap_state,
+const char *filter,
+LDAPMessage ** result)
+{
+   int scope = LDAP_SCOPE_SUBTREE;
+   int rc;
+
+   DEBUG(2, (ldapsam_search_one_group: searching for:[%s]\n, filter));
+
+   rc = ldapsam_search(ldap_state, lp_ldap_suffix (), scope,
+   filter, group_attr, 0, result);
+
+   if (rc != LDAP_SUCCESS) {
+   DEBUG(0, (ldapsam_search_one_group: 
+ Problem during the LDAP search: %s\n,
+ ldap_err2string(rc)));
+   DEBUG(3, (ldapsam_search_one_group: Query was: %s, %s\n,
+ lp_ldap_suffix(), filter));
+   }
+
+   return rc;
+}
+
+static BOOL init_group_from_ldap(struct ldapsam_privates *ldap_state,
+GROUP_MAP *map, LDAPMessage *entry)
+{
+   pstring temp;
+
+   if (ldap_state == NULL || map == NULL || entry == NULL ||
+   ldap_state-ldap_struct == NULL) {
+   DEBUG(0, (init_group_from_ldap: NULL parameters found!\n));
+   return False;
+   }
+
+   if (!get_single_attribute(ldap_state-ldap_struct, entry, gidNumber,
+ temp)) {
+   DEBUG(0, (Mandatory attribute gidNumber not found\n));
+   return False;
+   }
+   DEBUG(2, (Entry found for group: %s\n, temp));
+
+   map-gid = (uint32)atol(temp);
+
+   if (!get_single_attribute(ldap_state-ldap_struct, entry, ntSid,
+ temp)) {
+   DEBUG(0, (Mandatory attribute ntSid not found\n));
+   return False;
+   }
+   string_to_sid(map-sid, temp);
+
+   if (!get_single_attribute(ldap_state-ldap_struct, entry, ntGroupType,
+ temp)) {
+   DEBUG(0, (Mandatory attribute 
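Review bot: three points in this hunk. group_attr requests an attribute named gid, which the schema hunk above does not define (it defines gidNumber, ntSid and ntGroupType), so either drop it or add it to samba.schema. In init_group_from_ldap, map->gid = (uint32)atol(temp) accepts any string, mapping a non-numeric or negative gidNumber silently onto gid 0 or a wrapped value; parse with strtol, check the end pointer and range, and return False on a malformed directory entry instead of handing a bogus UNIX group to the caller. Likewise the return value of string_to_sid(map->sid, temp) is ignored, so a malformed ntSid leaves map->sid partly filled while the function still reports success; check it the same way the get_single_attribute results are checked.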

Re: cvs updating failure

2003-03-17 Thread Rafal Szczesniak
On Mon, Mar 17, 2003 at 03:01:38PM -0700, David Bear wrote:
 sorry to be stupid on cvs -- it's always worked as documented on the
 web site.. but now it's not.
 
 after I do
 
 $cvs -d :pserver:[EMAIL PROTECTED]:/cvsroot login
 
 $ cvs update -d -P

Why don't you checkout the source tree first, before updating ?


cheers,
-- 
 Rafal Szczesniak  mimir[at]diament.ists.pwr.wroc.pl
 Samba Team member mimir[at]samba.org
+-+
 *BSD, GNU/Linux and Samba  http://www.samba.org
+-+



Re: ldap delete user?

2003-03-17 Thread Guenther Deschner
hello volker,

On Mon, Mar 17, 2003 at 11:08:09PM +0100, Volker Lendecke wrote:
 Hi!
 
 While looking at HEAD / ldapsam_delete_sam_account a bit closer I
 found that we completely delete the user. Would it not be better just
 to remove the samba-specific attributes and let the 'delete user
 script' do the rest? Hmm. srv_samr_nt.c works the other way
 round... Has anybody ever tried this?

no. but SuSE ships a diff for 2_2 for quite some time now with another
smb.conf option that helps users not to delete their posix-account by
coincidence.

thanks,
guenther

-- 
Guenther Deschner [EMAIL PROTECTED]
SuSE Linux AG          GnuPG: 8EE11688
Berliner Str. 27  phone:  +49 (0) 30 / 430944778
D-13507 Berlin   fax:  +49 (0) 30 / 43732804
--- source/include/proto.h
+++ source/include/proto.h  2002/05/13 10:58:13
@@ -1965,6 +1965,7 @@
 char *lp_ldap_admin_dn(void);
 int lp_ldap_port(void);
 int lp_ldap_ssl(void);
+BOOL lp_ldap_del_only_sam(void);
 char *lp_add_share_cmd(void);
 char *lp_change_share_cmd(void);
 char *lp_delete_share_cmd(void);
--- source/param/loadparm.c
+++ source/param/loadparm.c 2002/05/13 10:34:46
@@ -215,6 +215,7 @@
 #ifdef WITH_LDAP_SAM
int ldap_port;
int ldap_ssl;
+   BOOL ldap_del_only_sam;
char *szLdapServer;
char *szLdapSuffix;
char *szLdapFilter;
@@ -1033,6 +1034,7 @@
{ldap filter, P_STRING, P_GLOBAL, Globals.szLdapFilter, NULL, NULL, 0},
{ldap admin dn, P_STRING, P_GLOBAL, Globals.szLdapAdminDn, NULL, NULL, 0},
{ldap ssl, P_ENUM, P_GLOBAL, Globals.ldap_ssl, NULL, enum_ldap_ssl, 0},
+   {ldap del only sam attr, P_BOOL, P_GLOBAL, Globals.ldap_del_only_sam, NULL, 
NULL, 0},
 #endif /* WITH_LDAP_SAM */
 
{Miscellaneous Options, P_SEP, P_SEPARATOR},
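Review bot: the new "ldap del only sam attr" parameter is added to the table, but the diff carries no smb.conf(5) documentation saying what it does (remove the sambaAccount attributes and leave the POSIX account for the delete user script) or that it defaults to off. The parameter name also differs from its accessor lp_ldap_del_only_sam() by the trailing "attr", which makes the two harder to cross-reference; pick one spelling for both.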
@@ -1418,6 +1420,7 @@
string_set(Globals.szLdapAdminDn, );
Globals.ldap_port = 636;
Globals.ldap_ssl = LDAP_SSL_ON;
+   Globals.ldap_del_only_sam = False;
 #endif /* WITH_LDAP_SAM */
 /* these parameters are set to defaults that are more appropriate
for the increasing samba install base:
@@ -1605,6 +1608,7 @@
 FN_GLOBAL_STRING(lp_ldap_admin_dn, Globals.szLdapAdminDn)
 FN_GLOBAL_INTEGER(lp_ldap_port, Globals.ldap_port)
 FN_GLOBAL_INTEGER(lp_ldap_ssl, Globals.ldap_ssl)
+FN_GLOBAL_BOOL(lp_ldap_del_only_sam, Globals.ldap_del_only_sam)
 #endif /* WITH_LDAP_SAM */
 FN_GLOBAL_STRING(lp_add_share_cmd, Globals.szAddShareCommand)
 FN_GLOBAL_STRING(lp_change_share_cmd, Globals.szChangeShareCommand)
--- source/passdb/pdb_ldap.c
+++ source/passdb/pdb_ldap.c2002/05/14 08:39:12
@@ -960,7 +960,90 @@
entry = ldap_first_entry (ldap_struct, result);
dn = ldap_get_dn (ldap_struct, entry);
 
-   rc = ldap_delete_s (ldap_struct, dn);
+   if ( lp_ldap_del_only_sam() ){
+   /* LDAP attributes that are used (and only needed) by sambaAccount */
+   char *sam_attrs[] = { lmPassword, ntPassword, pwdLastSet, 
logonTime,
+   logoffTime, kickoffTime, pwdCanChange, 
pwdMustChange, acctFlags, 
+   displayName, smbHome, homeDrive, scriptPath, 
profilePath, 
+   userWorkstations, primaryGroupID, domain, rid, 
NULL };
+   char *oc_values[] = { sambaAccount, NULL };
+   BerElement *ptr;
+   char *name = NULL;
+   int act_mod = 0;
+   LDAPMod *mods[sizeof(sam_attrs)/sizeof(char*)];
+   int i;
+
+   for(i=0; i  ( sizeof(sam_attrs)/sizeof(char*) ); i++ ){
+   mods[i] = NULL;
+   }
+   DEBUG (3, (Deleting only SAM attributes\n));
+   /* Find out which attributes from the list above have to be deleted */
+   for( name = ldap_first_attribute( ldap_struct, entry, ptr ); name != 
NULL;
+   name = ldap_next_attribute( ldap_struct, entry, ptr ) ){
+   char **act_attr = NULL;
+   for( act_attr = sam_attrs; *act_attr != NULL; act_attr++ ){
+   /* if an attribute is in the above list AND actually 
set in the entry, put it 
+  into the LDAPMod-Array */ 
+   if(strcmp(*act_attr, name) == 0){
+   DEBUG (10, (DelAttr %s\n, name));
+   mods[act_mod] = (LDAPMod*) 
malloc(sizeof(LDAPMod));
+   if(! mods[act_mod] ){
+   DEBUG(0, (pdb_delete_sam_account: out 
of memory!\n));
+   if( name ){
+   ldap_memfree(name);
+   name = NULL;
+
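Review bot: the attribute match in the inner loop uses strcmp() against names returned by ldap_first_attribute()/ldap_next_attribute(), but LDAP attribute descriptions are case-insensitive and a server may return them in stored or normalised case (lmpassword, pwdlastset), in which case the compare silently misses the attribute and the password hashes stay in the entry. Use StrCaseCmp() or strcasecmp(). Also, mods[] is sized sizeof(sam_attrs)/sizeof(char*), i.e. 18 attribute names plus the NULL slot; if oc_values is later appended as one more LDAPMod removing the sambaAccount objectClass, as its declaration suggests, an entry carrying all 18 attributes needs 19 mods plus a terminating NULL and the array is one slot short. Building the list through the existing make_a_mod() helper (named elsewhere in this thread) would also remove the per-attribute malloc/free bookkeeping that the out-of-memory path is wrestling with here.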

Re: winbind vs. pam/nss alternatives

2003-03-17 Thread Luke Howard

3) Could winbind easily handle some of the nss lookups via ldap ala rfc
2307 schema (if it matters anymore - it is just an experimental RFC) as a

While there are probably more domain controllers than RFC 2307-compliant 
LDAP servers, it is the de facto LDAP nameservice schema for the UNIX
platform, and is thus unlikely to disappear overnight. Many large 
organisations have deployed this schema (they are our customers).

-- Luke

--
Luke Howard | PADL Software Pty Ltd | www.padl.com


Re: cvs updating failure

2003-03-17 Thread David Bear
On Mon, Mar 17, 2003 at 11:38:40PM +0100, Rafal Szczesniak wrote:
 On Mon, Mar 17, 2003 at 03:01:38PM -0700, David Bear wrote:
  sorry to be stupid on cvs -- it's always worked as documented on the
  web site.. but now it's not.
  
  after I do
  
  $cvs -d :pserver:[EMAIL PROTECTED]:/cvsroot login
  
  $ cvs update -d -P
 
 Why don't you checkout the source tree first, before updating ?

because I already have the source tree from a previous checkout that I
have been updating.

-- 
David Bear
College of Public Programs/ASU
Mail Code 0803


Re: winbind vs. pam/nss alternatives

2003-03-17 Thread Steven French
While there are probably more domain controllers than RFC 2307-compliant
LDAP servers, it is the de facto LDAP nameservice schema for the UNIX
platform, and is thus unlikely to disappear overnight. Many large
organisations have deployed this schema (they are our customers).

I agree, but was thinking about ease of use, and longer term whether we could have the logon/caching/performance intensive UID/GID caching leveraged by the four and five main alternatives (winbind already supports two) and whether the caching code for a particular pam/nss daemon was already significantly better than winbind. Seems like extending one or the other pam/nss pair could be done in theory so the client logon daemon could autodetect RFC 2307 vs. AD vs. DCE/RPC and take away some of the configuration headache of moving a machine around to different security domains in heterogeneous environments.

The other thing that seems a little unusual is the idea of using pam_ldap for authentication (on the other hand nss_ldap makes more sense to me) because intuitively it seems like I need Kerberos tickets anyway (for nfs v4 client and eventually cifs client) so why don't I just get my TGT in the pam module (ala pam_winbind or pam_kerberos) and only use nss_ldap or nss_winbind (or a convergence of the two that autosenses the server schema). The ldap client presumably prefers binding via Kerberos anyway so seems like Kerberos authentication is going to occur in any case.

Today Linux (and a few other Unix platforms) can require manual reconfiguration to switch to a different type of logon server, e.g. if an RFC 2307 server is ever replaced by Samba or Windows or vice versa even though PAM/NSS has quite a bit of flexibility. What are the implications if different users from different security domains (one Kerberized  RFC 2307 and one Samba or AD) on the same physical client

I don't know how easily RFC 2307 could be reconciled with ActiveDirectory on the OpenLDAP side to make the issue on the client almost moot, but in the meantime.

Steve French
Senior Software Engineer
Linux Technology Center - IBM Austin
phone: 512-838-2294
email: [EMAIL PROTECTED]



Re: winbind vs. pam/nss alternatives

2003-03-17 Thread Luke Howard

I agree, but was thinking about ease of use, and longer term whether we could have the logon/caching/performance intensive UID/GID caching leveraged by the four and five main alternatives (winbind already supports two) and whether the caching code for a particular pam/nss daemon was already significantly better than winbind.

We have always argued that caching of nameservice information should be 
performed by a provider-agnostic mechanism, such as nscd. We agree that
the existing implementation of nscd is flawed in that it does not cache
enumerations, and to that end we suggest that one may run a caching LDAP
proxy on each client machine and have nss_ldap communicate with it via
domain sockets (ldapi://).

Seems like extending one or the other pam/nss pair could be done in theory so the client logon daemon could autodetect RFC 2307 vs. AD vs. DCE/RPC and take away some of the configuration headache of moving a machine around to different security domains in heterogeneous environments.

As I see it, daemon architecture notwithstanding, winbindd and nss_ldap
cater to different problem spaces. That could change if winbindd supported
RFC 2307, admittedly.

The other thing that seems a little unusual is the idea of using pam_ldap for authentication (on the other hand nss_ldap makes more sense to me) because intuitively it seems like I need Kerberos tickets anyway (for nfs v4 client and eventually cifs client) so why don't I just get my TGT in the pam module (ala pam_winbind or pam_kerberos) and only use nss_ldap or nss_winbind (or a convergence of the two that autosenses the server schema). The ldap client presumably prefers binding via Kerberos anyway so seems like Kerberos authentication is going to occur in any case.

Not everyone uses Kerberos; particularly on UNIX, the deployment cost for a
long time has been quite high (no integrated directory and authentication
server, perceived complexity, etc), and many organisations have chosen to
deploy LDAP-based authentication solutions. I for a long time argued that
LDAP was not an authentication protocol, and that a pam_ldap module should
not exist, but in the end there was a demonstrable need for such a module.

Today Linux (and a few other Unix platforms) can require manual reconfiguration to switch to a different type of logon server, e.g. if an RFC 2307 server is ever replaced by Samba or Windows or vice versa even though PAM/NSS has quite a bit of flexibility. What are the implications if different users from different security domains (one Kerberized  RFC 2307 and one Samba or AD) on the same physical client

As long as you can avoid namespace collision, there is no problem with this.
Of course, avoiding namespace collision is difficult without a hierarchical
namespace, and thus requires some administrative collusion.

I don't know how easily RFC 2307 could be reconciled with ActiveDirectory on the OpenLDAP side to make the issue on the client almost moot, but in the meantime.

There are schema conflicts between RFC 2307 and Active Directory. Microsoft
chose to resolve this in their Services for UNIX product by renaming some
attributes and object classes (moreso in subsequent versions). We have had
to address similar issues in our domain controller implementation, albeit
less aggressively.

-- Luke

--
Luke Howard | PADL Software Pty Ltd | www.padl.com


security patches for latest vul for 2.0.10

2003-03-17 Thread tony shepherd
Folks

I know 2.0.10 is *old*, but we are still using it internally (we have 
simple needs and it provides them nicely).  Are there patches available 
that we can apply to the 2.0.10 code that will address the latest security 
vul?  It mentioned in the advisory to ask here for th

I know we have to upgrade to the latest code stream, but I would prefer not 
to do that in a rush (which is what we have to do here).

thanks

tony


Re: 2.2.8 compile problem

2003-03-17 Thread Martin Pool
On 17 Mar 2003, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 checking whether to use included popt... ./popt
 
 
 checking configure summary... configure: error: summary failure. 
 Aborting config

Have a look in config.log.  If you can't work out what's wrong from
that, post the *relevant* sections to the [EMAIL PROTECTED] users
list.

-- 
Martin 


overmalloc_safe_strcpy?

2003-03-17 Thread Martin Pool
For developer mode, this seems to be the same as safe_strcpy: we
clobber the specified region at runtime.  Otherwise, it skips the
static CHECK_STRING_SIZE call.

I think this is meant to allow you to call it passing the address of
an array whose size is less than the maxlength passed to safe_strcpy.
CHECK_STRING_SIZE would normally trap on this because it expects
either a string pointer, or an exact fit?

Is that right?  If so I'll add a comment to this effect -- and perhaps
a plea not to use it in new code.

-- 
Martin 


Re: overmalloc_safe_strcpy?

2003-03-17 Thread Andrew Bartlett
On Tue, Mar 18, 2003 at 04:11:23PM +1100, Martin Pool wrote:
 For developer mode, this seems to be the same as safe_strcpy: we
 clobber the specified region at runtime.  Otherwise, it skips the
 static CHECK_STRING_SIZE call.
 
 I think this is meant to allow you to call it passing the address of
 an array whose size is less than the maxlength passed to safe_strcpy.
 CHECK_STRING_SIZE would normally trap on this because it expects
 either a string pointer, or an exact fit?
 
 Is that right?  If so I'll add a comment to this effect -- and perhaps
 a plea not to use it in new code.

Correct.  The only user is nmbd now - because I changed the stat cache
to use pointers into the overmalloc()ed buffer.  

It's a pity that we can't tell what's behind a pointer, but it's a 
start. :-)

Andrew Bartlett
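The mechanism Martin describes and Andrew confirms, written out as a stand-alone illustration (this is added example code, not Samba's safe_string.h): a bounded copy that poisons its destination in developer fashion, a compile-time check keyed on sizeof(dest) that refuses an array whose size does not match the stated maximum, and an unchecked "overmalloc" variant for a trailing array whose declared size understates the real allocation. All names here (bounded_strcpy_fn, SAFE_STRCPY, OVERMALLOC_SAFE_STRCPY, struct name_rec) are invented for the example.

```c
#include <stdlib.h>
#include <string.h>

#define CLOBBER_BYTE 0xf1   /* poison written over dest before every copy */

/* True when dest is neither an exactly fitting array nor a bare pointer
 * (for a pointer, sizeof says nothing about the buffer, so it is accepted). */
#define CHECK_STRING_SIZE(d, len) \
    (sizeof(d) != (len) && sizeof(d) != sizeof(char *))

/* Compile-time assertion usable inside an expression: a false condition
 * gives a negative array size, and the translation unit fails to build. */
#define STATIC_CHECK(cond) ((void)sizeof(char[1 - 2 * !(cond)]))

/* Copy at most maxlength bytes of src into dest and NUL-terminate; dest
 * must hold maxlength + 1 bytes. Returns bytes copied, or -1 if dest is NULL. */
static int bounded_strcpy_fn(char *dest, const char *src, size_t maxlength)
{
    size_t len;

    if (dest == NULL)
        return -1;
    /* Developer-mode behaviour: clobber the whole region first, so a caller
     * that later reads past the terminator sees garbage, not stale data. */
    memset(dest, CLOBBER_BYTE, maxlength + 1);
    if (src == NULL) {
        *dest = '\0';
        return 0;
    }
    len = strlen(src);
    if (len > maxlength)
        len = maxlength;            /* truncate rather than overrun */
    memmove(dest, src, len);
    dest[len] = '\0';
    return (int)len;
}

/* Checked form: will not compile if dest is an array of any size other
 * than maxlength + 1. */
#define SAFE_STRCPY(d, s, max) \
    (STATIC_CHECK(!CHECK_STRING_SIZE((d), (max) + 1)), \
     bounded_strcpy_fn((d), (s), (max)))

/* Unchecked form: same runtime copy, static check skipped on purpose. */
#define OVERMALLOC_SAFE_STRCPY(d, s, max) bounded_strcpy_fn((d), (s), (max))

/* Runtime mirror of CHECK_STRING_SIZE, so the rule can be exercised. */
int check_string_size_would_trap(size_t sizeof_dest, size_t maxlength)
{
    return sizeof_dest != maxlength + 1 && sizeof_dest != sizeof(char *);
}

/* Exact-fit local array: sizeof(buf) == 15 + 1, so the static check passes;
 * longer inputs are truncated to 15 bytes. The 16-byte result goes to out. */
int copy_with_exact_fit(const char *src, char *out)
{
    char buf[16];
    int n = SAFE_STRCPY(buf, src, 15);
    memcpy(out, buf, sizeof(buf));
    return n;
}

struct name_rec {
    int id;
    char name[4];   /* declared small; the allocation below is larger */
};

/* Over-allocated record: SAFE_STRCPY(rec->name, src, 31) would not compile
 * (sizeof(rec->name) is 4, not 32), so the unchecked variant is the only
 * way to use the extra space, and the caller alone guarantees it exists. */
struct name_rec *make_rec(const char *src)
{
    struct name_rec *rec = malloc(sizeof(*rec) + 32);
    if (rec == NULL)
        return NULL;
    rec->id = 1;
    OVERMALLOC_SAFE_STRCPY(rec->name, src, 31);
    return rec;
}
```

Swapping `OVERMALLOC_SAFE_STRCPY` for `SAFE_STRCPY` in make_rec reproduces the build failure Martin describes, which is why the unchecked variant exists and why its callers deserve a comment.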


Re: ldap delete user?

2003-03-17 Thread Andrew Bartlett
On Tue, 2003-03-18 at 09:08, Volker Lendecke wrote:
 
 Hi!
 
 While looking at HEAD / ldapsam_delete_sam_account a bit closer I
 found that we completely delete the user. Would it not be better just
 to remove the samba-specific attributes and let the 'delete user
 script' do the rest? Hmm. srv_samr_nt.c works the other way
 round... Has anybody ever tried this?

It very much depends on your point of view - is Samba a tacked on part
of the rest of the world, or the whole world with other stuff tacked
onto us?  

I think we probably should make it an option - I like the idea that the
delete will be atomic - ie no race between deleting the user in pdb_ldap
and the delete user script running.

By default we should probably just remove the Samba entries.  There was
a similar discussion on the samba-tng mailing lists a few months back.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net




Re: ldap delete user?

2003-03-17 Thread Volker Lendecke
Hi, Guenther!

On Tue, Mar 18, 2003 at 12:17:21AM +0100, Guenther Deschner wrote:
 no. but SuSE ships a diff for 2_2 for quite some time now with another
 smb.conf option that helps users not to delete their posix-account by
 coincidence.

Why don't you use the make_a_mod function?

Volker

