sid/guid-conversion in ads

2003-03-18 Thread Guenther Deschner
hello,

sorry for being off-topic but has anyone ever managed to work with the
LDAP_SERVER_EXTENDED_DN_OID Control in active directory? according to the
sdk this control should do all sid_to_string conversions on the server side
and thus extend the distinguishedName (something i need in an
openldap/ads-synchronisation project) with string-representations of SID
and GUID.

i tried advanced server sp1 and sp2 without any luck. i could not even get
any conversion done with that control natively with ldp.exe.

thanks for any help,
guenther

the msdn documentation:
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ldap/ldap_server_extended_dn_oid.asp)
-- 
Guenther Deschner [EMAIL PROTECTED]
SuSE Linux AG   GnuPG: 8EE11688
Berliner Str. 27  phone:  +49 (0) 30 / 430944778
D-13507 Berlin   fax:  +49 (0) 30 / 43732804


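As an added example (not from the original post, nor Samba or Microsoft code), here is what the client ends up doing when the control does not cooperate: decoding binary objectSid and objectGUID values to their string forms, building a SID back from its string, splitting the domain SID from the RID, and parsing the `<GUID=...>;<SID=...>;DN` value that LDAP_SERVER_EXTENDED_DN_OID returns (hex-encoded binary with flag 0, string form with flag 1). The GUID, SIDs and DN used in the sample are constructed test data; the well-known RID table is the standard one (512/513/514).

```python
import struct
import uuid

# Well-known RIDs of the built-in domain groups. A RID is the last
# sub-authority of a SID; it is not a Unix gid.
WELL_KNOWN_GROUP_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}


def sid_to_string(blob):
    """Decode a binary SID (objectSid) to 'S-1-5-21-...' form.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then count 32-bit little-endian
    sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def string_to_sid(text):
    """Inverse of sid_to_string; rejects anything that is not 'S-r-a[-s...]'."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_rid(sid_text):
    """Split 'S-1-5-21-a-b-c-513' into the domain SID and the RID 513."""
    domain, _, rid = sid_text.rpartition("-")
    return domain, int(rid)


def guid_to_string(blob):
    """objectGUID stores the first three GUID fields little-endian."""
    if len(blob) != 16:
        raise ValueError("GUID must be 16 bytes")
    return str(uuid.UUID(bytes_le=blob))


def parse_extended_dn(value):
    """Parse a DN as returned under LDAP_SERVER_EXTENDED_DN_OID
    (1.2.840.113556.1.4.529): '<GUID=...>;<SID=...>;DN'. With flag 0 the
    GUID and SID are hex-encoded binary, with flag 1 they are strings;
    both are normalised to string form here. The SID part is only present
    for objects that have one."""
    out = {}
    rest = value
    while rest.startswith("<") and ">" in rest:
        end = rest.index(">")
        key, _, val = rest[1:end].partition("=")
        out[key] = val
        rest = rest[end + 1:].lstrip(";")
    out["dn"] = rest
    if "SID" in out and not out["SID"].startswith("S-"):
        out["SID"] = sid_to_string(bytes.fromhex(out["SID"]))
    if "GUID" in out and "-" not in out["GUID"]:
        out["GUID"] = guid_to_string(bytes.fromhex(out["GUID"]))
    return out


if __name__ == "__main__":
    # Constructed sample: flag-0 style extended DN for the well-known
    # LocalSystem SID S-1-5-18 with a made-up GUID.
    sample = ("<GUID=00112233445566778899aabbccddeeff>;"
              "<SID=010100000000000512000000>;CN=SYSTEM,CN=Users,DC=example,DC=com")
    print(parse_extended_dn(sample))
    domain, rid = split_rid("S-1-5-21-2127521184-1604012920-1887927527-513")
    print(domain, rid, WELL_KNOWN_GROUP_RIDS.get(rid))
```

The same split_rid() call is what tells a sambaAccount's primaryGroupID apart from a gidNumber: 513 is the Domain Users RID relative to the domain SID, not a Unix group id.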


Re: [PATCH] groups in ldap

2003-03-18 Thread Simo Sorce
I have to object to this code sorry.

We need group handling in ldap for sure, but not group mapping (mapping
should be a very secondary part of group support, like username map for
users).

Using the group mapping approach will make it very hard for us to upgrade
to the right way in the future.

Simo.

On Tue, 2003-03-18 at 07:58, Andrew Bartlett wrote:
 On Tue, 2003-03-18 at 09:14, Volker Lendecke wrote:
  
  Hi!
  
  Here's my first attempt at putting the group mapping into ldap. It
  should apply to HEAD.
  
  Comments? Especially the schema might be discussed, this is my very
  first attempt at LDAP schema design.
 
 Well, on a 30-second reading, I have to say it looks good!
 
 Thanks for putting the time into this,
 
 Andrew Bartlett
-- 
Simo Sorce - [EMAIL PROTECTED]
Xsec s.r.l. - http://www.xsec.it
via Durando 10 Ed. G - 20158 - Milano
mobile: +39 329 328 7702
tel. +39 02 2399 7130 - fax: +39 02 700 442 399




Re: [PATCH] groups in ldap

2003-03-18 Thread Volker Lendecke

 Using the group mapping approach will make very hard for us to upgrade
 to the right way in future.

What kind of schema would you prefer to put groups into LDAP in a
compatible way?

Volker



Re: [PATCH] groups in ldap

2003-03-18 Thread Simo Sorce
A schema similar to the one used for users, so that you can create
groups, with groups members, and optionally a field for gid mapping
perhaps.

The point is that we should separate firmly the SID-UGID mapping into
a separate thing, and group/users should have only SIDs.

IDMAP will think of mapping the whole thing, and on (file) systems that
may support SIDs directly IDMAP will probably be completely bypassed and
will not exist.

Simo.

On Tue, 2003-03-18 at 10:30, Volker Lendecke wrote:
 
  Using the group mapping approach will make very hard for us to upgrade
  to the right way in future.
 
 What kind of schema would you prefer to put groups into LDAP in a
 compatible way?
 
 Volker
 
-- 
Simo Sorce - [EMAIL PROTECTED]
Xsec s.r.l. - http://www.xsec.it
via Durando 10 Ed. G - 20158 - Milano
mobile: +39 329 328 7702
tel. +39 02 2399 7130 - fax: +39 02 700 442 399




Re: [PATCH] groups in ldap

2003-03-18 Thread Simo Sorce
On Tue, 2003-03-18 at 10:47, Volker Lendecke wrote:
 
  A schema similar to the one used for users, 
 
 But if you look at sambaAccount, it firmly ties 'uid' with 'rid',
 which conflicts with your point below.

Yes, I know :-( 

  so that you can create groups, with groups members, and optionally a
  field for gid mapping perhaps.
 
 You want a memberSid that can occur multiple times?

random thoughts:

That's a good point. I would say yes, but I know this will be useful for
samba only, or through winbindd.

In my opinion a PDC should use winbindd locally and provide groups
functionality.

I also know that will not work nicely if you do not want to use winbindd
locally, as you will be required to make groups have same members for
local machine and samba. But at that point you can simply go on with the
current way. We may also use a switch in the conf to tell samba which of
the 2 (passdb or system) to look for group membership until the new code
is ready.

Simo.

-- 
Simo Sorce - [EMAIL PROTECTED]
Xsec s.r.l. - http://www.xsec.it
via Durando 10 Ed. G - 20158 - Milano
mobile: +39 329 328 7702
tel. +39 02 2399 7130 - fax: +39 02 700 442 399




Re: [PATCH] groups in ldap

2003-03-18 Thread Volker Lendecke

  But if you look at sambaAccount, it firmly ties 'uid' with 'rid',
  which conflicts with your point below.
 
 No, it doesn't.  'uid' is 'username' in ldap-speak.

Yes, I know. And I meant it this way. I only assumed that under Unix
we have a one-to-one mapping between username and numeric uid.

 We should not store the 'gid' as part of SambaGroup.  That really is
 idmap's problem (which might refer back to exactly the same record - but
 they need to be conceptually separated).

We need a STRUCTURAL object to attach to. Should we make the
sambaGroupMapping structural? This would make it stand-alone, but we
could then not tie it to a posixGroup. If we make it AUXILIARY, we
need another STRUCTURAL object to attach to. Which one?

Volker



Re: [PATCH] groups in ldap

2003-03-18 Thread Andrew Bartlett
On Tue, 2003-03-18 at 21:18, Volker Lendecke wrote:
 
   But if you look at sambaAccount, it firmly ties 'uid' with 'rid',
   which conflicts with your point below.
  
  No, it doesn't.  'uid' is 'username' in ldap-speak.
 
 Yes, I know. And I meant it this way. I only assumed that under Unix
 we have a one-to-one mapping between username and numeric uid.
 
  We should not store the 'gid' as part of SambaGroup.  That really is
  idmap's problem (which might refer back to exactly the same record - but
  they need to be conceptually separated).
 
 We need a STRUCTURAL object to attach to. Should we make the
 sambaGroupMapping structural? This would make it stand-alone, but we
 could then not tie it to a posixGroup. If we make it AUXILIARY, we
 need another STRUCTURAL object to attach to. Which one?

Why not both?

ie, have a 'structural' that contains nothing, and hang the 'real' class
off that if we don't have anything else to hang it off.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net




Compilation problem : Samba 2.2.8 ACL on Debian Woody

2003-03-18 Thread Sebastien Munch
Hello.



Samba 2.2.8 with ACL support on Debian Woody won't compile, and I
haven't found why. Searched for hours, asked on #samba-technical
(freenode), but no solution...



Versions :

Debian Woody r1 ( security upgrades)
Samba 2.2.8 (the same problem occurred with 2.2.7a)

Linux Kernel 2.4.20 (from ftp.kernel.org)
linux-2.4.20-xattr+acl+trusted-0.8.55.diff.gz

(Yes, I've enabled the right options; getfacl and setfacl work
perfectly)



Sid libacl & libattr:
 deb-src [...] sid [...]  sources.list

 apt-get source -b attr
 dpkg -i libattr1*.deb
 apt-get source -b acl
 dpkg -i libacl1*.deb acl*.deb

I use the Sid libraries because Samba doesn't detect ACL support with
the Woody libraries (yes, -dev installed).



Making as explained in packaging/Debian/README, with only one
difference:
I've added --with-acl-support to the debian/rules file.

When starting debian/rules binary or dpkg-buildpackage, the
./configure works well, but :


Compiling smbd/server.c
In file included from include/smb.h:463,
 from include/includes.h:683,
 from smbd/server.c:22:
include/vfs.h:111: parse error before `acl_t'
include/vfs.h:112: parse error before `acl_entry_t'
[...]
include/vfs.h:115: warning: no semicolon at end of struct or union
include/vfs.h:116: parse error before `*'
include/vfs.h:116: `acl_t' declared as function returning a function
include/vfs.h:116: warning: data definition has no type or storage class
include/vfs.h:117: parse error before `acl_permset_t'
[...]
In file included from include/includes.h:683,
 from smbd/server.c:22:
include/smb.h:481: field `vfs_ops' has incomplete type
In file included from include/includes.h:743,
 from smbd/server.c:22:
include/proto.h:852: parse error before `the_acl'
include/proto.h:853: parse error before `entry_d'
[...]
include/proto.h:858: parse error before `permset'
include/proto.h:858: `sys_acl_clear_perms' redeclared as different kind
of symbol
include/vfs.h:117: previous declaration of `sys_acl_clear_perms'
[...]



The main parts of the discussion on IRC :

<waider> acl_t and acl_entry_t should be defined in
/usr/include/sys/acl.h
<yeiazel> waider: I think they are (I don't understand C well :)

<waider> is this in config.h #define HAVE_POSIX_ACLS 1
<yeiazel> yes

<waider> hmm, seems like it should work then.



Thanks a lot for any answer...

-- 
  Sebastien Munch - Adelux
[EMAIL PROTECTED] - http://www.adelux.fr


error message.

2003-03-18 Thread Hassen Chaker
Hi,

I have installed a printer SHARP on a LAN network.
I have an HPserver 10.20 with SAMBA 2.0.6 and I have these error messages in
the nmbd logs:

[2003/03/18 18:27:22, 0] nmbd/nmbd_incomingrequests.c:(222)
  process_name_registration_request: unicast name registration request
received for name SC08954D00 from IP 10.68.1.102 on subnet UNICAST_SUBNET.
Error - should
 be sent to WINS server
[2003/03/18 18:27:27, 0] nmbd/nmbd_incomingrequests.c:(222)

Thank you for help.



Hassen CHAKER



RE: error message.

2003-03-18 Thread MCCALL,DON (HP-USA,ex1)

Sounds like someone at ip 10.68.1.102 has YOUR samba server's
ip address as its primary WINS server.
Don
 -Original Message-
 From: Hassen Chaker [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, March 18, 2003 12:43
 To: [EMAIL PROTECTED]
 Subject: error message.
 
 
  Hi,
 
 I have installed a printer SHARP on a LAN network.
  I have an HPserver 10.20 with SAMBA 2.0.6 and I have these error messages in
  the nmbd logs:
 
 [2003/03/18 18:27:22, 0] nmbd/nmbd_incomingrequests.c:(222)
   process_name_registration_request: unicast name registration request
 received for name SC08954D00 from IP 10.68.1.102 on subnet 
 UNICAST_SUBNET.
 Error - should
  be sent to WINS server
 [2003/03/18 18:27:27, 0] nmbd/nmbd_incomingrequests.c:(222)
 
 Thank you for help.
 
 
 
 Hassen CHAKER
 


Re: error message.

2003-03-18 Thread Christopher R. Hertel
I think that this is a simple misconfiguration.  Something to be handled 
on the [EMAIL PROTECTED] list, not on the samba-technical list (which is for 
detailed developer discussion).

Also, version 2.0.6 is *way* out of date.  2.2.8 is the current production 
release.

It appears that the problem is that node SC08954D at IP address
10.68.1.102 thinks that your Samba server is the WINS server.  If you have
not configured Samba to be the WINS server, then node SC08954D is probably 
misconfigured, and is sending name registrations to the wrong system.

Chris -)-

On Tue, Mar 18, 2003 at 06:43:02PM +0100, Hassen Chaker wrote:
 Hi,
 
 I have installed a printer SHARP on a LAN network.
 I have an HPserver 10.20 with SAMBA 2.0.6 and I have these error messages in
 the nmbd logs:
 
 [2003/03/18 18:27:22, 0] nmbd/nmbd_incomingrequests.c:(222)
   process_name_registration_request: unicast name registration request
 received for name SC08954D00 from IP 10.68.1.102 on subnet UNICAST_SUBNET.
 Error - should
  be sent to WINS server
 [2003/03/18 18:27:27, 0] nmbd/nmbd_incomingrequests.c:(222)
 
 Thank you for help.
 
 
 
 Hassen CHAKER
 

-- 
Samba Team -- http://www.samba.org/ -)-   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)-   [EMAIL PROTECTED]
OnLineBook -- http://ubiqx.org/cifs/-)-   [EMAIL PROTECTED]
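An added example (not from the thread or from Samba) that turns the diagnosis above into a check: it parses nmbd log records, re-joining the wrapped message lines, pulls out every unicast name registration that arrived at a server which is not the WINS server, and lists the offending client IPs and NetBIOS names with their suffix. The log lines are constructed from the excerpt in the report; nmbd prints the suffix as `<00>` after the name, which the copy above lost, so the name splitter also accepts the bracket-less form.

```python
import re
from collections import defaultdict

# NetBIOS name suffixes (the <xx> byte nmbd prints after the name).
SUFFIX_MEANING = {
    0x00: "workstation service",
    0x03: "messenger service",
    0x1B: "domain master browser",
    0x1C: "domain controllers",
    0x1D: "local master browser",
    0x1E: "browser elections",
    0x20: "file server service",
}

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")
REG_RE = re.compile(
    r"unicast name registration request received for name (?P<name>\S+) "
    r"from IP (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) on subnet (?P<subnet>\S+)\. "
    r"Error - should be sent to WINS server"
)

# Constructed sample modelled on the excerpt in the thread; the real log
# wraps one message over several lines, exactly as here.
SAMPLE_LOG = """\
[2003/03/18 18:27:22, 0] nmbd/nmbd_incomingrequests.c:(222)
  process_name_registration_request: unicast name registration request
received for name SC08954D<00> from IP 10.68.1.102 on subnet UNICAST_SUBNET.
Error - should
 be sent to WINS server
[2003/03/18 18:27:27, 0] nmbd/nmbd_incomingrequests.c:(222)
  process_name_registration_request: unicast name registration request
received for name SC08954D<20> from IP 10.68.1.102 on subnet UNICAST_SUBNET.
Error - should
 be sent to WINS server
[2003/03/18 18:30:01, 0] nmbd/nmbd_incomingrequests.c:(222)
  process_name_registration_request: unicast name registration request
received for name WS-FINANCE<00> from IP 10.68.1.57 on subnet UNICAST_SUBNET.
Error - should
 be sent to WINS server
[2003/03/18 18:31:00, 3] nmbd/nmbd_packets.c:(123)
  some unrelated debug message
"""


def iter_records(text):
    """Yield (timestamp, level, source, message) per nmbd log record.

    A record starts at a '[date time, level] file:(line)' header; all lines
    up to the next header are the (wrapped) message, re-joined here."""
    header, body = None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if header:
                yield header + (" ".join(" ".join(body).split()),)
            header, body = (m.group(1), int(m.group(2)), m.group(3)), []
        elif header:
            body.append(line)
    if header:
        yield header + (" ".join(" ".join(body).split()),)


def split_netbios_name(raw):
    """'SC08954D<00>' -> ('SC08954D', 0x00). If the angle brackets were lost
    in copy-paste (the thread shows 'SC08954D00'), treat the trailing two hex
    digits as the suffix; otherwise the suffix is unknown."""
    m = re.match(r"^(.+)<([0-9A-Fa-f]{2})>$", raw)
    if m:
        return m.group(1), int(m.group(2), 16)
    if len(raw) > 2 and re.match(r"^[0-9A-Fa-f]{2}$", raw[-2:]):
        return raw[:-2], int(raw[-2:], 16)
    return raw, None


def misdirected_registrations(text):
    """Map each client IP that sends unicast registrations to this nmbd
    (i.e. has it configured as its WINS server) to the names it registered."""
    clients = defaultdict(set)
    for _ts, _level, _src, msg in iter_records(text):
        m = REG_RE.search(msg)
        if m:
            clients[m.group("ip")].add(split_netbios_name(m.group("name")))
    return dict(clients)


def report(text):
    """One line per (client, name): which hosts to go and fix."""
    lines = []
    for ip, names in sorted(misdirected_registrations(text).items()):
        for name, suffix in sorted(names, key=lambda t: (t[0], -1 if t[1] is None else t[1])):
            tag = "" if suffix is None else "<%02X> (%s)" % (
                suffix, SUFFIX_MEANING.get(suffix, "unknown suffix"))
            lines.append("%s registered %s%s: check its WINS server setting" % (ip, name, tag))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against a real log.nmb; the same client showing up with both <00> and <20> is the normal pattern for a workstation that points at the wrong WINS server.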


Re: Browsing across subnets without WINS

2003-03-18 Thread Christopher R. Hertel
On Tue, Mar 18, 2003 at 07:34:45AM -0500, David Collier-Brown -- Customer Engineering wrote:
   Guys, is this an expected behavior? Unless you have WINS
 up (which causes issues with multihomed machines), one
 seemingly cannot synchronize browse lists across subnets.

Samba's WINS does a good job of handling multi-homed systems.
Microsoft's design for multi-homed WINS entries is ugly...but it should 
work.

More...

 --dave
 
 Pedro Guedes wrote:
  Browsing across subnets is well documented on the 2 main books
  about Samba (the O'Reilly one and the John D. Blair older
  one - the first of all).
 
  I usually do not use WINS, even on W2K because
  it does not work correctly on multihomed servers.

I have heard many reports (and seen a few traces) of bugs in W2K's WINS 
implementation.

  It binds on only one interface (the primary one if one can state
  correctly which one it is - on 99% of the cases the one on the
  lowest PCI slot).

Samba's WINS can be set to bind to which ever interfaces you like.

  One can read a couple of white papers from microsoft stating
  just that, I think this is due to the NetBIOS name coupled
  to the machine in contrast to the name coupled to the IP
  interface, even in the NetBT world.

NetBIOS names are assigned to services or applications.  Not to interfaces 
or devices.  That's the way NetBIOS works.

So that's right in the sense that the NetBIOS name is never bound to the 
interface.

  What I tried to do is make samba win browse master elections
  (in subnets away from the subnet where the PDC resides - it
  always wins and without any local NT4 Backup Domain Controller
   or W2K Domain controller) based on the idea of the Unix server
  being always on-line should always take the role despite the
  presence of W98 & W2K Professional always coming and going.

Yes, but having Samba become the *local* master browser doesn't help much.

  The idea is to change browse lists with the domain master
  browser (the PDC or FSMO on W2K) so that browsing across
  subnets works for everybody.

...but the DMB can't be contacted unless you can find the name via WINS.

  In fact Samba becomes the master browser on the LAN due to
  higher values on election based on the setting os level.
  It wins over W2K Professional (the highest Windows on the LAN).

Right.

  But 
  Despite settings of  remote announce ,remote browse sync,
  entries like 192.168.5.20 ISLA#1B in lmhosts
  to talk to the PDC/FSMO (I know it says it only works with
  other samba server) what the Domain Master Browser receives
  is only the samba server itself, no neighbours listed at all.

Remote Announce sends the Samba server's announcement directly to the DMB, 
so the DMB will know about the Samba server.  That's what you are seeing.

Remote Browse Sync only works between Samba servers.

  I have, since the early samba releases, noted this behaviour.
 
  So, what I do is make W2K Professional force and win browse
  master election when it boots.
  (look at HKLM\System\CurrentControlSet\Services\Browser\ for
  the values
  MaintainServerList - yes
  IsDomaiMasterBrowser - yes
  This way browse lists always propagate correctly to the
  Domain Master Browser.
 
  This samba behaviour (or lack of it) is quite unfortunate

Samba's browsing behavior is a *superset* of Windows behavior.

  since the W2K Professionals are always coming and going making
  subnets browsing quite unstable.
 
  It is strange that the samba servers have such poor behaviour
  despite their phenomenal growth in the integration
  Unix/Windows arena.

  A little bit more could be written about this.
  If you have any suggestions they would be welcome.
  This matter truly deserves an article somewhere. In O'Reilly
  web pages, on Linux/Windows Magazines.
  Maybe a better writer than me could write a paper on it.

I am currently finishing the Browsing section of my book.  See:
  http://ubiqx.org/cifs/Browsing.html

I'll be finishing as much as I can in the next week or so.  See also:
  ftp://ftp.microsoft.com/developr/drg/CIFS/cifsbrow.txt  

...and also read the discussions of browsing parameters in the smb.conf 
manual pages.

Basically, though, Samba does a good job with browsing.  Better than many 
Windows implementations.  The key thing is that synchronising complete 
browse lists with a DMB will *not* work unless the LMBs know where to find 
the DMB.  WINS is typically the way that is done.

I don't know whether adding a #1B entry to the lmhosts file will signal
Samba that it needs to browse sync with the given entry.  If Samba is not
aware of a WINS server it *may* not try to sync with any DMBs.  *This is
pure supposition on my part.*  I don't know that part of the code as well
as I should (yet).  In any case, make sure you have lmhosts name
resolution enabled.

I *have* seen a problem with browsing between Samba and Windows systems.  
I was not able to resolve the problem at the time because it was a problem 
in a computer 

bug in ldap group stuff?

2003-03-18 Thread Ronan Waide
I'm pretty sure this /was/ working, which is why I'm posting it here
rather than to [EMAIL PROTECTED] I'm doing a net rpc vampire, using ldap as a
backend, and I have a simple add group script which creates a group in
LDAP and prints out the GID of the group it's created for samba to
hoover up. However, the primaryGroupID appears to be set to some
completely random number instead of the correct GID - for example,
this account should have a primaryGroupID of Domain Users:

dn: uid=waider,ou=People,dc=company,dc=ie
objectClass: posixAccount
objectClass: account
objectClass: sambaAccount
uidNumber: 1126
gidNumber: 1000
homeDirectory: /home/waider
uid: waider
rid: 1181
primaryGroupID: 513
displayName: Ronan Waide
cn: Ronan Waide
description: yadda
smbHome: \\srv1\waider
homeDrive: H:
profilePath: \\pdc\profiles\waider
logonTime: 1046707306
logoffTime: 1040143165
kickoffTime: 2147483647
pwdLastSet: 1044452015
acctFlags: [U  ]

But the Domain Users group entry looks like this:

dn: gid=Domain Users,ou=Group,dc=company,dc=ie
objectClass: posixGroup
cn: Domain Users
gidNumber: 1002


getent group "Domain Users" returns this:
Domain Users:x:1002:

So why is Samba setting the primaryGroupID to 513?

Cheers,
Waider.
-- 
[EMAIL PROTECTED] / Yes, it /is/ very personal of me.
if you can't live the lie, let it die/and if you can't live a life filled
 with strife/honey, just say oops/and jump through hoops/and get to the end of
 the line - FLC, Bear Hug (Come Find Yourself)


Re: bug in ldap group stuff?

2003-03-18 Thread Ronan Waide
On March 18, [EMAIL PROTECTED] said:
 So why is Samba setting the primaryGroupID to 513?

Okay, I had made two basic errors here. One is that the above is an
RID, not a GID. The second was not double-checking my scripts'
output. The groupadd script was spitting out some garbage before the
GID, which Samba was reading as GID 0 and thus disregarding. Perhaps
the code that checks this case should log a warning!

Actually, it appears there's a hole in the documentation as well; the
primary group doesn't get mapped for me because I haven't set the set
primary group script, for which there appears to be no fallback.

set primary group script understands %u and %g as user and group
respectively.

Cheers,
Waider.
-- 
[EMAIL PROTECTED] / Yes, it /is/ very personal of me.

my head's having a party right now, but I'm not there.
 - Aoife Morrison


Re: Browsing across subnets without WINS

2003-03-18 Thread Alex @ Avantel
It's been a while since I looked at this stuff but at the time, WINS 
replication was not available with samba, and there was no apparent solution 
to browsing multiple subnets when the 'workgroup' name was different on each 
subnet.  That caused a problem for use of samba in WAN VPNs as documented at;

http://www.avantel.ca/samba.html

That same problem, as far as I have been able to determine, still exists.  
Any comments/corrections/suggestions welcome.

Alex Vandenham
Avantel Systems
=

On March 18, 2003 12:51 pm, you wrote:
[...]

Re: Browsing across subnets without WINS

2003-03-18 Thread David Collier-Brown -- Customer Engineering
  Thank you, kind sir!

--dave

Christopher R. Hertel wrote:
[...]

how to patch 3.0a21 for the latest security hole?

2003-03-18 Thread Chere Zhou
I am guessing that older version of 3.0 should have the flaw patched by 2.2.8 
too.  I can not upgrade to HEAD yet.  If my 3.0a21 has the flaw, can someone 
point me to what files I need to look for a merge?

Thanks,
Chere


problem with domain joins and pdb_ldap (patch included)

2003-03-18 Thread Peter H. Ganten
Hello, 

I think I have found the following problem with 3.0alpha22 and CVS
HEAD:

- a machine account is created in the unix database (here ldap and
pam_ldap/nss_ldap).

- In smb.conf passdb backend = ldapsam unixsam is used.

- A W2K machine (with the account's name) joins the domain. 

- during joining, w2k searches for the account, finds it, asks for the
account flags and gets ACB_WSTRUST (from pdb_fill_sam_pw), which is
fine, sets the password of the machine accounts and tells us, it has
joined the domain. pdb_ldap adds sambaAccount and the passwords to the
directory object (but not acctFlags).

- After reboot, w2k says it can't find the domain or the credentials of
the machine account are wrong, because pdb_ldap returns ACB_NORMAL in
the account flags, which will make get_md4pw fail. 

- ironically: when you join the domain again, it will work, because now
pdb_ldap returns ACB_NORMAL and W2K changes that, so that it will be
written to the directory.

The attached patch does the same in pdb_ldap.c as is done in
pdb_fill_sam_pw: return ACB_WSTRUST if there is a $ at the end of the
account name.

Any feedback is welcome.

Greetings

Peter

-- 
Peter H. Ganten [EMAIL PROTECTED]
univention_ GmbH
--- ../samba-3.0alpha22.orig/source/passdb/pdb_ldap.c   2003-02-01 17:39:00.0 
+0100
+++ source/passdb/pdb_ldap.c2003-03-19 03:23:24.0 +0100
@@ -1167,15 +1167,20 @@
}
 
if (!get_single_attribute (ldap_state-ldap_struct, entry, acctFlags, temp)) 
{
-   acct_ctrl |= ACB_NORMAL;
+   if (username[strlen(username)-1] != '$') {
+   acct_ctrl |= ACB_NORMAL;
+   }
+   else {
+   acct_ctrl |= ACB_WSTRUST;
+   DEBUG(10,(setting machine trust account flag for %s\n, 
username));
+   }
} else {
acct_ctrl = pdb_decode_acct_ctrl(temp);
 
if (acct_ctrl == 0)
acct_ctrl |= ACB_NORMAL;
-
-   pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
}
+   pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
 
pdb_set_hours_len(sampass, hours_len, PDB_SET);
pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
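Review bot: the new branch indexes `username[strlen(username)-1]` without checking that `username` is non-empty, so an empty name reads one byte before the buffer; guard it, e.g. `if (*username && username[strlen(username)-1] == '$')`, and confirm that `username` is the NUL-terminated account name at this point (the hunk does not show its declaration). The heuristic also means any directory entry lacking acctFlags whose name ends in '$' is treated as a machine trust account on every read; the description above already notes that pdb_ldap never writes acctFlags at join time, and storing ACB_WSTRUST explicitly when the account is updated would remove the need to infer it from the name. Moving `pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);` below the if/else is correct, since the flags computed in the no-acctFlags branch were previously never passed to it.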


using apt-get to update samba

2003-03-18 Thread David Bear
I am using redhat 7.3 and was hoping some 'maintainer god' somewhere
was packaging samba with the latest security fix.  So I used red
carpet on one system, and apt-get update on another to update to samba
2.2.8 (I think this was the version with the security patch in it).

Well, apt-get and redcarpet both ran and updated me to

Get:2 http://apt.freshrpms.net redhat/7.3/en/i386/updates samba-common
2.2.7-2.7.3 [2420kB]
Get:3 http://apt.freshrpms.net redhat/7.3/en/i386/updates samba
2.2.7-2.7.3 [2577kB]
Get:4 http://apt.freshrpms.net redhat/7.3/en/i386/updates file
3.39-8.7x [176kB]
Get:5 http://apt.freshrpms.net redhat/7.3/en/i386/updates samba-client
2.2.7-2.7.3 [1950kB]

I'm confused.  Are these patched samba with the latest security fixes?

-- 
David Bear
College of Public Programs/ASU
Mail Code 0803


Re: rd /s, can't find the file specified (internal reference b1996)

2003-03-18 Thread jra
On Sun, Mar 16, 2003 at 06:47:44PM +0200, Nir Soffer wrote:
 
 Following up to myself, reproducing this is apparently even simpler than I thought - 
 simply do a:
 
 touch nir test test
 
 and try to delete it from a DOS command line. It will fail.
 
 nirtest123456 fails as well, but nirtest12345 so it seems to be filename size 
 related. 13 characters won't work and 12 will. Perhaps it's because something is 
 geared towards 8 characters, a dot, and 3 characters somewhere along the line?
 
 Needless to say, it works fine on w2k shares...

I can't reproduce this at all on a recent (CVS) build
of SAMBA_3_0. Can you give me more details on *exactly*
how you reproduce it please ?

Jeremy.


RE: rd /s, can't find the file specified (internal reference b1996)

2003-03-18 Thread Marc Kaplan
I've tried this also, and I can't reproduce it on HEAD, 3.0alpha-17 or
3.0alpha-19

-Marc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 18, 2003 6:44 PM
To: Nir Soffer
Cc: [EMAIL PROTECTED]
Subject: Re: rd /s, can't find the file specified (internal reference
b1996)


On Sun, Mar 16, 2003 at 06:47:44PM +0200, Nir Soffer wrote:
 
 Following up to myself, reproducing this is apparently even simpler than I
thought - simply do a:
 
 touch nir test test
 
 and try to delete it from a DOS command line. It will fail.
 
 nirtest123456 fails as well, but nirtest12345 so it seems to be filename
size related. 13 characters won't work and 12 will. Perhaps it's because
something is geared towards 8 characters, a dot, and 3 characters somewhere
along the line?
 
 Needless to say, it works fine on w2k shares...

I can't reproduce this at all on a recent (CVS) build
of SAMBA_3_0. Can you give me more details on *exactly*
how you reproduce it please ?

Jeremy.


Re: Browsing across subnets without WINS

2003-03-18 Thread Christopher R. Hertel
Alex @ Avantel wrote:
 
 It's been a while since I looked at this stuff but at the time, WINS
 replication was not available with samba, and there was no apparent
 solution to browsing multiple subnets when the 'workgroup' name was
 different on each subnet.  That caused a problem for use of samba in WAN
 VPNs as documented at;
 
 http://www.avantel.ca/samba.html
 
 That same problem, as far as I have been able to determine, still exists.
 Any comments/corrections/suggestions welcome.

The first comment/correction/suggestion is that there needs to be a *lot*
better understanding of the workings of the NBT namespace.

You don't need WINS replication (but JF has been working on it).  WINS
replication simply means that you have two WINS servers with the same data.
That gives you redundancy, but that's all.

So how does redundancy help with browsing?  It doesn't.

As for the workgroup name being different on each subnet...  That's the way
Browsing works.  Really.  Promise.

As for the workgroup name being different on different subnets... combining
browse lists from multiple workgroups has *nothing* to do with WINS
replication.  With Windows, the only way that the browse list for workgroup
A gets combined with the browselist for workgroup B is if there is a subnet
somewhere that has a Local Master Browser for A *and* an LMB for B on the
same subnet.  Browselists from separate workgroups are combined when the
LMBs on a subnet exchange information.  Those combined lists are then
uploaded to the DMBs and re-propagated.

If all of your DMBs are Samba-based, then you can use Samba's 'enhanced
browsing' and 'remote browse sync' options to improve things.  Read up on
these options in the smb.conf documentation.

I hope that makes a little more sense.  I've seen the Avantel docs and,
well, that's why I am writing a book about how this stuff actually works.

Chris -)-

-- 
Samba Team -- http://www.samba.org/ -)-   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)-   [EMAIL PROTECTED]
OnLineBook -- http://ubiqx.org/cifs/-)-   [EMAIL PROTECTED]
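A simplified model of the merging rule Chris describes above, added here as an illustration; it is not nmbd's code, it models only the statements made in the post (one LMB per workgroup per subnet, LMBs on one subnet exchanging lists, each DMB collecting from and re-propagating to the LMBs of its workgroup), and the server, subnet and workgroup names are constructed:

```python
"""Model of cross-subnet browse list merging as described in the post above.

Added illustration, not Samba's nmbd. Rounds of subnet exchange followed by
DMB upload/re-propagation repeat until no browse list changes any more.
"""
from collections import defaultdict


def merge_browse_lists(servers, lmbs, dmbs, max_rounds=10):
    """Return {(workgroup, subnet): set of server names} held by the Local
    Master Browser of that workgroup on that subnet.

    servers: iterable of (server_name, workgroup, subnet)
    lmbs:    set of (workgroup, subnet) pairs that host an LMB
    dmbs:    dict workgroup -> subnet hosting that workgroup's Domain Master
             Browser (the DMB is also the LMB on its own subnet)
    """
    lists = {lmb: set() for lmb in lmbs}
    # Each LMB starts with the servers of its own workgroup on its own subnet.
    for name, wg, subnet in servers:
        if (wg, subnet) in lists:
            lists[(wg, subnet)].add(name)

    lmbs_on_subnet = defaultdict(list)
    lmbs_of_workgroup = defaultdict(list)
    for wg, subnet in lmbs:
        lmbs_on_subnet[subnet].append((wg, subnet))
        lmbs_of_workgroup[wg].append((wg, subnet))

    for _ in range(max_rounds):
        before = {k: frozenset(v) for k, v in lists.items()}
        # LMBs sharing a subnet exchange lists: the only place where the lists
        # of different workgroups are combined.
        for peers in lmbs_on_subnet.values():
            combined = set().union(*(lists[p] for p in peers))
            for p in peers:
                lists[p] = set(combined)
        # Each LMB uploads to its workgroup's DMB, which re-propagates the
        # union to every LMB of that workgroup.
        for wg, dmb_subnet in dmbs.items():
            members = lmbs_of_workgroup.get(wg, [])
            if (wg, dmb_subnet) not in lists or not members:
                continue
            full = set().union(*(lists[m] for m in members))
            for m in members:
                lists[m] = set(full)
        if all(before[k] == frozenset(lists[k]) for k in lists):
            break
    return lists


def visible_from(lists, workgroup, subnet):
    """Names in the browse list a client of `workgroup` on `subnet` receives."""
    return set(lists.get((workgroup, subnet), set()))


# Constructed scenario: workgroup A lives on subnet s1, workgroup B on s2,
# each with its own DMB, and no subnet hosts LMBs for both.
SERVERS = [("SRVA1", "A", "s1"), ("SRVB2", "B", "s2")]
LMBS = {("A", "s1"), ("B", "s2")}
DMBS = {"A": "s1", "B": "s2"}


def without_shared_subnet():
    """A's clients on s1 never learn about B's servers."""
    return visible_from(merge_browse_lists(SERVERS, LMBS, DMBS), "A", "s1")


def with_shared_subnet():
    """Adding subnet s3 with an LMB (and a server) for both workgroups lets the
    two lists combine there and then spread through both DMBs."""
    servers = SERVERS + [("SRVA3", "A", "s3"), ("SRVB3", "B", "s3")]
    lmbs = LMBS | {("A", "s3"), ("B", "s3")}
    return visible_from(merge_browse_lists(servers, lmbs, DMBS), "A", "s1")


if __name__ == "__main__":
    print("A on s1, no shared subnet:", sorted(without_shared_subnet()))
    print("A on s1, with shared subnet s3:", sorted(with_shared_subnet()))
```

The model makes the point in the post concrete: WINS replication never enters it, and the only thing that lets workgroup A's list pick up workgroup B's servers is a subnet on which both workgroups have an LMB.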


Compiling samba 2.2.8 on HP-UX 11.00 - conflicting definition of snprintf

2003-03-18 Thread Adam Fox
Hi all,

I'm trying to compile samba 2.2.8 on a HP-UX 11.00 system. I've run the
configure script without any arguments, but when I run 'make' I get the
following error:

Compiling lib/snprintf.c
lib/snprintf.c:777: conflicting types for `vsnprintf'
/var/bin/../lib/gcc-lib/hppa2.0w-hp-hpux11.00/3.0/include/stdio.h:494: previous declaration of `vsnprintf'
lib/snprintf.c:792: conflicting types for `snprintf'
/var/bin/../lib/gcc-lib/hppa2.0w-hp-hpux11.00/3.0/include/stdio.h:493: previous declaration of `snprintf'
*** Error exit code 1

I did some searching on the mailing list and found other people having the
same problem with other versions of samba, but I didn't find any solutions.
When I ran configure the following was reported about the printf functions:

checking for asprintf declaration... no
checking for vasprintf declaration... no
checking for vsnprintf declaration... yes
checking for snprintf declaration... yes
[...]
checking for vsnprintf... yes
checking for snprintf... yes
checking for asprintf... no
checking for vasprintf... no

One suggestion I saw was to comment out lines 492 and 493 of the stdio.h from
the HP-UX include directory, but I'm not too keen on mucking around with the
HP files. Is it possible to not redefine the snprintf functions and just use
the ones that come with HP-UX?

Any help is appreciated.


Adam Fox




Re: Compiling samba 2.2.8 on HP-UX 11.00 - conflicting definition of snprintf

2003-03-18 Thread Tim Potter
On Wed, Mar 19, 2003 at 04:09:19PM +1030, Adam Fox wrote:

 When I ran configure the following was reported about the printf functions:
 
 checking for asprintf declaration... no
 checking for vasprintf declaration... no
 checking for vsnprintf declaration... yes
 checking for snprintf declaration... yes

The real question is why is the check for the asprintf and vasprintf
declarations failing?  According to your post they seem to be in stdio.h
and this is where configure checks for them.

Ditto for the functions themselves.  Why are they not being detected by
configure?  Perhaps you can find out by looking through the config.log 
output.


Tim.


Re: Compilation problem : Samba 2.2.8 ACL on Debian Woody

2003-03-18 Thread Steve Langasek
Sebastien,

On Tue, Mar 18, 2003 at 05:23:14PM +0100, Sebastien Munch wrote:

 Samba 2.2.8 with ACL support on Debian Woody won't compile, and I
 haven't found why. Searched for hours, asked on #samba-technical
 (freenode), but no solution...

Have you tried Christian Perrier's ACL-enabled packages at
http://www.perrier.eu.org/debian ?

-- 
Steve Langasek
postmodern programmer


pgp0.pgp
Description: PGP signature


RE: rd /s, can't find the file specified (internal reference b1996)

2003-03-18 Thread Richard Sharpe
On Mon, 17 Mar 2003, Nir Soffer wrote:

 
 Enjoy.

OK, now that I have looked at both traces in more detail, here is what is 
happening:

The bad trace, perhaps the one from UNIX, is returning exactly the same 
short name for each of those files, 0123456789AB.

The client tries to use the short name, and the server obviously gets 
confused.

In the second case, the short names are all correct looking names, of the 
form 012345~1, 012345~2 etc.
 
Have you modified Samba's name mangling code to do silly things?

 From a very very fast look, it looks like something with file mangling, but IANA 
 Samba Expert.
 
 baddosdel.cap is against Samba-CVS (From yesterday)
 gooddosdel.cap is against my personal W2K workstation.
 
 --
 Nir Soffer -=- Exanet Inc. -=- http://www.evilpuppy.org
 Father, why are all the children weeping? / They are merely crying son
  O, are they merely crying, father? / Yes, true weeping is yet to come
 -- Nick Cave and the Bad Seeds, The Weeping Song
  
 
  -Original Message-
  From: Richard Sharpe [mailto:[EMAIL PROTECTED]
  Sent: Monday, March 17, 2003 9:23 AM
  To: Nir Soffer
  Cc: [EMAIL PROTECTED]
  Subject: RE: rd /s, can't find the file specified (internal 
  reference b1996)
  
  
  On Sun, 16 Mar 2003, Nir Soffer wrote:
  
   
   Following up to myself, reproducing this is apparently even simpler 
   than I thought - simply do a:
   
   touch nir test test
   
   and try to delete it from a DOS command line. It will fail.
   
   nirtest123456 fails as well, but nirtest12345 so it seems to be 
   filename size related. 13 characters won't work and 12 
  will. Perhaps 
   it's because something is geared towards 8 characters, a dot, and 3 
   characters somewhere along the line?
   
   Needless to say, it works fine on w2k shares...
  
  Can you get us a sniff?
  
  Regards
  -
  Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
  sharpe[at]ethereal.com, http://www.richardsharpe.com
  
  
 

-- 
Regards
-
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com


baddosdel.cap
Description: baddosdel.cap


gooddosdel.cap
Description: gooddosdel.cap
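The collision Richard reads out of the traces, as an added illustration that is not Samba's mangling code (Samba's real mangler is hash-based and configurable): a truncating mangler that can hand two files the same short name beside a per-directory table that hands out unique ~N names of the kind seen in the good trace, with a checker that flags shared short names in a listing. The three file names are those from the report; the functions, class and everything else are constructed for this example.

```python
"""Short-name (8.3) collision check for a directory listing.

Added illustration, not Samba's code. It shows the property the traces turn
on: two different long names in one directory must never share a short name,
otherwise a client that addresses files by short name cannot reach both.
"""
import re
from collections import defaultdict

# Uppercase 8.3 name: up to 8 chars, optional dot and up to 3 chars.
SHORT_OK = re.compile(r"^[A-Z0-9_~$!#%&'(){}@^`-]{1,8}"
                      r"(\.[A-Z0-9_~$!#%&'(){}@^`-]{1,3})?$")
STRIP = re.compile(r"[^A-Z0-9_]")


def needs_mangling(name):
    """True unless the name (compared case-insensitively) already fits 8.3."""
    return SHORT_OK.match(name.upper()) is None


def naive_mangle(name):
    """Truncating mangler: the failure mode, because it looks at one name in
    isolation and cannot know that a neighbour truncates to the same thing."""
    base, _, ext = name.upper().partition(".")
    base = STRIP.sub("", base)[:8]
    ext = STRIP.sub("", ext)[:3]
    return base + ("." + ext if ext else "")


class ShortNameTable:
    """Per-directory table handing out unique '~N' short names (the form the
    good trace shows: 012345~1, 012345~2) and resolving them back again."""

    def __init__(self):
        self.short_to_long = {}
        self.long_to_short = {}

    def short_name(self, long_name):
        if long_name in self.long_to_short:
            return self.long_to_short[long_name]
        if not needs_mangling(long_name):
            short = long_name.upper()
        else:
            base, _, ext = long_name.upper().partition(".")
            prefix = STRIP.sub("", base)[:6] or "FILE"
            ext = STRIP.sub("", ext)[:3]
            n = 1
            while True:  # bump the suffix until the short name is unused
                short = f"{prefix}~{n}" + (f".{ext}" if ext else "")
                if short not in self.short_to_long:
                    break
                n += 1
        self.short_to_long[short] = long_name
        self.long_to_short[long_name] = short
        return short

    def resolve(self, short):
        """Long name behind a short name, or None if it was never issued."""
        return self.short_to_long.get(short)


def short_name_collisions(long_names, mangle):
    """Return {short: [long names]} for every short name shared by >1 file."""
    groups = defaultdict(list)
    for name in long_names:
        groups[mangle(name)].append(name)
    return {s: names for s, names in groups.items() if len(names) > 1}


# The names from the report, as one directory listing.
REPORTED_NAMES = ["nirtest123456", "nirtest12345", "nir test test"]


def collisions_naive():
    return short_name_collisions(REPORTED_NAMES, naive_mangle)


def collisions_unique():
    return short_name_collisions(REPORTED_NAMES, ShortNameTable().short_name)


def unique_short_names():
    table = ShortNameTable()
    return [table.short_name(n) for n in REPORTED_NAMES]


if __name__ == "__main__":
    print("naive mangler collisions:", collisions_naive())
    print("table mangler collisions:", collisions_unique())
    print("table short names:", unique_short_names())
```

Run against a real listing, `short_name_collisions` is the check to apply to a capture like the bad trace: any short name that appears more than once in a single directory is enough to break a client that deletes by short name.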


RE: rd /s, can't find the file specified (internal reference b1996)

2003-03-18 Thread Nir Soffer

 On Mon, 17 Mar 2003, Nir Soffer wrote:
 
  
  Enjoy.
 
 OK, now that I have looked at both traces in more detail, 
 here is what is 
 happening:
 
 The bad trace, perhaps the one from UNIX, is returning 
 exactly the same 
 short name for each of those files, 0123456789AB.
 
 The client tries to use the short name, and the server obviously gets 
 confused.
 
 In the second case, the short names are all correct looking 
 names, of the 
 form 012345~1, 012345~2 etc.
  
 Have you modified Samba's name mangling code to do silly things?

Not at all. I used straight up vanilla from CVS.
I'll take another look at the configuration, maybe I have it configured to 
stupidity-mode when it comes to mangling, or something...

Nir.


--
Nir Soffer -=- Exanet Inc. -=- http://www.evilpuppy.org
Father, why are all the children weeping? / They are merely crying son
 O, are they merely crying, father? / Yes, true weeping is yet to come
-- Nick Cave and the Bad Seeds, The Weeping Song
 


RE: rd /s, can't find the file specified (internal reference b1996)

2003-03-18 Thread Nir Soffer

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, March 19, 2003 4:44 AM
 To: Nir Soffer
 Cc: [EMAIL PROTECTED]
 Subject: Re: rd /s, can't find the file specified (internal 
 reference b1996)
 
 
 On Sun, Mar 16, 2003 at 06:47:44PM +0200, Nir Soffer wrote:
  
  Following up to myself, reproducing this is apparently even 
 simpler than I thought - simply do a:
  
  touch nir test test
  
  and try to delete it from a DOS command line. It will fail.
  
  nirtest123456 fails as well, but nirtest12345 so it 
 seems to be filename size related. 13 characters won't work and 
 12 will. Perhaps it's because something is geared towards 8 
 characters, a dot, and 3 characters somewhere along the line?
  
  Needless to say, it works fine on w2k shares...
 
 I can't reproduce this at all on a recent (CVS) build
 of SAMBA_3_0. Can you give me more details on *exactly*
 how you reproduce it please ?

What I did was simply do, on the unix side:

mkdir b1996
cd b1996
touch nirtest123456
touch nirtest12345

and on the W2K side use a command line prompt, map the drive using net use, and try to 
rd /s b1996

That's all I did... I sent traces to the list and rsharpe, and those traces indicate 
it has something to do with mangling, so I'm going to take a closer look at my 
configuration and see if I did anything there...

Thanks,
Nir.

--
Nir Soffer -=- Exanet Inc. -=- http://www.evilpuppy.org
Father, why are all the children weeping? / They are merely crying son
 O, are they merely crying, father? / Yes, true weeping is yet to come
-- Nick Cave and the Bad Seeds, The Weeping Song
 


SUSE and Samba settings

2003-03-18 Thread asmedeo
Hello,
I have SUSE 8.1 installed and I just can't get the settings right. My Linux
machine shows up on the network and the nobody user is defined, but when I
double-click on the Linux machine it asks for a password to access it, and
because of that I can't see the share. Could you tell me exactly what the
settings should be? The clients have 98 installed; the Samba version is 2.2.5.