Re: modules: BOOL vs. int
> And I want it to be equal for all smb_register_*() fn's
>
> >> int auth_sam_init(void)
> >> {
> >>     smb_register_auth("samstrict_dc", auth_init_samstrict_dc,
> >>         AUTH_INTERFACE_VERSION);
> >>     smb_register_auth("samstrict", auth_init_samstrict,
> >>         AUTH_INTERFACE_VERSION);
> >>     smb_register_auth("sam", auth_init_sam, AUTH_INTERFACE_VERSION);
> >>     return True;
> >> }
> >When would you want the function to fail ? If registering one of the
> >functions fails?
> ok don't fail but a warning would be good

The register functions already give warnings when things are failing.

ok fine :-)

metze
-
Stefan "metze" Metzmacher <[EMAIL PROTECTED]>
Re: generating core dumps in winbindd and smbd
On Fri, 2003-03-28 at 17:17, Tim Potter wrote:
> On Thu, Mar 27, 2003 at 09:41:55PM -0800, Richard Sharpe wrote:
>
> > On Fri, 28 Mar 2003, Tim Potter wrote:
> >
> > > I was poking around in the segv signal handling code today as I'm in a
> > > situation where an actual core dump would be handy to have.
> > >
> > > The intent of the current code looks like core dumps are to be made in
> > > $LOGDIR/corefiles but the dump_core() function is never executed as the
> > > argument to fault_setup() is never used.
> > >
> > > Do we want to keep the existing behaviour or shall I fix it to do what
> > > was intended?
> >
> > I would say do what was intended. I often need core files :-(
>
> It would also be nice to have a core-- filename for the
> core dump but I'm not sure how portable that is.

Isn't that what the mkdir() stuff is about?

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: generating core dumps in winbindd and smbd
On Thu, Mar 27, 2003 at 09:41:55PM -0800, Richard Sharpe wrote:

> On Fri, 28 Mar 2003, Tim Potter wrote:
>
> > I was poking around in the segv signal handling code today as I'm in a
> > situation where an actual core dump would be handy to have.
> >
> > The intent of the current code looks like core dumps are to be made in
> > $LOGDIR/corefiles but the dump_core() function is never executed as the
> > argument to fault_setup() is never used.
> >
> > Do we want to keep the existing behaviour or shall I fix it to do what
> > was intended?
>
> I would say do what was intended. I often need core files :-(

It would also be nice to have a core-- filename for the
core dump but I'm not sure how portable that is.
Re: generating core dumps in winbindd and smbd
On Fri, 28 Mar 2003, Tim Potter wrote:

> I was poking around in the segv signal handling code today as I'm in a
> situation where an actual core dump would be handy to have.
>
> The intent of the current code looks like core dumps are to be made in
> $LOGDIR/corefiles but the dump_core() function is never executed as the
> argument to fault_setup() is never used.
>
> Do we want to keep the existing behaviour or shall I fix it to do what
> was intended?

I would say do what was intended. I often need core files :-(

Regards
-
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org,
sharpe[at]ethereal.com, http://www.richardsharpe.com
generating core dumps in winbindd and smbd
I was poking around in the segv signal handling code today as I'm in a
situation where an actual core dump would be handy to have.

The intent of the current code looks like core dumps are to be made in
$LOGDIR/corefiles but the dump_core() function is never executed as the
argument to fault_setup() is never used.

Do we want to keep the existing behaviour or shall I fix it to do what
was intended?

Tim.
RE: encrypt passwords=no, security=yes, samba 2.2.8, W2K user auth fails
--On Thursday, March 27, 2003 10:06:08 AM -0500 "MCCALL,DON (HP-USA,ex1)" <[EMAIL PROTECTED]> wrote:

Hi tony,
based on your log file, it sure does APPEAR that you have NOT turned off encrypted passwords, as samba is trying to open /usr/local/samba/private/smbpasswd. It should only do that if it negotiated encrypted passwords in the negot prot call, which it should only be able to do if encrypted passwords is set to yes. I note that you are including ANOTHER smb.conf file at the end of your global section; please check there and see if you have an encrypt passwords = yes, and/or include the contents of that smb.conf file as well in your next message to the list, ok?

include=/etc/sfw/local-smb.conf

local-smb.conf is an empty file. I don't have another encrypt passwords = yes anywhere in the config file.

What is weird is that I can eventually authenticate after I change the username I try to authenticate with and then change back again.

So, this looks like a bug? I wonder whether it only affects Solaris systems. I would have thought others would have fallen across it. I can't code, but I can provide logs and testing. Please let me know if I can help at all.

tony

-Original Message-
From: tony shepherd [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003 21:31
To: [EMAIL PROTECTED]
Cc: tony.shepherd
Subject: BUG: encrypt passwords=no, security=yes, samba 2.2.8, W2K user auth fails

folks

** I am not on this mail list. Can all replies please be Cc'ed to me as well. **

I have come across the following bug using samba 2.2.8 (in the throes of upgrading from 2.0.10 to fix security vul). I discovered this bug using a W2K system; it was not present when testing with win98. I am running the samba server on a solaris 9 system.

I am using "encrypt passwords = no" and "security=user" and using the Unix passwords for authentication. Registry modifications have been made to the windows system.

To replicate the bug, I do the following:

* log onto w2k system as user ts74081, passwd: fred
* try and open the share: \\huey\ts74081. As my password is different between the windows system and the samba server, it prompts me for a username/password pair. I give the correct values but I still get rejected.
* I then try to access the share as a different user (one that does not exist on the system): username fred, passwd fred. Naturally it fails.
* I then try again with the proper username/password pair and I get authenticated correctly and the share is made available.

If I do not try and authenticate as a different user before retrying with the proper username, it will continue to fail to authenticate.

I have attached debug 3 logs of the above scenario as well as the smb.conf I am using.

If I change the security parameter to "security=share", the above bug does not show itself.

thanks
tony
Re: use sendfile problems with Windows 95
On Thu, 27 Mar 2003, Pierre Belanger wrote:

> Hi,
>
> I turned on "use sendfile", not too long after (on the next
> "logon") someone called me. His Windows 95 was having trouble
> opening files on the server. He can "explore" the shared volume
> but when trying to open a file, his computer hangs and needs
> to reboot. I've been using "sendfile" myself with Samba under
> Solaris 8 with NT & 2000 & XP since a long time with no trouble
> at all.
>
> I tested with another Windows 95 box -- same problem. Even
> after ~ 5 min. the box is still hung.
>
> I'm wondering if Windows 98/ME are also affected by this?
> I don't have access to Windows ME "boxes" but I might find
> a Windows 98 box... I'll post when I am able to test.
>
> I generated a level 10 log file, it's 155KB (gzip -9). Someone
> wants to look at it? (I did not want to post this huge file
> here).

Can you get us a sniff?

Regards
-
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org,
sharpe[at]ethereal.com, http://www.richardsharpe.com
Re: [patch] uppercase workgroup in browse request
On Thu, 27 Mar 2003, Stephan Kulow wrote:

> On Thursday 27 March 2003 03:43, Christopher R. Hertel wrote:
> > Stephan Kulow wrote:
> > > Hi!
> > >
> > > I noticed a difference between testsmbc "smb://MYGRP" and testsmbc
> > > "smb://mygrp" (it doesn't make a difference for SAMBA servers, but it
> > > does for XP and for winME) So please apply the included patch.
> >
> > Hang on...
> >
> > Do I read this correctly? Are we forgetting to up-case the workgroup name?
> > (...it always helps to provide a little clue along with the patch.) :)
> >
> > Samba decodes NetBIOS names and then performs a case-insensitive comparison
> > on the original name. Windows (the versions I've tested) simply compares
> > the wire-format strings. That's faster, but it's also case sensitive. I
> > don't currently have any ME or XP systems to test.
> >
> I don't understand. You seem to agree with the patch, still it's not applied.

The patch has been applied. It has just not been pushed back to CVS yet :-)

Regards
-
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org,
sharpe[at]ethereal.com, http://www.richardsharpe.com
bug in pjob_store (3.0alpha20)
Before I send all the details, I thought I'd check to see if this is a known problem.

I've got version 3.0 alpha20 running on a FreeBSD -current box. When I try to print from a Win2000 box, smbd encounters an internal error. Gdb shows pjob_store() is calling pjob_store_notify() with a bad old_data.dptr pointer.

(gdb) p old_data
$1 = {dptr = 0x800 , dsize = 0}
(gdb) frame
#9 0x081a4ce4 in pjob_store (snum=6, jobid=3, pjob=0xbfbfec90) at printing/printing.c:582
582 pjob_store_notify( snum, jobid, (struct printjob *)old_data.dptr, pjob );

I've got, use client driver = yes, in my smb.conf file.

Shall I provide more details, or is this a known problem?

mike
extended ACL problems for default group w/ 2.2.7a & 2.2.8
We're having problems on Samba 2.2.7a and 2.2.8, IBM JFS 1.1.1, Linux version 2.4.20, bestbits ACLs, etc. The problem is seen with Windows 2000 and Windows XP clients.

I get different permissions for the default group on new files & directories depending on if the directory tree is xcopied or is moved via drag & drop in the GUI.

According to level 10 samba logs and ethereal traces the difference that causes this problem is that the xcopy triggers several transaction2 SET_FILE_INFORMATION level 1004 calls. Samba does a chmod on the file or directory while processing this call. Nothing in this call looks to me like it should be changing the permissions.

I tried the same test against a Windows 2000 server and found the resulting permissions are the same for both trees regardless of the copy method.

Items from smb.conf

[acl-test]
    comment = Temp Space to test ACL
    path = /home/group/new
    inherit acls = yes
    nt acl support = yes

We don't have any mention of mask, mode, etc. in the smb.conf

Comparison of the ACLs:

[EMAIL PROTECTED] d1]# getfacl smtest
# file: smtest
# owner: bmarsh
# group: bmarsh
user::rwx
group::---
group:admin:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:admin:rwx
default:mask::rwx
default:other::---

[EMAIL PROTECTED] d1]# getfacl smtestx
# file: smtestx
# owner: bmarsh
# group: bmarsh
user::rwx
group::rwx
group:admin:rwx
mask::rwx
other::--x
default:user::rwx
default:group::---
default:group:admin:rwx
default:mask::rwx
default:other::---

ACL on the parent directory of smtest & smtestx:

[EMAIL PROTECTED] new]# getfacl d1
# file: d1
# owner: bmarsh
# group: bmarsh
user::rwx
group::---
group:admin:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:admin:rwx
default:mask::rwx
default:other::---

How the directories were created:

Y:\>xcopy smtest y:\d1\smtestx /s /e
(I use the new dir smtestX for xcopy)
Does Y:\d1\smtestx specify a file name
or directory name on the target
(F = file, D = directory)? d
smtest\t1.txt
1 File(s) copied

Then I drag and drop the same directory onto the same server to get smtest

Thanks,
Bill Marshall
Re: Patch for Bad Password Attempt Lockout, samba3.0a22.
On Fri, 2003-03-28 at 06:58, David Collier-Brown -- Customer Engineering wrote:
> Remember, this opens up a new vulnerability, to denial
> of service attacks. See, for example
> http://www.uksecurityonline.com/threat/password.php
>
> If you're implementing this, implement the approved strategy,
> also used by NT, of locking it for a settable period, and
> not locking out privileged accounts.
>
> From
> http://calnetad.berkeley.edu/documentation/technical/uc_domain_policy.html
>
> Account lockout duration
> Sets the number of minutes an account will be locked out.
> Allowable values are 0 (account is locked out until
> administrator unlocks it) or between 1 and 9 minutes.
>
> WARNING: Setting this value to 0 (until administrator
> unlocks) may allow a potential denial of service attack.
> It is important to note that the built-in Administrator
> account cannot be locked out.

Once these issues are sorted, I'm inclined to apply this patch!

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: Patch for Bad Password Attempt Lockout, samba3.0a22.
On Fri, 2003-03-28 at 07:40, Simo wrote:
> You can already do that through pam_tally, what does your approach add ?

We can't correctly trigger pam_tally from the encrypted password check.

Also, the pam_tally is dodgy - it doesn't correctly handle 'oh, they got it right'. (It makes assumptions about the way applications call PAM).

Andrew,

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
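
The policy discussed in this thread (lock for a settable period, never lock the built-in Administrator, and clear the tally when the user gets it right), as an added example that is not part of any message here, of the posted patch, or of Samba. All struct, field and function names are hypothetical, the clock values and accounts are constructed, and the password check itself is reduced to a boolean supplied by the caller.

```c
/* Added example: bad-password lockout with a settable duration.
 * All names are hypothetical; this is not Samba code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

struct lockout_policy {
    uint32_t threshold;        /* bad attempts that trigger a lock; 0 = never lock */
    uint32_t duration_minutes; /* 0 = stay locked until an administrator unlocks */
};

struct account {
    const char *name;
    bool exempt;               /* e.g. the built-in Administrator: never auto-locked */
    bool locked;
    uint32_t bad_attempts;
    time_t locked_at;          /* when the lock was set; needed for timed expiry */
};

enum auth_result { AUTH_OK, AUTH_WRONG_PASSWORD, AUTH_LOCKED_OUT };

static bool lock_expired(const struct account *a,
                         const struct lockout_policy *p, time_t now)
{
    if (p->duration_minutes == 0)
        return false;                 /* only an administrator can unlock */
    if (now < a->locked_at)
        return false;                 /* clock stepped backwards: stay locked */
    return difftime(now, a->locked_at) >= p->duration_minutes * 60.0;
}

void admin_unlock(struct account *a)
{
    a->locked = false;
    a->bad_attempts = 0;
}

/* password_ok is the outcome of the real password check (assumed to be done
 * by the caller); this function only maintains the lockout state. */
enum auth_result check_login(struct account *a, const struct lockout_policy *p,
                             bool password_ok, time_t now)
{
    if (a->locked) {
        if (!lock_expired(a, p, now))
            return AUTH_LOCKED_OUT;   /* attempts are not counted while locked */
        admin_unlock(a);              /* the timed lock has run out */
    }
    if (password_ok) {
        a->bad_attempts = 0;          /* "they got it right": clear the tally */
        return AUTH_OK;
    }
    if (a->bad_attempts < UINT32_MAX)
        a->bad_attempts++;            /* saturate instead of wrapping to 0 */
    if (!a->exempt && p->threshold != 0 && a->bad_attempts >= p->threshold) {
        a->locked = true;
        a->locked_at = now;
    }
    return AUTH_WRONG_PASSWORD;
}

int main(void)
{
    struct lockout_policy pol = { 3, 5 };   /* constructed: 3 tries, 5 minutes */
    struct account u = { "alice", false, false, 0, 0 };
    time_t t = 1000000;                     /* constructed clock */
    int i;

    for (i = 0; i < 4; i++)
        printf("bad attempt %d -> %d\n", i + 1,
               (int)check_login(&u, &pol, false, t + i));
    printf("good password while locked -> %d\n",
           (int)check_login(&u, &pol, true, t + 60));
    printf("good password after 5 minutes -> %d\n",
           (int)check_login(&u, &pol, true, t + 2 + 300));
    return 0;
}
```
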
Re: OPLOCK and locking problems: (Resource deadlock avoided)
On Fri, 2003-03-28 at 07:34, [EMAIL PROTECTED] wrote:
> On Sun, Mar 23, 2003 at 02:23:45PM +1100, Andrew Bartlett wrote:
> > Earlier this week, I had a serious meltdown of Samba HEAD at my site.
> > (A < 100 concurrent user, domain logon and homedir setup).
> >
> > All the users share a single mandatory profile, which they think they
> > can write to, but can't. (due to file permissions). They think they
> > can due to the use of 'vfs_fake_perms.so'. In any case, no matter what
> > the client thinks, I'm told this should not happen:
> >
> > I've attached the first 6 mins on the log, but by the time it got to 11
> > AM I'm told it got impossible to use the system. As smbds got caught up
> > in waiting for oplocks, I think the clients decided to reconnect. This
> > created even more load, and by 12PM when I got onto the system, there
> > were way more smbd processes than machines to account for them.
> >
> > The load at 12PM was 20, and just logging into the system with SSH took
> > *ages*.
> >
> > Unfortunately I was unable to get an strace or gdb the culprit, as I had
> > to get the system back up and going again.
> >
> > There is a slight possibility of tdb corruption (I should have removed
> > the locking tdb after the last crash), but no segfaulting processes.
> > (This has occurred before, but I had blamed that).
> >
> > By the end of the logfile, we have multiple smbds all sending oplock
> > replies to processes that don't expect them, connections being reset and
> > all hell breaking loose...
> >
> > Personally, I suspect a tdb bug as the root cause, but our UDP based
> > oplock handling can't get off the hook either.
>
> Are you running the Solaris kernel scalabel-fcntl patch ? If not,
> that was your problem, not the Samba code.

Nope, RedHat 8, kernel 2.4.18.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: Patch for Bad Password Attempt Lockout, samba3.0a22.
You can already do that through pam_tally, what does your approach add ?

Simo.

On Thu, 2003-03-27 at 15:34, Jianliang Lu wrote:
> I have implemented the "bad password attempt lockout" policy. If an user
> attempt with the bad password more than the count setted in the policy, then
> his account will be auto-locked, like what did NT. The implementation is only
> for LDAP passdb backend.
> To do this, I have to introduce a new integer attribute in
> samba.schema, "badPwAttempt".
> Following are the patches, any comments?

--
Simo Sorce - [EMAIL PROTECTED]
Samba Team - http://www.samba.org
Italian Site - http://samba.xsec.it
Re: OPLOCK and locking problems: (Resource deadlock avoided)
On Sun, Mar 23, 2003 at 02:23:45PM +1100, Andrew Bartlett wrote:
> Earlier this week, I had a serious meltdown of Samba HEAD at my site.
> (A < 100 concurrent user, domain logon and homedir setup).
>
> All the users share a single mandatory profile, which they think they
> can write to, but can't. (due to file permissions). They think they
> can due to the use of 'vfs_fake_perms.so'. In any case, no matter what
> the client thinks, I'm told this should not happen:
>
> I've attached the first 6 mins on the log, but by the time it got to 11
> AM I'm told it got impossible to use the system. As smbds got caught up
> in waiting for oplocks, I think the clients decided to reconnect. This
> created even more load, and by 12PM when I got onto the system, there
> were way more smbd processes than machines to account for them.
>
> The load at 12PM was 20, and just logging into the system with SSH took
> *ages*.
>
> Unfortunately I was unable to get an strace or gdb the culprit, as I had
> to get the system back up and going again.
>
> There is a slight possibility of tdb corruption (I should have removed
> the locking tdb after the last crash), but no segfaulting processes.
> (This has occurred before, but I had blamed that).
>
> By the end of the logfile, we have multiple smbds all sending oplock
> replies to processes that don't expect them, connections being reset and
> all hell breaking loose...
>
> Personally, I suspect a tdb bug as the root cause, but our UDP based
> oplock handling can't get off the hook either.

Are you running the Solaris kernel scalabel-fcntl patch ? If not, that was your problem, not the Samba code.

Jeremy.
Re: use sendfile problems with Windows 95
On Thu, Mar 27, 2003 at 03:01:55PM -0500, Pierre Belanger wrote:
> Hi,
>
> I turned on "use sendfile", not too long after (on the next
> "logon") someone called me. His Windows 95 was having trouble
> opening files on the server. He can "explore" the shared volume
> but when trying to open a file, his computer hangs and needs
> to reboot. I've been using "sendfile" myself with Samba under
> Solaris 8 with NT & 2000 & XP since a long time with no trouble
> at all.
>
> I tested with another Windows 95 box -- same problem. Even
> after ~ 5 min. the box is still hung.
>
> I'm wondering if Windows 98/ME are also affected by this?
> I don't have access to Windows ME "boxes" but I might find
> a Windows 98 box... I'll post when I am able to test.
>
> I generated a level 10 log file, it's 155KB (gzip -9). Someone
> wants to look at it? (I did not want to post this huge file
> here).

A log file won't help I don't think. It looks like sendfile is simply overwhelming the Win95 box's ability to process incoming TCP. Windows 95 is broken in many subtle and not-so-subtle ways w.r.t. SMB networking I'm afraid.

Turning off sendfile might be your only option.

Jeremy.
Re: sesssetup.c, encrypted passwords and unicode
I posted some further analysis of this problem to the list a while back. I've got some captures. Basically, different Windows clients that can provide plaintext upper-case don't quite get it right. At least, they are not all formatting things the same way.

I don't have time just now to look more deeply into this. If anyone else does, let me know and I'll forward my info.

Chris -)-

On Thu, Mar 27, 2003 at 09:36:48PM +0200, Nir Soffer wrote:
>
> Hi there! I've been trying to get Samba 3.0 to use plaintext passwords and unicode
> for a while now.
>
> The first thing I stumbled on was solved, it was a service pack that needed to be
> applied to w2k. (Thanks!)
>
> This is the second thing I stumbled on:
> In line 613 of sesssetup.c (latest CVS) there is the following code snippet:
>     } else {
>         pstring pass;
>         srvstr_pull(inbuf, pass, smb_buf(inbuf),
>                     sizeof(pass), passlen1, STR_TERMINATE);
>         plaintext_password = data_blob(pass, strlen(pass)+1);
>     }
>
> From what (limited) understanding I have, passlen1 in this case is the non-unicode
> password, and passlen2 is the unicode password. The code pulls the wrong passlen,
> and consequently the wrong password was checked against the database. ( a password
> with a length of 0)
>
> Changing the code to use passlen2 basically allowed me to login, but I'm pretty sure
> this is not the correct fix (I would think that one should first check if the
> connection is unicode or not).
>
> Just FYI,
> Thanks :)
>
> Nir.
>
>
> --
> Nir Soffer -=- Exanet Inc. -=- http://www.evilpuppy.org
> "Father, why are all the children weeping? / They are merely crying son
> O, are they merely crying, father? / Yes, true weeping is yet to come"
> -- Nick Cave and the Bad Seeds, The Weeping Song
>

--
Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED]
OnLineBook -- http://ubiqx.org/cifs/ -)- [EMAIL PROTECTED]
use sendfile problems with Windows 95
Hi,

I turned on "use sendfile", not too long after (on the next "logon") someone called me. His Windows 95 was having trouble opening files on the server. He can "explore" the shared volume but when trying to open a file, his computer hangs and needs to reboot. I've been using "sendfile" myself with Samba under Solaris 8 with NT & 2000 & XP since a long time with no trouble at all.

I tested with another Windows 95 box -- same problem. Even after ~ 5 min. the box is still hung.

I'm wondering if Windows 98/ME are also affected by this? I don't have access to Windows ME "boxes" but I might find a Windows 98 box... I'll post when I am able to test.

I generated a level 10 log file, it's 155KB (gzip -9). Someone wants to look at it? (I did not want to post this huge file here). Here's the first place where the communication breaks:

[2003/03/27 14:53:01, 6] lib/util_sock.c:write_socket(521)
  write_socket(5,1588) wrote 1588
[2003/03/27 14:53:47, 0] lib/util_sock.c:read_data(436)
  read_data: read failure for 4. Error = Connection reset by peer
[2003/03/27 14:53:47, 10] lib/util_sock.c:receive_smb(609)
  receive_smb: length < 0 !
[2003/03/27 14:53:47, 3] smbd/process.c:timeout_processing(1105)
  receive_smb error (Connection reset by peer) exiting

I'll check on Microsoft's web site for any "patches"!

Regards,
Pierre B.
Re: Patch for Bad Password Attempt Lockout, samba3.0a22.
Remember, this opens up a new vulnerability, to denial of service attacks. See, for example http://www.uksecurityonline.com/threat/password.php If you're implementing this, implement the approved strategy, also use by NT, of locking it for a settable period, and not locking out priveledged accounts. From http://calnetad.berkeley.edu/documentation/technical/uc_domain_policy.html Account lockout duration Sets the number of minutes an account will be locked out. Allowable values are 0 (account is lockout out until administrator unlocks it) or between 1 and 9 minutes. WARNING: Setting this value to 0 (until administrator unlocks) may allow a potential denial of service attack. It is important to note that the built-in Administrator account cannot be locked out. --dave Jianliang Lu wrote: I have implemented the "bad password attempt lockout" policy. If an user attempt with the bad password more than the count setted in the policy, then his account will be auto-locked, like what did NT. The implementation is only for LDAP passdb backend. To do this, I have to introduce a new integer attribute in samba.schema, "badPwAttempt". Folllowing are the patches, any comments? Jianliang Lu TieSse s.p.a. Via Jervis, 60. 10015 Ivrea (To) - Italy [EMAIL PROTECTED] [EMAIL PROTECTED] --- samba-3.0alpha22-orig/source/auth/auth_sam.c Mon Feb 17 16:31:06 2003 +++ samba-3.0alpha22-orig/source/auth/auth_sam.c.fix Thu Mar 27 12:40:10 2003 @@ -326,6 +326,12 @@ return NT_STATUS_ACCOUNT_DISABLED; } + /* Quit if the account was locked out. */ + if (acct_ctrl & ACB_AUTOLOCK) { + DEBUG(1,("Account for user '%s' was locked out.\n", pdb_get_username(sampass))); + return NT_STATUS_ACCOUNT_LOCKED_OUT; + } + /* Test account expire time */ kickoff_time = pdb_get_kickoff_time(sampass); @@ -414,6 +420,7 @@ NTSTATUS nt_status; uint8 user_sess_key[16]; const uint8* lm_hash; + uint32 account_policy_lockout, badpwattempt; if (!user_info || !auth_context) { return NT_STATUS_UNSUCCESSFUL; 
@@ -448,10 +455,43 @@ nt_status = sam_password_ok(auth_context, mem_ctx, sampass, user_info, user_sess_key); if (!NT_STATUS_IS_OK(nt_status)) { + if (NT_STATUS_EQUAL(nt_status,NT_STATUS_WRONG_PASSWORD)) { + badpwattempt = (uint32)pdb_get_bad_pw_attempt(sampass) + 1; + if (!pdb_set_bad_pw_attempt(sampass, badpwattempt, PDB_CHANGED)) + DEBUG(1, ("Failed to set 'badPwAttempt' for user % s. \n", + user_info->internal_username.str)); + account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_lockout); + if (badpwattempt >= account_policy_lockout) +if (!pdb_set_acct_ctrl (sampass, + pdb_get_acct_ctrl(sampass) |ACB_AUTOLOCK, + PDB_CHANGED)) { + DEBUG(1, ("Failed to set 'disabled' flag for user % s. \n", + user_info->internal_username.str)); + } + + become_root(); + if (!pdb_update_sam_account(sampass)) { + DEBUG(1, ("Failed to modify entry for user % s.\n", + user_info->internal_username.str)); + unbecome_root(); +} + } pdb_free_sam(&sampass); return nt_status; } + if (!pdb_set_bad_pw_attempt(sampass, 0, PDB_CHANGED)) + DEBUG(1, ("Failed to set 'badPwAttempt' for user % s. \n", + user_info->internal_username.str)); + if (!pdb_set_logon_time(sampass, time(NULL), PDB_CHANGED)) + DEBUG(1, ("auth_sam.c : pdb_set_logon_time fialed!\n")); + + become_root(); + if(!pdb_update_sam_account(sampass)) + DEBUG(1, ("Failed to modify entry for user % s.\n", + user_info->internal_username.str)); + unbecome_root(); + if (!NT_STATUS_IS_OK(nt_status = make_server_info_sam(server_info, sampass))) { DEBUG(0,("check_sam_security: make_server_info_sam() failed with '%s'\n", nt_errstr(nt_status))); return nt_status; --- samba-3.0alpha22-orig/source/passdb/passdb.c Mon Feb 24 16:12:31 2003 +++ samba-3.0alpha22-orig/source/passdb/passdb.c.fix Thu Mar 27 12:40:10 2003 
@@ -60,6 +60,7 @@ memset(user->private.hours, 0xff, user->private.hours_len); /* available at all hours */ user->private.unknown_5 = 0x; /* don't know */ user->private.unknown_6 = 0x04ec; /* don't know */ + user->private.bad_pw_attempt = 0; /* bad password attemp count */ /* Some parts of samba strlen their pdb_get...() returns, so this keeps the interface unchanged for now. */ --- samba-3.0alpha22-orig/source/passdb/pdb_get_set.c Thu Jan 9 20:05:59 2003 +++ samba-3.0alpha22-orig/source/passdb/pdb_get_set.c.fix Thu Mar 27 12:40:10 2003 @@ -172,6 +172,14 @@ return (NULL); } +uint32 pdb_get_bad_pw_attempt (const SAM_ACCOUNT *sampass) +{ + if (sampass) + return (sampass->private.bad_pw_attempt); + else + return (-1);
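
Review bot: The ACB_AUTOLOCK test added to auth_sam.c at @@ -326,6 +326,12 @@ returns NT_STATUS_ACCOUNT_LOCKED_OUT unconditionally, and none of the posted hunks clears the flag again or records when it was set, so a locked account stays locked until someone edits it by hand. That is the denial-of-service case raised in this thread. Suggest storing the lock time next to badPwAttempt, clearing the flag at this check once a configurable lockout duration has passed, and skipping the auto-lock for accounts that must never be locked out.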
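
Review bot: In the wrong-password branch of the auth_sam.c hunk at @@ -448,10 +455,43 @@, unbecome_root() sits inside the braces of `if (!pdb_update_sam_account(sampass)) { ... }`, so when the update succeeds the process is left running as root after become_root(); move unbecome_root() after the closing brace so it runs on both paths, as the success path lower in the same hunk does. In the same branch, `if (badpwattempt >= account_policy_lockout)` is true on the first failure whenever the policy value is 0 and the return value of account_policy_get() is not checked, so guard against a zero or unread threshold before setting ACB_AUTOLOCK. The DEBUG text "Failed to set 'disabled' flag" should name the lockout flag that is actually being set.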
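
Review bot: pdb_get_bad_pw_attempt() in the pdb_get_set.c hunk is declared uint32 but returns (-1) when sampass is NULL, which reaches the caller as 0xFFFFFFFF; the caller in auth_sam.c adds 1 to the result, which wraps to 0. Return 0 for the NULL case, or give the function a separate way to report the error.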
RE: [Samba] print$ share problem URGENT - BUG
Whoops! "extract" is really "expand".

"expand /?" at the command prompt shows the options for expanding files with the trailing underscore. I use

expand -r *.??_

which creates new, renamed, expanded files from the compressed ones. A word of warning: some compressed files do not have the original name embedded within the file. This will create expanded files with the underscore removed, not replaced with the original last character. In these situations, one must refer to the .INF file to discover the true name.

What would be great is if someone wrote a simple Win32 program that parses the .INF print driver installation file, expanding the files as necessary, getting files from the local workstation and uploading them into the appropriate [print$] share directory, and doing the adddriver and setdriver RPCs. That way print driver installation would be free of the hoops imposed by drivers & show add printer wizard goofiness.

Thanks,

Peter Hurley
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 27, 2003 8:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [Samba] print$ share problem URGENT - BUG

Heya,

I'm looking at having to do the same thing... a couple of manufacturer's drivers either fail to install on samba, or install incorrectly. I'm using a W2k pro client but have no extract command. Is this a program that comes with w2k or something you got from somewhere else?

Btw, thanks for explaining the {2227a280-3aea...} messages. Googling turned up lots of hits, but the only suggested solution was to delete the key from the client's registry (which didn't seem like a good idea to me). I didn't know that InProcServer was depended on by some driver installations.

Realizing that samba as a print-server w/ automatic driver download has more hurdles than getting a devmode set...

Thanks for letting me know about extract,
~ Daniel

On Wednesday, March 26, 2003 5:45 PM Peter Hurley wrote:
> I do not know why your logs are showing an smb_panic(), but
> the failure
> to make a connection to {2227a280-3aea} is because the printer
> driver is attempting to open the "Printers" InProcServer on the remote
> print server.
>
> ***Snippet from logs***
> [2003/03/26 14:33:08, 0] smbd/service.c:make_connection(252)
> donglesvr (10.217.7.11) couldn't find service
> ::{2227a280-3aea-1069-a2de-08002b30309d}
> ***
>
> Since the print server is a Samba machine (that has no registry or
> capability to run InProcServers), that service doesn't exist. I had
> this happen to me when trying to add additional drivers from my W2k
> workstation to our 2.2.7a Samba server for a new HP2200
> network printer.
>
> The solution I used was to add them manually via rpcclient on
> the Samba
> server itself. It took me quite a while. Basically the process is:
> 1) expand the driver files on your local W2k workstation, via the
> "extract" command line utility.
> 2) copy the driver files up to the appropriate directory on the
> [print$] share. See section 6.2.1 of the Samba HOWTO for the
> directory
> structure.
> Basically, NT4/W2K/XP drivers go in W32X86 and 95/98/Me go into WIN40.
> 3) on the samba server, run rpcclient.
> 4) at the rpcclient prompt, use "adddriver" to install the files into
> the appropriate architecture location. The tricky part of this is
> looking at the *.INF file to determine what parameters go where in the
> adddriver command. The format is:
>
> adddriver "Architecture" "LongPrinterName:DriverFile:DataFile:
> ConfigFile:HelpFile:LanguageMonitorFile:DataType:ListOfFiles"
>
> See rpcclient() man page for list of Architectures.
> The ListOfFiles are the files not already specified in the other
> parameters.
>
> For example,
>
> adddriver "Windows NT x86" "HP LaserJet 2200 Series PCL 6:
> HPBF3222.DLL:HPBF3224.PMD:HPBF3220.DLL:HPBF3220.HLP:HPBMMON.DLL:RAW:
> HPBAFD32.DLL,HPBFTM32.DLL,HPDOMON.DLL,HPBHEALR.DLL"
>
> 5) when you have added the driver successfully, then you use the
> "setdriver" command (still at the rpcclient prompt) to associate the
> printer share with the driver.
>
> For example,
>
> setdriver "hp2200" "HP LaserJet 2200 Series PCL 6"
>
> Now automatic driver download should work.
>
> This process was so painful, eventually I'm going to look at the
> Imprints package to see if that works (there's a reference to this
> package in section 6.3 of the Samba HOWTO).
>
> Thanks,
>
> Peter Hurley
> [EMAIL PROTECTED]
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> On Behalf Of Stéphane Purnelle
> Sent: Wednesday, March 26, 2003 4:33 PM
> To: [EMAIL PROTECTED]; samba US; samba-tech
> Subject: Re: [Samba] print$ share problem URGENT - BUG
>
> Why I have no answer for my questions ?
>
> I repeat the situation :
> RedHat 8.0 with samba 2.2.8 compiled with ldapsam and acl-support
> I need the print$ share and this sys
sesssetup.c, encrypted passwords and unicode
Hi there!

I've been trying to get Samba 3.0 to use plaintext passwords and unicode for a while now. The first thing I stumbled on was solved, it was a service pack that needed to be applied to w2k. (Thanks!)

This is the second thing I stumbled on: In line 613 of sesssetup.c (latest CVS) there is the following code snippet:

    } else {
        pstring pass;
        srvstr_pull(inbuf, pass, smb_buf(inbuf), sizeof(pass), passlen1, STR_TERMINATE);
        plaintext_password = data_blob(pass, strlen(pass)+1);
    }

From what (limited) understanding I have, passlen1 in this case is the non-unicode password, and passlen2 is the unicode password. The code pulls the wrong passlen, and consequently the wrong password was checked against the database. (a password with a length of 0)

Changing the code to use passlen2 basically allowed me to login, but I'm pretty sure this is not the correct fix (I would think that one should first check if the connection is unicode or not).

Just FYI,
Thanks :)
Nir.
--
Nir Soffer -=- Exanet Inc. -=- http://www.evilpuppy.org
"Father, why are all the children weeping? / They are merely crying son O, are they merely crying, father? / Yes, true weeping is yet to come" -- Nick Cave and the Bad Seeds, The Weeping Song
Re: Weird problems with Samba 2.2.8 under Solaris 8 + latest kernelpatch
Hi, Quick follow up... the problem was on another server. After the last reboot, not too long ago, "fast-ethernet" negotiation between the Cisco switch and the Sun server did not work properly. Cisco switch negotiated at 100Mbps/full and the Sun server in half duplex. Pierre B. Pierre Belanger wrote: Hello all, This weekend, we upgraded our Samba servers to 2.2.8 (pre3 according to the include/version.h -- CVS "synced" this past Saturday afternoon, EDT). I compiled this new release for the following Solaris/kernel : Solaris 6 : kernel patch 105181-33 Solaris 7 : kernel patch 106541-23 Solaris 8 : kernel patch 108528-19 Prior to Solaris 8 108528-19, that was installed yesterday *not by me* , we were running 108528-12. Solaris 8 with kernel patch 108518-19 + latest Samba is causing us troubles. ps : nothing changed in our smb.conf file / we had no problems before (the fcntl() bug was not an issue for us, we only have around ~ 150 concurrent connections on that machine). There's no problems on the other boxes (Solaris 6 & 7), note that we have much less connections on those boxes. [Q] Is there anyone on this list running with the latest Solaris 8 (108528-19) kernel patch and with Samba 2.2.8? After receiving a few complains, I decided to dig into the log files. Here's what I found: 1- Many dptr_close() errors, more than usually. log.wcanomp1775:[2003/03/17 14:04:09, 0] smbd/dir.c:dptr_close(277) log.wcanomp1775: Invalid key 256 given to dptr_close 2- Many oplock_break errors, much more than we had: [2003/03/17 15:32:49, 0] smbd/oplock.c:oplock_break(791) oplock_break: end of file from client oplock_break failed for file New Lisp/mbold.lsp (dev = 3d8000a, inode = 1467387, file_id = 15). [2003/03/17 15:32:49, 0] smbd/oplock.c:oplock_break(879) oplock_break: client failure in break - shutting down this smbd. 
[2003/03/17 15:32:49, 1] smbd/service.c:close_cnum(677) wcanomp2081 (10.10.92.33) closed connection to service imews [2003/03/17 15:32:49, 1] smbd/service.c:close_cnum(677) wcanomp2081 (10.10.92.33) closed connection to service site_doc [2003/03/17 15:32:49, 1] smbd/service.c:close_cnum(677) wcanomp2081 (10.10.92.33) closed connection to service docoss [2003/03/17 15:34:24, 1] smbd/service.c:make_connection(636) wcanomp2081 (10.10.92.33) connect to service site_doc as user imews (uid=2138, gid=240) (pid 4863) [2003/03/17 15:35:10, 0] smbd/oplock.c:request_oplock_break(1011) request_oplock_break: no response received to oplock break request to pid 4858 on port 56392 for dev = 3d8000a, inode = 825700, file_id = 15 [2003/03/17 15:35:10, 0] smbd/open.c:open_mode_check(652) open_mode_check: exlusive oplock left by process 4858 after break ! For file C 1505A/AA1710-W.dwg, dev = 3d8000a, inode = 825700. Deleting it to continue... [2003/03/17 15:35:10, 0] smbd/open.c:open_mode_check(656) open_mode_check: Existent process 4858 left active oplock. [2003/03/17 15:36:59, 1] smbd/service.c:make_connection(636) wcanomp2081 (10.10.92.33) connect to service site_doc as user imews (uid=2138, gid=240) (pid 4883) [2003/03/17 15:36:59, 0] smbd/dir.c:dptr_close(277) Invalid key 256 given to dptr_close [2003/03/17 15:36:59, 0] smbd/dir.c:dptr_close(277) Invalid key 257 given to dptr_close [2003/03/17 15:37:10, 0] smbd/oplock.c:process_local_message(397) process_local_message: Received unsolicited break reply - dumping info. 
[2003/03/17 15:37:10, 0] smbd/oplock.c:process_local_message(412) process_local_message: unsolicited oplock break reply from pid 4863, port 56392, dev = 3d8000a, inode = 825700, file_id = 15 [2003/03/17 15:38:02, 1] smbd/service.c:close_cnum(677) wcanomp2081 (10.10.92.33) closed connection to service site_doc [2003/03/17 15:38:09, 1] smbd/service.c:make_connection(636) wcanomp2081 (10.10.92.33) connect to service site_doc as user imews (uid=2138, gid=240) (pid 4904) [2003/03/17 15:41:22, 1] smbd/service.c:close_cnum(677) wcanomp2081 (10.10.92.33) closed connection to service imews [2003/03/17 15:41:22, 1] smbd/service.c:close_cnum(677) wcanomp2081 (10.10.92.33) closed connection to service docoss I will "downgrade" tonight to the previous version that we were running prior to the upgrade, it says "2.2.8pre1" but I remember taken that from CVS around February the 5th, according to the installation date!!! I wish I would have more time for this but I don't :-( I'll "find" time tomorrow to let you know if the downgrade helped or not. Cheers, Pierre B.
Patch for Bad Password Attempt Lockout, samba3.0a22.
I have implemented the "bad password attempt lockout" policy. If a user attempts a bad password more times than the count set in the policy, then his account will be auto-locked, as NT does. The implementation is only for LDAP passdb backend. To do this, I have to introduce a new integer attribute in samba.schema, "badPwAttempt". Following are the patches, any comments? Jianliang Lu TieSse s.p.a. Via Jervis, 60. 10015 Ivrea (To) - Italy [EMAIL PROTECTED] [EMAIL PROTECTED]
--- samba-3.0alpha22-orig/source/auth/auth_sam.cMon Feb 17 16:31:06 2003 +++ samba-3.0alpha22-orig/source/auth/auth_sam.c.fixThu Mar 27 12:40:10 2003 @@ -326,6 +326,12 @@ return NT_STATUS_ACCOUNT_DISABLED; } + /* Quit if the account was locked out. */ + if (acct_ctrl & ACB_AUTOLOCK) { + DEBUG(1,("Account for user '%s' was locked out.\n", pdb_get_username(sampass))); + return NT_STATUS_ACCOUNT_LOCKED_OUT; + } + /* Test account expire time */ kickoff_time = pdb_get_kickoff_time(sampass); @@ -414,6 +420,7 @@ NTSTATUS nt_status; uint8 user_sess_key[16]; const uint8* lm_hash; + uint32 account_policy_lockout, badpwattempt; if (!user_info || !auth_context) { return NT_STATUS_UNSUCCESSFUL; 
@@ -448,10 +455,43 @@ nt_status = sam_password_ok(auth_context, mem_ctx, sampass, user_info, user_sess_key); if (!NT_STATUS_IS_OK(nt_status)) { + if (NT_STATUS_EQUAL(nt_status,NT_STATUS_WRONG_PASSWORD)) { + badpwattempt = (uint32)pdb_get_bad_pw_attempt(sampass) + 1; + if (!pdb_set_bad_pw_attempt(sampass, badpwattempt, PDB_CHANGED)) + DEBUG(1, ("Failed to set 'badPwAttempt' for user % s. \n", + user_info->internal_username.str)); + account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_lockout); + if (badpwattempt >= account_policy_lockout) + if (!pdb_set_acct_ctrl (sampass, + pdb_get_acct_ctrl(sampass) |ACB_AUTOLOCK, + PDB_CHANGED)) { + DEBUG(1, ("Failed to set 'disabled' flag for user % s. \n", + user_info->internal_username.str)); + } + + become_root(); + if (!pdb_update_sam_account(sampass)) { + DEBUG(1, ("Failed to modify entry for user % s.\n", + user_info->internal_username.str)); + unbecome_root(); +} + } pdb_free_sam(&sampass); return nt_status; } + if (!pdb_set_bad_pw_attempt(sampass, 0, PDB_CHANGED)) + DEBUG(1, ("Failed to set 'badPwAttempt' for user % s. \n", +user_info->internal_username.str)); + if (!pdb_set_logon_time(sampass, time(NULL), PDB_CHANGED)) + DEBUG(1, ("auth_sam.c : pdb_set_logon_time fialed!\n")); + + become_root(); + if(!pdb_update_sam_account(sampass)) + DEBUG(1, ("Failed to modify entry for user % s.\n", +user_info->internal_username.str)); + unbecome_root(); + if (!NT_STATUS_IS_OK(nt_status = make_server_info_sam(server_info, sampass))) { DEBUG(0,("check_sam_security: make_server_info_sam() failed with '%s'\n", nt_errstr(nt_status))); return nt_status; --- samba-3.0alpha22-orig/source/passdb/passdb.cMon Feb 24 16:12:31 2003 +++ samba-3.0alpha22-orig/source/passdb/passdb.c.fixThu Mar 27 12:40:10 2003 
@@ -60,6 +60,7 @@ memset(user->private.hours, 0xff, user->private.hours_len); /* available at all hours */ user->private.unknown_5 = 0x; /* don't know */ user->private.unknown_6 = 0x04ec; /* don't know */ + user->private.bad_pw_attempt = 0; /* bad password attemp count */ /* Some parts of samba strlen their pdb_get...() returns, so this keeps the interface unchanged for now. */ --- samba-3.0alpha22-orig/source/passdb/pdb_get_set.c Thu Jan 9 20:05:59 2003 +++ samba-3.0alpha22-orig/source/passdb/pdb_get_set.c.fix Thu Mar 27 12:40:10 2003 @@ -172,6 +172,14 @@ return (NULL); } +uint32 pdb_get_bad_pw_attempt (const SAM_ACCOUNT *sampass) +{ + if (sampass) + return (sampass->private.bad_pw_attempt); + else + return (-1); +} + /** * Get
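Review bot: In the first auth_sam.c hunk (@@ -326,6 +326,12 @@), the new ACB_AUTOLOCK test rejects the logon, but nothing in the visible patch ever clears the flag or ages the counter, so once the threshold is reached the account stays locked until someone edits the entry by hand, and anyone who can submit bad passwords for a known username can keep it locked. Suggest recording a lockout time and checking a lockout duration or counter-reset policy at this point, or at least stating in the patch description how an account gets unlocked.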
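Review bot: In the auth_sam.c hunk at @@ -448,10 +455,43 @@, the wrong-password branch calls become_root() but only calls unbecome_root() inside the braces of `if (!pdb_update_sam_account(sampass)) {`, so whenever the update succeeds the smbd process returns from this function still holding root privileges; move unbecome_root() after the if block, the way the success path further down does. In the same branch, `badpwattempt >= account_policy_lockout` is already true on the first failure when the policy value is 0, and the return value of account_policy_get() is not checked, so a zero or unread threshold locks an account on a single bad password; test for a non-zero threshold before setting ACB_AUTOLOCK. The DEBUG text "Failed to set 'disabled' flag" also names a different flag from the one the code sets.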
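Review bot: In the pdb_get_set.c hunk, pdb_get_bad_pw_attempt() is declared to return uint32 but returns (-1) when sampass is NULL, which the caller in auth_sam.c receives as 0xFFFFFFFF and, after its `+ 1`, silently turns into 0. Return 0 for the NULL case or report the error through a separate path rather than relying on unsigned wraparound, and add a comment describing the return value.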
Re: security tab on shares not showing up in SAMBA_3_0
On Thu, 27 Mar 2003, Gerald (Jerry) Carter wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > John, > > I just confirmed that the security tab on a share is missing > with a recent build of SAMBA_3_0. I'll look into this (unless > someone has an immediate idea). Thanks. I was beginning to think it was something I was doing. Argh! - John T. -- John H Terpstra Email: [EMAIL PROTECTED]
Re: modules: BOOL vs. int
On Thu, Mar 27, 2003 at 02:29:11PM +0100, Stefan (metze) Metzmacher wrote about 'Re: modules: BOOL vs. int':
> And I want it to be equal for all smb_register_*() fn's
> >> int auth_sam_init(void)
> >> {
> >> smb_register_auth("samstrict_dc", auth_init_samstrict_dc,
> >> AUTH_INTERFACE_VERSION);
> >> smb_register_auth("samstrict", auth_init_samstrict,
> >> AUTH_INTERFACE_VERSION);
> >> smb_register_auth("sam", auth_init_sam, AUTH_INTERFACE_VERSION);
> >> return True;
> >> }
> >When would you want the function to fail ? If registering one of the
> >functions fails?
> ok don't fail but a warning would be good

The register functions already give warnings when things are failing.

Jelmer

--
Jelmer Vernooij <[EMAIL PROTECTED]>
~/.plan: create separate include files smb_register_vfs()
Re: modules: BOOL vs. int
Not that this is "correct" or anything... just my 2cents. I tend in my own code to return negative integers to indicate warnings or errors, with different negative values having different meaning (as needed). That way, I can simply check for < 0 on return. If I want to get specific about what the error was I can look more carefully at the return value. I spent a little time programming in Icon. Interesting language. Every function returns a status code in addition to all other data. Chris -)- On Thu, Mar 27, 2003 at 02:29:11PM +0100, Stefan (metze) Metzmacher wrote: > At 12:12 27.03.2003 +0100, Jelmer Vernooij wrote: > >> I noticed that all smb_register_*() fn's return BOOL > >> and the init_module() fn's returns int > >> so this is wrong: > >I don't have problems with this. We only need the return value in > >smb_probe_module() to check for failure, and False is defined to be > >equal to 0. The current way is more flexible. Some functions return a > >BOOL, but others return an int (such as in rpc). > > You're right but I think its confusing > > can't we name the return var > BOOL when we use True or False > or!!! > int when we use 0 or -1 > > because int 0 means often success and BOOL False (int 0) means failure > (this is confusing and cries for bugs!!!) > > And just for a better coding style :-) > > And I want it to be equal for all smb_register_*() fn's > >> int auth_sam_init(void) > >> { > >> smb_register_auth("samstrict_dc", auth_init_samstrict_dc, > >> AUTH_INTERFACE_VERSION); > >> smb_register_auth("samstrict", auth_init_samstrict, > >> AUTH_INTERFACE_VERSION); > >> smb_register_auth("sam", auth_init_sam, AUTH_INTERFACE_VERSION); > >> return True; > >> } > >When would you want the function to fail ? If registering one of the > >functions fails? > > ok don't fail but a warning would be good > > > > metze > - > Stefan "metze" Metzmacher <[EMAIL PROTECTED]> > -- Samba Team -- http://www.samba.org/ -)- Christopher R. 
Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
security tab on shares not showing up in SAMBA_3_0
John, I just confirmed that the security tab on a share is missing with a recent build of SAMBA_3_0. I'll look into this (unless someone has an immediate idea). cheers, jerry
Re: [patch] uppercase workgroup in browse request
On Thu, Mar 27, 2003 at 05:43:55PM +0100, Stephan Kulow wrote: > Am Thursday 27 March 2003 03:43 schrieb Christopher R. Hertel: > > Stephan Kulow wrote: > > > Hi! > > > > > > I noticed a difference between testsmbc "smb://MYGRP" and testsmbc > > > "smb://mygrp" (it doesn't make a difference for SAMBA servers, but it > > > does for XP and for winME) So please apply the included patch. > > > > Hang on... > > > > Do I read this correctly? Are we forgetting to up-case the workgroup name? > > (...it always helps to provide a little clue along with the patch.) :) > > > > Samba decodes NetBIOS names and then performs a case-insensitive comparison > > on the original name. Windows (the versions I've tested) simply compares > > the wire-format strings. That's faster, but it's also case sensitive. I > > don't currently have any ME or XP systems to test. > > > I don't understand. You seem to agree with the patch, still it's not applied. I don't understand. I asked for clarification. :) There's a question above. I asked "Do I read this correctly?". So, what is your intention with this patch? What was the problem you were detecting? You never specified. Before I dig into the patch I want to know what you are trying to accomplish. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: [patch] uppercase workgroup in browse request
Am Thursday 27 March 2003 03:43 schrieb Christopher R. Hertel: > Stephan Kulow wrote: > > Hi! > > > > I noticed a difference between testsmbc "smb://MYGRP" and testsmbc > > "smb://mygrp" (it doesn't make a difference for SAMBA servers, but it > > does for XP and for winME) So please apply the included patch. > > Hang on... > > Do I read this correctly? Are we forgetting to up-case the workgroup name? > (...it always helps to provide a little clue along with the patch.) :) > > Samba decodes NetBIOS names and then performs a case-insensitive comparison > on the original name. Windows (the versions I've tested) simply compares > the wire-format strings. That's faster, but it's also case sensitive. I > don't currently have any ME or XP systems to test. > I don't understand. You seem to agree with the patch, still it's not applied. Greetings, Stephan
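The difference between comparing wire-format names and comparing decoded names, which Chris Hertel describes in the quoted text above, shown as an added example that is not part of the thread or of Samba's code. It uses RFC 1001 first-level encoding; the function names and the 0x1D type byte chosen for the sample are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NB_NAME_LEN 16                 /* 15 name bytes plus one type (suffix) byte */
#define NB_ENC_LEN  (NB_NAME_LEN * 2)  /* each byte becomes two letters 'A'..'P' */

/* RFC 1001 first-level encoding. out must hold NB_ENC_LEN + 1 bytes.
 * Returns 0 on success, -1 if the name does not fit in 15 bytes. */
int nb_encode(const char *name, unsigned char suffix, int upcase, char *out)
{
    unsigned char padded[NB_NAME_LEN];
    size_t len = strlen(name), i;

    if (len > NB_NAME_LEN - 1)
        return -1;
    memset(padded, ' ', NB_NAME_LEN - 1);           /* names are space padded */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        padded[i] = upcase ? (unsigned char)toupper(c) : c;
    }
    padded[NB_NAME_LEN - 1] = suffix;
    for (i = 0; i < NB_NAME_LEN; i++) {
        out[2 * i]     = (char)('A' + (padded[i] >> 4));    /* high nibble */
        out[2 * i + 1] = (char)('A' + (padded[i] & 0x0F));  /* low nibble */
    }
    out[NB_ENC_LEN] = '\0';
    return 0;
}

/* Reverse of nb_encode. Returns 0, or -1 if enc is not a valid encoded name. */
int nb_decode(const char *enc, unsigned char *raw)
{
    size_t i;

    if (strlen(enc) != NB_ENC_LEN)
        return -1;
    for (i = 0; i < NB_NAME_LEN; i++) {
        int hi = enc[2 * i] - 'A', lo = enc[2 * i + 1] - 'A';
        if (hi < 0 || hi > 15 || lo < 0 || lo > 15)
            return -1;
        raw[i] = (unsigned char)((hi << 4) | lo);
    }
    return 0;
}

/* Comparison on the wire-format strings: fast, but case sensitive. */
int match_wire(const char *a, const char *b)
{
    return strcmp(a, b) == 0;
}

/* Decode first, then compare the 15 name bytes without regard to case.
 * The type byte must still match exactly. */
int match_decoded(const char *a, const char *b)
{
    unsigned char ra[NB_NAME_LEN], rb[NB_NAME_LEN];
    size_t i;

    if (nb_decode(a, ra) != 0 || nb_decode(b, rb) != 0)
        return 0;
    for (i = 0; i < NB_NAME_LEN - 1; i++)
        if (toupper(ra[i]) != toupper(rb[i]))
            return 0;
    return ra[NB_NAME_LEN - 1] == rb[NB_NAME_LEN - 1];
}

int main(void)
{
    char upper[NB_ENC_LEN + 1], lower[NB_ENC_LEN + 1], fixed[NB_ENC_LEN + 1];

    /* Constructed sample: the two workgroup spellings from the thread. */
    nb_encode("MYGRP", 0x1D, 0, upper);
    nb_encode("mygrp", 0x1D, 0, lower);
    nb_encode("mygrp", 0x1D, 1, fixed);   /* sender upper-cases before encoding */

    printf("MYGRP          -> %s\n", upper);
    printf("mygrp          -> %s\n", lower);
    printf("mygrp, upcased -> %s\n", fixed);
    printf("wire compare, as sent:    %d\n", match_wire(upper, lower));
    printf("decoded compare, as sent: %d\n", match_decoded(upper, lower));
    printf("wire compare, upcased:    %d\n", match_wire(upper, fixed));
    return 0;
}
```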
2.2.8 - can't view/change permissions from NT clients
We were using 2.0.6 on a SunOS 5.6 server, using domain security in an NT domain, and have upgraded to 2.2.8 for the security fix. Now, when the file permissions are displayed on an NT client, ACL's are only shown for user/group/other if there are R,W, or X permissions. If u, g, or o have no rights, the ACL is not displayed for them.

Example, in 2.0.6, with a file with r--r----- permissions (440), the NT permissions display would have an ACL for the owner with R permissions, an ACL for the group with R permissions, and the Everyone group would show as O for no permissions. In 2.2.8 with the same file, the NT permissions dialog only shows an ACL line for the owner, and an ACL line for the group, but NO ACL line for Everyone since they have no permissions. If a file had r permissions, there won't be an ACL line for the group either.

In addition, we can't "Add" an ACL for the ones not displayed - In other words, in the first example, we couldn't Add the Everyone group with R permissions to give world read.

Is this normal behavior in 2.2.8, or should we see the same displays as before? How can we get the displays to show as before, or what might we have missed?
Stop in build 2.2.8 on FreeBSD 5.0 from ports
Building from the ports collection it stops in 'nsswitch/pam_winbind.po' every time.

Stop in build for 5.0-RELEASE

Not sure if this is a known bug for 5.0. Same problem with both my freshly installed 5.0 boxes.

Tariq.

. . .
Linking bin/winbindd
Compiling nsswitch/pam_winbind.c with -fPIC -DPIC
nsswitch/pam_winbind.c: In function `_make_remark':
nsswitch/pam_winbind.c:90: warning: assignment discards qualifiers from pointer target type
nsswitch/pam_winbind.c: In function `_winbind_read_password':
nsswitch/pam_winbind.c:277: `PAM_AUTHTOK_RECOVER_ERR' undeclared (first use in this function)
nsswitch/pam_winbind.c:277: (Each undeclared identifier is reported only once
nsswitch/pam_winbind.c:277: for each function it appears in.)
nsswitch/pam_winbind.c:298: warning: assignment discards qualifiers from pointer target type
nsswitch/pam_winbind.c:306: warning: assignment discards qualifiers from pointer target type
nsswitch/pam_winbind.c:312: warning: assignment discards qualifiers from pointer target type
gmake: *** [nsswitch/pam_winbind.po] Error 1
*** Error code 2

Stop in /usr/ports/net/samba.
*** Error code 1

Stop in /usr/ports/net/samba.
$
I: new smb.conf.5 build system is coming
Hi all!

I'm committing a new framework for working with smb.conf(5) Docbook sources into HEAD docs/docbook/smbdotconf/. It is not yet ready for production (most of parameters not yet converted to new meta-information description system) but infrastructure is there and should allow more easily maintain smb.conf(5).

docs/docbook/smbdotconf/ not yet used for actual Samba documentation generation but I plan switch somewhere later next week or so when (hopefully) all information will be updated and other components of SGML documentation will be converted to XML too (most of them already prepared but not all).

I'm including doc/docbook/smbdotconf/README below with more detailed description of structure and internals of new framework.

---
DocBook XML 4.2 source code for smb.conf(5) documentation for Samba 3.0
Author of the document: Alexander Bokovoy <[EMAIL PROTECTED]>

Welcome to new smb.conf(5) documentation build system! This directory contains a new incarnation of Samba's smb.conf(5) Docbook XML 4.2 sources. Note that the output might be unsatisfying until all smb.conf(5) parameters will converted to new format (see Chapter 4 for details).

Content
-------
0. Prerequisites
1. Structure
2. XSLT stylesheets
3. Usage
4. Current status of converted parameters

Prerequisites
-------------
In order to compile smb.conf(5) documentation from Docbook XML 4.2 sources you'll need:

- a working libxml2 and libxslt installation, together with xsltproc utility
- a locally installed Docbook XSL 4.2 or higher
- a working xmlcatalog to eliminate Web access for Docbook XSL

The latter requisite is important: we do not specify local copies of Docbook XSL stylesheets in our XSLTs because of real nightmare in their location in most distributions. Fortunately, libxml2 provides standard way to access locally installed external resources via so-called 'xmlcatalog' tool. It is working in RedHat, Mandrake, ALT Linux, and some other distributions but wasn't at the moment of this writing (Late March'03) in Debian.

Structure
---------
smb.conf(5) sources consist of a number of XML files distributed across a number of subdirectories. Each subdirectory represents a group of smb.conf(5) parameters dedicated to one specific task as described in Samba's loadparm.c source file (and shown in SWAT).

Each XML file in subdirectories represents one parameter description, together with some additional meta-information about it. Complete list of meta-information attributes

attribute   description
-------------------------------------------------------
name        smb.conf(5) parameter name
context     G for global, S for services
basic       set to 1 if loadparm.c's description
wizard      includes appropriate flag for
advanced    this parameter (FLAG_BASIC,
developer   FLAG_ADVANCED, FLAG_WIZARD, FLAG_DEVELOPER)
-------------------------------------------------------

Main XML file for smb.conf(5) is smb.conf.5.xml. It contains a general stub for man page and several XML instructions to include:

- a list of global parameters (auto-generated);
- a list of service parameters (auto-generated);
- a complete list of alphabetically sorted parameters (auto-generated).

XSLT stylesheets
----------------
In order to combine and build final version of smb.conf(5) we apply a set of XSLT stylesheets to smb.conf(5) sources. Following is the complete description of existing stylesheets in smb.conf(5) source tree:

1. [expand-smb.conf.xsl] Main driver, produces big XML source with all smaller components combined. The resulted tree is then fed to Docbook XSL for final producing. This stylesheet performs two main transformations:

- Replaces tag by one;
- Generates and tags for each .

The latter step needs some explanation. We generate automatically and tags based on meta-information about parameter. This way all anchors have predictable names (capitalized parameter name with all spaces suppressed) and we really don't need to duplicate data. There was only one exception to the generation rule in smb.conf.5.sgml: "use spnego" parameter had anchor SPNEGO which is now unified to USESPNEGO. This also fixes a bug in SWAT which was unable to find SPNEGO anchor.

2. [generate-context.xsl] An utility stylesheet which main purpose is to produce a list of parameters which are applicable for selected context (global or service). The generate-context.xsl is run twice to generate both parameters.global.xml and parameters.service.xml which are included then by smb.conf.5.xml. This stylesheet relies on parameters.all.xml file which is generated by [generate-file-list.sh] shell script. The parameters.all.xml file contains a complete list of include instructions for XS
RE: encrypt passwords=no, security=yes, samba 2.2.8, W2K user auth fails
Hi tony, based on your log file, it sure does APPEAR that you have NOT turned off encrypted passwords, as samba is trying to open /usr/local/samba/private/smbpasswd. It should only do that if it negotiated encrypted passwords in the negot prot call, which it should only be able to do if encrypted passwords is set to yes. I note that you are including ANOTHER smb.conf file at the end of your global section; please check there and see if you have an encrypt passwords = yes, and/or include the contents of that smb.conf file as well in your next message to the list, ok? include=/etc/sfw/local-smb.conf > -Original Message- > From: tony shepherd [mailto:[EMAIL PROTECTED] > Sent: Tuesday, March 25, 2003 21:31 > To: [EMAIL PROTECTED] > Cc: tony.shepherd > Subject: BUG: encrypt passwords=no, security=yes, samba > 2.2.8, W2K user > auth fails > > > folks > > ** > I am not on this mail list. Can all replied please be Cc'ed > to me as well. > ** > > I have come across the following bug using samba 2.2.8 (in > the throws of > upgrading from 2.0.10 to fix security vul). > > I discovered this bug using a W2K system; it was not present > when testing > with win98. I am running the samba server on a solaris 9 system. > > I am using "encrypt passwords = no" and "security=user" and > using the Unix > passwords for authentication. Registry modification have > been made to the > windows system. > > To replicate the bug, I do the following: > > * log onto w2k system as user ts74081, passwd: fred > * try and open the share: \\huey\ts74081. As my password is > different > between the windows system and the samba server, it prompts me for a > username/password pair. I give the correct values but I > still get rejected. > * I then try to access the share as a different user (one > that does not > exist on the system): username fred, passwd fred. Naturally > it fails. 
> * I then try again with the proper username/password pair and I get > authenticated correctly and the share is made available. > > > If I do not try and authenticate as a different user before > retrying with > the proper username, it will continue to fail to authenticate. > > I have attached debug 3 logs of the above scenario as well as > the smb.conf > I am using. > > If I change the security parameter to "security=share", the > above bug does > not show itself. > > > thanks > > tony > >
Re: LDAP Coding??
On Thu, Mar 27, 2003 at 12:44:55PM +0100, Volker Lendecke wrote: > Why does my LDAP server deny the following request? Ok, this seems to be something specific to OpenLDAP 2.0. With 2.1.16 just compiled this works as expected. Could this be called a bug? Volker
Re: modules: BOOL vs. int
At 12:12 27.03.2003 +0100, Jelmer Vernooij wrote:
>> I noticed that all smb_register_*() fn's return BOOL
>> and the init_module() fn's returns int
>> so this is wrong:
> I don't have problems with this. We only need the return value in
> smb_probe_module() to check for failure, and False is defined to be
> equal to 0. The current way is more flexible. Some functions return a
> BOOL, but others return an int (such as in rpc).

You're right but I think it's confusing

can't we name the return var
BOOL when we use True or False
or!!!
int when we use 0 or -1

because int 0 means often success and BOOL False (int 0) means failure
(this is confusing and cries for bugs!!!)

And just for a better coding style :-)

And I want it to be equal for all smb_register_*() fn's

>> int auth_sam_init(void)
>> {
>> smb_register_auth("samstrict_dc", auth_init_samstrict_dc,
>> AUTH_INTERFACE_VERSION);
>> smb_register_auth("samstrict", auth_init_samstrict,
>> AUTH_INTERFACE_VERSION);
>> smb_register_auth("sam", auth_init_sam, AUTH_INTERFACE_VERSION);
>> return True;
>> }
> When would you want the function to fail ? If registering one of the
> functions fails?

ok don't fail but a warning would be good

metze
-
Stefan "metze" Metzmacher <[EMAIL PROTECTED]>
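The clash of return conventions discussed in this message, as an added example that is not Samba's code: a prober that treats 0 as failure is handed one init function that drops its registration results and one that uses 0 for success. `demo_register`, `probe_zero_is_failure`, the `mod_status` type and the small table are hypothetical stand-ins for smb_register_auth() and smb_probe_module(), and the pre-registered "sam" entry is a constructed conflict.

```c
#include <stdio.h>
#include <string.h>

typedef int BOOL;                  /* BOOL is a plain int, so the compiler cannot help */
#define True  1
#define False 0

#define DEMO_INTERFACE_VERSION 1   /* hypothetical, stands in for AUTH_INTERFACE_VERSION */
#define DEMO_MAX_BACKENDS 8

static const char *demo_names[DEMO_MAX_BACKENDS];
static int demo_count, demo_failures;
static const char *const sam_backends[] = { "samstrict_dc", "samstrict", "sam" };
#define N_SAM (sizeof sam_backends / sizeof sam_backends[0])

void demo_reset(void)     { demo_count = 0; demo_failures = 0; }
int demo_registered(void) { return demo_count; }
int demo_failed(void)     { return demo_failures; }

/* Hypothetical stand-in for smb_register_auth(): True on success, False on a
 * version mismatch, a full table or a name that is already taken. */
BOOL demo_register(const char *name, int version)
{
    int i, ok = (version == DEMO_INTERFACE_VERSION && demo_count < DEMO_MAX_BACKENDS);

    for (i = 0; ok && i < demo_count; i++)
        if (strcmp(demo_names[i], name) == 0)
            ok = 0;
    if (!ok) {
        demo_failures++;
        return False;
    }
    demo_names[demo_count++] = name;
    return True;
}

/* Same shape as auth_sam_init() in the thread: results dropped, always True. */
int init_unchecked(void)
{
    size_t i;

    for (i = 0; i < N_SAM; i++)
        (void)demo_register(sam_backends[i], DEMO_INTERFACE_VERSION);
    return True;
}

/* A module author following the other convention: 0 is success, -1 is failure. */
int init_zero_is_success(void)
{
    return demo_register("xml", DEMO_INTERFACE_VERSION) ? 0 : -1;
}

/* Prober that reads the int as a BOOL: 0 (False) means the module failed. */
BOOL probe_zero_is_failure(int (*init)(void))
{
    return init() != 0 ? True : False;
}

/* One way out: a status type in which success has a name of its own. */
typedef enum { MOD_OK, MOD_PARTIAL, MOD_FAILED } mod_status;

mod_status init_checked(void)
{
    size_t i, ok = 0;

    for (i = 0; i < N_SAM; i++) {
        if (demo_register(sam_backends[i], DEMO_INTERFACE_VERSION))
            ok++;
        else
            fprintf(stderr, "warning: could not register '%s'\n", sam_backends[i]);
    }
    if (ok == N_SAM)
        return MOD_OK;
    return ok > 0 ? MOD_PARTIAL : MOD_FAILED;
}

int main(void)
{
    demo_reset();
    demo_register("sam", DEMO_INTERFACE_VERSION);   /* constructed name conflict */
    printf("unchecked init: probe=%d, failed registrations=%d\n",
           probe_zero_is_failure(init_unchecked), demo_failed());

    demo_reset();
    printf("0-is-success init, registration worked: probe=%d\n",
           probe_zero_is_failure(init_zero_is_success));
    printf("0-is-success init, registration failed: probe=%d\n",
           probe_zero_is_failure(init_zero_is_success));

    demo_reset();
    demo_register("sam", DEMO_INTERFACE_VERSION);
    printf("checked init with conflict: status=%d (MOD_PARTIAL=%d)\n",
           (int)init_checked(), (int)MOD_PARTIAL);
    return 0;
}
```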
Re: Next alpha of 3.0 planned for Friday
In <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote: >> This is just a heads up for everyone. I'm planning >> the 3.0alpha23 release for this Friday. If you have code >> that needs to be merged of commited to the SAMBA_3_0 cvs tree, >> please get in checked in by 8am EST on Friday of the week. Would someone take a look at CIDR-like notation problem by Mr. Takeda (and following mail by me) ? If this is right, example config described in securing-samba.sgml will not work as expected. (http://lists.samba.org/pipermail/samba-technical/2003-March/042993.html) Tomoki AONO ([EMAIL PROTECTED])
Re: LDAP Coding??
> profilePath:: IA== > [EMAIL PROTECTED]:~/ldif$ ldapmodify -x -D cn=admin,dc=samba,dc=org -w secret -f > test.ldif > modifying entry "uid=vl,dc=kampf,dc=de" > ldap_modify: Invalid syntax Ooops. I had wanted to edit this completely... Volker
LDAP Coding??
Hi (lukeh?)!

Why does my LDAP server deny the following request? ldapmodify sends this IA== (base64 for blank) as '04 01 20' according to ethereal. If I have a non-base64 value, say 'xxx', in 'profilePath' this works perfectly fine.

This is a standard debian woody, so I have slapd 2.0.23. I'm still seeing this as my error, or could this also be an OpenLDAP bug?

Thanks!

Volker

[EMAIL PROTECTED]:~/ldif$ ldapsearch -x uid=vl profilePath
version: 2

#
# filter: uid=vl
# requesting: profilePath
#

# vl, samba, org
dn: uid=vl,dc=samba,dc=org
profilePath:: IA==

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[EMAIL PROTECTED]:~/ldif$ cat test.ldif
dn: uid=vl,dc=samba,dc=org
changetype: modify
delete: profilePath
profilePath:: IA==
[EMAIL PROTECTED]:~/ldif$ ldapmodify -x -D cn=admin,dc=samba,dc=org -w secret -f test.ldif
modifying entry "uid=vl,dc=kampf,dc=de"
ldap_modify: Invalid syntax
        additional info: modify: delete values failed

ldif_record() = 21
[EMAIL PROTECTED]:~/ldif$
Re: modules: BOOL vs. int
On Thu, Mar 27, 2003 at 08:23:43AM +0100, Stefan (metze) Metzmacher wrote about 'modules: BOOL vs. int':
> Hi Jelmer,
> I noticed that all smb_register_*() fn's return BOOL
> and the init_module() fn's returns int
> so this is wrong:

I don't have problems with this. We only need the return value in smb_probe_module() to check for failure, and False is defined to be equal to 0. The current way is more flexible. Some functions return a BOOL, but others return an int (such as in rpc).

> int pdb_xml_init(void)
> {
> return smb_register_passdb("xml", xmlsam_init,
> PASSDB_INTERFACE_VERSION);
> }
> and here we really should check the return values,
> and print out warnings or fail when the registration didn't succeed.
> int auth_sam_init(void)
> {
> smb_register_auth("samstrict_dc", auth_init_samstrict_dc,
> AUTH_INTERFACE_VERSION);
> smb_register_auth("samstrict", auth_init_samstrict,
> AUTH_INTERFACE_VERSION);
> smb_register_auth("sam", auth_init_sam, AUTH_INTERFACE_VERSION);
> return True;
> }

When would you want the function to fail ? If registering one of the functions fails?

jelmer

--
Jelmer Vernooij <[EMAIL PROTECTED]> - http://nl.linux.org/~jelmer/
12:05:12 up 19:53, 10 users, load average: 0.31, 0.33, 0.30
Re: Next alpha of 3.0 planned for Friday
Hi, Metze! ... using usrmgr.exe against pdb_ldap > I'll look at it today. I have just tried it. I successfully set a user's description via usrmgr.exe. I do however have problems with certain values. If for example I want to store just a space into 'description' I get 'invalid syntax'. If doing this via 'ldapmodify', the attribute ends up in a base64 coded value of IA==. I think I have to put some more work into LDAP coding Volker
Re: Next alpha of 3.0 planned for Friday
On Thu, Mar 27, 2003 at 07:08:21AM +0100, Stefan (metze) Metzmacher wrote: > I'm not sure if the new LDAP modify stuff works without problems. > I have problems with that I can't change user entries via usrmgr.exe > the LDAP server returns 'can't add attribute' > (here the attribute should be modified) > > and before this changes all works well (I have not touched the ldap server) > > It would be nice if this could be fixed till alpha23 > I'll look at it today. Volker