Re: status of unixsam and guest passdb backends?

2003-03-31 Thread Alexander Bokovoy
On Mon, Mar 31, 2003 at 10:23:16AM +1000, Andrew Bartlett wrote:
   Guestsam is in there to provide the only useful thing unixsam did -
   ensuring that the guest account really was the guest, and had the guest
   RID.  It also helped with some Win2k behavior that assumed the presence
   of the guest account.
  
  Could you update smb.conf(5) to this effect?  Thanks.
 Sure.
Andrew, also put your changes into new smb.conf(5) doc in HEAD
(docs/docbook/smbdotconf/) so that data wouldn't be unsynchronized. I'm
expecting to finish HEAD conversion to Docbook XML late this week.

-- 
/ Alexander Bokovoy
---
You know, of course, that the Tasmanians, who never committed adultery, are
now extinct.
- M. Somerset Maugham


net rpc samsync patch

2003-03-31 Thread Ronan Waide
Small patch to stop net rpc samsync from copying an empty comment when
syncing group data.

Cheers,
Waider.

Index: source/utils/net_rpc_samsync.c
===
RCS file: /cvsroot/samba/source/utils/net_rpc_samsync.c,v
retrieving revision 1.20
diff -u -r1.20 net_rpc_samsync.c
--- source/utils/net_rpc_samsync.c  30 Mar 2003 16:46:28 -  1.20
+++ source/utils/net_rpc_samsync.c  31 Mar 2003 09:09:46 -
@@ -521,7 +521,10 @@
map.sid = group_sid;
map.sid_name_use = SID_NAME_DOM_GRP;
fstrcpy(map.nt_name, name);
-   fstrcpy(map.comment, comment);
+
+if (delta-hdr_grp_desc.buffer) {
+fstrcpy(map.comment, comment);
+}
 
map.priv_set.count = 0;
map.priv_set.set = NULL;
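Review bot: the new test on hdr_grp_desc.buffer around fstrcpy(map.comment, comment) has no else branch, so when the delta carries no description map.comment keeps whatever it held before. The visible context does not show map being cleared or loaded from an existing mapping; if it is a fresh stack variable, the comment field is uninitialized when the mapping is stored. Either confirm that map is populated earlier in the function or add an else that stores an empty comment.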

-- 
[EMAIL PROTECTED] / Yes, it /is/ very personal of me.
it's this new keyboard. damn thing types faster than i do. i wish i knew
 where my old one went. it was connected to the computer when i went to bed
 last night. - Nikolai Kingsley


hide files problem

2003-03-31 Thread gnu_is_not_unix
Hi !

I want to hide files with names beginning with . So I have
added following lines to my smb.conf (2.2.8):

        hide dot files = yes
        hide files = /.*

When user changes options in folder options to show hide files
and folders, he can see all files/folders beginning with .

greetz
boka






When the keep-alive packet sent out,rfc1002 says different things!!

2003-03-31 Thread Aladdin_Cai
Hello everyone. When I was programming a samba client in freeDOS, using wattcp, I found
a strange thing, which is not the same as rfc1002 claims. In rfc 1002, see below:
 
NetBIOS Working Group [Page 72]
RFC 1002 March 1987
5.2.2.2. RECEIVED PACKET PROCESSING

These are packets received after a session has been established.

PROCEDURE session_packet(packet)
/*
 * processing initiated by receipt of a session service
 * packet for a session in the data transfer phase.
 */
BEGIN
   CASE packet type OF

   SESSION MESSAGE:
   BEGIN
        process message header;
        read in user data;
        reset and restart keep-alive timer; // note this!
        deliver data to user;
   END /* session message */

   SESSION KEEP ALIVE:
        discard packet;

   END /* case */
END /* procedure */
 
So, while I write data or read data to server, it seems that server will not send me
any keep-alive packet because he will reset the timer. But in fact, while I raw write a
very large piece of data to server (no matter windows or linux), it will send me a
keep-alive occasionally, leading my defenseless code to crash.
I REALLY don't understand why they don't obey the rules, or do I mistake rfc1002?
 
Urgently hope for your kindly help,thank you


Samba 2.2.8 - Snap Server Support

2003-03-31 Thread openldap
Hello All!

I've looked through some docs of 2.2.8 and haven't yet seen anything. 
Please forgive me if I may have missed something.

Is there SNAP Server support in Samba 2.2.8?  If not, are there any plans
to support it in the future?  I am aware that samba 3.0 has this
functionality.

I was provided with a patch that seems to work just fine.  I can pass this
along to anyone interested.

Many thanks to the Samba Team and all of its developers world-wide for a
great product.




Re: Patch for Bad Password Attempt Lockout, samba3.0a22.

2003-03-31 Thread Jianliang Lu
 On Fri, 2003-03-28 at 23:55, Jianliang Lu wrote:
  Now the users of admin users will not be locked. 
 
 admin users not the appropriate choice here.  Better would be the
 members of the 'domain admins' group.  The interesting bit is finding
 this out at the right point in time...

Yes, I agree with you. But until the privilege of domain admins does not 
work I can only use the admin users as the workaround to administrator's 
group.
 

  In attach is the new patch 
  file.
  About lockout duration, I will implement next time. I think that we 
should 
  extend another attribute to record the lockout time.
 
 We also need to check that the account policy has been set, and that
 it's not 0 (which I assume is the 'don't lock out' value).
 

'0' means forever. we can always put the max number like 9.. to that. As 
soon as the user logon with the correct password the bad attempt count will 
be reset to 0.

 Also, I'm worried about the writes this will cause on the backend.  An
 LDAP write can be quite expensive, and for the LDAP case this means that
 the master ldap server will be hit for every logon attempt.  
 

Yes, but I don't know how to implement it differently.

 Andrew Bartlett
 
 -- 
 Andrew Bartlett [EMAIL PROTECTED]
 Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
 Student Network Administrator, Hawker College   [EMAIL PROTECTED]
 http://samba.org http://build.samba.org http://hawkerc.net



Jianliang Lu
TieSse s.p.a.
Via Jervis, 60.  10015 Ivrea (To) - Italy
[EMAIL PROTECTED]
[EMAIL PROTECTED]


Re: When the keep-alive packet sent out,rfc1002 says different things!!

2003-03-31 Thread Andrew Bartlett
On Mon, 2003-03-31 at 19:42, [EMAIL PROTECTED] wrote:
 Hello everyone, When I am programming a samba client in freeDOS,using wattcp, 
 I found a strange thing, which is not the same as rfc1002 claims.
 In rfc 1002,see below:

 So,during I write data or read data to server, it seems that server will 
 not send me any keep-alive packet because he will reset the timer.But
 in fact,during I raw write a very large piece data to server(not
 matter windows or linux),it will send me a keep-alive
 occasionally,leading my defendless code crash.
 I REALLY don't understand why they don't obey the rules,or do I mistake rfc1002?
  
 Urgently hope for your kindly help,thank you

See www.ubiqx.org/cifs for a description of this horrid protocol...

Also, make sure you understand - the standard is what Microsoft does,
not what any RFC says.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
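
The RFC 1002 pseudocode quoted in this thread already has the receiver discard SESSION KEEP ALIVE packets in the data transfer phase, so a client has to accept one between any two session messages. The C sketch below is an added example, not code from the thread or from Samba: the names nbss_next and nbss_drain and the sample byte stream are constructed here, and the packet type values and the 17-bit length come from RFC 1002 section 4.3.1.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Session service packet types from RFC 1002 section 4.3.1. */
#define NBSS_SESSION_MESSAGE 0x00
#define NBSS_KEEP_ALIVE      0x85
#define NBSS_HDR_LEN         4

enum nbss_result {
    NBSS_BAD = -1,      /* malformed frame or type not valid in data phase */
    NBSS_NEED_MORE = 0, /* header or payload not fully buffered yet */
    NBSS_MESSAGE = 1,   /* one complete SESSION MESSAGE */
    NBSS_SKIPPED = 2    /* SESSION KEEP ALIVE consumed and discarded */
};

struct nbss_stats {
    unsigned messages;
    unsigned keepalives;
    size_t payload_bytes;
};

/*
 * Classify the first frame in buf[0..len), the bytes buffered so far from
 * the TCP stream. On MESSAGE or SKIPPED, *consumed is the number of bytes
 * to drop from the front of the buffer; payload points into buf (no copy).
 */
enum nbss_result nbss_next(const uint8_t *buf, size_t len,
                           const uint8_t **payload, size_t *payload_len,
                           size_t *consumed)
{
    uint8_t type, flags;
    size_t body;

    *payload = NULL;
    *payload_len = 0;
    *consumed = 0;
    if (len < NBSS_HDR_LEN)
        return NBSS_NEED_MORE;      /* never act on a partial header */

    type = buf[0];
    flags = buf[1];
    if (flags & 0xFE)
        return NBSS_BAD;            /* RFC 1002: reserved bits are zero */
    /* LENGTH is 17 bits: the E bit (low bit of FLAGS) extends the field. */
    body = ((size_t)(flags & 0x01) << 16) | ((size_t)buf[2] << 8) | buf[3];

    if (type == NBSS_KEEP_ALIVE) {
        if (body != 0)
            return NBSS_BAD;        /* strict choice: keep-alive has no body */
        *consumed = NBSS_HDR_LEN;
        return NBSS_SKIPPED;
    }
    if (type != NBSS_SESSION_MESSAGE)
        return NBSS_BAD;
    if (len - NBSS_HDR_LEN < body)
        return NBSS_NEED_MORE;      /* wait for the rest of the payload */

    *payload = buf + NBSS_HDR_LEN;
    *payload_len = body;
    *consumed = NBSS_HDR_LEN + body;
    return NBSS_MESSAGE;
}

/*
 * Walk every complete frame in the buffer. Returns the number of trailing
 * bytes that belong to a frame still in flight, or (size_t)-1 on a bad frame.
 */
size_t nbss_drain(const uint8_t *buf, size_t len, struct nbss_stats *st)
{
    size_t off = 0;

    memset(st, 0, sizeof *st);
    for (;;) {
        const uint8_t *p;
        size_t plen, used;
        enum nbss_result r = nbss_next(buf + off, len - off, &p, &plen, &used);

        if (r == NBSS_NEED_MORE)
            return len - off;
        if (r == NBSS_BAD)
            return (size_t)-1;
        if (r == NBSS_MESSAGE) {
            st->messages++;         /* a real client hands p/plen to SMB here */
            st->payload_bytes += plen;
        } else {
            st->keepalives++;       /* discarded, exactly as the RFC says */
        }
        off += used;
    }
}

/* Constructed sample stream (not captured traffic). */
static const uint8_t SAMPLE_STREAM[] = {
    0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c',  /* SESSION MESSAGE, 3 bytes */
    0x85, 0x00, 0x00, 0x00,                 /* SESSION KEEP ALIVE */
    0x00, 0x00, 0x00, 0x02, 'd', 'e',       /* SESSION MESSAGE, 2 bytes */
    0x00, 0x00, 0x00, 0x05, 'x', 'y'        /* message with 2 of 5 bytes */
};

int main(void)
{
    struct nbss_stats st;
    size_t left = nbss_drain(SAMPLE_STREAM, sizeof SAMPLE_STREAM, &st);

    printf("messages=%u keepalives=%u payload=%zu pending=%zu\n",
           st.messages, st.keepalives, st.payload_bytes, left);
    return 0;
}
```

Dispatching on the type byte before trusting the length field is what keeps an interleaved keep-alive from being read as SMB data.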




[PATCH] fix some vfs bugs

2003-03-31 Thread Stefan (metze) Metzmacher
Hi Alexander,

here're the following fixes:

1.) fix the logic when overloading vfs functions, the last vfs object 
should be called at first!

2.) let vfs_load_old_plugin() return the vfs_op_tuple *
 (Now this function has really no effect! :-)


metze
-
Stefan metze Metzmacher [EMAIL PROTECTED] 

vfs-fix-01.diff
Description: Binary data


[PATCH] fix the format of the new backtrace output

2003-03-31 Thread Stefan (metze) Metzmacher
Hi all,

here's a small formatting fix to the new backtrace output in smb_panic()



metze
-
Stefan metze Metzmacher [EMAIL PROTECTED] 

backtrace.diff
Description: Binary data


Re: New modules system and vfs_done

2003-03-31 Thread Stefan (metze) Metzmacher
At 12:25 31.03.2003 +0200, Simo Sorce wrote:
On Mon, 2003-03-31 at 03:30, Andrew Bartlett wrote:
 As per my recent commit, the new (VFS) modules system completely breaks
 on tree disconnect!

 We need to separate the different cases - the compat and the central
 modules, and provide either a flag or a function pointer to the correct
 way to shut down a module.
I have a patch for that, ab will look at it later this week.
It would be nice if you don't touch the vfs_done() function calls
(I want to remove the vfs_init() and vfs_done() fn's for the new modules)
and the shut down stuff should be in vfs_disconnect() !


 The code in conn_close is really in the wrong place - it's dealing with
 the VFS, not the connection.

 And how should a internal module 'end' it's operations anyway?  We don't
 seem to have that coded up at all...
Eh, the shutdown stuff was just a thing, I was thinking yesterday ...
I agree we should have to way to startup and shutdown the modules, as we
have to way to load it (preload and fork).
This is mandatory for modules that uses databases or other repository
they connect to through a socket or other communication mechanism.


metze
-
Stefan metze Metzmacher [EMAIL PROTECTED] 



Re: New modules system and vfs_done

2003-03-31 Thread Stefan (metze) Metzmacher
At 13:02 31.03.2003 +0200, Simo Sorce wrote:
 Eh, the shutdown stuff was just a thing, I was thinking yesterday ...
 I agree we should have to way to startup and shutdown the modules, as we
 have to way to load it (preload and fork).
to -> two
this is what my patch is about :-)

the old modules will have
conn->vfs_private
and the new modules will have
conn->vfs_handles
but I think there's no way to beware old modules from recompiling :-(



metze
-
Stefan metze Metzmacher [EMAIL PROTECTED] 



SID related debug messages

2003-03-31 Thread Michael Steffens
Hi,

the attached enhancements of SID related debug messages were quite
useful for me for tracking down where strange SIDs winbindd
complained about are coming from.
Being there I found that my suspicious SIDs are included in the
user token from DC on domain client validation, in the other
sids section. Is this the place where W2k SID history lives?
Cheers!
Michael
Index: source/nsswitch/winbindd_group.c
===
RCS file: /cvsroot/samba/source/nsswitch/winbindd_group.c,v
retrieving revision 1.3.4.25
diff -u -r1.3.4.25 winbindd_group.c
--- source/nsswitch/winbindd_group.c14 Oct 2002 03:00:14 -  1.3.4.25
+++ source/nsswitch/winbindd_group.c31 Mar 2003 11:46:32 -
@@ -290,7 +290,10 @@
sid_append_rid(group_sid, group_rid);
 
if (!winbindd_lookup_name_by_sid(group_sid, dom_name, group_name, 
name_type)) {
-   DEBUG(1, (could not lookup sid\n));
+   fstring temp;
+
+   sid_to_string(temp, group_sid);
+   DEBUG(1, (could not lookup sid %s\n, temp));
return WINBINDD_ERROR;
}
 
Index: source/nsswitch/winbindd_util.c
===
RCS file: /cvsroot/samba/source/nsswitch/winbindd_util.c,v
retrieving revision 1.7.4.26
diff -u -r1.7.4.26 winbindd_util.c
--- source/nsswitch/winbindd_util.c 4 Mar 2003 23:35:50 -   1.7.4.26
+++ source/nsswitch/winbindd_util.c 31 Mar 2003 11:46:32 -
@@ -262,7 +262,7 @@
domain = find_domain_from_sid(sid);
 
if (!domain) {
-   DEBUG(1,(Can't find domain from sid\n));
+   DEBUG(1,(Can't find domain from sid %s\n, sid_string_static(sid)));
return False;
}
 
Index: source/smbd/password.c
===
RCS file: /cvsroot/samba/source/smbd/password.c,v
retrieving revision 1.186.2.71
diff -u -r1.186.2.71 password.c
--- source/smbd/password.c  4 Mar 2003 23:36:00 -   1.186.2.71
+++ source/smbd/password.c  31 Mar 2003 11:46:32 -
@@ -1667,6 +1667,16 @@
sid_append_rid(ptok-user_sids[i], info3.gids[i].g_rid);
}
 
+   if (DEBUGLVL(10)) {
+   dbgtext(info3 group sids for %s in domain %s\n, user, 
domain);
+   for (i = 0; i  info3.num_groups2; i++) {
+   fstring temp;
+
+   sid_to_string(temp, ptok-user_sids[i]);
+   dbgtext([%d] %s\n, i, temp);
+   }
+   }
+
/* Universal group memberships for other domains are
   stored in the info3.other_sids field.  We also need to
   do sid filtering here. */
@@ -1674,6 +1684,16 @@
for (i = 0; i  info3.num_other_sids; i++)
sid_copy(ptok-user_sids[info3.num_groups2 + i], 
 info3.other_sids[i].sid);
+
+   if (DEBUGLVL(10)) {
+   dbgtext(info3 other sids for %s in domain %s\n, user, 
domain);
+   for (i = 0; i  info3.num_other_sids; i++) {
+   fstring temp;
+
+   sid_to_string(temp, ptok-user_sids[info3.num_groups2 
+ i]);
+   dbgtext([%d] %s\n, i, temp);
+   }
+   }
 
*pptoken = ptok;
}
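Review bot: the DEBUGLVL(10) block added after the other_sids copy loop repeats the block added in the previous hunk line for line, differing only in the label and in the info3.num_groups2 offset into the user_sids array. A small static helper that takes the label, the first SID and the count would remove the duplication. The context comment just above also says SID filtering still has to be done here, so the message should state that these are the SIDs as received in info3, before any filtering.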


Re: Samba 2.2.8 - Snap Server Support

2003-03-31 Thread Andrew Bartlett
On Mon, 2003-03-31 at 19:18, [EMAIL PROTECTED] wrote:
 Hello All!
 
 I've looked through some docs of 2.2.8 and haven't yet seen anything. 
 Please forgive me if I may have missed something.
 
 Is there SNAP Server support in Samba 2.2.8?  If not, are there any plans
 to support it in the future?  I am aware that samba 3.0 has this
 functionality.

Sorry, no that code never made it back into 2.2, as far as I know.

 I was provided with a patch that seems to work just fine.  I can pass this
 along to anyone interested.
 
 Many thanks to the Samba Team and all of its developers world-wide for a
 great product.
-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net




RE: Samba 2.2.8 - Snap Server Support

2003-03-31 Thread Irving Carrion
Is the Samba Team interested in supporting SNAP for 2.x versions?  If so
I can provide the patch.

Thanks!!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Andrew Bartlett
Sent: Monday, March 31, 2003 7:07 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Samba 2.2.8 - Snap Server Support

On Mon, 2003-03-31 at 19:18, [EMAIL PROTECTED] wrote:
 Hello All!
 
 I've looked through some docs of 2.2.8 and haven't yet seen anything. 
 Please forgive me if I may have missed something.
 
 Is there SNAP Server support in Samba 2.2.8?  If not, are there any plans
 to support it in the future?  I am aware that samba 3.0 has this
 functionality.

Sorry, no that code never made it back into 2.2, as far as I know.

 I was provided with a patch that seems to work just fine.  I can pass this
 along to anyone interested.
 
 Many thanks to the Samba Team and all of its developers world-wide for a
 great product.
-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net



Re: SID related debug messages

2003-03-31 Thread Tim Potter
On Mon, Mar 31, 2003 at 01:56:45PM +0200, Michael Steffens wrote:

 the attached enhancements of SID related debug messages were quite
 useful for me for tracking down where strange SIDs winbindd
 complained about are coming from.
 
 Being there I found that my suspicious SIDs are included in the
 user token from DC on domain client validation, in the other
 sids section. Is this the place where W2k SID history lives?

I'm not sure where the SID history lives.  As far as I can work out
the other SIDs section seems to be where membership of universal 
groups from trusted domains is contained.


Tim.



Re: status of unixsam and guest passdb backends?

2003-03-31 Thread Andrew Bartlett
On Mon, 2003-03-31 at 18:52, Alexander Bokovoy wrote:
 On Mon, Mar 31, 2003 at 10:23:16AM +1000, Andrew Bartlett wrote:
Guestsam is in there to provide the only useful thing unixsam did -
ensuring that the guest account really was the guest, and had the guest
RID.  It also helped with some Win2k behavior that assumed the presence
of the guest account.
   
   Could you update smb.conf(5) to this effect?  Thanks.
  Sure.
 Andrew, also put your changes into new smb.conf(5) doc in HEAD
 (docs/docbook/smbdotconf/) so that data wouldn't be unsynchronized. I'm
 expecting to finish HEAD conversion to Docbook XML late this week.

I was wondering about that...

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net




RE: Samba 2.2.8 - Snap Server Support

2003-03-31 Thread Irving Carrion
These are prebuilt NAS (network attached storage) servers with html gui
interfaces to configure.  For more info go to
http://www.snapappliance.com/.

We buy 'em 'cause they're compact, stable, network ready, and have lots
of disk space.  


-Original Message-
From: Paul Reilly [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 31, 2003 8:51 AM
To: Irving Carrion
Subject: RE: Samba 2.2.8 - Snap Server Support


 Is the Samba Team interested in supporting SNAP for 2.x versions?  If so
 I can provide the patch.


What is SNAP ?
What functionality does it provide?

Paul



Re: New modules system and vfs_done

2003-03-31 Thread Simo Sorce
On Mon, 2003-03-31 at 03:30, Andrew Bartlett wrote:
 As per my recent commit, the new (VFS) modules system completely breaks
 on tree disconnect!
 
 We need to separate the different cases - the compat and the central
 modules, and provide either a flag or a function pointer to the correct
 way to shut down a module.
 
 The code in conn_close is really in the wrong place - it's dealing with
 the VFS, not the connection. 
 
 And how should a internal module 'end' it's operations anyway?  We don't
 seem to have that coded up at all...

Eh, the shutdown stuff was just a thing, I was thinking yesterday ...
I agree we should have to way to startup and shutdown the modules, as we
have to way to load it (preload and fork).
This is mandatory for modules that uses databases or other repository
they connect to through a socket or other communication mechanism.

Simo.

-- 
Simo Sorce - [EMAIL PROTECTED]
Xsec s.r.l. - http://www.xsec.it
via Durando 10 Ed. G - 20158 - Milano
mobile: +39 329 328 7702
tel. +39 02 2399 7130 - fax: +39 02 700 442 399




Re: New modules system and vfs_done

2003-03-31 Thread Simo Sorce
On Mon, 2003-03-31 at 12:25, Simo Sorce wrote:

 Eh, the shutdown stuff was just a thing, I was thinking yesterday ...
 I agree we should have to way to startup and shutdown the modules, as we
 have to way to load it (preload and fork).

to -> two

 This is mandatory for modules that uses databases or other repository
 they connect to through a socket or other communication mechanism.
 
 Simo.
-- 
Simo Sorce - [EMAIL PROTECTED]
Xsec s.r.l. - http://www.xsec.it
via Durando 10 Ed. G - 20158 - Milano
mobile: +39 329 328 7702
tel. +39 02 2399 7130 - fax: +39 02 700 442 399




Defaults for 'profile path' etc to in 3.0?

2003-03-31 Thread Volker Lendecke

Hi!

Given our 'rich' SAM backends I'd like to ask for your opinion on
changing the defaults for 'profile path' and 'logon home' to  to
have workstation-local profiles be the default. NT does this, and we
change so much in the PDC anyway. The reason why I'm asking: It has
hit me several times now after doing a 'net rpc vampire' for testing
purposes that suddenly the users got server-based profiles when before
they had local profiles.

Volker



Re: Defaults for 'profile path' etc to in 3.0?

2003-03-31 Thread Stefan (metze) Metzmacher
At 13:31 31.03.2003 +0200, Volker Lendecke wrote:
Hi!

Given our 'rich' SAM backends I'd like to ask for your opinion on
changing the defaults for 'profile path' and 'logon home' to  to
have workstation-local profiles be the default. NT does this, and we
change so much in the PDC anyway. The reason why I'm asking: It has
hit me several times now after doing a 'net rpc vampire' for testing
purposes that suddenly the users got server-based profiles when before
they had local profiles.
I would say it's ok to change it



metze
-
Stefan metze Metzmacher [EMAIL PROTECTED] 



Re: Defaults for 'profile path' etc to in 3.0?

2003-03-31 Thread Andrew Bartlett
On Mon, 2003-03-31 at 21:55, Stefan (metze) Metzmacher wrote:
 At 13:31 31.03.2003 +0200, Volker Lendecke wrote:
 
 Hi!
 
 Given our 'rich' SAM backends I'd like to ask for your opinion on
 changing the defaults for 'profile path' and 'logon home' to  to
 have workstation-local profiles be the default. NT does this, and we
 change so much in the PDC anyway. The reason why I'm asking: It has
 hit me several times now after doing a 'net rpc vampire' for testing
 purposes that suddenly the users got server-based profiles when before
 they had local profiles.
 
 I would say it's ok to change it

I think we should have a ./configure option for it, certainly.  We have
managed to keep option compatibility with 2.2 (even having a
--with-ldapsam that sets the old defaults), so I would oppose changing
the defaults.

Andrew Bartlett 

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net




Re: New modules system and vfs_done

2003-03-31 Thread Jelmer Vernooij
On Mon, Mar 31, 2003 at 11:30:42AM +1000, Andrew Bartlett wrote about 'New modules 
system and vfs_done':
 As per my recent commit, the new (VFS) modules system completely breaks
 on tree disconnect!

 We need to separate the different cases - the compat and the central
 modules, and provide either a flag or a function pointer to the correct
 way to shut down a module.
if(handle->handle == NULL) then we're using a central module. I've got
a patch that fixes all this, which I'll apply later today.

 The code in conn_close is really in the wrong place - it's dealing with
 the VFS, not the connection. 

 And how should a internal module 'end' it's operations anyway?  We don't
 seem to have that coded up at all...
Problem is we can't assume a plugin is ever going to be unloaded - 
not all operating systems support dlclose() and plugins might be 
linked in statically.

Jelmer
-- 
Jelmer Vernooij  [EMAIL PROTECTED]
~/.plan: 
create separate include files
look at coolo's patches




RE: Samba 2.2.8 - Snap Server Support

2003-03-31 Thread Irving Carrion
Currently the snap has a hard time reading Samba's domain users / groups
correctly.  The patch (I did not write the code) simply fixes this
problem.  It works fine on W2k servers, but I think it runs on a windows
appliance operating system.  Not sure though.

-Original Message-
From: Paul Reilly [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 31, 2003 9:26 AM
To: Irving Carrion
Subject: RE: Samba 2.2.8 - Snap Server Support


 These are prebuilt NAS (network attached storage) servers with html gui
 interfaces to configure.  For more info go to
 http://www.snapappliance.com/.

I see...

But does samba not work with these already?
What does your code do ?
Paul



RE: [SECURITY] Samba 2.2.8 available for download

2003-03-31 Thread Green, Paul
Andrew Bartlett [mailto:[EMAIL PROTECTED] wrote:
 On Mon, 2003-03-31 at 06:12, Green, Paul wrote:
  Green, Paul [mailto:[EMAIL PROTECTED] wrote:
   The 2.2.8 release notes say:
   
A buffer overrun condition exists in the SMB/CIFS packet
fragment re-assembly code in smbd which would allow an
attacker to cause smbd to overwrite arbitrary areas of
memory in its own process address space. This could
allow a skilled attacker to inject binary specific
exploit code into smbd.
  
  I have written a short test case (available upon request) to
  confirm that Stratus VOS, when running on the HP PA-RISC
  hardware, is not susceptible to such an attack.  While such
  an attack can indeed be used to insert code onto the VOS
  stack, as soon as the processor attempts to begin executing
  the code it will take a no-execute permission fault or an
  invalid-page fault. Therefore, the last sentence of this
  warning in the 2.2.8 release notes about inject[ing] binary
  specific exploit code into smbd does not apply to VOS on HP
  PA-RISC.
  
  As other experts have noted, there are probably other
  OS/Hardware combinations that are also immune to this attack.
  I hope other maintainers will post such information so that
  we can have a public record, and not needlessly scare our
  customers.

 I would not be so confident.  You don't need to modify the
 code that will be executed, or cause a jump to your exploit
 to cause mischief.  If you can overwrite an arbitrary
 position in memory, I'm sure you can find some variable
 that is critical to Samba's internal state, and go from
 there.  

I agree with your comment, but in my defense, I was trying to respond to the
comment in the release notes about injecting binary-specific exploit code.
That can't happen on VOS when it is running on PA-RISC.  We're in the
process of porting VOS to the Intel Pentium family, and one of the things
we're investigating is how to prevent this same attack on that chip.  We're
reasonably confident we'll be able to prevent this attack there, too.  I
think most of the attempts to attack Samba on VOS would result in denial of
service, but I agree it is possible that someone could get Samba to bypass
one of its internal checks.  I'm far more concerned about the issue of
injecting binary-specific code, because a successful attack of that type
would open up the entire resources of the machine to the attacker.

Having said all this, because some of my customers are interested in
receiving the 2.2.x version of Samba for VOS, and because the 2.2.x version
has the fix for the buffer overruns, and also because 3.0 is not yet ready
for prime time, I hope that the patches I'm submitting to 2.2.x will be
applied.  I'm willing to apply them myself, and monitor the build farm for
any fallout, if I'm granted access.  <plug> I've been porting Samba to VOS
since version 2.0.5, working on POSIX and open-source software since 1996,
and been a software developer since 1969. I have extensive experience in
operating systems and compilers and have been the architect and lead
developer for the Stratus VOS POSIX environment. I have made it a rule to
test all patches on both VOS and Solaris before submitting them to
samba-technical. I'm also the maintainer of the ports of Perl and OpenSSL to
VOS, among others. </plug>

Thanks
PG
--
Paul Green, Senior Technical Consultant,
Stratus Technologies, Maynard, MA USA
Voice: +1 978-461-7557; FAX: +1 978-461-3610






[PATCH] fix vfs objects order

2003-03-31 Thread Stefan (metze) Metzmacher
Hi Alexander,

here's the small fix which corrects the vfs objects order



metze
-
Stefan metze Metzmacher [EMAIL PROTECTED] 

vfs-fix-02.diff
Description: Binary data


Re: Patch for Bad Password Attempt Lockout, samba3.0a22.

2003-03-31 Thread Jianliang Lu
Now the users of Domain Admins will not be locked. But until we have not 
the right privilege for Domain Admins, I will continue to use the admin 
users for administrator's use (like add machine, user manager for domain...).
In attach is the new patch.

Jianliang Lu
TieSse s.p.a.
Via Jervis, 60.  10015 Ivrea (To) - Italy
[EMAIL PROTECTED]
[EMAIL PROTECTED]
--- auth_sam.c. Thu Mar 20 16:31:34 2003
+++ auth_sam.c.fix  Mon Mar 31 17:23:09 2003
@@ -326,6 +326,12 @@
return NT_STATUS_ACCOUNT_DISABLED;
}
 
+   /* Quit if the account was locked out. */
+   if (acct_ctrl  ACB_AUTOLOCK) {
+   DEBUG(1,(Account for user '%s' was locked out.\n, 
pdb_get_username(sampass)));
+   return NT_STATUS_ACCOUNT_LOCKED_OUT;
+   }
+
/* Test account expire time */

kickoff_time = pdb_get_kickoff_time(sampass);
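Review bot: the ACB_AUTOLOCK test added after the disabled-account check turns the flag into a hard failure, but no hunk in this patch ever clears it again: the success path in the last hunk only resets the counter with pdb_set_bad_pw_attempt(sampass, 0, PDB_CHANGED). As posted, a locked account stays locked until something outside this code removes the flag. Please add a comment saying how the flag is expected to be cleared, or clear it once the lockout duration mentioned in the thread is implemented.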
@@ -414,6 +420,8 @@
NTSTATUS nt_status;
uint8 user_sess_key[16];
const uint8* lm_hash;
+   uint32 account_policy_lockout, badpwattempt;
+   GROUP_MAP map;
 
if (!user_info || !auth_context) {
return NT_STATUS_UNSUCCESSFUL;
@@ -448,10 +456,45 @@
nt_status = sam_password_ok(auth_context, mem_ctx, sampass, user_info, 
user_sess_key);
 
if (!NT_STATUS_IS_OK(nt_status)) {
+   if (NT_STATUS_EQUAL(nt_status,NT_STATUS_WRONG_PASSWORD)) {  
+   badpwattempt = (uint32)pdb_get_bad_pw_attempt(sampass) + 1;
+   if (!pdb_set_bad_pw_attempt(sampass, badpwattempt, 
PDB_CHANGED))
+   DEBUG(1, (Failed to set 'badPwAttempt' for 
user % s. \n, 
+
user_info-internal_username.str));
+   account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, 
account_policy_lockout);
+   if (!get_group_map_from_ntname(Domain Admins, map, 
MAPPING_WITHOUT_PRIV))
+   DEBUG(1, (auth_sam.c: Failed to get groupmap for 
Domain Admins));
+   if ((badpwattempt = account_policy_lockout)  
!user_in_list(user_info-internal_username.str, lp_admin_users(-1), NULL, 0)  
!user_in_group_list(user_info-internal_username.str, gidtoname(map.gid), NULL, 0))
+   if (!pdb_set_acct_ctrl (sampass, 
+   
pdb_get_acct_ctrl(sampass) |ACB_AUTOLOCK, 
+   
PDB_CHANGED)) {
+   DEBUG(1, (Failed to set 'disabled' flag for 
user % s. \n, 
+
user_info-internal_username.str));
+   }
+
+   become_root();
+   if (!pdb_update_sam_account(sampass)) {
+   DEBUG(1, (Failed to modify entry for user % s.\n, 
+
user_info-internal_username.str));
+   unbecome_root();
+}
+   }
pdb_free_sam(sampass);
return nt_status;
}
 
+   if (!pdb_set_bad_pw_attempt(sampass, 0, PDB_CHANGED))
+   DEBUG(1, (Failed to set 'badPwAttempt' for user % s. \n, 
+user_info-internal_username.str));
+   if (!pdb_set_logon_time(sampass, time(NULL), PDB_CHANGED))
+   DEBUG(1, (auth_sam.c : pdb_set_logon_time fialed!\n));
+
+   become_root();
+   if(!pdb_update_sam_account(sampass)) 
+   DEBUG(1, (Failed to modify entry for user % s.\n, 
+user_info-internal_username.str));
+   unbecome_root();
+
if (!NT_STATUS_IS_OK(nt_status = make_server_info_sam(server_info, sampass))) 
{ 
DEBUG(0,(check_sam_security: make_server_info_sam() failed with 
'%s'\n, nt_errstr(nt_status)));
return nt_status;
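Review bot: in the wrong-password branch, unbecome_root() sits inside the braces of the failed pdb_update_sam_account() test, so when the update succeeds the function goes on to return nt_status without dropping root. Move unbecome_root() after the closing brace, as the success path further down already does. Two more points in the same branch: a failed get_group_map_from_ntname() is only logged, and map.gid is then passed to gidtoname() anyway while map may be uninitialized; and the result of account_policy_get() is not checked, so if the stripped comparison is ">=" a policy value of 0 locks the account on the first bad password. Guard the lockout with a check that the policy was read and is non-zero, and skip the group test when the mapping lookup fails.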


Samba-3.0alpha23 available on samba.org mirrors

2003-03-31 Thread Gerald (Jerry) Carter

We've just posted another snapshot of the SAMBA_3_0 cvs tree
for download.  This is a non-production release provided for
testing only.  Note that this release **does** contain the 
security fixes included in the Samba 2.2.8 release.

The source code can be downloaded from :

http://download.samba.org/samba/ftp/alpha/

The uncompressed tarball and patch file have been signed
using GnuPG.  The Samba public key is available at

http://download.samba.org/samba/ftp/samba-pubkey.asc

Binary packages for RedHat have been released and can be
found at

http://download.samba.org/samba/ftp/Binary_Packages/

Others will be available as they are submitted by volunteers.

A simplified version of the CVS log of updates since 3.0alpha22
can be found in the download directory under the name
ChangeLog-3.0alpha22-alpha23.  The release notes follow.

As always, all bugs are our responsibility.

  --Enjoy
  The Samba Team

- 

  WHATS NEW IN Samba 3.0 alpha23
  30th March 2003
  ==

This is a pre-release of Samba 3.0. This is NOT a stable release. 
Use at your own risk.

The purpose of this alpha release is to get wider testing of the 
major new pieces of code in the current Samba 3.0 development tree. 
We have officially ceased development on the 2.2.x release of Samba 
and are concentrating on Samba 3.0. To reduce the time before the 
final Samba 3.0 release we need as many people as possible to start
testing these alpha releases, and hopefully giving us some high 
quality feedback on what needs fixing.

Note that Samba 3.0 is not feature complete yet. There is more 
coding we have planned, but unless we get what we have done already 
more widely tested we will have a hard time doing a stable release 
in a reasonable time frame.

Major new features:
-------------------

- Active Directory support. This release is able to join an ADS realm
  as a member server and authenticate users using LDAP/kerberos.

- Unicode support. Samba will now negotiate UNICODE on the wire and
  internally there is now a much better infrastructure for multi-byte
  and UNICODE character sets.

- New authentication system. The internal authentication system has
  been almost completely rewritten. Most of the changes are internal,
  but the new auth system is also very configurable.

- new filename mangling system. The filename mangling system has been
  completely rewritten. An internal database now stores mangling maps
  persistently. This needs lots of testing.

- new net command. A new net command has been added. It is
  somewhat similar to the net command in windows. Eventually we plan
  to replace a bunch of other utilities (such as smbpasswd) with
  subcommands in net, at the moment only a few things are
  implemented.

- Samba now negotiates NT-style status32 codes on the wire. This
  improves error handling a lot.

- better w2k printing support including publishing printer
  attributes in active directory

- new loadable RPC modules

- new dual-daemon winbindd support for better performance

- support for migrating from a Windows NT 4.0 domain

- support for establishing trust relationships with Windows NT 
  4.0 domain controllers

Plus lots of other changes!


Reporting bugs & Development Discussion
---------------------------------------

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.


Changes in alpha23:
-------------------

  LDAP Group Mapping
  --

  pdbedit -i -e sets all SAM_ACCOUNT elements to CHANGED to
  satisfy the new pdb_ldap.c handling.   pdbedit -g transfers group
  mappings. I made this separate from the user database, as current
  installations have to live with a split backend.  So, if you are
  running 3_0 alphas with LDAP as a backend and upgrade to 3.0alpha23,
  you must call

root# pdbedit -i tdbsam -e ldapsam -g

  to transfer your group mapping database to LDAP.

  All groups must be represented as posixGroup objects in
  the directory and you must adapt your LDAP schema to support the
  sambaGroupMapping before running this command.  Refer to
  examples/LDAP/samba.schema for details on the objectclass.


  Parameters
  --

  Modified Parameters (see smb.conf(5) for details):

  * passdb backend

  Added Parameters

  * ldap del only sam attr
  * ldap delete dn


  ChangeLog
  -

  See cvs log for SAMBA_3_0 for complete details.  There are many
  smaller numerous changes that would clutter the release notes.

0)  

Re: Problems with ACLs in 2.2.8

2003-03-31 Thread Buck Huppmann
i'm also seeing some aberrant ACL-setting behavior in samba 2.2.8. moreover,
the new Creator Owner and Creator Group semantics are bewildering,
although i can understand if, in that sense, they're just mimicking NT
behavior all the more closely. at any rate, below's a patch that purports
to do the following:

1. the hunk for util_sid.c makes the Creator Owner and Creator Group
   icons show up appropriately in my NT-permissions-chooser thingy

2. the first three hunks for posix_acls.c allow one to drop entries from
   an ACL without having samba re-insert the ``missing'' ACEs behind the
   scenes with the share-default perms. this may or may not address your
   concern

3. the fourth hunk excepts Creator Owner and Creator Group from being
   dropped from the incoming ACL as ``non-mappable SIDs''

4. the fifth hunk corrects for the fact that--according to the ``-s''
   option description from the setfacl(1) man page of Solaris 2.6, anyway--
   Solaris needs a default ``CLASS_OBJ'' entry if it has any other default
   ACL entries

5. the sixth hunk makes use of the mask_perms mode that set_canon_ace_list()
   munges all the way through but then does nothing with. this isn't required
   for correct functionality, though, i don't think
   
6. the seventh hunk (in NT4-compatible mode) abridges the code to elide
   the non-default ACL entry for the group owner if the group owner has no
   permissions, since i thought this might allay confusion, as indicated by
   the CPP macro name used there. again, this isn't required for correct
   functionality

none of these are meant to be applied to anybody's samba source tree; i'm
just trying to point out some areas that may need attention

i think, however, for my purposes, i'm just going to drop in the old 2.2.7
posix_acls.c, since i find named ACEs with non-bogus perms in both
parenthesized slots in the NT-permissions-thingy display much less confusing, if a
bit misleading

--buck

On Tue, Mar 25, 2003 at 01:39:22AM +, Jan Houstek wrote:
 Hi all!
 
 I posted this in [EMAIL PROTECTED] but there were no reactions.
 Particularly I'm interested if anyone observes the same behavior.
 
 -- Honza Houstek
 
 --
 
 server:
   linux 2.4.19 with xfs 1.2 and its ACL
   libacl 2.0.19
   samba 2.2.8 compiled from source with --with-acl-support
   acting as PDC
   interesting parts of smb.conf
   create mask = 0600
   directory mask = 0700
   [testshare]
   path = /data/testshare
   readonly = No
 client:
   1) Windows XP, servicepack 1.2a
   2) smbmount from another linux box
 
 server:~# getfacl /data/testshare/testdir
 # file: testdir
 # owner: testuser
 # group: users
 user::rwx
 group::---
 group:somegroup:r-x
 group:anothergroup:rwx
 mask::rwx
 other::---
 default:user::rwx
 default:group::---
 default:group:somegroup:r-x
 default:group:anothergroup:rwx
 default:mask::rwx
 default:other::---
 
 server:~# umask 007
 server:~# mkdir /data/testshare/testdir/test1
 server:~# getfacl /data/testshare/testdir/test1
 # file: test1
 # owner: root
 # group: root
 user::rwx
 group::---
 group:somegroup:r-x
 group:anothergroup:rwx
 mask::rwx
 other::---
 default:user::rwx
 default:group::---
 default:group:somegroup:r-x
 default:group:anothergroup:rwx
 default:mask::rwx
 default:other::---
 
 On windows:
   logon to domain as testuser
   create test2 in testdir (right mouse button - New - Folder)
 
 server:~# getfacl /data/testshare/testdir/test2
 # file: test2
 # owner: testuser
 # group: users
 user::rwx
 group::rwx# !!! problem !!!
 group:somegroup:r-x
 group:anothergroup:rwx
 mask::rwx
 other::---
 default:user::rwx
 default:group::---
 default:group:somegroup:r-x
 default:group:anothergroup:rwx
 default:mask::rwx
 default:other::---

--- samba-2.2.8/source/lib/util_sid.c.orig  Fri Mar 14 16:34:47 2003
+++ samba-2.2.8/source/lib/util_sid.c   Mon Mar 31 07:50:10 2003
@@ -64,7 +64,8 @@
{0, (enum SID_NAME_USE)0, NULL}};
 
 static known_sid_users creator_owner_users[] = {
-   { 0, SID_NAME_ALIAS, Creator Owner },
+   { 0, SID_NAME_WKN_GRP, Creator Owner },
+   { 1, SID_NAME_WKN_GRP, Creator Group },
{0, (enum SID_NAME_USE)0, NULL}};
 
 static known_sid_users nt_authority_users[] = {
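Review bot: retyping the existing `Creator Owner` entry from `SID_NAME_ALIAS` to `SID_NAME_WKN_GRP` changes what every lookup through `creator_owner_users[]` reports for that SID, not only the icon in the permissions dialog. Before this goes in, check the callers that branch on the SID name type and put a one-line comment on the table saying why both entries are well-known groups. The new `{ 1, ... Creator Group }` row also depends on the incoming-SID mapping knowing about RID 1, which the message says is done in the fourth posix_acls.c hunk; that dependency deserves a mention next to the table.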
--- samba-2.2.8/source/smbd/posix_acls.c.orig   Fri Mar 14 16:34:49 2003
+++ samba-2.2.8/source/smbd/posix_acls.cMon Mar 31 09:10:10 2003
@@ -653,6 +653,7 @@
 * we would get mask instead of group. Let's do it via ACL.
 */
 
+#if RETAIN_ACE_IF_MISSING_FROM_INCOMING_ACL
if (setting_acl  (!got_user || !got_grp || !got_other)) {
 
SMB_ACL_ENTRY_T entry;
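Review bot: `#if RETAIN_ACE_IF_MISSING_FROM_INCOMING_ACL` tests a macro that is not defined anywhere in the visible patch, so the preprocessor evaluates it as 0 and the whole `if (setting_acl ...` fallback block is silently compiled out. If that is the intent, add an explicit `#define RETAIN_ACE_IF_MISSING_FROM_INCOMING_ACL 0` near the top of posix_acls.c with a comment describing the behaviour change, or make it a run-time option, so a reader does not have to infer the default from an undefined symbol.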
@@ -701,6 +702,7 @@
fsp-fsp_name));
}
}
+#endif /* RETAIN_ACE_IF_MISSING_FROM_INCOMING_ACL */
 
if (!got_user) {
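Review bot: once the block closed by this `#endif` is compiled out, a set-ACL request that leaves out the owner, group or other entry goes straight to `if (!got_user) {`, and the patch is cut off before that branch is shown. The message says the aim is to stop missing ACEs being re-inserted with share-default permissions, so the review needs to see what this branch fills in instead; please include the rest of the hunk or describe the resulting permissions in a comment above the `#endif`.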
  

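The comparison made by hand in the quoted listings (test1 created from a shell, test2 created through Samba) can be automated. The following is an added example, not code from the thread or from Samba: it parses `getfacl` output and reports entries that grant more than POSIX.1e default-ACL inheritance predicts. The function names are hypothetical, the sample text is constructed from the listings in the message, and the create mode of 0777 is an assumption.

```python
# Added example, not code from the thread or from Samba.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Constructed from the getfacl listings quoted in the message above.
PARENT_ACL = """\
# file: testdir
user::rwx
group::---
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:somegroup:r-x
default:group:anothergroup:rwx
default:mask::rwx
default:other::---
"""
TEST1_ACL = """\
# file: test1
user::rwx
group::---
group:somegroup:r-x
group:anothergroup:rwx
mask::rwx
other::---
"""
TEST2_ACL = """\
# file: test2
user::rwx
group::rwx# !!! problem !!!
group:somegroup:r-x
group:anothergroup:rwx
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Parse getfacl output into (access, default) dicts: (tag, qualifier) -> bits."""
    access, default = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops '# file:' lines and trailing notes
        if not line:
            continue
        target = access
        if line.startswith("default:"):
            target, line = default, line[len("default:"):]
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"not an ACL entry: {raw!r}")
        tag, qualifier, perms = parts
        target[(tag, qualifier)] = sum(PERM_BITS.get(ch, 0) for ch in perms)
    return access, default

def inherited_acl(parent_default, create_mode):
    """Access ACL a new object gets under a directory that has a default ACL.

    The default ACL is copied, then the owner entry, the mask (or the owning
    group entry when there is no mask) and the other entry are ANDed with the
    matching bits of the mode passed to mkdir()/open(). umask is not consulted.
    """
    if not parent_default:
        raise ValueError("parent has no default ACL; mode & ~umask applies instead")
    child = dict(parent_default)
    child[("user", "")] &= (create_mode >> 6) & 7
    group_class = ("mask", "") if ("mask", "") in child else ("group", "")
    child[group_class] &= (create_mode >> 3) & 7
    child[("other", "")] &= create_mode & 7
    return child

def to_rwx(bits):
    return "".join(ch if bits & bit else "-" for ch, bit in PERM_BITS.items())

def widened_entries(observed, expected):
    """Entries where the observed ACL grants bits the expected ACL does not."""
    report = {}
    for (tag, qualifier), bits in observed.items():
        extra = bits & ~expected.get((tag, qualifier), 0)
        if extra:
            report[f"{tag}:{qualifier}:"] = to_rwx(extra)
    return report

def check_child(parent_text, child_text, create_mode=0o777):
    """Compare a child's access ACL with what the parent's default ACL predicts."""
    _, parent_default = parse_getfacl(parent_text)
    observed, _ = parse_getfacl(child_text)
    return widened_entries(observed, inherited_acl(parent_default, create_mode))

if __name__ == "__main__":
    print("test1:", check_child(PARENT_ACL, TEST1_ACL))
    print("test2:", check_child(PARENT_ACL, TEST2_ACL))
```

Run against real `getfacl` output, an empty result means the directory matches plain inheritance; any entry in the result is a permission that was added after creation.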
RE: Samba 2.2.8 - Snap Server Support

2003-03-31 Thread Marc Kaplan
Irving,

Applying patches to your Snap Server is probably not a good idea, and
usually impossible since the box doesn't have a compiler or the smbd source
we use. If you're putting in a patched binary, that also may have unintended
effects. I just don't want you to get your box in an unsupported state
(since we do have free tech support for our customers).

Please let me know the: 
1) SnapServer model you have 
2) The OS it's running
3) Where the patch came from 
4) How you applied it

Maybe you can also explain to me the problems that you were having. Is it
using the Snap against a Samba PDC? If so, is the Samba PDC the place where
you applied the patch? 

Also, the SnapServer is either BSD or Linux based, depending on the model.

-Marc


--
Marc Kaplan
Software Quality Assurance Engineer
SnapAppliance - Network Attached Storage Division 
408-879-8769

-Original Message-
From: Irving Carrion [mailto:[EMAIL PROTECTED]
Sent: Monday, March 31, 2003 6:30 AM
To: 'Paul Reilly'
Cc: [EMAIL PROTECTED]
Subject: RE: Samba 2.2.8 - Snap Server Support


Currently the snap has a hard time reading Samba's domain users / groups
correctly.  The patch (I did not write the code) simply fixes this
problem.  It works fine on W2k servers, but I think it runs on a windows
appliance operating system.  Not sure though.

-Original Message-
From: Paul Reilly [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 31, 2003 9:26 AM
To: Irving Carrion
Subject: RE: Samba 2.2.8 - Snap Server Support


 These are prebuilt NAS (network attached storage) servers with html
gui
 interfaces to configure.  For more info go to
 http://www.snapappliance.com/.

I see...

But does samba not work with these already?
What does your code do ?
Paul


Re: When the keep-alive packet sent out, rfc1002 says different things!!

2003-03-31 Thread Christopher R. Hertel
On Mon, Mar 31, 2003 at 08:07:16PM +1000, Andrew Bartlett wrote:
 On Mon, 2003-03-31 at 19:42, [EMAIL PROTECTED] wrote:
  Hello everyone, When I am programming a samba client in freeDOS, using
  wattcp, I found a strange thing, which is not the same as rfc1002 claims.
  In rfc 1002, see below:
 
  So, during I write data or read data to server, it seems that server will 
  not send me any keep-alive packet because he will reset the timer. But
  in fact, during I raw write a very large piece data to server (not
  matter windows or linux), it will send me a keep-alive
  occasionally, leading my defenseless code crash.
  I REALLY don't understand why they don't obey the rules, or do I 
  mistake rfc1002?
   
  Urgently hope for your kindly help,thank you
 
 See www.ubiqx.org/cifs for a description of this horrid protocol...
 
 Also, make sure you understand - the standard is what Microsoft does,
 not what any RFC says.

Also note that you may have trouble with ReadRaw and WriteRaw.  Microsoft
published documentation regarding these SMBs a long time ago and never
suggested that there might be licensing issues.  Just about a year ago,
however, they coughed up some patents which may or may not apply to
implementations of ReadRaw and WriteRaw.  See:  
http://us3.samba.org/samba/ms_license.html

That said, the problem you are experiencing, if I understand correctly, is 
that the server is sending keep-alives during a WriteRaw from your client 
because the server-side keep-alive timer is not reset.
Two solutions:
1) Send an SMB ECHO just before doing the WriteRaw.  That will reset the
   timer.
2) Handle the keep-alive.

For case #2, the keep-alive will contain the bytes { 0x85, 0, 0, 0 } and 
that's it.  You should be able to recognize those and simply discard them.

Chris -)-

-- 
Samba Team -- http://www.samba.org/ -)-   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)-   [EMAIL PROTECTED]
OnLineBook -- http://ubiqx.org/cifs/-)-   [EMAIL PROTECTED]
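
Option 2 from the reply above (recognise the four keep-alive bytes and discard them) can be built into the receive path so that a keep-alive arriving at any point cannot desynchronise the client. This is an added example, not code from the thread: the function and class names are hypothetical, the byte stream is constructed, and the framing follows the NBT session service header of RFC 1002 (type, flags, 16-bit length with a one-bit length extension in the flags).

```python
# Added example, not code from the thread: NBT session-service framing
# with keep-alives discarded and malformed frames rejected.
import struct

SESSION_MESSAGE = 0x00
SESSION_KEEP_ALIVE = 0x85
KNOWN_TYPES = {0x00, 0x81, 0x82, 0x83, 0x84, 0x85}
KEEP_ALIVE_FRAME = bytes([0x85, 0, 0, 0])

class FramingError(Exception):
    """The byte stream does not follow NBT session-service framing."""

def read_exact(read, count):
    """Call read() until exactly `count` bytes arrive; short reads are normal on TCP."""
    buf = bytearray()
    while len(buf) < count:
        chunk = read(count - len(buf))
        if not chunk:
            raise EOFError("connection closed inside an NBT frame")
        buf += chunk
    return bytes(buf)

def read_frame(read):
    """Read one frame and return (type, payload)."""
    ptype, flags, length = struct.unpack(">BBH", read_exact(read, 4))
    if ptype not in KNOWN_TYPES:
        raise FramingError(f"unknown packet type 0x{ptype:02x}")
    if flags & 0xFE:
        raise FramingError("reserved flag bits set")
    length |= (flags & 0x01) << 16          # length extension bit: 17-bit length
    if ptype == SESSION_KEEP_ALIVE and length != 0:
        raise FramingError("keep-alive with a non-zero length")
    return ptype, read_exact(read, length)

def next_session_message(read):
    """Return the payload of the next session message, skipping keep-alives."""
    while True:
        ptype, payload = read_frame(read)
        if ptype == SESSION_KEEP_ALIVE:
            continue                         # nothing to answer, nothing to keep
        if ptype != SESSION_MESSAGE:
            raise FramingError(f"type 0x{ptype:02x} not expected in an open session")
        return payload

def frame(payload):
    """Build a session message frame (used here only to construct the sample)."""
    if len(payload) > 0x1FFFF:
        raise ValueError("payload does not fit in a 17-bit length")
    return struct.pack(">BBH", SESSION_MESSAGE, len(payload) >> 16,
                       len(payload) & 0xFFFF) + payload

class DribbleReader:
    """Stand-in for socket.recv that returns at most `step` bytes per call."""
    def __init__(self, data, step=3):
        self.data, self.step, self.pos = data, step, 0

    def read(self, count):
        chunk = self.data[self.pos:self.pos + min(count, self.step)]
        self.pos += len(chunk)
        return chunk

def drain(stream, step=3):
    """Return (payloads, keep_alive_count) for a captured byte stream."""
    reader = DribbleReader(stream, step)
    payloads, keep_alives = [], 0
    while reader.pos < len(stream):
        ptype, payload = read_frame(reader.read)
        if ptype == SESSION_KEEP_ALIVE:
            keep_alives += 1
        elif ptype == SESSION_MESSAGE:
            payloads.append(payload)
        else:
            raise FramingError(f"type 0x{ptype:02x} not expected in an open session")
    return payloads, keep_alives

# Constructed sample: keep-alives before, between and after two messages.
FIRST, SECOND = b"\xffSMB" + b"A" * 10, b"\xffSMB" + b"B" * 5
SAMPLE_STREAM = (KEEP_ALIVE_FRAME + frame(FIRST) + KEEP_ALIVE_FRAME
                 + KEEP_ALIVE_FRAME + frame(SECOND) + KEEP_ALIVE_FRAME)

if __name__ == "__main__":
    print(drain(SAMPLE_STREAM))
```

With a real socket, pass `sock.recv` as the `read` argument of `next_session_message`.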


RE: Samba 2.2.8 - Snap Server Support

2003-03-31 Thread Irving Carrion
Thanks for your response!  

The patch that I applied was applied to the Samba Server not the Snap.
It was a patch given to me by someone on this list (I'll have to look
for his name to give him proper credit).  It was written for Samba
Version 2.2.3 but it is working for me in version 2.2.6.  We have 2 snap
servers that don't work correctly (although worked fine with w2k server
and Samba 3.0).  They are:

Snap Server 2000 20gig mirror

Dell Power Vault 705N (I understand they resell snap) 80 gig mirror

Without the patch, both tend to not read users/groups with Samba 2.2.x
PDC's.

I don't know what operating systems the snaps have.  

Also, after speaking to Quantum support, they don't support anything
other than W2k PDC's.  The tech I spoke with didn't even know what Samba
was.

The patch is working great, I just wanted to make sure of SNAP
compatibility with 2.2.8 before upgrading.  If not, I may just have to
compile from source again.

Thanks!  

P.S. I can provide you with the patch if you need it.

-Original Message-
From: Marc Kaplan [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 31, 2003 12:46 PM
To: 'Irving Carrion'; 'Paul Reilly'
Cc: [EMAIL PROTECTED]
Subject: RE: Samba 2.2.8 - Snap Server Support

Irving,

Applying patches to your Snap Server is probably not a good idea, and
usually impossible since the box doesn't have a compiler or the smbd
source
we use. If you're putting in a patched binary, that also may have
unintended
effects. I just don't want you to get your box in an unsupported state
(since we do have free tech support for our customers).

Please let me know the: 
1) SnapServer model you have 
2) The OS it's running
3) Where the patch came from 
4) How you applied it

Maybe you can also explain to me the problems that you were having. Is
it
using the Snap against a Samba PDC? If so, is the Samba PDC the place
where
you applied the patch? 

Also, the SnapServer is either BSD or Linux based, depending on the
model.

-Marc


--
Marc Kaplan
Software Quality Assurance Engineer
SnapAppliance - Network Attached Storage Division 
408-879-8769

-Original Message-
From: Irving Carrion [mailto:[EMAIL PROTECTED]
Sent: Monday, March 31, 2003 6:30 AM
To: 'Paul Reilly'
Cc: [EMAIL PROTECTED]
Subject: RE: Samba 2.2.8 - Snap Server Support


Currently the snap has a hard time reading Samba's domain users / groups
correctly.  The patch (I did not write the code) simply fixes this
problem.  It works fine on W2k servers, but I think it runs on a windows
appliance operating system.  Not sure though.

-Original Message-
From: Paul Reilly [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 31, 2003 9:26 AM
To: Irving Carrion
Subject: RE: Samba 2.2.8 - Snap Server Support


 These are prebuilt NAS (network attached storage) servers with html
gui
 interfaces to configure.  For more info go to
 http://www.snapappliance.com/.

I see...

But does samba not work with these already?
What does your code do ?
Paul



RE: Samba 2.2.8 - Snap Server Support

2003-03-31 Thread Marc Kaplan
Ok, so the patch was to a Samba PDC, now this all makes more sense to me :).

This is not something that our organization has ever tracked, but I'm glad
the Samba community could help you in providing a fix to the PDC. Since
we've never tracked it (The Tech was right, it is not officially supported),
I cannot tell you whether the patch will still apply against 2.2.8 -- but I
would guess so since it was written for 2.2.3 and it works for 2.2.6. 

-Marc

-Original Message-
From: Irving Carrion [mailto:[EMAIL PROTECTED]
Sent: Monday, March 31, 2003 10:14 AM
To: 'Marc Kaplan'; 'Paul Reilly'
Cc: [EMAIL PROTECTED]
Subject: RE: Samba 2.2.8 - Snap Server Support


Thanks for your response!  

The patch that I applied was applied to the Samba Server not the Snap.
It was a patch given to me by someone on this list (I'll have to look
for his name to give him proper credit).  It was written for Samba
Version 2.2.3 but it is working for me in version 2.2.6.  We have 2 snap
servers that don't work correctly (although worked fine with w2k server
and Samba 3.0).  They are:

Snap Server 2000 20gig mirror

Dell Power Vault 705N (I understand they resell snap) 80 gig mirror

Without the patch, both tend to not read users/groups with Samba 2.2.x
PDC's.

I don't know what operating systems the snaps have.  

Also, after speaking to Quantum support, they don't support anything
other than W2k PDC's.  The tech I spoke with didn't even know what Samba
was.

The patch is working great, I just wanted to make sure of SNAP
compatibility with 2.2.8 before upgrading.  If not, I may just have to
compile from source again.

Thanks!  

P.S. I can provide you with the patch if you need it.

-Original Message-
From: Marc Kaplan [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 31, 2003 12:46 PM
To: 'Irving Carrion'; 'Paul Reilly'
Cc: [EMAIL PROTECTED]
Subject: RE: Samba 2.2.8 - Snap Server Support

Irving,

Applying patches to your Snap Server is probably not a good idea, and
usually impossible since the box doesn't have a compiler or the smbd
source
we use. If you're putting in a patched binary, that also may have
unintended
effects. I just don't want you to get your box in an unsupported state
(since we do have free tech support for our customers).

Please let me know the: 
1) SnapServer model you have 
2) The OS it's running
3) Where the patch came from 
4) How you applied it

Maybe you can also explain to me the problems that you were having. Is
it
using the Snap against a Samba PDC? If so, is the Samba PDC the place
where
you applied the patch? 

Also, the SnapServer is either BSD or Linux based, depending on the
model.

-Marc


--
Marc Kaplan
Software Quality Assurance Engineer
SnapAppliance - Network Attached Storage Division 
408-879-8769

-Original Message-
From: Irving Carrion [mailto:[EMAIL PROTECTED]
Sent: Monday, March 31, 2003 6:30 AM
To: 'Paul Reilly'
Cc: [EMAIL PROTECTED]
Subject: RE: Samba 2.2.8 - Snap Server Support


Currently the snap has a hard time reading Samba's domain users / groups
correctly.  The patch (I did not write the code) simply fixes this
problem.  It works fine on W2k servers, but I think it runs on a windows
appliance operating system.  Not sure though.

-Original Message-
From: Paul Reilly [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 31, 2003 9:26 AM
To: Irving Carrion
Subject: RE: Samba 2.2.8 - Snap Server Support


 These are prebuilt NAS (network attached storage) servers with html
gui
 interfaces to configure.  For more info go to
 http://www.snapappliance.com/.

I see...

But does samba not work with these already?
What does your code do ?
Paul


Request - security patch for 2.0.6

2003-03-31 Thread dowlime
Is there a plan for a patch for 2.0.6 to address the security bug announced 3/14/03?
If not, I am requesting such a patch, as upgrading to 2.2.8 will cause difficulty in 
our environment.
(the Take Ownership overloading no longer works in 2.2.8, so empty ACE's don't show 
up in the permission dialog in NT)

The release notes for 2.2.8 say "As this is a security issue, patches for this flaw 
specific to earlier versions of Samba will be posted on the [EMAIL PROTECTED]
mailing list as requested."




FW: encrypt passwords=no, security=yes, samba 2.2.8, W2K user aut h fails

2003-03-31 Thread MCCALL,DON (HP-USA,ex1)

Sorry, forgot to cc the list...
Jerry, you made some comments around the code I modified, maybe you
could take a look at this and comment??
Don
-Original Message-
From: MCCALL,DON (HP-USA,ex1) 
Sent: Monday, March 31, 2003 16:30
To: 'tony shepherd'; MCCALL,DON (HP-USA,ex1);
'[EMAIL PROTECTED]'
Subject: RE: encrypt passwords=no, security=yes, samba 2.2.8, W2K user
aut h fails


Hi Tony,
Problem appears to be a result of your having 
null passwords = no
map to guest = bad user
AND 
encrypt passwords = no


What appears to be happening is that reply.c only checks the smbpasswd file
to see if you have a 'bad user', and with encrypt passwords = NO, you won't
have an smbpasswd file, and it never goes to check the /etc/passwd or nis
store, etc, for this map to guest=bad user case.
Since it's ALREADY failed password_ok, what it's doing at this time is
trying to decide if it has the 'bad password' or the 'bad user' case, since
the return from password_ok doesn't differentiate.  Since it never finds the
username in smbpasswd (since that doesn't exist), it assumes that the
problem is NOT a bad password, but a bad USER, and goes off to try to use
guest.
in your log file, this actually works, your sessionsetupx succeeds, but you
are mapped to the guest user. ( Registered username ts74081 for guest
access)  Later on, the actual share (home share for ts7481 I am assuming)
tconX fails because the guest account has a null password, and you didn't
specify guest ok for homes.
For reasons completely unknown to me, win2k is NOT ever sending the password
you type in UNTIL
you try a different user, which generates an SMBulogoff() request, so the
next negotprot,sesssetupX sequence starts, and THEN the win2k client sends
the appropriate password,
and you get authenticated appropriately (instead of being mapped to
guest...)
My guess is that the original attempt to connect to the share used your
current username with a null password, which set up the vc, and from then
on, all the sessionsetups are on that vc, no more negot.prot's are made,
until an SMBulogoff is done.  Since win2k was successful in its initial
attempt at sessionsetupX with a null password (because you got mapped to
guest as a bad user), it won't send a real password, even though it's ASKING
FOR ONE, until you force an SMBulogoff, and a complete resetup of the vc,
etc... (which is what using another username does)
Win2k REALLY doesn't like using cleartext passwords, apparently (grin).

I can make this problem go away by changing reply.c so that it checks the
/etc/passwd/nis store for a user instead of smbpasswd when encrypted
passwords = no; my diffs are listed below if you want to try it.

I'm copying the samba_technical list in hopes that someone smarter than I
(practically everyone) will know more about what's going on and do an
appropriate fix for this.  This diff is on a 2.2.8 code base.

# diff reply.c reply.original.c
1028c1028
 if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER 
lp_encrypted_pass
words())
---
 if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER)
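Review bot: at 1028 the added `lp_encrypted_passwords()` term switches the existing bad-user test off whenever cleartext passwords are in use, and the cleartext case is then handled by a separate block added 26 lines further down at 1054. With the two halves that far apart, a later change can easily update one and miss the other; a single if/else on `lp_encrypted_passwords()` at this spot, choosing between the smbpasswd lookup and the system account lookup, would keep the bad-user decision in one place.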
1054,1062d1053
 /* add mccall */
 if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER 
!lp_encrypted_pas
swords()  sys_getpwnam(user))
 {
 /*  delete_nt_token(ptok); */
   DEBUG(1,(Rejecting user '%s': authentication failed\n, user));
 END_PROFILE(SMBsesssetupX);
   return ERROR_BOTH(NT_STATUS_LOGON_FAILURE,ERRSRV,ERRbadpw);
 }
 /* end add mccall */
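Review bot: `sys_getpwnam(user)` in the added condition looks the name up exactly as the client sent it, so a name that differs only in case from the passwd entry is not found, the rejection is skipped, and the request falls through to what the message describes as the guest mapping. Use the same account lookup the rest of session setup uses for Unix users, or normalise `user` before the call, and say in the comment which was chosen.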
 -Original Message-
 From: tony shepherd [mailto:[EMAIL PROTECTED]
 Sent: Sunday, March 30, 2003 22:49
 To: MCCALL,DON (HP-USA,ex1)
 Cc: tony.shepherd
 Subject: RE: encrypt passwords=no, security=yes, samba 2.2.8, W2K user
 aut h fails
 
 
 
 
 Hi Don
 
 attached are the files requested.  Thanks for looking at this for me. 
 Solaris must be tweaking something that is not showing up 
 under other OS's.
 
 
 
 tony
 
 --On Friday, March 28, 2003 06:13:14 AM -0800 MCCALL,DON 
 (HP-USA,ex1) 
 [EMAIL PROTECTED] wrote:
 
  Hi Tony,
  Can't make it happen here on my HP-UX system, and I don't 
 have a Solaris
  system to test on.  But if you want to get me a log level 
 10 debug of
  the issue, and the output of testparm, I'll see if I can 
 spot anything.
  Send the log and testparm off list, and compressed, ok?
 
  Don
 
  -Original Message-
  From: tony shepherd [mailto:[EMAIL PROTECTED]
  Sent: Thursday, March 27, 2003 23:31
  To: MCCALL,DON (HP-USA,ex1); [EMAIL PROTECTED]
  Subject: RE: encrypt passwords=no, security=yes, samba 
 2.2.8, W2K user
  aut h fails
 
 
 
 
  --On Thursday, March 27, 2003 10:06:08 AM -0500 MCCALL,DON
  (HP-USA,ex1)
  [EMAIL PROTECTED] wrote:
 
   Hi tony,
   based on your log file, it sure does APPEAR that you have
  NOT turned off
   encrypted passwords,
   as samba is trying to open
  /usr/local/samba/private/smbpasswd.  It should
   only do that if it negotiated encrypted passwords in the
  negot prot call,
   which it should 
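
The combination named at the top of Don's analysis (map to guest = bad user together with encrypt passwords = no) can be found by inspecting smb.conf before it causes a silent guest login. This is an added example, not Samba code or anything posted in the thread: the function names are hypothetical, the sample configuration is constructed, and the defaults used for unset parameters (map to guest = never, encrypt passwords = no) are assumptions about Samba 2.2.

```python
# Added example, not Samba code: flag the smb.conf combination analysed above.

# Values this example treats as boolean true.
TRUE_WORDS = {"yes", "true", "1"}
# Assumed Samba 2.2 defaults for parameters that are not set.
DEFAULTS = {"maptoguest": "never", "encryptpasswords": "no"}

# Constructed sample configuration using the settings from the message.
RISKY_CONF = """\
[global]
   security = user
   Encrypt Passwords = no
   map to guest = Bad User
   null passwords = no
; home directories are not guest accessible
[homes]
   read only = no
[scratch]
   path = /tmp/scratch
   guest ok = yes
"""

def normalise_name(name):
    """smb.conf parameter names ignore case and embedded whitespace."""
    return "".join(name.lower().split())

def parse_smb_conf(text):
    """Return {section: {normalised parameter: value}} with lowercased section names."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):              # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
            continue
        if "=" in line and current is not None:
            name, value = line.split("=", 1)
            current[normalise_name(name)] = " ".join(value.split())
    return sections

def is_true(value):
    return value.lower() in TRUE_WORDS

def audit(text):
    """Report whether failed cleartext logins can be downgraded to guest.

    guest_downgrade: map to guest is 'bad user' while passwords are cleartext,
                     the case where, per the analysis above, a failed login
                     for a real Unix account is treated as an unknown user.
    exposed_shares:  shares a downgraded session could then open as guest.
    """
    sections = parse_smb_conf(text)
    settings = dict(DEFAULTS)
    settings.update(sections.get("global", {}))
    downgrade = (settings["maptoguest"].lower() == "bad user"
                 and not is_true(settings["encryptpasswords"]))
    exposed = []
    if downgrade:
        for name, params in sections.items():
            if name == "global":
                continue
            # 'public' is a synonym for 'guest ok'
            if is_true(params.get("guestok", params.get("public", "no"))):
                exposed.append(name)
    return {"guest_downgrade": downgrade, "exposed_shares": sorted(exposed)}

if __name__ == "__main__":
    print(audit(RISKY_CONF))
```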

Samba performance

2003-03-31 Thread Ravi Wijayaratne
Samba Performance testing 
==

1.0 Architecture:
- 
Server:
CPU: Intel(R) Pentium(R) III CPU family  1266MHz
Memory: 1GB
Kernel: Linux 2.4.18
File System: xfs-1.1
Samba version: 3.0-alpha19
Network: 1 GB point to point

Client: 
1/2 GB memory and 1.6 GHZ Pentium  

1.1 Introduction:
-

We have been trying to measure samba performance. The
following are our observations.

1.2 Is it samba ?
-
We wanted to find out for sure whether samba was the
bottleneck.
So we did the following experiment. 

1. dbench (to measure disk TP)
2. tbench (to measure TCP/IP TP)
3. dbench+tbench: 
   In this experiment we wanted to find out whether system, not
   samba was the limitation. For each number of clients dbench and
   tbench was started simultaneously. 
4. nbench with clients_oplocks.txt trace (to measure samba TP)
The results are as follows

Num      dbench   tbench   dbench    tbench    min(1,2)  nbench
clients  alone    alone    (simul    (simul
                           tbench)   dbench)
                           (1)       (2)
1        77.152   20.915   77.1373   19.7312   19.7312   11.5006
4        106.174  40.6007  71.2576   33.9155   33.9155   19.3349
8        93.378   56.4977  63.2581   43.745    43.745    19.8468
12       81.908   60.8616  59.0883   43.675    43.675    19.2888
16       56.834   63.6999  52.1449   41.5259   41.5259   19.3474
20       63.398   64.9676  50.9493   41.776    41.776    19.1162
24       61.818   66.6186  50.223    41.8949   41.8949   18.9119
28       55.442   67.3411  49.1058   41.5549   41.5549   19.0702
32       54.318   69.2981  47.8511   41.9139   41.9139   18.8018
36       54.986   70.1524  45.6686   41.3715   41.3715   18.3617
40       46.994   70.8444  45.2621   41.459    41.459    18.2381
44       41.702   69.8389  42.6287   41.0206   41.0206   18.1785
48       45.988   69.8389  40.4743   40.3336   40.3336   18.1683

The nbench experiment measures samba performance with the same work load
trace used for other experiments. As can be seen nbench TP is much smaller
than minimum of (1) and (2) which implies that samba is the performance
bottleneck. (The disk configuration for the above experiment was a 11 drive
RAID 5 with LVM)

1.3 Where in Samba and what is the limitation ?:


We observe that our system is severely CPU limited. Here is the summary of
top -d 1 trace of CPU usage during the period 16 nbench clients were active.
(2 drive RAID 0 + LVM)

        User         System       Total
Mean    34.60447761  64.14477612  98.74925373
Median  35.2         63.7         99.9
Stdev   0.070189292  0.076303659  0.06342686

So it seems that more CPU time is spent in the system. Is this compatible
with what we saw in earlier Samba versions ? 

Then we used the Samba built-in profiling facility to get some information
about performance intensive code paths. We discovered that the time spent on
stat calls was excessive. The time was more than the time spent on read or
write calls!

Here are the time consuming system calls
Name              num calls  time(us)   Min(us)  Max(us)
----------------  ---------  ---------  -------  -------
syscall_opendir   189841     36913656   0        396806
syscall_readdir   2329741    40225042   0        312880
syscall_open      194256     150164226  0        1245872
syscall_close     133504     41983747   0        475361
syscall_read      320496     88093084   0        350440
syscall_write     149776     90665926   0        382059
syscall_stat      1335959    145079345  0        336839
syscall_unlink    33520      101113573  0        1132776

Here are the time consuming Trans2 calls

Trans2_findfirst  57184      201725472  0        430785
Trans2_qpathinfo  147536     255836025  0        412576

and the time consuming SMB calls

SMBntcreateX      175984     95263531   0        346844
SMBdskattr        27344      63275572   0        351798
SMBreadX          320496     90593419   0        350444
SMBwriteX         149776     92584721   0        382067
SMBunlink         33520      101522665  0        1132787
SMBclose          133696     66140491   0        475414

and cache statistics are


 Statcache
***
lookups:                        398768
misses:                         41
hits:                           398727
 Writecache
**
read_hits:                      0
abutted_writes:                 0
total_writes:                   149776
non_oplock_writes:              149776
direct_writes:                  149776
init_writes:                    0
flushed_writes[SEEK]:           0
flushed_writes[READ]:           0
flushed_writes[WRITE]:          0
flushed_writes[READRAW]:        0
flushed_writes[OPLOCK_RELEASE]: 0
flushed_writes[CLOSE]:          0
flushed_writes[SYNC]:           0
flushed_writes[SIZECHANGE]:     0
num_perfect_writes:             0
num_write_caches:               0
allocated_write_caches:         0

For the above experiment 16 

Re: Samba performance

2003-03-31 Thread jra
Please resend with a mailer that doesn't wrap at 80 columns :-).

Jeremy.


Re: Samba performance

2003-03-31 Thread Christopher R. Hertel
On Mon, Mar 31, 2003 at 10:41:25PM +, [EMAIL PROTECTED] wrote:
 Please resend with a mailer that doesn't wrap at 80 columns :-).
 
 Jeremy.

Looks more like 55 c

-- 
Samba Team -- http://www.samba.org/ -)-   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)-   [EMAIL PROTECTED]
OnLineBook -- http://ubiqx.org/cifs/-)-   [EMAIL PROTECTED]


Re: Samba performance

2003-03-31 Thread Christopher R. Hertel
On Mon, Mar 31, 2003 at 10:41:25PM +, [EMAIL PROTECTED] wrote:
 Please resend with a mailer that doesn't wrap at 80 columns :-).
 
 Jeremy.

Looks more like 60 columns.

-- 
Samba Team -- http://www.samba.org/ -)-   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)-   [EMAIL PROTECTED]
OnLineBook -- http://ubiqx.org/cifs/-)-   [EMAIL PROTECTED]


RE: encrypt passwords=no, security=yes, samba 2.2.8,W2K user aut h fails

2003-03-31 Thread tony shepherd


How do bug fixes work?  Do they go through some sort of review?  Who 
decides whether they get put into the next release?

As Sun is now distributing Samba as part of the OS (started in Solaris 9), 
we are tracking this issue as bugID: #4839885.

tony

--On Monday, March 31, 2003 04:29:57 PM -0500 MCCALL,DON (HP-USA,ex1) 
[EMAIL PROTECTED] wrote:

From: MCCALL,DON (HP-USA,ex1) [EMAIL PROTECTED]
To: 'tony shepherd' [EMAIL PROTECTED],
 MCCALL,DON (HP-USA,ex1) [EMAIL PROTECTED],
'[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: RE: encrypt passwords=no, security=yes, samba 2.2.8, W2K user
aut h fails Date-Sent: Tuesday, April 01, 2003 07:29:57 AM
Hi Tony,
Problem appears to be a result of your having
null passwords = no
map to guest = bad user
AND
encrypt passwords = no
What appears to be happening is that reply.c only checks the smbpasswd
file to see if you have a 'bad user', and with encrypt passwords = NO,
you won't have an smbpasswd file, and it never goes to check the
/etc/passwd or nis store, etc, for this map to guest=bad user case.
Since it's ALREADY failed password_ok, what it's doing at this time is
trying to decide if it has the 'bad password' or the 'bad user' case,
since the return from password_ok doesn't differentiate.  Since it never
finds the username in smbpasswd (since that doesn't exist), it assumes
that the problem is NOT a bad password, but a bad USER, and goes off to
try to use guest.
in your log file, this actually works, your sessionsetupx succeeds, but
you are mapped to the guest user. ( Registered username ts74081 for guest
access)  Later on, the actual share (home share for ts7481 I am assuming)
tconX fails because the guest account has a null password, and you didn't
specify guest ok for homes.
For reasons completely unknown to me, win2k is NOT ever sending the
password you type in UNTIL
you try a different user, which generates an SMBulogoff() request, so the
next negotprot,sesssetupX sequence starts, and THEN the win2k client sends
the appropriate password,
and you get authenticated appropriately (instead of being mapped to
guest...)
My guess is that the original attempt to connect to the share used your
current username with a null password, which set up the vc, and from then
on, all the sessionsetups are on that vc, no more negot.prot's are made,
until an SMBulogoff is done.  Since win2k was successful in its initial
attempt at sessionsetupX with a null password (because you got mapped to
guest as a bad user), it won't send a real password, even though it's
ASKING FOR ONE, until you force an SMBulogoff, and a complete resetup of
the vc, etc... (which is what using another username does)
Win2k REALLY doesn't like using cleartext passwords, apparently (grin).
I can make this problem go away by changing reply.c so that it checks the
/etc/passwd/nis store for a user instead of smbpasswd when encrypted
passwords = no; my diffs are listed below if you want to try it.
I'm copying the samba_technical list in hopes that someone smarter than I
(practically everyone) will know more about what's going on and do an
appropriate fix for this.  This diff is on a 2.2.8 code base.
# diff reply.c reply.original.c
1028c1028
 if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER 
lp_encrypted_pass
words())
---
if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER)
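Review bot: the changed condition at line 1028 reaches the list with no operator between the MAP_TO_GUEST_ON_BAD_USER test and the lp_encrypted_passwords() call, and the function name itself is split across two lines by mail wrapping, so the hunk can be neither applied nor read unambiguously; please resend it unwrapped or as an attachment. The diff was also produced as "diff reply.c reply.original.c", which puts the modified file on the left-hand side, the reverse of what patch expects; "diff -u reply.original.c reply.c" would give the usual direction plus context lines.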
1054,1062d1053
 /* add mccall */
 if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER 
!lp_encrypted_pas
swords()  sys_getpwnam(user))
 {
 /*  delete_nt_token(ptok); */
   DEBUG(1,(Rejecting user '%s': authentication failed\n,
user));  END_PROFILE(SMBsesssetupX);
   return ERROR_BOTH(NT_STATUS_LOGON_FAILURE,ERRSRV,ERRbadpw);
 }
 /* end add mccall */
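Review bot: in the block added at 1054-1062, the call to delete_nt_token(ptok) just before the early return is commented out with no explanation; if a token has already been built at this point the return leaks it, and if not the dead line should be removed. The three conditions in the if have also lost their operators in the mail, DEBUG and END_PROFILE ended up on one line, and a short comment saying why a name that sys_getpwnam(user) resolves is rejected as a bad password when encrypt passwords = no would be more useful than the "add mccall" markers.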
-Original Message-
From: tony shepherd [mailto:[EMAIL PROTECTED]
Sent: Sunday, March 30, 2003 22:49
To: MCCALL,DON (HP-USA,ex1)
Cc: tony.shepherd
Subject: RE: encrypt passwords=no, security=yes, samba 2.2.8, W2K user
aut h fails


Hi Don

attached are the files requested.  Thanks for looking at this for me.
Solaris must be tweaking something that is not showing up
under other OS's.


tony

--On Friday, March 28, 2003 06:13:14 AM -0800 MCCALL,DON
(HP-USA,ex1)
[EMAIL PROTECTED] wrote:
 Hi Tony,
 Can't make it happen here on my HP-UX system, and I don't
have a Solaris
 system to test on.  But if you want to get me a log level
10 debug of
 the issue, and the output of testparm, I'll see if I can
spot anything.
 Send the log and testparm off list, and compressed, ok?

 Don

 -Original Message-
 From: tony shepherd [mailto:[EMAIL PROTECTED]
 Sent: Thursday, March 27, 2003 23:31
 To: MCCALL,DON (HP-USA,ex1); [EMAIL PROTECTED]
 Subject: RE: encrypt passwords=no, security=yes, samba
2.2.8, W2K user
 aut h fails




 --On Thursday, March 27, 2003 10:06:08 AM -0500 MCCALL,DON
 (HP-USA,ex1)
 [EMAIL PROTECTED] wrote:

  Hi tony,
  based on your log file, it sure does APPEAR that you have
 NOT turned 

Re: Samba performance

2003-03-31 Thread Ravi Wijayaratne
Jeremy,

I apologise for the format hassle. Hope this works.

Cheers
Ravi
 Please resend with a mailer that doesn't wrap at 80 columns :-).
 
 Jeremy.

Samba Performance testing
=========================

1.0 Architecture:
-----------------
Server:
CPU: Intel(R) Pentium(R) III CPU family  1266MHz
Memory: 1GB
Kernel: Linux 2.4.18
File System: xfs-1.1
Samba version: 3.0-alpha19
Network: 1 GB point to point

Client: 
1/2 GB memory and 1.6 GHZ Pentium  

1.1 Introduction:
-----------------

We have been trying to measure samba performance. The following are our
observations.

1.2 Is it samba ?
-----------------
We wanted to find out for sure whether samba was the bottleneck.
So we did the following experiment.

1. dbench (to measure disk TP)
2. tbench (to measure TCP/IP TP)
3. dbench+tbench:
   In this experiment we wanted to find out whether system, not samba
   was the limitation. For each number of clients dbench and tbench was
   started simultaneously.
4. nbench with clients_oplocks.txt trace (to measure samba TP)

The results are as follows

Num    dbench    tbench    dbench    tbench    min(1,2)  nbench
clis   alone     alone     (simul    (simul
                           tbench)   dbench)
                           (1)       (2)
1      77.152    20.915    77.1373   19.7312   19.7312   11.5006
4      106.174   40.6007   71.2576   33.9155   33.9155   19.3349
8      93.378    56.4977   63.2581   43.745    43.745    19.8468
12     81.908    60.8616   59.0883   43.675    43.675    19.2888
16     56.834    63.6999   52.1449   41.525    41.525    19.3474
20     63.398    64.967    50.9493   41.776    41.776    19.1162
24     61.818    66.6186   50.223    41.8949   41.8949   18.9119
28     55.442    67.3411   49.1058   41.5549   41.5549   19.0702
32     54.318    69.2981   47.8511   41.9139   41.9139   18.8018
36     54.986    70.1524   45.6686   41.3715   41.3715   18.3617
40     46.994    70.8444   45.2621   41.459    41.459    18.2381
44     41.702    69.8389   42.6287   41.0206   41.0206   18.1785
48     45.988    69.8389   40.4743   40.3336   40.3336   18.1683

The nbench experiment measures samba performance with the same work load
trace used for other experiments. As can be seen nbench TP is much smaller
than minimum of (1) and (2) which implies that samba is the performance
bottleneck. (The disk configuration for the above experiment was a 11 drive
RAID 5 with LVM)

1.3 Where in Samba and what is the limitation ?:
------------------------------------------------

We observe that our system is severely CPU limited. Here is the summary
of top -d 1 trace of CPU usage during the period 16 nbench clients were
active. (2 drive RAID 0 + LVM)

        User         System       Total
Mean    34.60447761  64.14477612  98.74925373
Median  35.2         63.7         99.9
Stdev   0.070189292  0.076303659  0.06342686

So it seems that more CPU time is spent in the system.
Is this compatible with what we saw in earlier Samba versions ?

Then we used the Samba built-in profiling facility to get some information
about performance intensive code paths. We discovered that the time spent
on stat calls was excessive. The time was more than the time spent on read
or write calls!

Here are the time consuming system calls

Name              num calls  time(us)   Min(us)  Max(us)
----------------  ---------  ---------  -------  -------
syscall_opendir   189841     36913656   0        396806
syscall_readdir   2329741    40225042   0        312880
syscall_open      194256     150164226  0        1245872
syscall_close     133504     41983747   0        475361
syscall_read      320496     88093084   0        350440
syscall_write     149776     90665926   0        382059
syscall_stat      1335959    145079345  0        336839
syscall_unlink    33520      101113573  0        1132776

Here are the time consuming Trans2 calls

Trans2_findfirst  57184      201725472  0        430785
Trans2_qpathinfo  147536     255836025  0        412576

and the time consuming SMB calls

SMBntcreateX      175984     95263531   0        346844
SMBdskattr        27344      63275572   0        351798
SMBreadX          320496     90593419   0        350444
SMBwriteX         149776     92584721   0        382067
SMBunlink         33520      101522665  0        1132787
SMBclose          133696     66140491   0        475414

and cache statistics are


Statcache
*********
lookups:                        398768
misses:                         41
hits:                           398727

Writecache
**********
read_hits:                      0
abutted_writes:                 0
total_writes:                   149776
non_oplock_writes:              149776
direct_writes:                  149776
init_writes:                    0
flushed_writes[SEEK]:           0
flushed_writes[READ]:           0
flushed_writes[WRITE]:          0
flushed_writes[READRAW]:        0
flushed_writes[OPLOCK_RELEASE]: 0
flushed_writes[CLOSE]:

only the first wins server works?

2003-03-31 Thread Chere Zhou
If I have 2 wins server set in smb.conf like the following:
wins server = 172.16.0.61, 172.16.10.8

I can verify that only the first works, the second does not, because the 2 
wins servers have different contents in them, one for some domains and the 
other for some other domains.  I have trusted domains in both of the wins 
servers.  The domains are w2k domains, so the trust works through DNS, but I 
joined samba 3.0 as an NT4 server.

So my question is, is this by design of how WINS is supposed to work, or 
otherwise a problem in samba?  I am using cvs HEAD code of Mar. 19th.

Chere


Re: When the keep-alive packet sent out,rfc1002 says different things!!

2003-03-31 Thread Aladdin_Cai
Thank you all.
For case 1, there will be a lot of echo overhead. And I have no way to know the server
timeout when I am in the client, so I can't determine when to send the echo packet.

For case 2, I have thought it over. Suppose there is such a situation:
when I WriteRaw data to the server, the server will send me a WriteRaw OK
response. And at almost the same time, a keep-alive is sent. Now I take the stuff out from
the socket buffer, which is a mixture of the WriteRaw OK and keep-alive packets. And it is
worse when it happens during the ReadRaw; as you know, the data in the ReadRaw has no
protocol header, when a keep-alive packet is inserted into the stream, or if the raw
data might also be something like {0x85 0 0 0}, simply discarding will do the wrong
thing. (Although the possibility is very low.)


--
From: Christopher R. Hertel [mailto:[EMAIL PROTECTED]
Sent: 200341 2:07
To: Andrew Bartlett
Cc: Aladdin Cai; [EMAIL PROTECTED]
Subject: Re: When the keep-alive packet sent out,rfc1002 says different things!!


On Mon, Mar 31, 2003 at 08:07:16PM +1000, Andrew Bartlett wrote:
 On Mon, 2003-03-31 at 19:42, [EMAIL PROTECTED] wrote:
  Hello everyone, When I am programming a samba client in freeDOS,using
  wattcp, I found a strange thing, which is not the same as rfc1002 claims.
  In rfc 1002,see below:
 
  So,during I write data or read data to server, it seems that server will 
  not send me any keep-alive packet because he will reset the timer.But
  in fact,during I raw write a very large piece data to server(not
  matter windows or linux),it will send me a keep-alive
  occasionally,leading my defendless code crash.
  I REALLY don't understand why they don't obey the rules, or do I 
  mistake rfc1002?
   
  Urgently hope for your kindly help,thank you
 
 See www.ubiqx.org/cifs for a description of this horrid protocol...
 
 Also, make sure you understand - the standard is what Microsoft does,
 not what what any RFC says.

Also note that you may have trouble with ReadRaw and WriteRaw.  Microsoft
published documentation regarding these SMBs a long time ago and never
suggested that there might be licensing issues.  Just about a year ago,
however, they coughed up some patents which may or may not apply to
implementations of ReadRaw and WriteRaw.  See:  
http://us3.samba.org/samba/ms_license.html

That said, the problem you are experiencing, if I understand correctly, is 
that the server is sending keep-alives during a WriteRaw from your client 
because the server-side keep-alive timer is not reset.
Two solutions:
1) Send an SMB ECHO just before doing the WriteRaw.  That will reset the
   timer.
2) Handle the keep-alive.

For case #2, the keep-alive will contain the bytes { 0x85, 0, 0, 0 } and 
that's it.  You should be able to recognize those and simply discard them.

Chris -)-

-- 
Samba Team -- http://www.samba.org/ -)-   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)-   [EMAIL PROTECTED]
OnLineBook -- http://ubiqx.org/cifs/-)-   [EMAIL PROTECTED]
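
Added example (not part of the original thread, and not Samba code): one way to handle case #2 is to walk the RFC 1002 session-service framing, so that { 0x85, 0, 0, 0 } is discarded only when it sits where a frame header is expected. It assumes every transfer, raw-mode data included, arrives inside a session-message frame; the function, constant and sample names are made up for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define NBT_HDR_LEN   4
#define NBT_MESSAGE   0x00   /* RFC 1002 SESSION MESSAGE */
#define NBT_KEEPALIVE 0x85   /* RFC 1002 SESSION KEEP ALIVE */
enum { NBT_BAD_FRAME = -1, NBT_NEED_MORE = 0, NBT_GOT_MESSAGE = 1 };

/* Walk buf[*pos..len): drop keep-alives, stop at the first complete session
 * message. Only bytes at a frame boundary are read as a header, so payload
 * bytes that look like 85 00 00 00 are never taken for a keep-alive.
 * Assumption: all data on the connection is framed this way. */
int nbt_next_message(const uint8_t *buf, size_t len, size_t *pos,
                     const uint8_t **payload, size_t *payload_len)
{
    if (*pos > len) return NBT_BAD_FRAME;
    while (len - *pos >= NBT_HDR_LEN) {
        const uint8_t *h = buf + *pos;
        /* 17-bit length: low bit of the flags byte, then two length bytes */
        size_t body = ((size_t)(h[1] & 1) << 16) | ((size_t)h[2] << 8) | h[3];
        if (h[0] == NBT_KEEPALIVE) {
            if (h[1] != 0 || body != 0)
                return NBT_BAD_FRAME;      /* a keep-alive carries no data */
            *pos += NBT_HDR_LEN;
            continue;
        }
        if (h[0] != NBT_MESSAGE || (h[1] & 0xFE))
            return NBT_BAD_FRAME;          /* unexpected type mid-session */
        if (len - *pos - NBT_HDR_LEN < body)
            return NBT_NEED_MORE;          /* wait for the rest of the frame */
        *payload = h + NBT_HDR_LEN;
        *payload_len = body;
        *pos += NBT_HDR_LEN + body;
        return NBT_GOT_MESSAGE;
    }
    return NBT_NEED_MORE;                  /* fewer than 4 header bytes left */
}

/* Constructed sample: keep-alive, 6-byte message containing 85 00 00 00,
 * keep-alive, then the first two bytes of a header still in flight. */
static const uint8_t sample[] = { 0x85,0,0,0,  0x00,0,0,6, 0xAA,0x85,0,0,0,0xBB,
                                  0x85,0,0,0,  0x00,0 };

int main(void)
{
    size_t pos = 0, n = 0;
    const uint8_t *p = NULL;
    while (nbt_next_message(sample, sizeof sample, &pos, &p, &n) == NBT_GOT_MESSAGE)
        printf("message of %lu bytes\n", (unsigned long)n);
    return 0;
}
```

On NBT_NEED_MORE the caller keeps the unconsumed bytes from *pos onward and calls again after the next read from the socket.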


Re: only the first wins server works?

2003-03-31 Thread Christopher R. Hertel
On Mon, Mar 31, 2003 at 04:04:30PM -0800, Chere Zhou wrote:
 If I have 2 wins server set in smb.conf like the following:
 wins server = 172.16.0.61, 172.16.10.8
 
 I can verify that only the first works, the second does not, because the 2 
 wins servers have different contents in them, one for some domains and the 
 other for some other domains.  I have trusted domains in both of the wins 
 servers.  The domains are w2k domains, so the trust works through DNS, but I 
 joined samba 3.0 as an NT4 server.
 
 So my question is, is this by design of how WINS suppose to work, or 
 otherwise a problem in samba?  I am using cvs HEAD code of Mar. 19th.

WINS is badly designed.  The original NBNS design was better.  Samba has 
to be compatible with WINS, though, so we're stuck with Microsoft's 
design.

That said...  The 'wins server' parameter handles *two* different new
features.  The first is WINS failover, and the second is multi-namespace.

WINS failover (which is what your line above is using) allows Samba to try 
a second WINS server if the first WINS server fails.  So, the way you have 
things written, if 172.16.0.61 gets crushed by a falling asteroid, Samba 
will use 172.16.0.8.  That only works if the two WINS servers are 
synchronized.  Otherwise, they will have separate (and incompatible) 
namespaces.

The other new feature is multi-namespace.  If you use a colon (:) to 
separate the IP addresses, the second WINS server will be used if the 
first could not resolve the NetBIOS name to an address.

Note that it is dangerous to have a single node using multiple namespaces.  
NBT was not designed to work that way, and conflicts can occur.

Chris -)-

-- 
Samba Team -- http://www.samba.org/ -)-   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)-   [EMAIL PROTECTED]
OnLineBook -- http://ubiqx.org/cifs/-)-   [EMAIL PROTECTED]


Samba 3.0 HEAD - Print share problem.

2003-03-31 Thread Bogdan Iamandei
	Hi all,

	I'm trying to get the latest CVS version running on solaris 8, and it 
seems that it has some problems with the print shares.

Namely - when I try to connect via smbclient to a shared printer, it
passes the auth phase only to come up with an error message like:
tree connect failed: NT_STATUS_BAD_DEVICE_TYPE

Worse, it appears that W2K/WXP clients are getting either blue-screens
because of it, or they simply reboot as soon as the user tries to
add a printer shared on this server.
I was running 3.0 alpha 18 - without a problem, so there's something
fishy with this HEAD version.
Any idea of what might cause this thing? If you need more
info, I can send the debug logs/configs/whatever, just ask.
Cheers,
Ino!~
--
I have seen things you people wouldn't believe.  Attack ships on fire
off the shoulder of Orion.  I watched C-beams glitter in the dark
near the Tannhauser Gate.  All those moments will be lost in time,
like tears in rain.  Time to die.


RE: (fwd) amigasamba?

2003-03-31 Thread Ulf Bertilsson
 CL!
 
 On Thu, 2003-03-13 at 23:08, Ulf Bertilsson wrote:
  I look into this in a few days.
  
  Use www.birrabrothers.com/tiger/data/samba as mirror
  
  I'm on vacation and don't have the info here.

Yes, now everything is fine.

--
Uber
Amiga rulez ;D


RE: How to verify the domain secret is good or bad?

2003-03-31 Thread MCCALL,DON (HP-USA,ex1)
By default machine account passwords are changed every 7 days in MS world.
You can change this via the machine password timeout smb.conf parameter.
Hope this helps,
Don

 -Original Message-
 From: Joey Collins [mailto:[EMAIL PROTECTED]
 Sent: Sunday, March 30, 2003 20:10
 To: Gerald (Jerry) Carter
 Cc: Chere Zhou; [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: Re: How to verify the domain secret is good or bad?
 
 
 
 
 Gerald (Jerry) Carter wrote:
  
 
 [snip]
 
   Also, sometimes I saw problems like wbinfo -t just says 
 secret is bad,
   when all the daemons were running.  It sure was good at 
 some point before.
  
  Samba periodially changes the password on the server.  
 secrets.tdb should
  be in sync with this.
 
 Hi,
 
 Why does Samba do this?  Does the secret expire after a certain period
 of time or is this done as a safety precaution?
 
 thanks,
 Joey.
 


Re: Samba 2.2.8 - Snap Server Support

2003-03-31 Thread jra
On Mon, Mar 31, 2003 at 09:30:07AM -0500, Irving Carrion wrote:
 Currently the snap has a hard time reading Samba's domain users / groups
 correctly.  The patch (I did not write the code) simply fixes this
 problem.  It works fine on W2k servers, but I think it runs on a windows
 appliance operating system.  Not sure though.

Yes please, can we look at the patch.

Thanks,

Jeremy.