only the first wins server works?
If I have 2 wins servers set in smb.conf like the following:

    wins server = 172.16.0.61, 172.16.10.8

I can verify that only the first works, the second does not, because the 2 wins servers have different contents in them, one for some domains and the other for some other domains. I have trusted domains in both of the wins servers. The domains are w2k domains, so the trust works through DNS, but I joined samba 3.0 as an NT4 server.

So my question is, is this by design of how WINS is supposed to work, or otherwise a problem in samba? I am using cvs HEAD code of Mar. 19th.

Chere
domain trusts with security=domain does not work for 3.0a21?
Hello,

I verified that when I use security=ads, the domain trusts work. But when I use security=domain and join the w2k domain using net rpc join, I don't see any trusted domain. I checked with wbinfo -m, wbinfo --sequence and finally add ACL entries for a file served by samba.

I see that if I use HEAD, security=domain, doing wbinfo -m gives a list of domains I expected. So my question is, what has been done to fix this? I would like to merge the code back if possible. I can not upgrade to HEAD, because there are too many changes. 3.0a21 works for us, well, mostly.

Thanks in advance!

Chere
[Patch] fix for sids new to winbind always map to a uid
Since the current sid_to_uid does not check for sid type, but sid_to_gid does, and for the purpose of supporting foreign sids, I needed to switch the order of calling sid_to_uid and sid_to_gid in posix_acl.c. If anybody had similar problem as me, this patch should help you. The original problem was posted earlier with the title 3.0a21: add a new group using ACL results in a new user in winbindd idmap. --- smbd/posix_acls.c.orig Wed Mar 19 16:59:53 2003 +++ smbd/posix_acls.c Wed Mar 19 17:00:46 2003 @@ -1003,12 +1003,12 @@ if (nt4_compatible_acls()) psa-flags |= SEC_ACE_FLAG_INHERIT_ONLY; - } else if (sid_to_uid( current_ace-trustee, current_ace-unix_ug.uid, sid_type)) { - current_ace-owner_type = UID_ACE; - current_ace-type = SMB_ACL_USER; } else if (sid_to_gid( current_ace-trustee, current_ace-unix_ug.gid, sid_type)) { current_ace-owner_type = GID_ACE; current_ace-type = SMB_ACL_GROUP; + } else if (sid_to_uid( current_ace-trustee, current_ace-unix_ug.uid, sid_type)) { + current_ace-owner_type = UID_ACE; + current_ace-type = SMB_ACL_USER; } else { fstring str; This patch works better than doing a lookup_sid first, because lookup_sid will fail for foreign sids. Chere
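Review bot: after the swap, the sid_to_uid() arm is still an unchecked catch-all, so any SID that sid_to_gid() turns down, whatever its type, is still handed a uid, and the fix depends entirely on the order of these two else-if arms. Suggest a comment above the sid_to_gid() arm saying the order is deliberate and why (sid_to_gid() checks the SID type, sid_to_uid() does not), so a later cleanup does not swap them back, and consider rejecting the ACE when the SID is neither a group nor a user instead of falling through to a uid.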
how to patch 3.0a21 for the latest security hole?
I am guessing that older versions of 3.0 should have the flaw patched by 2.2.8 too. I can not upgrade to HEAD yet. If my 3.0a21 has the flaw, can someone point me to what files I need to look for a merge?

Thanks,
Chere
Fixed: Re: 3.0a21: add a new group using ACL results in a new user in winbindd idmap
Although nobody replied to me, I still think this applies to HEAD and is a general problem.

The reason behind this problem is that when you add a new group or user not known to winbindd_idmap.tdb through ACL, the code in posix_acl.c does the following (line 1006):

    } else if (sid_to_uid( &current_ace->trustee, &current_ace->unix_ug.uid, &sid_type)) {
        current_ace->owner_type = UID_ACE;
        current_ace->type = SMB_ACL_USER;
    } else if (sid_to_gid( &current_ace->trustee, &current_ace->unix_ug.gid, &sid_type)) {
        current_ace->owner_type = GID_ACE;
        current_ace->type = SMB_ACL_GROUP;
    } else {

which means it tries to map the sid to a uid first; if that fails, it then tries gid. However, since the following code in sid_to_uid() is commented out:

    /* (tridge) I commented out the slab of code below in order to support foreign SIDs
       Do we really need to validate the type of SID we have in this case?
    */
    #if 0
    fstring dom_name, name;
    enum SID_NAME_USE name_type;

    *sidtype = SID_NAME_UNKNOWN;
    /*
     * First we must look up the name and decide if this is a user sid.
     */
    if ( (!winbind_lookup_sid(psid, dom_name, name, &name_type)) || (name_type != SID_NAME_USER) ) {
        BOOL result;
        DEBUG(10,("sid_to_uid: winbind lookup for sid %s failed - trying local.\n",
                  sid_to_string(sid_str, psid) ));
        become_root();
        result = local_sid_to_uid(puid, psid, sidtype);
        unbecome_root();
        return result;
    }

    /*
     * Ensure this is a user sid.
     */
    if (name_type != SID_NAME_USER) {
        DEBUG(10,("sid_to_uid: winbind lookup succeeded but SID is not a uid (%u)\n",
                  (unsigned int)name_type ));
        return False;
    }
    #endif

a new SID will always successfully map to uid.

The fix would be, either uncomment the above code in sid_to_uid(), or in posix_acl.c, because calling sid_to_uid(), call lookup_sid() first to find out the name type (user or group). Are there any other options?

Chere

On Wednesday 05 March 2003 06:57 pm, Chere Zhou wrote:
> I am in an ADS domain. From a Windows client, create a file, add a group to the file using ACLs (new means the group is not in winbindd database yet), the group is mapped as a user in the winbindd_idmap.tdb. The group is not any special type, just a normal group (not local, not universal). Anyone knows about this problem?
>
> Thanks,
> Chere
Re: lookup_sid for a domain local group results in SID_NAME_UNKNOWN
# wbinfo -n localg
S-1-5-21-606747145-117609710-725345543-3244 8

So I guess the type is 8.

Chere

On Wednesday 12 March 2003 05:34 pm, Chere Zhou wrote:
> I am not sure whether it counts or not but my domain is in native mode. I want to know what other people's experiences are with domain local groups.
>
> I have a domain local group called localg. sid_to_gid() fails because the returned name_type is SID_NAME_UNKNOWN. I traced it down using gdb, and the result from winbindd_request(LOOKUPSID) is:
>
>     dom_name = "ZHOU", '\000' <repeats 251 times>,
>     name = "localg", '\000' <repeats 249 times>,
>     type = 8},
>
> From smb.h:
>
>     /* SID Types */
>     enum SID_NAME_USE
>     {
>         SID_NAME_USE_NONE = 0, /* NOTUSED */
>         SID_NAME_USER     = 1, /* user */
>         SID_NAME_DOM_GRP  = 2, /* domain group */
>         SID_NAME_DOMAIN   = 3, /* domain: don't know what this is */
>         SID_NAME_ALIAS    = 4, /* local group */
>         SID_NAME_WKN_GRP  = 5, /* well-known group */
>         SID_NAME_DELETED  = 6, /* deleted account: needed for c2 rating */
>         SID_NAME_INVALID  = 7, /* invalid account */
>         SID_NAME_UNKNOWN  = 8  /* oops. */
>     };
>
> So what is SID_NAME_ALIAS for (comment says local group)? Is it safe to just change the above to the following without any other code change?
>
>     SID_NAME_LOCAL_GRP = 8,
>     SID_NAME_UNKNOWN = 9
>
> Chere
Re: bug or typo in smbd/service.c: make_connection_snum(line 530)?
Thanks for the explanation. That helps.

On Tuesday 11 March 2003 12:52 am, Andrew Bartlett wrote:
> On Tue, 2003-03-11 at 12:16, Chere Zhou wrote:
> > The block reads:
> >
> >     if (conn->force_user || conn->force_group) {
> >         /* groups stuff added by ih */
> >         conn->ngroups = 0;
> >         conn->groups = NULL;
> >
> >         /* Find all the groups this uid is in and store them. Used by change_to_user() */
> >         initialise_groups(conn->user, conn->uid, conn->gid);
> >         get_current_groups(conn->gid, &conn->ngroups,&conn->groups);
> >
> >         conn->nt_user_token = create_nt_token(conn->uid, conn->gid,
> >                                               conn->ngroups, conn->groups,
> >                                               guest);
> >     }
> >
> > I think the if should be ( ! (conn->force_user || conn->force_group)), since the force_user and force_group processing should be all done just before this block of code. Otherwise I don't understand the logic here.
> >
> > I think this is related to my earlier posting with the subject of 3.0a21 and HEAD: only primary group of a domain user is set on smbd.
>
> If force_user or force_group is not set, then we don't use these values. Instead we use the values attached to the vuid.
>
> Andrew Bartlett
Fixed: Re: 3.0a21 and HEAD: only primary group of a domain user is set on smbd
Turns out that because I do not have nsswitch, I need to hack sys_getgrouplist to query winbind for domain users. Did not have to do that for 2.2.x. I should have said that I am on FreeBSD. Anyway, thanks for all the answers.

Chere

On Tuesday 04 March 2003 11:48 pm, Andrew Bartlett wrote:
> On Wed, 2003-03-05 at 12:27, Chere Zhou wrote:
> > Dear list,
> >
> > I know that on 2.2.5, when we get user info from winbindd, we also initialize group information based on the group list got from winbind, and do a setgroups for the process, so that all of the groups the user is a member of is set on the smbd. Now on 3.0a21 and HEAD, I do not see any setgroup operation from winbind, and the smbd process only got the primary group of the Win2k domain user. So it fails when a file permission is checked for other groups the user is a member of.
> >
> > I can see that sec_ctx.c is about the only place that calls sys_setgroups now, when the Unix group info has only the primary group. At the same place the NT token has about 9 groups for my test user. Can somebody explain why we are not doing what 2.2.5 was doing? Is there any design issue related to this?
>
> If you update your HEAD checkout, you will find that I have fixed this 'issue'. The problem is that the Win2k server does not report any groups for these users in LDAP, and as such we only use the 'primaryGid' attribute from the Active Directory query.
>
> There are however alternative queries that can be made, and I have implemented logic to detect this situation (it occurs mainly in child domains, we think). Unfortunately this change is only in HEAD, not Samba 3.0 at this stage.
>
> Andrew Bartlett
Re: How to verify the domain secret is good or bad?
On Tuesday 11 March 2003 01:23 pm, Scott Prive wrote:
> - Original Message -
> From: Chere Zhou [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Sent: Tuesday, March 11, 2003 3:40 PM
> Subject: How to verify the domain secret is good or bad?
>
> > I know there is the command wbinfo -t. But when it says that could not check secret, how do I know it's the secret is bad, or something else wrong, like winbind went crazy maybe?
> >
> > Also, sometimes I saw problems like wbinfo -t just says secret is bad, when all the daemons were running. It sure was good at some point before. So my question is, in what condition that the secret can go bad? How do I check it?
>
> The pdc-secret thing is something I don't completely understand, but I *do* know that secret-testing is done loosely over the network. A bad secret does not mean conclusively that the secret is bad... it means that the test was not successful. So you can get secret is bad if for example the network is congested, etc. and the compare did not occur in time.
>
> Sometimes I've joined a domain and still got this error. If I wait 60 seconds and re-run wbinfo -t, I get a 'secret is good'.
>
> Also, I believe the secret can go bad if you change hostname or some other info. I'm not entirely sure what all the possible failures are.
>
> -Scott

So, if I do not do anything like change hostname, ip or anything like that, my secret should potentially always be good? That's good to know.
How to verify the domain secret is good or bad?
I know there is the command wbinfo -t. But when it says that could not check secret, how do I know it's the secret is bad, or something else wrong, like winbind went crazy maybe? Also, sometimes I saw problems like wbinfo -t just says secret is bad, when all the daemons were running. It sure was good at some point before. So my question is, in what condition that the secret can go bad? How do I check it? Thanks in advance. Chere
Re: 3.0a21 and HEAD: only primary group of a domain user is set on smbd
After managing to compile HEAD on my box, I don't see that my problem is fixed on HEAD. For a user that belongs to 5 groups in an ADS domain, smbd got only the primary group. Here is something from the log:

    [2003/03/10 13:01:58, 3] smbd/process.c:switch_message(676)
      switch message SMBntcreateX (pid 11923)
    [2003/03/10 13:01:58, 3] smbd/sec_ctx.c:set_sec_ctx(288)
      setting sec ctx (1, 1) - sec_ctx_stack_ndx = 0
    [2003/03/10 13:01:58, 5] auth/auth_util.c:debug_nt_user_token(516)
      NT user token of user S-1-5-21-606747145-117609710-725345543-1005
      contains 9 SIDs
      SID[ 0]: S-1-5-21-606747145-117609710-725345543-1005
      SID[ 1]: S-1-5-21-606747145-117609710-725345543-513
      SID[ 2]: S-1-1-0
      SID[ 3]: S-1-5-2
      SID[ 4]: S-1-5-11
      SID[ 5]: S-1-5-21-606747145-117609710-725345543-3173
      SID[ 6]: S-1-5-21-606747145-117609710-725345543-512
      SID[ 7]: S-1-5-21-606747145-117609710-725345543-3186
      SID[ 8]: S-1-5-21-606747145-117609710-725345543-3187
    [2003/03/10 13:01:58, 5] auth/auth_util.c:debug_unix_user_token(530)
      UNIX token of user 1
      Primary group is 1 and contains 2 supplementary groups
      Group[ 0]: 1
      Group[ 1]: 1
    [2003/03/10 13:01:58, 5] smbd/uid.c:change_to_user(203)
      change_to_user uid=(0,1) gid=(0,1)

I would expect primary group is 1, and contains 5 or 6 groups, 1, 10001, 10002, 10003 etc. Is this problem familiar to anyone working on Samba 3.0?

Chere

On Tuesday 04 March 2003 11:48 pm, Andrew Bartlett wrote:
> On Wed, 2003-03-05 at 12:27, Chere Zhou wrote:
> > Dear list,
> >
> > I know that on 2.2.5, when we get user info from winbindd, we also initialize group information based on the group list got from winbind, and do a setgroups for the process, so that all of the groups the user is a member of is set on the smbd. Now on 3.0a21 and HEAD, I do not see any setgroup operation from winbind, and the smbd process only got the primary group of the Win2k domain user. So it fails when a file permission is checked for other groups the user is a member of.
> >
> > I can see that sec_ctx.c is about the only place that calls sys_setgroups now, when the Unix group info has only the primary group. At the same place the NT token has about 9 groups for my test user. Can somebody explain why we are not doing what 2.2.5 was doing? Is there any design issue related to this?
>
> If you update your HEAD checkout, you will find that I have fixed this 'issue'. The problem is that the Win2k server does not report any groups for these users in LDAP, and as such we only use the 'primaryGid' attribute from the Active Directory query.
>
> There are however alternative queries that can be made, and I have implemented logic to detect this situation (it occurs mainly in child domains, we think). Unfortunately this change is only in HEAD, not Samba 3.0 at this stage.
>
> Andrew Bartlett
bug or typo in smbd/service.c: make_connection_snum(line 530)?
The block reads:

    if (conn->force_user || conn->force_group) {
        /* groups stuff added by ih */
        conn->ngroups = 0;
        conn->groups = NULL;

        /* Find all the groups this uid is in and store them. Used by change_to_user() */
        initialise_groups(conn->user, conn->uid, conn->gid);
        get_current_groups(conn->gid, &conn->ngroups,&conn->groups);

        conn->nt_user_token = create_nt_token(conn->uid, conn->gid,
                                              conn->ngroups, conn->groups,
                                              guest);
    }

I think the if should be ( ! (conn->force_user || conn->force_group)), since the force_user and force_group processing should be all done just before this block of code. Otherwise I don't understand the logic here.

I think this is related to my earlier posting with the subject of 3.0a21 and HEAD: only primary group of a domain user is set on smbd.
Re: 3.0a21 and HEAD: only primary group of a domain user is set on smbd
Do you mean that I probably will need both your change and Ken's patch? Now I remember that I checked on SAMBA_3_0 but not HEAD, as I thought they should be pretty similar. I will check HEAD out. Thanks A. Bartlett.

Chere

On Tuesday 04 March 2003 11:52 pm, Andrew Bartlett wrote:
> On Wed, 2003-03-05 at 14:38, Ken Cross wrote:
> > The behavior you're seeing is because LDAP is being used to get the group membership rather than RPC. Last month I posted a patch to fix this, but to my knowledge it hasn't been incorporated. (I'm not bitching, just explaining...)
>
> Your patch fixed a slightly different issue, this issue was fixed in HEAD recently.
>
> Andrew Bartlett
3.0a21: add a new group using ACL results in a new user in winbindd idmap
I am in an ADS domain. From a Windows client, create a file, add a group to the file using ACLs (new means the group is not in winbindd database yet), the group is mapped as a user in the winbindd_idmap.tdb. The group is not any special type, just a normal group (not local, not universal). Anyone knows about this problem? Thanks, Chere
3.0a21 and HEAD: only primary group of a domain user is set on smbd
Dear list, I know that on 2.2.5, when we get user info from winbindd, we also initialize group information based on the group list got from winbind, and do a setgroups for the process, so that all of the groups the user is a member of is set on the smbd. Now on 3.0a21 and HEAD, I do not see any setgroup operation from winbind, and the smbd process only got the primary group of the Win2k domain user. So it fails when a file permission is checked for other groups the user is a member of. I can see that sec_ctx.c is about the only place that calls sys_setgroups now, when the Unix group info has only the primary group. At the same place the NT token has about 9 groups for my test user. Can somebody explain why we are not doing what 2.2.5 was doing? Is there any design issue related to this? Thanks a lot! Chere
Re: [PATCH] More CLDAP changes (last round hopefully)
This patch works for me. Thanks a lot! But I do have to manually edit the file, because long lines got wrapped in the email. Chere On Thursday 27 February 2003 12:20 pm, Anthony Liguori wrote: Last round of changes to the Samba CLDAP code. Every byte is now accounted for in the response packet so we shouldn't have anymore parsing errors. It should apply cleanly against HEAD. Index: source/utils/net_ads_cldap.c === RCS file: /cvsroot/samba/source/utils/net_ads_cldap.c,v retrieving revision 1.6 diff -u -r1.6 net_ads_cldap.c --- source/utils/net_ads_cldap.c12 Nov 2002 23:15:52 - 1.6 +++ source/utils/net_ads_cldap.c26 Feb 2003 22:57:53 - @@ -2,6 +2,7 @@ Samba Unix/Linux SMB client library net ads cldap functions Copyright (C) 2001 Andrew Tridgell ([EMAIL PROTECTED]) + Copyright (C) 2003 Jim McDonough ([EMAIL PROTECTED]) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
@@ -23,60 +24,69 @@ #ifdef HAVE_ADS +struct netlogon_string { + uint32 comp_len; + char **component; + uint8 extra_flag; +}; + struct cldap_netlogon_reply { - uint32 version; + uint32 type; uint32 flags; GUID guid; - char *domain; - char *server_name; - char *domain_flatname; - char *server_flatname; - char *dns_name; - uint32 unknown2[2]; -}; + struct netlogon_string forest; + struct netlogon_string domain; + struct netlogon_string hostname; -/* - pull a length prefixed string from a packet - return number of bytes consumed -*/ -static unsigned pull_len_string(char **ret, const char *p) -{ - unsigned len = *p; - (*ret) = NULL; - if (len == 0) return 1; - (*ret) = smb_xstrndup(p+1, len); - return len+1; -} + struct netlogon_string netbios_domain; + struct netlogon_string netbios_hostname; + + struct netlogon_string user_name; + struct netlogon_string site_name; + + struct netlogon_string unk0; + + uint32 version; + uint16 lmnt_token; + uint16 lm20_token; +}; /* - pull a dotted string from a packet - return number of bytes consumed + These strings are rather interesting... They are composed of a series of + length encoded strings, terminated by either 1) a zero length string or 2) + a 0xc0 byte with what appears to be a one byte flags immediately following. 
*/ -static unsigned pull_dotted_string(char **ret, const char *p) +static unsigned pull_netlogon_string(struct netlogon_string *ret,const char *d) { - char *s; - unsigned len, total_len=0; + char *s, *p = (char *)d; - (*ret) = NULL; + ZERO_STRUCTP(ret); - while ((len = pull_len_string(s, p)) 1) { - if (total_len) { - char *s2; - asprintf(s2, %s.%s, *ret, s); - SAFE_FREE(*ret); - (*ret) = s2; + do { + unsigned len = (unsigned char)*p; + p++; + + if (len 0 len != 0xc0) { + ret-component = realloc(ret-component, +++ret-comp_len * +sizeof(char *)); + + ret-component[ret-comp_len - 1] = + smb_xstrndup(p, len); + p += len; } else { - (*ret) = s; + if (len == 0xc0) { + ret-extra_flag = *p; + p++; + }; + break; } - total_len += len; - p += len; - } + } while (1); - return total_len + 1; + return (p - d); } - /* do a cldap netlogon query */ @@ -190,19 +200,25 @@ p = os3.data; - reply-version = IVAL(p, 0); p += 4; + reply-type = IVAL(p, 0); p += 4; reply-flags = IVAL(p, 0); p += 4; + memcpy(reply-guid.info, p, GUID_SIZE); p += GUID_SIZE; - p += pull_dotted_string(reply-domain, p); - p += 2; /* 0xc018 - whats this? */ - p += pull_len_string(reply-server_name, p); - p += 2; /* 0xc018 - whats this? */ - p += pull_len_string(reply-domain_flatname, p); - p += 1; - p += pull_len_string(reply-server_flatname, p); - p += 2; - p += pull_len_string(reply-dns_name, p); + + p += pull_netlogon_string(reply-forest, p); + p += pull_netlogon_string(reply-domain, p); + p += pull_netlogon_string(reply-hostname, p); + p +=
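Review bot: pull_netlogon_string() takes only a start pointer, so the do/while (1) loop trusts every length byte in the reply and p can run past the end of os3.data on a short or malformed packet; the realloc() result is also stored into the component array and indexed without a NULL check. Suggest passing the number of bytes remaining into the function, returning an error when len exceeds it, and checking realloc() before writing component[comp_len - 1].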
3.0a21: scripting with smbpasswd - bug or feature
I noticed that on samba 2.x, as root we can do

    smbpasswd -a -s user passwd

without being prompted for anything. This is not working on 3.0a21. I will need to type in the password twice using the above command.

Is this a feature to not allow passwords to be seen, or a bug that should be fixed?

Chere
Re: [PATCH] Re: 3.0a21: net ads lookup for a child domain got messy output
How about this new patch (as in the attachment). The change I made from your patch, is to add the while loop in pull_c_zero_string which was adopted from pull_dotted_string. Now my domains are all happy. Otherwise, a grandchild domain complains. I am posting this to samba-technical list, since I though it was what you intended to do, and we might get more testing of this. Chere On Monday 24 February 2003 01:21 pm, Anthony Liguori wrote: Lotus Notes won't let me send patches to the samba-technical list anymore (I've got to get a forwarding account it seems) but I haven't tested this patch enough to apply it to HEAD anyway. I know it works with your traffic though as I used your dumps as test data. This patch gives a _lot_ more information and makes various fixes. Note: the patch you submitted to the list doesn't actually work for domain controllers without forests. The 0xc0 stuff are deliminators for these strings. Let me know how this patch works out for you: (See attached file: net_ads_lookup.patch) Anthony Liguori Linux/Active Directory Interoperability Linux Technology Center (LTC) - IBM Austin E-mail: [EMAIL PROTECTED] Phone: (512) 838-1208 Tie Line: 678-1208 --- utils/net_ads_cldap.c.orig Mon Feb 24 14:27:29 2003 +++ utils/net_ads_cldap.c Tue Feb 25 11:27:50 2003 @@ -24,15 +24,25 @@ #ifdef HAVE_ADS struct cldap_netlogon_reply { - uint32 version; + uint32 type; uint32 flags; GUID guid; char *domain; - char *server_name; - char *domain_flatname; - char *server_flatname; - char *dns_name; - uint32 unknown2[2]; + + char *dns_domain; + uint8 domain_flag; + char *dns_hostname; + uint8 hostname_flag; + + char *netbios_domain; + char *netbios_hostname; + + char *user_name; + char *site_name; + + uint32 version; + uint16 lmnt_token; + uint16 lm20_token; }; 
@@ -76,6 +86,33 @@ return total_len + 1; } +static unsigned pull_c_zero_string(char **ret, uint8 *flag, + const unsigned char *p) +{ + unsigned len = 0, total_len=0; + char *s; + + *ret = NULL; + + /* TODO: see what happends when a domain controller name == 0xc0 */ + while (*p != 0xc0) { + len = pull_len_string(s, p); +if (total_len) { +char *s2; +asprintf(s2, %s.%s, *ret, s); +SAFE_FREE(*ret); +(*ret) = s2; +} else { +(*ret) = s; +} +total_len += len; +p += len; + } + + *flag = p[1]; + + return (total_len + 2); +} /* do a cldap netlogon query @@ -190,19 +227,27 @@ p = os3.data; - reply-version = IVAL(p, 0); p += 4; + reply-type = IVAL(p, 0); p += 4; reply-flags = IVAL(p, 0); p += 4; + memcpy(reply-guid.info, p, GUID_SIZE); p += GUID_SIZE; p += pull_dotted_string(reply-domain, p); - p += 2; /* 0xc018 - whats this? */ - p += pull_len_string(reply-server_name, p); - p += 2; /* 0xc018 - whats this? */ - p += pull_len_string(reply-domain_flatname, p); - p += 1; - p += pull_len_string(reply-server_flatname, p); - p += 2; - p += pull_len_string(reply-dns_name, p); + + p += pull_c_zero_string(reply-dns_domain, reply-domain_flag, p); + p += pull_c_zero_string(reply-dns_hostname, reply-hostname_flag,p); + + p += pull_dotted_string(reply-netbios_domain, p); + p += pull_dotted_string(reply-netbios_hostname, p); + + p += pull_len_string(reply-user_name, p); + p += pull_len_string(reply-site_name, p); + + p += 2; /* is this two empty strings? */ + + reply-version = IVAL(p, 0); + reply-lmnt_token = SVAL(p, 4); + reply-lm20_token = SVAL(p, 6); data_blob_free(os1); data_blob_free(os2); 
@@ -219,10 +264,12 @@ static void cldap_reply_free(struct cldap_netlogon_reply *reply) { SAFE_FREE(reply-domain); - SAFE_FREE(reply-server_name); - SAFE_FREE(reply-domain_flatname); - SAFE_FREE(reply-server_flatname); - SAFE_FREE(reply-dns_name); + SAFE_FREE(reply-dns_domain); + SAFE_FREE(reply-dns_hostname); + SAFE_FREE(reply-netbios_domain); + SAFE_FREE(reply-netbios_hostname); + SAFE_FREE(reply-user_name); + SAFE_FREE(reply-site_name); } /* @@ -246,7 +293,6 @@ if (ret != 0) { return ret; } - ret = recv_cldap_netlogon(sock, reply); close(sock); @@ -254,15 +300,51 @@ return -1; } - d_printf(Version: 0x%x\n, reply.version); + d_printf(Response Type: 0x%x\n, reply.type); d_printf(GUID: ); print_guid(reply.guid); - d_printf(Flags: 0x%x\n, reply.flags); - d_printf(Domain: %s\n, reply.domain); - d_printf(Server Name: %s\n, reply.server_name); - d_printf(Flatname: %s\n, reply.domain_flatname); - d_printf(Server Name2: %s\n, reply.server_flatname); - d_printf(DNS Name: %s\n, reply.dns_name); + d_printf(Flags:\n + \tIs a PDC: %s\n + \tIs a GC of the forest: %s\n + \tIs an LDAP server: %s\n + \tSupports DS:%s\n + \tIs running a KDC:
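Review bot: the while (*p != 0xc0) loop in pull_c_zero_string() stops only when it meets a 0xc0 byte, and the function has no length argument, so a reply that lacks the marker walks p off the end of the packet; the TODO above the loop already concedes that a length byte of 0xc0 is ambiguous. Suggest passing the remaining byte count into pull_c_zero_string() and returning an error when it is exhausted before the marker is found.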
[PATCH] Re: 3.0a21: net ads lookup for a child domain got messy output
With the following patch, it works for me now. However, there are still mysteries like what 0xc018 and 0xc022 means in the received netlogon responses. My fix is to split the domain into forest and domain, where the new domain is the child/grandchild under forest. The ultimate domain name should be domain+'.'+forest. Even if this does not go into the sources eventually, I hope it can be helpful for other people who had the same problem as I did. Chere --- utils/net_ads_cldap.c.orig Fri Feb 21 15:34:18 2003 +++ utils/net_ads_cldap.c Mon Feb 24 11:27:47 2003 @@ -27,6 +27,7 @@ uint32 version; uint32 flags; GUID guid; +char *forest; char *domain; char *server_name; char *domain_flatname; @@ -42,11 +43,13 @@ */ static unsigned pull_len_string(char **ret, const char *p) { - unsigned len = *p; + unsigned char len = *p; (*ret) = NULL; if (len == 0) return 1; + if ((len == 0xc0) ((unsigned char)(*(p+1)) == 0x18)) + return 1; (*ret) = smb_xstrndup(p+1, len); - return len+1; + return (unsigned)(len+1); } /* @@ -194,8 +197,13 @@ reply-flags = IVAL(p, 0); p += 4; memcpy(reply-guid.info, p, GUID_SIZE); p += GUID_SIZE; - p += pull_dotted_string(reply-domain, p); - p += 2; /* 0xc018 - whats this? */ + p += pull_dotted_string(reply-forest, p); + if ((unsigned char)*p == 0xc0) + p += 2; /* 0xc018 - whats this? */ + else { + p += pull_dotted_string(reply-domain, p); + p += 1; + } p += pull_len_string(reply-server_name, p); p += 2; /* 0xc018 - whats this? */ p += pull_len_string(reply-domain_flatname, p); @@ -218,6 +226,7 @@ */ static void cldap_reply_free(struct cldap_netlogon_reply *reply) { + SAFE_FREE(reply-forest); SAFE_FREE(reply-domain); SAFE_FREE(reply-server_name); SAFE_FREE(reply-domain_flatname); @@ -258,6 +267,7 @@ d_printf(GUID: ); print_guid(reply.guid); d_printf(Flags: 0x%x\n, reply.flags); + d_printf(Forest root: %s\n, reply.forest); d_printf(Domain: %s\n, reply.domain); d_printf(Server Name: %s\n, reply.server_name); d_printf(Flatname: %s\n, reply.domain_flatname);
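Review bot: the new test in pull_len_string() recognises the marker only when the second byte is 0x18, yet the message above reports 0xc022 in replies as well; for that or any other second byte, len stays 0xc0 and smb_xstrndup(p+1, len) copies 192 bytes from the packet with nothing checking that so many remain. Suggest treating any length byte of 0xc0 as the end of the string regardless of the byte after it, and passing the remaining packet length into pull_len_string() so len can be bounded.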
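Added example, not code from any post in this thread or from Samba: the 0xc018 and 0xc022 bytes these posts puzzle over fit RFC 1035 name compression, where a byte with its top two bits set and the byte after it form an offset into the packet (0x18 = 24, the first byte after the 4-byte type, 4-byte flags and 16-byte GUID). The decoder below assumes that interpretation and adds the bounds and loop checks a parser for network input needs; the function names and the sample reply are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN  24   /* 4-byte type + 4-byte flags + 16-byte GUID */
#define NAME_BUF 256

/* Constructed sample reply (not captured traffic). */
static const uint8_t SAMPLE_REPLY[] = {
    0x17, 0, 0, 0,                                   /* type  */
    0xfd, 0x01, 0, 0,                                /* flags */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  /* GUID  */
    3, 'l', 'a', 'b', 4, 't', 'e', 's', 't', 0,      /* offset 24 (0x18): forest */
    5, 'c', 'h', 'i', 'l', 'd', 0xc0, 0x18,          /* offset 34 (0x22): domain */
    3, 'd', 'c', '1', 0xc0, 0x22                     /* offset 42: hostname      */
};

struct reply_names {
    char forest[NAME_BUF];
    char domain[NAME_BUF];
    char hostname[NAME_BUF];
};

/*
 * Decode the name that starts at pkt[off] into out as a dotted string.
 * Returns the number of bytes the name occupies at off, or -1 if the
 * input is truncated, uses a reserved length, loops, or overflows out.
 */
static int pull_compressed_name(const uint8_t *pkt, size_t pkt_len, size_t off,
                                char *out, size_t out_len)
{
    size_t pos = off, limit = off, used = 0;
    int consumed = -1;          /* set once, at the first terminator or pointer */

    if (out_len == 0)
        return -1;
    for (;;) {
        uint8_t len;

        if (pos >= pkt_len)
            return -1;                      /* ran off the end of the packet */
        len = pkt[pos];
        if (len == 0) {                     /* zero-length label ends the name */
            if (consumed < 0)
                consumed = (int)(pos + 1 - off);
            break;
        }
        if ((len & 0xc0) == 0xc0) {         /* two-byte compression pointer */
            size_t target;

            if (pos + 1 >= pkt_len)
                return -1;
            target = ((size_t)(len & 0x3f) << 8) | pkt[pos + 1];
            if (consumed < 0)
                consumed = (int)(pos + 2 - off);
            if (target >= limit)            /* must point strictly backwards, */
                return -1;                  /* which also rules out loops     */
            limit = target;
            pos = target;
            continue;
        }
        if (len & 0xc0)
            return -1;                      /* 0x40 and 0x80 are reserved */
        if ((size_t)len > pkt_len - pos - 1)
            return -1;                      /* label longer than the packet */
        if (used + (used ? 1 : 0) + len + 1 > out_len)
            return -1;                      /* no room for label, dot and NUL */
        if (used)
            out[used++] = '.';
        memcpy(out + used, pkt + pos + 1, len);
        used += len;
        pos += 1 + (size_t)len;
    }
    out[used] = '\0';
    return consumed;
}

/* Walk the three names that follow the fixed header, in order. */
static int parse_reply_names(const uint8_t *pkt, size_t pkt_len,
                             struct reply_names *r)
{
    char *fields[3] = { r->forest, r->domain, r->hostname };
    size_t off = HDR_LEN;

    for (int i = 0; i < 3; i++) {
        int n = pull_compressed_name(pkt, pkt_len, off, fields[i], NAME_BUF);
        if (n < 0)
            return -1;
        off += (size_t)n;
    }
    return 0;
}

int main(void)
{
    struct reply_names r;

    if (parse_reply_names(SAMPLE_REPLY, sizeof(SAMPLE_REPLY), &r) != 0) {
        puts("malformed reply");
        return 1;
    }
    printf("forest=%s domain=%s hostname=%s\n", r.forest, r.domain, r.hostname);
    return 0;
}
```

In the sample the domain sits at offset 34 (0x22) because the forest name takes ten bytes, so a hostname ending in 0xc0 0x22 expands through two pointers.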
Re: net ads join core dump in ldap_get_values_len
After merging libads/ldap.c from SAMBA_3_0 to my copy of 3.0a21 source code, problem solved. Thanks.

Chere

On Tuesday 18 February 2003 02:18 pm, Chere Zhou wrote:
> Hello,
>
> I am using 3.0a21. If I use kinit user@DOMAIN with a user that does not have privilege to join a machine into the domain, I get core dump using net ads join. This happens when the computer account does not exist in the domain. If the computer account exists in the domain, I get the following which is perfectly fine:
>
>     [2003/02/18 13:51:59, 0] libads/ldap.c:ads_join_realm(1325)
>       Host account for chere-2 already exists - deleting old account
>     [2003/02/18 13:51:59, 0] libads/ldap.c:ads_join_realm(1329)
>       Failed to delete host 'chere-2' from the 'ZHOU.COM' realm.
>     ads_join_realm: Insufficient access
>
> The net ads join core dump shows:
>
>     Assertion failed: (entry != NULL), function ldap_get_values_len, file getvalues.c, line 93.
>     Abort (core dumped)
>
> A gdb back trace is:
>
>     #0  0x28455cff in kill () from /usr/lib/libc.so.5
>     #1  0x284a7e32 in abort () from /usr/lib/libc.so.5
>     #2  0x2848600f in __assert () from /usr/lib/libc.so.5
>     #3  0x28252de1 in ldap_get_values_len () from /usr/local/lib/libldap.so.2
>     #4  0x814b9d3 in ads_pull_sid (ads=0x8249380, msg=0x0, field=0x819b0a1 "objectSid", sid=0xbfbff518) at libads/ldap.c:1598
>     #5  0x814b542 in ads_set_machine_sd (ads=0x8249380, hostname=0x81b9b90 "chere-2", dn=0x81f0440 "cn=chere-2,cn=Computers,dc=ZHOU,dc=COM") at libads/ldap.c:1431
>     #6  0x814a7ec in ads_add_machine_acct (ads=0x8249380, hostname=0x81b9b90 "chere-2", org_unit=0x8165ca8 "Computers") at libads/ldap.c:1085
>     #7  0x814b015 in ads_join_realm (ads=0x8249380, hostname=0x81b9a30 "CHERE-2", org_unit=0x8165ca8 "Computers") at libads/ldap.c:1334
>     #8  0x806d945 in net_ads_join (argc=0, argv=0x81b906c) at utils/net_ads.c:648
>     #9  0x806b196 in net_run_function (argc=1, argv=0x81b9068, table=0xbfbff7e0, usage_fn=0x806c1f0 <net_ads_usage>) at utils/net.c:97
>     #10 0x806e6dc in net_ads (argc=1, argv=0x81b9068) at utils/net_ads.c:1040
>     #11 0x806b196 in net_run_function (argc=2, argv=0x81b9064, table=0x819ee94, usage_fn=0x806f3fc <net_help>) at utils/net.c:97
>     #12 0x806c17b in main (argc=3, argv=0xbfbffb5c) at utils/net.c:555
>     #13 0x806b035 in _start ()
>
> I have some problems building cvs version on my platform. So I want to know if this is fixed in cvs. "fixed" means it returns a meaningful message instead of core dump. If yes, please point me to the place I should look at.
>
> Thanks a lot !
>
> Chere
net ads join core dump in ldap_get_values_len
Hello,

I am using 3.0a21. If I use kinit user@DOMAIN with a user that does not have privilege to join a machine into the domain, I get core dump using net ads join. This happens when the computer account does not exist in the domain. If the computer account exists in the domain, I get the following which is perfectly fine:

    [2003/02/18 13:51:59, 0] libads/ldap.c:ads_join_realm(1325)
      Host account for chere-2 already exists - deleting old account
    [2003/02/18 13:51:59, 0] libads/ldap.c:ads_join_realm(1329)
      Failed to delete host 'chere-2' from the 'ZHOU.COM' realm.
    ads_join_realm: Insufficient access

The net ads join core dump shows:

    Assertion failed: (entry != NULL), function ldap_get_values_len, file getvalues.c, line 93.
    Abort (core dumped)

A gdb back trace is:

    #0  0x28455cff in kill () from /usr/lib/libc.so.5
    #1  0x284a7e32 in abort () from /usr/lib/libc.so.5
    #2  0x2848600f in __assert () from /usr/lib/libc.so.5
    #3  0x28252de1 in ldap_get_values_len () from /usr/local/lib/libldap.so.2
    #4  0x814b9d3 in ads_pull_sid (ads=0x8249380, msg=0x0, field=0x819b0a1 "objectSid", sid=0xbfbff518) at libads/ldap.c:1598
    #5  0x814b542 in ads_set_machine_sd (ads=0x8249380, hostname=0x81b9b90 "chere-2", dn=0x81f0440 "cn=chere-2,cn=Computers,dc=ZHOU,dc=COM") at libads/ldap.c:1431
    #6  0x814a7ec in ads_add_machine_acct (ads=0x8249380, hostname=0x81b9b90 "chere-2", org_unit=0x8165ca8 "Computers") at libads/ldap.c:1085
    #7  0x814b015 in ads_join_realm (ads=0x8249380, hostname=0x81b9a30 "CHERE-2", org_unit=0x8165ca8 "Computers") at libads/ldap.c:1334
    #8  0x806d945 in net_ads_join (argc=0, argv=0x81b906c) at utils/net_ads.c:648
    #9  0x806b196 in net_run_function (argc=1, argv=0x81b9068, table=0xbfbff7e0, usage_fn=0x806c1f0 <net_ads_usage>) at utils/net.c:97
    #10 0x806e6dc in net_ads (argc=1, argv=0x81b9068) at utils/net_ads.c:1040
    #11 0x806b196 in net_run_function (argc=2, argv=0x81b9064, table=0x819ee94, usage_fn=0x806f3fc <net_help>) at utils/net.c:97
    #12 0x806c17b in main (argc=3, argv=0xbfbffb5c) at utils/net.c:555
    #13 0x806b035 in _start ()

I have some problems building cvs version on my platform. So I want to know if this is fixed in cvs. "fixed" means it returns a meaningful message instead of core dump. If yes, please point me to the place I should look at.

Thanks a lot !

Chere
Re: Limitations of Samba-2.2.x as a domain member talking to an AD domain controller
I had this similar question too. Apparently a Domain local group in the ADS does not show up on my Samba 2.2.5. Not sure what else would be. If nobody knows all of it, perhaps those who ever encountered any problem with this situation can just contribute, then we can assemble a list.

Chere

---
On Thu, Jan 23, 2003 at 10:54:19AM -0800, Richard Sharpe wrote:
> Can anyone point me at documentation on the limitations of a downlevel server being a member server in an AD network? The specific case I am thinking of is a Samba-2.2.x-based server.

I don't have any documentation but I can tell you that you should have no problems if you install your domain controller with permissions compatible with pre-Windows 2000 machines. As far as I can work out this just adds the Everyone SID to the builtin Pre-Windows 2000 Compatible Access group.

If this sid isn't present you'll have all sorts of weird problems to do with anonymous access to the LSA and SAM rpc pipes.

Tim.
3.0alpha21 performance degraded comparing to 2.2.5
I tested using the same hardware for windows client and the server, same setup and configuration. Network bandwidth was gigabits. I built both 2.2.5 and 3.0alpha21 from source. Here are my numbers for a single windows 2000 client, single samba server test. For reads, 2.2.5 gets 120 Mbps, while 3.0a21 gets only 80Mbps, which is a 33% decrease. Writing to samba, 3.0a21 gets a 15% decrease over 2.2.5. Samba performance is very important to us here. So please help me to make it better. Anybody know tricks to make samba 3.0alpha21 faster? Thanks in advance, Chere