sid/guid-conversion in ads

2003-03-18 Thread Guenther Deschner
hello,

sorry for being off-topic, but has anyone ever managed to work with the
LDAP_SERVER_EXTENDED_DN_OID control in active directory? according to the
SDK this control should do all sid_to_string conversions on the server side
and thus extend the distinguishedName (something i need in an
openldap/ads-synchronisation project) with string-representations of 
and .

i tried advanced server sp1 and sp2 without any luck. i could not even get
any conversion done with that control natively with ldp.exe.

thanks for any help,
guenther

the msdn docu:
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ldap/ldap_server_extended_dn_oid.asp)
-- 
Guenther Deschner [EMAIL PROTECTED]
SuSE Linux AG        GnuPG: 8EE11688
Berliner Str. 27  phone:  +49 (0) 30 / 430944778
D-13507 Berlin   fax:  +49 (0) 30 / 43732804


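The sid_to_string conversion the control was expected to do on the server can be done on the client instead. This is an added example, not code from the thread or from Samba: it converts a binary objectSid as AD returns it over LDAP into the S-1-5-... form, rejecting malformed buffers instead of rendering them. The sample SID bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Convert a binary SID into the textual "S-1-5-21-..." form.
 * Layout: byte 0 revision, byte 1 sub-authority count, bytes 2-7 a 48-bit
 * big-endian identifier authority, then count 32-bit little-endian
 * sub-authorities. Returns the string length, or -1 when the buffer is
 * malformed (bad revision, count > 15, length mismatch) or the output buffer
 * is too small, so truncated directory data never becomes a plausible SID. */
int sid_to_string(const unsigned char *sid, size_t len, char *out, size_t outlen)
{
    unsigned rev, count, i;
    uint64_t authority = 0;
    int n, m;

    if (sid == NULL || len < 8)
        return -1;
    rev = sid[0];
    count = sid[1];
    if (rev != 1 || count > 15 || len != 8 + 4 * (size_t)count)
        return -1;
    for (i = 2; i < 8; i++)
        authority = (authority << 8) | sid[i];

    n = snprintf(out, outlen, "S-%u-%llu", rev, (unsigned long long)authority);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    for (i = 0; i < count; i++) {
        const unsigned char *s = sid + 8 + 4 * i;
        uint32_t sub = (uint32_t)s[0] | ((uint32_t)s[1] << 8) |
                       ((uint32_t)s[2] << 16) | ((uint32_t)s[3] << 24);
        m = snprintf(out + n, outlen - (size_t)n, "-%u", (unsigned)sub);
        if (m < 0 || (size_t)m >= outlen - (size_t)n)
            return -1;
        n += m;
    }
    return n;
}

/* Constructed sample objectSid (not from any real domain): revision 1, five
 * sub-authorities, authority 5 -> S-1-5-21-1000-2000-3000-513. */
static const unsigned char sample_sid[] = {
    0x01, 0x05,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
    0x15, 0x00, 0x00, 0x00,   /* 21   */
    0xe8, 0x03, 0x00, 0x00,   /* 1000 */
    0xd0, 0x07, 0x00, 0x00,   /* 2000 */
    0xb8, 0x0b, 0x00, 0x00,   /* 3000 */
    0x01, 0x02, 0x00, 0x00    /* 513  */
};

const char *sample_sid_string(void)
{
    static char buf[128];
    if (sid_to_string(sample_sid, sizeof(sample_sid), buf, sizeof(buf)) < 0)
        return "";
    return buf;
}

/* The same bytes cut short: the count byte still claims five sub-authorities,
 * so the length check must reject it instead of reading past the end. */
int sample_sid_truncated(void)
{
    char buf[128];
    return sid_to_string(sample_sid, sizeof(sample_sid) - 4, buf, sizeof(buf));
}

int main(void)
{
    printf("%s\n", sample_sid_string());
    return 0;
}
```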


Re: ldap delete user?

2003-03-17 Thread Guenther Deschner
hello volker,

On Mon, Mar 17, 2003 at 11:08:09PM +0100, Volker Lendecke wrote:
> Hi!
> 
> While looking at HEAD / ldapsam_delete_sam_account a bit closer I
> found that we completely delete the user. Would it not be better just
> to remove the samba-specific attributes and let the 'delete user
> script' do the rest? Hmm. srv_samr_nt.c works the other way
> round... Has anybody ever tried this?

no. but SuSE has shipped a diff for 2_2 for quite some time now with another
smb.conf option that helps users not to delete their posix-account by
accident.

thanks,
guenther

--- source/include/proto.h
+++ source/include/proto.h  2002/05/13 10:58:13
@@ -1965,6 +1965,7 @@
 char *lp_ldap_admin_dn(void);
 int lp_ldap_port(void);
 int lp_ldap_ssl(void);
+BOOL lp_ldap_del_only_sam(void);
 char *lp_add_share_cmd(void);
 char *lp_change_share_cmd(void);
 char *lp_delete_share_cmd(void);
--- source/param/loadparm.c
+++ source/param/loadparm.c 2002/05/13 10:34:46
@@ -215,6 +215,7 @@
 #ifdef WITH_LDAP_SAM
int ldap_port;
int ldap_ssl;
+   BOOL ldap_del_only_sam;
char *szLdapServer;
char *szLdapSuffix;
char *szLdapFilter;
@@ -1033,6 +1034,7 @@
{"ldap filter", P_STRING, P_GLOBAL, &Globals.szLdapFilter, NULL, NULL, 0},
{"ldap admin dn", P_STRING, P_GLOBAL, &Globals.szLdapAdminDn, NULL, NULL, 0},
{"ldap ssl", P_ENUM, P_GLOBAL, &Globals.ldap_ssl, NULL, enum_ldap_ssl, 0},
+   {"ldap del only sam attr", P_BOOL, P_GLOBAL, &Globals.ldap_del_only_sam, NULL, 
NULL, 0},
 #endif /* WITH_LDAP_SAM */
 
{"Miscellaneous Options", P_SEP, P_SEPARATOR},
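Review bot: the new `ldap del only sam attr` parameter is registered here without a manpage entry; document it in smb.conf(5), and consider naming the accessor lp_ldap_del_only_sam_attr() so it matches the parameter string (the surrounding table keeps the two aligned, e.g. `ldap admin dn` / lp_ldap_admin_dn).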
@@ -1418,6 +1420,7 @@
string_set(&Globals.szLdapAdminDn, "");
Globals.ldap_port = 636;
Globals.ldap_ssl = LDAP_SSL_ON;
+   Globals.ldap_del_only_sam = False;
 #endif /* WITH_LDAP_SAM */
 /* these parameters are set to defaults that are more appropriate
for the increasing samba install base:
@@ -1605,6 +1608,7 @@
 FN_GLOBAL_STRING(lp_ldap_admin_dn, &Globals.szLdapAdminDn)
 FN_GLOBAL_INTEGER(lp_ldap_port, &Globals.ldap_port)
 FN_GLOBAL_INTEGER(lp_ldap_ssl, &Globals.ldap_ssl)
+FN_GLOBAL_BOOL(lp_ldap_del_only_sam, &Globals.ldap_del_only_sam)
 #endif /* WITH_LDAP_SAM */
 FN_GLOBAL_STRING(lp_add_share_cmd, &Globals.szAddShareCommand)
 FN_GLOBAL_STRING(lp_change_share_cmd, &Globals.szChangeShareCommand)
--- source/passdb/pdb_ldap.c
+++ source/passdb/pdb_ldap.c2002/05/14 08:39:12
@@ -960,7 +960,90 @@
entry = ldap_first_entry (ldap_struct, result);
dn = ldap_get_dn (ldap_struct, entry);
 
-   rc = ldap_delete_s (ldap_struct, dn);
+   if ( lp_ldap_del_only_sam() ){
+   /* LDAP attributes that are used (and only needed) by sambaAccount */
+   char *sam_attrs[] = { "lmPassword", "ntPassword", "pwdLastSet", 
"logonTime",
+   "logoffTime", "kickoffTime", "pwdCanChange", 
"pwdMustChange", "acctFlags", 
+   "displayName", "smbHome", "homeDrive", "scriptPath", 
"profilePath", 
+   "userWorkstations", "primaryGroupID", "domain", "rid", 
NULL };
+   char *oc_values[] = { "sambaAccount", NULL };
+   BerElement *ptr;
+   char *name = NULL;
+   int act_mod = 0;
+   LDAPMod *mods[sizeof(sam_attrs)/sizeof(char*)];
+   int i;
+
+   for(i=0; i < ( sizeof(sam_attrs)/sizeof(char*) ); i++ ){
+   mods[i] = NULL;
+   }
+   DEBUG (3, ("Deleting only SAM attributes\n"));
+   /* Find out which attributes from the list above have to be deleted */
+   for( name = ldap_first_attribute( ldap_struct, entry, &ptr ); name != 
NULL;
+   name = ldap_next_attribute( ldap_struct, entry, ptr ) ){
+   char **act_attr = NULL;
+   for( act_attr = sam_attrs; *act_attr != NULL; act_attr++ ){
+   /* if an attribute is in the above list AND actually 
set in the entry, put it 
+  into the LDAPMod-Array */ 
+   if(strcmp(*act_attr, name) == 0){
+   DEBUG (10, ("DelAttr %s\n", name));
+   m
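Review bot: the attribute names returned by ldap_first_attribute()/ldap_next_attribute() in the loop are never released with ldap_memfree(), and the BerElement `ptr` is not freed with ber_free() after the loop, so every deletion in this mode leaks; add both. The hard-coded sam_attrs list duplicates the sambaAccount schema and will silently miss any attribute added to it later (lmPassword/ntPassword are on the list, which is the part that matters for this option), so a comment pointing at the schema file it mirrors is needed. The hunk is cut off after `DEBUG (10, ("DelAttr %s\n", name));`, so the remainder (the modify call and the objectClass removal via oc_values) could not be reviewed.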

Re: smb.conf inside ldap

2003-03-04 Thread Guenther Deschner
hi,

On Tue, Mar 04, 2003 at 04:05:26PM +0100, Stefan Voelkel wrote:
> Hello,
> 
> I would like to hold the smb.conf inside an ldap server.
> 
> Is there any work going on in implementing a ldap-config-file-backend? 

not that i know of. but there was some effort in samba-tng on this. you
might have a look in their mail archives (must be two years ago).

maybe i still have the schema somewhere...

thanks,
guenther


Re: Patches for winbindd over TCP and a "failover port" option

2003-02-18 Thread Guenther Deschner
hi,

On Tue, Feb 18, 2003 at 05:57:55PM +0200, Nir Soffer wrote:
> Our product uses Samba as a component. In our product we were forced to
> modify certain parts of Samba, namely:
> 
> Winbindd running over TCP (to a remote host)

this sounds very interesting.
 
> Smbd listening to an additional "failover" port.  
> Allow listening on non-broadcast interfaces.
> 
> All these changes are very minimal.  In order to comply with the GPL and
> provide the community with what little code we've modified, attached is
> the patch file between this version and Samba 3.0a20. 

you have forgotten to add that patchfile :)

thanks,
guenther



Re: msdfs referrals at share-level

2003-02-09 Thread Guenther Deschner
hello shirish,

On Fri, Feb 07, 2003 at 05:13:50PM -0800, Shirish Kalele wrote:
> Hi Guenther,
>
> I'll try and take a look at it Monday.
>
> Is the fix for the dfs-enum pipe attached as well?

yes. i'll add it again just to be sure.

> I'm not sure I understand your description of the fix.

oh sorry, maybe i'll describe my test setup a bit.


i have in smb.conf two msdfs roots, one of them acts as a proxy:


[dfsroot1]
path = /tmp/dfs-real
msdfs root = yes

[dfsroot2]
path = /tmp/empty
msdfs root = yes
msdfs proxy = \unimak\tmp2


without the fix i can just see the first dfsroot (and not even all the
entrypaths that exist under that root):


mthelena:~ # rpcclient localhost -N -c "dfsenum 3"
entrypath: \\MTHELENA\dfsroot1
comment:
state: 1
num_storages: 1
storage[0] servername: mthelena
storage[0] sharename: dfsroot1


with the fix i do see my second dfsroot and i get all storage information
about the other entrypaths that are created as symlinks, and i even get
information about the proxy destination of [dfsroot2]:

mthelena:~ # rpcclient localhost -N -c "dfsenum 3"
entrypath: \\MTHELENA\dfsroot1
comment:
state: 1
num_storages: 1
storage[0] servername: mthelena
storage[0] sharename: dfsroot1
entrypath: \\MTHELENA\dfsroot1\linkone
comment:
state: 1
num_storages: 1
storage[0] servername: win2ksrv
storage[0] sharename: data
entrypath: \\MTHELENA\dfsroot1\linktwo
comment:
state: 1
num_storages: 1
storage[0] servername: smbsrv
storage[0] sharename: test
entrypath: \\MTHELENA\dfsroot1\linkthree
comment:
state: 1
num_storages: 2
storage[0] servername: unimak2
storage[0] sharename: tmp2
storage[1] servername: unimak
storage[1] sharename: tmp
entrypath: \\MTHELENA\dfsroot2
comment:
state: 1
num_storages: 1
storage[0] servername: unimak2
storage[0] sharename: tmp2

is that fix correct?

thanks,
guenther


--- source/msdfs/msdfs.c2002-12-30 00:30:15.0 +0100
+++ source/msdfs/msdfs.c2003-02-07 14:19:37.0 +0100
@@ -851,7 +851,9 @@
ref->ttl = REFERRAL_TTL;
if (*lp_msdfs_proxy(snum) != '\0') {
pstrcpy(ref->alternate_path, lp_msdfs_proxy(snum));
-   *jn_count = 1;
+   pstrcpy(jn[cnt].service_name, lp_servicename(snum));
+   cnt++;
+   *jn_count = cnt;
return True;
}
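Review bot: `jn[cnt]` is written here without a visible check that cnt is below the capacity of the jn array; the replaced line only set `*jn_count = 1` and never indexed jn in this branch, so either confirm the caller always leaves room for one more entry or bounds-check cnt before the pstrcpy. Only service_name is filled for the proxy junction in this hunk; if jn[cnt] is not zeroed elsewhere, its remaining fields reach the enumeration reply uninitialised.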






Re: msdfs referrals at share-level

2003-02-09 Thread Guenther Deschner
hi,

On Sat, Feb 08, 2003 at 05:30:21PM -0800, Richard Sharpe wrote:
> On Fri, 7 Feb 2003, Guenther Deschner wrote:
>
> > now that the msdfs-proxy is in cvs (thanks again for taking a deeper
> > look on that) i still have a small fix for the dfsenum-pipe that just prints
> > the first dfsroot and then stops. with that fix it'll show you all
> > dfsenum-infolevels.
> > 
> > attached you'll find a backport of the msdfs-proxy for 2_2, maybe you
> > could have a quick look and comment on that one too.
>
> Hmmm, how is this any different from having a normal MSDFS share set up
> in Samba, say to \\server1\share1, and doing:
>
> ln -s "msdfs:server1\share2,server2\share3,..." /path/to/share1/share1
>
> Just what does this msdfs-proxy stuff do that you can't do with the
> existing code?

as far as i have understood (shirish, please correct me if i'm wrong):

the msdfs implementation in samba is close to nt4 semantics, where a
dfsroot is just a share. only inside that share can you create volumes that
contain junctions to other storage locations; you cannot make a
dfs-root behave as a direct redirect itself. since dfs-volumes are
implemented as symlinks that are masqueraded as directories to the client,
you cannot just set the "path" of a share-definition to something that is
itself a symlink. thus

ln -s "msdfs:server1\\share1" /tmp/volume1

[dfsproxy]
path = /tmp/volume1
msdfs root = yes

will not work without a "msdfs proxy".

bye,
guenther
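Both this explanation and the dfsenum listing earlier in the thread rest on the symlink target format `msdfs:server\share[\path][,server2\share2...]`, where a comma-separated target becomes one entrypath with several storages. The parser below is an added example, not code from Samba or from the thread; the MAX_ALTS cap and the sample targets are assumptions, and the two-storage sample mirrors the "linkthree" entry from the listing.

```c
#include <stdio.h>
#include <string.h>

#define MSDFS_PREFIX "msdfs:"
#define MAX_ALTS 8          /* assumed cap on alternates per link */
#define MAX_NAME 256

/* One storage location behind an msdfs link: server, share, optional sub-path. */
struct msdfs_alt {
    char server[MAX_NAME];
    char share[MAX_NAME];
    char path[MAX_NAME];    /* "" when the target is just server\share */
};

/* Parse a symlink target of the form msdfs:server1\share2[\dir],server2\share3
 * into its alternates. Returns the alternate count, or -1 when the target is
 * not a well-formed msdfs link (missing prefix, empty server or share name,
 * over-long entry, too many entries). Nothing is referred on a bad target. */
int parse_msdfs_target(const char *target, struct msdfs_alt *alts, int max_alts)
{
    size_t plen = strlen(MSDFS_PREFIX);
    const char *p;
    int n = 0;

    if (target == NULL || strncmp(target, MSDFS_PREFIX, plen) != 0)
        return -1;

    for (p = target + plen; *p != '\0'; ) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char buf[MAX_NAME];
        char *share, *bs;

        if (len == 0 || len >= sizeof(buf) || n >= max_alts)
            return -1;
        memcpy(buf, p, len);
        buf[len] = '\0';

        /* server\share[\path]: the first backslash separates server and share */
        bs = strchr(buf, '\\');
        if (bs == NULL || bs == buf || bs[1] == '\0')
            return -1;
        *bs = '\0';
        share = bs + 1;

        /* a second backslash starts the optional sub-path below the share */
        bs = strchr(share, '\\');
        if (bs != NULL) {
            *bs = '\0';
            strcpy(alts[n].path, bs + 1);
        } else {
            alts[n].path[0] = '\0';
        }
        if (*share == '\0')
            return -1;
        strcpy(alts[n].server, buf);
        strcpy(alts[n].share, share);
        n++;

        p = end ? end + 1 : p + len;
    }
    return n > 0 ? n : -1;
}

/* Constructed two-storage target (sample data, not from a real setup). */
static const char *example_target = "msdfs:unimak2\\tmp2,unimak\\tmp";
static struct msdfs_alt example_alts[MAX_ALTS];

int msdfs_example_count(void)
{
    return parse_msdfs_target(example_target, example_alts, MAX_ALTS);
}

const char *msdfs_example_server(int i)
{
    return (msdfs_example_count() > i) ? example_alts[i].server : "";
}

const char *msdfs_example_share(int i)
{
    return (msdfs_example_count() > i) ? example_alts[i].share : "";
}

/* A target with a sub-path below the share keeps that path separately. */
const char *msdfs_example_subpath(void)
{
    static struct msdfs_alt tmp[MAX_ALTS];
    if (parse_msdfs_target("msdfs:server1\\share1\\sub\\dir", tmp, MAX_ALTS) != 1)
        return "";
    return tmp[0].path;
}

/* An empty server name must be rejected rather than turned into a referral. */
int msdfs_example_bad(void)
{
    struct msdfs_alt tmp[MAX_ALTS];
    return parse_msdfs_target("msdfs:\\tmp2", tmp, MAX_ALTS);
}

int main(void)
{
    int i, n = msdfs_example_count();
    printf("num_storages: %d\n", n);
    for (i = 0; i < n; i++)
        printf("storage[%d] servername: %s sharename: %s\n",
               i, example_alts[i].server, example_alts[i].share);
    return 0;
}
```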


Re: missing config.h.in for CVS SAMBA_3_0?

2003-02-07 Thread Guenther Deschner
hi,

just call autogen.sh and it will be recreated.

bye,
guenther

On Fri, Feb 07, 2003 at 08:21:21AM -0500, Richard Bollinger wrote:
> Double checked cvsweb - its config.h.in is gone?
> 
> I got this message this morning when I updated my CVS tracking copy:
> cvs server: source/include/config.h.in is no longer in the repository
> 
> Did someone do an oops, adding both config.h and config.h.in to .cvsignore?
> 



Re: msdfs referrals at share-level

2003-02-07 Thread Guenther Deschner
hi,

now that the msdfs-proxy is in cvs (thanks again for taking a deeper look on
that) i still have a small fix for the dfsenum-pipe that just prints the first
dfsroot and then stops. with that fix it'll show you all dfsenum-infolevels.

attached you'll find a backport of the msdfs-proxy for 2_2, maybe you could
have a quick look and comment on that one too.

thanks again,
guenther 

On Mon, Oct 14, 2002 at 12:15:17PM -0700, Shirish Kalele wrote:
> Hi,
> 
> This is cool. Which Windows clients have you tested with?
> 
> As for the patch, it might be better if you coded this such that a
> self-referral either pointed to itself, or to the proxied share. Having
> something like 'msdfs proxy = server\share' in smb.conf, and sending that
> whenever a self-referral was to be sent would be better than the hack you
> have where you manipulate the client's requested path to become the msdfs
> link to the proxy. imho, anyway. This might also make it easier to code the
> NETDFS interface to this proxy stuff.
> 
> Cheers,
> Shirish
> 
> - Original Message -
> From: "Guenther Deschner" <[EMAIL PROTECTED]>
> To: "Shirish Kalele" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>; "Thomas Wiebach" <[EMAIL PROTECTED]>
> Sent: Monday, October 14, 2002 6:36 AM
> Subject: Re: msdfs referrals at share-level
> 
> 
> hello shirish,
> 
> we made some more experiments with the dfs-code and now have a running
> solution for our smb-proxy, without breaking msdfs (well, i didn't have a
> look at the dfs_rpc-pipe for now...)
> 
> you can now have a samba-share behave like an msdfs-symlink.
> if you set a share to "msdfs proxy = yes" and declare the link in its
> path to "msdfs link name = linkname" the clients will receive correct
> referrals already when they access the share :)
> 
> since we are planning to use this patch in production, it would be very
> nice if you could comment on this.
> 
> -8<--snip--8<--
> add to smb.conf:
> [global]
> host msdfs = yes
> 
> [dfs-fake]
> path = /export/dfs-fake
> msdfs root  = yes
> msdfs proxy = yes
> msdfs link name = "linkname"
> 
> create a link:
> 
> ln -s msdfs:unimak\\storage /export/dfs-fake/linkname
> ->8--snap-->8--
> 
> thanks a lot,
> guenther
> 
> 
> On Thu, Sep 05, 2002 at 09:50:51AM -0700, Shirish Kalele wrote:
> > Hi,
> >
> > Clients do request dfs referrals for every share they connect to. In a dfs
> > reply for a share, you could try and send a different sharename and see
> what
> > happens. I don't know if clients will be able to handle this. Look for
> > self_referral in the setup_dfs_referral() code to find out where to start
> > making changes.
> >
> > Let me know how the clients take it..
> >
> > Thanks,
> > Shirish
> >
> > - Original Message -
> > From: "Guenther Deschner" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, September 04, 2002 2:48 PM
> > Subject: msdfs referrals at share-level
> >
> > hello everybody,
> >
> > as far as i have looked into msdfs.c it seems to be impossible to send
> > a client a dfs-referral at the share level (\\fileserver\msdfs-link).
> >
> > maybe there is another way to "proxy" a request to \\samba\thisshare to
> > \\anothersamba\thatshare ?
> >
> > i currently want to migrate a couple of nt-servers transparently for
> > clients. the basic idea is to setup one samba-server that offers faked
> > file-service via netbios-aliases and dfs-redirects to the real
> > samba-fileserver. unfortunately touching the clients is a no-go.
> >
> > old setup with *nt*:
> >
> >  client -> //fileserver/share1
> >
> > planned setup with *samba*:
> >
> >  client -> //fileserver/share1  where share1 -> msdfs:samba-file\whatever
> >
> > any help is much appreciated.
> >
> > bye,
> > guenther
> > --
> > Guenther Deschner  [EMAIL PROTECTED]
> > SuSE Linux AGGnuPG: 8EE11688
> > Berliner Str. 27  phone:  +49 (0) 30 / 430944778
> > D-13507 Berlin   fax:  +49 (0) 30 / 43732804
> >
> >
> 
> --
> Guenther Deschner  [EMAIL PROTECTED]
> SuSE Linux AG  

domain local groups with winbindd in mixed-mode

2002-12-12 Thread Guenther Deschner
hello everybody,

just a short question: is there any technical reason why domain local
groups are only implemented in winbind with native-mode win2k domains and
disabled in mixed-modes?

thanks a lot, 


a very small fix for python

2002-12-09 Thread Guenther Deschner
hello everybody,

make python_ext in HEAD is broken...

bye,
guenther

--- source/python/py_tdbpack.c  2002-12-09 11:05:11.0 +0100
+++ source/python/py_tdbpack.c  2002-12-09 11:04:19.0 +0100
@@ -28,7 +28,7 @@
 /* This module is supposed to be standalone, however for portability
it would be good to use the FUNCTION_MACRO preprocessor define. */
 
-#include "config.h"
+#include "../include/config.h"
 
 #ifdef HAVE_FUNCTION_MACRO
 #define FUNCTION_MACRO  (__FUNCTION__)
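Review bot: hard-coding `../include/config.h` ties the extension to the source tree layout and contradicts the comment two lines above that the module is meant to be standalone; passing the include directory via the build instead (an -I in PYTHON_CFLAGS or an include_dirs entry in setup.py) keeps the source file portable.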





Re: vampire a win2k-dc

2002-11-20 Thread Guenther Deschner
hi volker,

On Wed, Nov 13, 2002 at 09:53:06AM +0100, Volker Lendecke wrote:
> On Tue, Nov 12, 2002 at 03:41:47PM +0100, Guenther Deschner wrote:
> > is it true that a win2k dc will insist on setting up a secure channel
> > before ever transmitting password-hashes (with net rpc vampire)? 
> 
> Obviously yes. I had to notice that lately. That's where the latest patches
> from tridge are aimed at. You could try pwdump for the passwords though.

ok. i see. but isn't there some sort of support for secure channel in tng?

thanks,
guenther


allocating uids with winbind

2002-11-18 Thread Guenther Deschner
hi,

for some days now i have been observing something odd:

recent CVS winbinds in HEAD and 3_0 are no longer able to allocate 
uids/gids if you start from scratch (with an empty idmap).

server_state.uid_high and server_state.gid_high seem not to be passed down,
and allocate_id writes zero high-watermarks into the idmap. in consequence 
the check (if hwm > server_state.{g|u}id_high) fails and winbind fails to 
allocate uids/gids with "{g|u}id-range full". 

i can work around it, but is anyone else seeing this too?

thanks,
guenther


vampire a win2k-dc

2002-11-12 Thread Guenther Deschner
hi,

is it true that a win2k dc will insist on setting up a secure channel
before ever transmitting password-hashes (with net rpc vampire)? 

thanks,
guenther


recent python changes

2002-11-05 Thread Guenther Deschner
hi,

a very small fix for the Makefile...

bye,
guenther

--- Makefile.in 2002-11-05 22:28:04.0 +0100
+++ Makefile.in 2002-11-05 22:28:08.0 +0100
@@ -917,7 +917,7 @@
echo Use the option --with-python to configure python; \
exit 1; fi
PYTHON_OBJS="$(PYTHON_OBJS)" PYTHON_CFLAGS="$(CFLAGS) $(CPPFLAGS) $(FLAGS)" \
-x1 LIBS="$(LIBS)" \
+   LIBS="$(LIBS)" \
$(PYTHON) python/setup.py build
 
 python_install: $(PYTHON_OBJS)
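Review bot: the fix is correct: with the stray `x1` token, the preceding `PYTHON_OBJS=...` and `PYTHON_CFLAGS=...` assignments became the environment of a command named `x1`, with `LIBS=...`, `$(PYTHON)` and `python/setup.py build` as its arguments, so the build step could never run in that form. Nothing further needed beyond a one-line commit message saying so.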





Re: Documentation: pdbedit and account policies

2002-10-24 Thread Guenther Deschner
and some more cleanups.

On Thu, Oct 24, 2002 at 02:45:46PM +0200, Guenther Deschner wrote:
> hi,
> 
> the manpage for pdbedit has no entries for the account-policy switches
> -P and -V. attached diff works against 3_0 and HEAD.
> 
> bye,
> guenther


--- docs/docbook/manpages/pdbedit.8.sgml2002-10-24 14:35:36.0 +0200
+++ docs/docbook/manpages/pdbedit.8.sgml2002-10-24 14:56:59.0 +0200
@@ -21,8 +21,8 @@
-u username 
-f fullname 
-h homedir  
-   -d drive
-   -s script
+   -D drive
+   -S script
-p profile  
-a  
-m  
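Review bot: renaming the synopsis entries from `-d drive`/`-s script` to `-D drive`/`-S script` changes the documented interface; the commit message should state that these are the letters pdbedit's option parsing actually accepts on 3_0 and HEAD, otherwise manpage and tool will disagree in the other direction. The next hunk moves `-d` to debuglevel and `-s` to configfile, so the swap is at least self-consistent within this diff.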
@@ -30,7 +30,10 @@
-i passdb-backend   
-e passdb-backend   
-b passdb-backend
-   -D debuglevel
+   -d debuglevel
+   -s configfile
+   -P account-policy
+   -V value

 
 
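Review bot: the synopsis adds `-V value` while the description hunk below names the argument `-V account-policy-value`; use one spelling in both places, and since -V is only valid together with -P, `-P account-policy [-V value]` in the synopsis would express that dependency.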
@@ -160,7 +163,7 @@



-   -d drive
+   -D drive
This option can be used while adding or
modifing a user account. It will specify the windows drive
letter to be used to map the home directory.
@@ -172,7 +175,7 @@



-   -s script
+   -S script
This option can be used while adding or
modifing a user account. It will specify the user's logon
script path.
@@ -268,6 +271,49 @@
Example: pdbedit -b xml:/root/pdb-backup.xml 
-l


+
+   
+   -d debuglevel
+   debuglevel is an integer 
+from 0 to 10.
+   
+   
+
+   
+   -s configfile
+   Specifies the location of the all important 
+   smb.conf file.  
+   
+   
+
+   
+   -P account-policy
+   Choose an account 
+policy.
+   Valid policies are: minimum password age, reset count minutes, 
+disconnect time,
+   user must logon to change password, password history, lockout 
+duration, min password length,
+   maximum password age and bad lockout attempt.
+
+   Example: pdbedit -P "bad lockout 
+attempt"
+   
+   account policy value for bad lockout attempt is 0
+   
+
+   
+   
+
+   
+   -V account-policy-value
+   Sets an account policy to a specified value. 
+   This option may only be used in conjunction
+   with the -P option.
+
+   Example: pdbedit -P "bad lockout attempt" -V 
+3
+   
+   account policy value for bad lockout attempt was 0
+   account policy value for bad lockout attempt is now 3
+   
+   
+   
+

 
 
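Review bot: the new `-d debuglevel` paragraph says only that the value is an integer from 0 to 10, not what it controls or what the default is; say that it sets the debug output level. `-P` is described as "Choose an account policy" but the example shows it printing the policy's current value, so "Display (or, with -V, set)" describes both uses. The `-s configfile` text ("the all important smb.conf file") reads as a joke in a manpage; "the smb.conf file to use" is enough.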





Documentation: pdbedit and account policies

2002-10-24 Thread Guenther Deschner
hi,

the manpage for pdbedit has no entries for the account-policy switches
-P and -V. attached diff works against 3_0 and HEAD.

bye,
guenther

--- docs/docbook/manpages/pdbedit.8.sgml2002-10-24 14:35:36.0 +0200
+++ docs/docbook/manpages/pdbedit.8.sgml2002-10-24 14:35:18.0 +0200
@@ -31,6 +31,8 @@
-e passdb-backend   
-b passdb-backend
-D debuglevel
+   -P account-policy
+   -V value

 
 
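Review bot: `-P account-policy` and `-V value` are added as independent synopsis entries although the -V description says it may only be used together with -P; `-P account-policy [-V value]` would document that dependency where readers look first.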
@@ -268,6 +270,36 @@
Example: pdbedit -b xml:/root/pdb-backup.xml 
-l


+
+   
+   -P account-policy
+   Display an account policy
+   Valid policies are: minimum password age, reset count minutes, 
+disconnect time,
+   user must logon to change password, password history, lockout 
+duration, min password length,
+   maximum password age and bad lockout attempt.
+
+   Example: pdbedit -P "bad lockout 
+attempt"
+   
+   account policy value for bad lockout attempt is 0
+   
+
+   
+   
+
+   
+   -V account-policy-value
+   Sets an account policy to a specified value. 
+   This option may only be used in conjunction
+   with the -P option.
+
+   Example: pdbedit -P "bad lockout attempt" -V 
+3
+   
+   account policy value for bad lockout attempt was 0
+   account policy value for bad lockout attempt is now 3
+   
+   
+   
+

 
 
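Review bot: the argument is called `value` in the synopsis and `account-policy-value` in this description; use one name. The -P paragraph says "Display an account policy" although the -V example uses -P to select the policy being set, so "Select an account policy; without -V its current value is displayed" covers both uses.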





Re: [PATCH] Heimdal build fix

2002-10-17 Thread Guenther Deschner
hi luke,

i have tried your patch with heimdal-0.5 and heimdal-0.4e
and added some rough configure.in checks so that you can now choose 
between kerberos implementations:
  --with-krb5impl={heimdal,mit}   Choose Kerberos 5 implementation (default=mit)
  --with-krb5libs=DIR             Locate Kerberos 5 libs (default=/usr)
  --with-krb5includes=DIR         Locate Kerberos 5 includes (default=/usr/)

if you have chosen heimdal and configure finds your libs/includes, 
HAVE_HEIMDAL is going to be set.
i also had to add $(LIBADS_OBJ) $(LIBADS_SERVER_OBJ) on several occasions 
in the Makefile to link the missing krb5_set_real_time function 
(i think this should not be the long-term solution.)

everything compiles fine now (with heimdal-0.5, because 0.4e does not have
AP_OPTS_USE_SUBKEY), net ads and smbclient do work *correctly* towards
win2k advanced server, but smbd and winbindd do *not* correctly retrieve 
their ticket in ads-mode. while smbd fails with:

libads/kerberos_verify.c:ads_verify_ticket(192)
  krb5_rd_req with auth failed (Unknown error -1765328203)

winbind immediately panics.

i suspect that heimdal cannot correctly handle the des-cbc-md5-enctype
that ads uses when the machine is joined to the domain, but i am really 
not a kerberos expert... 

it would be great to finally have samba3 working with heimdal.

thanks a lot,
guenther

On Wed, Oct 09, 2002 at 05:56:17PM +1000, Luke Howard wrote:
> We're using a custom version of Heimdal, so I may have left out
> a few things that prevent it from building on a normal system.
> Please let me know if I have and I'll fix the patch. It is also
> untested right now, so you may wish to wait until I've had time
> to test it before applying it. :-)
> 
> There is no auto-detection; you must configure with -DHEIMDAL.
> You may also need to comment out the /usr/kerberos check in
> configure.in if building on a RedHat system.
> 
> regards,
> 
> -- Luke



--- source/include/includes.h   18 Sep 2002 19:06:58 -  1.280
+++ source/include/includes.h   9 Oct 2002 07:51:53 -
@@ -397,6 +397,9 @@
 #endif
 
 #if HAVE_KRB5_H
+#ifdef HAVE_HEIMDAL
+#define __MD5_H__
+#endif
 #include 
 #else
 #undef HAVE_KRB5
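Review bot: `#define __MD5_H__` before the krb5 include suppresses a Heimdal header by spoofing its include guard; that relies on the exact guard spelling and stops working silently if Heimdal renames it. Add a comment naming the conflicting header and why it must be skipped, and prefer a configure-time check for the conflict over a hand-set guard macro.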
@@ -410,6 +413,12 @@
 #include 
 #else
 #undef HAVE_LDAP
+#endif
+
+#if HAVE_GSSAPI_H
+#include 
+#else
+#undef HAVE_KRB5
 #endif
 
 #if HAVE_GSSAPI_GSSAPI_H
--- source/libads/kerberos_verify.c 4 Oct 2002 07:41:56 -   1.3
+++ source/libads/kerberos_verify.c 9 Oct 2002 07:51:54 -
@@ -24,6 +24,27 @@
 
 #ifdef HAVE_KRB5
 
+#if defined(HAVE_HEIMDAL) && !defined(XAD)
+/*
+ * This function is not in the Heimdal mainline.
+ */
+krb5_error_code krb5_set_real_time(krb5_context context,
+  int32_t seconds, int32_t microseconds)
+{   
+   krb5_error_code ret;
+   int32_t sec, usec;
+
+   ret = krb5_us_timeofday(context, &sec, &usec);
+   if (ret)
+   return ret;
+
+   context->kdc_sec_offset = seconds - sec;
+   context->kdc_usec_offset = microseconds - usec;
+
+   return 0;
+}
+#endif /* HAVE_HEIMDAL && !XAD */
+
 /*
   verify an incoming ticket and parse out the principal name and 
   authorization_data if available 
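Review bot: the local krb5_set_real_time() writes `context->kdc_sec_offset` and `context->kdc_usec_offset` directly, so it depends on Heimdal's krb5_context being a public struct with exactly those members; put it behind a configure check for a native krb5_set_real_time rather than `HAVE_HEIMDAL && !defined(XAD)`. XAD is the submitter's vendor build (per the cover mail) and is never defined in the mainline tree, so that half of the condition is dead here.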
@@ -36,10 +57,14 @@
krb5_keytab keytab = NULL;
krb5_data packet;
krb5_ticket *tkt = NULL;
+#ifdef HAVE_HEIMDAL
+   krb5_salt salt;
+#else
krb5_data salt;
krb5_encrypt_block eblock;
+#endif /* HAVE_HEIMDAL */
int ret, i;
-   krb5_keyblock * key;
+   krb5_keyblock *key;
krb5_principal host_princ;
char *host_princ_s;
extern pstring global_myname;
@@ -48,6 +73,9 @@
krb5_data password;
krb5_enctype *enctypes = NULL;
 
+#ifdef XAD
+   /* We would rather use the keytab. */
+#else
if (!secrets_init()) {
DEBUG(1,("secrets_init failed\n"));
return NT_STATUS_LOGON_FAILURE;
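Review bot: `#ifdef XAD` skips secrets_init() and the machine-password lookup with only the comment "We would rather use the keytab" and no keytab code in this hunk; mainline never defines XAD, so this adds a dead preprocessor branch. Either drop it or replace it with an explicit option, and if keytab-based verification is wanted, implement it under that option.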
@@ -61,6 +89,7 @@
 
password.data = password_s;
password.length = strlen(password_s);
+#endif /* XAD */
 
ret = krb5_init_context(&context);
if (ret) {
@@ -92,39 +121,68 @@
return NT_STATUS_LOGON_FAILURE;
}
 
+#ifdef HAVE_HEIMDAL
+   ret = krb5_get_pw_salt(context, host_princ, &salt);
+   if (ret) {
+   DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
+   return NT_STATUS_LOGON_FAILURE;
+   }
+#else
ret = krb5_principal2salt(context, host_princ, &salt);
if (ret) {
DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
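Review bot: the Heimdal branch returns NT_STATUS_LOGON_FAILURE when krb5_get_pw_salt() fails without freeing the context created by krb5_init_context() in the hunk above; the existing MIT branch shows the same pattern, but new code should not copy it. The hunk is truncated here, so the rest (including whether the Heimdal salt is released afterwards) could not be reviewed.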

Re: msdfs referrals at share-level

2002-10-14 Thread Guenther Deschner

hi,

On Mon, Oct 14, 2002 at 09:15:41AM -0500, Gerald Carter wrote:
> On Mon, 14 Oct 2002, Guenther Deschner wrote:
> 
> > ops. patch is against 2_2 - cvs.
> 
> Thanks.  But please patch against HEAD.  I'm not going to add any 
> new functionality to SAMBA_2_2.  

right. here is the diff (that needs review) against HEAD. 

thanks,
guenther 



--- source/param/loadparm.c Wed Oct  9 21:17:05 2002
+++ source/param/loadparm.c Mon Oct 14 16:33:08 2002
@@ -386,6 +386,8 @@
BOOL bInheritPerms;
BOOL bInheritACLS;
BOOL bMSDfsRoot;
+   BOOL bMSDfsProxy;
+   char *bMSDfsLinkName;
BOOL bUseClientDriver;
BOOL bDefaultDevmode;
BOOL bNTAclSupport;
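Review bot: `bMSDfsLinkName` is declared `char *` but carries the `b` prefix this struct reserves for BOOL members (bMSDfsRoot, bUseClientDriver and the neighbours in this hunk); the file's string members use `sz`, so szMSDfsLinkName.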
@@ -508,6 +510,8 @@
False,  /* bInheritPerms */
False,  /* bInheritACLS */
False,  /* bMSDfsRoot */
+   False,  /* bMSDfsProxy */
+   NULL,   /* bMSDfsLinkName */
False,  /* bUseClientDriver */
False,  /* bDefaultDevmode */
True,   /* bNTAclSupport */
@@ -1079,6 +1083,8 @@
 

{"msdfs root", P_BOOL, P_LOCAL, &sDefault.bMSDfsRoot, NULL, NULL, FLAG_SHARE},
+   {"msdfs proxy", P_BOOL, P_LOCAL, &sDefault.bMSDfsProxy, NULL, NULL, 
+FLAG_SHARE},
+   {"msdfs link name", P_STRING, P_LOCAL, &sDefault.bMSDfsLinkName, NULL, NULL, 
+FLAG_SHARE},
{"host msdfs", P_BOOL, P_GLOBAL, &Globals.bHostMSDfs, NULL, NULL, 
FLAG_ADVANCED | FLAG_DEVELOPER},
 
{"Winbind options", P_SEP, P_SEPARATOR},
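Review bot: the two new share parameters get FLAG_SHARE but no smb.conf(5) documentation; add entries for `msdfs proxy` and `msdfs link name`. A single string parameter such as `msdfs proxy = server\share` would replace the bool plus link-name pair and remove the requirement that a symlink of that name exists in the share path.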
@@ -1730,6 +1736,8 @@
 FN_LOCAL_STRING(lp_veto_oplocks, szVetoOplockFiles)
 FN_LOCAL_STRING(lp_driverlocation, szPrinterDriverLocation)
 FN_LOCAL_BOOL(lp_msdfs_root, bMSDfsRoot)
+FN_LOCAL_BOOL(lp_msdfs_proxy, bMSDfsProxy)
+FN_LOCAL_STRING(lp_msdfs_link_name, bMSDfsLinkName)
 FN_LOCAL_BOOL(lp_autoloaded, autoloaded)
 FN_LOCAL_BOOL(lp_preexec_close, bPreexecClose)
 FN_LOCAL_BOOL(lp_rootpreexec_close, bRootpreexecClose)
--- source/msdfs/msdfs.cTue Jul  2 08:34:24 2002
+++ source/msdfs/msdfs.cMon Oct 14 16:49:57 2002
@@ -600,12 +600,38 @@
int reply_size = 0;
char *pathnamep = pathname;
 
+   struct connection_struct conns;
+   struct connection_struct* conn = &conns;
+   int snum;
+   pstring conn_path;
+   struct dfs_path dpi;
+
+   struct junction_map junction2;
+   parse_dfs_path(pathname, &dpi);
+   pstrcpy(junction2.service_name, dpi.servicename);
+   snum = lp_servicenumber(junction2.service_name);
+   create_conn_struct(conn, snum, conn_path);
+   
+
ZERO_STRUCT(junction);
 
/* get the junction entry */
if (!pathnamep)
return -1;
 
+if (lp_msdfs_proxy(SNUM(conn))) {
+   DEBUG(10,("running in proxy mode\n"));
+   pstrcpy(pathnamep, "\\");
+   pstrcat(pathnamep, dpi.hostname);
+   pstrcat(pathnamep, "\\");
+   pstrcat(pathnamep, dpi.servicename);
+   pstrcat(pathnamep, "\\");
+   pstrcat(pathnamep, (char *) lp_msdfs_link_name(SNUM(conn)));
+} else {
+   DEBUG(10,("running in normal mode\n"));
+   }
+   
+   
/* Trim pathname sent by client so it begins with only one backslash.
   Two backslashes confuse some dfs clients
 */
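Review bot: `snum = lp_servicenumber(junction2.service_name)` is passed to create_conn_struct() without checking for -1, and `dpi.servicename` is parsed from the client-supplied `pathname`, so a referral request naming a share that does not exist reaches create_conn_struct() with an invalid service number; return an error when snum < 0. parse_dfs_path(pathname, &dpi) also runs before the existing `if (!pathnamep) return -1;` null check, which should stay first. `conn_path` is handed to create_conn_struct() uninitialised, and the proxy branch's pstrcpy/pstrcat chain writes into `pathnamep`, which aliases the caller's `pathname` buffer. Style: the `+if (` and `+} else {` lines sit at column 0 while the block they belong to is indented, and two blank `+` lines follow it.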
@@ -631,6 +657,17 @@
}
}

+if ( lp_msdfs_proxy(SNUM(conn)) ) {
+   DEBUG(10,("running in proxy mode\n"));
+   pstrcpy ( pathnamep, "\\" );
+   pstrcat ( pathnamep, dpi.hostname);
+   pstrcat ( pathnamep, "\\" );
+   pstrcat ( pathnamep, dpi.servicename);
+} else {
+   DEBUG(10,("running in normal mode\n"));
+   }
+   
+   
/* create the referral depeding on version */
DEBUG(10,("max_referral_level :%d\n",max_referral_level));
if(max_referral_level<2 || max_referral_level>3)
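Review bot: this second `lp_msdfs_proxy()` block rewrites `pathnamep` to `\host\service` again, discarding the `\linkname` component the first block appended, and emits the same "running in proxy mode" debug line a second time; either one of the rewrites is redundant, or the intent (path with link name for the junction lookup, path without it for the reply) needs a comment and one helper instead of two near-duplicate blocks. Same column-0 indentation issue as in the first block.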





Re: msdfs referrals at share-level

2002-10-14 Thread Guenther Deschner

oops. patch is against 2_2 - cvs.

On Mon, Oct 14, 2002 at 03:36:04PM +0200, Guenther Deschner wrote:
> hello shirish,
> 
> we made some more experiments with the dfs-code and now have a running
> solution for our smb-proxy, without breaking msdfs (well, i didn't have a
> look at the dfs_rpc-pipe for now...)
> 
> you can now have a samba-share behave like an msdfs-symlink.
> if you set a share to "msdfs proxy = yes" and declare the link in its
> path to "msdfs link name = linkname" the clients will receive correct 
> referrals already when they access the share :) 
> 
> since we are planning to use this patch in production, it would be very
> nice if you could comment on this.
> 
> -8<--snip--8<--
> add to smb.conf:
> [global]
> host msdfs = yes
> 
> [dfs-fake]
> path = /export/dfs-fake
> msdfs root  = yes
> msdfs proxy = yes
> msdfs link name = "linkname"
> 
> create a link:
> 
> ln -s msdfs:unimak\\storage /export/dfs-fake/linkname
> ->8--snap-->8--
> 
> thanks a lot,
> guenther
> 
> 
> On Thu, Sep 05, 2002 at 09:50:51AM -0700, Shirish Kalele wrote:
> > Hi,
> > 
> > Clients do request dfs referrals for every share they connect to. In a dfs
> > reply for a share, you could try and send a different sharename and see what
> > happens. I don't know if clients will be able to handle this. Look for
> > self_referral in the setup_dfs_referral() code to find out where to start
> > making changes.
> > 
> > Let me know how the clients take it..
> > 
> > Thanks,
> > Shirish
> > 
> > - Original Message -
> > From: "Guenther Deschner" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, September 04, 2002 2:48 PM
> > Subject: msdfs referrals at share-level
> > 
> > hello everybody,
> > 
> > as far as i have looked into msdfs.c it seems to be impossible to send
> > a client a dfs-referral at the share level (\\fileserver\msdfs-link).
> > 
> > maybe there is another way to "proxy" a request to \\samba\thisshare to
> > \\anothersamba\thatshare ?
> > 
> > i currently want to migrate a couple of nt-servers transparently for
> > clients. the basic idea is to set up one samba-server that offers faked
> > file-service via netbios-aliases and dfs-redirects to the real
> > samba-fileserver. unfortunately touching the clients is a no-go.
> > 
> > old setup with *nt*:
> > 
> >  client -> //fileserver/share1
> > 
> > planned setup with *samba*:
> > 
> >  client -> //fileserver/share1  where share1 -> msdfs:samba-file\whatever
> > 
> > any help is much appreciated.
> > 
> > bye,
> > guenther
> > --
> > Guenther Deschner  [EMAIL PROTECTED]
> > SuSE Linux AG                      GnuPG: 8EE11688
> > Berliner Str. 27  phone:  +49 (0) 30 / 430944778
> > D-13507 Berlin   fax:  +49 (0) 30 / 43732804
> > 
> > 
> 
> -- 
> Guenther Deschner  [EMAIL PROTECTED]
> SuSE Linux AG                      GnuPG: 8EE11688
> Berliner Str. 27  phone:  +49 (0) 30 / 430944778
> D-13507 Berlin   fax:  +49 (0) 30 / 43732804

> --- source/param/loadparm.c   Thu Oct 10 00:26:52 2002
> +++ source/param/loadparm.c   Mon Oct 14 14:21:08 2002
> @@ -408,6 +408,8 @@
>   BOOL bInheritPerms;
>   BOOL bInheritACLS;
>   BOOL bMSDfsRoot;
> + BOOL bMSDfsProxy;
> + char *bMSDfsLinkName;
>   BOOL bUseClientDriver;
>   BOOL bDefaultDevmode;
>   BOOL bNTAclSupport;
> @@ -533,6 +535,8 @@
>   False,  /* bInheritPerms */
>   False,  /* bInheritACLS */
>   False,  /* bMSDfsRoot */
> + False,  /* bMSDfsProxy */
> + NULL,   /* bMSDfsLinkName */
>   False,  /* bUseClientDriver */
>   False,  /* bDefaultDevmode */
>   True,   /* bNTAclSupport */
> @@ -1107,6 +,8 @@
>   {"MSDfs options", P_SEP, P_SEPARATOR},
>  
>   {"msdfs root", P_BOOL, P_LOCAL, &sDefault.bMSDfsRoot, NULL, NULL, FLAG_SHARE},
> + {"msdfs proxy", P_BOOL, P_LOCAL, &sDefault.bMSDfsProxy, NU

Re: msdfs referrals at share-level

2002-10-14 Thread Guenther Deschner

hello shirish,

we made some more experiments with the dfs-code and now have a running
solution for our smb-proxy, without breaking msdfs (well, i didn't have a
look at the dfs_rpc-pipe for now...)

you can now have a samba-share behave like an msdfs-symlink.
if you set a share to "msdfs proxy = yes" and declare the link in its
path to "msdfs link name = linkname" the clients will receive correct
referrals already when they access the share :)

since we are planning to use this patch in production, it would be very
nice if you could comment on this.

-8<--snip--8<--
add to smb.conf:
[global]
host msdfs = yes

[dfs-fake]
path = /export/dfs-fake
msdfs root  = yes
msdfs proxy = yes
msdfs link name = "linkname"

create a link:

ln -s msdfs:unimak\\storage /export/dfs-fake/linkname
->8--snap-->8--

thanks a lot,
guenther


On Thu, Sep 05, 2002 at 09:50:51AM -0700, Shirish Kalele wrote:
> Hi,
> 
> Clients do request dfs referrals for every share they connect to. In a dfs
> reply for a share, you could try and send a different sharename and see what
> happens. I don't know if clients will be able to handle this. Look for
> self_referral in the setup_dfs_referral() code to find out where to start
> making changes.
> 
> Let me know how the clients take it..
> 
> Thanks,
> Shirish
> 
> - Original Message -
> From: "Guenther Deschner" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, September 04, 2002 2:48 PM
> Subject: msdfs referrals at share-level
> 
> hello everybody,
> 
> as far as i have looked into msdfs.c it seems to be impossible to send
> a client a dfs-referral at the share level (\\fileserver\msdfs-link).
> 
> maybe there is another way to "proxy" a request to \\samba\thisshare to
> \\anothersamba\thatshare ?
> 
> i currently want to migrate a couple of nt-servers transparently for
> clients. the basic idea is to set up one samba-server that offers faked
> file-service via netbios-aliases and dfs-redirects to the real
> samba-fileserver. unfortunately touching the clients is a no-go.
> 
> old setup with *nt*:
> 
>  client -> //fileserver/share1
> 
> planned setup with *samba*:
> 
>  client -> //fileserver/share1  where share1 -> msdfs:samba-file\whatever
> 
> any help is much appreciated.
> 
> bye,
> guenther
> --
> Guenther Deschner  [EMAIL PROTECTED]
> SuSE Linux AG                      GnuPG: 8EE11688
> Berliner Str. 27  phone:  +49 (0) 30 / 430944778
> D-13507 Berlin   fax:  +49 (0) 30 / 43732804
> 
> 

-- 
Guenther Deschner  [EMAIL PROTECTED]
SuSE Linux AG                      GnuPG: 8EE11688
Berliner Str. 27  phone:  +49 (0) 30 / 430944778
D-13507 Berlin   fax:  +49 (0) 30 / 43732804


--- source/param/loadparm.c Thu Oct 10 00:26:52 2002
+++ source/param/loadparm.c Mon Oct 14 14:21:08 2002
@@ -408,6 +408,8 @@
BOOL bInheritPerms;
BOOL bInheritACLS;
BOOL bMSDfsRoot;
+   BOOL bMSDfsProxy;
+   char *bMSDfsLinkName;
BOOL bUseClientDriver;
BOOL bDefaultDevmode;
BOOL bNTAclSupport;
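Review bot: bMSDfsLinkName is a `char *` but carries the `b` prefix of the BOOL members around it; the string members in this struct use `sz` (compare szVetoOplockFiles and szPrinterDriverLocation in the FN_LOCAL_STRING hunk further down), so name it szMSDfsLinkName and adjust the other hunks to match.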
@@ -533,6 +535,8 @@
False,  /* bInheritPerms */
False,  /* bInheritACLS */
False,  /* bMSDfsRoot */
+   False,  /* bMSDfsProxy */
+   NULL,   /* bMSDfsLinkName */
False,  /* bUseClientDriver */
False,  /* bDefaultDevmode */
True,   /* bNTAclSupport */
@@ -1107,6 +,8 @@
{"MSDfs options", P_SEP, P_SEPARATOR},
 
{"msdfs root", P_BOOL, P_LOCAL, &sDefault.bMSDfsRoot, NULL, NULL, FLAG_SHARE},
+   {"msdfs proxy", P_BOOL, P_LOCAL, &sDefault.bMSDfsProxy, NULL, NULL, 
+FLAG_SHARE},
+   {"msdfs link name", P_STRING, P_LOCAL, &sDefault.bMSDfsLinkName, NULL, NULL, 
+FLAG_SHARE},
{"host msdfs", P_BOOL, P_GLOBAL, &Globals.bHostMSDfs, NULL, NULL, 0},
 #endif
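Review bot: the two new share parameters come with no smb.conf(5) documentation; add entries for "msdfs proxy" and "msdfs link name" that explain the link name is the msdfs symlink inside the share's path which the share-level referral points at, as the snippet in the mail does. As quoted, the hunk is also unusable: its header reads `@@ -1107,6 +,8 @@` with the new-file start line missing, and the mailer wrapped both table rows (`FLAG_SHARE},` on its own `+` line), so send the diff as an attachment.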
 
@@ -1754,6 +1760,8 @@
 FN_LOCAL_STRING(lp_veto_oplocks, szVetoOplockFiles)
 FN_LOCAL_STRING(lp_driverlocation, szPrinterDriverLocation)
 FN_LOCAL_BOOL(lp_msdfs_root, bMSDfsRoot)
+FN_LOCAL_BOOL(lp_msdfs_proxy, bMSDfsProxy)
+FN_LOCAL_STRING(lp_msdfs_link_name, bMSDfsLinkName)
 FN_LOCAL_BOOL(lp_autoloaded, autoloaded)
 FN_LOCAL_BOOL(lp_preexec_close, bPreexecClose)
 FN_LOCAL_BOOL(lp_rootpreexec_close, bRootpreexecCl
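Review bot: FN_LOCAL_STRING(lp_msdfs_link_name, bMSDfsLinkName) together with the NULL default in the earlier hunk means lp_msdfs_link_name() can hand a NULL to the pstrcat() in msdfs.c for a proxy share that sets no link name, unless lp_string() already maps NULL to an empty string; default the field to "" here or have the msdfs.c caller refuse to build a referral without a link name.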

[PATCH] net_ads_user/group with selectable container

2002-10-01 Thread Guenther Deschner

hi,

attached is a patch for the net-tool that makes the default 
dn-component "cn=Users" selectable with a "-c|--container"-switch 
upon creation of groups and users in ADS.

the patch applies to HEAD and 3_0.

bye,
guenther

-- 
Guenther Deschner [EMAIL PROTECTED]
SuSE Linux AG                      GnuPG: 8EE11688
Berliner Str. 27  phone:  +49 (0) 30 / 430944778
D-13507 Berlin   fax:  +49 (0) 30 / 43732804


diff -Nur source/utils/net.c source/utils/net.c
--- source/utils/net.c  Fri Sep 27 09:42:34 2002
+++ source/utils/net.c  Tue Oct  1 12:22:00 2002
@@ -68,6 +68,7 @@
 int opt_port = 0;
 int opt_maxusers = -1;
 char *opt_comment = "";
+char *opt_container = "cn=Users";
 int opt_flags = -1;
 int opt_jobid = 0;
 int opt_timeout = 0;
@@ -459,6 +460,7 @@
{"myname",  'n', POPT_ARG_STRING, &opt_requester_name},
{"conf",'s', POPT_ARG_STRING, &servicesf},
{"server",  'S', POPT_ARG_STRING, &opt_host},
+   {"container",   'c', POPT_ARG_STRING, &opt_container},
{"comment", 'C', POPT_ARG_STRING, &opt_comment},
{"maxusers",'M', POPT_ARG_INT,&opt_maxusers},
{"flags",   'F', POPT_ARG_INT,&opt_flags},
diff -Nur source/utils/net.h source/utils/net.h
--- source/utils/net.h  Tue Jun 25 04:29:09 2002
+++ source/utils/net.h  Tue Oct  1 12:19:51 2002
@@ -38,10 +38,8 @@
 
 extern int opt_maxusers;
 extern char *opt_comment;
+extern char *opt_container;
 extern int opt_flags;
-
-extern char *opt_comment;
-
 extern char *opt_target_workgroup;
 extern int opt_long_list_entries;
 extern int opt_reboot;
diff -Nur source/utils/net_ads.c source/utils/net_ads.c
--- source/utils/net_ads.c  Tue Sep 17 14:15:52 2002
+++ source/utils/net_ads.c  Tue Oct  1 12:33:44 2002
@@ -255,7 +255,7 @@
goto done;
}
 
-   status = ads_add_user_acct(ads, argv[0], opt_comment);
+   status = ads_add_user_acct(ads, argv[0], opt_container, opt_comment);
 
if (!ADS_ERR_OK(status)) {
d_printf("Could not add user %s: %s\n", argv[0],
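Review bot: opt_container is taken verbatim from the command line and passed as the new third argument, but the ldap_user.c hunk that would show how ads_add_user_acct() builds the DN from it is cut off in this mail; confirm the argument order (container before comment) against that prototype, and since the default "cn=Users" is relative to the domain base DN, say in net_help.c that the value must be a relative DN such as cn=Users or ou=Staff rather than a full DN.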
@@ -431,7 +431,7 @@
goto done;
}
 
-   status = ads_add_group_acct(ads, argv[0], opt_comment);
+   status = ads_add_group_acct(ads, argv[0], opt_container, opt_comment);
 
if (ADS_ERR_OK(status)) {
d_printf("Group %s added\n", argv[0]);
diff -Nur source/utils/net_help.c source/utils/net_help.c
--- source/utils/net_help.c Tue Sep 24 20:10:30 2002
+++ source/utils/net_help.c Tue Oct  1 13:01:50 2002
@@ -69,13 +69,13 @@
 "\n\tDelete specified user\n");
d_printf("\nnet  user INFO  [misc. options] [targets]"\
 "\n\tList the domain groups of the specified user\n");
-   d_printf("\nnet  user ADD  [password] [-F user flags] [misc. 
options]"\
+   d_printf("\nnet  user ADD  [password] [-F user flags] [-c 
+container] [misc. options]"\
 " [targets]\n\tAdd specified user\n");
 
net_common_methods_usage(argc, argv);
net_common_flags_usage(argc, argv);
-   d_printf(
-"\t-C or --comment=\tdescriptive comment (for add only)\n");
+   d_printf("\t-C or --comment=\tdescriptive comment (for add only)\n");
+   d_printf("\t-c or --container=\tLDAP container, defaults to 
+cn=Users (for add in ADS only)\n");
return -1;
 }
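Review bot: the mailer wrapped the long d_printf() lines (`[-c` / `+container]` and `defaults to` / `+cn=Users`), splitting two string literals across separate `+` lines, so this hunk neither applies nor compiles as quoted; attach the diff as a file. The placeholder after `--container=` also appears to have been stripped in transit, so check that the attached version still carries it.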
 
@@ -85,12 +85,12 @@
 "\n\tList user groups\n\n");
d_printf("net  group DELETE  [misc. options] [targets]"\
 "\n\tDelete specified group\n");
-   d_printf("\nnet  group ADD  [-C comment]"\
+   d_printf("\nnet  group ADD  [-C comment] [-c container]"\
 " [misc. options] [targets]\n\tCreate specified group\n");
net_common_methods_usage(argc, argv);
net_common_flags_usage(argc, argv);
-   d_printf(
-"\t-C or --comment=\tdescriptive comment (for add only)\n");
+   d_printf("\t-C or --comment=\tdescriptive comment (for add only)\n");
+   d_printf("\t-c or --container=\tLDAP container, defaults to 
+cn=Users (for add in ADS only)\n");
return -1;
 }
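Review bot: the `defaults to` / `+cn=Users` line break splits a string literal across two `+` lines, so this hunk will not compile as quoted either. The usage line advertises `[-c container]` for group ADD although, as the `-c` description says, the option only applies to the ADS method; state that restriction in the usage line as well.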
 
diff -Nur source/libads/ldap_user.c source/libads/ldap_user.c
--- source/libads/ldap_user.c   Wed Aug  7 12:33:22 2002
+++ source/libads/ldap_user.c   Tue Oct  1 12:46:08 2002
@@ -38,7 +38,7 @@
 }
 
 ADS_STATUS ads_add_user_acct(ADS_STRUCT *ads, const char *user, 
-const char *

msdfs referrals at share-level

2002-09-04 Thread Guenther Deschner

hello everybody,

as far as i have looked into msdfs.c it seems to be impossible to send 
a client a dfs-referral at the share level (\\fileserver\msdfs-link).

maybe there is another way to "proxy" a request to \\samba\thisshare to
\\anothersamba\thatshare ? 

i currently want to migrate a couple of nt-servers transparently for
clients. the basic idea is to set up one samba-server that offers faked
file-service via netbios-aliases and dfs-redirects to the real
samba-fileserver. unfortunately touching the clients is a no-go.

old setup with *nt*:

 client -> //fileserver/share1

planned setup with *samba*:

 client -> //fileserver/share1  where share1 -> msdfs:samba-file\whatever

any help is much appreciated.

bye,
guenther
-- 
Guenther Deschner  [EMAIL PROTECTED]
SuSE Linux AG                      GnuPG: 8EE11688
Berliner Str. 27  phone:  +49 (0) 30 / 430944778
D-13507 Berlin   fax:  +49 (0) 30 / 43732804





cvs dead?

2002-08-10 Thread Guenther Deschner

hello,

just wanted to let you know that pserver.samba.org refuses
cvs-connections. maybe the server has died?

bye,
guenther
-- 
Guenther Deschner  [EMAIL PROTECTED]
SuSE Linux AG                      GnuPG: 8EE11688
Berliner Str. 27  phone:  +49 (0) 30 / 430944778
D-13507 Berlin   fax:  +49 (0) 30 / 43732804





Re: [PATCH] pdb_ldap fix

2002-06-27 Thread Guenther Deschner

hello everyone,

and another one...

-   "dislplayName", "homeDrive",
+   "displayName", "homeDrive",

bye,
guenther

On Thu, Jun 27, 2002 at 01:55:47PM +0200, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
> 
> I catch the next BUG:-)
> 
> userWorkstation -> userWorkstations
> 
> 
> metze
> -
> Stefan "metze" Metzmacher <[EMAIL PROTECTED]>

> diff -Npur --exclude=CVS HEAD/source/passdb/pdb_ldap.c 
>HEAD-pdb/source/passdb/pdb_ldap.c
> --- HEAD/source/passdb/pdb_ldap.c Wed Jun 26 07:30:07 2002
> +++ HEAD-pdb/source/passdb/pdb_ldap.c Thu Jun 27 13:50:03 2002
> @@ -142,7 +142,7 @@ char *attr[] = {"uid", "pwdLastSet", "lo
>   "dislplayName", "homeDrive",
>   "smbHome", "scriptPath",
>   "profilePath", "description",
> - "userWorkstation", "rid",
> + "userWorkstations", "rid",
>   "primaryGroupID", "lmPassword",
>   "ntPassword", "acctFlags",
>   "domain", "description", NULL };
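Review bot: the context lines of this hunk show two further defects in attr[] that the patch leaves alone: "dislplayName" (the typo the reply above fixes) and "description" listed twice, once after "profilePath" and again after "domain"; fold the displayName fix in and drop the duplicate so the requested attribute list is clean.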


-- 
Guenther Deschner  [EMAIL PROTECTED]
SuSE Linux AG                      GnuPG: 8EE11688
Berliner Str. 27  phone:  +49 (0) 30 / 430944778
D-13507 Berlin   fax:  +49 (0) 30 / 43732804





Re: Samba as BDC in windows domain?

2002-06-11 Thread Guenther Deschner

hello paul,

On Tue, Jun 11, 2002 at 04:00:08PM +0100, Paul Reilly wrote:
> 
> I've been reading about setting up Samba as a PDC with LDAP storage.
> However if I am to do this it needs to co-exist with the existing windows
> NT domain using windows NT PDC's. Everything I've read so far says you
> can't have a Samba BDC unless it's in a Samba PDC controlled domain. Is this
> correct? Is there *any_possible_way* of having a Samba BDC get SAM updates
> from a windows NT PDC ?
> 
> If not, is there any other way to sync an OpenLDAP server against a NT PDC ?
> 

well, if you really consider *any_possible_way* you might have a look at 
http://acctsync.sourceforge.net/

i never used or tested this, but this could (with a considerable amount of
work) be possibly expanded to match a "NT pdc synchronizes to samba bdc in
ldap"-mechanism.

anyone had a closer look at this?

bye,
guenther
-- 
Guenther Deschner  [EMAIL PROTECTED]
SuSE Linux AG                      GnuPG: 8EE11688
Berliner Str. 27  phone:  +49 (0) 30 / 430944778
D-13507 Berlin   fax:  +49 (0) 30 / 43732804





Re: known BUG "multi-byte character set in usernames"

2002-06-05 Thread Guenther Deschner

On Wed, Jun 05, 2002 at 04:19:32PM -0700, Jeremy Allison wrote:
> On Thu, Jun 06, 2002 at 12:12:45AM +0200, Juergen Hasch wrote:
> > 
> > the patch works fine for except for one thing. In the acl security selection 
> > list (showing a list of all available users and groups) the german umlaut 
> > characters are wrong. This is because the unix charset is sent to the windows 
> > client, as no conversion back takes place.
> > The acl dialogue itself is ok.
> > 
> > I haven't found out yet, where the conversion back to dos code page should 
> > take place. Do you have an idea ?
> 
> Can you CVS update SAMBA_2_2 - I've just applied a patch I think
> should fix this.

works fine over here. tested with winbind on suse linux 8.0, xfs-acls, 
against a german w2ksrv and a german w2k client.  

so great! thanks a lot for fixing "german umlaute" before 2.2.5.

bye,
guenther

-- 
Guenther Deschner  [EMAIL PROTECTED]
SuSE Linux AG                      GnuPG: 8EE11688
Berliner Str. 27  phone:  +49 (0) 30 / 430944778
D-13507 Berlin   fax:  +49 (0) 30 / 43732804





[guenther.deschner@suse.de: Re: known BUG "multi-byte character set in usernames"]

2002-06-02 Thread Guenther Deschner

oh. sorry, should have gone to the list...

bye,
guenther

- Forwarded message from Guenther Deschner <[EMAIL PROTECTED]> -

Date: Sun, 2 Jun 2002 12:50:23 +0200
From: Guenther Deschner <[EMAIL PROTECTED]>
To: Gerald Carter <[EMAIL PROTECTED]>
Subject: Re: known BUG "multi-byte character set in usernames"
User-Agent: Mutt/1.4i
X-Operating-System: Linux 2.4.18-4GB i686

hi gerry,

On Sat, Jun 01, 2002 at 08:15:21PM -0500, Gerald Carter wrote:
> On Fri, 31 May 2002, Juergen Hasch wrote:
> 
> > Now I never would have brought this up because I don't care to much for 2.2 
> > and I was just curious when I made the patches. But since someone asked :-)
> > The names/groups are transferred by rpc and converted from unicode like this:
> > unistr2_to_ascii(t, &info1.str[j].uni_acct_name, sizeof(pstring));
> > Adding the line
> > dos_to_unix(t);
> > makes the umlaute appear.
> > Now the charset conversion may be totally wrong there, I believed it to be 
> > *easiest* patch.
> 
> please send me this patch for 2.2 if you have it.  Thanks.

well, here is at least my slightly modified version of juergens patch 
against CVS 2_2. 

it still lacks support to resolve names containing "umlaute" to gids/sids:
i cannot chgrp to e.g. MYDOMAIN+Domänen-Admins on linux, while it works
fine now from the security tab. the "umlaute" do appear everywhere.
thanks juergen!

it would be great if this could be solved for 2.2.5.

bye,
guenther
- End forwarded message -

-- 
Guenther Deschner  [EMAIL PROTECTED]
SuSE Linux AG                      GnuPG: 8EE11688
Berliner Str. 27  phone:  +49 (0) 30 / 430944778
D-13507 Berlin   fax:  +49 (0) 30 / 43732804


--- source/nsswitch/winbindd_rpc.c  Thu May 30 16:25:50 2002
+++ source/nsswitch/winbindd_rpc.c  Sat May 25 23:49:43 2002
@@ -63,7 +63,7 @@
uint32 count = 0, start=i;
int j;
TALLOC_CTX *ctx2;
-
+   pstring t;
ctr.sam.info1 = &info1;
 
ctx2 = talloc_init_named("winbindd dispinfo");
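Review bot: `pstring t` is declared here, in the function with ctr.sam.info1 and start=i, but the hunk at line 300 uses `t` in what its context lines (user_info->group_rid, ctr->info.id21) show is another function; unless the truncated middle hunk declares it there as well, the patch will not compile. A pstring per call is also more stack than the fstring the cli_samr.c and cmd_samr.c hunks use for the same names.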
@@ -92,8 +92,14 @@
}
 
for (j=0;jname)))
@@ -300,10 +307,15 @@
got_user_pol = False;
 
user_info->group_rid = ctr->info.id21->group_rid;
-   user_info->acct_name = unistr2_tdup(mem_ctx, 
-   &ctr->info.id21->uni_user_name);
-   user_info->full_name = unistr2_tdup(mem_ctx, 
-   &ctr->info.id21->uni_full_name);
+   
+   unistr2_to_ascii(t, &ctr->info.id21->uni_user_name, sizeof(pstring));
+   dos_to_unix(t);
+   user_info->acct_name = talloc_strdup(mem_ctx, t);
+   
+   unistr2_to_ascii(t, &ctr->info.id21->uni_full_name, sizeof(pstring));
+   dos_to_unix(t);
+   user_info->full_name = talloc_strdup(mem_ctx, t);
+
 
  done:
/* Clean up policy handles */
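Review bot: unistr2_to_ascii() is called here with sizeof(pstring) as the limit, while every other hunk in this patch passes `sizeof(...) - 1`; check which convention the function expects so the terminator cannot land one past `t`, and use one form throughout. The talloc_strdup() results also go unchecked, although the unistr2_tdup() calls they replace had the same gap.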
--- source/libsmb/cli_samr.cThu May 30 16:30:33 2002
+++ source/libsmb/cli_samr.cSat May 25 23:30:51 2002
@@ -569,6 +569,7 @@
unistr2_to_ascii((*dom_groups)[i].acct_name,
 &r.uni_grp_name[name_idx],
 sizeof(fstring) - 1);
+   dos_to_unix((*dom_groups)[i].acct_name);
name_idx++;
}
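Review bot: dos_to_unix() converts in place into an fstring that unistr2_to_ascii() may already have filled to sizeof(fstring) - 1 bytes; with a multibyte unix charset (the thread reports the umlauts showing up as UTF-8) a single-byte DOS codepage character becomes two bytes, so a group name near the limit overflows acct_name. Convert into a separate, larger buffer or leave headroom in the unistr2_to_ascii() limit, and make sure the conversion stops when the destination is full.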
 
@@ -647,6 +648,7 @@
unistr2_to_ascii((*dom_groups)[i].acct_name,
 &r.uni_grp_name[name_idx],
 sizeof(fstring) - 1);
+   dos_to_unix((*dom_groups)[i].acct_name);
name_idx++;
}
 
@@ -938,6 +940,7 @@
fstring tmp;
 
unistr2_to_ascii(tmp, &r.uni_name[i], sizeof(tmp) - 1);
+   dos_to_unix(tmp);
(*names)[i] = talloc_strdup(mem_ctx, tmp);
(*name_types)[i] = r.type[i];
}
--- source/rpcclient/cmd_samr.c Sun Apr  7 10:10:35 2002
+++ source/rpcclient/cmd_samr.c Thu May 30 16:38:36 2002
@@ -35,9 +35,11 @@
fstring temp;
 
unistr2_to_ascii(temp, &usr->uni_user_name, sizeof(temp)-1);
+   dos_to_unix(temp);
printf("\tUser Name   :\t%s\n", temp);

unistr2_to_ascii(temp, &usr->uni_full_name, sizeof(temp)-1);
+   dos_to_unix(temp);
printf("\tFull Name   :\t%s\n", temp);

unistr2_to_ascii(temp, &usr->uni_home_dir, sizeof(temp)-1);
--- source/nsswitch/winbindd_util.c Fri May 17 16:12:36 2002
+++ source/nsswitch/winbindd_util.c Fri May 31 15:27:44 2002
@@ -281,6 +281,7 @@
if ((rv = N

known BUG "multi-byte character set in usernames"

2002-05-30 Thread Guenther Deschner

hello,

smb.conf-manpage of 2.2.5pre and HEAD states the bug of "multi-byte character
sets in usernames":

-8<--snip--8<--
BUG: There is currently a bug in the implementation of
     security = domain with respect to multi-byte character set
     usernames. The communication with a Domain Controller must
     be done in UNICODE and Samba currently does not widen
     multi-byte user names to UNICODE correctly, thus a
     multi-byte username will not be recognized correctly at the
     Domain Controller. This issue will be addressed in a
     future release.
->8--snap-->8--

will this bug be solved in the near future? in 2.2.5 or HEAD?

the main problem with this is that you get crippled well-known
domain-groups with winbind (on suse linux 8, kernel 2.4.18, samba-2_2)
and german NT-servers where rid200 (Domain Admins) is Domänen-Admins,
and rid202 is Domänen-Gäste.

now wbinfo -g cuts out the UTF8 chars and will show you e.g.
DOMAIN+Domnen-Admins, DOMAIN+Domnen-Gste, etc.

now you cannot set XFS-ACLs properly since neither DOMAIN+Domnen-Admins
nor DOMAIN+Domänen-Admins does resolve back ...

a simple (and ugly) workaround is to create the three domain-groups in
question in /etc/group. with that you still have to keep an eye on the
correct winbind-gid mapping and rid200 appears crippled in security tab.

is there any other workaround for this?


thanks,
guenther 

-- 
Guenther Deschner  [EMAIL PROTECTED]
SuSE Linux AG                      GnuPG: 8EE11688
Berliner Str. 27  phone:  +49 (0) 30 / 430944778
D-13507 Berlin   fax:  +49 (0) 30 / 43732804
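As an added example (not Samba code, and not part of the patch in this thread): a bounded CP850-to-UTF-8 conversion for the umlauts in the group names above, showing why an in-place dos_to_unix() on an already full fstring is risky, since the UTF-8 form of "Domänen-Admins" is one byte longer than its CP850 form. The mapping table is a constructed subset of CP850 and dos_to_utf8_bounded() is a hypothetical name.

```c
/* Added example, not Samba code: bounded CP850 -> UTF-8 conversion that
 * refuses to overflow instead of silently producing a cut-off name such
 * as the "Domnen-Admins" that wbinfo -g showed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CP850 byte -> Unicode code point for the characters this thread is
 * about (constructed subset, not a full CP850 table). ASCII passes
 * through; anything else maps to U+FFFD so it stays visible, not dropped. */
static uint16_t cp850_to_ucs(unsigned char c)
{
    switch (c) {
    case 0x81: return 0x00FC; /* ü */
    case 0x84: return 0x00E4; /* ä */
    case 0x8E: return 0x00C4; /* Ä */
    case 0x94: return 0x00F6; /* ö */
    case 0x99: return 0x00D6; /* Ö */
    case 0x9A: return 0x00DC; /* Ü */
    case 0xE1: return 0x00DF; /* ß */
    default:   return c < 0x80 ? c : 0xFFFD;
    }
}

/* Convert a NUL-terminated CP850 string to UTF-8 without writing more
 * than outlen bytes (terminator included). Returns the UTF-8 length, or
 * -1 if the result would not fit, so the caller can treat the name as
 * unconvertible rather than truncating it. Hypothetical helper name. */
int dos_to_utf8_bounded(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    const unsigned char *p;

    if (outlen == 0)
        return -1;
    for (p = (const unsigned char *)in; *p; p++) {
        uint16_t cp = cp850_to_ucs(*p);
        unsigned char buf[3];
        size_t n;

        if (cp < 0x80) {
            buf[0] = (unsigned char)cp;
            n = 1;
        } else if (cp < 0x800) {
            buf[0] = (unsigned char)(0xC0 | (cp >> 6));
            buf[1] = (unsigned char)(0x80 | (cp & 0x3F));
            n = 2;
        } else {
            buf[0] = (unsigned char)(0xE0 | (cp >> 12));
            buf[1] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
            buf[2] = (unsigned char)(0x80 | (cp & 0x3F));
            n = 3;
        }
        if (o + n + 1 > outlen)      /* keep room for the NUL */
            return -1;
        memcpy(out + o, buf, n);
        o += n;
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* "Domänen-Admins" in CP850 (0x84 is ä): constructed sample input */
    const char dos_name[] = "Dom\x84nen-Admins";
    char utf8[64];
    char tight[15];   /* holds the 14 CP850 bytes plus NUL, not the UTF-8 */
    int len = dos_to_utf8_bounded(dos_name, utf8, sizeof utf8);

    printf("%d bytes: %s\n", len, utf8);
    printf("tight buffer: %d\n", dos_to_utf8_bounded(dos_name, tight, sizeof tight));
    return 0;
}
```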





Re: User Manager for Domains / RAS callback problem

2002-04-25 Thread Guenther Deschner

hi,

at least with samba3-alpha15 it was possible to use usermgr and to change
almost any values without error-message. user specific attributes were
stored correctly with ldapsam-backend as long as group.mapping was
done properly.

unfortunately usermgr broke again with alpha17 (and current CVS), because
SAMR_R_QUERY_SEC_OBJ fails :( 
i could not clearly find the cause, but i suspect recent changes of
the NT-security-descriptor-code.

maybe you try an earlier samba3-tarball.

hth,
guenther



On Thu, Apr 25, 2002 at 12:15:51PM -0400, Alex Keahan wrote:
> I have a Samba (post-2.2.3) domain controller and a Win2K RAS server.   I want users to be able to log in to the Win2K box (RAS), get authenticated against the Samba PDC, and called back by the RAS server.
> 
> Unfortunately, the only way to assign a callback number to a domain user is through the "User Manager for Domains", which was written for Windows NT.   I don't have any NT servers around, but I have copied the usrmgr files from another NT server, and it seems to run perfectly under Win2K.
> 
> There are two problems however:
> 
> 1) When I run the UMfD as a regular user, I cannot change any user properties and get an "access denied" error
> 
> 2) When I run the UMfD as "root", I also cannot change any user properties, but this time it claims that "The group name could not be found."
> 
> According to the UMfD, the only group that the user whose properties I am trying to change belongs to is "Users".
> 
> Is there a solution to this?   Does samba support the dialin and callback properties?   If so, how can I set the callback number; otherwise, how can I help implementing it?   I am willing to reverse engineer the way NT does this, if need be.
> 
> Thanks,
> 
> AGK
> 
> 
> 

-- 
Guenther Deschner  [EMAIL PROTECTED]
SuSE Linux Solutions AG  GnuPG: 8EE11688
Berliner Str. 27  phone:  +49 (0) 30 / 430944778
D-13507 Berlin   fax:  +49 (0) 30 / 43732804


