spam - was Re: [unprintable]
I sent a request to the list administrator late last week to find out if non-subscribers from the few domains that are sending this junk could be selectively blocked. Many mail administrators are reportedly blocking almost all Korean and Chinese address ranges because of the recent increase in this spew.

-John
[EMAIL PROTECTED]
Personal Opinion Only

> On Tue, 09 Apr 2002 08:17:17 -0400
> David Collier-Brown <[EMAIL PROTECTED]> wrote:
>
> > Hmmn, methinks we need a better spam filter...
> >
> > --dave
Re: [Samba] WinNT offline file attribute
Shirish Kalele wrote:
>
> As I understood it (and I could be wrong), indicating offline wasn't
> a problem, the problem was finding out if a file was offline. I'm
> sure Damir could code up a custom fix to make Samba do it (using
> ioctl's or whatever) and distribute the fix as his patch. But I
> don't see how there could be a generic fix. I remember there was
> talk of such a thing.

The other part of the problem is identifying if the version of Windows that the client is running will honor the offline bit. If it does not, then such a client would cause the entire shelved file system to be swapped in and out.

-John
[EMAIL PROTECTED]
Personal Opinion Only
Re: [Samba] WinNT offline file attribute
Shirish Kalele wrote:
> John E. Malmberg wrote:
>
>> The other part of the problem is identifying if the version of Windows
>> that the client is running will honor the offline bit.
>>
>
> How would this help? Also, how are Windows servers that support offlining
> different in this scenario?
>
> Seems like setting the bit would alleviate the problem from some of the
> clients, as opposed to all (which happens today).

If the client does not support the offline bit, then the SAMBA file server should not serve shelved files to it.

Also, has anyone verified how a Windows 2000 system (the first to admit support for the offline bit) uses this information? It might be placing expectations on the file server that SAMBA does not yet know how to meet.

-John
[EMAIL PROTECTED]
Personal Opinion Only
Re: [Samba] WinNT offline file attribute
Damir Dezeljin wrote:
>> Also has anyone verified how a Windows 2000 system (The first to admit
>> support for the offline bit) uses this information?
>
> WinNT sp6a, Win2k, WinXP, Win.Net* support the file offline attribute. The only
> thing that Windows (Explorer) does is that it doesn't try to open the file
> to get a file icon or any other data (e.g. MS Word file information).
>
> The shared folders with offline files work the same way (a client knows of
> the offline attribute set and doesn't try to open any offline file).
>
> The easiest solution will be to define an entire share (in smb.conf) to be
> offline - to export the offline file attribute for all files. This approach
> doesn't cause any overhead for calling ioctl or something similar (e.g.
> check for an offline extended attribute).

Yes, making an entire share have the shelved attribute is easy, but it does not make sure that the client will honor it.

Does Windows NT/2000 do any tests when serving shelved files, or does it just assume that the client will do the right thing?

The PRE-Microsoft shelving or HSM products used a client resident application to request files to be unshelved. The protocol of the request is proprietary to the product.

But to repeat: The SMBD process must not make files with the offline attribute visible to clients that do not support it. This means that SMBD must find out that information somehow.

Until this issue is solved, it is not safe to serve shelved files.

-John
[EMAIL PROTECTED]
Personal Opinion Only
Re: [Samba] WinNT offline file attribut
On Thu, 25 Apr 2002, Illtud Daniel wrote:
> "John E. Malmberg" wrote:
>
> > Does Windows NT/2000 do any tests when serving shelved files, or does it
> > just assume that the client will do the right thing?
>
> I have OTG's DX2000 HSM software running on NT. We can serve
> HSM'd directories with the normal windows sharing to PCs
> or SFM/MacServerIP for Mac clients. There are some issues
> with the Macs tending to want to access the icon information
> (thus fetching the files), but I'm fairly sure that the
> mac file sharing services certainly aren't aware of any offline
> attributes.

There are two ways to handle HSM: swap part of the file, or swap all of the file. If the HSM software leaves the part of the file most frequently accessed on the disk, then Windows clients may be able to access the portion of the file for its icon and be happy. This requires that the HSM software either statistically know what parts of the file are frequently accessed or make assumptions. Either way is overhead. This would make Windows files happy. I am not sure about the Macs, as they may expect a different file format, or the resource fork may be a factor.

>
> Really? I hope not! We've got ADIC engineers coming in on Monday
> to install AMASS (HSM on Solaris) on a Solaris 8 box here, and
> we've indicated to them that we'll be using samba and netatalk
> to serve the shelved directory to PCs & Macs, and they haven't
> objected. I'll call my ADIC tech contact and see if he can
> clarify.

How HSMs work is proprietary, and I have never been successful in getting information as to their algorithms, but it appears that they leave only a stub file on the real disk. How much is left is the real question. For the non-PC uses that I am familiar with, there does not seem to be much reason to leave any part of the file on the disk once it is shelved.

So that means without considering a product like SAMBA, a UNIX based HSM program would not need to contain the algorithms to just swap part of a file.

Also, if the data that has been shelved has not been overwritten on the disk, and the file is requested to be unshelved, I would expect that the HSM software would know to just use the data.

The question that none of the Windows based HSM vendors would give me an answer on was: Is there any way to make sure that a copy of all files shelved and unshelved exists on the storage robot, and how do I restore things when the real disk fails. I would think that question should be easy to answer. It should be possible to get close to a current restore by putting in a new disk, and letting the HSM restore the files as needed with a minimal number of commands.

> I'll be trying samba (and netatalk) on a HSM'd volume on Monday, so
> I should be able to report back, if there's interest.

I am sure that there is interest. Because of the caching issue, unless you have enough files so that they all do not fit on the disk, you may not notice a performance problem.

-John
[EMAIL PROTECTED]
Personal Opinion Only
Re: [Samba] WinNT offline file attribute
Damir Dezeljin wrote:
> John Malmberg wrote:
>> The SMBD process must not make files with the offline attribute
>> visible to clients that do not support it. This means that SMBD
>> must find out that information somehow.
>
> No. This isn't correct. It is the HSM product's thing to trigger
> read/open/write events and then it can put processes (threads) which
> access files to sleep - the HSM product must implement a kernel module
> that has to trigger open,... events. A client that doesn't know
> anything about offline attributes just tries to open files to get file
> icons.

That is exactly the problem. The Windows Explorer on the older platforms will try to open files that are shelved. That will bog down the shelving system.

> This is the second problem, because the WinNT LANMAN server has a pool
> of processes and every connection to a LANMAN server gets its own
> thread. This behaviour has its benefits - you can block an
> individual connection to the LANMAN server whilst the second instance
> of Windows Explorer on the same client can still browse the share (it
> got its own thread) - samba assigns 1 thread to 1 client accessing a
> single share - this causes that if the thread is put to sleep,
> Windows "hangs" until the thread is woken up (you can't start any
> other Windows Explorer, nor can you use a Windows Explorer which
> is already started) - the workaround is that you can close the tree
> browsing window in Windows Explorer and you can browse only the
> current folder.
>

I do not understand how any of this logic is relevant to the problem. The reason that the Windows client causes a shelved file to be inadvertently opened is not important. The number of threads involved is not important to the problem either. SAMBA's being single threaded per process is a totally different issue than the shelved attribute.

I can reproduce the problems that you are mentioning simply by putting a CD-ROM changer on a Windows NT system. No network involved at all. If one Explorer window has to wait for the CD-ROMs to switch, all Explorer windows will freeze until it is done.

-John
[EMAIL PROTECTED]
Personal Opinion Only
Re: [Samba] WinNT offline file attribut
Illtud Daniel wrote:
> "John E. Malmberg" wrote:
>
>> On Thu, 25 Apr 2002, Illtud Daniel wrote:
>
>
>> The question that none of the Windows based HSM vendors would give
>> me an answer on was: Is there any way to make sure that a copy of
>> all files shelved and unshelved exists on the storage robot, and
>> how do I restore things when the real disk fails. I would think
>> that question should be easy to answer.
>
> Now I'm confused. It may be because that before coming to this
> thread my HSM terminology was different to yours. I use 'migrated'
> for when a file is written to tape (or optical, whatever), 'fetched'
> for getting it back and writing it to the stub file, 'purged' for
> removing the file from the extended volume and replacing it with a
> stub file. You purge only migrated files (for obvious reasons), and
> a file open on the stub will trigger a fetch.

Ok, your terms are more precise than mine.

> To answer your questions with regard to OTG DX2000: How do you know
> that a copy of all files shelved exists on the robot? Assuming you
> mean 'shelved' to be 'migrated & purged' and 'unshelved' to mean
> 'migrated but not purged', then you don't know, you trust. You can
> run tape reports to list what's on each tape, but bugs
> notwithstanding, if a file's been migrated, then it should be on the
> tapes. DX can backup its internal database (stub file -> tape
> location) to file which you can stick somewhere safe. In event of
> disaster, you can rebuild the stubs by just restoring from this file.
> You can read about this on OTG's website:
> http://www.otg.com/KnowledgeBase/default.htm try 'dxdrivedump.exe' -
> that knowledge base will give you a lot of info on how DX does stuff.

Yes, I would want to make sure that all files exist on a tape after they have been in existence for a period of time. HSM software should be doing disk space management in the background, not necessarily shelving and purging files on demand.

HSM directories are by nature usually read only archives, so the HSM software should be able to migrate but not purge in the background, so that if it needs free space in a hurry, it does not have to do a migrate and purge to get it.

>>
>> I am sure that there is interest. Because of the caching issue,
>> unless you have enough files so that they all do not fit on the
>> disk, you may not notice a performance problem.
>
> :) We'll force them to tape, don't worry! The disk is 1.44TB, so yes,
> we'll have a job filling it, but you can set policies to ensure that
> migrating starts when your disk reaches 0.01% full, or to migrate as
> soon as a file appears on the volume, and to force a purge (stubify)
> of all files.

Yes, you can force a purge, but if the HSM software is smart, it will do anything it can to avoid going to the robot to retrieve a file, so even if it claims to have replaced a file with a stub, the file may still be resident on the disk. So when a file is opened, the HSM software just swaps the stub with the actual file that is still on the disk, because the migration process did not really delete the file. So unless you cause the HSM software to overwrite the files that had been "purged", you will not see the performance impact.

Virtual memory works the same way. When my process is over its quota, some pages get moved from my address space and put on the free or modified lists to be used by other processes. If my process accesses those pages, and the page is still on the free list or the modified list, I get the same page back instead of having to go to the disk and wait for it.

> By the way, we're moving to ADIC's AMASS because we've had problems
> with DX2000 which have never been resolved (including loss of
> hundreds of gigs of content, which isn't fun). An open HSM solution
> would be a godsend.

Unfortunately the number of users that need an HSM system is small, and with the size of hard drives shrinking fast, getting smaller. The cost of the robot hardware is the gating factor. Now, using a gzip archive instead of a robot may make it more economically feasible.

-John
[EMAIL PROTECTED]
Personal Opinion Only
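The migrate / purge / fetch vocabulary from the two messages above, together with the point that a "purged" file can still be physically on the disk until its blocks are reused (and so a stub open may never touch the robot), can be made concrete with a small model. The following Python is an added example written for this page; it is not the code of DX2000, AMASS or any other HSM product, and its policies (lingering purged data reclaimed oldest first, stubs rebuilt from the tape catalogue after a disk loss, sizes in abstract blocks) are assumptions chosen to illustrate the discussion.

```python
from collections import OrderedDict


class HsmVolume:
    """Toy model of an HSM-managed disk backed by a tape robot.

    Added example for this page, not any product's code. Terms follow the
    thread: 'migrate' copies a file to tape, 'purge' replaces the on-disk
    copy with a stub (only migrated files may be purged), and opening a
    stub triggers a 'fetch'. The twist modelled is the one discussed above:
    purged data lingers on disk until the space is actually reused, so a
    fetch may be satisfied without touching the robot.
    """

    def __init__(self, capacity):
        self.capacity = capacity         # disk blocks available (assumed unit)
        self.files = {}                  # name -> {"size": int, "state": str}
        self.tape = {}                   # name -> size of the copy on the robot
        self.lingering = OrderedDict()   # purged names whose data is still on disk
        self.robot_fetches = 0           # how often the robot really had to be used

    def free(self):
        """Free blocks; lingering purged data still occupies its blocks."""
        live = sum(f["size"] for f in self.files.values() if f["state"] != "purged")
        lingering = sum(self.files[n]["size"] for n in self.lingering)
        return self.capacity - live - lingering

    def reclaim(self, needed):
        """Overwrite lingering purged data, oldest first, until `needed` blocks are free."""
        while self.free() < needed and self.lingering:
            self.lingering.popitem(last=False)
        if self.free() < needed:
            raise RuntimeError("volume full: %d blocks needed" % needed)

    def write(self, name, size):
        """Create (or overwrite) a file; it is resident only, not yet on tape."""
        self.lingering.pop(name, None)   # old stub data, if any, is gone
        self.files.pop(name, None)
        self.tape.pop(name, None)        # any tape copy is now stale
        self.reclaim(size)
        self.files[name] = {"size": size, "state": "resident"}

    def migrate(self, name):
        """Background copy to tape; the on-disk copy stays usable."""
        f = self.files[name]
        if f["state"] == "resident":
            self.tape[name] = f["size"]
            f["state"] = "migrated"

    def purge(self, name):
        """Replace the disk copy with a stub; the data lingers until reclaimed."""
        f = self.files[name]
        if f["state"] != "migrated":
            raise ValueError("only migrated files can be purged: " + name)
        f["state"] = "purged"
        self.lingering[name] = True

    def open(self, name):
        """Open a file; returns 'disk' or 'tape' depending on where the data came from."""
        f = self.files[name]
        if f["state"] != "purged":
            return "disk"
        if name in self.lingering:
            del self.lingering[name]     # data never left the disk: no robot access
            f["state"] = "migrated"
            return "disk"
        self.reclaim(f["size"])          # make room, then fetch from the robot
        self.robot_fetches += 1
        f["state"] = "migrated"
        return "tape"

    def lose_disk(self):
        """Simulate the real disk failing: stubs and lingering data are gone."""
        self.files = {}
        self.lingering = OrderedDict()

    def rebuild_stubs(self):
        """Recreate stubs from the tape catalogue after a disk loss."""
        for name, size in self.tape.items():
            self.files[name] = {"size": size, "state": "purged"}
        return sorted(self.files)


def demo():
    """Walk through the scenario from the thread; returns where each open was served from."""
    vol = HsmVolume(capacity=100)
    vol.write("scene.dat", 60)
    vol.migrate("scene.dat")
    vol.purge("scene.dat")
    first = vol.open("scene.dat")        # 'disk': the purge left the data in place
    vol.purge("scene.dat")
    vol.write("other.dat", 60)           # forces the purged data to be overwritten
    vol.migrate("other.dat")
    vol.purge("other.dat")
    second = vol.open("scene.dat")       # 'tape': now the robot is really needed
    return first, second, vol.robot_fetches


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the behaviour the thread argues about: the first open of a purged file is served from disk with no robot activity at all, and only after enough new data has overwritten the lingering blocks does a fetch go to tape. `lose_disk()` followed by `rebuild_stubs()` is the "restore the stubs from the database backup" recovery Illtud describes, after which every open is a real fetch.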
Re: Please unsubscribe me from the mailing list
The unsubscribe information for the Samba Technical list is contained in every message.

Do not ever follow the unsubscribe information from spam. It will only cause more spam to be sent to you.

-John
[EMAIL PROTECTED]
Personal Opinion Only

Suhasini Rao wrote:
> Please unsubscribe.
Attachments - Re: [PATCH] winbind id assignment module
Andrew Bartlett wrote:
> Mike Gerdts wrote:
>
>> I am confused on list etiquette... I thought that samba-technical was
>> one that everyone complained about attachments 'cause it screwed up the
>> -digest version.
>
> They complain about binary attachments, and html mail. Patches haven't
> caused an issue as far as I know. Works best if you can convince your
> mailer to attach it (as yours did) in a 'text/...' format, as then it
> doesn't get encoded etc.

Mozilla .99 is not handling the last attachment well, but that is its problem. It is continuously trying to reformat it to fit the preview window.

One of the problems with attachments is that many e-mail clients cannot control what format the attachment is encoded with. IMHO, it is better to post inline, and send an attachment as a personal e-mail on request.

Isn't there a separate mailing list for patches? In that case, it is better to discuss the patch and its implications here, but send the patch to the appropriate patch mailing list. Users of that list are probably more likely to use a mail client that deals with attachments.

Is there a FAQ entry to point people at?

-John
[EMAIL PROTECTED]
Personal Opinion Only
Re: Pages in a printjob
> On Fri, May 24, 2002 at 02:55:58PM +0200, Wichert Akkerman wrote:
> I'm working on a system where customers have to pay for pages they
> print, and as such it is essential that I have the pagecount of
> a printjob before I send it to the printer.

This is a difficult thing to do accurately.

For plain text, it is bad, as you must take into account embedded escape sequences, which can vary widely with printers, line wraps, and normal line counts and form feeds.

For PostScript printers, the only way to get an accurate count is to query the printer at the end of the print job. And guess what? The query is printer model specific.

For graphic bit maps it may not be possible to estimate where the page breaks are.

A Microsoft Windows program can give a pagecount because it sends the print job to the Windows spooling system as metadata that is rendered by the driver. If the print job is sent as raw data to the printer, then all of this is bypassed, and the spooler has no idea how many pages are really being printed.

If you could charge by the kilobyte sent to the printer, that could probably be done accurately.

With laser printers under heavy load, the ink density of the page has a direct relationship to the rate that you go through some expensive printer supplies.

-John
[EMAIL PROTECTED]
Personal Opinion Only
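For the plain-text case the post describes, the counting rules can be written down, which also shows why they are fragile. The following Python is an added example written for this page, not code from the thread. The page geometry (66 lines by 80 columns), the escape-sequence convention (ESC followed by one byte, stripped before counting) and the treatment of a form feed on an otherwise empty page as a blank sheet are assumptions; a printer whose escape sequences or geometry differ will make the count wrong, which is the post's point.

```python
import math
import re

# Assumed convention for this example: an escape sequence is ESC followed by
# one printable byte. Real printers use many longer, model-specific sequences,
# so this is exactly where a plain-text estimate goes wrong in practice.
ESC_SEQ = re.compile(r"\x1b[\x20-\x7e]")


def physical_lines(logical_line, columns):
    """Number of printed lines a logical line occupies once it wraps."""
    return max(1, math.ceil(len(logical_line) / columns))


def estimate_pages(text, lines_per_page=66, columns=80):
    """Return (pages, physical_lines) for a plain-text print job.

    Model (assumed): a form feed ejects the current page, or a blank sheet if
    nothing has been printed on it yet; a page is ejected automatically once
    `lines_per_page` lines are on it; lines longer than `columns` wrap.
    """
    text = text.replace("\r\n", "\n")
    pages = 0
    printed = 0
    line_on_page = 0
    chunks = text.split("\f")
    for index, chunk in enumerate(chunks):
        lines = ESC_SEQ.sub("", chunk).split("\n")
        if lines[-1] == "":
            lines.pop()                  # a trailing newline opens no new line
        for logical in lines:
            for _ in range(physical_lines(logical, columns)):
                if line_on_page == lines_per_page:
                    line_on_page = 0     # page full: automatic eject
                if line_on_page == 0:
                    pages += 1           # first line lands on a fresh page
                line_on_page += 1
                printed += 1
        if index < len(chunks) - 1:      # a form feed followed this chunk
            if line_on_page == 0:
                pages += 1               # form feed on an empty page: blank sheet
            line_on_page = 0
    return pages, printed


if __name__ == "__main__":
    # Constructed sample job: a bold-on escape, one wrapped line, two form feeds.
    job = "\x1bEInvoice\n" + "x" * 100 + "\n\f" + "\n" * 70 + "\f"
    print(estimate_pages(job))
```

Each of the three rules changes the answer on its own: the escape bytes would push an 80-column line into a wrap if they were counted, a double form feed costs a blank sheet, and a job of 67 empty lines already spans two pages.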
tabs and formating - was Re: [PATCH] winbind id assignment module
Mike Gerdts wrote:
> On Sat, 2002-05-18 at 20:54, Andrew Bartlett wrote:
>
>> This looks *much* better.
>>
>> I'm not sure on the 'reload' functionality, but I suppose it's a good
>> idea. Other than minor things like indenting, (Try 8-space tabs) I
>> think this is well on its way to inclusion.
>
> As for spacing... I tried to follow the standard that I saw in the file
> already. I used 4 character tabs, but they should have expanded out
> OK. I thought that others were using 4 character tabs as well because
> sections of winbindd_idmap.c have tabs expanded to four characters. In
> any case, the next version that goes out will get rid of any expanded
> tabs and any necessary reformatting for prettiness will take place.

Almost all terminal emulators and printing devices assume that the tab character stops on 8 character boundaries. Some editors will locally override it. So be aware that if you have set your tab stops to 4 characters, it will probably show up as 8 characters on many systems.

Using all spaces instead of tabs solves that problem, but it really is convenient to have tabs there when using the arrow keys to navigate in a file.

There does not seem to be a style book for coding on the SAMBA project.

-John
[EMAIL PROTECTED]
Personal Opinion Only
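The drift John describes is easy to see by rendering the same lines at both tab widths, and the lines that actually misalign are the ones whose indentation mixes a tab with spaces. The following Python is an added example written for this page, not code from the thread or from the Samba tree; the C fragment is constructed to show the problem and is not from winbindd_idmap.c.

```python
# Constructed C fragment, indented the way a 4-column-tab editor shows it.
# Line 4 mixes a tab with four spaces; line 6 uses eight spaces.
SAMPLE = (
    "int f(void)\n"
    "{\n"
    "\tif (x) {\n"
    "\t    return 1;\n"
    "\t}\n"
    "        return 0;\n"
    "}\n"
)


def render(line, tab_width):
    """Show a line the way a terminal or printer with `tab_width` stops would."""
    return line.expandtabs(tab_width)


def indent_columns(source, tab_width):
    """Visual indentation column of each line at the given tab width."""
    columns = []
    for line in source.splitlines():
        shown = render(line, tab_width)
        columns.append(len(shown) - len(shown.lstrip(" ")))
    return columns


def mixed_indent_lines(source):
    """1-based numbers of lines whose leading whitespace mixes tabs and spaces.

    These are the lines that line up only at the author's tab width; at the
    8-column default assumed by most terminals and printers they drift.
    """
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        ws = line[: len(line) - len(line.lstrip(" \t"))]
        if "\t" in ws and " " in ws:
            hits.append(number)
    return hits


if __name__ == "__main__":
    for width in (4, 8):
        print("tab width", width, "->", indent_columns(SAMPLE, width))
    print("mixed tab/space indentation on lines", mixed_indent_lines(SAMPLE))
```

At 4-column stops lines 4 and 6 both sit at column 8, which is what the author saw; at the 8-column default line 4 moves to column 12 while line 6 stays at 8, so the two "second level" lines no longer agree. A pre-commit check that rejects `mixed_indent_lines()` hits avoids the problem without banning tabs.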
Re: (BRMA) Unauthorized message
Will the subscriber(s) that use the transgil.com.br mail server please get the settings fixed not to report virus warnings to mailing lists?

Virus auto-responders should never give warnings to mail received from outside of the company. The headers are usually forged, so the warnings are useless.

-John
[EMAIL PROTECTED]
Personal Opinion Only

[EMAIL PROTECTED] wrote:
> Unauthorized message
>
> Virus found in outgoing e-mail
Re: archive bit in xattr possible/exist?
David Orman wrote:
> I know it is possible to use "map archive" to keep track of archive
> bits, but this is not very useful if you have real UNIX users. I.e. I
> can't have samba arbitrarily playing with the execute bits.
>
> Does anyone know of any attempted implementation of archive bits through
> extended attributes? This would probably need a VFS layer, to get and
> set them appropriately.

Samba 2.0.6 for OpenVMS.

> If no one has looked into this is there a better/different way of
> tracking archive bits?

Tracking the bit to meaningfully give the state is operating system dependent, and may even depend on optional backup products installed.

OpenVMS has the last recorded backup date as an attribute for the file, so SAMBA 2.0.6 for OpenVMS has it implemented as an O.S. specific hack to report the backup state of the file.

At this time, SAMBA 2.0.6 for OpenVMS does not allow the client to manipulate the backup date, as there is no public A.P.I. to do it.

A VFS layer may be a way to do this.

-John
[EMAIL PROTECTED]
Personal Opinion Only
Re: What is the case for preserving case under Samba ...
Jay Ts wrote:
>
> You mean, you want case-sensitive clients to receive preserve-cased
> filenames, and non-case-sensitive clients to receive default-cased
> filenames ... correct?
>
> That is, there are:
>
> - local Unix processes, on the Samba host, and ...
> - NFS clients, which "want" the case to be preserved.
> - SMB/CIFS (and other) clients, which do not care about case

- Non UNIX SAMBA hosts on case insensitive file systems.

>
> and that the idea here is to provide each with what works best for them.

-John
[EMAIL PROTECTED]
Personal Opinion Only
Re: Two diffs to add paramater self-checking
Gerald Carter wrote:
> On Sun, 21 Jul 2002, Andrew Bartlett wrote:
>
>> To restate: "unix password sync = yes" and "encrypt passwords = no" is
>> a valid combination.
>
> OK. I'll bite. This might work for NT clients, but it won't for win9x
> right. Since we have upper cased passwords, there's no way of knowing
> what the user intended the password to be (for the old and new passwords).

Not a problem on OpenVMS implementations. The password is not case sensitive.

-John
[EMAIL PROTECTED]
Personal Opinion Only
Re: multiple nmbd claiming the same netbios name?
Simo Sorce wrote:
> it is simply not possible that multiple nmbd have the same name
> netbios dictates that a machine has to defend its name and if
> everything works correctly only one machine (or better said ethernet
> interface) should have a name.

I am not sure of the mechanism, but it is possible for multiple machines to share a netbios alias, in addition to their own name. The Advanced Server (Pathworks) product for OpenVMS has that capability and does not require special clients to take advantage of this.

-John
[EMAIL PROTECTED]
Personal Opinion Only
Re: WANTED: defaults for 'panic action' for various systems
Andrew Bartlett wrote:
> I've added support to Samba so that its stderr is always redirected to
> its logfile.
>
> I'm hoping that this will allow us to create a default for 'panic
> action' that can get users the debugging information they need when
> smbd crashes. In particular, it could give us vital clues in some of
> the unreproducible crashes we get from time to time.
>
> So, the challenge is out: Provide a patch that implements a configure
> test to find the appropriate debugger, invokes it in a secure way and
> outputs its work to stderr. From there it will end up in the currently
> open logfile.

Please provide an option to simply not intercept the signals that cause a panic.

The SAMBA signal handler is interfering with platforms like OpenVMS that have a built in "panic action" handler. When you intercept a fatal signal, instead of getting a stack dump like you want to provide, I get a stack dump telling me that SAMBA deliberately exited from the signal handler, and I do not get much in the way of a clue as to why the signal handler was invoked.

Since I cannot run the configure scripts, it makes it easier for me if the default action is to assume that the operating system has a "panic action" handler that will produce a traceback dump.

-John
[EMAIL PROTECTED]
Personal Opinion Only
Nigerian 419 scam - Re: (no subject)
Ernst Cozijnsen wrote:
> I thought open-source was a non profit thing?. hehehehe

Please do not repost spam!

As funny as this scam may sound, this scam is run by organized crime, and some of the perpetrators are known to be murderers and worse.

This is known as a Nigerian 419 scam, and most countries have task forces that want to be notified about these e-mails.

If the scammer receives a traceable e-mail, they will use that information to steal the identity of the person. The money scam mentioned in the spam is only a small part of the scam.

In addition to financial loss, you risk life and limb for you or your family if you correspond with anyone associated with this scam.

-John
[EMAIL PROTECTED]
Personal Opinion Only
"case sensitive" parameter - was Re: Any help would be greatly appreciated...
Tim Potter wrote:
> On Thu, Aug 15, 2002 at 12:29:32AM -0500, Gerald (Jerry) Carter wrote:
>
> Can't we get rid of the case sensitive option? It just seems to cause
> people lots of unnecessary pain.

Strangely enough, having "case_sensitive = yes" makes SAMBA more responsive for case insensitive file systems.

It probably would be better to have SAMBA allow the VFS level to do the file name matching, so that it can be tailored to the file system.

The OpenVMS file API that is eventually called by readdir() accepts a wildcard mask. So if a vfs_wild_readdir() existed, it would do the wildcard matching, and the wildcard file lookup could be optimized to the file system.

-John
[EMAIL PROTECTED]
Personal Opinion Only
Re: Samba for VMS
Richard Sharpe wrote:
>
> I notice that the latest Samba for VMS (2.2.4) says that it requires
> TCP/IP Services for OpenVMS (possibly means the old UCX).
>
> The older version of Samba for VMS was able to work with several other
> TCP/IP packages, esp those with UCX emulation.

In reality only those with UCX emulation. SAMBA actually just uses the standard socket library, and on OpenVMS the standard socket library uses the equivalent of dlsymbol() to pull in the actual TCP/IP routines.

> Does anyone know if the current version can work with other versions as
> well? Like Multinet, TCPWARE, etc

While it would require a formal test to ensure compliance, Multinet and TCPWARE provide the HP/Compaq TCPIP API and try to maintain binary compatibility.

The author of the 2.2.4 port has not volunteered much information on their port to the samba-vms mailing list other than an FTP location. I have not had a chance to look over the source.

-John
[EMAIL PROTECTED]
Personal Opinion Only
Re: load balancing question
Stephan Stapel wrote:
> Dear people on the list!
>
> I hope it's ok to ask a feature question on this core-feature list.
> What I would like to know is whether there are some efforts on
> implementing load balancing features into samba or some experiences/
> experiments in this area. As standard-Windows doesn't offer these
> features, adding them would give samba-based systems yet another
> (very big) advantage over a standard nt server system. Just that you
> know why I'm asking for this. We have the problem to serve 3d scenes
> as well as image data to about 100 render nodes running under Windows
> NT. When starting to render, all machines are asking at exactly the
> same time for exactly the same data, which might be about 500
> megabytes per machine. Action like this results in a server load of
> about 30-50 which isn't really satisfactory...

Load balancing can be implemented without making any changes to Samba, and has been. Load balancing on TCP/IP generally requires having a "metric" server on each host that feeds information to a DNS that understands how to round robin connection requests.

The next issue that you run into is simultaneous access to the disks. Since this is read only data, you could replicate it before the rendering, but I am guessing that there is some reason that you are not replicating the data.

If your platform allows simultaneous access to disks, then the load broker should be sufficient. If not, then you need to do more research.

If you do not have multiple hosts sharing simultaneous access to the disks, then there probably is not much to gain by load sharing them from multiple servers, as only one host will really be doing all of the work. But again, there is nothing in Samba that prevents using existing load sharing techniques, if the underlying platform supports it.

Now a server load of 30-50 to a machine is not excessive to some classes of machines, and if they are really all hitting the same data, then file system caching will help. Many of the systems my employer sells can handle that type of load easily; they also support simultaneous disk access from multiple hosts.

What actually would help more is a custom protocol that used multicast packets, which would reduce the total amount of network traffic.

-John
[EMAIL PROTECTED]
Personal Opinion Only
Re: load balancing question
Javid Abdul-AJAVID1 wrote:
> MSDFS is a file system right, how will it help to load balance samba
> connections
> what criteria does it rely on to load balance ( like memory, or no of
> connections etc.. )

MSDFS does not really load balance. MSDFS distributes the subdirectories of a directory between multiple servers transparently to the clients.

So if each of your clients is accessing different files from different directories, then MSDFS can improve your performance.

If all the clients are accessing the same files in the same directory, then you will need to either get a large enough single server, or you will need a file system that supports multiple hosts with a direct connection and concurrent access to the disks. This is not really a SAMBA issue, because if the underlying filesystem and hosts support this, then SAMBA will work transparently. I have received reports of SAMBA 1.19.x being used on a shared disk access OpenVMS cluster.

There are also commercial LANMAN servers for some of these platforms, including those of my employer, that run as a single process instead of the multiple process model of SAMBA. I do not know of any competitive benchmarks between the commercial LANMAN servers and SAMBA. Such benchmarks could be difficult to instrument properly, and are highly dependent on the skill of the system administrator for each system, and the quality of the compilers for that platform.

So it really depends on the specific client load as to what the best solution for you would be. It may require more detailed engineering than could be done in a mailing list.

The multiple SAMBA processes may not be the bottleneck for your proposed process. If the platform knows how to share the code segment in memory, and the disks have good caching, the overhead for the processes may not be significant.

-John
[EMAIL PROTECTED]
Personal Opinion Only
Re: load balancing question
Richard Sharpe wrote:
> On Tue, 8 Oct 2002, René Nieuwenhuizen wrote:
>
>> Richard Sharpe wrote:
>>
>>
>>> On Mon, 7 Oct 2002, John E. Malmberg wrote:
>>>
>>>> Javid Abdul-AJAVID1 wrote:
>>>>
>>>>> MSDFS is a file system right, how will it help to load balance samba
>>>>> connections
>>>>>
>>>> MSDFS does not really load balance. MSDFS distributes the
>>>> subdirectories of a directory between multiple servers transparently to
>>>> the clients.
>>>>
>> Wouldn't it be easy to run a script on the msdfs-root that monitors the
>> load on different machines and that recreates the referrals based on
>> this load.
>
> Sure, but it seems better to defer the re-ordering of the referrals until
> someone asks :-) That's what we plan to do, and then try to do policy
> based stuff, like if this machine has more capacity currently, hand out it
> at the top of the list, and order them by power as well, like P4s before
> PIIIs etc.

In order for that to work the underlying cluster file system must support simultaneous access from the multiple hosts. If you have that, then you do not need to deal with the MSDFS feature.

If you do not have that, then you cannot load balance between servers, unless you completely replicate all of the data. And that will only help if all the access is read only.

There are only a limited number of Operating Systems / File Systems that support simultaneous shared access from multiple hosts, like OpenVMS clusters do. And I am not aware of any of them that will support the number of hosts or the distance that OpenVMS does.

Most of the systems on UNIX use a primary / secondary relationship where only one host is ever directly accessing the filesystems, and the other hosts are using a network type interconnection to access the files. These primary / secondary systems are good for fail-over cases, but not load balancing. Any file access from a secondary is much slower and more resource intensive than access from the primary.

Also, switching the file serving from the primary to a secondary is not a cost free operation. So redirecting clients to a secondary server usually will mean that the data must travel on the wire twice, unless the secondary server has a good caching mechanism.

So it all comes down to what the underlying platform supports for shared simultaneous disk access. Or finding out the exact requirements for the project to see what all the options are.

-John
[EMAIL PROTECTED]
Personal Opinion Only
Re: load balancing question
Volker Lendecke wrote:
> On Tue, Oct 08, 2002 at 07:29:44AM -0400, John E. Malmberg wrote:
>
>> So it all comes down to what the underlying platform supports for shared
>> simultaneous disk access.
>
> Even that will not help. Load Balancing SMB will not work due to the locking
> stuff across connections. If you could get tdb's work (fast!) across nodes,
> then we might have a chance.

Why would the TDBs not work if they were located on storage actively shared between all of the hosts? All the hosts would be reading and updating the information in the same tdb.

-John [EMAIL PROTECTED] Personal Opinion Only
Re: load balancing question
To clear up some confusion in this thread.

A DFS will only help distribute the load if the clients are accessing files in different directories.

    \\host\share\dir1\ would be served by host_1
    \\host\share\dir2\ would be served by host_2
    \\host\share\dir3\ would be served by host_3

If all the clients are reading the same file, say in \\host\share\dir1\, then using the DFS does not help at all. All the requests will be handled by host_1.

If you have a fail-over disk system that is common to the three hosts, then dir1, dir2, dir3 can be moved from one host to another as needed, but the move is time consuming, and still one host at a time.

In a shared access disk system such as in an OpenVMS cluster, you have the following:

    \\host\share\dir1\ would be served by host_1, host_2, and host_3, ...
    \\host\share\dir2\ would be served by host_1, host_2, and host_3, ...
    \\host\share\dir3\ would be served by host_1, host_2, and host_3, ...

With an I.P. alias, clients can be connected to any host and still have access. This will load share. And DFS has no involvement in the scheme, and provides no advantage.

DFS only helps if the clients are reading files out of different directories, which is not how I am interpreting the information in the post that started this thread.

DFS can be enhanced to allow a better fail over mechanism for the platforms that do not support simultaneous access to a common disk. But that is not load balancing. All clients accessing the same directory are either all on the same host, or one host will have direct access, and the rest will be taking a second indirect path through the network.

Locking is an issue. Samba 2.0.6 for OpenVMS uses file system locking, and the slower share locking. I am not sure about the 2.2.4 port.

-John [EMAIL PROTECTED] Personal Opinion Only
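The two scenarios in the post above, as an added illustration that is not code from the list or from Samba: a small model of DFS referral resolution (longest matching link prefix, the way a client walks a referral) against a cluster behind one IP alias where every host can serve every path. The link table, host names and the two request traces are constructed for the example.

```python
"""Model of how MS-DFS referrals distribute SMB requests between hosts.

Added example, not from the samba mailing list posts. The DFS namespace,
host names and request traces below are constructed.
"""
from collections import Counter
from itertools import cycle

# Constructed DFS namespace: each link under \\host\share maps to the
# server(s) holding that subtree, as in the post.
DFS_LINKS = {
    r"\host\share\dir1": ["host_1"],
    r"\host\share\dir2": ["host_2"],
    r"\host\share\dir3": ["host_3"],
}

CLUSTER_HOSTS = ["host_1", "host_2", "host_3"]


def _norm(path):
    """Strip leading/trailing backslashes and fold case for comparison."""
    return path.strip("\\").lower()


def resolve_dfs(path, links=DFS_LINKS):
    """Return the server that serves `path` under DFS: the link with the
    longest prefix matching the path wins. None if no link covers it."""
    p = _norm(path)
    best = None
    for link, servers in links.items():
        l = _norm(link)
        if p == l or p.startswith(l + "\\"):
            if best is None or len(l) > len(best[0]):
                best = (l, servers[0])
    return best[1] if best else None


def dfs_load(requests, links=DFS_LINKS):
    """Requests per host when clients follow DFS referrals."""
    return dict(Counter(resolve_dfs(r, links) for r in requests))


def alias_load(requests, hosts=CLUSTER_HOSTS):
    """Requests per host on a shared-disk cluster behind one IP alias:
    every host can serve every path, so connections simply rotate."""
    rr = cycle(hosts)
    return dict(Counter(next(rr) for _ in requests))


# Constructed traces: everyone hammering one directory, and a spread.
SAME_DIR = [r"\\host\share\dir1\data.dat"] * 6
SPREAD = [r"\\host\share\dir1\a", r"\\host\share\dir2\b",
          r"\\host\share\dir3\c"] * 2

if __name__ == "__main__":
    print("DFS, all in dir1:   ", dfs_load(SAME_DIR))     # all on host_1
    print("alias, all in dir1: ", alias_load(SAME_DIR))   # spread evenly
    print("DFS, spread:        ", dfs_load(SPREAD))       # spread evenly
```

With every request under dir1, the DFS table sends all six to host_1, while the aliased cluster hands two to each host; only when the trace itself is spread across dir1, dir2 and dir3 does DFS distribute anything.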
Re: load balancing question
Javid Abdul-AJAVID1 wrote:
> Why don't we choose a mechanism to connect to the host itself
> like static dns round robin, each connection will be round robin'ed'
> or some dynamic round robin utilities

Well, you are the only one that really knows the requirements of your application. You seem to be asking more questions each time, without giving us any more detail on what you really need to be done.

So far though you have not offered any insights to us on the data patterns of the clients to determine if the load can be distributed. Without that information from you, it is not possible to make any recommendations.

Are all of the files in the same directory? Your first post implied that they were, but most of the solutions that you seem to want to look at are not compatible with that assumption.

Are the clients all accessing the same files? Same as above.

Are the clients modifying the files? And then referencing the modified files?

How often is the server updating the files?

You have not indicated the platform for the servers, or anything that really allows any estimation about how much data is being moved. We do not know how fault tolerant the application needs to be, or how much downtime costs.

We also do not know what you are wanting to use as a host for the SAMBA server. Some hosts and filesystems allow you to transparently distribute the load under all conditions. Other hosts and file systems will only allow you to distribute the load if your application meets certain requirements.

We must assume that the clients must be running Microsoft Windows, as if they were running a different operating system, there are other file sharing systems that could be used.

All of these factors are important to know, and maybe a few others. And unless we have the answers to those questions, there is no way that any of us can know if the advice we are giving is applicable.

We do not even know if your application would even tax a single host running SAMBA, or if SAMBA is even a good fit for what you need to do.

-John [EMAIL PROTECTED] Personal Opinion Only
Re: load balancing question
Javid Abdul-AJAVID1 wrote:
> I didn't start this thread, I was just suggesting LSF as a good load balancing
> technique for samba

Please pardon my confusion.

> But you have raised valid questions for the person who started this.
> thanks

It seems the gating factor for any type of performance in SAMBA may be getting the locking working. Currently it is a tdb, but it may need to be a part of a VFS plug in so that a platform can optimize it.

-John [EMAIL PROTECTED] Personal Opinion Only
Re: why doesn't the kernel enforce oplocks? (was: Re: [Samba] Re:How Samba let us down)
Ben Johnson wrote:
> I guess what I am thinking about is how difficult it seems to be for programs to actually cooperate with one another well enough to avoid corrupting files. I know from experience that using flock() effectively for making anything trustworthy that's more complicated than creating lock files can be very difficult if not impossible.
>
> A kernel supported api for locking files (maybe with timeouts and mutex values) that actually enforced the file locks, instead of relying on applications to be friendly to one another might (I think would) make programming some user space apps a lot easier. Samba could take advantage of such an api to make oplocks safe even when the files in the filesystem are being accessed and modified by other applications on the system. It could also leverage such an api to help poorly written Windows applications from corrupting their own files.

Samba 2.0.6 does use kernel supported file locks on OpenVMS. Lock files are not used. I have not checked the 2.2.4 port to OpenVMS to see if they incorporated this.

The issue is support in the host platform, not in SAMBA. There is nothing that Samba can do to change this behavior. If you are using an Open Source operating system, you can change its method of locking.

-John [EMAIL PROTECTED] Personal Opinion Only
Re: RPC message service?
Gareth Davies wrote:
> ----- Original Message -----
> From: "Christopher R. Hertel" <[EMAIL PROTECTED]>
>
>> A curious article:
>>
>> http://www.wired.com/news/technology/0,1282,55795,00.html
>>
>> It says that the Messenger Service Spammers are using port 135, which
>> means that they're not using regular WinPOPUP stuff (the <03> names on
>> port 139). I do, in fact, see connect attempts to port 135 in my home
>> firewall logs. (I think they should be called slimewalls.)

When it is coming from any major U.S. ISP, a copy of the firewall logs, along with the time and timezone e-mailed to the abuse@ and the security@ seems to stop it for a while.

>> I'm guessing that they're doing something RPC-related that has, basically,
>> the same effect. I'm just curious to know what it is...
>
> They are using Windows messenger.. net send "message goes here"

It looks like the author of the spamware issued a press release and conned a bunch of reporters into giving them free advertising.

I have not followed the latest link, but they are hawking the spamware for between $300 U.S.D. and $700 a copy. There was also a report that someone was offering $2000 U.S.D. for a program to send such spam.

Here is a great opportunity for Samba Developers, especially published authors, to get their name in print while delivering a clue to these reporters about what the real story is.

-John [EMAIL PROTECTED] Personal Opinion Only
Re: ldap_nua requires guest exist and have rid 501?
Andrew Bartlett wrote:
> Because the Guest account is a 'well known' account, and as such should
> have a fixed RID. This is enforced via the passdb backend because to do
> otherwise would have nasty consequences when mapping back and forth
> between uids and RIDs. (We are working hard to ensure that there is only
> one point at which uids and RIDs are mapped, and currently this is in the
> passdb.)

On a related note, does SAMBA still use the guest account in place of the (unknown) internal user for enumerating shares?

An NT client can not browse a SAMBA server with the guest account disabled, but having a guest account enabled is not required on an NT account to do the same thing.

-John [EMAIL PROTECTED] Personal Opinion Only
Re: ldap_nua requires guest exist and have rid 501?
Andrew Bartlett wrote:
> On Tue, 2002-11-12 at 13:16, John E. Malmberg wrote:
>
>> On a related note, does SAMBA still use the guest account in place of the
>> (unknown) internal user for enumerating shares?
>>
>> An NT client can not browse a SAMBA server with the guest account
>> disabled, but having a guest account enabled is not required on an NT
>> account to do the same thing.
>
> A Samba server must have a guest account, and (now) it must have RID 501.
>
> I'm not sure the guest account is 'disabled' on NT, it is just that the
> groups it is given membership of changes. IE on NT, the restrictanonymous
> setting can remove 'guest' from domain users, and 'everyone'.

The GUEST account can definitely be disabled on an NT workstation. You can not access shares through it when it is disabled, yet browsing works. You can enable it and then access shares through the guest account.

SAMBA should work the same way, but does not. This puts a minor security hole in SAMBA that is not present in Microsoft Windows NT.

Microsoft advises that the guest account be disabled if you are concerned about security, and on NT Servers it is disabled by default.

-John [EMAIL PROTECTED] Personal Opinion Only
Re: ldap_nua requires guest exist and have rid 501?
Andrew Bartlett wrote:
> In Samba, access by the guest user is determined per-share, so I'm not
> sure exactly what you mean here.

The NT behavior is that if the guest account is enabled, then if any shares have the "everyone" group associated with them, then the shares can be accessed from any LANMAN client on the network. The security log will log that the guest account was used to access the account. And the "everyone" group includes anyone on the network, not just the workgroup or the domain.

If you set the disable flag for the guest account, then none of the shares will be accessible unless the user belongs to a group that is otherwise allowed access to the share.

The exception is getting the browse list. This still works even if the guest account is disabled. And the security log does not register this as a guest access.

This has bitten several OpenVMS users as they disable or do not create a guest account because they do not plan to allow "everyone" on to access their shares. It has turned out to be one of the causes of the most common problems reported.

Having the SAMBA guest account have different visible functionality than what is the visible behavior of Windows NT is going to be a continuing source of confusion.

It would be better to have a different name for the internal uses that are not directly visible, and have the guest account just be used for guest access. More politically correct and accurate.

There are many sites that have security standards that prohibit a guest account from being enabled. So while it may be technically correct that the NT "GUEST" account is used for some functions based on observations, the practice is not consistent with what Microsoft has been telling NT Administrators.

-John [EMAIL PROTECTED] Personal Opinion Only
Re: ldap_nua requires guest exist and have rid 501?
Andrew Bartlett wrote:
> On Tue, 2002-11-12 at 16:10, John E. Malmberg wrote:
>
> The exception is much more than that - all sorts of things go over IPC$,
> and they are protected by their individual ACLs. Enumerating users, all
> sorts of things. Domain logons are a particular thing that occur initially
> as guest (pipe-level authentication is done on netlogon, likewise password
> changes are as guest).

Why should I be surprised that the implementation is not consistent with what they teach at the Microsoft NT System Administration class.

>> There are many sites that have security standards that prohibit a guest
>> account from being enabled.
>
> So what does 'ident' or 'echo' or 'time' run as?

Each runs on their own non-privileged account. If the ident service gets compromised, the cracker has no access to anything else on the machine. Same with "echo" or "time". Of course this depends on the TCPIP program in use, and many of these well known services are usually not implemented.

Or even SMTP, BIND, IMAP. Even if a security hole is found in one of these, the privileges are limited. It is not usual on an OpenVMS system for TCP/IP services to run from the root account or with root privileges.

> That is the point of the guest account, Samba needs a user to become, an
> unprivileged user that cannot break the entire system if Samba were to
> accidentally allow file access, for example.
>
> So you propose having 2 accounts? We have the 'guest ok' parameter, NT
> ACLs and the 'restrict anonymous' parameter for controlling this kind of
> thing, I think adding a new smb.conf option would just break every site
> out there!

It may need to be something that is better documented especially for OpenVMS users as they appear to have a different view of account management.

I have a better understanding of this now than I did before. The guest account is not really a guest account. So it all really is a matter of the mapping between a NT security model and the host security model.

> On most other systems, we use the 'nobody' account, which already exists
> and requires no further configuration. The default configuration for 3.0
> has a 'unixsam' backend, which maps this to the 501 rid. So by default,
> this looks exactly like NT.

The NOBODY account only exists if some UNIX compatible protocols such as NFS are enabled. It can not be relied on to exist on an OpenVMS system.

>> So while it may be technically correct that the NT "GUEST" account is
>> used for some functions based on observations, the practice is not
>> consistent with what Microsoft has been telling NT Administrators.
>
> It is consistent with what occurs on the wire, and really, that's the best
> we can do.

The behaviour that I would need to implement on OpenVMS to make SMBD behave as the System Administrators expect is:

To have a SAMBA_GUEST account, but when it is used as an attempt to access a share, the SMBD server would pay attention to the "disabled" flag. When it is used for the other functions, the "disabled" flag would be ignored.

You indicate that SAMBA is using the "Guest Ok" parameter for this function. So to make OpenVMS behave as the System administrators expect, when SMBD checks the "Guest Ok" parameter on the share, the guest account also needs the "enabled" flag set.

I wonder how difficult this would be to implement.

I would like to post a summary of this thread on the SAMBA-VMS list.

I am currently trying to learn enough LINUX to NFS map my VMS development disk to a LINUX system and use RSYNC on LINUX to get live updates on SAMBA, so I can start doing active development again since my move.

-John [EMAIL PROTECTED] Personal Opinion Only
Re: NetBEUI as main protocol
Jason Hihn wrote:
> I've a need for Samba to work over NetBEUI. We have a file server here
> that only speaks that way to bar out TCP-based hackers,

There is a popular misconception that you can use NetBeui in this way. There is no security advantage in using NetBEUI in this manner.

It is just as easy to block the NetBios TCP/IP ports at the router between your private network and the one where the hackers are. If the hackers are on the local network, the NetBios exploits work just as well on NetBeui based networks as TCP/IP based networks.

You get the same level of security if you control the router. You have no additional security if you do not control the router. Routers can be configured to bridge NetBeui.

The only advantage that I can see to running NetBeui is that a network recovery disk for most PCs using MS-DOS can fit on a high density floppy.

For small networks, NetBeui is more responsive than TCP/IP, but because it is a broadcast protocol, it does not scale well.

> and now I need to move files between that and the Linux box. Changing it
> to use TCP is out of my authority too. I've scoured the archives, and the
> most I could come up with is a 1 year-old post saying that it was working,
> but with some patches, and only for printing. I am wondering if SAMBA can
> go over NetBEUI yet? I realize I'll probably have to re-compile my kernel
> (easy enough), but what if anything has to be done on the SAMBA side?

It probably will take some sort of layer to translate the NetBios over NetBeui so that it looked like TCP/IP to SAMBA. I do not know how much work that would be.

-John [EMAIL PROTECTED] Personal Opinion Only
Re: NetBEUI as main protocol
Christopher R. Hertel wrote:
> On Mon, Dec 09, 2002 at 09:26:24PM -0500, John E. Malmberg wrote:
>
>> Jason Hihn wrote:
>>
>>> I've a need for Samba to work over NetBEUI. We have a file server here
>>> that only speaks that way to bar out TCP-based hackers,
>>
>> There is a popular misconception that you can use NetBeui in this way.
>
> We use it that way here at the University. But not to isolate LAN traffic
> from the public Internet.
>
>> There is no security advantage in using NetBEUI in this manner.
>
> Hmmm?

Ok, attacks are limited to people that you share a router leg with. On a broadband ISP that could be several subnets that appear to be on separate lines but are not. The most likely exploit would be the WIN-POPUP spam. But who knows what other holes a virus might be able to exploit.

Since the subnets rarely connect to each other, the symptom of duplicate traffic from the "router on a stick" configuration usually does not apply. ISPs do this, but a campus LAN would not.

>> It is just as easy to block the NetBios TCP/IP ports at the router between
>> your private network and the one where the hackers are.
>
> I have hundreds of routers. Some people want those ports open, others not.

Ouch. Management nightmare.

> I really don't want to maintain a per-port security configuration database.

Yours is clearly a different case than the typical small home or small business LAN.

-John [EMAIL PROTECTED] Personal Opinion Only
Re: NetBEUI as main protocol
Jason Hihn wrote:
> Good comments, all of them.
>
>> I hate to say it, but it really comes down to the fact that you are trying
>> to hide behind a protocol, instead of doing a proper firewall for your LAN.
>> No offense intended
>
> None is taken. *I* did not set it up this way, and I had thought of some of
> the very same points that people have raised. I do not yet have config
> control of the box, but I'll have it eventually. Until then I have to
> convince those that do have control that putting TCP/IP on it is no less
> as safe.

If you know for sure that you are the only network connected to that physical port of the ISP's router, then the router will likely provide you with the protection that you want.

Note that even if you own a complete CLASS C address block, an ISP can put several subnets on the same router port. They share all broadcast packets. That includes ARP (Address resolution protocol) packets that are used to map I.P. addresses to your adapters.

On a large ISP, this traffic from other users can be enough to bog down your network. And if someone else accidentally makes an I.P. configuration error, it could break both of your networks.

All good reasons to have your own firewall.

Now broadband ISPs also typically have filters in their cable modems, or equivalent, that when it is working will also block the netbeui traffic. ARP traffic by nature can not be blocked by a cable modem. But be aware that the filters are not always on.

Also you may want to look at NAT (or I.P. Masquerade for LINUX). It allows you to only pay for the number of Public I.P. addresses that you need from your ISP, instead of a whole netblock. If that is applicable, it could be a cost savings to your company.

-John [EMAIL PROTECTED] Personal Opinion Only
Re: NetBEUI as main protocol
John E. Malmberg wrote:
> Jason Hihn wrote:
>> Good comments, all of them.
>>
>>> I hate to say it, but it really comes down to the fact that you are trying
>>> to hide behind a protocol, instead of doing a proper firewall for your LAN.
>>> No offense intended
>>
>> None is taken. *I* did not set it up this way, and I had thought of some of
>> the very same points that people have raised. I do not yet have config
>> control of the box, but I'll have it eventually. Until then I have to
>> convince those that do have control that putting TCP/IP on it is no less
>> as safe.

Here is something that may help.

http://slashdot.org/articles/02/12/14/153215.shtml?tid=172

-John [EMAIL PROTECTED] Personal Opinion Only
Returning the size of the file to Clients
This was just brought up on the samba-vms list.

Samba makes calls on behalf of the client to return a file size. The problem for this on OpenVMS is that some of the text file sizes include the record information. When these files are sent to the client they are converted to a byte stream format like UNIX uses. But this results in a file that is a slightly different size than the physical size of the file, usually smaller.

Only some applications, such as wordpad, seem to be sensitive to this, as others use the amount of data transferred. It has been reported that wordpad adds garbage bytes to the end of the buffer for the difference.

The 2.2.4 port of Samba to OpenVMS solves this by reading the entire file in order to give the correct size. This of course creates a big performance hit when displaying a directory.

Is there any way to differentiate for when the Client is opening a file for an application, and when a directory is being listed?

I am also going to look to see if there is a more optimal way to calculate the size of these text files.

Thanks,
-John [EMAIL PROTECTED] Personal Opinion Only
Re: OT Recent virus
ian j hart wrote:
> Can someone confirm the MIME headers included
>
> name="Movie_0074.mpeg.pif"
> filename="Movie_0074.mpeg.pi"
>
> ie filename missing f

No, because one of my postmasters that this list goes through has a scanner that removed the virus and replaced it with a text file.

It appears that the original virus came from uky.edu, and I sent a report to that postmaster. The second virus came from bellsouth.net, possibly a secondary infection. Reports to their support contacts have been made. The third came from comcast.net. A report has been made to that postmaster.

And really, only the samba.org virus scanner should be making reports to the mailing list. If you are not samba.org, and you recognize your postmaster's virus scanner, please get them to fix it.

Virus scanners and any other automatic responders should never send out messages to mailing lists. Just think what would happen if everyone that had a virus scanner bounced a message back to this list. It would probably take a day just to delete them all to get to the real messages.

And since viruses typically are forging the from: part of the message, having a virus scanner bounce a message back automatically is bad. It is not going to the source, but most likely to someone who is not infected.

It is appropriate for a samba.org virus scanner to make notifications. Unfortunately, it appears to be detecting the virus after it has been e-mailed out.

-John [EMAIL PROTECTED] Personal Opinion Only
Re: OT Recent virus
David Brodbeck wrote:
>> From: John E. Malmberg [mailto:[EMAIL PROTECTED]]
>>
>> Virus scanners and any other automatic responders should never send out
>> messages to mailing lists.
>
> In my own mail filters, the way I've been doing this is to never
> auto-respond to a message set "Precedence: bulk" or "Precedence: list".
> Is this correct, or is there a better way?

I would assume so. I would expect that if a virus scanner was any good, it would be set that way by default.

-John [EMAIL PROTECTED] Personal Opinion Only
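The suppression rule David describes, carried a little further as an added example (not code from the thread or from any scanner product): besides "Precedence: bulk" and "Precedence: list" it also honours the Auto-Submitted header defined by RFC 3834, the List-* headers defined by RFC 2919/2369, and the null or MAILER-DAEMON sender of a bounce, and it marks any reply it does send so that other responders will not answer it in turn. The three messages are constructed for the example.

```python
"""Gate an auto-responder so it never answers list, bulk or automatic mail.

Added example, not from the thread. Header names come from RFC 3834
(Auto-Submitted), RFC 2919/2369 (List-Id, List-Post, List-Unsubscribe)
and common practice (Precedence); the sample messages are constructed.
"""
from email import message_from_string
from email.message import EmailMessage


def should_auto_respond(raw: str):
    """Return (ok, reason). ok is False whenever replying would hit a
    mailing list, a bulk sender, another robot, or nobody at all."""
    msg = message_from_string(raw)

    prec = (msg.get("Precedence") or "").strip().lower()
    if prec in ("bulk", "list", "junk"):
        return False, "Precedence: " + prec

    auto = (msg.get("Auto-Submitted") or "").strip().lower()
    if auto and auto != "no":            # auto-generated, auto-replied, ...
        return False, "Auto-Submitted: " + auto

    for h in ("List-Id", "List-Post", "List-Unsubscribe"):
        if msg.get(h):
            return False, h + " present"

    sender = (msg.get("Return-Path") or msg.get("From") or "").strip().lower()
    if sender in ("", "<>") or "mailer-daemon" in sender:
        return False, "null or daemon sender"

    return True, "ok"


def build_auto_reply(raw: str, body: str) -> EmailMessage:
    """Compose a reply that identifies itself as automatic, so a peer
    running the same check will not reply back."""
    orig = message_from_string(raw)
    reply = EmailMessage()
    reply["To"] = orig.get("Reply-To") or orig.get("From")
    reply["Subject"] = "Auto: " + (orig.get("Subject") or "")
    if orig.get("Message-ID"):
        reply["In-Reply-To"] = orig["Message-ID"]
    reply["Auto-Submitted"] = "auto-replied"
    reply["Precedence"] = "bulk"
    reply.set_content(body)
    return reply


# Constructed samples: a list post, a personal mail, and a bounce.
LIST_MAIL = """From: john@example.org
To: samba-technical@example.org
Subject: Re: OT Recent virus
Precedence: list
List-Id: <samba-technical.example.org>

Virus scanners and any other automatic responders should never
send out messages to mailing lists.
"""

PERSONAL = """From: alice@example.org
To: bob@example.org
Subject: lunch?
Message-ID: <constructed-1@example.org>

Are you free at noon?
"""

BOUNCE = """Return-Path: <>
From: MAILER-DAEMON@example.net
To: bob@example.org
Subject: Undelivered Mail Returned to Sender

The message could not be delivered.
"""

if __name__ == "__main__":
    for name, raw in ("list", LIST_MAIL), ("personal", PERSONAL), ("bounce", BOUNCE):
        print(name, should_auto_respond(raw))
```

Only the personal message gets a reply, and because that reply carries "Auto-Submitted: auto-replied" and "Precedence: bulk", feeding it back through the same check is refused as well.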
Re: improved dos attribute handling
Ola Lundqvist wrote:
> Hello again. This is the next issue for which I have created a patch.
>
> There is a problem with the current dos filemode option. The problem is
> that you can only set read only but not remove it again. You can of
> course not because you do no longer have write permissions to the file.
>
> My fix change the behaviour to check the directory and file for
> permissions. If the user has write permission to the dir and (is owner of
> file, or member of group or part of group) of the file the read-only can
> be removed.
>
> The code is tested but not for very long time. Right now just a week in a
> production server. I have not checked if it is possible to bypass
> something but I do not think so. I think I have caught all cases, but
> checking is good.

You are aware that this can introduce a security hole because the way that DOS / Windows handles the Readonly bit is quite different than in a POSIX or UNIX environment.

In the Microsoft Windows and DOS environment, the Readonly attribute means that no one has write or delete access to the file, not even the Administrator or "root" account. If your platform supports ACLs, the Readonly bit is supposed to override them also.

So unless you change the security model of the host platform, it is not possible to have the Readonly attribute behave the way that it does in a Microsoft Windows environment.

Now you can determine if the file is "Readonly" to the client, and use the bit to report this. But it is not possible for a POSIX host to allow the client to change this attribute and have it have the same effect.

The model of simulating a "Readonly" bit by removing Write and delete access from the Owner, Group, and World bits is ignoring that "root" or "setuid root" programs can still write to the file, and does not take into account that ACLs can still grant write access.

The problem with this is that while you can allow the client to remove the write/delete bits from a file that they have permission to change the permission on, it is not good to have the client put the write permissions back on. You simply do not know what the Group and World settings were prior to the Readonly attribute being set.

If you have a file that starts out: W:readonly, G:readonly, O:read-write, and the client sets the "Readonly" bit, then the result is obvious. When the client clears the Readonly bit, then if you just add "Write and Delete" access to the owner, everything is back to normal.

However if the file starts out: W:readonly, G:read-write, and O:read-write, and when the client sets the "Readonly" bit, write access is removed from the Group, and Owner. But what happens when you just set the O: write+delete settings when the client clears the "Readonly" bit, the other members of the group still will not have write access to the file.

A similar situation will exist in the event that the file started out with W:write+delete access.

Now with ACLs implemented on the host platform, even this simulation will not work. The "Readonly" bit based solely on the protection mask becomes totally misleading. You can set it or clear it, but it may have no effect on access to the file by either the host programs or to clients.

With ACLs, you can create a SAMBA_READONLY entry, and then use that to simulate the READONLY bit. But it must be applied in such a way that gives it priority over all ACEs. Because it is a "DENY" if present ACE, on OpenVMS, it would require that all user accounts have that identifier granted to them. But because "root" privilege still overrides the ACL, it is still not the same as on a Microsoft server.

If you are not concerned about having the "Readonly" attribute apply to access from the host system, it becomes much easier to implement. But it is almost impossible to implement correctly, and all close simulations have drawbacks.

So any hack to improve "Readonly" for a particular group of users may not be correct for another group of users, and must be customizable.

And as a preemption for the comment that a Microsoft Windows Administrative account can override the "Readonly" attribute. It can not. What it can do is turn the attribute off, but it can not write or delete the file until that attribute is removed.

-John [EMAIL PROTECTED] Personal Opinion Only
Re: wtf: "Make her Smile bho c qpalx"
[posted and mailed]

Kätzler, Ralf wrote:
> Someone is kidnapping my mailaddress

Spammers will do that.

Maybe the bogofilters will catch the next one, but the filter automagic learning works best when people do not quote the spam.

With bogofilter type filters, quoting the spam will lessen the weight of the keywords extracted, as they will have shown up in a mail marked legitimate.

The spammers have found a way around many of the filters by sending minimal text and a link to a picture of their spam message as they are assuming that people have allowed the mail programs to automatically open pictures on external links. There is not enough text in the spam for the filter to use in most cases.

> - and someone has an open smtp-server ...
>
> Sorry, but there are always some kiddies out there with enough time for
> funny things.

The spam came from the address 203.58.28.51. Abuse contact is tpg.com.au

http://www.samspade.org/t/rbl?a=203.58.28.51&r=on

    203.58.28.51 (mail.domane.com.au) listed in SPAMCOP(127.0.0.2) BOPM(127.1.0.20)
    SpamCop Blacklist (SPAMCOP): Blocked - see http://spamcop.net/bl.shtml?203.58.28.51
    Blitzed Open Proxy Monitor (BOPM): open proxy - see http://blitzed.org/proxy/?ip=203.58.28.51

The address used to send the spam is an open proxy, not an open smtp-server, but the effect is the same.

When an I.P. address is listed in BOPM, or proxies.relays.monkeys.com, it is likely that all the e-mail from it will be spam. When the spammers find one of these open-proxies, they send as much spam as they can through it in bursts.

For the other customers of the ISP with an open-proxy, during these spam runs, this creates a denial of service attack. So it is puzzling why the ISPs are not closing these open-proxies as soon as they are reported.

The web page used for the main part of the spam is hosted by qwest.net. The contact address is [EMAIL PROTECTED]

The product advertised is likely either a placebo or a drug that is not legal to sell in the U.S.

-John [EMAIL PROTECTED] Personal Opinion Only
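The effect John describes, quoting spam into a mail that is then trained as legitimate, shown with a minimal Graham-style token filter. This is an added example, not bogofilter's code; the per-token formula (ham counts weighted double, clamped to [0.01, 0.99], unseen tokens at 0.4) follows Paul Graham's "A Plan for Spam", and the training texts are constructed.

```python
"""Minimal Bayesian token filter showing why quoting spam hurts training.

Added example; not bogofilter or any other real filter. Token statistics
follow Graham's "A Plan for Spam"; sample messages are constructed.
"""
import re
from collections import Counter


class TokenFilter:
    def __init__(self):
        self.spam = Counter()   # number of spam messages containing token
        self.ham = Counter()    # number of ham messages containing token
        self.nspam = 0
        self.nham = 0

    @staticmethod
    def tokens(text):
        """Case-folded word tokens; each token counted once per message."""
        return set(re.findall(r"[a-z][a-z0-9'.-]*", text.lower()))

    def train(self, text, is_spam):
        table = self.spam if is_spam else self.ham
        for t in self.tokens(text):
            table[t] += 1
        if is_spam:
            self.nspam += 1
        else:
            self.nham += 1

    def spamicity(self, token):
        """Per-token spam probability. Ham occurrences count double (bias
        against false positives); tokens never seen sit at 0.4."""
        s = self.spam[token] / self.nspam if self.nspam else 0.0
        h = 2 * self.ham[token] / self.nham if self.nham else 0.0
        if s + h == 0:
            return 0.4
        return max(0.01, min(0.99, s / (s + h)))

    def score(self, text):
        """Combine token probabilities with Graham's naive-Bayes product."""
        ps = [self.spamicity(t) for t in self.tokens(text)]
        prod = 1.0
        inv = 1.0
        for p in ps:
            prod *= p
            inv *= 1 - p
        return prod / (prod + inv)


def demo():
    """Train one spam and one ham, then a ham that quotes the spam, and
    return the 'pills' token's spamicity before and after the quote."""
    f = TokenFilter()
    f.train("Make her smile - cheap pills, open proxy special", True)
    f.train("samba locking uses tdb across connections", False)
    before = f.spamicity("pills")
    # A legitimate complaint that quotes the spam verbatim, marked as ham.
    f.train("Someone is forging my address, the spam said: "
            "Make her smile - cheap pills", False)
    after = f.spamicity("pills")
    return before, after


if __name__ == "__main__":
    print(demo())   # (0.99, 0.5)
```

One quoted copy in a mail labelled legitimate pulls "pills", "cheap" and "smile" from 0.99 down to 0.5, so a later message built from those words scores as a coin toss instead of obvious spam; that is why the advice is to report the spam without quoting it into list traffic.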
Re: password quality script aka --with-cracklib replacement
Richard Sharpe wrote:
> On Fri, 14 Feb 2003, Andrew Bartlett wrote:
>
>> Anybody doing this 'must change password every x days' thing has to store
>> the decrypted password, or else your users change from password1 to
>> password2 to password3 then back to password1.
>
> Hmmm, I am not sure of that. What is wrong with storing the history of
> password hashes back to some number. Sure, there can be collisions, but
> they should be infrequent, and it will prevent them from re-using the same
> passwd within the horizon of the hashes kept.

OpenVMS stores the password hashes back a configurable amount of time, the default is one year per user. The storage time needs to be time based, not number of changes.

OpenVMS does not have the security hole where a user is forbidden to change a password for a period of time from the last change, so that a user must notify the system administrator when they think a recently changed password was compromised.

Frequent password changes also lead to passwords that are more easily cracked by social engineering methods. Usually if you have learned a past password, a human can figure out all future passwords.

-John [EMAIL PROTECTED] Personal Opinion Only
Re: password quality script aka --with-cracklib replacement
John H Terpstra wrote:
> On Thu, 13 Feb 2003, John E. Malmberg wrote:
>> The storage time needs to be time based, not number of changes.
>
> Usually, minimum time till change is again permitted as well as ultimate password expiry if not changed time 'usually dat or # days based.

I consider that a security hole. A user should be able to change their password at any time. They do not want to admit that someone may have seen them enter their password.

>> OpenVMS does not have the security hole where a user is forbidden to change a password for a period of time from the last change, so that a user must notify the system administrator when they think a recently changed password was compromised.
>>
>> Frequent password changes also lead to passwords that are more easily cracked by social engineering methods. Usually if you have learned a past password, a human can figure out all future passwords.
>
> From my site auditing work I could not agree with this generalization. It might be the case with < 10% of the people I had exposure to. But then this would be moderated if the site has a documented password security and change policy.

You are right about over generalizations. It really depends on the population of users that you are auditing, and if you are running a crack program, how successful you are in finding out what the passwords are.

I have had to provide the backup support for a help desk, and one of the platforms required the help desk operators to log in as the users. The proper procedure on other platforms would be to temporarily override the password with a new one, but that was not practical here, so the users would give their passwords to the help desk operators.

One of the latest trends to try to get people to have a secure password is to compare so many characters from new password for the last N. That requires storing several plain text passwords. Not good. But someone seems to think so.

But I doubt that password guessing is the cause of most security problems, in spite of all the focus on them. Nor do I think that industrial spies really spend much time trying to bypass computer controls. Cheap low tech human engineering works most of the time, and it is cheaper to bribe a disgruntled employee than to hire a professional cracker. And sometimes when you make the security policies too tight, and the users do not think they need to be, they will bypass them behind your back in ways that can not be easily detected.

-John [EMAIL PROTECTED] Personal Opinion Only
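The two posts above argue for a password history kept as hashes, retained for a period of time rather than a fixed number of changes, and with no minimum-age rule that would stop a user from changing a password they believe was seen. The following is an added example written to illustrate that combination; it is not Samba or OpenVMS code. It uses salted PBKDF2 from the Python standard library, and the round count and the one-year retention constant are assumptions (the year matches the OpenVMS default the thread mentions). Note that because only hashes are stored, the check can answer "was this exact password used recently?" but not "does it share N characters with the last one?", which is the point made about such comparisons needing plaintext.

```python
"""Password-history check with salted hashes and time-based retention.

Added example, not Samba or OpenVMS code. Only salted PBKDF2 hashes of
previous passwords are stored, they are kept for a configurable period
rather than a fixed count, and a change is never refused for being "too
soon" after the last one.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 50_000           # assumption: tune for your hardware
RETENTION_SECONDS = 365 * 86400  # assumption: one year, like the OpenVMS default described above


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the password; this is all that is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class HistoryEntry:
    changed_at: int   # seconds since the epoch when this password was set
    salt: bytes
    digest: bytes


@dataclass
class PasswordHistory:
    retention: int = RETENTION_SECONDS
    entries: list = field(default_factory=list)

    def prune(self, now: int) -> None:
        """Forget hashes older than the retention window (time based, not count based)."""
        self.entries = [e for e in self.entries if now - e.changed_at < self.retention]

    def reused(self, candidate: str, now: int) -> bool:
        """True if the candidate equals any password still inside the retention window."""
        self.prune(now)
        return any(hmac.compare_digest(_derive(candidate, e.salt), e.digest)
                   for e in self.entries)

    def change(self, new_password: str, now: int) -> bool:
        """Accept the change unless the password was used within the window.

        There is deliberately no minimum-age rule: a user who suspects the
        current password was observed can replace it immediately.
        """
        if self.reused(new_password, now):
            return False
        salt = os.urandom(16)
        self.entries.append(HistoryEntry(now, salt, _derive(new_password, salt)))
        return True


def demo() -> dict:
    """Constructed scenario: the password1 -> password2 -> password3 -> password1 cycle."""
    hist = PasswordHistory()
    day = 86400
    t0 = 1_000_000_000  # constructed epoch timestamp
    return {
        "first": hist.change("password1", t0),                     # accepted
        "second": hist.change("password2", t0 + day),              # accepted
        "immediate": hist.change("password3", t0 + day + 60),      # accepted: no minimum age
        "reuse_blocked": hist.change("password1", t0 + 30 * day),  # refused: still in window
        "reuse_after_window": hist.change("password1", t0 + 400 * day),  # accepted: older than a year
    }


if __name__ == "__main__":
    print(demo())
```

The collisions Richard mentions are not a practical concern with a 256-bit salted hash; the real trade-off is that the hash store grows with the retention period rather than with a fixed count, so `prune` has to run on every check.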
Re: improved dos attribute handling
Ola Lundqvist wrote:
> Sorry. I'm not subscribed to this list so I could not preserve the reply-to header. Please Cc: me if you want me to know the mail. :)

Bcc: by request.

> On the other hand, with the current setup users must have administrative rights to modify read-only bit. This is a problem because in a windows environment (with users used to windows stuff) there is no such thing as file owners.

There is such a thing as file owners in a domain file server. This will show up in the file properties on Windows under the security properties.

As long as your patch is a selectable behavior, there are probably a lot of systems that could use it. I just wanted to make clear that it does have side effects when you are not running in an appliance mode, or if your users are in multiple UNIX groups.

I do not run UNIX, I run OpenVMS. It uses a UIC based protection model that is similar to UNIX but there might be some differences that are important that I may be overlooking.

I can give users write access to a file without giving them write access to the entire directory. Write access to the directory implies that they can add and remove files. So adding the world write permission back to a file that the user owns when the READONLY bit is cleared will allow every other user on the system write access to that file, if they know its path.

Does UNIX require you to have write access to a directory to modify a file that you have write access to?

>> You simply do not know what the Group and World settings were prior to the Readonly attribute being set.
>
> And that is why I check the directory permissions. Iff the user has write access to the directory and is member of the file it can modify the permissions.

As I pointed out above, at least on OpenVMS, that is not a valid assumption as to what the user's wishes are for the world and group access. Just because they have permission to set them does not mean that they mean to.

-John [EMAIL PROTECTED] Personal Opinion Only
Re: Well, the large file offset stuff in smbclient seems to work
Michael B. Allen wrote:
> Richard Sharpe <[EMAIL PROTECTED]> wrote:
>> Just reporting that the large file offset code in smbclient and libsmb now seems to work. I have been chasing a weird problem with 20+ second delays in completing writes at times, and have got to 130 GB in a file. Heading towards 350GB and later 1TB.
>
> Wouldn't anything after 4GB be redundant?

No. Strange effects can happen at many different file sizes. If you do not test it, you do not know that it works. The weakness may not be in smbclient or libsmb though.

-John [EMAIL PROTECTED] Personal Opinion Only
Re: Well, the large file offset stuff in smbclient seems to work
Michael B. Allen wrote:
>> No. Strange effects can happen at many different file sizes. If you do not test it, you do not know that it works.
>
> Can you give me a specific example? I've written a client and I never tested it past 5-6GB. You have me worried now :-/

There may not be a problem in your client. But problems may show up in file systems and the support C library calls. In older systems, bits were precious, so there may be many fields that do not have enough, and now backwards compatibility may be showing its age. Sometimes it is found in a device driver that because at the time a 1GB disk was unimaginable, that the bits above there were used for flags. Some algorithms are sound but do not scale well, hence the unexplained slowdowns.

Every 4 bit nybble barrier can be an issue, and the signed/unsigned usage may also be an issue. The granularity of blocks in the file system.

Once you get past 4GB, I would expect the next hiccup may be at the 1TB level and then every power of 2 beyond that.

How many people are dealing with files larger than 4G on a regular basis? You can not test everything though. :-)

-John [EMAIL PROTECTED] Personal Opinion Only
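The 4 GB and 2 GB boundaries John alludes to come from fields that hold only the low 32 bits of an offset, or hold them as a signed value. The block below is an added example, not smbclient or libsmb code: it models a request that carries a 64-bit offset as two 32-bit halves (as SMB write requests do) and shows where an implementation that ignores the high half, or stores the low half in a signed 32-bit integer, actually ends up. It also lists the power-of-two boundaries a test plan should straddle, generalising John's "every power of 2 beyond that". Function names are assumptions.

```python
"""Where large-file offsets break: 32-bit truncation and sign boundaries.

Added example, not Samba code. A 64-bit offset is split into (high, low)
32-bit halves the way SMB requests carry it, then reassembled by a correct
implementation, by one that ignores the high half, and by one that keeps
the low half in a signed 32-bit integer.
"""
import struct

GiB = 1 << 30


def split_offset(offset: int) -> tuple:
    """Split a 64-bit offset into (high, low) 32-bit halves."""
    if not 0 <= offset < (1 << 64):
        raise ValueError("offset out of 64-bit range")
    return offset >> 32, offset & 0xFFFFFFFF


def join_offset(high: int, low: int) -> int:
    """Correct reassembly: both halves honoured."""
    return (high << 32) | low


def seek_low_only(low: int) -> int:
    """Buggy implementation that ignores the high half: wraps every 4 GiB."""
    return low


def seek_signed32(low: int) -> int:
    """Buggy implementation that stores the low half as a signed 32-bit int:
    offsets from 2 GiB up to 4 GiB become negative."""
    return struct.unpack("<i", struct.pack("<I", low))[0]


def probe(offset: int) -> dict:
    """Report where each implementation would seek for a requested offset."""
    high, low = split_offset(offset)
    return {
        "requested": offset,
        "correct": join_offset(high, low),
        "low_only": seek_low_only(low),
        "signed32": seek_signed32(low),
    }


def boundaries(max_bits: int = 41) -> list:
    """Offsets worth exercising: the byte before and at each power-of-two
    boundary from 2 GiB (bit 31) up to 1 TiB (bit 40)."""
    points = []
    for b in range(31, max_bits):
        points.extend([(1 << b) - 1, 1 << b])
    return points


if __name__ == "__main__":
    for off in (2 * GiB - 1, 2 * GiB, 3 * GiB, 4 * GiB, 4 * GiB + 10):
        print(probe(off))
    print(len(boundaries()), "boundary offsets to test")
```

Past 4 GiB the low-only implementation silently writes near the start of the file, which is far harder to notice in a test than an error return; that is why testing only to 5 or 6 GB, as Michael describes, can pass while the data lands in the wrong place.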
Re: Problems with the lack of a real RO bit with Samba ...
Richard Sharpe wrote:
> Now, Windows has a RO bit and ACLS, and you can have ACLs on the file that give everyone WRITE access, while the RO bit gives no one WRITE access.
>
> My question is, is anyone aware of any real application that would be confused if the RO bit were synthesized by setting an appropriate ACL on the file?

The Windows NT 4.0 "replication" Service is confused by the way that the RO bit works now. It copies the attribute to the destination directory, and then has problems because it can not deal with the fact that it no longer has permission to modify the file, even if it does not have to change the file. I do not know if Windows 2000 has that feature.

I have seen reports on this list of applications playing with the Archive bit and getting confused when it does not work right. The same may be true of the Readonly bit. However since SAMBA is not doing it the Microsoft Windows way, there will likely be confusion no matter what you do. I recommend erring on the side of compatibility with Microsoft Windows.

> I am aware that this could mean that if an inappropriate ACL were added to the file, perhaps by mistake (when setting ACLs on all files in a tree), the RO bit could disappear.

On OpenVMS, you can give some entries in an ACL a "PROTECTED" attribute. Then it is harder to have such accidents. Of course that makes "PROTECTED" attributes a pain to work with at times.

-John [EMAIL PROTECTED] Personal Opinion Only
Re: Problems with the lack of a real RO bit with Samba ...
Richard Sharpe wrote:
> On Wed, 19 Feb 2003, Ken Cross wrote:
>> Yes, it could have significant impact. Is there a problem with the current way it's set (RO == owner "r" mode)?
>
> That does not match the way it works on an NT server. And there is a significant difference. In our file system, UNIX permission bits are synthesized from ACLs on the file objects :-)
>
> Can you give me an idea of the 'significant impact'? I am trying to convince our file system guys that we need a separate RO attribute to accompany the other attributes (like Hidden, System, etc).

RO is special. On Windows NT, it has precedence over all other attributes. Even "Administrator" access can not override RO.

So for the filesystem to work correctly with SAMBA as PC users would expect, not only do you need a RO permission, you need logic to make sure that it overrides all other ACLs that would otherwise grant write access. It is probably sufficient to leave that "root" can override readonly, but nothing else should be able to, or it will not function as PC users expect.

I am assuming that this is a LINUX filesystem that you are designing?

-John [EMAIL PROTECTED] Personal Opinion Only
Re: Problems with the lack of a real RO bit with Samba ...
Richard Sharpe wrote:
> On Wed, 19 Feb 2003, John E. Malmberg wrote:
>> I am assuming that this is a LINUX filesystem that you are designing?
>
> Nope. I am not designing it, but we are doing a file system that supports Windows and UNIX access, along with high-bandwidth IO.

Now I am curious. Is this an open-source project or a private one?

-John [EMAIL PROTECTED] Personal Opinion Only
Reposting spam poisons the spam filter.
Please do not repost spam to the mailing list. When spam gets through, it gets flagged by a list administrator so that the filter learns about it. When you repost the spam, it causes all the learning of the filter for that spam to be erased, allowing more spam like it to get through. -John [EMAIL PROTECTED] Personal Opinion Only
Re: scalability of print_queue_update
Martin Pool wrote:
> Alternatively we might say that 40,000 jobs is a silly number to have queued. :-)

Probably, but it would be good to know that it would work.

What I am curious about is if you have a solution to a question I posed about a year ago. On Windows, the print job number appears to be an unsigned 16 bit number if I remember correctly. On OpenVMS, the print job number is an unsigned 32 bit number. This number range is also shared with batch jobs. Is there any way for SAMBA to accommodate 32 bit print job IDs?

-John [EMAIL PROTECTED] Personal Opinion Only
Re: Applications that want 8.3 names
Richard Sharpe wrote:
>
> Is anyone aware of Windows applications that will only deal with 8.3 names and cannot deal with long file names?
>
erx wrote:

Most "setup.exe" programs are stubs that are 16-bit executables, and want 8.3 filenames. And some of the ones that can handle storing long filenames expect that when they extract the files, they will get the same 8.3 alias that they had originally, which does not happen because Microsoft has several different algorithms for generating the alias. One of the installers in the Windows NT 4.0 Resource kit has this problem.

-John [EMAIL PROTECTED] Personal Opinion Only
Re: very interesting!
Simo Sorce wrote:
> It would be really nice to have this feature! 90% of time I attach a gdb to get a backtrace, it would also speed up development imho.

The interception of the signal by smb_panic() disables this feature on OpenVMS. If the operating system has a built-in backtrace handler, it is better for the application to crash instead of intercepting the signal and calling smb_panic(). If you are conditionalizing the code, please keep this in mind.

-John [EMAIL PROTECTED] Personal Opinion Only
Re: [SECURITY] Samba 2.2.8 available for download
Paul Green wrote about potential vulnerabilities in getting a stack overflow to execute arbitrary code by an attacker.

Many hardware platforms do have the protection that you describe, but it depends on the software to set up the protection. Also someone would need to have intimate knowledge of your platform to be able to write such an attack. The non-x86 platforms are probably less likely to be attacked in this manner from a virus. It may cause an application crash.

And if you have someone internal that has the skill to do this, they probably are already privileged enough that they would have no problem compromising a system and covering their tracks.

-John [EMAIL PROTECTED] Personal Opinion Only