Re: New modules system and vfs_done
On Mon, 2003-03-31 at 03:30, Andrew Bartlett wrote:
> As per my recent commit, the new (VFS) modules system completely breaks on tree disconnect!
>
> We need to separate the different cases - the compat and the central modules, and provide either a flag or a function pointer to the correct way to shut down a module.
>
> The code in conn_close is really in the wrong place - it's dealing with the VFS, not the connection. And how should an internal module 'end' its operations anyway? We don't seem to have that coded up at all...

Eh, the shutdown stuff was just a thing, I was thinking yesterday ...

I agree we should have to way to startup and shutdown the modules, as we have to way to load it (preload and fork). This is mandatory for modules that use databases or other repository they connect to through a socket or other communication mechanism.

Simo.

--
Simo Sorce - [EMAIL PROTECTED]
Xsec s.r.l. - http://www.xsec.it
via Durando 10 Ed. G - 20158 - Milano
mobile: +39 329 328 7702
tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: New modules system and vfs_done
On Mon, 2003-03-31 at 12:25, Simo Sorce wrote:
> Eh, the shutdown stuff was just a thing, I was thinking yesterday ...
>
> I agree we should have to way to startup and shutdown the modules, as we have to way to load it (preload and fork).

to - two

> This is mandatory for modules that use databases or other repository they connect to through a socket or other communication mechanism.
>
> Simo.
Re: Patch for Bad Password Attempt Lockout, samba3.0a22.
You can already do that through pam_tally, what does your approach add?

Simo.

On Thu, 2003-03-27 at 15:34, Jianliang Lu wrote:
> I have implemented the bad password attempt lockout policy. If a user attempts with the bad password more than the count set in the policy, then his account will be auto-locked, like NT did. The implementation is only for LDAP passdb backend. To do this, I have to introduce a new integer attribute in samba.schema, badPwAttempt.
> Following are the patches, any comments?

--
Simo Sorce - [EMAIL PROTECTED]
Samba Team - http://www.samba.org
Italian Site - http://samba.xsec.it
Re: very interesting!
On Fri, 2003-03-21 at 08:12, Martin Pool wrote:
> On 20 Mar 2003, Richard Sharpe [EMAIL PROTECTED] wrote:
>> On Fri, 21 Mar 2003, Martin Pool wrote:
>>> I just noticed this in the libc manual.
>>>
>>> http://www.gnu.org/manual/glibc-2.2.5/html_node/Backtraces.html
>>>
>>> It could be pretty cool to have this built in to smb_panic().
>>
>> But is it portable?
>
> It would of course have to be only used conditionally. But there's no reason why it couldn't be ifdefd. For the server I work on where gdb is not normally installed it would be highly useful.

It would be really nice to have this feature! 90% of time I attach a gdb to get a backtrace, it would also speed up development imho.
Re: Extended Attributes and Hidden, System, Archive attrs?
On Fri, 2003-03-21 at 09:44, Olaf Frczyk wrote:
> Hi,
>
> I remember some time ago several people were discussing about putting the Hidden, System, Archive, Read-Only bits in EAs.
> Has it been done in 3.0?

No, not yet. It will be available on systems that support EAs btw, so we need to make the code so that it supports both the old and this method.

> Will it be in 2.2.x series?

I think it will not. But I think Jeremy can better answer you on this one.

Simo.
Re: [PATCH] groups in ldap
I have to object to this code, sorry.
We need group handling in ldap for sure, but not group mapping (mapping should be a very secondary part of group support, like username map for users). Using the group mapping approach will make it very hard for us to upgrade to the right way in future.

Simo.

On Tue, 2003-03-18 at 07:58, Andrew Bartlett wrote:
> On Tue, 2003-03-18 at 09:14, Volker Lendecke wrote:
>> Hi!
>>
>> Here's my first attempt at putting the group mapping into ldap. It should apply to HEAD.
>>
>> Comments? Especially the schema might be discussed, this is my very first attempt at LDAP schema design.
>
> Well, on a 30-second reading, I have to say it looks good!
>
> Thanks for putting the time into this,
>
> Andrew Bartlett
Re: [PATCH] groups in ldap
A schema similar to the one used for users, so that you can create groups, with groups members, and optionally a field for gid mapping perhaps.

The point is that we should separate firmly the SID-UGID mapping into a separate thing, and group/users should have only SIDs. IDMAP will think of mapping the whole thing, and on (file) systems that may support SIDs directly IDMAP will probably be completely bypassed and will not exist.

Simo.

On Tue, 2003-03-18 at 10:30, Volker Lendecke wrote:
>> Using the group mapping approach will make very hard for us to upgrade to the right way in future.
>
> What kind of schema would you prefer to put groups into LDAP in a compatible way?
>
> Volker
Re: [PATCH] groups in ldap
On Tue, 2003-03-18 at 10:47, Volker Lendecke wrote:
>> A schema similar to the one used for users,
>
> But if you look at sambaAccount, it firmly ties 'uid' with 'rid', which conflicts your point below.

Yes, I know :-(

>> so that you can create groups, with groups members, and optionally a field for gid mapping perhaps.
>
> You want a memberSid that can occur multiple times?

random thoughts:

That's a good point. I would say yes, but I know this will be useful for samba only, or through winbindd. In my opinion a PDC should use winbindd locally and provide groups functionality. I also know that will not work nicely if you do not want to use winbindd locally, as you will be required to make groups have same members for local machine and samba. But at that point you can simply go on with the current way.

We may also use a switch in the conf to tell samba which of the 2 (passdb or system) to look for group membership until the new code is ready.

Simo.
RE: (fwd) amigasamba?
CL!

On Thu, 2003-03-13 at 23:08, Ulf Bertilsson wrote:
> I look into this in a few days.
> Use www.birrabrothers.com/tiger/data/samba as mirror
> I'm on vacation and don't have the info here.
Re: Error messages generated by passdb/pdb_smbpasswd.c are(almost) useless
It seems very clear to me, Richard.
An smbpasswd entry has a single UID field, if there you find something that's not a number then the entry is malformed. What's unclear?

Printing the line may clobber the logs, as a malformed entry may contain just anything like control chars. I agree that telling the entry line number could be a good idea.

Simo.

On Fri, 2003-03-14 at 07:55, Richard Sharpe wrote:
> Hi,
>
> Someone asked me what some messages like
>
>     getsmbfilepwent: malformed password entry (uid not number)
>
> meant when using the smbpasswd command.
>
> Not knowing, I went searching the source code to find:
>
>     if (!isdigit(*p)) {
>         DEBUG(0, ("getsmbfilepwent: malformed password entry (uid not number)\n"));
>         continue;
>     }
>
> This is very little help in pinpointing the problems, as it does not tell us what the routine was looking at that caused the problem.
>
> Perhaps including the string it was processing would have been more useful!
>
> Regards
> -
> Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, sharpe[at]ethereal.com, http://www.richardsharpe.com
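Both suggestions in this exchange (report the entry's line number, and do not write the raw line to the log because it may hold control characters) can be combined. The following is an added example, not Samba's code and not from the thread; `check_uid_field`, `escape_for_log` and `count_unprintable` are hypothetical names, the `name:uid:...` layout is an assumption, and the check covers the whole UID field rather than only its first character.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define EXCERPT_MAX 32   /* at most this many input bytes are echoed */

/* Render src for a log line: printable ASCII is copied, every other byte
 * (and the backslash itself) becomes \xNN, and long input is cut off. */
static void escape_for_log(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0, n = 0;

    if (dstlen == 0)
        return;
    for (; *src != '\0' && n < EXCERPT_MAX; src++, n++) {
        unsigned char c = (unsigned char)*src;
        if (c >= 0x20 && c < 0x7f && c != '\\') {
            if (o + 2 > dstlen)
                break;
            dst[o++] = (char)c;
        } else {
            if (o + 5 > dstlen)
                break;
            o += (size_t)snprintf(dst + o, dstlen - o, "\\x%02x", (unsigned)c);
        }
    }
    if (*src != '\0' && o + 4 <= dstlen) {
        memcpy(dst + o, "...", 3);
        o += 3;
    }
    dst[o] = '\0';
}

/* Count bytes in s that are not printable ASCII (unsafe in a log line). */
int count_unprintable(const char *s)
{
    int n = 0;

    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x20 || c >= 0x7f)
            n++;
    }
    return n;
}

/* Validate the UID field of one entry (assumed layout "name:uid:...").
 * Returns 0 if the field is a number; otherwise returns -1 and writes a
 * message with the line number and an escaped excerpt into msg. */
int check_uid_field(const char *line, unsigned long lineno,
                    char *msg, size_t msglen)
{
    char excerpt[EXCERPT_MAX * 4 + 4];
    const char *reason = NULL;
    const char *p = strchr(line, ':');

    if (msglen > 0)
        msg[0] = '\0';
    if (p == NULL) {
        reason = "no uid field";
    } else {
        const char *q = ++p;
        while (isdigit((unsigned char)*q))
            q++;
        /* The field must hold at least one digit and end at ':'. */
        if (q == p || *q != ':')
            reason = "uid not number";
    }
    if (reason == NULL)
        return 0;
    escape_for_log(line, excerpt, sizeof(excerpt));
    snprintf(msg, msglen,
             "getsmbfilepwent: malformed password entry at line %lu (%s): \"%s\"",
             lineno, reason, excerpt);
    return -1;
}

int main(void)
{
    /* Constructed sample entries, not taken from a real smbpasswd file. */
    const char *lines[] = {
        "alice:1001:XXXXXXXX:XXXXXXXX:[U]:LCT-00000000:",
        "bob:abc:XXXXXXXX:XXXXXXXX:[U]:LCT-00000000:",
        "eve:\x1b[2J\rroot:0:",
    };
    char msg[256];
    unsigned long i;

    for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++)
        if (check_uid_field(lines[i], i + 1, msg, sizeof(msg)) != 0)
            printf("%s\n", msg);
    return 0;
}
```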
Re: New approach for winbind to match Windows to UNIX users andback
On Thu, 2003-03-13 at 01:32, Andrew Bartlett wrote:
> On Thu, 2003-03-13 at 10:38, Michael Fair wrote:
>> I haven't done much work in this area yet so please feel free to correct me as you see fit, but as I understand it, part of the problem we face is that the equivalents of the UID and a GID in UNIX, are mapped to the same address space in Windows.
>>
>> I was working on some unrelated ACL stuff and thought about the potential of practically eliminating the use of an ACL on a UID and only using ACLs on groups.
>
> I think this is a very good idea. We would effectively create a 'user private group' for every winbindd user. And if they turned out to be a group, then we just populate them with members!

This is an approach I have proposed back last summer to Jeremy and Tridge at Jeremy's, and that would have also cured the problem that all distributions that automatically create a private group for a user have, but it seems they were not convinced so I didn't push the idea anymore :-)

> This helps us particularly with the problem that we don't know the type of a SID without a lookup - a lookup that may well fail.

Exactly!

> This would also solve a nasty problem we have that we don't know the 'real' primary group of every user for NT4 domains, when doing a getgrent(). Instead we assume 'domain users'. This would allow us to always know that value.

No, that's not right, we must have a Primary Group in local passdb and use Domain Users as a fallback.

Simo.

--
Simo Sorce - [EMAIL PROTECTED]
Xsec s.r.l.
via Durando 10 Ed. G - 20158 - Milano
tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: Samba 3.0 Alpha22 + AD Domain, RedHat Kerberos Problems
The fact is that, imho, MS can't (haven't looked too closely, but I had to change the password too as tridge's howto on ads says).
When you make a server be an ADS it simply makes an upgrade and it does not have the clear text password to do all the other encryptions.

Simo.

On Tue, 2003-03-11 at 18:06, Herb Lewis wrote:
> We had this same problem at connectathon. All I had to do was go to the ADS machine, login as the user, and change the password. The current released version of MIT kerberos worked fine after that. It appears that MS does not create all the required encryption types for the password until the first change.
>
> Andrew Bartlett wrote:
>> The issue is that the password of the user you are connecting to Samba with does not have the 'upgraded' password types. This occurs if the user hasn't changed their password since the ADS upgrade.
>>
>> The 'best' solution is to get a newer kerberos library, but MIT hasn't released the latest kerberos, so it's up to you to get their snapshots, or a recent heimdal.
>>
>> Andrew Bartlett
Re: Restricting delete on a share?
Jeremy, the best way you can accomplish this is to build a custom VFS module.
It is really easy to build such a module and you only need to intercept and discard any unlink operation.

regards,
Simo.

On Mon, 2003-03-10 at 07:04, Jeremy M. Dolan wrote:
> Hi all. Management here wants to restrict users from deleting files via Samba. NTFS is able to restrict just delete permissions, but still allow new files to be created and old ones changed. But I've come to the conclusion this isn't possible with standard UNIX file permissions, and unfortunately Red Hat does not yet support ACLs on any file systems.
>
> In Samba's documentation I don't see any indication that a delete=no type option exists for shares, which surprised me. Am I missing something? If not, is there perhaps a compile-time directive to disallow file deletion? Otherwise, could someone perhaps point me to what I'd want to change in the source to accomplish this?
>
> Thanks.
HEAD: PDC or BDC?
I'm curious at why we think a server should be considered a PDC if security is server, domain or ads.

I think there is something wrong here .. I think the 'server' or 'domain' security + lp_domain_logons() should make a BDC, and that 'ads' + lp_domain_logons() should simply give an error until we are able to make up a compatible AD DC.

Am I wrong? Or is there any further reasoning that makes the current code right?

    static void set_server_role(void)
    {
        server_role = ROLE_STANDALONE;

        switch (lp_security()) {
            case SEC_SHARE:
                if (lp_domain_logons())
                    DEBUG(0, ("Server's Role (logon server) conflicts with share-level security\n"));
                break;
            case SEC_SERVER:
            case SEC_DOMAIN:
            case SEC_ADS:
                if (lp_domain_logons()) {
                    server_role = ROLE_DOMAIN_PDC;
                    break;
                }
                server_role = ROLE_DOMAIN_MEMBER;
                break;
            case SEC_USER:
                if (lp_domain_logons()) {
                    if (Globals.bDomainMaster) /* auto or yes */
                        server_role = ROLE_DOMAIN_PDC;
                    else
                        server_role = ROLE_DOMAIN_BDC;
                }
                break;
            default:
                DEBUG(0, ("Server's Role undefined due to unknown security mode\n"));
                break;
        }
    }

Simo.
Re: Detecting Windows OS Version through Samba
We have a specific expansion variable that may be used inside smb.conf to be replaced by remote OS signature. I cannot remember how it works out which OS is on the other side or how accurate it is.
Look into smb.conf and search for %a

Simo.

On Wed, 2003-03-05 at 18:52, Agis Andreou wrote:
> Hello everyone,
>
> I have a samba server and several wannabe clients on a different subnet. Is there a way to determine their windows os version through the network (without actually asking their owners or trying to physically locate the hosts)? If I am not mistaken the info I'm looking for is exposed at least during the browser election process, but that is not enough since I am on a different subnet. NetBIOS is open to those machines. Is there a cmd line utility or source code for solaris/bsd/linux or windows that can be used for that purpose?
>
> thanx,
> Agis
Re: IDMAP backend
I agree, Stefan's suggestions are good.

Simo.

On Fri, 2003-02-21 at 07:52, Stefan (metze) Metzmacher wrote:
> Hi Jim, Anthony,
>
> It's nice to see that someone is working on the idmap backend stuff :-)
>
> But I'm REALLY NOT FINE with a parameter name 'winbind backend' for this!!!
>
> winbind backends are RPC and ADS.
>
> we should name this parameter 'idmap backend' or something like that.
>
> please, please change this fast! :-) otherwise it will be bad to change this parameter because everyone has it in his smb.conf and has to change this.
>
> also we should separate the idmap stuff from winbind, so that we can use it in pdb and other subsystems of samba also.
>
> metze
> -
> Stefan metze Metzmacher [EMAIL PROTECTED]
Re: [PATCH] fix vfstest.c
On Wed, 2003-02-19 at 22:35, Stefan (metze) Metzmacher wrote:
> torture/vfstest.c
>
> we should use conn_new() instead of use malloc()

Right!
Applied.

Simo.
Re: interesting fact about StrCaseCmp
Look at other parts in the code, a nice idea is to compare character by character until the string is an ASCII one, as soon as we detect a non ascii character we revert to the standard method and re-compare the strings. Tridge has gained very good optimizations with this technique.

Simo.

On Tue, 2003-02-18 at 01:35, Martin Pool wrote:
> On 18 Feb 2003, Andrew Bartlett [EMAIL PROTECTED] wrote:
>> Possibly only for long strings? But then that is probably micro-optimization.
>
> If we really cared about optimizing this function, then we would compare character-by-character rather than converting both strings to uppercase first. This is a bit hard for some weird encodings I know, but it ought to be possible to do it in charcnv.c.
>
> The case where we compare, for example, a thousand-character string to the empty string is ridiculously slow at the moment.
>
> I don't know if this is a problem for Samba overall or not, so I'm not touching it at the moment.
>
>     int StrCaseCmp(const char *s, const char *t)
>     {
>         pstring buf1, buf2;
>         unix_strupper(s, strlen(s)+1, buf1, sizeof(buf1));
>         unix_strupper(t, strlen(t)+1, buf2, sizeof(buf2));
>         return strcmp(buf1,buf2);
>     }
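The technique Simo describes, as an added example (not Samba's code and not from the thread): bytes are compared one at a time while both are ASCII, and the first non-ASCII byte makes the function start over on the whole strings with the slow method. `str_case_cmp_fast`, `slow_case_cmp` and `slow_path_calls` are hypothetical names, and the slow path here is a locale `toupper()` stand-in for the charset-aware conversion the quoted function uses.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Counts how often the slow path ran, so its use can be observed. */
int slow_path_calls = 0;

/* Stand-in for the "standard method": uppercase a copy of each string and
 * strcmp() the copies. The copies are sized to the input, so nothing is
 * truncated. Only a placeholder for a charset-aware conversion. */
static int slow_case_cmp(const char *s, const char *t)
{
    size_t ls = strlen(s), lt = strlen(t), i;
    char *a = malloc(ls + 1), *b = malloc(lt + 1);
    int r;

    slow_path_calls++;
    if (a == NULL || b == NULL) {
        free(a);
        free(b);
        return strcmp(s, t);   /* out of memory: exact comparison only */
    }
    for (i = 0; i <= ls; i++)  /* <= also copies the terminating NUL */
        a[i] = (char)toupper((unsigned char)s[i]);
    for (i = 0; i <= lt; i++)
        b[i] = (char)toupper((unsigned char)t[i]);
    r = strcmp(a, b);
    free(a);
    free(b);
    return r;
}

/* Locale-independent uppercase for a byte already known to be ASCII. */
static int ascii_upper(int c)
{
    return (c >= 'a' && c <= 'z') ? c - ('a' - 'A') : c;
}

/* Case-insensitive compare with an ASCII fast path. Returns <0, 0 or >0. */
int str_case_cmp_fast(const char *s, const char *t)
{
    const unsigned char *ps = (const unsigned char *)s;
    const unsigned char *pt = (const unsigned char *)t;

    for (;; ps++, pt++) {
        int us, ut;

        /* One string ended: the result is known without reading the rest,
         * which covers the long-string-versus-empty-string case. */
        if (*ps == '\0' || *pt == '\0')
            return (int)*ps - (int)*pt;
        /* High bit set means not ASCII. Multi-byte lead bytes have it set,
         * so the fallback happens before any trail byte is looked at. */
        if ((*ps | *pt) & 0x80)
            return slow_case_cmp(s, t);
        us = ascii_upper(*ps);
        ut = ascii_upper(*pt);
        if (us != ut)
            return us - ut;
    }
}

int main(void)
{
    /* Constructed sample strings. */
    printf("%d\n", str_case_cmp_fast("Samba", "SAMBA"));
    printf("%d\n", str_case_cmp_fast("caf\xc3\xa9", "CAF\xc3\xa9"));
    printf("slow path calls: %d\n", slow_path_calls);
    return 0;
}
```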
Re: Samba 3.0: vfs_netatalk.c
Have you checked we do not have a replacement function? Generally we do such function sys_something when we found system missing a needed function. Simo. On Tue, 2003-02-11 at 22:00, Anthony Liguori wrote: One catch is that there is a difference between BSD and System V implementations, but that's something that should be handle-able with ./configure. It seems to me that in either case the data could be sorted using the binary tree stuff or by qsort(). This should be fairly do-able. On some systems, scandir() doesn't even exist. I think the only reason why there's been any discussion as to whether this is a problem is because of the fact that it's a module. I think the general sentiment has been that even modules need to be concerned about portability unless there's good reason. Anthony Liguori Linux/Active Directory Interoperability Linux Technology Center (LTC) - IBM Austin E-mail: [EMAIL PROTECTED] Phone: (512) 838-1208 Tie Line: 678-1208 Christopher R. Hertel [EMAIL PROTECTED] Sent by: To: [EMAIL PROTECTED] samba-technical-bounces+aliguor=us.ibm.com@listcc: s.samba.org Subject: Re: Samba 3.0: vfs_netatalk.c 02/11/2003 02:52 PM Paul Green wrote: Anthony Liguori [mailto:aliguor at us.ibm.com] wrote: scandir() (and it's [alpha|version]sort() brethren) is a BSD/Linux-ism and therefore isn't very portable. Since this is in a VFS module (and therefore only optional) I guess this is ok. then Herb Lewis [mailto:herb at sgi.com] found this info: IRIX: scandir, scandir64, alphasort, alphasort64 BSD: scandir, alphasort I just checked and neither scandir* nor alphasort* are in POSIX-1996 or POSIX-2001. I'm not trying to build vfs_netatalk here on VOS, but if I was, it looks like I'd be writing some code first. I don't consider these functions portable either. My vote is for sticking with functions in POSIX if at all possible. PG I have not been following this thread closely, but it occurs to me that we have tools that would make this easy to implement by hand. 
If I understand the docs, the goal is to create an array of pointers to directory entry structures (the latter allocated via malloc()). One catch is that there is a difference between BSD and System V implementations, but that's something that should be handle-able with ./configure. It seems to me that in either case the data could be sorted using the binary tree stuff or by qsort(). This should be fairly do-able. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED] -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399 signature.asc Description: This is a digitally signed message part
Re: LSA Privileges
On Sun, 2003-02-09 at 11:52, Simo Sorce wrote:
> Yes, that's what I, and before me Jean Francois, thought about that. Furthermore I think that while it is certainly a possibility that MS programmers made the transfer by string as a mistake, in reality I think it has been on purpose, so that they could add new privileges easily if needed.

Replying to myself: looking at the trace again I see that user's privileges are passed always as strings not numbers. It may really be that they always use strings not numbers.

So s/string-number pair/string/

> I think our best bet could be to keep the string-number pair we receive from a PDC intact and associate to this pair a second number internal to samba. An interface that is able to map samba internal privilege number to windows string-number pair one should be provided so that if we discover new privilege names besides the ones we already know we can easily map them to a samba own privilege if needed (or map a known unused one to a samba one so that admins can manipulate it easily through windows interfaces).
>
>> Finally, we will need an admin interface for privileges. The two possible ways to do this are a local 'net privilege' command that manipulates directly via pdb, or a remote command like 'net rpc privilege' that manipulates via MSRPC. The advantage of 'net rpc privilege' is that it will work against remote servers. The advantage of a local command is that it will work when smbd is not running. Or maybe we should have 'net rpc privilege' and a local edit via pdbedit?
>
> Yes, it seems the best solution.
>
> Simo
Re: A Union of two directories
On Tue, 2003-02-04 at 11:03, David Lee wrote:
> On Tue, 4 Feb 2003, Stefan (metze) Metzmacher wrote:
>> It would be fine to have config options for matching which files should be taken from which directory.
>>
>> something like this:
>>
>>     dir1 path = /home/samba
>>     dir1 mode = readonly
>>     dir1 files = *.c,*.h,configure,Makefile
>>     dir1 exclude files = *.o
>>
>>     dir2 path = /home/%m/samba
>>     dir2 mode = write
>>     dir2 files = *.o
>>     dir2 exclude files = *.c,*.h
>>
>> and something similar for directories

I think the easiest thing is to have a background common read-only directory; only a few parameters are needed:

    background path = /home/common
    background write_over = yes|no

All the files present here will be seen as read-only by everyone. If you open the file read-write you may choose to either fail the open or copy over the file to the user directory and use that file instead.

In this situation only files _not_ present in user directory are taken from the background dir, so that user created ones are in foreground.

Simo.
Re: A Union of two directories
The best thing you can do is to make a custom VFS module.
Look in the source and example/VFS directories of samba source code.

Good Luck,
Simo.

On Mon, 2003-02-03 at 15:29, Arthur Barrett wrote:
> Hi All!
>
> I am new to Samba and this group and I have a question...
>
> My company wants to make a custom version of Samba which is capable of creating a share which is actually a union of two directories.
>
> ie: instead of the share \\samba\arthur being /home/arthur, we want the share \\samba\arthur to be the union of the two directories /home/common and /home/arthur
>
> Why? It's all to do with version control and limitations in other software. The idea is to create a reserved checkout in a single directory. ie: all the read only code is in /home/common and the checked out code is in /home/arthur, but the silly end product software wants all the files in 1 directory (\\samba\arthur). Oh woe is me!
>
> So my question is: which source code file is the one that actually opens files in the unix file system?
>
> Additionally - is anyone else interested in the result?
>
> Regards,
>
> Arthur Barrett
Re: REPOST: Meaning of tdb_free: left read failed at ...?
On Sun, 2003-02-02 at 15:58, Ralf G. R. Bergs wrote: On Sun, 02 Feb 2003 14:47:11 +0100, Simo Sorce wrote: you can try to delete unexpected.tdb it does not hold any vital information. The problem has reappeared even after I removed the above file: Feb 2 11:18:29 Fileserver nmbd[22451]: [2003/02/02 11:18:29, 0] tdb/tdbutil.c:tdb_log(531) Feb 2 11:18:29 Fileserver nmbd[22451]: tdb (/var/run/samba/unexpected.tdb): tdb_oob len -2320 beyond eof at 24576 Feb 2 11:18:29 Fileserver nmbd[22451]: [2003/02/02 11:18:29, 0] tdb/tdbutil.c:tdb_log(531) Feb 2 11:18:29 Fileserver nmbd[22451]: tdb (/var/run/samba/unexpected.tdb): tdb_free: left read failed at 4294964952 (4096) [...] do they reside on an nfs mount? or any other alternative filesystem? They? Does what reside on an NFS mount? sorry I mean the tdb files. I have only shares with local XFS filesystems (as large as 250G.) what kernel? what samba version? The system in question is a Debian i386 stable (3.0) system, kernel is 2.4.20 release (with some patches such as EVMS and XFS, but EVMS is NOT in use for shares exported via Samba!!), Samba is 2.2.7a (a Debian package that I created myself.) I would try again with a standard ext2/3 file system. Just compile and install all samba related file under a well tested file system like ext2/3, I have had no problem with XFS, but 2.4.20 may have broke something subtle, who knows? bye, Simo -- Simo Sorce- [EMAIL PROTECTED] Samba Team- http://www.samba.org Italian Site - http://samba.xsec.it
Re: Bug in nmbd_become_dmb.c (CVS 1.7 3.somehting) [patch]
the old user security = share

obviously it makes no sense to use the user security option if you have a server role.

Simo.

On Tue, 2003-01-28 at 10:15, Volker Lendecke wrote:
>> server role = share|server|member|PDC|BDC|ADS
>
> So what would 'server role = share' be?
>
> Volker
Re: Bug in nmbd_become_dmb.c (CVS 1.7 3.somehting) [patch]
I still think we _need_ to introduce a server role paramter, leaving the other active for tuning, but so that new admins will not get mad to have a decent configuration. server role = share|server|member|PDC|BDC|ADS or something like that. Simo. On Mon, 2003-01-27 at 23:20, Steve Langasek wrote: On Mon, Jan 27, 2003 at 03:08:52PM -0600, Gerald (Jerry) Carter wrote: On Wed, 22 Jan 2003, Damjan Zobo Cvetko wrote: I dont know if this is the rigth list for this.. I'm using the latest samba 3.x. from CVS.. (because of the wins replication) I have it set up as master browser, but it wont register itself (to the WINS server running in the same nmbd) as DMB (WROKGROUP#1b..) Why not just set domain master = yes domain logons = yes ? By not setting domain logons, you've created a box that Windows clients will believe to be a PDC but one that will not be listed in the DOMAIN#1c list of addresses. /* Do the domain master names. */ - if(lp_server_role() == ROLE_DOMAIN_PDC) + if (lp_domain_master() == True) { I don't think i will commit this patch unless you can further convince me. It's a change from Samba's previous behavior. If there's ever anything else on the network that needs the #1b name, it will be broken by Samba registering the #1b name. Period. It doesn't matter whether the option to enable this is called 'domain master = yes' or 'domain logons = yes'; if the user enables the corresponding setting in a domain with a preexisting PDC, it will break one way or the other. So changing the meaning of the option doesn't really protect against this, but it does break configurations that previously worked for people who need DMBs but don't need logon servers. Much better, IMHO, would be to leave the code as it was in 2.2, but make sure 3.0's *documentation* strongly encourages using 'domain logons' instead of 'domain master'. 
Granted, in all the cases I've seen, enabling 'domain logons' in addition to 'domain master' hasn't done any harm; but is it really worth gratuitously breaking users' 2.2 configs to get this point across? FWIW, this is the third time I've seen this issue come up with the 3.0 alphas. -- Simo Sorce- [EMAIL PROTECTED] Samba Team- http://www.samba.org Italian Site - http://samba.xsec.it
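Review bot: on the '+' line of the quoted hunk, `if (lp_domain_master() == True)` compares the return value against the constant True, so any other non-zero value would not take the branch; test the value directly with `if (lp_domain_master())`. The new condition also no longer consults lp_server_role(), so the block under "Do the domain master names" now runs on hosts that are not ROLE_DOMAIN_PDC; a comment beside the check stating that this is intended, and for which combinations of 'domain master' and 'domain logons', would make the behaviour change explicit for anyone reading the code later.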
RE: Samba 2.999+3.0.alpha21-3 User Dissapears
uhmm I'm interested in this one. but I have not understood what happened, exactly. launch pdbedit with -d 5 option so that you get debugging on stdout and maybe use tee to store a log of your operations plus logs. thanks, Simo. On Tue, 2003-01-14 at 23:38, Irving Carrion wrote: Sorry, tdb backend. -Original Message- From: Jelmer Vernooij [mailto:[EMAIL PROTECTED]] On Behalf Of Jelmer Vernooij Sent: Tuesday, January 14, 2003 2:59 PM To: Irving Carrion Cc: [EMAIL PROTECTED] Subject: Re: Samba 2.999+3.0.alpha21-3 User Dissapears On Tue, Jan 14, 2003 at 01:27:50PM -0500, Irving Carrion wrote about 'RE: Samba 2.999+3.0.alpha21-3 User Dissapears': Here what's even more puzzling. If I run: pdbedit -lv username The user appears wow, great! But if I do: pdbedit -lv allusers.txt and then vi allusers.txt I don't see the user in that list. Any hints anyone? What backend are you using? (This sounds like a bug in your backend) Jelmer -Original Message- From: IRVING Hello All! After users began complaining about not being able to access some network resources, I noticed that some of the users are missing in samba using command: pdbedit -lv S, I retry and create that user again using command: smbpasswd -a hisusername This does not add the user. So instead I use command: pdbedit -a -u hisusername and this also does not work. So I look in /var/log/samba and look at smbd.log. Nothing there tells me anything special under debug = 3 except that this user isn't mapped. I don't know how these users got removed and why. I've also tried: smbpasswd -e hisusername to enable but this produces no positive results. I don't know what is left to try as I'm all out of ideas. Any help much appreciated! -- Simo Sorce- [EMAIL PROTECTED] Samba Team- http://www.samba.org Italian Site - http://samba.xsec.it
Re: delete on close problems
On Mon, 2003-01-06 at 13:48, Nir Livni wrote: if user B opens the file for read (and SHARE_READ | SHARE_DELETE) and only then user A opens the file for DELETE_ON_CLOSE, both open requests succeed. 1. Is this behaviour normal? Unfortunately there's no way to tell something is normal if not testing the same against an NT/2k server. If the same happens there, then it is normal. Simo. -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: Patch for unix extensions
On Wed, 2003-01-01 at 21:35, Steve Langasek wrote: On Wed, Jan 01, 2003 at 01:01:19PM +0100, Simo Sorce wrote: My idea was this: let's make it so that if unix extensions are enabled, then we NEVER resolve the links if we permit link creation. If we do not want to have it so rigid, we may also add a proper option, something like wide unix symlinks with all the proper warnings and normally disabled. Then if you do a normal call, the link will be honoured only if inside the exported file system. This way the trick cannot work, and unix applications (or setups) that rely on symlinks to work well are happy. If symlinks will never be resolved outside of the exported share, why do you need to resolve them on the server at all? A Unix client is equally capable of resolving this symlink on the server. They ARE resolved for normal CIFS clients that do not ask for UNIX extensions. -- Simo Sorce - [EMAIL PROTECTED] Samba Team - http://www.samba.org Italian Site - http://samba.xsec.it
Re: [PATCH] parametric options
On Thu, 2003-01-02 at 14:26, Stefan (metze) Metzmacher wrote: At 00:10 03.01.2003 +1100, Andrew Bartlett wrote: Talloc doesn't work that way, and should not be made to work that way. If you want that, then you have malloc() and free(). I think it would be nice (and useful!) to have talloc_free() and talloc_realloc_strdup(). Does anybody else have an opinion on that??? If you want to use talloc you do not want to manage memory. If you want to manage memory you do not want to use talloc. Simo. -- Simo Sorce - [EMAIL PROTECTED] Samba Team - http://www.samba.org Italian Site - http://samba.xsec.it
Re: Patch for unix extensions
On Thu, 2003-01-02 at 18:00, [EMAIL PROTECTED] wrote: On Wed, Jan 01, 2003 at 01:01:19PM +0100, Simo Sorce wrote: My idea was this: let's make it so that if unix extensions are enabled, then we NEVER resolve the links if we permit link creation. So if unix extensions are true, then all opens set O_NOFOLLOW. yes Ok if O_NOFOLLOW is defined and exists in the kernel - otherwise it's a nasty security hole waiting to happen. shit happens ;-) Simo. -- Simo Sorce - [EMAIL PROTECTED] Samba Team - http://www.samba.org Italian Site - http://samba.xsec.it
Re: Patch for unix extensions
My idea was this: let's make it so that if unix extensions are enabled, then we NEVER resolve the links if we permit link creation. If we do not want to have it so rigid, we may also add a proper option, something like wide unix symlinks with all the proper warnings and normally disabled. Then if you do a normal call, the link will be honoured only if inside the exported file system. This way the trick cannot work, and unix applications (or setups) that rely on symlinks to work well are happy. Simo. On Tue, 2002-12-31 at 20:48, [EMAIL PROTECTED] wrote: On Tue, Dec 31, 2002 at 10:36:33AM +0100, Simo Sorce wrote: Jeremy, in case of unix extensions, shouldn't we pass the symlink as is and not resolve it? Yes we do - if the client uses the UNIX extensions to readlink. The problem is a UNIX extension client could set a symlink on the server (which in a UNIX -- UNIX scenario would never be resolved on the server, but read and resolved on the client's filesystem) and then do a normal SMB open call on it to escape the restrictions of exporting only a small part of the server's filesystem. I think a proper unix-like file system should be able to return links. It can. I just can't trust the client to do this. Jeremy. -- Simo Sorce - [EMAIL PROTECTED] Samba Team - http://www.samba.org Italian Site - http://samba.xsec.it
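The rule discussed in this thread (a normal SMB open follows a link only if it resolves inside the exported tree, and with UNIX extensions enabled no link is followed at all), written out as an added example. This is not Samba's code: share_open, is_below, demo and the temporary sandbox under /tmp are hypothetical names constructed for the illustration, and rel is assumed to be an already normalized relative path.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Refuse to build without O_NOFOLLOW instead of silently following links. */
#ifndef O_NOFOLLOW
#error "O_NOFOLLOW is required; without it the final open() may follow a link"
#endif

/* 1 if canonical path p is root itself or lies below it ("/share2" is not
 * below "/share", so the byte after the prefix is checked too). */
static int is_below(const char *root, const char *p)
{
    size_t n = strlen(root);
    if (n == 1 && root[0] == '/')
        return 1;
    return strncmp(root, p, n) == 0 && (p[n] == '\0' || p[n] == '/');
}

/* Open rel (relative to share_root) read-only; returns an fd or -1 + errno.
 * unix_ext == 0: links are followed, but only to targets inside the share.
 * unix_ext != 0: any link or ".." in the path is refused with ELOOP.
 * The check-then-open sequence still leaves a window in which a directory
 * component can be swapped; O_NOFOLLOW only protects the last component. */
int share_open(const char *share_root, const char *rel, int unix_ext)
{
    char root[PATH_MAX], full[PATH_MAX * 2], target[PATH_MAX];

    if (realpath(share_root, root) == NULL)
        return -1;
    if (snprintf(full, sizeof full, "%s/%s", root, rel) >= PATH_MAX) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (realpath(full, target) == NULL)
        return -1;
    if (unix_ext && strcmp(full, target) != 0) {
        errno = ELOOP;          /* canonical form differs: a link was used */
        return -1;
    }
    if (!is_below(root, target)) {
        errno = EACCES;         /* link points out of the exported tree */
        return -1;
    }
    return open(target, O_RDONLY | O_NOFOLLOW);
}

static int try_open(const char *root, const char *rel, int unix_ext)
{
    int fd = share_open(root, rel, unix_ext);
    if (fd < 0)
        return 0;               /* errno from share_open is left intact */
    close(fd);
    return 1;
}

static int put_file(const char *path)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs("constructed sample\n", f);
    return fclose(f);
}

/* Builds a constructed sandbox: share/inside.txt, share/in_link -> inside.txt,
 * share/p -> ../secret.txt (outside the share). Returns one bit per check. */
int demo(void)
{
    char base[] = "/tmp/sharedemoXXXXXX";
    char share[64], secret[64], inside[96], p[96], in_link[96];
    int bits = 0;

    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(share, sizeof share, "%s/share", base);
    snprintf(secret, sizeof secret, "%s/secret.txt", base);
    snprintf(inside, sizeof inside, "%s/inside.txt", share);
    snprintf(p, sizeof p, "%s/p", share);
    snprintf(in_link, sizeof in_link, "%s/in_link", share);
    if (mkdir(share, 0700) || put_file(secret) || put_file(inside) ||
        symlink(secret, p) || symlink("inside.txt", in_link))
        return -1;

    if (try_open(share, "inside.txt", 0)) bits |= 1;   /* plain file      */
    if (try_open(share, "in_link", 0)) bits |= 2;      /* link inside: ok */
    if (!try_open(share, "p", 0) && errno == EACCES) bits |= 4;
    if (try_open(share, "inside.txt", 1)) bits |= 8;   /* unix ext, file  */
    if (!try_open(share, "in_link", 1) && errno == ELOOP) bits |= 16;

    unlink(p); unlink(in_link); unlink(inside); unlink(secret);
    rmdir(share); rmdir(base);
    return bits;
}

int main(void)
{
    printf("demo bits: 0x%02x\n", demo());
    return 0;
}
```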
Re: Patch for unix extensions
On Tue, 2002-12-31 at 03:29, [EMAIL PROTECTED] wrote: Sorry, I have some problems with this patch. It allows a client to add a symlink to a Samba share which points to a file elsewhere on the server disk. For example : create a symlink from /home/myhome/p -> /etc/passwd. Now as Samba resolves names on the *server* not the client, anyone opening /home/myhome/p using smbclient or a Windows client will get /etc/passwd. This (IMHO) is not desirable. Jeremy, in case of unix extensions, shouldn't we pass the symlink as is and not resolve it? We may have a parameter that when set permits link creation and also returns links as is instead of resolving them. I think a proper unix-like file system should be able to return links. Simo. -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: BUG, PATCH: Signed/unsigned mismatch causes Samba to miss disk-full condition.
Thank you, I've fixed it in HEAD, 3.0 and 2.2 cvs branches Simo. On Tue, 2002-12-31 at 10:07, Ray Simard wrote: This was discovered, and the correction tested, on a, i386 Linux box, kernel 2.4.18. Samba version is 2.7.7a, patched from 2.2.6 pristine source. In smbd/reply.c reply_writebraw: The return value from write_file is compared to numtowrite, an unsigned value. If the write failed, returning -1, the comparison sees it as the max unsigned value, and the failure isn't detected. The Windoze box user sees no write error, but the file later turns out to have zero size or content. Later on a debug message about a presumed mis-estimate of the write size is logged at level 3 or above, but otherwise ignored. This mismatch is apparently an oversight, since similar writes and checks elsewhere in the same file properly cast the unsigned numtowrite to signed before checking. This merely brings this case into agreement with them. The FIXME? message is just a suggestion to handle the off chance that future changes to the code might cause some confusion there. No code changes there. This change has been compiled and tested, and works as expected. (If this isn't the right way to submit a patch, please enlighten me. This one is so short that I don't imagine it should be a problem.) --- reply.c Tue Dec 31 00:45:00 2002 +++ reply.c Tue Dec 31 00:48:27 2002 @@ -2673,5 +2673,5 @@ fsp-fnum, (double)startpos, (int)numtowrite, (int)nwritten, (int)write_through)); - if (nwritten numtowrite) { + if (nwritten (ssize_t) numtowrite) { END_PROFILE(SMBwritebraw); return(UNIXERROR(ERRHRD,ERRdiskfull)); @@ -2707,5 +2707,5 @@ exit_server(secondary writebraw failed); } - +/* FIXME? Pedantically defensive progrmming might call for a second check for (nwritten 0) here. */ if (tcount nwritten+numtowrite) { DEBUG(3,(Client overestimated the write %d %d %d\n, Ray Simard [EMAIL PROTECTED] -- Simo Sorce- [EMAIL PROTECTED] Samba Team- http://www.samba.org Italian Site - http://samba.xsec.it
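Review bot: In the first hunk (reply.c @@ -2673), the `(ssize_t) numtowrite` cast catches the -1 return from write_file only as long as numtowrite itself fits in ssize_t; a value above that range turns negative after the cast and the comparison goes wrong in the other direction. Testing nwritten for a negative value explicitly, ahead of the size comparison, would keep the failure path independent of the cast. The branch also reports ERRdiskfull for every failed or short write, which deserves a one-line comment since the message describes it as a disk-full fix.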
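Review bot: The second hunk (reply.c @@ -2707) replaces a blank line with a FIXME comment that names a missing check on nwritten but adds no code, so the `nwritten+numtowrite` sum in the following test is still computed from an unchecked value. Either add the check there or leave the comment out of the patch and raise it in the mail instead; if the comment stays, "progrmming" should read "programming".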
Re: pdbedit segfaults in SAMBA_3_0
On Sat, 2002-12-21 at 22:26, Bradley W. Langhorst wrote: On Tue, 2002-12-17 at 04:06, Simo Sorce wrote: Can you send a backtrace? Mine does not segfault (though I'm using head not 3.0) Simo. simo: how are you testing it? I just rebuilt from SAMBA_3.0 (no debian patches or anything) when i type pdbedit it segfaults however if i provide a username it seems to work okay. (which makes sense given the backtrace...) I think it just needs this patch (or something like it that fits with how you all do things). It seems this one has been fixed in HEAD: if (user_name == NULL) { user_name = poptGetArg(pc); } -- Simo Sorce - [EMAIL PROTECTED] Samba Team - http://www.samba.org Italian Site - http://samba.xsec.it
Re: Bug in reply_write_and_X?
On Wed, 2002-12-11 at 03:24, Conrad Minshall wrote: My client maps NT_STATUS_DISK_FULL to EFBIG, but really this should be done by observing some Windows server. With W2K/NTFS I had no success - using SMB_SET_FILE_END_OF_FILE_INFO doesn't generate a sparse file so I fill up the disk before hitting any filesize limit. Maybe setting FILE_ATTRIBUTE_SPARSE would do it. Another approach... is there a Windoze/filesystem combo with a filesize limit of 4G or less? That would make this easy. Try with a FAT filesystem, it should have a limit of 2 or 4 GB Simo. -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: patch submission procedure help
Scott, samba-technical is ok for patches, but please send them in diff -u format next time, so that they are easier to handle. Simo. On Wed, 2002-12-11 at 21:05, Scott Hammond wrote: Hello, I'm a newbie developer and I've submitted a patch to this list a few days ago. Is this the best method to submit fixes, or what procedure should I follow? Will someone review my fix and add it to the code? http://lists.samba.org/pipermail/samba-technical/2002-December/041226.html Thank you, Scott -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: A registry editor taking shape ...
On Mon, 2002-12-09 at 10:56, Richard Sharpe wrote: Hi, A registry editor, editreg, is slowly taking shape in Samba-head. The goal is to be able to do things like: - delete keys and values - add keys and values - change keys and values - Change the SIDS/SecDescs applied to keys. - write out the changes tree - create a tree from scratch A very nice tool, it will be. What would be useful is some thoughts on how the interface should be constructed, as in command-line, or a .reg file of commands, etc. I would say: both. And maybe it would be very nice if you can make out of it a library like in the case of smbclient so that a gtk interface similar to regedit can be built. :-) Simo. -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: Handling of 8,3 names on a NetApp
Seems a poor hashing algorithm like the one present in w2k. Simo. On Tue, 2002-12-03 at 07:19, Richard Sharpe wrote: Hi, It seems that netapp generates something approaching line noise for 8,3 names after a certain number of names that differ after char 8 have been created: smb: \usr10\home\rsharpe\ntap\ altname thisisalong.fil THISIS~1.FIL smb: \usr10\home\rsharpe\ntap\ altname thisisalona.fil THISIS~2.FIL smb: \usr10\home\rsharpe\ntap\ altname thisisalonb.fil THISIS~3.FIL smb: \usr10\home\rsharpe\ntap\ altname thisisalonc.fil THISIS~4.FIL smb: \usr10\home\rsharpe\ntap\ altname thisisalond.fil THISIS~5.FIL smb: \usr10\home\rsharpe\ntap\ altname thisisalone.fil ~CVWO000.FIL smb: \usr10\home\rsharpe\ntap\ altname thisisalonf.fil ~DVWO000.FIL smb: \usr10\home\rsharpe\ntap\ altname thisisalonh.fil ~EVWO000.FIL Regards - Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, sharpe[at]ethereal.com, http://www.richardsharpe.com -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: dir_check_ftype fixes??
I also have a bug report about problems with xcopy and 2.2.7 I think we should really check if it is something we break. Simo. On Mon, 2002-12-02 at 13:02, [EMAIL PROTECTED] wrote: Hi, Steve all! In dir.c Jeremy added the following fix: revision 1.48.4.21 date: 2002/09/10 01:58:58; author: jra; state: Exp; lines: +18 -3 Added final Steve French patch for requiredattributes with old dir listings. Added regression test in smbtorture (in HEAD) also. Jeremy. I have a case where this breaks an unattended w2k install, or shorter: an xcopy /S. What were you trying to fix, and what happens if I back out this? Volker -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: 2nd attempt: Modify location of printerdriverfiles
That would change nearly nothing, because the printer drivers will be copied in the same structure on the client and there you will find the same naming problem. It is a known windows problem (just faced some days ago with drivers for 2 HP laser printers on a windows 98 :-/) If the Printer Manufacturer tells you so she is both right and wrong. Right it is an OS problem, A windows OS problem. Wrong the manufacturer must know this issue and try not to make drivers with overlapping names. However you may try just a workaround. If any of your clients will use only one printer, you may try some symlink + macro expansion tricks to use different directories, but it may not work or corrupt badly your printer settings and printing related tdb file, so at your own risk: - you may use a macro expansion on the print$ share path and then make a number of directories that match that macro expansion eg: path = /usr/share/samba/%G/drivers and have a pool of printers per group or other parameter. Simo. On Thu, 2002-11-28 at 11:21, Kätzler, Ralf wrote: Hi! Maybe this time someone can give me a hint - or is my english that bad - so that nobody can catch the point - or my question is posted to the false list? Please each answer is welcome! Thank you! Hello, Samba-Team, hello samba-freaks! My question/problem: I like to use a samba-server as printer-server for about 500 users with ~ 40 different printers. The client OS is NT4 or XP. The problem I encountered is that there are printerdrivers out there which use for different models dlls with the same name but the dlls are not compatible - great!! - ! So only the last installed printer works flawless, because the dll for the other model is overwritten during driverinstall. My question: Is there a tool, which allows safe tampering with the *.tdb, to change the path to the driverfiles or to change the behavior to rpc getdriverinfo? This way it would be possible to create an own driver-directory-structure and all those printerdriver related problems are gone... Greetings Ralf Btw.: Redhat 8.0 and latest Samba. Calling the printer manufacturer is hopeless. The only answer I got is: This must be a problem with your OS... thanks for your help. :( Greetings Ralf -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: RE RE: 2nd attempt: Modify location of printerdriverfiles
Uhm, not sure either if this will work, but you could try to use %S as substitution. This way you may have a directory for each printer name ... of course if you rename a printer you may get into trouble, but it is unlikely that you like changing printer names every day :-) Here is a list of macros you may think to try:

These substitutions are mostly noted in the descriptions below, but there are some general substitutions which apply whenever they might be relevant. These are:

%S  the name of the current service, if any.
%P  the root directory of the current service, if any.
%u  user name of the current service, if any.
%g  primary group name of %u.
%U  session user name (the user name that the client wanted, not necessarily the same as the one they got).
%G  primary group name of %U.
%H  the home directory of the user given by %u.
%v  the Samba version.
%h  the Internet hostname that Samba is running on.
%m  the NetBIOS name of the client machine (very useful).
%L  the NetBIOS name of the server. This allows you to change your config based on what the client calls you. Your server can have a dual personality. Note that this parameter is not available when Samba listens on port 445, as clients no longer send this information.
%M  the Internet name of the client machine.
%N  the name of your NIS home directory server. This is obtained from your NIS auto.map entry. If you have not compiled Samba with the --with-automount option then this value will be the same as %L.
%p  the path of the service's home directory, obtained from your NIS auto.map entry. The NIS auto.map entry is split up as %N:%p.
%R  the selected protocol level after protocol negotiation. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1.
%d  The process id of the current server process.
%a  the architecture of the remote machine. Only some are recognized, and those may not be 100% reliable. It currently recognizes Samba, WfWg, Win95, WinNT and Win2k. Anything else will be known as UNKNOWN. If it gets it wrong then sending a level 3 log to [EMAIL PROTECTED] should allow it to be fixed.
%I  The IP address of the client machine.
%T  the current date and time.
%$(envvar)  The value of the environment variable envvar.

There are some quite creative things that can be done with these substitutions and other smb.conf options.

On Thu, 2002-11-28 at 12:16, Kätzler, Ralf wrote: I think the workaround will not work. I can't predict which user on which machine will use which printer. Our users have in most cases max. two network printers connected - for our luck long physical ways prevent the need to connect to more printers. We have created a small script which erases all printer-related registry-entries and files on the client. A user or admin can run this script and the client is clean for a new printer-installation. This way we work around the naming-problem on the client. (The users *theoretical* know which printers cannot be installed at the same time). Of course this works not on the printserver :)). If there is no other solution, we have to fight another skirmish with HP ... maybe we can convince them to take more care when naming their files.. ... on the other hand maybe someone is happy to implement the needed variables to the samba-core?? :) The motto would be: Power is nothing without control Simo: Thanks for your answer. Have a nice day. Ralf -Original Message- From: Simo Sorce [mailto:[EMAIL PROTECTED]] Sent: Thursday, 28 November 2002 11:34 To: Kätzler, Ralf Cc: [EMAIL PROTECTED] Subject: Re: 2nd attempt: Modify location of printerdriverfiles That would change nearly nothing, because the printer drivers will be copied in the same structure on the client and there you will find the same naming problem. It is a known windows problem (just faced some days ago with drivers for 2 HP laser printers on a windows 98 :-/) If the Printer Manufacturer tells you so she is both right and wrong. Right it is an OS problem, A windows OS problem. Wrong the manufacturer must know this issue and try not to make drivers with overlapping names. However you may try just a workaround. If any of your clients will use only one printer, you may try some symlink + macro expansion tricks
Re: Problemas
For help requests please write to [EMAIL PROTECTED] mailing list and possibly write in english, you will have higher probability that someone will be able to read and understand your question. I'm Italian, but my knowledge of spanish (portuguese?) is not good at all and I do not think I understand the question in depth. regards, Simo. On Tue, 2002-11-26 at 07:35, Ivan Malecki wrote: I have a Samba PDC on the network, and the computers are running w2k. My problem is that I have them all in one domain, and when I want a w2k machine to join the domain, it won't let me. I read that this could not be done until the Samba TNG version, but I don't believe it; I think it is just a trust relationship problem. I am copying the Samba global section for you to look at.

[global]
#Security
security = domain
encrypt passwords = yes
status = yes
password server = Oktopus Escaliburd
nt acl support = yes
#OS level and password authentication programs.
os level = 85
smb passwd file = /etc/samba/smbpasswd
passwd program = /usr/bin/passwd %u
#Workgroup and domain parameters
workgroup = vuelolibre
domain logons = yes
domain master = yes
#WINS server support
wins support = yes
#Log configuration
log level = 2
log file = /var/log/samba.log %m
max log size = 2000
debug timestamp = yes
#Automatic user creation configuration
add user script = /usr/sbin/adduser -n -g machines -c machine -d /dev/null -s /bin/false %m$

-- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: vfs interface - ioctl question
On Mon, 2002-11-25 at 23:52, Anu Engineer wrote: Hi, I have been looking at the SAMBA VFS layer, and I have a request for a function to be added to the interface. I would like to propose an ioctl like function where file system defined parameters can be passed back and forth between SAMBA and physical file-system. This will be useful in cases where the file system supports some features over and above ordinary Unix file systems. For example, Creation Time, if we have an ioctl call we can use that to set and get creation time on files with minimum modification to samba. The right thing is to support all the features an NTFS supports. We are already planning to radically change the interface to be more flexible and, above all to make the ntfs-posix translation a module so that it can be replaced for richer or different than posix file systems. I propose something of the form int vfs_ioctl( struct connection_struct * conn, struct files_struct * fsp, ...); or something like int vfs_ioctl ( struct connection_struct * conn, struct files_struct * fsp, ulong cmd, void * inbuf,size_t in_size, void* outbuf, size_t out_size). of course I realize the nightmare of maintaining an IOCTL list, but I am hoping in the case of SAMBA it would not be as bad as something like an OS, and this feature will be used to add extensions to SAMBA so that the capabilities of underlying file systems can be reflected more accurately in SAMBA. I'm not sure this is a good idea. How would you like to use these ioctl then? Simo. -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: witch dialect i can use
On Fri, 2002-11-22 at 04:50, Christopher R. Hertel wrote: Ick. A server? Pocket PC doesn't come with server software? How odd... I want to run this server on raw TCP/IP at port 445,I want this server to have the following Function: 1 It can announce itself in the lan network.. In which way? If you are running on port 445 (naked TCP transport) then you probably don't want to announce to the old-style browse lists. You'll need to figure out how a service announces itself to Active Directory. This way you will never be able to communicate to an XP Home, Windows 9x or Windows NT OS and in a home environment or a business environment that is based on NT4 Domains, Novell NDS, iPlanet directory services, samba domains, simple workgroup ... 4 Explore in the shared tree.( support find first / find next operation ) 5 Support common file operation Client can copy , move create file or directories on the server get file information etc. If you are writing a server, consider the clients. Many of them will be Windows boxes (although, if you are running on port 445 only then you can forget about W/9x, W/NT, and possibly W/Me... as far as I know the only Windows clients that can talk to 445 are W2K and WXP). -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: Write down the migration document
If you're not in a hurry wait for samba 3.0, otherwise you may use pwdump plus the utility richard sharpe has just released to change the SID in the profiles to have a smoother transition. Btw you cannot yet move only the PDC or the BDC to samba, it is an all or nothing situation. On Fri, 2002-11-08 at 18:10, Tommaso Di Donato wrote: Hi to all! First, thank you very much to all of you for your work... Now, let's talk about serious things... ;) I'm working to migrate my Microsoft NT4 PDC (and possibly also the BDC) to a Samba server.. In the past I did a lot of tests, using stable versions... It worked perfectly for network in which clients were Win98 only! But if I want to migrate win2k clients, things are not so easy... I would like to make everything as transparent as possible for the clients (my lan at work is about 100 win2k...I can't change them one by one by hand...) So, now I downloaded samba3.0alpha20, and I prepared a small LAN to test the things out... If I can do the trick, I would like to write down a small paper (how I did it, directly from Frankenstein Jr).. Can someone help me? For Samba 2.2.x I used pwdump to extract user and machine accounts, pstools to grab domain sid, etc. But when I log on a Win2K, I can't use my old profile (because of RID, I think). Lurking and asking, I discovered that there is a command, net rpc vampire, that should extract all the infos from the old PDC. Is it right? If so, what are the steps? I can't find the syntax for the command in man pages... thank you very much, to all of you. Bye Tommaso Di Donato -- Simo Sorce - [EMAIL PROTECTED] Samba Team - http://www.samba.org
Re: net rpc vampire migration
Richard, do you confirm NTUSER.DAT files work ok after that change? Simo. On Tue, 2002-11-05 at 18:56, Richard Sharpe wrote: On Tue, 5 Nov 2002, Guillaume LACHENAL wrote: I've just downloaded HEAD from cvs and code is currently under compilation on my personal testing box (no hardware at work, it s a pity ...) Just one question while my P200 is under heavy load : does the vampire code allow a migration of computer accounts ? That is what it is for. You might also be interested in the profiles tool I put up recently which seems to allow you to fix NTUSER.DAT so that it has the correct SIDs. Regards - Richard Sharpe, [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], http://www.richardsharpe.com -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: Samba PDCs/BDCs and Trusts WAS: auth to two diff PDCs? (success, sort of)
There's another poor man's way. Use the classic smbpasswd file and use rsync to sync the file periodically with a cron (of course you'll miss the ability to have things promptly synced but generally this is a good enough solution for many environments). Simo. On Tue, 2002-10-29 at 17:23, Steve Langasek wrote: On Tue, Oct 29, 2002 at 11:10:22AM -0500, Collins, Kevin wrote: Steven Langasek wrote: Having one PDC and two BDCs also gives you greater fault-tolerance than having three domains with a single PDC each. Samba+LDAP can give you this fault tolerance; it can't give you trust relationships today, without a lot of finagling. Steve Langasek postmodern programmer I understand the role of/need for the BDC, I'm just concerned about flooding the WAN connections with replication traffic and not being able to send things like e-mail or project files. I can control the replication in NT, but I need to know if I can do the same in SAMBA. With all the tweaks god knows there should be. :-) The only pre-packaged BDC implementation for Samba that I know of is based on LDAP. With LDAP, only changes are replicated across the link, so you have no excess traffic associated with keeping the DCs in sync. Samba sorta skipped over the NT4 technology and went straight to an ActiveDirectory approach to management... :) I've thought about the LDAP course too but haven't given it enough serious thought yet. You know of a good HOWTO? There is a Samba-PDC-LDAP HOWTO included with the Samba documentation. You can also find Ignacio Coupeau's step-by-step guide at http://www.unav.es/cti/ldap-smb/ldap-smb-2_2-howto.html. Steve Langasek postmodern programmer -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: Winbind doesnt enumerate more than one group from an AD domain
On Fri, 2002-10-25 at 21:55, Gerald (Jerry) Carter wrote: Domain local groups existed under Windows NT 4.0. They were just available among DC's of the domain. See my other post in response to JF. To my knowledge (derived from some doc on msdn) they are a different thing. local groups (same as NT) do exist in w2k and are different from domain local groups. I'm sorry I'm not able anymore to find the article on msdn :-( Simo. -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: why doesn't the kernel enforce oplocks? (was: Re: [Samba] Re:How Samba let us down)
On Thu, 2002-10-24 at 20:48, Ben Johnson wrote: samba and vi aren't written to cooperate for example. should these be written to cooperate? that would mean the authors of each would have to cooperate. it seems like it would be easier to have the kernel force cooperation. By cooperation jra means they should use locks the right way. And then the kernel forces cooperation. I dunno if vi cooperates, but samba surely can cooperate, as samba respects locks. Simo. -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: SMBClient - Messenger service
We are always interested in things that add functionality into samba. If you wish to send some patches we can look at, you are welcome. Simo. On Tue, 2002-10-22 at 16:56, David Lee wrote: Why SMBClient sends winpopup messages with multi-block message, and not single block message Where I use multi and where I use single message block??? The single-frame version can only send a short message (less than 128 bytes), whereas the multi-frame version allows up to 1600 bytes total. See the description of the File Sharing Protocol. (Use Google to search for INTEL Part Number 138446.) Over the last couple of years I have looked at generalising this code in Samba, and made some progress. (In a test implementation, I was able to use UNIX commands such as wall and write to produce WinPopup messages on the client PCs.) This required extracting, and altering, some code from smbclient, but this can be done in a re-useable way. If someone of the Samba Team is willing to facilitate this, I'll willingly submit the changes I made as a possible starting-point. -- David Lee, Systems Programmer, I.T. Service, Computer Centre, University of Durham, South Road, Durham, U.K. http://www.dur.ac.uk/t.d.lee/ Phone: +44 191 374 2882 -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: Coming round to SURS...
On Tue, 2002-10-22 at 20:02, Luke Kenneth Casson Leighton wrote: i have a question for the people who sponsor the samba team. when are you going to realise that your money is being wasted by not sponsoring me as a design architect on NT compatibility software suites for unix? Probably you should understand that people may be interested in other features and not sponsoring this particular part of the code. here - yet again, another demonstration of how much money you have been wasting. Well let's look at the TNG printing code status ... hopefully this time this really new proposal - i.e. yet ANOTHER idea and proposal introduced by me almost three years ago - will actually get done, and done properly. This is NOTHING new Luke, we have known the SID-[g,u]id mapping problems for a long time, the fact that you formalized the problem does not change the problem. I just double checked your draft, and it is just nice useless wording that shows the problem but never even proposes an implementation, you always write that implementation is not in the scope of the document. We have not implemented what you call SURS part because of lack of time being busy implementing other more important parts of samba, and part because we wanted to get it right (and we thought your implementation was not). The api proposed by metze is just an api proposal to finally start coding it having found a way to implement it the right way as we finally have found what seems the right way to do it, taking in account all limits and trying to find out the best compromise. This is the part that asks for more hard work. Plus we have not limited ourselves to solve the problem locally, but to solve the problem in a distributed environment. You may claim you have told there was a problem 3 years ago. Well that's true, nobody says different. Problem is that solving it 3 years ago was not possible to do properly, too many pieces of code were missing or were not stable and usable at a point that implementing it 3 years ago would have simply been a waste of time. with sincere esteem, Simo. -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: apologies
On Fri, 2002-10-18 at 13:23, Stefan Metzmacher wrote:
if someone has 27.000 users and these users may access to any computer in 10 domains, and one (sub)tree is required for domain, then we enforce to maintain 270.000 accounts... 27.000 per domain, and this may be a pain... is a real case.
Do you want that every user is in every domain? and only non_unix_account users are in one domain?
Ever heard of trusted domains??
-- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: file locking question: Unix/NT environment
It really depends on which OS you are using. Currently only linux 2.4.x (with x something than 4 I think) and IRIX latest kernels have support for kernel oplocks and the ability to share locks between samba and nfs.
On Sat, 2002-10-19 at 00:28, Jinhai Yang wrote:
We have some files on a Unix/Samba server which the users can access from both the Unix side and Windows NT side. We'd like to implement file locking on these files for client applications which could run from both the unix boxes and the NT boxes. However, I cannot seem to get it right.
On NT, we used:
    ... _locking( fd, LK_LCK, 100L ); ...
On Unix, we used:
    ... fcntl(fd, F_SETLKW, fl); ...
The NT clients can lock out each other, the Unix clients can also lock out each other. However, a NT client CANNOT lock out a Unix client, and vice versa. Am I using the right call? Is there something I missed? Or is there something in samba.conf I should tweak? I'm fairly new to Samba, thanks for any help.
- Jinhai Yang Triant Technology Inc.
-- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: [Samba] upgrade to 3.0alpha20: accented chars in filenames unreadable
This is the proper way! If you have to maintain compatibility, you set the unix charset to be a code page instead of unicode. Or you mean you want a way to make samba recognize which kind of charset has been used previously and support both the former and utf-8 at the same time?
Simo.
On Thu, 2002-10-17 at 09:48, Louis-David Mitterrand wrote:
On Wed, Oct 16, 2002 at 05:03:01PM +0200, Ignacio Coupeau wrote:
the samba share; and the filename is impossible to modify from windows: samba log says file not found. From the shell the file looks like r?sum?.xls but the ? are actually 0x83.
In a hurry I used unix charset = CP850 http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html#internationalization this solved our problems (redhat 7.2; samba-3.0a20) for example in the profile load on the spanish xp (ie Start menu--menú Inicio).
Thanks for sharing this. It certainly is an excellent stopgap measure, until proper filename conversion can be done. The best way, if possible, would be to retain backward compatibility for reading samba-2.2.x filenames (as with unix charset) while having new or modified files written in unicode (or whatever the default in samba-3.x). BTW: keep up the great job on your smb-ldap howto, it is a precious resource.
Cheers,
-- PANOPE: Au Prince votre fils l'un donne son suffrage, Madame ; et de l'Etat l'autre oubliant les lois, Au fils de l'étrangère ose donner sa voix. (Phèdre, J-B Racine, acte 1, scène 4)
-- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: Commit my stuff to 3.0?
On Mon, 2002-10-14 at 09:05, [EMAIL PROTECTED] wrote:
Yes, we need a simple solution, but I'm not sure there is one...
Seeing all these Problems I am now not sure if removing all the dependencies on algorithmic mapping is a good idea. I'm currently looking at the code from a different perspective: All this mess came up for the vampire stuff. So, why not treat these RIDs as the exception, and really go for the algorithmic mapping as the rule. I know, I have argued very strongly against that, but it might only have been because I did not see all the consequences. The code probably would have to be cleaned up, but it might simplify a lot.
No, algorithmic mapping is only a source of problems. It is easy to implement but does not scale at all. There are no many parts in the code that assume algorithmic mapping and an idmap is all we need. Btw, this issue existed for months before the vampire (eg. cifs 2001 at least), vampire is only the last one.
Simo.
-- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: Commit my stuff to 3.0?
On Mon, 2002-10-14 at 11:54, Volker Lendecke wrote:
On Mon, Oct 14, 2002 at 10:09:36AM +0200, Jean Francois Micouleau wrote:
so I propose to map the users to the normal domain SID (S-1-5-21-x-y-z) and create their accounts with the ACCOUNT_DISABLED flag.
I hesitated to do that, but I also like this idea. I already implemented it for groups, so why not for users as well. Work to do :-)
that's the way to go.
simo.
-- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: Commit my stuff to 3.0?
On Sun, 2002-10-13 at 15:43, Andrew Bartlett wrote:
Well, we operate in 2 fundamentally different modes: Winbind based users are fixed in SID, and we set the UID/GID. Unix based users are fixed in uid/gid and we allocate the SID. I think this is what metze was meaning.
but it is the wrong approach imho, we should really push for winbind, however when for any reason winbind is not available, we should still use idmap to solve sids-uids only the admin will be forced to do the mapping by hand with a tool like smbgroupmapping that currently we use for groups. I really think that until the admin does not map the users, the unmapped uids should simply not be mapped, and an error sent into the log (we may also think of an automatic mapping for NAS products, and lazy admins ;)
Simo.
-- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: Commit my stuff to 3.0?
We have many of these problems already, but they get worse when allocated RIDs are the norm, rather than the exception. Perhaps we should move SID-uid and uid-SID stuff into a separate module? This was something we were looking at for the 'new SAM', but maybe we need it sooner. (It is not dependent on the rest of the work).
I remember the word SURS ;-) I think this would not help. We will never be perfect NT, we will always have rough edges. But at least if the behaviour is known and documented, I would be happy. I need to *explain* that stuff to people sitting in courses. For this simplicity is really important.
Yes, we need a simple solution, but I'm not sure there is one...
Isn't idmap the right place to go?
-- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: Commit my stuff to 3.0?
On Sun, 2002-10-13 at 15:13, Stefan (metze) Metzmacher wrote:
I think idmap is the right place. we should move it from nsswitch to an own directory and make it pluggable. (See Roadmap of 3_0: it is needed)
I'm not sure we need it to be pluggable, please explain the benefits.
And let it map sid - u/gids and u/gids - sid. Maybe let it hold two contexts:
why??
1. for all trusted domains (and our domain if we are a member server) uses winbind uid = winbind gid = to export mapping to unix (nss_winbind) and samba
2. for our local sam (which is also the domain sam if we are a DC) uses idmap uid = idmap gid = to export mappings to samba (and maybe later also to unix via winbind)
Makes no sense, we need only a single idmap that handles all sid-[u,g]id [u,g]id-sid, splitting it into pieces is the most wrong thing we may do.
Simo.
-- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: Commit my stuff to 3.0?
On Sun, 2002-10-13 at 14:58, Andrew Bartlett wrote:
Simo Sorce wrote:
Isn't idmap the right place to go?
I think so. And I think we can construct one that makes sense for admins. For example, we could construct an LDAP based one that uses the uidNumber on the user's LDAP record.
I would only ask you to take into account we must have a generalized way to do it that does not rely on ldap, but can use different methods.
We might end up doing this via the passdb interface (despite the fact I was really hoping to move unix stuff out of there) because I found the performance issues surrounding the current stuff to be problematic. :-(
can you explain, this phrasing is cryptic to me.
Whatever we do, uid-sid and sid-uid needs to be a single lookup.
you mean we have to be sure we do a single query to idmap? or something else?
idra: you proposed (and even added) these to the passdb API a little while back. Do you think that's still a viable solution? If we implement the 'ldap trust uids' thing (stops Get_Pwnam() inside ldap) then this would certainly scale much better than existing code.
Well as I said before we should make a generalized api, and not to be forced to use ldap. About trusting the storage I see no problems, in the case of ldap you may use it as idmap storage and implicitly trust it. But user account lookup is a minor issue imho, I do not mind if 2 calls are made (one to retrieve the account and one to retrieve the mapping), if you can optimize, then better for you. What we stress idmap with is really file system access check and ACL handling, so it needs to be *fast* (and I'm not sure ldap is the right place for that in this regard). I would like to use an internal tdb to do that, the fact that the api currently has the uid-sid sid-uid call is because at time we had algorithmic rid mapping and in the move towards free sid mapping it was an easy place to do so (and make you easy to optimize things with ldap). However in case of ldap, I would like to see a different approach for speed, I would like to see a way to use the tdb to read mappings, and a slow path in case we set a new mapping and have ldap, in this case we may set the map in ldap, and then cache it again in tdb to handle retrievals, so that only writes are slow. But to use ldap as a central storage you have to solve how to handle foreign or builtin/special SIDs!
Simo.
-- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: VFS modules?
yep, see samba/examples/VFS/ there are few modules here,
Simo.
On Wed, 2002-10-09 at 19:38, Kris Van Hees wrote:
Has anyone implemented a VFS module already? It does not seem that there are any as part of the CVS HEAD version, and I could not find a reference to any on the web site.
Kris
-- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Gums (Groups and Users Management System)
Hi list, my work is reaching a point I want to start receiving comments before I put more effort into it. As said on some sources, I was not satisfied with how the new sam interface was coming out, and wanted to explore a slightly different path. But I have little time and can work mostly on the weekend which is already pretty busy. This means I have not put as many comments as I would have liked to put. If you do not understand why I choose to do something one way and not another feel free to ask, contribution is really welcome.
Something on the patch: The most important thing is gums.h here it is the interface I had in mind mostly. gums.c is just here to be filled. Helper.c instead is a bunch of work I've done while researching how bits are in a real PDC, so I commit it to not risk losing that work, it does include a bunch of slightly modified routines (to include talloc contexts mostly) made by jean francois that are yet in group/mapping.c, these functions should on a later date be moved to a more appropriate file like lib/util_seaccess.c or into a specific file like lib/util_secdesc.c (I vote for this one :)
Remember it is still work in progress, it is not ready even for a 0.1 version for my standards :-)
Enjoy, Simo.
-- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
diff -uPr cvs.samba.org/samba/source/gums/gums.c source/gums/gums.c --- cvs.samba.org/samba/source/gums/gums.c Thu Jan 1 01:00:00 1970 +++ source/gums/gums.c Thu Oct 3 16:47:03 2002 
@@ -0,0 +1,86 @@ +/* + Unix SMB/CIFS implementation. + Grops and Users Management System initializations. + Copyright (C) Simo Sorce 2002 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include includes.h + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_GUMS + +#define GMV_MAJOR 0 +#define GMV_MINOR 1 + +static GUMS_FUNCTIONS *gums_functions; +static void *dl_handle; + +PRIVS privs[] = { + {SE_PRIV_NONE, no_privs, No privilege}, /* this one MUST be first */ + {SE_PRIV_ADD_MACHINES, SeMachineAccountPrivilege, Add workstations to the domain }, + {SE_PRIV_SEC_PRIV, SeSecurityPrivilege, Manage the audit logs }, + {SE_PRIV_TAKE_OWNER, SeTakeOwnershipPrivilege, Take ownership of file }, + {SE_PRIV_ADD_USERS, SaAddUsers,Add users to the domain - Samba }, + {SE_PRIV_PRINT_OPERATOR, SaPrintOp, Add or remove printers - Samba }, + {SE_PRIV_ALL,SaAllPrivs,all privileges } +}; + +NTSTATUS gums_init(const char *module_name) +{ + int (*module_version)(int); + NTSTATUS (*module_init)(); + gums_module_init module_init; + NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; + + DEBUG(5, (Opening gums module %s\n, module_name)); + dl_handle = sys_dlopen(module_name, RTLD_NOW); + if (!dl_handle) { + DEBUG(0, (ERROR: Failed to load gums module %s, error: %s\n, module_name, sys_dlerror())); + return NT_STATUS_UNSUCCESSFUL; + } + + module_version = sys_dlsym(dl_handle, 
gums_version); + if (!module_version) { + DEBUG(0, (ERROR: Failed to find gums module version!\n)); + goto error; + } + + if (module_version(GMV_MAJOR) != GUMS_VERSION_MAJOR) { + DEBUG(0, (ERROR: Module's major version does not match gums version!\n)); + goto error; + } + + if (module_version(GMV_MINOR) != GUMS_VERSION_MINOR) { + DEBUG(1, (WARNING: Module's minor version does not match gums version!\n)); + } + + module_init = sys_dlsym(dl_handle, gums_init); + if (!module_init) { + DEBUG(0, (ERROR: Failed to find gums module's init function!\n)); + goto error; + } + + DEBUG(5, (Initializing module %s\n, module_name)); + + ret = module_init(gums_functions); + +error: +} + +NTSTATUS gums_unload(void) { + +} diff -uPr cvs.samba.org/samba/source/gums/helper.c source/gums/helper.c --- cvs.samba.org/samba/source/gums/helper.c Thu Jan 1 01:00:00 1970 +++ source/gums/helper.c Mon Oct 7 00:36:08 2002 @@ -0,0 +1,560 @@ +/* + Unix SMB/CIFS implementation. + GUMS backends helper functions + Copyright (C) Simo Sorce 2002 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either
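Review bot: In gums_init() in source/gums/gums.c every failure path does `goto error;`, but the `error:` label is followed directly by the closing brace, so the function never returns `ret`, never releases `dl_handle` after a failed version or symbol check, and a label with no statement after it will not compile. Add `return ret;` after the label and close the handle there when `ret` is not a success status, and give gums_unload() a body that closes the handle and returns a status. `module_init` is declared twice with different types (`NTSTATUS (*module_init)();` and `gums_module_init module_init;`); keep one. `gums_functions` is a static pointer that is still NULL when it is passed in `module_init(gums_functions)`, so either allocate it before the call or pass its address so the module can fill it in. Because this function loads and runs whatever `module_name` names, a comment stating where that name may come from would help the next reader.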
Re: [PATCH] sam backend parameter
On Thu, 2002-10-03 at 03:01, Andrew Bartlett wrote:
Simo Sorce wrote:
Plus I have some questions about the current sam interface: - what is all the context thing needed for?
I don't like global variables, and this allows us to construct separate contexts for operations like sam2sam, and testing, without fiddling with global variables.
There's no problem in having global variables, provided they are used correctly. Insisting to not use them in any case just as a preconcept is as wrong as using them too much. It is all a question on how and where you use them. sam2sam operation does not need access checking and interface virtualization, it is an administrative task only anyway, try to put sam2sam above the sam interface instead of making it directly connect to the backends is just a bad idea, it add complexity and potential problems and gain nothing, imho. And sam2sam is the only case where it could be useful to have 2 backends loaded at the same time. So it is perfectly possible to make its own init function that load 2 backends into 2 local (to samedit) variables, while still loading the sam backend into a global variable used by the sam interface inside smbd.
- what is the handle thing needed for ?
Same as the SAM_ACCOUNT in pdb.
If it's a SAM_ACCOUNT then call it with its name. Also I really do not like the private substructure. We are all adult and vaccinated, and must trust each other ability to code and use internal structures properly, trying to say: I do not trust other coders is not a bright move imho, add unneeded complexity, SAM_ACCOUNT structure directly will do so regardless if there's a thing called private or not. Adding this layer only makes the interface a lot more heavier and trickier, make code slower (adds a function call for each parameter to be set into a structure) and the sam interface a lot bigger. Effort should be spent to educate other programmers to use the thing the right way by writing documentation, not by setting artificial barriers.
- what is access desired meant to do ? Authorization is a different thing than storage, a backend is a storage!
The SAM interface layer is the 'choke point'. If we do not want nasty races, then we must retrieve things like the security descriptor with the data it applies to. This implies that the ACL checking code must reside either in the SAM backend, or the SAM interface. If we export it above this layer, we *will* get places where we don't check it properly.
It must be in the Interface, putting it on the backend is the wrong move for many reasons:
- code duplication, you have to implement the access checking into every backend.
- code review, authorization is a critical part of the security in samba, if you have to double check every module to be sure it does things the right way, you simply castrate the potentiality of a loadable module interface, as you put too much responsibility on independent module coders.
- consistency every change you need to make to the access checking code, must be made to any module and will make out of sync any modules not under your control, increasing the module versioning nightmare.
- races may be easily solved supporting locks on the backend.
- why do we insist to have a thing called unix accounts? It just does not make sense to me. We need real users/groups mapping instead (opposed to created on the fly by winbind based accounts).
I'm not sure what you mean here - the current code doesn't even know about unix accounts.
They are present in pdb, and I remember at some point of the discussion we had on IRC someone claimed that multiple modules were also a way to solve the unix accounts problem like done in with pdb backends. What Instead I think is that we should not treat unix accounts in any special way, but instead we need to map them to normal users when they are present, if a user does not have a local unix user then it will be created in winbindd, otherwise the uid-SID mapping will be done so that the user is mapped on a unix user. All the mapping should consist ONLY of a SID-[u,g]id mapping imho, and we should discourage using unix groups provided from /etc/group file and use instead winbindd to provide them to the system, but still use them from /etc/group if the administrator wants to do so.
Simo.
-- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
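The point argued in the message above, that the access decision belongs in one interface layer while backends only store data, shown as an added C example (not Samba code and not part of the thread). Every name in it (sam_backend_ops, sam_iface_set_home, the ACC_* bits, the in-memory backend and its sample account) is hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical access bits and status codes; not Samba's real definitions. */
#define ACC_READ  0x1u
#define ACC_WRITE 0x2u
enum sam_status { SAM_OK = 0, SAM_NO_SUCH_USER = -1,
                  SAM_ACCESS_DENIED = -2, SAM_BACKEND_ERROR = -3 };

struct account {
    char     name[32];
    char     home[64];
    uint32_t owner_rid;     /* this RID gets read and write access */
    uint32_t world_access;  /* rights granted to every other caller */
};

/* A backend is storage only: it exposes operations, never decisions. */
struct sam_backend_ops {
    struct account *(*lookup)(void *priv, const char *name);
    int (*set_home)(void *priv, struct account *acct, const char *home);
    void *priv;
};

/* Constructed in-memory backend standing in for tdb or ldap storage. */
struct mem_backend {
    struct account accts[4];
    size_t n;
    unsigned writes;        /* how many times storage was modified */
};

static struct account *mem_lookup(void *priv, const char *name)
{
    struct mem_backend *b = priv;
    for (size_t i = 0; i < b->n; i++)
        if (strcmp(b->accts[i].name, name) == 0)
            return &b->accts[i];
    return NULL;
}

static int mem_set_home(void *priv, struct account *acct, const char *home)
{
    struct mem_backend *b = priv;
    if (strlen(home) >= sizeof(acct->home))
        return -1;          /* refuse rather than truncate a path */
    strcpy(acct->home, home);
    b->writes++;
    return 0;
}

static void demo_backend_init(struct mem_backend *b, struct sam_backend_ops *ops)
{
    memset(b, 0, sizeof(*b));
    strcpy(b->accts[0].name, "alice");       /* constructed sample account */
    strcpy(b->accts[0].home, "/home/alice");
    b->accts[0].owner_rid = 1001;
    b->accts[0].world_access = ACC_READ;
    b->n = 1;
    ops->lookup = mem_lookup;
    ops->set_home = mem_set_home;
    ops->priv = b;
}

/* Interface layer: the only place where the access decision is made. */
static uint32_t granted_access(const struct account *a, uint32_t caller_rid)
{
    return caller_rid == a->owner_rid ? (ACC_READ | ACC_WRITE) : a->world_access;
}

static enum sam_status sam_iface_set_home(struct sam_backend_ops *be,
                                          uint32_t caller_rid,
                                          const char *name, const char *home)
{
    /* The access data arrives with the record it protects, so the check
       and the write below act on the same object. */
    struct account *a = be->lookup(be->priv, name);
    if (a == NULL)
        return SAM_NO_SUCH_USER;
    if ((granted_access(a, caller_rid) & ACC_WRITE) == 0)
        return SAM_ACCESS_DENIED;   /* the backend write is never reached */
    return be->set_home(be->priv, a, home) == 0 ? SAM_OK : SAM_BACKEND_ERROR;
}

int main(void)
{
    struct mem_backend b;
    struct sam_backend_ops ops;
    demo_backend_init(&b, &ops);
    printf("owner:  %d\n", sam_iface_set_home(&ops, 1001, "alice", "/srv/alice"));
    printf("other:  %d\n", sam_iface_set_home(&ops, 1002, "alice", "/tmp/x"));
    printf("writes: %u\n", b.writes);
    return 0;
}
```

A second backend only has to supply `lookup` and `set_home`; the check in `sam_iface_set_home` is reviewed once and applies to all of them.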
Re: [PATCH] sam backend parameter
On Thu, 2002-10-03 at 07:22, Jelmer Vernooij wrote:
On Thu, Oct 03, 2002 at 12:16:53AM +0200, Simo Sorce wrote about 'Re: [PATCH] sam backend parameter':
yes a thing I'm not sure has ever been a good idea. to be able to have sam2sam that is really read a backend + store all info into another backend we may take several ways. We never need the 2 backend to be loaded at the same time to do the operation, we may easily read all the accounts change the backend and store them into the new one, or simply make custom code to load 2 different backends, and use their calls. It's easy to have 2 structures called backend1 and backend2 that holds the function pointers for 2 backends. All the context things always seemed to me overcomplicated even for multiple backend code.
the context stuff has been in passdb since the beginning and is not at all used for multiple backends - multiple backends are achieved by having multiple 'methods' structs in one context. Next to that, a 'multidb' backend will have to use multiple contexts. We don't want to spoil global name space with the variables sam_context contains. If we are removing multiple domain support, we could remove sam_methods perhaps and move all the functions in sam_methods to sam_context, but sam_context definitely has to stay...
Jelmer
Ok, I looked back at what do currently context contain in passdb (see below Appendix A). It is simply a structure containing the function pointers of the backend. Of course it needs to stay here, it only have a really bad name that make you think of a totally different thing :-) I think pdb_functions could have been a better name (no not methods, we are programming in C not in Java ;-)
Simo.
Appendix A:
    typedef struct pdb_context {
        struct pdb_methods *pdb_methods;
        struct pdb_methods *pwent_methods;
        /* These functions are wrappers for the functions listed above.
           They may do extra things like re-reading a SAM_ACCOUNT on update */
        BOOL (*pdb_setsampwent)(struct pdb_context *, BOOL update);
        void (*pdb_endsampwent)(struct pdb_context *);
        BOOL (*pdb_getsampwent)(struct pdb_context *, SAM_ACCOUNT *user);
        BOOL (*pdb_getsampwnam)(struct pdb_context *, SAM_ACCOUNT *sam_acct, const char *username);
        BOOL (*pdb_getsampwsid)(struct pdb_context *, SAM_ACCOUNT *sam_acct, const DOM_SID *sid);
        BOOL (*pdb_add_sam_account)(struct pdb_context *, SAM_ACCOUNT *sampass);
        BOOL (*pdb_update_sam_account)(struct pdb_context *, SAM_ACCOUNT *sampass);
        BOOL (*pdb_delete_sam_account)(struct pdb_context *, SAM_ACCOUNT *username);
        void (*free_fn)(struct pdb_context **);
        TALLOC_CTX *mem_ctx;
    } PDB_CONTEXT;
-- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: [PATCH] sam backend parameter
On Thu, 2002-10-03 at 08:06, Andrew Bartlett wrote:
[EMAIL PROTECTED] wrote:
Let just remove the multi-domain stuff for now and try and get 3.0 in a shippable state.
The 'new SAM' stuff is not being proposed for 3.0! Certainly not yet, we have a *lot* of work to do, before it gets there! Also, *please* don't confuse that with the multi-backend stuff. That has a very different purpose, and was not included in the new SAM design for exactly the reasons people don't want it in passdb. The use of multiple backends in passdb has acknowledged issues, and I'm not particularly fussed if you feel it should not ship with this functionality enabled. However, please do note that this *is* being used at present, and cannot be 'just removed'. (We map our non-passdb users into the system via this method). Volker has some solutions to this issue however, which look very neat. I'll need to check if they actually catch it all the cases.
So let me understand: you say sam will not be in 3.0 you see currently passdb has been made so that nobody likes it and is not good but you also say we should not end up using a correct solution because you want to maintain the status quo? We have to fix passdb or sam, just let us decide on which one we should work on or go for a third way.
Simo.
-- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: [PATCH] sam backend parameter
On Thu, 2002-10-03 at 08:47, Andrew Bartlett wrote:
[EMAIL PROTECTED] wrote:
Well it's not being used really, as it's not in a production release. We don't make guarantees until it gets into a production release. What non-passdb users are being mapped into the system via this method ? Surely as a PDC we need passdb entries for every user we're exporting ?
I mean it's being used by code. The problem is mainly on the fileserver: For the DC side of things, every user is in the SAM, or they can't really do much. But on the fileserver side, we have the problem that a user may select to view the Owner or the ACL entries of a file.
I think we should simply document the fact the admins should really map each user or groups that own files on the shares, and if they do not do it they may get in troubles. When they do not do it, I think we should simply return a simple Unknown SID allocated for that purpose. This will eliminate the problem and make us not need algorithmic mapping at all, that is however a wrong solution, as today also the uid/gid space is 32 bit as rid space so that we can go out of mapping space anyway and need to handle that situation too. Algorithmic mapping should go away completely imho.
Simo.
-- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
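The 32-bit argument in the message above, and the single explicit idmap asked for earlier in the thread, worked through as an added C example (not Samba code and not part of the thread). It assumes an algorithmic mapping of the form rid = uid * 2 + base with an illustrative base of 1000, since the thread does not give the formula; the idmap table and all function names are hypothetical, and the domain part of the SID is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ASSUMPTION: algorithmic mapping of the form rid = uid * 2 + base.
   The thread does not state the formula; the base is illustrative. */
#define ALGO_RID_BASE 1000u

/* Unchecked form: the arithmetic silently wraps modulo 2^32. */
static uint32_t algo_uid_to_rid(uint32_t uid)
{
    return uid * 2u + ALGO_RID_BASE;
}

/* Checked form: refuse any uid whose RID would not fit in 32 bits. */
static int algo_uid_to_rid_checked(uint32_t uid, uint32_t *rid)
{
    if (uid > (UINT32_MAX - ALGO_RID_BASE) / 2u)
        return -1;                      /* outside the mapping space */
    *rid = uid * 2u + ALGO_RID_BASE;
    return 0;
}

/* Hypothetical explicit idmap: one table serves both lookup directions. */
#define IDMAP_MAX 32
struct idmap_entry { uint32_t rid; uint32_t uid; };
struct idmap { struct idmap_entry e[IDMAP_MAX]; size_t n; };

/* Add a mapping; fails if either side is already mapped, which keeps the
   table one-to-one so no two accounts can ever share an identity. */
static int idmap_set(struct idmap *m, uint32_t rid, uint32_t uid)
{
    for (size_t i = 0; i < m->n; i++)
        if (m->e[i].rid == rid || m->e[i].uid == uid)
            return -1;
    if (m->n == IDMAP_MAX)
        return -1;
    m->e[m->n].rid = rid;
    m->e[m->n].uid = uid;
    m->n++;
    return 0;
}

/* Unmapped ids return -1: the caller logs it and reports an unknown
   identity instead of inventing a value. */
static int idmap_rid_to_uid(const struct idmap *m, uint32_t rid, uint32_t *uid)
{
    for (size_t i = 0; i < m->n; i++)
        if (m->e[i].rid == rid) { *uid = m->e[i].uid; return 0; }
    return -1;
}

static int idmap_uid_to_rid(const struct idmap *m, uint32_t uid, uint32_t *rid)
{
    for (size_t i = 0; i < m->n; i++)
        if (m->e[i].uid == uid) { *rid = m->e[i].rid; return 0; }
    return -1;
}

int main(void)
{
    uint32_t low = 5u, high = 2147483653u;   /* high = low + 2^31 */
    uint32_t rid = 0;
    struct idmap m = { .n = 0 };

    printf("algorithmic: uid %u -> rid %u, uid %u -> rid %u\n",
           (unsigned)low, (unsigned)algo_uid_to_rid(low),
           (unsigned)high, (unsigned)algo_uid_to_rid(high));
    printf("checked:     uid %u -> %s\n", (unsigned)high,
           algo_uid_to_rid_checked(high, &rid) == 0 ? "mapped" : "refused");

    idmap_set(&m, 1010u, low);
    printf("idmap:       second uid on rid 1010 -> %s\n",
           idmap_set(&m, 1010u, high) == 0 ? "accepted" : "rejected");
    printf("idmap:       uid %u -> %s\n", (unsigned)high,
           idmap_uid_to_rid(&m, high, &rid) == 0 ? "mapped" : "unmapped");
    return 0;
}
```

Under that assumed formula, two different uids land on the same RID once the multiplication wraps, so file ownership and ACL entries for one account would resolve to the other; the table form can only fail closed.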
Re: [PATCH] sam backend parameter
On Thu, 2002-10-03 at 12:34, Andrew Bartlett wrote:
Simo Sorce wrote:
It is all a question on how and where you use them.
^^
Except that global variables are particularly nasty in C - we don't have an autoprototyper on them, and we cannot ensure that they are correctly declared in all modules. Also, we cannot validate the input into any such variables, or assume auto-initialisation. The methods employed in the pdb and sam provide this. Honestly, it is a matter of taste. I like the way that pdb (and now the SAM code) has been constructed, and the distinct lack of 'special cases'. If pdbedit becomes a special case, then it is more likely to break. If the rest of Samba has to use that code path, then accidents are less likely to happen.
pdbedit is not a special case, it only uses the backend interface and not the sam interface, they will be both quite consistent! No better the backend interface should be even more solid and stable than sam interface as it has to deal with potentially external modules, so i really do not see pdb/sam/gums/**edit to break so easily.
        --------
        | smbd |
        --------
           |
    -----------------
    | sam interface |
    -----------------
           |
           |--| pdbedit |
      -----------
      | backend |
      -----------
Effort should be spent to educate other programmers to use the thing the right way by writing documentation, not by setting artificial barriers.
Here we disagree. I take a different approach, where I prefer to make it harder to make mistakes.
Harder to make mistake is good only when it does not imply harder to code. I abide to the Keep it Simple Stupid! religion :-)
The use of 'set' routines has also allowed us to (with minimal changes to the interface) track 'default' values for many parameters - avoiding the storage of extra (fixed) values in LDAP. I intend to expand this to every attribute for the new SAM.
The set routines may stay at the sam interface level, nobody prohibits you to use them and they are certainly appealing in some situation, even if I do not like them much and would prefer to be able to change a structure directly if I need to do it (again I have to remember we are using C not Java, and an object oriented way to do things is not always a good thing imho). Also I think it is bad you do not put extra values in LDAP, what happens if you discover you need to support that to provide some functionality? Are you going to change the LDAP schema between minor releases?
Furthermore, we use the get/set routines to allow the users of the passdb interface to get feedback on the ability to get/set *individual* elements on the SAM handle, rather than the lot.
ability to set/get individual values ? What do you exactly mean ?
I advocate strong interfaces, because I feel it assists in modular programming. By using the get/set routines, I can ensure that data is correctly 'const', for example. Finally, it allows us to strdup() all assigned strings, and ensure they are not accidentally assigned stack pointers, while avoiding memory leaks. On a project as large as Samba, I prefer all the help I can get in ensuring code quality.
You will get more quality documenting it than making barriers into it imho. I'm not saying we do not need clean interfaces, but that we should just not push too much.
It must be in the Interface, putting it on the backend is the wrong move for many reasons:
- code duplication, you have to implement the access checking into every backend.
- code review, authorization is a critical part of the security in samba, if you have to double check every module to be sure it does things the right way, you simply castrate the potentiality of a loadable module interface, as you put too much responsibility on independent module coders.
- consistency every change you need to make to the access checking code, must be made to any module and will make out of sync any modules not under your control, increasing the module versioning nightmare.
- races may be easily solved supporting locks on the backend.
We cannot assume locks in the backend. The interface is not designed in isolation - we have to work with the fact that LDAP *will* be a primary backend, and does not support this kind of locking. I prefer to create a solution that does not impose additional constraints on this.
We can of course. There are many ways to simulate locks even for ldap, as it is clear that people should not be able to change user values if not going through samba. Reading is not a problem, we only need lock on write.
Your points are very valid, and I have proposed a solution in my reply to Jerry's mail. That is, the backend can do its own ACL checks if it likes, but it passes the security descriptor
Re: Explaining the new SAM
On Thu, 2002-10-03 at 03:13, Andrew Bartlett wrote:
Jean Francois Micouleau wrote:
It's getting clear that you are reinventing something we already have. All your SAM api is simply the SAMR server pipe code. Why do you want to implement a new api as we already have one ?
I have a history of doing this - and I intend to continue...
I think jfm was criticizing the fact that you are building the interface too much close to samr one, and that we do not have the need to do so. I really do not think the jfm was proposing to use the samr interface for internal use. I agree to this vision, following too much the samr interface make us only more unfriendly to the rest of samba code, that need much greater flexibility as you recognized.
Simo.
-- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: --with-tdbsam ?
On Fri, 2002-09-27 at 03:53, Andrew Bartlett wrote: I honestly doubt tdbsam is sufficiently stable for use as a default. I think we need that kind of backend, but given its extremely limited testing, it worries me. Yes, this is circular dependency. I haven't had an extensive test setup yet, but it is now more than a year that I personally use only tdbsam and have had no problems for months! Tdbsam is not that difficult a piece of code, and most later problems have come out because of changes on other parts of samba (like SAM_ACCOUNT-private + const mess), and they are all fixed. The way the ldap stuff got around it was that we had a 'pull' from users, but users by and large don't appreciate the benefits of tdbsam, so don't go out of their way to use it. I know of users using tdbsam, simply because they _do not_ want to use ldap, but need the extended functionality of tdbsam, like setting per user home directories, profile paths, expiration times, etc ... Except we have a flag for 'password does not expire' - and we don't have a sensible way to set a negating flag 'password does expire'. Forcing that flag 'on' might be the most sensible choice, except then we get a mismatch between smbpasswd and the other backends (again...). This is a non problem, we only need to set all the defaults to behave like smbpasswd would do. So no expiration at all, the administrator will after that choose if he wants to set such policies. Simo. -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: removing group_rid from SAM_ACCOUNT rules out non-unix-accounts :-(
It seems easy, but that prevented (at least in my case) to make the system better. The way we use multiple modules in passdb is subtly broken and exposes us to inconsistency and a lot of races, and it is not nice to have races in the users database. The sam initially made a sane route and we also discussed to not permit anymore multiple backends at the same time, consistency and races were my concern, but it seems that these arguments have not stuck. I still think sam is in the wrong direction, as multiple domains will never be supported in samba so going that direction by default instead of relegating the possibility in a module is wrong imho. Plus I recently found another big problem in the interfaces that have to do with race conditions, but that's another story ... Simo. On Fri, 2002-09-27 at 12:51, Andrew Bartlett wrote: Simo Sorce wrote: And in my honest opinion we should get out the possibility to have multiple backends active at the same time, I really think that move has put us back 6 months in development and has caused more problems than what the pros get with such a monster. I still don't see where you draw such a conclusion. In the pdb code, the multiple backends case just fell out of the design - it cost us very little indeed. The same applies to the new SAM stuff, it didn't impose a significant design penalty, but was catered for. (In the case of the SAM, each domain must have only one backend however). Andrew Bartlett -- Andrew Bartlett [EMAIL PROTECTED] Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED] Student Network Administrator, Hawker College [EMAIL PROTECTED] http://samba.org http://build.samba.org http://hawkerc.net -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: Using winbind with Wine
Imho the best way to go is to wait until we will be able to provide an interface for loadable modules in samba that couples with the MS-RPC subsystem. At that point you will only need to make the .so library as GPL and build your socket mechanism to speak to the other LGPLed end integrated into wine. Simo. On Thu, 2002-09-26 at 13:47, Martin Wilck wrote: Am Mit, 2002-09-25 um 19.38 schrieb Richard Sharpe: I do not think that libsmbclient is the right way to do this. I think that the correct way is to make the various Samba client RPC libraries available as separate DSOs so that clients can make direct use of what they need. Then the wine group can possibly build a thin DLL wrapper around the underlying RPC libraries. Licensing is an important issue. If future Samba RPC libraries come with GPL, they won't be usable for Wine (as you probably know, Wine is LGPL and ReWind X11). I don't want to start a licensing debate here. I expect the Samba team to release their stuff GPL'd in the future, thus I accept it as a fact that Wine cannot be linked to Samba libraries, present or future. For that reason I find the winbind concept of socket communication attractive. To my understanding this would not raise license issues. We are not currently worried about performance, we just need access to a few RPC calls. To initiate this process we'd only need a standardized protocol for the socket communication. Andrew said that doesn't exist and won't with regard to winbind. I'd like to focus the discussion in this direction. - is the winbind team willing to standardize the protocol, or at least ensure backward compatibility in future versions? - is the winbind team willing to add more RPC calls to the interface? If not, Wine might do best by creating a winebind that meets these requirements.
That might be the best way after all, because incorporating the functionality needed by Windows clients into winbind would make no sense in environments where Wine is not running, just increase winbind's size unnecessarily. winebind would be linked against Samba libraries, and therefore be GPL from the start. Martin -- Martin Wilck Phone: +49 5251 8 15113 Fujitsu Siemens Computers Fax: +49 5251 8 20409 Heinz-Nixdorf-Ring 1 mailto:[EMAIL PROTECTED] D-33106 Paderborn http://www.fujitsu-siemens.com/primergy -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: approaching release of 3.0alpha20
I think we should never put a NULL value in function handlers, but always a stub function !! Simo. On Wed, 2002-09-25 at 13:32, Stefan (metze) Metzmacher wrote: At 10:01 23.09.2002 -0500, Gerald Carter wrote: Everyone, I would like to do another alpha snapshot release of the 3.0 code base later this week. Does anyone know of any code that is too unstable for a release (seg faults, etc...)? metze there's a bug in pdb_interface.c: in context_setsampwent @ctrlsoft what's the bug? metze we don't check if the backend has a valid setsampwent function metze (*pdb_method)->setsampwent = NULL; metze (*pdb_method)->endsampwent = NULL; metze (*pdb_method)->getsampwent = NULL; metze in pdb_unix metze will cause seg faults metze - Stefan metze Metzmacher [EMAIL PROTECTED] -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: approaching release of 3.0alpha20
Yes, returning always NT_STATUS_NOT_IMPLEMENTED is the way to go imho. Simo. On Wed, 2002-09-25 at 15:18, Jelmer Vernooij wrote: Then that would be a function that always returns False / NT_STATUS_NOT_IMPLEMENTED - I think the system can figure that out as well... On Wed, Sep 25, 2002 at 03:14:18PM +0200, Simo Sorce wrote about 'Re: approaching release of 3.0alpha20': I think we should never put a NULL value in function handlers, but always a stub function !! Simo. On Wed, 2002-09-25 at 13:32, Stefan (metze) Metzmacher wrote: At 10:01 23.09.2002 -0500, Gerald Carter wrote: Everyone, I would like to do another alpha snapshot release of the 3.0 code base later this week. Does anyone know of any code that is too unstable for a release (seg faults, etc...)? metze there's a bug in pdb_interface.c: in context_setsampwent @ctrlsoft what's the bug? metze we don't check if the backend has a valid setsampwent function metze (*pdb_method)->setsampwent = NULL; metze (*pdb_method)->endsampwent = NULL; metze (*pdb_method)->getsampwent = NULL; metze in pdb_unix metze will cause seg faults metze - Stefan metze Metzmacher [EMAIL PROTECTED] -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399 -- Jelmer Vernooij [EMAIL PROTECTED] - http://nl.linux.org/~jelmer/ Development And Underdevelopment: http://library.thinkquest.org/C0110231/ Listening to 15:18:27 up 3:18, 8 users, load average: 0.35, 0.17, 0.12 -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: approaching release of 3.0alpha20
On Wed, 2002-09-25 at 15:48, Stefan (metze) Metzmacher wrote: At 23:34 25.09.2002 +1000, Andrew Bartlett wrote: Simo Sorce wrote: Yes, returning always NT_STATUS_NOT_IMPLEMENTED is the way to go imho. This is in the old pdb code, so we don't have NTSTATUS there yet - so for there I think the null pointer works. For the new code, then certainly I think the NTSTATUS return makes sense. yep. But we always have to check for NULL pointers :-) sorry ? -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
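The stub-versus-NULL approach discussed in this thread, as an added C example that is not Samba code: every handler slot starts out as a stub that reports "not implemented", and a registration check rejects a table that still holds a NULL. Apart from the three handler names quoted in the thread, all types, functions and status codes here are hypothetical, and the account names are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical status codes; stand-ins for the NTSTATUS values in the thread. */
typedef enum { ST_OK, ST_NO_MORE_ENTRIES, ST_NOT_IMPLEMENTED } status_t;

struct account { const char *name; };

/* Hypothetical method table; only the three handler names come from the thread. */
struct backend {
    const char *name;
    size_t cursor;
    status_t (*setsampwent)(struct backend *self);
    status_t (*getsampwent)(struct backend *self, struct account *out);
    void     (*endsampwent)(struct backend *self);
};

/* Stubs: always safe to call, and they tell the caller the truth. */
static status_t stub_set(struct backend *self) { (void)self; return ST_NOT_IMPLEMENTED; }
static status_t stub_get(struct backend *self, struct account *out)
{ (void)self; (void)out; return ST_NOT_IMPLEMENTED; }
static void stub_end(struct backend *self) { (void)self; }

/* Every backend starts from here, so a slot it never fills is a stub, not NULL. */
void backend_init(struct backend *b, const char *name)
{
    b->name = name;
    b->cursor = 0;
    b->setsampwent = stub_set;
    b->getsampwent = stub_get;
    b->endsampwent = stub_end;
}

/* Constructed sample data for the enumerating backend. */
static const char *const sample_users[] = { "alice", "bob" };

static status_t list_set(struct backend *self) { self->cursor = 0; return ST_OK; }
static status_t list_get(struct backend *self, struct account *out)
{
    if (self->cursor >= sizeof sample_users / sizeof sample_users[0])
        return ST_NO_MORE_ENTRIES;
    out->name = sample_users[self->cursor++];
    return ST_OK;
}
static void list_end(struct backend *self) { self->cursor = 0; }

/* A backend that supports enumeration overrides the stubs. */
void listing_backend_init(struct backend *b)
{
    backend_init(b, "listing");
    b->setsampwent = list_set;
    b->getsampwent = list_get;
    b->endsampwent = list_end;
}

/* A backend without enumeration support simply keeps the stubs. */
void plain_backend_init(struct backend *b) { backend_init(b, "plain"); }

/* Registration check for tables filled in by code we do not control:
 * returns 1 if every slot is callable, 0 otherwise. */
int backend_is_complete(const struct backend *b)
{
    return b->setsampwent != NULL && b->getsampwent != NULL && b->endsampwent != NULL;
}

/* Caller side: no per-call NULL tests, only status handling. */
status_t count_accounts(struct backend *b, size_t *count)
{
    struct account acct;
    status_t st = b->setsampwent(b);

    *count = 0;
    if (st != ST_OK)
        return st;
    while ((st = b->getsampwent(b, &acct)) == ST_OK)
        (*count)++;
    b->endsampwent(b);
    return st == ST_NO_MORE_ENTRIES ? ST_OK : st;
}

int main(void)
{
    struct backend plain, listing;
    size_t n;
    status_t st;

    plain_backend_init(&plain);
    listing_backend_init(&listing);
    st = count_accounts(&plain, &n);
    printf("plain: status %d\n", (int)st);
    st = count_accounts(&listing, &n);
    printf("listing: status %d, %zu accounts\n", (int)st, n);
    return 0;
}
```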
Re: logon problem
Samba never runs scripts!! From my memory I remember that you have to tell win2k you want to run a script at startup, I think you can do that modifying the user profile. Simo. On Wed, 2002-09-18 at 16:13, Shane Tapper wrote: I'm desperate. I have set the appropriate path for a logon script and assured the .cmd file is located there. It however does not run at all. The file itself can be executed successfully on a W2k machine. It does not appear samba is even attempting to run it. Any suggestions? Troubleshooting tips? Shane -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: nmbd sends SYN packet to external Network address
On Thu, 2002-09-12 at 14:11, Andreas Moroder wrote: Hello Volker, it tries to send at the ports 139 and 445 Since today at midnight it is a 2.2.6.pre2 are you sure it is nmbd? it seems instead an smbclient trying to connect to a share as 139 and 445 are the smb ports (netbios and naked). Simo. -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: Sanity check.
It comes to my mind that recently we changed the code to check the packet is really an smb packet by checking the header field for the SMB. string, so I suppose samba will not support RAW calls anymore too. Simo. On Tue, 2002-09-10 at 06:49, Christopher R. Hertel wrote: Just a quick sanity check, if any of you have the time. In my book I'm trying to describe the MaxBufferSize and MaxRawSize fields in the NegProt response. I neither want nor need to go into great depth, but I do need to be as close to correct in my descriptions as SMB allows. If anyone has any constructive criticism on the notes below please send it along. Looking forward to your replies. Chris -)- MaxBufferSize MaxBufferSize is the size (in bytes) of the largest message that the server can receive. Keep in mind that the transport layer will fragment and defragment packets as necessary. It is, therefore, possible to send very large SMBs and let the lower layers worry about ensuring safe, fast, reliable delivery. How big can an SMB message be? In the NT LM 0.12 dialect, the MaxBufferSize field is an unsigned longword. As described much earlier on, however, the Length field in the NBT SESSION MESSAGE is 17-bits wide and the naked transport header has a 24-bit Length field. So the session headers place slightly more reasonable limits on the maximum size of a single SMB message. MaxRawSize This is the maximum size of a raw data buffer. The X/Open doc describes the READ RAW and WRITE RAW SMBs, which were introduced with the Extended 1.0 version of SMB (the MICROSOFT NETWORKS 3.0 and LANMAN1.0 dialects). These were a speed hack. For a large read or write operation, the first message would be a proper SMB, but subsequent messages would be sent in raw mode, with no SMB or session header. The raw blocks could be as large as MaxRawSize bytes in length. Once again, the transport layer was expected to take care of fragmentation/defragmentation and the re-sending of any lost packets.
Raw mode is not used much any more. Among other things, it conflicts with message signing because there the raw messages have no header in which to put the MAC signature. Thus, the field is considered obsolete. -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED] -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
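An added C example, not taken from Samba or from the book draft, of the receive-side check this exchange describes: decode the 17-bit NBT or 24-bit naked-transport length, refuse a frame whose declared length exceeds what was received, then require the 0xFF 'S' 'M' 'B' magic. The enum and function names are hypothetical, the flag-bit layout follows RFC 1002, and the frames used to exercise it are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum transport { TRANSPORT_NBT, TRANSPORT_NAKED };
enum frame_result { FRAME_OK, FRAME_SHORT, FRAME_BAD_HEADER, FRAME_TRUNCATED, FRAME_NOT_SMB };

/* Validate one received frame: 4-byte session header followed by the message.
 * On FRAME_OK, *payload_len is the declared message length in bytes. */
enum frame_result check_frame(enum transport t, const uint8_t *buf, size_t len,
                              uint32_t *payload_len)
{
    uint32_t declared;

    if (len < 4)
        return FRAME_SHORT;
    if (buf[0] != 0x00)                 /* 0x00 = SESSION MESSAGE / naked zero byte */
        return FRAME_BAD_HEADER;

    if (t == TRANSPORT_NBT) {
        /* Flags byte: only the length-extension bit may be set, and it
         * supplies bit 16 of the length, hence 17 bits in total. */
        if (buf[1] & 0xFE)
            return FRAME_BAD_HEADER;
        declared = ((uint32_t)(buf[1] & 0x01) << 16) | ((uint32_t)buf[2] << 8) | buf[3];
    } else {
        /* Naked transport: three length bytes, 24 bits in total. */
        declared = ((uint32_t)buf[1] << 16) | ((uint32_t)buf[2] << 8) | buf[3];
    }

    /* Never trust the declared length beyond the bytes actually received. */
    if (declared > len - 4)
        return FRAME_TRUNCATED;

    /* A message without the magic (a raw-mode block, for instance) is rejected. */
    if (declared < 4 || memcmp(buf + 4, "\xffSMB", 4) != 0)
        return FRAME_NOT_SMB;

    *payload_len = declared;
    return FRAME_OK;
}

int main(void)
{
    /* Constructed frames. */
    const uint8_t smb[12] = { 0x00, 0x00, 0x00, 0x08, 0xff, 'S', 'M', 'B', 0x72, 0, 0, 0 };
    const uint8_t raw[12] = { 0x00, 0x00, 0x00, 0x08, 'R', 'A', 'W', '!', 1, 2, 3, 4 };
    uint32_t n = 0;

    printf("smb frame: %d\n", (int)check_frame(TRANSPORT_NBT, smb, sizeof smb, &n));
    printf("raw block: %d\n", (int)check_frame(TRANSPORT_NBT, raw, sizeof raw, &n));
    return 0;
}
```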
Re: Bug in cli_samr_get_dom_pwinfo ad Win2k Server (PR#25465)
This problem better be discussed on samba technical (CCed)! I will also remind all list members that samba-bugs is to be used only to report well defined secure bugs in stable releases. All help requests, technical discussion, doubts and the like should be discussed on proper forums, to preserve critical resources of the team. Thank you all, Simo. On Tue, 2002-09-10 at 16:03, [EMAIL PROTECTED] wrote: Hi, I would like to change a user's password using SamrChangePasswordUser. It looks as if I will have to implement this function, but the prerequisite call SamGetDomainPasswordInformation is already implemented in cli_samr_get_dom_pwinfo. I added the call to cli_samr_get_dom_pwinfo in my code: /result = cli_samr_get_dom_pwinfo(cli, mem_ctx, 0,0,0);/ and I get the following error: * prs_mem_get: reading data of size 4 would overrun buffer.* From the ethereal trace it looks as if the payload of the DCE portion of the packet is: 00 00 00 00 00 00 00 00 00 00 00 00 while the code //* SAMR_R_GET_DOM_PWINFO *// /typedef struct r_samr_get_dom_pwinfo { /* * Previously this was 3 uint16's. However, after some tests * it appears that the data len for the signing needs to be 16. * Not sure how 3 unit16's ever worked since the length always/ an just comment o / * turned out to 12. 3 uint32's + NT_STATUS == 16 bytes. Tested * using NT and 2k. --jerry */ *uint32 unk_0; uint32 unk_1; uint32 unk_2; NTSTATUS status;* } SAMR_R_GET_DOM_PWINFO;/ is expecting 4 bytes more. It looks like this is a bug.. I can send the ethereal traces if you like.SamrChangePasswordUser One easy solution would be to comment out one of the fields, but I don't want to break anything else. Could you please review and suggest a solution? Also is there any plan to add the SamrChangePasswordUser before I go ahead and do it?... Thanks, Paul -- Simo Sorce - [EMAIL PROTECTED] Samba Team - http://www.samba.org
Re: mangling scheme
On Mon, 2002-09-09 at 08:33, Lucas Correia Villa Real wrote: Hi, Recently I did find a little trouble in a program: it creates links to the most recently used files, but using the not-so-'default' Win9X mangling scheme, that is, 'program files' becomes 'progra~1' and not 'progr~-1'. This seems to me the correct behaviour, why do you think it should be progr~1 ? I did a search over the samba archives and noticed some patches and discussions about performance and even about non-compliance between Win9x and WinNT mangling methods. Is there a working* patch to do that kind of stuff? If not, can someone point me to the algorithms used by Win9X/NT to do that? Will such a patch be welcome by Samba? I extensively tested the w2k algorithms, that I suppose are the same as NT, and they seem to use the 6chars+~1 through ~5 and then they start to produce a poor hash based name like prA9BF~1 that is clearly a 2 bytes length hex representation. The exact algorithm is not known to me, but we tested that it is really poor and prone to lot of name collisions. We implemented a new mangling algorithm for HEAD called hash2 that is pretty good. Look at smbd/mangle_hash2.c if you are curious. About patches they are always welcome, but to be accepted they need to address a real problem and get it the right way, what do you have in mind exactly? Thanks in advance, Lucas * performance is not a problem in my target network, so anything will be really welcome :) I have some code for a tdb based persistent mangling db that could help but it is not ready yet and broken in little pieces part of new code and part of code from an older not very good implementation. Simo. -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: mangling scheme
However this is a strange behaviour, generally apps should not try to guess by their own the mangling scheme but ask the system to tell them which is the short name, otherwise the application is poorly made. Have you migrated an installation by chance? That may explain the problem, many installations do save 8.3 paths in registry after the system has told them which is the mangled name, so maybe you can simply tweak your registry to reflect the correct name. Simo. On Mon, 2002-09-09 at 10:26, Lucas Correia Villa Real wrote: On 09 Sep 2002 09:27:21 +0200 Simo Sorce [EMAIL PROTECTED] wrote: On Mon, 2002-09-09 at 08:33, Lucas Correia Villa Real wrote: Hi, Recently I did find a little trouble in a program: it creates links to the most recently used files, but using the not-so-'default' Win9X mangling scheme, that is, 'program files' becomes 'progra~1' and not 'progr~-1'. This seems to me the correct behaviour, why do you think it should be progr~1 ? Sorry, I think I was misunderstood here. What the program does is to address 'program files' into 'progra~1', the same way as the WinNT server was doing, but with Samba the same entry becomes 'progr~-1', using the hash1 algorithm. I did a search over the samba archives and noticed some patches and discussions about performance and even about non-compliance between Win9x and WinNT mangling methods. Is there a working* patch to do that kind of stuff? If not, can someone point me to the algorithms used by Win9X/NT to do that? Will such a patch be welcome by Samba? I extensively tested the w2k algorithms, that I suppose are the same as NT, and they seem to use the 6chars+~1 through ~5 and then they start to produce a poor hash based name like prA9BF~1 that is clearly a 2 bytes length hex representation. The exact algorithm is not known to me, but we tested that it is really poor and prone to lot of name collisions. We implemented a new mangling algorithm for HEAD called hash2 that is pretty good.
Look at smbd/mangle_hash2.c if you are curious. About patches they are always welcome, but to be accepted they need to address a real problem and get it the right way, what do you have in mind exactly? I just got the sources, and as far as I could see, that's exactly what I was looking for. I will put it in action today. I have some code for a tdb based persistent mangling db that could help but it is not ready yet and broken in little pieces part of new code and part of code from an older not very good implementation. Thanks for your attention, if I feel I will need to use a different scheme I will try to give a look at it. Lucas -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: sed: can't read ./../examples/VFS/block/Makefile.in: No such file or directory
Sorry forgot to commit configure after configure.in but to solve this problem you only need to execute autoconf anyway. Committed now. Thanks, Simo. On Sat, 2002-09-07 at 18:43, Stefan (metze) Metzmacher wrote: Hi Simo, you removed these files...please fix this creating ../examples/VFS/Makefile creating ../examples/VFS/block/Makefile creating ../examples/VFS/netatalk/Makefile sed: can't read ./../examples/VFS/netatalk/Makefile.in: No such file or directory metze - Stefan metze Metzmacher [EMAIL PROTECTED] -- Simo Sorce - [EMAIL PROTECTED] Samba Team - http://www.samba.org
Re: trusted domains patch n+3
On Fri, 2002-09-06 at 15:56, Andrew Bartlett wrote: One is the username they wanted, the other is the username they got (after the username map file). Similarly for domains - if the domain they wanted is trusted, and we are not allowing trusted domains, or if the domain doesn't exist, then we replace it with our own domain. We may still need their original username/domain for authentication (NTLMv2 comes to mind in particular), hence why we keep both. What are you trying to do there? Why should we replace a domain name with another??? Simo. -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: trusted domains patch n+3
Ok, that was clear, what I want to ask, is: why should we try to logon a user that provides bad information? Shouldn't we simply deny it with an error? How does NT behave in such situations? Simo. On Sat, 2002-09-07 at 00:42, Andrew Bartlett wrote: Rafal Szczesniak wrote: On Fri, Sep 06, 2002 at 05:01:25PM +0200, Simo Sorce wrote: On Fri, 2002-09-06 at 16:37, Rafal Szczesniak wrote: On Fri, Sep 06, 2002 at 04:42:53PM +0200, Simo Sorce wrote: What are you trying to do there? Why should we replace a domain name with another??? For instance, when lp_allow_trusted_domains() is set to false, then user's domain name should is replaced with our domain name. Authentication modules will then look for username in our domain's SAM instead querying trusted domains. Can you explain me why we should not simply fail? In case of ? OK, time for an explanation: We can receive all sorts of things in the 'domain' field from a client. Mostly it's their current domain. If we are a standalone server, or don't trust the domain they supplied, then we replace it with our own for authentication. Similarly if we are not using trusted domains at all - then every login gets changed to our local domain. However, some parts of the code (NTLMv2 in particular) need the original domain, so we keep that around. Does that make a bit more sense? Andrew Bartlett -- Andrew Bartlett [EMAIL PROTECTED] Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED] Student Network Administrator, Hawker College [EMAIL PROTECTED] http://samba.org http://build.samba.org http://hawkerc.net -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: Maximum number of mounts ?
I think you are mounting against a workstation. Keep in mind Microsoft permits only 10 concurrent accesses to their workstation OS, if you need more you must buy a server OS and licenses if you have more than 5 clients. Simo. On Sat, 2002-09-07 at 01:54, root wrote: I'm currently using Samba 2.2.5-pre1 on a Mandrake 8.1 system with kernel 2.4.19-8. I need to mount 15 remote filesystems. I can manage 9. Is there some kind of configuration option I need to set, or have I found a bug? It _almost_ works. On 3 of the mounts during linux boot, I get the error 'ERRSRV ERRnoresource'. The mounts that fail are on the same system as 5 other mounts that work fine, so it's neither the LAN nor the client configuration. Permissions are also correct (All of the shares are configured identically). The mountpoint directories exist. I turned debug up to 5, but I don't see anything that looks like the problem. My guess (and that's ALL it is) based on the error message, is that I've got some kind of resource exhaust. How do I increase whatever it is that's failing? I went thru the 'Samba Administrators Handbook' and I don't see any options that look applicable. (I did try increasing the shared mem size - no change). All of the servers are OS/2, if it matters. TIA! Mike- -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: bug in debug.c
Fixed, can you test? Thank you very much. On Sun, 2002-09-01 at 00:00, Kai Krueger wrote: Hi There seems to be a bug in debug.c. It causes samba to crash with SIGSEGV on startup if an unknown debug class is specified in smb.conf. The problem is in debug_parse_params(). This function gets a pointer to the debug classes as parameter instead of using the global DEBUGLEVEL_CLASS arrays. In most cases this doesn't make a difference, but if the arrays change while still in the function it causes a segmentation fault. Now this is exactly what happens if you specify an unknown debug class. debug_parse_params() looks for the debug class with debug_lookup_classname(). If debug_lookup_classname() doesn't find the class and debug_auto_add_unknown_class is true, the debug class is added. This causes the DEBUGLEVEL_CLASS to be reallocated and the next time debug_parse_params() tries to access it with its local pointer (still pointing to the old DEBUGLEVEL_CLASS) it crashes as it accesses it out of bounds. What is the best solution to this problem. Can debug_parse_params() just use the global version? Kai -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
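The stale-pointer pattern from this report, as an added C example that models it with hypothetical names rather than reproducing debug.c: a lookup that may grow the class arrays, the "before" form that keeps writing through a pointer taken earlier, and the form that reads the global again after the lookup. The class names used are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the global class table described in the report. */
static const char **class_names;   /* names are not copied; pass string literals */
static int *class_levels;
static size_t num_classes;
static unsigned relocations;       /* how many times the arrays have moved */

void reset_classes(void)
{
    free(class_names);
    free(class_levels);
    class_names = NULL;
    class_levels = NULL;
    num_classes = 0;
    relocations = 0;
}

/* Grow both arrays by one slot. Allocate-copy-free is used instead of
 * realloc() so the arrays move on every call; realloc() may do the same,
 * it just does not do it every time. */
static int add_class(const char *name)
{
    const char **names = malloc((num_classes + 1) * sizeof *names);
    int *levels = malloc((num_classes + 1) * sizeof *levels);

    if (names == NULL || levels == NULL) {
        free(names);
        free(levels);
        return -1;
    }
    if (num_classes > 0) {
        memcpy(names, class_names, num_classes * sizeof *names);
        memcpy(levels, class_levels, num_classes * sizeof *levels);
    }
    free(class_names);
    free(class_levels);
    names[num_classes] = name;
    levels[num_classes] = 0;
    class_names = names;
    class_levels = levels;
    relocations++;
    return (int)num_classes++;
}

/* Returns the class index; an unknown class is added when auto_add is set. */
int lookup_class(const char *name, int auto_add)
{
    size_t i;

    for (i = 0; i < num_classes; i++)
        if (strcmp(class_names[i], name) == 0)
            return (int)i;
    return auto_add ? add_class(name) : -1;
}

/* BEFORE (never called here): the caller passes in a pointer to the level
 * array. If lookup_class() adds a class, `levels` still points at the freed
 * array and the store lands outside any live allocation. */
void set_level_stale(int *levels, const char *name, int level)
{
    int idx = lookup_class(name, 1);
    if (idx >= 0)
        levels[idx] = level;
}

/* AFTER: no cached pointer; the global is read once the lookup has returned. */
int set_level(const char *name, int level)
{
    int idx = lookup_class(name, 1);
    if (idx < 0)
        return -1;
    class_levels[idx] = level;
    return idx;
}

int get_level(const char *name)
{
    int idx = lookup_class(name, 0);
    return idx < 0 ? -1 : class_levels[idx];
}

unsigned relocation_count(void) { return relocations; }

int main(void)
{
    set_level("all", 1);
    set_level("unknown_class", 10);   /* unknown: the arrays grow and move */
    printf("unknown_class=%d after %u relocations\n",
           get_level("unknown_class"), relocation_count());
    reset_classes();
    return 0;
}
```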
Re: Man Pages and code mismatches ... with respect to name mangling
We should update the man page with description on different mangling methods. Simo. On Sat, 2002-08-31 at 23:44, Richard Sharpe wrote: Hi, I notice that the code (at least for mangling method = hash2) does different things to what the man pages claim. Man pages say that if the file starts with a leading ., it is replaced with three underscores. Either Ethereal can't count, or they are not. Only one is placed there. In addition, it seems that more characters than a leading . (dot) are replaced by a single underscore. For example, the # character (known as pound or hash) is also replaced by a single underscore. Secondly, the man pages claim that the first three characters of the extension (after the right most period) are forced to upper case etc. What it omits to say is that this only true if the extension consists of three or less characters. If there are more than five characters in the extension, well, they get lost. Which of these two behaviours is the intended one? Regards - Richard Sharpe, [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: [Samba-Technical] Writing files from one linux to another linux
But why do you want to use CIFS for a linux to linux file sharing ??? Wait at least until the Unix extensions are ok and work well ... On Fri, 2002-08-30 at 13:05, Kevin Liao wrote: The local system isn't running in any ram disk when using smbfs. Even if you connect to a localhost samba server, that is a remote system as far as smbfs is concerned. I'm not sure I understood you here. /Urban Sorry I didn't mention it clearly. The local machine does not have any hard drive but only one flash (16 or 32 M) and the whole root filesystem is running in ram disk (/dev/ram). I don't know whether such a system can be called an embedded system. Anyway the local machine will try to smbmount to the remote machine which is just a normal PC with linux installed. After the connection has been established successfully, the local system begins writing files continuously to the remote end. Therefore, what we want to do is to detect whether the file had been really saved in the remote storage device and if something goes wrong we may smbmount to another remote machine then keep working. Regards, Kevin -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: [patch] client/client.c: commands reget and reput
Thanks, I've committed a patch that adds these commands to smbclient. I made it a bit different tough. (Also added a patch for xfile.c) Simo. On Tue, 2002-08-20 at 11:48, Josef Zlomek wrote: Hello! I have written the commands reget and reput for smbclient. When user gets/puts a large file and the connection brokes the user is unhappy (s)he has to transfer the file from the beginning. So with this patch (s)he can use command reget/reput that will continue in the transfer, i.e. it will seek both in local and remote file to position of the end of target file and continue with the transfer from this position. Although the local networks are fast, it takes several minutes to tranfer a 650 MB large file (e.g. ISO image) so I think these commands are useful. Patch for the main branch (HEAD) follows, it needs my patch [patch] basic seeking support for XFILE to be installed before this patch. Josef diff -ur samba.cvs/source/client/client.c samba.reget_reput/source/client/client.c --- samba.cvs/source/client/client.c Sat Jul 13 05:51:27 2002 +++ samba.reget_reput/source/client/client.c Tue Aug 20 10:13:38 2002 @@ -60,6 +60,7 @@ /* value for unused fid field in trans2 secondary request */ #define FID_UNUSED (0x) +BOOL restart_at_file_end = False; time_t newer_than = 0; static int archive_level = 0; @@ -651,7 +652,7 @@ / static int do_get(char *rname,char *lname) { - int handle=0,fnum; + int handle = -1, fnum; BOOL newhandle = False; char *data; struct timeval tp_start; @@ -659,6 +660,7 @@ uint16 attr; size_t size; off_t nread = 0; + off_t start = 0; int rc = 0; GetTimeOfDay(tp_start); 
@@ -677,7 +679,18 @@ if(!strcmp(lname,-)) { handle = fileno(stdout); } else { - handle = sys_open(lname,O_WRONLY|O_CREAT|O_TRUNC,0644); + if (restart_at_file_end) { + handle = sys_open(lname,O_WRONLY|O_CREAT,0644); + if (handle = 0) { + start = sys_lseek(handle, 0, SEEK_END); + if (start == -1) { + d_printf(Error seeking local file\n); + return 1; + } + } + } + if (handle 0) + handle = sys_open(lname,O_WRONLY|O_CREAT|O_TRUNC,0644); newhandle = True; } if (handle 0) { @@ -704,7 +717,7 @@ } while (1) { - int n = cli_read(cli, fnum, data, nread, read_size); + int n = cli_read(cli, fnum, data, nread + start, read_size); if (n = 0) break; @@ -717,7 +730,7 @@ nread += n; } - if (nread size) { + if (nread + start size) { DEBUG (0, (Short read when getting file %s. Only got %ld bytes.\n, rname, (long)nread)); @@ -787,6 +800,21 @@ / + get a file restarting at end of local file + / +static int cmd_reget(void) +{ + int rc; + + restart_at_file_end = True; + rc = cmd_get(); + restart_at_file_end = False; + + return rc; +} + + +/ do a mget operation on one file / static void do_mget(file_info *finfo) @@ -1048,9 +1076,10 @@ / static int do_put(char *rname,char *lname) { - int fnum; + int fnum = -1; XFILE *f; - int nread=0; + size_t nread = 0; + size_t start = 0; char *buf=NULL; int maxwrite=io_bufsize; int rc = 0; @@ -1058,7 +1087,21 @@ struct timeval tp_start; GetTimeOfDay(tp_start); - fnum = cli_open(cli, rname, O_RDWR|O_CREAT|O_TRUNC, DENY_NONE); + if (restart_at_file_end) { + fnum = cli_open(cli, rname, O_RDWR|O_CREAT, DENY_NONE); + if (fnum = 0) { + if (!cli_qfileinfo(cli, fnum, NULL, start, +NULL, NULL, NULL, NULL, NULL) + !cli_getattrE(cli, fnum, NULL, start, + NULL, NULL, NULL)) { + d_printf(getattrib: %s\n,cli_errstr(cli)); + return 1; + } + } + } + if (fnum == -1) { + fnum = cli_open(cli, rname, O_RDWR|O_CREAT|O_TRUNC, DENY_NONE
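Review bot: `restart_at_file_end`, added in the `@@ -60,6 +60,7` hunk, is a non-static global sitting next to `static int archive_level`, and it serves only as a hidden argument from cmd_reget() to do_get() and do_put(). Declare it static at the least, or pass the restart request as a parameter so that do_get()/do_put() do not depend on state toggled in another function.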
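Review bot: in the do_get() hunk at `@@ -677,7 +679,18`, the `return 1` taken when `sys_lseek(handle, 0, SEEK_END)` fails leaves `handle` open; close it before returning. The resume offset `start` is also taken from the local file size without being compared to the remote `size`, and the later short-read check on `nread + start` only covers the case where the remote read stops early, so a local file that is already longer than the remote one, or whose existing bytes differ from it, ends up reported as a completed reget. Check `start` against `size` before the read loop and say in the help text that the existing local data is trusted as-is.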
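Review bot: in the do_put() hunk at `@@ -1058,7 +1087,21`, the error path that prints `getattrib: %s` returns 1 after cli_open() has succeeded, so `fnum` stays open on the server; close the remote handle before returning. `start` is declared `size_t` here while do_get() declares it `off_t`, and `nread` changes from `int` to `size_t` in the same function; pick one offset type for both directions so the resume position is handled the same way in reget and reput.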
Re: Direct NetBIOS calls. Is it possible?
Look at libsmbclient within samba, but remember it is GPL! Simo. On Wed, 2002-08-21 at 15:15, Adilson Oliveira wrote: Hello guys! First of all, let me tell you that I'm a samba user and never got into the beast so excuse me if this seems weird. I have a project to port an old DOS system to linux and this system uses direct netbios calls (using 5C interrupts) to communicate with windows machines. Basically sending datagrams one to another. This customer does not want to change the windows side so I need to simulate the same functions. Is it possible? And how? Thanks a lot! Adilson. P.S. Hey Jeremy! I'm the Brazilian guy you met at linuxconf this year :) You're great man! -- TWT Embedded Solutions -- Simo Sorce - [EMAIL PROTECTED] Samba Team - http://www.samba.org
Re: WINS proxy
Unmanaged clients are unreliable by default. It's not something you can fix. Better you make a reason of that. Simo. On Wed, 2002-08-21 at 20:33, Alex Torkhov wrote: - Original Message - From: Bradley W. Langhorst [EMAIL PROTECTED] To: Alex Torkhov [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Wednesday, August 21, 2002 9:41 PM Subject: Re: WINS proxy If you can't access the clients then this is not your problem anyway - forget about it or tell the administrator of the clients to configure them to talk to your WINS server. I am administrator of router (Linux, Samba, ...) And clients are admins of themselves. And it is not possible to tell them anything. Alex. -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: WINS proxy
There is an easy way: if they ask for that you may simply answer that they only need to set your server as wins server. If they are asking something, they may also be willing to do something to have their requests satisfied. Simo. On Wed, 2002-08-21 at 21:26, Alex Torkhov wrote: - Original Message - From: Simo Sorce [EMAIL PROTECTED] To: Alex Torkhov [EMAIL PROTECTED] Cc: Bradley W. Langhorst [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Wednesday, August 21, 2002 10:53 PM Subject: Re: WINS proxy Even clients are unmaintained, they always want something. Now they want cross-subnet windows networking. I see 2 ways to resolve my problem: 1. Add new feature to Samba (something like WINS registration proxy) 2. Use lmhosts in WINS server. Docs say that every computer should have a copy of lmhosts. And I didn't find docs about using WINS with lmhosts. Maybe someone else has found some? Third way may be implemented something like this: small script (like findsmb) runs every 5 minutes and grabs all local names (workstations/workgroups) into lmhosts file, and when b-mode clients ask WINS server (proxy) it looks into this file. Alex. -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: [patch] fixed some messages
Fixed, thanks On Tue, 2002-08-20 at 07:37, Josef Zlomek wrote: Hello, this patch fixes some (debug) messages in source/client/client.c It is applicable to both HEAD and 2_2 branches, I'm not sure about other branches because I have not checked them out. Patch follows. Josef diff -urN samba.cvs/source/client/client.c samba.messages/source/client/client.c --- samba.cvs/source/client/client.c Sat Jul 13 05:51:27 2002 +++ samba.messages/source/client/client.c Tue Aug 20 07:28:30 2002 @@ -307,7 +307,7 @@ if (*fileselection !mask_match(finfo-name,fileselection,False)) { - DEBUG(3,(match_match %s failed\n, finfo-name)); + DEBUG(3,(mask_match %s failed\n, finfo-name)); return False; } @@ -695,7 +695,7 @@ } DEBUG(2,(getting file %s of size %.0f as %s , - lname, (double)size, lname)); + rname, (double)size, lname)); if(!(data = (char *)malloc(read_size))) { d_printf(malloc fail for size %d\n, read_size); -- Simo Sorce - [EMAIL PROTECTED] Samba Team - http://www.samba.org
Re: [2.2 patch] client/client.c: reget and reput commands
Interesting, but can you make a patch against head instead? Thank you, Simo. On Mon, 2002-08-19 at 19:52, Josef Zlomek wrote: Hello! I have written the reget and reput commands for samba 2.2. When user gets/puts a large file and the connection breaks the user is unhappy (s)he has to transfer the file from the beginning. So with this patch (s)he can use command reget/reput that will continue in the transfer, i.e. it will seek both in local and remote file to position of the end of target file and continue with the transfer from this position. Although the local networks are fast, it takes several minutes to transfer a 650 MB large file (e.g. ISO image) so I think these commands are useful. While writing these commands I found something that confuses me: the get and put commands are similar so one would think that get and put would use similar functions. But function writefile (that is used by command get) uses function write, and function readfile (that is used by command get) uses function fread. I think that both functions should use either open/read/write/close, or fopen/fread/fwrite/fclose. Because of this, I'm not sending the patch for samba 3.0 right now, because seek is not supported by XFILE (that is used in 3.0's put) yet. I would like to know first whether it is better to use syscalls in both get and put, or write x_fseek for reput. Patch follows. Josef Zlomek Index: source/client/client.c === RCS file: /cvsroot/samba/source/client/client.c,v retrieving revision 1.148.2.28 diff -u -r1.148.2.28 client.c --- source/client/client.c14 May 2002 14:00:49 - 1.148.2.28 +++ source/client/client.c19 Aug 2002 12:49:11 - @@ -57,6 +57,7 @@ /* value for unused fid field in trans2 secondary request */ #define FID_UNUSED (0x) +BOOL restart_at_file_end = False; time_t newer_than = 0; int archive_level = 0; 
@@ -638,7 +639,7 @@ / static void do_get(char *rname,char *lname) { - int handle=0,fnum; + int handle = -1, fnum; BOOL newhandle = False; char *data; struct timeval tp_start; @@ -646,6 +647,7 @@ uint16 attr; size_t size; off_t nread = 0; + off_t start = 0; GetTimeOfDay(tp_start); @@ -663,7 +665,18 @@ if(!strcmp(lname,-)) { handle = fileno(stdout); } else { - handle = sys_open(lname,O_WRONLY|O_CREAT|O_TRUNC,0644); + if (restart_at_file_end) { + handle = sys_open(lname,O_WRONLY|O_CREAT,0644); + if (handle = 0) { + start = sys_lseek(handle, 0, SEEK_END); + if (start == -1) { + DEBUG(0,(Error seeking local file\n)); + return; + } + } + } + if (handle 0) + handle = sys_open(lname,O_WRONLY|O_CREAT|O_TRUNC,0644); newhandle = True; } if (handle 0) { @@ -690,7 +703,7 @@ } while (1) { - int n = cli_read(cli, fnum, data, nread, read_size); + int n = cli_read(cli, fnum, data, nread + start, read_size); if (n = 0) break; @@ -702,7 +715,7 @@ nread += n; } - if (nread size) { + if (nread + start size) { DEBUG (0, (Short read when getting file %s. Only got %ld bytes.\n, rname, (long)nread)); } @@ -767,6 +780,17 @@ / + get a file restarting at end of local file + / +static void cmd_reget(void) +{ + restart_at_file_end = True; + cmd_get(); + restart_at_file_end = False; +} + + +/ do a mget operation on one file / static void do_mget(file_info *finfo) @@ -1015,16 +1039,31 @@ / static void do_put(char *rname,char *lname) { - int fnum; + int fnum = -1; FILE *f; - int nread=0; + size_t nread = 0; + size_t start = 0; char *buf=NULL; int maxwrite=io_bufsize; struct timeval tp_start; GetTimeOfDay(tp_start); - fnum = cli_open(cli, rname, O_RDWR|O_CREAT|O_TRUNC, DENY_NONE); + if (restart_at_file_end) { + fnum = cli_open(cli, rname, O_RDWR|O_CREAT, DENY_NONE); + if (fnum = 0
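Review bot: cmd_reget passes the resume mode to do_get through the global `restart_at_file_end`, set and cleared around cmd_get(), so the behaviour of do_get and do_put depends on hidden state rather than on their arguments; a resume parameter would make it explicit, and the flag should at least be static. Because do_get returns void in this branch, the `start == -1` path can only log and `return`, which leaves `handle` open and gives cmd_reget no way to report the failure.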
RE: Prepending \ to user name w/Win98 Domain Login
I've just looked at the code, and it retests later with username only if it has not got access with the domain name set, so I see no problems at all. Can you provide more information eventually? On Fri, 2002-08-16 at 17:21, Jeff Mandel wrote: [snip] This call supposedly validates the domain\user string. On Solaris, with NIS a win98 box tries to connect to a samba PDC. There's no domain name passed by the win98 client, but the setup for the string is domainwinbindseparatoruser. look a few lines later it does another sys_getpwnam() with user name only. There's no domain - the string is now \user 1) If there's no domain, why would a winbind separator do something useful? see above 2) The wacky thing here is that \user actually returns successful with NIS. jeff@host% getent passwd jeff jeff:x:6789:6789::/export/home/jeff:/bin/ksh jeff@host% getent passwd \jeff jeff:x:6789:6789::/export/home/jeff:/bin/ksh this test is not right you should write \\jeff to check if NIS really ignores a leading \ because \ is an escape and the shell will interpret \j as pure j I've just setup a linux NIS server and couldn't reproduce this bug, BTW 3) The validation doesn't really validate in this case since the value used is not what the system returned: \jeff != jeff, but the check in reply.c is only for != NULL. When this gets looked up in the samba password db, failure is certain. There's no \jeff in the samba password database. what != NULL case do you refer to? sesssetupX:name=[JEFF] [2002/08/11 12:21:44, 3] smbd/reply.c:reply_sesssetup_and_X(929) Using unix username \JEFF [2002/08/11 12:21:44, 2] smbd/reply.c:reply_sesssetup_and_X(982) Defaulting to Lanman password for \jeff [2002/08/11 12:21:44, 1] smbd/password.c:pass_check_smb(545) Couldn't find user '\jeff' in passdb. 
[2002/08/11 12:21:44, 1] smbd/reply.c:reply_sesssetup_and_X(998) Rejecting user '\jeff': authentication failed This log seems to avail your claim, can you provide information about client OS, NIS server OS, samba version 4) When the client is win2k which passes a domain in, this code is called to lookup getpwnam(domainsepuser). Without some special module, when would a unix system ever return a positive response to this kind of lookup? see above (if that lookup fails, username alone is tested) Simo. -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399 -- Simo Sorce - [EMAIL PROTECTED] Samba Team - http://www.samba.org
Re: Use less 'magic' environment variables
On Fri, 2002-08-16 at 15:24, Andrew Bartlett wrote: This patch removes WINBINDD_DOMAIN, and some of the misguided (and fruitless) attempts to prevent winbind from calling smbd recursively. (I fixed that the 'proper' way, and the worst case is a pipe timeout of 30 sec, not a lockup). Which is the 'proper' way? -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: case sensitive parameter - was Re: Any help would be greatly appreciated...
On Fri, 2002-08-16 at 02:17, John E. Malmberg wrote: Tim Potter wrote: On Thu, Aug 15, 2002 at 12:29:32AM -0500, Gerald (Jerry) Carter wrote: Can't we get rid of the case sensitive option? It just seems to cause people lots of unnecessary pain. Strangely enough, having case_sensitive = yes, makes SAMBA more responsive for case insensitive file systems. Probably because with case sensitive = yes we avoid a lot of code needed to handle case insensitivity. It probably would be better to have SAMBA allow the VFS level to do the file name matching, so that it can be tailored to the file system. Yes, I think we will go in that direction soon. The OpenVMS file api that is eventually called by readdir() accepts a wildcard mask. Yes, but probably accepted wildcards differ between NT and OpenVMS. So if a vfs_wild_reeaddir() existed, it would do the wildcard matching and the wildcard file lookup could be optimized to the file system. Yes of course, and there are also a lot more advantages, like having a file system able to handle mangling directly. Simo. -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: Importing smbpasswd with pdbedit -i
I do not know what's wrong in pdbedit, works fine for me (I use HEAD). Simo. On Mon, 2002-07-08 at 11:58, [EMAIL PROTECTED] wrote: Hi, I used pdbedit -i to import my old /etc/smbpasswd into a NIS+ table. pdbedit generated for workstation accounts entries like this: degpd060w147$:1064:3128:502:2005:[U ]:C39B59E02D... well, the workstation can log into the domain and works quite well, but when you throw away the old installation on the client and then want to join the workstation (with the same name) again, Samba is unable to delete the workstation account and create a new one. I wrote a little script to fix up all Workstation Accounts to be like this: degpd060w147$:1064:3128:502:2005:[W ]:C39B59E02D... Is it possible to correct the behavior of pdbedit? Yes, I'm using Samba 2.2.5 regards Thomas -- German Parcel Thomas Mieslinger German-Parcel-Str. 1-7 fon: +49 6677 17 463 36286 Neuenstein fax: +49 6677 17 111 Germany eMail: [EMAIL PROTECTED] -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
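The kind of fix-up described in the message above, as an added example (not Thomas's script and not Samba code). It assumes colon-separated records laid out like the quoted ones, with one bracketed flags field, and treats a trailing `$` in the account name as the mark of a machine account; the sample records are constructed.

```python
import re

# Flags field as it appears in the quoted records: "[" letters/spaces "]".
FLAGS_RE = re.compile(r"^\[[A-Za-z ]*\]$")

def fix_machine_flags(line):
    """Return (new_line, changed). A record whose name ends in '$' and whose
    flags field carries U but not W gets that U replaced by W; every other
    record is returned untouched."""
    fields = line.rstrip("\n").split(":")
    if not fields[0].endswith("$"):
        return line, False            # ordinary user account
    for i, field in enumerate(fields):
        if FLAGS_RE.match(field):
            flags = field[1:-1]
            if "W" in flags or "U" not in flags:
                return line, False    # already a workstation entry
            # Swap in place so the padded width of the field is preserved.
            fields[i] = "[" + flags.replace("U", "W", 1) + "]"
            eol = "\n" if line.endswith("\n") else ""
            return ":".join(fields) + eol, True
    return line, False                # no flags field: leave the record alone

def fix_table(lines):
    """Apply the fix to every record; return (new_lines, changed_names)."""
    out, changed = [], []
    for line in lines:
        new, did = fix_machine_flags(line)
        out.append(new)
        if did:
            changed.append(new.split(":", 1)[0])
    return out, changed

# Constructed sample records (placeholder hashes, not real data).
SAMPLE = [
    "alice:1001:3128:502:2005:[U          ]:HASHPLACEHOLDER1\n",
    "ws01$:1064:3128:502:2005:[U          ]:HASHPLACEHOLDER2\n",
    "ws02$:1065:3128:502:2005:[W          ]:HASHPLACEHOLDER3\n",
    "ws03$:1066:3128:502:2005:[DU         ]:HASHPLACEHOLDER4\n",
]

if __name__ == "__main__":
    fixed, names = fix_table(SAMPLE)
    print("".join(fixed), end="")
    print("changed:", names)
```

Running it a second time over its own output changes nothing, so it can be applied to a table that is already partly corrected.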
Re: FW: Fixed: queryaliasmem always fails in V2.2.5 redhat 7.3 and redhat 7.2
On Sun, 2002-08-11 at 13:57, Phill Bertolus wrote: Hi List, I think I'm posting to the right place. It appears [EMAIL PROTECTED] is now dead. samba-bugs is not dead but it is reserved to be used only for bugs signaling for stable releases _and_ through the web interface, patches must be sent in diff -u format to [EMAIL PROTECTED] I still try to sort out as much as I can from samba-bugs, sending to the right people the messages I think are valid. Simo -- Simo Sorce - [EMAIL PROTECTED] Samba Team - http://www.samba.org
Re: Win2K resetting connections. Is there a service pack?
Seems the same logic tridge and abartlet found about authentication against w2k. Seems a childish way to avoid possible DoS or something like that. If you have not finished authentication and the same client issues a second request, w2k drops the connection. And if I remember correctly, this happens at the TCP/IP stack level not even at the NetBIOS one. Simo. On Thu, 2002-08-01 at 20:24, Christopher R. Hertel wrote: On Fri, Aug 02, 2002 at 04:49:55AM +0930, Richard Sharpe wrote: : It's the NegProt. Once the first NegProt is issued on any open TCP connection, all the others get RSTs if they have not got past that point. It is bizarre. They come from another planet, I tell you. Odd. Are these all connections from the same client? If not, then it's definitely a bug. You'd have only one client able to connect at a time... If it only happens across multiple connections from the same client, then it makes a kind of twisted sense. Microsoft may assume (since, as I understand it, their software works this way) that there will be only one TCP connection per SMB client system. I think that the SMB session is handled within the OS on Windows boxes, so only one TCP connection is needed, and therefore only one NegProt will be sent. I'm already several guesses deep, but if the server gets a new NegProt from the same client, it may assume that the other connections are now bogus. W2K expects other Windows systems to be its clients, so it may also expect the clients to crash and be rebooted frequently. Given those assumptions, it makes sense that a new NegProt would be taken by the server as a signal that the client was rebooted and the other connections should be dropped. It's bogus, but it is the same kind of logic that is behind the VC=0 reset. I wonder what would happen if you simply didn't send the NegProt or SessionSetup, and just started using a [V]UID from one of the other sessions... Ooohh. Ouch. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED] -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: How are capabilities like can set the time and can manage printers handled
On Fri, 2002-08-02 at 04:53, Richard Sharpe wrote: Hi, Are all these things strictly local decisions or are they now all encoded in groups, or are there some capability bits associated with users? A new complete SAM system is being introduced into HEAD. In the plans this new SAM will contain all permissions and capability bits. Actually those implemented are done locally in the code. Simo. -- Simo Sorce - [EMAIL PROTECTED] Xsec s.r.l. via Durando 10 Ed. G - 20158 - Milano tel. +39 02 2399 7130 - fax: +39 02 700 442 399