[Samba] Samba and LDAP error
I am a newbie to Samba. I am having a problem getting Samba to bind to my LDAP server. While I have found some related articles in the archives, I have not yet seen an answer which would help me. Any help will be appreciated.

I am running Samba 2.2.7b and OpenLDAP 2.1.12. The platform is a Sun machine running Solaris 2.6. The compiler is gcc.

When I use smbpasswd to add a user to the database I always get the error that Samba cannot bind to the LDAP database. My bind dn is defined in slapd.conf as cn=Manager, dc=myorg,dc=com. The bind password is secret. In ldap.conf I use the same bind dn and password, but the rootbinddn is uid=root,dc=myorg,dc=com. In smb.conf I have tried both the Manager DN and the root DN. In both cases I store the password in /usr/local/samba/private/secrets.tdb. The password is also stored in /etc/ldap.secret in clear text.

What am I doing wrong?

Thank you.

Dan Hobbs

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] OSX Server - Excel files
On Fri, 2003-02-28 at 00:32, Hugh Evans wrote:

> Hi, I am new to this list, so please excuse any redundancy in my question.
>
> I have 60 Windows XP users who are tied into three Mac OSX File - Xserve file servers. There is one big problem - ... we are having issues with Excel files, that on occasion, are not being recognized, taking literally minutes to load and other quirky abnormalities. Excel on the XP desktop machines will refuse to save documents back to the file server - though Excel can still browse, load and save other Excel files. This is not happening all the time - maybe once in every five accesses.

*** Did you solve your problem in the mean time?

--
Cheers, Zoran.
Home is where you hang your @
RE: [Samba] Profiles problem
On Fri, 2003-03-14 at 21:01, Raj Saxena wrote:

> Grigory, If you have win2k workstations then go in to
> -my computer -properties -advanced -user profiles
> and make the profile change to locally cached copy as opposed to roaming profile. Hope this helps. It was driving me nuts too !!

Thanks, some PCs are working ok with this, but some of them continue working strangely...
And more: no records about that in log files (or maybe I've not found it...)
[Samba] File locking with different (client) platforms
I have a problem with file locking on different platforms.

System environment:
- Samba Server 2.2.3.a on Red Hat 7.3
- Some Windows 2000 clients with MS-Office 2000 and OpenOffice 1.0.1
- Some Red Hat 8.0 clients with OpenOffice 1.0.1

The Linux clients mount the Samba shares with smbmount:

    smbmount //Server/shares $HOME/path -o credentials=file,ip=ip,debug=0,workgroup=name,port=139,iocharset=8859-15

Working only with Windows clients is ok. If they open a document, the file is locked for other users in the network. On Samba Server Status (Swat) open files are visible:

    Sharing-DenyNone, Read/Write, No Oplock (Winword), Excl.+Batch Oplock (OOWriter)

Working with OOWriter on a Linux workstation shows the following:

    Sharing-DenyNone, Read/Write, No Oplock (OOWriter)

In practice, file locking when opening the same document (on the Samba server) between Winword and OpenOffice is working well. Working with OO on both sides (Linux and Windows) is also ok. But there is no file locking if someone opens a document with Word on Windows and then with OO on Linux or the other way round!

/proc/locks on the SERVER shows the following when opening a document:

    Winword (Windows Client):
    POSIX ADVISORY WRITE 12115 08:02:162885 ...
    POSIX ADVISORY WRITE 12115 08:02:162885 ...
    POSIX ADVISORY WRITE 12115 08:02:162885 ...

    OOwriter (Windows Client):
    LEASE MANDATORY WRITE 12115 08:02:162885 ...
    FLOCK MSNFS READ 12115 08:02:162885 ...

    OOWriter (Linux Client):
    No entry !

Here I found an entry in the local /proc/locks on the Linux CLIENT (!):

    OOWriter (Linux Client):
    POSIX ADVISORY WRITE 2251 00:0e:19 ...

Is this a (logical) bug? Opening a file mounted with smbmount on a samba share locks only in the local filesystem, but not the files on the server? Is there another way to work with inhomogeneous environments?

Thank you
Andreas

Appendix: An extract from my smb.conf.

    [global]
        workgroup = XY
        netbios name = BS01
        server string = XY
        encrypt passwords = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
        log file = /var/log/samba/%m.log
        max log size = 100
        deadtime = 60
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        show add printer wizard = No
        character set = ISO8859-15
        logon path =
        logon home =
        domain logons = Yes
        os level = 65
        preferred master = True
        domain master = True
        dns proxy = No
        wins proxy = Yes
        wins support = Yes
        valid chars = : : : '
        hosts allow = 192.168.0. 127.
        strict locking = Yes

    [XY]
        path = /xy
        valid users =
        read only = No
        create mask = 0777
        directory mask = 0777
        browseable = No

    [Public]
        path = /xy/public
        valid users =
        read only = No
        create mask = 0777
        directory mask = 0777
Re: [Samba] subdirectory of home
On Fri, 14 Mar 2003 09:59:45 +0100 Mar [EMAIL PROTECTED] wrote:

|What I want is to share a subdirectory of home instead of the home itself.
|In this manner, when a user tries to connect to his home directory, he really
|will connect with, by example, /home/user/subdir.
|
|I don't know if it's possible to do that in the [homes] section, or I
|must create a new different section for every user.

See if adding this to your smb.conf would work...

| --
| [homes]
| comment = Home Directories
path = %H/subdir
| read only = No
| browseable = No

peace

Brian Wiese | [EMAIL PROTECTED] | aim: unolinuxguru
--
GnuPG/PGP key 0x1E820A73 | FREEDOM! - Braveheart
--
This is not about Napster or DVDs. It's about your Freedom. I'll see your DMCA and raise you a First Amendment. http://www.anti-dmca.org
[Samba] integrating multiple NT4 domains with Samba
On version 2.0 using security = domain and include = globals.%m I could specify what PDC to use depending on client name. This was a neat arrangement to integrate legacy NT4 domains - I asked the remote admins to add the samba server to their domain, and ran smbpasswd -j various -r various pdc's to end up with multiple machine.sid's in private.

All was wonderful, and then I upgraded . . .

Now 2.2.7a with single secrets.tdb, samba is again added to the various domains, and can authenticate to any of them individually (their workgroup in smb.conf), but a %m globals match always produces an auth2 error. I think samba's pulling the wrong SID out of secrets.tdb, always using the %m workgroup, but the smb.conf global workgroup SID to authenticate!

Does anyone else bring together NT4 domains with samba to avoid trusts? Do you use this method, how does it work for you?
Re: [Samba] Sync Linux - NT Domain passwords
On Fri, 14 Mar 2003 09:15:54 +1100 Simeonidis, Steve [EMAIL PROTECTED] wrote:

|I've tried synchronising their passwords so when they change their
|Windows password it changes their
|Linux password, but unfortunately that doesn't happen.

Though I understand unix password sync will provide this functionality (sync the unix password when the samba password changes), is there a procedure to do the reverse (sync the samba password when the user's unix password is changed)?

Someone mentioned earlier on the list that a script or alias could be used to do this, would anyone care to elaborate??

What I am eventually looking for is a single sign-on functionality with samba and how best to achieve it, would PAM help with this?

peace

Brian Wiese
Re: [Samba] user auth and then rejection
I think you'll have to enable encrypted passwords on samba, set reg on w2k back to original... don't forget sign-or-seal reg mod on w2k for domain membership though... and machine accounts too.

regards,
Richard Coates

On Wed, 2003-03-12 at 08:34, Gurnish Anand wrote:

> I'm trying to get roaming profiles running. I log on to the domain SAMBAPDC and then get rejected to access the profiles. The following is the log that I get. The operating system I use is Win2k SP2/SP3. Win98 doesn't seem to have a problem but I do not test on it since we have to migrate to win2k. On 98 I log on to the domain and get all the drives mapped perfectly with the same username/password I'm using on win2k.
>
> Win2k settings are out-of-box kind... I cannot select roaming profiles under user profiles... can that be a problem?? I do send plain text passwords by changing the registry settings. Or do I have to use encrypt passwords in smb.conf... please advise... below is the log file...
>
>     [2003/03/11 14:01:25, 2] lib/access.c:check_access(329)
>       Allowed connection from (192.168.2.213)
>     [2003/03/11 14:01:25, 2] lib/access.c:check_access(329)
>       Allowed connection from (192.168.2.213)
>     [2003/03/11 14:01:25, 1] lib/util_sock.c:get_socket_name(977)
>       Gethostbyaddr failed for 192.168.2.213
>     [2003/03/11 14:01:29, 2] lib/access.c:check_access(329)
>       Allowed connection from (192.168.2.213)
>     [2003/03/11 14:01:29, 2] smbd/reply.c:reply_sesssetup_and_X(985)
>       Defaulting to Lanman password for gurnish
>     [2003/03/11 14:01:29, 1] smbd/reply.c:reply_sesssetup_and_X(1001)
>       Rejecting user 'gurnish': authentication failed
>     [2003/03/11 14:01:42, 2] smbd/reply.c:reply_sesssetup_and_X(985)
>       Defaulting to Lanman password for gurnish
>     [2003/03/11 14:01:42, 1] smbd/reply.c:reply_sesssetup_and_X(1001)
>       Rejecting user 'gurnish': authentication failed
>     [2003/03/11 14:01:46, 2] smbd/reply.c:reply_sesssetup_and_X(985)
>       Defaulting to Lanman password for gurnish
>     [2003/03/11 14:01:46, 1] smbd/reply.c:reply_sesssetup_and_X(1001)
>       Rejecting user 'gurnish': authentication failed
>     [2003/03/11 14:01:46, 2] smbd/reply.c:reply_sesssetup_and_X(985)
>       Defaulting to Lanman password for gurnish
>     [2003/03/11 14:01:46, 1] smbd/reply.c:reply_sesssetup_and_X(1001)
>       Rejecting user 'gurnish': authentication failed
Re: [Samba] Samba BDC and secrets.tdb question
Do you want/expect the bdc to be a logon server for w2k/xp? If you do then you can't use security=domain, logon server=yes, as in my experience, XP-pro will not reliably domain/logon to its pdc if another samba server is configured as a logon-server as well. I'd love to be proven wrong here.

security=user uses local auth files. You have to rsync FROM the master to bdc ..occasionally.. for a consistent smbpasswd, passwd, and group across the domain. Or replicated ldap...

smbpasswd -S ..should update sid ...see man smbpasswd

hope this helps,
Richard Coates.

On Fri, 2003-03-14 at 00:59, Robert Styma wrote:

> I have a question about setting up a samba BDC (with a samba PDC). I am running Samba as the PDC on a small network. Other Unix boxes on the network are running with:
>
>     security = DOMAIN
>     encrypt passwords = Yes
>     update encrypted = Yes
>     password server = 192.168.1.5
>
> So they make use of the PDC for smbmount and smbsh applications. The W2K box also uses Samba as the PDC.
>
> I want to set up a Redhat 8 box as a BDC. smbpasswd -S got the machine ID information across to the secrets.tdb per the BDC howto. Later in the document, it says I have to blindly copy the secrets.tdb from the PDC to the BDC. It also says I have to change from security = DOMAIN to security = USER. This appears to indicate that the BDC will now use its own authentication information rather than deferring to the PDC.
>
> 1. Is this true?
> 2. Blindly copying the secrets.tdb across seems a dangerous idea. Is there an equivalent to smbpasswd -S which just copies across the relevant data?
> 3. If not, is it really safe to copy secrets.tdb from the PDC to the BDC?
>
> I do not want to foul things up trying to get the BDC to work. I am not ready to try switching to LDAP, although I will do this if it is the only way.
>
> Thanks for any help.
>
> --
> Robert E. Styma
> Principal Engineer
> AG Communication Systems, Phoenix - A subsidiary of Lucent
> Email: [EMAIL PROTECTED]
> Phone: 623-582-7323
> FAX: 623-581-4884
> Company: http://www.agcs.com
> Personal: http://www.swlink.net/~styma
[Samba] Re: Am I getting the best performance?
John H Terpstra [EMAIL PROTECTED] wrote in news:[EMAIL PROTECTED]:

> On Fri, 14 Mar 2003, Matthew Daubenspeck wrote:
> On Fri, Mar 14, 2003 at 06:49:07PM +, John H Terpstra wrote:
> All my server file systems are ext3.
> Good results then. Try ext2fs.
> Should ext2 perform better than ext3?
> Try it! Simple enough to answer this question - try it.

You can simply mount an ext3 partition as ext2 right?
Re: [Samba] restrict anonymous used wbinfo -A what next?
On Sat, 2003-03-15 at 00:37, Bobby Guerra wrote:

> I am trying to get samba to work with winbind and still have the DC (w2k) use restrict anonymous. If I run wbinfo -A it will allow me to enumerate all the user accounts and groups but I still get prompted for a password when I try to access samba shares. I can turn off restrict anonymous and I can access the samba box all day with no problem but as soon as I turn on restrict anonymous it breaks. Do I need to do anything other than wbinfo -A in order to get around restrict anonymous?

It sounds like you might have a very high level of 'restrict anonymous' set on the DC, (that is 'restrictanonymous=2'). This breaks all pre-win2k systems, and Samba's NTLM logins.

If you upgrade to Samba 3.0 alpha, we can use the winbindd connections to get to the NETLOGON pipe, and authenticate NTLM logins (I hope), but the real advantage is we get kerberos, which works much better anyway :-)

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: [Samba] Samba PDC and MMC - Problems changing password of services
On Sat, 2003-03-15 at 01:53, [EMAIL PROTECTED] wrote:

> Hi, I'm using Samba as PDC. When I'm logging into another W2K machine with MMC and try to change the password of a service, windows is bringing up the error: A device attached to the system is not functioning.

This is the windows equiv of 'NT_STATUS_UNSUCCESSFUL' - about the most useless message we can possibly give :-)

We will need to see what's being called, and you would be advised to try again with Samba 3.0 alpha or Samba HEAD.

> A strange thing is, that some people can change their password from the client by using ctrl+alt+del change password and some can't do. The error message is something like The original password is wrong.

This is interesting - you should be able to get some idea from the debug logs - particularly of the 3.0 version. (At least I know what to look for in them :-)

> I think it has something to do with rpc-call and their authentication, but I'm absolutely not sure.

Only the network and logfile traces will really tell you.

Andrew Bartlett
Re: [Samba] Windows LocalSystem Account - Linux Samba Server - What's the userID?
On Fri, 2003-03-14 at 03:16, Jim Garrison wrote:

> I have a Linux Samba server I access from a Win2K system. I want to allow a process started from a Windows service to access a share on the Samba server. The Windows service is set to run as LocalSystem instead of a specific userID. What userID do I need to define on the Samba server to allow LocalSystem to access files on a Samba share?

I think the way you do this is to add a domain user, with the right privs, and then start the service as that user, with that password. However, I've never played with this myself.

Andrew Bartlett
[Samba] file corruption problem - smb log information written to files on shares
Hi

I am having a really strange problem with my samba server. I am currently running samba-2.2.1a-4 on a Redhat 7.2 box (dual PII processors, IDE raid promise, I GB RAM). It's been operating more or less smoothly for the last 6 months.

Suddenly users started to complain about corrupted files on shares. On examination of the files we noticed that smb log information was being written to the top of the files (the same stuff was written to log.machine_name in /var/log/samba).

Here is an example from an excel file that has been zapped:

    2003/03/13 12:14:37, 2] smbd/open.c:open_file(213)
      lprescott opened file Working Papers/Trade/Co info.xls read=Yes write=Yes (numopen=1)
    [2003/03/13 12:14:37, 5] smbd/nttrans.c:reply_ntcreate_and_X(1025)
      reply_ntcreate_and_X: fnum = 11331, open name = Working Papers/Trade/Co info.xls
    [2003/03/13 12:14:37, 5] lib/util.c:show_msg(285)
      size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=1
    [2003/03/13 12:14:37, 5] lib/util.c:show_msg(293)
      smb_tid=2 smb_pid=260 smb_uid=100 smb_mid=21442 smt_wct=34
    [2003/03/13 12:14:37, 5] lib/util.c:show_msg(302)
      smb_vwv[0]=255 (0xFF)
    [2003/03/13 12:14:37, 5] lib/util.c:show_msg(302)
      smb_vwv[1]=0 (0x0)
    [2003/03/13 12:14:37, 5] lib/util.c:show_msg(302)
      smb_vwv[2]=17152 (0x4300)
    [2003/03/13 12:14:37, 5] lib/util.c:show_msg(302)

---this goes on for many hundred lines (6000?!!)

There is some remnant of the binary but I can't recover it. Lucky I had a back up.

This file was located on the user's home share /home/blabla

As I say this user had become pretty comfortable working with documents on the server. At first we blamed Excel as the problems started when we were forced to give some of our users MS Office instead of OO (compatibility issues they claimed). The first file that we noticed with the problem was an MS Word file.

We did some reading and figured it was probably something to do with op locks. So we turned off all op locking (although this made downloading of user profiles a lot slower, but..)

Unfortunately the problem keeps cropping up sporadically and zapping the users' data. Yesterday, the librarian lost the NTUSER.DAT and thus could not log in with roaming profile; examination of the file showed corruption with smb logs messed up the file.

We have been forced to tell users to edit documents on local machines and just keep backups on the server (data transfer (COPY/PASTE) seems to go OK. It seems that the problem occurs when you open a file in an application read/write on a remote share).

I am wondering if this has something to do with buffer sizes??

Can anyone out there help us? This is a real show stopper for us. We were on the verge of migrating everybody (going from 10 - 20 users) to SAMBA before these problems occurred.

Chris

Anyway, here is the samba.conf -

    [global]
        workgroup = CCMSUWI
        netbios name = ALLISTER
        server string = Samba PDC running %v
        encrypt passwords = Yes
        passwd program = /usr/bin/passwd
        unix password sync = Yes
        log level = 5 # to help with corruption problem
        log file = /var/log/samba/log.%m
        max log size = 50
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
        logon script = netlogon.bat
        logon path = \\%L\profiles\%U
        logon drive = H:
        logon home = \\%L\%U\.profile
        domain logons = Yes
        os level = 64
        preferred master = True
        domain master = True
        hosts allow = 127.0.0.1 192.168.1.0/255.255.255.0
        oplocks = No
        level2 oplocks = No

    [homes]
        comment = Home Directories
        read only = No
        browseable = No

    [profiles]
        path = /home/samba/profiles
        read only = No
        create mask = 0600
        directory mask = 0700
        browseable = No

    [netlogon]
        comment = Network Logon Service
        path = /home/netlogon
        write list = root lprescott ssankarsingh cclarke rkarim agordon kaguillera mdass lcharles acaton
        browseable = No

    [research_data]
        path = /home/DATA
        read only = No
        create mask = 0664
        directory mask = 0775
        guest ok = Yes

    [CMS]
        path = /home/DATA/CMS
        valid users = lprescott acaton pjoseph mdass lcharles cclarke
        read only = No
        create mask = 0664
        directory mask = 0775

    [printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        guest ok = Yes
Re: [Samba] Windows XP SMBecho request every 30-33 secs
On Sat, 2003-03-15 at 09:39, chris parker wrote:

> The server is low on memory (384 MB). Normally the deadtime parameter in smb.conf will allow the smbd daemon for that connection to die. This echo request keeps the smbd alive. Each active connection requires between 400K and 3 MB depending on the level of activity. Can't add more memory in the MB, larger swap doesn't solve the problem either. We will go to another MB with 2 GB of RAM, but not for a while.

Well, it sounds like WinXP is trying to avoid the nasty consequences of a dead connection - or it might have something to do with the 'offline file cache'. Either way, I think that ignoring the smbecho as 'activity' would probably be a bad idea.

In this case it's a bit of a pity that the cost of processing that echo is so high, but I can't really see a good way around it.

Andrew Bartlett
[Samba] local user admin rights on samba pdc
Hi guys,

I have an issue. I have a redhat 8.0 with the stock samba 2.25-10 that ships with it. I have that running as a pdc. The problem is when users try to access a palm pilot it wants local user admin rights. All my clients are win2k sp3. I have noticed that it is causing a problem for some other software also.

I know that I need to grant local admin rights for that user but what is the best method of doing this? If I try to access software by logging in as root on the win2k box on the pdc domain it still prevents me from installing a palm pilot or running some particular software. All of the software that needs some sort of admin privileges works fine if you log on as administrator to the local machine.

Thanks,
Raj
Re: [Samba] INTERNAL ERROR / enable to unmarshall / Linux Windows2000
On 14 Mar 2003, Joyce LAMBERT wrote:

> Hello
>
> I have installed and configured samba 2.2.3a-12 on a debian woody
>
>     ===
>     [2003/03/14 18:15:08, 0] lib/fault.c:fault_report(39)
>       INTERNAL ERROR: Signal 11 in pid 16133 (2.2.3a-12 for Debian)
>       Please read the file BUGS.txt in the distribution
>     [2003/03/14 18:15:08, 0] lib/fault.c:fault_report(41)
>     ===

Can you retest against 2.2.8? This sounds like an old bug.

cheers, jerry

--
Hewlett-Packard - http://www.hp.com
SAMBA Team -- http://www.samba.org
GnuPG Key http://www.plainjoe.org/gpg_public.asc
You can never go home again, Oatman, but I guess you can shop there. --John Cusack - Grosse Point Blank (1997)
[Samba] A market worth billions
A market worth billions: the INTERNET

Financial [...] begins on the Internet! Now! Get ready for something completely new.

Earn with us on the Internet! Twice and three times over... In the fastest-growing industry of the millennium:
- Web site design
- E-commerce
- Shopping mall
- Telecommunications

Get ready for something wonderful. Earn in our eBusiness Centre without leaving home, without long journeys, without direct sales, without warehouses, without extra costs and without large investments. But this is not only about products and income. The euNet24 initiative is about people. It is about making the lives of thousands of Europeans easier, better, more valuable and more interesting. We are running a campaign against the loss of opportunities that many people suffer in today's system. It is about integrating the most modern medium, the INTERNET, with your business activities. This way you will achieve a breakthrough success on the euNet24 platform, and on a European scale.

Get ready for something incredible. When your eBusiness Centre starts to gain momentum, you will feel it. At home, on holiday, in all your surroundings. Every year. In the future. And you will ask yourself: how did we manage to achieve such success?

Bill Gates, known for the Windows system and his company Microsoft, with a fortune worth almost 40 billion euros, is the richest man in the USA. He achieved this success at the age of 40.
Re: [Samba] can't print after upgrade to 2.2.7a
On Fri, 14 Mar 2003, Jeff D. Hamann wrote:

> I've recently upgraded from samba 2.0.10 to 2.2.7a and can access my shares on my FreeBSD 4.4 machine just fine. I can access files, etc. and when I went to print I got the following message:
>
>     laserjet2200 on Stimpy Access denied, unable to connect.
>
> I have the following smb.conf file...

set

    disable spoolss = yes

in the [global] section to make samba 2.2 behave like samba 2.0 wrt printing.

cheers, jerry
[Samba] [SECURITY] Samba 2.2.8 available for download
This release provides an important security fix outlined in the release notes that follow. This is the latest stable release of Samba and the version that all production Samba servers should be running for all current bug-fixes.

The source code can be downloaded from:

    http://download.samba.org/samba/ftp/

in the file samba-2.2.8.tar.gz or samba-2.2.8.tar.bz2. The uncompressed tarball has been signed using the Samba Distribution Key (available in the same directory).

Binary packages will be released shortly for major platforms and can be found at

    http://download.samba.org/samba/ftp/Binary_Packages/

As always, all bugs are our responsibility.

    --Sincerely
    The Samba Team

* IMPORTANT: Security bugfix for Samba *

Summary
-------

The SuSE security audit team, in particular Sebastian Krahmer [EMAIL PROTECTED], has found a flaw in the Samba main smbd code which could allow an external attacker to remotely and anonymously gain Super User (root) privileges on a server running a Samba server.

This flaw exists in previous versions of Samba from 2.0.x to 2.2.7a inclusive. This is a serious problem and all sites should either upgrade to Samba 2.2.8 immediately or prohibit access to TCP ports 139 and 445. Advice created by Andrew Tridgell, the leader of the Samba Team, on how to protect an unpatched Samba server is given at the end of this section.

The SMB/CIFS protocol implemented by Samba is vulnerable to many attacks, even without specific security holes. The TCP ports 139 and the new port 445 (used by Win2k and the Samba 3.0 alpha code in particular) should never be exposed to untrusted networks.

Description
-----------

A buffer overrun condition exists in the SMB/CIFS packet fragment re-assembly code in smbd which would allow an attacker to cause smbd to overwrite arbitrary areas of memory in its own process address space. This could allow a skilled attacker to inject binary specific exploit code into smbd.

This version of Samba adds explicit overrun and overflow checks on fragment re-assembly of SMB/CIFS packets to ensure that only valid re-assembly is performed by smbd. In addition, the same checks have been added to the re-assembly functions in the client code, making it safe for use in other services.

Credit
------

This security flaw was discovered and reported to the Samba Team by Sebastian Krahmer [EMAIL PROTECTED] of the SuSE Security Audit Team. The fix was prepared by Jeremy Allison and reviewed by engineers from the Samba Team, SuSE, HP, SGI, Apple, and the Linux vendor engineers on the Linux Vendor security mailing list.

The Samba Team would like to thank SuSE and Sebastian Krahmer for their excellent auditing work and for drawing attention to this flaw.

Patch Availability
------------------

As this is a security issue, patches for this flaw specific to earlier versions of Samba will be posted on the [EMAIL PROTECTED] mailing list as requested.

Protecting an unpatched Samba server
Samba Team, March 2003

This is a note on how to provide your Samba server some protection against the recently discovered remote security hole if you are unable to upgrade to the fixed version immediately. Even if you do upgrade you might like to think about the suggestions in this note to provide you with additional levels of protection.

Using host based protection
---------------------------

In many installations of Samba the greatest threat comes from outside your immediate network. By default Samba will accept connections from any host, which means that if you run an insecure version of Samba on a host that is directly connected to the Internet you can be especially vulnerable.

One of the simplest fixes in this case is to use the 'hosts allow' and 'hosts deny' options in the Samba smb.conf configuration file to only allow access to your server from a specific range of hosts. An example might be:

    hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
    hosts deny = 0.0.0.0/0

The above will only allow SMB connections from 'localhost' (your own computer) and from the two private networks 192.168.2 and 192.168.3. All other connections will be refused as soon as the client sends its first packet. The refusal will be marked as a 'not listening on called name' error.

Using interface protection
--------------------------

By default Samba will accept connections on any network interface that it finds on your system. That means if you have an ISDN line or a PPP connection to the Internet then Samba will accept connections on those links. This may not be what you want. You can change this behavior
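An added illustration of the "explicit overrun and overflow checks on fragment re-assembly" that the 2.2.8 announcement above describes; it is not Samba's code and not part of the original message. The structure, the field names (off, count, disp) and the 1 MiB cap are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reassembly state; names are illustrative, not Samba's. */
struct reasm {
    uint8_t *buf;       /* destination buffer of `total` bytes */
    uint32_t total;     /* total size announced when reassembly starts */
    uint32_t received;  /* bytes accepted so far */
};

enum frag_status { FRAG_REJECT = -1, FRAG_OK = 0, FRAG_COMPLETE = 1 };

#define REASM_MAX_TOTAL (1u << 20)  /* assumed policy cap on announced size */

/* Allocate the buffer once, from a size that has itself been bounded. */
int reasm_init(struct reasm *r, uint32_t total)
{
    r->buf = NULL;
    r->total = r->received = 0;
    if (total == 0 || total > REASM_MAX_TOTAL)
        return -1;
    r->buf = calloc(1, total);  /* zeroed, so gaps never expose stale heap */
    if (r->buf == NULL)
        return -1;
    r->total = total;
    return 0;
}

void reasm_free(struct reasm *r)
{
    free(r->buf);
    r->buf = NULL;
    r->total = r->received = 0;
}

/*
 * Unchecked form, for contrast only: all three sender-supplied fields are
 * trusted, so the copy can read past the packet or write past the buffer.
 */
void reasm_add_unchecked(struct reasm *r, const uint8_t *pkt,
                         uint32_t off, uint32_t count, uint32_t disp)
{
    memcpy(r->buf + disp, pkt + off, count);
}

/*
 * Checked form. Each comparison is arranged as "count > limit - base" after
 * "base > limit" has been ruled out, so no sum of untrusted values is ever
 * computed and nothing can wrap around.
 */
enum frag_status reasm_add(struct reasm *r, const uint8_t *pkt, size_t pkt_len,
                           uint32_t off, uint32_t count, uint32_t disp)
{
    /* Overrun check on the source: [off, off+count) inside the packet. */
    if (off > pkt_len || count > pkt_len - off)
        return FRAG_REJECT;
    /* Overrun check on the destination: [disp, disp+count) inside buf. */
    if (disp > r->total || count > r->total - disp)
        return FRAG_REJECT;
    /* Overflow check on the running total against the announced size.
     * Overlapping fragments still count twice here; a stricter version
     * would track which byte ranges have been covered. */
    if (count > r->total - r->received)
        return FRAG_REJECT;

    memcpy(r->buf + disp, pkt + off, count);
    r->received += count;
    return r->received == r->total ? FRAG_COMPLETE : FRAG_OK;
}

int main(void)
{
    /* Constructed sample packet: 2 header bytes, then 4 payload bytes. */
    const uint8_t pkt[6] = { 0xAA, 0xBB, 1, 2, 3, 4 };
    struct reasm r;

    if (reasm_init(&r, 8) != 0)
        return 1;
    printf("first half:   %d\n", reasm_add(&r, pkt, sizeof pkt, 2, 4, 0));
    printf("disp too far: %d\n", reasm_add(&r, pkt, sizeof pkt, 2, 4, 6));
    printf("huge count:   %d\n", reasm_add(&r, pkt, sizeof pkt, 2, UINT32_MAX, 4));
    printf("second half:  %d\n", reasm_add(&r, pkt, sizeof pkt, 2, 4, 4));
    reasm_free(&r);
    return 0;
}
```

Rejected fragments leave the buffer and the running total untouched, so a malformed fragment cannot corrupt a reassembly that is otherwise valid.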
[Samba] CacheHandling for XP/W2k?
Is there a fix for the fact that when I delete a file from a Windows application, it still shows in the pane until I do a refresh? I didn't have this problem when I was running Samba as packaged by RedHat (6.2, that was a long time ago), but on all my self-compiles and Debian packages I have this problem. Any hints?
[Samba] smblib/auth
I need to do an smb auth in an application I'm writing. I've looked at the source in smblib/*.c but I'm unsure which library and which function call I should link against. I'm looking for something like this:

    $result = smb_auth($user,$pass,$pdc);

so that I can check if a user/pass combination is a valid username/password on the windows network. What library, and what function call should I use? I'm working with Samba 2.2.8.

Thanks
Paul
Re: [Samba] Windows XP SMBecho request every 30-33 secs
On Fri, 14 Mar 2003, chris parker wrote:

> The server is low on memory (384 MB). Normally the deadtime parameter in smb.conf will allow the smbd daemon for that connection to die. This echo request keeps the smbd alive. Each active connection requires between 400K and 3 MB depending on the level of activity. Can't add more memory in the MB, larger swap doesn't solve the problem either. We will go to another MB with 2 GB of RAM, but not for a while.

Echoes don't affect the checks to see if a connection is idle IIRC. Are you sure that the client doesn't have any open files? What version of Samba are you running? There was a reference count bug in some versions that kept us from closing idle smbds.

cheers, jerry
--
Hewlett-Packard - http://www.hp.com
SAMBA Team -- http://www.samba.org
GnuPG Key http://www.plainjoe.org/gpg_public.asc
You can never go home again, Oatman, but I guess you can shop there. --John Cusack - Grosse Point Blank (1997)
[Samba] Samba 3.0 alpha22 configure problem
I updated my copy of samba 3.0 from cvs today and ran configure and got the following error:

checking for broken linux sendfile support... yes
checking whether to build winbind... yes
checking whether struct passwd has pw_comment... no
checking whether struct passwd has pw_age... no
checking for poptGetContext in -lpopt... yes
checking whether to use included popt... no
checking configure summary... yes
configure: creating ./config.status
config.status: creating include/stamp-h
config.status: creating Makefile
config.status: creating script/findsmb
config.status: creating include/config.h
config.status: error: cannot find input file: include/config.h.in

I looked for the file and it is definitely not there. Is this a problem I can fix?

Patrick
[Samba] client VPN disconnects samba shares
I am running Samba 2.2.7a in domain mode .. all is great. I have an XP user on my local network that connects to samba as a domain user - so far so good. This user also has a Cisco VPN client for connecting over the internet to another application at a service bureau. When the VPN client is activated, all traffic from this machine is only forwarding network traffic over the VPN pipe. Obviously, this causes a problem with my Samba shares as they are no longer available. When the VPN client is shut down all is well again.

The VPN configuration is provided by the service bureau so I have no control over its configuration. My local network is DHCP controlled using 192.168.0.*/24 and the VPN pipe is connected to a public address over the internet connection. I am using WINS on the Samba server, but I still cannot ping anything on my local network.

I may be answering my own question, but do I need to get the service bureau to supply me with a VPN configuration that places everything over the VPN Pipe except for 192.168.0.* addresses?

Any thoughts?

Pat
Re: [Samba] smblib/auth
On Sun, 2003-03-16 at 05:53, Paul Reilly wrote:

> I need to do an smb auth in an application I'm writing. I've looked at the source in smblib/*.c but I'm unsure which library and which function call I should link against. I'm looking for something like this
>
>     $result = smb_auth($user,$pass,$pdc);
>
> so that I can check if a user/pass combination is a valid username/password on the windows network. What library, and what function call should I use? I'm working with Samba 2.2.8

None. Do not use smblib. If you want to verify a password against Windows, use winbindd and pam_winbind or ntlm_auth (new in 3.0 alpha).

smblib has had a number of issues over the years, and I understand that the authentication is usually just LM based (case-insensitive). More particularly, there is no way for it to tell if it's actually talking to the DC.

Andrew Bartlett
--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: [Samba] file corruption problem - smb log information written to files on shares
On Sun, 2003-03-16 at 01:37, Arva Clarke wrote:

> Hi, I am having a really strange problem with my samba server. I am currently running samba-2.2.1a-4 on a Redhat 7.2 box (dual PII processors, IDE raid promise, I GB RAM). It's been operating more or less smoothly for the last 6 months. Suddenly users started to complain about corrupted files on shares. On examination of the files we noticed that smb log information was being written to the top of the files (the same stuff was written to log.machine_name in /var/log/samba). Here is an example from an excel file that has been zapped

We have been chasing this one for a while, and I'm pretty sure we came to some resolution since 2.2.6 or 2.2.7. You should upgrade to 2.2.8 for the security fixes anyway, and see if the problem persists.

Andrew Bartlett
--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
[Samba] Why winbindd don't run?
Can you help me please?

[EMAIL PROTECTED] init.d]# smbpasswd -r cleo.surson -j surson -UAdministrator%camais
Joined domain SURSON.
[EMAIL PROTECTED] init.d]# ./smb start
Iniciando os serviços SMB: [ OK ]
Iniciando os serviços NMB: [ OK ]
Iniciando os serviços Winbind: [ OK ]
[EMAIL PROTECTED] init.d]# ./smb status
smbd (pid 2325) está rodando...
nmbd (pid 2039) está rodando...
winbind está parado ( stoped)

Franco Catena
http://www.surson.com.br
tel 011-44374040 cel:78535362 NEXTEL: 55*26006*1 MSN: [EMAIL PROTECTED] ICQ: 24755602
Re: [Samba] Re: XP logon failure but still logs on -- no roaming profile
I remember another post where applying the critical updates was actually the cause of the problem!? Can't remember all the details, but something about auto-application making incorrect assumptions. Hope this is of some help.

regards,
Richard Coates.

PS: I like your ideas in logon.bat. Do you have any suggestions/ideas on the best way to implement password-age, password-history in XP/samba domain?

On Wed, 2003-03-12 at 04:13, Brian White wrote:

>> so if you reboot you get a successful logon? xp -pre sp1 ?
>
> Usually, yes. I did get one case where it did not but the computer had been on for a while before I tried to log on. SP1 was installed. I just did another update of all critical updates but it made no difference.
>
> After I reboot, I could logon, logoff, logon, logoff, but the third time I tried to logon, I got the error. On a hunch, I tried removing everything from the logon.bat script. It didn't help, though. After a reboot, I could logon/off three times and then I started getting the error. Continuing logon/logoff sequences shows no discernable pattern, though it only fails about 1/2 to 1/3 of the tries. After restoring the content of the logon.bat file, the logon process fails much more often but not every time.
>
> I began to wonder if it had something to do with network activity/idle periods since when I was typing results in to this message, it seemed that the next logon attempt would work. Taking a more patient approach to this, I've discovered that the problem is at least somewhat related to how long I stay logged in. With the full login.bat content (because it makes the problem more obvious) I've discovered that:
>
> - Logout immediately after logon (waiting for logon.bat to complete first) causes a logon failure every time.
> - Waiting 20 seconds after a logon failure before logout will ensure that the next logon attempt is successful. Waiting only 10 seconds is not enough. The next logon attempt (after one that was successful) will fail even if I again wait over 30 _minutes_ before logout.
> - Waiting at the press CTRL-ALT-DELETE to logon prompt, even up to 60 seconds, does not help; it fails every time.
>
> Attached is the logon.bat file renamed to logon.txt so it doesn't get stripped by any virus scanners. In addition to mapping a number of network drives, it also tries to map H: to /home/userid (if it exists) or to the user's home computer on the network if they're logging in to a different machine (sort of like a unix automounter would do for home directories on different machines).
>
> Brian ( [EMAIL PROTECTED] )
> ---
> Tired of spam? See what you can do to fight it at: http://www.cauce.org/
>
> :-net accounts /forcelogoff:no /minpwlen:4 /minpwage:0 /maxpwage:unlimited /uniquepw:5
> :-
> :- Mount the home directory
> :-
> net use h: /d
> subst h: /d
> if exist C:\Home\%USERNAME%\nul.x goto localhome
> :nethome
> call %USERPROFILE%\Network\homedir.bat
> goto donehome
> :localhome
> subst h: C:\Home\%USERNAME%
> mkdir %USERPROFILE%\Network
> echo net use h: \\%COMPUTERNAME%\home\%USERNAME% /persistent:no /yes > %USERPROFILE%\Network\homedir.bat
> goto donehome
> :donehome
> :-
> :- Mount network drives
> :-
> net use o: \\share\office2000p /persistent:no /yes
> net use p: \\share\precidia /persistent:no /yes
> net use s: \\share\win32 /persistent:no /yes
> net use t: \\ftp\ftp /persistent:no /yes
> net use x: \\share\tmp /persistent:no /yes
> :-
> :- Set some environment variables
> :-
> mkdir C:\tmp\%USERNAME%
> s:\bin\setx TEMP C:\tmp\%USERNAME%
> s:\bin\setx TMP C:\tmp\%USERNAME%
> :- s:\bin\setx HOMEDRIVE H:
> :-
> :- Update the computers clock
> :-
> net time \\share /set /yes
[Samba] Re: recycle.so compiling problem
On Fri, 14 Mar 2003 14:21:51 -0500, Ben Griffith wrote:

> You have to run ./configure in the main samba-2.2.7a/source directory in order to generate

That was it. It worked, thanks.

--
Ciao, Marco.
...Fragile, Yes 1972
[Samba] Re: Samba 3.0 alpha22 configure problem
On Sun, 2003-03-16 at 04:25, Patrick Gunerud wrote:

> I updated my copy of samba 3.0 from cvs today and ran configure and got the following error:
>
> checking for broken linux sendfile support... yes
> checking whether to build winbind... yes
> checking whether struct passwd has pw_comment... no
> checking whether struct passwd has pw_age... no
> checking for poptGetContext in -lpopt... yes
> checking whether to use included popt... no
> checking configure summary... yes
> configure: creating ./config.status
> config.status: creating include/stamp-h
> config.status: creating Makefile
> config.status: creating script/findsmb
> config.status: creating include/config.h
> config.status: error: cannot find input file: include/config.h.in
>
> I looked for the file and it is definitely not there. Is this a problem I can fix?

You have to run ./autogen.sh before you start. We no longer include these generated files in CVS.

Andrew Bartlett
--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: [Samba] LDAP and Samba
The option -with-ldapsam is trying to compile samba with Openldap support, which perhaps you don't have installed? Do you want/need ldap? Do you really need to compile your own? There are RPM/packages available for many distros.

regards,
Richard Coates.

On Sat, 2003-03-15 at 04:37, Mike wrote:

> Dear all, we try to compile Samba with the option (-with-ldapsam). When we launch build-samba.depot.sh, the first step goes without any problem but when the program launches the Makefile, it gives an error saying that the program can't find any library ldap. We don't use OpenLdap but Directory Server from Iplanet. I have looked for days for documentation but I found nothing at all. Could someone help us?
>
> Mike
Re: [Samba] Change somebody else's domain password?
On Fri, Mar 14, 2003 at 10:05:08AM -0600, Genchev, Sergei said:

> Hi, I am trying to find a way to change NT4 domain password from linux. smbpasswd works fine if you know user's old password but I am looking for a way to connect to PDC using all-mighty Administrator credentials and change other user's password.

Log in as root.

--
Adam Smith
Information Technology Officer
SAGE Automation Ltd.
[EMAIL PROTECTED]
http://www.sageautomation.com
[Samba] Samba problems
I'm trying the latest versions of Samba on a LRP box (kernel 2.2.19), namely versions 2.2.7a and 2.2.8, but whenever I try to access a share it fails and the smbd log has the following error message:

build_sam_account: smbpasswd database is corrupt! username smb1 not in unix passwd database!

I have the user accounts defined in the smbpasswd file and in /etc/passwd. When using an older version (2.0.4b) I have no problems at all. Also, when trying to change a Samba password using smbpasswd I get a similar error message:

build_sam_account: smbpasswd database is corrupt! username smb1 not in unix passwd database!
Failed to find entry for user smb1.
Failed to modify password entry for user smb1

I configured it during the build to use the traditional smbpasswd file. Does anybody know what this is?

Another issue is that nmbd won't start up if I have interfaces = all specified in the global section of smb.conf, which again wasn't a problem with the older version.

Thanks in advance for any help.
Re: [Samba] Samba problems
On Sat, 15 Mar 2003, Spiro Philopoulos wrote:

> I'm trying the latest versions of Samba on a LRP box (kernel 2.2.19), namely versions 2.2.7a and 2.2.8, but whenever I try to access a share it fails and the smbd log has the following error message:
>
> build_sam_account: smbpasswd database is corrupt! username smb1 not in unix passwd database!

Email me your smb.conf and smbpasswd file please to [EMAIL PROTECTED] - NOT to this list.

> I have the user accounts defined in the smbpasswd file and in /etc/passwd. When using an older version (2.0.4b) I have no problems at all. Also, when trying to change a Samba password using smbpasswd I get a similar error message:
>
> build_sam_account: smbpasswd database is corrupt! username smb1 not in unix passwd database!
> Failed to find entry for user smb1.
> Failed to modify password entry for user smb1
>
> I configured it during the build to use the traditional smbpasswd file. Does anybody know what this is?
>
> Another issue is that nmbd won't start up if I have interfaces = all

If you want all interfaces (even if it is just one) comment out this line. ie: Comment out interfaces =

> specified in the global section of smb.conf, which again wasn't a problem with the older version. Thanks in advance for any help.

- John T.
--
John H Terpstra
Email: [EMAIL PROTECTED]
Re: [Samba] client VPN disconnects samba shares
Is your problem that you cannot see/ping your local lan while your cisco-vpn is up? If yes then it's a cisco-vpn-client/xp routing issue and nothing to do with samba. Easy solution... close vpn when you want to work locally. Sorry I can't suggest anything more practical.

Richard Coates.

On Sun, 2003-03-16 at 06:26, Pat Schlehuber wrote:

> I am running Samba 2.2.7a in domain mode .. all is great. I have an XP user on my local network that connects to samba as a domain user - so far so good. This user also has a Cisco VPN client for connecting over the internet to another application at a service bureau. When the VPN client is activated, all traffic from this machine is only forwarding network traffic over the VPN pipe. Obviously, this causes a problem with my Samba shares as they are no longer available. When the VPN client is shut down all is well again.
>
> The VPN configuration is provided by the service bureau so I have no control over its configuration. My local network is DHCP controlled using 192.168.0.*/24 and the VPN pipe is connected to a public address over the internet connection. I am using WINS on the Samba server, but I still cannot ping anything on my local network.
>
> I may be answering my own question, but do I need to get the service bureau to supply me with a VPN configuration that places everything over the VPN Pipe except for 192.168.0.* addresses?
>
> Any thoughts?
>
> Pat
Passwd sync on ldapsam
Hi, I configured samba 2.2.7a with --ldapsam. Works fine. Password changes are updated on ldap server on lmPassword and ntPassword attributes. Good. But I want to synchronize unix password too. Samba did not update userPassword or never call /bin/passwd or pam to change it. This behavior doesn't depend on setting unix password sync = yes or pam password change = yes

smbpasswd does:

- bind ldap server
  search (uid=joe)(objectClass=sambaAccount)
- bind ldap server
  search (objectClass=posixAccount)(uid=joe)
- bind ldap server
  modify DN: uid=joe,dc=People,dc=company,dc=com
  attribute ntPassword
  attribute lmPassword
- bind ldap server
  search (uid=joe)(objectClass=sambaAccount)
  search (objectClass=posixAccount)(uid=joe)

I think correct behavior is modify userPassword too.

Best regs
Petr
Re: client VPN disconnects samba shares
Please do not cross-post to both Samba and Samba-Technical. These lists are for different purposes.

Pat Schlehuber wrote:

> I am running Samba 2.2.7a in domain mode .. all is great. I have an XP user on my local network that connects to samba as a domain user - so far so good. This user also has a Cisco VPN client for connecting over the internet to another application at a service bureau. When the VPN client is activated, all traffic from this machine is only forwarding network traffic over the VPN pipe. Obviously, this causes a problem with my Samba shares as they are no longer available. When the VPN client is shut down all is well again.

Normal behavior for the Cisco VPN product. So what's the problem?

> The VPN configuration is provided by the service bureau so I have no control over its configuration.

Yep. Now, if they'd just allow Split Tunneling or let you exclude the local LAN from the VPN you'd be okay.

> My local network is DHCP controlled using 192.168.0.*/24 and the VPN pipe is connected to a public address over the internet connection. I am using WINS on the Samba server, but I still cannot ping anything on my local network.

The Cisco VPN client acts as a shim. It sits between your IP stack and the real interface and examines packets. If Split Tunneling is enabled, then the VPN client does a limited form of routing. Packets meant to go over the VPN tunnel will be encrypted and sent through the tunnel, and others will be dropped through to the real interface. Split tunneling is server-controlled.

The other option is to set the Exclude Local Network (or similar) option on the client side. That will ensure that packets for the local IP LAN will drop through to the real interface.

If you don't have any configuration control, then you cannot do either of these things and *all* traffic normally out-bound through that interface will be captured by the shim and redirected to the VPN server via the tunnel.

> I may be answering my own question, but do I need to get the service bureau to supply me with a VPN configuration that places everything over the VPN Pipe except for 192.168.0.* addresses?

Unless you can change the client configuration yourself, yes.

> Any thoughts?

This really isn't a Samba-Technical question.

Chris -)-----
--
Samba Team -- http://www.samba.org/
Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/
ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/
[EMAIL PROTECTED]
OnLineBook -- http://ubiqx.org/cifs/
[EMAIL PROTECTED]
CVS update: samba/source/lib
Date: Sat Mar 15 08:03:11 2003
Author: abartlet

Update of /data/cvs/samba/source/lib
In directory dp.samba.org:/tmp/cvs-serv25890/lib

Modified Files: charcnv.c

Log Message: Remove an unused function and fix the build. Andrew Bartlett

Revisions: charcnv.c 1.73 => 1.74
http://www.samba.org/cgi-bin/cvsweb/samba/source/lib/charcnv.c?r1=1.73&r2=1.74
CVS update: samba/source/utils
Date: Sat Mar 15 08:18:29 2003
Author: abartlet

Update of /data/cvs/samba/source/utils
In directory dp.samba.org:/tmp/cvs-serv28976/utils

Modified Files: net_ads.c

Log Message: Minor fixes.
- signed/unsigned
- quieten warning about assignment as truth value
- whitespace
Andrew Bartlett

Revisions: net_ads.c 1.65 => 1.66
http://www.samba.org/cgi-bin/cvsweb/samba/source/utils/net_ads.c?r1=1.65&r2=1.66
CVS update: samba/source/include
Date: Sat Mar 15 08:18:29 2003
Author: abartlet
Update of /data/cvs/samba/source/include
In directory dp.samba.org:/tmp/cvs-serv28976/include
Modified Files: rpc_lsa.h
Log Message:
Minor fixes.
- signed/unsigned
- quieten warning about assignment as truth value
- whitespace
Andrew Bartlett
Revisions:
rpc_lsa.h 1.47 => 1.48
http://www.samba.org/cgi-bin/cvsweb/samba/source/include/rpc_lsa.h?r1=1.47&r2=1.48
CVS update: samba/source/include
Date: Sat Mar 15 10:59:14 2003
Author: abartlet
Update of /data/cvs/samba/source/include
In directory dp.samba.org:/tmp/cvs-serv3611/include
Modified Files: safe_string.h
Log Message:
Fix the non-DEVELOPER case of my macro madness...
Andrew Bartlett
Revisions:
safe_string.h 1.17 => 1.18
http://www.samba.org/cgi-bin/cvsweb/samba/source/include/safe_string.h?r1=1.17&r2=1.18
CVS update: samba/source/include
Date: Sat Mar 15 11:28:45 2003
Author: abartlet
Update of /data/cvs/samba/source/include
In directory dp.samba.org:/tmp/cvs-serv7870/include
Modified Files: safe_string.h
Log Message:
Fix the 'non-optimizing compiler' case...
Andrew Bartlett
Revisions:
safe_string.h 1.18 => 1.19
http://www.samba.org/cgi-bin/cvsweb/samba/source/include/safe_string.h?r1=1.18&r2=1.19
Re: CVS update: samba/source/auth
On Sat, Mar 15, 2003 at 06:10:49AM +, [EMAIL PROTECTED] wrote:
> Date: Sat Mar 15 06:10:49 2003
> Author: abartlet
> Update of /data/cvs/samba/source/auth
> In directory dp.samba.org:/tmp/cvs-serv4501/auth
> Modified Files: auth_util.c
> Log Message:
> Now that mimir has done the grunt work, I'll fix up the comment

Indeed :) I forgot to remove it.

cheers,
--
Rafal Szczesniak mimir[at]diament.ists.pwr.wroc.pl
Samba Team member mimir[at]samba.org
+-+
*BSD, GNU/Linux and Samba http://www.samba.org
+-+
CVS update: sambaweb
Date: Sat Mar 15 14:12:55 2003
Author: jerry
Update of /data/cvs/sambaweb
In directory dp.samba.org:/tmp/cvs-serv7924
Modified Files: samba.html
Log Message:
announcing the samba-2.2.8 release
Revisions:
samba.html 1.182 => 1.183
http://www.samba.org/cgi-bin/cvsweb/sambaweb/samba.html?r1=1.182&r2=1.183
CVS update: sambaweb/whatsnew
Date: Sat Mar 15 14:12:55 2003
Author: jerry
Update of /data/cvs/sambaweb/whatsnew
In directory dp.samba.org:/tmp/cvs-serv7924/whatsnew
Modified Files: index.html
Added Files: samba-2.2.8.html
Log Message:
announcing the samba-2.2.8 release
Revisions:
samba-2.2.8.html NONE => 1.1
http://www.samba.org/cgi-bin/cvsweb/sambaweb/whatsnew/samba-2.2.8.html?rev=1.1
index.html 1.41 => 1.42
http://www.samba.org/cgi-bin/cvsweb/sambaweb/whatsnew/index.html?r1=1.41&r2=1.42
CVS update: samba/source/client
Date: Sat Mar 15 22:35:47 2003
Author: sfrench
Update of /home/cvs/samba/source/client
In directory dp.samba.org:/tmp/cvs-serv24034
Modified Files: mount.cifs.c
Log Message:
Checkin cifs vfs for Linux mount helper
Revisions:
mount.cifs.c 1.1 => 1.2
http://www.samba.org/cgi-bin/cvsweb/samba/source/client/mount.cifs.c?r1=1.1&r2=1.2
CVS update: samba/source
Date: Sat Mar 15 22:57:00 2003
Author: abartlet
Update of /data/cvs/samba/source
In directory dp.samba.org:/tmp/cvs-serv26229
Modified Files: Makefile.in
Log Message:
Fix non-gmake syntax error.
Revisions:
Makefile.in 1.629 => 1.630
http://www.samba.org/cgi-bin/cvsweb/samba/source/Makefile.in?r1=1.629&r2=1.630
CVS update: samba/source/include
Date: Sat Mar 15 23:16:40 2003
Author: abartlet
Update of /data/cvs/samba/source/include
In directory dp.samba.org:/tmp/cvs-serv28640/include
Modified Files: ads.h
Log Message:
A hack to get us building on a slightly older heimdal kerberos. It appears that we don't need this flag - heimdal's internal password change routines don't set it.
Andrew Bartlett
Revisions:
ads.h 1.24 => 1.25
http://www.samba.org/cgi-bin/cvsweb/samba/source/include/ads.h?r1=1.24&r2=1.25
CVS update: samba/source/include
Date: Sun Mar 16 00:39:40 2003
Author: abartlet
Update of /data/cvs/samba/source/include
In directory dp.samba.org:/tmp/cvs-serv8341/include
Modified Files: safe_string.h
Log Message:
More work on my macro mess - we need function prototypes of different types, and we were missing the 'char' type.
Andrew Bartlett
Revisions:
safe_string.h 1.19 => 1.20
http://www.samba.org/cgi-bin/cvsweb/samba/source/include/safe_string.h?r1=1.19&r2=1.20
CVS update: samba/source/utils
Date: Sun Mar 16 02:14:05 2003
Author: abartlet
Update of /data/cvs/samba/source/utils
In directory dp.samba.org:/tmp/cvs-serv21945/utils
Modified Files: net_ads.c
Log Message:
Changes to help the kerberos change password code work on systems that have some of the labels 'duplicated' (ie, the defines double-up). Also, do an ads_connect() to try and find our KDC. (So we don't segfault *every* time)
Andrew Bartlett
Revisions:
net_ads.c 1.66 => 1.67
http://www.samba.org/cgi-bin/cvsweb/samba/source/utils/net_ads.c?r1=1.66&r2=1.67
CVS update: samba/source/libads
Date: Sun Mar 16 02:14:05 2003
Author: abartlet
Update of /data/cvs/samba/source/libads
In directory dp.samba.org:/tmp/cvs-serv21945/libads
Modified Files: krb5_setpw.c
Log Message:
Changes to help the kerberos change password code work on systems that have some of the labels 'duplicated' (ie, the defines double-up). Also, do an ads_connect() to try and find our KDC. (So we don't segfault *every* time)
Andrew Bartlett
Revisions:
krb5_setpw.c 1.15 => 1.16
http://www.samba.org/cgi-bin/cvsweb/samba/source/libads/krb5_setpw.c?r1=1.15&r2=1.16
CVS update: samba/source/include
Date: Sun Mar 16 03:21:58 2003
Author: abartlet
Update of /data/cvs/samba/source/include
In directory dp.samba.org:/tmp/cvs-serv346/include
Modified Files: safe_string.h
Log Message:
Fix nmbd under -DDEVELOPER (pstrcpy on not-pstring). Make a new macro to help in this situation, and add memcpy() paranoia
Andrew Bartlett
Revisions:
safe_string.h 1.20 => 1.21
http://www.samba.org/cgi-bin/cvsweb/samba/source/include/safe_string.h?r1=1.20&r2=1.21
CVS update: samba/source/nmbd
Date: Sun Mar 16 03:21:59 2003
Author: abartlet
Update of /data/cvs/samba/source/nmbd
In directory dp.samba.org:/tmp/cvs-serv346/nmbd
Modified Files: nmbd_packets.c
Log Message:
Fix nmbd under -DDEVELOPER (pstrcpy on not-pstring). Make a new macro to help in this situation, and add memcpy() paranoia
Andrew Bartlett
Revisions:
nmbd_packets.c 1.61 => 1.62
http://www.samba.org/cgi-bin/cvsweb/samba/source/nmbd/nmbd_packets.c?r1=1.61&r2=1.62