[Samba] Q: winbind getgroups errors?
Hi,

I am running samba 3.0.7 on a FC 2 box with the following setup (testparm output):

snip
[global]
        workgroup = X
        realm = X.Y.COM
        security = ADS
        log level = 1
        log file = /var/log/samba/%m.log
        max log size = 50
        load printers = No
        os level = 0
        preferred master = No
        local master = No
        domain master = No
        idmap uid = 1-2
        idmap gid = 1-2
        winbind separator = _
/snip

This seems to work fine (at least all users can access shares and printers, though sometimes rather slow), but /var/log/samba/winbindd.log is filled with LOTS of messages like:

snip
nsswitch/winbindd_group.c:winbindd_getgroups(1059)
  user 'local_user' does not exist
/snip

Such a message seems to be generated for any local user (i.e. not listed in AD) which logs in, or for each process started using su etc. Might this come from pam? Any way to suppress it (as it clutters the logs)?

Tia, cheers,
Albrecht

--
LIOS Technology GmbH
Dr. Albrecht Dreß
Software Design
Schanzenstrasse 6 - 20
D-51063 Köln
Germany
Phone +49 221 676 2742
Fax +49 221 676 2069
--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] installing printer in a logon script
Manuel Capinha wrote:

> Connect to the server and enter the Printers and Faxes folder. Right click, choose Server Properties. Go into the Drivers tab and add the driver, just like as if it was a Windows server. Afterwards, select the printer and set it up to use your newly setup driver. All of this is explained in the manual in much more depth, of course :)

hint: look at the subject (installing printer in a script). it has to be done *fully* automatically, there is no place for going there and clicking here. this is done on a freshly installed machine, which didn't even join the domain.

any more ideas?

Tomek
[Samba] Using winbind authentication with Windows 2003 AD - SSH login failures
Hi all,

I have been trying to setup authentication of users on a Linux server against Windows server 2003 using winbind. I am at the point where an su - ADUSERNAME works, but sshing as that user still doesn't work.

When I try to ssh as an AD user as follows:

    ssh -l RILINUX+testuser server.domain.com

I get the following output in /var/log/messages:

    server pam_winbind[5906]: request failed: No such user, PAM error was 10, NT error was NT_STATUS_NO_SUCH_USER
    server sshd(pam_unix)[5906]: check pass; user unknown
    server sshd(pam_unix)[5906]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=server.domain.com

At the same time, I see this Failure Audit in the Security section of Event viewer on the AD server:

    Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon account: NOUSER
    Source Workstation: \\LONLT-SVR9
    Error Code: 0xC064

I then changed my setup to use winbind use default domain = yes and tried with

    ssh -l testuser server.domain.com

I got the same result as when using the DOMAIN+user syntax.

wbinfo -u shows this test user in the list.

My smb.conf is as follows:

    [global]
    workgroup = MYADDOMAIN
    netbios name = servername
    winbind separator = +
    winbind use default domain = yes
    idmap uid = 1-2
    idmap gid = 1-2
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%U
    template shell = /bin/bash
    security = ads
    encrypt passwords = yes
    realm = MYKERBEROSREALM.COM
    password server = 10.xxx.xxx.xxx

My various pam configs are as follows:

/etc/pam.d/login

    auth       required     pam_securetty.so
    auth       sufficient   pam_winbind.so
    auth       required     pam_stack.so service=system-auth
    auth       required     pam_nologin.so
    account    sufficient   pam_winbind.so
    account    required     pam_stack.so service=system-auth
    password   required     pam_stack.so service=system-auth
    session    required     pam_stack.so service=system-auth
    session    optional     pam_console.so

/etc/pam.d/sshd

    auth       required     pam_stack.so service=system-auth
    auth       sufficient   pam_winbind.so
    auth       required     pam_nologin.so
    account    sufficient   pam_winbind.so
    account    required     pam_stack.so service=system-auth
    password   required     pam_stack.so service=system-auth
    session    required     pam_stack.so service=system-auth
    session    required     pam_limits.so
    session    optional     pam_console.so

I'm using Red Hat EL AS 3 which I believe tries to centralise most of this in system-auth, and this is what I have there:

    auth        required      /lib/security/$ISA/pam_env.so
    auth        sufficient    /lib/security/$ISA/pam_winbind.so
    auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
    auth        required      /lib/security/$ISA/pam_deny.so
    account     sufficient    /lib/security/$ISA/pam_winbind.so
    account     required      /lib/security/$ISA/pam_unix.so
    password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
    password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    password    required      /lib/security/$ISA/pam_deny.so
    session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/
    session     required      /lib/security/$ISA/pam_limits.so
    session     required      /lib/security/$ISA/pam_unix.so

I'm not sure if this is related to my problem, but I see quite a few of the following messages in my security section of event viewer:

    Pre-authentication failed:
    User Name: servername$
    User ID: MYDOMAIN\servername$
    Service Name: krbtgt/MYKERBEROSREALM.COM
    Pre-Authentication Type: 0x0
    Failure Code: 0x19
    Client Address: 10.xxx.xxx.xxx

Can anyone advise how to rectify this problem?

Thanks in advance,

--
Wayne Pascoe
[Samba] Upgrading 2.2.8a to 3.0.7 UID problems
I have been running samba 2.2.8a with approx 600 users accessing it for their network drives. What I need to do now is to upgrade it to version 3.0.7. I have been trying to upgrade my development system with limited success; this is what I have done.

I have 2 test environments: one is under vm-ware and one is under vm on os390.

In order to test the upgrade I did the following, in the windows vm-ware environment:

- created NT PDC and imported 10,000 users from live domain.
- built 2 linux images both with 2.2.8a samba
- built 1 linux image with 3.0.7 samba

All servers worked fine. I then upgraded one of the 2.2.8a samba boxes by basically just installing 3.0.7 over the top of it. Everything worked, i.e. the users' UIDs remained the same.

I then tried to repeat this process on the test samba server on vm on os390. I followed the same procedure, i.e. just installed over the top. All seemed to go well but the users'/groups' UIDs/GIDs have changed. Can anybody think of why this might be happening?

The only way I have been able to get it to work on os390 is to copy the original var/locks/*.tbd files off to a safe directory, then upgrade to 3.0.7, then copy the files back. This seems to ensure the UIDs remain the same. The only other way is for me to build another samba server on os390 with samba 3.0.7 and migrate the users from the old 2.2.8a samba server, but this is not ideal.

Thanks in advance for any help you may be able to offer.
Re: [Samba] Re: Trusting and trusted domain (home mapping) problem
Hi Igor (and samba team),

I have done the following:

- I have upgraded the samba versions of both servers to be the same.
- The ldap servers are at the same version.
- DomainAPDC and DomainBPDC have winbind in nsswitch.
- wbinfo all works.
- getent group and getent passwd show ldap entries of the local domain and winbind entries of the remote domain.
- However I still cannot map the home directory of the Domain_B_user when I log into Domain_B on the Domain_A_XP computer.
- smbclient //domain_A_PDC/shared -U domain_B/domain_B_user is working.

The command I run on the command prompt (which will work) if I am Domain_A_user logged into Domain_A on Domain_A_XP_computer is net use x: /home. But before I map it, the home directory is already mapped based on the sambahomepath and sambahomedrive in the ldap entries. I am using the net use command to do testing.

If I were to run the same net use x: /home command as a Domain_B_User logging into Domain_B on Domain_A_XP_computer, the home directory never gets mapped.

Igor has made it work on his server but I am still stuck. (Igor, if you run the net use z: /home command as the Domain_B_User logging into Domain_B on Domain_A_XP, does it work?)

On my winbind log on Domain_A_PDC, I get the following:

legend:
  uwcstu is domain_B
  grade2 is domain_B_user
  1 is gid of DomainB\Domain Users group on Domain_A_PDC.
  staff is domain A

[2004/11/05 19:10:16, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(124)
  [29440]: getpwnam uwcstu\grade2
[2004/11/05 19:10:16, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1030)
  [29440]: getgroups UWCSTU\grade2
[2004/11/05 19:10:16, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(374)
  [29440]: gid to sid 1
[2004/11/05 19:10:16, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(124)
  [29440]: getpwnam uwcstu\grade2
[2004/11/05 19:10:16, 3] nsswitch/winbindd_group.c:winbindd_getgrnam(243)
  [29440]: getgrnam grade2
[2004/11/05 19:10:16, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2008)
  ldapsam_getgroup: Did not find group
[2004/11/05 19:10:16, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group grade2 in domain STAFF does not exist

Questions:

1. Why will domain_A_PDC try to getgrnam grade2? How did grade2 end up as a group and not a user?
2. Isn't it supposed to be getgrnam UWCSTU\Domain Users since winbindd_gid_to_sid is converting 1 to UWCSTU\Domain Users?
3. Any commands for me to test getgroups?
4. Any ideas how to proceed?

Thanks so much.

adrian
[Samba] Problems trying to print to Windows printer via ssh and Samba
Hello,

I am trying to do a rather wild thing. I want to print from a Windows XP laptop (over TCP/IP) to a Linux box (Fedora Core 2) which sends the print data through ssh (puTTY) to a Windows 2000 Print server.

The problem in detail: The laptop is not a member of our domain, so it cannot see the domain printers. I have a running Linux server which shall provide a printer queue in the form of 123.456.789.012/printer (or an equivalent if you have an idea how to do it). This printer should be sending its data through an ssh connection (preferably puTTY) to a Windows Network printer. I have to do this in such a complicated way because the Linux server is in a DMZ and is not seeing the Windows Network printer, since they are -of course- behind a firewall.

I did manage to make the Linux box print via ssh once about 3 weeks ago, but I had to do my final exam in the meantime, so I forgot the working settings.

What would the correct path to my machine look like, e.g. something like smb://workgroup/localhost/share (localhost because of the tunneling)? This doesn't work, I tried many different settings (e.g. with and without the workgroup, w and w/o username and password etc.).

BTW: I forwarded (through puTTY) the following ports: 137, 138, 139 and 631 and get errors like this:

    Unable to connect to SAMBA host, will retry in 60 seconds...
    ERROR: Connection failed with error NT_STATUS_LOGON_FAILURE.

What I want to know is, which username is required for connecting to the Windows print server? Up to now I use an admin user and its respective password, but to no avail.

If anybody could give me some advice I will greatly appreciate it. Of course, any other possibility is also very welcome.

Thanks in advance
Jan
FW: [Samba] Configuration with Windows clients
It doesn't work as I want: with this, everybody has ALL accesses to Shared_pcs, although I have put:

    write list = root

!!

-----Original Message-----
From: Matt Perkins [mailto:[EMAIL PROTECTED]
Sent: Thursday, 4 November 2004 21:49
To: Albert HERVO
Cc: Samba
Subject: Re: [Samba] Configuration with Windows clients

Try this

    [Shared_pcs]
    path = /Common/Shared_pcs
    guest ok = yes
    create mask = 0777
    browseable = yes
    write list = user1, user2, etc.

On Thu, 2004-11-04 at 11:13, Albert HERVO wrote:

> I try to configure a Samba Server to give access to a shared directory and subdirectories:
>
> - Read access to everybody WITHOUT need to give a login (User/password): to all PCs on my network (workgroup)
> - Write access to only some Users, or some PC (authorized by their @IP)
>
> I have this in the smb.conf (on the linux Server):
>
>     [Shared_pcs]
>     path = /Common/Shared_pcs
>     guest only = No
>     public = Yes
>     writable = Yes
>     create mask = 0777
>     browseable = Yes
>
> With this, all users can read but nobody can write in the directory Shared_pcs
Re: [Samba] Problem with smbmount
Same results... try adding fmask=770 as well
Re: [Samba] installing printer in a logon script
Reorganizing the posts for sanity:

Tomasz Chmielewski wrote:

> Manuel Capinha wrote:
>
>> Connect to the server and enter the Printers and Faxes folder. Right click, choose Server Properties. Go into the Drivers tab and add the driver, just like as if it was a Windows server.
>
> hint: look at the subject (installing printer in a script). it has to be done *fully* automatically, there is no place for going there and clicking here.

You need to do this to install the server copy of the printer driver. When you run your rundll command with the /in flag, it looks for the driver as it has been installed using (more or less) the procedure above. This is how it's done, not with what you said about 'putting the driver in /blah/X32HP200C'. When you do the install command from a login script there is no 'going there and clicking here', just a status box that disappears all by itself.

You should probably grab yourself a copy of '...By Example' by whatever means you like and bone up on the printing sections. You can start here if you don't know where to find it.
http://us3.samba.org/samba/docs/man/Samba-Guide/happy.html#id2541726

> this is done on a freshly installed machine, which didn't even join the domain.

If you didn't join the domain then how exactly is the login script being run?!?!?

--
Paul Gienger                     Office: 701-281-1884
Applied Engineering Inc.
Systems Architect                Fax: 701-281-1322
URL: www.ae-solutions.com
mailto: [EMAIL PROTECTED]
[Samba] export_smbpasswd.pl for samba 3 branch?
Hi all,

is export_smbpasswd.pl rewritten for samba 3 ldap schema anywhere? I wanna use it for cronly ldap grabbing to auth in a poptop server patched for /etc/samba/smbpasswd. I know there are other ways to do it but this seems to me quite more easy.

Regards
Re: [Samba] export_smbpasswd.pl for samba 3 branch?
> I wanna use it for cronly ldap grabbing to auth in a poptop server patched for /etc/samba/smbpasswd.

Would you care to rewrite that in English?

Taking a stab at the broken version of that question: Perhaps you should take a look at the pdbedit command possibly using the --import and --export flags.

--
Paul Gienger                     Office: 701-281-1884
Applied Engineering Inc.
Systems Architect                Fax: 701-281-1322
URL: www.ae-solutions.com
mailto: [EMAIL PROTECTED]
[Samba] HELP - Samba/Swat 3.0.2 and OsX 10.3.5
Dear Samba Team,

from a few days I'm trying to use samba on my powerbook, with panther 10.3.5. I'm also trying to enable swat where I succeeded, but with some anomalies. I will explain some of the steps I done during this day because I really don't ever know what to do now. I never had problems with samba over linux but here the things seems a little different.

I starting by open the door 901 for swat in the file /etc/services, putting there the known string

    swat 901/tcp # Samba Web Administration Tool.

Then I created a file called swat in the directory /etc/xinitd.d/ that contains:

    # default: off
    # description: SWAT is the Samba Web Admin Tool. Use swat \
    #              to configure your Samba server. To use SWAT, \
    #              connect to port 901 with your favorite web browser.
    service swat
    {
            port            = 901
            socket_type     = stream
            wait            = no
            only_from       = localhost
            user            = root
            server          = /usr/sbin/swat
            server_args     = -s /etc/smb.conf
            log_on_failure  += USERID
            disable         = no
    }

and I also created in /etc/ a file called smb.conf that contain the following string:

    [global]
    dos charset = 437
    unix charset = UTF-8-MAC
    display charset = UTF-8-MAC
    server string = Mac OS X
    auth methods = guest, opendirectory
    passdb backend = opendirectorysam, guest
    guest account = unknown
    use spnego = No
    printer admin = @admin, @staff

After enabling the windows share in the preference pane... nothing works! I cannot add user (neither the user created in the system) to samba cause I get:

    /etc/pdb/opendirectorysam.so undefined reference to _get_opendirectory_authenticator expected to be defined in the executable
    Trace/BPT trap

and I can enter swat only if I put it in demo mode with the option -a in the server_args instead of -s. But anyway no way of creating users.

I tried to solve the problem of the password authentication by pdbedit, so I use the command pdbedit -L -w to list the entire user on the system and print it out in a smbpasswd compatible list. I put the list in a file called smbpasswd by using a redirection command like and I put the file in /var/db/samba/ (should be that directory, I don't remember...). So I modified my smb.conf where I changed the passdb backend by putting it = smbdpasswd:/var/db/samba/smbpasswd.

Well... something did seems working, I can add password without having error, but... anyway nothing works! I cannot anyway enter in swat... I can delete also the user but I can't recreate it... :-|

Some other test, and I switched back to the original samba configuration, by putting as smb.conf the smb.conf.template, and putting the string enable = no in the swat file. The result is that now not only I cannot enter to swat neither by putting it into demo mode, but now I cannot neither stop swat! Also if I say in the swat file to not start, there is some things that keep it running! But I didn't do nothing :-|

Sorry for the long e-mail but I really don't know what to do, I spent the last days reading everywhere and trying everything but I'm again at the start point!

Thanks in advance for your time! Sorry for my English!

Alessandro Lorenzo Casali
[EMAIL PROTECTED]
[Samba] smbpasswd hash type
I've found an issue for us when users do a windows password change. The password is stored in LDAP with a crypt type of SMD5, which apparently is not liked very well by our smtp server, and manifests itself as the user not being able to use smtp-auth. When I change my password from the command line with the unix password change I get md5crypt, so it's not using the system password settings. The smbldap-tools.conf file lists the password hash as CRYPT, of course I doubt this is actually being called.

My question is: Is there a way to tell samba what kind of password hash to use when changing passwords? There's other things that break for us with what samba (or whatever it is calling) is doing, but mail/smtp-auth is the biggest one.

--
Paul Gienger                     Office: 701-281-1884
Applied Engineering Inc.
Systems Architect                Fax: 701-281-1322
URL: www.ae-solutions.com
mailto: [EMAIL PROTECTED]
[Samba] 3.0.8pre2 and domain admins question
Greetings,

I have been playing with 3.0.8rc2 on a test machine to get ready to upgrade my samba 2 PDC to Samba 3. I ran across an issue with mapping the domain admin group to a local UNIX group on the server and I wanted to know if the behavior I saw was normal or not.

The Samba server is a Sun ultra 1 running Solaris 9, user and group information is kept in plain old /etc/passwd, /etc/shadow, and /etc/group.

My group mappings look like:

    Domain Admins (S-1-5-21-4122618152-3960105789-1472380918-512) - ntadmin
    Domain Guests (S-1-5-21-4122618152-3960105789-1472380918-514) - nobody
    Domain Users (S-1-5-21-4122618152-3960105789-1472380918-513) - staff

My test user was a member of the ntadmin group - BUT it was NOT the primary group for that account (the primary group was staff.) Every time I logged in as the test user the windows machine refused to accept the test user as an administrator. I tried changing the test user's primary group to a group other than the one mapped to Domain Users in case Samba/Windows was selecting the most restrictive group membership for use - but that did not make a difference. When I changed the test user's primary group to ntadmin, then the windows client accepted the test user as an administrator.

So, now my questions - I did not read anything in the chapter 11 of the manual that covered this. Is this the expected behavior? Does Samba not look at secondary group memberships for accounts? Is this something odd because I am on a Solaris box? (hey, it has happened before.)

Thanks!

Bob Martel

--
***
Bob Martel, System Administrator
Levin College of Urban Affairs
Cleveland State University
(216) 687-2214
[EMAIL PROTECTED]

I met someone who looks a lot like you
She does the things you do
But she is an IBM
    -Jeff Lynne
***
Re: [Samba] Using winbind authentication with Windows 2003 AD - SSH login failures
Wayne,

Precisely what steps did you take to join the Samba server to the ADS?

- John T.

On Friday 05 November 2004 03:10, Wayne Pascoe wrote:

> Hi all,
>
> I have been trying to setup authentication of users on a Linux server against Windows server 2003 using winbind. I am at the point where an su - ADUSERNAME works, but sshing as that user still doesn't work.
>
> When I try to ssh as an AD user as follows:
>
>     ssh -l RILINUX+testuser server.domain.com
>
> I get the following output in /var/log/messages:
>
>     server pam_winbind[5906]: request failed: No such user, PAM error was 10, NT error was NT_STATUS_NO_SUCH_USER
>     server sshd(pam_unix)[5906]: check pass; user unknown
>     server sshd(pam_unix)[5906]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=server.domain.com
>
> At the same time, I see this Failure Audit in the Security section of Event viewer on the AD server:
>
>     Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>     Logon account: NOUSER
>     Source Workstation: \\LONLT-SVR9
>     Error Code: 0xC064
>
> I then changed my setup to use winbind use default domain = yes and tried with
>
>     ssh -l testuser server.domain.com
>
> I got the same result as when using the DOMAIN+user syntax.
>
> wbinfo -u shows this test user in the list.
>
> My smb.conf is as follows:
>
>     [global]
>     workgroup = MYADDOMAIN
>     netbios name = servername
>     winbind separator = +
>     winbind use default domain = yes
>     idmap uid = 1-2
>     idmap gid = 1-2
>     winbind enum users = yes
>     winbind enum groups = yes
>     template homedir = /home/%U
>     template shell = /bin/bash
>     security = ads
>     encrypt passwords = yes
>     realm = MYKERBEROSREALM.COM
>     password server = 10.xxx.xxx.xxx
>
> My various pam configs are as follows:
>
> /etc/pam.d/login
>
>     auth       required     pam_securetty.so
>     auth       sufficient   pam_winbind.so
>     auth       required     pam_stack.so service=system-auth
>     auth       required     pam_nologin.so
>     account    sufficient   pam_winbind.so
>     account    required     pam_stack.so service=system-auth
>     password   required     pam_stack.so service=system-auth
>     session    required     pam_stack.so service=system-auth
>     session    optional     pam_console.so
>
> /etc/pam.d/sshd
>
>     auth       required     pam_stack.so service=system-auth
>     auth       sufficient   pam_winbind.so
>     auth       required     pam_nologin.so
>     account    sufficient   pam_winbind.so
>     account    required     pam_stack.so service=system-auth
>     password   required     pam_stack.so service=system-auth
>     session    required     pam_stack.so service=system-auth
>     session    required     pam_limits.so
>     session    optional     pam_console.so
>
> I'm using Red Hat EL AS 3 which I believe tries to centralise most of this in system-auth, and this is what I have there:
>
>     auth        required      /lib/security/$ISA/pam_env.so
>     auth        sufficient    /lib/security/$ISA/pam_winbind.so
>     auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
>     auth        required      /lib/security/$ISA/pam_deny.so
>     account     sufficient    /lib/security/$ISA/pam_winbind.so
>     account     required      /lib/security/$ISA/pam_unix.so
>     password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
>     password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>     password    required      /lib/security/$ISA/pam_deny.so
>     session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/
>     session     required      /lib/security/$ISA/pam_limits.so
>     session     required      /lib/security/$ISA/pam_unix.so
>
> I'm not sure if this is related to my problem, but I see quite a few of the following messages in my security section of event viewer:
>
>     Pre-authentication failed:
>     User Name: servername$
>     User ID: MYDOMAIN\servername$
>     Service Name: krbtgt/MYKERBEROSREALM.COM
>     Pre-Authentication Type: 0x0
>     Failure Code: 0x19
>     Client Address: 10.xxx.xxx.xxx
>
> Can anyone advise how to rectify this problem?
>
> Thanks in advance,
>
> --
> Wayne Pascoe

--
John H Terpstra, CTO
PrimaStasys Inc.
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
Re: [Samba] 3.0.8pre2 and domain admins question
Is this the expected behavior? Does Samba not look at secondary group memberships for accounts? Is this something odd because I am on a Solaris box? (hey, it has happened before.)

That all depends. What is your passdb backend and system auth mode? There's a filed bug against secondary groups coming from LDAP in Solaris 8/9 past a certain release/patch level and also Solaris 10.

--
Paul Gienger                     Office: 701-281-1884
Applied Engineering Inc.
Systems Architect                Fax:    701-281-1322
URL: www.ae-solutions.com        mailto: [EMAIL PROTECTED]
Re: [Samba] export_smbpasswd.pl for samba 3 branch?
Paul Gienger wrote:

I wanna use it for cronly ldap grabbing to auth in a poptop server patched for /etc/samba/smbpasswd.

Would you care to rewrite that in english? Taking a stab at the broken version of that question: Perhaps you should take a look at the pdbedit command possibly using the --import and --export flags.

Hi Paul, sorry for my evil english *g
you're right, pdbedit -e=smbpasswd does the job
so sorry, sometimes i am thinking more complicated as it is needed

Regards
Robert
[Samba] Configuration with Windows clients
Yes, until now it works well: I had written a mistake in the smb.conf! Sorry

Thanks a lot

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] on behalf of Albert HERVO
Sent: Friday, 5 November 2004 13:25
To: Samba
Subject: TR: [Samba] Configuration with Windows clients

It doesn't work as I want: with this, everybody has ALL accesses to Shared_pcs, although I have put: write list = root !!

-----Original Message-----
From: Matt Perkins [mailto:[EMAIL PROTECTED]
Sent: Thursday, 4 November 2004 21:49
To: Albert HERVO
Cc: Samba
Subject: Re: [Samba] Configuration with Windows clients

Try this

[Shared_pcs]
    path = /Common/Shared_pcs
    guest ok = yes
    create mask = 0777
    browseable = yes
    write list = user1, user2, etc.

On Thu, 2004-11-04 at 11:13, Albert HERVO wrote:

I try to configure a Samba Server to give access to a shared directory and subdirectories:
- Read access to everybody WITHOUT need to give a login (User/password): to all PCs on my network (workgroup)
- Write access to only some Users, or some PC (authorized by their @IP)

I have this in the smb.conf (on the linux Server):

[Shared_pcs]
    path = /Common/Shared_pcs
    guest only = No
    public = Yes
    writable = Yes
    create mask = 0777
    browseable = Yes

With this, all users can read but nobody can write in the directory Shared_pcs
Re: [Samba] 3.0.8pre2 and domain admins question
On 11/05/2004 10:39 AM, Paul Gienger wrote:

Is this the expected behavior? Does Samba not look at secondary group memberships for accounts? Is this something odd because I am on a Solaris box? (hey, it has happened before.)

That all depends. What is your passdb backend and system auth mode? There's a filed bug against secondary groups coming from LDAP in Solaris 8/9 past a certain release/patch level and also Solaris 10.

Ha, knew I forgot something. Right now the test system is using the old smbpasswd back end and is set for security = user - it is currently functioning as a PDC for a test domain.

-Bob

--
***
Bob Martel, System Administrator      I met someone who looks a lot like you
Levin College of Urban Affairs        She does the things you do
Cleveland State University            But she is an IBM
(216) 687-2214 [EMAIL PROTECTED]      -Jeff Lynne
***
Re: [Samba] winbind fails
Hello everyone,

This is a response to a problem that I posted earlier this year. I just wanted to let everyone know that this problem has been solved and it was NOT samba or winbind that was causing it. As mentioned in the problem description below our site has 4 active directory DCs. In my smb.conf I had password server = * so it would authenticate with any DC in the realm for redundancy. Well after looking at all the logs I finally realized that it was always getting hung up while communicating with 1 of the four DCs. I changed the password server = dc2.dns.name dc3.dns.name dc4.dns.name forcing authentication to only the 3 DCs that were working properly and left out the 1 DC that winbind was getting hung up on. After that change, no more accumulating CLOSE_WAITs, logon speeds are phenomenal, and overall performance and stability are excellent. Our Linux box is now acting as a Linux box should.

This problem has been fixed for a few months now, I just now figured I would post my experience. I updated to 3.0.7 a day or two after it was released, and it has been running flawlessly ever since (I still haven't restarted the service).

As for the problematic DC, the admin never really figured out what the problem was. All they said was that they saw a few RPC errors in the event logs from time to time. They wouldn't really take me seriously because I was using Linux and samba for our local file/cvs server. They didn't really do anything about the problem until other windows users (or other departmental Microsoft admins started to have problems with Active Dir. logon scripts). They ended up having to rebuild the server to solve the problem.

So all in all, I wanted to thank the developers for the efforts

Majeed

Majeed wrote:

I have been having the same problem with winbind for quite a while now and have researched up and down, but I can't get the problem resolved. I have been dealing with this since 3.0.2.
I then moved to 3.0.2a, then to 3.0.3pre2 since the release notes stated a crash fix when in ads mode, then to 3.0.3 since it was a production release and then to 3.0.4 since some memory leaks and socket handling issues were fixed in winbind. I will now illustrate my problem.

Info:
- 4 windows 2000 domain controllers
- linux box joins the domain and uses Kerberos active directory authentication to shares
- distribution: Gentoo 1.4
- kernel 2.4.26 (stock sources)
- current version of samba: 3.0.4
- If anything else is needed please let me know
- configure command to compile:

    ./configure --prefix=/usr --sysconfdir=/etc/samba --localstatedir=/var \
        --libdir=/usr/lib/samba --with-privatedir=/etc/samba/private \
        --with-lockdir=/var/cache/samba --with-piddir=/var/run/samba \
        --with-swatdir=/usr/share/swat --with-configdir=/etc/samba \
        --with-logfilebase=/var/log/samba --enable-static --enable-shared \
        --with-manpages-langs=en --without-spinlocks --with-libsmbclient \
        --with-automount --with-smbmount --with-winbind --with-syslog \
        --with-idmap --with-ldap --with-ads --with-krb5 --with-pam

Problem:

After compiling and installing samba and copying the pam_winbind.so, libnss_winbind.so, and libnss_wins.so files to the appropriate directories I then start samba and winbind using a startup script. It takes about 30sec to a minute for authentication to start working (probably winbind talking to the DCs). Once it starts authenticating it works GREAT and will continue to do so for a period of 3 days to a week. Once it hits a certain point winbind will no longer authenticate.

Since I have been having this problem for a while now, I have been monitoring winbindd. It seems that around 3 hours after I start winbindd sockets in the CLOSE_WAIT state will start accumulating when I run the netstat -antupo command. All the sockets in this state are owned by the winbindd process. They will never close unless I kill the winbindd process.
Once the number of CLOSE_WAITs accumulate up around 1000 it will cause winbindd to stop authenticating, samba to crash, and I will not be able to ssh in (I can connect, I can authenticate, but after I successfully authenticate ssh shoots back a signal 11 error and drops the connection). I believe the ssh problem is caused by winbind because of all sockets and port numbers it has tied up in the close_wait state. Once I restart winbindd and sshd everything works fine again until that certain amount of time. After doing much research I found that it is usually the application that is not closing the socket correctly, due to a bug. At first I thought it might be the kernel so I upgraded from 2.4.25 to 2.4.26 but the same symptoms came about. After that I was reading a developers forum and someone said that if you kill the process that owns the sockets in the close_wait state and they disappear then it is not a kernel issue. Also during the monitoring of winbindd I noticed that amount of memory consumption steadily increases (maybe a leak?). I wanted to be able to show the developers and everyone else what I was
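The CLOSE_WAIT monitoring described in this thread, as an added example that is not part of the original posts: it parses `netstat -antupo` output and counts the CLOSE_WAIT sockets held by winbindd per remote peer, which is the view that singles out one misbehaving domain controller. The sample output, addresses, PIDs and function names are constructed for illustration.

```python
"""Count CLOSE_WAIT sockets per owning program and remote peer from netstat output."""
from collections import Counter

# Constructed sample in the column layout of Linux `netstat -antupo`.
# All addresses (RFC 5737 documentation ranges) and PIDs are made up.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    Timer
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      2210/smbd           off (0.00/0/0)
tcp        0      0 192.0.2.10:22           198.51.100.7:51514      ESTABLISHED 2301/sshd           keepalive (7100.10/0/0)
tcp        1      0 192.0.2.10:33012        192.0.2.21:445          CLOSE_WAIT  2188/winbindd       off (0.00/0/0)
tcp        1      0 192.0.2.10:33015        192.0.2.21:445          CLOSE_WAIT  2188/winbindd       off (0.00/0/0)
tcp        1      0 192.0.2.10:33020        192.0.2.21:389          CLOSE_WAIT  2188/winbindd       off (0.00/0/0)
tcp        1      0 192.0.2.10:33031        192.0.2.22:445          CLOSE_WAIT  2188/winbindd       off (0.00/0/0)
tcp        0      0 192.0.2.10:33040        192.0.2.23:88           TIME_WAIT   -                   timewait (41.20/0/0)
tcp        1      0 192.0.2.10:45001        198.51.100.9:80         CLOSE_WAIT  3120/httpd          off (0.00/0/0)
udp        0      0 192.0.2.10:137          0.0.0.0:*                           2205/nmbd           off (0.00/0/0)
"""


def parse_tcp_sockets(netstat_text):
    """Yield (state, remote_host, program) for every TCP row.

    Header rows and UDP rows are skipped; UDP rows have an empty State
    column, so their fields would not line up with the TCP layout.
    """
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[0].startswith("tcp"):
            continue
        foreign, state, owner = fields[4], fields[5], fields[6]
        # "192.0.2.21:445" -> "192.0.2.21"; splitting on the last colon
        # also copes with IPv6 rows such as ":::445".
        remote_host = foreign.rsplit(":", 1)[0]
        # "2188/winbindd" -> "winbindd"; "-" means the owner is not visible
        # (netstat not run as root, or the socket has no process any more).
        program = owner.split("/", 1)[1] if "/" in owner else None
        yield state, remote_host, program


def close_wait_by_peer(netstat_text, program="winbindd"):
    """Return a Counter {remote_host: CLOSE_WAIT sockets held by `program`}."""
    counts = Counter()
    for state, remote_host, owner in parse_tcp_sockets(netstat_text):
        if state == "CLOSE_WAIT" and owner == program:
            counts[remote_host] += 1
    return counts


def peers_over_threshold(netstat_text, threshold, program="winbindd"):
    """List (remote_host, count) pairs at or above `threshold`, worst first."""
    counts = close_wait_by_peer(netstat_text, program)
    return [(host, n) for host, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for host, n in peers_over_threshold(SAMPLE, threshold=2):
        print(f"winbindd holds {n} CLOSE_WAIT sockets to {host}")
```

On a live host the input would be the output of `netstat -antupo` run as root, sampled periodically so that growth towards one peer is visible long before the count reaches the level at which authentication stopped in this thread.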
Re: [Samba] Re: Trusting and trusted domain (home mapping) problem
Adrian Chow wrote:

Hi Igor (and samba team), I have done the following:
- I have upgraded the samba versions of the both servers to be the same.
- The ldap servers are in the same version.
- DomainAPDC and DomainBPDC has winbind in nsswitch
- wbinfo all works.
- getent group and getent passwd shows ldap entries of local domain and winbind entries of the remote domain.
- However I still cannot map the home directory of the Domain_B_user when I log into Domain_B on Domain_A_XP computer.
- smbclient //domain_A_PDC/shared -U domain_B/domain_B_user is working.

The command I run on the command prompt (which will work) if I am Domain_A_user into Domain_A on Domain_A_XP_computer is net use x: /home. But before I map it, the home directory is already mapped based on the sambahomepath and sambahomedrive in the ldap entries. I am using the net use command to do testing. If I were to run the same net use x: /home command as a Domain_B_User logging into Domain_B on Domain_A_XP_computer, the home directory never gets mapped. Igor has made it work on his server but I am still stuck. (Igor, if you run net use z: /home command as the Domain_B_User logging into Domain_B on Domain_A_XP, does it work?)

I think there's some miscommunication involved. :) User's home directory does get mapped during login according to sambaHomePath and sambaHomeDrive LDAP entries. I can verify this by looking at the net use output. However, when I run net use x: /home it gives me an error: The user's home directory could not be determined. According to DomainA log during this call the user's home share get created on ServerA (PDC for DomainA) instead of using the one specified as sambaHomePath:

    [2004/11/05 08:17:44, 3] param/loadparm.c:lp_add_home(2341)
      adding home's share [testA] for user 'DOMAINA\testA' at '/home/DOMAINA/testA'

I'm still investigating if this is based solely on XP request (XP side problem) of if this is a way Samba responds on a general net use x: /home request (Samba side problem).
On my winbind log on Domain_A_PDC, I get the following:

legend:
- uwcstu is domain_B
- grade2 is domain_B_user
- 1 is gid of DomainB\Domain Users group on Domain_A_PDC.
- staff is domain A

    [2004/11/05 19:10:16, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(124)
      [29440]: getpwnam uwcstu\grade2
    [2004/11/05 19:10:16, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1030)
      [29440]: getgroups UWCSTU\grade2
    [2004/11/05 19:10:16, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(374)
      [29440]: gid to sid 1
    [2004/11/05 19:10:16, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(124)
      [29440]: getpwnam uwcstu\grade2
    [2004/11/05 19:10:16, 3] nsswitch/winbindd_group.c:winbindd_getgrnam(243)
      [29440]: getgrnam grade2
    [2004/11/05 19:10:16, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2008)
      ldapsam_getgroup: Did not find group
    [2004/11/05 19:10:16, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
      group grade2 in domain STAFF does not exist

Questions:
1. Why domain_A_PDC will try to getgrnam grade2? How did grade2 end up as a group and not a user?
2. Isn't it supposed to be getgrnam UWCSTU\Domain Users since winbindd_gid_to_sid is converting 1 to UWCSTU\Domain Users?
3. Any commands for me to test getgroups?
4. Any ideas how to proceed on?

I have similar problem - the same errors in winbind log. I'm investigating this as well. I actually have 2 groups for userA and one gets mapping into user's name with domain stripped out, another into 'tty'. I suspect it's a Samba bug. But, again - it does not cause problems with automatic map of user home. The only suggestion I have at the moment is to look into the source...

Igor
Re: [Samba] 3.0.8pre2 and domain admins question
Right now the test system is using the old smbpasswd back end and is set for security = user - it is currently functioning as a PDC for a test domain.

And system users are coming from? /etc/passwd and /etc/group or something else? That's really the proper question (my bad for asking too many and not all relevant)

--
Paul Gienger                     Office: 701-281-1884
Applied Engineering Inc.
Systems Architect                Fax:    701-281-1322
URL: www.ae-solutions.com        mailto: [EMAIL PROTECTED]
Re: [Samba] 3.0.8pre2 and domain admins question
On 11/05/2004 12:07 PM, Paul Gienger wrote:

Right now the test system is using the old smbpasswd back end and is set for security = user - it is currently functioning as a PDC for a test domain.

And system users are coming from? /etc/passwd and /etc/group or something else? That's really the proper question (my bad for asking too many and not all relevant)

I don't understand your question I guess. User information is kept in /etc/passwd and /etc/shadow, group info kept in /etc/group. Samba is using the old smbpasswd back end - the text file kept in /usr/local/samba/lib. I have used the smbpasswd command to add the users and machines to the smbpasswd file. I think that is about as basic as it gets - no NIS, no NIS+, no LDAP, just plain, old flat files holding the info.

Thanks,
Bob

--
***
Bob Martel, System Administrator      I met someone who looks a lot like you
Levin College of Urban Affairs        She does the things you do
Cleveland State University            But she is an IBM
(216) 687-2214 [EMAIL PROTECTED]      -Jeff Lynne
***
Re: [Samba] Possible bug with Samba and LDAP
Andrew Bartlett [EMAIL PROTECTED] on Thursday, November 04, 2004 at 11:31 PM -0800 wrote:

On Fri, 2004-11-05 at 11:49, Jeremy Allison wrote:

On Thu, Nov 04, 2004 at 04:40:07PM -0800, Erik Horn wrote:

The ldap client libraries are from openldap-2.1.29.

I would use strace to find out who is resetting that signal handler. It isn't smbd.

nss_ldap? That was the suspect in one of these cases before.

Andrew Bartlett

After doing some searching around, I believe that it is nss_ldap that is causing the problem. I found some references to a bug in signal handling that affected nss_ldap versions 200 and 213-219. We are running 217 (the current version for FC2). Before we upgraded, we were running version 202 therefore didn't see the problem. I am building a test system so that I can verify that the newer nss_ldap library fixes the problem. If it does, I'll file a bug report with the fedora project so they can update the distribution.

References:
PADL bug #173: http://bugzilla.padl.com/show_bug.cgi?id=173
Redhat bug #84344: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=84344

Thanks,
Erik
RE: [Samba] Doubt about samba
Anoop Pudhukode mailto:[EMAIL PROTECTED] wrote:

I am trying to load a module trying to replace all the system calls. Is smbfs in client or server? Why is it a different beast?

smbfs is a filesystem that allows Windows network shares to be mounted on a unix system. I'm sorry I even mentioned it as it's not a part of the Samba suite. But it was the only sort-of-Samba-related kernel module that I could think of.

I think it's a safe bet that if you're trying to replace system calls with the module you're loading that the problem is with your module and not with Samba. I highly recommend contacting the authors of the module you're trying to load and explaining the problem to them.

If you would give the name of the module you're trying to load, or a link to where you got it, or something then maybe someone else who's running that module and Samba might be able to help you out.

HTH,
--J(K)

--- Jason Balicki [EMAIL PROTECTED] wrote:

On Thu, 2004-11-04 at 17:54, Anoop Pudhukode wrote:

Are there kernel loadable modules in samba for linux? If so any idea what they do? Because after I load my module samba stops working.

No, there are no loadable kernel modules for Samba (there is smbfs, but that is a different beast entirely and would not affect the function of the server Samba.) What module are you trying to load?

--J(K)

=
Anoop M Pudhukode
40 W. 26th Pl,#203
San Mateo, CA 94403
408 839 6211(C)
Re: [Samba] Re: SAMBA PDC
Excuse me for the late answer, but I am ill now and have no possibility to test this. If I am feeling better tomorrow, I will test it. Yet again - thank you for helping me!

On Thursday 04 November 2004 22:20, Jim C. wrote:

Just delete the values for these two and then give it a try. GQ is good for this. I believe these can be set using smbldap-tools but as I recall, the tools will not accept a blank setting which is what you probably need if you want the default settings in smb.conf:

    sambaProfilePath: \\PDC\profiles\yyovkov
    sambaHomePath: \\PDC\homes

Jim C.

--
-----------------------------------------------------------------
| I can be reached on the following Instant Messenger services: |
|---------------------------------------------------------------|
| MSN: j_c_llings @ hotmail.com  AIM: WyteLi0n  ICQ: 123291844  |
|---------------------------------------------------------------|
| Y!: j_c_llings  Jabber: jcllings @ njs.netlab.cz              |
-----------------------------------------------------------------
Re: [Samba] installing printer in a logon script
Paul Gienger wrote: Reorganizing the posts for sanity: Tomasz Chmielewski wrote: Manuel Capinha wrote: Connect to the server and enter the Printers and Faxes folder. Right click, choose Server Properties. Go into the Drivers tab and add the driver, just like as if it was a Windows server. hint: look at the subject (installing printer in a script). it has to be done *fully* automatically, there is no place for going there and clicking here. You need to do this to install the server copy of the printer driver. When you run your rundll command with the /in flag, it looks for the driver as it has been installed using (more or less) the procedure above. This is how it's done, not with what you said about 'putting the driver in /blah/X32HP200C'. When you do the install command from a login script there is no 'going there and clicking here', just a status box that disappears all by itself. No, it doesn't disappear by itself, even if I'm logged into a domain. I agree, if the driver was installed *before* - now Windows knows that it has it. But if it's installed for the *first* time, I have this window prompt. You should probably grab yourself a copy of '...By Example' by whatever means you like and bone up on the printing sections. You can start here if you don't know where to find it. http://us3.samba.org/samba/docs/man/Samba-Guide/happy.html#id2541726 Yeah I read this, but it didn't say how to install printer drivers without user interaction. this is done on a freshly installed machine, which didn't even join the domain. If you didn't join the domain then how exactly is the login script being run?!?!? Actually, it's Unattended script (see unattended.sf.net) - a Windows deployment system - in other words, an unattended installation of Windows (handy if you have to install Windows on a large number of machines). 
You insert a CD to a blank PC (can be done over a network without a CD if mainboard supports it, too), choose a name for a computer - and there you go - it installs Windows, all desired software, joins the domain etc. without any need to click or type anything (well, you have to prepare a script that does that all before of course).

As the Windows is installed and the software is being installed, it is all done as Administrator (*that* computer Administrator) - and we're not logged into a domain (yet).

I can do everything automatically, apart from this printer driver :(

Tomek
Re: [Samba] installing printer in a logon script
Connect to the server and enter the Printers and Faxes folder. Right click, choose Server Properties. Go into the Drivers tab and add the driver, just like as if it was a Windows server. hint: look at the subject (installing printer in a script). it has to be done *fully* automatically, there is no place for going there and clicking here. You need to do this to install the server copy of the printer driver. When you run your rundll command with the /in flag, it looks for the driver as it has been installed using (more or less) the procedure above. This is how it's done, not with what you said about 'putting the driver in /blah/X32HP200C'. When you do the install command from a login script there is no 'going there and clicking here', just a status box that disappears all by itself. No, it doesn't disappear by itself, even if I'm logged into a domain. I agree, if the driver was installed *before* - now Windows knows that it has it. But if it's installed for the *first* time, I have this window prompt. It really sounds like you're not understanding what we're telling you. You need to store the printer driver on the samba server so that when you issue the rundll command, with the /in switch, your client knows what you're talking about. To do this, go to a windows machine that is already on your network, try your personal station, seems to work well for me. Follow through the part that I sent the address to. Really. When you are done, you should be able to run (from your server) rpcclient servername and then once logged in do an enumdrivers and see them listed. You should also be able to do an enumprinters and see more interesting information. If these commands don't work, stop and re-examine your setup. Any number of things could be wrong so perhaps tell us what you get from those commands. 
When you are done, you should be able to walk over to any machine, issue your rundll command from the command line and all that will happen is that a box will come up saying that it is installing the printer name from host (or possibly the ip depending on your version of samba) and it should just go away.

Now if you're using 3.0.7 (I believe) there is a known bug in these routines that will cause some issue with your naming. You'll have to play around with your rundll command and the printer names to get it right. If you get here, post your enumprinters and enumdrivers output from above and maybe a valid statement can be made for you.

--
Paul Gienger                     Office: 701-281-1884
Applied Engineering Inc.
Systems Architect                Fax:    701-281-1322
URL: www.ae-solutions.com        mailto: [EMAIL PROTECTED]
[Samba] Options fmask,dmask etc doesn't work in FC2
I have a box with Samba, with an repository file share, all machines in my network office has permissions to read/write in this share. But in boxes with Fedora Core 2 when I mount the share with options fmask=777 and dmask=777 only the directory that I mounted the share gets the fmask and dmask configurations, and the subdirectories continue with the same attributes of the server. How can I fix it?

thanks

Andre Luis Fogagnoli
Re: [Samba] installing printer in a logon script
Paul Gienger wrote:

You need to do this to install the server copy of the printer driver. When you run your rundll command with the /in flag, it looks for the driver as it has been installed using (more or less) the procedure above. This is how it's done, not with what you said about 'putting the driver in /blah/X32HP200C'. When you do the install command from a login script there is no 'going there and clicking here', just a status box that disappears all by itself.

No, it doesn't disappear by itself, even if I'm logged into a domain. I agree, if the driver was installed *before* - now Windows knows that it has it. But if it's installed for the *first* time, I have this window prompt.

It really sounds like you're not understanding what we're telling you. You need to store the printer driver on the samba server so that when you issue the rundll command, with the /in switch, your client knows what you're talking about. To do this, go to a windows machine that is already on your network, try your personal station, seems to work well for me. Follow through the part that I sent the address to. Really. When you are done, you should be able to run (from your server)

OK, sorry for misunderstanding. Will try that on Monday.

Tomek
[Samba] Samba + LDAP PDC on Gentoo
Has anyone got this setup running? Can you point me to a HOWTO? I'm stuck with a problem in smbldap_tools.pm when I do any kind of basic thing. I keep getting this error:

==
vulcan root # smbldap-usershow.pl Administrator
Can't call method search on an undefined value at /usr/lib/perl5/5.8.4/i686-linux/smbldap_tools.pm line 595.
==

Another thing that's puzzling me is the lack of PAM/NSS/LDAP intermingling. I can't do a getent passwd Administrator and get a positive result. Yet I can clearly see that I have an Administrator account with slapcat:

==
dn: uid=Administrator,ou=Users,dc=nei-ky,dc=com
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
gidNumber: 512
uid: Administrator
uidNumber: 998
homeDirectory: /home/
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\vulcan\homes
sambaHomeDrive: H:
sambaProfilePath: \erase\me
sambaPrimaryGroupSID: S-1-5-21-2155631241-3177187520-276014414-512
sambaLMPassword: XXX
sambaNTPassword: XXX
sambaAcctFlags: [U ]
sambaSID: S-1-5-21-2155631241-3177187520-276014414-2996
loginShell: /bin/false
gecos: Netbios Domain Administrator
structuralObjectClass: inetOrgPerson
entryUUID: a72b1fa4-c3aa-1028-83b5-f53b37bd2261
creatorsName: cn=Manager,dc=nei-ky,dc=com
createTimestamp: 20041105191425Z
entryCSN: 2004110519:14:25Z#0x0005#0#
modifiersName: cn=Manager,dc=nei-ky,dc=com
modifyTimestamp: 20041105191425Z
==

So basically I'm looking for any pointers at all. :)

--
Kevin L. Collins, MCSE
Systems Manager
Nesbitt Engineering, Inc.
RE: [Samba] Samba + LDAP PDC on Gentoo - UPDATE
I've been able to get PAM/NSS/LDAP working properly - silly typo. Still failing on the smbldap-tools use though. :(

Kevin

Has anyone got this setup running? Can you point me to a HOWTO? I'm stuck with a problem in smbldap_tools.pm when I do any kind of basic thing. I keep getting this error:

==
vulcan root # smbldap-usershow.pl Administrator
Can't call method search on an undefined value at /usr/lib/perl5/5.8.4/i686-linux/smbldap_tools.pm line 595.
==

Another thing that's puzzling me is the lack of PAM/NSS/LDAP intermingling. I can't do a getent passwd Administrator and get a positive result. Yet I can clearly see that I have an Administrator account with slapcat:

==
dn: uid=Administrator,ou=Users,dc=nei-ky,dc=com
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
gidNumber: 512
uid: Administrator
uidNumber: 998
homeDirectory: /home/
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\vulcan\homes
sambaHomeDrive: H:
sambaProfilePath: \erase\me
sambaPrimaryGroupSID: S-1-5-21-2155631241-3177187520-276014414-512
sambaLMPassword: XXX
sambaNTPassword: XXX
sambaAcctFlags: [U ]
sambaSID: S-1-5-21-2155631241-3177187520-276014414-2996
loginShell: /bin/false
gecos: Netbios Domain Administrator
structuralObjectClass: inetOrgPerson
entryUUID: a72b1fa4-c3aa-1028-83b5-f53b37bd2261
creatorsName: cn=Manager,dc=nei-ky,dc=com
createTimestamp: 20041105191425Z
entryCSN: 2004110519:14:25Z#0x0005#0#
modifiersName: cn=Manager,dc=nei-ky,dc=com
modifyTimestamp: 20041105191425Z
==

So basically I'm looking for any pointers at all. :)

--
Kevin L. Collins, MCSE
Systems Manager
Nesbitt Engineering, Inc.
[Samba] for small samba srv, need both smbd and nmbd?
Hello, we need to run the smallest samba server foot print. All it needs to do is function like a b-node, or at most a h-node. No serving, no nothing, it just needs to be able to be found on a windows network using NBT.

When I do a testparm there's lots of settings and we want this to be as innocuous as possible e.g. (no master browser, or election fighting etc.) We would like it to be as secure as possible since it's not really doing anything.

Here's what I've got so far

[global]
    #workgroup = this is only needed in h-node mode
    #wins server = same as above
    netbios name = %h
    security = SHARE
    server string = some name
    interfaces = eth0

Do I need any more than this, or any less? Do I need to start both smbd and nmbd?

Versions:
OS: fully patched redhat 7.3
Samba software: samba-2.2.7-3.7.3
Server=[Samba 2.2.7-security-rollup-fix]

Thanks,
Mark
[Samba] cupsaddsmb problems...
Hey everyone. Having a little problem getting cupsaddsmb to work correctly. I have been reading through the Samba 3 book today as I am trying to have the ability for drivers for our printers to be automatically downloaded when a client adds the printer.

I am using:
FreeBSD 4.10
samba 2.2.11
cups 1.1
cups-samba

I put the following info in smb.conf:

[printers]
    comment = All printers
    path = /var/spool/samba
    printer admin = root jwilliams
    guest ok = yes
    printable = yes
    browseable = no
    hosts allow = 192.168.1.
    printer name = HP8150 4th floor
    public = yes
    writeable = no

[print$]
    comment = Printer Drivers
    path = /usr/local/share/cups/drivers
    browseable = yes
    guest ok = no
    read only = yes
    write list = root

On the 'printers' portion, the printer name section, is a printer that I added through the cups web interface. I then proceeded to execute this command: cupsaddsmb -U root -a -v (for verbose output)

Here is the output:

oxygen# cupsaddsmb -U root -a -v
Password for root required to access localhost via SAMBA:
Running command: smbclient //localhost/print\$ -N -U'root%test' -c 'mkdir W32X86;put /var/spool/cups/tmp/418bc44b04fd5 W32X86/SalesPrinter-4.ppd;put /usr/local/share/cups/drivers/cupsdrv5.dll W32X86/cupsdrv5.dll;put /usr/local/share/cups/drivers/cupsui5.dll W32X86/cupsui5.dll;put /usr/local/share/cups/drivers/cups5.hlp W32X86/cups5.hlp'
added interface ip=192.168.1.93 bcast=192.168.1.255 nmask=255.255.255.0
Domain=[COURTESY] OS=[Unix] Server=[Samba 2.2.11]
NT_STATUS_OBJECT_NAME_COLLISION making remote directory \W32X86
putting file /var/spool/cups/tmp/418bc44b04fd5 as \W32X86/SalesPrinter-4.ppd (9730.0 kb/s) (average Inf kb/s)
putting file /usr/local/share/cups/drivers/cupsdrv5.dll as \W32X86/cupsdrv5.dll (54738.8 kb/s) (average 56640.2 kb/s)
putting file /usr/local/share/cups/drivers/cupsui5.dll as \W32X86/cupsui5.dll (42878.1 kb/s) (average 49759.6 kb/s)
putting file /usr/local/share/cups/drivers/cups5.hlp as \W32X86/cups5.hlp (14234.0 kb/s) (average 51149.6 kb/s)
Running command: rpcclient localhost -N -U'root%test' -c 'adddriver Windows NT x86 SalesPrinter-4:cupsdrv5.dll:SalesPrinter-4.ppd:cupsui5.dll:cups5.hlp:NULL:RAW:NULL'
cmd = adddriver Windows NT x86 SalesPrinter-4:cupsdrv5.dll:SalesPrinter-4.ppd:cupsui5.dll:cups5.hlp:NULL:RAW:NULL
result was NT_STATUS_UNSUCCESSFUL
Running command: rpcclient localhost -N -U'root%test' -c 'setdriver SalesPrinter-4 SalesPrinter-4'
cmd = setdriver SalesPrinter-4 SalesPrinter-4
SetPrinter call failed!
result was NT_STATUS_UNSUCCESSFUL

(I hope this formats correctly). But as you can see, the result is NT_STATUS_UNSUCCESSFUL. Now, I am having a heck of a time trying to figure out what the problem is. Also, here is a snip of what I see in /var/log/messages when I execute the above command:

Nov 5 13:11:46 oxygen smbd[52086]: [2004/11/05 13:11:46, 0] printing/nt_printing.c:get_correct_cversion(1099)
Nov 5 13:11:46 oxygen smbd[52086]: get_correct_cversion: Unable to connect

I was hoping to get some help here to let me know what I am doing wrong. I appreciate the help.

Jason
[Samba] HP-UX binary help
I am trying to install Samba on HP-UX 11.00 using the 3.0.5 binary from Samba.org. I installed the openssl and libiconv libraries from utah.edu. When I try to start smbd it coredumps with can not find path to libcrypto.sl. I have libcrypto.a in /opt/openssl/lib and I put it in my LD_LIRARY_PATH. Any ideas?
[Samba] Re: SAMBA PDC
> Excuse me for the late answer, but I am ill now and have no possibility to test this. If I am feeling better tomorrow, I will test it.

I hope you will be feeling better soon. I also hope that my latest advice is of some use to you as I've not encountered anything else that would cause this kind of trouble.

Jim C.
--
I can be reached on the following Instant Messenger services:
MSN: j_c_llings @ hotmail.com  AIM: WyteLi0n  ICQ: 123291844
Y!: j_c_llings  Jabber: jcllings @ njs.netlab.cz
[Samba] Re: Samba + LDAP PDC on Gentoo
> Has anyone got this setup running? Can you point me to a HOWTO?

Mine works but I don't use Gentoo.

> I'm stuck with a problem in smbldap_tools.pm when I do any kind of basic thing. I keep getting this error:
>
> vulcan root # smbldap-usershow.pl Administrator
> Can't call method "search" on an undefined value at /usr/lib/perl5/5.8.4/i686-linux/smbldap_tools.pm line 595.

Post your smbldap_tools.pm and make sure you XX out any passwords. For smbldap tools have a look at:

http://mandrake.vmlinuz.ca/bin/view/Main/SambaThreeDomainController#Install_and_Configure_Idealx_SMB

This may be enlightening but it is for Mandrake not Gentoo.

Jim C.
Re: [Samba] Allow access to a share to all members of a container?
This script will add all of the users in an OU to a Group. Copy it and save it with a .vbs extension.

Begin Script

    ' The OU that contains the users you want to add.
    Set oContainer = GetObject("LDAP://OU=Test,DC=domain,DC=com")
    ' The group you want to add them to.
    GroupAdd = "New Group"
    ' Old style Domain Name
    DomainName = "DOMAIN"

    ' Bind to the group through the WinNT provider.
    Set GroupObj = GetObject("WinNT://" & DomainName & "/" & GroupAdd)
    ModifyUsers oContainer

    Sub ModifyUsers(oObject)
        Dim oUser
        oObject.Filter = Array("User")
        For Each oUser in oObject
            If oUser.Class = "user" Then
                ' Uncomment the next line for testing.
                ' WScript.Echo oUser.samAccountName
                ' The next line adds the users to the group.
                GroupObj.Add ("WinNT://" & DomainName & "/" & _
                    oUser.samAccountName)
            End If
        Next
    End Sub

End Script

On Thu, 2004-11-04 at 14:52, Tom Dickson wrote:
> They are in a 2000 ADS OU.
>
> -Tom
>
> Matt Perkins wrote:
> | Do the users exist in an OPENLDAP database or Windows Active Directory?
> |
> | On Thu, 2004-11-04 at 10:47, Tom Dickson wrote:
> | | I have 104,000 users, some of which are in the OU:
> | |
> | | ad.network.local\AD\People\IFAS\Hort
> | |
> | | Is there an easy way to find all the users in this OU and grant them access to a share?
> | |
> | | Or do I have to list each user individually?
> | |
> | | And if so, can I use net user to list the users in an OU?
> | |
> | | -Tom
[Samba] How to stop samba from showing in share title
When I map a drive to samba using Windows XP, the My Computer window displays

username on 'Samba 3.0.7 (hostname)' H:

How do I prevent/change the Samba 3.0.7 portion of this name? I certainly do not want to advertise the version that I am using.

Thanks,
Re: [Samba] Re: Trusting and trusted domain (home mapping) problem
Hi Igor,

Thanks so much for troubleshooting all this while and we found out none of our configuration is the problem but the source code. Hope that the samba team will modify to a working code so that I can deploy it. Actually my dateline to deploy is coming soon and I do not know what to do now. When do you think the code will be modified and be released? Thanks so much for your help.

adrian

-- Original Message --
From: Igor Belyi [EMAIL PROTECTED]
Date: Fri, 05 Nov 2004 12:03:46 -0500

Adrian Chow wrote:
> Hi Igor (and samba team),
>
> I have done the following:-
> - I have upgraded the samba versions of the both servers to be the same.
> - The ldap servers are in the same version.
> - DomainAPDC and DomainBPDC has winbind in nsswitch
> - wbinfo all works.
> - getent group and getent passwd shows ldap entries of local domain and winbind entries of the remote domain.
> - However I still cannot map the home directory of the Domain_B_user when I log into Domain_B on Domain_A_XP computer.
> - smbclient //domain_A_PDC/shared -U domain_B/domain_B_user is working.
>
> The command I run on the command prompt (which will work) if I am Domain_A_user into Domain_A on Domain_A_XP_computer is net use x: /home. But before I map it, the home directory is already mapped based on the sambahomepath and sambahomedrive in the ldap entries. I am using the net use command to do testing.
>
> If I were to run the same net use x: /home command as a Domain_B_User logging into Domain_B on Domain_A_XP_computer, the home directory never gets mapped.
>
> Igor has made it work on his server but I am still stuck. (Igor, if you run net use z: /home command as the Domain_B_User logging into Domain_B on Domain_A_XP, does it work?)

I think there's some miscommunication involved. :) User's home directory does get mapped during login according to sambaHomePath and sambaHomeDrive LDAP entries. I can verify this by looking at the net use output.

However, when I run net use x: /home it gives me an error: The user's home directory could not be determined. According to the DomainA log, during this call the user's home share gets created on ServerA (PDC for DomainA) instead of using the one specified as sambaHomePath:

[2004/11/05 08:17:44, 3] param/loadparm.c:lp_add_home(2341)
  adding home's share [testA] for user 'DOMAINA\testA' at '/home/DOMAINA/testA'

I'm still investigating if this is based solely on XP request (XP side problem) or if this is the way Samba responds to a general net use x: /home request (Samba side problem).

> On my winbind log on Domain_A_PDC, I get the following :-
>
> legend:-
> uwcstu is domain_B
> grade2 is domain_B_user
> 1 is gid of DomainB\Domain Users group on Domain_A_PDC.
> staff is domain A
>
> [2004/11/05 19:10:16, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(124)
>   [29440]: getpwnam uwcstu\grade2
> [2004/11/05 19:10:16, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1030)
>   [29440]: getgroups UWCSTU\grade2
> [2004/11/05 19:10:16, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(374)
>   [29440]: gid to sid 1
> [2004/11/05 19:10:16, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(124)
>   [29440]: getpwnam uwcstu\grade2
> [2004/11/05 19:10:16, 3] nsswitch/winbindd_group.c:winbindd_getgrnam(243)
>   [29440]: getgrnam grade2
> [2004/11/05 19:10:16, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2008)
>   ldapsam_getgroup: Did not find group
> [2004/11/05 19:10:16, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
>   group grade2 in domain STAFF does not exist
>
> Questions:-
> 1. Why will domain_A_PDC try to getgrnam grade2? How did grade2 end up as a group and not a user?
> 2. Isn't it supposed to be getgrnam UWCSTU\Domain Users since winbindd_gid_to_sid is converting 1 to UWCSTU\Domain Users?
> 3. Any commands for me to test getgroups?
> 4. Any ideas how to proceed?

I have a similar problem - the same errors in winbind log. I'm investigating this as well.

I actually have 2 groups for userA and one gets mapped into the user's name with the domain stripped out, another into 'tty'. I suspect it's a Samba bug. But, again - it does not cause problems with automatic map of user home. The only suggestion I have at the moment is to look into the source...

Igor
Re: [Samba] How to stop samba from showing in share title
On Friday 05 November 2004 16:51, Evan Rempel wrote:
> When I map a drive to samba using Windows XP, the My Computer window displays
>
> username on 'Samba 3.0.7 (hostname)' H:
>
> How do I prevent/change the Samba 3.0.7 portion of this name? I certainly do not want to advertise the version that I am using.

In your smb.conf [global] add:

server string = Grany's Apple Pie

- John T.
--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
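A check an administrator could run for the concern raised in this thread, as an added example that is not part of the original posts or of Samba itself: it reads [global] from an smb.conf and reports whether server string would expand %v (the Samba version), counting the documented default "Samba %v" when the parameter is unset. The function names and the sample configurations are constructed for illustration.

```python
import re

# Default documented in smb.conf(5) when "server string" is not set.
DEFAULT_SERVER_STRING = "Samba %v"

# Constructed sample configurations (not taken from the thread).
SAMPLE_DEFAULT = """
[global]
    workgroup = X
    security = ADS
"""

SAMPLE_FIXED = """
# value suggested in the reply above
[global]
    workgroup = X
    Server String = Grany's Apple Pie
[homes]
    comment = Home on %v
"""

# A value split with a trailing backslash that still expands the version.
SAMPLE_EXPLICIT_V = "[global]\n  server string = File server \\\n      %v on %h\n"


def parse_global(conf_text):
    """Return the [global] parameters of an smb.conf as a dict.

    Parameter names are normalised the way smb.conf(5) describes:
    case is not significant and whitespace inside the name is ignored.
    Indented parameters and backslash continuations are handled, and the
    last assignment of a parameter wins.
    """
    params = {}
    section = None
    pending = ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            # Continuation: join with the next physical line.
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            key = re.sub(r"\s+", "", name).lower()
            params[key] = value.strip()
    return params


def version_advertised(conf_text):
    """Return (advertised, effective_server_string) for an smb.conf text.

    advertised is True when the effective server string contains %v,
    which Samba replaces with its version number.
    """
    params = parse_global(conf_text)
    server_string = params.get("serverstring", DEFAULT_SERVER_STRING)
    return "%v" in server_string, server_string


if __name__ == "__main__":
    for label, text in (("default", SAMPLE_DEFAULT),
                        ("fixed", SAMPLE_FIXED),
                        ("explicit %v", SAMPLE_EXPLICIT_V)):
        advertised, value = version_advertised(text)
        state = "ADVERTISES version" if advertised else "ok"
        print(f"{label:12} server string = {value!r}: {state}")
```

This looks only at the server string parameter in [global]; it does not examine anything else a client may display.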
Re: [Samba] How to stop samba from showing in share title
This will certainly make the server string show up in the network browser, but when you map a drive letter, and then open My Computer the mapped drive letter will still show

'Samba 3.0.7 (hostname)' H:

Evan.

On Fri, 5 Nov 2004, John H Terpstra wrote:
> On Friday 05 November 2004 16:51, Evan Rempel wrote:
> > When I map a drive to samba using Windows XP, the My Computer window displays
> >
> > username on 'Samba 3.0.7 (hostname)' H:
> >
> > How do I prevent/change the Samba 3.0.7 portion of this name? I certainly do not want to advertise the version that I am using.
>
> In your smb.conf [global] add:
>
> server string = Grany's Apple Pie
>
> - John T.
> --
> John H Terpstra
> Samba-Team Member
> Phone: +1 (650) 580-8668
> Author:
> The Official Samba-3 HOWTO Reference Guide, ISBN: 0131453556
> Samba-3 by Example, ISBN: 0131472216
> Hardening Linux, ISBN: 0072254971
> Other books in production.

Evan Rempel [EMAIL PROTECTED]
Senior Programmer Analyst
University of Victoria
Re: [Samba] Samba + LDAP PDC on Gentoo - UPDATE
Kevin, I have this up, running and in production. Please e-mail me off list on Monday, and I will work with you to figure out the hold up. =) Of course, you can try me this weekend as well. thanks, Joshua
svn commit: samba r3546 - in branches/SAMBA_4_0/source/lib/registry/tools: .
Author: tridge Date: 2004-11-05 09:19:42 + (Fri, 05 Nov 2004) New Revision: 3546 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=3546 Log: including includes.h twice causes gcc 3.4 to crash with pch Modified: branches/SAMBA_4_0/source/lib/registry/tools/regpatch.c Changeset: Modified: branches/SAMBA_4_0/source/lib/registry/tools/regpatch.c === --- branches/SAMBA_4_0/source/lib/registry/tools/regpatch.c 2004-11-05 07:29:02 UTC (rev 3545) +++ branches/SAMBA_4_0/source/lib/registry/tools/regpatch.c 2004-11-05 09:19:42 UTC (rev 3546) @@ -59,8 +59,6 @@ #define CMD_KEY 1 #define CMD_VAL 2 -#include includes.h - typedef struct val_spec_list { struct val_spec_list *next; char *name;
svn commit: samba r3547 - in branches/SAMBA_4_0/source/build/tests: .
Author: tridge Date: 2004-11-05 10:30:54 + (Fri, 05 Nov 2004) New Revision: 3547 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=3547 Log: fixed waitpid in fcntl_lock.c (thanks to jbm for pointing this out) Modified: branches/SAMBA_4_0/source/build/tests/fcntl_lock.c Changeset: Modified: branches/SAMBA_4_0/source/build/tests/fcntl_lock.c === --- branches/SAMBA_4_0/source/build/tests/fcntl_lock.c 2004-11-05 09:19:42 UTC (rev 3546) +++ branches/SAMBA_4_0/source/build/tests/fcntl_lock.c 2004-11-05 10:30:54 UTC (rev 3547) @@ -89,7 +89,7 @@ /* set a 4 byte write lock */ fcntl(fd,F_SETLK,lock); - sys_waitpid(pid, status, 0); + waitpid(pid, status, 0); unlink(DATA);
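Review bot: The replacement waitpid(pid, status, 0) call still discards its return value, so if the call fails or is interrupted, whatever the test reads from status afterwards is not meaningful. As this is a build-time probe, check for a return of -1 and fail the test explicitly, and confirm the file includes the header that declares waitpid now that the sys_waitpid wrapper is no longer used.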
svn commit: samba r3548 - in branches/SAMBA_4_0/source/lib/netif: .
Author: tridge Date: 2004-11-05 10:53:20 + (Fri, 05 Nov 2004) New Revision: 3548 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=3548 Log: removed extra net/if.h include Modified: branches/SAMBA_4_0/source/lib/netif/netif.c Changeset: Modified: branches/SAMBA_4_0/source/lib/netif/netif.c === --- branches/SAMBA_4_0/source/lib/netif/netif.c 2004-11-05 10:30:54 UTC (rev 3547) +++ branches/SAMBA_4_0/source/lib/netif/netif.c 2004-11-05 10:53:20 UTC (rev 3548) @@ -40,7 +40,6 @@ #include netdb.h #include sys/ioctl.h #include sys/time.h -#include net/if.h #ifndef AUTOCONF_TEST #include lib/netif/netif.h
svn commit: samba r3549 - in branches/SAMBA_4_0/source: include librpc/idl librpc/ndr ntvfs/posix
Author: tridge Date: 2004-11-05 11:31:35 + (Fri, 05 Nov 2004) New Revision: 3549 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=3549 Log: added support for DOS extended attribute lists (name/value pairs) stored in posix xattrs Modified: branches/SAMBA_4_0/source/include/smb_interfaces.h branches/SAMBA_4_0/source/include/structs.h branches/SAMBA_4_0/source/librpc/idl/idl_types.h branches/SAMBA_4_0/source/librpc/idl/xattr.idl branches/SAMBA_4_0/source/librpc/ndr/libndr.h branches/SAMBA_4_0/source/librpc/ndr/ndr_basic.c branches/SAMBA_4_0/source/ntvfs/posix/config.m4 branches/SAMBA_4_0/source/ntvfs/posix/config.mk branches/SAMBA_4_0/source/ntvfs/posix/pvfs_fileinfo.c branches/SAMBA_4_0/source/ntvfs/posix/pvfs_open.c branches/SAMBA_4_0/source/ntvfs/posix/pvfs_qfileinfo.c branches/SAMBA_4_0/source/ntvfs/posix/pvfs_setfileinfo.c branches/SAMBA_4_0/source/ntvfs/posix/pvfs_xattr.c Changeset: Sorry, the patch is too large (660 lines) to include; please use WebSVN to see it! WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=3549
svn commit: samba r3550 - in branches/SAMBA_4_0/source/ntvfs/posix: .
Author: tridge Date: 2004-11-05 11:49:37 + (Fri, 05 Nov 2004) New Revision: 3550 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=3550 Log: fixed initial attribute on file create (inlusion of FILE_ATTRIBUTE_ARCHIVE) Modified: branches/SAMBA_4_0/source/ntvfs/posix/pvfs_open.c Changeset: Modified: branches/SAMBA_4_0/source/ntvfs/posix/pvfs_open.c === --- branches/SAMBA_4_0/source/ntvfs/posix/pvfs_open.c 2004-11-05 11:31:35 UTC (rev 3549) +++ branches/SAMBA_4_0/source/ntvfs/posix/pvfs_open.c 2004-11-05 11:49:37 UTC (rev 3550) @@ -284,6 +284,7 @@ uint32_t share_access = io-generic.in.share_access; uint32_t access_mask = io-generic.in.access_mask; mode_t mode; + uint32_t attrib; if ((io-ntcreatex.in.file_attr FILE_ATTRIBUTE_READONLY) (create_options NTCREATEX_OPTIONS_DELETE_ON_CLOSE)) { @@ -313,7 +314,8 @@ return NT_STATUS_TOO_MANY_OPENED_FILES; } - mode = pvfs_fileperms(pvfs, io-ntcreatex.in.file_attr | FILE_ATTRIBUTE_ARCHIVE); + attrib = io-ntcreatex.in.file_attr | FILE_ATTRIBUTE_ARCHIVE; + mode = pvfs_fileperms(pvfs, attrib); /* create the file */ fd = open(name-full_name, flags | O_CREAT | O_EXCL, mode); @@ -330,7 +332,7 @@ return status; } - name-dos.attrib = io-ntcreatex.in.file_attr; + name-dos.attrib = attrib; status = pvfs_dosattrib_save(pvfs, name, fd); if (!NT_STATUS_IS_OK(status)) { idr_remove(pvfs-idtree_fnum, fnum);
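Review bot: In the last hunk, name->dos.attrib = attrib fixes the stored attribute, but the reason FILE_ATTRIBUTE_ARCHIVE is forced on create lives only in the commit log. A one-line comment at the attrib = ... | FILE_ATTRIBUTE_ARCHIVE assignment in the second hunk would keep the mode calculation and the saved DOS attribute from drifting apart again, and a test that creates a file and reads the attribute back would cover the regression.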
svn commit: samba r3551 - in branches/SAMBA_4_0/source/utils: .
Author: tridge Date: 2004-11-05 12:06:36 + (Fri, 05 Nov 2004) New Revision: 3551 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=3551 Log: these utils need system/filesys.h Modified: branches/SAMBA_4_0/source/utils/getntacl.c branches/SAMBA_4_0/source/utils/setntacl.c branches/SAMBA_4_0/source/utils/setnttoken.c Changeset: Modified: branches/SAMBA_4_0/source/utils/getntacl.c === --- branches/SAMBA_4_0/source/utils/getntacl.c 2004-11-05 11:49:37 UTC (rev 3550) +++ branches/SAMBA_4_0/source/utils/getntacl.c 2004-11-05 12:06:36 UTC (rev 3551) @@ -21,6 +21,7 @@ */ #include includes.h +#include system/filesys.h #if (!defined(HAVE_NO_ACLS) || !defined(HAVE_XATTR_SUPPORT)) Modified: branches/SAMBA_4_0/source/utils/setntacl.c === --- branches/SAMBA_4_0/source/utils/setntacl.c 2004-11-05 11:49:37 UTC (rev 3550) +++ branches/SAMBA_4_0/source/utils/setntacl.c 2004-11-05 12:06:36 UTC (rev 3551) @@ -21,6 +21,7 @@ */ #include includes.h +#include system/filesys.h #if (!defined(HAVE_NO_ACLS) || !defined(HAVE_XATTR_SUPPORT)) Modified: branches/SAMBA_4_0/source/utils/setnttoken.c === --- branches/SAMBA_4_0/source/utils/setnttoken.c2004-11-05 11:49:37 UTC (rev 3550) +++ branches/SAMBA_4_0/source/utils/setnttoken.c2004-11-05 12:06:36 UTC (rev 3551) @@ -21,6 +21,7 @@ */ #include includes.h +#include system/filesys.h #if (!defined(HAVE_NO_ACLS) || !defined(HAVE_XATTR_SUPPORT))
svn commit: samba-web r395 - in trunk/support: .
Author: deryck Date: 2004-11-05 12:21:06 + (Fri, 05 Nov 2004) New Revision: 395 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=samba-webrev=395 Log: Add support company at company's request. --deryck Modified: trunk/support/canada.html Changeset: Modified: trunk/support/canada.html === --- trunk/support/canada.html 2004-11-04 15:14:11 UTC (rev 394) +++ trunk/support/canada.html 2004-11-05 12:21:06 UTC (rev 395) @@ -136,6 +136,25 @@ /small/pre +!-- Added: 05 November 204 -- +hr/ +presmall +Linux Network Care +Toronto, Ontario, Canada + +a href=http://www.linuxnetworkcare.com;http://www.linuxnetworkcare.com/a +a href=mailto:[EMAIL PROTECTED][EMAIL PROTECTED]/a +Phone: 647-722-5303 + +Linux Network Care specializes in providing Linux based solutions for +small, medium and corporate sized businesses. We pride ourselves on our +delivery of dependable network solutions, world class server +administration, tight server security and easy to understand Linux +training. We also provide speedy and reliable reseller web hosting with +one of the fastest backbones on the Internet. +/small/pre + + !-- Updated: 19 May 2004 -- hr / h3Quebec/h3
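Review bot: The comment on the first added line reads "Added: 05 November 204"; the year should be 2004, matching the "Updated: 19 May 2004" comment in the trailing context. The new entry is for Toronto, Ontario and is inserted directly above the Quebec heading, so also check that it sits under the intended province heading.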
svn commit: samba r3554 - in branches/SAMBA_4_0/source/auth: .
Author: abartlet Date: 2004-11-05 12:44:18 + (Fri, 05 Nov 2004) New Revision: 3554 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=3554 Log: Use the new talloc_reference changes to simply the conversion of returned validation information into the server_info struct. Also allow for easier expansion to different variations on validation levels. Andrew Bartlett Modified: branches/SAMBA_4_0/source/auth/auth_util.c Changeset: Modified: branches/SAMBA_4_0/source/auth/auth_util.c === --- branches/SAMBA_4_0/source/auth/auth_util.c 2004-11-05 12:20:27 UTC (rev 3553) +++ branches/SAMBA_4_0/source/auth/auth_util.c 2004-11-05 12:44:18 UTC (rev 3554) @@ -492,12 +492,34 @@ Make a server_info struct from the info3 returned by a domain logon ***/ -NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, - const char *internal_username, - struct auth_serversupplied_info **server_info, - struct netr_SamInfo3 *info3) +NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx, + const char *internal_username, + struct auth_serversupplied_info **server_info, + uint16 validation_level, + union netr_Validation *validation) { NTSTATUS nt_status; + struct netr_SamBaseInfo *base; + switch (validation_level) { + case 2: + if (!validation || !validation-sam2) { + return NT_STATUS_INVALID_PARAMETER; + } + base = validation-sam2-base; + break; + case 3: + if (!validation || !validation-sam3) { + return NT_STATUS_INVALID_PARAMETER; + } + base = validation-sam3-base; + break; + case 6: + if (!validation || !validation-sam6) { + return NT_STATUS_INVALID_PARAMETER; + } + base = validation-sam6-base; + break; + } nt_status = make_server_info(mem_ctx, server_info, internal_username); 
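Review bot: The switch on validation_level has no default case, so any level other than 2, 3 or 6 leaves base uninitialized, and the rest of the function reads base->domain_sid, base->rid and base->group_count. Add a default: that returns NT_STATUS_INVALID_PARAMETER, since this function turns a logon reply into the server_info used for authorization. The rename from make_server_info_info3 also changes the argument list, so every caller has to move in the same commit.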
@@ -513,98 +535,93 @@ matches. */ - (*server_info)-user_sid = dom_sid_add_rid(*server_info, dom_sid_dup(*server_info, info3-base.domain_sid), info3-base.rid); - (*server_info)-primary_group_sid = dom_sid_add_rid(*server_info, dom_sid_dup(*server_info, info3-base.domain_sid), info3-base.primary_gid); + (*server_info)-user_sid = dom_sid_add_rid(*server_info, dom_sid_dup(*server_info, base-domain_sid), base-rid); + (*server_info)-primary_group_sid = dom_sid_add_rid(*server_info, dom_sid_dup(*server_info, base-domain_sid), base-primary_gid); - /* TODO: pull in other groups: */ - - - (*server_info)-domain_groups = talloc_array_p((*server_info), struct dom_sid*, info3-base.group_count); + (*server_info)-domain_groups = talloc_array_p((*server_info), struct dom_sid*, base-group_count); if (!(*server_info)-domain_groups) { return NT_STATUS_NO_MEMORY; } for ((*server_info)-n_domain_groups = 0; -(*server_info)-n_domain_groups info3-base.group_count; +(*server_info)-n_domain_groups base-group_count; (*server_info)-n_domain_groups++) { struct dom_sid *sid; - sid = dom_sid_dup(*server_info, info3-base.domain_sid); + sid = dom_sid_dup((*server_info)-domain_groups, base-domain_sid); if (!sid) { return NT_STATUS_NO_MEMORY; } (*server_info)-domain_groups[(*server_info)-n_domain_groups] = dom_sid_add_rid(*server_info, sid, - info3-base.groupids[(*server_info)-n_domain_groups].rid); + base-groupids[(*server_info)-n_domain_groups].rid); if (!(*server_info)-domain_groups[(*server_info)-n_domain_groups]) { return NT_STATUS_NO_MEMORY; } } - if (info3-base.account_name.string) { - (*server_info)-account_name = talloc_reference(*server_info, info3-base.account_name.string); - } else { - (*server_info)-account_name = talloc_strdup(*server_info, internal_username); - } + /* Copy 'other' sids. We need to do sid filtering here to + prevent possible elevation of privileges. See: - if (info3-base.domain.string) { -
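Review bot: The user_sid and primary_group_sid assignments pass the result of dom_sid_dup() straight into dom_sid_add_rid() and check neither for NULL, while the group loop just below returns NT_STATUS_NO_MEMORY on both failures; give the two top-level SIDs the same checks. In the loop, sid is now duplicated onto (*server_info)->domain_groups but dom_sid_add_rid() is still called with *server_info as its context, so pick one parent to make the lifetime obvious. The hunk is cut off inside the new "Copy 'other' sids" comment, so the SID filtering it refers to cannot be reviewed from what is shown here.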
svn commit: samba r3555 - in branches/SAMBA_4_0/source/auth: .
Author: abartlet Date: 2004-11-05 12:46:00 + (Fri, 05 Nov 2004) New Revision: 3555 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=3555 Log: Fix auth_winbind to work with the new auth_util conversion code. Andrew Bartlett Modified: branches/SAMBA_4_0/source/auth/auth_winbind.c Changeset: Modified: branches/SAMBA_4_0/source/auth/auth_winbind.c === --- branches/SAMBA_4_0/source/auth/auth_winbind.c 2004-11-05 12:44:18 UTC (rev 3554) +++ branches/SAMBA_4_0/source/auth/auth_winbind.c 2004-11-05 12:46:00 UTC (rev 3555) @@ -104,14 +104,16 @@ } if (result == NSS_STATUS_SUCCESS response.extra_data) { - if (NT_STATUS_IS_OK(nt_status)) { - if (NT_STATUS_IS_OK(nt_status = get_info3_from_ndr(mem_ctx, response, info3))) { - nt_status = - make_server_info_info3(mem_ctx, - user_info-internal_username.str, - server_info, - info3); - } + nt_status = get_info3_from_ndr(mem_ctx, response, info3); + if (NT_STATUS_IS_OK(nt_status)) { + union netr_Validation validation; + validation.sam3 = info3; + nt_status = + make_server_info_netlogon_validation(mem_ctx, + user_info-internal_username.str, +server_info, +3, +validation); } SAFE_FREE(response.extra_data); } else if (result == NSS_STATUS_SUCCESS !response.extra_data) {
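Review bot: The validation level is passed as the bare literal 3 a few lines after validation.sam3 = info3; a named constant, or a short comment tying the number to the sam3 union member, would stop the two from being changed independently. The callee selects the union member from that number alone, so a mismatch would read the wrong member.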
svn commit: samba r3556 - in branches/SAMBA_4_0/source/build/smb_build: .
Author: abartlet Date: 2004-11-05 12:48:22 + (Fri, 05 Nov 2004) New Revision: 3556 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=3556 Log: Remove --enable-krb5developer and --enable-gtkdeveloper, as the new modular headers confine the warnings, and everwhere else we need them. Use the gcc option to suppress the silly strftime warning. Andrew Bartlett Modified: branches/SAMBA_4_0/source/build/smb_build/check_path.m4 Changeset: Modified: branches/SAMBA_4_0/source/build/smb_build/check_path.m4 === --- branches/SAMBA_4_0/source/build/smb_build/check_path.m4 2004-11-05 12:46:00 UTC (rev 3555) +++ branches/SAMBA_4_0/source/build/smb_build/check_path.m4 2004-11-05 12:48:22 UTC (rev 3556) 
@@ -129,25 +129,9 @@ debug=yes CFLAGS=${CFLAGS} -g -Wall developer=yes - DEVELOPER_CFLAGS=-Wshadow -Werror-implicit-function-declaration -Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wdeclaration-after-statement -Wmissing-format-attribute -Wformat=2 -DDEBUG_PASSWORD -DDEVELOPER + DEVELOPER_CFLAGS=-Wshadow -Werror-implicit-function-declaration -Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wdeclaration-after-statement -Wmissing-format-attribute -Wformat=2 -Wno-format-y2k -DDEBUG_PASSWORD -DDEVELOPER fi]) -AC_ARG_ENABLE(krb5developer, [ --enable-krb5developer Turn on developer warnings and debugging, except -Wstrict-prototypes (default=no)], -[if eval test x$enable_krb5developer = xyes; then - debug=yes - CFLAGS=${CFLAGS} -g -Wall -developer=yes - DEVELOPER_CFLAGS=-Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wdeclaration-after-statement -Wmissing-format-attribute -DDEBUG_PASSWORD -DDEVELOPER -fi]) - -AC_ARG_ENABLE(gtkdeveloper, [ --enable-gtkdeveloper Turn on developer warnings and debugging, except -Wstrict-prototypes and -Wshadow (default=no)], -[if eval test x$enable_gtkdeveloper = xyes; then - debug=yes - CFLAGS=${CFLAGS} -g -Wall -developer=yes - DEVELOPER_CFLAGS=-Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wdeclaration-after-statement -Wmissing-format-attribute -DDEBUG_PASSWORD -DDEVELOPER -fi]) - experimental=no AC_ARG_ENABLE(experimental, [ --enable-experimental Turn on experimental features (default=no)], [if eval test x$enable_experimental = xyes; then
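Review bot: With the --enable-krb5developer and --enable-gtkdeveloper blocks removed, build scripts that still pass those flags no longer set debug, developer or DEVELOPER_CFLAGS at all; mention this in the build notes and point them at the remaining developer option. The surviving DEVELOPER_CFLAGS line still carries -DDEBUG_PASSWORD, so it would help to say in the option's help string that it is intended for development builds only.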
svn commit: samba r3558 - in branches/SAMBA_4_0/source/librpc/idl: .
Author: abartlet Date: 2004-11-05 12:53:04 + (Fri, 05 Nov 2004) New Revision: 3558 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=3558 Log: We don't seem to need these as [public] any more. Andrew Bartlett Modified: branches/SAMBA_4_0/source/librpc/idl/netlogon.idl Changeset: Modified: branches/SAMBA_4_0/source/librpc/idl/netlogon.idl === --- branches/SAMBA_4_0/source/librpc/idl/netlogon.idl 2004-11-05 12:52:09 UTC (rev 3557) +++ branches/SAMBA_4_0/source/librpc/idl/netlogon.idl 2004-11-05 12:53:04 UTC (rev 3558) @@ -137,7 +137,7 @@ uint8 key[8]; } netr_LMSessionKey; - typedef [public] struct { + typedef struct { NTTIME last_logon; NTTIME last_logoff; NTTIME acct_expiry; @@ -166,11 +166,11 @@ uint32 unknown[7]; } netr_SamBaseInfo; - typedef [public] struct { + typedef struct { netr_SamBaseInfo base; } netr_SamInfo2; - typedef [public] struct { + typedef struct { dom_sid2 *sid; uint32 attribute; } netr_SidAttr;
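Review bot: The log message says these "don't seem" to be needed as [public], which reads as unverified. Before dropping [public] from netr_SamBaseInfo, netr_SamInfo2 and netr_SidAttr, confirm with a full build that nothing outside the generated netlogon code refers to the marshalling functions for these three types, and state that result in the log.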
svn commit: samba r3559 - in branches/SAMBA_3_0/source/smbd: .
Author: vlendec Date: 2004-11-05 21:45:02 + (Fri, 05 Nov 2004) New Revision: 3559 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=3559 Log: If called interactively, on shutdown dump the talloc contexts left. Idea stolen from samba4 ... ;-) Volker Modified: branches/SAMBA_3_0/source/smbd/server.c Changeset: Modified: branches/SAMBA_3_0/source/smbd/server.c === --- branches/SAMBA_3_0/source/smbd/server.c 2004-11-05 12:53:04 UTC (rev 3558) +++ branches/SAMBA_3_0/source/smbd/server.c 2004-11-05 21:45:02 UTC (rev 3559) @@ -910,6 +910,15 @@ smbd_process(); namecache_shutdown(); + + if (interactive) { + TALLOC_CTX *mem_ctx = talloc_init(end_description); + char *description = talloc_describe_all(mem_ctx); + + DEBUG(3, (tallocs left:\n%s\n, description)); + talloc_destroy(mem_ctx); + } + exit_server(normal exit); return(0); }
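Review bot: description is handed to DEBUG(3, ...) for a %s conversion without checking that talloc_describe_all() returned a string, and mem_ctx from talloc_init() is not checked either. Guard both so that a failed allocation at shutdown does not end up as a NULL pointer passed to a format string.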
svn commit: samba r3560 - in trunk/source/smbd: .
Author: vlendec Date: 2004-11-05 21:45:35 + (Fri, 05 Nov 2004) New Revision: 3560 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=3560 Log: If called interactively, on shutdown dump the talloc contexts left. Idea stolen from samba4 ... ;-) Volker Modified: trunk/source/smbd/server.c Changeset: Modified: trunk/source/smbd/server.c === --- trunk/source/smbd/server.c 2004-11-05 21:45:02 UTC (rev 3559) +++ trunk/source/smbd/server.c 2004-11-05 21:45:35 UTC (rev 3560) @@ -915,6 +915,15 @@ smbd_process(); namecache_shutdown(); + + if (interactive) { + TALLOC_CTX *mem_ctx = talloc_init(end_description); + char *description = talloc_describe_all(mem_ctx); + + DEBUG(3, (tallocs left:\n%s\n, description)); + talloc_destroy(mem_ctx); + } + exit_server(normal exit); return(0); }
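Review bot: The dump runs before exit_server(), so any context that exit_server() itself releases will be listed as left over. Either say so in a comment above the if (interactive) block or move the report to the last point before the process exits, so the output is not misread as a leak.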
svn commit: samba r3561 - in branches/SAMBA_3_0/source: groupdb lib
Author: vlendec Date: 2004-11-05 21:55:21 + (Fri, 05 Nov 2004) New Revision: 3561 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=3561 Log: Since we have tdb_reopen_all() after all forks, the local_pid logic is not correct anymore. If we actually open the tdb before the fork, we end up opening the tdb twice. Jerry, jra, this also happens in the locking and printing subsystems. You might want to check it there (not that it actually happens right now, but this gave me some confusion lately...). Volker Modified: branches/SAMBA_3_0/source/groupdb/mapping.c branches/SAMBA_3_0/source/lib/account_pol.c Changeset: Modified: branches/SAMBA_3_0/source/groupdb/mapping.c === --- branches/SAMBA_3_0/source/groupdb/mapping.c 2004-11-05 21:45:35 UTC (rev 3560) +++ branches/SAMBA_3_0/source/groupdb/mapping.c 2004-11-05 21:55:21 UTC (rev 3561) @@ -135,11 +135,10 @@ static BOOL init_group_mapping(void) { - static pid_t local_pid; const char *vstring = INFO/version; int32 vers_id; - if (tdb local_pid == sys_getpid()) + if (tdb) return True; tdb = tdb_open_log(lock_path(group_mapping.tdb), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600); if (!tdb) { @@ -147,8 +146,6 @@ return False; } - local_pid = sys_getpid(); - /* handle a Samba upgrade */ tdb_lock_bystring(tdb, vstring, 0); Modified: branches/SAMBA_3_0/source/lib/account_pol.c === --- branches/SAMBA_3_0/source/lib/account_pol.c 2004-11-05 21:45:35 UTC (rev 3560) +++ branches/SAMBA_3_0/source/lib/account_pol.c 2004-11-05 21:55:21 UTC (rev 3561) @@ -30,11 +30,10 @@ BOOL init_account_policy(void) { - static pid_t local_pid; const char *vstring = INFO/version; uint32 version; - if (tdb local_pid == sys_getpid()) + if (tdb) return True; tdb = tdb_open_log(lock_path(account_policy.tdb), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600); if (!tdb) { 
@@ -42,8 +41,6 @@ return False; } - local_pid = sys_getpid(); - /* handle a Samba upgrade */ tdb_lock_bystring(tdb, vstring,0); if (!tdb_fetch_uint32(tdb, vstring, version) || version != DATABASE_VERSION) {
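Review bot: With the pid comparison gone, if (tdb) return True; is only safe as long as every fork path calls tdb_reopen_all(), which the log message states but the code does not. Add a comment at that check in both init_group_mapping() and init_account_policy() naming the dependency, so that a new fork site without the reopen is caught in review rather than showing up as two processes sharing one handle.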
svn commit: samba r3562 - in trunk/source: groupdb lib
Author: vlendec Date: 2004-11-05 21:55:45 + (Fri, 05 Nov 2004) New Revision: 3562 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=3562 Log: Since we have tdb_reopen_all() after all forks, the local_pid logic is not correct anymore. If we actually open the tdb before the fork, we end up opening the tdb twice. Jerry, jra, this also happens in the locking and printing subsystems. You might want to check it there (not that it actually happens right now, but this gave me some confusion lately...). Volker Modified: trunk/source/groupdb/mapping.c trunk/source/lib/account_pol.c Changeset: Modified: trunk/source/groupdb/mapping.c === --- trunk/source/groupdb/mapping.c 2004-11-05 21:55:21 UTC (rev 3561) +++ trunk/source/groupdb/mapping.c 2004-11-05 21:55:45 UTC (rev 3562) @@ -124,11 +124,10 @@ static BOOL init_group_mapping(void) { - static pid_t local_pid; const char *vstring = INFO/version; int32 vers_id; - if (tdb local_pid == sys_getpid()) + if (tdb) return True; tdb = tdb_open_log(lock_path(group_mapping.tdb), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600); if (!tdb) { @@ -136,8 +135,6 @@ return False; } - local_pid = sys_getpid(); - /* handle a Samba upgrade */ tdb_lock_bystring(tdb, vstring, 0); Modified: trunk/source/lib/account_pol.c === --- trunk/source/lib/account_pol.c 2004-11-05 21:55:21 UTC (rev 3561) +++ trunk/source/lib/account_pol.c 2004-11-05 21:55:45 UTC (rev 3562) @@ -30,11 +30,10 @@ BOOL init_account_policy(void) { - static pid_t local_pid; const char *vstring = INFO/version; uint32 version; - if (tdb local_pid == sys_getpid()) + if (tdb) return True; tdb = tdb_open_log(lock_path(account_policy.tdb), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600); if (!tdb) { @@ -42,8 +41,6 @@ return False; } - local_pid = sys_getpid(); - /* handle a Samba upgrade */ tdb_lock_bystring(tdb, vstring,0); if (!tdb_fetch_uint32(tdb, vstring, version) || version != DATABASE_VERSION) {
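Review bot: after this change the two init functions touched here rely on tdb_reopen_all(), while the log message says the locking and printing subsystems still carry the local_pid pattern, so the tree ends up with two conventions for the same fork problem. Either convert those in the same series or leave a short comment at `if (tdb)` pointing at them, so that the pid check is not reintroduced here by analogy with the code that still has it.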
svn commit: samba r3563 - in branches/SAMBA_3_0/source: auth include lib passdb smbd
Author: vlendec Date: 2004-11-05 22:53:35 + (Fri, 05 Nov 2004) New Revision: 3563 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=3563 Log: During a typical logon a modern workstation makes a lot of anonymous session setups on its way to open a pipe. This gets rid of many round-trips to the LDAP server during logon by setting up the server_info_guest once and not asking the LDAP server and nss every time. Make sure that the ldap connection is reopened in the child. (I did not look at the sql backends.) Volker Modified: branches/SAMBA_3_0/source/auth/auth_util.c branches/SAMBA_3_0/source/include/smbldap.h branches/SAMBA_3_0/source/lib/smbldap.c branches/SAMBA_3_0/source/passdb/passdb.c branches/SAMBA_3_0/source/smbd/server.c Changeset: Modified: branches/SAMBA_3_0/source/auth/auth_util.c === --- branches/SAMBA_3_0/source/auth/auth_util.c 2004-11-05 21:55:45 UTC (rev 3562) +++ branches/SAMBA_3_0/source/auth/auth_util.c 2004-11-05 22:53:35 UTC (rev 3563) @@ -884,7 +884,7 @@ Make (and fill) a user_info struct for a guest login. ***/ -NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) +static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_info) { NTSTATUS nt_status; SAM_ACCOUNT *sampass = NULL; 
@@ -919,6 +919,49 @@ return nt_status; } +static auth_serversupplied_info *copy_serverinfo(auth_serversupplied_info *src) +{ + auth_serversupplied_info *dst; + + if (!NT_STATUS_IS_OK(make_server_info(dst))) + return NULL; + + dst-guest = src-guest; + dst-uid = src-uid; + dst-gid = src-gid; + dst-n_groups = src-n_groups; + if (src-n_groups != 0) + dst-groups = memdup(src-groups, sizeof(gid_t)*dst-n_groups); + else + dst-groups = NULL; + dst-ptok = dup_nt_token(src-ptok); + dst-user_session_key = data_blob(src-user_session_key.data, + src-user_session_key.length); + dst-lm_session_key = data_blob(src-lm_session_key.data, + src-lm_session_key.length); + pdb_copy_sam_account(src-sam_account, dst-sam_account); + dst-pam_handle = NULL; + dst-unix_name = smb_xstrdup(src-unix_name); + + return dst; +} + +static auth_serversupplied_info *guest_info = NULL; + +BOOL init_guest_info(void) +{ + if (guest_info != NULL) + return True; + + return NT_STATUS_IS_OK(make_new_server_info_guest(guest_info)); +} + +NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) +{ + *server_info = copy_serverinfo(guest_info); + return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; +} + /*** Purely internal function for make_server_info_info3 Fill the sam account from getpwnam Modified: branches/SAMBA_3_0/source/include/smbldap.h === --- branches/SAMBA_3_0/source/include/smbldap.h 2004-11-05 21:55:45 UTC (rev 3562) +++ branches/SAMBA_3_0/source/include/smbldap.h 2004-11-05 22:53:35 UTC (rev 3563) @@ -139,6 +139,7 @@ struct smbldap_state { LDAP *ldap_struct; + pid_t pid; time_t last_ping; /* retrive-once info */ const char *uri; Modified: branches/SAMBA_3_0/source/lib/smbldap.c === --- branches/SAMBA_3_0/source/lib/smbldap.c 2004-11-05 21:55:45 UTC (rev 3562) +++ branches/SAMBA_3_0/source/lib/smbldap.c 2004-11-05 22:53:35 UTC (rev 3563) 
@@ -907,6 +907,7 @@ ldap_state-last_ping = time(NULL); + ldap_state-pid = sys_getpid(); DEBUG(4,(The LDAP server is succesfully connected\n)); return LDAP_SUCCESS; @@ -965,6 +966,9 @@ got_alarm = False; old_handler = CatchSignal(SIGALRM, gotalarm_sig); alarm(endtime - now); + + if (ldap_state-pid != sys_getpid()) + smbldap_close(ldap_state); } while (1) { Modified: branches/SAMBA_3_0/source/passdb/passdb.c === --- branches/SAMBA_3_0/source/passdb/passdb.c 2004-11-05 21:55:45 UTC (rev 3562) +++ branches/SAMBA_3_0/source/passdb/passdb.c 2004-11-05 22:53:35 UTC (rev 3563) @@ -2215,6 +2215,28 @@ return (buflen); } +BOOL pdb_copy_sam_account(const SAM_ACCOUNT *src, SAM_ACCOUNT **dst) +{ + BOOL result; + uint8 *buf; + int len; + + if ((*dst == NULL) (!NT_STATUS_IS_OK(pdb_init_sam(dst + return False; + + len = init_buffer_from_sam_v2(buf, src, False); + + if (len == -1) +
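Review bot: copy_serverinfo() uses several results unchecked: the memdup() for the group list, dup_nt_token() for ptok, and the BOOL returned by pdb_copy_sam_account(). If any of them fails, make_server_info_guest() still returns NT_STATUS_OK with a guest server_info whose group list or token is NULL while n_groups is non-zero. Please check each one, free dst and return NULL on failure; make_server_info_guest() already maps NULL to NT_STATUS_NO_MEMORY. The pdb_copy_sam_account() hunk is cut off on this page after `if (len == -1)`, so it is not reviewed here.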
svn commit: samba r3564 - in trunk/source: auth include lib passdb smbd
Author: vlendec Date: 2004-11-05 22:54:48 + (Fri, 05 Nov 2004) New Revision: 3564 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=3564 Log: During a typical logon a modern workstation makes a lot of anonymous session setups on its way to open a pipe. This gets rid of many round-trips to the LDAP server during logon by setting up the server_info_guest once and not asking the LDAP server and nss every time. Make sure that the ldap connection is reopened in the child. (I did not look at the sql backends.) Volker Modified: trunk/source/auth/auth_util.c trunk/source/include/smbldap.h trunk/source/lib/smbldap.c trunk/source/passdb/passdb.c trunk/source/smbd/server.c Changeset: Modified: trunk/source/auth/auth_util.c === --- trunk/source/auth/auth_util.c 2004-11-05 22:53:35 UTC (rev 3563) +++ trunk/source/auth/auth_util.c 2004-11-05 22:54:48 UTC (rev 3564) @@ -910,7 +910,7 @@ Make (and fill) a user_info struct for a guest login. ***/ -NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) +static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_info) { NTSTATUS nt_status; SAM_ACCOUNT *sampass = NULL; 
@@ -945,6 +945,49 @@ return nt_status; } +static auth_serversupplied_info *copy_serverinfo(auth_serversupplied_info *src) +{ + auth_serversupplied_info *dst; + + if (!NT_STATUS_IS_OK(make_server_info(dst))) + return NULL; + + dst-guest = src-guest; + dst-uid = src-uid; + dst-gid = src-gid; + dst-n_groups = src-n_groups; + if (src-n_groups != 0) + dst-groups = memdup(src-groups, sizeof(gid_t)*dst-n_groups); + else + dst-groups = NULL; + dst-ptok = dup_nt_token(src-ptok); + dst-user_session_key = data_blob(src-user_session_key.data, + src-user_session_key.length); + dst-lm_session_key = data_blob(src-lm_session_key.data, + src-lm_session_key.length); + pdb_copy_sam_account(src-sam_account, dst-sam_account); + dst-pam_handle = NULL; + dst-unix_name = smb_xstrdup(src-unix_name); + + return dst; +} + +static auth_serversupplied_info *guest_info = NULL; + +BOOL init_guest_info(void) +{ + if (guest_info != NULL) + return True; + + return NT_STATUS_IS_OK(make_new_server_info_guest(guest_info)); +} + +NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) +{ + *server_info = copy_serverinfo(guest_info); + return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; +} + /*** Purely internal function for make_server_info_info3 Fill the sam account from getpwnam Modified: trunk/source/include/smbldap.h === --- trunk/source/include/smbldap.h 2004-11-05 22:53:35 UTC (rev 3563) +++ trunk/source/include/smbldap.h 2004-11-05 22:54:48 UTC (rev 3564) @@ -147,6 +147,7 @@ struct smbldap_state { LDAP *ldap_struct; + pid_t pid; time_t last_ping; /* retrive-once info */ const char *uri; Modified: trunk/source/lib/smbldap.c === --- trunk/source/lib/smbldap.c 2004-11-05 22:53:35 UTC (rev 3563) +++ trunk/source/lib/smbldap.c 2004-11-05 22:54:48 UTC (rev 3564) @@ -929,6 +929,7 @@ ldap_state-last_ping = time(NULL); + ldap_state-pid = sys_getpid(); DEBUG(4,(The LDAP server is succesfully connected\n)); return LDAP_SUCCESS; 
@@ -987,6 +988,9 @@ got_alarm = False; old_handler = CatchSignal(SIGALRM, gotalarm_sig); alarm(endtime - now); + + if (ldap_state-pid != sys_getpid()) + smbldap_close(ldap_state); } while (1) { Modified: trunk/source/passdb/passdb.c === --- trunk/source/passdb/passdb.c2004-11-05 22:53:35 UTC (rev 3563) +++ trunk/source/passdb/passdb.c2004-11-05 22:54:48 UTC (rev 3564) @@ -2210,6 +2210,28 @@ return (buflen); } +BOOL pdb_copy_sam_account(const SAM_ACCOUNT *src, SAM_ACCOUNT **dst) +{ + BOOL result; + uint8 *buf; + int len; + + if ((*dst == NULL) (!NT_STATUS_IS_OK(pdb_init_sam(dst + return False; + + len = init_buffer_from_sam_v2(buf, src, False); + + if (len == -1) + return False; + + result = init_sam_from_buffer_v2(*dst, buf, len); + (*dst)-methods = src-methods; + + free(buf); + + return result; +} +
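Review bot: make_server_info_guest() passes the static guest_info straight to copy_serverinfo(), which dereferences src in its first assignment, so any call made before init_guest_info() has succeeded is a NULL pointer dereference; the smbd/server.c change that would show where init_guest_info() is called is not in the visible part of the patch. A `guest_info == NULL` check in make_server_info_guest() that returns an error would make this robust. In pdb_copy_sam_account(), the methods pointer is copied even when init_sam_from_buffer_v2() has failed, and a SAM_ACCOUNT allocated by pdb_init_sam() inside this function is left with the caller on that failure path; either free it there or document that the caller owns it.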
svn commit: samba r3565 - in branches/SAMBA_4_0/source/libcli/auth: .
Author: abartlet Date: 2004-11-05 23:26:02 + (Fri, 05 Nov 2004) New Revision: 3565 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=3565 Log: Move PAC parsing into the session_info generation, and out of the basic krb5 request path. The idea is that we should not do the extra work, if we are not going to use the results. Andrew Bartlett Modified: branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c Changeset: Modified: branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c === --- branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c 2004-11-05 22:54:48 UTC (rev 3564) +++ branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c 2004-11-05 23:26:02 UTC (rev 3565) @@ -43,7 +43,7 @@ struct gensec_krb5_state { DATA_BLOB session_key; - struct PAC_LOGON_INFO *logon_info; + DATA_BLOB pac; enum GENSEC_KRB5_STATE state_position; krb5_context krb5_context; krb5_auth_context krb5_auth_context; @@ -281,6 +281,7 @@ ZERO_STRUCT(gensec_krb5_state-ticket); ZERO_STRUCT(gensec_krb5_state-krb5_keyblock); gensec_krb5_state-session_key = data_blob(NULL, 0); + gensec_krb5_state-pac = data_blob(NULL, 0); ret = krb5_init_context(gensec_krb5_state-krb5_context); if (ret) { @@ -544,12 +545,7 @@ } if (pac.data) { - /* decode and verify the pac */ - nt_status = gensec_krb5_decode_pac(gensec_krb5_state, gensec_krb5_state-logon_info, pac, - gensec_krb5_state); - } else { - /* NULL PAC, we might need to figure this information out the hard way */ - gensec_krb5_state-logon_info = NULL; + gensec_krb5_state-pac = data_blob_talloc_reference(gensec_krb5_state, pac); } if (NT_STATUS_IS_OK(nt_status)) { @@ -612,7 +608,7 @@ struct gensec_krb5_state *gensec_krb5_state = gensec_security-private_data; struct auth_serversupplied_info *server_info = NULL; struct auth_session_info *session_info = NULL; - struct PAC_LOGON_INFO *logon_info = gensec_krb5_state-logon_info; + struct PAC_LOGON_INFO *logon_info; struct nt_user_token *ptoken; struct dom_sid *sid; char *p; 
@@ -622,10 +618,6 @@ *session_info_out = NULL; - /* IF we have the PAC - otherwise we need to get this -* data from elsewere - local ldb, or (TODO) lookup of some -* kind... */ - principal = talloc_strdup(gensec_krb5_state, gensec_krb5_state-peer_principal); p = strchr(principal, '@'); if (p) { @@ -635,17 +627,50 @@ username = principal; realm = p; - if (logon_info) { + /* decode and verify the pac */ + nt_status = gensec_krb5_decode_pac(gensec_krb5_state, logon_info, gensec_krb5_state-pac, + gensec_krb5_state); + + /* IF we have the PAC - otherwise we need to get this +* data from elsewere - local ldb, or (TODO) lookup of some +* kind... */ + + if (NT_STATUS_IS_OK(nt_status)) { nt_status = make_server_info(gensec_krb5_state, server_info, gensec_krb5_state-peer_principal); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } server_info-guest = False; + + if (logon_info-account_name.string) { + server_info-account_name + = talloc_reference(server_info, + logon_info-account_name.string); + } else { + server_info-account_name = talloc_strdup(server_info, username); + } + + server_info-domain = talloc_reference(server_info, + logon_info-dom_name.string); + server_info-realm = talloc_strdup(server_info, realm); + server_info-full_name = talloc_reference(server_info, + logon_info-full_name.string); + server_info-logon_script = talloc_reference(server_info, + logon_info-logon_script.string); + server_info-profile_path = talloc_reference(server_info, + logon_info-profile_path.string); + server_info-home_directory = talloc_reference(server_info, + logon_info-home_directory.string); + server_info-home_drive = talloc_reference(server_info, +
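Review bot: in the session_info hunk, gensec_krb5_decode_pac() is now called unconditionally and the only test afterwards is `if (NT_STATUS_IS_OK(nt_status))`, so a ticket that carried no PAC and a ticket whose PAC failed to decode or verify both end up on the same "get this data from elsewhere" side of the branch. Those cases should be told apart: check the length of the stored pac blob first, and treat a decode failure on a non-empty PAC as a hard error rather than a reason to fall back. In the earlier hunk, the `if (pac.data)` branch no longer assigns nt_status, so the `if (NT_STATUS_IS_OK(nt_status))` that follows it depends on whatever value was set before; please make sure it is initialised on that path. The last hunk is cut off on this page, so the fallback branch itself is not visible.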
svn commit: samba r3566 - in branches/SAMBA_3_0/source: groupdb include nsswitch passdb rpc_server utils
Author: vlendec Date: 2004-11-05 23:34:00 + (Fri, 05 Nov 2004) New Revision: 3566 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=3566 Log: Completely replace the queryuseraliases call. The previous implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker Modified: branches/SAMBA_3_0/source/groupdb/mapping.c branches/SAMBA_3_0/source/include/passdb.h branches/SAMBA_3_0/source/nsswitch/winbindd_group.c branches/SAMBA_3_0/source/passdb/pdb_interface.c branches/SAMBA_3_0/source/passdb/pdb_ldap.c branches/SAMBA_3_0/source/passdb/util_sam_sid.c branches/SAMBA_3_0/source/rpc_server/srv_samr_nt.c branches/SAMBA_3_0/source/rpc_server/srv_util.c branches/SAMBA_3_0/source/utils/net_groupmap.c Changeset: Sorry, the patch is too large (661 lines) to include; please use WebSVN to see it! WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=3566
svn commit: samba r3567 - in trunk/source: groupdb include nsswitch passdb rpc_server utils
Author: vlendec Date: 2004-11-05 23:34:29 + (Fri, 05 Nov 2004) New Revision: 3567 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=3567 Log: Completely replace the queryuseraliases call. The previous implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker Modified: trunk/source/groupdb/mapping.c trunk/source/include/passdb.h trunk/source/nsswitch/winbindd_group.c trunk/source/passdb/pdb_interface.c trunk/source/passdb/pdb_ldap.c trunk/source/passdb/util_sam_sid.c trunk/source/rpc_server/srv_samr_nt.c trunk/source/rpc_server/srv_util.c trunk/source/utils/net_groupmap.c Changeset: Sorry, the patch is too large (634 lines) to include; please use WebSVN to see it! WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=3567
svn commit: samba r3568 - in trunk/source/libads: .
Author: jra Date: 2004-11-05 23:50:04 + (Fri, 05 Nov 2004) New Revision: 3568 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=3568 Log: Fix for bug #1651, added extra servicePrincipalNames for kerberos interop. Modified the redhat patch some... Jeremy. Modified: trunk/source/libads/ldap.c Changeset: Modified: trunk/source/libads/ldap.c === --- trunk/source/libads/ldap.c 2004-11-05 23:34:29 UTC (rev 3567) +++ trunk/source/libads/ldap.c 2004-11-05 23:50:04 UTC (rev 3568) @@ -1228,11 +1228,11 @@ ADS_STATUS ret; TALLOC_CTX *ctx; LDAPMessage *res = NULL; - char *host_spn, *host_upn, *psp1, *psp2; + char *host_spn, *host_upn, *psp1, *psp2, *psp3; ADS_MODLIST mods; fstring my_fqdn; char *dn_string = NULL; - const char *servicePrincipalName[3] = {NULL, NULL, NULL}; + const char *servicePrincipalName[4] = {NULL, NULL, NULL, NULL}; ret = ads_find_machine_acct(ads, (void **)res, machine_name); if (!ADS_ERR_OK(ret) || ads_count_replies(ads, res) != 1) { @@ -1251,6 +1251,8 @@ } name_to_fqdn(my_fqdn, machine_name); + strlower_m(my_fqdn); + if (!(host_spn = talloc_asprintf(ctx, HOST/%s, my_fqdn))) { talloc_destroy(ctx); ads_msgfree(ads, res); @@ -1274,6 +1276,17 @@ DEBUG(5,(ads_add_service_principal_name: INFO: Adding %s to host %s\n, psp2, machine_name)); servicePrincipalName[1] = psp2; + /* Add another principal in case the realm != the DNS domain, so that +* the KDC doesn't send server principal unknown errors to clients +* which use the DNS name in determining service principal names. */ + psp3 = talloc_asprintf(ctx, %s/%s, spn, my_fqdn); + strupper_m(psp3); + strlower_m(psp3[strlen(spn)]); + if (strcmp(psp2, psp3) != 0) { + DEBUG(5,(ads_add_service_principal_name: INFO: Adding %s to host %s\n, psp3, machine_name)); + servicePrincipalName[2] = psp3; + } + if (!(mods = ads_init_mods(ctx))) { talloc_destroy(ctx); ads_msgfree(ads, res); 
@@ -1325,12 +1338,13 @@ ADS_MODLIST mods; const char *objectClass[] = {top, person, organizationalPerson, user, computer, NULL}; - const char *servicePrincipalName[5] = {NULL, NULL, NULL, NULL, NULL}; - char *psp, *psp2; + const char *servicePrincipalName[7] = {NULL, NULL, NULL, NULL, NULL, NULL, NULL}; + char *psp, *psp2, *psp3, *psp4; unsigned acct_control; unsigned exists=0; fstring my_fqdn; LDAPMessage *res = NULL; + int i, next_spn; if (!(ctx = talloc_init(ads_add_machine_acct))) return ADS_ERROR(LDAP_NO_MEMORY); @@ -1384,6 +1398,30 @@ strlower_m(psp2[5]); servicePrincipalName[3] = psp2; + /* Ensure servicePrincipalName[4] and [5] are unique. */ + strlower_m(my_fqdn); + psp3 = talloc_asprintf(ctx, CIFS/%s, my_fqdn); + strlower_m(psp3[5]); + + next_spn = 4; + for (i = 0; i next_spn; i++) { + if (strequal(servicePrincipalName[i], psp3)) + break; + } + if (i == next_spn) { + servicePrincipalName[next_spn++] = psp3; + } + + psp4 = talloc_asprintf(ctx, HOST/%s, my_fqdn); + strlower_m(psp4[5]); + for (i = 0; i next_spn; i++) { + if (strequal(servicePrincipalName[i], psp3)) + break; + } + if (i == next_spn) { + servicePrincipalName[next_spn++] = psp4; + } + if (!(samAccountName = talloc_asprintf(ctx, %s$, machine_name))) { goto done; } @@ -1683,14 +1721,14 @@ status = ads_add_machine_acct(ads, machine, account_type, org_unit); if (!ADS_ERR_OK(status)) { - DEBUG(0, (ads_add_machine_acct (%s): %s\n, machine, ads_errstr(status))); + DEBUG(0, (ads_join_realm: ads_add_machine_acct failed (%s): %s\n, machine, ads_errstr(status))); SAFE_FREE(machine); return status; } status = ads_find_machine_acct(ads, (void **)res, machine); if (!ADS_ERR_OK(status)) { - DEBUG(0, (Host account test failed for machine %s\n, machine)); + DEBUG(0, (ads_join_realm: Host account test failed for machine %s\n, machine)); SAFE_FREE(machine); return status; }
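Review bot: in the ads_add_machine_acct() hunk, the second uniqueness loop tests the wrong string: it repeats `if (strequal(servicePrincipalName[i], psp3))` and then stores psp4. That loop always finds a match for psp3 (either the entry just appended or the earlier duplicate that kept it from being appended), so i never reaches next_spn and the HOST/ name in psp4 is never added. The comparison in the second loop should be against psp4.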
svn commit: samba r3569 - in branches/SAMBA_3_0/source/libads: .
Author: jra Date: 2004-11-05 23:50:26 + (Fri, 05 Nov 2004) New Revision: 3569 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=3569 Log: Fix for bug #1651, added extra servicePrincipalNames for kerberos interop. Modified the redhat patch some... Jeremy. Modified: branches/SAMBA_3_0/source/libads/ldap.c Changeset: Modified: branches/SAMBA_3_0/source/libads/ldap.c === --- branches/SAMBA_3_0/source/libads/ldap.c 2004-11-05 23:50:04 UTC (rev 3568) +++ branches/SAMBA_3_0/source/libads/ldap.c 2004-11-05 23:50:26 UTC (rev 3569) @@ -1228,11 +1228,11 @@ ADS_STATUS ret; TALLOC_CTX *ctx; LDAPMessage *res = NULL; - char *host_spn, *host_upn, *psp1, *psp2; + char *host_spn, *host_upn, *psp1, *psp2, *psp3; ADS_MODLIST mods; fstring my_fqdn; char *dn_string = NULL; - const char *servicePrincipalName[3] = {NULL, NULL, NULL}; + const char *servicePrincipalName[4] = {NULL, NULL, NULL, NULL}; ret = ads_find_machine_acct(ads, (void **)res, machine_name); if (!ADS_ERR_OK(ret) || ads_count_replies(ads, res) != 1) { @@ -1251,6 +1251,8 @@ } name_to_fqdn(my_fqdn, machine_name); + strlower_m(my_fqdn); + if (!(host_spn = talloc_asprintf(ctx, HOST/%s, my_fqdn))) { talloc_destroy(ctx); ads_msgfree(ads, res); @@ -1274,6 +1276,17 @@ DEBUG(5,(ads_add_service_principal_name: INFO: Adding %s to host %s\n, psp2, machine_name)); servicePrincipalName[1] = psp2; + /* Add another principal in case the realm != the DNS domain, so that +* the KDC doesn't send server principal unknown errors to clients +* which use the DNS name in determining service principal names. */ + psp3 = talloc_asprintf(ctx, %s/%s, spn, my_fqdn); + strupper_m(psp3); + strlower_m(psp3[strlen(spn)]); + if (strcmp(psp2, psp3) != 0) { + DEBUG(5,(ads_add_service_principal_name: INFO: Adding %s to host %s\n, psp3, machine_name)); + servicePrincipalName[2] = psp3; + } + if (!(mods = ads_init_mods(ctx))) { talloc_destroy(ctx); ads_msgfree(ads, res); 
@@ -1325,12 +1338,13 @@ ADS_MODLIST mods; const char *objectClass[] = {top, person, organizationalPerson, user, computer, NULL}; - const char *servicePrincipalName[5] = {NULL, NULL, NULL, NULL, NULL}; - char *psp, *psp2; + const char *servicePrincipalName[7] = {NULL, NULL, NULL, NULL, NULL, NULL, NULL}; + char *psp, *psp2, *psp3, *psp4; unsigned acct_control; unsigned exists=0; fstring my_fqdn; LDAPMessage *res = NULL; + int i, next_spn; if (!(ctx = talloc_init(ads_add_machine_acct))) return ADS_ERROR(LDAP_NO_MEMORY); @@ -1384,6 +1398,30 @@ strlower_m(psp2[5]); servicePrincipalName[3] = psp2; + /* Ensure servicePrincipalName[4] and [5] are unique. */ + strlower_m(my_fqdn); + psp3 = talloc_asprintf(ctx, CIFS/%s, my_fqdn); + strlower_m(psp3[5]); + + next_spn = 4; + for (i = 0; i next_spn; i++) { + if (strequal(servicePrincipalName[i], psp3)) + break; + } + if (i == next_spn) { + servicePrincipalName[next_spn++] = psp3; + } + + psp4 = talloc_asprintf(ctx, HOST/%s, my_fqdn); + strlower_m(psp4[5]); + for (i = 0; i next_spn; i++) { + if (strequal(servicePrincipalName[i], psp3)) + break; + } + if (i == next_spn) { + servicePrincipalName[next_spn++] = psp4; + } + if (!(samAccountName = talloc_asprintf(ctx, %s$, machine_name))) { goto done; } @@ -1683,14 +1721,14 @@ status = ads_add_machine_acct(ads, machine, account_type, org_unit); if (!ADS_ERR_OK(status)) { - DEBUG(0, (ads_add_machine_acct (%s): %s\n, machine, ads_errstr(status))); + DEBUG(0, (ads_join_realm: ads_add_machine_acct failed (%s): %s\n, machine, ads_errstr(status))); SAFE_FREE(machine); return status; } status = ads_find_machine_acct(ads, (void **)res, machine); if (!ADS_ERR_OK(status)) { - DEBUG(0, (Host account test failed for machine %s\n, machine)); + DEBUG(0, (ads_join_realm: Host account test failed for machine %s\n, machine)); SAFE_FREE(machine); return status; }
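Review bot: in the ads_add_service_principal_name() hunk, psp3 comes from talloc_asprintf() and is passed straight to strupper_m() and strlower_m() with no NULL check, although host_spn a few lines above is checked and cleaned up on failure; psp3 and psp4 in the ads_add_machine_acct() hunk are used the same way. Please give them the same `if (!(... = talloc_asprintf(...)))` handling as host_spn. Separately, the second de-duplication loop in ads_add_machine_acct() compares against psp3 where psp4 is meant.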
svn commit: samba-docs r271 - in trunk/Samba-HOWTO-Collection: .
Author: jht Date: 2004-11-06 00:11:16 + (Sat, 06 Nov 2004) New Revision: 271 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=samba-docsrev=271 Log: More work in progress - further commits to follow. Modified: trunk/Samba-HOWTO-Collection/IDMAP.xml Changeset: Modified: trunk/Samba-HOWTO-Collection/IDMAP.xml === --- trunk/Samba-HOWTO-Collection/IDMAP.xml 2004-11-05 06:59:26 UTC (rev 270) +++ trunk/Samba-HOWTO-Collection/IDMAP.xml 2004-11-06 00:11:16 UTC (rev 271) 
@@ -315,20 +315,150 @@ titleIDMAP Backend Usage/title para +Anyone who wishes to use commandwinbind/command will find the following example configurations helpful. +Remember that in the majority of cases commandwinbind/command is of primary interest for use with +Domain Member Servers (DMSs) and Domain Member Clients (DMCs). /para sect2 titleDefault Winbind TDB/title para + The following is a simple example of an NT4 DMS smb.conf; file that shows only the global section. +screen +#Global parameters +[global] +workgroup = MEGANET2 +security = DOMAIN +idmap uid = 1-2 +idmap gid = 1-2 +template primary group = Domain Users +template shell = /bin/bash +winbind separator = + +/screen /para + para + The creation of the DMS requires the following steps: + /para + + procedure + steppara + Create or install and smb.conf; file with the above configuration. + /para/step + + steppara + Execute: +screen +rootprompt; net rpc join -UAdministrator%password +Joined domain MEGANET2. +/screen + The success or failure of the join can be confirmed with the following command: +screen +rootprompt; net rpc testjoin +Join to 'MIDEARTH' is OK +/screen + A failed join would report the following: +screen +rootprompt; net rpc testjoin +[2004/11/05 16:34:12, 0] utils/net_rpc_join.c:net_rpc_join_ok(66) +Join to domain 'MEGANET2' is not valid +/screen + /para/step + + steppara + Start the commandnmbd, winbind,/command and commandsmbd/command daemons in the order shown. 
+ /para/step + /procedure + + para + The procedure for joining and ADS domain is similar to the NT4 domain join, except the smb.conf; file + will have the following contents: +screen +# Global parameters +[global] +workgroup = BUTTERNET + netbios name = GARGOYLE +realm = BUTTERNET.BIZ +security = ADS +template shell = /bin/bash +idmap uid = 500-1000 +idmap gid = 500-1000 +winbind use default domain = Yes +winbind nested groups = Yes +printer admin = BUTTERNET\Domain Admins +/screen + /para + + para + ADS DMS operation requires use of kerberos (KRB). For this to work the filenamekrb5.conf/filename + must be configured. The exact requirements depends on which version of MIT or Heimdal kerberos is being + used. It is sound advice to use only the latest version, which at this time are MIT kerberos version + 1.3.5 and Heimdal 0.61. + /para + + para + The creation of the DMS requires the following steps: + /para + + procedure + steppara + Create or install and smb.conf; file with the above configuration. + /para/step + + steppara + Execute: +screen +rootprompt; net ads join -UAdministrator%password +Joined domain BUTTERNET. +/screen + The success or failure of the join can be confirmed with the following command: +screen +rootprompt; net ads testjoin +Join to 'BUTTERNET' is OK +/screen + /para + + para + An invalid or failed join can be detected by executing: +screen +rootprompt; net ads testjoin +GARGOYLE$@'s password: +[2004/11/05 16:53:03, 0] utils/net_ads.c:ads_startup(186) + ads_connect: No results returned +Join to domain is not valid +/screen + /para/step + + steppara + Start the commandnmbd, winbind,/command and commandsmbd/command daemons in the order shown. 
+ /para/step + + /procedure + /sect2 sect2 titleIDMAP Storage in LDAP using Winbind/title para +screen +# Global parameters +[global] +workgroup = SNOWSHOW +realm = SNOWSHOW.COM +server string = Samba Server +security = ADS +log level = 1 ads:10 auth:10 sam:10 rpc:10 +ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM +ldap idmap suffix = ou=Idmap +ldap suffix = dc=SNOWSHOW,dc=COM +idmap backend = ldap:ldap://ldap.snowshow.com +idmap uid = 15-55 +idmap gid = 15-55 +template shell = /bin/bash +
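Review bot: in the NT4 example, the sample output for `net rpc testjoin` reads `Join to 'MIDEARTH' is OK` although the join just above it and the failure sample both name MEGANET2; the success line should use MEGANET2 as well. Both join commands are shown as `-UAdministrator%password`, which puts the Administrator password into shell history; showing `-UAdministrator` and letting net prompt would be the better habit to document. Wording fixes while here: "Create or install and smb.conf" and "joining and ADS domain" should read "an", and "The exact requirements depends" should be "depend". The LDAP example is cut off on this page, so the rest of that section is not reviewed.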
svn commit: samba r3570 - in branches/SAMBA_4_0/source/utils: .
Author: abartlet Date: 2004-11-06 01:20:28 + (Sat, 06 Nov 2004) New Revision: 3570 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=3570 Log: Export the user's group list from ntlm_auth, via a new command 'UG' (user groups). The form of this is not final, but is this should be a discussion point with the squid team. Andrew Bartlett Modified: branches/SAMBA_4_0/source/utils/ntlm_auth.c Changeset: Modified: branches/SAMBA_4_0/source/utils/ntlm_auth.c === --- branches/SAMBA_4_0/source/utils/ntlm_auth.c 2004-11-05 23:50:26 UTC (rev 3569) +++ branches/SAMBA_4_0/source/utils/ntlm_auth.c 2004-11-06 01:20:28 UTC (rev 3570) @@ -332,6 +332,7 @@ (strncmp(buf, KK , 3) != 0) (strncmp(buf, AF , 3) != 0) (strncmp(buf, NA , 3) != 0) + (strncmp(buf, UG, 2) != 0) (strncmp(buf, PW , 3) != 0)) { DEBUG(1, (SPNEGO request [%s] invalid\n, buf)); mux_printf(mux_id, BH\n); @@ -405,8 +406,8 @@ talloc_strndup((*gensec_state), (const char *)in.data, in.length { - DEBUG(1, (Out of memory\n)); - mux_printf(mux_id, BH\n); + DEBUG(1, (gensec_set_password failed: %s\n, nt_errstr(nt_status))); + mux_printf(mux_id, BH %s\n, nt_errstr(nt_status)); data_blob_free(in); return; } 
@@ -416,6 +417,33 @@ return; } + if (strncmp(buf, UG, 2) == 0) { + int i; + char *grouplist = NULL; + struct auth_session_info *session_info; + + if (!NT_STATUS_IS_OK(gensec_session_info(*gensec_state, session_info))) { + DEBUG(1, (gensec_session_info failed: %s\n, nt_errstr(nt_status))); + mux_printf(mux_id, BH %s\n, nt_errstr(nt_status)); + data_blob_free(in); + return; + } + + /* get the string onto the context */ + grouplist = talloc_strdup(session_info, ); + + for (i=0; i session_info-nt_user_token-num_sids; i++) { + grouplist = talloc_asprintf_append(grouplist, %s,, + dom_sid_string(session_info, + session_info-nt_user_token-user_sids[i])); + } + + mux_printf(mux_id, GL %s\n, grouplist); + free_session_info(session_info); + data_blob_free(in); + return; + } + /* update */ nt_status = gensec_update(*gensec_state, NULL, in, out);
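Review bot: in the new UG branch, the failure path logs and returns nt_errstr(nt_status), but the result of gensec_session_info() is consumed inside NT_STATUS_IS_OK() and never stored, so the message reports whatever nt_status held earlier rather than the actual error; assign the call's result to nt_status first. Further points in the same branch: the return of talloc_asprintf_append() is not checked before the next iteration or before mux_printf(); every SID is appended with a trailing comma, so the GL reply always ends in one, which the consumer then has to tolerate; and the request check compares only two characters for UG where the other commands compare three including the space, so any request that merely begins with UG is accepted.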
svn commit: samba r3571 - in branches/SAMBA_4_0/source: auth include lib libcli/auth
Author: tridge Date: 2004-11-06 03:44:16 + (Sat, 06 Nov 2004) New Revision: 3571 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=3571 Log: rough guesses at what abartlet really wanted to do in his last commit (which I suspect was missing some pieces) this at least fixes the build so i can keep going on pvfs. Please review/fix Andrew. Modified: branches/SAMBA_4_0/source/auth/auth.h branches/SAMBA_4_0/source/include/structs.h branches/SAMBA_4_0/source/lib/data_blob.c branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c Changeset: Modified: branches/SAMBA_4_0/source/auth/auth.h === --- branches/SAMBA_4_0/source/auth/auth.h 2004-11-06 01:20:28 UTC (rev 3570) +++ branches/SAMBA_4_0/source/auth/auth.h 2004-11-06 03:44:16 UTC (rev 3571) @@ -76,6 +76,7 @@ const char *account_name; const char *domain; + const char *realm; const char *full_name; const char *logon_script; Modified: branches/SAMBA_4_0/source/include/structs.h === --- branches/SAMBA_4_0/source/include/structs.h 2004-11-06 01:20:28 UTC (rev 3570) +++ branches/SAMBA_4_0/source/include/structs.h 2004-11-06 03:44:16 UTC (rev 3571) @@ -48,6 +48,7 @@ struct netr_SamInfo3; struct netr_Authenticator; +union netr_Validation; struct iface_struct; Modified: branches/SAMBA_4_0/source/lib/data_blob.c === --- branches/SAMBA_4_0/source/lib/data_blob.c 2004-11-06 01:20:28 UTC (rev 3570) +++ branches/SAMBA_4_0/source/lib/data_blob.c 2004-11-06 03:44:16 UTC (rev 3571) 
@@ -61,7 +61,19 @@ return ret; } + /*** + construct a data blob which is a reference to another blob, in +the given mem context +***/ +DATA_BLOB data_blob_talloc_reference(TALLOC_CTX *mem_ctx, DATA_BLOB *blob) +{ + DATA_BLOB ret = *blob; + ret.data = talloc_reference(mem_ctx, ret.data); + return ret; +} + +/*** construct a zero data blob, using supplied TALLOC_CTX. use this sparingly as it initialises data - better to initialise yourself if you want specific data in the blob Modified: branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c === --- branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c 2004-11-06 01:20:28 UTC (rev 3570) +++ branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c 2004-11-06 03:44:16 UTC (rev 3571) @@ -668,7 +668,9 @@ server_info-logon_count = logon_info-logon_count; /* TODO: bad password count */ +#if ABARTLET_HAS_FIXED_BUILD server_info-acct_flags = logon_info-acct_flags; +#endif if (!server_info-domain || !server_info-account_name || !server_info-realm) { free_server_info(server_info);
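Review bot: in gensec_krb5.c the acct_flags assignment is now compiled out behind `#if ABARTLET_HAS_FIXED_BUILD`, so server_info is built for Kerberos logons without the account flags from the PAC. As this is a build fix, please add a comment next to the guard saying what is missing, so that it gets removed rather than forgotten. In data_blob_talloc_reference(), the result of talloc_reference() is not checked, so on failure the function returns a blob with data NULL and the original length still set; return an empty blob in that case.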
svn commit: samba r3572 - in branches/SAMBA_4_0/source: lib libcli/auth librpc/idl
Author: abartlet Date: 2004-11-06 05:40:34 + (Sat, 06 Nov 2004) New Revision: 3572 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=3572 Log: Thanks to tridge for his patience with my build breakage. This concludes the proper fixes. Andrew Bartlett Modified: branches/SAMBA_4_0/source/lib/data_blob.c branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c branches/SAMBA_4_0/source/librpc/idl/krb5pac.idl Changeset: Modified: branches/SAMBA_4_0/source/lib/data_blob.c === --- branches/SAMBA_4_0/source/lib/data_blob.c 2004-11-06 03:44:16 UTC (rev 3571) +++ branches/SAMBA_4_0/source/lib/data_blob.c 2004-11-06 05:40:34 UTC (rev 3572) @@ -63,13 +63,18 @@ /*** - construct a data blob which is a reference to another blob, in -the given mem context + reference a data blob, to the supplied TALLOC_CTX. + Returns a NULL DATA_BLOB on failure ***/ DATA_BLOB data_blob_talloc_reference(TALLOC_CTX *mem_ctx, DATA_BLOB *blob) { DATA_BLOB ret = *blob; - ret.data = talloc_reference(mem_ctx, ret.data); + + ret.data = talloc_reference(mem_ctx, blob-data); + + if (!ret.data) { + return data_blob(NULL, 0); + } return ret; } Modified: branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c === --- branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c 2004-11-06 03:44:16 UTC (rev 3571) +++ branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c 2004-11-06 05:40:34 UTC (rev 3572) @@ -668,9 +668,7 @@ server_info-logon_count = logon_info-logon_count; /* TODO: bad password count */ -#if ABARTLET_HAS_FIXED_BUILD server_info-acct_flags = logon_info-acct_flags; -#endif if (!server_info-domain || !server_info-account_name || !server_info-realm) { free_server_info(server_info); Modified: branches/SAMBA_4_0/source/librpc/idl/krb5pac.idl === --- branches/SAMBA_4_0/source/librpc/idl/krb5pac.idl2004-11-06 03:44:16 UTC (rev 3571) +++ branches/SAMBA_4_0/source/librpc/idl/krb5pac.idl2004-11-06 05:40:34 UTC (rev 3572) 
@@ -75,7 +75,7 @@ dom_sid2 *dom_sid; uint32 reserved16[2]; - uint32 reserved17; /* looks like it may be acb_info */ + uint32 acct_flags; /* looks like it may be acb_info */ uint32 reserved18[7]; uint32 extra_sids_count;
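Review bot: in data_blob_talloc_reference() (lib/data_blob.c hunk), the new `if (!ret.data)` failure path is also taken when the input blob is itself empty (blob data NULL), because there is nothing to take a reference to, so the documented "Returns a NULL DATA_BLOB on failure" cannot be told apart from a successful reference to an empty blob. Return early for an empty input and say so in the comment, or document that callers must compare the result against the input length to detect failure.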
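Review bot: in the krb5pac.idl hunk, reserved17 is renamed to acct_flags but the comment still reads "looks like it may be acb_info", while the gensec_krb5.c hunk in this same commit now copies logon_info's acct_flags into server_info unconditionally. If the field's meaning is still a guess, record that at the point where it is consumed as well as in the IDL; if it has been confirmed, replace the hedged comment with a statement of what the field holds.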
svn commit: samba r3573 - in branches/SAMBA_4_0/source: librpc/idl ntvfs ntvfs/posix smb_server torture/raw
Author: tridge Date: 2004-11-06 07:58:45 + (Sat, 06 Nov 2004) New Revision: 3573 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=3573 Log: added trans2open support to smbd and pvfs, and fine-tuned the open-generic ntvfs mapping code. Modified: branches/SAMBA_4_0/source/librpc/idl/xattr.idl branches/SAMBA_4_0/source/ntvfs/ntvfs_generic.c branches/SAMBA_4_0/source/ntvfs/posix/pvfs_open.c branches/SAMBA_4_0/source/ntvfs/posix/pvfs_setfileinfo.c branches/SAMBA_4_0/source/smb_server/reply.c branches/SAMBA_4_0/source/smb_server/trans2.c branches/SAMBA_4_0/source/torture/raw/open.c Changeset: Sorry, the patch is too large (459 lines) to include; please use WebSVN to see it! WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=3573