Re: [Samba] Listing Domain Local Groups from a Samba Member (NT4 PDC)
Hi Gary,

Sorry for the late response; I was just looking through my spam folder and my eye caught this one, phew... I have since tweaked my Yahoo mail settings and all Samba content is going to a specified Samba folder...

Anyhow, back to your question: I installed Ubuntu 10.04 and, if I remember, I did the apt-get install samba which brought this version down...

    r...@wfmmon-gbl:~# smbd -version
    r...@wfmmon-gbl:~# smbd
    r...@wfmmon-gbl:~# smbd --version
    Version 3.0.28a
    r...@wfmmon-gbl:~#

Mmm, I did change my /etc/apt/sources.list to a local server here in Hungary, because of my impatience... But I have set it back to default and am currently waiting for apt-get update to finish.

Seems we might be onto something here. :o)

I will let you know, and thanks for your response!

Regards
M.

--- On Thu, 1/7/10, Guy Rouillier guyr-...@burntmail.com wrote:

From: Guy Rouillier guyr-...@burntmail.com
Subject: Re: [Samba] Listing Domain Local Groups from a Samba Member (NT4 PDC)
To: samba@lists.samba.org
Date: Thursday, 1 July, 2010, 0:11

> On 6/30/2010 2:30 AM, Mark Sheard wrote:
>> I have Ubuntu version 10.04
>> Samba ver 3.0.28a-1ubuntu4.12
>
> I just did a fresh install of 10.04 x86 32-bit, and smbd reports version 3.4.7. How did you end up with 3.0.28? Try smbd -version and see what that reports.
>
> --
> Guy Rouillier

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] smbldap-usermod timeout for Terminal Server
Hello,

When I modify a user account, adding him to a customized group, there is a delay which can be up to 2 hours before it takes effect.

- the user account is already created with smbldap-useradd.
- the user account is modified later (with smbldap-usermod), adding him to a group which has the right "allow log on through terminal services" properties on the local security policy

The Samba server acts as a PDC.

I've tried a lot of things to bypass the delay:

- restart of samba
- restart of openldap
- gpupdate /force on windows server
- modify the delay in GPO: group policy refresh interval for users and for computers
- purge of samba cache in /var/cache/samba
- purge of nscd cache in /var/cache nscd

If I give the right directly to the user on Windows Server, it takes effect immediately and I can log on to the Terminal Server.

The error message I get when the policy hasn't yet taken effect is:

    to log on this remote computer, you must be granted the allow log on through terminal services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of remote desktop users group or another group that has this right, or if the remote desktop user group does not have this right, you must be granted this right manually.

It seems that there is a cache for groups.

What service can be responsible for this delay? Terminal server, GPO, samba, ldap, some cache, ...?

Thank you for your help or advice

---
Roland JARRY
[Samba] Samba clients losing domain membership
Hello,

we are currently in the process of migrating Windows machines to Ubuntu 10.04. For now, these machines act as Samba clients in a Windows domain (which is also controlled by a Samba PDC), and are themselves sharing files via SMB/CIFS.

The clients are - from time to time and for no apparent reason - losing their domain membership. When this happens, access to shares on the PDC still seems to work, but access to shares served by the client does not.

sudo net rpc testjoin gives:

    failed to get schannel session key from server PDC for Domain DOM. Error was: NT_STATUS_ACCESS_DENIED
    Join to Domain 'DOM' is not valid: NT_STATUS_ACCESS_DENIED

Doing 'sudo net rpc join' re-establishes the connection. Since the machines in question are not older than 4 weeks, I doubt it has anything to do with trust account password change or the like.

Clients are using Ubuntu 10.04 with samba 3.4.7 and Linux 2.6.32; the server is Debian 5.0 with samba 3.2.5 and Linux 2.6.26. The PDC is configured to use LDAP as passdb backend; this is also the UNIX user db for both server and clients (using libnss-ldap/libpam-ldap).
I increased debug level to 3 and got this on client and server/PDC when trying to access a share on the client machine:

Client side log:

[2010/07/06 08:57:59, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [dom]\[...@[admin2-desktop] with the new password interface
[2010/07/06 08:57:59, 3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password: mapped user is: [dom]\[...@[admin2-desktop]
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/07/06 08:57:59, 3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/06 08:57:59, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [ah] - [ah] FAILED with error NT_STATUS_ACCESS_DENIED
[2010/07/06 08:57:59, 3] smbd/error.c:60(error_packet_set)
  error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX) NT_STATUS_ACCESS_DENIED
[2010/07/06 08:57:59, 3] smbd/process.c:1459(process_smb)
  Transaction 3 of length 92 (0 toread)
[2010/07/06 08:57:59, 3] smbd/process.c:1273(switch_message)
  switch message SMBsesssetupX (pid 3710) conn 0x0
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/06 08:57:59, 3] smbd/sesssetup.c:1404(reply_sesssetup_and_X)
  wct=13 flg2=0xc801
[2010/07/06 08:57:59, 3] smbd/sesssetup.c:1607(reply_sesssetup_and_X)
  Domain=[] NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2010/07/06 08:57:59, 3] smbd/sesssetup.c:1623(reply_sesssetup_and_X)
  sesssetupX:name=[]...@[admin2-desktop]
[2010/07/06 08:57:59, 3] smbd/sesssetup.c:151(check_guest_password)
  Got anonymous request
[2010/07/06 08:57:59, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user []...@[] with the new password interface
[2010/07/06 08:57:59, 3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password: mapped user is: []...@[]
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/07/06 08:57:59, 3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/07/06 08:57:59, 3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/07/06 08:57:59, 3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2010/07/06 08:57:59, 3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/06 08:57:59, 3]
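Added example (not part of the original post and not Samba project code): a Python parser for the level-3 smbd log format quoted above, which pulls out each failed authentication with its NT status and the client workstation. The sample log text is constructed in the same format, and the function names are hypothetical.

```python
import re
from collections import Counter

# Header of one smbd debug record; some releases log fractional seconds.
# The source/function part is optional so that a header cut off at the end of
# the file still ends the previous record instead of leaking into its message.
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?),\s*(?P<level>\d+)\]"
    r"(?:\s+(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\))?"
)
CHECKING = re.compile(
    r"Checking password for unmapped user "
    r"\[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]@\[(?P<ws>[^\]]*)\]"
)
# "->" is what smbd writes; "-" alone is accepted because archived copies of
# the log (like the one above) have lost the ">".
FAILED = re.compile(
    r"Authentication for user \[(?P<user>[^\]]*)\] ->? \[(?P<mapped>[^\]]*)\] "
    r"FAILED with error (?P<status>NT_STATUS_\w+)"
)

# Constructed sample: four records flattened onto one line, one record in
# smbd's two-line layout, and a truncated trailing header.
SAMPLE = (
    "[2010/07/06 08:57:59, 3] auth/auth.c:222(check_ntlm_password) check_ntlm_password: "
    "Checking password for unmapped user [DOM]\\[ah]@[ADMIN2-DESKTOP] with the new password interface "
    "[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:210(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 "
    "[2010/07/06 08:57:59, 2] auth/auth.c:320(check_ntlm_password) check_ntlm_password: "
    "Authentication for user [ah] -> [ah] FAILED with error NT_STATUS_ACCESS_DENIED "
    "[2010/07/06 08:57:59, 3] smbd/sesssetup.c:151(check_guest_password) Got anonymous request\n"
    "[2010/07/06 09:03:12.086377,  2] auth/auth.c:320(check_ntlm_password)\n"
    "  check_ntlm_password:  Authentication for user [bob] -> [bob] FAILED with error NT_STATUS_WRONG_PASSWORD\n"
    "[2010/07/06 09:03:12, 3]"
)


def split_records(text):
    """Split smbd log text into records, whether each record spans two lines
    (smbd's own layout) or the whole log was flattened onto one line."""
    headers = list(HEADER.finditer(text))
    records = []
    for i, head in enumerate(headers):
        if head["func"] is None:  # truncated header: used as a boundary only
            continue
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        records.append({
            "ts": head["ts"],
            "level": int(head["level"]),
            "func": head["func"],
            "msg": " ".join(text[head.end():end].split()),
        })
    return records


def auth_failures(records):
    """Pair each FAILED record with the preceding 'Checking password' record.

    The pairing is positional, so it assumes the log comes from one smbd
    process (for example a per-client log file)."""
    failures, pending = [], None
    for rec in records:
        checked = CHECKING.search(rec["msg"])
        if checked:
            pending = checked.groupdict()
            continue
        failed = FAILED.search(rec["msg"])
        if failed:
            ctx = pending or {}
            failures.append({
                "ts": rec["ts"],
                "user": failed["user"],
                "status": failed["status"],
                "domain": ctx.get("domain", ""),
                "workstation": ctx.get("ws", ""),
            })
            pending = None
    return failures


def summarise(failures):
    """Count failures per (domain, user, workstation, status)."""
    return Counter((f["domain"], f["user"], f["workstation"], f["status"]) for f in failures)


def anonymous_requests(records):
    """Number of anonymous session setups logged by check_guest_password."""
    return sum(1 for r in records if r["func"] == "check_guest_password")


if __name__ == "__main__":
    recs = split_records(SAMPLE)
    for key, count in summarise(auth_failures(recs)).items():
        print(count, key)
    print("anonymous session setups:", anonymous_requests(recs))
```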
Re: [Samba] net ads testjoin
Is there anyone who can help with this question?

Regards,
Khaled

2010/4/30 Khaled Blah khaled.b...@googlemail.com:
> Can anyone give me any hints please? I've read the man pages for smb.conf and for net and then I read the manual about the net command. Still, I don't know what testjoin actually does or tries to do.
>
> Regards,
> Khaled
>
> 2010/4/26 Khaled Blah khaled.b...@googlemail.com:
>> I hope bumping is not frowned upon in this list :)
>>
>> cheers,
>> Khaled
>>
>> 2010/4/24 Khaled Blah khaled.b...@googlemail.com:
>>> Hello all,
>>>
>>> I am new to this list and hopefully I am at the right place. Firstly, thanks to everyone involved in this project. You do a great job!
>>>
>>> Now, I use net to join Windows AD domains and was wondering where I can find out more information on what happens during a net ads testjoin. The information I found on the documentation pages of net or smb.conf on the website did not say much about it. I have noticed that a testjoin will ask for a password when the domain membership is not valid and it'll ignore kerberos tickets. Is there something I am missing here?
>>>
>>> I am grateful to any insight you guys could give me!
>>>
>>> Regards,
>>> Khaled
Re: [Samba] Password policies in the LDAP server
On 2010-06-28 at 12:40 +0200 Juan Asensio Sánchez sent off:
> So, the Samba passwords are changed, but the unix password is not changed because the LDAP rejects it because it is not as strong as required. Is there any way to avoid this? Shouldn't the unix password be changed before the samba passwords to check if the LDAP server accepts it?

This is also described in https://bugzilla.samba.org/show_bug.cgi?id=7101

Can you please try out how well the patch from https://bugzilla.samba.org/attachment.cgi?id=5277 works for you?

Thanks
Björn

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
Re: [Samba] windows 7 samba domain
On Monday 05 July 2010 09:14:47 Ufficiotecnico Acknow Srl wrote:
> Hi, I successfully joined five Windows 7 clients to a samba (version 3-3.2.15-40) domain with passdb backend = tdbsam. The clients work correctly (user domain, network share, printers etc.); after 2 weeks the client does not access the domain, with this error: the trust relationship between this workstation and the primary domain failed. To resolve it I remove the client from the domain and join again; the problem reappears after a few days.

I have a similar problem with Samba 3.4.0, running on an Ubuntu server. I have seen this problem reported a number of times (on this list and elsewhere), but I have not seen any solution for it yet (still searching!). It seems to affect a number of people, but not all - some setups with Windows 7 work fine.

> I read in a forum that it could be a cache password problem related to nscd; now I disabled service nscd and enabled winbind.

I noticed after a trust relationship had broken that this machine's trust password had changed on the same day. I assume this is linked, though I am not sure who initiates this password change - is it Samba or is it the Windows 7 computer?

Here is a scenario I noticed:

1. User logs on fine in the morning;
2. The pdb entry for that user suggests that the machine account password gets changed after the user has logged in;
3. After a restart, the machine complains of a broken trust relationship.

For instance here is the entry for a machine that was reported to have lost its trust relationship on Friday 2nd of July. The 'Password last set' field corresponds roughly to the time the user logged on. After restart, the trust relationship was broken:

    # pdbedit -Lv -u ct405$
    Unix username: CT405$
    NT username:
    Account Flags: [W ]
    User SID: S-1-5-21-4063849384-1695801231-3426977757-1029
    Primary Group SID: S-1-5-21-4063849384-1695801231-3426977757-513
    Full Name: CT405$
    Home Directory: \\\ct405_
    HomeDir Drive: H:
    Logon Script: ct405_.bat
    Profile Path: \\\Profiles\ct405_
    Domain: xx
    Account desc:
    Workstations:
    Munged dial:
    Logon time: 0
    Logoff time: never
    Kickoff time: never
    Password last set: Fri, 02 Jul 2010 09:20:39 BST
    Password can change: Fri, 02 Jul 2010 09:20:39 BST
    Password must change: never
    Last bad password : 0
    Bad password count : 0
    Logon hours : FF

I don't know if any of this can help people suggest a fix. If you have ideas of things I could try, or would like me to run some tests, I will be more than happy to oblige!

Thanks,
Anselm

--
Netuxo Ltd
a workers' co-operative providing low-cost IT solutions for peace, environmental and social justice groups and the radical NGO sector
VAT Registration No 943 6779 76
Registered as a company in England and Wales. No 4798478
Registered office: Unit 31, Daro Works, 80-84 Wallis Road, London E9 5LW, Britain
office: 020 8985 6843
mobile: 07921 466 360
general enquiries: off...@netuxo.co.uk
support requests: supp...@netuxo.co.uk
http://www.netuxo.co.uk
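Added example (not part of the original message and not Samba project code): a Python check over `pdbedit -Lv` output that lists workstation trust accounts whose 'Password last set' falls shortly before a reference time, so a broken trust can be compared with a recent machine password change across all machines at once. The first sample record uses the fields quoted above; the other records, the separator lines, the reference time and the 7-day window are constructed for illustration, function names are hypothetical, and timestamps are compared as naive local times.

```python
import re
from datetime import datetime, timedelta

MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
STAMP = re.compile(r"(\d{1,2}) (\w{3}) (\d{4}) (\d{2}):(\d{2}):(\d{2})")

# First record: fields as quoted in the message above.
# Second and third records: constructed sample data.
SAMPLE = """\
---------------
Unix username:        CT405$
Account Flags:        [W          ]
User SID:             S-1-5-21-4063849384-1695801231-3426977757-1029
Password last set:    Fri, 02 Jul 2010 09:20:39 BST
Password must change: never
---------------
Unix username:        CT406$
Account Flags:        [W          ]
Password last set:    Tue, 01 Jun 2010 08:02:11 BST
Password must change: never
---------------
Unix username:        alice
Account Flags:        [U          ]
Password last set:    Mon, 05 Jul 2010 10:15:00 BST
"""


def parse_stamp(value):
    """Parse 'Fri, 02 Jul 2010 09:20:39 BST' into a naive datetime.

    The zone abbreviation is ignored; values such as 'never' or '0' give None."""
    m = STAMP.search(value)
    if not m or m.group(2) not in MONTHS:
        return None
    day, mon, year, hh, mm, ss = m.groups()
    return datetime(int(year), MONTHS[mon], int(day), int(hh), int(mm), int(ss))


def parse_pdbedit(text):
    """Split verbose pdbedit output into one dict per account.

    A new record starts at each 'Unix username:' line; lines without a colon
    (such as separator lines) are skipped."""
    records, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Unix username":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def is_workstation_trust(rec):
    """True when the account flags contain W (workstation trust account)."""
    return "W" in rec.get("Account Flags", "").strip("[] ")


def trust_accounts_rotated_within(records, reference, days):
    """Workstation trust accounts whose password was set in the `days` before
    `reference`, newest change first, as (name, changed) tuples."""
    hits = []
    for rec in records:
        if not is_workstation_trust(rec):
            continue
        changed = parse_stamp(rec.get("Password last set", ""))
        if changed is None:
            continue
        if timedelta(0) <= reference - changed <= timedelta(days=days):
            hits.append((rec["Unix username"], changed))
    return sorted(hits, key=lambda hit: hit[1], reverse=True)


if __name__ == "__main__":
    reference = datetime(2010, 7, 6, 13, 33)  # constructed reference time
    for name, changed in trust_accounts_rotated_within(parse_pdbedit(SAMPLE), reference, 7):
        print(f"{name}: machine password set {changed}, {(reference - changed).days} days before reference")
```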
[Samba] Cross subnet browsing + OpenVPN
Hi All,

I'm having a problem with cross subnet browsing and name resolution across an OpenVPN tunnel. I've found quite a few people who've had the same on mail lists but none of their fixes have worked.

The spec of the setups at both ends of the tunnel are as follows:

OS - CentOS 5.5
Samba Version 3.5.4
OpenVPN Version 2.0.9-1

Each server is configured in gateway mode with two NICs, one to the LAN and the other to a modem/router. The first machine, HEADOFFICE, has an internal IP address of 192.168.0.1 and an external of 192.168.10.4. The second machine, REMOTE1, has an internal address of 192.168.1.254 and an external of 192.168.20.4.

On OpenVPN, I have configured client to client and routes and iroutes to allow machines on each network to ping machines at the other end as well as the server IPs. So far so good and I can ping any machine on either subnet from anywhere and get a reply.

The servers are configured as Samba servers with the HEADOFFICE machine working as a PDC, DMC and WINS server and the REMOTE1 machine configured as a BDC and WINS proxy. In order to maintain logon facilities in the event of broadband failure, I have replicated the LDAP server from HEADOFFICE to REMOTE1, and updates and password changes propagate successfully from one site to the other.

If I try to access HEADOFFICE from REMOTE1 and REMOTE1's subnet it works perfectly, but trying to access REMOTE1 from HEADOFFICE and its subnet fails on name resolution, while entering \\192.168.1.254\ brings up Windows Explorer and a list of shares.

I've included the remote browse entries in smb.conf on the PDC and have WINS proxying set up on the BDC but I can't get it to push REMOTE1's IP back to the WINS server. Port scanning the internal IP of each machine from the other end of the tunnel returns a full set of open ports for the services I'm using but no IP.

If anyone can spot what I'm doing wrong I'd be grateful.

Thanks.
smb.conf - HEADOFFICE

### Included 2nd subnet for second remote site in browse sync
[global]
    workgroup = NEWDOM
    netbios name = HEADOFFICE
    security = user
    enable privileges = yes
    interfaces = 192.168.0.1 127.0.0.1
    # hosts allow = 192.168.0.0/255.255.255.0 192.168.1.0/255.255.255.0 194.168.2.0/255.255.255.0 127.0.0.1
    remote announce = 192.168.2.255/NEWDOM 192.168.1.255/NEWDOM
    remote browse sync = 192.168.1.255 192.168.2.255
    wins support = yes
    name resolve order = wins hosts bcast
    username map = /etc/samba/smbusers
    server string = Samba Server %v
    encrypt passwords = Yes
    ldap ssl = no
    unix password sync = yes
    ldap passwd sync = no
    passwd program = /usr/sbin/smbldap-passwd -u %u
    passwd chat = Changing *\nNew password* %n\n *Retype new password* %n\n
    #public = yes
    #browseable = yes
    #lm announce = yes
    #browse list = yes
    #auto services = yes
    log level = 3
    syslog = 0
    log file = /var/log/samba/log.%U
    max log size = 10
    time server = Yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    mangling method = hash2
    Dos charset = 850
    Unix charset = ISO8859-1
    local master = Yes
    domain logons = Yes
    domain master = Yes
    os level = 65
    preferred master = Yes
    wins support = yes
    passdb backend = ldapsam:ldap://127.0.0.1
    ldap admin dn = cn=Manager,dc=newdom,dc=ldm
    ldap suffix = dc=newdom,dc=ldm
    ldap group suffix = ou=Groups
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap
    add user script = /usr/sbin/smbldap-useradd -m %u
    ldap delete dn = Yes
    delete user script = /usr/sbin/smbldap-userdel %u
    add machine script = /usr/sbin/smbldap-useradd -t 0 -w %u
    add group script = /usr/sbin/smbldap-groupadd -p %g
    #delete group script = /usr/sbin/smbldap-groupdel %g
    add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
    delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

[shared]
    comment = shared directory
    path = /dat
    browseable = yes
    read only = no
    create mask = 0660
    directory mask = 0770

smb.conf - REMOTE1

#
[global]
    workgroup = NEWDOM
    netbios name = REMOTE1
    security = user
    enable privileges = yes
    interfaces = 192.168.1.254 127.0.0.1
    #hosts allow = 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24 10.8.0.0/24 127.0.0.1
    wins server = 192.168.0.1
    wins proxy = yes
    username map = /etc/samba/smbusers
    name resolve order = wins bcast hosts
    server string = Samba
Re: [Samba] net ads testjoin
SNIP

> Is there anyone who can help with this question?

    prism# net ads testjoin
    Join is OK

That's about it. Pretty simple.

> Regards,
> Khaled
>
> 2010/4/30 Khaled Blah khaled.b...@googlemail.com:
>> Can anyone give me any hints please? I've read the man pages for smb.conf and for net and then I read the manual about the net command. Still, I don't know what testjoin actually does or tries to do.
>>
>> Regards,
>> Khaled
>>
>> 2010/4/26 Khaled Blah khaled.b...@googlemail.com:
>>> I hope bumping is not frowned upon in this list :)
>>>
>>> cheers,
>>> Khaled
>>>
>>> 2010/4/24 Khaled Blah khaled.b...@googlemail.com:
>>>> Hello all,
>>>>
>>>> I am new to this list and hopefully I am at the right place. Firstly, thanks to everyone involved in this project. You do a great job!
>>>>
>>>> Now, I use net to join Windows AD domains and was wondering where I can find out more information on what happens during a net ads testjoin. The information I found on the documentation pages of net or smb.conf on the website did not say much about it. I have noticed that a testjoin will ask for a password when the domain membership is not valid and it'll ignore kerberos tickets. Is there something I am missing here?
>>>>
>>>> I am grateful to any insight you guys could give me!
>>>>
>>>> Regards,
>>>> Khaled
Re: [Samba] windows 7 samba domain
A strange thing is that I have three domains with Samba 3 and Windows 7 clients; in two of these scenarios there is no problem: openSUSE + samba samba3-3.3.10-40 and CentOS + samba samba3-3.3.12-40, while with SLES 10 and samba3-3.2.15-40 the problem persists. The field 'Password last set' in the scenarios with no problem is 1 month earlier, while in the problematic domain it is set to the date of login.

On 06/07/2010 13:33, Anselm Heaton wrote:
> On Monday 05 July 2010 09:14:47 Ufficiotecnico Acknow Srl wrote:
>> Hi, I successfully joined five Windows 7 clients to a samba (version 3-3.2.15-40) domain with passdb backend = tdbsam. The clients work correctly (user domain, network share, printers etc.); after 2 weeks the client does not access the domain, with this error: the trust relationship between this workstation and the primary domain failed. To resolve it I remove the client from the domain and join again; the problem reappears after a few days.
>
> I have a similar problem with Samba 3.4.0, running on an Ubuntu server. I have seen this problem reported a number of times (on this list and elsewhere), but I have not seen any solution for it yet (still searching!). It seems to affect a number of people, but not all - some setups with Windows 7 work fine.
>
>> I read in a forum that it could be a cache password problem related to nscd; now I disabled service nscd and enabled winbind.
>
> I noticed after a trust relationship had broken that this machine's trust password had changed on the same day. I assume this is linked, though I am not sure who initiates this password change - is it Samba or is it the Windows 7 computer?
>
> Here is a scenario I noticed:
>
> 1. User logs on fine in the morning;
> 2. The pdb entry for that user suggests that the machine account password gets changed after the user has logged in;
> 3. After a restart, the machine complains of a broken trust relationship.
>
> For instance here is the entry for a machine that was reported to have lost its trust relationship on Friday 2nd of July. The 'Password last set' field corresponds roughly to the time the user logged on. After restart, the trust relationship was broken:
>
>     # pdbedit -Lv -u ct405$
>     Unix username: CT405$
>     NT username:
>     Account Flags: [W ]
>     User SID: S-1-5-21-4063849384-1695801231-3426977757-1029
>     Primary Group SID: S-1-5-21-4063849384-1695801231-3426977757-513
>     Full Name: CT405$
>     Home Directory: \\\ct405_
>     HomeDir Drive: H:
>     Logon Script: ct405_.bat
>     Profile Path: \\\Profiles\ct405_
>     Domain: xx
>     Account desc:
>     Workstations:
>     Munged dial:
>     Logon time: 0
>     Logoff time: never
>     Kickoff time: never
>     Password last set: Fri, 02 Jul 2010 09:20:39 BST
>     Password can change: Fri, 02 Jul 2010 09:20:39 BST
>     Password must change: never
>     Last bad password : 0
>     Bad password count : 0
>     Logon hours : FF
>
> I don't know if any of this can help people suggest a fix. If you have ideas of things I could try, or would like me to run some tests, I will be more than happy to oblige!
>
> Thanks,
> Anselm
Re: [Samba] Cross subnet browsing + OpenVPN
SNIP

> Hi All,
>
> I'm having a problem with cross subnet browsing and name resolution across an openvpn tunnel. i've found quite a few people who've had the same on mail lists but none of their fixes have worked.
>
> The spec of the setups at both ends of the tunnel are as follows:

> remote announce = 192.168.2.255/NEWDOM 192.168.1.255/NEWDOM
> remote browse sync = 192.168.1.255 192.168.2.255

This looks odd to me.

    remote announce = wins server ip/DOMNAME
    remote browse sync = wins server ip

NEEDED in both smb.conf

    wins server = wins server ip

Can't remember default for this setting so

    enhanced browsing = Yes

in both smb.conf

DHCP should point clients to headoffice for WINS.
WINS proxy is not useful.

> OS - CentOS 5.5
> Samba Version 3.5.4
> OpenVPN Version 2.0.9-1
>
> Each server is configured in gateway mode with two NICS, one to the lan and the other to a modem/router. The first machine, HEADOFFICE, has an internal IP address of 192.168.0.1 and an external of 192.168.10.4. The second machine, REMOTE1, has an internal address of 192.168.1.254 and an external of 192.168.20.4.
>
> On openVPN, I have configured client to client and routes and iroutes to allow machines on each network to ping machines at the other end as well as the server IP's. So far so good and I can ping any machine on either subnet from anywhere and get a reply.
>
> The servers are configured as Samba servers with the HEADOFFICE machine working as a PDC, DMC and WINS server and the REMOTE1 machine configured as a BDC and WINS proxy. In order to maintain logon facilities in the event of broadband failure, I have replicated the LDAP server from HEADOFFICE to REMOTE1 and updates and password changes propagate successfully from one site to the other.
>
> If I try to access HEADOFFICE from REMOTE1 and REMOTE1's subnet it works perfectly but trying to access REMOTE1 from HEADOFFICE and its subnet fails on name resolution while entering \\192.168.1.254\ brings up Windows Explorer and a list of shares.
[Samba] WG: Cross subnet browsing + OpenVPN
What about your openvpn config? The tun net must have an entry in your hosts allow. If you work with bridging, the remote network has to be the same subnet as the local!? Bridging is the best way to have a remote net integrated. I have one logging in from Berlin on my Samba domain.

Daniel

---
IT
Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
Email: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Julian Pilfold-Bagwell
Sent: Tuesday, 6 July 2010 14:12
To: samba@lists.samba.org
Subject: [Samba] Cross subnet browsing + OpenVPN

> Hi All,
>
> I'm having a problem with cross subnet browsing and name resolution across an openvpn tunnel. i've found quite a few people who've had the same on mail lists but none of their fixes have worked.
>
> The spec of the setups at both ends of the tunnel are as follows:
>
> OS - CentOS 5.5
> Samba Version 3.5.4
> OpenVPN Version 2.0.9-1
>
> Each server is configured in gateway mode with two NICS, one to the lan and the other to a modem/router. The first machine, HEADOFFICE, has an internal IP address of 192.168.0.1 and an external of 192.168.10.4. The second machine, REMOTE1, has an internal address of 192.168.1.254 and an external of 192.168.20.4.
>
> On openVPN, I have configured client to client and routes and iroutes to allow machines on each network to ping machines at the other end as well as the server IP's. So far so good and I can ping any machine on either subnet from anywhere and get a reply.
>
> The servers are configured as Samba servers with the HEADOFFICE machine working as a PDC, DMC and WINS server and the REMOTE1 machine configured as a BDC and WINS proxy.
[Samba] wbinfo -g gives no output , ndr_pull_error
Hello,

after upgrading Samba from 3.4.3 to 3.5.4, wbinfo -g gives no output.

Log entry:

[2010/07/06 14:48:49.086377, 3] winbindd/winbindd_list_groups.c:58(winbindd_list_groups_send)
  list_groups
[2010/07/06 14:48:49.086504, 1] ../librpc/ndr/ndr.c:395(ndr_pull_error)
  ndr_pull_error(1): String terminator not present or outside string boundaries

wbinfo -u is working as expected.

    # net ads testjoin
    Join is OK
    # wbinfo -t
    checking the trust secret for domain GLA-RLP via RPC calls succeeded

Any ideas how to get wbinfo -g working again?

thanks
Alexander
[Samba] *update* SMB Trans2 Response STATUS_OBJECT_NAME_NOT_FOUND Problem
I need to establish a connection with a Windows host (Windows 7) via smbclient (from Ubuntu Linux), to run a script which needs to get some file information (e.g. size, version, etc.).

Connection and authentication work perfectly. From Linux, I can execute the following command:

    smb: \ allinfo test.txt
    altname: test.txt
    create_time:Thu 01 Jul 2010 11:06:30 AM CEST CEST
    access_time:Thu 01 Jul 2010 11:06:30 AM CEST CEST
    write_time: Thu 01 Jul 2010 11:06:30 AM CEST CEST
    change_time:Thu 01 Jul 2010 12:12:07 PM CEST CEST
    stream: [::$DATA], 0 bytes

response from Windows: 20 bytes (data_len within cli_qpathinfo_alt_name())

But, when I try to do the same thing on another file (let's say Windows\twain.dll or any other file) I get:

    smb: \Windows\ allinfo twain.dll
    ERRSRV - ERRerror (Non-specific error code.) getting alt name for \Windows\twain.dll

response from Windows: 0 bytes (?)

Wireshark says:

    SMB - Trans2 Request, QUERY_PATH_INFO, Query File Alt Name Info, Path:\Windows\twain.dll
    SMB - Trans2 Response, QUERY_PATH_INFO, Error: STATUS_OBJECT_NAME_NOT_FOUND (0xc034)

However, for the same file, the GET command works without any problem. It looks like I have an issue on Windows :/

The same problem happens with

    smb: \ allinfo autoexec.bat

as well as many other files.

*update*

Using FileSpy (from osronline.com) I can see the following, in response to the allinfo command:

    C:\autoexec.bat STATUS_SUCCESS FILE_OPEN CreOpts: 0020 Access: 0080 Share: 0007 Attrib: 0 Result: FILE_OPENED
    -- So it shouldn't be a permissions issue
    System ... IRP_MJ_QUERY_INFORMATION ..C:\autoexec.bat STATUS_OBJECT_NAME_NOT_FOUND FileAlternateNameInformation

FileAlternateNameInformation - From http://msdn.microsoft.com/en-us/library/cc232089%28PROT.10%29.aspx

    This information class is used to query alternate name information for a file. The alternate name for a file is its 8.3 format name (eight characters that appear before the . and three characters that appear after). A file MAY have an alternate name to achieve compatibility with the 8.3 naming requirements of legacy applications...This operation returns a status code...The status code returned directly by the function that processes this file information class MUST be STATUS_SUCCESS or one of the following. STATUS_INFO_LENGTH_MISMATCH 0xC004 or STATUS_OBJECT_NAME_NOT_FOUND 0xC034

What do you think? For some reason, when smbclient issues the allinfo command, FileAlternateNameInformation seems to fail for some reason on the Windows host.

I've tried to follow http://technet.microsoft.com/en-us/library/cc778996%28WS.10%29.aspx (change that value to 1) but the problem is still there, at least on Windows Vista and 7.

Is there any way I can solve this problem?

I've found this problem with:

- smbclient --version
  Version 3.4.7
  Version 3.5.4

on Ubuntu 10.04 2.6.32-23-generic x86_64 and Gentoo

Thanks for your attention
[Samba] Browser Elections Failing
Samba 3.4.7 on CentOS 5.4 (although I saw the same behaviour with earlier versions of both).

Samba is set to be the PDC and master browser, and we have bumped the os level up to its maximum:

    workgroup = WORKGROUP
    netbios name = LINUX
    os level = 255
    preferred master = Yes
    local master = Yes
    domain master = Yes
    browse list = Yes
    enhanced browsing = Yes
    wins proxy = No
    wins support = Yes

Periodically, however, some Windows laptop comes onto our network and steals Local Master from the Samba server. Then, when the laptop is removed, no further browser elections occur. I can force an election with smbcontrol nmbd force-election, which the server wins (no pun intended), but isn't that supposed to happen automatically if the previous master disappears?

Any ideas why a server with those settings would lose Local Master, or fail to regain it when the other machine becomes unavailable?

Moray.
To err is human. To purr, feline
[Samba] Samba Scenario
Hi All

I have been asked by my company management to look into moving file share server from Windows 2003 server OS to Ubuntu 10.4 using Samba. I have successfully configured active directory authentication using winbind and have configured samba and am able to access my file share successfully.

The complication arises as a result of implementing ACL mappings on Linux, as I need fine grained control over specific subfolders and files. From what I have read, I can't map all 13 permissions to respective unix rwx permissions. I have a use case where a certain group called A has read write execute rights on a folder/file but they shouldn't be allowed to delete the specific folder/file. On Windows, all I have to do is set up my security permissions to deny 'delete subfolders and files' and 'delete' and it works well. In the Linux world I understand I can't do this as the user has rwx permissions on the folder/file and he can do whatever he likes.

I googled a lot around this issue and found that if you set up sticky bit on the directory I can still read and write from the file or directory and won't be able to delete it. It works in case of most document types but MS Office. From samba help I figured that Word does the following when you modify/change a Word document: MS Word creates a new document with a temporary name. Word then closes the old document and deletes it, then renames the new document to the original document name. The url is http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html#id2615334

So if the sticky bit is set on the directory containing Word files for instance, Linux won't be able to delete the file (as required in write operations by MS Office) and hence comes with an error.

I shall be highly obliged if someone can shed light on this issue. Alternatively I would love to learn about other solutions for the use case mentioned.

Thanks in advance
Hass.
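The failure described in this post, as an added example that is not part of the original message or of Samba: a simplified Python model of the Linux sticky-bit rule (in a sticky directory only the file's owner, the directory's owner or root may unlink or rename an entry), replayed against the Word save sequence quoted above. The users, uids, gid, file name and temp name are constructed, and POSIX ACLs and capabilities are not modelled.

```python
import stat
from dataclasses import dataclass, field


@dataclass
class User:
    uid: int
    gids: frozenset


@dataclass
class Node:
    owner: int
    group: int
    mode: int                      # rwx bits, plus stat.S_ISVTX on a sticky directory


@dataclass
class Directory(Node):
    entries: dict = field(default_factory=dict)   # file name -> Node


def allowed(user, node, want):
    """Owner/group/other check for the bits in `want` (4=r, 2=w, 1=x)."""
    if user.uid == 0:
        return True
    if user.uid == node.owner:
        bits = node.mode >> 6
    elif node.group in user.gids:
        bits = node.mode >> 3
    else:
        bits = node.mode
    return (bits & want) == want


def may_remove(user, d, name):
    """Rule applied to unlink() and to renaming an entry away or over it."""
    if not allowed(user, d, 0o3):            # w+x on the directory is always needed
        return False
    if d.mode & stat.S_ISVTX and user.uid != 0:
        # Sticky directory: only the file's owner or the directory's owner may remove.
        return user.uid in (d.entries[name].owner, d.owner)
    return True


def write_in_place(user, d, name):
    """An editor that opens the existing file and overwrites its contents."""
    return allowed(user, d, 0o1) and allowed(user, d.entries[name], 0o2)


def word_save(user, d, name, tmp="~WRD0001.tmp"):
    """Replay create-temp / delete-original / rename; return (ok, failed_step)."""
    if not allowed(user, d, 0o3):
        return False, "create temp"
    d.entries[tmp] = Node(owner=user.uid, group=d.group, mode=0o660)
    if not may_remove(user, d, name):
        del d.entries[tmp]                   # model simplification: temp is cleaned up
        return False, "delete original"
    del d.entries[name]
    d.entries[name] = d.entries.pop(tmp)     # rename is allowed: the user owns the temp
    return True, None


def build_share(sticky):
    """Constructed sample: directory owned by uid 1000, group A is gid 500."""
    mode = 0o770 | (stat.S_ISVTX if sticky else 0)
    d = Directory(owner=1000, group=500, mode=mode)
    d.entries["report.doc"] = Node(owner=2001, group=500, mode=0o660)   # alice's file
    return d


ALICE = User(uid=2001, gids=frozenset({500}))   # owner of report.doc
BOB = User(uid=2002, gids=frozenset({500}))     # group A member, not the owner

if __name__ == "__main__":
    for sticky in (False, True):
        for who, user in (("alice", ALICE), ("bob", BOB)):
            d = build_share(sticky)
            in_place = write_in_place(user, d, "report.doc")
            saved = word_save(user, d, "report.doc")
            print(f"sticky={sticky} {who}: in-place write={in_place} word save={saved}")
```

Without the sticky bit Bob's save succeeds in the model, but the file ends up owned by Bob, so owner-based delete protection would not follow the document across a Word save either.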
Re: [Samba] Samba Scenario
Linux ext3 and ext4 file systems should support acl's, which allow for multiple users and groups and the more fine grained controls you are looking for. The setfacl and getfacl commands should verify if this is working.

I am running Samba on Solaris with the zfs file system, so this is not exactly your situation. However it does demonstrate that Unix-to-Samba ACL support does work (although not always perfectly.)

testparm -v | grep acl should let you know which options are available for smb.conf

On 07/06/2010 10:12 AM, Hasnain Badami wrote:

Hi All

I have been asked by my company management to look into moving file share server from Windows 2003 server OS to Ubuntu 10.4 using Samba. I have successfully configured active directory authentication using winbind and have configured samba and am able to access my file share successfully.

The complication arises as a result of implementing ACL mappings on Linux, as I need fine grained control over specific subfolders and files. From what I have read, I can't map all 13 permissions to respective unix rwx permissions. I have a use case where a certain group called A has read write execute rights on a folder/file but they shouldn't be allowed to delete the specific folder/file. On Windows, all I have to do is set up my security permissions to deny 'delete subfolders and files' and 'delete' and it works well. In the Linux world I understand I can't do this as the user has rwx permissions on the folder/file and he can do whatever he likes.

I googled a lot around this issue and found that if you set up sticky bit on the directory I can still read and write from the file or directory and won't be able to delete it. It works in case of most document types but MS Office. From samba help I figured that Word does the following when you modify/change a Word document: MS Word creates a new document with a temporary name. Word then closes the old document and deletes it, then renames the new document to the original document name. The url is http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html#id2615334

So if the sticky bit is set on the directory containing Word files for instance, Linux won't be able to delete the file (as required in write operations by MS Office) and hence comes with an error.

I shall be highly obliged if someone can shed light on this issue. Alternatively I would love to learn about other solutions for the use case mentioned.

Thanks in advance
Hass.
Re: [Samba] net ads testjoin
It seems you didn't even read my initial question. Quoting myself here:

quote
Now, I use net to join Windows AD domains and was wondering where I can find out more information on what happens during a net ads testjoin. The information I found on the documentation pages of net or smb.conf on the website did not say much about it. I have noticed that a testjoin will ask for a password when the domain membership is not valid and it'll ignore kerberos tickets. Is there something I am missing here?
/quote

Regards,
Khaled

2010/7/6 t...@tms3.com:

SNIP

Is there anyone who can help with this question?

prism# net ads testjoin
Join is OK

That's about it. Pretty simple.

Regards,
Khaled
[Samba] protocol negotiation failed: NT_STATUS_END_OF_FILE
Hi all,

I have deleted and reinstalled samba 3.4.0 and then I got a failure at starting samba. I guess that was because of the lack of smb.conf (I have deleted it manually and it didn't install it back). And I have decided to install samba4, which gave me also the same failure, so I have again installed samba 3.4.0 and I found an smb.conf file from /usr/share/doc/samba-doc/examples/smb.conf.default.gz, then I copied it into /etc/samba. Afterwards I didn't get the same failure, but whenever I try smbclient -L localhost -U% I get the following error:

    Domain=[WORKGROUP] OS=[Unix] Server=[Samba 4.0.0alpha9-GIT-27087e6]
    tree connect failed: NT_STATUS_BAD_NETWORK_NAME

I guess Samba 4.0.0alpha9-GIT-27087e6 explains there are still some samba4 files that affect the system, but I have deleted it. I have autoremoved samba4, then purged samba and samba-common and installed samba again, and this time when I try smbclient -L localhost -U% I get another failure: protocol negotiation failed: NT_STATUS_END_OF_FILE.

Does anyone have any idea what is going wrong?

Thanks in advance
Murat Can Tuna
Re: [Samba] net ads testjoin
On Tuesday 06/07/2010 at 8:03 am, Khaled Blah wrote:

It seems you didn't even read my initial question. Quoting myself here:

It seems you are asking for the answer to the ultimate question, the answer of which is 42. However, you haven't asked THE question.

quote
Now, I use net to join Windows AD domains and was wondering where I can find out more information on what happens during a net ads testjoin.

It tests the validity of the Samba server's AD machine account status. You can see what's happening with wireshark or other packet sniffer.

The information I found on the documentation pages of net or smb.conf on the website did not say much about it. I have noticed that a testjoin will ask for a password when the domain membership is not valid and it'll ignore kerberos tickets. Is there something I am missing here?

I dunno, what are you looking for?
/quote

Regards,
Khaled

2010/7/6 t...@tms3.com:

SNIP

Is there anyone who can help with this question?

prism# net ads testjoin
Join is OK

That's about it. Pretty simple.

Regards,
Khaled
Re: [Samba] net ads testjoin
On Tue, Jul 6, 2010 at 10:01 AM, t...@tms3.com wrote:

On Tuesday 06/07/2010 at 8:03 am, Khaled Blah wrote:

It seems you didn't even read my initial question. Quoting myself here:

It seems you are asking for the answer to the ultimate question, the answer of which is 42. However, you haven't asked THE question.

quote
Now, I use net to join Windows AD domains and was wondering where I can find out more information on what happens during a net ads testjoin.

It tests the validity of the Samba server's AD machine account status. You can see what's happening with wireshark or other packet sniffer.

The information I found on the documentation pages of net or smb.conf on the website did not say much about it. I have noticed that a testjoin will ask for a password when the domain membership is not valid and it'll ignore kerberos tickets. Is there something I am missing here?

I dunno, what are you looking for?
/quote

Regards,
Khaled

2010/7/6 t...@tms3.com:

SNIP

Is there anyone who can help with this question?

prism# net ads testjoin
Join is OK

That's about it. Pretty simple.

Regards,
Khaled

You may find some information in chapter 10 of the book Using Samba by Gerald Carter http://www.oreillynet.com/pub/au/1035; Jay Ts http://www.oreillynet.com/pub/au/996; Robert Eckstein http://www.oreillynet.com/pub/au/155
[Samba] Throughput problem with Samba 3.3.1 on NetBSD
Hello everyone,

I need some collective wisdom. I have recently started using NetBSD and it works quite well on everything but with Samba. I have played with the smb.conf to try to improve performance but to no avail. The setup is fairly simple. Here is my smb.conf

    [global]
    workgroup=HOME
    netbios aliases = MEDIALAB
    security = user
    socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
    use sendfile = true
    local master = yes
    os level = 33
    wins support = yes

    [homes]
    comment = Home Directories
    browseable = no
    writable = yes

    [musica]
    comment= Musica para alegrar la vida
    path = /media/external/Multimedia/Musica
    public = no
    writable = no
    write list = @wheel
    browsable = yes

    [peliculas]
    comment= Algunas pelis para entretenerse
    path = /media/external/Multimedia/Peliculas
    public = no
    writable = no
    write list = @wheel
    browsable = yes

The problem is that I cannot get even 1Mbps, while on the exact same environment with CentOS 5 I was getting over the Wireless G 48Mbps.

Any ideas on how I might improve performance? I tried already the NetBSD user mail list to no avail.

Thanks in advance.
Re: [Samba] Throughput problem with Samba 3.3.1 on NetBSD
On Tue, Jul 06, 2010 at 11:50:16AM -0600, Max León wrote:

Hello everyone, I need some collective wisdom, I have recently start using NetBSD and works quite well on everything but with Samba. I have played with the smb.conf to try to improve performance but to no avail. The setup is fairly simple. Here is my smb.conf

    [global]
    workgroup=HOME
    netbios aliases = MEDIALAB
    security = user
    socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192

Just dump the SO_SNDBUF and SO_RCVBUF or increase those values dramatically to at least 128k. But I would guess NetBSD is better at figuring out those values itself.

Volker
Re: [Samba] Throughput problem with Samba 3.3.1 on NetBSD
SNIP

On Tue, Jul 06, 2010 at 11:50:16AM -0600, Max León wrote:

Hello everyone, I need some collective wisdom, I have recently start using NetBSD and works quite well on everything but with Samba. I have played with the smb.conf to try to improve performance but to no avail. The setup is fairly simple. Here is my smb.conf

    [global]
    workgroup=HOME
    netbios aliases = MEDIALAB
    security = user
    socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192

Just dump the SO_SNDBUF and SO_RCVBUF or increase those values dramatically to at least 128k. But I would guess NetBSD is better at figuring out those values itself.

As well, I've had some good performance on FreeBSD with aio_load=YES in /boot/loader.conf and

    aio read size = 1000
    aio write size = 1000
    aio write behind = false

You're using wireless, yes? Hopefully a fully kernel driver and not a blob?

Volker
Re: [Samba] Fail to join a Windows 2008 R2 to a Samba+LDAP PDC version 3.5.4
Try removing

    HKLM\System\CurrentControlSet\Services\Netlogon\Parameters
    DWORD RequireSignOrSeal = 0
    DWORD RequireStrongKey = 0

These options used to be needed, but were not needed when I joined my R2 machine to my Samba3.5 server - and when those reg keys were added, the join worked, but you couldn't log on.

Sean
Re: [Samba] Default Hidden Disk Shares
On Mon, Jul 05, 2010 at 10:00:46AM +0100, Atkinson, Robert wrote:

Before I reply, please take my response in the light it's meant, which is curious interest and intrigue. I'm not and don't want to drag this out into a full blown dissemination of Windows security.

The 'admins' directive in the CONF file holds a list of Admin users, and gives elevated privileges to those accounts. I'm at a loss to see how this differs from also giving root visibility to the same users.

I see this one of two ways. Either there isn't enough faith in the SAMBA code to feel that it's a robust secure system (I personally think it is), or there's a paranoia amongst the community. Given the way Windows is constantly hacked, this second observation may well be indirectly true.

It isn't a matter of either or. It's a belt-and-braces approach. Yes, if the root elevated privilege code has a bug it's game over, but with an admin share of /, now you have *two* avenues of attack not one. Why make everyone pay that cost instead of just the people who want it?
Re: [Samba] Set ACLs on Samba share from Windows
On Sun, 04 Jul 2010 20:26:47 -0400, Gaiseric Vandal wrote:

It works for me - Solaris 10, ZFS file system, configured as a PDC or BDC

    #testparm -v | grep acl
    acl compatibility = auto
    acl check permissions = Yes
    acl group control = No
    acl map full control = Yes
    force unknown acl user = No
    nt acl support = Yes
    map acl inherit = No

I'll try those settings and see if that works.

Can you use setfacl to change permissions on a file on the unix level using the uid of a domain user?

Yes.

Can you, in windows, set permissions for someone defined as a local user?

I don't know. I'll have to set up user mappings to get that to work.

That might indicate if the problem is really with ACL's or if the problem is with winbind retrieving users from the domain controller. (Although getent seems to indicate that winbind is not the problem.)

Thanks.
Re: [Samba] Set ACLs on Samba share from Windows
On Sun, 04 Jul 2010 15:55:26 -0700, tms3 wrote:

Operating system Samba Version.

Fedora 13. Samba 3.5.4 (the one supplied with Fedora)

Does *Nix file system used support ACL's?

Yes.

Are ACL's turned on for the samba share mountpoint?

Is this an OS setting or a Samba setting?

Thanks.
Re: [Samba] Set ACLs on Samba share from Windows
On 07/07/10 01:11 AM, Dadoo wrote:

On Sun, 04 Jul 2010 15:55:26 -0700, tms3 wrote:

Operating system Samba Version.

Fedora 13. Samba 3.5.4 (the one supplied with Fedora)

Does *Nix file system used support ACL's?

Yes.

Are ACL's turned on for the samba share mountpoint?

Is this an OS setting or a Samba setting?

Thanks.

ACLs can sometimes be turned on or off on a file system as a mount option. Other times it's inherent in the system. It may even be a format-time option.
Re: [Samba] Set ACLs on Samba share from Windows
Is this an OS setting or a Samba setting?

File system/OS. For instance, with FreeBSD in /etc/fstab I might have

    /dev/ad8s3d /home/samba ufs rw,acls 2 2

Check your OS manual regarding settings for the file system you are using.

TMS III

Thanks.
Build status as of Tue Jul 6 06:00:01 2010
URL: http://build.samba.org/ --- /home/build/master/cache/broken_results.txt.old 2010-07-05 00:00:05.0 -0600 +++ /home/build/master/cache/broken_results.txt 2010-07-06 00:00:03.0 -0600 @@ -1,4 +1,4 @@ -Build status as of Mon Jul 5 06:00:01 2010 +Build status as of Tue Jul 6 06:00:01 2010 Build counts: Tree Total Broken Panic @@ -16,7 +16,7 @@ samba_3_master 28 28 1 samba_3_next 28 28 2 samba_4_0_test 30 30 0 -samba_4_0_waf 30 29 6 +samba_4_0_waf 30 29 3 talloc 30 7 0 tdb 28 7 0
[SCM] Samba Shared Repository - branch v3-5-test updated
The branch, v3-5-test has been updated via b4803af... s3: Fix bug 7336: Enable idmap_passdb module build as shared (cherry picked from commit 8c0fbc410798512b7a4b7db73bcb24cde6fa7849) from f3c852e... s3-printing: Fix Bug #7541, %D in printer admin causing smbd crash. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test - Log - commit b4803af11525823ea508d0ca4e58402d55901194 Author: Volker Lendecke v...@samba.org Date: Sun Jul 4 10:01:42 2010 +0200 s3: Fix bug 7336: Enable idmap_passdb module build as shared (cherry picked from commit 8c0fbc410798512b7a4b7db73bcb24cde6fa7849) --- Summary of changes: source3/Makefile.in |4 1 files changed, 4 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/Makefile.in b/source3/Makefile.in index 08581a4..9e960c9 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -2617,6 +2617,10 @@ bin/r...@shlibext@: $(BINARY_PREREQS) winbindd/idmap_rid.o @echo Building plugin $@ @$(SHLD_MODULE) winbindd/idmap_rid.o +bin/pass...@shlibext@: $(BINARY_PREREQS) winbindd/idmap_passdb.o + @echo Building plugin $@ + @$(SHLD_MODULE) winbindd/idmap_passdb.o + bin/a...@shlibext@: $(BINARY_PREREQS) winbindd/idmap_ad.o @echo Building plugin $@ @$(SHLD_MODULE) winbindd/idmap_ad.o -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v3-4-test updated
The branch, v3-4-test has been updated via 1b22e94... s3: Fix bug 7336: Enable idmap_passdb module build as shared (cherry picked from commit 8c0fbc410798512b7a4b7db73bcb24cde6fa7849) (cherry picked from commit b4803af11525823ea508d0ca4e58402d55901194) from 10e34cf... s3-librpc: Fixed GUID_from_data_blob() with length of 32. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-4-test - Log - commit 1b22e942aa869d51dc9e50b74c44ece004c30947 Author: Volker Lendecke v...@samba.org Date: Sun Jul 4 10:01:42 2010 +0200 s3: Fix bug 7336: Enable idmap_passdb module build as shared (cherry picked from commit 8c0fbc410798512b7a4b7db73bcb24cde6fa7849) (cherry picked from commit b4803af11525823ea508d0ca4e58402d55901194) --- Summary of changes: source3/Makefile.in |4 1 files changed, 4 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/Makefile.in b/source3/Makefile.in index f1f8471..b863e36 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -2454,6 +2454,10 @@ bin/r...@shlibext@: $(BINARY_PREREQS) winbindd/idmap_rid.o @echo Building plugin $@ @$(SHLD_MODULE) winbindd/idmap_rid.o +bin/pass...@shlibext@: $(BINARY_PREREQS) winbindd/idmap_passdb.o + @echo Building plugin $@ + @$(SHLD_MODULE) winbindd/idmap_passdb.o + bin/a...@shlibext@: $(BINARY_PREREQS) winbindd/idmap_ad.o @echo Building plugin $@ @$(SHLD_MODULE) winbindd/idmap_ad.o -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 60a3cc8... s3: Fix another winbind crash from 1dcf0e9... pidl: s3 server stubs: make sure LIBNDR_FLAG_BIGENDIAN is set when negotiated. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 60a3cc850a27a14110541439c05387efb0312210 Author: Volker Lendecke v...@samba.org Date: Tue Jul 6 11:54:31 2010 +0200 s3: Fix another winbind crash This is similar to 09a9cc3, this re-arranges winbindd_ads.c:query_user_list() so that ads is not accessed anymore across a call to nss_get_info_cached() call which can destroy it behind the scenes. --- Summary of changes: source3/winbindd/winbindd_ads.c | 83 ++ 1 files changed, 48 insertions(+), 35 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c index 366732a..c73e1a0 100644 --- a/source3/winbindd/winbindd_ads.c +++ b/source3/winbindd/winbindd_ads.c @@ -153,7 +153,7 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain) static NTSTATUS query_user_list(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, uint32 *num_entries, - struct wbint_userinfo **info) + struct wbint_userinfo **pinfo) { ADS_STRUCT *ads = NULL; const char *attrs[] = { *, NULL }; 
@@ -192,23 +192,18 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain, goto done; } - (*info) = TALLOC_ZERO_ARRAY(mem_ctx, struct wbint_userinfo, count); - if (!*info) { + (*pinfo) = TALLOC_ZERO_ARRAY(mem_ctx, struct wbint_userinfo, count); + if (!*pinfo) { status = NT_STATUS_NO_MEMORY; goto done; } - i = 0; + count = 0; for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) { - const char *name; - const char *gecos = NULL; - const char *homedir = NULL; - const char *shell = NULL; + struct wbint_userinfo *info = ((*pinfo)[count]); uint32 group; uint32 atype; - struct dom_sid user_sid; - gid_t primary_gid = (gid_t)-1; if (!ads_pull_uint32(ads, msg, sAMAccountType, atype) || ds_atype_map(atype) != SID_NAME_USER) { 
@@ -216,46 +211,64 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain, continue; } - name = ads_pull_username(ads, mem_ctx, msg); - - if ( ads_pull_sid( ads, msg, objectSid, user_sid ) ) { - status = nss_get_info_cached( domain, user_sid, mem_ctx, - ads, msg, homedir, shell, gecos, - primary_gid ); - } - - if (gecos == NULL) { - gecos = ads_pull_string(ads, mem_ctx, msg, name); - } + info-acct_name = ads_pull_username(ads, mem_ctx, msg); + info-full_name = ads_pull_string(ads, mem_ctx, msg, name); + info-homedir = NULL; + info-shell = NULL; + info-primary_gid = (gid_t)-1; if (!ads_pull_sid(ads, msg, objectSid, - (*info)[i].user_sid)) { - DEBUG(1,(No sid for %s !?\n, name)); + info-user_sid)) { + DEBUG(1, (No sid for %s !?\n, info-acct_name)); continue; } + if (!ads_pull_uint32(ads, msg, primaryGroupID, group)) { - DEBUG(1,(No primary group for %s !?\n, name)); + DEBUG(1, (No primary group for %s !?\n, + info-acct_name)); continue; } + sid_compose(info-group_sid, domain-sid, group); - (*info)[i].acct_name = name; - (*info)[i].full_name = gecos; - (*info)[i].homedir = homedir; - (*info)[i].shell = shell; - (*info)[i].primary_gid = primary_gid; - sid_compose((*info)[i].group_sid, domain-sid, group); - i++; + count += 1; + } + + (*num_entries) = count; + ads_msgfree(ads, res); + + for (i=0; icount; i++) { + struct wbint_userinfo *info = ((*pinfo)[i]); + const char *gecos = NULL; + gid_t primary_gid = (gid_t)-1; + + /* +* Don't use our variable ads in this call here,
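Review bot: In query_user_list() the variable count now does double duty: it sizes the TALLOC_ZERO_ARRAY() allocation and is then reset with "count = 0" to serve as the output index, so a reader has to spot the reset to see that *num_entries ends up as the number of accepted users and not the LDAP result count. A separate index variable for the first loop would make that explicit. The visible part also moves ads_msgfree(ads, res) ahead of the second loop while the earlier "goto done" paths remain; the diff is cut off before the done: label, so please confirm that the cleanup there cannot free res a second time on the success path.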
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via b4c3f72... s3: Fix a segfault in the RPC server from 60a3cc8... s3: Fix another winbind crash http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit b4c3f72d445a5659971b0080ab1eba88695d2a0d Author: Volker Lendecke v...@samba.org Date: Tue Jul 6 15:07:05 2010 +0200 s3: Fix a segfault in the RPC server After converting the rpc infratructure to talloc, read_from_internal_pipe freed the outdata too early. If the last fragment was read in two pieces (as rpcclient does it), all the outdata was freed during the read of the first piece of the read of the last fragment. Later readx calls, trying to read the rest of the last fragment stepped into p-out_data.frag with non-zero offset when this was already freed. --- Summary of changes: source3/rpc_server/srv_pipe_hnd.c | 17 + 1 files changed, 9 insertions(+), 8 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/rpc_server/srv_pipe_hnd.c b/source3/rpc_server/srv_pipe_hnd.c index a77b9ea..e933992 100644 --- a/source3/rpc_server/srv_pipe_hnd.c +++ b/source3/rpc_server/srv_pipe_hnd.c @@ -858,15 +858,16 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data, * current_pdu_sent. */ p-out_data.current_pdu_sent = 0; prs_mem_free(p-out_data.frag); - } - if(p-out_data.data_sent_length = prs_offset(p-out_data.rdata)) { - /* -* We're completely finished with both outgoing and -* incoming data streams. It's safe to free all temporary -* data from this request. -*/ - free_pipe_context(p); + if (p-out_data.data_sent_length + = prs_offset(p-out_data.rdata)) { + /* +* We're completely finished with both outgoing and +* incoming data streams. It's safe to free all +* temporary data from this request. +*/ + free_pipe_context(p); + } } return data_returned; -- Samba Shared Repository
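Review bot: The code comment that moved with free_pipe_context(p) in read_from_internal_pipe() still only says it is safe to free once both streams are finished; it does not record why the check now has to sit inside the block that runs after the current fragment has been completely sent, which is the whole point of the fix. Please add a sentence there saying that a partially read last fragment must keep p->out_data.frag alive, and consider a regression test that reads the last fragment in two pieces, the rpcclient pattern the commit message names, since that path is what stepped into freed memory.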
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 4efa108... s4:rpc_server/lsa/dcesrv_lsa.c - fix typo from b4c3f72... s3: Fix a segfault in the RPC server http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 4efa1081aadc4de22bc1e8c51c41978464730f95 Author: Sumit Bose sb...@redhat.com Date: Tue Jul 6 14:55:32 2010 -0400 s4:rpc_server/lsa/dcesrv_lsa.c - fix typo Signed-off-by: Günther Deschner g...@samba.org --- Summary of changes: source4/rpc_server/lsa/dcesrv_lsa.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c index 85fddf7..3f5c9ff 100644 --- a/source4/rpc_server/lsa/dcesrv_lsa.c +++ b/source4/rpc_server/lsa/dcesrv_lsa.c @@ -4159,7 +4159,7 @@ static NTSTATUS check_ft_info(TALLOC_CTX *mem_ctx, tln_conflict = false; } - if (nrec-type != FOREST_TRUST_DOMAIN_INFO) { + if (trec-type != FOREST_TRUST_DOMAIN_INFO) { continue; } -- Samba Shared Repository
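Review bot: The "fix typo" subject undersells this change to check_ft_info(): the old line tested nrec->type where trec->type was meant, and because both names are in scope the compiler accepted it, so the skip for records that are not FOREST_TRUST_DOMAIN_INFO was decided on the wrong record. Please say in the commit message which record was being tested and what the behavioural effect was, and consider more distinct names than nrec and trec so a one-character slip is easier to spot in review.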
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via a56c688... s3: Fix another aspect of bug 7262 and make paged results work again from 4efa108... s4:rpc_server/lsa/dcesrv_lsa.c - fix typo http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit a56c6883661123ed7eb07f7e6f0e947714d1d575 Author: Volker Lendecke v...@samba.org Date: Tue Jul 6 16:55:14 2010 +0200 s3: Fix another aspect of bug 7262 and make paged results work again --- Summary of changes: source3/passdb/pdb_ldap.c |8 1 files changed, 4 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c index 6ac8f0d..f4c8dbe 100644 --- a/source3/passdb/pdb_ldap.c +++ b/source3/passdb/pdb_ldap.c @@ -4483,10 +4483,6 @@ static bool ldapsam_search_next_entry(struct pdb_search *search, bool result; retry: - if (state-current_entry == NULL) { - return false; - } - if ((state-entries == NULL) (state-pagedresults_cookie == NULL)) return False; @@ -4494,6 +4490,10 @@ static bool ldapsam_search_next_entry(struct pdb_search *search, !ldapsam_search_nextpage(search)) return False; + if (state-current_entry == NULL) { + return false; + } + result = state-ldap2displayentry(state, search, state-connection-ldap_struct, state-current_entry, entry); -- Samba Shared Repository
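Review bot: Nothing in the commit message or in ldapsam_search_next_entry() says why the state->current_entry == NULL test has to come after the ldapsam_search_nextpage() call, and the ordering is the entire fix: in the old position the early return fired before the next page could be fetched. A one-line comment above the moved block would keep someone from hoisting it back up. The moved lines also use "return false" while the surrounding returns in the same function use "return False"; pick one.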
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 44d8c8d... s3-winbind: Handle aliases in rpc_lookup_groupmem(). via 11ae9af... s3-winbind: Fixed the winbind caching. via 66fc77e... s3-winbind: Use same format for all msrpc debug messages. via 2794c5a... s3-winbind: Fixed debug messages of open_internal_lsa_pipe(). via 9d23f8f... s3-winbind: Make sure that the policy handles are closed. via c5cd356... s3-winbind: Make sure we close all policy handles in sam. via c67cff0... s3-winbind: Create all logfiles in the same directory. from a56c688... s3: Fix another aspect of bug 7262 and make paged results work again http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 44d8c8dbb721eadface3785cee135b2912ca00e7 Author: Andreas Schneider a...@samba.org Date: Tue Jul 6 14:56:50 2010 +0200 s3-winbind: Handle aliases in rpc_lookup_groupmem(). commit 11ae9aff971759f2b4658b294e9f1845500ecd4e Author: Günther Deschner g...@samba.org Date: Tue Jul 6 12:50:48 2010 +0200 s3-winbind: Fixed the winbind caching. commit 66fc77e8863ef126317c1077628989e437827514 Author: Andreas Schneider a...@samba.org Date: Tue Jul 6 10:58:46 2010 +0200 s3-winbind: Use same format for all msrpc debug messages. commit 2794c5ad24170c58d9d491e1f6cec1a58b82ad3f Author: Andreas Schneider a...@samba.org Date: Tue Jul 6 10:53:01 2010 +0200 s3-winbind: Fixed debug messages of open_internal_lsa_pipe(). commit 9d23f8fbc5b80b0a2f34bbd1a1beef63cb06d3c1 Author: Andreas Schneider a...@samba.org Date: Tue Jul 6 15:33:50 2010 +0200 s3-winbind: Make sure that the policy handles are closed. commit c5cd35658be8c473893f4aa230b38de667f12154 Author: Andreas Schneider a...@samba.org Date: Tue Jul 6 01:05:39 2010 +0200 s3-winbind: Make sure we close all policy handles in sam. commit c67cff0372d987d13105b81a7625ff42a3ceac43 Author: Andreas Schneider a...@samba.org Date: Mon Jul 5 19:43:25 2010 +0200 s3-winbind: Create all logfiles in the same directory. 
If log file is set in the config file, we should create the log files of the winbind child processes in the same directory. --- Summary of changes: source3/winbindd/winbindd_cache.c |8 +++ source3/winbindd/winbindd_cm.c| 12 source3/winbindd/winbindd_dual.c | 23 - source3/winbindd/winbindd_msrpc.c | 19 --- source3/winbindd/winbindd_rpc.c | 103 ++-- source3/winbindd/winbindd_samr.c | 87 ++- source3/winbindd/winbindd_util.c |7 +-- 7 files changed, 213 insertions(+), 46 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c index 1bfbdb6..a3e202b 100644 --- a/source3/winbindd/winbindd_cache.c +++ b/source3/winbindd/winbindd_cache.c @@ -41,6 +41,7 @@ extern struct winbindd_methods reconnect_methods; extern struct winbindd_methods ads_methods; #endif extern struct winbindd_methods builtin_passdb_methods; +extern struct winbindd_methods sam_passdb_methods; /* * JRA. KEEP THIS LIST UP TO DATE IF YOU ADD CACHE ENTRIES. @@ -143,6 +144,13 @@ static struct winbind_cache *get_cache(struct winbindd_domain *domain) domain-backend = builtin_passdb_methods; domain-initialized = True; } + + if (strequal(domain-name, get_global_sam_name()) + sid_equal(domain-sid, get_global_sam_sid())) { + domain-backend = sam_passdb_methods; + domain-initialized = True; + } + if ( !domain-initialized ) { init_dc_connection( domain ); } diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 19b73bc..fa1b78c 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -1574,6 +1574,10 @@ void invalidate_cm_connection(struct winbindd_cm_conn *conn) } if (conn-samr_pipe != NULL) { + if (is_valid_policy_hnd(conn-sam_connect_handle)) { + rpccli_samr_Close(conn-samr_pipe, talloc_tos(), + conn-sam_connect_handle); + } TALLOC_FREE(conn-samr_pipe); /* Ok, it must be dead. Drop timeout to 0.5 sec. */ if (conn-cli) { 
@@ -1582,6 +1586,10 @@ void invalidate_cm_connection(struct winbindd_cm_conn *conn) } if (conn-lsa_pipe != NULL) { + if (is_valid_policy_hnd(conn-lsa_policy)) { + rpccli_lsa_Close(conn-lsa_pipe, talloc_tos(), +conn-lsa_policy); + } TALLOC_FREE(conn-lsa_pipe); /* Ok, it must be dead. Drop timeout to 0.5 sec. */
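Review bot: In the winbindd_cm.c hunks for invalidate_cm_connection(), rpccli_samr_Close() and rpccli_lsa_Close() are issued before the existing "Ok, it must be dead. Drop timeout to 0.5 sec." step, so when the connection really is dead the close RPC runs with the full timeout still in effect. Consider lowering the timeout first, or skipping the close when the connection is already known to be broken. The return status of both calls is discarded and, in the visible lines, conn->sam_connect_handle and conn->lsa_policy are not cleared afterwards; a DEBUG on failure and zeroing each handle after the close would keep is_valid_policy_hnd() from accepting a stale handle on a later call.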
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via a679319... s3:pdb_ldap: change LDAP password before samba password hashes from 44d8c8d... s3-winbind: Handle aliases in rpc_lookup_groupmem(). http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit a679319192a50f8115c830ceabe33010d584e3c9 Author: Björn Jacke b...@sernet.de Date: Tue Jul 6 18:39:26 2010 +0200 s3:pdb_ldap: change LDAP password before samba password hashes this way we can catch up with password change refuses from ldap password policy overlays and abort the password change early. Thanks to Andy Hanton andyhan...@gmail.com for the initial patch. --- Summary of changes: source3/passdb/pdb_ldap.c | 67 +++-- 1 files changed, 34 insertions(+), 33 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c index f4c8dbe..2e48023 100644 --- a/source3/passdb/pdb_ldap.c +++ b/source3/passdb/pdb_ldap.c @@ -1737,39 +1737,6 @@ static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods, return NT_STATUS_INVALID_PARAMETER; } - if (!mods) { - DEBUG(5,(ldapsam_modify_entry: mods is empty: nothing to modify\n)); - /* may be password change below however */ - } else { - switch(ldap_op) { - case LDAP_MOD_ADD: - if (ldap_state-is_nds_ldap) { - smbldap_set_mod(mods, LDAP_MOD_ADD, - objectclass, - inetOrgPerson); - } else { - smbldap_set_mod(mods, LDAP_MOD_ADD, - objectclass, - LDAP_OBJ_ACCOUNT); - } - rc = smbldap_add(ldap_state-smbldap_state, -dn, mods); - break; - case LDAP_MOD_REPLACE: - rc = smbldap_modify(ldap_state-smbldap_state, - dn ,mods); - break; - default: - DEBUG(0,(ldapsam_modify_entry: Wrong LDAP operation type: %d!\n, -ldap_op)); - return NT_STATUS_INVALID_PARAMETER; - } - - if (rc!=LDAP_SUCCESS) { - return NT_STATUS_UNSUCCESSFUL; - } - } - if (!(pdb_get_acct_ctrl(newpwd)(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) (lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_OFF) need_update(newpwd, PDB_PLAINTEXT_PW) 
@@ -1895,6 +1862,40 @@ static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods, } ber_bvfree(bv); } + + if (!mods) { + DEBUG(5,(ldapsam_modify_entry: mods is empty: nothing to modify\n)); + /* may be password change below however */ + } else { + switch(ldap_op) { + case LDAP_MOD_ADD: + if (ldap_state-is_nds_ldap) { + smbldap_set_mod(mods, LDAP_MOD_ADD, + objectclass, + inetOrgPerson); + } else { + smbldap_set_mod(mods, LDAP_MOD_ADD, + objectclass, + LDAP_OBJ_ACCOUNT); + } + rc = smbldap_add(ldap_state-smbldap_state, +dn, mods); + break; + case LDAP_MOD_REPLACE: + rc = smbldap_modify(ldap_state-smbldap_state, + dn ,mods); + break; + default: + DEBUG(0,(ldapsam_modify_entry: Wrong LDAP operation type: %d!\n, +ldap_op)); + return NT_STATUS_INVALID_PARAMETER; + } + + if (rc!=LDAP_SUCCESS) { + return NT_STATUS_UNSUCCESSFUL; + } + } + return NT_STATUS_OK;
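Review bot: With the add/modify block moved to the end of ldapsam_modify_entry(), the LDAP_MOD_ADD case now reaches smbldap_add() only after the password-sync block guarded by lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_OFF has run, so for a new account the password change is attempted against a dn that has not been created yet. Either keep the add ahead of the password change and reorder only LDAP_MOD_REPLACE, or confirm that the add path never enters this function with PDB_PLAINTEXT_PW pending. Two smaller points: if the password change succeeds and the later smbldap_modify() fails, the function returns NT_STATUS_UNSUCCESSFUL with the LDAP password already changed and the Samba hashes not, which deserves at least a DEBUG message; and the moved comment "may be password change below however" is now stale, because the password change sits above it.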
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 293d3eb... s3-selftest: add make testenv target to Makefile. from a679319... s3:pdb_ldap: change LDAP password before samba password hashes http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 293d3eb545b04438a13313b06927469f928d6479 Author: Günther Deschner g...@samba.org Date: Tue Jul 6 19:53:37 2010 +0200 s3-selftest: add make testenv target to Makefile. Guenther --- Summary of changes: source3/Makefile.in |6 ++ 1 files changed, 6 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/Makefile.in b/source3/Makefile.in index 69f3425..4cfcbbe 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -3258,6 +3258,12 @@ selftest:: all torture timelimit selftest-%: $(MAKE) selftest TESTS=$* +SELFTEST_TESTENV = dc + +testenv: + $(MAKE) selftest SELFTEST_TESTENV=$(SELFTEST_TESTENV) TESTS=--testenv + + # Check for Winbind struct 32/64bit padding test_wbpad: @echo Testing winbind request/response structure for 32/64bit padding -- Samba Shared Repository
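Review bot: The testenv target added after selftest-% is undocumented: nothing in the hunk says what it starts or how to pick an environment other than the default SELFTEST_TESTENV = dc. Add a short comment above it noting that make testenv SELFTEST_TESTENV=<name> selects a different environment. If testenv is not already listed under .PHONY elsewhere in Makefile.in, it should be, so that a file or directory named testenv in source3/ does not suppress the rule.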
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via 502bddf... s4:new_partition LDB module - fix an uninitalised variable warning
via b03040c... s4:SAMR rpc server - SetUserInfo - fix the implementation of the expire flag
via 7f15ca4... s4:SAMR rpc server - QueryUserInfo - send back the password expired flag on level 21
via 9c81357... s4:dsdb - samdb_result_force_password_change - also when pwdLastSet is -1 we shouldn't force a password change
from 293d3eb... s3-selftest: add make testenv target to Makefile.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit 502bddf7676b8061a877e7c83b647a64963c3efe
Author: Matthias Dieter Wallnöfer m...@samba.org
Date: Tue Jul 6 17:51:00 2010 +0200
s4:new_partition LDB module - fix an uninitalised variable warning
[ 651/1946] Compiling dsdb/samdb/ldb_modules/new_partition.c
../dsdb/samdb/ldb_modules/new_partition.c: In function 'new_partition_add':
../dsdb/samdb/ldb_modules/new_partition.c:195: warning: 'down_req' may be used uninitialized in this function
The down_req variable isn't used anymore.

commit b03040c5a903e24a8216b9245f2925eb2205cd67
Author: Matthias Dieter Wallnöfer m...@samba.org
Date: Mon Jul 5 17:42:40 2010 +0200
s4:SAMR rpc server - SetUserInfo - fix the implementation of the expire flag
It has to consider the password_expires flag to know if the pwdLastSet has to be updated or to be reset.

commit 7f15ca4427ae07520a457fa8f19991f6e350205b
Author: Matthias Dieter Wallnöfer m...@samba.org
Date: Mon Jul 5 15:54:21 2010 +0200
s4:SAMR rpc server - QueryUserInfo - send back the password expired flag on level 21
Taken from the s3 server code

commit 9c8135785ad7b2bee4a0d37470dc37fed04a6516
Author: Matthias Dieter Wallnöfer m...@samba.org
Date: Mon Jul 5 16:55:50 2010 +0200
s4:dsdb - samdb_result_force_password_change - also when pwdLastSet is -1 we shouldn't force a password change
This value is set by the ADUC console.
--- Summary of changes: source4/dsdb/common/util.c | 12 ++-- source4/dsdb/samdb/ldb_modules/new_partition.c |3 +- source4/rpc_server/samr/dcesrv_samr.c | 32 +--- 3 files changed, 38 insertions(+), 9 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index 80736b1..d248038 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -520,8 +520,10 @@ NTTIME samdb_result_force_password_change(struct ldb_context *sam_ldb, struct ldb_dn *domain_dn, struct ldb_message *msg) { - uint64_t attr_time = samdb_result_uint64(msg, pwdLastSet, 0); - uint32_t userAccountControl = samdb_result_uint64(msg, userAccountControl, 0); + int64_t attr_time = samdb_result_int64(msg, pwdLastSet, 0); + uint32_t userAccountControl = ldb_msg_find_attr_as_uint(msg, + userAccountControl, + 0); int64_t maxPwdAge; /* Machine accounts don't expire, and there is a flag for 'no expiry' */ @@ -533,8 +535,12 @@ NTTIME samdb_result_force_password_change(struct ldb_context *sam_ldb, if (attr_time == 0) { return 0; } + if (attr_time == -1) { + return 0x7FFFULL; + } - maxPwdAge = samdb_search_int64(sam_ldb, mem_ctx, 0, domain_dn, maxPwdAge, NULL); + maxPwdAge = samdb_search_int64(sam_ldb, mem_ctx, 0, domain_dn, + maxPwdAge, NULL); if (maxPwdAge == 0) { return 0x7FFFULL; } else { diff --git a/source4/dsdb/samdb/ldb_modules/new_partition.c b/source4/dsdb/samdb/ldb_modules/new_partition.c index 63c9200..a6102d6 100644 --- a/source4/dsdb/samdb/ldb_modules/new_partition.c +++ b/source4/dsdb/samdb/ldb_modules/new_partition.c @@ -135,7 +135,6 @@ static int np_part_search_callback(struct ldb_request *req, struct ldb_reply *ar static int new_partition_add(struct ldb_module *module, struct ldb_request *req) { struct ldb_context *ldb; - struct ldb_request *down_req; struct np_context *ac; int ret; 
@@ -192,7 +191,7 @@ static int new_partition_add(struct ldb_module *module, struct ldb_request *req) } /* go on with the call chain */ - return ldb_next_request(module, down_req); + return ldb_next_request(module, req); } _PUBLIC_ const struct ldb_module_ops ldb_new_partition_module_ops = { diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c index
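Review bot: In the util.c hunk of samdb_result_force_password_change(), the new attr_time == -1 branch is a magic value with no explanation in the code; the reason (the ADUC console writes pwdLastSet as -1) appears only in the commit message. Add a comment on the branch saying so, since the same hunk also changes attr_time to int64_t and a reader will otherwise wonder which case the signed type is for. In new_partition.c, the old return ldb_next_request(module, down_req) passed a pointer that was declared but never assigned in the visible function, so this is a behaviour fix as well as a warning fix, and the commit message could say that.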
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 85504ae... s4:libcli: Modify S4 client library to check for proper CN alignment via 00056e7... s3:smbd: Align change notify replies on 4-byte boundary from 502bddf... s4:new_partition LDB module - fix an uninitalised variable warning http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 85504ae6ff72204894ea7a856f0f36b44ad77fe2 Author: Steven Danneman steven.danne...@isilon.com Date: Mon Jun 28 16:06:33 2010 -0700 s4:libcli: Modify S4 client library to check for proper CN alignment MS-CIFS 2.2.7.4.2 states that FILE_NOTIFY_INFORMATION structures in change notify replies must be aligned to 4-byte boundaries. This updates s4 client to check for this restriction and also adds a torture test which should tickle a server into giving unaligned structures if it doesn't follow the spec. commit 00056e73c1cb54f5d6c10e63b70afc2c84e5883e Author: Chere Zhou chere.z...@isilon.com Date: Mon Jul 5 17:18:35 2010 -0700 s3:smbd: Align change notify replies on 4-byte boundary MS-CIFS section 2.2.7.4.2 states this is mandatory. WinXP clients don't seem to care, but a Win7 client will send an immediate Close() to the directory handle when receiving an incorrectly aligned change notify response. --- Summary of changes: source3/smbd/notify.c | 10 source4/libcli/raw/rawnotify.c |4 +- source4/torture/raw/notify.c | 100 +++- 3 files changed, 112 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/notify.c b/source3/smbd/notify.c index dc13aad..e473d99 100644 --- a/source3/smbd/notify.c +++ b/source3/smbd/notify.c @@ -77,6 +77,7 @@ static bool notify_marshall_changes(int num_changes, for (i=0; inum_changes; i++) { struct notify_change *c; size_t namelen; + intrem = 0; uint32 u32_tmp; /* Temp arg to prs_uint32 to avoid * signed/unsigned issues */ 
@@ -102,6 +103,11 @@ static bool notify_marshall_changes(int num_changes, */ u32_tmp = (i == num_changes-1) ? 0 : namelen + 12; + + /* Align on 4-byte boundary according to MS-CIFS 2.2.7.4.2 */ + if ((rem = u32_tmp % 4 ) != 0) + u32_tmp += 4 - rem; + if (!prs_uint32(offset, ps, 1, u32_tmp)) goto fail; u32_tmp = c-action; @@ -117,6 +123,10 @@ static bool notify_marshall_changes(int num_changes, */ prs_set_offset(ps, prs_offset(ps)-2); + if (rem != 0) { + if (!prs_align_custom(ps, 4)) goto fail; + } + TALLOC_FREE(uni_name.buffer); if (prs_offset(ps) max_offset) { diff --git a/source4/libcli/raw/rawnotify.c b/source4/libcli/raw/rawnotify.c index 2155076..40256aa 100644 --- a/source4/libcli/raw/rawnotify.c +++ b/source4/libcli/raw/rawnotify.c @@ -71,10 +71,12 @@ _PUBLIC_ NTSTATUS smb_raw_changenotify_recv(struct smbcli_request *req, parms-nttrans.out.changes = NULL; parms-nttrans.out.num_changes = 0; - + /* count them */ for (ofs=0; nt.out.params.length - ofs 12; ) { uint32_t next = IVAL(nt.out.params.data, ofs); + if (next % 4 != 0) + return NT_STATUS_INVALID_NETWORK_RESPONSE; parms-nttrans.out.num_changes++; if (next == 0 || ofs + next = nt.out.params.length) break; diff --git a/source4/torture/raw/notify.c b/source4/torture/raw/notify.c index 5bf7f4a..dd3aae3 100644 --- a/source4/torture/raw/notify.c +++ b/source4/torture/raw/notify.c @@ -50,6 +50,14 @@ goto done; \ }} while (0) +#define CHECK_WSTR2(tctx, field, value, flags) \ +do { \ + if (!field.s || strcmp(field.s, value) || \ + wire_bad_flags(field, flags, cli-transport)) { \ + torture_result(tctx, TORTURE_FAIL, \ + (%d) %s [%s] != %s\n, __LINE__, #field, field.s, value); \ + } \ +} while (0) /* basic testing of change notify on directories 
@@ -1594,7 +1602,96 @@ done: } -/* +/* + testing alignment of multiple change notify infos +*/ +static bool test_notify_alignment(struct smbcli_state *cli, +struct torture_context *tctx) +{ + NTSTATUS status; + union smb_notify notify; + union smb_open io; + int i, fnum, fnum2; + struct smbcli_request *req; + const char *fname = BASEDIR \\starter; + const char *fnames[] = { a, +ab, +abc, +abcd }; +
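Review bot: In the rawnotify.c hunk, smb_raw_changenotify_recv() now returns NT_STATUS_INVALID_NETWORK_RESPONSE for any entry whose next offset is not a multiple of 4, which makes the shared client library reject replies from servers that lack the matching notify.c fix, even though the commit message notes that WinXP clients tolerate such replies. If the strictness is only needed for the new torture test, consider doing the alignment check in the test, or logging and continuing in the library. In the notify.c hunk, rem is derived from u32_tmp, which is forced to 0 for the last change, so the final entry is never padded; a comment stating that this is intended would help the next reader.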