[Samba] Windows 7 access keeps locking-up but others are fine?
Hi,

I'm using Samba on Solaris 10 with Winbind SSO. When using Windows XP/2000/etc., it works fine. But when I use Windows 7 to access the same Samba server, a login window pops up and my account gets locked up and I have to unlock it each time.

Is it something to do with SMB2 or some smb.conf configuration? Any clues would be appreciated.

Thanks.
- Kevin

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] samba 3.5.6 offline logon?
Hi,

Is anybody successfully using offline logon with samba 3.5.6? I've set everything up as per the documentation but even if I manually set winbind offline using

  smbcontrol winbindd offline

I cannot log on if I disconnect the machine from the network.

To enable offline logon I added the following settings:

/etc/samba/smb.conf
  winbind offline logon = yes
  winbind reconnect delay = 5

/etc/security/pam_winbind.conf
  krb5_auth = yes
  krb5_ccache_type = FILE
  cached_login = yes

I'm using idmap backend ad with schema mode rfc2307 and also winbind nss info = rfc2307, perhaps that combination is not supported for offline logon?

Andy
Re: [Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???
On Wed, Oct 20, 2010 at 12:36 PM, Oliver Weinmann oliver.weinm...@vega.de wrote:
> Hi,
>
> Any news regarding this problem? I have tested samba 3.5.6 and the problem still persists. I had to downgrade to 3.3 on a few machines now.
>
> Regards,
> Oliver
>
> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Oliver Weinmann
> Sent: Thursday, 9 September 2010 13:13
> To: samba@lists.samba.org
> Subject: [Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???
>
> Dear All,
>
> I stepped over a strange issue today. I have one installation of samba winbind 3.3.2 on an Ubuntu machine. Changing the primary unix group of a user is updated immediately. On a newer samba 3.5.4 installation the primary group is not updated at all. It always displays domain users. Is there a new setting for the smb.conf?
>
> Here is my smb.conf:
>
> [global]
> netbios name = gedail1
> realm = SOMEDOMAIN.NET
> workgroup = SOMEDOMAIN
> security = ADS
> encrypt passwords = true
> password server = server1.somedomain.net server2.somedomain.net
> os level = 20
> idmap backend = ad
> idmap config SOMEDOMAIN : backend = ad
> idmap config SOMEDOMAIN : schema_mode = sfu
> idmap config SOMEDOMAIN : range = 0-
> winbind nss info = sfu
> winbind enum users = yes
> winbind enum groups = yes
> preferred master = no
> winbind nested groups = Yes
> winbind use default domain = Yes
> max log size = 50
> log level = 10
> log file = /var/log/samba/log.%m
> dns proxy = no
> wins server = 172.20.200.18 172.18.200.20
> allow trusted domains = no
> client use spnego = Yes
> use kerberos keytab = true
> winbind refresh tickets = yes
> idmap cache time = 1
> winbind cache time = 1
>
> It's a W2k3 AD Domain.
>
> Regards,
> Oliver

I've noticed the same with samba 3.5.6, our administrator user has primary group name/gid Domain Admins but the primary group on our linux systems is domain users.

I've noticed that searching AD for users with rfc2307/sfu attributes shows the correct gid:

net ads search '(|(uidNumber=*)(gidNumber=*))' objectCategory sAMAccountName uidNumber gidNumber -P

sAMAccountName: Domain Users
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=josims,DC=local
gidNumber: 1

sAMAccountName: test
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=josims,DC=local
uidNumber: 10009
gidNumber: 10010

The gid returned is correct, and if I change it and remove the cache file it updates, so it is definitely being read from AD, but all users have gid domain users:

wbinfo -i test
test:*:10009:1:test:/home/test:/bin/bash

Andy
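The mismatch Andy shows by hand (AD says gidNumber 10010, `wbinfo -i` says 1) can be checked mechanically across every account. The script below is an added example, not code from the thread or from Samba: it parses the LDIF-style output of `net ads search` and the passwd-style lines of `wbinfo -i`, then reports each user whose winbind primary gid differs from the gidNumber stored in AD and names the group winbind substituted. Both inputs are constructed: the `net ads search` listing mirrors what Andy posted, and the `wbinfo` lines are Andy's `test` user plus a hypothetical `alice` (not in the thread) who has no AD entry, so the script only reports users it can actually compare. Since Oliver notes that files created under the wrong primary group end up read/write for every member of Domain Users, this is a check worth running on a member server before relying on group-based permissions.

```python
"""Compare the primary gid winbind hands to NSS with the gidNumber stored in AD.

Added diagnostic example (not from the thread or from Samba). Both inputs are
constructed here so the script runs offline: NET_ADS_SEARCH_OUTPUT mirrors the
`net ads search` listing posted in the thread, WBINFO_OUTPUT mirrors the
`wbinfo -i test` line plus one hypothetical user that AD does not list.
"""

# Constructed sample of:
#   net ads search '(|(uidNumber=*)(gidNumber=*))' objectCategory sAMAccountName uidNumber gidNumber -P
NET_ADS_SEARCH_OUTPUT = """\
Got 2 replies

sAMAccountName: Domain Users
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=josims,DC=local
gidNumber: 1

sAMAccountName: test
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=josims,DC=local
uidNumber: 10009
gidNumber: 10010
"""

# Constructed sample of `wbinfo -i <user>` for each user of interest.
# 'alice' is hypothetical and has no AD entry above, so she must be skipped.
WBINFO_OUTPUT = """\
test:*:10009:1:test:/home/test:/bin/bash
alice:*:10011:10010:alice:/home/alice:/bin/bash
"""


def parse_net_ads_search(text):
    """Split LDIF-style `net ads search` output into one dict per entry.

    Entries are separated by blank lines; the leading "Got N replies" line
    and any other line without a colon are ignored.
    """
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def split_ad_entries(entries):
    """Return (users, groups): users maps sAMAccountName -> (uid, gid) for
    person objects carrying RFC2307/SFU attributes; groups maps gidNumber -> name."""
    users, groups = {}, {}
    for e in entries:
        category = e.get("objectCategory", "")
        if category.startswith("CN=Person") and "uidNumber" in e and "gidNumber" in e:
            users[e["sAMAccountName"]] = (int(e["uidNumber"]), int(e["gidNumber"]))
        elif category.startswith("CN=Group") and "gidNumber" in e:
            groups[int(e["gidNumber"])] = e["sAMAccountName"]
    return users, groups


def parse_wbinfo(text):
    """Parse passwd-style `wbinfo -i` lines into name -> (uid, gid)."""
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("unexpected wbinfo -i line: %r" % line)
        result[fields[0]] = (int(fields[2]), int(fields[3]))
    return result


def find_gid_mismatches(net_ads_text, wbinfo_text):
    """Return [(user, ad_gid, winbind_gid, winbind_group_name)] for every user
    present in both listings whose winbind primary gid differs from AD."""
    users, groups = split_ad_entries(parse_net_ads_search(net_ads_text))
    mismatches = []
    for name, (_uid, wb_gid) in sorted(parse_wbinfo(wbinfo_text).items()):
        if name not in users:
            continue  # nothing in AD to compare against
        _ad_uid, ad_gid = users[name]
        if wb_gid != ad_gid:
            mismatches.append((name, ad_gid, wb_gid, groups.get(wb_gid, "?")))
    return mismatches


if __name__ == "__main__":
    for name, ad_gid, wb_gid, wb_group in find_gid_mismatches(NET_ADS_SEARCH_OUTPUT, WBINFO_OUTPUT):
        print("%s: AD gidNumber=%d, winbind gives gid %d (%s)" % (name, ad_gid, wb_gid, wb_group))
```

On a real server you would feed the script the live output of the two commands instead of the embedded samples; the parsing is the same.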
Re: [Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???
Good to know that I'm not the only one facing this serious problem. I would really like to know why this is not the case under samba 3.3. Currently I have stopped upgrading from 3.3 to 3.5.x because this problem is generating a lot of trouble for us when users of different projects create files and they are read/write for all members of domain users. The only way around this is to use the SGID on the folder to inherit the project group.

-----Original Message-----
From: Andrew Lyon [mailto:andrew.l...@gmail.com]
Sent: Friday, 22 October 2010 11:50
To: Oliver Weinmann
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???
[Samba] Joining domain works - logging in doesn't
I'm building a replacement samba 3.5.6 domain controller to replace an old 3.0 one. Some other things are changing too. Our user accounts are now in LDAP rather than flat files (although the machine trust accounts will remain in a flat file), but that should be hidden from samba as it's going to be done through NSS. The smbpasswd file is a TDB file and will remain so. Our users don't authenticate with any native services on the server other than samba and PAM hasn't been configured to use LDAP. Samba was built with --without-pam as it authenticates using its own smbpasswd file and nothing else will need to authenticate that way. Our intention is to move over to an entirely LDAP based system, but we're doing that a stage at a time.

So far, so good. Samba duly starts and I can join an XP PC to the domain without an issue. But when I try to log into the domain using my username I get:

  The system cannot log you on now because the domain KIS2 is not available

nmblookup happily returns

  querying KIS2 on 160.5.10.3
  160.5.10.3 KIS2<1c>

so it looks like it's registered as a domain controller happily and besides, PCs can join the domain.

I can mount shares from the server using my username and I can see the IPC$ share anonymously. I can log into the PC using a local account and mount shares using my username.

  Anonymous login successful
  Domain=[KIS2] OS=[Unix] Server=[Samba 3.5.6]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Keele I.T. Services)
  Anonymous login successful
  Domain=[KIS2] OS=[Unix] Server=[Samba 3.5.6]

        Server               Comment
        ---------            -------
        OATCAKE              Keele I.T. Services

        Workgroup            Master
        ---------            -------
        KIS2                 OATCAKE

Oatcake is the samba server and nmblookup shows it with the right IP address.

Testparm shows the critical options as:

  map untrusted to domain = Yes
  domain logons = Yes
  domain master = Yes

So I can't see an obvious problem there. So clearly I've made some sort of obvious error somewhere that escapes me. At the risk of appearing foolish amongst my peers I am posting in the hope that you can point me in the direction I need to investigate.

I'll include the end of the log.smbd running at debug level 5 which shows the logon process access the IPC$ share and then the connection being dropped.

[2010/10/22 12:01:55.413644, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/10/22 12:01:55.413761, 3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/10/22 12:01:55.413789, 3] smbd/uid.c:429(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/10/22 12:01:55.413810, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/10/22 12:01:55.413832, 5] auth/token_util.c:525(debug_nt_user_token)
  NT user token: (NULL)
[2010/10/22 12:01:55.413853, 5] auth/token_util.c:551(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2010/10/22 12:01:55.413896, 5] passdb/pdb_interface.c:1473(lookup_global_sam_rid)
  lookup_global_sam_rid: looking up RID 513.
[2010/10/22 12:01:55.413959, 3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2010/10/22 12:01:55.413985, 3] smbd/uid.c:429(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2010/10/22 12:01:55.414007, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2010/10/22 12:01:55.414029, 5] auth/token_util.c:525(debug_nt_user_token)
  NT user token: (NULL)
[2010/10/22 12:01:55.414050, 5] auth/token_util.c:551(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2010/10/22 12:01:55.414460, 5] passdb/pdb_tdb.c:609(tdbsam_getsampwrid)
  pdb_getsampwrid (TDB): error looking up RID 513 by key RID_0201.
[2010/10/22 12:01:55.414652, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/10/22 12:01:55.414690, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/10/22 12:01:55.414718, 3] auth/auth.c:265(check_ntlm_password)
  check_ntlm_password: guest authentication for user [] succeeded
[2010/10/22 12:01:55.414742, 5] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password: guest authentication for user [] -> [] -> [nobody] succeeded
[2010/10/22 12:01:55.414765, 5] auth/auth_util.c:2119(free_user_info)
  attempting to free (and zero) a user_info structure
[2010/10/22 12:01:55.414819, 3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/10/22 12:01:55.414846, 3] smbd/uid.c:429(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/10/22 12:01:55.414868, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) -
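Read by hand, the two entries in that excerpt that matter are the passdb lookup of RID 513 (the well-known RID of Domain Users) failing against the tdbsam, and check_ntlm_password then reporting a successful guest authentication for an empty user name mapped to the unix user nobody. The script below is an added example, not from the thread or from Samba: it parses smbd's two-line debug format (the `[timestamp, level] file:line(function)` header followed by the indented message, with continuation lines joined) and extracts exactly those two kinds of event, so the same check can run over a whole log.smbd rather than a screenful. The sample is a constructed excerpt made of lines copied from Jonathan's post; the `->` arrows in the check_ntlm_password line are as smbd prints them. The script surfaces the evidence; it does not claim to explain why the logon fails.

```python
"""Extract failed passdb RID lookups and guest-authenticated sessions from an
smbd debug log.

Added example (not from the thread or from Samba). SAMPLE_LOG below is a
constructed excerpt made of lines copied from the thread's log.smbd output.
"""
import re

SAMPLE_LOG = """\
[2010/10/22 12:01:55.413896, 5] passdb/pdb_interface.c:1473(lookup_global_sam_rid)
  lookup_global_sam_rid: looking up RID 513.
[2010/10/22 12:01:55.413959, 3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2010/10/22 12:01:55.414050, 5] auth/token_util.c:551(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2010/10/22 12:01:55.414460, 5] passdb/pdb_tdb.c:609(tdbsam_getsampwrid)
  pdb_getsampwrid (TDB): error looking up RID 513 by key RID_0201.
[2010/10/22 12:01:55.414718, 3] auth/auth.c:265(check_ntlm_password)
  check_ntlm_password: guest authentication for user [] succeeded
[2010/10/22 12:01:55.414742, 5] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password: guest authentication for user [] -> [] -> [nobody] succeeded
"""

# Header line, e.g. "[2010/10/22 12:01:55.414460, 5] passdb/pdb_tdb.c:609(tdbsam_getsampwrid)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+)\((?P<func>\w+)\)\s*$")
RID_FAIL = re.compile(r"error looking up RID (?P<rid>\d+) by key RID_(?P<key>[0-9A-Fa-f]+)")
GUEST_OK = re.compile(
    r"guest authentication for user \[(?P<user>[^\]]*)\] -> \[(?P<domain>[^\]]*)\]"
    r" -> \[(?P<unix>[^\]]*)\] succeeded")

# Well-known domain RIDs; these values are fixed in Windows domains.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 514: "Domain Guests"}


def parse_smbd_log(text):
    """Group each header line with the indented message line(s) that follow it.

    Returns a list of dicts with keys ts, level (int), src, func, msg.
    Continuation lines of one message are joined with a single space.
    """
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            rec = m.groupdict()
            rec["level"] = int(rec["level"])
            rec["msg"] = ""
            records.append(rec)
        elif records and line.startswith("  "):
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records


def failed_rid_lookups(records):
    """Passdb lookups that failed, with the hex TDB key decoded back to a RID
    so a disagreement between the two would be visible as well."""
    found = []
    for rec in records:
        m = RID_FAIL.search(rec["msg"])
        if m:
            rid = int(m.group("rid"))
            found.append({"ts": rec["ts"], "rid": rid,
                          "key_matches": int(m.group("key"), 16) == rid,
                          "name": WELL_KNOWN_RIDS.get(rid)})
    return found


def guest_logons(records):
    """Sessions that check_ntlm_password mapped to the guest account."""
    found = []
    for rec in records:
        m = GUEST_OK.search(rec["msg"])
        if m:
            found.append({"ts": rec["ts"], "requested": m.group("user"),
                          "unix_user": m.group("unix")})
    return found


if __name__ == "__main__":
    recs = parse_smbd_log(SAMPLE_LOG)
    for f in failed_rid_lookups(recs):
        print("%s passdb has no entry for RID %d (%s)" % (f["ts"], f["rid"], f["name"]))
    for g in guest_logons(recs):
        print("%s user %r authenticated as guest -> %s" % (g["ts"], g["requested"], g["unix_user"]))
```

Only the level-5 check_ntlm_password line carries the full user mapping, so guest_logons keys on that one rather than counting the level-3 summary line as a second event.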
Re: [Samba] ldap user suffix
Thanks Luk

I have to store users in different OU, because there are two separate Units running inside one organization. They have nothing to do with each other and their parent organization is the same and there is only one Server to manage both.

Thanks

On 10/20/10, Lukasz Zalewski lu...@eecs.qmul.ac.uk wrote:
> On 10/20/2010 08:16 AM, vishesh kumar wrote:
>> Thanks oliver for your reply, But No this is not possible in my case
>>
>> Thanks
>
> Why do you want to store users in two separate OU's? What is the rule that defines which OU should be used? You could look into openldap overlays, which might allow you to do dynamic re-write of dn's (amongst other things). Some distros ship openldap without overlays enabled so you need to check (this approach sounds like an overkill though, and might be more trouble than it's worth). I'm assuming you are using openldap.
>
> Regards
> Luk
>
>> On 10/20/10, Olivier FONTES oliv...@famille-fontes.net wrote:
>>> On Wed, 20 Oct 2010 11:19:12 +0530, vishesh kumar linuxtovish...@gmail.com wrote:
>>>> Dear friends
>>>>
>>>> My domain users are in two different OU, one OU is TEMP_USERS and the other OU is PEOPLE. What should I mention in smb.conf? If I mention ldap user suffix = ou=PEOPLE, then users of ou TEMP_USERS are not able to authenticate. Please guide me.
>>>>
>>>> Thanks
>>>> --
>>>> http://linuxinterviews.blogspot.com
>>>
>>> Hi, is it possible to put the two OU into a specific OU that you could mention in your smb.conf? I had a similar problem, I solved it this way.
>>>
>>> Olivier
>>> ---
>>> The famille-fontes.net domain is self-hosted at my home. Contact me if you would like to do the same.
>>
>> --
>> http://linuxinterviews.blogspot.com
Re: [Samba] Winbind user authentication (-a) fails, but kerberos authentication succeeds
On 10/21/2010 09:36 PM, Gaiseric Vandal wrote:
> What kind of domain - samba PDC or Windows Active Directory? Maybe the samba version is just too old.
>
> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Steven Moyse
> Sent: Thursday, October 21, 2010 8:52 PM
> To: samba@lists.samba.org
> Subject: [Samba] Winbind user authentication (-a) fails, but kerberos authentication succeeds
>
> I am having trouble setting up winbind authentication. I have successfully joined the domain
>
>   winbind -t                                 OK
>   winbind -u                                 OK
>   winbind -g                                 OK
>   winbind -K 'DOMAIN\user%password'          OK
>   winbind -a 'DOMAIN\user%password'          FAIL
>
> For winbind -a:
>   Plaintext authentication is attempted, and fails with NT_STATUS_ACCESS_DENIED
>   challenge/response authentication is attempted, and fails with NT_STATUS_ACCESS_DENIED
>
> Am using SAMBA 3.0.33 on Redhat 5.4 patched to latest. I have previously configured many SAMBA servers

If you are joined to a Windows domain, you can update your RHEL to 5.5 and take advantage of Red Hat's Samba3x package. I wrote up a quickie migration doc to get there:

https://wiki.uits.iu.edu/confluence-prd/pages/viewpage.action?pageId=116097702

It may be a good idea to migrate to it anyway to take advantage of newer features.

--
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
Re: [Samba] ldap user suffix
If the two organizations have nothing to do with each other, does that mean they don't need access to the same files?

Will the following solution work for you:
- configure a 2nd IP on the server
- run two instances of samba: each samba instance has its own smb.conf file, with unique ip, server name, ldap settings, local configuration directories etc.

The two samba instances don't even have to be in the same domain or workgroup. I would however make one the WINS server for the whole organization.

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of vishesh kumar
Sent: Friday, October 22, 2010 8:18 AM
To: Lukasz Zalewski
Cc: samba@lists.samba.org
Subject: Re: [Samba] ldap user suffix
[Samba] Guest ? logon problems
Hi,

I have just upgraded to Samba 3.4.7 on Ubuntu 10.04 running as a PDC.

We have a shortcut on the desktop which pointed to the server ( \\server ). Previously when we clicked this it asked for logon credentials immediately. Since the upgrade it shows a list of shares ( printers, netlogon etc ) and doesn't ask for credentials until you try to access a share. This means the first time you click the server shortcut you won't see your home drive listed. You need to click one of the shares, log on, then close the window and click on the shortcut again before you see your home drive.

I have gone through the smb.conf and turned off guest access on all the shares and anywhere else I could find it ( printer section etc ).

How do I revert to the previous behaviour?

Many thanks
--
Simon Kelsall
Network Administrator
St James the Great R.C Primary & Nursery School
http://www.stjamesthegreat.org/
Re: [Samba] ldap user suffix
> I have to store users in different OU, because there are two separate Units running inside one organization. They have nothing to do with each other and their parent organization is the same and there is only one Server to manage both.

I don't quite understand what your problem is here. You can put an ou inside another ou and then search the user base dn with a scope of sub. Let's say:

  ou=Users
  ou=Users,ou=Organization1
  ou=Users,ou=Organization2

Then, in /etc/ldap.conf, you would specify:

  nss_base_passwd ou=Users,dc=domain,dc=com?sub

instead of

  nss_base_passwd ou=Users,dc=domain,dc=com?one

Did I understand your question wrongly?
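The `?one` versus `?sub` distinction in the reply above is the whole of the original problem: with a base of ou=PEOPLE, accounts under the sibling ou=TEMP_USERS are outside the search whatever the scope, while a common parent searched with scope sub reaches both. The script below is an added example, not from the thread and not part of Samba or nss_ldap: it implements LDAP base/one/sub scope matching over a handful of constructed DNs (the OU names PEOPLE, TEMP_USERS, Users, Organization1 and Organization2 come from the thread; the user names and the placement of the two organizations directly under ou=Users are assumptions made for the demonstration), so you can see which accounts a given base/scope pair would find before changing ldap.conf or smb.conf.

```python
"""Which user DNs does an LDAP search with a given base and scope reach?

Added example (not from the thread, Samba or nss_ldap). SAMPLE_USERS is
constructed: the OU names are taken from the thread, the user names and the
placement of the two organizations under ou=Users are assumptions.
"""

SAMPLE_USERS = [
    "uid=alice,ou=PEOPLE,dc=domain,dc=com",
    "uid=bob,ou=TEMP_USERS,dc=domain,dc=com",
    "uid=carol,ou=Organization1,ou=Users,dc=domain,dc=com",
    "uid=dave,ou=Organization2,ou=Users,dc=domain,dc=com",
    "uid=erin,ou=Users,dc=domain,dc=com",
]


def parse_dn(dn):
    """Split a DN into normalised RDN strings, leftmost (most specific) first.

    A backslash-escaped comma stays inside its RDN; attribute types and
    values are lower-cased and trimmed so that case and spacing differences
    between a configured base and a stored DN do not matter.
    """
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip().lower())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip().lower())
    return rdns


def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn would be returned by a search rooted at base_dn.

    base: the base entry itself; one: direct children only; sub: the base
    and everything beneath it.
    """
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False  # not under the base at all
    depth = len(entry) - len(base)
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError("unknown scope %r" % scope)


def rdn_value(dn, attr="uid"):
    """Value of the first RDN whose type is attr, e.g. the login name."""
    for rdn in parse_dn(dn):
        key, _, value = rdn.partition("=")
        if key == attr.lower():
            return value
    return None


def matching_users(user_dns, base_dn, scope):
    """Sorted login names of the entries a search at base_dn/scope reaches."""
    return sorted(rdn_value(dn) for dn in user_dns if in_scope(dn, base_dn, scope))


if __name__ == "__main__":
    for base, scope in [("ou=PEOPLE,dc=domain,dc=com", "sub"),
                        ("ou=Users,dc=domain,dc=com", "one"),
                        ("ou=Users,dc=domain,dc=com", "sub"),
                        ("dc=domain,dc=com", "sub")]:
        print("%-30s ?%-4s -> %s" % (base, scope, matching_users(SAMPLE_USERS, base, scope)))
```

With these DNs, ou=PEOPLE finds only alice under either scope, ou=Users with `?one` finds only erin, ou=Users with `?sub` adds carol and dave, and the domain root with `?sub` finds everyone; which of those you want is the access-control decision, since a wider base also lets accounts in OUs you did not intend to expose authenticate.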
[Samba] Can print when logged in as domain user
This is on an XP Pro workstation.

Now I am trying to print. I can print from a local user. I added domain\user to the permissions for the printer. I try a test print from the printer properties and get an error.

Then I think, well I can print to the printer from the Samba PDC directly, and I have a print share, so let's attach it. So I go to the run dialog and enter \\server. I get a windows browser window of all of my shares including the printer share. So I right click on it and check connect and I get the error:

  A policy is in effect on your computer which prevents you from connecting to this print queue. Please contact your system administrator

(which of course is me :( ).

So what policy might this be that is blocking printing and how can I fix this for printing either way...
Re: [Samba] Can print when logged in as domain user
On 22/10/2010 18:13, Robert Moskowitz wrote:
> So what policy might this be that is blocking printing and how can I fix this for printing either way...

Check Point and Print Restrictions
http://technet.microsoft.com/en-us/library/cc781985%28WS.10%29.aspx

HTH
Luk
Re: [Samba] Guest shares in an ADS security model
Ok. In my mind, guest access should be just that - no authentication.

On Thu, Oct 21, 2010 at 3:51 PM, Michael Wood esiot...@gmail.com wrote:
> On 21 October 2010 20:54, Madhusudan Singh singh.madhusu...@gmail.com wrote:
>> Hello,
>>
>> I have no control over the active directory. I just authenticate a subset of its members to give them access to the fileserver. Does this mean that there is no true guest access when using ADS?
>
> I do not know enough about AD to answer your question.
>
> --
> Michael Wood esiot...@gmail.com
Re: [Samba] Joining domain works - logging in doesn't
Jonathan,

A guess -- I had the same error message and similar log entries because I had set

  server signing = auto

The 3.5.x PDC would work only with the default No.

Dale

On 10/22/2010 6:06 AM, Jonathan Knight wrote:
> I'm building a replacement samba 3.5.6 domain controller to replace an old 3.0 one.
Re: [Samba] Can print when logged in as domain user
On 10/22/2010 01:33 PM, Lukasz Zalewski wrote:
> Check Point and Print Restrictions
> http://technet.microsoft.com/en-us/library/cc781985%28WS.10%29.aspx

I have and can't figure out what to do with this :(
Re: [Samba] Guest shares in an ADS security model
On 22 October 2010 19:36, Madhusudan Singh singh.madhusu...@gmail.com wrote:
> Ok. In my mind, guest access should be just that - no authentication.

Well, I believe that it is. But that you need to enable the Guest account in AD for it to be allowed. I might be wrong, of course, but I think that's how it works.

What you want to do is bypass AD for one print share. Maybe that's possible, but I don't know.

--
Michael Wood esiot...@gmail.com
Re: [Samba] Can print when logged in as domain user
On 10/22/2010 02:02 PM, Robert Moskowitz wrote:
> On 10/22/2010 01:33 PM, Lukasz Zalewski wrote:
>> Check Point and Print Restrictions
>> http://technet.microsoft.com/en-us/library/cc781985%28WS.10%29.aspx
>
> I have and can't figure out what to do with this :(

I got group editor running, but in Computer Configuration > Administrative Templates there is no Printer option at all. Nor can I figure out how to add it. It is not in the list of allowable templates to add.
Re: [Samba] Guest shares in an ADS security model
On 10/22/2010 2:12 PM, Michael Wood wrote:
> On 22 October 2010 19:36, Madhusudan Singh singh.madhusu...@gmail.com wrote:
>> Ok. In my mind, guest access should be just that - no authentication.
>
> Well, I believe that it is. But that you need to enable the Guest account in AD for it to be allowed.

AFAIK, the Guest account is disabled by default in AD (at least, the later versions, 2003 onwards, possibly earlier).

-- 
Michael J. Leone, mailto:tur...@mike-leone.com
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: http://www.flickr.com/photos/mikeleonephotos
"You have become an avatar of woe and ire, and all of your deeds will conduce to evil" - Fatal Revenant, Stephen R. Donaldson
Re: [Samba] Can print when logged in as domain user
On 10/22/2010 02:12 PM, Robert Moskowitz wrote:
> On 10/22/2010 02:02 PM, Robert Moskowitz wrote:
>> On 10/22/2010 01:33 PM, Lukasz Zalewski wrote:
>>> On 22/10/2010 18:13, Robert Moskowitz wrote:
>>>> This is on an XP Pro workstation. Now I am trying to print. I can print from a local user. I added domain\user to the permissions for the printer. I try a test print from the printer properties and get an error.
>>>>
>>>> Then I think, well I can print to the printer from the Samba PDC directly, and I have a print share, so let's attach it. So I go to the run dialog and enter \\server. I get a windows browser window of all of my shares including the printer share. So I right click on it and check connect and I get the error:
>>>>
>>>> A policy is in effect on your computer which prevents you from connecting to this print queue. Please contact your system administrator (which of course is me :( ).
>>>>
>>>> So what policy might this be that is blocking printing and how can I fix this for printing either way...
>>>
>>> Check Point and Print Restrictions http://technet.microsoft.com/en-us/library/cc781985%28WS.10%29.aspx
>>
>> I have and can't figure out what to do with this :(
>
> I got group editor running, but in Computer Configuration Administrative Templates there is no Printer option at all. Nor can I figure out how to add it. It is not in the list of allowable templates to add.

This is an OEM installed XP from a reseller. I would NOT be surprised that there are some serious limitations on the XP installed. Am I going to have to reinstall? (and first remove the workstation from the domain)?
Re: [Samba] Our success story with samba4
Hi Lukasz

On 19 October 2010 11:12, Lukasz Zalewski lu...@eecs.qmul.ac.uk wrote:
> Hi all,
>
> This message is a testament to the great work the samba team has done, but it's also an encouragement to those of you that are still not sure if samba4 will work in your environment. This semester we have moved from samba 3.0.X DC to samba4 DC for students, and things are working great. The move was predominantly driven by switching from Windows XP to Windows 7 desktop platform (but also by a need for proper group policy).
>
> Our setup is quite simple and includes:
>
> One samba4 DC (running on centos 5.5 x64) with nsd dns backend
> [...]

Do you have dynamic DNS updates working with nsd? Using Kerberos? From clients too or just with the samba_dnsupdate script?

How was it to set up compared to bind?

-- 
Michael Wood esiot...@gmail.com
Re: [Samba] Can print when logged in as domain user
On Fri, Oct 22, 2010 at 2:43 PM, Robert Moskowitz r...@htt-consult.com wrote:
> This is an OEM installed XP from a reseller. I would NOT be surprised that there are some serious limitations on the XP installed.

No functional limitations on OEM versions, except that some were tied to specific manufacturers (they wouldn't install if the BIOS string did not identify the device as that manufacturer's).
Re: [Samba] Can print when logged in as domain user
On 10/22/2010 03:22 PM, Chris Smith wrote:
> On Fri, Oct 22, 2010 at 2:43 PM, Robert Moskowitz r...@htt-consult.com wrote:
>> This is an OEM installed XP from a reseller. I would NOT be surprised that there are some serious limitations on the XP installed.
>
> No functional limitations on OEM versions, except that some were tied to specific manufacturers (they wouldn't install if the BIOS string did not identify the device as that manufacturer's).

The license is an OEM license (per system properties) registered to the E-Waste Recycler I bought it from. It is an IBM SFF. But why no policies for allowing printing when attached to a domain? Why not connect when domain logged in.

I tried connecting to the server printer share from a local login, and that got past the policy block and was asking for the printer driver. So it is REALLY something tied into how a domain user acts on this system.
Re: [Samba] Guest shares in an ADS security model
Yes. I guess this is a question about whether share-wise security models can be specified.

On Fri, Oct 22, 2010 at 1:12 PM, Michael Wood esiot...@gmail.com wrote:
> On 22 October 2010 19:36, Madhusudan Singh singh.madhusu...@gmail.com wrote:
>> Ok. In my mind, guest access should be just that - no authentication.
>
> Well, I believe that it is. But that you need to enable the Guest account in AD for it to be allowed. I might be wrong, of course, but I think that's how it works.
>
> What you want to do is bypass AD for one print share. Maybe that's possible, but I don't know.
>
>> On Thu, Oct 21, 2010 at 3:51 PM, Michael Wood esiot...@gmail.com wrote:
>>> On 21 October 2010 20:54, Madhusudan Singh singh.madhusu...@gmail.com wrote:
>>>> Hello, I have no control over the active directory. I just authenticate a subset of its members to give them access to the fileserver. Does this mean that there is no true guest access when using ADS ?
>>>
>>> I do not know enough about AD to answer your question.
>
> -- 
> Michael Wood esiot...@gmail.com
Re: [Samba] Guest shares in an ADS security model
Thanks for clearing that up. I would not want the AD to get involved at all for this share anyways.

On Fri, Oct 22, 2010 at 1:15 PM, Mike Leone tur...@mike-leone.com wrote:
> On 10/22/2010 2:12 PM, Michael Wood wrote:
>> On 22 October 2010 19:36, Madhusudan Singh singh.madhusu...@gmail.com wrote:
>>> Ok. In my mind, guest access should be just that - no authentication.
>>
>> Well, I believe that it is. But that you need to enable the Guest account in AD for it to be allowed.
>
> AFAIK, the Guest account is disabled by default in AD (at least, the later versions, 2003 onwards, possibly earlier).
>
> -- 
> Michael J. Leone, mailto:tur...@mike-leone.com
> PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
> Photo Gallery: http://www.flickr.com/photos/mikeleonephotos
> "You have become an avatar of woe and ire, and all of your deeds will conduce to evil" - Fatal Revenant, Stephen R. Donaldson
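An smb.conf fragment, added here as an illustration and not taken from the thread, of how Samba's own guest mapping can expose one print share to unauthenticated users while every other share on the same security = ads server still requires an AD login; the realm, workgroup, paths, subnet and group name are placeholders. The guest session is mapped to the Unix "guest account" user, so the AD Guest account is never consulted.

```ini
[global]
   security = ads
   realm = EXAMPLE.COM                      ; placeholder realm
   workgroup = EXAMPLE                      ; placeholder workgroup

   ; Sessions whose username AD does not know are mapped to the guest
   ; account. "Bad Password" would also map known users who mistype
   ; their password to guest, which hides credential problems; avoid it.
   ; This setting is global: every share with "guest ok = yes" becomes
   ; reachable by the mapped guest user, so keep that flag off elsewhere.
   map to guest = Bad User
   guest account = nobody

[printers]
   comment = Print queue open to the trusted LAN
   path = /var/spool/samba                  ; placeholder spool directory
   printable = yes
   browseable = yes
   ; No password required for this share; the guest user only gets the
   ; Unix permissions of "nobody" on the spool directory and the printer.
   guest ok = yes
   ; Limit the unauthenticated share to one subnet; "hosts deny = ALL"
   ; with an explicit allow list rejects everything else.
   hosts allow = 192.0.2.0/255.255.255.0    ; placeholder subnet
   hosts deny = ALL

[data]
   path = /srv/data                         ; placeholder path
   read only = no
   ; "guest ok" defaults to no, so this share still needs an AD account;
   ; restrict it further to one domain group (placeholder group name).
   valid users = @EXAMPLE\fileusers
```

Domain users connecting from a joined workstation still present their own credentials and get a normal authenticated session on [printers]; only users unknown to AD fall through to the guest mapping.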
Re: [Samba] Our success story with samba4
On 22/10/2010 19:52, Michael Wood wrote:
Hi Michael,

> Hi Lukasz
>
> On 19 October 2010 11:12, Lukasz Zalewski lu...@eecs.qmul.ac.uk wrote:
>> Hi all,
>>
>> This message is a testament to the great work the samba team has done, but it's also an encouragement to those of you that are still not sure if samba4 will work in your environment. This semester we have moved from samba 3.0.X DC to samba4 DC for students, and things are working great. The move was predominantly driven by switching from Windows XP to Windows 7 desktop platform (but also by a need for proper group policy).
>>
>> Our setup is quite simple and includes:
>>
>> One samba4 DC (running on centos 5.5 x64) with nsd dns backend
>> [...]
>
> Do you have dynamic DNS updates working with nsd? Using Kerberos? From clients too or just with the samba_dnsupdate script?

Nope, AFAIK nsd can't do MS style dynamic updates (it's the one bundled with Centos 5.5). We decided to go for static dns (we have only one s4 DC), which is composed of the bind config file generated by s4 provision (nsd can use bind config files, but TXT records have to be quoted for some reason) and all other records generated from database.

> How was it to set up compared to bind?

Besides not setting up dynamic updates, quite easy (I think easier than bind). As mentioned earlier, it supports bind config syntax (but TXT records have to be quoted).

Regards
Luk
Re: [Samba] Can print when logged in as domain user
On 22/10/2010 20:38, Robert Moskowitz wrote:
> On 10/22/2010 03:22 PM, Chris Smith wrote:
>> On Fri, Oct 22, 2010 at 2:43 PM, Robert Moskowitz r...@htt-consult.com wrote:
>>> This is an OEM installed XP from a reseller. I would NOT be surprised that there are some serious limitations on the XP installed.
>>
>> No functional limitations on OEM versions, except that some were tied to specific manufacturers (they wouldn't install if the BIOS string did not identify the device as that manufacturer's).
>
> The license is an OEM license (per system properties) registered to the E-Waste Recycler I bought it from. It is an IBM SFF. But why no policies for allowing printing when attached to a domain? Why not connect when domain logged in.

Robert,
Are you using AD for group policy, samba (system policy) or local group policy? I have noticed that on my XP client machines not all of the policies are present until you add appropriate templates (don't know if it's an SP3 feature). If you right-click on Administrative templates, there will be an option to Add/Remove templates. The required policy is part of system.adm

> I tried connecting to the server printer share from a local login, and that got past the policy block and was asking for the printer driver. So it is REALLY something tied into how a domain user acts on this system.
Re: [Samba] Can print when logged in as domain user
On 10/22/2010 04:03 PM, Lukasz Zalewski wrote:
> On 22/10/2010 20:38, Robert Moskowitz wrote:
>> On 10/22/2010 03:22 PM, Chris Smith wrote:
>>> On Fri, Oct 22, 2010 at 2:43 PM, Robert Moskowitz r...@htt-consult.com wrote:
>>>> This is an OEM installed XP from a reseller. I would NOT be surprised that there are some serious limitations on the XP installed.
>>>
>>> No functional limitations on OEM versions, except that some were tied to specific manufacturers (they wouldn't install if the BIOS string did not identify the device as that manufacturer's).
>>
>> The license is an OEM license (per system properties) registered to the E-Waste Recycler I bought it from. It is an IBM SFF. But why no policies for allowing printing when attached to a domain? Why not connect when domain logged in.
>
> Robert,
> Are you using AD for group policy, samba (system policy) or local group policy? I have noticed that on my XP client machines not all of the policies are present until you add appropriate templates (don't know if it's an SP3 feature). If you right-click on Administrative templates, there will be an option to Add/Remove templates. The required policy is part of system.adm

I don't know what policy I am using. I suppose whatever is installed on the system?

Oh, NOW I see what I was doing wrong. Now I have added system.adm policy and I see printers. Here goes!

>> I tried connecting to the server printer share from a local login, and that got past the policy block and was asking for the printer driver. So it is REALLY something tied into how a domain user acts on this system.
Re: [Samba] Can print when logged in as domain user
On 10/22/2010 04:17 PM, Robert Moskowitz wrote:
> On 10/22/2010 04:03 PM, Lukasz Zalewski wrote:
>> On 22/10/2010 20:38, Robert Moskowitz wrote:
>>> On 10/22/2010 03:22 PM, Chris Smith wrote:
>>>> On Fri, Oct 22, 2010 at 2:43 PM, Robert Moskowitz r...@htt-consult.com wrote:
>>>>> This is an OEM installed XP from a reseller. I would NOT be surprised that there are some serious limitations on the XP installed.
>>>>
>>>> No functional limitations on OEM versions, except that some were tied to specific manufacturers (they wouldn't install if the BIOS string did not identify the device as that manufacturer's).
>>>
>>> The license is an OEM license (per system properties) registered to the E-Waste Recycler I bought it from. It is an IBM SFF. But why no policies for allowing printing when attached to a domain? Why not connect when domain logged in.
>>
>> Robert,
>> Are you using AD for group policy, samba (system policy) or local group policy? I have noticed that on my XP client machines not all of the policies are present until you add appropriate templates (don't know if it's an SP3 feature). If you right-click on Administrative templates, there will be an option to Add/Remove templates. The required policy is part of system.adm
>
> I don't know what policy I am using. I suppose whatever is installed on the system?
>
> Oh, NOW I see what I was doing wrong. Now I have added system.adm policy and I see printers. Here goes!

Well I enabled a couple of things. I disabled: Disallow install of printers using ker-mode drv. I enabled: Allow print spooler to accept clients, Web-based printing. I could not figure out what really to do. This has not made any change to the system behaviour :(

I am off now until Saturday night. I will look for help again then!

>>> I tried connecting to the server printer share from a local login, and that got past the policy block and was asking for the printer driver. So it is REALLY something tied into how a domain user acts on this system.
Build status as of Fri Oct 22 06:00:02 2010
URL: http://build.samba.org/ --- /home/build/master/cache/broken_results.txt.old 2010-10-21 00:00:02.0 -0600 +++ /home/build/master/cache/broken_results.txt 2010-10-22 00:00:03.0 -0600 @@ -1,4 +1,4 @@ -Build status as of Thu Oct 21 06:00:01 2010 +Build status as of Fri Oct 22 06:00:02 2010 Build counts: Tree Total Broken Panic @@ -13,10 +13,10 @@ rsync32 15 0 samba-docs 0 0 0 samba-web0 0 0 -samba_3_current 32 32 5 -samba_3_master 32 24 0 -samba_3_next 32 29 0 -samba_4_0_test 36 31 0 +samba_3_current 31 31 5 +samba_3_master 32 20 0 +samba_3_next 32 32 0 +samba_4_0_test 37 33 1 talloc 32 6 0 -tdb 30 11 0 +tdb 30 12 0
Re: [SCM] Samba Shared Repository - branch master updated
Hi Matthieu,

> -- 
> commit c74ef7acf49f5e447373643c2e28c1dad56f451d
> Author: Matthieu Patou m...@matws.net
> Date: Fri Oct 22 01:01:53 2010 +0400
>
> waf: Mark the replacement zlib private so that it can build on machine without a system zlib
>
> Autobuild-User: Matthieu Patou m...@samba.org
> Autobuild-Date: Thu Oct 21 21:47:46 UTC 2010 on sn-devel-104
>
> commit 4ea7d4694a8353fc55ecd12cb09b9c91ffde7b3f
> Author: Matthieu Patou m...@matws.net
> Date: Thu Oct 21 02:14:39 2010 +0400
>
> replace: use replace for non 'samba' compliant strptime
>
> commit 2d0ac59fcc490517b202180f49b178ab80c2534e
> Author: Matthieu Patou m...@matws.net
> Date: Thu Oct 21 00:13:54 2010 +0400
>
> replace: use a wrapper around strtoll if it didn't behave as expected

We also need these wscript changes for the autoconf build in libreplace.m4.

metze
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via a8b9568 Wrap security_token_has_privilege() with a check for lp_enable_privileges(). Needed to maintain compatibility with smb.conf manpage. via 3e79cd6 Fix const warning. Allocate off NULL as we always talloc_free(). from 2a00138 s4-dsdb/schema_syntax: Separate validation for numericoid OID values http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit a8b95686a7bde3f96f141b6938e24e101567ef54 Author: Jeremy Allison j...@samba.org Date: Fri Oct 22 10:31:06 2010 -0700 Wrap security_token_has_privilege() with a check for lp_enable_privileges(). Needed to maintain compatibility with smb.conf manpage. Jeremy. Autobuild-User: Jeremy Allison j...@samba.org Autobuild-Date: Fri Oct 22 18:15:48 UTC 2010 on sn-devel-104 commit 3e79cd6856e5c76cc39ad2be68b40534a524cecd Author: Jeremy Allison j...@samba.org Date: Thu Oct 21 12:50:33 2010 -0700 Fix const warning. Allocate off NULL as we always talloc_free(). --- Summary of changes: libcli/security/access_check.c |2 +- source3/include/proto.h|1 + source3/param/loadparm.c |8 source3/printing/nt_printing.c |2 +- source3/registry/reg_backend_smbconf.c |2 +- source3/rpc_server/srv_samr_nt.c | 10 +- source3/rpc_server/srv_spoolss_nt.c| 18 +- source3/rpc_server/srv_srvsvc_nt.c |8 source3/rpc_server/srv_winreg_nt.c |6 +++--- source3/rpc_server/srv_wkssvc_nt.c |4 ++-- source3/smbd/open.c|4 ++-- source3/smbd/posix_acls.c |4 ++-- 12 files changed, 39 insertions(+), 30 deletions(-) Changeset truncated at 500 lines: diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c index b0d4f4a..c5f89af 100644 --- a/libcli/security/access_check.c +++ b/libcli/security/access_check.c 
@@ -285,7 +285,7 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd, uint32_t bits_remaining; struct object_tree *node; const struct GUID *type; -struct dom_sid *ps_sid = dom_sid_parse_talloc(sd, SID_NT_SELF); +struct dom_sid *ps_sid = dom_sid_parse_talloc(NULL, SID_NT_SELF); *access_granted = access_desired; bits_remaining = access_desired; diff --git a/source3/include/proto.h b/source3/include/proto.h index 6ce27b8..304fdb4 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -3586,6 +3586,7 @@ char* lp_perfcount_module(void); void lp_set_passdb_backend(const char *backend); void widelinks_warning(int snum); char *lp_ncalrpc_dir(void); +bool s3_security_token_has_privilege(const struct security_token *token, enum sec_privilege privilege); /* The following definitions come from param/loadparm_server_role.c */ diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 8dadebf..b11effd 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -10132,3 +10132,11 @@ bool lp_readraw(void) } return _lp_readraw(); } + +bool s3_security_token_has_privilege(const struct security_token *token, enum sec_privilege privilege) +{ +if (!lp_enable_privileges()) { +return false; +} +return security_token_has_privilege(token, privilege); +} diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c index 84de565..026161b 100644 --- a/source3/printing/nt_printing.c +++ b/source3/printing/nt_printing.c @@ -2082,7 +2082,7 @@ bool print_access_check(const struct auth_serversupplied_info *server_info, /* Always allow root or SE_PRINT_OPERATROR to do anything */ if (server_info-utok.uid == sec_initial_uid() - || security_token_has_privilege(server_info-ptok, SEC_PRIV_PRINT_OPERATOR)) { + || s3_security_token_has_privilege(server_info-ptok, SEC_PRIV_PRINT_OPERATOR)) { return True; } diff --git a/source3/registry/reg_backend_smbconf.c b/source3/registry/reg_backend_smbconf.c index b96c73b..f638223 100644 
--- a/source3/registry/reg_backend_smbconf.c +++ b/source3/registry/reg_backend_smbconf.c @@ -60,7 +60,7 @@ static bool smbconf_reg_access_check(const char *keyname, uint32 requested, uint32 *granted, const struct security_token *token) { - if (!security_token_has_privilege(token, SEC_PRIV_DISK_OPERATOR)) { + if (!s3_security_token_has_privilege(token, SEC_PRIV_DISK_OPERATOR)) { return False; } diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index a04584e..c2bf13e 100644 --- a/source3/rpc_server/srv_samr_nt.c +++
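Review bot: the new s3_security_token_has_privilege() wrapper in source3/param/loadparm.c returns false whenever enable privileges = no, so each caller switched to it here (print_access_check(), smbconf_reg_access_check(), and the callers in the rpc_server files) now enforces the smb.conf setting at check time, while the privilege subsystem may already enforce it when the token is built; the commit message should say which of the two holds, because if tokens built under enable privileges = no never carry privileges the wrapper is redundant, and if they can, any caller left on the bare security_token_has_privilege() silently bypasses the setting. A policy helper like this also belongs with the token/privilege code rather than in the config parser, where it is easy to miss. In the sec_access_check_ds() hunk, changing to dom_sid_parse_talloc(NULL, SID_NT_SELF) removes the const warning by detaching ps_sid from sd's lifetime, but the talloc_free() the message relies on is outside the visible context; confirm every return path after the allocation frees ps_sid, otherwise the change trades a warning for a leak on the error paths.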
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via d46ca0e s4-dsdb_syntax: Setup String(Case Sensitive) syntax from a8b9568 Wrap security_token_has_privilege() with a check for lp_enable_privileges(). Needed to maintain compatibility with smb.conf manpage. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d46ca0eb801f2664cedb17c50a9a94e58ebdb0b6 Author: Kamen Mazdrashki kame...@samba.org Date: Sat Oct 23 00:13:09 2010 +0300 s4-dsdb_syntax: Setup String(Case Sensitive) syntax Currently it is mapped to Octet String LDAP syntax for comparison purposes. According to LDAP rfc we should be using same comparison as Directory String (LDB_SYNTAX_DIRECTORY_STRING), but case sensitive. But according to ms docs binary compare should do the job: http://msdn.microsoft.com/en-us/library/cc223200(v=PROT.10).aspx Autobuild-User: Kamen Mazdrashki kame...@samba.org Autobuild-Date: Fri Oct 22 22:19:50 UTC 2010 on sn-devel-104 --- Summary of changes: source4/dsdb/schema/schema_syntax.c | 13 ++--- 1 files changed, 10 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/schema/schema_syntax.c b/source4/dsdb/schema/schema_syntax.c index d6e4527..2f68ea2 100644 --- a/source4/dsdb/schema/schema_syntax.c +++ b/source4/dsdb/schema/schema_syntax.c 
@@ -2393,9 +2393,16 @@ static const struct dsdb_syntax dsdb_syntaxes[] = { .ldap_oid = 1.2.840.113556.1.4.1362, .oMSyntax = 27, .attributeSyntax_oid= 2.5.5.3, - .drsuapi_to_ldb = dsdb_syntax_FOOBAR_drsuapi_to_ldb, - .ldb_to_drsuapi = dsdb_syntax_FOOBAR_ldb_to_drsuapi, - .validate_ldb = dsdb_syntax_FOOBAR_validate_ldb, + .drsuapi_to_ldb = dsdb_syntax_DATA_BLOB_drsuapi_to_ldb, + .ldb_to_drsuapi = dsdb_syntax_DATA_BLOB_ldb_to_drsuapi, + .validate_ldb = dsdb_syntax_DATA_BLOB_validate_ldb, + .equality = caseExactMatch, + .substring = caseExactSubstringsMatch, + /* TODO (kim): according to LDAP rfc we should be using same comparison +* as Directory String (LDB_SYNTAX_DIRECTORY_STRING), but case sensitive. +* But according to ms docs binary compare should do the job: +* http://msdn.microsoft.com/en-us/library/cc223200(v=PROT.10).aspx */ + .ldb_syntax = LDB_SYNTAX_OCTET_STRING, },{ .name = String(Unicode), .ldap_oid = LDB_SYNTAX_DIRECTORY_STRING, -- Samba Shared Repository
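Review bot: the String(Case Sensitive) entry now advertises .equality = caseExactMatch and .substring = caseExactSubstringsMatch while .ldb_syntax = LDB_SYNTAX_OCTET_STRING makes the stored comparison a plain byte compare, and the TODO left in the hunk records that the RFC would call for Directory String comparison (case sensitive) instead; an LDAP client reading the matching rules from the schema will expect caseExactMatch semantics that a byte compare does not give, so either resolve the TODO before landing or state the chosen binary behaviour in the commit message and pin it with a test so it is not changed by accident. Switching .validate_ldb from the FOOBAR stub to dsdb_syntax_DATA_BLOB_validate_ldb also means values for this String syntax get blob-level rather than string-level validation; confirm that is intended for attributes carrying this syntax.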
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 272feb7 Revert Wrap security_token_has_privilege() with a check for lp_enable_privileges(). Needed from d46ca0e s4-dsdb_syntax: Setup String(Case Sensitive) syntax http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 272feb7bd133344e88864ffc75d251451ddd681c Author: Jeremy Allison j...@samba.org Date: Fri Oct 22 15:58:40 2010 -0700 Revert Wrap security_token_has_privilege() with a check for lp_enable_privileges(). Needed Not needed - privileges code prevents enable privileges = no from adding privileges anyway. This reverts commit a8b95686a7bde3f96f141b6938e24e101567ef54. Autobuild-User: Jeremy Allison j...@samba.org Autobuild-Date: Fri Oct 22 23:41:36 UTC 2010 on sn-devel-104 --- Summary of changes: source3/include/proto.h|1 - source3/param/loadparm.c |8 source3/printing/nt_printing.c |2 +- source3/registry/reg_backend_smbconf.c |2 +- source3/rpc_server/srv_samr_nt.c | 10 +- source3/rpc_server/srv_spoolss_nt.c| 18 +- source3/rpc_server/srv_srvsvc_nt.c |8 source3/rpc_server/srv_winreg_nt.c |6 +++--- source3/rpc_server/srv_wkssvc_nt.c |4 ++-- source3/smbd/open.c|4 ++-- source3/smbd/posix_acls.c |4 ++-- 11 files changed, 29 insertions(+), 38 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/include/proto.h b/source3/include/proto.h index 304fdb4..6ce27b8 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -3586,7 +3586,6 @@ char* lp_perfcount_module(void); void lp_set_passdb_backend(const char *backend); void widelinks_warning(int snum); char *lp_ncalrpc_dir(void); -bool s3_security_token_has_privilege(const struct security_token *token, enum sec_privilege privilege); /* The following definitions come from param/loadparm_server_role.c */ diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index b11effd..8dadebf 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c 
@@ -10132,11 +10132,3 @@ bool lp_readraw(void) } return _lp_readraw(); } - -bool s3_security_token_has_privilege(const struct security_token *token, enum sec_privilege privilege) -{ -if (!lp_enable_privileges()) { -return false; -} -return security_token_has_privilege(token, privilege); -} diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c index 026161b..84de565 100644 --- a/source3/printing/nt_printing.c +++ b/source3/printing/nt_printing.c @@ -2082,7 +2082,7 @@ bool print_access_check(const struct auth_serversupplied_info *server_info, /* Always allow root or SE_PRINT_OPERATROR to do anything */ if (server_info-utok.uid == sec_initial_uid() - || s3_security_token_has_privilege(server_info-ptok, SEC_PRIV_PRINT_OPERATOR)) { + || security_token_has_privilege(server_info-ptok, SEC_PRIV_PRINT_OPERATOR)) { return True; } diff --git a/source3/registry/reg_backend_smbconf.c b/source3/registry/reg_backend_smbconf.c index f638223..b96c73b 100644 --- a/source3/registry/reg_backend_smbconf.c +++ b/source3/registry/reg_backend_smbconf.c @@ -60,7 +60,7 @@ static bool smbconf_reg_access_check(const char *keyname, uint32 requested, uint32 *granted, const struct security_token *token) { - if (!s3_security_token_has_privilege(token, SEC_PRIV_DISK_OPERATOR)) { + if (!security_token_has_privilege(token, SEC_PRIV_DISK_OPERATOR)) { return False; } diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index c2bf13e..a04584e 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -200,8 +200,8 @@ NTSTATUS access_check_object( struct security_descriptor *psd, struct security_t by privileges (mostly having to do with creating/modifying/deleting users and groups) */ - if ((needed_priv_1 != SEC_PRIV_INVALID s3_security_token_has_privilege(token, needed_priv_1)) || - (needed_priv_2 != SEC_PRIV_INVALID s3_security_token_has_privilege(token, needed_priv_2))) { + if ((needed_priv_1 != SEC_PRIV_INVALID security_token_has_privilege(token, needed_priv_1)) || + (needed_priv_2 != SEC_PRIV_INVALID security_token_has_privilege(token, needed_priv_2))) { saved_mask = (des_access rights_mask); des_access = ~saved_mask; @@ -572,7 +572,7 @@ NTSTATUS _samr_OpenDomain(struct pipes_struct *p, * Users with SeAddUser get the ability to manipulate groups
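Review bot: the revert's justification, that the privileges code already prevents enable privileges = no from adding privileges to a token, is not visible in this changeset, which only removes the wrapper from loadparm.c/proto.h and switches print_access_check(), smbconf_reg_access_check() and access_check_object() back to the bare security_token_has_privilege(); after this revert the token-construction invariant is the only thing enforcing the smb.conf setting, so the commit message should name the function that guarantees it, and a test that sets enable privileges = no and asserts the privileged paths in these callers are refused would keep a later refactor of the token code from silently re-opening them. The srv_samr_nt.c hunk is cut off in the _samr_OpenDomain() context, so the remaining callers could not be reviewed here.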