[Samba] Windows prompt for password complexity

2011-04-24 Thread Tom Lobato

Hi all,
I've successfully configured samba as PDC using LDAP. All is working
very fine, but when the user password expires and the new password that
the user typed does not meet the complexity check made by check
password script, I need to give him a custom change password message
(based on my own criterion).
check password script cannot do more than return status 0 or != 0
to tell samba about the check result. It would be nice if this could return the
custom error message to Samba, so it could tell the user properly.

Is there some way to customize this message?



Thank you,
Tom Lobato 
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
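An added example, not code from the thread: a Samba `check password script` in Python. Samba hands the new plaintext password to the script on stdin and accepts it only when the script exits 0; the complexity rules and deny-list below are constructed sample criteria, and because Samba cannot relay a message from the script to the client, the failing rule is recorded in syslog for the administrator instead.

```python
#!/usr/bin/env python3
"""Samba "check password script": read the candidate password from stdin,
exit 0 to accept it or non-zero to reject it.  The rules here are
constructed sample criteria, not Samba defaults.  The password itself is
never logged; only the names of the rules it failed are."""
import re
import sys
import syslog

MIN_LENGTH = 12
CHARACTER_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}
# Constructed deny-list; a real deployment would load one from a file.
DENY_LIST = {"password", "welcome", "samba"}


def failed_rules(password):
    """Return the list of rules the password violates (empty list = accepted)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    # Windows-style rule: at least three of the four character classes.
    classes = sum(1 for rx in CHARACTER_CLASSES.values() if rx.search(password))
    if classes < 3:
        failures.append("uses fewer than 3 of the 4 character classes")
    lowered = password.lower()
    if any(word in lowered for word in DENY_LIST):
        failures.append("contains a deny-listed word")
    return failures


def main():
    # Samba writes the new password (followed by a newline) to stdin.
    password = sys.stdin.read().rstrip("\n")
    failures = failed_rules(password)
    if failures:
        # The exit status is all Samba sees; keep the reason for the admin.
        syslog.syslog(syslog.LOG_AUTH | syslog.LOG_WARNING,
                      "check password script rejected a new password: "
                      + "; ".join(failures))
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Point `check password script = /usr/local/sbin/checkpw.py` in smb.conf at the script and make it executable by the smbd user only.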


Re: [Samba] Windows prompt for password complexity

2011-04-24 Thread Tom Lobato

Sorry, forgot something:

I'm running Ubuntu 10.04 and Samba 3.4.7~dfsg-1ubuntu3.5.



[Samba] Using groups with windows

2011-04-24 Thread A.Dura

Hi,

we are using samba with ldap for our pdc.

And i was told by another admin, that when you use a windows server, you 
can only get the Domain Users and Domain Admins groups from the 
samba/ldap pdc.


So i tried to add a group, which i know exists on the server, to my 
windows server, but windows couldn't find it.


Is there a way to make other groups than domain users and domain 
admins usable under windows?


Regards,
adura



Re: [Samba] Using groups with windows

2011-04-24 Thread Andrew Dumaresq





Which version of Samba are you using?  I was able to get quite a few 
groups out of LDAP from samba4, but I had to add these entries to my 
ldap.conf:


nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member

I also needed to add a GID and a password value into the sam.ldb entries 
that I wanted to flow.


In the end I found that some groups hung (not sure why) and the setup 
caused problems when I installed software (because groupadd doesn't work 
right).  So I turned off getting groups from ldap.   I am getting my 
users from ldap and this works well (except I can't get ssl to work).  
If you are using Samba3 there are lots of guides on how to do it...





Re: [Samba] ldapsearch with samba4 (now a question about SASL and ldaps

2011-04-24 Thread Andrew Dumaresq



On 4/23/2011 2:34 PM, Andrew Dumaresq wrote:

Hi,

I've got ldapsearch mostly working:

root@morannon:/usr/local/samba/private/tls# ldapsearch '(sAMAccountName=dumaresq)'

SASL/GSSAPI authentication started
SASL username: administrator@XXX
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base  (default) with scope subtree
# filter: (sAMAccountName=dumaresq)
# requesting: ALL
#

results in here...


# search result
search: 5
result: 0 Success

# numResponses: 2
# numEntries: 1


I cannot get ldapsearch -Z  or ldaps working:

ldapsearch '(sAMAccountName=dumaresq)' -Z
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
additional info: SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is used



Here is what I get in samba.log when I did that command:

[2011/04/23 14:29:56,  3] ../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2011/04/23 14:29:56,  3] ../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2011/04/23 14:29:56,  3] ../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2011/04/23 14:29:56,  3] ../source4/smbd/service_stream.c:62(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2011/04/23 14:29:56,  3] ../source4/smbd/process_single.c:104(single_terminate)
  single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]



I'm not sure where to go from here.  I've tried several different 
options in /etc/ldap/ldap.conf and I always get that error, unless I 
comment out #TLS_REQCERT allow

then I get:

ldapsearch '(sAMAccountName=dumaresq)' -Z
ldap_start_tls: Connect error (-11)
additional info: (unknown error code)
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: (unknown error code)




Update...

I did get ldaps and -Z working, but I can't do it with SASL, I can't 
find docs that say, but is it possible that SASL (GSSAPI) and ldaps are 
not compatible?



ldapsearch -H ldaps://ldapserver.domain -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
additional info: SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is used


dumaresq@morannon:~$ ldapsearch -H ldaps://ldapserver.domain -D 'CN=Administrator,CN=Users,DC=dumaresq,DC=local' -w AdminsPassword '(sAMAccountName=dumaresq)'

# extended LDIF
#
# LDAPv3
# base  (default) with scope subtree
# filter: (sAMAccountName=dumaresq)
# requesting: ALL
#

(response in here)

# numResponses: 2
# numEntries: 1

So the question is are SASL and ldaps not compatible and if that is the 
case which is better?  I like GSSAPI because I don't need to store 
passwords on the system, but I'm not clear on how encrypted the data 
being transmitted is.  I did a packet capture and I do see some data 
that doesn't look like clear text, but that's all I know for sure :)


Comments, suggestions?


[SCM] Samba Shared Repository - branch master updated

2011-04-24 Thread Stefan Metzmacher
The branch, master has been updated
   via  f7bc844 s3:rpc_client: map fault codes to NTSTATUS with dcerpc_fault_to_nt_status()
   via  e7cf720 s3:winbindd: let winbindd_lookup_names() use dcerpc_binding_handle functions
   via  7309daa s3:winbindd: let winbindd_lookup_sids() dcerpc_binding_handle functions
   via  c0441b1 lib/util: add RBVAL, RBVALS, RSBVAL and RSRBVALS macros
   via  5b32708 s3:includes: simplify INO_T_VAL macros
   via  d7aa2eb s3:includes: simplify BIG_UINT macros
   via  9127e55 s3:smbd/trans2: make use of BVAL() and remove ugly LARGE_SMB_OFF_T ifdef's
  from  fb05e82 Fix license info for talloc in manpage.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit f7bc84409a7a6736ec2cf1110dd7200a954e3b7e
Author: Stefan Metzmacher me...@samba.org
Date:   Sun Apr 24 00:00:40 2011 +0200

s3:rpc_client: map fault codes to NTSTATUS with dcerpc_fault_to_nt_status()

Most fault codes have a NTSTATUS representation, so use that.

This brings the fault handling in common with the source4/librpc/rpc code,
which makes it possible to share more highlevel code between source3 and
source4 as the error checking can be the same now.

metze

Autobuild-User: Stefan Metzmacher me...@samba.org
Autobuild-Date: Sun Apr 24 10:44:53 CEST 2011 on sn-devel-104

commit e7cf7204e60552b45952325f343ea894fda21346
Author: Stefan Metzmacher me...@samba.org
Date:   Sat Apr 23 23:57:19 2011 +0200

s3:winbindd: let winbindd_lookup_names() use dcerpc_binding_handle functions

metze

commit 7309daa532c9689d64ce3f33da522f23635213d6
Author: Stefan Metzmacher me...@samba.org
Date:   Sat Apr 23 23:56:27 2011 +0200

s3:winbindd: let winbindd_lookup_sids() dcerpc_binding_handle functions

metze

commit c0441b17e6580de65d87d28bfd9ae72d09a3508f
Author: Stefan Metzmacher me...@samba.org
Date:   Sat Apr 23 11:01:34 2011 +0200

lib/util: add RBVAL, RBVALS, RSBVAL and RSRBVALS macros

They pull and push [u]int64_t values in big endian.

metze

commit 5b327085775f279976c66cdd5f105132fda0965a
Author: Stefan Metzmacher me...@samba.org
Date:   Sat Apr 23 11:15:30 2011 +0200

s3:includes: simplify INO_T_VAL macros

metze

commit d7aa2eb7b664c10551cb45c36d3b564d829e9d44
Author: Stefan Metzmacher me...@samba.org
Date:   Sat Apr 23 11:10:05 2011 +0200

s3:includes: simplify BIG_UINT macros

metze

commit 9127e555ab043000adc516a9177e43812e52fd4b
Author: Stefan Metzmacher me...@samba.org
Date:   Sat Apr 23 10:30:59 2011 +0200

s3:smbd/trans2: make use of BVAL() and remove ugly LARGE_SMB_OFF_T ifdef's

We rely on uint64_t for a long time now...

metze

---

Summary of changes:
 lib/util/byteorder.h  |   17 ++---
 source3/include/includes.h|   15 
 source3/lib/netapi/user.c |2 +-
 source3/libnet/libnet_join.c  |2 +-
 source3/rpc_client/cli_pipe.c |6 +---
 source3/smbd/trans2.c |   30 +---
 source3/winbindd/winbindd_cm.c|2 +-
 source3/winbindd/winbindd_msrpc.c |   67 +++-
 source3/winbindd/winbindd_pam.c   |   10 +++---
 9 files changed, 72 insertions(+), 79 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/util/byteorder.h b/lib/util/byteorder.h
index 59ad837..6bcf71e 100644
--- a/lib/util/byteorder.h
+++ b/lib/util/byteorder.h
@@ -201,18 +201,29 @@ static __inline__ void st_le32(uint32_t *addr, const 
uint32_t val)
 
 #endif /* not CAREFUL_ALIGNMENT */
 
+/* 64 bit macros */
+#define BVAL(p, ofs) (IVAL(p,ofs) | (((uint64_t)IVAL(p,(ofs)+4))  32))
+#define BVALS(p, ofs) ((int64_t)BVAL(p,ofs))
+#define SBVAL(p, ofs, v) (SIVAL(p,ofs,(v)0x), 
SIVAL(p,(ofs)+4,((uint64_t)(v))32))
+#define SBVALS(p, ofs, v) (SBVAL(p,ofs,(uint64_t)v))
+
 /* now the reverse routines - these are used in nmb packets (mostly) */
 #define SREV(x) x)0xFF)8) | (((x)8)0xFF))
 #define IREV(x) ((SREV(x)16) | (SREV((x)16)))
+#define BREV(x) ((IREV(x)32) | (IREV((x)32)))
 
 #define RSVAL(buf,pos) SREV(SVAL(buf,pos))
 #define RSVALS(buf,pos) SREV(SVALS(buf,pos))
 #define RIVAL(buf,pos) IREV(IVAL(buf,pos))
 #define RIVALS(buf,pos) IREV(IVALS(buf,pos))
+#define RBVAL(buf,pos) BREV(BVAL(buf,pos))
+#define RBVALS(buf,pos) BREV(BVALS(buf,pos))
 #define RSSVAL(buf,pos,val) SSVAL(buf,pos,SREV(val))
 #define RSSVALS(buf,pos,val) SSVALS(buf,pos,SREV(val))
 #define RSIVAL(buf,pos,val) SIVAL(buf,pos,IREV(val))
 #define RSIVALS(buf,pos,val) SIVALS(buf,pos,IREV(val))
+#define RSBVAL(buf,pos,val) SBVAL(buf,pos,BREV(val))
+#define RSBVALS(buf,pos,val) SBVALS(buf,pos,BREV(val))
 
 /* Alignment macros. */
 #define ALIGN4(p,base) ((p) + ((4 - (PTR_DIFF((p), (base))  3))  3))
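Review bot: in the SBVALS definition (`+#define SBVALS(p, ofs, v) (SBVAL(p,ofs,(uint64_t)v))`) the macro argument `v` is not parenthesised, so a compound argument such as `a + b` is cast only in its first term; write `(uint64_t)(v)`, as `SBVAL` itself does with `(v)`. The hunk as rendered in this mail has also lost the shift and mask operators (for example `IVAL(p,(ofs)+4))  32` and `(v)0x`), so the 64-bit assembly in `BVAL`, `SBVAL` and `BREV` cannot be checked from this listing and should be verified against the committed byteorder.h. Lastly, `RBVALS(buf,pos) BREV(BVALS(buf,pos))` byte-swaps a value already cast to `int64_t`, so the left shifts inside `IREV`/`BREV` run on a signed operand; `((int64_t)RBVAL(buf,pos))` would keep the swap on the unsigned value, although the existing `RIVALS` line follows the same signed pattern.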
@@ -222,10 +233,4 @@ static __inline__ void st_le32(uint32_t