[Samba] security = user vs security = domain and winbind trust

2011-05-19 Thread Aaron E.

If you require any more information, let me know, and thanks in advance.

I'm working with dansguardian and squid with ntlm_auth.

I join squid to the domain and it works for 7 days. After 7 days to the 
minute from the time I joined the server to the domain winbind decides 
it has lost its trust. And then squid can't utilize ntlm_auth as it 
requires winbind to function properly. I'm using the packaged version 
from Ubuntu Lucid.. samba 3.4.7..


I guess from what I've researched winbind isn't able to change or 
doesn't get updated with the machine password? Can I force this somehow? 
Does it have anything to do with the fact I don't have an AD domain and 
using security = domain?


security = user  (winbind doesn't return users or groups with wbinfo and 
squid will not authenticate.)
security = domain ( winbind works for 7 days as does squid, once the 7 
days is up I have to rejoin the machine to the domain in order to get it 
in a working condition..)


My DC is a samba server with openldap as its backend.

wbinfo -t returns the following

checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc022)
Could not check secret

Below is a snippet of winbind.log

  initialize_winbindd_cache: clearing cache and re-creating with version number 1

[2011/05/19 08:57:27,  2] winbindd/winbindd_util.c:235(add_trusted_domain)
  Added domain BUILTIN  S-1-5-32
[2011/05/19 08:57:27,  2] winbindd/winbindd_util.c:235(add_trusted_domain)
  Added domain APPSRV5  S-1-5-21-2430456434-2706775456-2994855025
[2011/05/19 08:57:27,  2] winbindd/winbindd_util.c:235(add_trusted_domain)
  Added domain EXAMPLE  S-1-5-21-496710657-683828429-1874078741
[2011/05/19 08:57:28,  3] libsmb/cliconnect.c:940(cli_session_setup_spnego)
  Doing spnego session setup (blob length=58)
[2011/05/19 08:57:28,  3] libsmb/cliconnect.c:967(cli_session_setup_spnego)
  got OID=1.3.6.1.4.1.311.2.2.10
[2011/05/19 08:57:28,  3] libsmb/cliconnect.c:975(cli_session_setup_spnego)
  got principal=NONE
[2011/05/19 08:57:28,  3] libsmb/ntlmssp.c:1023(ntlmssp_client_challenge)
  Got challenge flags:
[2011/05/19 08:57:28,  3] libsmb/ntlmssp.c:62(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x60898215
[2011/05/19 08:57:28,  3] libsmb/ntlmssp.c:1045(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2011/05/19 08:57:28,  3] libsmb/ntlmssp.c:62(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x60088215
[2011/05/19 08:57:28,  3] libsmb/ntlmssp_sign.c:342(ntlmssp_sign_init)
  NTLMSSP Sign/Seal - Initialising with flags:
[2011/05/19 08:57:28,  3] libsmb/ntlmssp.c:62(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x60088215
[2011/05/19 08:57:28,  3] winbindd/winbindd_cm.c:570(cm_get_ipc_userpass)
  cm_get_ipc_userpass: No auth-user defined
[2011/05/19 08:57:28,  1] rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from host NETFILES2!
[2011/05/19 08:57:31,  3] winbindd/winbindd_misc.c:754(winbindd_interface_version)
  [10751]: request interface version
[2011/05/19 08:57:31,  3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
  [10751]: request location of privileged pipe
[2011/05/19 08:57:31,  3] winbindd/winbindd_misc.c:34(winbindd_check_machine_acct)
  [10751]: check machine account


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba 4 and gpo in win7

2011-05-19 Thread Matthieu Patou

On 16/05/2011 12:50, Kalle Pettersson wrote:

Attached a wireshark file with captures during a gpupdate from a win7 client.

In fact we have more than one DC.

All of the times when trying to access sysvol folder I've tried through \\ip-nr\sysvol and not 
through \\domain.com\sysvol. Through \\domain.com\sysvol I cannot access sysvol.


You seem to have a big problem in your DNS configuration as you are not 
even doing SMB calls, and looking at DNS problems it's quite clear.


You have to fix them before being able to move forward.

Matthieu.

Is it a must to access it that way? Or is it me that's getting this all wrong?





- Original message -

From: Matthieu Patou m...@samba.org
To: samba@lists.samba.org
Sent: Friday, 13 May 2011 22:22:50
Subject: Re: [Samba] Samba 4 and gpo in win7

On 13/05/2011 20:34, Michael Wood wrote:

On 13 May 2011 13:23, Kalle Pettersson tae...@bredband.net  wrote:

Hi!

Could access sysvol directory per default from xp and win7 machines.

Tried adding host msdfs = yes in smb.conf.

Afterwards none of the clients could access sysvol directory through explorer 
view.

First, what path did you try to connect to exactly? Assuming your
server is called server.example.com, did you connect to \\SERVER\...
or was it \\example.com\...?

you have to try \\domain.tld\ because that's the way the client will do it.


And still no gpo applying for win7 clients.

I'm kinda confused. Are gpo supposed to work with samba4 and win7?
It works perfect with my win xp clients.

I think it is supposed to work, but I've not tried it. I'm sure one
of the Samba developers will say if it's not supposed to work.

Might be a bug (what a surprise ;-) ) in the dfs referral naming
resolution. I'm really happy to help, I just need more information.

Like a trace and the fact if you have more than 1 DC.

In short if you don't have host msdfs = yes, the client will revert to
NT4 authentication when trying to access \\domain.tld\sysvol ... as the
client can't do kerberos authentication on a domain SPN.

XP is quite ok with this degradation, w7 has some problems sometimes and
tends to do unauthenticated mode, which of course fails!

Starting samba in more verbose mode could help too (-d 4 should be good).


Matthieu



--
Matthieu Patou
Samba Team  http://samba.org
Private repo  http://git.samba.org/?p=mat/samba.git;a=summary



[Samba] human understandable log format?

2011-05-19 Thread ion coting
Hi,
I would like to look at a logfile containing simple summary lines like this:

timestamp - client ip - user - action (eg. login, connect to a share) -
result (ok, password wrong, permission denied, io error, etc)

I find log.smb and log.nmb very complicated and smbaudit too; also I would
like to have all this information in a single log file.

How can I achieve this? Is there any native samba combination of options in
smb.conf that can result in achieving this type of log? Can (and how?) I
configure samba in such a way that some external tools can parse and extract
this information from logfiles?

thank you
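
One way an external tool can flatten Samba's multi-line debug records into one summary line each, added here as an example (not part of the original post and not Samba code). It only recovers what a debug record carries (timestamp, level, function, status code, message), the sample lines are constructed after the winbind excerpts in this archive, and `parse_records`, `summarize` and `problems` are hypothetical names.

```python
import re
from typing import Iterable, Iterator, List, NamedTuple, Optional

# Record header: "[date time,  level] file:line(function)". Mail archives often
# wrap the location onto the next line, so it is optional on the header line.
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?),\s*(?P<level>\d+)\]\s*(?P<rest>.*)$"
)
LOCATION = re.compile(r"^(?P<file>[\w./-]+):(?P<line>\d+)\((?P<func>\w+)\)$")
STATUS = re.compile(r"\b(?:NT_STATUS|WERR|DCERPC_FAULT)_\w+")

# Constructed sample, modelled on the log excerpts quoted in this archive.
SAMPLE = """\
[2011/05/19 08:57:27,  2] winbindd/winbindd_util.c:235(add_trusted_domain)
  Added domain EXAMPLE  S-1-5-21-1-2-3
[2011/05/19 08:57:28,  1]
rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
  cli_pipe_validate_current_pdu: RPC fault code
DCERPC_FAULT_OP_RNG_ERROR received from host DC1!
[2011/05/19 08:57:31,  3] winbindd/winbindd_misc.c:34(winbindd_check_machine_acct)

  [10751]: check machine account
[2011/05/19 08:57:31,  0] example/trust.c:1(check_trust_secret)
  trust secret check failed: NT_STATUS_ACCESS_DENIED
"""


class Record(NamedTuple):
    timestamp: str
    level: int
    source: str             # "file:line", or "?" when the header had none
    function: str
    status: Optional[str]   # first NT_STATUS_/WERR_/DCERPC_FAULT_ code, if any
    message: str            # body lines joined, whitespace collapsed


def finish_record(ts, level, loc, body) -> Record:
    message = " ".join(" ".join(body).split())
    hit = STATUS.search(message)
    return Record(
        ts,
        level,
        f"{loc['file']}:{loc['line']}" if loc else "?",
        loc["func"] if loc else "?",
        hit.group(0) if hit else None,
        message,
    )


def parse_records(lines: Iterable[str]) -> Iterator[Record]:
    pending = None  # [timestamp, level, location match or None, body lines]
    for raw in lines:
        header = HEADER.match(raw.rstrip())
        if header:
            if pending:
                yield finish_record(*pending)
            loc = LOCATION.match(header["rest"].strip())
            pending = [header["ts"], int(header["level"]), loc, []]
            continue
        text = raw.strip()
        if pending is None or not text:
            continue  # text before the first header, or a blank line
        if pending[2] is None and not pending[3]:
            loc = LOCATION.match(text)  # location wrapped onto its own line
            if loc:
                pending[2] = loc
                continue
        pending[3].append(text)
    if pending:
        yield finish_record(*pending)


def summarize(rec: Record) -> str:
    """One line per record: timestamp | level | function | status | message."""
    return (f"{rec.timestamp} | level {rec.level} | {rec.function} | "
            f"{rec.status or '-'} | {rec.message}")


def problems(records: Iterable[Record], max_level: int = 1) -> List[Record]:
    """Records that carry a status/fault code or were logged at level <= max_level."""
    return [r for r in records if r.status or r.level <= max_level]


if __name__ == "__main__":
    for record in parse_records(SAMPLE.splitlines()):
        print(summarize(record))
```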


Re: [Samba] Samba 4 and gpo in win7

2011-05-19 Thread Matthieu Patou

On 12/05/2011 11:21, tae...@bredband.net wrote:


Hello!

Having an issue with getting gpo to apply for my win7
clients.

Running samba4.

Creating gpo with gpmc and they are created
under var/locks/sysvol/mydomain/policies

They apply just perfectly
on win xp clients but when trying on win7 clients they just won't apply.


When running gpupdate /force we get this (summary):

So I pushed a few fixes in the Git tree of samba and made a lot of tests 
about this.

First you need:
host msdfs = yes in the [global] part of your configuration.

Then reboot XP / windows7.

Try to access \\domain.tld\sysvol and also navigate inside it.
If it works, it means that dfs for sysvol is working; in most cases it 
will solve Windows7 problems with fetching the GPO.


If not, make a trace from the samba server and send it to us for analysis; a trace 
can be done like this: tcpdump -i any host ip_of_the_client -s 16000 -w /tmp/trace.pcap.


Matthieu.




--
Matthieu Patou
Samba Team  http://samba.org
Private repo  http://git.samba.org/?p=mat/samba.git;a=summary



[Samba] Strange problem with my new PDC

2011-05-19 Thread Marc Richter
Hi everyone ,

I have setup a new Server, based on Ubuntu Linux. Since the Samba
version from its repository was too old for my purposes, I downloaded
and installed Samba from source (version 3.5.8). Everything went fine so
far.

We currently run an older version (3.0.26a) of samba as PDC . I copied
the tdbsam databases from the current PDC over to the new one. This
seems to have worked very well, since all users and computer accounts
were accessible by pdbedit. I could also logon with my old credentials,
too! My password was accepted, my roaming profile was read and written
correctly, etc. All seems very good.

Now to the problem:
I asked two colleagues of mine to try their logins with a Windows Server
2008 R2 and a Windows 7 system. They can login, but become immediately
logged off again. They don't even see the Desktop for a short time. This
was tested on several Windows 7 and Server 2008 Systems now and it
happens everywhere. I can logon with my user without a problem on any
system.

I cannot find anything relevant in the logs, but that doesn't have to
mean much, since this seems very cryptic to me. I tried and googled for
three days now! Could please anyone assist me with this issue?

I tried to send a gzipped logfile as attachment to the list already, but
it was blocked, because the resulting mail was too big. I cannot put the
logs to pastebin, since this is too big, too. So I copied the logs to
my webspace:

The log with the successful login attempt:
http://www.marc-richter.info/Success.log

The log with the unsuccessful login attempt:
http://www.marc-richter.info/Failing.log

The PDC is named thalos. The Windows 2008 R2 machine from which the
two logins are done is named gollum. The Domain is named MFC2. The
user who succeeds is named mr and the one which is failing is named ab.

I could really need help here ...

Best regards,
Marc


[Samba] vfs_scannedonly fails to connect to socket.

2011-05-19 Thread Darin Perusich
Hello All,

I'm trying to configure the scannedonly module with ClamAV on OpenSuSE
11.3 but it's failing to connect to the clamav socket and I can't
figure out why. Clamd is running and the socket has 666
permissions. I've increased log level = 5, tried stracing the
processes but nothing.

Any thoughts on what to try next?

OpenSuSE 11.3
samba-3.5.4
clamav-0.97

[share]
path = /srv/samba/share
read only = No
browseable = No
directory mask = 0775
create mask = 0644
oplocks = False
# Virus scanning
vfs objects = scannedonly
scannedonly:domain_socket = True
scannedonly:socketname = /var/lib/clamav/clamd-socket
scannedonly:hide_nonscanned_files = True

ls -l /var/lib/clamav/clamd-socket
srw-rw-rw- 1 vscan vscan 0 May 19 12:29 /var/lib/clamav/clamd-socket


[2011/05/19 12:46:32.541300,  2] modules/vfs_scannedonly.c:207(connect_to_scanner)
  failed to connect to socket /var/lib/clamav/clamd-socket
  Initialising custom vfs hooks from [scannedonly]
  vfs module [scannedonly] not loaded - trying to load...
  Module '/usr/lib64/samba/vfs/scannedonly.so' loaded
  Successfully added vfs backend 'scannedonly'
  Successfully loaded vfs module [scannedonly] with the new modules system
[2011/05/19 12:46:32.822708,  2] modules/vfs_scannedonly.c:207(connect_to_scanner)
  failed to connect to socket /var/lib/clamav/clamd-socket
[2011/05/19 12:46:33.980909,  3] modules/vfs_scannedonly.c:264(flush_sendbuffer)
  scannedonly flush_sendbuffer: error sending on socket 34 to scanner: Transport endpoint is not connected (107)
[2011/05/19 12:46:33.980953,  2] modules/vfs_scannedonly.c:207(connect_to_scanner)
  failed to connect to socket /var/lib/clamav/clamd-socket
[2011/05/19 12:46:33.980965,  2] modules/vfs_scannedonly.c:302(flush_sendbuffer)
  scannedonly flush_sendbuffer: failed to send files to AV scanner, discarding files.smbd_dirptr_get_entry mask=[*] found dperusich/test.txt is being scanned for viruses fname=test.txt is being scanned for viruses (test.txt is being scanned for viruses)
  smbd_dirptr_get_entry mask=[*] found dperusich/eicar.com is being scanned for viruses fname=eicar.com is being scanned for viruses (eicar.com is being scanned for viruses)
[2011/05/19 12:46:33.993187,  3] modules/vfs_scannedonly.c:264(flush_sendbuffer)
  scannedonly flush_sendbuffer: error sending on socket 37 to scanner: Transport endpoint is not connected (107)
[2011/05/19 12:46:33.993216,  2] modules/vfs_scannedonly.c:207(connect_to_scanner)
  failed to connect to socket /var/lib/clamav/clamd-socket
[2011/05/19 12:46:33.993228,  2] modules/vfs_scannedonly.c:302(flush_sendbuffer)
  scannedonly flush_sendbuffer: failed to send files to AV scanner, discarding files.Transaction 173 of length 188 (0 toread)


--
Later,
Darin


Re: [Samba] vfs_scannedonly fails to connect to socket.

2011-05-19 Thread Jeremy Allison
On Thu, May 19, 2011 at 01:03:05PM -0400, Darin Perusich wrote:
 Hello All,
 
 I'm trying to configure the scannedonly module with ClamAV on OpenSuSE
 11.3 but it's failing to connect to the clamav socket and I can't
 figure out why. Clamd is running and the socket has 666
 permissions. I've increased log level = 5, tried stracing the
 processes but nothing.
 
 Any thoughts on what to try next?

Add a debug message to print out the errno error message
after the connection fails. (I'll do this for the git
code).

Jeremy.
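
A stand-alone way to obtain the errno that the log lines in this thread leave out, added here as an example (not Samba or ClamAV code): it describes what sits at a Unix domain socket path and then tries to connect as both a stream and a datagram client, naming the errno for each. Which socket type the module uses is not stated in this thread, so the probe reports both; `describe_path` and `probe_unix_socket` are hypothetical helpers.

```python
import errno
import os
import socket
import stat
import sys


def describe_path(path):
    """Say what sits at `path` before any connect() is attempted."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return f"stat failed: {errno.errorcode.get(exc.errno, exc.errno)}"
    kind = "socket" if stat.S_ISSOCK(st.st_mode) else "not a socket"
    return f"{kind}, mode {stat.S_IMODE(st.st_mode):o}, uid {st.st_uid}, gid {st.st_gid}"


def probe_unix_socket(path):
    """Try to connect to `path` as each socket type; return {type: 'OK' or errno name}.

    Typical outcomes on Linux:
      ENOENT       nothing exists at that path
      EACCES       no write permission on the socket, or no search permission
                   on one of the directories leading to it
      ECONNREFUSED the file exists but no process is listening on it
      EPROTOTYPE   the listener uses the other socket type
    """
    results = {}
    for name, kind in (("stream", socket.SOCK_STREAM), ("dgram", socket.SOCK_DGRAM)):
        sock = socket.socket(socket.AF_UNIX, kind)
        try:
            sock.connect(path)
            results[name] = "OK"
        except OSError as exc:
            results[name] = errno.errorcode.get(exc.errno, str(exc.errno))
        finally:
            sock.close()
    return results


if __name__ == "__main__":
    # Default path taken from the share definition posted in this thread.
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/clamav/clamd-socket"
    print(target, "->", describe_path(target))
    for kind, outcome in probe_unix_socket(target).items():
        print(f"  connect as {kind}: {outcome}")
```

Run it as the same user that smbd runs the connection as, since the permission checks depend on the caller.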


Re: [Samba] regpatch writing to local registry hive with -F not working (registery-utils 4.0.0~alpha15~git20110124.dfsg1-2ubuntu1)

2011-05-19 Thread RiCH
On Thu, 2011-05-19 at 09:08 +0200, denis.bonnenfant wrote:

 Wilco Baan Hofman wrote:
  On Wed, 2011-05-18 at 16:01 +0200, denis bonnenfant wrote:

  On Wednesday 18 May 2011 at 15:07 +0200, Wilco Baan Hofman wrote:
  
  On Wed, 2011-05-18 at 12:33 +0200, Michael Wood wrote:
 

  Then it seems the -F option should be removed from regpatch.  Or
  should regpatch be replaced with something similar to the Python script
  you included below?
  
  My patch adds a -K option to regpatch for specifying the predef key
  where -F registry should be mounted. I will submit it for review soon,
  I'm currently experimenting a little bit, and there are still some bugs
  in .reg parsing
  
 

 
 In fact it doesn't make sense to mount regf files to anything but HKCU, 
 so -K option is not necessary, and HKCU can be hardcoded as mountpoint 
 for files specified by -F option.
 


Sorry if I am misunderstanding something here, but if the .reg file is
modifying a software or system key shouldn't regpatch
 mount the appropriate hive,  mounting under HKLM/Software  system
under HKLM/system etc. ?

(I currently am using Ghost's linux ghregedit to do this, but I am
hoping for a license free version, ... I have been searching for a very
long time for something that actually works!)

I was envisaging a usage along these lines;
regpatch -F  /mnt/xp/WINDOWS/ myregpatch.reg #regpatch loads the hives
needed itself based on the WINDOWS target dir (auto filling
system32/config), this approximates to how ghregedit works
..or more in keeping with how it's set up at the moment
regpatch -F  /mnt/something/software,/mnt/something/system
myregpatch.reg #tell it what hives to load

I appreciate all the effort everyone is putting in. Thanks.


 
  I use this quite a bit and I'm aware of two bugs, which is not directly
  related to the parsing, but that on windows unicode is implicit for
  certain data types even when the data is given in binary format, it's
  still converted. The other 'bug' is that unicode .reg files are not yet
  supported. I'd be very interested to know what other bugs there are.

 I found some problems with value deletion, sometimes values are not 
 deleted, reg_expand_sz data not correctly saved,  but I'm not sure that 
 the problem is in parsing. I'm going to experiment a little bit more.
 
 Denis



Re: [Samba] How can I confirm that idmap_ad is being used?

2011-05-19 Thread Zabel, Daniel
Hi Kai,

Have a look at:

log.winbindd-idmap

Also have a look at:
https://bugzilla.samba.org/show_bug.cgi?id=6322

Not totally sure but I think you have to  configure it separately for each 
domain for which you want to use it, using disjoint ranges.

Cheers,

Daniel


-Original message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
behalf of Kai Lanz
Sent: Tuesday, 17 May 2011 02:56
To: samba@lists.samba.org
Subject: [Samba] How can I confirm that idmap_ad is being used?


How can I confirm that idmap_ad is being called?

I've configured Samba with --with-shared-modules=idmap_ad, built and installed 
it; the file ad.so is now present in /usr/local/samba/lib/idmap/ as expected. 
I then added the following to smb.conf:

idmap backend = tdb
idmap uid = 65536 - 99
idmap gid = 65536 - 99

idmap config SU : backend = ad
idmap config SU : schema_mode = rfc2307
idmap config SU : range = 1 - 65535
idmap config WIN : backend = ad
idmap config WIN : schema_mode = rfc2307
idmap config WIN : range = 1 - 65535

Now I fire up winbindd with debug-level = 10, and issue some queries via 
wbinfo. Some requests work as expected, some fail, but when I look in 
log.winbindd I never see any reference to idmap.c or idmap_ad.c. I'd like to 
confirm that this module is being used.

I went so far as to deliberately break the smb.conf by specifying

idmap config SU range = 1 -

which I expected to produce an error from idmap_ad_initialize(), invalid 
filter range. But that message is never logged; instead I see only errors from 
winbindd_util.c, add_trusted_domain():

[2011/05/16 16:57:11.442318,  1] winbindd/winbindd_util.c:204(add_trusted_domain)
   invalid range syntax in idmap config SU: 1 -

Have I missed out on some crucial bit of configuration that's required to 
enable idmap_ad?

-- 
Kai Lanz  Stanford University  School of Earth Sciences

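
A check for the "disjoint ranges" advice in this thread, added here as an example (not Samba code and not from either poster): it reads the idmap range settings out of smb.conf text, reports ranges that do not parse, and lists every overlap between two domains or between a domain and the default `idmap uid` / `idmap gid` allocation range. The configurations are constructed samples and the function names are hypothetical.

```python
import re
from itertools import combinations

RANGE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
DOMAIN_KEY = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(.+)$")

# Constructed sample: both domains are given the same range.
OVERLAPPING = """
[global]
    idmap backend = tdb
    idmap uid = 100000 - 199999
    idmap gid = 100000 - 199999
    idmap config SU : backend = ad
    idmap config SU : schema_mode = rfc2307
    idmap config SU : range = 1000 - 65535
    idmap config WIN : backend = ad
    idmap config WIN : schema_mode = rfc2307
    idmap config WIN : range = 1000 - 65535
"""

# Constructed sample: one range per domain, none touching the default range.
DISJOINT = OVERLAPPING.replace(
    "SU : range = 1000 - 65535", "SU : range = 10000 - 19999"
).replace("WIN : range = 1000 - 65535", "WIN : range = 20000 - 29999")


def parse_idmap_ranges(conf_text):
    """Return ({owner: (low, high)}, [problem strings]) for all idmap ranges."""
    ranges, problems = {}, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue  # blank line, comment, section header or not a setting
        key, value = (part.strip() for part in line.split("=", 1))
        key = " ".join(key.lower().split())  # parameter names ignore case/spacing
        domain = DOMAIN_KEY.match(key)
        if domain:
            if domain.group(2) != "range":
                continue  # backend, schema_mode, ...
            owner = domain.group(1).upper()
        elif key in ("idmap uid", "idmap gid"):
            owner = "default " + key.split()[1]
        else:
            continue
        parsed = RANGE.match(value)
        if not parsed:
            problems.append(f"{owner}: invalid range syntax {value!r}")
            continue
        low, high = int(parsed.group(1)), int(parsed.group(2))
        if low > high:
            problems.append(f"{owner}: range starts above its end ({low} > {high})")
            continue
        ranges[owner] = (low, high)
    return ranges, problems


def find_overlaps(ranges):
    """Return [(owner_a, owner_b, (low, high))] for every pair of clashing ranges."""
    clashes = []
    for (a, ra), (b, rb) in combinations(sorted(ranges.items()), 2):
        if a.startswith("default ") and b.startswith("default "):
            continue  # uid and gid are separate number spaces
        if ra[0] <= rb[1] and rb[0] <= ra[1]:
            clashes.append((a, b, (max(ra[0], rb[0]), min(ra[1], rb[1]))))
    return clashes


def check_idmap(conf_text):
    """Human-readable findings; an empty list means the ranges are usable."""
    ranges, problems = parse_idmap_ranges(conf_text)
    return problems + [
        f"{a} and {b} overlap on {low}-{high}"
        for a, b, (low, high) in find_overlaps(ranges)
    ]


if __name__ == "__main__":
    for name, text in (("overlapping", OVERLAPPING), ("disjoint", DISJOINT)):
        print(name, "->", check_idmap(text) or "ok")
```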


Re: [Samba] How can I confirm that idmap_ad is being used?

2011-05-19 Thread Kai Lanz


Hi Daniel,

On May 17, 2011, at 5:50 AM, Zabel, Daniel wrote:


Have a look at:

log.winbindd-idmap


I've looked at that file; it's empty. (Not a single entry.) I run my  
tests with winbindd -n -d 10 -D.



Also have a look at:
https://bugzilla.samba.org/show_bug.cgi?id=6322


Now, this is interesting! The problem Edgar Holleis describes sounds  
exactly like the one I am facing. See my
post to the Samba mailing list, Winbindd can't convert between SIDs  
and uid/gid. Edgar said:

Winbind correctly resolves:
User-Name-SID (wbinfo -n), Group-Name-SID (wbinfo -s)
What doesn't work:
SID-UID (wbinfo -S), UID-SID (wbinfo -U),
SID-GID (wbinfo -Y), GID-UID (wbinfo -G)
(Except, wbinfo -s is SID-User-name, the reverse of wbinfo -n,  
not Group-Name-SID as Edgar wrote...)

That's the same pattern of success and failure I get in my wbinfo tests.

So, how does one go from Edgar's bug report, with 4 failing wbinfo  
queries, to your comment, wbinfo resolves
everything correctly? I'm running samba-3.5.8 on OpenSolaris.  
Following Michael Adam's example, I tried the
following in my smb.conf:

   idmap backend = tdb
   idmap uid = 5 - 9
   idmap gid = 5 - 9

   idmap config SU : backend = ad
   idmap config SU : schema_mode = rfc2307
   idmap config SU : range = 1 - 2
   idmap config WIN : backend = ad
   idmap config WIN : schema_mode = rfc2307
   idmap config WIN : range = 3 - 4

Note the disjoint ranges for each domain. I still get the same  
failures with wbinfo S, U, G, and Y. It seems I'm
still missing something, since our wbinfo doesn't resolve everything  
correctly. Is nsswitch.conf important,
perhaps? It doesn't seem to make any difference whether I add  
winbind to the passwd and group lines or
not. Is that expected?


-Original message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Kai Lanz

Sent: Tuesday, 17 May 2011 02:56
To: samba@lists.samba.org
Subject: [Samba] How can I confirm that idmap_ad is being used?


How can I confirm that idmap_ad is being called?

I've configured Samba with --with-shared-modules=idmap_ad, built and  
installed it; the file ad.so is now present in /usr/local/samba/lib/idmap/  
as expected. I then added the following to smb.conf:


   idmap backend = tdb
   idmap uid = 65536 - 99
   idmap gid = 65536 - 99

   idmap config SU : backend = ad
   idmap config SU : schema_mode = rfc2307
   idmap config SU : range = 1 - 65535
   idmap config WIN : backend = ad
   idmap config WIN : schema_mode = rfc2307
   idmap config WIN : range = 1 - 65535

Now I fire up winbindd with debug-level = 10, and issue some queries  
via wbinfo. Some requests work as expected, some fail, but when I  
look in log.winbindd I never see any reference to idmap.c or  
idmap_ad.c. I'd like to confirm that this module is being used.


I went so far as to deliberately break the smb.conf by specifying

   idmap config SU range = 1 -

which I expected to produce an error from idmap_ad_initialize(),  
invalid filter range. But that message is never logged; instead I  
see only errors from winbindd_util.c, add_trusted_domain():


[2011/05/16 16:57:11.442318,  1] winbindd/winbindd_util.c:204(add_trusted_domain)
  invalid range syntax in idmap config SU: 1 -

Have I missed out on some crucial bit of configuration that's  
required to enable idmap_ad?


--
Kai Lanz  Stanford University  School of Earth Sciences



--
Kai Lanz



Re: [Samba] regpatch writing to local registry hive with -F not working (registery-utils 4.0.0~alpha15~git20110124.dfsg1-2ubuntu1)

2011-05-19 Thread Wilco Baan Hofman
On Sun, 2011-05-15 at 00:28 +0200, Michael Wood wrote:
 On 14 May 2011 22:09, Michael Wood esiot...@gmail.com wrote:
  On 14 May 2011 19:53, RiCH r...@richud.com wrote:
  Hi,
 
  I was hoping I could modify a locally mounted registry hive using
  regpatch and a .reg file but the -F argument seems to have no function.

Correct. It does not on regpatch, afaik.

  Try this patch (untested, but based on what regtree does).

Won't work. See below.

  I've either got errors like:
 
 $ bin/regpatch -F /tmp/NTUSER.DAT /tmp/test.reg
 Error adding new key 'HKEY_CURRENT_USER\Software\Microsoft\Internet
 Explorer\Main': WERR_BADFILE
 Error adding key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
 
 I hope the patch helps, but I'm not sure that just using
 start_key-context is the right thing to do.
 

Actually, the reason this doesn't work is that -F loads a registry hive,
not a full registry and .reg files only work on a full registry.

If you load a hive with -F you cannot patch it.

A simple python script will work, however.. something like this:

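---
import optparse
import sys

# samba_python_path: where Samba's Python modules are installed on your system
sys.path.append(samba_python_path)
from samba import registry
import samba.getopt as options

# Command line: <hivepath> <patchfile>, plus the standard Samba options
parser = optparse.OptionParser("%prog <hivepath> <patchfile>")
sambaopts = options.SambaOptions(parser)
credopts = options.CredentialsOptions(parser)
parser.add_option_group(sambaopts)
parser.add_option_group(credopts)
opts, (hivepath, patchfile) = parser.parse_args()

# Open the hive
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
hive = registry.open_hive(hivepath, lp_ctx=lp, credentials=creds)

# Mount the hive to HKEY_CURRENT_USER
reg = registry.Registry()
reg.mount_hive(hive, registry.HKEY_CURRENT_USER)
reg.diff_apply(patchfile)
---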

Regards,

Wilco Baan Hofman






Re: [Samba] Issue with Bind

2011-05-19 Thread Kai Blin

On 2011-05-13 14:49, fe...@epepm.cupet.cu wrote:

 
 But I keep receiving the following message in log.samba:
 
 RuntimeError: kinit for sam...@mydomain.com failed (Cannot contact any KDC
 for requested realm)


And Samba4 is up and running and configured as a domain controller?

Cheers,
Kai

- -- 
Kai Blin
Worldforge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/


Re: [Samba] How can I confirm that idmap_ad is being used?

2011-05-19 Thread Zabel, Daniel
Hi Kai,

 I've looked at that file; it's empty. (Not a single entry.) I run my tests 
 with winbindd -n -d 10 -D.

Try to add to your smb.conf:

log level = 3 idmap:10 winbind:10

to force idmap Logging also to Debuglevel 10.

 Note the disjoint ranges for each domain. I still get the same failures with 
 wbinfo S, U, G, and Y. It seems I'm still missing something, since our wbinfo 
 doesn't resolve everything correctly. Is nsswitch.conf important, perhaps? 
 It doesn't seem to make any difference whether I add winbind to the passwd 
 and group lines or not. Is that expected?

Did net ads testjoin and net ads info work?

Nsswitch.conf is important!

Should look like this:

passwd: files winbind
group:  files winbind

These winbind-relevant settings I also have in my config

winbind nss info = rfc2307 template
winbind normalize names = yes
winbind use default domain = yes
winbind offline logon = yes
winbind cache time = 180
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind trusted domains only = no

Cheers,

Daniel

Hi Daniel,

On May 17, 2011, at 5:50 AM, Zabel, Daniel wrote:

 Have a look at:

 log.winbindd-idmap

I've looked at that file; it's empty. (Not a single entry.) I run my tests with 
winbindd -n -d 10 -D.

 Also have a look at:
 https://bugzilla.samba.org/show_bug.cgi?id=6322

Now, this is interesting! The problem Edgar Holleis describes sounds exactly 
like the one I am facing. See my post to the Samba mailing list, Winbindd 
can't convert between SIDs and uid/gid. Edgar said:
 Winbind correctly resolves:
 User-Name-SID (wbinfo -n), Group-Name-SID (wbinfo -s)
 What doesn't work:
 SID-UID (wbinfo -S), UID-SID (wbinfo -U), SID-GID (wbinfo -Y), GID-UID 
 (wbinfo -G)
(Except, wbinfo -s is SID-User-name, the reverse of wbinfo -n, not 
Group-Name-SID as Edgar wrote...) That's the same pattern of success and 
failure I get in my wbinfo tests.

So, how does one go from Edgar's bug report, with 4 failing wbinfo queries, to 
your comment, wbinfo resolves everything correctly? I'm running samba-3.5.8 
on OpenSolaris.  
Following Michael Adam's example, I tried the following in my smb.conf:

idmap backend = tdb
idmap uid = 5 - 9
idmap gid = 5 - 9

idmap config SU : backend = ad
idmap config SU : schema_mode = rfc2307
idmap config SU : range = 1 - 2
idmap config WIN : backend = ad
idmap config WIN : schema_mode = rfc2307
idmap config WIN : range = 3 - 4

Note the disjoint ranges for each domain. I still get the same failures with 
wbinfo S, U, G, and Y. It seems I'm still missing something, since our wbinfo 
doesn't resolve everything correctly. Is nsswitch.conf important, perhaps? It 
doesn't seem to make any difference whether I add winbind to the passwd and 
group lines or not. Is that expected?

 -Original message-
 From: samba-boun...@lists.samba.org 
 [mailto:samba-boun...@lists.samba.org
 ] On behalf of Kai Lanz
 Sent: Tuesday, 17 May 2011 02:56
 To: samba@lists.samba.org
 Subject: [Samba] How can I confirm that idmap_ad is being used?


 How can I confirm that idmap_ad is being called?

 I've configured Samba with --with-shared-modules=idmap_ad, built and 
 installed it; the file ad.so is now present in /usr/local/samba/lib/idmap/ 
 as expected. I then added the following to smb.conf:

idmap backend = tdb
idmap uid = 65536 - 99
idmap gid = 65536 - 99

idmap config SU : backend = ad
idmap config SU : schema_mode = rfc2307
idmap config SU : range = 1 - 65535
idmap config WIN : backend = ad
idmap config WIN : schema_mode = rfc2307
idmap config WIN : range = 1 - 65535

 Now I fire up winbindd with debug-level = 10, and issue some queries 
 via wbinfo. Some requests work as expected, some fail, but when I look 
 in log.winbindd I never see any reference to idmap.c or idmap_ad.c. 
 I'd like to confirm that this module is being used.

 I went so far as to deliberately break the smb.conf by specifying

idmap config SU range = 1 -

 which I expected to produce an error from idmap_ad_initialize(), 
 invalid filter range. But that message is never logged; instead I 
 see only errors from winbindd_util.c, add_trusted_domain():

 [2011/05/16 16:57:11.442318,  1] winbindd/winbindd_util.c:204(add_trusted_domain)
   invalid range syntax in idmap config SU: 1 -

 Have I missed out on some crucial bit of configuration that's required 
 to enable idmap_ad?

 -- 
 Kai Lanz  Stanford University  School of Earth Sciences


--
Kai Lanz



Re: [Samba] regpatch writing to local registry hive with -F not working (registery-utils 4.0.0~alpha15~git20110124.dfsg1-2ubuntu1)

2011-05-19 Thread Wilco Baan Hofman
On Wed, 2011-05-18 at 12:33 +0200, Michael Wood wrote:

 
 Then it seems the -F option should be removed from regpatch.  Or
 should regpatch be replaced with something similar to the Python script
 you included below?

The latter would be preferable, but you'd have to be able to specify
mountpoints for the hives.

 ---
  sys.path.append(samba_python_path)
  from samba import registry
  import samba.getopt as options
 
  # Open the hive
  lp = sambaopts.get_loadparm()
  creds = credopts.get_credentials(lp)
  hive = registry.open_hive(hivepath, lp_ctx=lp, credentials=creds)
 
 So hivepath here is the path to e.g. some user's NTUSER.DAT?

Indeed.

  # Mount the hive to HKEY_CURRENT_USER
  reg = registry.Registry()
  reg.mount_hive(hive, registry.HKEY_CURRENT_USER)
  reg.diff_apply(patchfile)
 ---

Regards,

Wilco Baan Hofman




Re: [Samba] regpatch writing to local registry hive with -F not working (registery-utils 4.0.0~alpha15~git20110124.dfsg1-2ubuntu1)

2011-05-19 Thread denis bonnenfant
On Wednesday 18 May 2011 at 15:07 +0200, Wilco Baan Hofman wrote:
 On Wed, 2011-05-18 at 12:33 +0200, Michael Wood wrote:
 
  
  Then it seems the -F option should be removed from regpatch.  Or
  should regpatch be replaced with something similar to the Python script
  you included below?
 

My patch adds a -K option to regpatch for specifying the predef key
where -F registry should be mounted. I will submit it for review soon,
I'm currently experimenting a little bit, and there are still some bugs
in .reg parsing

Denis


Re: [Samba] regpatch writing to local registry hive with -F not working (registery-utils 4.0.0~alpha15~git20110124.dfsg1-2ubuntu1)

2011-05-19 Thread Wilco Baan Hofman
On Wed, 2011-05-18 at 16:01 +0200, denis bonnenfant wrote:
> On Wednesday 18 May 2011 at 15:07 +0200, Wilco Baan Hofman wrote:
> > On Wed, 2011-05-18 at 12:33 +0200, Michael Wood wrote:
> >
> > > Then it seems the -F option should be removed from regpatch.  Or
> > > should regpatch be replaced with something similar to the Python script
> > > you included below?
>
> My patch adds a -K option to regpatch for specifying the predef key
> where -F registry should be mounted. I will submit it for review soon,
> I'm currently experimenting a little bit, and there are still some bugs
> in .reg parsing

I use this quite a bit and I'm aware of two bugs, which is not directly
related to the parsing, but that on windows unicode is implicit for
certain data types even when the data is given in binary format, it's
still converted. The other 'bug' is that unicode .reg files are not yet
supported. I'd be very interested to know what other bugs there are.

Regards,

Wilco Baan Hofman


Re: [Samba] regpatch writing to local registry hive with -F not working (registery-utils 4.0.0~alpha15~git20110124.dfsg1-2ubuntu1)

2011-05-19 Thread denis.bonnenfant

Wilco Baan Hofman wrote:

> On Wed, 2011-05-18 at 16:01 +0200, denis bonnenfant wrote:
> > On Wednesday 18 May 2011 at 15:07 +0200, Wilco Baan Hofman wrote:
> > > On Wed, 2011-05-18 at 12:33 +0200, Michael Wood wrote:
> > >
> > > > Then it seems the -F option should be removed from regpatch.  Or
> > > > should regpatch be replaced with something similar to the Python script
> > > > you included below?
> >
> > My patch adds a -K option to regpatch for specifying the predef key
> > where -F registry should be mounted. I will submit it for review soon,
> > I'm currently experimenting a little bit, and there are still some bugs
> > in .reg parsing

In fact it doesn't make sense to mount regf files to anything but HKCU,
so -K option is not necessary, and HKCU can be hardcoded as mountpoint
for files specified by -F option.

> I use this quite a bit and I'm aware of two bugs, which is not directly
> related to the parsing, but that on windows unicode is implicit for
> certain data types even when the data is given in binary format, it's
> still converted. The other 'bug' is that unicode .reg files are not yet
> supported. I'd be very interested to know what other bugs there are.

I found some problems with value deletion, sometimes values are not
deleted, reg_expand_sz data not correctly saved, but I'm not sure that
the problem is in parsing. I'm going to experiment a little bit more.


Denis
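
The .reg behaviours raised in this thread (string data that stays text even when written in hex form, UTF-16 "unicode" .reg files, and value deletion) can be exercised with a small stand-alone parser. This is an added example, not regpatch or Samba code; the function names and the sample file are constructed, and cp1252 for REGEDIT4 files is an assumption.

```python
import re

REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7
STRING_TYPES = (REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ)

def decode_reg_file(raw):
    """Return (text, wide); wide means hex() string data is UTF-16LE."""
    if raw.startswith(b"\xff\xfe"):       # UTF-16LE BOM: a "unicode .reg file"
        text = raw[2:].decode("utf-16-le")
    else:
        text = raw.decode("cp1252")       # assumption: ANSI export uses cp1252
    header = next((l.strip() for l in text.splitlines() if l.strip()), "")
    if header == "Windows Registry Editor Version 5.00":
        return text, True
    if header == "REGEDIT4":
        return text, False
    raise ValueError("not a .reg file: %r" % header)

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)     # \\ -> \ and \" -> "

def parse_data(rhs, wide):
    """Turn the right-hand side of name=data into (type, value)."""
    if len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
        return REG_SZ, unescape(rhs[1:-1])
    if rhs.lower().startswith("dword:"):
        return REG_DWORD, int(rhs[6:], 16)
    m = re.match(r"hex(?:\(([0-9a-fA-F]+)\))?:(.*)$", rhs)
    if m is None:
        raise ValueError("unsupported data: %r" % rhs)
    rtype = int(m.group(1), 16) if m.group(1) else REG_BINARY
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if rtype not in STRING_TYPES:
        return rtype, data
    # String types written in hex form are still text, in the file's encoding.
    s = data.decode("utf-16-le" if wide else "cp1252").rstrip("\0")
    return rtype, (s.split("\0") if rtype == REG_MULTI_SZ else s)

def parse_reg(raw):
    """Parse .reg bytes into (action, key, value_name, data) tuples."""
    text, wide = decode_reg_file(raw)
    text = re.sub(r"\\\r?\n[ \t]*", "", text)   # join hex continuation lines
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith(";")][1:]  # skip header
    ops, key = [], None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):             # [-KEY] deletes a whole key
                ops.append(("delete_key", key[1:], None, None))
                key = None
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$', line)
        if m is None or key is None:
            raise ValueError("unparsable line: %r" % line)
        name = "" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        if m.group(2) == "-":                   # "name"=- deletes one value
            ops.append(("delete_value", key, name, None))
        else:
            ops.append(("set", key, name, parse_data(m.group(2), wide)))
    return ops

# Constructed sample, encoded the way a Version 5.00 export is stored on disk.
SAMPLE_V5 = b"\xff\xfe" + r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Environment]
"TEMP"=hex(2):25,00,54,00,45,00,\
  4d,00,50,00,25,00,00,00
"Old"=-
"Level"=dword:0000000a
'''.encode("utf-16-le")

if __name__ == "__main__":
    for op in parse_reg(SAMPLE_V5):
        print(op)
```

Feeding the same REG_EXPAND_SZ value through a REGEDIT4 file (one byte per character) yields the same string, which is the round-trip property a patch tool has to preserve when it writes the value into a hive.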

[Samba] Building Samba 356 on Solaris 10

2011-05-19 Thread Neil Newman
Just in case this helps anyone, please find below the steps I took to compile 
Samba version 356 on our Sun Solaris servers:

Setting Up A Sun Solaris Server To Integrate With Samba 356 AD


Download the latest stable SOURCE version of Kerberos from 
http://web.mit.edu/kerberos/dist/

Run mkdir /usr/local/sambaAD358

krb5.1.7

cd krb5*/src
./configure --prefix=/usr/local/sambaAD358 --enable-dns-for-realm
make
make install
==

From  http://www.openldap.org/download the latest source
Run gunzip openldap?.tgz to uncompress
This will create a tar file
Run tar xvf openldap?.tar to uncompress

cd openldap

bash
CPPFLAGS=-I/usr/local/samba358/include
export CPPFLAGS
LDFLAGS="-L/usr/local/sambaAD358/lib -R/usr/local/sambaAD358/lib"
export LDFLAGS

./configure --prefix=/usr/local/sambaAD358 --disable-slapd --disable-slurpd \
--without-tls


make depend
make
make install



Install packages:
autoconf-2.68-sol10-sparc-local
perl-5.12.3-sol10-sparc-local
m4-1.4.16-sol10-sparc-local
libsigsegv-2.10-sol10-sparc-local
libiconv-1.13.1-sol10-sparc-local
gcc-3.4.6-sol10-sparc-local
 make-3.82-sol10-sparc-local
libintl-3.4.0-sol10-sparc-local
Ensure libreadline is installed

 /usr/local/lib/libreadline.a
 /usr/local/lib/libreadline.so
 /usr/local/lib/libreadline.so.4
 /usr/local/lib/libreadline.so.5


set path=(/usr/sbin /bin /usr/bin /usr/ucb /etc /usr/etc /usr/local/bin $OPENWINHOME/bin . /usr/ccs/bin /usr/sadm/bin )

setenv LD_LIBRARY_PATH $OPENWINHOME/lib:/usr/dt/lib:/usr/local/lib:/usr/local/include:/usr/ucblib:/usr/local/sambaAD358/lib

setenv CC /usr/local/bin/gcc

bash

LDFLAGS="-L/usr/local/sambaAD358/lib -R/usr/local/sambaAD358/lib \
-L/usr/local/lib -R/usr/local/lib -L/usr/local/krb5/lib \
-L/usr/local/cyrus-sasl/lib -L/usr/local/libiconv/lib -R/usr/local/krb5/lib \
-R/usr/local/cyrus-sasl/lib -R/usr/local/libiconv/lib"
export LDFLAGS

./autogen.sh

./configure --prefix=/usr/local/sambaAD358 --with-ads --with-ldap \
--with-winbind --with-krb5=/usr/local/sambaAD358 --with-acl-support \
--with-shared-modules=idmap_ad,vfs_zfsacl

/usr/local/bin/make
/usr/local/bin/make install




create the file krb5.conf under /etc and put something like this in it:
#
# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# ident @(#)krb5.conf 1.3 04/03/25 SMI
#

# krb5.conf template
# In order to complete this configuration file
# you will need to replace the __name__ placeholders
# with appropriate values for your network.
#
[libdefaults]
default_realm = {DOMAIN}.GOV.UK

[realms]
DARTFORD.GOV.UK = {
kdc = {server}.{domain}.gov.uk
kdc = {server}.{domain}.gov.uk
}

[domain_realm]
.{domain}.gov.uk = {DOMAIN}.GOV.UK

[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
period = 1d
versions = 10
}

[appdefaults]
kinit = {
renewable = true
forwardable= true
}
gkadmin = {
#   help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
}


Run:
ln -s /etc/krb5.conf /etc/krb5/krb5.conf


Create a smb.conf file under /usr/local/samba???/lib containing something like:
[global]
workgroup = {DOMAIN}
bind interfaces only = yes
netbios name = {server_name}
security = ADS
realm = {DOMAIN}.GOV.UK
server string = Samba (%v) domain (%h)
encrypt passwords = yes
preferred master = no
pid directory = /usr/local/sambaAD358/var/locks
log level = 5
log file = /usr/local/sambaAD358/logs/log.%m
smb passwd file = /usr/local/sambaAD358/private/smbpasswd
private dir = /usr/local/sambaAD358/private
lock dir = /usr/local/sambaAD358/var/locks
winbind cache time = 300
allow trusted domains = yes
idmap backend = rid:ADS=10-20
idmap uid = 10-20
idmap gid = 10-20
winbind enum groups = yes
winbind enum users = yes
enhanced browsing = yes
winbind use default domain = yes
load printers = no
restrict anonymous = 1
smb ports = 445 139
client use spnego = yes
[pcclients]
browseable = yes
comment = Access to Pcclients
path = /pcclients
public = no
guest ok = no
writeable = yes
valid users = @{DOMAIN}\everyone {DOMAIN}\cccam
force user = nobody
force group = nobody
force create mode = 0777
create mask = 0777



Run the following command to test the smb.conf file content:
cd /usr/local/samba???/bin
testparm -s ../lib/smb.conf

mkdir /usr/local/samba/logs

If all looks OK attach the server to the AD using:
cd /usr/local/samba/bin
./net ads join -U Administrator


NB: this may take a number of hours to sync across the network


[Samba] Mapping drive

2011-05-19 Thread bgermann
We have a server running Linux with a Samba shared directory.  We have several
Windows XP machines that map the Samba shared directory using the same user
name and password.  All has gone well for a couple of years.  Now, on some
of the machines, it won't allow the mapping of the Samba share, reporting
"Access denied".  I have made sure that the proper user name and password are
used.  There have been no recent updates on the server or user's
computer...that we know of.  One hint of a problem is that the Windows
machines appear to be trying to send the Windows machine's group name as
part of the login, which I know it didn't do before.

Any ideas?

Thanks to all that answer
Brian

Brian Germann
Wayne Enterprises Inc.
Linden, CA
209-887-2008
mailto:br...@revolution911.com
http://www.revolution911.com




[Samba] Strange problem with my new PDC

2011-05-19 Thread Marc Richter
Hi everyone,

I have set up a new server, based on Ubuntu Linux.
Since the Samba version from its repository was too old for my purposes, I
downloaded and installed Samba from source (version 3.5.8). Everything went
fine so far.

We currently run an older version (3.0.26a) of Samba as PDC.

I copied the tdbsam databases from the current PDC over to the new one. This
seems to have worked very well, since all users and computer accounts were
accessible by pdbedit. I could also log on with my old credentials, too! My
password was accepted, my roaming profile was read and written correctly, etc.
All seems very good.

Now to the problem:
I asked two colleagues of mine to try their logins with a Windows Server 2008
R2 and a Windows 7 system. They can log in, but are immediately logged off
again. They do not even see the Desktop for a short time. This was tested on
several Windows 7 and Server 2008 systems now and it happens everywhere. I can
log on with my user without a problem on any system.

I cannot find anything relevant in the logs, but that doesn't have to mean
much, since this seems very cryptic to me. I tried and googled for three days
now! Could anyone please assist me with this issue?

You can find two logfiles in the attached archive. One is named Success.log and
the other one Failing.log.
The PDC is named thalos. The Windows 2008 R2 machine from which the two
logins are done is named gollum. The domain is named MFC2.
The user who succeeds is named mr and the one who is failing is named
ab.

I could really use help here ...

Best regards,
Marc

s3-testparm Warn more on incorrect use of 'password server'

2011-05-19 Thread Stefan (metze) Metzmacher
Hi Andrew,

> commit 06435acf3b9afa94019f7654cda4ad9386c6384b
> Author: Andrew Bartlett abart...@samba.org
> Date:   Wed May 18 11:53:34 2011 +1000
>
> s3-testparm Warn more on incorrect use of 'password server'

The usage of password server in security = ads setup is very common.

We should really only print a warning, so I guess we need to remove the
ret = 1 there.

metze





autobuild: intermittent test failure detected

2011-05-19 Thread Andrew Tridgell
The autobuild test system has detected an intermittent failing test in 
the current master tree.

The autobuild log of the failure is available here:

   http://git.samba.org/autobuild.flakey/2011-05-19-1634/flakey.log

The samba3 build logs are available here:

   http://git.samba.org/autobuild.flakey/2011-05-19-1634/samba3.stderr
   http://git.samba.org/autobuild.flakey/2011-05-19-1634/samba3.stdout

The source4 build logs are available here:

   http://git.samba.org/autobuild.flakey/2011-05-19-1634/samba4.stderr
   http://git.samba.org/autobuild.flakey/2011-05-19-1634/samba4.stdout
  
The top commit at the time of the failure was:

commit 66c3d5d74b25b9b7703c2f48fd02a43f1d2ae9f2
Author: Jeremy Allison j...@samba.org
Date:   Wed May 18 15:28:28 2011 -0700

Fix bug found when building on an IPv6-only system by Kai Blin.

When building on IPv6-only, doing:

hints.ai_family = AF_INET;
getaddrinfo("0.0.0.0", NULL, &hints, &ppres)

fails as AF_INET is unavailable on an IPv6-only system. This
causes us to fallback to our replacement getaddrinfo code
which is IPv4-only.

As we're only trying to detect a specific AIX bug here,
broaden the tests to find that bug, and also test for
working getaddrinfo in an IPv6-only safe way.

Autobuild-User: Jeremy Allison j...@samba.org
Autobuild-Date: Thu May 19 02:21:54 CEST 2011 on sn-devel-104


[SCM] Samba Shared Repository - branch master updated

2011-05-19 Thread Volker Lendecke
The branch, master has been updated
   via  d753b3b fix the WAF build
   via  0645deb s3: Do central cli_set_error
   via  bc7df52 s3: Remove the use of cli->inbuf/outbuf from cli_session_request
   via  efbed2c s3: Add sync read_smb
   via  e7e43ba s3: Make read_smb_send/recv public
  from  66c3d5d Fix bug found when building on an IPv6-only system by Kai Blin.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit d753b3b0639d88579ce4d7118bfb586207017316
Author: Volker Lendecke v...@samba.org
Date:   Thu May 19 17:37:19 2011 +0200

fix the WAF build

Autobuild-User: Volker Lendecke vlen...@samba.org
Autobuild-Date: Thu May 19 18:46:51 CEST 2011 on sn-devel-104

commit 0645deb1b4a70e45f88116fae16ec7f3a1b4d5ed
Author: Volker Lendecke v...@samba.org
Date:   Thu May 19 13:43:15 2011 +0200

s3: Do central cli_set_error

commit bc7df5265345c6dfc32dcdc02826d6c73179805f
Author: Volker Lendecke v...@samba.org
Date:   Thu May 19 09:12:13 2011 +0200

s3: Remove the use of cli->inbuf/outbuf from cli_session_request

commit efbed2ce90ff10cd82543f22cba1fe0a4cfbb7fd
Author: Volker Lendecke v...@samba.org
Date:   Thu May 19 08:36:54 2011 +0200

s3: Add sync read_smb

commit e7e43ba6a135b23865a7c9363a0ee0f479696067
Author: Volker Lendecke v...@samba.org
Date:   Thu May 19 08:23:50 2011 +0200

s3: Make read_smb_send/recv public

---

Summary of changes:
 source3/Makefile.in|1 +
 source3/libsmb/async_smb.c |   90 +-
 source3/libsmb/cliconnect.c|  125 ---
 source3/libsmb/clifile.c   |  116 -
 source3/libsmb/clifsinfo.c |9 --
 source3/libsmb/clilist.c   |9 --
 source3/libsmb/clioplock.c |3 -
 source3/libsmb/clirap.c|   12 --
 source3/libsmb/clireadwrite.c  |   10 --
 source3/libsmb/clitrans.c  |3 -
 source3/libsmb/read_smb.c  |  134 
 .../testspoolss.h = source3/libsmb/read_smb.h |   39 ++
 source3/wscript_build  |2 +-
 13 files changed, 203 insertions(+), 350 deletions(-)
 create mode 100644 source3/libsmb/read_smb.c
 copy testprogs/win32/spoolss/testspoolss.h = source3/libsmb/read_smb.h (58%)


Changeset truncated at 500 lines:

diff --git a/source3/Makefile.in b/source3/Makefile.in
index 847f811..03b4273 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -595,6 +595,7 @@ LIBSMB_OBJ = libsmb/clientgen.o libsmb/cliconnect.o 
libsmb/clifile.o \
 libsmb/clistr.o libsmb/cliquota.o libsmb/clifsinfo.o 
libsmb/clidfs.o \
 libsmb/clioplock.o libsmb/clirap2.o \
 libsmb/smb_seal.o libsmb/async_smb.o \
+libsmb/read_smb.o \
 libsmb/cli_np_tstream.o \
 libsmb/smbsock_connect.o \
 $(LIBSAMBA_OBJ) \
diff --git a/source3/libsmb/async_smb.c b/source3/libsmb/async_smb.c
index 82dbc74..dfab82a 100644
--- a/source3/libsmb/async_smb.c
+++ b/source3/libsmb/async_smb.c
@@ -25,93 +25,7 @@
 #include async_smb.h
 #include smb_crypt.h
 #include libsmb/nmblib.h
-
-/*
- * Read an smb packet asynchronously, discard keepalives
- */
-
-struct read_smb_state {
-   struct tevent_context *ev;
-   int fd;
-   uint8_t *buf;
-};
-
-static ssize_t read_smb_more(uint8_t *buf, size_t buflen, void *private_data);
-static void read_smb_done(struct tevent_req *subreq);
-
-static struct tevent_req *read_smb_send(TALLOC_CTX *mem_ctx,
-   struct tevent_context *ev,
-   int fd)
-{
-   struct tevent_req *result, *subreq;
-   struct read_smb_state *state;
-
-   result = tevent_req_create(mem_ctx, state, struct read_smb_state);
-   if (result == NULL) {
-   return NULL;
-   }
-   state-ev = ev;
-   state-fd = fd;
-
-   subreq = read_packet_send(state, ev, fd, 4, read_smb_more, NULL);
-   if (subreq == NULL) {
-   goto fail;
-   }
-   tevent_req_set_callback(subreq, read_smb_done, result);
-   return result;
- fail:
-   TALLOC_FREE(result);
-   return NULL;
-}
-
-static ssize_t read_smb_more(uint8_t *buf, size_t buflen, void *private_data)
-{
-   if (buflen  4) {
-   return 0;   /* We've been here, we're done */
-   }
-   return smb_len_large(buf);
-}
-
-static void read_smb_done(struct tevent_req *subreq)
-{
-   struct tevent_req *req = tevent_req_callback_data(
-   subreq, struct tevent_req);
-   struct read_smb_state *state = tevent_req_data(
-   req, struct 
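
Review bot: read_smb_more(), removed here on its way to read_smb.c, returns smb_len_large(buf) taken straight from the 4-byte header, so the peer decides how many bytes read_packet_send() is asked to collect. With read_smb_send() no longer static, that deserves a sentence in read_smb.h, together with the "discard keepalives" behaviour from the block comment deleted in this hunk, so new callers know that no size limit is applied at this layer and that any cap has to be enforced by them.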

[SCM] Samba Shared Repository - branch master updated

2011-05-19 Thread Volker Lendecke
The branch, master has been updated
   via  58b77f2 s3: Remove a use of cli_send_smb
  from  d753b3b fix the WAF build

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 58b77f226767f5641a3fc0ecd557b613c6441c66
Author: Volker Lendecke v...@samba.org
Date:   Thu May 19 18:48:09 2011 +0200

s3: Remove a use of cli_send_smb

Autobuild-User: Volker Lendecke vlen...@samba.org
Autobuild-Date: Thu May 19 20:11:33 CEST 2011 on sn-devel-104

---

Summary of changes:
 source3/torture/torture.c |   99 -
 1 files changed, 53 insertions(+), 46 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/torture/torture.c b/source3/torture/torture.c
index c3497f7..a28078f 100644
--- a/source3/torture/torture.c
+++ b/source3/torture/torture.c
@@ -37,6 +37,7 @@
 #include libsmb/nmblib.h
 #include ../lib/util/tevent_ntstatus.h
 #include util_tdb.h
+#include libsmb/read_smb.h
 
 extern char *optarg;
 extern int optind;
@@ -237,75 +238,81 @@ static struct cli_state *open_nbt_connection(void)
 static bool cli_bad_session_request(struct cli_state *cli,
  struct nmb_name *calling, struct nmb_name *called)
 {
-char *p;
-int len = 4;
-int namelen = 0;
-char *tmp;
+   TALLOC_CTX *frame;
+   uint8_t len_buf[4];
+   struct iovec iov[3];
+   ssize_t len;
+   uint8_t *inbuf;
+   int err;
+   bool ret = false;
 
 memcpy((cli-calling), calling, sizeof(*calling));
 memcpy((cli-called ), called , sizeof(*called ));
 
-/* put in the destination name */
+   /* 445 doesn't have session request */
+   if (cli-port == 445)
+   return True;
 
-tmp = name_mangle(talloc_tos(), cli-called.name,
-  cli-called.name_type);
-if (tmp == NULL) {
-return false;
-}
+   frame = talloc_stackframe();
 
-p = cli-outbuf+len;
-namelen = name_len((unsigned char *)tmp, talloc_get_size(tmp));
-if (namelen  0) {
-memcpy(p, tmp, namelen);
-len += namelen;
-}
-TALLOC_FREE(tmp);
+   iov[0].iov_base = len_buf;
+   iov[0].iov_len  = sizeof(len_buf);
 
-   /* Deliberately corrupt the name len (first byte) */
-   *p = 100;
+   /* put in the destination name */
 
-/* and my name */
+   iov[1].iov_base = name_mangle(talloc_tos(), called-name,
+ called-name_type);
+   if (iov[1].iov_base == NULL) {
+   goto fail;
+   }
+   iov[1].iov_len = name_len((unsigned char *)iov[1].iov_base,
+ talloc_get_size(iov[1].iov_base));
 
-tmp = name_mangle(talloc_tos(), cli-calling.name,
-  cli-calling.name_type);
-if (tmp == NULL) {
-return false;
-}
+   /* and my name */
+
+   iov[2].iov_base = name_mangle(talloc_tos(), calling-name,
+ calling-name_type);
+   if (iov[2].iov_base == NULL) {
+   goto fail;
+   }
+   iov[2].iov_len = name_len((unsigned char *)iov[2].iov_base,
+ talloc_get_size(iov[2].iov_base));
 
-p = cli-outbuf+len;
-namelen = name_len((unsigned char *)tmp, talloc_get_size(tmp));
-if (namelen  0) {
-memcpy(p, tmp, namelen);
-len += namelen;
-}
-TALLOC_FREE(tmp);
/* Deliberately corrupt the name len (first byte) */
-   *p = 100;
+   *((uint8_t *)iov[2].iov_base) = 100;
 
-/* send a session request (RFC 1002) */
-/* setup the packet length
+   /* send a session request (RFC 1002) */
+   /* setup the packet length
  * Remove four bytes from the length count, since the length
  * field in the NBT Session Service header counts the number
  * of bytes which follow.  The cli_send_smb() function knows
  * about this and accounts for those four bytes.
  * CRH.
  */
-len -= 4;
-_smb_setlen(cli-outbuf,len);
-SCVAL(cli-outbuf,0,0x81);
 
-cli_send_smb(cli);
-DEBUG(5,(Sent session request\n));
+   _smb_setlen(len_buf, iov[1].iov_len + iov[2].iov_len);
+   SCVAL(len_buf,0,0x81);
 
-if (!cli_receive_smb(cli))
-return False;
+   len = write_data_iov(cli-fd, iov, 3);
+   if (len == -1) {
+   goto fail;
+   }
+   len = read_smb(cli-fd, talloc_tos(), inbuf, err);
+   if (len == -1) {
+   errno = err;
+   goto fail;
+   }
 
-if (CVAL(cli-inbuf,0) != 0x82) {
+if (CVAL(inbuf,0) != 0x82) {
 /* This is the 
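
Review bot: iov[1].iov_len and iov[2].iov_len take the return value of name_len() unchecked, whereas the removed code guarded the copy with a test on namelen; a negative return stored in iov_len would become a huge length handed to write_data_iov(). Check the result before filling in the iovec and goto fail otherwise. Also, the old code overwrote the first byte of both the called and the calling name with 100, while the new code corrupts only iov[2], the calling name; if that narrowing of the test is intended, the commit message should say so. The early "return True" for port 445 sits oddly next to "bool ret = false" and should use the same spelling.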

[SCM] Samba Shared Repository - branch master updated

2011-05-19 Thread Christian Ambach
The branch, master has been updated
   via  642c6ba Fix Bug 8152 - smbd crash in release_ip()
  from  58b77f2 s3: Remove a use of cli_send_smb

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 642c6ba2b9c581bacfcb9a6cb4c5c95d446263ce
Author: Christian Ambach a...@samba.org
Date:   Thu May 19 18:13:40 2011 +0200

Fix Bug 8152 - smbd crash in release_ip()

release_ip() needs the private_data, but it was never saved away
to feed it into release_ip() later

Autobuild-User: Christian Ambach a...@samba.org
Autobuild-Date: Thu May 19 21:21:14 CEST 2011 on sn-devel-104

---

Summary of changes:
 source3/lib/ctdbd_conn.c |5 +
 source3/smbd/process.c   |3 +++
 2 files changed, 8 insertions(+), 0 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/lib/ctdbd_conn.c b/source3/lib/ctdbd_conn.c
index d271869..f422906 100644
--- a/source3/lib/ctdbd_conn.c
+++ b/source3/lib/ctdbd_conn.c
@@ -1358,6 +1358,11 @@ NTSTATUS ctdbd_register_ips(struct ctdbd_connection 
*conn,
}
 
conn-release_ip_handler = release_ip_handler;
+   /*
+* store the IP address of the server socket for later
+* comparison in release_ip()
+*/
+   conn-release_ip_priv = private_data;
 
/*
 * We want to be told about IP releases
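
Review bot: the new comment says the IP address of the server socket is stored, but the assignment keeps the caller's private_data pointer rather than a copy, so ctdbd_register_ips() now depends on that memory staying valid for as long as the release_ip handler can fire. State that lifetime requirement where the function is documented (or duplicate the data onto conn), and reword the comment to say that it is the handler's private pointer being saved.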
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index d58baeb..5f9845c 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -2358,6 +2358,9 @@ static void release_ip(const char *ip, void *priv)
p = addr + 7;
}
 
+   DEBUG(10, (Got release IP message for %s, 
+  our address is %s\n, ip, p));
+
if ((strcmp(p, ip) == 0) || ((p != addr)  strcmp(addr, ip) == 0)) {
/* we can't afford to do a clean exit - that involves
   database writes, which would potentially mean we


-- 
Samba Shared Repository