Re: [Samba] Samba 4 and GSSAPI kerberos ldap connect
On 01/17/2012 09:40 PM, Gémes Géza wrote:
> Hi,
>
> See comments inline:
>
>> Hi everyone
>>
>> I'm trying to use kerberos to authenticate to Samba 4 ldap. At the moment, I authenticate by specifying the binddn and password in /etc/nslcd.conf and all works fine
>>
>> If I add the line:
>>
>>     sasl_mech GSSAPI
>
> That should suffice, but please note, that nslcd should also have access to some kind of keytab, to authenticate itself. This is done on Debian/Ubuntu via the /etc/default/nsldcd.conf (mine is looking like):
>
>     # Defaults for nslcd init script
>
>     # Whether to start k5start (for obtaining and keeping a Kerberos ticket)
>     # By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
>     # and krb5_ccname is set to a file-type ticket cache.
>     # Set to yes to force starting k5start, any other value will not start
>     # k5start.
>     K5START_START=yes
>
>     # Options for k5start.
>     K5START_BIN=/usr/bin/k5start
>     K5START_KEYTAB=/etc/krb5.keytab
>     K5START_CCREFRESH=60
>     K5START_PRINCIPAL=host/$(hostname -f)
>
> And must have k5start installed (it is a wrapper which keeps fresh tickets for long running services)
>
>> to /etc/nslcd.conf and restart nslcd, no one can connect to the database. Nothing works. ldapsearch and getent passwd draw a blank.
>>
>> ldapsearch -x -b '' -sbase supportedSASLMechanisms gives me:
>>
>>     dn:
>>     supportedSASLMechanisms: GSS-SPNEGO
>>     supportedSASLMechanisms: GSSAPI
>>     supportedSASLMechanisms: NTLM
>>
>> but ldapsearch -Y GSSAPI gives:
>>
>>     SASL/GSSAPI authentication started
>>     ldap_sasl_interactive_bind_s: Local error (-2)
>>     additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
>
> before you can do an SASL/GSSAPI based ldap operation you must have valid kerberos tickets (so do a kinit first)!
>
>> and Samba gives:
>>
>>     Kerberos: TGS-REQ administra...@hh3.site from ipv4:192.168.1.3:56859 for ldap/hh3.s...@hh3.site [canonicalize, renewable]
>>     Kerberos: Searching referral for hh3.site
>>     Kerberos: Returning a referral to realm SITE for server ldap/hh3.s...@hh3.site that was not found
>>     Failed find a single entry for ((objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got 0
>>     Kerberos: samba_kdc_fetch: could not find principal in DB
>>     Kerberos: Server not found in database: krbtgt/s...@hh3.site: no such entry found in hdb
>>     Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:56859
>>
>> I've tried making a ldap principal but samba-tool spn doesn't let me add an ldap principal.
>>
>> Any ideas anyone?
>> Thanks,
>> Steve
>
> Regards
>
> Geza

Hi Geza

OK. Now on Ubuntu. I have k5init installed and have made a host principal:

    klist -k /etc/host.keytab
    Keytab name: WRFILE:/etc/host.keytab
    KVNO Principal
    --
    1 host/hh3.s...@hh3.site
    1 host/hh3.s...@hh3.site
    1 host/hh3.s...@hh3.site

Just to be sure I have:

    ls -la /etc/host.keytab
    -rw-rw-rw- 1 root root 193 2012-01-18 11:34 /etc/host.keytab

    cat /etc/default/nslcd
    # Defaults for nslcd init script

    # Whether to start k5start (for obtaining and keeping a Kerberos ticket)
    # By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
    # and krb5_ccname is set to a file-type ticket cache.
    # Set to yes to force starting k5start, any other value will not start
    # k5start.
    K5START_START=yes

    # Options for k5start.
    K5START_BIN=/usr/bin/k5start
    K5START_KEYTAB=/etc/host.keytab
    K5START_CCREFRESH=60
    #K5START_PRINCIPAL=host/$(hostname -f)
    K5START_PRINCIPAL=host/HH3.SITE -f

I did kinit Administrator and have a cache in /tmp/krbcc_0

    cat /etc/nslcd.conf
    uid nslcd
    gid nslcd
    uri ldap://127.0.0.1
    base dc=hh3,dc=site
    binddn cn=Administrator,cn=Users,dc=hh3,dc=site
    map passwd uid sAMAccountName
    map passwd homeDirectory unixHomeDirectory
    map shadow uid sAMAccountName
    sasl_mech GSSAPI
    sasl_realm HH3.SITE
    krb5_ccname /tmp/krb5cc_0

But:

    service nslcd restart
     * Restarting LDAP connection daemon nslcd [ OK ]
     * Stopping Keep alive Kerberos ticket k5start
    No process in pidfile '/var/run/nslcd/k5start_nslcd.pid' found running; none killed. [ OK ]
     * Starting Keep alive Kerberos ticket k5start
    k5start: error getting credentials: Client not found in Kerberos database [fail] [ OK ]

and Samba gives:

    Kerberos: AS-REQ host/hh3.s...@hh3.site from ipv4:192.168.1.3:38618 for krbtgt/hh3.s...@hh3.site
    Kerberos: UNKNOWN -- host/hh3.s...@hh3.site: no such entry found in hdb

Why isn't the host principal being found?

Ahhgg!! Where to start? Any ideas?
Cheers,
Steve

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
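A local consistency check for the k5start/nslcd setup discussed in the thread above, as an added example that is not part of the original posts and not code from nslcd or Samba. It takes the text of the defaults file, the output of `klist -k` and the keytab's file mode, and reports a keytab readable or writable beyond its owner, an assignment that sh would not treat as an assignment, and a `K5START_PRINCIPAL` with no key in the keytab. The principal names, realm and hostname in the sample data are constructed placeholders; the check says nothing about whether the KDC itself knows the principal, which is what the "no such entry found in hdb" message reports.

```python
import re
import stat

# Constructed sample inputs modelled on the thread; all names are placeholders.
SAMPLE_DEFAULTS = """\
K5START_START=yes
K5START_BIN=/usr/bin/k5start
K5START_KEYTAB=/etc/host.keytab
K5START_CCREFRESH=60
#K5START_PRINCIPAL=host/$(hostname -f)
K5START_PRINCIPAL=host/EXAMPLE.TEST -f
"""
SAMPLE_KLIST = """\
Keytab name: WRFILE:/etc/host.keytab
KVNO Principal
---- --------------------------------------
   1 host/dc1.example.test@EXAMPLE.TEST
   1 host/dc1.example.test@EXAMPLE.TEST
"""
SAMPLE_MODE = 0o100666  # st_mode of a regular file shown as -rw-rw-rw- by ls

ASSIGN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_defaults(text, fqdn):
    """Parse a sh-style defaults file; return (settings, problems)."""
    settings, problems = {}, []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = ASSIGN.match(line)
        if not match:
            problems.append(f"line {number}: not an assignment: {line!r}")
            continue
        key, value = match.groups()
        # The only command substitution handled is the one in the packaged default.
        value = value.replace("$(hostname -f)", fqdn)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        elif re.search(r"\s", value):
            # sh reads `VAR=a b` as "run b with VAR=a in its environment",
            # so VAR is never set in the script that sources this file.
            problems.append(f"line {number}: unquoted whitespace in {key}")
            value = value.split()[0]
        settings[key] = value
    return settings, problems


def keytab_principals(klist_text):
    """Principals listed by plain `klist -k` ('<kvno> <principal>' rows)."""
    found = set()
    for line in klist_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            found.add(parts[1])
    return found


def audit(defaults_text, klist_text, keytab_mode, fqdn):
    """Return a list of findings; an empty list means the checks passed."""
    settings, findings = parse_defaults(defaults_text, fqdn)

    perms = stat.S_IMODE(keytab_mode)
    if perms & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(
            f"keytab mode {perms:04o} exposes long-term keys to group/other; "
            "expected 0600"
        )

    wanted = settings.get("K5START_PRINCIPAL")
    principals = keytab_principals(klist_text)
    # Accept the principal with or without its realm.
    names = principals | {p.split("@", 1)[0] for p in principals}
    if wanted is None:
        findings.append("K5START_PRINCIPAL is not set")
    elif wanted not in names:
        findings.append(f"principal {wanted!r} has no key in the keytab")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DEFAULTS, SAMPLE_KLIST, SAMPLE_MODE,
                         fqdn="dc1.example.test"):
        print(finding)
```

On a live host the three inputs would come from the defaults file, `klist -k <keytab>` and `os.stat(<keytab>).st_mode`.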
[Samba] Internal DNS server question [Was: Great LWN Samba article !]
On Wed, 2012-01-18 at 08:51 +0100, Daniel Müller wrote:
> In this article there is told about an internal dns server for samba4. Is there a version of samba4 out where I can test it.

Will this internal DNS server replicate to/from an MS-AD DNS server?

--
System Network Administrator [ LPI NCLA ] http://www.whitemiceconsulting.com
OpenGroupware Developer http://www.opengroupware.us
Adam Tauno Williams
[Samba] Samba 4 will not start after new checkout
Version 4.0.0alpha18-GIT-e75c436
Ubuntu 11.10

Built now with

    make clean
    ./configure.developer
    make
    make install

samba -i -d3 gives this:

    ldb: unable to stat module ${PREFIX}/modules/ldb : No such file or directory
    ldb_wrap open of privilege.ldb
    samba: using 'standard' process model
    Unknown process model 'standard'

my $PREFIX should be /usr/local/samba I think. The path is there and I can export PREFIX=/usr/local/samba but nada. Also, what about Unknown process model 'standard'.

Can anyone help?
Thanks
Steve
Re: [Samba] Samba4 error joining W2003 DC
Hi,

While I wait for someone to give me a hand, I've been searching and searching and trying to find a workaround for my problem. I've tried to vampire from the windows 2003 server and it could get some part of the tree, but barely 98 records from 533 that I can see with ldapsearch.

Also, the servers are not replicating to the samba server and when I do samba-tool drs kcc -Uadministrator windowsdc.samba.example.com (with the proper data) I get

    # bin/samba-tool drs kcc -Uadministrador montecarlotv.com.uy
    Password for [CANAL4\administrador]:
    Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for e3514235-4b06-11d1-ab04-00c04fc2dcd2@ncacn_ip_tcp:montecarlotv.com.uy[1024,seal] NT_STATUS_NET_WRITE_FAULT
    ERROR(class 'samba.drs_utils.drsException'): DRS connection to montecarlotv.com.uy failed - drsException: DRS connection to montecarlotv.com.uy failed: (-1073741614, 'NT_STATUS_NET_WRITE_FAULT')
      File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/drs.py, line 42, in drsuapi_connect
        (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
      File /usr/local/samba/lib64/python2.6/site-packages/samba/drs_utils.py, line 56, in drsuapi_connect
        raise drsException(DRS connection to %s failed: %s % (server, e))

So, I'm still stuck needing a helping hand

Thanks,
JPL
Re: [Samba] Samba server dropping off the domain
Well, I have been unable to find out why our server drops after 15 to 40 minutes. Gone over everything on the domain servers and not seeing any errors there. And no error message on the samba side either. So I took out my sledge hammer and pounded the square peg into the circle hole with a crontab to rejoin to the domain every 10 minutes. I found I do not need to stop and restart samba for this. That's working, and I can move on to other things.

On 1/5/12 3:11 PM, Don Krause wrote:
> On Jan 5, 2012, at 2:00 PM, CJ Keist wrote:
>> I have strange problem. Installed 3.6.1 on SL Linux (Scientific Linux release 6.1 (Carbon)).
>>
>> Compiled:
>>
>>     ./configure --prefix=/WWW/apps/samba-3.6.1 --with-quotas --disable-shared-libs
>>
>> make and make install all clean. Joined to our windows domain via command:
>>
>>     ./net join -S domainserver -w DOMAIN -U adminuser
>>
>> Start up Samba via web gui and all is working for about 40 minutes to an hour. At which point it stops allowing connections. Only fix is to stop Samba and rerun the net join command and then restart Samba which it will work for about 40 minutes and then stop again.
>>
>> Anyone seen this before?
>>
>> Conf:
>>
>>     [global]
>>     workgroup = DOMAIN
>>     server string = Web Server
>>     security = DOMAIN
>>     passdb backend = smbpasswd
>>     map untrusted to domain = Yes
>>     log level = 1
>>     log file = /var/log/samba/logs/log.%m
>>     name resolve order = host bcast
>>     unix extensions = No
>>     keepalive = 0
>>     max open files = 1
>>     socket options = TCP_NODELAY SO_KEEPALIVE
>>     load printers = No
>>     dns proxy = No
>>     lock spin time = 3
>>     remote announce = xxx.xx.xxx.xx
>>     idmap config * : range =
>>     idmap config * : backend = tdb
>>     strict locking = No
>>
>>     [WWW]
>>     comment = Web Pages
>>     path = /WWW/docs
>>     read only = No
>>     create mask = 0774
>>     directory mask = 0775
>>     inherit permissions = Yes
>>
>> --
>> C. J. Keist                     Email: cj.ke...@colostate.edu
>> Systems Group Manager           Solaris 10 OS (SAI)
>> Engineering Network Services    Phone: 970-491-0630
>> College of Engineering, CSU     Fax: 970-491-5569
>> Ft. Collins, CO 80523-1301
>
> We've seen this recently as well, Samba 3.5.0 on Ubuntu (9.04 or 9.10), against a pair of 2008r2 AD servers. (Security = ADS)
>
> Fortunately, we're usually good for a week or so. This is a recent event on a box that had been running great for over a year.
>
> Sorry, I don't know a fix yet.
>
> --
> Don Krause
> Head Systems Geek, Waver of Deceased Chickens.
> Optivus Proton Therapy, Inc.
> P.O. Box 608
> Loma Linda, California 92354
> 909.799.8327 Tel
> 909.799.8366 Fax
> dkra...@optivus.com
> www.optivus.com
> This message represents the official view of the voices in my head.

--
C. J. Keist                     Email: cj.ke...@colostate.edu
Systems Group Manager           Solaris 10 OS (SAI)
Engineering Network Services    Phone: 970-491-0630
College of Engineering, CSU     Fax: 970-491-5569
Ft. Collins, CO 80523-1301

All I want is a chance to prove 'Money can't buy happiness'
Re: [Samba] Can't compile 3.6.2 on Solaris 11
I did. See the bug I filed:

https://bugzilla.samba.org/show_bug.cgi?id=8557

Andy

On Tue, 17 Jan 2012, Blaster wrote:
> No one has attempted to compile 3.6.1 on Solaris 11 at all?
>
> On 1/8/2012 11:24 AM, Blaster wrote:
>> Trying to compile Samba 3.6.2 on Solaris 11, getting the following error:
>>
>>     gmake
>>     Using CFLAGS = -O -I. -I/export/home1/src/samba-3.6.1/source3 -I/export/home1/src/samba-3.6.1/source3/../lib/iniparser/src -Iinclude -I./include -I. -I. -I./../lib/replace -I./../lib/tevent -I./librpc -I./.. -I./../lib/talloc -I../lib/tdb/include -DHAVE_CONFIG_H -D_REENTRANT -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DLDAP_DEPRECATED -DSUNOS5 -I/export/home1/src/samba-3.6.1/source3/lib -I.. -D_SAMBA_BUILD_=3 -D_SAMBA_BUILD_=3
>>     PICFLAG= -fPIC
>>     LIBS = -lsendfile -lresolv -lnsl -lsocket -liconv -laio
>>     LDFLAGS= -pie -lintl -R/opt/samba/lib -L/usr/ccs/lib -R/usr/ccs/lib -L/usr/sfw/lib -R/usr/sfw/lib -L/opt/samba/lib -R/opt/samba/lib -lthread -L./bin
>>     DYNEXP =
>>     LDSHFLAGS = -fPIC -shared -lintl -R/opt/samba/lib -L/usr/ccs/lib -R/usr/ccs/lib -L/usr/sfw/lib -R/usr/sfw/lib -L/opt/samba/lib -R/opt/samba/lib -lthread -L./bin -lc -Wl,-z,defs
>>     SHLIBEXT = so
>>     SONAMEFLAG = -Wl,-h,
>>     Linking shared library bin/libnetapi.so.0
>>     Undefined                       first referenced
>>      symbol                             in file
>>     tdb_jenkins_hash                    lib/util.o
>>     wbcSidsToUnixIds                    passdb/lookup_sid.o
>>     tdb_transaction_start_nonblock      lib/gencache.o
>>     ld: fatal: symbol referencing errors. No output written to bin/libnetapi.so.0
>>     collect2: ld returned 1 exit status
>>     gmake: *** [bin/libnetapi.so.0] Error 1
>>
>> my configure line:
>>
>>     ./configure --prefix=/opt/samba --with-automount --with-acl-support --enable-socket-wrapper --with-sys-quotas --with-aio-support --enable-shared --enable-cups --enable-swat --with-quotas --enable-nss-wrapper --without-pam LDFLAGS=-lintl -R/opt/samba/lib -L/usr/ccs/lib -R/usr/ccs/lib -L/usr/sfw/lib -R/usr/sfw/lib -L/opt/samba/lib -R/opt/samba/lib
>>
>> Any idea what library I'm missing?
>>
>> Thanks...
Re: [Samba] Can't compile 3.6.2 on Solaris 11
I'm sorry. I was compiling on Solaris 10, not Solaris 11. Apparently there are problems on both. If you are having a problem compiling on Solaris 11, you should probably file a new bug.

Andy

On Wed, 18 Jan 2012, Andrew Morgan wrote:
> I did. See the bug I filed:
>
> https://bugzilla.samba.org/show_bug.cgi?id=8557
>
> Andy
Re: [Samba] Samba 4 will not start after new checkout
Are you using bind9.8, 9.7 or the internal bind server?

On Wed, Jan 18, 2012 at 11:21 AM, steve st...@steve-ss.com wrote:
> Version 4.0.0alpha18-GIT-e75c436
> Ubuntu 11.10
>
> Built now with
>
>     make clean
>     ./configure.developer
>     make
>     make install
>
> samba -i -d3 gives this:
>
>     ldb: unable to stat module ${PREFIX}/modules/ldb : No such file or directory
>     ldb_wrap open of privilege.ldb
>     samba: using 'standard' process model
>     Unknown process model 'standard'
>
> my $PREFIX should be /usr/local/samba I think. The path is there and I can export PREFIX=/usr/local/samba but nada. Also, what about Unknown process model 'standard'.
>
> Can anyone help?
> Thanks
> Steve

--
Charles Tryon
It's the job that's never started that takes longest to finish. -- Samwise Gamgee
Re: [Samba] Samba 4 will not start after new checkout
Hi

I couldn't get any bind to work for Ubuntu on previous checkouts except 9.9.0b1

Have modified source4/dns_server/dlz_minimal.h

Is bind the prob? If so how do I use the internal bind?

Thanks
Steve

On 01/18/2012 07:31 PM, Charles Tryon wrote:
> Are you using bind9.8, 9.7 or the internal bind server?
Re: [Samba] Error while display user info using wbinfo command
On 01/17/2012 7:35 PM, kartheek katakam wrote:
> Hello,
>
> I was trying to integrate AD to Cent OS 6 server. As part of it I was running into this error, listed below. Authentication is successful against the AD server using wbinfo, but can't able to list user information using wbinfo. Not sure what might be the issue.
>
> error message:
>
>     [2012/01/17 15:12:49.472876, 1] winbindd/idmap_ad.c:651(idmap_ad_sids_to_unixids)
>       Could not get unix ID
>
>     [root@HOSTNAME1V ~]# wbinfo -a z5073%Car108
>     plaintext password authentication succeeded
>     challenge/response password authentication succeeded
>     [root@HOSTNAME1V ~]# wbinfo -i z5073
>     Could not get info for user z5073
>     [root@HOSTNAME1V ~]#
>
> Thanks Regards,

You didn't state the Samba version you are using, but if it's 3.6.x, then it may be related to this bug:

https://bugzilla.samba.org/show_bug.cgi?id=8676

Dale
Re: [Samba] Samba 4 will not start after new checkout
Ummm... no, unless it's with using ANY external bind rather than the internal one. I'm now finding that ALL the test systems that I have tried to update to the latest GIT repository are failing. I'm dead in the water. =8-0

On Wed, Jan 18, 2012 at 1:48 PM, steve st...@steve-ss.com wrote:
> Hi
>
> I couldn't get any bind to work for Ubuntu on previous checkouts except 9.9.0b1
>
> Have modified source4/dns_server/dlz_minimal.h
>
> Is bind the prob? If so how do I use the internal bind?
>
> Thanks
> Steve

--
Charles Tryon
It's the job that's never started that takes longest to finish. -- Samwise Gamgee
[Samba] winbind not working with openlikewise
Hello all,

I'm having a problem with winbind not able to start. I've joined an active directory domain successfully using likewise and for brief time this was working, people were able to mount drives by their active directory account. I know that likewise is working because I'm successfully able to ssh into the box using these accounts. But now winbind has stubbornly refused to start. Yet strangely when I run net ads info I get good information back but winbind claims this

    Could not fetch our SID - did we join?

Any thoughts?

thank you
eric

ubuntu 10.4 LTS
likewise-open   5.4.0.42111-2ubu
samba           2:3.4.7~dfsg-1ub

error message:

    [2012/01/18 11:03:18, 0] winbindd/winbindd.c:1258(main)
      winbindd version 3.4.7 started.
      Copyright Andrew Tridgell and the Samba Team 1992-2009
    [2012/01/18 11:03:18, 0] winbindd/winbindd_cache.c:2578(initialize_winbindd_cache)
      initialize_winbindd_cache: clearing cache and re-creating with version number 1
    [2012/01/18 11:03:18, 0] winbindd/winbindd_util.c:782(init_domain_list)
      Could not fetch our SID - did we join?
    [2012/01/18 11:03:18, 0] winbindd/winbindd.c:1399(main)
      unable to initialize domain list

    root@iron:~# net ads info
    LDAP server: 192.168.1.220
    LDAP server name: lewis.ts3d.lan
    Realm: TS3D.LAN
    Bind Path: dc=TS3D,dc=LAN
    LDAP port: 389
    Server time: Wed, 18 Jan 2012 11:02:33 PST
    KDC server: 192.168.1.220
    Server time offset: 6

smb.conf

    workgroup = TS3D
    realm = TS3D.LAN
    server string = %h server (Samba, Ubuntu)
    security = ADS
    idmap backend = lwopen
    idmap uid = 6000-99
    idmap gid = 12000-99
    encrypt passwords = yes
    winbind use default domain = yes

    LSA Server Status:
    Compiled daemon version: 5.0.0.0
    Packaged product version: 5.4.0.42111
    Uptime: 0 days 18 hours 3 minutes 31 seconds
    [Authentication provider: lsa-activedirectory-provider]
    Status: Online
    Mode: Un-provisioned
    Domain: TS3D.LAN
    Forest: ts3d.lan
    Site: Default-First-Site-Name
    Online check interval: 300 seconds
    [Trusted Domains: 4]
    [Domain: TS3D]
    DNS Domain: ts3d.lan
    Netbios name: TS3D
    Forest name: ts3d.lan
    Trustee DNS name:
    Client site name: Default-First-Site-Name
    Domain SID: S-1-5-21-1829495566-3183369087-890321766
    Domain GUID: 2e91032e-23fb-ba48-881d-b29c3c40f2bd
    Trust Flags: [0x001d]
      [0x0001 - In forest]
      [0x0004 - Tree root]
      [0x0008 - Primary]
      [0x0010 - Native]
    Trust type: Up Level
    Trust Attributes: [0x]
    Trust Direction: Primary Domain
    Trust Mode: In my forest Trust (MFT)
    Domain flags: [0x0001]
      [0x0001 - Primary]
    [Domain Controller (DC) Information]
    DC Name: lewis.ts3d.lan
    DC Address: xxx.xxx.xxx
    DC Site: Default-First-Site-Name
    DC Flags: [0x33fd]
    DC Is PDC: yes
    DC is time server: yes
    DC has writeable DS: yes
    DC is Global Catalog: yes
    DC is running KDC: yes

eric

Eric Smith
Senior Network Administrator | Tech Soft 3D
http://www.techsoft3d.com
skype: eric_ae_smith
phone: 510-333-1729
Build with the Best
[Samba] LDAP password store
Hi all,

I have an openLDAP backend on my Samba installation, and it's using the LDAP attribute sambaNTPassword to store the NT hashed password for the users. This is allowing for windows users to auth against the PDC and linux users are authenticating through the samba PAM module

Now, I want to use this openLDAP backend for a GoogleApps SSO service and this expects to find the password as a SHA hashed password in the LDAP entry userPassword

So, I'd like samba to take its auth from this password field or else we will end up with out of sync passwords; one for some services and one for others.

Suggestions?

Thanks
Tom Harvey
Re: [Samba] winbind not working with openlikewise
On Wed, Jan 18, 2012 at 07:36:31PM +, Eric Smith wrote:
> I'm having a problem with winbind not able to start. I've joined an active directory domain successfully using likewise and for brief time this was working, people were able to mount drives by their active directory account. I know that likewise is working because I'm successfully able to ssh into the box using these accounts. But now winbind has stubbornly refused to start. Yet strangely when I run net ads info I get good information back but winbind claims this
>
>     Could not fetch our SID - did we join?
>
> Any thoughts?

As far as I know parts of likewise functionality is exactly what winbind does. So it does not really make sense to run them simultaneously. Either run winbind or run likewise.

With best regards,

Volker Lendecke

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kont...@sernet.de
[Samba] Hello
I am working with samba4 alpha 18 + debian 6. I am following the steps at the URL https://wiki.samba.org/index.php/Samba4/HOWTO, but today I updated to samba master with the command git pull and everything is ok. The problem was when I performed step 4 of the how to, referring to

    ./source4/setup/provision --realm=samdom.example.com --domain=SAMDOM --adminpass=SOMEPASSWORD --server-role='domain controller'

The errors were

    ldb: unable to stat module $[prefix}/modlue/ldb bo such file or directory

and bind9 does not create the named.conf in /usr/local/samba/private

Can somebody help me?
Re: [Samba] winbind not working with openlikewise
Here's where it gets opaque, I don't see a clear documentation for the tools that are used by samba to make calls into open-likewise db. One document I found, Likewise Samba Guild makes the claim that winbind is necessary, which makes sense is that the beast that is going be making calls into a wins system.

I assume I'm completely wrong, but there's no documentation pointing that way.

So my question is this, with open likewise 5 and samba 3, does it use when winbind via the idmap backend = lwopen setting?

eric

Eric Smith
Senior Network Administrator | Tech Soft 3D
http://www.techsoft3d.com
skype: eric_ae_smith
phone: 510-333-1729
Build with the Best

On Jan 18, 2012, at 1:45 PM, Volker Lendecke wrote:
> As far as I know parts of likewise functionality is exactly what winbind does. So it does not really make sense to run them simultaneously. Either run winbind or run likewise.
>
> With best regards,
>
> Volker Lendecke
>
> --
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-37-0, fax: +49-551-37-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
> http://www.sernet.de, mailto:kont...@sernet.de
Re: [Samba] Great LWN Samba article !
On 2012-01-18 18:51, Daniel Müller wrote:

Hi Daniel,

> In this article there is told about an internal dns server for samba4. Is there a version of samba4 out where I can test it.

This is checked into the master branch. A current checkout should get you there. provision with --dns_backend=SAMBA_INTERNAL

There is also an allow dns updates setting that you can set to True to allow unsigned DNS updates from your clients. Signed updates are not supported so far.

I'll try to make some time to document this stuff on the wiki, but I'm currently at a conference, so no promises on when I'll get around to this.

Cheers,
Kai

--
Kai Blin
Worldforge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/
Re: [Samba] winbind not working with openlikewise
On Wed, Jan 18, 2012 at 11:06:45PM +, Eric Smith wrote:

> Here's where it gets opaque, I don't see a clear documentation for the tools that are used by samba to make calls into open-likewise db. One document I found, Likewise Samba Guild makes the claim that winbind is necessary, which makes sense is that the beast that is going to be making calls into a wins system. I assume I'm completely wrong, but there's no documentation pointing that way.
>
> So my question is this, with open likewise 5 and samba 3, does it use when winbind via the idmap backend = lwopen setting?

No clue, sorry. Upstream Samba does not have a lwopen idmap backend, so this must be an addition by Likewise to a modified version of Samba. Samba has the idmap_adex and idmap_hash backends, which were contributed by Likewise (correct me if I'm wrong here), but no lwopen backend.

Please contact Likewise for more support on this.

Volker Lendecke

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kont...@sernet.de
[SCM] SAMBA-CTDB repository - branch master deleted - 488de939b78125ac38822760102e05298a5e70c5
The branch, master has been deleted was 488de939b78125ac38822760102e05298a5e70c5 --- 488de939b78125ac38822760102e05298a5e70c5 Fix a cutpaste error --- -- SAMBA-CTDB repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via e75c436 s3-passdb: trying to decouple passdb and secrets a little. from a325e7b s3: Fix bug 8695 http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit e75c436fe6a9ee44f6adc744b6269e99f4920431 Author: Günther Deschner g...@samba.org Date: Mon Oct 17 22:00:45 2011 +0200 s3-passdb: trying to decouple passdb and secrets a little. Guenther Autobuild-User: Günther Deschner g...@samba.org Autobuild-Date: Wed Jan 18 14:46:18 CET 2012 on sn-devel-104 --- Summary of changes: source3/Makefile.in|3 +- source3/include/secrets.h |3 - source3/passdb/machine_sid.c |2 +- source3/passdb/pdb_interface.c |1 + source3/passdb/pdb_secrets.c | 137 .../secacl.h = source3/passdb/pdb_secrets.h | 22 ++-- source3/passdb/secrets.c | 99 -- source3/wscript_build |3 +- 8 files changed, 153 insertions(+), 117 deletions(-) create mode 100644 source3/passdb/pdb_secrets.c copy libcli/security/secacl.h = source3/passdb/pdb_secrets.h (60%) Changeset truncated at 500 lines: diff --git a/source3/Makefile.in b/source3/Makefile.in index 810fdaf..f2d8942 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -808,7 +808,8 @@ PASSDB_OBJ = $(PASSDB_GET_SET_OBJ) passdb/passdb.o passdb/pdb_interface.o \ passdb/login_cache.o @PDB_STATIC@ \ passdb/account_pol.o $(PRIVILEGES_OBJ) \ lib/util_nscd.o lib/winbind_util.o $(SERVER_MUTEX_OBJ) \ - passdb/pdb_util.o passdb/pdb_ldap_schema.o + passdb/pdb_util.o passdb/pdb_ldap_schema.o \ + passdb/pdb_secrets.o DEVEL_HELP_WEIRD_OBJ = ../lib/util/charset/weird.o CHARSET_MACOSXFS_OBJ = ../lib/util/charset/charset_macosxfs.o diff --git a/source3/include/secrets.h b/source3/include/secrets.h index 3e36f2e..705a329 100644 --- a/source3/include/secrets.h +++ b/source3/include/secrets.h 
@@ -116,9 +116,6 @@ char *secrets_fetch_machine_password(const char *domain, bool trusted_domain_password_delete(const char *domain); bool secrets_store_ldap_pw(const char* dn, char* pw); bool fetch_ldap_pw(char **dn, char** pw); -struct trustdom_info; -NTSTATUS secrets_trusted_domains(TALLOC_CTX *mem_ctx, uint32 *num_domains, -struct trustdom_info ***domains); bool secrets_store_afs_keyfile(const char *cell, const struct afs_keyfile *keyfile); bool secrets_fetch_afs_key(const char *cell, struct afs_key *result); void secrets_fetch_ipc_userpass(char **username, char **domain, char **password); diff --git a/source3/passdb/machine_sid.c b/source3/passdb/machine_sid.c index b242cff..bc663f0 100644 --- a/source3/passdb/machine_sid.c +++ b/source3/passdb/machine_sid.c @@ -21,7 +21,7 @@ */ #include includes.h -#include passdb.h +#include passdb/machine_sid.h #include secrets.h #include dbwrap/dbwrap.h #include ../libcli/security/security.h diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c index b202d43..410ea77 100644 --- a/source3/passdb/pdb_interface.c +++ b/source3/passdb/pdb_interface.c @@ -32,6 +32,7 @@ #include nsswitch/winbind_client.h #include ../libcli/security/security.h #include ../lib/util/util_pw.h +#include passdb/pdb_secrets.h #undef DBGC_CLASS #define DBGC_CLASS DBGC_PASSDB diff --git a/source3/passdb/pdb_secrets.c b/source3/passdb/pdb_secrets.c new file mode 100644 index 000..30262c9 --- /dev/null +++ b/source3/passdb/pdb_secrets.c 
@@ -0,0 +1,137 @@ +/* + Unix SMB/CIFS implementation. + Copyright (C) Andrew Tridgell 1992-2001 + Copyright (C) Andrew Bartlett 2002 + Copyright (C) Rafal Szczesniak 2002 + Copyright (C) Tim Potter 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see http://www.gnu.org/licenses/. +*/ + +/* the Samba secrets database stores any generated, private information + such as the local SID and machine trust password */ + +#include includes.h +#include passdb.h +#include passdb/pdb_secrets.h +#include librpc/gen_ndr/ndr_secrets.h +#include secrets.h
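Review bot: the source3/include/secrets.h hunk removes the secrets_trusted_domains() prototype and the struct trustdom_info forward declaration, yet among the visible hunks only pdb_interface.c gains the include of passdb/pdb_secrets.h. Any other caller that still includes only secrets.h loses the prototype, so please confirm that every user of secrets_trusted_domains() now pulls in the new header. The machine_sid.c hunk also swaps passdb.h for passdb/machine_sid.h in the same commit; that is a separate include cleanup and would be easier to review on its own. The one-line commit message does not say which functions moved into pdb_secrets.c, and a sentence listing them would document the split.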
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via d2bf6af s3: Use lock_order for setting the db priority via d2068d3 s3: Pass down lock_order to db_open_ctdb via b9e8060 Revert Fix bug #8175 - smbd deadlock. via cf77a21 s3: Change locking order between brlock and locking via 333c923 s3: Enforce a lock order in dbwrap via 45e61fc s3: Add a lock_order argument to db_open from e75c436 s3-passdb: trying to decouple passdb and secrets a little. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d2bf6af1651c44b29d69be6944cd6148d90caed0 Author: Volker Lendecke v...@samba.org Date: Mon Jan 16 13:42:52 2012 +0100 s3: Use lock_order for setting the db priority Autobuild-User: Volker Lendecke vlen...@samba.org Autobuild-Date: Wed Jan 18 16:21:52 CET 2012 on sn-devel-104 commit d2068d33a4adcb10037c63c092669efe7f077b8e Author: Volker Lendecke v...@samba.org Date: Mon Jan 16 12:50:44 2012 +0100 s3: Pass down lock_order to db_open_ctdb commit b9e806050f65b3f787a797c125131200e59304d2 Author: Volker Lendecke v...@samba.org Date: Fri Jan 13 14:10:44 2012 +0100 Revert Fix bug #8175 - smbd deadlock. This reverts commit 5a2b5b6cfed74e0e9c2965525995f64cdad7b7c9. commit cf77a21c633807b178fb716dba7a6284cca58511 Author: Volker Lendecke v...@samba.org Date: Fri Jan 13 13:26:41 2012 +0100 s3: Change locking order between brlock and locking But 8175 was fixed in a way that brlock.tdb was always locked before locking.tdb. This patch fixes the bug in a different way. locking.tdb is the central tdb for files and should always be locked first. This patch solves the problem by postponing the level2 break messages, which are async anyway. commit 333c92384b0680b8f8e5198dd68d49b249b34ec7 Author: Volker Lendecke v...@samba.org Date: Sun Jan 8 19:04:39 2012 +0100 s3: Enforce a lock order in dbwrap This makes sure we do not deadlock from doing two dbwrap_fetch_locked in two processes in different orders. At open time, we assign a strict order to all databases. 
lock_order 1 will be locked first, lock_order 2 second. No two records of the same lock order may be locked at the same time. commit 45e61fcf61ed9863fbe2b116fe0763fc139bbe0d Author: Volker Lendecke v...@samba.org Date: Fri Jan 6 17:19:54 2012 +0100 s3: Add a lock_order argument to db_open This will be used to enforce a lock hierarchy between the databases. We have seen deadlocks between locking.tdb, brlock.tdb, serverid.tdb and notify*.tdb. These should be fixed by refusing a dbwrap_fetch_locked that does not follow a defined lock hierarchy. --- Summary of changes: source3/groupdb/mapping_tdb.c |3 +- source3/lib/conn_tdb.c |3 +- source3/lib/dbwrap/dbwrap.c | 81 +- source3/lib/dbwrap/dbwrap_ctdb.c| 24 - source3/lib/dbwrap/dbwrap_ctdb.h|5 ++- source3/lib/dbwrap/dbwrap_open.c| 25 - source3/lib/dbwrap/dbwrap_open.h|8 +++- source3/lib/dbwrap/dbwrap_private.h |3 + source3/lib/dbwrap/dbwrap_rbt.c |1 + source3/lib/g_lock.c|3 +- source3/lib/serverid.c |3 +- source3/lib/sessionid_tdb.c |3 +- source3/lib/sharesec.c |3 +- source3/locking/brlock.c|3 +- source3/locking/share_mode_lock.c |3 +- source3/modules/nfs4_acls.c |3 +- source3/modules/vfs_acl_tdb.c |3 +- source3/modules/vfs_xattr_tdb.c |3 +- source3/passdb/account_pol.c|5 +- source3/passdb/pdb_tdb.c|9 ++- source3/passdb/secrets.c|3 +- source3/printing/printer_list.c |2 +- source3/registry/reg_backend_db.c |9 ++- source3/smbd/notify_internal.c |6 ++- source3/smbd/open.c | 94 ++- source3/smbd/oplock.c | 66 +--- source3/torture/torture.c |2 +- source3/utils/dbwrap_tool.c |3 +- source3/utils/dbwrap_torture.c |3 +- source3/utils/net_idmap.c | 12 +++-- source3/utils/net_idmap_check.c |3 +- source3/utils/net_registry_check.c |6 ++- source3/utils/status.c |3 +- source3/winbindd/idmap_autorid.c|3 +- source3/winbindd/idmap_tdb.c|3 +- source3/winbindd/idmap_tdb2.c |3 +- 36 files changed, 294 insertions(+), 121 deletions(-) Changeset truncated at 500 lines: 
diff --git a/source3/groupdb/mapping_tdb.c b/source3/groupdb/mapping_tdb.c index 1dea9e4..088874f 100644 --- a/source3/groupdb/mapping_tdb.c +++ b/source3/groupdb/mapping_tdb.c @@ -53,7 +53,8 @@ static bool init_group_mapping(void)
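The lock hierarchy that the "Enforce a lock order in dbwrap" and "Add a lock_order argument to db_open" commit messages above describe, as an added C example that is not Samba's dbwrap code. All type and function names are hypothetical, and the orders given to locking.tdb (1) and brlock.tdb (2) are assumptions drawn from the statement that locking.tdb should always be locked first.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration with hypothetical names; not Samba's dbwrap code. */
#define LOCK_ORDER_MAX 3

struct toy_db {
	const char *name;
	int lock_order;	/* 1..LOCK_ORDER_MAX, fixed when the db is opened */
};

/* Per-process record of which lock orders currently hold a record lock. */
struct lock_tracker {
	const struct toy_db *held[LOCK_ORDER_MAX];	/* held[i] is order i+1 */
};

enum lock_result {
	LOCK_OK,
	LOCK_ERR_BAD_ORDER,	/* db was opened without a valid lock order */
	LOCK_ERR_SAME_ORDER,	/* a record of this order is already locked */
	LOCK_ERR_OUT_OF_ORDER	/* a higher order is held: hierarchy violated */
};

/* Constructed sample databases; the order values are assumptions. */
const struct toy_db locking_db = { "locking.tdb", 1 };
const struct toy_db brlock_db = { "brlock.tdb", 2 };
const struct toy_db unordered_db = { "constructed.tdb", 0 };

/* Refuse any record lock that does not follow the hierarchy. */
enum lock_result toy_fetch_locked(struct lock_tracker *t,
				  const struct toy_db *db)
{
	int i;

	if (db->lock_order < 1 || db->lock_order > LOCK_ORDER_MAX) {
		return LOCK_ERR_BAD_ORDER;
	}
	/* No two records of the same lock order at the same time. */
	if (t->held[db->lock_order - 1] != NULL) {
		return LOCK_ERR_SAME_ORDER;
	}
	/* Holding any higher order means this lock would come too late. */
	for (i = db->lock_order; i < LOCK_ORDER_MAX; i++) {
		if (t->held[i] != NULL) {
			return LOCK_ERR_OUT_OF_ORDER;
		}
	}
	t->held[db->lock_order - 1] = db;
	return LOCK_OK;
}

/* Release the record lock held on db; false if db holds none. */
bool toy_unlock(struct lock_tracker *t, const struct toy_db *db)
{
	if (db->lock_order < 1 || db->lock_order > LOCK_ORDER_MAX ||
	    t->held[db->lock_order - 1] != db) {
		return false;
	}
	t->held[db->lock_order - 1] = NULL;
	return true;
}

/* Lock first, then second, in a fresh process; report the outcome. */
enum lock_result try_pair(const struct toy_db *first,
			  const struct toy_db *second)
{
	struct lock_tracker t = { { NULL } };
	enum lock_result r = toy_fetch_locked(&t, first);

	if (r != LOCK_OK) {
		return r;
	}
	return toy_fetch_locked(&t, second);
}

/* Releasing the higher order makes the lower order lockable again. */
enum lock_result relock_after_release(void)
{
	struct lock_tracker t = { { NULL } };

	if (toy_fetch_locked(&t, &brlock_db) != LOCK_OK ||
	    !toy_unlock(&t, &brlock_db)) {
		return LOCK_ERR_BAD_ORDER;
	}
	return toy_fetch_locked(&t, &locking_db);
}

int main(void)
{
	printf("locking then brlock:  %d\n", try_pair(&locking_db, &brlock_db));
	printf("brlock then locking:  %d\n", try_pair(&brlock_db, &locking_db));
	printf("locking twice:        %d\n", try_pair(&locking_db, &locking_db));
	printf("relock after release: %d\n", relock_after_release());
	return 0;
}
```

Two processes that both go through such a check can only ever take locking.tdb before brlock.tdb, so the opposite-order acquisition that produces a deadlock is rejected instead of blocking.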
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 6411faf auth/gensec: align common elements between gse_context and gensec_gssapi_state via e249bdd s3-gse: align common elements between gse_context and gensec_gssapi_state via 6727978 s3-gensec: Add hook to allow gensec to know if kerberos is permitted via 45ec777 s3-gse: Make gensec_gse cope with non-DCE GSSAPI via 545c1ad s3-gse: the server should not check for GSS_C_MUTUAL_FLAG via c5864de s3-gse: verify that we got GSS_C_DCE_STYLE when expected via ed88012 s3-gse Remove authenticated flag from gse via c759097 s3-gse remove special more_processing hook from gse via 5b90bcf s3-gse Rename gss_c_flags and ret_flags in gse via cf39b63 s3-gse Rename gss_ctx to match gensec_gssapi_context via e8c8d29 s3-gse Rename delegated_creds to match gensec_gssapi_context via 40715e1 s3-librpc: pass struct ndr_interface_table down to cli_pipe_open_generic/spnego() via 9729bdf s3-utils/net: pass struct ndr_interface_table down via 34d5253 s3-rpcclient: pass struct ndr_interface_table down via c62af4f s3-librpc Make cli_rpc_pipe_open_spnego_ntlmssp() generic via f14bcdf s3-gse gss_wrap_iov_length() only needs the type and length via 23a062b s3-gse Make seal parameter a boolean for clarity via f2efb0f s3-librpc Remove special case for spnego session key via 1818612 s3-librpc Remove special case for spnego dcerpc sign/seal via ad14b8c s3-gse Move GSS_C_DCE_STYLE backup definition to gse.c via 0132cca s3-gse Add const via 90efbe0 s3-gse Remove or make static unused/local-only GSE functions via 1b5870a s3-librpc Remove unused dcesrv_gssapi.[ch] functions via f70c9fb s3-librpc Remove layer around struct gensec_security via 5ddec11 s3-librpc: Simplify SPNEGO code now that all mechs use a struct gensec_security via 0c1b4c2 s3-librpc Call SPENGO/GSSAPI via the auth_generic layer and gensec via 53cc9c6 s3-librpc Allow spnego_generic_init_client to handle kerberos too via e012ad9 s3-librpc Call GSSAPI via the auth_generic layer and gensec via 1b63562 
s3-libsmb Use the gse_krb5 gensec module as client via d95d591 s3-gse Make gse available as a gensec client module via 60e1aa7 s3-build: Rework object lists to allow gse gensec module via cbd8231 s3-gse: Add gensec wrapper for gse GSSAPI client via 43092cc s3-auth Match session setup handling of krb5, store the PAC via f8c9ae3 s3-auth Add auth hook for PAC parsing from d2bf6af s3: Use lock_order for setting the db priority http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 6411faf379e002605f5397c693d11760ba615abc Author: Andrew Bartlett abart...@samba.org Date: Wed Jan 11 11:52:13 2012 +1100 auth/gensec: align common elements between gse_context and gensec_gssapi_state Signed-off-by: Stefan Metzmacher me...@samba.org Autobuild-User: Stefan Metzmacher me...@samba.org Autobuild-Date: Wed Jan 18 19:29:40 CET 2012 on sn-devel-104 commit e249bdd32ef9d6342901c596bba825c731d96180 Author: Andrew Bartlett abart...@samba.org Date: Wed Jan 11 11:52:13 2012 +1100 s3-gse: align common elements between gse_context and gensec_gssapi_state Signed-off-by: Stefan Metzmacher me...@samba.org commit 67279780dd5742397918b532b4bc5e89072ab82d Author: Andrew Bartlett abart...@samba.org Date: Thu Jan 12 21:16:36 2012 +1100 s3-gensec: Add hook to allow gensec to know if kerberos is permitted Signed-off-by: Stefan Metzmacher me...@samba.org commit 45ec777e0ea78a1194980624ac9127a42b4b29fe Author: Andrew Bartlett abart...@samba.org Date: Sat Jan 14 11:40:18 2012 +1100 s3-gse: Make gensec_gse cope with non-DCE GSSAPI The validation of the mutual authentication reply produces no further data to send to the server. Andrew Bartlett Signed-off-by: Stefan Metzmacher me...@samba.org commit 545c1ad1b939015b618a1a979c435dbba70845bd Author: Stefan Metzmacher me...@samba.org Date: Sat Jan 14 11:28:28 2012 +0100 s3-gse: the server should not check for GSS_C_MUTUAL_FLAG It up to the client to ask for GSS_C_MUTUAL_FLAG, except for the dcerpc case, where the server is stricter. 
metze commit c5864deadcd24dcf1f9a99607deacc635e091fd4 Author: Stefan Metzmacher me...@samba.org Date: Sat Jan 14 11:27:21 2012 +0100 s3-gse: verify that we got GSS_C_DCE_STYLE when expected GSS_C_DCE_STYLE implies GSS_C_MUTUAL_FLAG, so also check for it. metze commit ed88012dd22c330117ed81c9adcc9e5c6e545bf8 Author: Andrew Bartlett abart...@samba.org Date: Wed Jan 11 11:39:17 2012 +1100 s3-gse Remove authenticated flag from gse The only user for this flag is called only
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 6d14128 s3-aio-pthread: num threads should be int from 6411faf auth/gensec: align common elements between gse_context and gensec_gssapi_state http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 6d141282424f1eb62ee225a32e376162b773e7a8 Author: Volker Lendecke v...@samba.org Date: Wed Jan 18 18:12:57 2012 +0100 s3-aio-pthread: num threads should be int Autobuild-User: Volker Lendecke vlen...@samba.org Autobuild-Date: Wed Jan 18 21:04:20 CET 2012 on sn-devel-104 --- Summary of changes: source3/modules/vfs_aio_pthread.c |6 ++ 1 files changed, 2 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/modules/vfs_aio_pthread.c b/source3/modules/vfs_aio_pthread.c index b6d4e1e..aeacf28 100644 --- a/source3/modules/vfs_aio_pthread.c +++ b/source3/modules/vfs_aio_pthread.c @@ -61,10 +61,8 @@ static void aio_pthread_handle_completion(struct event_context *event_ctx, static int aio_get_num_threads(struct vfs_handle_struct *handle) { - return lp_parm_bool(SNUM(handle-conn), - aio_pthread, - aio num threads, - 100); + return lp_parm_int(SNUM(handle-conn), + aio_pthread, aio num threads, 100); } / -- Samba Shared Repository
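Review bot: aio_get_num_threads() returns the lp_parm_int() result unchecked, so a zero or negative aio num threads value in the configuration is handed straight to the caller as the thread count. Consider clamping it to a minimum of 1, and to a sane upper bound, before returning. The commit message could also note that the old lp_parm_bool() call reduced every configured value to a boolean, since that is the behaviour change an administrator will notice after upgrading.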
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated via 6e77eac Fix bug #8664 - Renaming a symlink fails if the symlink target is outside of the share. from c92513e idl: add to_null property http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log - commit 6e77eac8f21925460e3b1946c2c22f6eff296322 Author: Jeremy Allison j...@samba.org Date: Fri Dec 16 15:53:46 2011 -0800 Fix bug #8664 - Renaming a symlink fails if the symlink target is outside of the share. --- Summary of changes: source3/smbd/reply.c |6 -- 1 files changed, 4 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index b86ccd3..c0e8a98 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -6603,6 +6603,8 @@ void reply_mv(struct smb_request *req) TALLOC_CTX *ctx = talloc_tos(); struct smb_filename *smb_fname_src = NULL; struct smb_filename *smb_fname_dst = NULL; + uint32_t src_ucf_flags = lp_posix_pathnames() ? UCF_UNIX_NAME_LOOKUP : UCF_COND_ALLOW_WCARD_LCOMP; + uint32_t dst_ucf_flags = UCF_SAVE_LCOMP | (lp_posix_pathnames() ? 0 : UCF_COND_ALLOW_WCARD_LCOMP); bool stream_rename = false; START_PROFILE(SMBmv); @@ -6645,7 +6647,7 @@ void reply_mv(struct smb_request *req) conn, req-flags2 FLAGS2_DFS_PATHNAMES, name, - UCF_COND_ALLOW_WCARD_LCOMP, + src_ucf_flags, src_has_wcard, smb_fname_src); @@ -6663,7 +6665,7 @@ void reply_mv(struct smb_request *req) conn, req-flags2 FLAGS2_DFS_PATHNAMES, newname, - UCF_COND_ALLOW_WCARD_LCOMP | UCF_SAVE_LCOMP, + dst_ucf_flags, dest_has_wcard, smb_fname_dst); -- Samba Shared Repository
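Review bot: the two declarations added at the top of reply_mv() call lp_posix_pathnames() twice and pack the whole policy into two long ternaries with no comment. Evaluate it once into a local bool, and add a line explaining why the POSIX case switches the source lookup to UCF_UNIX_NAME_LOOKUP and drops UCF_COND_ALLOW_WCARD_LCOMP, with a reference to bug #8664, so the reasoning is available in the code and not only in the commit subject.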
[SCM] Samba Shared Repository - branch v3-5-test updated
The branch, v3-5-test has been updated via 33fd999 Fix bug #8664 - Renaming a symlink fails if the symlink target is outside of the share. from aa217fb s3-libads: fix malloc/talloc mismatch in ads_keytab_verify_ticket(). http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test - Log - commit 33fd99946178e3c2649b289580b1ae1285c46d23 Author: Jeremy Allison j...@samba.org Date: Fri Dec 16 12:13:52 2011 -0800 Fix bug #8664 - Renaming a symlink fails if the symlink target is outside of the share. --- Summary of changes: source3/smbd/reply.c |6 -- 1 files changed, 4 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index 12d20ff..9138aa6 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -6278,6 +6278,8 @@ void reply_mv(struct smb_request *req) TALLOC_CTX *ctx = talloc_tos(); struct smb_filename *smb_fname_src = NULL; struct smb_filename *smb_fname_dst = NULL; + uint32_t src_ucf_flags = lp_posix_pathnames() ? UCF_UNIX_NAME_LOOKUP : UCF_COND_ALLOW_WCARD_LCOMP; + uint32_t dst_ucf_flags = UCF_SAVE_LCOMP | (lp_posix_pathnames() ? 0 : UCF_COND_ALLOW_WCARD_LCOMP); START_PROFILE(SMBmv); @@ -6307,7 +6309,7 @@ void reply_mv(struct smb_request *req) conn, req-flags2 FLAGS2_DFS_PATHNAMES, name, - UCF_COND_ALLOW_WCARD_LCOMP, + src_ucf_flags, src_has_wcard, smb_fname_src); @@ -6325,7 +6327,7 @@ void reply_mv(struct smb_request *req) conn, req-flags2 FLAGS2_DFS_PATHNAMES, newname, - UCF_COND_ALLOW_WCARD_LCOMP | UCF_SAVE_LCOMP, + dst_ucf_flags, dest_has_wcard, smb_fname_dst); -- Samba Shared Repository
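Review bot: in the POSIX pathnames case src_ucf_flags becomes UCF_UNIX_NAME_LOOKUP while dst_ucf_flags is only UCF_SAVE_LCOMP, so the two names of one rename are resolved under different rules. If that asymmetry is intended, a comment next to dst_ucf_flags should say so. Because this path decides how a symlink whose target lies outside the share is treated, a regression test that renames such a symlink with and without POSIX pathnames would be worth adding alongside the backport.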
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 39c627b Fix bug 8710 - connections.tdb - major leak with SMB2. from 6d14128 s3-aio-pthread: num threads should be int http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 39c627b60754bd89c419b2d7e32d32c7a9af5a11 Author: Jeremy Allison j...@samba.org Date: Wed Jan 18 12:38:14 2012 -0800 Fix bug 8710 - connections.tdb - major leak with SMB2. Ensure the cnum used to claim the connection for SMB2 is the id that will be used for the SMB2 tcon. Based on code from Ira Cooper i...@wakeful.net. Autobuild-User: Jeremy Allison j...@samba.org Autobuild-Date: Wed Jan 18 23:14:32 CET 2012 on sn-devel-104 --- Summary of changes: source3/smbd/proto.h |6 ++- source3/smbd/service.c | 88 +- source3/smbd/smb2_tcon.c |6 ++-- 3 files changed, 78 insertions(+), 22 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h index 92b1443..d4ee4d2 100644 --- a/source3/smbd/proto.h +++ b/source3/smbd/proto.h @@ -971,8 +971,10 @@ bool set_current_service(connection_struct *conn, uint16 flags, bool do_chdir); void load_registry_shares(void); int add_home_service(const char *service, const char *username, const char *homedir); int find_service(TALLOC_CTX *ctx, const char *service, char **p_service_out); -connection_struct *make_connection_snum(struct smbd_server_connection *sconn, - int snum, user_struct *vuser, +struct smbd_smb2_tcon; +connection_struct *make_connection_smb2(struct smbd_server_connection *sconn, + struct smbd_smb2_tcon *tcon, + user_struct *vuser, DATA_BLOB password, const char *pdev, NTSTATUS *pstatus); diff --git a/source3/smbd/service.c b/source3/smbd/service.c index 6d6f963..4d55977 100644 --- a/source3/smbd/service.c +++ b/source3/smbd/service.c 
@@ -527,13 +527,13 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum) connecting user if appropriate. / -connection_struct *make_connection_snum(struct smbd_server_connection *sconn, +static connection_struct *make_connection_snum(struct smbd_server_connection *sconn, + connection_struct *conn, int snum, user_struct *vuser, DATA_BLOB password, const char *pdev, NTSTATUS *pstatus) { - connection_struct *conn = NULL; struct smb_filename *smb_fname_cpath = NULL; fstring dev; int ret; @@ -553,13 +553,6 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn, goto err_root_exit; } - conn = conn_new(sconn); - if (!conn) { - DEBUG(0,(Couldn't find free connection.\n)); - *pstatus = NT_STATUS_INSUFFICIENT_RESOURCES; - goto err_root_exit; - } - conn-params-service = snum; status = create_connection_session_info(sconn, @@ -609,7 +602,6 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn, status = set_conn_force_user_group(conn, snum); if (!NT_STATUS_IS_OK(status)) { - conn_free(conn); *pstatus = status; return NULL; } @@ -907,14 +899,76 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn, if (claimed_connection) { yield_connection(conn, lp_servicename(snum)); } - if (conn) { + return NULL; +} + +/ + Make a connection to a service from SMB1. Internal interface. +/ + +static connection_struct *make_connection_smb1(struct smbd_server_connection *sconn, + int snum, user_struct *vuser, + DATA_BLOB password, + const char *pdev, + NTSTATUS *pstatus) +{ + connection_struct *ret_conn = NULL; + connection_struct *conn = conn_new(sconn); + if (!conn) { + DEBUG(0,(make_connection_smb1: Couldn't find free connection.\n)); + *pstatus = NT_STATUS_INSUFFICIENT_RESOURCES; + return NULL; + } + ret_conn =
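Review bot: with conn_new() moved out of make_connection_snum(), the set_conn_force_user_group() failure path is left as `*pstatus = status; return NULL;`, without the conn_free() it had before and without going through err_root_exit like the other failures, and the `if (conn) {` cleanup at the end of the function is replaced by a bare `return NULL;`. Ownership of conn on failure therefore rests entirely with the new callers. Please state that contract in the function comment, route the set_conn_force_user_group() failure through err_root_exit for consistency, and make sure make_connection_smb1() and make_connection_smb2() free conn whenever NULL comes back, otherwise each failed tree connect leaks a connection_struct.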
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 6712997 dynconfig/wscript: correctly cleanup PRIVATELIBDIR and MODULESDIR defaults from 39c627b Fix bug 8710 - connections.tdb - major leak with SMB2. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 6712997839d72e603dac51c5a13eea468f89ab36 Author: Stefan Metzmacher me...@samba.org Date: Wed Jan 18 22:54:28 2012 +0100 dynconfig/wscript: correctly cleanup PRIVATELIBDIR and MODULESDIR defaults metze Autobuild-User: Stefan Metzmacher me...@samba.org Autobuild-Date: Thu Jan 19 00:47:50 CET 2012 on sn-devel-104 --- Summary of changes: dynconfig/wscript |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/dynconfig/wscript b/dynconfig/wscript index 517f76e..2a60a2a 100755 --- a/dynconfig/wscript +++ b/dynconfig/wscript @@ -260,6 +260,8 @@ def set_options(opt): option = opt.parser.get_option(k) if option: opt.parser.remove_option(k) +del opt.parser.defaults['PRIVATELIBDIR'] +del opt.parser.defaults['MODULESDIR'] # get all the basic GNU options from the gnu_dirs tool -- Samba Shared Repository
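Review bot: the two added `del opt.parser.defaults[...]` statements raise KeyError when PRIVATELIBDIR or MODULESDIR is not present in opt.parser.defaults, which would abort option setup. `opt.parser.defaults.pop('PRIVATELIBDIR', None)`, and the same for MODULESDIR, removes the entry without that failure mode. A comment saying why these two defaults have to be deleted in addition to the remove_option(k) calls just above would help too, since the commit message does not explain it.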
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 95c514a Now make_connection_snum() is a static function that takes a connection_struct as a parameter, fix the interface to allow it to return an NTSTATUS. from 6712997 dynconfig/wscript: correctly cleanup PRIVATELIBDIR and MODULESDIR defaults http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 95c514a010ad9a58d573cdc5a87a3551de95 Author: Jeremy Allison j...@samba.org Date: Wed Jan 18 20:52:47 2012 -0800 Now make_connection_snum() is a static function that takes a connection_struct as a parameter, fix the interface to allow it to return an NTSTATUS. Autobuild-User: Jeremy Allison j...@samba.org Autobuild-Date: Thu Jan 19 07:25:49 CET 2012 on sn-devel-104 --- Summary of changes: source3/smbd/service.c | 59 +-- 1 files changed, 26 insertions(+), 33 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/service.c b/source3/smbd/service.c index 4d55977..f4f6e9a 100644 --- a/source3/smbd/service.c +++ b/source3/smbd/service.c @@ -527,12 +527,11 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum) connecting user if appropriate. / -static connection_struct *make_connection_snum(struct smbd_server_connection *sconn, +static NTSTATUS make_connection_snum(struct smbd_server_connection *sconn, connection_struct *conn, int snum, user_struct *vuser, DATA_BLOB password, - const char *pdev, - NTSTATUS *pstatus) + const char *pdev) { struct smb_filename *smb_fname_cpath = NULL; fstring dev; @@ -545,11 +544,11 @@ static connection_struct *make_connection_snum(struct smbd_server_connection *sc fstrcpy(dev, pdev); - *pstatus = share_sanity_checks(sconn-remote_address, + status = share_sanity_checks(sconn-remote_address, sconn-remote_hostname, snum, dev); - if (NT_STATUS_IS_ERR(*pstatus)) { + if (NT_STATUS_IS_ERR(status)) { goto err_root_exit; } 
@@ -562,7 +561,6 @@ static connection_struct *make_connection_snum(struct smbd_server_connection *sc if (!NT_STATUS_IS_OK(status)) { DEBUG(1, (create_connection_session_info failed: %s\n, nt_errstr(status))); - *pstatus = status; goto err_root_exit; } @@ -602,8 +600,7 @@ static connection_struct *make_connection_snum(struct smbd_server_connection *sc status = set_conn_force_user_group(conn, snum); if (!NT_STATUS_IS_OK(status)) { - *pstatus = status; - return NULL; + goto err_root_exit; } conn-vuid = (vuser != NULL) ? vuser-vuid : UID_FIELD_INVALID; @@ -618,13 +615,13 @@ static connection_struct *make_connection_snum(struct smbd_server_connection *sc conn-session_info-info-domain_name, lp_pathname(snum)); if (!s) { - *pstatus = NT_STATUS_NO_MEMORY; + status = NT_STATUS_NO_MEMORY; goto err_root_exit; } if (!set_conn_connectpath(conn,s)) { TALLOC_FREE(s); - *pstatus = NT_STATUS_NO_MEMORY; + status = NT_STATUS_NO_MEMORY; goto err_root_exit; } DEBUG(3,(Connect path is '%s' for service [%s]\n,s, @@ -650,7 +647,7 @@ static connection_struct *make_connection_snum(struct smbd_server_connection *sc denied due to security descriptor.\n, lp_servicename(snum))); - *pstatus = NT_STATUS_ACCESS_DENIED; + status = NT_STATUS_ACCESS_DENIED; goto err_root_exit; } else { conn-read_only = True; @@ -661,7 +658,7 @@ static connection_struct *make_connection_snum(struct smbd_server_connection *sc if (!smbd_vfs_init(conn)) { DEBUG(0, (vfs_init failed for service %s\n, lp_servicename(snum))); - *pstatus = NT_STATUS_BAD_NETWORK_NAME; + status = NT_STATUS_BAD_NETWORK_NAME; goto err_root_exit;
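Review bot: after share_sanity_checks() the result is tested with NT_STATUS_IS_ERR(status), while every other check in these hunks uses !NT_STATUS_IS_OK(status). Now that status is also the function's return value, a non-OK code that is not of error severity would pass this test and the connect would carry on. Use !NT_STATUS_IS_OK(status) here as well unless the difference is deliberate, in which case a comment should say why. Separately, the set_conn_force_user_group() failure now jumps to err_root_exit instead of returning directly, so it is worth checking that everything under that label is safe to run at that early point.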