Re: [Samba] Samba network shares over VPN
This is a windows7 bug and not an openvpn one. I solve this by just connecting with openvpn and then running a script to map the drives with interactive username and password. If you use openvpn in bridge mode you do not need the scripts.

---
EDV Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Fernando Lozano
Sent: Wednesday, 22 February 2012 14:47
To: samba@lists.samba.org
Subject: [Samba] Samba network shares over VPN

Hi there,

I have two computers, one Windows XP other Windows 7 (actually a dozen each) which are members of a Samba domain. Users have no problem logging in to the domain, running the login script to map network drives and accessing files on them, for both computers.

I want to give users remote access using a VPN (OpenVPN to be exact). The idea is to login on a disconnected computer using a domain account cached profile, then connect to the VPN, then map network drives. OpenVPN allows running a batch file on connection successful and I use this to run the user login script from the PDC netlogon share.

The Windows XP computer does this fine. Happy remote users. But the Windows 7 doesn't. It asks for user login and password for each server (network drives are on different samba member servers).

Someone told me the problem should be related to the fact the TAP adapter (the VPN virtual network adapter) is considered by windows as an unknown network and classified as a public network. But I could not find a way to turn this into a home / work or domain network location.

I already tried customising and disabling windows firewall, no changes.

Any ideas on how to transparently access network shares from domain member servers over a vpn using windows 7?

[]s, Fernando Lozano

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Samba 3.5 to 3.6
Dear reader,

I tried to switch my server from samba 3.5 to 3.6. Unfortunately I was not successful. The smb.conf below works without any problems under 3.5.

With 3.6.3 I get the following error:

[2012/02/23 09:32:21.669389, 1] auth/server_info.c:391(samu_to_SamInfo3)
  The primary group domain sid(S-1-5-21-463168302-511420122-2937072671-513) does not match the domain sid(S-1-5-21-706331994-863180292-319919955) for mos(S-1-5-21-706331994-863180292-319919955-5019)
[2012/02/23 09:32:21.669528, 0] auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'

Any ideas ?

Cheers
Marco

    [global]
        workgroup = PSF
        netbios name = rhea
        server string = Test
        local master = no
        domain master = no
        preferred master = no
        os level = 100
        load printers = no
        security = user
        passdb backend = ldapsam:ldap://XXX ldap://YYY;
        guest account = Gast
        map acl inherit = yes
        ldap suffix = dc=XXX
        ldap user suffix = ou=People
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=People
        ldap admin dn = XXX
        ldap ssl = start tls
        ldap passwd sync = yes
        ldap delete dn = no
        socket options = TCP_NODELAY
        interfaces = br0
        bind interfaces only = Yes
        wins support = no
        wins server = 10.199.0.248
        dns proxy = yes
        keep alive = 60
        deadtime = 15
        log level = 1
        read raw = yes
        write raw = yes
        oplocks = yes
        kernel oplocks = yes
        max xmit = 65535
        getwd cache = yes
        create mode = 0666
        directory mask = 0777
        short preserve case = no
        preserve case = yes
        name resolve order = host bcast
        name cache timeout = 600
        enable privileges = yes
        Follow symlinks = yes
        write cache size = 262144
        strict allocate = yes
        use sendfile = yes
        encrypt passwords = true
        unix charset = UTF-8
        display charset = ISO8859-1
        dos charset = 850
        vfs objects = fileid
        fileid:algorithm = fsid

    [MyShare]
        comment = Test
        path = /data/local/samba
        public = yes
        guest ok = yes
        writeable = yes
        create mask = 0777
        directory mask = 0777
        force group = +Mitarbeiter
        oplocks = yes
        level2 oplocks = yes
        inherit acls = yes
Re: [Samba] samba 3.5.6 as PDC LDAP - roaming profile problem
I googled few days I tried all what I can find but with no luck. It will be great if somebody could help me with this because I have no idea what is a root cause of my issue.

Hi

The cause is usually because of wrong permissions on the profiles folder. Try the big hammer first:

Backup /profiles
chmod -R 0777 /profiles
comment out:
create mask = 0600
directory mask = 0700
create a new user
login as the new user.

That user should have his profile OK. Then put the security back one stage at a time until it doesn't work again.

HTH
Steve
Re: [Samba] samba 3.5.6 as PDC LDAP - roaming profile problem
Hi;

It didn't help. Now for /profiles I have permissions:

drwxrwxrwt 13 root root 4096 Feb 17 20:05 profiles

and if user login to domain first time its profile dir is created but nothing else ...

Now /profiles looks like:

/profiles
├── [drwx-- czarus Domain U] czarus
├── [drwx-- domainad domainad] domainadm
├── [drwxrwxrwx jas Domain A] jas
├── [drwx-- root root] root
├── [drwx-- sambaroo Domain U] sambaroot2
├── [drwx-- sambaroo Domain U] sambaroot2.V2
├── [drwx-- sambaroo Domain U] sambaroot3
├── [drwx-- sambaroo Domain U] sambaroot3.V2
├── [drwx-- test2Domain U] test2
│ └── [drwx-- test2Domain U] dfd
├── [drwx-- test5domainad] test5

2012/2/23 steve st...@steve-ss.com

I googled few days I tried all what I can find but with no luck. It will be great if somebody could help me with this because I have no idea what is a root cause of my issue.

Hi

The cause is usually because of wrong permissions on the profiles folder. Try the big hammer first:

Backup /profiles
chmod -R 0777 /profiles
comment out:
create mask = 0600
directory mask = 0700
create a new user
login as the new user.

That user should have his profile OK. Then put the security back one stage at a time until it doesn't work again.

HTH
Steve
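A check for the last step of that advice, putting the permissions back, as an added example that is not part of the original thread: it walks a profiles directory and reports profile folders that are not mode 0700, are owned by the wrong uid, or still contain world-writable entries after the recursive chmod. The tree it runs on is constructed in a temporary directory; `audit_profiles`, `profile_owner` and the `uid_of` mapping are hypothetical names, and 0700 as the expected mode is taken from the `directory mask = 0700` setting quoted above.

```python
import os
import stat
import tempfile


def profile_owner(dirname):
    """Map a profile directory name to its account name (drop a '.V2' suffix)."""
    return dirname[:-3] if dirname.upper().endswith(".V2") else dirname


def audit_profiles(root, uid_of):
    """Return a sorted list of (relative_path, problem) findings under root.

    uid_of maps account name -> numeric uid. Assumption: the caller builds it
    from the passwd/winbind database; it is passed in so the check stays pure.
    """
    findings = []
    for name in sorted(os.listdir(root)):
        top = os.path.join(root, name)
        st = os.lstat(top)
        if not stat.S_ISDIR(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:
            findings.append((name, "profile dir mode %04o, expected 0700" % mode))
        expected = uid_of.get(profile_owner(name))
        if expected is None:
            findings.append((name, "no account for this profile"))
        elif st.st_uid != expected:
            findings.append(
                (name, "owned by uid %d, expected %d" % (st.st_uid, expected)))
        # Entries left world-writable inside the profile by "chmod -R 0777".
        for dirpath, dirnames, filenames in os.walk(top):
            for entry in dirnames + filenames:
                path = os.path.join(dirpath, entry)
                est = os.lstat(path)
                if stat.S_ISLNK(est.st_mode):
                    continue  # symlink modes carry no meaning
                emode = stat.S_IMODE(est.st_mode)
                if emode & stat.S_IWOTH:
                    findings.append(
                        (os.path.relpath(path, root), "world-writable (%04o)" % emode))
    return sorted(findings)


def demo():
    """Build a constructed profiles tree and audit it."""
    root = tempfile.mkdtemp(prefix="profiles-")
    me = os.getuid()
    # Constructed layout: directory names borrowed from the listing above.
    for name, mode in {"czarus": 0o700, "jas": 0o777, "sambaroot2.V2": 0o700}.items():
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)
    leftover = os.path.join(root, "jas", "NTUSER.DAT")
    open(leftover, "w").close()
    os.chmod(leftover, 0o666)
    # sambaroot2 is given a different uid on purpose to show an owner mismatch.
    uid_of = {"czarus": me, "jas": me, "sambaroot2": me + 1}
    return audit_profiles(root, uid_of)


if __name__ == "__main__":
    for path, problem in demo():
        print("%-20s %s" % (path, problem))
```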
Re: [Samba] Samba 3.5 to 3.6
On 02/23/2012 11:38 AM, marco.schaer...@proteomics.com wrote:

[2012/02/23 09:32:21.669389, 1] auth/server_info.c:391(samu_to_SamInfo3)
  The primary group domain sid(S-1-5-21-463168302-511420122-2937072671-513) does not match the domain sid(S-1-5-21-706331994-863180292-319919955) for mos(S-1-5-21-706331994-863180292-319919955-5019)
[2012/02/23 09:32:21.669528, 0] auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'

The entries for the domain and the users/groups are inconsistent. Newer Samba versions added some more consistency checks.

So the primary group has domain SID
S-1-5-21-463168302-511420122-2937072671
while user mos has domain SID of
S-1-5-21-706331994-863180292-319919955

The domain SIDs need to be in sync to pass the semantical checks in Samba.

Cheers,
Christian
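The consistency rule Christian describes, as an added example that is not part of the original thread and not Samba's own code: it scans an LDIF export of an ldapsam tree for entries whose sambaSID or sambaPrimaryGroupSID lies outside the domain SID stored in the sambaDomainName entry. The LDIF is constructed (the SIDs for mos are the ones from the log above; the DNs, the user anna and the group staff are made up), the function names are hypothetical, and the minimal reader assumes unfolded, non-base64 lines.

```python
import re

# Account SID: domain part S-1-5-21-a-b-c followed by exactly one RID.
ACCOUNT_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid), or None for anything that is not an account SID."""
    m = ACCOUNT_SID.match(sid.strip())
    return (m.group(1), int(m.group(2))) if m else None


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines."""
    entries = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            key, sep, value = line.partition(": ")
            if sep:
                entry[key] = value.strip()
        if entry:
            entries.append(entry)
    return entries


def find_sid_mismatches(entries):
    """Return (domain_sid, [(who, attribute, foreign_domain_sid), ...])."""
    domain_sid = next(
        (e["sambaSID"] for e in entries if "sambaDomainName" in e), None)
    if domain_sid is None:
        raise ValueError("no sambaDomainName entry in the export")
    problems = []
    for e in entries:
        if "sambaDomainName" in e:
            continue
        who = e.get("uid") or e.get("cn") or e.get("dn", "?")
        for attr in ("sambaSID", "sambaPrimaryGroupSID"):
            parts = split_sid(e.get(attr, ""))
            if parts is None:
                continue  # attribute absent, or a well-known SID such as S-1-5-32-544
            if parts[0] != domain_sid:
                problems.append((who, attr, parts[0]))
    return domain_sid, problems


# Constructed sample export; only the SIDs of "mos" come from the log above.
SAMPLE_LDIF = """\
dn: sambaDomainName=PSF,dc=example
sambaDomainName: PSF
sambaSID: S-1-5-21-706331994-863180292-319919955

dn: uid=mos,ou=People,dc=example
uid: mos
sambaSID: S-1-5-21-706331994-863180292-319919955-5019
sambaPrimaryGroupSID: S-1-5-21-463168302-511420122-2937072671-513

dn: uid=anna,ou=People,dc=example
uid: anna
sambaSID: S-1-5-21-706331994-863180292-319919955-5020
sambaPrimaryGroupSID: S-1-5-21-706331994-863180292-319919955-513

dn: cn=staff,ou=Groups,dc=example
cn: staff
sambaSID: S-1-5-21-463168302-511420122-2937072671-513
"""


def demo():
    return find_sid_mismatches(parse_ldif(SAMPLE_LDIF))


if __name__ == "__main__":
    domain_sid, problems = demo()
    print("domain SID:", domain_sid)
    for who, attr, foreign in problems:
        print("%s: %s is in domain %s" % (who, attr, foreign))
```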
[Samba] Error accessing others domains in forest
Hello all.

After last update (from winbind-3.5.3 and krb5-1.8.1 to winbind-3.5.10 and krb5-1.9.1) users from a trusted domain can't authenticate any more. Machines are joined to domain PERSONALE, and users from domain STUDENTI aren't recognized. Domains are handled by W2k8 or W2k8r2 (I have no control on these).

Last lines from /var/log/samba/log.wb-STUDENTI report:

[2012/02/23 10:42:20.205656, 3] libads/sasl.c:793(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got server principal name = edge$@STUDENTI.DIR.UNIBO.IT
[2012/02/23 10:42:20.239823, 1] libsmb/clikrb5.c:789(ads_krb5_mk_req)
  ads_krb5_mk_req: smb_krb5_get_credentials failed for ldap/edge.studenti.dir.unibo...@studenti.dir.unibo.it (Realm not local to KDC)
[2012/02/23 10:42:20.311687, 1] libsmb/clikrb5.c:789(ads_krb5_mk_req)
  ads_krb5_mk_req: smb_krb5_get_credentials failed for ldap/edge.studenti.dir.unibo...@studenti.dir.unibo.it (Realm not local to KDC)
[2012/02/23 10:42:20.311765, 0] libads/sasl.c:823(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Realm not local to KDC
[2012/02/23 10:42:20.312246, 1] winbindd/winbindd_ads.c:126(ads_cached_connection)
  ads_connect for domain STUDENTI failed: Realm not local to KDC
[2012/02/23 11:04:15.428341, 3] winbindd/winbindd_dual.c:53(child_read_request)
  child_read_request: read_data failed: NT_STATUS_END_OF_FILE

'edge' is one of the DCs of the STUDENTI domain, but it seems the PC can't acquire a ticket for that domain.

Machine is correctly joined, and actually my employee account works. But not the student one :(

[root@str00160-bibl4 ~]# wbinfo -i studenti\\diego.zuccato2
Could not get info for user studenti\diego.zuccato2
[root@str00160-bibl4 ~]# wbinfo -i diego.zuccato
diego.zuccato:*:108036:100013:Mat032398:/home/PERSONALE/diego.zuccato:/bin/bash

I already tried deleting all .tdb files (in /etc/samba and /var/cache/samba ) and rejoining (some hiccups here, but net ads testjoin reports join is OK).

My /etc/samba/smb.conf is the same that worked for a couple of years:

    [global]
        workgroup = PERSONALE
        realm = PERSONALE.DIR.UNIBO.IT
        server string = %v
        security = ADS
        encrypt passwords = Yes
        #password server = atu.personale.dir.unibo.it
        log file = /var/log/samba/log.%m
        log level = 3
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        local master = No
        dns proxy = No
        #winbind separator = -
        winbind enum users = No
        winbind enum groups = No
        winbind offline logon = Yes
        winbind nested groups = Yes
        winbind normalize names = Yes
        winbind refresh tickets = Yes
        winbind use default domain = yes
        winbind uid = 10-1
        winbind gid = 10-1
        idmap config PERSONALE:backend = rid
        idmap config PERSONALE:base_rid = 500
        idmap config PERSONALE:range = 10 - 4999
        idmap config STUDENTI:backend = rid
        idmap config STUDENTI:base_rid = 500
        idmap config STUDENTI:range = 5000 -
        template homedir = /home/local/%D/%U
        template shell = /bin/bash

And the same for my /etc/krb5.conf (but I think this one gets ignored):

    [logging]
        default = FILE:/var/log/kerberos/krb5libs.log
        kdc = FILE:/var/log/kerberos/krb5kdc.log
        admin_server = FILE:/var/log/kerberos/kadmind.log

    [libdefaults]
        ticket_lifetime = 24000
        default_realm = PERSONALE.DIR.UNIBO.IT
        dns_lookup_realm = true
        dns_lookup_kdc = true

    [realms]
        PERSONALE.DIR.UNIBO.IT = {
            kdc = aki.PERSONALE.DIR.UNIBO.IT:88
            admin_server = aki.PERSONALE.DIR.UNIBO.IT:749
            default_domain = PERSONALE.DIR.UNIBO.IT
        }

    [domain_realm]
        .PERSONALE.DIR.UNIBO.IT = PERSONALE.DIR.UNIBO.IT

    [kdc]
        profile = /etc/kerberos/krb5kdc/kdc.conf

    [login]
        krb4_convert = false
        krb4_get_tickets = false

    [appdefaults]
        pam = {
            debug = true
            ticket_lifetime = 36000
            renew_lifetime = 36000
            forwardable = true
            krb4_convert = true
            mappings = ([a-z\.]*)@studio.unibo.it STUDENTI-$1
        }

Too bad I already upgraded more than 60 machines to the new packages... What can I do to fix it? Next week students start coming to the lab...

TIA!

BYtE, Diego.
[Samba] system freeze with message CIFS VFS: Unexpected lookup error -88
Hi everyone,

I have had a few system freezes in the recent months (debian squeeze with vmlinuz-2.6.32-5-686-bigmem), with the following message in dmesg :

CIFS VFS: Unexpected lookup error -88
CIFS VFS: Send error in SessSetup = -88

It is the same symptoms as in the redhat bugzilla : https://bugzilla.redhat.com/show_bug.cgi?id=711400

It is mentioned that it is patched in redhat kernel kernel-2.6.32-170.el6, but I have not found any information if that patch was sent upstream, and if yes, in which cifs module version.

If anyone has information on this one, I'd be glad to hear.

Cheers,
Denis Cardon

--
Denis Cardon
Tranquil IT Systems
44 bvd des pas enchantés
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.57
http://www.tranquil-it-systems.fr
Re: [Samba] Is there a startup script for ubuntu 10.04.1 lts for samba4 alpha 18?
I just took the smb3 init script and edited / commented out what wasn't relevant..

On 02/23/2012 02:04 AM, Michael Wood wrote:

On 22 February 2012 23:13, timothy mcdaniel timnb...@gmail.com wrote:

Is there a startup script for ubuntu 10.04.1 LTS for samba4 alpha 18? Please could someone please give me a script so that samba4 is automatically started up when my server starts up?

You can try the attached script. (Let's hope the mailing list doesn't strip it.) Move it to /etc/init.d/samba4 and make sure it is executable. Then run:

update-rc.d samba4 defaults
Re: [Samba] V4 - New Install - Missing Zone File
On Thu, Feb 23, 2012 at 4:33 PM, Jeremy Davis jdavis4...@gmail.com wrote:

I forgot to mention that nsupdate command should also include -g flag to force secure (kerberos) updates.

nsupdate command = /path/to/nsupdate -g

dlz_bind9 module only allows secure dynamic updates.

Amitay.

I added the -g to the smb.conf and restarted samba and named but it doesn't seem to do anything. Could this be an issue with kerberos? I am able to authenticate with my Windows machine and via the command line using the tests on the samba4 wiki. Any ideas as to what this could be?

What happens when you run samba_dnsupdate --verbose? What's the output from BIND?

Amitay.

Well, the samba_dnsupdate logs are the same but bind is now showing a little different error.

samba-dnsupdate:

IPs: ['2002:4b46:c8ad:0:a00:27ff:fe14:5491', 'fe80::a00:27ff:fe14:5491%eth0', 'fe80::a00:27ff:fee5:5840%eth1', '192.168.7.30', '192.168.30.1']
Looking for DNS entry A bob-dc.com 192.168.7.30 as bob-dc.com.
Looking for DNS entry A dc1.bob-dc.com 192.168.7.30 as dc1.bob-dc.com.
Looking for DNS entry bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491 as bob-dc.com.
Failed to find matching DNS entry bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491
Looking for DNS entry dc1.bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491 as dc1.bob-dc.com.
Failed to find matching DNS entry dc1.bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491
Looking for DNS entry A gc._msdcs.bob-dc.com 192.168.7.30 as gc._msdcs.bob-dc.com.
Looking for DNS entry gc._msdcs.bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491 as gc._msdcs.bob-dc.com.
Failed to find matching DNS entry gc._msdcs.bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491
Looking for DNS entry CNAME 48c0fc0c-dcc1-425d-bcb2-a229d40ab48c._msdcs.bob-dc.com dc1.bob-dc.com as 48c0fc0c-dcc1-425d-bcb2-a229d40ab48c._msdcs.bob-dc.com.
Looking for DNS entry SRV _kpasswd._tcp.bob-dc.com dc1.bob-dc.com 464 as _kpasswd._tcp.bob-dc.com.
Checking 0 100 464 dc1.bob-dc.com. against SRV _kpasswd._tcp.bob-dc.com dc1.bob-dc.com 464
Looking for DNS entry SRV _kpasswd._udp.bob-dc.com dc1.bob-dc.com 464 as _kpasswd._udp.bob-dc.com.
Checking 0 100 464 dc1.bob-dc.com. against SRV _kpasswd._udp.bob-dc.com dc1.bob-dc.com 464
Looking for DNS entry SRV _kerberos._tcp.bob-dc.com dc1.bob-dc.com 88 as _kerberos._tcp.bob-dc.com.
Checking 0 100 88 dc1.bob-dc.com. against SRV _kerberos._tcp.bob-dc.com dc1.bob-dc.com 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.bob-dc.com dc1.bob-dc.com 88 as _kerberos._tcp.dc._msdcs.bob-dc.com.
Checking 0 100 88 dc1.bob-dc.com. against SRV _kerberos._tcp.dc._msdcs.bob-dc.com dc1.bob-dc.com 88
Looking for DNS entry SRV _kerberos._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 88 as _kerberos._tcp.default-first-site-name._sites.bob-dc.com.
Checking 0 100 88 dc1.bob-dc.com. against SRV _kerberos._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 88
Looking for DNS entry SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com dc1.bob-dc.com 88 as _kerberos._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com.
Checking 0 100 88 dc1.bob-dc.com. against SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com dc1.bob-dc.com 88
Looking for DNS entry SRV _kerberos._udp.bob-dc.com dc1.bob-dc.com 88 as _kerberos._udp.bob-dc.com.
Checking 0 100 88 dc1.bob-dc.com. against SRV _kerberos._udp.bob-dc.com dc1.bob-dc.com 88
Looking for DNS entry SRV _ldap._tcp.bob-dc.com dc1.bob-dc.com 389 as _ldap._tcp.bob-dc.com.
Checking 0 100 389 dc1.bob-dc.com. against SRV _ldap._tcp.bob-dc.com dc1.bob-dc.com 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.bob-dc.com dc1.bob-dc.com 389 as _ldap._tcp.dc._msdcs.bob-dc.com.
Checking 0 100 389 dc1.bob-dc.com. against SRV _ldap._tcp.dc._msdcs.bob-dc.com dc1.bob-dc.com 389
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.bob-dc.com dc1.bob-dc.com 3268 as _ldap._tcp.gc._msdcs.bob-dc.com.
Checking 0 100 3268 dc1.bob-dc.com. against SRV _ldap._tcp.gc._msdcs.bob-dc.com dc1.bob-dc.com 3268
Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.bob-dc.com dc1.bob-dc.com 389 as _ldap._tcp.pdc._msdcs.bob-dc.com.
Checking 0 100 389 dc1.bob-dc.com. against SRV _ldap._tcp.pdc._msdcs.bob-dc.com dc1.bob-dc.com 389
Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 389 as _ldap._tcp.default-first-site-name._sites.bob-dc.com.
Checking 0 100 389 dc1.bob-dc.com. against SRV _ldap._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 389
Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com dc1.bob-dc.com 389 as _ldap._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com.
Checking 0 100 389 dc1.bob-dc.com. against SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com dc1.bob-dc.com 389
Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.bob-dc.com dc1.bob-dc.com
[Samba] wbinfo -u not showing domain users
Hi,

One of my customers is trying to get his AD integrated with samba 3.5.8 he is running with an older version of CentOs. His domain consist of 1 PDC, 1 BDC and another DC that replicates the PDC in a remote location.

The join to the domain seem to be successful. When I run the command net ads testjoin I get an OK message. I can see the users of the domain, when I run the command net ads user. However wbinfo -u does not show me the user list.

When I run wbinfo --online-status, the domain I have joined to is not shown. Only the BUILTIN and the host name is output. The winbindd logs say that the domain is not known when I run the command wbinfo --domain=DOMAIN -u.

How can this happen? How can I get winbindd to recognize the domain?

Thanks in advance
Pete
Re: [Samba] A couple of quick questions
On 20/02/2012 17:20, Daniel Patrick Sullivan wrote:

The first is;

1) Is it possible to deterministically set the domain name that will be used when the winbind use default domain = Yes option is configured in /etc/samba/smb.conf? I want to set a default domain, however I do not want the default domain to reflect the domain membership of the server. I do not see this in the documentation, although I admittedly haven't looked *that* hard.

That would be useful to me, too. I tried setting

idmap config STUDENTI:default = yes

w/o results (machine is joined to PERSONALE domain).

2) I am using a configuration line such as the following to restrict access;

winbind use default domain = Yes

auth requisite pam_succeed_if.so user ingroup AD\org_cri_cri_galaxy_administrators debug

This is working all fine and good, although I would like to actually have another group. It seems that whenever I add another similar line the pam auth bombs out after the first failure. Is it possible to restrict authorization to multiple groups in this manner?

I think it can check only one group, but that's not a problem: just create a group (whose membership you'll check) that contains the other groups you want to enable access.

I usually do that for users allowed to access a machine: a 'machinename-authorized' group that contains 'lab-administrators' group and users/groups allowed to access that machine. This way I can be sure 'lab-administrators' are allowed access.

BYtE, Diego.
Re: [Samba] slow creating files
On Wed, Feb 08, 2012 at 05:12:14PM +0400, Gankov Aleksey wrote:

We tried to migrate from old Windows fileserver (p4, single HDD) to Samba (FedoraCore15, Samba 3.5.12-72.fc15, ext4 volume, xeon, raid5). Our pipeline is so, that some special software generates files on that fileserver. The typical filesize ~50 mbytes. On the old hardware, software (win2k3 server) the time of single file creation was about 10 seconds. On the new configuration it takes 20-25 seconds. Copying of large files to\from samba server is ok (more than 80 mbytes\sec). It was default Samba installation. The usual tuning doesn't help at all (TCPNODELAY etc...)

Is there any idea for tuning?

Also, I wrote easy test that confused me:

    #include <stdio.h>
    #include <stdlib.h>
    #include <time.h>

    int main(int argc, char *argv[])
    {
        int fsize = 4000;
        int i = 0;
        FILE *to;
        char str[] = "0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890";
        time_t start, end;
        double diff;

        /* the output path is the only argument */
        if (argc < 2)
            return 1;

        time(&start);
        to = fopen(argv[1], "w+");
        if (to == NULL)
            return 1;

        /* each record is 100 bytes and is flushed on its own */
        for (i = 0; i < fsize / 100; i++) {
            fprintf(to, "\n%7d-%s", i, str);
            fflush(to); // makes it slow!
        }
        fclose(to);
        time(&end);

        diff = difftime(end, start);
        printf("\n \t time_diff = %.2lf", diff);
        return 0;
    }

This was started on Win7 client PC, It creates about 40 mbytes size file in pointed path. Comparing timings on our samba share and win2k3 share gives: ~40 seconds on Samba and on 3-4 seconds win2k3! That means that fflush cause dramatically slow down of fileshare.

Ensure you're setting

strict allocate = yes
Re: [Samba] V4 - New Install - Missing Zone File
Hello All,

On 02/23/2012 09:31 AM, Jeremy Davis wrote:

On Thu, Feb 23, 2012 at 4:33 PM, Jeremy Davis jdavis4...@gmail.com wrote:

I forgot to mention that nsupdate command should also include -g flag to force secure (kerberos) updates.

nsupdate command = /path/to/nsupdate -g

dlz_bind9 module only allows secure dynamic updates.

Amitay.

I added the -g to the smb.conf and restarted samba and named but it doesn't seem to do anything. Could this be an issue with kerberos? I am able to authenticate with my Windows machine and via the command line using the tests on the samba4 wiki. Any ideas as to what this could be?

What happens when you run samba_dnsupdate --verbose? What's the output from BIND?

Amitay.

Well, the samba_dnsupdate logs are the same but bind is now showing a little different error.

samba-dnsupdate:

IPs: ['2002:4b46:c8ad:0:a00:27ff:fe14:5491', 'fe80::a00:27ff:fe14:5491%eth0', 'fe80::a00:27ff:fee5:5840%eth1', '192.168.7.30', '192.168.30.1']
Looking for DNS entry A bob-dc.com 192.168.7.30 as bob-dc.com.
Looking for DNS entry A dc1.bob-dc.com 192.168.7.30 as dc1.bob-dc.com.
Looking for DNS entry bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491 as bob-dc.com.
Failed to find matching DNS entry bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491
Looking for DNS entry dc1.bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491 as dc1.bob-dc.com.
Failed to find matching DNS entry dc1.bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491
Looking for DNS entry A gc._msdcs.bob-dc.com 192.168.7.30 as gc._msdcs.bob-dc.com.
Looking for DNS entry gc._msdcs.bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491 as gc._msdcs.bob-dc.com.
Failed to find matching DNS entry gc._msdcs.bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491
Looking for DNS entry CNAME 48c0fc0c-dcc1-425d-bcb2-a229d40ab48c._msdcs.bob-dc.com dc1.bob-dc.com as 48c0fc0c-dcc1-425d-bcb2-a229d40ab48c._msdcs.bob-dc.com.
Looking for DNS entry SRV _kpasswd._tcp.bob-dc.com dc1.bob-dc.com 464 as _kpasswd._tcp.bob-dc.com.
[Samba] rid/autorid issues 3.6.2
I'm having issues with idmap autorid and rid on 3.6.2. If I use tdb backend, it works fine. If I do wbinfo -i testuser when using rid/autorid, I get this:

failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user testuser

The same command with tdb returns the info as expected. wbinfo -u and wbinfo -g work fine under all configurations. I could not find anything relevant on bugzilla either. Anyone have any ideas?

Here's my settings:

    #with tdb (this works perfectly)
    idmap config MYDOMAIN : range = 2 - 2000
    idmap config MYDOMAIN : backend = tdb

    #with rid (does not work)
    idmap config MYDOMAIN : range = 2 - 2000
    idmap config MYDOMAIN : backend = rid
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  6f8f24c selftest: Do not skip environments that fail to start up
       via  c623b4b s4-provision: Fix typo in 9b9fdeefb47f2657c9bb4c2f48318550da510209
       via  b0798cc s3-libads: Remove unused ads_set_machine_password()
       via  a6aa244 s3-libads: Remove unused ads_pull_sids_from_extendeddn()
       via  1c7725a s3-utils: Remove unused connect_to_ipc_krb5()
       via  7724533 wintest: Change to a new Win2008R2 VM
       via  bea0515 s3-libsmb: Remove unused spnego functions
       via  757c9b7 s3-rpc_server Remove unused function auth_generic_server_start()
      from  fe24ab4 s4:smbcli:smb2: add a random GUID to the transport connection in smb2_transport_init()

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 6f8f24c5f2564cf0d0f742af556e3f641803efbd
Author: Andrew Bartlett abart...@samba.org
Date: Thu Feb 23 16:34:47 2012 +1100

    selftest: Do not skip environments that fail to start up

    This is a regression in 70f4a96c68e91e407651e2487cc3c66a80262fa2.

    Andrew Bartlett

    Autobuild-User: Andrew Bartlett abart...@samba.org
    Autobuild-Date: Thu Feb 23 10:55:20 CET 2012 on sn-devel-104

commit c623b4bbb8963baf82d1582abe29b7d54d09397c
Author: Andrew Bartlett abart...@samba.org
Date: Thu Feb 23 16:36:33 2012 +1100

    s4-provision: Fix typo in 9b9fdeefb47f2657c9bb4c2f48318550da510209

    This was not found to to a bug in the selftest system.

    Andrew Bartlett

commit b0798cc0131df4abc314317e43f597c328deaceb
Author: Andrew Bartlett abart...@samba.org
Date: Thu Feb 9 15:59:38 2012 +1100

    s3-libads: Remove unused ads_set_machine_password()

    Found by callcatcher.

    Andrew Bartlett

commit a6aa24428add3faeb38461929576dc28670c25c6
Author: Andrew Bartlett abart...@samba.org
Date: Thu Feb 9 16:04:30 2012 +1100

    s3-libads: Remove unused ads_pull_sids_from_extendeddn()

    Found by callcatcher.

    Andrew Bartlett

commit 1c7725ae8a4ed3270720ce71de08f4949aa83ea7
Author: Andrew Bartlett abart...@samba.org
Date: Thu Feb 9 16:07:06 2012 +1100

    s3-utils: Remove unused connect_to_ipc_krb5()

    Found by callcatcher.
Andrew Bartlett commit 7724533d8065a2cd78573e6a07fcad9879296c71 Author: Andrew Bartlett abart...@samba.org Date: Tue Feb 21 11:55:50 2012 +1100 wintest: Change to a new Win2008R2 VM commit bea05159e4239e04dc5e8782b881ed7f70b231fc Author: Andrew Bartlett abart...@samba.org Date: Mon Feb 20 17:03:25 2012 +1100 s3-libsmb: Remove unused spnego functions commit 757c9b79ea1b2a599d9db1f6e686534777abd3a7 Author: Andrew Bartlett abart...@samba.org Date: Mon Feb 20 16:42:20 2012 +1100 s3-rpc_server Remove unused function auth_generic_server_start() --- Summary of changes: selftest/selftest.pl |2 +- selftest/target/Samba.pm |8 +- source3/include/proto.h| 11 -- source3/libads/ads_ldap_protos.h |7 -- source3/libads/ads_proto.h |3 - source3/libads/kerberos_util.c | 30 -- source3/libads/ldap.c | 55 -- source3/libsmb/clispnego.c | 109 source3/rpc_server/dcesrv_auth_generic.c | 53 -- source3/rpc_server/dcesrv_auth_generic.h | 10 -- source3/utils/net_proto.h |4 - source3/utils/net_util.c | 53 -- .../scripting/python/samba/provision/sambadns.py |6 +- wintest/conf/abartlet.conf | 12 +- 14 files changed, 16 insertions(+), 347 deletions(-) Changeset truncated at 500 lines: diff --git a/selftest/selftest.pl b/selftest/selftest.pl index 4625172..72e9ddf 100755 --- a/selftest/selftest.pl +++ b/selftest/selftest.pl @@ -888,7 +888,7 @@ sub setup_env($$) $testenv_vars-{target} = $target; } if (not defined($testenv_vars)) { - warn($opt_target can't provide environment '$envname'); + warn($opt_target can't start up known environment '$envname'); } } diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm index eea1987..445cbb2 100644 --- a/selftest/target/Samba.pm +++ b/selftest/target/Samba.pm @@ -31,7 +31,7 @@ sub setup_env($$$) if (not defined($env-{target})) { $env-{target} = $self-{samba4}; } - } else { + } elsif (defined($env) and $env eq UNKNOWN) { $env = $self-{samba3}-setup_env($envname, $path); if (defined($env) and $env ne UNKNOWN) { if (not
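Review bot: In the selftest/target/Samba.pm hunk, replacing the bare else with elsif (defined($env) and $env eq UNKNOWN) means an undefined $env no longer reaches the samba3 setup_env call, but nothing in the hunk states the contract this relies on: undef for an environment that failed to start, UNKNOWN for one this target does not provide. A short comment above the elsif spelling that out would keep a later cleanup from folding the two cases back into one else and silently skipping failed environments again, which is the regression the commit message says it is fixing.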
autobuild: intermittent test failure detected
The autobuild test system has detected an intermittent failing test in the current master tree.

The autobuild log of the failure is available here:

   http://git.samba.org/autobuild.flakey/2012-02-23-1110/flakey.log

The samba3 build logs are available here:

   http://git.samba.org/autobuild.flakey/2012-02-23-1110/samba3.stderr
   http://git.samba.org/autobuild.flakey/2012-02-23-1110/samba3.stdout

The source4 build logs are available here:

   http://git.samba.org/autobuild.flakey/2012-02-23-1110/samba4.stderr
   http://git.samba.org/autobuild.flakey/2012-02-23-1110/samba4.stdout

The top commit at the time of the failure was:

commit fe24ab4e53cde22e6b72d6073592cd3e31dc97f0
Author: Michael Adam ob...@samba.org
Date: Wed Feb 22 15:29:26 2012 +0100

    s4:smbcli:smb2: add a random GUID to the transport connection in smb2_transport_init()

    This GUID is used in the smb2 negprot when max protocol is bigger than 0x0202.

    According to section 2.2.3 of the MS-SMB2 document, the Client GUID field in the SMB2 negotiate request must be filled with a (non-zero) GUID if there are other dialects than 0x0202 in the dialects field.

    http://msdn.microsoft.com/en-us/library/cc246543%28v=prot.13%29.aspx

    Apart from corresponding to the docs, this change makes some of our durable-open tests (e.g. reopen2 and open-oplock) _not_ hang when running against windows 8 preview (which might be still buggy).

    Pair-Programmed-With: Gregor Beck gb...@sernet.de

    Autobuild-User: Michael Adam ob...@samba.org
    Autobuild-Date: Thu Feb 23 03:23:57 CET 2012 on sn-devel-104
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via f1dc8b2 s3: smb_request-vwv can be const from 6f8f24c selftest: Do not skip environments that fail to start up http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit f1dc8b28b7323aa5d44df6bd8d1fbcece91cc397 Author: Volker Lendecke v...@samba.org Date: Thu Feb 23 10:50:46 2012 +0100 s3: smb_request-vwv can be const Autobuild-User: Volker Lendecke v...@samba.org Autobuild-Date: Thu Feb 23 12:37:23 CET 2012 on sn-devel-104 --- Summary of changes: source3/include/smb.h |2 +- source3/smbd/process.c |2 +- 2 files changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/include/smb.h b/source3/include/smb.h index 7dd77ec..10e4798 100644 --- a/source3/include/smb.h +++ b/source3/include/smb.h @@ -452,7 +452,7 @@ struct smb_request { uint16 vuid; uint16 tid; uint8 wct; - uint16_t *vwv; + const uint16_t *vwv; uint16_t buflen; const uint8_t *buf; const uint8 *inbuf; diff --git a/source3/smbd/process.c b/source3/smbd/process.c index 139f1f0..3cb44c4 100644 --- a/source3/smbd/process.c +++ b/source3/smbd/process.c @@ -529,7 +529,7 @@ static bool init_smb_request(struct smb_request *req, req-vuid = SVAL(inbuf, smb_uid); req-tid= SVAL(inbuf, smb_tid); req-wct= CVAL(inbuf, smb_wct); - req-vwv= discard_const_p(uint16_t, (inbuf+smb_vwv)); + req-vwv= (const uint16_t *)(inbuf+smb_vwv); req-buflen = smb_buflen(inbuf); req-buf= (const uint8_t *)smb_buf_const(inbuf); req-unread_bytes = unread_bytes; -- Samba Shared Repository
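Review bot: In the source3/smbd/process.c hunk, `req->vwv = (const uint16_t *)(inbuf+smb_vwv);` still casts a byte pointer into the received packet to a 16-bit pointer, while the neighbouring fields are read with SVAL() and CVAL(); a one-line comment saying that vwv is only to be read through the SVAL-style accessors (or that 2-byte alignment of inbuf+smb_vwv is guaranteed) would make the intent explicit. Replacing discard_const_p() with a const-preserving cast is the right direction, and with the const added in smb.h any remaining writer through req->vwv now fails at compile time. Because wct and vwv both come straight from the client-supplied inbuf, it is worth confirming outside this context that wct is checked against the packet length before vwv is indexed.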
autobuild: intermittent test failure detected
The autobuild test system has detected an intermittent failing test in the current master tree.

The autobuild log of the failure is available here:

   http://git.samba.org/autobuild.flakey/2012-02-23-1852/flakey.log

The samba3 build logs are available here:

   http://git.samba.org/autobuild.flakey/2012-02-23-1852/samba3.stderr
   http://git.samba.org/autobuild.flakey/2012-02-23-1852/samba3.stdout

The source4 build logs are available here:

   http://git.samba.org/autobuild.flakey/2012-02-23-1852/samba4.stderr
   http://git.samba.org/autobuild.flakey/2012-02-23-1852/samba4.stdout

The top commit at the time of the failure was:

commit f25d1f5006c627892b97c72b77cd3e1398cde7a7
Author: Jelmer Vernooij jel...@samba.org
Date: Thu Feb 23 14:51:00 2012 +0100

    dcerpc_server: Add 'modulesdir' variable to pkg-config file.

    Autobuild-User: Jelmer Vernooij jel...@samba.org
    Autobuild-Date: Thu Feb 23 16:26:25 CET 2012 on sn-devel-104
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 101bd18 s3:smbd/utmp.c - fix the build on FreeBSD 9 without utmp.h from f25d1f5 dcerpc_server: Add 'modulesdir' variable to pkg-config file. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 101bd184d1a007b36e4fb889434e3013bdd3d1ea Author: Matthias Dieter Wallnöfer m...@samba.org Date: Thu Feb 23 11:41:11 2012 +0100 s3:smbd/utmp.c - fix the build on FreeBSD 9 without utmp.h https://bugzilla.samba.org/show_bug.cgi?id=8709 Reviewed-by: Jelmer Autobuild-User: Matthias Dieter Wallnöfer m...@samba.org Autobuild-Date: Thu Feb 23 19:17:25 CET 2012 on sn-devel-104 --- Summary of changes: source3/smbd/utmp.c |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/utmp.c b/source3/smbd/utmp.c index 47462f6..6837c07 100644 --- a/source3/smbd/utmp.c +++ b/source3/smbd/utmp.c @@ -126,7 +126,9 @@ void sys_utmp_yield(const char *username, const char *hostname, #else /* WITH_UTMP */ +#ifdef HAVE_UTMP_H #include utmp.h +#endif #ifdef HAVE_UTMPX_H #include utmpx.h -- Samba Shared Repository
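Review bot: The new `#ifdef HAVE_UTMP_H` guard sits in the `#else /* WITH_UTMP */` section, so on a system without utmp.h everything after it has to compile against utmpx.h alone, and nothing in the visible context shows what happens when neither HAVE_UTMP_H nor HAVE_UTMPX_H is defined. Consider an explicit `#error` for that combination (or having configure turn utmp support off), and add a line to the commit message saying what is different on FreeBSD 9 rather than only linking the bug.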
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via aed0735 waf: Make sure libraries are installed with the execute flag set. via 8ba8267 s4-heimdal: Remove the execute flag of cfx.c. from 101bd18 s3:smbd/utmp.c - fix the build on FreeBSD 9 without utmp.h http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit aed0735862f9517c49918bb4e4b27d924b2e Author: Andreas Schneider a...@samba.org Date: Thu Feb 23 11:05:09 2012 +0100 waf: Make sure libraries are installed with the execute flag set. There are two reasons for that. The first is that libraries are executables and can have main functions (see libc). The second reason is that rpm script to extract debuginfo are looking for executables and then check if it is the right file to extract the info. Autobuild-User: Andreas Schneider a...@cryptomilk.org Autobuild-Date: Thu Feb 23 20:57:11 CET 2012 on sn-devel-104 commit 8ba82673084fcc1c6beaf630da5a1d42f6d84f1c Author: Andreas Schneider a...@samba.org Date: Thu Feb 23 09:24:02 2012 +0100 s4-heimdal: Remove the execute flag of cfx.c. The scripts which are extracting debuginfo are looking for files with the executable bit and find cfx.c which isn't a executable. --- Summary of changes: buildtools/wafsamba/samba_install.py |3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) mode change 100755 = 100644 source4/heimdal/lib/gssapi/krb5/cfx.c Changeset truncated at 500 lines: diff --git a/buildtools/wafsamba/samba_install.py b/buildtools/wafsamba/samba_install.py index 26d0a37..5e53989 100644 --- a/buildtools/wafsamba/samba_install.py +++ b/buildtools/wafsamba/samba_install.py 
@@ -134,7 +134,8 @@ def install_library(self): # tell waf to install the library bld.install_as(os.path.join(install_path, install_name), - os.path.join(self.path.abspath(bld.env), inst_name)) + os.path.join(self.path.abspath(bld.env), inst_name), + chmod=MODE_755) if install_link and install_link != install_name: # and the symlink if needed bld.symlink_as(os.path.join(install_path, install_link), os.path.basename(install_name)) diff --git a/source4/heimdal/lib/gssapi/krb5/cfx.c b/source4/heimdal/lib/gssapi/krb5/cfx.c old mode 100755 new mode 100644 -- Samba Shared Repository
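Review bot: The install_library() hunk passes `chmod=MODE_755` to bld.install_as(), but no import or definition of MODE_755 appears anywhere in this diff; please confirm the name is already in scope in buildtools/wafsamba/samba_install.py, otherwise every library install fails with a NameError. A short comment at the call noting that the execute bit is needed by the rpm debuginfo extraction scripts would save the next reader a trip to the commit log. The mode change of source4/heimdal/lib/gssapi/krb5/cfx.c from 100755 to 100644 looks right as shown.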
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via 7e39675 Add draft of CVE-2012-0870 annoucement. from 7a4f50b Replace no longer existing sfconservancy web host http://gitweb.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit 7e396756df36ae8893ad93e7df035be929308121 Author: Lars Müller l...@samba.org Date: Thu Feb 23 22:20:06 2012 +0100 Add draft of CVE-2012-0870 annoucement. --- Summary of changes: security/CVE-2012-0870.html | 73 +++ 1 files changed, 73 insertions(+), 0 deletions(-) create mode 100644 security/CVE-2012-0870.html Changeset truncated at 500 lines: diff --git a/security/CVE-2012-0870.html b/security/CVE-2012-0870.html new file mode 100644 index 000..452eebf --- /dev/null +++ b/security/CVE-2012-0870.html 
@@ -0,0 +1,73 @@ +!DOCTYPE html PUBLIC -//W3C//DTD XHTML 1.0 Transitional//EN +http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd; +html xmlns=http://www.w3.org/1999/xhtml; + +head +titleSamba - Security Announcement Archive/title +/head + +body + + H2CVE-2012-0870:/H2 + +p +pre +=== +== Subject: Remote code execution vulnerability in smbd +== +== CVE ID#: CVE-2012-0870 +== +== Versions:Samba pre-3.4.0 +== +== Summary: Ensure AndX offsets are increasing strictly monotonically +in pre-3.4 versions +== +=== + +=== +Description +=== + +Samba versions up to 3.4.0 do not ensure that AndX offsets of the smb daemon +(smbd) are increasing strictly monotonically. + +Therefore a remote code execution vulnerability exists in the service. +A remote attacker could use the vulnerability to launch an exploit over a +network connection + +== +Workaround +== + +None. + +== +Patch Availability +== + +A patch addressing this defect has been posted to + + http://www.samba.org/samba/security/ + +As all pre-3.4.0 versions are discontinued at least since August 9, 2011 even +for security patches, the patches are provided as an extra service to our +community, users, and verndors. + +=== +Credits +=== + +The vulnerability was discovered by Andy Davis of NGS Secure¹ and reported by +Greg Kinasewitz of Research In Motion². Patches were written by Volker +Lendecke of the Samba Team. + +== +References +== + +¹ http://www.ngssecure.com/research/research-overview.aspx +² http://www.blackberry.com/btsc/KB29565 + +/pre +/body +/html -- Samba Website Repository
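Review bot: The affected-version wording in the new security/CVE-2012-0870.html is inconsistent: the header says "Versions: Samba pre-3.4.0" while the Description says "Samba versions up to 3.4.0", which can be read as including 3.4.0. Use one phrase in both places (for example "all versions before 3.4.0") so that administrators running 3.4.0 can tell whether they are affected. Smaller points in the same hunk: the Patch Availability section links only to the general http://www.samba.org/samba/security/ page rather than to the patches, the wrapped Summary line "in pre-3.4 versions" is missing its leading "==", and "verndors" is a typo.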
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via 55e304c Smaller typo fixes and cleanup. from 7e39675 Add draft of CVE-2012-0870 annoucement. http://gitweb.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit 55e304cd7d0807f8f906fbb9ba7928731af3a0a6 Author: Lars Müller l...@samba.org Date: Thu Feb 23 22:38:48 2012 +0100 Smaller typo fixes and cleanup. --- Summary of changes: security/CVE-2012-0870.html |6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/security/CVE-2012-0870.html b/security/CVE-2012-0870.html index 452eebf..3c1ef3d 100644 --- a/security/CVE-2012-0870.html +++ b/security/CVE-2012-0870.html @@ -31,9 +31,9 @@ Description Samba versions up to 3.4.0 do not ensure that AndX offsets of the smb daemon (smbd) are increasing strictly monotonically. -Therefore a remote code execution vulnerability exists in the service. +Therefore a remote code execution vulnerability exists in the smbd service. A remote attacker could use the vulnerability to launch an exploit over a -network connection +network connection. == Workaround @@ -51,7 +51,7 @@ A patch addressing this defect has been posted to As all pre-3.4.0 versions are discontinued at least since August 9, 2011 even for security patches, the patches are provided as an extra service to our -community, users, and verndors. +community, users, and vendors. === Credits -- Samba Website Repository
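Review bot: The reworded sentence "A remote attacker could use the vulnerability to launch an exploit over a network connection." still does not say what the attacker needs, in particular whether an authenticated session is required before smbd processes the AndX chain; that is the first thing an administrator looks for when deciding how urgently to patch. If the answer is known, it belongs in the Description. The unchanged context line "Samba versions up to 3.4.0" is also left as it was, so it still disagrees with the "pre-3.4.0" wording used in the header of the same file.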
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via 44d414c Add CVE-2012-0870 to the security overview from 55e304c Smaller typo fixes and cleanup. http://gitweb.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit 44d414c67d610b8ee3c15a96c96e70e0ed99d279 Author: Lars Müller l...@samba.org Date: Thu Feb 23 23:09:38 2012 +0100 Add CVE-2012-0870 to the security overview --- Summary of changes: history/security.html | 14 ++ 1 files changed, 14 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/history/security.html b/history/security.html index ab6d93f..4439835 100755 --- a/history/security.html +++ b/history/security.html @@ -22,6 +22,20 @@ link to full release notes for each release./p /tr tr + td23 Feb 2012/td + tda href=/samba/ftp/patches/security/samba-3.0-CVE-2012-0870.patch + patch for Samba 3.0/a + a href=/samba/ftp/patches/security/samba-3.2-CVE-2012-0870.patch + patch for Samba 3.2/a + a href=/samba/ftp/patches/security/samba-3.3-CVE-2012-0870.patch + patch for Samba 3.3/a + tdRemote code execution vulnerability in smbd/td + tdpre-3.4/td + tda href=http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0870;CVE-2012-0870/a/td + tda href=/samba/security/CVE-2012-0870Announcement/a/td +/tr + +tr td29 Jan 2012/td tda href=/samba/ftp/patches/security/samba-3.6.2-CVE-2012-0817.patch patch for Samba 3.6.2/a -- Samba Website Repository
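Review bot: In the added row of history/security.html, the cell holding the three patch links is never closed: as the hunk appears here, the cell opens before the Samba 3.0 link and the next thing after "patch for Samba 3.3" is the opening of the following cell, with no closing td in between. The three links also follow each other with no separator, so they will render as one run of adjacent link text; close the cell and put a line break or comma between the links. Please also check that the Announcement href /samba/security/CVE-2012-0870 resolves, since the file added for it is named CVE-2012-0870.html.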
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via 78c6523 Add missing == chars from 44d414c Add CVE-2012-0870 to the security overview http://gitweb.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit 78c652387997132604fc6903dc258e62ddcdc7a9 Author: Lars Müller l...@samba.org Date: Thu Feb 23 23:17:46 2012 +0100 Add missing == chars --- Summary of changes: security/CVE-2012-0870.html |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/security/CVE-2012-0870.html b/security/CVE-2012-0870.html index 3c1ef3d..1bc834b 100644 --- a/security/CVE-2012-0870.html +++ b/security/CVE-2012-0870.html @@ -20,7 +20,7 @@ == Versions:Samba pre-3.4.0 == == Summary: Ensure AndX offsets are increasing strictly monotonically -in pre-3.4 versions +== in pre-3.4 versions == === -- Samba Website Repository
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via 97ffa8e Update latest bodies and headlines regarding CVE-2012-0870 from 78c6523 Add missing == chars http://gitweb.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit 97ffa8e11345dc26c69b52a84155a76a7b227148 Author: Lars Müller l...@samba.org Date: Thu Feb 23 23:36:10 2012 +0100 Update latest bodies and headlines regarding CVE-2012-0870 --- Summary of changes: generated_news/latest_10_bodies.html| 14 ++ generated_news/latest_10_headlines.html |4 ++-- generated_news/latest_2_bodies.html | 15 ++- 3 files changed, 14 insertions(+), 19 deletions(-) Changeset truncated at 500 lines: diff --git a/generated_news/latest_10_bodies.html b/generated_news/latest_10_bodies.html index 06268ce..c1cd654 100644 --- a/generated_news/latest_10_bodies.html +++ b/generated_news/latest_10_bodies.html @@ -1,3 +1,9 @@ + h5a name=CVE-2012-087023 February 2012/a/h5 + p class=headlineSamba pre-3.4 Security Issue/p + pPatches for a href=http://www.samba.org/samba/ftp/patches/security/samba-3.0-CVE-2012-0870.patch;3.0/a, a href=http://www.samba.org/samba/ftp/patches/security/samba-3.2-CVE-2012-0870.patch;3.2/a, a href=http://www.samba.org/samba/ftp/patches/security/samba-3.3-CVE-2012-0870.patch;and 3.3/a got released in order to address a href=http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-CVE-2012-0870;CVE-2012-0870 (Remote code execution vulnerability in smbd)/a./p + +pSee a href=http://www.samba.org/samba/security/CVE-2012-0870.html;the security announcement for more details/a./p + h5a name=3.6.329 January 2012/a/h5 p class=headlineSamba 3.6.3 Security Release Available for Download/p pThis is a security release in order to address a href=http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-CVE-2012-0817;CVE-2012-0817 (Memory leak/Denial of service)/a./p 
@@ -83,11 +89,3 @@ enhanced library components./p a href=/samba/news/releases/3.6.0.htmlhighlights of 3.6/a?/p - h5a name=3.6.009 August 2011/a/h5 - p class=headlineSamba 3.6.0 Available for Download/p - pThis is the latest stable release of the Samba 3.6 series./p - -pThe uncompressed tarballs and patch files have been signed -using GnuPG (ID 6568B7EA). The source code can be -a href=http://samba.org/samba/ftp/stable/samba-3.6.0.tar.gz;downloaded -now/a. A a href=http://samba.org/samba/ftp/patches/patch-3.5.11-3.6.0.diffs.gz;patch against Samba 3.5.11/a is also available. See a href=http://samba.org/samba/history/samba-3.6.0.html;the release notes for more info/a./p diff --git a/generated_news/latest_10_headlines.html b/generated_news/latest_10_headlines.html index f8b235c..7740819 100644 --- a/generated_news/latest_10_headlines.html +++ b/generated_news/latest_10_headlines.html @@ -1,4 +1,6 @@ ul + li 23 February 2012 a href=#CVE-2012-0870Samba pre-3.4 Security Issue/a/li + li 29 January 2012 a href=#3.6.3Samba 3.6.3 Security Release Available for Download/a/li li 25 January 2012 a href=#3.6.2Samba 3.6.2 Available for Download/a/li @@ -16,6 +18,4 @@ li 23 August 2011 a href=#3.4.15Samba 3.4.15 Available for Download/a/li li 09 August 2011 a href=/samba/news/releases/3.6.0.htmlThe highlights of Samba 3.6/a/li - - li 09 August 2011 a href=#3.6.0Samba 3.6.0 Available for Download/a/li /ul diff --git a/generated_news/latest_2_bodies.html b/generated_news/latest_2_bodies.html index 7376bf6..f0dbcea 100644 --- a/generated_news/latest_2_bodies.html +++ b/generated_news/latest_2_bodies.html 
@@ -1,3 +1,9 @@ + h5a name=CVE-2012-087023 February 2012/a/h5 + p class=headlineSamba pre-3.4 Security Issue/p + pPatches for a href=http://www.samba.org/samba/ftp/patches/security/samba-3.0-CVE-2012-0870.patch;3.0/a, a href=http://www.samba.org/samba/ftp/patches/security/samba-3.2-CVE-2012-0870.patch;3.2/a, a href=http://www.samba.org/samba/ftp/patches/security/samba-3.3-CVE-2012-0870.patch;and 3.3/a got released in order to address a href=http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-CVE-2012-0870;CVE-2012-0870 (Remote code execution vulnerability in smbd)/a./p + +pSee a href=http://www.samba.org/samba/security/CVE-2012-0870.html;the security announcement for more details/a./p + h5a name=3.6.329 January 2012/a/h5 p class=headlineSamba 3.6.3 Security Release Available for Download/p pThis is a security release in order to address a href=http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-CVE-2012-0817;CVE-2012-0817 (Memory leak/Denial of service)/a./p @@ -6,12 +12,3 @@ using GnuPG (ID 6568B7EA). The source code can be a href=http://samba.org/samba/ftp/stable/samba-3.6.3.tar.gz;downloaded now/a. A a
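Review bot: The CVE link in the new news entry is wrong in both generated_news/latest_10_bodies.html and generated_news/latest_2_bodies.html: the href reads cvename.cgi?name=CVE-2012-CVE-2012-0870, with the "CVE-2012-" prefix doubled, so it does not point at the CVE-2012-0870 record. The same doubling is visible in the unchanged CVE-2012-0817 entry directly below, which is presumably where the line was copied from; the parameters should be name=CVE-2012-0870 and name=CVE-2012-0817. The link text of the third patch is "and 3.3", which puts the word "and" inside the anchor. If these files are generated, as the directory name suggests, the correction belongs in their source rather than in the output.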
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via f14dffa s3-selftest: Verify GK and GF flag behaviour via b947d84 s3-selftest: run ntlm_auth against winbindd in make test via 111d9f3 auth: Remove plugable password-check functions from gensec_ntlmssp via 83810f8 auth: consolidate gensec_ntlmssp_server wrapper functions via a61298e s3-libsmb: Remove unused ntlmssp_server_start() via 9de7fb8 s3-ntlm_auth: Convert ntlm_auth to use gensec_ntlmssp server-side via 4478f31 s3-auth: Provide helper routine to check password and return session_info via e3cebef auth: Rename some elements of auth4_context via 8a9b6fe s3-auth: Add a way to get an auth4_context from the auth stack from aed0735 waf: Make sure libraries are installed with the execute flag set. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit f14dffa815b47af4061cf1d0c35e0237d35c07a9 Author: Andrew Bartlett abart...@samba.org Date: Fri Feb 24 12:19:27 2012 +1100 s3-selftest: Verify GK and GF flag behaviour At least this ensures that the helper has not crashed, it will require a little more to ensure that the values are correct. Andrew Bartlett Autobuild-User: Andrew Bartlett abart...@samba.org Autobuild-Date: Fri Feb 24 03:53:38 CET 2012 on sn-devel-104 commit b947d84c88d1fcc3bdd75f3002bb38b673cbecd3 Author: Andrew Bartlett abart...@samba.org Date: Fri Feb 24 12:12:48 2012 +1100 s3-selftest: run ntlm_auth against winbindd in make test commit 111d9f3eb20ad0c3e3b6a7a01f7c997111c660d9 Author: Andrew Bartlett abart...@samba.org Date: Tue Feb 7 17:47:42 2012 +1100 auth: Remove plugable password-check functions from gensec_ntlmssp The auth4_context layer now provides the plugability here. 
Andrew Bartlett commit 83810f8afad85818edb7a21428dbbef305147b8c Author: Andrew Bartlett abart...@samba.org Date: Tue Feb 7 17:12:19 2012 +1100 auth: consolidate gensec_ntlmssp_server wrapper functions commit a61298e8028574d10358e2d53c956f74ab641ef4 Author: Andrew Bartlett abart...@samba.org Date: Tue Feb 7 17:07:52 2012 +1100 s3-libsmb: Remove unused ntlmssp_server_start() commit 9de7fb8706d3314951ddc1fc6c919b4872f2ea92 Author: Andrew Bartlett abart...@samba.org Date: Tue Feb 7 17:02:14 2012 +1100 s3-ntlm_auth: Convert ntlm_auth to use gensec_ntlmssp server-side This uses the common gensec_ntlmssp server code for ntlm_auth, removing the last non-gensec use of the NTLMSSP server. Andrew Bartlett commit 4478f315e6cb178b53114033e1247e265f82ab8f Author: Andrew Bartlett abart...@samba.org Date: Fri Feb 3 23:32:26 2012 +1100 s3-auth: Provide helper routine to check password and return session_info commit e3cebef0cf93ddade8e698ea292d2c03cf005a7b Author: Andrew Bartlett abart...@samba.org Date: Fri Feb 3 16:33:44 2012 +1100 auth: Rename some elements of auth4_context These operate on NTLM authentication, so make that clear. Andrew Bartlett commit 8a9b6fe26dc347afd6dc17570354e0af391b351d Author: Andrew Bartlett abart...@samba.org Date: Fri Feb 3 16:14:42 2012 +1100 s3-auth: Add a way to get an auth4_context from the auth stack This will allow us to use the same layer that auth_ntlmssp does in the non-SPNEGO session setup, which will in turn make the authentication code more consistent in the AD server case. 
Andrew Bartlett --- Summary of changes: auth/common_auth.h| 14 +- auth/ntlmssp/gensec_ntlmssp_server.c | 180 auth/ntlmssp/ntlmssp.c| 33 ++- auth/ntlmssp/ntlmssp.h| 54 + auth/ntlmssp/ntlmssp_client.c |8 - auth/ntlmssp/ntlmssp_server.c | 139 -- source3/auth/auth.c |6 +- source3/auth/auth_generic.c | 84 +- source3/auth/auth_samba4.c| 54 source3/auth/proto.h |6 + source3/include/auth.h|7 +- source3/libsmb/ntlmssp.c | 121 source3/script/tests/test_ntlm_auth_s3.sh |8 +- source3/selftest/tests.py |2 +- source3/torture/test_ntlm_auth.py | 37 +++- source3/utils/ntlm_auth.c | 426 ++--- source4/auth/ntlm/auth.c |6 +- 17 files changed, 659 insertions(+), 526 deletions(-) Changeset truncated at 500 lines: diff --git a/auth/common_auth.h b/auth/common_auth.h index c0fd6b6..cf21543 100644 --- a/auth/common_auth.h +++ b/auth/common_auth.h @@ -105,17 +105,17 @@ struct auth4_context { /* Private data for the callbacks on this auth context */ void *private_data; - NTSTATUS
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 0cf7a36 on our way with Samba 4.0alpha19 via 0a4827f prepare WHATSNEW for Samba 4.0alpha18 release and mark as release. via cab24da s3-libsmb: Remove unused spnego_parse_auth_and_mic from f14dffa s3-selftest: Verify GK and GF flag behaviour http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 0cf7a3680aee282dd6c1a012401df83e2e111a2d Author: Andrew Bartlett abart...@samba.org Date: Fri Feb 24 15:24:00 2012 +1100 on our way with Samba 4.0alpha19 Autobuild-User: Andrew Bartlett abart...@samba.org Autobuild-Date: Fri Feb 24 07:20:10 CET 2012 on sn-devel-104 commit 0a4827f594c87e5f0866999e8cfcae29c72ce675 Author: Andrew Bartlett abart...@samba.org Date: Thu Feb 16 16:45:10 2012 +1100 prepare WHATSNEW for Samba 4.0alpha18 release and mark as release. commit cab24da68dbebc419efaaf660b20994b71e42203 Author: Andrew Bartlett abart...@samba.org Date: Fri Feb 24 12:36:23 2012 +1100 s3-libsmb: Remove unused spnego_parse_auth_and_mic --- Summary of changes: VERSION|2 +- WHATSNEW.txt | 94 +++ source3/include/proto.h|2 - source3/libsmb/clispnego.c | 40 --- upgrading-samba4.txt |8 5 files changed, 51 insertions(+), 95 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 866376e..952ff93 100644 --- a/VERSION +++ b/VERSION @@ -57,7 +57,7 @@ SAMBA_VERSION_TP_RELEASE= # e.g. SAMBA_VERSION_ALPHA_RELEASE=1 # # - 4.0.0alpha1 # -SAMBA_VERSION_ALPHA_RELEASE=18 +SAMBA_VERSION_ALPHA_RELEASE=19 # For 'pre' releases the version will be # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 3fac360..a9258b0 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,4 +1,4 @@ -What's new in Samba 4 alpha17 +What's new in Samba 4 alpha18 = Samba 4.0 will be the next version of the Samba suite and incorporates 
@@ -10,7 +10,7 @@ and above. WARNINGS -Samba4 alpha17 is not a final Samba release, however we are now making +Samba4 alpha18 is not a final Samba release, however we are now making good progress towards a Samba 4.0 release, of which this is a preview. Be aware the this release contains both the technology of Samba 3.6 (that you can reasonably expect to upgrade existing Samba 3.x releases 
@@ -55,84 +55,74 @@ programs to interface to Samba's internals, and many tools and internal workings of the DC code is now implemented in python. -CHANGES SINCE alpha16 +CHANGES SINCE alpha17 = -For a list of changes since alpha 15, please see the git log. +For a list of changes since alpha 17, please see the git log. $ git clone git://git.samba.org/samba.git $ cd samba.git -$ git log release-4-0-0alpha16..release-4-0-0alpha17 +$ git log samba-4.0.0alpha17..samba-4.0.0alpha18 Some major user-visible changes include: -samba-tool dbcheck --- +Improvements to DNS servers. Samba4 now has 3 options for the +handling of DNS: The default option is to use the BIND 9.8 DLZ plugin, +which stores the information about the DNS zone in the directory. +There is also an internal DNS server (but which does not support +secure DNS updates at this time) and the flat file BIND 9.8 backend +(storing the data in traditional zone files). -We now have an fsck-like tool for Samba's internal sam.ldb database. -Run samba-tool dbcheck after installation to check your database for -self-consistency. Any database created with a previous Samba4 alpha -will have a very large number of consistency errors, which this tool -can fix. +To migrate from zone files to directory based DNS servers, a migration +tool (upgradedns) has been added. -See also the -H option to point dbcheck at a different database to the -default, and the --fix and --yes options to make changes and to not -prompt about those changes. +samba-tool dns commands to manage DNS records stored in directory. -After upgrading Samba, it is suggested that you do the following: +smbwrapper (a user-space file system based on LD_PRELOAD) has been +removed. 
- - stop samba - - take a backup copy of your sam.ldb and sam.ldb.d/* database files - - run samba-tool dbcheck --cross-ncs --fix - - use 'all' to say yes to fixing each type of error found - - after it has finished, run dbcheck again to ensure it reports no -errors +Improvement to the upgrade process between Samba 3.x domains and Samba +4.0 AD domains (samba-tool domain samba3upgrade). -There will be a lot of errors fixed, particularly related to -bad/missing
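Review bot: In the WHATSNEW.txt hunk the suggested log command changes tag scheme as well as version: the removed line is `git log release-4-0-0alpha16..release-4-0-0alpha17` and the added one is `git log samba-4.0.0alpha17..samba-4.0.0alpha18`. Please confirm that a samba-4.0.0alpha17 tag exists; if alpha17 was only tagged as release-4-0-0alpha17, the range has to be `release-4-0-0alpha17..samba-4.0.0alpha18` or the command fails for readers who copy it. The hunk also removes the post-upgrade steps (stop samba, back up sam.ldb and sam.ldb.d/*, run `samba-tool dbcheck --cross-ncs --fix`); if they still apply to anyone upgrading from an older alpha, leave a pointer to where they now live.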
[SCM] Samba Shared Repository - annotated tag samba-4.0.0alpha18 created
The annotated tag, samba-4.0.0alpha18 has been created at b9298b97efc6350d9ed363463c1bc4b90cecac25 (tag) tagging 0a4827f594c87e5f0866999e8cfcae29c72ce675 (commit) replaces tevent-0.9.15 tagged by Andrew Bartlett on Fri Feb 24 17:25:48 2012 +1100 - Log - samba4: tag release samba-4.0.0alpha18 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQBPRy1sz4A8Wyi0NrsRAjQRAJ4jl04XY4v/JTQaBrQ9pM0O5NXafgCfYIlX QozBS2tInhNmApae6Tu/7w8= =2XFz -END PGP SIGNATURE- Amitay Isaacs (20): mkversion: Add quotes around various version strings s4-dsdb: Check if metadata.tdb exists, before trying to open it lib/tdb2: Do not include config.h in (to-be) public library, use replace. lib/tdb2: Mark public function as such lib/tdb2: Fix wscript lib/tdb2: Convert tdb2 to a standalone library lib/tdb2: 2.0.0 ABI dlz_bind9: Do not remove LDB record in subrdataset and delrdataset samba-tool: dns: Add MXRecord type to add/update mx records samba-tool: dns: Convert dns data in a string to DNS record samba-tool: dns: Convert dns data into a dns record for comparison samba-tool: dns: Add support to add/update/delete MX and SRV records samba-tool: dns: Add extra references for string objects as workaround samba-tool: dns: Fix the output display of DNS records samba-tool: dns: Update the copyright dlz_bind9: Fix the log message level s4-provision: dns: Refactor population of dns data code s4-provision: dns: Do not re-calculate ntdsguid, use from names s4-provision: dns: Add txt DNS record upgradedns: Upgrade DNS provision from BIND9_FLATFILE to AD based DNS Andreas Schneider (4): s3-net: Don't use an internal krb5 for kdc lookup. s3-libsmb: Remove obsolete smb_krb5_locate_kdc. s4-heimdal: Remove the execute flag of cfx.c. waf: Make sure libraries are installed with the execute flag set. 
Andrew Bartlett (129): credentials: Show returned error_string in debug message heimdal: Re-run lexyacc.sh heimdal_build: omit #line statments heimdal: Re-run lexyacc.sh to remove #line statements build: Add --enable-coverage option to build with gcov support charset: Remove unused iconv_talloc() s3-charcnv: Remove unused pull_string_fn s3-registry: Remove unused prs_uint8() s3-lib: Remove unused pid_path() s4-cmdline: Remove unused popt_common_dont_ask() s4-lib/tls: remove unused tls_support() charset: Remove unused strcmp_w() lib/util: Remove unused str_format_nbt_domain() s4-lib/samba3: Remove unused smbpasswd_decode_acb_info() s3-param: Remove unused share_defined() s3-libsmb: Remove unused smb_krb5_mk_error() s3-charcnv: Remove unused rpcstr_push() s3-lib: Remove unused is_myworkgroup() s3-libsmb: Remove unused kerberos_compatible_enctypes s3-libsmb: Remove unused kerberos_set_creds_enctype() s4-nbt_server: remove unused winsdb_get_seqnumber() Revert gensec: Fix a memory corruption in gensec_use_kerberos_mechs gensec: set flag to continue in outer for loop in gensec_use_kerberos_mechs gensec: explain gensec_use_kerberos_mechs() logic auth: Pass in the SMB username (for %U) into generate_session_info s3-lib/addns: Move to system/kerberos.h and HAVE_KRB5 s3-libads: Move to using only the HAVE_KRB5 define s3-build: expliticly require gssapi for HAVE_KRB5 and remove HAVE_GSSAPI selftest: Allow setup_env() to signal that an environment name is unknown s3-selftest: Do not assume $USERNAME is the same as $DC_USERNAME s3-nmbd: Initialise newly non-static variables wintest: connect to correct hostname in test_net_use wintest: Retry joining the domain a few times wintest: Allow access denied when turning off the firewall wintest: Update VM used for W2K8R2A wintest: s3 moved smb.conf to /etc wintest: Cope with nc not timing out even when -w 1 is specified wintest: Samba is now all version 4.0 wintest: Give the Windows VM a little more time to start back up wintest: 
Change Windows 7 VM wintest: update WinXP-1 snapshot selftest: Make plugin_s4_dc set the cached environment correctly selftest: Do not start up an already-running test environment s3-selftest: Require SMB signing for ktest environment selftest: skip targets that are not compiled in if we do not have ADS selftest: Run nsstest against more environments selftest: skip plugin_s4_dc if we do not have ADS s3-smbd: Avoid starting log lines with the word 'error' selftest: Remove 'if have_ads_support:' from tests.py s3-selftest: Remove .posix_s3 from s3 test names s3-librpc: make gensec result handling more generic s3-librpc: Remove unused bool