Re: [Samba] Git- Samba 4.1 Glusterfs 3.4, CentOs 6.4
Hmmm... Odd... Okay. Open a bug for it in the Samba Bugzilla and I will follow up. Chris -)- On Wed, Jul 24, 2013 at 08:24:20AM +0200, Daniel M?ller wrote: This is the result when deleting the vfs-glusterfs.c and then running make:# Project rules pass Waf: Leaving directory `/root/samba4/samba-master/bin' source not found: 'vfs_glusterfs.c' in 'dir:///root/samba4/samba-master/source3/modules' make: *** [all] Fehler 1 I am afraid there is more to do in configure and configure.developer --- EDV Daniel M?ller Leitung EDV Tropenklinik Paul-Lechler-Krankenhaus Paul-Lechler-Str. 24 72076 T?bingen Tel.: 07071/206-463, Fax: 07071/206-499 eMail: muel...@tropenklinik.de Internet: www.tropenklinik.de --- -Urspr?ngliche Nachricht- Von: Christopher R. Hertel [mailto:c...@ubiqx.mn.org] Gesendet: Mittwoch, 24. Juli 2013 07:55 An: Daniel M?ller Cc: samba@lists.samba.org; samba-techni...@samba.org Betreff: Re: Git- Samba 4.1 Glusterfs 3.4, CentOs 6.4 Daniel, If we can reproduce the build bug, we will certainly work to fix it. The vfs_glusterfs module is, however, fairly new so there has not been time to produce useful documentation. If you would like to contribute documentation, we'll be happy to review it. The Gluster VFS project is hosted on forge.gluster.org. Please provide the BZ number of the Bugzilla bug you're created for this. Also, you should be able to work around the problem by deleting the vfs_glustefs.c file from the source tree. You'll find it in source3/modules/. Chris -)- On Wed, Jul 24, 2013 at 07:40:34AM +0200, Daniel M?ller wrote: Dear all, to your notice:Samba 4.1 pulled from git will not compile under CentOs 6.4 if Glusterfs 3.4 is installed from epel-repo. Make will die with an error concerning vfs modul glusterfs. There should be more documentation about the vfs modul glusterfs. Daniel --- EDV Daniel M?ller Leitung EDV Tropenklinik Paul-Lechler-Krankenhaus Paul-Lechler-Str. 24 72076 T?bingen Tel.: 07071/206-463, Fax: 07071/206-499 eMail: muel...@tropenklinik.de Internet: www.tropenklinik.de --- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Git- Samba 4.1 Glusterfs 3.4, CentOs 6.4
Daniel, If we can reproduce the build bug, we will certainly work to fix it. The vfs_glusterfs module is, however, fairly new so there has not been time to produce useful documentation. If you would like to contribute documentation, we'll be happy to review it. The Gluster VFS project is hosted on forge.gluster.org. Please provide the BZ number of the Bugzilla bug you're created for this. Also, you should be able to work around the problem by deleting the vfs_glustefs.c file from the source tree. You'll find it in source3/modules/. Chris -)- On Wed, Jul 24, 2013 at 07:40:34AM +0200, Daniel M?ller wrote: Dear all, to your notice:Samba 4.1 pulled from git will not compile under CentOs 6.4 if Glusterfs 3.4 is installed from epel-repo. Make will die with an error concerning vfs modul glusterfs. There should be more documentation about the vfs modul glusterfs. Daniel --- EDV Daniel M?ller Leitung EDV Tropenklinik Paul-Lechler-Krankenhaus Paul-Lechler-Str. 24 72076 T?bingen Tel.: 07071/206-463, Fax: 07071/206-499 eMail: muel...@tropenklinik.de Internet: www.tropenklinik.de --- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Re: utmp update for bsd systems (try 2)
From the FAQ: The Samba 2.2 branch is no longer maintained. It's EOL was October 1, 2004. It's GPL'd, though, so if you want to maintain patches for it you are more than welcome to do so. Chris -)- On Thu, Apr 14, 2005 at 01:11:08PM -0400, Michael Shalayeff wrote: re i have posted this before but received no response... is there anybod reading on this address? cu - Forwarded message (env-from mickey) - re this is a patch against samba-2.2.12p0 and adds support for updating utmp on bsds. code similarly ripped from openbsd's ftpd (; cu -- paranoic mickey (my employers have changed but, the name has remained) --- utmp.cThu Aug 12 14:24:20 2004 +++ /home/mickey/utmp.c Wed Mar 30 15:51:40 2005 @@ -261,6 +261,7 @@ } #ifndef HAVE_PUTUTLINE +#include ttyent.h / Update utmp file directly. No subroutine interface: probably a BSD system. @@ -268,8 +269,50 @@ static void pututline_my(pstring uname, struct utmp *u, BOOL claim) { - DEBUG(1,(pututline_my: not yet implemented\n)); - /* BSD implementor: may want to consider (or not) adjusting lastlog */ + int fd, topslot; + struct utmp ubuf; + + if ((fd = open(uname, O_RDWR, 0)) 0) + return; + + if (!setttyent()) + return; + + for (topslot = 0; getttyent() != (struct ttyent *)NULL; ) + topslot++; + + if (!endttyent()) + return; + + (void) lseek(fd, (off_t)(topslot * sizeof(struct utmp)), SEEK_SET); + + DEBUG(1,(pututline(%s, %s, %d); topslot=%d\n, + u-ut_line, u-ut_name, claim, topslot)); + + while (1) { + if (read(fd, ubuf, sizeof(ubuf)) == sizeof(ubuf)) { + if ((claim !ubuf.ut_name[0]) || + (!claim ubuf.ut_name[0] + !strncmp(ubuf.ut_line, u-ut_line, UT_LINESIZE))) { + (void) lseek(fd, -(off_t)sizeof(struct utmp), + SEEK_CUR); + break; + } + topslot++; + } else { + (void) lseek(fd, (off_t)(topslot * + sizeof(struct utmp)), SEEK_SET); + break; + } + } + + if (! claim) { + memset((char *)u-ut_name, '\0', sizeof(u-ut_name)); + memset((char *)u-ut_host, '\0', sizeof(u-ut_host)); + } + (void) write(fd, u, sizeof(struct utmp)); + + (void) close(fd); } #endif /* HAVE_PUTUTLINE */ - End of forwarded message (env-from mickey) - -- paranoic mickey (my employers have changed but, the name has remained) -- Implementing CIFS - the Common Internet FileSystem ISBN: 013047116X Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: [linux-cifs-client] Mounting directories below share level
Just FYI... I added a short annotation regarding this thread here: http://ubiqx.org/cifs/NetBIOS.html#NBT.1.1 (Click the Notes icon.) I do hope that we'll get client developers (Steve, Conrad, the Thursby folk, etc.) to implement this feature. Chris -)- -- Implementing CIFS - the Common Internet FileSystem ISBN: 013047116X Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: [linux-cifs-client] Mounting directories below share level
On Thu, Mar 03, 2005 at 03:13:36PM +, J. A. Landamore wrote: From my investigations, and searching the archives, it seems that smbfs can only mount shares, and not directories under the share i.e. smbmount //host/share /mntworks smbmount //host/share/directory /mnt doesn't work Yes. That's because the protocol itself wasn't really designed to do what you're trying to do. On the other hand, I just tried it and I can indeed mount a subdirectory of a share under W2K. I'll need to do a packet capture later on see what's going on here. The server in my little test was Samba, and I don't recall that we had to do anything to specifically support this, so my guess (without looking at captures) is that W2K is actually doing a tree connect to the share itself and then mapping the drive letter to the subdirectory (sort of like the old 'subst' command). It's possible that the entire UNC path (including the subdirectory name) is being provided in the TreeConnect... I'd have to take a look. Steve: Any insight? Chris -)- -- Implementing CIFS - the Common Internet FileSystem ISBN: 013047116X Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: [linux-cifs-client] Mounting directories below share level
I just did a quick capture of Deep Mapping (as Kenneth MacDonald informed us it's called). As I had suspected, the TreeConnectAndX connects to the share, but the client then performs all operations on the requested subdirectory. So... it appears (from my quick look) as though my earlier guess was correct. That is, Deep Mapping occurs on the client side. Kewl stuff. Thanks! Chris -)- -- Implementing CIFS - the Common Internet FileSystem ISBN: 013047116X Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Tiny CC [Was: svn commit: samba r5437 - in branches/SAMBA_4_0/source: build/smb_build lib/events libcli/auth rpc_server rpc_server/samr]
On Thu, Feb 17, 2005 at 11:11:26PM +, [EMAIL PROTECTED] wrote: Author: jelmer Date: 2005-02-17 23:11:26 + (Thu, 17 Feb 2005) New Revision: 5437 : Log: Allow Samba4 to be compiled by tcc (www.tinycc.org). It still crashes when linking though. Sounds like I need to learn more about tinycc. I'm still puddling with Samba4 on the NSLU2... Chris -)- -- Implementing CIFS - the Common Internet FileSystem ISBN: 013047116X Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: svn commit: samba r4885 - in branches/SAMBA_4_0/source: include libcli libcli/nbt librpc librpc/idl librpc/ndr
Dang. Building a client library was on the top of my when-I-get-a-minute-to-breath list. Ah, well... I do have one started, and it's been a great deal of help to me, but it's not far enough along for an nmbd replacement. Curious: - Why use IDL? The packet formats are well-known, simple, and not likely to change. Hard-coding them might take a little more time and require a bit more careful debugging, but once done they'd be done. - I'm a big fan of randomizing packet IDs, but I can't think of a good reason to do so for NBT TRNs since (as far as I know) there's nothing that makes use of packet sequence. What is gained? Chris -)- On Fri, Jan 21, 2005 at 06:54:10AM +, [EMAIL PROTECTED] wrote: Author: tridge Date: 2005-01-21 06:54:10 + (Fri, 21 Jan 2005) New Revision: 4885 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=4885 Log: added a new NBT client library. Features include: - structures defined using IDL in nbt.idl - build around our events structure, and talloc - fully async - supports all NBT packet fields as per rfc1002 - easy interfaces for name query and status For the moment there are just a couple of test functions in namequery.c, test_name_query() and test_name_status(). These will be removed when we hook the new library into libcli/ fully The new library will also be a fairly good basis for a nbt server. Although it can't be a server as-is, I wrote it with the needs of a server in mind (for example, extremely scalable idtree based packet handling) Added: branches/SAMBA_4_0/source/libcli/nbt/ branches/SAMBA_4_0/source/libcli/nbt/libnbt.h branches/SAMBA_4_0/source/libcli/nbt/namequery.c branches/SAMBA_4_0/source/libcli/nbt/nbtname.c branches/SAMBA_4_0/source/libcli/nbt/nbtsocket.c branches/SAMBA_4_0/source/librpc/idl/nbt.idl Modified: branches/SAMBA_4_0/source/include/structs.h branches/SAMBA_4_0/source/libcli/config.mk branches/SAMBA_4_0/source/librpc/config.mk branches/SAMBA_4_0/source/librpc/idl/idl_types.h branches/SAMBA_4_0/source/librpc/ndr/libndr.h branches/SAMBA_4_0/source/librpc/ndr/ndr.c branches/SAMBA_4_0/source/librpc/ndr/ndr_basic.c Changeset: Sorry, the patch is too large (1445 lines) to include; please use WebSVN to see it! WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=4885 -- Implementing CIFS - the Common Internet FileSystem ISBN: 013047116X Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: svn commit: samba r4885 - in branches/SAMBA_4_0/source: include libcli libcli/nbt librpc librpc/idl librpc/ndr
On Sat, Jan 22, 2005 at 07:58:48AM +1100, Andrew Tridgell wrote: : - I'm a big fan of randomizing packet IDs, but I can't think of a good reason to do so for NBT TRNs since (as far as I know) there's nothing that makes use of packet sequence. What is gained? Nothing makes use of them? The name_trn_id is the key to matching response records to queries. No, you misread my question... The TRN numbers, yes. Those are used. It's the *sequence* I'm asking about. I cannot think of anything within the protocol that relies on the sequencing of the packets. That it, it doesn't matter (to NBT) if you use randomly generated TRNs or not. That being the case (unless I'm wrong) I'm trying to understand what the actual advantage is of using random numbers. I did write testing code a while back that used random numbers (and a simple table to receive replies and avoid duplicates). I couldn't figure a reason that random numbers were a benefit. The idtree code plus random() is ideal for this. Using idtree means that even if we have 20 thousand outstanding packets we still only take a instructions to find the matching record (no more linear linked lists for response records!). I always meant to make that a splay tree. :) ...but yes, that's the kind of thing I wrote for testing when I was doing my book. Wonder where that code is now... It also makes name takeover attacks on switched networks that use wins much harder, as the attacker needs to send a huge number of packets to have a good chance of getting a hit. How does that attack work? This is what I was asking about, actually. I wanted to know what the advantage of randomization was. As I understand it, this sort of takeover attack can work if the attacker is simply faster at responding to a query than the real owner of the name. Let's see... Were I to try such a thing: Option 1: In B mode, just answer the query first (and/or send a NAME CONFLICT DEMAND or NAME RELEASE DEMAND and hope that the real owner will quietly sulk in the corner). Option 2: In P mode, send a registratration request to the NBNS. It will, most likely, query the real owner. The evildoer's options are to: - send the Name Conflict or Name Release Demand messages to the real owner, hoping to convince it that it has lost ownership of the name (some Windows boxes accept these messages). - spoof a name release request, then register the name. - send a Negative response to the NBNS, spoofing the real owner and hoping that the spoofed response will arive first. In this case, you'd have to know the TRN_ID of the query and yes, you could gain a few ms if you could predict the TRN_ID. (Particularly helpful if you're not on the same subnet.) So, of the attacks of which I am aware, that last one (the most difficult) is the only one in which I see an advantage to random TRN_ID's. ...so I'm probably missing something. :) That makes it more likely the attack will be noticed. You can't make nbt completely secure, but this is about as close as you can get. Again, I'm not sure how the attack you're describing works. that tiny bit of code generates the following debug log. Received nbt packet of length 62 from 192.168.115.5:137 packet: struct nbt_name_packet : : : Right... but the testing code I've got in my library does the same thing (well, something very similar). I showed it to you two CIFS conferences ago. :) Still, mine isn't auto-generated. I hand-tooled it and it would need a little work to be as generic as the IDL/NDR decoding. Question: The function call you cited starts with NDR_. How does NDR encoding relate to NBT? Do you bypass the NDR encoding itself? It's like having a little packet analyser built in, and makes debugging difficult problems _much_ easier. It all comes for free with pidl :-) All good things. As I tried to explain to Mr. Bartlett, I'm only trying to wrap my brain around it. Chris -)- -- Implementing CIFS - the Common Internet FileSystem ISBN: 013047116X Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: svn commit: samba-web r105 - trunk/support
On Tue, Jun 22, 2004 at 11:21:23PM +0200, Rafal Szczesniak wrote: On Tue, Jun 22, 2004 at 09:02:48PM +, [EMAIL PROTECTED] wrote: Author: deryck Date: 2004-06-22 21:02:48 + (Tue, 22 Jun 2004) New Revision: 105 Removed: trunk/support/poland.html Absolutely no one replied in Poland ??? Time to set up shop and list yourself. :) Chris -)- -- Implementing CIFS - the Common Internet FileSystem ISBN: 013047116X Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
[Samba] Re: Request patch for samba 2.2.2
On Tue, Jun 08, 2004 at 11:57:26PM -0700, Richard Sharpe wrote: On Tue, 8 Jun 2004, Udomchai Srisuk (LAD:1Logic) wrote: I'm request patch for samba 2.2.2 on Sun Server (Solaris) There is no such patch. Since you ask for a patch, you most likely are happy to work with source. You should upgrade to 3.0.4, but if you must continue with the 2.2.x stream, then you should move to 2.2.9. Could it be a Sun patch for Solaris? -- Implementing CIFS - the Common Internet FileSystem ISBN: 013047116X Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Using the '.' in names.
[EMAIL PROTECTED] wrote: Date: Fri Mar 12 21:35:15 2004 Author: herb Update of /data/cvs/samba/source/libsmb In directory dp.samba.org:/tmp/cvs-serv24318/libsmb Modified Files: Tag: SAMBA_3_0 nmblib.c Log Message: if we are truncating to the . we need to start at the beginning in case there are multiple .'s in the name. This code is protected with an #ifdef TRUNCATE_NETBIOS_NAME and this is #define'd to 1 directly above. Should we also get rid of the #ifdef? Revisions: nmblib.c1.68.2.12 = 1.68.2.13 Sure is an interesting bit of code and commentary. The way the code reads, it truncates at the 'last' dot, not the first. That may be the correct way to handle the problem. As always, I think you'ld need to see what Windows does. Urg. What's worse is that it may require seeing what happens with several flavors of Windows. Chris -)- -- Implementing CIFS - the Common Internet FileSystem ISBN: 013047116X Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: CVS update: samba/source/lib
On Thu, Jun 05, 2003 at 08:29:55PM +, [EMAIL PROTECTED] wrote: Date: Thu Jun 5 20:29:55 2003 Author: jra Update of /data/cvs/samba/source/lib In directory dp.samba.org:/tmp/cvs-serv12817/lib Modified Files: Tag: SAMBA_3_0 system.c Log Message: Get ready for EA code... Add Linux interface. Jeremy. Just curious... Is this OS/2 style Extended Attributes? Chris -)- -- Implementing CIFS - the Common Internet FileSystem ISBN: 013047116X Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: CVS update: samba/source/lib
On Thu, Jun 05, 2003 at 09:12:31PM +, [EMAIL PROTECTED] wrote: On Thu, Jun 05, 2003 at 04:00:02PM -0500, Christopher R. Hertel wrote: On Thu, Jun 05, 2003 at 08:29:55PM +, [EMAIL PROTECTED] wrote: Date: Thu Jun 5 20:29:55 2003 Author: jra Update of /data/cvs/samba/source/lib In directory dp.samba.org:/tmp/cvs-serv12817/lib Modified Files: Tag: SAMBA_3_0 system.c Log Message: Get ready for EA code... Add Linux interface. Jeremy. Just curious... Is this OS/2 style Extended Attributes? This will allow that yes. Although I'm currently getting ready for some 'magic acl' stuff. Kewl. Thanks... Chris -)- -- Implementing CIFS - the Common Internet FileSystem ISBN: 013047116X Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: ??????: ???`: ??????: When the keep-alive packet sentout,rfc1002 says different things!!
On Tue, Apr 01, 2003 at 06:01:54PM +0800, [EMAIL PROTECTED] wrote: : Ethereal is recommended, if only because the rest of us know how to read it... ^^ Thanks, I will download it and try.Is it more powerful than NAI sniffer? NAI sniffer will treat a packet simply beginning with 0x85 as keep-alive, an obvious bug:) I have no idea, since I know nothing about the NAI sniffer. What I do know is that there are some very bright Samba folk committing code to the Ethereal project. When they receive an *NBT* packet. The NBT keepalive timer is managed at the NBT layer. The TCP stream won't reset the timer, but the initial READ RAW request *should* reset the timer. But I think raw data is also an NBT packet, which is passed through to user layer. Ah... No, it's not! :) These are layered protocols. The entire READ RAW is considered one SMB 'message'. Each SMB message is packed within a single NBT Session Service wrapper (which is just the header). So, server is responsible to reset the timer anyway. And the read raw request, doesn't reset timer either, as I have seen, just between two read request, keep-alive occurs. The way it *should* work is that the initial request (the READ RAW request or the WRITE RAW request) should reset the timer. Even if that didn't happen, the READ/WRITE RAW response *should* complete before the server sends any keep-alives. What I *think* you are saying is that neither of those things happen. Again, I have trouble imagining it, but I'm certainly willing to look at a capture. I really can't imagine Samba making the mistake of sending the keep-alive while it is in the middle of a READ RAW operation, but I would believe it if I saw a capture that shows it (an Ethereal capture would be best...www.ethereal.com...it's free). ^^^ I really don't see this too. What I have seen is that keep-alive appends to the head of response or a seperate keep-alive packet. But I have no evidence that it will NOT be sent out during raw data stream,especially in a mutithread environment. Hmmm... A keep-alive before or after the READ/WRITE RAW is perfectly okay. The keep-alives are part of the NBT layer, not the SMB layer, and may show up asynchronously. They *should*, however, show up before or after another NBT message...definitely not in the middle. I understand your concern, but unless there is evidence of a keep-alive showing up inside another NBT message I wouldn't worry about it. ^^^ And I find a way,in windows, there is a registry key controlling sessionkeepalive(it just name of it) So, I can switch it off then none of keep-alive can be sent out any more.If no other safer solution, I will do it this way. That's not a safe solution, since you won't have control over the server once you release your client software. Good luck! Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Realization re UDP138 and the Browse Service
Just a note... something I figured out while working on my book. There was a complaint a while back (a long while, possibly) that the datagram service--the MSBrowse Protocol in particular--did not respond to the correct port. If, for example, a client opens a high-numbered UDP port to send a GetBackupListRequest the GetBackupListResponse is sent to port 138, even though that's not the source port of the original Request. Turns out that this is correct behavior. Yes, really. See, the problem is that the mailslot protocol is not a two-way protocol. It's all one-way. There are no replies in the traditional sense. It's more like stimulus-response. Mailslot functions generate a mailslot message... and that's it. End of story. The fact that the original message illicits a reaction from some other node is secondary. The response is also a mailslot message, so it gets sent to port 138. Weird, yes. Still, that seems to be the way it was designed. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: When the keep-alive packet sent out,rfc1002 says differentthings!!
On Mon, Mar 31, 2003 at 08:07:16PM +1000, Andrew Bartlett wrote: On Mon, 2003-03-31 at 19:42, [EMAIL PROTECTED] wrote: Hello everyone, When I am programming a samba client in freeDOS,using wattcp, I found a strange thing, which is not the same as rfc1002 claims. In rfc 1002,see below: So,during I write data or read data to server, it seems that server will not send me any keep-alive packet because he will reset the timer.But in fact,during I raw write a very large piece data to server(not matter windows or linux),it will send me a keep-alive occasionally,leading my defendless code crash. I REALLY don't understand why they don't obey the rules, or do I mistake rfc1002? Urgently hope for your kindly help,thank you See www.ubiqx.org/cifs for a description of this horrid protocol... Also, make sure you understand - the standard is what Microsoft does, not what what any RFC says. Also note that you may have trouble with ReadRaw and WriteRaw. Microsoft published documentation regarding these SMBs a long time ago and never suggested that there might be licensing issues. Just about a year ago, however, they coughed up some patents which may or may not apply to implementations of ReadRaw and WriteRaw. See: http://us3.samba.org/samba/ms_license.html That said, the problem you are experiencing, if I understand correctly, is that the server is sending keep-alives during a WriteRaw from your client because the server-side keep-alive timer is not reset. Two solutions: 1) Send an SMB ECHO just before doing the WriteRaw. That will reset the timer. 2) Handle the keep-alive. For case #2, the keep-alive will contain the bytes { 0x85, 0, 0, 0 } and that's it. You should be able to recognize those and simply discard them. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: Samba performance
On Mon, Mar 31, 2003 at 10:41:25PM +, [EMAIL PROTECTED] wrote: Please resend with a mailer that doesn't wrap at 80 columns :-). Jeremy. Looks more like 55 c -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: Samba performance
On Mon, Mar 31, 2003 at 10:41:25PM +, [EMAIL PROTECTED] wrote: Please resend with a mailer that doesn't wrap at 80 columns :-). Jeremy. Looks more like 60 columns. -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: only the first wins server works?
On Mon, Mar 31, 2003 at 04:04:30PM -0800, Chere Zhou wrote: If I have 2 wins server set in smb.conf like the following: wins server = 172.16.0.61, 172.16.10.8 I can verify that only the first works, the second does not, because the 2 wins servers have different contents in them, one for some domains and the other for some other domains. I have trusted domains in both of the wins servers. The domains are w2k domains, so the trust works through DNS, but I joined samba 3.0 as an NT4 server. So my question is, is this by design of how WINS suppose to work, or otherwise a problem in samba? I am using cvs HEAD code of Mar. 19th. WINS is badly designed. The original NBNS design was better. Samba has to be compatible with WINS, though, so we're stuck with Microsoft's design. That said... The 'wins server' parameter handles *two* different new features. The first is WINS failover, and the second is multi-namespace. WINS failover (which is what your line above is using) allows Samba to try a second WINS server if the first WINS server fails. So, the way you have things written, if 172.16.0.61 gets crushed by a falling asteroid, Samba will use 172.16.0.8. That only works if the two WINS servers are synchronized. Otherwise, they will have separate (and incompatible) namespaces. The other new feature is multi-namespace. If you use a colon (:) to separate the IP addresses, the second WINS server will be used if the first could not resolve the NetBIOS name to an address. Note that it is dangerous to have a single node using multiple namespaces. NBT was not designed to work that way, and conflicts can occur. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: [patch] uppercase workgroup in browse request
On Sun, Mar 30, 2003 at 04:03:45PM +0200, Stephan Kulow wrote: : There's a question above. I asked Do I read this correctly?. You added a smiley behind it, so it appeared ironicly to me. It was just an attempt to appear friendly. So, what is your intention with this patch? What was the problem you were detecting? You never specified. Before I dig into the patch I want to know what you are trying to accomplish. Well, host names in URLs are usually case insensitive and with samba servers smb://mygrp gives indeed the same as smb://MYGRP. But not when the server is running winME, win98 or XP (that's the versions I tried). As KDE's URL handling lower cases the host part (and that's what MYGRP is), you'll notice. The problem is that NetBIOS names are supposed to be upper case, though Windows sometimes gets this wrong. Samba decodes the wire-format of the name and uses a case insensitive comparison. Windows systems do not decode the wire format, so their comparison is case sensitive. Meanwhile Andrew pointed out that my patch wasn't safe, so I changed it to use STR_UPPER. Please check that the correct patch was applied. I believe Richard Sharpe (who is the primary maintainer of libsmbclient) has applied a fix, which should be in the current CVS. Thanks! Chris -)- PS. Will you be at the Samba/eXPo conference? -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: tcon torture test
[EMAIL PROTECTED] wrote: If two SessionSetups are sent, each resulting in a separate [V]UID, then does Windows apply correct restrictions to each or does it allow the greater set of permissions? That is: The question doesn't really make sense for SMBwriteX. It is similar to the way write() works in posix - a open file handle can be used in any security context, it doesn't matter what euid you change to before calling write() Ah. Bingo. So the context is based on the file handle. Makes sense. I really want to know more about your NTVFS rewrite. :) well, it involves rewriting just about every core function in smbd. So far I have 4 files compiling in the rewrite (server.c, process.c, negprot.c and request.c). I was hoping I'd have something working to demo at SambaXP but it may not get done in time. see http://samba.org/~tridge/hack/diffs.txt for a patch that shows what I'm doing. I need to finish this book thing this week, so I will have to catch up later. Perhaps at SambaXP. I'll try not to ask too many questions. :) Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: [patch] uppercase workgroup in browse request
On Thu, Mar 27, 2003 at 05:43:55PM +0100, Stephan Kulow wrote: Am Thursday 27 March 2003 03:43 schrieb Christopher R. Hertel: Stephan Kulow wrote: Hi! I noticed a difference between testsmbc smb://MYGRP and testsmbc smb://mygrp (it doesn't make a difference for SAMBA servers, but it does for XP and for winME) So please apply the included patch. Hang on... Do I read this correctly? Are we forgetting to up-case the workgroup name? (...it always helps to provide a little clue along with the patch.) :) Samba decodes NetBIOS names and then performs a case-insensitive comparison on the original name. Windows (the versions I've tested) simply compares the wire-format strings. That's faster, but it's also case sensitive. I don't currently have any ME or XP systems to test. I don't understand. You seem to agree with the patch, still it's not applied. I don't understand. I asked for clarification. :) There's a question above. I asked Do I read this correctly?. So, what is your intention with this patch? What was the problem you were detecting? You never specified. Before I dig into the patch I want to know what you are trying to accomplish. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: modules: BOOL vs. int
Not that this is correct or anything... just my 2cents. I tend in my own code to return negative integers to indicate warnings or errors, with different negative values having different meaning (as needed). That way, I can simply check for 0 on return. If I want to get specific about what the error was I can look more carefully at the return value. I spent a little time programming in Icon. Interesting language. Every function returns a status code in addition to all other data. Chris -)- On Thu, Mar 27, 2003 at 02:29:11PM +0100, Stefan (metze) Metzmacher wrote: At 12:12 27.03.2003 +0100, Jelmer Vernooij wrote: I noticed that all smb_register_*() fn's return BOOL and the init_module() fn's returns int so this is wrong: I don't have problems with this. We only need the return value in smb_probe_module() to check for failure, and False is defined to be equal to 0. The current way is more flexible. Some functions return a BOOL, but others return an int (such as in rpc). You're right but I think its confusing can't we name the return var BOOL when we use True or False or!!! int when we use 0 or -1 because int 0 means often success and BOOL False (int 0) means failure (this is confusing and cries for bugs!!!) And just for a better coding style :-) And I want it to be equal for all smb_register_*() fn's int auth_sam_init(void) { smb_register_auth(samstrict_dc, auth_init_samstrict_dc, AUTH_INTERFACE_VERSION); smb_register_auth(samstrict, auth_init_samstrict, AUTH_INTERFACE_VERSION); smb_register_auth(sam, auth_init_sam, AUTH_INTERFACE_VERSION); return True; } When would you want the function to fail ? If registering one of the functions fails? ok don't fail but a warning would be good metze - Stefan metze Metzmacher [EMAIL PROTECTED] -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: sesssetup.c, encrypted passwords and unicode
I posted some further analysis of this problem to the list a while back. I've got some captures. Basically, different Windows clients that can provide plaintext upper-case don't quite get it right. At least, they are not all formatting things the same way. I don't have time just now to look more deeply into this. If anyone else does, let me know and I'll forward my info. Chris -)- On Thu, Mar 27, 2003 at 09:36:48PM +0200, Nir Soffer wrote: Hi there! I've been trying to get Samba 3.0 to use plaintext passwords and unicode for a while now. The first thing I stumbled on was solved, it was a service pack that needed to be applied to w2k. (Thanks!) This is the second thing I stumbled on: In line 613 of sesssetup.c (latest CVS) there is the following code snippet: } else { pstring pass; srvstr_pull(inbuf, pass, smb_buf(inbuf), sizeof(pass), passlen1, STR_TERMINATE); plaintext_password = data_blob(pass, strlen(pass)+1); } From what (limited) understanding I have, passlen1 in this case is the non-unicode password, and passlen2 is the unicode password. The code pull the wrong passlen, and consequently the wrong password was checked against the database. ( a password with a length of 0) Changing the code to use passlen2 basically allowed me to login, but I'm pretty sure this is not the correct fix (I would think that one should first check if the connection is unicode or not). Just FYI, Thanks :) Nir. -- Nir Soffer -=- Exanet Inc. -=- http://www.evilpuppy.org Father, why are all the children weeping? / They are merely crying son O, are they merely crying, father? / Yes, true weeping is yet to come -- Nick Cave and the Bad Seeds, The Weeping Song -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: [jcifs] Re: SMB URL
On Wed, Mar 26, 2003 at 03:42:34AM -0500, Michael B. Allen wrote: : The other part missing is the query handling. Currently libsmbclient relies on ~/.smb/smb.conf for the workgroup (which is a bit problematic when you want to copy files from one workgroup to another from a linux client ;( Above that it gives a ?WORKGROUP=COOLO - no such file I'm not sure I understand this. Do you mean domain? Does libsmbclient support the forms: smb://domain;user:[EMAIL PROTECTED]/share/path/to/file and smb://workgroup/ I'm just throwing in a side-comment on terminology... After a lot of discussion I (personally) have settled on the following: Workgroup: The scope of the browse environment. NT Domain: An authentication domain. It's flakey, but the terminology is flakey to begin with. Regarding that definition of workgroup... If you have two subnets and all of the nodes belong to the FOO workgroup then: - if there is a DMB, and the LMBs on both subnets are exchanging browse lists with the DMB, then you have a single workgroup named FOO. - if there is no DMB, or if the LMBs are not exchanging browse information (perhaps one is a B node, or perhaps there are different WINS serves) then you have two separate workgroups, both nmaed FOO. Again, it's flakey, but it's the best I've been able to come up with. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: [jcifs] Re: SMB URL
On Wed, Mar 26, 2003 at 07:55:58PM -0500, Allen, Michael B (RSCH) wrote: : It's flakey, but the terminology is flakey to begin with. This is how I always distinguished workgroups and domains. Okay. Then it's probably just me that's flakey. Chrudz -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: [patch] uppercase workgroup in browse request
Stephan Kulow wrote: Hi! I noticed a difference between testsmbc smb://MYGRP and testsmbc smb://mygrp (it doesn't make a difference for SAMBA servers, but it does for XP and for winME) So please apply the included patch. Hang on... Do I read this correctly? Are we forgetting to up-case the workgroup name? (...it always helps to provide a little clue along with the patch.) :) Samba decodes NetBIOS names and then performs a case-insensitive comparison on the original name. Windows (the versions I've tested) simply compares the wire-format strings. That's faster, but it's also case sensitive. I don't currently have any ME or XP systems to test. Then again, Windows also allows applications to register names with lower case characters (consider INet~Services1C), which is icky. Chris -)- Greetings, Stephan Index: libsmb/clirap.c === RCS file: /cvsroot/samba/source/libsmb/clirap.c,v retrieving revision 1.30 diff -u -3 -p -u -r1.30 clirap.c --- libsmb/clirap.c 15 Mar 2003 06:45:19 - 1.30 +++ libsmb/clirap.c 25 Mar 2003 15:25:20 - @@ -233,8 +233,10 @@ BOOL cli_NetServerEnum(struct cli_state SIVAL(p,0,stype); p += 4; - p += push_pstring_base(p, workgroup, param); - + pstrcpy_base(p, workgroup, param); + strupper(p); + p += strlen(p); + if (cli_api(cli, param, PTR_DIFF(p,param), 8,/* params, length, max */ NULL, 0, CLI_BUFFER_SIZE, /* data, length, max */ -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Discovering the local IP on a multi-homed host.
Is there a simple, portable way to discover the outgoing IP address of a datagram socket on a multi-homed host? ...that is... I want to send a browser message. I know the destination address (a host address or the local broadcast address). Once I open the socket I can use getsockname(2) to discover the outgoing port number (that is, the source port). The problem is that getsockname(2) returns INADDR_ANY (0.0.0.0), which is reasonable since the system doesn't know the outbound interface address until the message gets routed. So, is there any portable way to ask the system which IP address (which interface, I suppose) will be used as the source address before sending the datagram? Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: CVS update: samba/source/client
Is that portable? I thought it was Linux-specific. Chris -)- On Sat, Mar 22, 2003 at 11:55:33PM +, [EMAIL PROTECTED] wrote: Date: Sat Mar 22 23:55:33 2003 Author: jelmer Update of /home/cvs/samba/source/client In directory dp.samba.org:/tmp/cvs-serv30866/client Modified Files: client.c Log Message: Convert to popt. Revisions: client.c 1.238 = 1.239 http://www.samba.org/cgi-bin/cvsweb/samba/source/client/client.c?r1=1.238r2=1.239 -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: Support for Multiple Data Streams?
Ken, How would you store that information on a Unix filesystem? How do you prevent users or other services from messing things up? There are solutions, but it's a much bigger problem than it seems on the surface. Chris -)- On Thu, Mar 20, 2003 at 03:01:51PM -0500, Ken Cross wrote: Samba-folk: Samba apparently does not support Alternate Data Streams/Multiple Data Streams. ADS/MDS are the hidden files associated with the Summary tab on a 2K/XP/.Net version of Windows. A file on a SAMBA_3_0 server does not even display the Summary tab on the Properties page. Is this on anybody's To-Do list? Ken Ken Cross Network Storage Solutions Phone 865.675.4070 ext 31 [EMAIL PROTECTED] -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: Support for Multiple Data Streams?
On Thu, Mar 20, 2003 at 01:14:29PM -0800, Richard Sharpe wrote: On Thu, 20 Mar 2003, Christopher R. Hertel wrote: Ken, How would you store that information on a Unix filesystem? How do you prevent users or other services from messing things up? There are solutions, but it's a much bigger problem than it seems on the surface. There are some interesting issues here. Alternate Data Streams can be accessed via CIFS, but there is no special support built into the protocol. Right. On the other hand, the old-style OS/2 EAs do require special protocol handling. They are similar in concept to alternate streams, and NTFS does support them. I think there is also an NTTrans call for exchaning navel lint, and NTFS has an attribute set aside for storing walrus blubber against a long cold winter. Man, what a system... Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: Support for Multiple Data Streams?
Stefan (metze) Metzmacher wrote: : in samba we filter out path names witch include ':' and return STATUS_OBJECT_NAME_NOT_FOUND Kewl... So, what do we do if the filename on the server actually *does* have a colon in it? (I can check for myself but it's worth discussing...) Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: Browsing across subnets without WINS
On Wed, Mar 19, 2003 at 11:22:51AM -0600, Steve Langasek wrote: : The point is, though, that to have multiple workgroups you need to have multiple LMBs. The problem comes from using Win9x as an LMB, since Win9x does NOT do its job of exchanging browse lists with the DMB. I would love to see traces that show this, too. I'm not sure, though, how to get a packet capture of something that doesn't happen. :) You do also need to have some 'exchange point' -- a subnet with representatives (functional LMBs) of the various workgroups. Without that, the MS browsing protocols give no way to find out who's in those other workgroups. Right. That's why Samba has the advanced browsing options. One note, though. There was one report somewhere along this thread that Samba doesn't notice a #1B entry in the lmhosts file. I don't have confirmation on this, and if it is true then it may have something to do with name resolution order, or somesuch problem (that is, a configuration issue). If there's anyone who can provide more information on this I would love to see it. So indeed, if you have a configuration where each remote site represents a workgroup, or the only shared subnets are running stupid Win9x machines, it becomes difficult to move between the workgroups without investing in some hardware for a number of LMBs at one of the sites. I would suggest that an old 486 would do the job just fine. Run Samba with no shares offered, but configured to act as an LMB or even DMB for the workgroup. If you like low-power options, get something like this: http://www.soekris.com/ This can be done with a single Unix machine, though, running multiple discrete copies of nmbd on different IPs -- I haven't seen anyone do *that* with Windows yet. :) Yep, and they can be virtual interfaces so you only need one physical interface. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: error message.
I think that this is a simple misconfiguration. Something to be handled on the [EMAIL PROTECTED] list, not on the samba-technical list (which is for detailed developer discussion). Also, version 2.0.6 is *way* out of date. 2.2.8 is the current production release. It appears that the problem is that node SC08954D at IP address 10.68.1.102 thinks that your Samba server is the WINS server. If you have not configured Samba to be the WINS server, then node SC08954D is probably misconfigured, and is sending name registrations to the wrong system. Chris -)- On Tue, Mar 18, 2003 at 06:43:02PM +0100, Hassen Chaker wrote: Hye, I have installed a printer SHARP on a LAN network. I have an HPserver 10.20 with SAMBA 2.0.6 and I have this error messages in nmbd logs : [2003/03/18 18:27:22, 0] nmbd/nmbd_incomingrequests.c:(222) process_name_registration_request: unicast name registration request received for name SC08954D00 from IP 10.68.1.102 on subnet UNICAST_SUBNET. Error - should be sent to WINS server [2003/03/18 18:27:27, 0] nmbd/nmbd_incomingrequests.c:(222) Thank you for help. Hassen CHAKER -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: Browsing across subnets without WINS
lab at a conference and I did not have either time or resources. I think that it would help me to have a better understanding of the situation above. At this point I'm just guessing... Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: Browsing across subnets without WINS
Alex @ Avantel wrote: It's been a while since I looked at this stuff but at the time, WINS replication was not available with samba, and there was no apparent solution to browsing multiple subnets when the 'workgroup' name was different on each subnet. That caused a problem for use of samba in WAN VPNs as documented at; http://www.avantel.ca/samba.html That same problem, as far as I have been able to determine, still exists. Any comments/corrections/suggestions welcome. The first comment/correction/suggestion is that there needs to be a *lot* better understanding of the workings of the NBT namespace. You don't need WINS replication (but JF has been working on it). WINS replication simply means that you have two WINS servers with the same data. That gives you redundancy, but that's all. So how does redundancy help with browsing? It doesn't. As for the workgroup name being different on each subnet... That's the way Browsing works. Really. Promise. As for the workgroup name being different on different subnets... combining browse lists from multiple workgroups has *nothing* to do with WINS replication. With Windows, the only way that the browse list for workgroup A gets combined with the browselist for workgroup B is if there is a subnet somewhere that has a Local Master Browser for A *and* an LMB for B on the same subnet. Browselists from separate workgroups are combined when the LMBs on a subnet exchange information. That combined lists are then uploaded to the DMBs and re-propogated. If all of your DMBs are Samba-based, then you can use Samba's 'enhanced browsing' and 'remote browse sync' options to improve things. Read up on these options in the smb.conf documentation. I hope that makes a little more sense. I've seen the Avantel docs and, well, that's why I am writing a book about how this stuff actually works. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: client VPN disconnects samba shares
Please do not cross-post to both Samba and Samba-Technical. These lists are for different purposes. Pat Schlehuber wrote: I am running Samba 2.2.7a in domain mode .. all is great. I have a XP user on my local network that connects to samba as a domain user - so far so good. This users also has a Cisco VPN client for connecting over the internet to another application at a service bureau. When the VPN client is activated, all traffic from this machine is only forwarding network traffic over the VPN pipe. Obviously, this causes a problem with my Samba shares as they are no longer available. When the VPN client is shutdown all is well again. Normal behvior for the Cisco VPN product. So what's the problem? The VPN configuration is provided by the service bureau so I have no control over its configuration. Yep. Now, if they'd just allow Split Tunneling or let you exclude the local LAN from the VPN you'd be okay. My local network is DHCP controlled using 192.168.0.*/24 and the VPN pipe is connected to a public address over the internet connection. I am using WINS on the Samba server, put I still cannot ping anything on my local network. The Cisco VPN client acts as a shim. It sits between your IP stack and the real interface and examines packets. If Split Tunneling is enabled, then the VPN client does a limited form of routing. Packets meant to go over the VPN tunnel will be encrypted and sent through the tunnel, and others will be dropped through to the real interface. Split tunneling is server-controlled. The other option is to set the Exclude Local Network (or similar) option on the client side. That will ensure that packets for the local IP LAN will drop through to the real interface. If you don't have any configuration control, then you cannot do either of these things and *all* traffic normally out-bound through that interface will be captured by the shim and redirected to the VPN server via the tunnel. I may be answering my own question, but do I need to get the service bureau to supply me with a VPN configuration that places everything over the VPN Pipe except for 192.168.0.* addresses? Unless you can change the client configuration yourself, yes. Any thoughts? This really isn't a Samba-Technical question. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: FW: encrypt passwords = no, security=user, samba 3.0a22
Richard Sharpe wrote: On Tue, 11 Mar 2003, Nir Soffer wrote: FWIW turning off unicode with unicode=no helps somewhat, and both ethereal and Samba parse the session request correctly: Hmmm, I fixed a problem in Ethereal around Unicode handling last week at Connectathon. I would be very interested in a trace that shows the problem. Run Samba 3.0 with plaintext passwords. Then log on from both a W2K and a W/XP system. Make sure the Windows clients have been registry-hacked to allow plaintext. Piece of cake. I'm pretty sure I've sent you a capture on this before. I also sent one that showed that WindowsNT4SP3 adds extra nul bytes following some Unicode strings, and that Window2000 will sometime drop one nul byte at the end of the PrimaryDomain field (such that the PrimaryDomain Unicode string isn't properly terminated). See also the !Alert box in section 2.7.2 of my book. ;l file:///home/crh/work/docs/cifsdocs/SMB.html#SMB.7.2 Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: could not find domain entry for domain @xxxxx
schmieder, holger wrote: Have anybody seen that problem ? We have that in an NT40Serverfarm with samba 2.2.7a as BDC. during the start of winbind we saw also following message: could not get sid of domain ... The users get access to there shares but the policies dont work corectly We have an IP-Segmented network, the server are in there own net, wins is running on the NT40 PDC. Thanks for every idea Holger We would need a lot more information. First thing to try is this: $ nmblookup -R -U wins server IP domain#1C That checks to see that all of the 1C IP addresses for your WINS database. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: NTLMv2 and NTLMSSP
Yixin Jin wrote: Hi folks, It may be a dumb question. Is NTLMv2 meant to work within NTLMSSP only? NTLMv1 can work with or without NTLMSSP. So what about NTLMv2? Thanks Yixin NTLMv2 and LMv2 can both be used without NTLMSSP. See: http://ubiqx.org/cifs/SMB.html#SMB.8.5 Have fun... Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: FW: encrypt passwords = no, security=user, samba 3.0a22
Nir Soffer wrote: : : It seems to me that a more correct fix would be, in the case of encrypt passwords = no, to request a normal password and not a UNICODE one. Is this even possible in the protocol? (e.g - request non-unicode passwords, but still support non-unicode filenames?) Unicode is either ON or OFF. If Unicode is negotiated, then the Windows clients will try to send a Unicode password. This is definitely broken now if this the case, regardless where the bug is... There are bugs in the Windows clients, clearly, but I think that we can work around them. I also think that smbclient needs to be tested in this regard. Chris -)- PS. It would also be nice (hint to others on this list) if Ethereal were patched to read these messed-up packets correctly. :) -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: FW: encrypt passwords = no, security=user, samba 3.0a22
Nir Soffer wrote: : FWIW turning off unicode with unicode=no helps somewhat, and both ethereal and Samba parse the session request correctly: [2003/03/11 20:11:30, 3] smbd/sesssetup.c:reply_sesssetup_and_X(732) Domain=[CACOMISTLE] NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5 .0] [2003/03/11 20:11:30, 3] smbd/sesssetup.c:reply_sesssetup_and_X(742) sesssetupX:[EMAIL PROTECTED] So it seems you hit the mark. Now it's time to figure out how to fix it :) It's something I would do if I had time right now, but I am trying to finish up several projects all at once. Thanks again! We aims to please. :) Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: breakage in cliconnect or thereabouts
On Mon, Mar 10, 2003 at 08:20:34AM +1100, Andrew Bartlett wrote: On Mon, 2003-03-10 at 08:05, Ronan Waide wrote: Hi folks, * libsmb/smb_signing.c, libsmb/smbencrypt.c, Makefile.in, include/client.h, libsmb/cliconnect.c, libsmb/clientgen.c: Change the way we sign SMB packets, to a function pointer interface. The intention is to allow for NTLMSSP and kerberos signing of packets, but for now it's just what I call 'simple' signing. (aka SMB signing per the SNIA spec) Andrew Bartlett some part of this change is currently stopping connections to an NT4SP6 PDC working from Samba. I'm getting session request to SERVER failed (Called name not present) If I find the bug, I'll post further. If not, I'm sure someone else will catch it :) Yes - I was clobbering the 'signature' field of the packet, but the session request is NBT, not SMB so doesn't have this field. Right. The Called Name Not Present error is at the NBT layer and it would occur well before you would start signing packets. There is no SMB exchange happening yet at the point at which that error comes up. Do I remember correctly that there was a post from rsharpe regarding the *SMBSERVER name not being tried? Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: SessionSetup_and_X with VC=0
I don't have all the answers here but I did write up some information about the intentions behind the VC number, and the problems with doing anything other than ignoring it. See: http://ubiqx.org/cifs/SMB.html#SMB.7 ...and scroll down a little. The interesting bit is probably in section 2.7.1.1. Chris -)- On Thu, Mar 06, 2003 at 04:55:50PM -0500, Peter Hurley wrote: I was following an earlier thread Samba doesn't free network resource with XP clients, and in investigating the SessionSetup_and_X handling I have a couple of questions. (I only looked at 2.2.7a (not 3.0)) 1) It appears that in reply_sesssetup_and_X(), the VC is in essence ignored. When I look at an ethereal trace of browsing from a W2k workstation, many SessionSetups are transacted for user anonymous, and *new* uids are being issued. Is not reclaiming users by tracking VCs chewing up pdb entries? Or is the uid simply being advanced without *real* resource allocation for the guest user? 2) Is it possible to have multiple child smbds servicing one W2k workstation? If so, under what conditions? I can only get it to use the same negotiated session key over and over again. Thanks, Peter Hurley -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: client: browse doesn't work with only win98 in workgroup
On Mon, Mar 03, 2003 at 09:41:51AM -0500, [EMAIL PROTECTED] wrote: : I know enough right now to ask intelligible questions, although not yet with correct terminology. I appreciate you setting me straight. Your explanation of not only the correct terminology, but why the terminology I was using actually had a different meaning, was enlightening. Most welcome. As it happens, I am currently working on writing the Browsing section of my online book, so the stuff is fairly fresh in my mind. :) Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
SMB_COM_NT_TRANSACT
How/when is the SMB_COM_NT_TRANSACT SMB used? I am fairly certain that the layout given in both the SNAI doc and the Leach/Naik drafts are off a bit. The Interim Response for the SMB_COM_NT_TRANSACT is shown as having a USHORT ByteCount field... but that doesn't make sense since the whole point of the NT_TRANSACT is to allow transfers larger than 64K. I imagine that SMB_COM_NT_TRANSACT is used with some of the more advanced RPC calls. Am I anywhere close to the mark? Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Mapping of Transact calls to subprotocols.
I am assuming that the SMB_COM_TRANSACTION calls are generally used for older subprotocols, such as RAP and mailslot protocol. I'm further assuming that SMB_COM_TRANSACTION2 and SMB_COM_NT_TRANSACT are used for RPC calls. Is that oversimplified? Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Found a bug in my docs...
I don't get to work on my book much during the week, when everyone is available on-line. I spend a lot of weekend time, though. :) I found an interesting bug in my book... The Flags2 SMB_FLAGS2_EAS bit indicates client support for OS/2 extended attributes. These are similar to, though more limited than, the concept of forks. I had confused this concept with Extended File Attributes (arg!), which have to do with 32-bit access masks and such. Fixed now. When can we just make all of this go away? Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: client: browse doesn't work with only win98 in workgroup
[EMAIL PROTECTED] wrote: [EMAIL PROTECTED] writes: Christopher R. Hertel [EMAIL PROTECTED] writes: I am interested in looking into this, but I won't have time until the weekend. ... In the mean time, I have modified smbw_dir.c to include a new function smbw_browse_workgroup_alternate() with the following patch. The code is basically stolen from nmblookup.c. More testing (and the Duh! factor upon reviewing the code) reveals that the code I added does not find all hosts in a workgroup; it finds some of the hosts. Actually, it finds _one_ host each time it's run, not necessarily the same host each time. I'll have to work on this some more if the cli_session_request() method can't be made to work properly with win98 and win95 machines as master browsers. Derrell, Can you give me a better idea of what you are trying to do? Above, you say you are trying to find all hosts that are members of a given workgroup. The question is: why? What is it that you are actually trying to accomplish? Keep in mind that there is a *very* big difference between the set of hosts that are members of a workgroup and the set of servers offering services within that workgroup. Two distinct systems are used to gather those two lists. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: client: browse doesn't work with only win98 in workgroup
Okay, I understand the problem now. The problem is that W/9x boxes do not recognize the generic *SMBSERVER name in the NBT Session Setup Request. Also, W/9x boxes will send back an error if the called name is not correct in the NBT Session Setup Request. You should get a NEGATIVE SESSION RESPONSE (0x83) message with an error code of: 0x82: Called Name Not Present Since W/9x systems do not support the generic *SMBSERVER name, this error message is correct. Basically, it's the NBT equivalent of That port isn't listening for a connection. The solution is to find the Server Service name on the remote machine. This is typically done by sending a Node Status query and looking for a name with a suffix byte value of 0x20. More inline below... [EMAIL PROTECTED] wrote: Christopher R. Hertel [EMAIL PROTECTED] writes: Derrell, Can you give me a better idea of what you are trying to do? Above, you say you are trying to find all hosts that are members of a given workgroup. The question is: why? What is it that you are actually trying to accomplish? I'm working on providing a tree-style view of the network in a fashion similar to what Windows Explorer does. The top level of an SMB/CIFS network is something like Microsoft Windows Network. The next level down is the list of workgroups/domains within the network; Okay. At this level what you need to do is talk to *a\ny* Local Master Browser on the local LAN. If you know a specific workgroup name you can use that, otherwise you can find a list of workgroups by querying for the \x01\x02__MSBROWSE__\x0201 name. (That last 01 is the suffix byte, value 0x01). If the network is relatively stable, the LMBs will have exchanged data with one another, and any LMB will have the list of all other workgroups that are known. Anyway, once you have one (or more) LMB IP addresses, you can try to query for the Browse List. In this case, you want only the workgroup/domain entries, so what you should see on the wire is a NetServerEnum2 Domain Enum request. then the hosts within each workgroup; Nope. You can only get the list of servers in the workgroup that are advertising services. The list of all hosts which are workgroup members is not kept by the browse service. ...but that's not what you really want, anyway. What you really want is the list of known servers. That's a NetServerEnum2 with all the server type bits turned on. The LMB (or any available backup browser) should have this list. then the shares within each share, etc. Shares offered by the server. Okay. Note that some servers require authentication before they allow enumeration of shares. I don't know what version of Windows will be the master browser, and I don't want to force it by using Samba as the master browser. Right. Therefore I have to be able to enumerate the hosts within a workgroup regardless of what versions of Windows happen to be on the network. That's not a problem, as long as you have a valid CALLED name in the NBT Session Request. Samba ignores the CALLED name, W/NT and W2K accept the generic *SMBSERVER name (so Samba can 'guess'), and I don't know about W/XP. W/9x, as you've seen, requires the correct name in this field. Keep in mind that there is a *very* big difference between the set of hosts that are members of a workgroup and the set of servers offering services within that workgroup. Two distinct systems are used to gather those two lists. The latter works fine. If I already know the host name, I can see the shares on that host. No. That's not what I said. The latter in my note above is the set of servers offering services within a workgroup which is exactly what you're having trouble finding. The problem is enumerating the hosts within a workgroup. I know that this is pedantic, but it's important to understand that there is a difference between the set of hosts in a workgroup and the servers offering SMB services in the workgroup. A host may be a client and it may not be offering SMB services, in which case it will not show up when you try listing the servers in the workgroup. In the case of smbwrapper and smbsh, one is supposed to be able to do: ls /smb to see the list of workgroups/domains, and ls /smb/WORKGROUP to see the list of hosts within the workgroup WORKGROUP, and ...all of the servers in the workgroup... ls /smb/WORKGROUP/HOST to see a list of shares on the computer called HOST. Right. We leverage that hierarchy with the SMB URL. See: http://www.ietf.org/internet-drafts/draft-crhertel-smb-url-04.txt All of these work with the method implemented in smbwrapper, except for enumerating the list of hosts within a workgroup where the master browser for the workgroup is a Windows 98 or Windows 95 machine. Ah! Okay. As Richard asked... What tool are you using (libsmbclient?) to do this? It may be that you need to do the extra reverse-resolution step yourself
Re: Samba doesn't free network resource with XP clients
Charles Bueche wrote: Hi, OK, I understand why this fix wasn't implemented as such, but still, my problem remain. Here is a copy of my post to [EMAIL PROTECTED] Subject is Samba doesn't free network resource with XP clients, and the previous post, on 21.2.03, title 2.2.7a breaks on ATM stack on AIX 4.3. I would appreciate having your opinion on the best way to solve this problem. My opinion is that the best way to slove this problem is to figure out what is causing it and then fix whatever is broken. One random thought is to look at the socket options parameter in smb.conf and enable SO_KEEPALIVE ...or perhaps use the keepalive parameter. I don't know if these will fix anything because I can't tell from where I sit what the problem really is. I can't offer you any solutions if I don't know what is actually wrong. I can only offer guesses. Good luck. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: Samba doesn't free network resource with XP clients
On Fri, Feb 28, 2003 at 10:23:16PM +0100, Charles Bueche wrote: Hi, I posted my problem to [EMAIL PROTECTED] as well, I think it boils down to the post below. Is there a known fix to this problem ? That is an old message, and I am sure we would not have changed Samba to send all connected SMB's a disconnect. Doing so can have very bad consequences. There is another Windows KB article which explains, for example, that this causes clients of a W2K server that are behind a NAT to have their sessions shut down if a new client connects. The new client sends VC=0 and the W2K server (since it sees all connections as coming from a single IP) disconnects all the other clients. Ouch. Microsoft has a patch for this, I believe. Anyway, I did not see your port to [EMAIL PROTECTED] so I have to guess that your server is keeping TCP connections open until they time out. Is that correct? Which problem are you trying to solve? Chris -)- === On Tue, Sep 17, 2002 at 09:50:28PM +0400, Vladimir I. Umnov wrote: Hello, Fredrik. FA Ah.. So that's the reason for some of the problems.. Why can't samba FA correctly process nt status code? Do you know? Samba process nt status code, but besides nt status code must die send many other commands, and there is no documention about this commands. But Microsoft KB article says, that only nt status code processed incorrectly. I think, this is a politics of Microsoft. They want kill free software!!! FA Should it be a dword och a regular string in the registry? From KB article: Start Registry Editor (Regedt32.exe). Locate and then click the following key in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\ parameters On the Edit menu, click Add Value, and then add the following registry value: Value name: EnableDownLevelLogOff Data type: REG_DWORD Radix: Hexadecimal Value data: 1 Quit Registry Editor. Ah. Now I think I get it .. The new Microsoft redirectors use the feature of Microsoft SMB implementations that SessionSetup SMB with the VC number set to 0 should terminate all previous sessions from the same client, they don't bother to send a Logoff command any more. We can change Samba to send all connected SMB's a disconnect message when we get a new VC=0 SessionSetup to fix this I think. I will investigate further. Jeremy. === -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
MS Publisher and printing...
I have a LAN Admin reporting a problem when printing from MS-Publisher. I assume this has to do with the RPC printing system. I'd like to understand the problem better so that I can help out. Clues? Anyone else seeing this specific problem? Chris -)- --- Product: Microsoft Office 2000 SP3 Product ID: 50158-700-3658033-02491 Application: Microsoft Publisher 2000 SP3 - From CD #2 (Latest Patch Ver) MSPUB.EXE - Friday, June 28, 2002, 3:01:04 PM - 2,719,784 bytes Error: document name - Microsoft Publisher: MSPUB.EXE - Application Error The instruction at 0x77f578d3 referenced memory at 0x0048. The memory could not be read. Operating System: Microsoft Windows 2000 (5.00.2195) SP3 How the error occurs: When you go to File - Print, and then you choose a Samba Printer from the list of printers Then you click on Advanced Print Settings... OR click OK to print the Application Error message pops up, and Publisher closes out. This error did _not_ occur when the printers were served off of a NT 4.0 Server. No other application we use here has a problem with the Samba Print Server: Some examples are: MS Word, Excel, Access 97 MS Word 2000 MS Excel 2000 Visio 2000 Internet Explorer Netscape 4.x+ Mozilla 1.0+ Adobe Acrobat The types of printers that are served via the Samba Server: HP LaserJet 1200 (Using Latest PCL 6 Drivers) HP LaserJet 5si PCL (Using Latest PCL 5e Drivers, and Latest PS Drivers) HP LaserJet 8100DN (Using Latest PCL 6, PCL 5e, and PS Drivers) Xerox Document Center 332 (Using Latest PS Drivers) The Version of Samba we are running is 2.2.7a Server: Redhat Linux 8.0, + samba-2.2.7-2 RPM package (Latest/Greatest Version) --- Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: ports in samba
On Thu, Feb 27, 2003 at 12:47:59AM -0800, D Jemms wrote: Port 445 is Microsoft's direct SMB over TCP (no NetBIOS in the middle) the preferred method for Windows 2000 and XP - should be a cleaner way to work with, but I do not know it well yet... According to http://support.microsoft.com/?kbid=204279 if I disable NetBios over TCP/IP on windows2000, ideally it whould use port 445 and all SMBs should come directly over TCP. But in traces I can see TCP, NBT and then SMB, for all the SMBs ???What is wrong here ? can it be possible to see TCP,SMB in traces without NBT in between ? If yes,What is the procedure? Help on this will be highly appreciated. You need to read http://ubiqx.org/cifs/ There is a four byte header between the TCP header and the SMB message. The four byte header is used with both SMB over NBT and SMB over naked TCP. It is needed so that the length of the SMB message can be discovered. Ethereal will call this the NBT header even if you are capturing port 445 (naked TCP transport). Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: Authenticating WinXP with Samba 3.0 CVS (plaintext) problem
On Wed, Feb 26, 2003 at 12:59:58PM -0500, Kris Van Hees wrote: I have a WinXP box that has plaintext password enabled. I have a Samba 3.0 CVS server that also does not use encrypted passwords (uses PAM). I cannot connect to shares from the WinXP box because apparantly the non-encrypted password is sent as the NT password, and nothing as the LM password. You mean that XP sends the plaintext password in the Unicode Password field? That's sick. Does it send it as ASCII or Unicode. The protocol that was negotiated was NT LM 0.12. That would be correct. From the code, it seems that the Samba server believes that plaintext passwords should only be sent for the protocols PROTOCOL_NT1 (anything other than NT LM 0.12 or NT LANMAN 1.0). No, Samba can handle plaintext just fine in the NT LM 0.12 dialect. It's just that Samba needs to know where to *find* the password. Plaintext passwords are always sent in the first password field (ASCII Password, or CaseInsensitivePassword, depending on which documentation you read). Has anyone else seen this? Am I missing something here? Getting WinXP to work with plaintext passwords is rather important for my setup. No, but I don't have an XP system available. I'd be interested in seeing the SessionSetupAndX from an Ethereal trace. Chris -)- -- Never underestimate a Mage with: - the Intelligence to cast Magic Missile, - the Constitution to survive the first hit, and - the Dexterity to run fast enough to avoid being hit a second time. I've got a fourth-level wombat teaser that's +4 on musk. -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: Authenticating WinXP with Samba 3.0 CVS (plaintext) problem
On Wed, Feb 26, 2003 at 02:54:00PM -0500, Kris Van Hees wrote: On Wed, Feb 26, 2003 at 01:39:26PM -0600, Christopher R. Hertel wrote: On Wed, Feb 26, 2003 at 12:59:58PM -0500, Kris Van Hees wrote: I have a WinXP box that has plaintext password enabled. I have a Samba 3.0 CVS server that also does not use encrypted passwords (uses PAM). I cannot connect to shares from the WinXP box because apparantly the non-encrypted password is sent as the NT password, and nothing as the LM password. You mean that XP sends the plaintext password in the Unicode Password field? That's sick. Does it send it as ASCII or Unicode. That is correct, and it is in Unicode indeed (2 bytes per character). ...and there's no ASCII password? Unicode Plaintext is a very unusual combination. I have tested this combination before (Samba can be made to do it) but since we've never had anything to test against... Would a tcpdump of the dialogue also be acceptable? :) I can of course also send the samba.log and/or SMBtconX.* files etc... Tcpdump is perfect. :) Oh! ...but use a bogus password, or change the password after you've captured the data. I don't want your real auth data. :) Send directly to me, please. If anyone else on the Team wants a look I'll share. I may run it past a few other folks as well, and I would love to have the information for my book. Thanks! Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: NT_Create: Anything special I need to know?
On Wed, Feb 26, 2003 at 08:28:32PM +, [EMAIL PROTECTED] wrote: On Wed, Feb 26, 2003 at 12:24:09AM -0600, Christopher R. Hertel wrote: I'm going to do a very brief writeup of NT_CREATE_ANDX, but I remember hearing rumors dark lurking daemons. What do I need to know? What is there about this command that should be documented? It's *monstrous*. There are so many special cases, corners and daemons living in there that it's hard to list them all. Thanks Jeremy. I have a warning blurb in my book about this. If you get a chance, please take a look. I'm not sure I can even remember them all, but all we've found are in the smbd code. It would be fun to have them cataloged, but I need to finish my book sometime this centrury. ;) Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
[Samba] Re: Recovery from Domain/WINS Outage - Didn't work well
Hall, Ken (ECSS) wrote: We're using Samba 2.2.5 and 2.2.7 in SECURITY=DOMAIN mode. This morning we lost contact with our PDC, and for about 2 hours, users were unable to logon. After chasing this down, we determined that we were also unable to contact the WINS server defined in smb.conf. Our backup WINS server was available, but it seems Samba only supports one WINS server in smb.conf, so this didn't help much. After manually switching to the other WINS server, we were able to connect. WINS failover has been implemented. It may, however, only be available in the 3.0 beta. I am not sure. I wrote the original implementation but Tridge came up with a (much) better way to handle this. We're still new with this, and so far Samba isn't looking too reliable to our management. This is the second time a WINS-related problem has knocked us down while the Windows servers remained available. Was the missing WINS server a Samba server or a Windows box? In all seriousness, we did not bother implementing WINS failover because the Samba-based WINS servers generally didn't go down. The decision to add it came from pressure from people who used Samba in a primarily Windows environment. I'm assuming we're still only allowed to specify a single WINS server. Does anyone have any idea if this will be fixed anytime soon? You might try putting in two IP addresses separated by a colon. The first will be the primary and the second the secondary WINS server. The code that makes this work is in 2.2.7 *but it was not completed* so it was left undocumented. It is a beta feature in 2.2.x. Should Samba have recovered from the DC outage? It appears that after losing contact with the DC, it went back to WINS, and tried to get a new list. Does it only try the first DC on the list, or does it work down till it finds a good one? Am I correct in assuming that being unable to connect to the WINS server would prevent this from happening? When a client sends a query for a 1C name the Windows WINS server responds by sending a list of IPs. This is correct per the RFCs, but unusual for WINS (Microsoft's original implementation was kludged such that it replies to group name queries by sending only the limited broadcast address: 255.255.255.255). Anyway, the first entry in the list of 1C names is the PDC. All others are BDCs. Thanks in advance for any info you can provide. Hope that's somewhat useful. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: Recovery from Domain/WINS Outage - Didn't work well
Hall, Ken (ECSS) wrote: We're using Samba 2.2.5 and 2.2.7 in SECURITY=DOMAIN mode. This morning we lost contact with our PDC, and for about 2 hours, users were unable to logon. After chasing this down, we determined that we were also unable to contact the WINS server defined in smb.conf. Our backup WINS server was available, but it seems Samba only supports one WINS server in smb.conf, so this didn't help much. After manually switching to the other WINS server, we were able to connect. WINS failover has been implemented. It may, however, only be available in the 3.0 beta. I am not sure. I wrote the original implementation but Tridge came up with a (much) better way to handle this. We're still new with this, and so far Samba isn't looking too reliable to our management. This is the second time a WINS-related problem has knocked us down while the Windows servers remained available. Was the missing WINS server a Samba server or a Windows box? In all seriousness, we did not bother implementing WINS failover because the Samba-based WINS servers generally didn't go down. The decision to add it came from pressure from people who used Samba in a primarily Windows environment. I'm assuming we're still only allowed to specify a single WINS server. Does anyone have any idea if this will be fixed anytime soon? You might try putting in two IP addresses separated by a colon. The first will be the primary and the second the secondary WINS server. The code that makes this work is in 2.2.7 *but it was not completed* so it was left undocumented. It is a beta feature in 2.2.x. Should Samba have recovered from the DC outage? It appears that after losing contact with the DC, it went back to WINS, and tried to get a new list. Does it only try the first DC on the list, or does it work down till it finds a good one? Am I correct in assuming that being unable to connect to the WINS server would prevent this from happening? When a client sends a query for a 1C name the Windows WINS server responds by sending a list of IPs. This is correct per the RFCs, but unusual for WINS (Microsoft's original implementation was kludged such that it replies to group name queries by sending only the limited broadcast address: 255.255.255.255). Anyway, the first entry in the list of 1C names is the PDC. All others are BDCs. Thanks in advance for any info you can provide. Hope that's somewhat useful. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: SMB_QUERY_FILE_ALL_INFO not correct in SNIA spec?
Richard Sharpe wrote: On Tue, 18 Feb 2003, Joey Collins wrote: : My questions: 1) Can anyone else confirm my interpretation? If you can send us a capture, we can look at it to see if we agree with your interpretation, and perhaps modify Ethereal as well. Before modifying Ethereal there will likely be more testing done... 2) Are there server-dependent variations on the format? There should not be any server-dependent variations that cannot be determined by looking at WordCount or Protocol Dialect. ...but this is CIFS we're talking about. There are bugs introduced by different implementations. Mike Allen was able to show that W2K's WINS implementation returns invalid packets in several instances. If you are careful, you can interpret them correctly, but it really helps to know that some servers have specific quirks. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: problem with oplocks.
On Mon, Feb 17, 2003 at 02:53:14PM +0100, Olaf Fr?czyk wrote: On Mon, 2003-02-17 at 14:42, Ireneusz Piasecki wrote: Hi. I use samba with linux 7.2 kernel 4.7, samba 2.2.1a Is there any solution to avoid these errors ?? With redhat 6.2 and samba 2.0.2 (?) tehere were no errors. Hi, I had the same problems. Upgrade your samba to 2.2.7a and it will work OK. It was fixed about 2.2.6 AFAIK. BTW, oplocks are unreliable by definition, so I don't use them. The small speed improvement (if any) is not worth loosing data integrity from my point of view. Um... Just curious, but how are oplocks are unreliable by definition? Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: Well, the large file offset stuff in smbclient seems to work
Richard, Any chance you can do some jCIFS testing for us? Chris -)- On Sat, Feb 15, 2003 at 10:01:48PM -0500, Michael B. Allen wrote: On Sat, 15 Feb 2003 21:26:16 -0500 John E. Malmberg [EMAIL PROTECTED] wrote: Michael B. Allen wrote: Richard Sharpe [EMAIL PROTECTED] wrote: Just reporting that the large file offset code in smbclient and libsmb now seems to work. I have been chasing a weird problem with 20+ second delays in completing writes at times, and have got to 130 GB in a file. Heading towards 350GB and later 1TB. Wouldn't anything after 4GB be redundant? No. Strange effects can happen at many different file sizes. If you do not test it, you do not know that it works. Can you give me a specific example? I've written a client and I never tested it past 5-6GB. You have me worried now :-/ Mike -- A program should be written to model the concepts of the task it performs rather than the physical world or a process because this maximizes the potential for it to be applied to tasks that are conceptually similar and, more important, to tasks that have not yet been conceived. -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: Pushing Samba functions into the kernel
On Thu, Feb 13, 2003 at 11:41:35AM -0800, Richard Sharpe wrote: : The return from the syscall would be a complete SMB, possibly with the NetBIOS header in a separate buffer, and maybe more. The entire NBT layer could be placed into the kernel. I would see, perhaps, LMB, DMB, and NBNS functionality in a daemon but the essential parts of the NBT layer are trivial (in comparison with the rest of SMB) and could definitely be isolated out. This would not impact SMB since, once the NBT Session is established, the NBT SMB packets are identical to naked TCP tranport-ed SMB packets. They can just be passed through to whatever piece handles SMB (even directly to the existing smbd, thus allowing kernelization in stages). The only issue is in any interprocess communication that Samba currently does between smbd and nmbd. I think that's isolated to LMB and DMB activity, but may be wrong there. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: Samba 3.0: vfs_netatalk.c
Paul Green wrote: Anthony Liguori [mailto:aliguor at us.ibm.com] wrote: scandir() (and it's [alpha|version]sort() brethren) is a BSD/Linux-ism and therefore isn't very portable. Since this is in a VFS module (and therefore only optional) I guess this is ok. then Herb Lewis [mailto:herb at sgi.com] found this info: IRIX: scandir, scandir64, alphasort, alphasort64 BSD: scandir, alphasort I just checked and neither scandir* nor alphasort* are in POSIX-1996 or POSIX-2001. I'm not trying to build vfs_netatalk here on VOS, but if I was, it looks like I'd be writing some code first. I don't consider these functions portable either. My vote is for sticking with functions in POSIX if at all possible. PG I have not been following this thread closely, but it occurs to me that we have tools that would make this easy to implement by hand. If I understand the docs, the goal is to create an array of pointers to directory entry structures (the latter allocated via malloc()). One catch is that there is a difference between BSD and System V implementations, but that's something that should be handle-able with ./configure. It seems to me that in either case the data could be sorted using the binary tree stuff or by qsort(). This should be fairly do-able. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: Samba 3.0: vfs_netatalk.c
On Tue, Feb 11, 2003 at 02:00:18PM -0700, Anthony Liguori wrote: One catch is that there is a difference between BSD and System V implementations, but that's something that should be handle-able with ./configure. It seems to me that in either case the data could be sorted using the binary tree stuff or by qsort(). This should be fairly do-able. On some systems, scandir() doesn't even exist. I think the only reason why there's been any discussion as to whether this is a problem is because of the fact that it's a module. I think the general sentiment has been that even modules need to be concerned about portability unless there's good reason. Thus my thinking that it might be worth writing a replacement that would be platform-independent. The only hitch, I *believe*, is that there may be differences in the dirent structure between systems, but surely this is something we've solved elsewhere. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: query
On Mon, Feb 10, 2003 at 08:14:12AM -0800, Richard Sharpe wrote: On Mon, 10 Feb 2003, ankit bhatnagar wrote: i m doing a project to develop a NAS appliance for which i need to cutomize and compress the kernel size as much as i can and then integrate samba with that can anyone help me do that and how to go about it. Ha ha ha. Great troll. :-) To expand on that very appropriate comment just a bit (for the benefit of those who might still be clueless)... There are certainly folks who are willing to be hired for a reasonable fee to work on tuning Samba for a specific commercial application. If you want to hire an expert, please say so. If you want free help for a commercial product, you probably won't get it here. We simply do not have the time. Take another approach: If you have specific technical questions, the answers to which might benefit the list members as a whole, then ask. People like answering good questions. Chris -)- PS. Commercial products vendors who use Samba in their products might consider making a contribution to the Team fund. See any Samba mirror site. -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Security registry settings.
Okay, folks. Here's where I am on security settings and their impact. The settings below are all based on NT4SP6, but similar stuff is (should be?) available for W2K and other Windows flavors. 1) MAC Signing: On the server: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters The parameter EnableSecuritySignature is used to enable and disable SMB MAC signatures. If enabled (set to one (1) instead of zero (0)), the server will sign SMB packets if the client wants to sign packets. The parameter RequireSecuritySignature is used to force SMB MAC signatures. The RequireSecuritySignature parameter has no effect unless EnableSecuritySignature is also enabled. If both are set to one (1), the server will require that the client use MAC signatures. On the client: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters Notice that the path is different (Rdr instead of LanManServer). Otherwise, this is all similar to the server, if EnableSecuritySignature is enabled then the client will perform MAC signing if the server supports or requires it. If both EnableSecuritySignature and RequireSecuritySignature are enabled, then the client must use MAC signing. The session will fail if the server does not have MAC signing enabled. (The client closes the TCP connection immediately after the server sends the NegProt Response with the SecurityMode field indicating that it doesn't support MAC signing.) There are docs which state that W/9x cannot do server-side MAC signing, but can do client-side. 2) Challenge/Response algorithm: The following KB articles are useful references: 147706, 239869. The registry variable HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\control\LSA\LMCompatibilityLevel is used to set the minimum challenge/response algorithm. On W/9x boxes the variable is LMCompatibility rather than LMCompatibilityLevel. (Why do they do things like that?) Anyway, this is an annoying variable because it does too much. There are six possible values, ranging from 0..5. They work like so: Client Domain Controller (or Server) -- - 0 Default. Client sends both LM Default. DC accepts LM, NTLM, and NTLM[v1] Response. LMv2, and NTLMv2 responses. 1 Discussion below. Discussion below. 2 Client sends the NTLMv1 responseDC accepts LM, NTLM, LMv2, in both password fields (the same and NTLMv2 responses. value twice...I've seen it, it's real). 3 The Client places the 24-byte LMv2 According to the docs, at this response into the ANSI password setting the DC still accepts field, and the longer NTLMv2LM, NTLM, LMv2, and NTLMv2. response into the Unicode password field. 4 The client sends both a 24-byte The DC does not compare any response (probably the LMv2) andresponse against the LM response the longer NTLMv2 response. NTLM, LMv2, and NTLMv2 are accepted. 5 Same as level 4.The DC does not compare against LM or NTLM. Only LMv2 and NTLMv2 are accepted. From the testing I've done, the above is pretty close to reality. The setting that bangs me on the head until my feet ache is LMCompatibilityLevel = 1. The docs say that this enables NTLMv2 Session Security, but I can't find docs on that. Abartlet tells me that it's specific to NTLMSSP. My question, at this point, is: how do the client and server know to use NTLMSSP? Digging... Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
NTLMv2 Session Security
While trying to document NTLMv2 authentication, I stumbled across something known as NTLMv2 Session Security. Does anyone know what this is? I can set HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LMCompatibilityLevel to 1 to enable NTLMv2 Session Security, but I'm not sure what it does. Some sources say that it allows the client and server to 'negotiate' the use of NTLMv2 challenge/response (how?). Other sources say that it provides message integrity and confidentiality (how?). I've played with this enough to know that enabling NTLMv2 Session Security does not enable SMB packet signing (MAC signing). There's a different set of registry variables for that. Perhaps they all interact with one another... Clues welcome. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: NTLMv2 Session Security
On Thu, Feb 06, 2003 at 09:58:17PM +, Xyster ! wrote: From my experience, read below... : Changing the registry setting either turns on or off NTLMv2. The server can guess which is being used by the client based on the blob lengths. The modes documented by MS to allow negotiation do nothing. There is no way in the NegProt or SessionSetupX to negotiate this. That's the conclusion I had reached, but I wanted to see if someone could prove me wrong. NTLMv2 does not provide integrity or confidentiality. For Integrity to happen the flags2 Security Signature bit needs to be set in the SMB header when doing a Session Setup. I'm not sure that NTLMv2 needs to be used as well. My understanding is that the SMB_FLAGS2_SECURITY_SIGNATURE bit indicates that the MAC is in in use, but that MAC signatures are negotiated using the SecurityMode field in the NEGOTIATE_PROTOCOL_RESPONSE. Confidentiality I've never seen happen. You sent to a public list, so I *hope* you didn't want confidentiality. ;) Thanks! Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: called name not present
On Wed, Feb 05, 2003 at 10:57:10AM -0800, Richard Sharpe wrote: On Wed, 5 Feb 2003, David Bear wrote: I've encountered a strange error. I have samba 2.2.7 installed on freebsd 4.7. I've run testparm on the smb.conf and don't see any errors. I can connect to a service from a windows 2k machine using standard net use commands. HOWEVER, when I try to use smbclient from another machine to view my bsd samba, I get the following error: bash-2.05a$ smbclient -L //npcenter added interface ip=129.219.120.183 bcast=129.219.120.191 nmask=255.255.255.192 session request to NPCENTER failed (Called name not present) Password: Anonymous login successful Domain=[CUI] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager] tree connect failed: NT_STATUS_DUPLICATE_NAME == Hmmm, I am not aware of any version of Samba claiming to be Windows 5.0 or Windows 2000 LAN Manager. Are you sure that you are connecting to a Samba server, and not, say, a Win2K server by some accident? Richard is being polite. :) That definitley shows that you've connected to a W2K machine. The best guess is that the name NPCENTER is in use by both machines, and that the W2K system is answering first when the query goes out (either that, or you are using WINS and the W2K system has registered that name in the NBNS database). The NT_STATUS_DUPLICATE_NAME error code seems to confirm this, but I'm not sure. A tcpdump trace showing ports 137 and 139 would help. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: nmblookup -A and MS XP Clients
Matt Pavlovich wrote: A nmblookup -A $IP against a NT 4.0 client will return the name of any logged in user. This same query against an XP Professional client does not return any user names. Has anyone seen this before? -- Matt Pavlovich [EMAIL PROTECTED] Allegiance Telecom, Inc. I assume you are getting some results, yes? XP does not register as many names as earlier version of Windows, suggesting that it doesn't know how to offer some services. If I recall correctly (I don't have XP to test against) it does not register the client#00 unique name (the client service). There are others missing as well. You can't really count on Windows to register names for all of the services. The services seem to come and go and move to other names and such. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: NBT length parameter larger than necessary in session request
Michael B. Allen wrote: Hi guys, Ever notice smbclient sends an NBT session request with an NBT length field that is 4 bytes longer than necessary? No harm, but is there a reason for this? Yes. It was a bug. The header length was being added to the total length. It didn't cause any trouble, but I fixed it (somewhere around 2.2.6, I think). I'm using 2.2.1a shipped with RH connecting to the same version of Samba over loopback. Good catch. Newer versions should not have this bug. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: SMB and message
On Thu, Jan 30, 2003 at 04:56:53AM -0800, D Jemms wrote: I am new to samba world .Hvae many questions in mind. can anyone tell me the description of SMB and message ? What is the functionality of receive_message_or_smb() If you want to know more about the internals of the SMB protocol, you'll need to do a bit of reading. See: http://ubiqx.org/cifs/References.html Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: Samba and XP
John H Terpstra wrote: : Slap! Slap! Chris, you did not mention which of the XP products your are referring to. XP Home is an entirely different product from XP Professional. So 'fess up Chris, which is it? ;) Oh, that's right. I keep forgetting that each Windows product is actually a family of products which may or may not actually be related to one another by something other than their marketing. Microsoft makes strange bedfellows. I don't have any WiXPy stuff hanging 'round so I haven't actually played with any of it. PS: I was guilty of that too I note. Double slap to me! Oh, I like that! :) I knew you would. -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: NTLMv2 Response (Only) yields Unicode password length of 78
On Tue, Jan 28, 2003 at 08:11:54PM -0700, Vance Lankhaar wrote: Check out Chris' book - http://www.ubiqx.org/cifs/SMB.html#SMB.8.5 He's got a great explanation of what we observed while looking at a few captures. Also, if you would have a capture of it of the response, I'd love to take a look at it - there's a few bytes that are still unknown. Thanks, Vance. :) I'm interested too, of course. More below... On Wed, 2003-01-29 at 19:57, Joey Collins wrote: Good evening folks, I have a WIN2K system and I am failing to authenticate to a Samba 2.2 installation, which I suspect is due to the weird length of Unicode password length in the SessionSetupAndX message. Here is my circumstance. On my W2K machine: -Run the secpol.msc management plug-in thingie. -Click Local Policies -Click Security Options -In the right pain, look for LAN Manager Authentication Level -Double click on this. -In the pull-down, set it to Send NTLMv2 response only -Commit that change. -Now, connect to the Samba machine. The ANSI password length in the SessionSetupAndX is 24, but in my case the Unicode Password Length is 78 (this is according to the latest greatest ethereal built from sources yesterday). Yes, that would be correct. The 24-byte ANSI password is, in fact, an LMv2 response. It is a simpler version of the NTLMv2 response. The NTLMv2 response is the hash of some known data and a blob of garblage. The garblage is typically around 64 bytes, give or take a few. In your case, it appears that the blob is 62 bytes. When I change the setting in LAN Manager Authentication Level back to the default, I can connect to Samba 2.2 using the same creds. We have had LMv2 code available for a while (thanks to the TNG folk) but there was little impetus to push ahead with it. Few people have asked. You're one of the few. :) I tried this on a W2K - W2K setup (not active directory) and the same trace occurs, but this time, the Unicode password length was 66 (it was a different account/password)! Makes sense. See the link Vance provided above. That'll explain it. Anyone else see this? Does anyone know how the binary response of 78 bytes is created? Lots of zeros, it does not appear to be ASN.1 It's probably not ASN.1 but, once you know what's in there (or what *might* be in there) then it will probably make you think of NDR. I would not have recognized it, but others on the Team know this stuff so well that it's second nature. Have a great night, I'll do my best. :) You too. Chridz -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Sign Seal vs. MAC signing.
The SNIA doc provides information on Message Authentication Codes (MACs). These are signatures contained in the SMB header. Are these the same as Sign and Seal or are we talking about two different basilisks altogether? Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: Sign Seal vs. MAC signing.
On Wed, Jan 29, 2003 at 11:26:16PM -0800, Richard Sharpe wrote: On Thu, 30 Jan 2003, Christopher R. Hertel wrote: The SNIA doc provides information on Message Authentication Codes (MACs). These are signatures contained in the SMB header. Are these the same as Sign and Seal or are we talking about two different basilisks altogether? TDB. Sign and seal, AFAIK, relates to the DCE-RPC headers, while MAC signing is, as you say, in the SMB header. Ahh. That does make sense. Thanks! Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: amiga suvival (fwd) - feedback to the Samba team!
The work Olaf did would probably be of interest to anyone trying to port Samba code to non-Posix platforms, particularly small platforms such as appliance systems. Chris -)- On Tue, Jan 28, 2003 at 06:24:10PM +0100, Olaf Barthel wrote: : If I manage to attend SambaXP this year and there's a guarantee that I'm not going to be persecuted for boring listeners to death, I may end up telling the whole story of how the current Samba port came together. But in brief, it worked like this: the initial Amiga Samba ports were not particularly stable, so I set about porting Samba using the most mature Amiga 'C' compiler and a wrapper to go between the Samba core code and the Amiga operating system. This worked rather well, but I hit a wall with Samba 2.2.x which could not ported in this fashion. So I had to write my own 'C' compiler runtime library which made porting possible. As a side-effect, that library also made it possible to port GCC natively to the Amiga. So now we've got Samba 2.0.7 running stable and Samba 2.2.5 looking good enough to use (it's rather bulky, though). -- Home: Olaf Barthel, Gneisenaustrasse 43, D-31275 Lehrte Net: [EMAIL PROTECTED] (Home), [EMAIL PROTECTED] (Work) -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: Auth question.
On Wed, Jan 22, 2003 at 06:14:49AM -0500, Ken Cross wrote: I'm pretty sure that Kerberos uses port 88, but that's just for authentication. Port 445 is used for connecting to shares. We've been running tests blocking ports. With ports 137 - 139 and 445 blocked for UDP and TCP, the join fails but the computer name is still entered in the AD. With just ports 137 - 139 blocked (445 enabled), the join succeeds and all client share operations seem to function correctly as long as there is no NetBIOS name resolution involved. Hope this helps. Thanks, Ken, but it's not really what I'm trying to figure out. The problem, though, is in my presentation of the question. More... On Wed, Jan 22, 2003 at 02:26:43PM +, Andrew Bartlett wrote: On Wed, Jan 22, 2003 at 12:41:34AM -0600, Christopher R. Hertel wrote: So, unless I'm totally insane, the likelihood of Kerberos auth being used over port 139 is low. Samba 3.0 listening on 139 only. This can and does happen. Firewall rules, or anything else that makes the 445 connect fail. I would not attempt to draw this genralisation in a published work ;-) What I am trying to do is understand the relationship between the different authentication types and the different transports. It's not the ports, per. se., that I'm interested in (139 vs. 445), but the relationship between the different implementations and the different auth types. From a Windows perspective, Kerberos Auth is tied in with Active Directory. I suspect, then, that only W2K and WXP.pro can cope with Kerberos auth. I would also suspect that other Windows systems can't. (I don't know about /Me or /XP.home). XP.pro and W2K are also the only Windows systems of which I'm aware that can do SMB over naked TCP transport on port 445. So, from a simple perspective, there is a relationship between SMB over naked TCP and Kerberos Auth. That relationship is that the Windows systems that can handle the former can handle the latter. Anyway, I'm just trying to gain a better sense of that relationship and its limits. This helps. Thanks! Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Auth question.
I *think* it's a rule that Kerberos authentication is always used with SMB over TCP (port 445) and that Kerberos is *not* used with SMB over NBT (port 139). Am I wrong? Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: Auth question.
On Wed, Jan 22, 2003 at 05:30:45AM +, Andrew Bartlett wrote: On Tue, Jan 21, 2003 at 09:13:38PM -0600, Christopher R. Hertel wrote: I *think* it's a rule that Kerberos authentication is always used with SMB over TCP (port 445) and that Kerberos is *not* used with SMB over NBT (port 139). Am I wrong? I think you are wrong. As far as I know there is no per-port stuff. Quite possibly. That's why I asked. :) ...but which clients would actually do this, and under what conditions? Of the Windows clients and servers, only W2K and XP-pro know how to work with Kerberos (does /Me handled Kerberos auth?). I *imagine* that those systems use port 445 instead of 139 whenever they can. If both client and server know how to handle Kerberos then they likely also know how to use port 445. So, unless I'm totally insane, the likelihood of Kerberos auth being used over port 139 is low. Totally Insane -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: CVS update: samba/source/nsswitch
On Thu, Jan 16, 2003 at 12:50:57PM +1100, Martin Pool wrote: On 16 Jan 2003, Andrew Bartlett [EMAIL PROTECTED] wrote: Win2k has a bug (feature?) where there is a connection reset if there is a second connection from the SAME IP, before the first session-setup. So an unprivileged process on the client can cause a local denial of service just by repeatedly half-opening connections? Yes. Early versions of jCIFS did this, in fact. I was testing it at the CIFS conference one year and every time jCIFS reconnected the client would lose all of the smbclient connections that it had. Tridge kindly explained it to me. :) This behavior is actually written up in the SNIA doc and, I think, the Leach/Naik draft. Normally it doesn't impact Microsoft clients, but there is a hotfix for it, since it causes all sorts of trouble for clients on the far side of a NAT. Both races need to be protected be separate mutexes. The first should be protected in as generic a manner as possible, due to the fact that it is *any* connection from the IP. Can the connection function be called by a nonprivileged process (say rpcclient or smbclient) on the unix machine? Is so we either need to put the mutex somewhere world-writeable (gross) or just be willing to take our chances without it. There are several SMB clients out there now days. There's jCIFS, the FreeBSD SMB filesystem, and a few others. I don't think that there really is a fix for this problem. Not on the client side, anyway. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Building a custom auth back-end.
Abartlet, et. al., I've been asked to check on something. I haven't been working with this aspect of the authentication code in Samba so I need a little guidance. Question: How hard is it, if we're *not* using PAM, to build a custom authentication back-end for Samba? The reason that we (the University, where I work) are not using PAM is that there are a lot of servers out there on all sorts of platforms. Some use PAM, some don't. A general solution would need to work without. The authentication database is a big central system. It can do RADIUS and LDAP and a few other schemes, but RADIUS is preferred. It already stores NTLMv1 hashes. To give you an idea of scale (and why this is an interesting project), the central database has on the order of 130,000 user entries. We're a big shop, in some ways, a lot of little shops in others. Anyway, the goal is to let Windows users connect to Samba servers, authenticating against the central database. I think it should be easy to do, if we have the hooks to do it. I think I remember someone saying we have such hooks. As you know, my head has been burried in my book so I'm a little lost with regard to such things. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Of interest: PDA Samba
About a year back I mentioned that Samba had been ported to the Sharp Zaurus Palmtop. It seems it's now part of the official build: http://www.dynamism.com/zaurus/index.shtml Scan down to the heading Synchronization. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: smbclient -M sends NetBIOS session service header to port 445
Steve, SMB messages sent via NBT or via naked TCP both have a four-byte header at the top. Under NBT this is the NetBIOS Session Service header, and it should have one byte of zero (indicating it's a Session Message) followed by 7-bits of zero (an unused flags field) followed by 17-bits of message size (some folks think of the flags field being an 8-bit field with the lowest bit meaning add 0x1 to the length field.) Anyway, Microsoft carried that header over to SMB over naked TCP so, yes, it's always there. It's a throw-back to NBT, but on port 445 it's just used as a 17-bit length field. Some folks say it's read as a 24-bit length... Gotta love this stuff, eh? As for smbclient, there are a number of things that can only really be done via port 139. The Messenger Service is one such, because it is bound to NetBIOS (though there is an alternate version that uses MS-RPC...but I haven't dug into that yet so all I know is that it uses port 135 somehow). The NetServerEnum2 calls also don't work on port 445. That's logical, because these are generally used to list workgroups and servers within a workgroup, both of which are NetBIOS concepts that don't exist on port 445. (Would be nice if they listed Active Directory info.) There is a problem that I have not had time to address, which is that newer versions of smbclient (HEAD, for example) default to trying to use port 445 first (which makes sense because it's much quicker in some cases to recover and try 139 if 445 fails then doing things the other way 'round). The problem is that if smbclient succeeds in connecting to 445 then it will try sending the NetServerEnum2 queries on that port, and Windows will send back either an error message or empty results (can't remember which off hand). So, smbclient should default to using port 139 for the NetServerEnum2 calls (-L option) unless -p is actually specified. Basically, the same problem as -M. In your example, though, you specify both -M and -p. Personally, I think that in this case smbclient is doing the right thing. If I enter 'smbclient -M server -p 10973', then I would expect smbclient to try sending the message to that port. The defaults should be 'best normal behavior' but smbclient is much more useful if I can bend it to my will. :) Chris -)- On Mon, Jan 06, 2003 at 09:17:35AM -0600, Steve Langasek wrote: If Samba is configured to try port 445 first, the 'smbclient -M' command can't send messages to Win2K machines: $ smbclient -M server -p 445 added interface ip=192.168.8.5 bcast=192.168.8.255 nmask=255.255.255.0 Got a positive name query response from 192.168.8.10 ( 192.168.8.10 ) read_socket_with_timeout: timeout read. read error = Connection reset by peer. message start: Read error: Connection reset by peer Ethereal shows that the packets sent by Samba include a 'Netbios Session Service' header. Is this the cause of the failure, or is the Windows messaging service inextricably bound to NetBIOS? In the former case, where would I look in the code to remove the NetBIOS header from the packet? -- Steve Langasek postmodern programmer -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: smbclient -M sends NetBIOS session service header to port 445
Steve, That would be great. Please also look at the -L option too, as that should default to 139 as well. (Sort of... it's not necessary for listing shares.) The -p option should override the defaults in any case, though. There are folks who use port-redirection (for SSH links to the server, etc.). They'd want -p to be authoritative, rather than just explicit. :) Thanks! Chris -)- On Mon, Jan 06, 2003 at 11:33:40AM -0600, Steve Langasek wrote: On Mon, Jan 06, 2003 at 11:08:32AM -0600, Christopher R. Hertel wrote: So, smbclient should default to using port 139 for the NetServerEnum2 calls (-L option) unless -p is actually specified. Basically, the same problem as -M. Ok, that was the same conclusion I arrived at. I'll put together a patch to make 'smbclient -M' force a connection to port 139. In your example, though, you specify both -M and -p. Personally, I think that in this case smbclient is doing the right thing. If I enter 'smbclient -M server -p 10973', then I would expect smbclient to try sending the message to that port. The defaults should be 'best normal behavior' but smbclient is much more useful if I can bend it to my will. Well, the -p option was added only for the purpose of being explicit. In 3.0, port 445 is currently the default port for *all* operations, including smbclient -M. So the code does need to change if -M needs port 139. -- Steve Langasek postmodern programmer -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: smbclient -M sends NetBIOS session service header to port 445
On Mon, Jan 06, 2003 at 02:23:13PM -0600, Steve Langasek wrote: On Mon, Jan 06, 2003 at 11:51:24AM -0600, Christopher R. Hertel wrote: That would be great. Please also look at the -L option too, as that should default to 139 as well. (Sort of... it's not necessary for listing shares.) Ok. I'll add that to my queue behind getting libsmbclient to use the RPC call for share enumeration instead of the RAP call. :) Oooh... That will be nice. It does need to do both, though, to handle older machines. Sigh. The -p option should override the defaults in any case, though. There are folks who use port-redirection (for SSH links to the server, etc.). They'd want -p to be authoritative, rather than just explicit. :) Done. See attached. -- Steve Langasek postmodern programmer diff -ur samba-3.0alpha21.orig/source/client/client.c samba-3.0alpha21/source/client/client.c --- samba-3.0alpha21.orig/source/client/client.c 2002-11-26 20:54:18.0 -0600 +++ samba-3.0alpha21/source/client/client.c 2003-01-06 14:08:54.0 -0600 @@ -2995,6 +2995,12 @@ } } + /* If -M is specified and -p is not, make sure we use port 139 +instead of port 445. srl */ + if (message port == 0) { + port = 139; + } + init_names(); if(*new_name_resolve_order) Piece of cake. Very nice! If no one else grabs it I'll try to get to it today. ...after I finish writhing up NTLMv2. :) Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: smbclient -L can't see shares with spaces in the name
On Sat, Dec 21, 2002 at 09:29:04PM -0600, Steve Langasek wrote: On Sat, Dec 21, 2002 at 08:40:45PM -0600, Christopher R. Hertel wrote: Note also that none of the calls appear to work properly on port 445. If the call is made on 445 a Windows server will respond, but the response will be empty. Listing of NBT workgroups, servers, and shares must be done on port 139, it seems. I am not sure whether this is true of the newer NetrShareEnum call. ^ rpcclient -d 3 -S server -W domain -U administrator -c 'netshareenum 1' lp_load: refreshing parameters Initialising global parameters params.c:pm_process() - Processing configuration file /etc/samba/smb.conf Processing section [global] added interface ip=192.168.3.2 bcast=192.168.3.3 nmask=255.255.255.254 resolve_lmhosts: Attempting lmhosts lookup for name server0x20 resolve_hosts: Attempting host lookup for name server0x20 Password: Connecting to host=server share=IPC$ Connecting to 192.168.3.1 at port 445 ^^^ Doing spnego session setup (blob length=118) got OID=1 2 840 48018 1 2 2 got OID=1 2 840 113554 1 2 2 got OID=1 2 840 113554 1 2 2 3 got OID=1 3 6 1 4 1 311 2 2 10 got principal=server$@DOMAIN.FQDN.COM lsa_io_sec_qos: length c does not match size 8 netname: IPC$ remark: Remote IPC snip list of remaining shares Looks like this call works fine on port 445. Interesting. Try the older RAP calls, though. They do work on both ports but don't return any information if the call is made via port 445. At least, that's true of the NetShareEnum2 calls for the workgroup and server lists. I assume the above was against a W2K server, yes? Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: CVS update: samba/source/nmbd
On Thu, Dec 19, 2002 at 05:14:40PM -0500, [EMAIL PROTECTED] wrote: Date: Thu Dec 19 22:14:40 2002 Author: jra Update of /data/cvs/samba/source/nmbd In directory dp.samba.org:/tmp/cvs-serv29717/nmbd Modified Files: Tag: SAMBA_3_0 nmbd_namequery.c Log Message: Protect nmbd against malformed reply packets. Some reports on the lists showing these. Jeremy. Just curious... Are these the malformed replies from the W2K WINS server? Mike Allen (jCIFS) noted these as well. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Can't get 'net' to access AD server.
I'm doing something stupid and need to be hit with a cluebat. I'm trying to use the 'net' command to access an AD server. I'm getting this error: ADS support not compiled in ...but I ran configure with the --with-ads directive just to be sure. Has anyone run across this? Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: something's wrong with CVS server
Mirror updates are also down. On Sun, Dec 15, 2002 at 09:32:26PM +0100, Rafal Szczesniak wrote: Does anyone know what happened to CVS server ? Neither cvs tree update nor browsing links on samba-cvs work. All started yesterday or day before (more-less). -- cheers, ++ |Rafal 'Mimir' Szczesniak [EMAIL PROTECTED] | |*BSD, GNU/Linux and Samba / |__/ -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Head/2.2 differences in browse list retrieval.
Is anyone else seeing this? I was fiddling with something and noticed that smbclient from 2.2 is able to list servers and workgroups from a W2K box, but the smbclient version in HEAD cannot. It seems that the HEAD version is sending the NetShareEnum, NetServerEnum2( Servers ) and NetServerEnum2( Workgroups ) requests to the W2K box on port 445. W2K is responding with empty records, status 2 (unknown status). W2K seems perfectly happy to report servers and workgroups if the queries are sent to port 139 instead of 445. I am curious about this. It makes sense that NBT workgroups and servers would not be listed if I connect to port 445, since the two represent different transports and servers workgroups available via NBT might not be available via naked TCP using port 445. The next question is this: In an Active Directory environment, do the NetServerEnum2 calls list W2K domains and servers that register with AD? If so, how? What gets listed? I don't have an AD environment to test against. I have a capture if anyone wants to see it. Here's the output: $ samba.head/source/bin/smbclient -N -L wiggly -I 192.168.101.51 added interface ip=192.168.101.21 bcast=192.168.101.255 nmask=255.255.255.0 Doing spnego session setup (blob length=16) Anonymous login successful Domain=[UBIQX] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager] Sharename Type Comment - --- Error returning browse list: NT_STATUS_ACCESS_DENIED Server Comment ---- WorkgroupMaster ---- $ samba.2.2/source/bin/smbclient -N -L wiggly -I 192.168.101.51 added interface ip=192.168.101.21 bcast=192.168.101.255 nmask=255.255.255.0 Anonymous login successful Domain=[UBIQX] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager] Sharename Type Comment - --- Error returning browse list: NT_STATUS_ACCESS_DENIED Server Comment ---- DUPLODuplo Debian/GNU Linux FAVOGSamba 2.2.3a OMEGADangerous... WIGGLY ZATHRAS Business Computer WorkgroupMaster ---- UBIQXFAVOG Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: Need clue regarding CAP_NT_FIND.
That helps. Thanks! I wonder why that never made it into the doc... Chris -)- On Sat, Nov 30, 2002 at 07:36:56PM -0500, Green, Paul wrote: Christopher R. Hertel [mailto:[EMAIL PROTECTED]] asked: There doesn't seem to be any documentation regarding the CAP_NT_FIND capability bit. Where might I look for clues? I've checked the Leach/Naik IETF drafts and the SNIA doc. Chris -)- Google found this document, which seems to give a clue. I have no idea whether it is accurate: http://samba.cadcamlab.org/lists/samba-technical/Feb2000/00310.html PG -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: Browsing
On Tue, Nov 26, 2002 at 10:03:08AM -0600, Steve Langasek wrote: : It's far better to use the defaults for all of these values, particularly since Win9x wets itself when it's left in charge of a subnet as the LMB. (He probably is using non-default values for at least one of the above options, if Samba is interfering with the NT domain.) I'd love to get some hard data on this. Does anyone have a description of what happens so I can reproduce it and get some traces? Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: Browsing
On Tue, Nov 26, 2002 at 12:56:14PM -0600, Steve Langasek wrote: : Win9x servers are able to successfully collate browse lists for the local segment when acting as the LMB. However, they do not sync their browse list with the DMB, so a segment which has a Win9x machine as LMB can't participate in cross-subnet browsing. That's what I wanted to know. If your Samba machine is on the same segment as your DMB, it's not a big deal to tell it to never be an LMB -- the only time it would need to be the LMB is when all other NT servers, including the DMB, are off-line, so syncing becomes a non-issue. Even so, random twiddling of Samba defaults is not the best way to fix a problem, and is more likely to cause issues down the line. If your Samba machine is on the same segment as your DMB, it should lose the LMB election, if it's not misconfigured. The DMB should always win the election on the local subnet. If the DMB is on a separate subnet, then I would personally prefer to have Samba as the LMB on its own subnet. I trust it more. Random twiddling of Samba config parameters is never a good idea. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
[Samba] Re: Bug ?
Well, you could start by running Samba V2.2.7, which is the current production release. 2.0.7 is quite old now. Please do not cross-post to the samba-technical and [EMAIL PROTECTED] lists. These lists have separate purposes. The [EMAIL PROTECTED] list is for community support, questions, answers, discussions about desired improvements, etc. The samba-technical list is for developer technical discussions; protocols, code details, etc.. It is very, very rare that a message belongs on both lists. Yours is clearly a question for the [EMAIL PROTECTED] list. Chris -)- On Fri, Nov 22, 2002 at 02:22:03PM -, Goncalo Ramos wrote: Hi I'm using samba 2.0.7, on Solaris 8. I'm having problems with samba. On the log file under /usr/local/samba/var/log.pcname, I have the following error: [2002/11/22 14:15:12, 0] smbd/files.c:file_new(85) ERROR! Out of file structures [2002/11/22 14:15:12, 0] smbd/files.c:file_new(85) ERROR! Out of file structures [2002/11/22 14:15:12, 0] smbd/files.c:file_new(85) ERROR! Out of file structures [2002/11/22 14:15:12, 0] smbd/files.c:file_new(85) ERROR! Out of file structures To resolve this immediately, I normally kill smbd process, with pkill -9 smbd. Do you have any patches to correct this problem ? PS: I need an urgently answer Gonçalo ___ Gonçalo Mendes Ramos Unix System Administrator IT Department NEC Portugal S.A. Direcção Geral de Desenvolvimento Avenida Dr. Mario Sacramento, n. 177 3810-106 AVEIRO PORTUGAL Phone: (+351) 234 372 075 Mobile: (+351) 914 644 883 Fax:(+351) 234 372 021 E-mail: [EMAIL PROTECTED] Web:http://www.nec.pt -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: netibios name len
On Fri, Nov 22, 2002 at 04:08:07AM +1030, Richard Sharpe wrote: On Thu, 21 Nov 2002, Christopher R. Hertel wrote: On Thu, Nov 21, 2002 at 03:17:05PM +0100, Paolo Abeni wrote: hi there, I had some troubles while configuring a samba printer. The host component of the netbios resource name was longer than 15 bytes and my smbclient (version 2.2.5) truncates the netbois host name at that length. NetBIOS names are 16 bytes maximum, and Microsoft reserves the 16th byte for special use. Hmmm, this makes it sound like Microsoft has some sort of evil intentions :-) When IBM (Barry Feigenbaum) designed the protocol back in '84, the 16th byte was reserved as a type byte then. Some notes on this: - I know that Barry Feigenbaum developed the SMB (originally BAF) protocol. I had not heard that he was also responsible for NetBIOS (though it certainly seems plausible). - I have found contradictory information regarding IBM's use of the 16th byte. Some sources show no indication that it was 'reserved', others (mostly secondary sources) say that it was. - The RFCs, published in 1987, make no mention of the 16th byte being reserved. - The suffix byte value used to indicate the SMB Server Service is 20. That's a space--the *same* character used as padding. So, a name padded to 16 bytes would be the same as a name padded to 15 bytes with a type byte of 20. - To my knowledge, the vast majority (though clearly not all) of the defined NetBIOS suffix byte values in use today are Microsoft's fault. It could be, however, that those are the only documented ones. - As to Microsoft having evil intentions, I think that's just well-earned paranoia on your part. :) :) :) Thus my statement that Microsoft reserves the 16th byte. At present, they're in charge. The evidence I have available to me is unclear regarding the status of that byte back in the early 80's, but in my book I've written that it was likely a practice initiated by IBM. Captain Pedantic -)- ;) -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: multiple wins server
Preliminary support was introduced for the 2.2 series but was not completed. That was my fault really. The system worked, but there was an incompatibility with some existing code within nmbd and I did not resolve the problem so the failover code was never enabled. Tridge came up with a better design, which should be made available in 3.0. Chris -)- On Wed, Nov 20, 2002 at 09:08:41PM +, lin li wrote: Does samba support using multiple wins server? In my situation (I use 2.2.5), nmbd timeout all the time connecting to the first wins server(which is down) and never try the second one. Thanks, Lin _ STOP MORE SPAM with the new MSN 8 and get 2 months FREE* http://join.msn.com/?page=features/junkmail -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: NULL sessions - Listing shares anonymously - restrict anonymous
Yannick Mercier wrote: : Unfortunately, Ill have to back out to samba 2.2 because I'm using this samba server as a PDC also, and when I logon with my WinXP workstation, the PC reboots during Loading desktop settings I guess its a bug in the alpha version of samba If the XP system reboots then there's a bug in XP. The fact that the alpha version of Samba excersizes the XP bug is something we will want to fix, but XP shouldn't be rebooting on error. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]