Re: mac mini build broken was Re: [SCM] Samba Shared Repository - branch master updated

2010-12-02 Thread Love Hörnquist Åstrand
Matthieu,

SLIST_ENTRY should be defined by mechqueue.h or sys/queue.h; without cpp 
output it is hard to determine what went wrong.

Love


2 Dec 2010 at 03:45, Matthieu Patou wrote:

 Hi Andrews,
 
 I highly suspect the new import of heimdal to be the root cause of the 
 breakage on mac mini; can one of you look at it?
 
 Thanks.
 
 Matthieu.
 On 01/12/2010 09:49, Andrew Tridgell wrote:
 The branch, master has been updated
via  b7172e7 s4-drs: cope with invalid NTDS DNs from DsReplicaInfo()
via  00ecbdb wintest: cope with w2k3 form of dcdiag output
via  06fd5b7 wintest Move stopping of BIND into a new step
via  c5bea98 s4:heimdal: import lorikeet-heimdal-201012010201 (commit 
 81fe27bcc0148d410ca4617f8759b9df1a5e935c)
   from  9c84f98 wintest: make command matching case insensitive by 
 default
 
 http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
 
 
 - Log -
 commit b7172e7a71b152be687fe5045565c8cd99a73a18
 Author: Andrew Tridgell <tri...@samba.org>
 Date:   Wed Dec 1 16:40:17 2010 +1100
 
 s4-drs: cope with invalid NTDS DNs from DsReplicaInfo()
 
 w2k3 sometimes returns a deleted DN
 
 Autobuild-User: Andrew Tridgell <tri...@samba.org>
 Autobuild-Date: Wed Dec  1 07:48:19 CET 2010 on sn-devel-104
 
 commit 00ecbdbbd13ba191400c6f4185df2dd8e72d1459
 Author: Andrew Tridgell <tri...@samba.org>
 Date:   Wed Dec 1 16:34:16 2010 +1100
 
 wintest: cope with w2k3 form of dcdiag output
 
 commit 06fd5b70037728800cfeb2d1989ad8e851f604df
 Author: Andrew Bartlett <abart...@samba.org>
 Date:   Wed Dec 1 15:34:19 2010 +1100
 
 wintest Move stopping of BIND into a new step
 
 We must run this early, to ensure that BIND isn't alive to write to
 the zone file after provision has cleaned it up.
 
 Andrew Bartlett
 
 commit c5bea98ddb2f7967df572160f639da3cba381a87
 Author: Andrew Bartlett <abart...@samba.org>
 Date:   Mon Nov 29 11:24:08 2010 +1100
 
 s4:heimdal: import lorikeet-heimdal-201012010201 (commit 
 81fe27bcc0148d410ca4617f8759b9df1a5e935c)
 
 ---
 
 Summary of changes:
  source4/heimdal/base/baselocl.h   |   52 +-
  source4/heimdal/base/heimbase.c   |   15 +-
  source4/heimdal/cf/make-proto.pl  |1 +
  source4/heimdal/kdc/default_config.c  |3 +-
  source4/heimdal/kdc/kaserver.c|  955 
 
  source4/heimdal/kdc/misc.c|   21 +-
  source4/heimdal/kdc/process.c |   77 --
  source4/heimdal/kuser/kinit.c |   14 +-
  source4/heimdal/kuser/kuser_locl.h|3 +
  source4/heimdal/lib/asn1/asn1parse.c  |  724 +
  source4/heimdal/lib/asn1/asn1parse.y  |4 +
  source4/heimdal/lib/asn1/gen_template.c   |4 +-
  source4/heimdal/lib/com_err/com_err.h |   20 -
  source4/heimdal/lib/com_err/com_right.h   |   35 +-
  source4/heimdal/lib/com_err/error.c   |8 +-
  source4/heimdal/lib/com_err/lex.c |   83 +--
  source4/heimdal/lib/com_err/lex.h |2 +-
  source4/heimdal/lib/com_err/lex.l |5 +-
  source4/heimdal/lib/com_err/parse.c   |  265 ---
  source4/heimdal/lib/com_err/parse.y   |5 +-
  source4/heimdal/lib/gssapi/gssapi/gssapi.h|   85 ++-
  source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h   |   73 --
  source4/heimdal/lib/gssapi/gssapi/gssapi_oid.h|  231 +
  source4/heimdal/lib/gssapi/gssapi_mech.h  |   80 ++-
  source4/heimdal/lib/gssapi/krb5/acquire_cred.c|   14 +-
  source4/heimdal/lib/gssapi/krb5/external.c|  238 +++---
  source4/heimdal/lib/gssapi/krb5/set_cred_option.c |9 -
  source4/heimdal/lib/gssapi/mech/gss_mech_switch.c |2 +-
  source4/heimdal/lib/gssapi/mech/gss_mo.c  |  464 ++
  source4/heimdal/lib/gssapi/mech/gss_oid.c |  253 ++
  source4/heimdal/lib/gssapi/mech/gss_oid_equal.c   |2 +-
  source4/heimdal/lib/gssapi/mech/gss_oid_to_str.c  |   31 +
  source4/heimdal/lib/gssapi/mech/gss_wrap.c|   15 +
  source4/heimdal/lib/gssapi/mech/mech_locl.h   |   15 +-
  source4/heimdal/lib/gssapi/spnego/external.c  |   49 +-
  source4/heimdal/lib/hcrypto/rsa-ltm.c |3 +-
  source4/heimdal/lib/hcrypto/validate.c|1 -
  source4/heimdal/lib/hdb/db.c  |2 +-
  source4/heimdal/lib/hdb/hdb-keytab.c  |   10 +-
  source4/heimdal/lib/hdb/hdb.c |2 +-
  source4/heimdal/lib/hdb/hdb.h |   22 +-
  source4/heimdal/lib/hdb/keytab.c  |   15 +-
  source4/heimdal/lib/hdb/ndbm.c|2 +-
  source4/heimdal/lib/hx509/sel-gram.c  |  248 ---
  source4

Re: [Samba] Broken support for Smart Card Logon in Windows 2003 and XP

2010-10-21 Thread Love Hörnquist Åstrand

17 Oct 2010 at 20:31, Николай Домуховский wrote:

 2010/10/7 Love Hörnquist Åstrand l...@kth.se:
 
 6 Oct 2010 at 02:49, Michael Wood wrote:
 
 hx509_cms_create_signed function and
 
 make sigctx.cmsidflag always equal CMS_ID_NAME)
 
 I think this failed because you are looking at enveloped data and not signed
 data. Try patching fill_CMSIdentifier() in hx509_cms_envelope_1() instead.
 Love
 
 
 Thanks, Love.
 I've tried patching hx509_cms_envelope_1() but it didn't help.
 But now, I think, I've found the real issue:
 XP box includes in KRB5_AS_REQ only one supported digest algorithm:
 md5withRSAEncryption (1.2.840.113549.1.1.4) (and this is the only
 supported algorithm for XP, 2000 and 2003 - this is written in section
 2.2 of MS-PKCA).
 But response from Samba (I found a way to decrypt it!!!) contains
 digital signature made with sha512WithRSAEncryption (in fact it is
 rather hard to understand openssl asn1parse output, but the fact is that
 there is no md5withRSAEncryption signature). So it looks like some bug
 in Heimdal code - I will investigate it further and try to locate
 exact place, where wrong signature is formed, but maybe you already know
 the answer...
 
 
 P.S. If you need I can send traffic capture files and decrypted KDC
 answers (both from Windows DC and from Samba).


You can probably change the code in kdc/pkinit.c around 870 that sets up the 
supported cms types it will use,

if you use hx509_signature_rsa_with_md5() and hx509_signature_md5() instead of 
SHA1 it might work for you.

Love


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Broken support for Smart Card Logon in Windows 2003 and XP

2010-10-18 Thread Love Hörnquist Åstrand

6 Oct 2010 at 02:49, Michael Wood wrote:

 hx509_cms_create_signed function and
 make sigctx.cmsidflag always equal CMS_ID_NAME)

I think this failed because you are looking at enveloped data and not signed 
data. Try patching fill_CMSIdentifier() in hx509_cms_envelope_1() instead.

Love



Re: svn commit: lorikeet r583 - in trunk/heimdal/lib/hdb: .

2006-10-20 Thread Love Hörnquist Åstrand

+ret = (*db-hdb_fetch)(context, db, principal,
+  HDB_F_DECRYPT||
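
Review bot: on the `HDB_F_DECRYPT||` line, `||` is the logical OR operator, so the flags argument passed to `hdb_fetch` evaluates to 0 or 1 instead of the union of the flag bits. If the intent is to combine `HDB_F_DECRYPT` with the flag that follows (cut off in this quote), use the bitwise `|`.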


is that really correct using '||'?


No, that's correct, it's wrong :)

Love




[Samba] Remote Downlevel Document Hangs in XP Pro Print Queue

2005-03-23 Thread Flash Love
I used SAMBA, CUPS, hplip, and linuxprinting.org documentation to make all 
configuration changes necessary to successfully print from FC3 print server 
using samba-3.0.10-1.fc3 for a HP PSC 1350 SAMBA Windows share on a XPPro SP2 
PC. 

I created the FC3 print queue using the CUPS web interface-Device=Windows
Printer via 
SAMBA-URI=smb/DOMAIN/HOST/Sharename-Mode/Driver=raw-Model/Driver=raw. 

Under CUPS only configuration, when testing, the test file enters the XP print 
queue as remote downlevel document, the printer goes into maintenance mode 
and the print queue hangs while displaying refreshing intermittently. The 
only way to clear the document is to turn the printer off and reboot the 
XPPro PC.

Under CUPS+HPLIP configuration using 
Mode/Driver=HP-Model/Driver=HP_DeskJet3320 and 
URI=hp:/net/deskjet_3320?ip=XP Host IP address or URI=socket://XP Host:9100 
the system complains Open device failed.

How do I resolve the SAMBA Window Share printing problem?

Flash


Re: Compiler warning with heimdal-0.5.1

2003-03-03 Thread Love
[EMAIL PROTECTED] writes:

 Anybody else seen this ?

 This is brokenness in the Heimdal header files, not in Samba.
 The Heimdal developers need to compile with more warnings set
 in gcc.

What more than 

-Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast
-Wmissing-declarations -Wnested-externs

?

It's a mistake to make it `open'; it originates from RFC2744 and was copied
verbatim from the spec. I'll make sure it gets fixed in the next release of
heimdal.

Love


Re: auto-detecting krb versions for build

2003-03-01 Thread Love
Jim McDonough [EMAIL PROTECTED] writes:

 As some of you may have noticed, the UL builds on the farm don't work.  The
 culprit is the pre- 0.5 heimdal that is installed, as it doesn't have
 AP_OPTS_USE_SUBKEY, which is needed to do password changes.  Unless someone
 knows how to accomplish password changes to a win KDC without it, we need
 to be able to detect the package and release of kerberos installed.
 Heimdal before 0.5 doesn't have it.  I'm not sure how far you have to go
 back in MIT to not find it.

Heimdal before 0.5 didn't have AP_OPTS_USE_SUBKEY, however I think it
always generated and used a subkey anyway, so defining it to 0 should make
it work.

 krb5-config takes a --version option and prints something like:
 heimdal 0.4d
 $Id: krb5-config.in,v 1.8 2001/01/29 06:56:51 assar Exp $

 or in the case of MIT:
 Kerberos 5 release 0.0.0

 Yes, 0.0.0, but I'm using a dev version.   In any case, I'd like to take
 that output, and if it has heimdal, make a decision based on the
 number...since I'm not a wiz (more like a whiz) at these sorts of string
 cutting/comparing in shells...anyone want to tell me how to do it?

`expr expr1 : expr2` or case statement is usually what I use.

Love
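
The version check asked about above, written with the `expr` and `case` forms suggested in the reply. This is an added example, not code from the thread or from Samba's build scripts; the function names and the use of CPPFLAGS are assumptions, and sample strings other than the two quoted in the thread are constructed.

```shell
#!/bin/sh
# Added example: classify `krb5-config --version` output for a build check.
# Function names and the CPPFLAGS handling are assumptions of this example.

# Prints: heimdal-pre-0.5 | heimdal | mit | unknown
krb5_flavour() {
    # Heimdal prints an RCS $Id$ line after the version; keep line 1 only.
    first=$(printf '%s\n' "$1" | sed -n '1p')
    case "$first" in
    heimdal\ *)
        ver=${first#heimdal }
        # expr exits 1 when the match is empty or "0" (Heimdal's major
        # version is 0), so "|| true" keeps this safe under `set -e`.
        # The X prefix stops expr from reading the value as an operator.
        major=$(expr "X$ver" : 'X\([0-9][0-9]*\)\.') || true
        minor=$(expr "X$ver" : 'X[0-9][0-9]*\.\([0-9][0-9]*\)') || true
        if [ -z "$major" ] || [ -z "$minor" ]; then
            echo unknown
        elif [ "$major" -eq 0 ] && [ "$minor" -lt 5 ]; then
            echo heimdal-pre-0.5
        else
            echo heimdal
        fi ;;
    Kerberos\ 5\ release\ *) echo mit ;;
    *) echo unknown ;;
    esac
}

# Per the reply above: pre-0.5 Heimdal lacks AP_OPTS_USE_SUBKEY, and
# defining it to 0 is the suggested workaround.
subkey_cppflag() {
    case "$(krb5_flavour "$1")" in
    heimdal-pre-0.5) echo "-DAP_OPTS_USE_SUBKEY=0" ;;
    *) echo "" ;;
    esac
}

# Constructed samples; the first two are the outputs quoted in the thread.
for sample in "heimdal 0.4d" "Kerberos 5 release 0.0.0" "heimdal 0.5.1"; do
    printf '%-26s -> %s\n' "$sample" "$(krb5_flavour "$sample")"
done
# Real use: CPPFLAGS="$CPPFLAGS $(subkey_cppflag "$(krb5-config --version)")"
```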


Re: samba + w2k + kerberos + trusted realm

2003-03-01 Thread Love
Luke Howard [EMAIL PROTECTED] writes:

What is it that limits samba to root? When I use samba with afs, being root
will certainly not help samba access files; what else does samba need?

 SAMBA does need to bind to privileged ports.

Ok, sure. Now concentrate on the other issues :)

It's not as simple as my patch, since samba breaks itself after a couple
of hours and the key seems to change. Dunno what key, if it's the in memory
key or the key in the (ad/kdc) database.

Love


Re: Samba as a gateway to OpenAFS

2002-05-29 Thread Love

Andrew Bartlett [EMAIL PROTECTED] writes:

 1. Get rid of AFS's need for plaintext passwords.
[]
  Ah, of course credential forwarding/proxying would be a requirement for
  making this work without giving the gateway special privileges; I'd
  completely overlooked that.  I'm afraid I don't know the answer, though.
  Perhaps someone currently doing Samba 3.0 work has run into this and can
  say?
 
 I see no reason why this would not be possible.  We would need to do a
 little bit of work on the smbd side of things, but credential forwarding
 is pretty standard.  This assumes either a AD domain, or Samba modified
 to correctly function with krb5 but without AD (which also implies
 windows clients joined to such a domain).

So, so how do you tell the client to forward creds to the fileserver, and
can you choose what creds you want to forward?
 
Love




Re: Samba as a gateway to OpenAFS

2002-05-29 Thread Love

Andrew Bartlett [EMAIL PROTECTED] writes:
   I see no reason why this would not be possible.  We would need to do a
   little bit of work on the smbd side of things, but credential forwarding
   is pretty standard.  This assumes either a AD domain, or Samba modified
   to correctly function with krb5 but without AD (which also implies
   windows clients joined to such a domain).
  
  So, so how do you tell the client to forward creds to the fileserver, and
  can you choose what creds you want to forward?
 
 This assumes krb5, where this is all quite standard.  

Sure, but the question is if there is any provision made for this within
SMB/CIFS? Doing it out of band makes it quite a lot harder, since all the
(smb) clients need to have a program that forwards their creds to the
server.

Love




Re: Samba as a gateway to OpenAFS

2002-05-28 Thread Love

Steve Langasek [EMAIL PROTECTED] writes:

  To re-phrase, I am trying to:
 
  1. Get rid of AFS's need for plaintext passwords.
  2. Establish a registration mechanism for new samba users and those that
 change their passwords.
  3. Turn on encrypted password support.
 
  The patches that will give you AFS support with plaintext turned on can be
  found at www.ualberta.ca/~sholstea
 
  The routines that will allow me to turn on encrypted password support for
  AFS users are still under development.
 
 Unfortunately, my interest in this is strictly academic, since my
 current employer doesn't use AFS and won't any time soon, either.
 Nevertheless, I'm quite pleased to see development in this area.  I
 assume that as a large university, you have a need for supporting old
 Windows clients that precludes a pure Active Directory+AFS style of
 integration (NT password hashes only)?

Is there credential forwarding in smb/cifs or is there a need to send that
out of band?
 
The solution I've been using is giving the samba gateway privileges into
the afs-space (by storing the afs KeyFile on the gateway and cooking creds
on the fly).

 I'd be tickled pink if someone were actually implementing a Samba-AFS
 gateway using pure Kerberos 5, but AIUI there's still quite a lot of
 work involved in getting OpenAFS to use /anything/ other than DES.

It's not talking des, it's using fcrypt. And yes there is work in progress to
make it talk something better than fcrypt, and no, it's not that hard.

Love