Re: [Samba] Windows 7 machine trust accounts expiring
On 2010-10-04 16:23, John Drescher wrote:
> On Thu, Jul 15, 2010 at 11:52 AM, Peter Rindfuss wrote:
>> There was an earlier thread about failing trust relationships between Windows 7 and Samba. Since we occasionally experience the same problem with Win 7 clients against a Samba 3.5.4 server, I investigated this a bit further.
>>
>> I think it happens when
>> - the time to change the machine password has arrived
>> - the Win 7 machine is up, but no one is logged on (login box is shown on the screen).
>>
>> To reproduce this, I reduced the machine password change interval to one day on a test computer, then let the login prompt sit there for a day or so - and indeed I could not log in anymore because of a trust relationship failure. I will try this a couple more times. I hope this helps to find a remedy.
>
> Did you ever solve this issue? How did you change the "machine password change interval"? I just had a single windows 7 box fail trust relationship and I saw that the last modify time in ldap for that account was August 30, 2010.
>
> John

Our solution: We disabled the machine password change on all win7 clients by setting

  HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  DisablePasswordChange = dword:1

We never had a single issue after that.

The "machine password change interval" can be set in the client's registry with

  HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  MaximumPasswordAge = dword:n,

n being a number of days. Default is 30. Instead of "DisablePasswordChange = 1" we might have tried "MaximumPasswordAge = 100", a million days.

Finally, we might have tried against an MS server

  HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  RefusePasswordChange = dword:1

Note that this is a server setting, not a client setting. In Samba, it should translate to "sambaRefuseMachinePwdChange = 1" in LDAP.

Peter

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Automatic change of machine passwords seems to break trust relationship for Windows 7 clients
On 2010-08-09 14:18, Stefan Oberwahrenbrock wrote:
> We are observing the following phenomenon: After 30 days our Windows 7 clients lose their trust relationship with the samba domain. We think that the automatic machine password change on these clients fails.

I posted a message about the very same problem on July 15. I think it does not always happen after 30 days (or whatever the change interval is set to), but only occurs when the machine password change time has arrived and the computer is on, but no one is logged on (i.e. the login box is shown).

Since we are only starting to deploy Windows 7, we simply turned the machine password change off in the registry of our imaged installation and the few real installations. We had no more problems afterwards.

There are three ways to change the machine password behavior:

Client-Registry:
  HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  DisablePasswordChange = dword:1

or

Client-Registry:
  HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  MaximumPasswordAge = dword:100

or

Server-Registry (if you have a Windows server):
  HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  RefusePasswordChange = dword:1

With Samba + OpenLDAP, set sambaRefuseMachinePwdChange = 1 in the sambaDomainName= entry.

Peter
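Both Windows 7 replies above turn machine password rotation off at the client, and John's check of the account's last-modify time in LDAP is the server-side way to see rotation failing. The script below is an added example, not code from the thread: it reads an LDIF export of sambaSamAccount entries (for instance the output of ldapsearch) and lists workstation trust accounts whose sambaPwdLastSet is older than the Netlogon MaximumPasswordAge default of 30 days, which is what a trust failure of this kind looks like from the PDC. The LDIF, the account names and the reference time are constructed sample data. Note that once sambaRefuseMachinePwdChange = 1 or DisablePasswordChange = 1 is in place, old machine passwords are expected and this scan no longer indicates a problem; it also never touches the hashes themselves.

```python
"""Flag Samba machine accounts whose password is older than the Netlogon
MaximumPasswordAge (30 days by default). Added example, not code from the
thread; it reads an LDIF export of sambaSamAccount entries. The LDIF and the
reference time below are constructed sample data."""
from datetime import datetime, timezone

# Constructed sample: two workstation trust accounts and one ordinary user.
SAMPLE_LDIF = """\
dn: uid=pc01$,ou=machines,ou=accounts,dc=example,dc=org
objectClass: sambaSamAccount
uid: pc01$
sambaAcctFlags: [W          ]
sambaPwdLastSet: 1283126400

dn: uid=pc02$,ou=machines,ou=accounts,dc=example,dc=org
objectClass: sambaSamAccount
uid: pc02$
sambaAcctFlags: [W          ]
sambaPwdLastSet: 1285891200

dn: uid=alice,ou=users,ou=accounts,dc=example,dc=org
objectClass: sambaSamAccount
uid: alice
sambaAcctFlags: [U          ]
sambaPwdLastSet: 1270000000
"""

# Constructed reference time (the date of the reply above): 2010-10-04 16:23 UTC.
NOW = datetime(2010, 10, 4, 16, 23, tzinfo=timezone.utc)


def parse_ldif(text):
    """Minimal LDIF reader: one {attribute: [values]} dict per entry.
    Folded lines (leading space) are joined; base64 values ('attr:: ...')
    are skipped because none of the attributes used here are binary."""
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last is not None:
            current[last][-1] += raw[1:]
            continue
        if not raw.strip():                     # blank line terminates an entry
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip()
        if value.startswith(":"):               # base64-encoded value, not needed
            last = None
            continue
        current.setdefault(attr, []).append(value.strip())
        last = attr
    return entries


def is_machine_account(entry):
    """Samba marks workstation trust accounts with 'W' in sambaAcctFlags,
    which is stored as a bracketed, space-padded field like '[W          ]'."""
    flags = entry.get("sambaAcctFlags", [""])[0]
    return "W" in flags.strip("[] ")


def stale_machine_accounts(ldif_text, now=NOW, max_age_days=30):
    """Return (uid, age_in_days) for machine accounts whose sambaPwdLastSet is
    older than max_age_days. Accounts with no sambaPwdLastSet at all are
    reported with age None, since their rotation state is unknown."""
    stale = []
    for entry in parse_ldif(ldif_text):
        if not is_machine_account(entry):
            continue
        uid = entry.get("uid", ["?"])[0]
        last_set = entry.get("sambaPwdLastSet")
        if not last_set:
            stale.append((uid, None))
            continue
        set_at = datetime.fromtimestamp(int(last_set[0]), tz=timezone.utc)
        age_days = int((now - set_at).total_seconds() // 86400)
        if age_days > max_age_days:
            stale.append((uid, age_days))
    return stale


if __name__ == "__main__":
    for uid, age in stale_machine_accounts(SAMPLE_LDIF):
        print(f"{uid}: machine password last set {age} days ago")
```

With the sample data, pc01$ (last set 2010-08-30, the date John saw) is reported at 35 days while pc02$ and the user alice are not. Against a real export, pass the MaximumPasswordAge your clients actually use as max_age_days.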
[Samba] Windows 7 machine trust accounts expiring
There was an earlier thread about failing trust relationships between Windows 7 and Samba. Since we occasionally experience the same problem with Win 7 clients against a Samba 3.5.4 server, I investigated this a bit further.

I think it happens when
- the time to change the machine password has arrived
- the Win 7 machine is up, but no one is logged on (login box is shown on the screen).

To reproduce this, I reduced the machine password change interval to one day on a test computer, then let the login prompt sit there for a day or so - and indeed I could not log in anymore because of a trust relationship failure. I will try this a couple more times.

I hope this helps to find a remedy.

Peter
Re: [Samba] samab unable to contact ldap or something else
vishesh kumar wrote:
> [global]
> ldap suffix = "dc=abp=,dc=del"

There is an extra = sign in there. I'd say this should be

  ldap suffix = "dc=abp,dc=del"

Peter
Re: [Samba] map acl inherit stopped working
On 2009-10-22 19:23, Jeremy Allison wrote:
> On Thu, Oct 22, 2009 at 10:46:40AM +0200, Peter Rindfuss wrote:
>> On 2009-10-22 01:36, Jeremy Allison wrote:
>
> Ok, this is where you log a bug on it with *exact* details on how to reproduce, and I fix it for you :-).

Ok, I have added bug 6841: https://bugzilla.samba.org/show_bug.cgi?id=6841

Please let me know what else may be needed.

Best,
Peter
Re: [Samba] map acl inherit stopped working
On 2009-10-22 01:36, Jeremy Allison wrote:
> I'm guessing this is the version 1 to version 2 upgrade. (From posix_acls.c)

Thank you for your reply.

The posix_acls.c code says that version 2 SAMBA_PAI is always written now. But apparently it is not interpreted correctly as opposed to existing version 1 entries. As far as I can tell, it is not the mix of v1 and v2 that causes the problems. It also happens on a fresh empty share with no v1.

So what can I do about it (if I can)?

Peter
Re: [Samba] map acl inherit stopped working
On 2009-10-19 23:04, Jeremy Allison wrote:
> On Sat, Oct 17, 2009 at 12:40:10AM +0200, Peter Rindfuss wrote:
>> Hi,
>>
>> It seems that at some point "map acl inherit = yes" stopped working for me. I now have Samba 3.4.2, but this problem started with an earlier version, possibly some 3.2.x or 3.3.x. No SAMBA_PAI extended attributes are created anymore, but existing ones are still honored. OS is Suse 11.0, file system is XFS.
>>
>> What could be wrong?
>
> Not sure, can you log a bug and upload logs please ?

Hi Jeremy,

I will file a bug, if necessary, but perhaps my further investigations can help.

My statement "no SAMBA_PAI extended attributes are created anymore" is wrong, I apologize. But it is interesting what really happens to SAMBA_PAI:

I looked at an old existing folder: Windows security tab shows that rights are inherited from the folder above. SAMBA_PAI is

  0x01000300039a750151c302009a750151c302

When I remove and (try to) set inheritance again, SAMBA_PAI becomes

  0x02048d030003009a75000151c303020b009a750b0151c30302

and inheritance is gone, same as if SAMBA_PAI were not there at all. When I manually set SAMBA_PAI to the first value, inherited rights are back there again.

One more interesting observation: The acl_xattr VFS module seems to work fine with respect to inheritance (on a test share). BTW, the SAMBA_PAI created with acl_xattr looks similar to the non-working one above.

Cheers,
Peter
[Samba] map acl inherit stopped working
Hi,

It seems that at some point "map acl inherit = yes" stopped working for me. I now have Samba 3.4.2, but this problem started with an earlier version, possibly some 3.2.x or 3.3.x. No SAMBA_PAI extended attributes are created anymore, but existing ones are still honored. OS is Suse 11.0, file system is XFS.

What could be wrong?

Peter
[Samba] openldap error messages after upgrade 3.3.6 -> 3.4.2
Hi,

I just upgraded Samba from 3.3.6 to 3.4.2. We use it as PDC with OpenLDAP 2.4.19. After the upgrade, I see occasional log messages coming from OpenLDAP like:

  Oct 16 16:19:31 selene slapd[10158]: conn=71 op=2 do_search: invalid dn (sambaDomainName=,sambaDomainName=WZB,ou=accounts,dc=wzb,dc=eu)

There were no such messages with 3.3.6. So far, it doesn't seem to cause problems, but who knows. Any idea what could be causing this?

Peter
[Samba] Wrong ACL in subdir
Hi,

I've noticed the following ACL problem in a newly created subfolder:

Let a folder have full rights for the owner, no rights for the primary group, no rights for everyone, no further rights defined. Add, from WinXP, an ACL for another user with Read&Execute rights and the option "This folder only". Now create a subfolder: in the new subfolder, the parent group has "Full control" although it had no rights in the parent.

In the log I can find the entry

  change_dir_owner_to_parent: device/inode/mode on directory ... changed. Refusing to chown !

Happens with Samba 3.2.7, 3.3.5, 3.3.6 (no other versions tested).

Details on this are in https://bugzilla.samba.org/show_bug.cgi?id=6507

Peter Rindfuss
Re: [Samba] [Release Planning 3.4] 3.4.0pre1 will be delayed
Remy Zandwijk wrote:
> Peter Rindfuss wrote:
>> On 15.04.2009 15:12, Karolin Seeger wrote:
>>
>>> The code change between 3.2.9 is really small and it was not the
>>> intention to introduce the bug, but maybe it happened.
>>>
>> I went from 3.2.8 to 3.2.10, i.e. the bug could have been introduced
>> either in 3.2.9 or 3.2.10.
>>
>> In the meantime, I reverted to 3.2.8, and things are ok again.
>
>
> FWIW: I've setup a virgin PDC based on 3.2.10 and I could join a XP-SP2
> machine without problems.
>
> -Remy
>

Remy,

I can confirm this. For testing purposes, I installed a "fresh" WinXP SP2 on a PC. I had no problems to join this machine to 3.2.10, but after the next login, the problems showed up as described.

Peter
Re: [Samba] [Release Planning 3.4] 3.4.0pre1 will be delayed
On 15.04.2009 15:12, Karolin Seeger wrote:
> The code change between 3.2.9 is really small and it was not the intention to introduce the bug, but maybe it happened.

I went from 3.2.8 to 3.2.10, i.e. the bug could have been introduced either in 3.2.9 or 3.2.10.

In the meantime, I reverted to 3.2.8, and things are ok again.

Best,
Peter Rindfuss
[Samba] Samba 3.2.10: WinXP SP2 trouble
Hi,

Yesterday I upgraded our PDC and BDC from Samba 3.2.8 to 3.2.10 (OpenSUSE 11.0). Now all WinXP SP3 clients are still working fine, but those (fortunately few) clients with only SP2 or SP1 cannot correctly login anymore.

After login, a lsass.exe error shows up, and Windows starts shutting down (60 seconds left). If one stops the shutdown, all file access to the PDC works nicely, but the system control panel shows the domain name as *unknown*, and a message pops up telling that the RPC server is not available.

If I do a local login instead of a domain login, no problem occurs, and I even can map a network drive in explorer with no bad consequences.

What could be wrong?

Thanks for hints
Peter
Re: [Samba] ntlm hashes..
On 03.04.2009 12:05, Collen Blijenberg wrote:
> Thx, found both packages. and they fit my needs... (-:
>
> Greets, Collen
>
> Peter Rindfuss wrote:
>> On 03.04.2009 10:29, Collen Blijenberg wrote:
>>> Hello,
>>>
>>> How can i make an lm/ntlm hash from a plain text password ?? i need a way to generate a ntlm password to put into an external database. we make the users and their passwords on a machine that is not direct connected to the samba domain. we can export the database, so the only prob i have left is, how to get the samba passwords (lm/nt) in the database.
>>
>> You could use perl and the Crypt::SMBHash module.

I forgot to mention: I also have some C/C++ code that creates a ntlm passwd using ms windows crypto functions. Let me know if you want it.

Peter
Re: [Samba] ntlm hashes..
On 03.04.2009 10:29, Collen Blijenberg wrote:
> Hello,
>
> How can i make an lm/ntlm hash from a plain text password ?? i need a way to generate a ntlm password to put into an external database. we make the users and their passwords on a machine that is not direct connected to the samba domain. we can export the database, so the only prob i have left is, how to get the samba passwords (lm/nt) in the database.

You could use perl and the Crypt::SMBHash module.

Peter Rindfuss
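The question in the two messages above is how to produce the hash that Samba stores in sambaNTPassword when accounts are provisioned from an external database. As an added example, not the Crypt::SMBHash module Peter points to and not Samba code, the following Python computes it: the NT hash is MD4 over the UTF-16LE encoding of the password, written as 32 upper-case hex digits. MD4 is implemented inline because OpenSSL 3 moved it to the legacy provider, so hashlib.new('md4') is unavailable on many hosts. Only the NT hash is produced; the LM hash is left out on purpose, as the smb.conf posted elsewhere in this archive already has lanman auth = No.

```python
"""NT hash generation for provisioning Samba accounts from an external
database. Added example, not the Crypt::SMBHash module mentioned above and
not Samba code; MD4 is implemented here because OpenSSL 3 ships it only in
the legacy provider, so hashlib.new('md4') fails on many hosts."""
import struct


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data):
    """MD4 digest (RFC 1320) of a byte string."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian

    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z

    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                          # round 1: words in order
            a = _rotl((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                          # round 2: 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                          # round 3: 0,8,4,12,2,10,...
            k = (0, 2, 1, 3)[i // 4] + (0, 8, 4, 12)[i % 4]
            a = _rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password):
    """NT hash as Samba stores it in sambaNTPassword: MD4 over the UTF-16LE
    encoding of the password, as 32 upper-case hex digits."""
    return md4(password.encode("utf-16-le")).hex().upper()


def samba_password_attributes(password):
    """Attribute values to write for a new sambaSamAccount. Only the NT hash
    is produced; the LM hash is deliberately omitted because it is
    case-folded, limited to 14 characters and far weaker, and the smb.conf
    posted in this archive already sets 'lanman auth = No'."""
    return {"sambaNTPassword": nt_hash(password)}


if __name__ == "__main__":
    # Well-known check value: the NT hash of the word "password".
    print(samba_password_attributes("password"))
```

Treat the resulting value like the password itself: an NT hash is directly usable for NTLM authentication, so the export file and the LDAP attribute need the same protection as a cleartext credential, which is also why the LDAP link should be ldapi:// or TLS rather than plain ldap://.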
Re: [Samba] 3.2.4 ACL inheritance trouble
On 2008-11-04 22:55, Jeremy Allison wrote:
> On Tue, Nov 04, 2008 at 04:23:03PM +0100, Peter Rindfuss wrote:
>> Sorry, not possible. 3.2.x was introduced here when upgrading from Suse 10.0 to OpenSuse 11.0. OpenSuse 11 comes with 3.2.0, I think, but when we went to production use, we already had installed 3.2.4. That was 2 weeks ago. The "(maybe earlier, but I doubt it)" in my original post makes no sense as we did not test it with any earlier version than 3.2.4.
>>
>> I found some possible discussion at http://webui.sourcelabs.com/samba/issues/5052
>
> Ok, thanks. Can you log a bug for me at bugzilla.samba.org so I can track this when I get back to the USA.

See bug 5873: https://bugzilla.samba.org/show_bug.cgi?id=5873

Best,
Peter

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] 3.2.4 ACL inheritance trouble
On 2008-11-04 14:59, Jeremy Allison wrote:
> On Tue, Nov 04, 2008 at 02:16:24PM +0100, Peter Rindfuss wrote:
>> Hi,
>>
>> Since 3.2.4 (maybe earlier, but I doubt it), one important feature does not work anymore for me: I cannot break ACL inheritance anymore in the Windows ACL editor.
>>
>> With previous Samba versions, I entered the "Advanced" dialog of the Windows ACL editor and unchecked the flag "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here". Afterwards, I could remove or change ACLs as needed.
>>
>> If I do this now, ACLs that exist on the next higher directory level re-appear after having deleted them.
>>
>> Are there changed configuration options or am I missing something else here?
>>
>> Breaking inheritance is very important in our system as we often need to restrict access to subdirectories. At the moment, I can only try to modify ACLs on the Linux level in order to get the desired behavior.
>
> Can you help me determine when this behavior changed ? 3.2.3 has a small change here that might affect this, but I'd be very interested to know if this was in 3.2.0, 3.2.1 or 3.2.3 (when it was introduced).
>
> I'm travelling at the moment with no access to Windows VM's to test this with, so if you need me to reproduce it'll have to wait until next monday (US Pacific time).

Sorry, not possible. 3.2.x was introduced here when upgrading from Suse 10.0 to OpenSuse 11.0. OpenSuse 11 comes with 3.2.0, I think, but when we went to production use, we already had installed 3.2.4. That was 2 weeks ago. The "(maybe earlier, but I doubt it)" in my original post makes no sense as we did not test it with any earlier version than 3.2.4.

I found some possible discussion at http://webui.sourcelabs.com/samba/issues/5052

Best,
Peter Rindfuss
[Samba] 3.2.4 ACL inheritance trouble
Hi,

Since 3.2.4 (maybe earlier, but I doubt it), one important feature does not work anymore for me: I cannot break ACL inheritance anymore in the Windows ACL editor.

With previous Samba versions, I entered the "Advanced" dialog of the Windows ACL editor and unchecked the flag "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here". Afterwards, I could remove or change ACLs as needed.

If I do this now, ACLs that exist on the next higher directory level re-appear after having deleted them.

Are there changed configuration options or am I missing something else here?

Breaking inheritance is very important in our system as we often need to restrict access to subdirectories. At the moment, I can only try to modify ACLs on the Linux level in order to get the desired behavior.

Thanks in advance for help
Peter Rindfuss
[Samba] 3.2.4 CreateDirectory panic
Hi,

For some reason I am not able to send the level 10 debug output as an attachment to the list. Therefore, I have prepared a download link:

  http://www.wzb.eu/wzb/dv/downloads/log.smbd.gz

Cheers,
Peter
Re: [Samba] 3.2.4 CreateDirectory panic
Jeremy Allison wrote:
> On Mon, Oct 20, 2008 at 04:09:57PM +0200, Peter Rindfuss wrote:
>> On 2008-10-20 15:17, Volker Lendecke wrote:
>>> On Mon, Oct 20, 2008 at 03:11:41PM +0200, Peter Rindfuss wrote:
>>>> On 2008-10-20 15:02, Volker Lendecke wrote:
>>>>> On Mon, Oct 20, 2008 at 02:34:23PM +0200, Peter Rindfuss wrote:
>>>>>> attached is the subroutine that I used for testing.
>>>>>> The part enclosed in #ifdef createdir_alt worked with 3.0.24, but
>>>>>> not with 3.2.4. The #else part works with 3.2.4. Both versions
>>>>>> are based upon the same security descriptor structure.
>>>>> Can you also send your smb.conf and a debug level 10 log
>>>>> leading to this error?
>>>>>
>>>> smb.conf is attached.
>>>>
>>>> Is it possible to turn on level 10 logging without restarting the
>>>> daemon? It is our production server and I'm not willing to disturb
>>>> any existing connection.
>>> Sure. Just set "debug level = 10". Then all new connections
>>> will get the higher debuglevel. Alternatively, connect from
>>> your client, look at smbstatus output to find "your" smbd
>>> pid and issue
>>>
>>> smbcontrol debug 10
>>>
>>> to make just that one smbd use that debuglevel.
>>>
>>> Volker
>> Here comes the log; I went to the CreateDirectory call in the debugger,
>> turned level 10 on and stepped over the call.
>>
>> Second try; gzipped now.
>
> No log attached to this message I'm afraid. Can you
> try again please ?
>

Sure.
Re: [Samba] 3.2.4 CreateDirectory panic
On 2008-10-20 15:17, Volker Lendecke wrote:
> On Mon, Oct 20, 2008 at 03:11:41PM +0200, Peter Rindfuss wrote:
>> On 2008-10-20 15:02, Volker Lendecke wrote:
>>> On Mon, Oct 20, 2008 at 02:34:23PM +0200, Peter Rindfuss wrote:
>>>> attached is the subroutine that I used for testing. The part enclosed in #ifdef createdir_alt worked with 3.0.24, but not with 3.2.4. The #else part works with 3.2.4. Both versions are based upon the same security descriptor structure.
>>>
>>> Can you also send your smb.conf and a debug level 10 log leading to this error?
>>
>> smb.conf is attached.
>>
>> Is it possible to turn on level 10 logging without restarting the daemon? It is our production server and I'm not willing to disturb any existing connection.
>
> Sure. Just set "debug level = 10". Then all new connections will get the higher debuglevel. Alternatively, connect from your client, look at smbstatus output to find "your" smbd pid and issue
>
> smbcontrol debug 10
>
> to make just that one smbd use that debuglevel.
>
> Volker

Here comes the log; I went to the CreateDirectory call in the debugger, turned level 10 on and stepped over the call.

Second try; gzipped now.

Peter
Re: [Samba] 3.2.4 CreateDirectory panic
On 2008-10-20 15:02, Volker Lendecke wrote:
> On Mon, Oct 20, 2008 at 02:34:23PM +0200, Peter Rindfuss wrote:
>> attached is the subroutine that I used for testing. The part enclosed in #ifdef createdir_alt worked with 3.0.24, but not with 3.2.4. The #else part works with 3.2.4. Both versions are based upon the same security descriptor structure.
>
> Can you also send your smb.conf and a debug level 10 log leading to this error?

smb.conf is attached.

Is it possible to turn on level 10 logging without restarting the daemon? It is our production server and I'm not willing to disturb any existing connection.

Peter

# Samba config file created using SWAT
# from 193.174.6.50 (193.174.6.50)
# Date: 2008/08/15 10:55:55

[global]
        display charset = UTF-8
        workgroup = WZB
        server string = File Server
        interfaces = 127.0.0.1, 193.174.6.4
        bind interfaces only = Yes
        passdb backend = ldapsam:ldapi://%2fvar%2frun%2fslapd%2fldapi/
        guest account = guest
        passwd program = /usr/local/sbin/wzbpasswd -U -M -s -x %u
        passwd chat = *Enter*password* %n\n *Re-enter*password* %n\n *changed*
        username map = /etc/samba/smbusers
        unix password sync = Yes
        lanman auth = No
        syslog = 0
        smb ports = 139
        time server = Yes
        socket options = TCP_NODELAY SO_KEEPALIVE
        load printers = No
        printcap name = /dev/null
        add user script = /usr/local/sbin/wzbuseradd -q -I -y -c %u
        delete user script = /usr/local/sbin/wzbuserdel -q -d %u
        add group script = /usr/local/sbin/wzbgroupadd -q -y '%g'
        delete group script = /usr/local/sbin/wzbgroupdel -q '%g'
        add user to group script = /usr/local/sbin/wzbgroupmemberadd -q '%g' %u
        delete user from group script = /usr/local/sbin/wzbgroupmemberdel -q '%g' %u
        set primary group script = /usr/local/sbin/wzbgroupprim -q %u '%g'
        add machine script = /usr/local/sbin/wzbuseradd -q -y -x %m
        logon script = login.cmd
        logon path =
        logon home = \\selene\wzb
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
        kernel oplocks = No
        ldap admin dn = cn=root,dc=wzb,dc=eu
        ldap group suffix = ou=groups
        ldap machine suffix = ou=machines
        ldap suffix = ou=accounts,dc=wzb,dc=eu
        ldap ssl = no
        ldap user suffix = ou=users
        host msdfs = No
        vscan-fsav:config-file = /etc/samba/fsav.conf
        ldapsam:trusted = Yes
        admin users = @admins
        create mask = 0700
        directory mask = 0700
        hosts allow = 193.174.6.0/255.255.254.0
        ea support = Yes
        map acl inherit = Yes
        cups options = raw
        hide unreadable = Yes
        map archive = No
        mangled names = No
        store dos attributes = Yes
        dos filemode = Yes

[printers]
        comment = Network Printers
        path = /var/spool/cups
        create mask = 0600
        hosts allow = 127.0.0.1, 193.174.6.0/23
        hosts deny = 0.0.0.0
        printable = Yes
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @admins
        force group = @admins
        create mask = 0664
        directory mask = 0775
        available = No

[netlogon]
        comment = Network Logon Service
        path = /wzb/netlogon
        valid users = @admins, @users, root
        admin users = @admins, root
        guest ok = Yes
        browseable = No

[wzb]
        comment = WZB File Server
        path = /wzb/samba
        valid users = @admins, @users, root
        admin users = @admins, root
        read only = No
        inherit permissions = Yes
        inherit acls = Yes
        inherit owner = Yes
        use sendfile = Yes
        hide dot files = No
        hide special files = Yes
        map readonly = permissions
        mangled names = Yes
        root preexec = /usr/local/sbin/wzbldapsettime %u sambaLogonTime
        root postexec = /usr/local/sbin/wzbldapsettime %u sambaLogoffTime

[admin]
        comment = Zugriff auf Alles für die Admins
        path = /
        valid users = @admins, root
        admin users = @admins, root
        read only = No
        inherit acls = Yes
        inherit owner = Yes
        hide dot files = No
        hide unreadable = No
        mangled names = Yes
        browseable = No

[wzbadmin]
        path = /wzb
        valid users = @admins
        read only = No
        inherit permissions = Yes
        inherit acls = Yes
        inherit owner = Yes
        mangled names = Yes

[pmail]
        comment = Pegasus Mail Share
        path = /wzb/pmail
        valid users = @admins, @users
        read only = No
        inherit permissions = Yes
        inherit acls = Yes
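The smb.conf above shows several settings that decide how exposed a Samba PDC is: the passdb backend reaches OpenLDAP over a local ldapi:// socket (so ldap ssl = no costs nothing), lanman auth is off, hosts allow limits who may connect, and the [admin] share exports path = / but only to @admins and root. The "extra = sign" typo in the ldap suffix from the thread above is another thing worth catching before testparm or slapd does. The script below is an added example, not Samba's parser or testparm, and the two configs embedded in it are constructed to echo the shape of the one posted, with example.org names rather than the real site. It parses the INI-like format and reports findings for these points, treating a whole-filesystem share as an error only when no valid users restriction is present.

```python
"""Audit an smb.conf for the settings discussed in this archive: LDAP
suffix typos, LDAP over TCP without TLS, LM authentication, and shares that
export too much. Added example, not Samba's own parser or testparm; the two
configs below are constructed and only echo the shape of the one posted."""
import re

WEAK_CONF = """\
[global]
        workgroup = EXAMPLE
        passdb backend = ldapsam:ldap://ldap.example.org/
        ldap suffix = "dc=abp=,dc=del"
        ldap ssl = no
        lanman auth = Yes
[netlogon]
        path = /srv/netlogon
        guest ok = Yes
[admin]
        path = /
        read only = No
"""

HARDENED_CONF = """\
[global]
        workgroup = EXAMPLE
        hosts allow = 127.0.0.1, 192.0.2.0/24
        passdb backend = ldapsam:ldapi://%2fvar%2frun%2fslapd%2fldapi/
        ldap suffix = ou=accounts,dc=example,dc=org
        ldap ssl = no
        lanman auth = No
[netlogon]
        path = /srv/netlogon
        valid users = @users, @admins
[admin]
        path = /
        valid users = @admins
        browseable = No
"""


def parse_smb_conf(text):
    """{section: {parameter: value}}; parameter names are lower-cased with
    whitespace collapsed, since smbd matches them case-insensitively."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][" ".join(key.split()).lower()] = value.strip()
    return conf


def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def check_dn(dn):
    """Problems in an LDAP DN string: empty RDNs, RDNs without '=', and an
    unescaped '=' inside a value (RFC 4514 tolerates it, so a server may
    accept 'dc=abp=' silently, but it is almost always a typo)."""
    problems = []
    for rdn in dn.strip().strip('"').split(","):
        attr, sep, value = rdn.partition("=")
        if not rdn.strip():
            problems.append("empty RDN")
        elif not sep or not attr.strip():
            problems.append(f"RDN without attribute: {rdn.strip()!r}")
        elif "=" in value.replace("\\=", ""):
            problems.append(f"stray '=' in RDN value: {rdn.strip()!r}")
    return problems


def audit_smb_conf(text):
    """Return (severity, section, message) findings."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    out = []
    for p in (check_dn(g["ldap suffix"]) if "ldap suffix" in g else []):
        out.append(("error", "global", f"ldap suffix: {p}"))
    backend = g.get("passdb backend", "").lower()
    uri = backend.partition(":")[2] if backend.startswith("ldapsam") else ""
    tls = g.get("ldap ssl", "start tls").lower().replace("_", " ")
    if uri.startswith("ldap://") and tls not in ("start tls", "on", "yes"):
        out.append(("error", "global", "LDAP over TCP without TLS: the bind password and "
                    "stored hashes cross the network in clear; use ldapi://, ldaps:// or ldap ssl = start tls"))
    if "lanman auth" not in g:
        out.append(("info", "global", "lanman auth not set explicitly; set it to No unless pre-NT clients remain"))
    elif _yes(g["lanman auth"]):
        out.append(("warning", "global", "lanman auth = Yes enables LM responses; set lanman auth = No"))
    if "hosts allow" not in g:
        out.append(("info", "global", "no hosts allow: every address may connect"))
    for name, p in conf.items():
        if name == "global":
            continue
        if p.get("path") == "/":
            restricted = bool(p.get("valid users"))
            out.append(("info" if restricted else "error", name,
                        "exports the whole filesystem (path = /)" + ("" if restricted else " with no valid users")))
        if _yes(p.get("guest ok", "no")) or _yes(p.get("public", "no")):
            out.append(("warning", name, "guest ok = Yes: reachable without authentication"))
    return out


if __name__ == "__main__":
    for finding in audit_smb_conf(WEAK_CONF):
        print("%-7s [%s] %s" % finding)
```

Run against the weak config this reports the suffix typo, the cleartext LDAP link, LM authentication, the missing hosts allow, the guest-readable netlogon share and the unrestricted root share; the hardened config yields only an informational note about [admin] exporting / to @admins, which matches the posted configuration's intent.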
Re: [Samba] 3.2.4 CreateDirectory panic
On 2008-10-20 14:45, Volker Lendecke wrote:
> On Mon, Oct 20, 2008 at 02:34:23PM +0200, Peter Rindfuss wrote:
>> attached is the subroutine that I used for testing. The part enclosed in #ifdef createdir_alt worked with 3.0.24, but not with 3.2.4. The #else part works with 3.2.4. Both versions are based upon the same security descriptor structure.
>
> Sorry, the binary would be much more helpful. I don't have Visual Studio installed anywhere.
>
> Volker

It's Borland C++ 5, actually. I'd love to give you the executable but it is highly site-specific, does many non-samba things (needs libmySQL.dll, for instance), has an ini file that contains a sensitive password and so on. It will not work for you.

If I find the time I'll put together a small program that just calls the test code.

Cheers,
Peter
Re: [Samba] 3.2.4 CreateDirectory panic
On 2008-10-20 13:55, Volker Lendecke wrote:
> On Mon, Oct 20, 2008 at 01:18:11PM +0200, Peter Rindfuss wrote:
>> Hi,
>>
>> I have just set up a new 64bit server as PDC with opensuse 11 and samba 3.2.4. The configuration was taken over from suse 10 with samba 3.0.24. So far, everything on the new server works fine but this:
>>
>> I have a C++ utility program running under win xp which creates users and home directories using win32 api calls. It worked fine with samba 3.0.24 and before, but causes a samba panic when it executes the CreateDirectory win32 api call for the home directory. A log file snippet is attached.
>>
>> My own testing shows that the panic only happens when CreateDirectory is called with a SECURITY_ATTRIBUTES structure in order to set the correct acls for the new directory:
>>
>>   CreateDirectory(HomePath, &security_attributes);   -> panic
>>
>> whereas
>>
>>   CreateDirectory(HomePath, NULL);                   -> ok
>>
>> I tried some variants like
>>
>>   CreateDirectory ( HomePath, NULL ) ;               -> ok
>>   SetFileSecurity(Homepath, ..., security_descriptor);  -> panic
>>
>> and finally came up with this solution
>>
>>   CreateDirectory(HomePath, NULL);                   -> ok
>>   SetNamedSecurityInfo( );                           -> ok
>>
>> Strange thing is that in all variants I start out with the same SECURITY_DESCRIPTOR structure.
>
> Can you send me that utility or a sniff?
>
> Volker

Hi Volker,

attached is the subroutine that I used for testing. The part enclosed in #ifdef createdir_alt worked with 3.0.24, but not with 3.2.4. The #else part works with 3.2.4. Both versions are based upon the same security descriptor structure.

Peter

// Attached test subroutine (Borland C++ 5, Win32 API). HomePath is a member of
// SeleneConnection defined elsewhere in the utility; the #else branch uses the
// local test path instead.
#include <windows.h>
#include <sddl.h>
#include <aclapi.h>

bool SeleneConnection::TestDACL ( void )
{
    bool ok ;
    int needed ;
    int status ;
    int i, n ;
    char *sddl ;
    volatile DWORD error ;
    static char path[] = "selene\\wzbadmin\\samba\\user\\aaa" ;
    static char sidnewstring[] = "S-1-5-21-3308023661-3915791984-1724325443-61014" ;   // some user
    static char groupsidstring[] = "S-1-5-21-3308023661-3915791984-1724325443-513" ;   // "Domain Users" (unix group 'users')
    // sddlfmt was obtained by means of the utility 'subinacl'
    static const char sddlfmt[] = "O:%sG:%sD:(A;OICI;FA;;;%s)(A;OICIWD)(A;%s)(A;OICIIO;FA;;;CO)(A;OICIIOCG)" ;
    PSECURITY_DESCRIPTOR secdes ;
#ifdef createdir_alt
    SECURITY_ATTRIBUTES secattr ;
#else
    PACL dacl ;
    PSID owner, group ;
    BOOL present, def ;
#endif

    ok = false ;
    // buffer for the format string with its four %s replaced by the user SID (twice)
    // and the group SID (twice), plus the terminating NUL
    needed = (sizeof(sddlfmt) - 1) + ((lstrlen(sidnewstring) - 2) + (lstrlen(groupsidstring) - 2)) * 2 + 1 ;
    sddl = new char[needed] ;
    wsprintf ( sddl, sddlfmt, sidnewstring, groupsidstring, sidnewstring, groupsidstring ) ;
    ok = ConvertStringSecurityDescriptorToSecurityDescriptor ( sddl, SDDL_REVISION_1, &secdes, NULL ) ;
    delete[] sddl ;
    if ( ! ok ) goto exit0 ;

#ifdef createdir_alt
    // this does work in 3.0.24, but not in 3.2.4
    secattr.nLength = sizeof ( SECURITY_ATTRIBUTES ) ;
    secattr.lpSecurityDescriptor = secdes ;
    secattr.bInheritHandle = false ;
    ok = CreateDirectory ( HomePath, &secattr ) ;   // --> panic
    error = GetLastError () ;
#else
    // this does work in 3.2.4: create without a descriptor, then apply owner,
    // group and DACL from the same descriptor with SetNamedSecurityInfo
    ok = CreateDirectory ( path, NULL ) ;
    ok = ok && GetSecurityDescriptorDacl ( secdes, &present, &dacl, &def ) ;
    ok = ok && GetSecurityDescriptorOwner ( secdes, &owner, &def ) ;
    ok = ok && GetSecurityDescriptorGroup ( secdes, &group, &def ) ;
    if ( ok )
    {
        ok = (SetNamedSecurityInfo ( path, SE_FILE_OBJECT,
                                     OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION,
                                     owner, group, dacl, NULL ) == ERROR_SUCCESS) ;
        error = GetLastError () ;
    }
#endif
    LocalFree ( secdes ) ;
    if ( ! ok ) goto exit0 ;
    ok = true ;

exit0:
    return ( ok ) ;
}
[Samba] 3.2.4 CreateDirectory panic
Hi,

I have just set up a new 64bit server as PDC with opensuse 11 and samba 3.2.4. The configuration was taken over from suse 10 with samba 3.0.24. So far, everything on the new server works fine but this:

I have a C++ utility program running under win xp which creates users and home directories using win32 api calls. It worked fine with samba 3.0.24 and before, but causes a samba panic when it executes the CreateDirectory win32 api call for the home directory. A log file snippet is attached.

My own testing shows that the panic only happens when CreateDirectory is called with a SECURITY_ATTRIBUTES structure in order to set the correct acls for the new directory:

  CreateDirectory(HomePath, &security_attributes);   -> panic

whereas

  CreateDirectory(HomePath, NULL);                   -> ok

I tried some variants like

  CreateDirectory ( HomePath, NULL ) ;               -> ok
  SetFileSecurity(Homepath, ..., security_descriptor);  -> panic

and finally came up with this solution

  CreateDirectory(HomePath, NULL);                   -> ok
  SetNamedSecurityInfo( );                           -> ok

Strange thing is that in all variants I start out with the same SECURITY_DESCRIPTOR structure.

Peter Rindfuss

[2008/10/19 19:23:44, 0] lib/fault.c:fault_report(40)
  ===
[2008/10/19 19:23:44, 0] lib/fault.c:fault_report(41)
  INTERNAL ERROR: Signal 11 in pid 5515 (3.2.4-0.1.130-1906-SUSE-SL11.0)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2008/10/19 19:23:44, 0] lib/fault.c:fault_report(43)
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2008/10/19 19:23:44, 0] lib/fault.c:fault_report(44)
  ===
[2008/10/19 19:23:44, 0] lib/util.c:smb_panic(1663)
  PANIC (pid 5515): internal error
[2008/10/19 19:23:44, 0] lib/util.c:log_stack_trace(1767)
  BACKTRACE: 18 stack frames:
   #0 /usr/sbin/smbd(log_stack_trace+0x1a) [0x7fb621ea]
   #1 /usr/sbin/smbd(smb_panic+0x1f) [0x7fb622bf]
   #2 /usr/sbin/smbd [0x7fb621feb000]
   #3 /lib64/libpthread.so.0 [0x7fb61fbb1b30]
   #4 /usr/sbin/smbd(sid_compare+0x28) [0x7fb621ff91d8]
   #5 /usr/sbin/smbd(add_sid_to_array_unique+0x4d) [0x7fb621ff98ad]
   #6 /usr/sbin/smbd(create_token_from_username+0x4a6) [0x7fb622045b56]
   #7 /usr/sbin/smbd(user_in_group_sid+0x5a) [0x7fb62204630a]
   #8 /usr/sbin/smbd [0x7fb621e7104e]
   #9 /usr/sbin/smbd(set_nt_acl+0xab5) [0x7fb621e76265]
   #10 /usr/sbin/smbd [0x7fb621e8ae01]
   #11 /usr/sbin/smbd [0x7fb621e31fbc]
   #12 /usr/sbin/smbd(reply_nttrans+0x75c) [0x7fb621e32f8c]
   #13 /usr/sbin/smbd [0x7fb621e788ce]
   #14 /usr/sbin/smbd(smbd_process+0x263) [0x7fb621e7ab93]
   #15 /usr/sbin/smbd(main+0x1fa2) [0x7fb6221f9ad2]
   #16 /lib64/libc.so.6(__libc_start_main+0xe6) [0x7fb61e173436]
   #17 /usr/sbin/smbd [0x7fb621e01aa9]
[2008/10/19 19:23:44, 0] lib/fault.c:dump_core(201)
  dumping core in /var/log/samba/cores/smbd
[Samba] BDC returning wrong Domain Group membership ?
Hi all, I have just noticed the following situation: Our NT4-style domain users are often (not always) seen by Windows XP as members of Domain Users and Domain Guests and Domain Admins and Domain Computers although they are definitely only members of "Domain Users". This gives us a security problem as "Domain Admins" become local Administrators. They are no real "Domain Admins", i.e. there is no problem for the domain functions.

Our environment is:
Samba 3.0.24 PDC (Suse Linux 10.0) [cannot upgrade at the moment]
Samba 3.2.1 BDC (Suse Linux 10.3)
Win XP Pro SP3 clients
Database on PDC and BDC is OpenLDAP (replication on BDC).

I could track this down to the following: If I turn off Samba on the BDC, everything (after logoff/logon) is ok. Analyses with "Wireshark" and "Process Monitor" show that only if a client retrieves information from the BDC, things go wrong. N.B. The same problem existed when the BDC was at Samba 3.0.26a.

Thanks in advance for ideas and help
Peter Rindfuss
[Samba] Bug in NetSessionEnum implementation ?
Hi Everybody, It seems that there is a bug in the implementation of the MS Windows API function NetSessionEnum. I am using Windows XP against a Samba 3.0.23d domain controller. When NetSessionEnum is successful it is supposed to return either NERR_Success (0) when it is finished or ERROR_MORE_DATA when there is more data outstanding. In my program which tries to retrieve all currently logged-on users from the domain controller, NetSessionEnum always returns NERR_Success, even if there is more data to come. NetSessionEnum returns data in chunks of 32 entries. So it pretends to be finished after the first 32 entries retrieved. I've developed a workaround for this, but I still think it is wrong. I'm not sure whether the bug is in Windows or in Samba, as I have no Windows based domain controller to test it. But I could imagine that the Samba server gives an incorrect response. BTW, the problem does not occur in my own program only, but can be reproduced in the computer management console of Windows XP like this: Open the computer management console, select Action->Connect to another computer, connect to the domain controller, click System Tools->Shared Folders->Sessions, and you will never see more than 32 entries, even if many more people are connected.

Best,
Peter Rindfuss
[Samba] 3.0.23c: cannot access LDAP when not root
Hi Everybody, I have set up a Samba 3.0.23c PDC with LDAP and ACLs on Suse 10.0. Things seem to work fine, but log.smbd gets filled with many

smbldap_open: cannot access LDAP when not root

messages whenever I move around on the mounted user share using Windows XP Explorer from a client computer. More precisely, whenever I move the cursor to a new subfolder in explorer, I get a new bunch of the above messages in log.smbd, the quantity apparently depending on the number of ACL entries for the folder. Any idea what could be wrong? Let me know if you need more information, smb.conf and extended logs.

TIA,
Peter Rindfuss
Wissenschaftszentrum Berlin fuer Sozialforschung (Social Science Research Center Berlin, Germany)
[Samba] Machine account question / unjoining a domain
Hi to all, When I join a machine to a Samba domain, a machine account is created in the Samba domain controller's database. When I unjoin a machine from a Samba domain, the machine account is not deleted, but remains in the PDC's database. Is that
- because I misconfigured something in smb.conf
- a script specified in my smb.conf is not working correctly
- by design.
If by design, is it
- by Microsoft design
- by Samba design
If it is by Samba design, why so ?

Best regards,
Peter Rindfuss
Re: [Samba] 'ldap machine suffix' is ignored?
I think I read somewhere that 'ldap machine suffix' is used only if winbindd is used as well.

Peter
--
Peter Rindfuss
Wissenschaftszentrum Berlin fuer Sozialforschung (Social Science Research Center Berlin, Germany)
email: [EMAIL PROTECTED]
phone: +49-30-25491-566
fax: +49-30-25491-558