VS: Default ACL dosn't work

2002-07-01 Thread Nieminen, Jooel

I've had the exact same problem.
there has been no way to set samba to use the rights.
only way around was to set inheritance on acl's and
permissions.
anyway, this does not prevent samba from setting itself
the file permissions.
it forces them to be owner, domain users, and everyone!
silly I say.
seems that the acl-code in samba is not really considered
as a solution but more as addin, sadly.
so can't have real NT connectivity on file-level yet with
samba.

cheers,
 Jooel



-Original Message-
From: alex [mailto:[EMAIL PROTECTED]]
Sent: 30 June 2002 0541
To: [EMAIL PROTECTED]
Subject: Fw: Default ACL dosn't work


 Hi,

I've a problem with the default ACL,  
 I'm using samba 2.2.3a and the latest XFS  ACL patch.
I set a default acl at console, it worked at local site, 
 I created a new file, and it inherited the default acl.
 
 But when I created a file from windows 2000, the file didn't
 use default acl.
 
 What's the problem? 
 
 Thanks!
 
 
 Alex
 




Re: Proposed patch for DNS and name resolution related problems inappliance branch

2002-07-01 Thread Simo Sorce

On Mon, 2002-07-01 at 03:55, Tim Potter wrote:

 I know Jeremy initially wasn't keen on the resolve/retry stuff going in
 to HEAD but maybe in the context of optimising name resolution he will
 change his mind.  (-:
 

I heartedly agree.
We need some kind of DNS caching both of positive and negative results.
Samba is yet overcomplicated sometimes due to stupid NetBIOS habits,
and adding mis-configured DNS headaches to administrator is just foul.

It would perhaps be very interesting though to make an independent module
that can be reused by other apps too, something like an advanced
resolver.
Only one thing, be sure not to cache which are DNS servers. I hate very
much applications (like galeon or mozilla) that do not mind checking if
resolv.conf has changed, and stop working when I move my notebook from a
network to another one, or when I connect to a different provider.

Simo.

-- 
Simo Sorce
--
Una scelta di liberta': Software Libero.
A choice of freedom: Free Software.
http://www.softwarelibero.it




RE: Proposed patch for DNS and name resolution related problems inappliance branch

2002-07-01 Thread Toomas Soome


Please keep in mind that there is ns cache on some platforms already
(solaris nscd etc), so this feature should be possible to be switched
off.

toomas 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]] On Behalf Of Simo Sorce
 Sent: Monday, July 01, 2002 11:03 AM
 To: Tim Potter
 Cc: [EMAIL PROTECTED]
 Subject: Re: Proposed patch for DNS and name resolution 
 related problems inappliance branch
 
 
 On Mon, 2002-07-01 at 03:55, Tim Potter wrote:
 
  I know Jeremy initially wasn't keen on the resolve/retry 
 stuff going 
  in to HEAD but maybe in the context of optimising name 
 resolution he 
  will change his mind.  (-:
  
 
 I heartedly agree.
 We need some kind of DNS caching both of positive and 
 negative results. Samba is yet overcomplicated sometimes due 
 to stupid NetBIOS habits, and adding mis-configured DNS 
 headaches to administrator is just foul.
 
 It would perhaps be very interesting though to make an 
 independent module that can be reused by other apps too, 
 something like an advanced resolver. Only one thing, be sure 
 not to cache which are DNS servers. I hate very much 
 applications (like galeon or mozilla) that do not mind 
 checking if resolv.conf has changed, and stop working when I 
 move my notebook from a network to another one, or when I 
 connect to a different provider.
 
 Simo.
 
 -- 
 Simo Sorce
 --
 Una scelta di liberta': Software Libero.
 A choice of freedom: Free Software. http://www.softwarelibero.it
 





VS: Default ACL dosn't work

2002-07-01 Thread Nieminen, Jooel

I'm using bestbits ACL-patch too.
got exhausted with the xfs.

about samba picking the acl, yes it did pick it up.

there is no other problem than making the default work.
even if I manually locally make some domain group to be the
default instead of domain users samba sets it to be domain users
next time I create or copy a file there.
if I then try to remove the domain users after added domain admins
and some other groups, I get access denied.

so, should it work or is this in-design flaw?

Jooel




-Original Message-
From: Noel Kelly [mailto:[EMAIL PROTECTED]]
Sent: 1 July 2002 1056
To: 'Nieminen, Jooel'; [EMAIL PROTECTED]
Subject: RE: Default ACL dosn't work


I had the default ACLs working fine with Samba - but I was using the ACL
patches from bestbits not XFS.

I tried XFS also but had a lot of problems creating a default ACL at all!
Eventual solution was to upgrade the ACL utilities to the latest version but
after I also had some disk corruption with XFS my enthusiasm for it waned
and I am back with EXT2/3.

Did you check that Samba had picked up the ACLs in the filesystem during the
configure?  I seem to remember that Samba does not pick XFS ACLs up if you
compile --with-pam?  Can you add multiple ACLs to a directory/file but find
it is only the default ACLs which don't work?

Noel

-Original Message-
From: Nieminen, Jooel [mailto:[EMAIL PROTECTED]]
Sent: 01 July 2002 07:11
To: [EMAIL PROTECTED]
Subject: VS: Default ACL dosn't work


I've had the exact same problem.
there has been no way to set samba to use the rights.
only way around was to set inheritance on acl's and
permissions.
anyway, this does not prevent samba from setting itself
the file permissions.
it forces them to be owner, domain users, and everyone!
silly I say.
seems that the acl-code in samba is not really considered
as a solution but more as addin, sadly.
so can't have real NT connectivity on file-level yet with
samba.

cheers,
 Jooel



-Original Message-
From: alex [mailto:[EMAIL PROTECTED]]
Sent: 30 June 2002 0541
To: [EMAIL PROTECTED]
Subject: Fw: Default ACL dosn't work


 Hi,

I've a problem with the default ACL,  
 I'm using samba 2.2.3a and the latest XFS  ACL patch.
I set a default acl at console, it worked at local site, 
 I created a new file, and it inherited the default acl.
 
 But when I created a file from windows 2000, the file didn't
 use default acl.
 
 What's the problem? 
 
 Thanks!
 
 
 Alex
 

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.372 / Virus Database: 207 - Release Date: 20/06/2002
 

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.372 / Virus Database: 207 - Release Date: 20/06/2002
 




Re: smbd

2002-07-01 Thread David Lee

On Fri, 28 Jun 2002, Lupscha, Franc (AU - Sydney) wrote:

 I am running Samba 2.2.2 on SUN SPARC Solaris 8 (feb 2002) with all the
 latest patches.
 Samba appears to be running fine except that I get the following appearing
 in the log.smbd file .
 
   yield_connection: tdb_delete for name  failed with error Record does not
 exist. 
 
 Is this normal or is this a bug ?

I, too have seen that.  I don't recall whether it is normal or a bug.

But I do know that the early Samba 2.2.x (including 2.2.2) and Solaris
were not the happiest of companions, and I would strongly urge you to
migrate to a later release of Samba.  (My direct experience was that
2.2.3a was much better than 2.2.2;  I have heard that even this and 2.2.4
still had occasional problems under Solaris.  Not heard anything bad about
2.2.5/Solaris.)  So I'd suggest that you investigate 2.2.5 .

Hope that helps.

-- 

:  David Lee                                I.T. Service  :
:  Systems Programmer                    Computer Centre  :
:                                   University of Durham  :
:  http://www.dur.ac.uk/t.d.lee/              South Road  :
:                                                 Durham  :
:  Phone: +44 191 374 2882                          U.K.  :





Samba and Netatalk

2002-07-01 Thread Max Bidlingmaier

Hi!

I've got a Problem with the interaction between Samba and Netatalk. I 
compiled Samba with the --with_netatalk option for configure. I thought it 
should create the correct files in .AppleDouble but it doesn't.

Can anybody help me with this?

greets
max bidlingmaier




RE: (no subject)

2002-07-01 Thread Simo Sorce

On Mon, 2002-07-01 at 11:42, Ulf Bertilsson wrote:
 A dummy desktop.ini and some generic cached fileid to show
 fancy icons would be nice, but break stuff.

I would not make that.

 
 Then my os allow many strange filenames, how should that be dealt with ?

We check if the filename is OK (do not have invalid characters) yet, if
so we mangle it, but this is an O(n) operation.

-- 
Simo Sorce
--
Una scelta di liberta': Software Libero.
A choice of freedom: Free Software.
http://www.softwarelibero.it




Smbpasswd

2002-07-01 Thread kelvin

Hi,

I am in the process of transferring my samba users (around 150) from a
Redhat6.1 server to a new Redhat7.3 server. I have successfully transferred
the smbusers file to the new 7.3 server. I have also transferred over the
passwd file, group file and shadow file over successfully. Now, my users are
not able to access their 'home' drive from their pcs. In the previous 6.1
server, I have synchronized all of their password together with
smbpassword. Can you help?
Thanks.

Kelvin





Re: Smbpasswd

2002-07-01 Thread Simo Sorce

Have you transferred also the (/etc[/samba/]/)smbpasswd file?
Is it a domain? In this case have you copied over MACHINE.SID /
secrets.tdb files?

On Mon, 2002-07-01 at 14:04, kelvin wrote:
 Hi,
 
 I am in the process of transferring my samba users (around 150) from a
 Redhat6.1 server to a new Redhat7.3 server. I have successfully transferred
 the smbusers file to the new 7.3 server. I have also transferred over the
 passwd file, group file and shadow file over successfully. Now, my users are
 not able to access their 'home' drive from their pcs. In the previous 6.1
 server, I have synchronized all of their password together with
 smbpassword. Can you help?
 Thanks.
 
 Kelvin
 
 
-- 
Simo Sorce
--
Una scelta di liberta': Software Libero.
A choice of freedom: Free Software.
http://www.softwarelibero.it




sessionid.tdb missing after build and client read failutre

2002-07-01 Thread David Shapiro

Hello,

The latest samba head as of 6/30/02 seems to not provide sessionid.tdb and
gives me the following errors: 

I see this information in the log:

6/28 16:35:59, 3] nsswitch/winbindd_misc.c:winbindd_check_machine_acct(91)
  secret is good
[2002/06/28 16:35:59, 5]
nsswitch/winbindd_misc.c:winbindd_check_machine_acct(100)
  Checking the trust account password returned NT_STATUS_OK
[2002/06/28 16:35:59, 10] nsswitch/winbindd.c:client_write(456)
  client_write: wrote 1300 bytes.
[2002/06/28 16:35:59, 10] nsswitch/winbindd.c:winbind_client_read(408)
  client_read: read 0 bytes. Need 1304 more for a full request.
[2002/06/28 16:35:59, 5] nsswitch/winbindd.c:winbind_client_read(415)
  read failed on sock 13, pid 1002: EOF

It is a little confusing.  It says secret is good in the log, but it has
some error about not reading enough bytes and a sock 13 error.  

In addition, which may be related to the above, it looks for davidsha
instead of INS+DavidSha even though smb.conf has it set to not have the
server in INS by default.


David E. Shapiro
Senior Unix Admin
BTi - the future of communications
4300 Six Forks Road, Raleigh, NC 27609





RE: Proposed patch for DNS and name resolution related problemsinappliance branch

2002-07-01 Thread Mike Gerdts

On Mon, 2002-07-01 at 04:37, Toomas Soome wrote:
 
 Please keep in mind that there is ns cache on some platforms already
 (solaris nscd etc), so this feature should be possible to be switched
 off.
 
 toomas 

nscd only comes into play when get*by*() routines (e.g. gethostbyname())
are used.  If you bypass the name service switch by calling res_*(),
nscd does not cache the info.  I think that it is safe to say that if
you link against libresolv, you will be bypassing nscd.

But... that begs the question, why not just use gethostbyname()?  This
way it will get resolved out of /etc/hosts, NIS, LDAP, DNS, etc., and
nscd will take care of it.  nscd exists on Solaris, Linux, and should be
available anywhere else that glibc works.

Mike





RE: Proposed patch for DNS and name resolution related problemsinappliance branch

2002-07-01 Thread Mike Gerdts

On Mon, 2002-07-01 at 09:38, Mike Gerdts wrote:
 But... that begs the question, why not just use gethostbyname()?  This
 way it will get resolved out of /etc/hosts, NIS, LDAP, DNS, etc., and
 nscd will take care of it.  nscd exists on Solaris, Linux, and should be
 available anywhere else that glibc works.

Oh, yeah.. the problem was that DNS timeouts took too long.  It looks as
though this has already been addressed in /etc/resolv.conf:

 options  Allows certain internal resolver variables to be modified.  The
          syntax is
                 options option ...
          where option is one of the following:

          [items removed]

          timeout:n
                 sets the amount of time the resolver will wait for a
                 response from a remote name server before retrying the
                 query via a different name server.  Measured in seconds,
                 the default is RES_TIMEOUT (see resolv.h).

          attempts:n
                 sets the number of times the resolver will send a
                 query to its name servers before giving up and returning
                 an error to the calling application.  The default
                 is RES_DFLRETRY (see resolv.h).

Mike





NT permissions

2002-07-01 Thread guy roussin

[Sorry, I posted this message on samba list last week but without success]

Hello,

I try to use NT permissions on 2 Sun Solaris with ACL and samba 2.2.5. I configure
samba --with-acl.
I can modify permissions on the PDC (security = USER). But on the other one (XYZ)
(security = SERVER and password server = PDC) I get an error message when I click
on the ADD button (property of a file/Security): The selector of object cannot be 
opened because it cannot determine if XYZ belongs to a domain (sorry, bad translation
from win2k-french message)

Thanks for any hints.

Guy Roussin


--French version (translated to English)
Hello,

I would like to use Windows NT permission support on Windows shares
hosted on 2 Solaris 8 stations, using ACLs and samba 2.2.5.
I configure samba with the --with-acl option before compiling, installing, ...

I can get this feature working without any problem if the Solaris station
hosting the shares whose permissions I want to manage is the PDC (security = USER in
smb.conf). However, on the non-PDC station (security = SERVER), which uses the
PDC station (password server = PDC) for authentication, I get an error message when
I try to add Windows permissions on the shares of this non-PDC station: The
Object Selector cannot be opened because it cannot determine whether 'non-PDC'
belongs to a domain.
Apparently a problem authenticating this machine to the domain?
I tried to authenticate this station with a method comparable to what is done
for WinNT/2K machines, but without success (useradd ... non-PDC$ then smbpasswd -a -m non-PDC ).
Nothing works.
Can anyone give me a lead?
Thank you very much.

-- 
Guy Roussin




RE: Samba and Netatalk

2002-07-01 Thread Esh, Andrew





Last time I looked at that code (two weeks ago?) in the 2.2 branch, it wasn't being called anywhere.


-Original Message-
From: Max Bidlingmaier [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 01, 2002 5:30 AM
To: [EMAIL PROTECTED]
Subject: Samba and Netatalk



Hi!


I've got a Problem with the interaction between Samba and Netatalk. I 
compiled Samba with the --with_netatalk option for configure. I thought it 
should create the correct files in .AppleDouble but it doesn't.


Can anybody help me with this?


greets
max bidlingmaier





Re: sessionid.tdb missing after build and client read failutre

2002-07-01 Thread Richard Sharpe

On Mon, 1 Jul 2002, David Shapiro wrote:

 Hello,
 
 The latest samba head as of 6/30/02 seems to not provide sessionid.tdb and
 gives me the following errors: 
 
 I see this information in the log:
 
 6/28 16:35:59, 3] nsswitch/winbindd_misc.c:winbindd_check_machine_acct(91)
   secret is good
 [2002/06/28 16:35:59, 5]
 nsswitch/winbindd_misc.c:winbindd_check_machine_acct(100)
   Checking the trust account password returned NT_STATUS_OK
 [2002/06/28 16:35:59, 10] nsswitch/winbindd.c:client_write(456)
   client_write: wrote 1300 bytes.
 [2002/06/28 16:35:59, 10] nsswitch/winbindd.c:winbind_client_read(408)
   client_read: read 0 bytes. Need 1304 more for a full request.
 [2002/06/28 16:35:59, 5] nsswitch/winbindd.c:winbind_client_read(415)
   read failed on sock 13, pid 1002: EOF
 
 It is a little confusing.  It says secret is good in the log, but it has
 some error about not reading enough bytes and a sock 13 error.  

This just means that the client of winbindd closed the socket/whatever and 
stopped talking to winbindd.
 
 In addition, which may be related to the above, it looks for davidsha
 instead of INS+DavidSha even though smb.conf has it set to not have the
 server in INS by default.
 
 
 David E. Shapiro
 Senior Unix Admin
 BTi - the future of communications
 4300 Six Forks Road, Raleigh, NC 27609
 
 

-- 
Regards
-
Richard Sharpe, [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED]





RE: (no subject)

2002-07-01 Thread Ulf Bertilsson

 On Mon, 2002-07-01 at 11:42, Ulf Bertilsson wrote:
  A dummy desktop.ini and some generic cached fileid to show
  fancy icons would be nice, but break stuff.
 
 I would not make that.

I know, it don't make sense but the idea would provide great
performance.
Like, my os don't multiuser filesystem (builtin that is)

Why should we waste IO to try emulate unix rights
when we could just give an mask ?

NT also do this crazy file IO, why not just feed it some generic stuff
to keep it happy.
My OS don't support half of its operands anyway.

Not to mention the file examination explorer do.

Isn't the .icon stuff stored in the PX exe file resource ?

(Ages since I played with it)

  Then my os allow many strange filenames, how should that be 
 dealt with ?
 
 We check if the filename is OK (do not have invalid characters) yet, if
 so we mangle it, but this is an O(n) operation.

What would the correct way be here.
Bear in mind that there are more non-POSIX platforms out there.

An basic open() on the file first for sanity check ?

--
Ulf




[Security Problem] --with-tdbsam

2002-07-01 Thread Yasuma Takeda


In Samba-JP, buffer overflow problem was reported.

If samba is configured with --with-tdbsam, init_sam_from_buffer function
contains a buffer overflow vulnerability.

In a certain case, user can use this vulnerability by changing his password.

Please examine this security problem and take measures to be necessary.

vulnerable version
2.2.3, 2.2.3a, 2.2.4, 2.2.5

-- CUT HERE ---
diff -uNr samba-2.2.5.orig/source/passdb/pdb_tdb.c samba-2.2.5/source/passdb/pdb_tdb.c
--- samba-2.2.5.orig/source/passdb/pdb_tdb.cFri May  3 10:03:27 2002
+++ samba-2.2.5/source/passdb/pdb_tdb.c Mon Jul  1 18:58:05 2002
 -81,6 +81,7 
static uint8*lm_pw_ptr, *nt_pw_ptr;
uint32  len = 0;
uint32  lmpwlen, ntpwlen, hourslen;
+   pstring cvt_buf;
BOOL ret = True;
BOOL setflag;
struct passwd *pw;
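Review bot: the new `pstring cvt_buf;` declaration has no comment saying what it is for, yet the later hunks reuse it as the scratch buffer for four different fields. A one-line comment stating that it holds one expanded logon string at a time, and that every use must start with a fresh pstrcpy(), would keep a later edit from reading contents left over from the previous field.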
 -160,9 +161,10 
if (homedir) setflag = True;
else {
setflag = False;
-   homedir = strdup(lp_logon_home());
+   pstrcpy(cvt_buf, lp_logon_home());
+   standard_sub_advanced(-1, username, , gid, cvt_buf);
+   homedir = strdup(cvt_buf);
if(!homedir) { ret = False; goto done; }
-   standard_sub_advanced(-1, username, , gid, homedir);
DEBUG(5,(Home directory set back to %s\n, homedir));
}
pdb_set_homedir(sampass, homedir, setflag);
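Review bot: in the homedir branch the standard_sub_advanced() call still receives no length for its last argument, so the fix holds only if that function never writes more than a pstring's worth of bytes into the buffer it is given. Please state that contract in a comment at the call site, or confirm it in the callee, before this is applied. The reordering itself is the right shape: expanding in cvt_buf and calling strdup() afterwards sizes the heap copy for the expanded string instead of for the unexpanded template.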
 -170,9 +172,10 
if (dir_drive) setflag = True;
else {
setflag = False;
-   dir_drive = strdup(lp_logon_drive());
+   pstrcpy(cvt_buf, lp_logon_drive());
+   standard_sub_advanced(-1, username, , gid, cvt_buf);
+   dir_drive = strdup(cvt_buf);
if(!dir_drive) { ret = False; goto done; }
-   standard_sub_advanced(-1, username, , gid, dir_drive);
DEBUG(5,(Home directory set back to %s\n, dir_drive));
}
pdb_set_dir_drive(sampass, dir_drive, setflag);
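Review bot: the DEBUG line kept as context in the dir_drive branch still prints "Home directory set back to", which was copied from the homedir branch. Since this block is being touched anyway, change the text to name the logon drive so a level 5 log does not report the wrong field.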
 -180,9 +183,10 
if (logon_script) setflag = True;
else {
setflag = False;
-   logon_script = strdup(lp_logon_script());
+   pstrcpy(cvt_buf, lp_logon_script());
+   standard_sub_advanced(-1, username, , gid, cvt_buf);
+   logon_script = strdup(cvt_buf);
if(!logon_script) { ret = False; goto done; }
-   standard_sub_advanced(-1, username, , gid, logon_script);
DEBUG(5,(Home directory set back to %s\n, logon_script));
}
pdb_set_logon_script(sampass, logon_script, setflag);
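Review bot: the logon_script branch is the third copy of the same pstrcpy / standard_sub_advanced / strdup sequence, differing only in the lp_logon_*() source and the destination pointer. A small static helper that takes the template string and returns the strdup'd expansion would remove the repetition and leave a single place where the buffer handling has to be correct.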
 -190,9 +194,10 
if (profile_path) setflag = True;
else {
setflag = False;
-   profile_path = strdup(lp_logon_path());
+   pstrcpy(cvt_buf, lp_logon_path());
+   standard_sub_advanced(-1, username, , gid, cvt_buf);
+   profile_path = strdup(cvt_buf);
if(!profile_path) { ret = False; goto done; }
-   standard_sub_advanced(-1, username, , gid, profile_path);
DEBUG(5,(Home directory set back to %s\n, profile_path));
}
pdb_set_profile_path(sampass, profile_path, setflag);
- END 


Regards,
Yasuma Takeda
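
Added example, not part of the original post and not Samba code: the sizing problem the patch addresses, reduced to a stand-alone C program. `expand_user()` is a hypothetical, bounded stand-in for `standard_sub_advanced()`, `SCRATCH_LEN` is an assumed size playing the role of a `pstring`, and the paths are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SCRATCH_LEN 1024   /* assumed size; plays the role of Samba's pstring */

/* Portable equivalent of strdup(). */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d)
        memcpy(d, s, n);
    return d;
}

/* Hypothetical stand-in for standard_sub_advanced(): replaces every "%U" in
 * buf with user, in place. Unlike the call in the patch it is told how large
 * buf is, and returns -1 (buf untouched) when the expansion would not fit. */
static int expand_user(char *buf, size_t buflen, const char *user)
{
    char out[SCRATCH_LEN];
    size_t o = 0, ulen = strlen(user);
    const char *p = buf;

    if (buflen == 0)
        return -1;
    if (buflen > sizeof(out))
        buflen = sizeof(out);
    while (*p) {
        if (p[0] == '%' && p[1] == 'U') {
            if (o + ulen >= buflen)      /* keep one byte for the NUL */
                return -1;
            memcpy(out + o, user, ulen);
            o += ulen;
            p += 2;
        } else {
            if (o + 1 >= buflen)
                return -1;
            out[o++] = *p++;
        }
    }
    out[o] = '\0';
    memcpy(buf, out, o + 1);
    return 0;
}

/* BEFORE (shape of the '-' lines): duplicate the template, then expand inside
 * the duplicate. The duplicate holds strlen(tmpl)+1 bytes, so an expansion
 * longer than the template has nowhere to go. The bounded expander reports
 * that as an error; an unbounded one would write past the allocation. */
static char *expand_before(const char *tmpl, const char *user)
{
    char *s = dup_str(tmpl);
    if (!s)
        return NULL;
    if (expand_user(s, strlen(tmpl) + 1, user) != 0) {
        free(s);
        return NULL;
    }
    return s;
}

/* AFTER (shape of the '+' lines): expand in a fixed-size scratch buffer, then
 * duplicate the result so the heap copy is sized for the expanded text. */
static char *expand_after(const char *tmpl, const char *user)
{
    char scratch[SCRATCH_LEN];

    if (strlen(tmpl) >= sizeof(scratch))
        return NULL;
    strcpy(scratch, tmpl);
    if (expand_user(scratch, sizeof(scratch), user) != 0)
        return NULL;
    return dup_str(scratch);
}

int main(void)
{
    const char *tmpl = "\\\\srv\\%U\\profile";   /* constructed logon path */
    char *before = expand_before(tmpl, "alice");
    char *after = expand_after(tmpl, "alice");

    printf("before: %s\n", before ? before : "(expansion does not fit)");
    printf("after:  %s\n", after ? after : "(expansion does not fit)");
    free(before);
    free(after);
    return 0;
}
```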





RE: sessionid.tdb missing after build and client read failutre

2002-07-01 Thread David Shapiro

Thanks.  Any idea on why wbinfo -t fails?  Is it related to sessionid.tdb
missing?  How do I get this file?  I did remove myself from INS domain and
rejoined again.

David

-Original Message-
From: Richard Sharpe [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 01, 2002 12:08 PM
To: David Shapiro
Cc: '[EMAIL PROTECTED]'
Subject: Re: sessionid.tdb missing after build and client read failutre


On Mon, 1 Jul 2002, David Shapiro wrote:

 Hello,
 
 The latest samba head as of 6/30/02 seems to not provide sessionid.tdb and
 gives me the following errors: 
 
 I see this information in the log:
 
 6/28 16:35:59, 3] nsswitch/winbindd_misc.c:winbindd_check_machine_acct(91)
   secret is good
 [2002/06/28 16:35:59, 5]
 nsswitch/winbindd_misc.c:winbindd_check_machine_acct(100)
   Checking the trust account password returned NT_STATUS_OK
 [2002/06/28 16:35:59, 10] nsswitch/winbindd.c:client_write(456)
   client_write: wrote 1300 bytes.
 [2002/06/28 16:35:59, 10] nsswitch/winbindd.c:winbind_client_read(408)
   client_read: read 0 bytes. Need 1304 more for a full request.
 [2002/06/28 16:35:59, 5] nsswitch/winbindd.c:winbind_client_read(415)
   read failed on sock 13, pid 1002: EOF
 
 It is a little confusing.  It says secret is good in the log, but it has
 some error about not reading enough bytes and a sock 13 error.  

This just means that the client of winbindd closed the socket/whatever and 
stopped talking to winbindd.
 
 In addition, which may be related to the above, it looks for davidsha
 instead of INS+DavidSha even though smb.conf has it set to not have the
 server in INS by default.
 
 
 David E. Shapiro
 Senior Unix Admin
 BTi - the future of communications
 4300 Six Forks Road, Raleigh, NC 27609
 
 

-- 
Regards
-
Richard Sharpe, [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED]




RE: Default ACL dosn't work

2002-07-01 Thread Noel Kelly

yes i can see what you are getting at.  we got around the group assignment
by using the 'force group' parameter but this is more of a work around than
a true ACL interpretation.

-Original Message-
From: Nieminen, Jooel [mailto:[EMAIL PROTECTED]]
Sent: 01 July 2002 09:46
To: Noel Kelly; [EMAIL PROTECTED]
Subject: VS: Default ACL dosn't work


I'm using bestbits ACL-patch too.
got exhausted with the xfs.

about samba picking the acl, yes it did pick it up.

there is no other problem than making the default work.
even if I manually locally make some domain group to be the
default instead of domain users samba sets it to be domain users
next time I create or copy a file there.
if I then try to remove the domain users after added domain admins
and some other groups, I get access denied.

so, should it work or is this in-design flaw?

Jooel




-Original Message-
From: Noel Kelly [mailto:[EMAIL PROTECTED]]
Sent: 1 July 2002 1056
To: 'Nieminen, Jooel'; [EMAIL PROTECTED]
Subject: RE: Default ACL dosn't work


I had the default ACLs working fine with Samba - but I was using the ACL
patches from bestbits not XFS.

I tried XFS also but had a lot of problems creating a default ACL at all!
Eventual solution was to upgrade the ACL utilities to the latest version but
after I also had some disk corruption with XFS my enthusiasm for it waned
and I am back with EXT2/3.

Did you check that Samba had picked up the ACLs in the filesystem during the
configure?  I seem to remember that Samba does not pick XFS ACLs up if you
compile --with-pam?  Can you add multiple ACLs to a directory/file but find
it is only the default ACLs which don't work?

Noel

-Original Message-
From: Nieminen, Jooel [mailto:[EMAIL PROTECTED]]
Sent: 01 July 2002 07:11
To: [EMAIL PROTECTED]
Subject: VS: Default ACL dosn't work


I've had the exact same problem.
there has been no way to set samba to use the rights.
only way around was to set inheritance on acl's and
permissions.
anyway, this does not prevent samba from setting itself
the file permissions.
it forces them to be owner, domain users, and everyone!
silly I say.
seems that the acl-code in samba is not really considered
as a solution but more as addin, sadly.
so can't have real NT connectivity on file-level yet with
samba.

cheers,
 Jooel



-Original Message-
From: alex [mailto:[EMAIL PROTECTED]]
Sent: 30 June 2002 0541
To: [EMAIL PROTECTED]
Subject: Fw: Default ACL dosn't work


 Hi,

I've a problem with the default ACL,  
 I'm using samba 2.2.3a and the latest XFS  ACL patch.
I set a default acl at console, it worked at local site, 
 I created a new file, and it inherited the default acl.
 
 But when I created a file from windows 2000, the file didn't
 use default acl.
 
 What's the problem? 
 
 Thanks!
 
 
 Alex
 





RE: sessionid.tdb missing after build and client read failutre

2002-07-01 Thread Richard Sharpe

On Mon, 1 Jul 2002, David Shapiro wrote:

 Thanks.  Any idea on why wbinfo -t fails?  Is it related to sessionid.tdb
 missing?  How do I get this file?  I did remove myself from INS domain and
 rejoined again.

Typically that fails because you have not joined the domain properly, or 
you cannot connect to the DC (ie, name lookup fails).
 
 David
 
 -Original Message-
 From: Richard Sharpe [mailto:[EMAIL PROTECTED]]
 Sent: Monday, July 01, 2002 12:08 PM
 To: David Shapiro
 Cc: '[EMAIL PROTECTED]'
 Subject: Re: sessionid.tdb missing after build and client read failutre
 
 
 On Mon, 1 Jul 2002, David Shapiro wrote:
 
  Hello,
  
  The latest samba head as of 6/30/02 seems to not provide sessionid.tdb and
  gives me the following errors: 
  
  I see this information in the log:
  
  6/28 16:35:59, 3] nsswitch/winbindd_misc.c:winbindd_check_machine_acct(91)
secret is good
  [2002/06/28 16:35:59, 5]
  nsswitch/winbindd_misc.c:winbindd_check_machine_acct(100)
Checking the trust account password returned NT_STATUS_OK
  [2002/06/28 16:35:59, 10] nsswitch/winbindd.c:client_write(456)
client_write: wrote 1300 bytes.
  [2002/06/28 16:35:59, 10] nsswitch/winbindd.c:winbind_client_read(408)
client_read: read 0 bytes. Need 1304 more for a full request.
  [2002/06/28 16:35:59, 5] nsswitch/winbindd.c:winbind_client_read(415)
read failed on sock 13, pid 1002: EOF
  
  It is a little confusing.  It says secret is good in the log, but it has
  some error about not reading enough bytes and a sock 13 error.  
 
 This just means that the client of winbindd closed the socket/whatever and 
 stopped talking to winbindd.
  
  In addition, which may be related to the above, it looks for davidsha
  instead of INS+DavidSha even though smb.conf has it set to not have the
  server in INS by default.
  
  
  David E. Shapiro
  Senior Unix Admin
  BTi - the future of communications
  4300 Six Forks Road, Raleigh, NC 27609
  
  
 
 

-- 
Regards
-
Richard Sharpe, [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED]





Re: [Security Problem] --with-tdbsam

2002-07-01 Thread Jeremy Allison

On Mon, Jul 01, 2002 at 09:39:46PM +0900, Yasuma Takeda wrote:
 
 In Samba-JP, buffer overflow problem was reported.
 
 If samba is configured with --with-tdbsam, init_sam_from_buffer function
 contains a buffer overflow vulnerability.
 
 In a certain case, user can use this vulnerability by changing his password.
 
 Please examine this security problem and take measures to be necessary.

Can you send more details please to [EMAIL PROTECTED], and CC:
[EMAIL PROTECTED]

I don't immediately see the problem this patch is fixing and need to
understand it before I can apply it.

Thanks for pointing this out,

Jeremy.




Re: [Security Problem] --with-tdbsam

2002-07-01 Thread Jeremy Allison

On Mon, Jul 01, 2002 at 02:08:03PM -0700, Jeremy Allison wrote:
 
 Can you send more details please to [EMAIL PROTECTED], and CC:
 [EMAIL PROTECTED]
 
 I don't immediately see the problem this patch is fixing and need to
 understand it before I can apply it.

Never mind - I see the problem now. Thanks !

Jeremy.




Re: [Security Problem] --with-tdbsam

2002-07-01 Thread Tim Potter

On Mon, Jul 01, 2002 at 03:27:02PM -0700, Jeremy Allison wrote:

  Please examine this security problem and take measures to be necessary.
 
 Ok - in conversation with tridge we don't think this is an exploitable
 hole. If you believe otherwise can you please mail [EMAIL PROTECTED]
 with full exploit details.

The address is actually [EMAIL PROTECTED]


Tim.




Re: Proposed patch for DNS and name resolution related problems in appliance branch

2002-07-01 Thread Tim Potter

OK I've been working at this a bit more and have come up with some
performance modifications:

  - Only cache the #1b and #1c names for a very short period of time
(say 10 seconds) as these names can change quickly especially if
they are stored on a WINS server.

  - If a cli_connect() fails to a name, clear the cache entry for that
name.  We don't want to have multiple tries connecting to a cached
name that doesn't work.


Tim.
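
Added example, not code from the proposed patch or from Samba: the two cache rules in the message above as a small stand-alone C cache. The 10 second lifetime for #1b/#1c names comes from the post; `TTL_DEFAULT`, the table size, all `nc_*` names and the host names and addresses in `main()` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define NC_SLOTS     32
#define NC_NAME_LEN  16     /* 15-character NetBIOS name plus NUL */
#define TTL_VOLATILE 10     /* #1b/#1c names: "say 10 seconds", from the post */
#define TTL_DEFAULT  600    /* all other name types: assumed value */

struct nc_entry {
    char          name[NC_NAME_LEN];
    int           type;      /* NetBIOS name type, e.g. 0x20, 0x1b, 0x1c */
    unsigned long addr;      /* cached IPv4 address */
    time_t        expires;   /* absolute time at which the entry is dead */
    int           used;
};

static struct nc_entry nc_table[NC_SLOTS];

static struct nc_entry *nc_find(const char *name, int type)
{
    int i;
    for (i = 0; i < NC_SLOTS; i++)
        if (nc_table[i].used && nc_table[i].type == type &&
            strcmp(nc_table[i].name, name) == 0)
            return &nc_table[i];
    return NULL;
}

/* Cache a successful resolution. Returns 0, or -1 if it cannot be stored. */
int nc_store(const char *name, int type, unsigned long addr, time_t now)
{
    struct nc_entry *e;
    int i;

    if (strlen(name) >= NC_NAME_LEN)
        return -1;
    e = nc_find(name, type);
    for (i = 0; !e && i < NC_SLOTS; i++)     /* reuse a free or expired slot */
        if (!nc_table[i].used || nc_table[i].expires <= now)
            e = &nc_table[i];
    if (!e)
        return -1;                           /* table full of live entries */
    strcpy(e->name, name);
    e->type = type;
    e->addr = addr;
    e->expires = now + ((type == 0x1b || type == 0x1c) ? TTL_VOLATILE
                                                       : TTL_DEFAULT);
    e->used = 1;
    return 0;
}

/* Returns 1 and fills *addr on a live hit; 0 on a miss or an expired entry. */
int nc_lookup(const char *name, int type, time_t now, unsigned long *addr)
{
    struct nc_entry *e = nc_find(name, type);

    if (!e)
        return 0;
    if (e->expires <= now) {     /* stale: drop it so the caller re-resolves */
        e->used = 0;
        return 0;
    }
    *addr = e->addr;
    return 1;
}

/* Call when connecting to the cached address fails (the cli_connect() case
 * in the post): forget the entry so the next attempt does a fresh lookup. */
void nc_connect_failed(const char *name, int type)
{
    struct nc_entry *e = nc_find(name, type);

    if (e)
        e->used = 0;
}

int main(void)
{
    unsigned long addr = 0;
    time_t t0 = 1000;            /* constructed clock value */

    nc_store("WORKGRP", 0x1b, 0x0a000001UL, t0);   /* constructed entries */
    nc_store("FILESRV", 0x20, 0x0a000005UL, t0);
    printf("WORKGRP#1b after 5s:  %d\n", nc_lookup("WORKGRP", 0x1b, t0 + 5, &addr));
    printf("WORKGRP#1b after 15s: %d\n", nc_lookup("WORKGRP", 0x1b, t0 + 15, &addr));
    nc_connect_failed("FILESRV", 0x20);
    printf("FILESRV#20 after failed connect: %d\n",
           nc_lookup("FILESRV", 0x20, t0 + 1, &addr));
    return 0;
}
```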