Re: smb_retry always show on console

2002-07-18 Thread Urban Widmark

On Wed, 17 Jul 2002 [EMAIL PROTECTED] wrote:

> My console always shows the following message:
>
> smb_retry: signal failed, error=-3
>
> Is the error generated by Samba or my Linux?

It's generated by smbfs (linux) and means that smbmount has terminated
unexpectedly.

To find the reason of that try specifying a higher debug level when
mounting (try: debug=4) and see if you get anything useful written to
smbmount.log (where the rest of the samba logfiles are).

/Urban





user password expiration patch (Samba 2.2.4/2.2.5 PDC with LDAP)

2002-07-18 Thread Marcus Linke

the following problem occurs when using samba 2.2.4 or 2.2.5 with ldap 
support as PDC:

any time a user logs on he is asked to change his/her password.
whether he changes it or not he will be asked again next time he logs on.
this is annoying.

the reason is that the LDAP attribute 'pwdMustChange' is not updated at all.
the easiest way to solve this is to set the attribute to the highest possible
value so the user will never be asked.

maybe a better solution is a new smb.conf parameter, for example 'user
password expiration', that describes the time a new user password is valid.
to handle this new option we have patched the related files.

this patch has already been sent to [EMAIL PROTECTED] but was probably
deleted. maybe there was a problem with our mail or the jitterbug system.

it would be nice to integrate this patch into the official samba release, because we
need this functionality here at our university.

any suggestions?

diff -ur --new-file samba.org/source/param/loadparm.c 
samba-2.2.4/source/param/loadparm.c
--- samba.org/source/param/loadparm.c   Fri May  3 03:03:25 2002
+++ samba-2.2.4/source/param/loadparm.c Thu Jun  6 16:49:53 2002
@@ -204,6 +204,7 @@
int client_code_page;
int announce_as;/* This is initialised in init_globals */
int machine_password_timeout;
+   int user_password_expiration;
int change_notify_timeout;
int stat_cache_size;
int map_to_guest;
@@ -953,6 +954,8 @@
 #endif /* USING_GROUPNAME_MAP */

{machine password timeout, P_INTEGER, P_GLOBAL, 
Globals.machine_password_timeout, NULL, NULL, 0},
+   
+   {user password expiration, P_INTEGER, P_GLOBAL, 
Globals.user_password_expiration, NULL, NULL, 0},
 
{Logon Options, P_SEP, P_SEPARATOR},

@@ -1327,6 +1330,7 @@
Globals.max_wins_ttl = 60 * 60 * 24 * 6;/* 6 days default. */
Globals.min_wins_ttl = 60 * 60 * 6; /* 6 hours default. */
Globals.machine_password_timeout = 60 * 60 * 24 * 7;/* 7 days default. */
+   Globals.user_password_expiration = 60 * 60 * 24 * 21;   /* 21 days default. */
Globals.change_notify_timeout = 60; /* 1 minute default. */
Globals.ReadSize = 16 * 1024;
Globals.lm_announce = 2;/* = Auto: send only if LM clients found */
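Review bot: The default added at `Globals.user_password_expiration = 60 * 60 * 24 * 21` makes the parameter a count of seconds, but nothing in the patch documents the unit, and there is no value that means "never expire", which is the behaviour the cover note says some sites want. Suggest documenting the parameter next to `machine password timeout` in the smb.conf manual page and reserving a value such as 0 for "no expiry", handled explicitly at the places where the value is added to `time(NULL)`.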
@@ -1673,6 +1677,7 @@
 FN_GLOBAL_INTEGER(lp_lm_announce, Globals.lm_announce)
 FN_GLOBAL_INTEGER(lp_lm_interval, Globals.lm_interval)
 FN_GLOBAL_INTEGER(lp_machine_password_timeout, 
Globals.machine_password_timeout)
+FN_GLOBAL_INTEGER(lp_user_password_expiration, 
Globals.user_password_expiration)
 FN_GLOBAL_INTEGER(lp_change_notify_timeout, Globals.change_notify_timeout)
 FN_GLOBAL_INTEGER(lp_stat_cache_size, Globals.stat_cache_size)
 FN_GLOBAL_INTEGER(lp_map_to_guest, Globals.map_to_guest)
diff -ur --new-file samba.org/source/passdb/pdb_ldap.c 
samba-2.2.4/source/passdb/pdb_ldap.c
--- samba.org/source/passdb/pdb_ldap.c  Fri May  3 03:03:26 2002
+++ samba-2.2.4/source/passdb/pdb_ldap.cFri Jun  7 14:39:10 2002
@@ -608,7 +608,7 @@
slprintf (temp, sizeof (temp) - 1, %li, 
pdb_get_pass_can_change_time(sampass));
make_a_mod(mods, ldap_state, pwdCanChange, temp);
 
-   slprintf (temp, sizeof (temp) - 1, %li, 
pdb_get_pass_must_change_time(sampass));
+   slprintf (temp, sizeof (temp) - 1, %li, 
time(NULL)+lp_user_password_expiration()); 
make_a_mod(mods, ldap_state, pwdMustChange, temp);
 
/* displayName, cn, and gecos should all be the same
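Review bot: On the `pwdMustChange` line, `time(NULL)+lp_user_password_expiration()` replaces the value held in `sampass` with one computed at write time, so every modification of the LDAP entry, not only a password change, pushes the deadline forward, and any must-change time already set on the account is discarded. Suggest setting the must-change time on `sampass` at the point where the password is actually changed and keeping `pdb_get_pass_must_change_time(sampass)` here, so this function only serialises what the account holds.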
diff -ur --new-file samba.org/source/passdb/pdb_smbpasswd.c 
samba-2.2.4/source/passdb/pdb_smbpasswd.c
--- samba.org/source/passdb/pdb_smbpasswd.c Sun Feb  3 01:46:49 2002
+++ samba-2.2.4/source/passdb/pdb_smbpasswd.c   Thu Jun  6 17:11:02 2002
@@ -1222,10 +1222,11 @@

pdb_set_dir_drive (sam_pass, lp_logon_drive(), False);
 
-   /* FIXME!!  What should this be set to?  New smb.conf parameter maybe?
-  max password age?   For now, we'll use the current time + 21 days. 
-  --jerry */
-   pdb_set_pass_must_change_time (sam_pass, time(NULL)+1814400);
+   /* to jerry --   
+  FIXED!! New smb.conf parameter user password expiration
+  default is 21 days in sec. 
+  --marcus  fred */
+   pdb_set_pass_must_change_time (sam_pass, 
time(NULL)+lp_user_password_expiration());
 
/* check if this is a user account or a machine account */
if (samlogon_user[strlen(samlogon_user)-1] != '$')
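Review bot: `pdb_set_pass_must_change_time (sam_pass, time(NULL)+lp_user_password_expiration())` still derives the deadline from the current time, as the replaced line did, so the deadline is always a full interval ahead of whenever this code runs instead of counting from when the password was last set. Suggest basing it on the account's password last-set time where one is available. The replacement comment ("to jerry -- FIXED!!") addresses a person; a comment that states what the parameter is and that its unit is seconds would serve later readers better.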
diff -ur --new-file samba.org/source/passdb/pdb_tdb.c 
samba-2.2.4/source/passdb/pdb_tdb.c
--- samba.org/source/passdb/pdb_tdb.c   Fri May  3 03:03:27 2002
+++ samba-2.2.4/source/passdb/pdb_tdb.c Fri Jun  7 14:48:27 2002
@@ -289,7 +289,7 @@
logoff_time = (uint32)pdb_get_logoff_time(sampass);
kickoff_time = (uint32)pdb_get_kickoff_time(sampass);
pass_can_change_time = (uint32)pdb_get_pass_can_change_time(sampass);
-   pass_must_change_time = 

trusted domains patch

2002-07-18 Thread mimir

This is yet another patch for the trusted domains functionality collection.
No revolution -- just some updates and a new utility for the net tool.
This allows listing domains trusted by samba (by reading secrets.tdb).

More patches are under construction...


-- 
cheers,
++
|Rafal 'Mimir' Szczesniak [EMAIL PROTECTED]   |
|*BSD, GNU/Linux and Samba  /
|__/


Index: lib/util_unistr.c
===
RCS file: /cvsroot/samba/source/lib/util_unistr.c,v
retrieving revision 1.93
diff -u -r1.93 util_unistr.c
--- lib/util_unistr.c   14 Apr 2002 09:44:14 -  1.93
+++ lib/util_unistr.c   18 Jul 2002 10:26:24 -
@@ -218,6 +218,29 @@
pull_ucs2(NULL, dest, str-buffer, maxlen, str-uni_str_len*2, STR_NOALIGN);
 }
 
+/**
+ * Convert smb_ucs2_t string to an ASCII string
+ *
+ * @param dest Destination ASCII string
+ * @param src Source UCS2 string
+ * @para maxlen maximum number of characters to be copied to dest
+ */
+char* ucs2_to_ascii(char *dest, const smb_ucs2_t *src, size_t maxlen)
+{
+   size_t src_len;
+   
+   if (src == NULL) {
+   *dest = '\0';
+   return dest;
+   }
+   
+   src_len = strlen_w(src);
+   
+   pull_ucs2(NULL, dest, src, maxlen, src_len * 2, STR_NOALIGN);
+   
+   return dest;
+}
+
 
 /***
  duplicate a UNISTR2 string into a null terminated char*
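Review bot: In `ucs2_to_ascii()`, the `src == NULL` branch writes `*dest = '\0'` without checking that `dest` is non-NULL or that `maxlen` is at least 1, so a caller passing a zero-length buffer gets a one-byte write past it. Suggest returning early when `dest == NULL || maxlen == 0`. The doc comment has `@para maxlen` where `@param` is meant, and it describes `maxlen` as a number of characters while the value is handed to `pull_ucs2()` in the same position the existing call above uses for its buffer limit; the comment should say which it is and whether the terminator is counted.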
Index: libsmb/cli_lsarpc.c
===
RCS file: /cvsroot/samba/source/libsmb/cli_lsarpc.c,v
retrieving revision 1.46
diff -u -r1.46 cli_lsarpc.c
--- libsmb/cli_lsarpc.c 1 Jun 2002 00:10:08 -   1.46
+++ libsmb/cli_lsarpc.c 18 Jul 2002 10:26:28 -
@@ -632,6 +632,108 @@
return result;
 }
 
+
+/**
+ * Enumerate list of trusted domains - higher level wrapper function for
+ * @see cli_lsa_enum_trust_dom()
+ *
+ * @param cli client state (cli_state) structure of the connection
+ * @param mem_ctx memory context
+ * @param pol opened lsa policy handle
+ * @param pref_num_domains preferred max number of entries returned in one response
+ * @param num_domains total number of trusted domains returned during enumeration
+ * @param domain_names returned trusted domain names
+ * @param domain_sids returned trusted domain sids
+ *
+ * @return nt status code of response
+ **/
+NTSTATUS cli_lsa_enum_trust_domains(struct cli_state *cli, TALLOC_CTX *mem_ctx,
+   POLICY_HND *pol, uint32 *pref_num_domains,
+   uint32 *num_domains,
+   char ***domain_names, DOM_SID **domain_sids)
+{
+   NTSTATUS status;
+   uint32 enum_ctx = 0;
+   int alloc_chunk = 1;
+   
+   /* l_ prefix is for locally used variables */
+   char **l_domain_names;
+   DOM_SID *l_domain_sids;
+   uint32 l_num_domains = 0;
+   
+   if (!pref_num_domains) {
+   pref_num_domains = talloc(mem_ctx, sizeof(*pref_num_domains));
+   if (!pref_num_domains)
+   return NT_STATUS_NO_MEMORY;
+
+   *pref_num_domains = 5;
+   }
+   
+   /*
+* allocate memory for arrays of domain names and sids
+* that will be returned
+* TODO: all pointers in the arrays should be zeroed
+*/
+   *domain_names = (char **)talloc(mem_ctx, sizeof(char*) * alloc_chunk);
+
+   if (!*domain_names) {
+   DEBUG(0, (cli_lsa_enum_trust_dom(): out of memory\n));
+   return NT_STATUS_NO_MEMORY;
+   }
+
+   *domain_sids = (DOM_SID *)talloc(mem_ctx, sizeof(DOM_SID) * alloc_chunk);
+   if (!domain_sids) {
+   DEBUG(0, (cli_lsa_enum_trust_dom(): out of memory\n));
+   return NT_STATUS_NO_MEMORY;
+   }
+
+   do {
+   int i;
+   
+   /* perform a single lsa_enum_trust_dom request */
+   status = cli_lsa_enum_trust_dom(cli, mem_ctx, pol, enum_ctx,
+   pref_num_domains, l_num_domains,
+   l_domain_names, l_domain_sids);
+   
+   *num_domains += l_num_domains;
+
+   if (*num_domains  alloc_chunk) {
+   alloc_chunk += 5;
+
+   /*
+* number of enumerated domains so far, has exceeded
+* size of arrays that are to be returned.
+* do reallocation of the arrays.
+*/
+   *domain_names = (char**) talloc_realloc(mem_ctx, (void 
+*)*domain_names,
+ 
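Review bot: The second allocation check in `cli_lsa_enum_trust_domains()` reads `if (!domain_sids)`, which tests the caller's out-pointer and not the result of the `talloc()` on the line above; it should be `if (!*domain_sids)`, matching the `if (!*domain_names)` check before it. In the loop, `*num_domains += l_num_domains` accumulates into a caller-supplied value that is never set to 0 first, and `status` is not examined before the count is used; initialise `*num_domains = 0` ahead of the `do` and leave the loop on an error status. Both `DEBUG` messages name `cli_lsa_enum_trust_dom()` rather than this wrapper, which will mislead anyone reading the log.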

Re: Winbindd Success :) [was Re: winbindd, (radio)active directoryand other pains...]

2002-07-18 Thread Mike Gerdts

On Thu, 2002-07-18 at 02:03, Bogdan Iamandei wrote:

> 1). I don't seem to be able to specify multiple ranges of ID's for
> winbindd. For example:
>
> winbind uid = 1000-2 25000-3
>
> Would this be possible in the future? :) Please? :)
>
> 2). For some reason winbindd is reading the winbindd_cache.tdb and
> winbindd_idmap.tdb after a restart. All would be fine, but if I change
> the UID ranges, winbindd will still use the old range. The workaround
> is to remove those two TDBs and try again.

Are you proposing that if winbindd finds a UID in the cache that does
not fit in the range that a new UID from the range should be assigned?
That wouldn't be too hard to implement, but I am not sure that it is
desirable.  The side effect would be that all the files and ACLs that
were created would maintain the old uids.  When the user gets a new uid,
files that they previously created or ACLs that they were added to would
not be accessible with the new uid.

> 3). (not really a nitpick - more like a small warning) Beware of nscd
> daemon on Solaris. It basically takes a little while until it kicks in
> for the first time.

A while back I reported a bug in winbindd that caused it to crash nscd.
While debugging this problem, I found that winbindd was horribly slow
without the caching done by nscd.  After fixing the problem so that nscd
would stay alive, name lookups became MUCH faster because repeat lookups
were being answered by nscd rather than by winbindd.

I suspect that this slowness is because winbindd talking to PDC across
the WAN rather than the local PDC.  I never really looked into it.
Since I didn't see other people complaining about slowness, I assumed
that it was something weird with our domain configuration.

> 4). After a while (5-10 minutes) running samba, attempting to connect
> a share - takes a long - long time and in the end it fails with
> something like Error - 0. I'll have to test it some more - before giving
> some more details though.

I have seen that one too, but forget the exact circumstances.

Mike





Re: GPL licensing issues

2002-07-18 Thread Richard Stallman

I'm probably now going to rewrite my module to be PHP4-licensed and to
communicate with an external (GPLed) daemon that uses libsmbclient.

This might or might not comply with the GPL, depending on whether your
PHP4-licensed module and the demon are two separate programs, or one
combined program.  It is hard to be sure what copyright law implies
about that question.

I think that if the protocol used between the two modules is a
general-purpose one, then they are two separate programs and the GPL
is not violated.  Otherwise this combination is not allowed.
However, you might want to ask the Samba developers what they think
about the matter.




lockdir

2002-07-18 Thread Patrick Welche

In freshly cvs updated source (just now) I noticed at the top of configure.in

lockdir=\${VARDIR}/cache/samba
...
lockdir=\${VARDIR}/locks

One must be wrong?

I used --with-lockdir=/var/spool/lock and then got the error

ERROR: pid directory /var/db/samba/locks does not exist

Sure enough VARDIR=localstatedir=/var/db/samba.. So lockdir is ignored?

Cheers,

Patrick




cosmetic manpage fixes for HEAD

2002-07-18 Thread Steve Langasek

Hello,

With the recent announcement that the Samba Team is focusing all further
development efforts on 3.0, a push has begun to sort through the niggly
issues that need to be resolved in order to produce packages for Debian
that can be uploaded to the archive.  This first patch addresses an
issue I ran into while trying to install manpages:  all English-language
manpages ended up in /usr/share/man/lang/man{1,5,7,8} instead of the
expected /usr/share/man/man{1,5,7,8}.  The below patch against CVS HEAD
should cause the manpages to install in the correct directories, without
interfering with the ongoing i18n support.

Regards,
Steve Langasek
postmodern programmer

Index: script/installman.sh
===
RCS file: /cvsroot/samba/source/script/installman.sh,v
retrieving revision 1.11
diff -u -w -r1.11 installman.sh
--- script/installman.sh25 Sep 2001 02:01:29 -  1.11
+++ script/installman.sh18 Jul 2002 20:46:57 -
 -22,8 +22,8 
echo Installing \$lang\ man pages in $MANDIR/lang/$lang
 fi
 
-langdir=$MANDIR/lang/$lang
-for d in $MANDIR $MANDIR/lang $langdir $langdir/man1 $langdir/man5 $langdir/man7 
$langdir/man8; do
+langdir=$MANDIR/$lang
+for d in $MANDIR $langdir $langdir/man1 $langdir/man5 $langdir/man7 
+$langdir/man8; do
if [ ! -d $d ]; then
mkdir $d
if [ ! -d $d ]; then
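Review bot: The `echo` in the unchanged context at the top of this hunk still reports `$MANDIR/lang/$lang`, while the new `langdir=$MANDIR/$lang` installs somewhere else; the message should be updated to match. The description speaks only of English manpages being misplaced, but the new `langdir` applies to every language the script handles, so please confirm that moving the non-English pages out of `$MANDIR/lang/` is intended and say so in the description.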




FHS support in HEAD?

2002-07-18 Thread Steve Langasek

Hello,

Early last year, a patch was accepted into Samba to add a --with-fhs
option to configure.  For OSes that aspire to follow the FHS (which
includes most Linux distros, AFAIK), this is a good thing.
Unfortunately, the original patch didn't make Samba's paths completely
FHS-compliant, and things have decayed since then to the point that
current CVS's terminology and usage bears little real resemblance to the
FHS.

Is anyone within the Samba Team interested in seeing this FHS support
updated and fleshed out?  I'd be happy to supply patches to do so, but
if there's really no interest, I may as well create a local patch
instead and spare myself the effort of making this mesh nicely with the
default directory layout.  One way or the other, the patch will be there
for Debian's sake, and of course I'd rather see this cleanly integrated
upstream (for the benefit of other Linux distros as well as for our
own benefit), but that would depend on someone on the inside being
willing to follow through on it.

Thanks,
Steve Langasek
postmodern programmer





Re: FHS support in HEAD?

2002-07-18 Thread Richard Sharpe

On Thu, 18 Jul 2002, Steve Langasek wrote:

> Hello,
>
> Early last year, a patch was accepted into Samba to add a --with-fhs
> option to configure.  For OSes that aspire to follow the FHS (which
> includes most Linux distros, AFAIK), this is a good thing.
> Unfortunately, the original patch didn't make Samba's paths completely
> FHS-compliant, and things have decayed since then to the point that
> current CVS's terminology and usage bears little real resemblance to the
> FHS.
>
> Is anyone within the Samba Team interested in seeing this FHS support
> updated and fleshed out?  I'd be happy to supply patches to do so, but
> if there's really no interest, I may as well create a local patch
> instead and spare myself the effort of making this mesh nicely with the
> default directory layout.  One way or the other, the patch will be there
> for Debian's sake, and of course I'd rather see this cleanly integrated
> upstream (for the benefit of other Linux distros as well as for our
> own benefit), but that would depend on someone on the inside being
> willing to follow through on it.

Well, I think that this is important, so I would be interested in seeing 
the patch.

It might not be accepted into Samba 2.2.X, but should be fair game for 
Samba 3.0.x

Regards
-
Richard Sharpe, [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED]





Re: Winbindd Success :) [was Re: winbindd, (radio)active directoryand other pains...]

2002-07-18 Thread Bogdan Iamandei

Mike Gerdts wrote:
> On Thu, 2002-07-18 at 02:03, Bogdan Iamandei wrote:
>
>> 1). I don't seem to be able to specify multiple ranges of ID's for
>> winbindd. For example:
>>
>> winbind uid = 1000-2 25000-3
>>
>> Would this be possible in the future? :) Please? :)
>>
>> 2). For some reason winbindd is reading the winbindd_cache.tdb and
>> winbindd_idmap.tdb after a restart. All would be fine, but if I change
>> the UID ranges, winbindd will still use the old range. The workaround
>> is to remove those two TDBs and try again.
>
> Are you proposing that if winbindd finds a UID in the cache that does
> not fit in the range that a new UID from the range should be assigned?
> That wouldn't be too hard to implement, but I am not sure that it is
> desirable.  The side effect would be that all the files and ACLs that
> were created would maintain the old uids.  When the user gets a new uid,
> files that they previously created or ACLs that they were added to would
> not be accessible with the new uid.

Damn - I haven't thought of this. You're right.

>> 3). (not really a nitpick - more like a small warning) Beware of nscd
>> daemon on Solaris. It basically takes a little while until it kicks in
>> for the first time.
>
> A while back I reported a bug in winbindd that caused it to crash nscd.
> While debugging this problem, I found that winbindd was horribly slow
> without the caching done by nscd.  After fixing the problem so that nscd
> would stay alive, name lookups became MUCH faster because repeat lookups
> were being answered by nscd rather than by winbindd.
>
> I suspect that this slowness is because winbindd talking to PDC across
> the WAN rather than the local PDC.  I never really looked into it.
> Since I didn't see other people complaining about slowness, I assumed
> that it was something weird with our domain configuration.

Hmm... not really - since same authentication - going over the WAN to
the Kerberos5 server goes faster. But then again - the usernames are
all in the local passwd file, so lookup is necessary.

>> 4). After a while (5-10 minutes) running samba, attempting to connect
>> a share - takes a long - long time and in the end it fails with
>> something like Error - 0. I'll have to test it some more - before giving
>> some more details though.
>
> I have seen that one too, but forget the exact circumstances.

Ahaa! so it's not only my perception. That's good to know.

Ino!~

-- 
I have seen things you people wouldn't believe.  Attack ships on fire
off the shoulder of Orion.  I watched C-beams glitter in the dark
near the Tannhauser Gate.  All those moments will be lost in time,
like tears in rain.  Time to die.