Re: Setting the time through a logon script

2002-09-26 Thread Olaf Frączyk

On Wed, 2002-09-25 at 22:05, Shane Tapper wrote:
 
 How do I set the clock through a logon script if I wish to keep the user a
 standard user
 
 line of logon script
   net time \\viagra /set /yes
You have to add this right to the standard users group on Windows. 
This is something like: Permit users to set local time, or something
similar.
It works for NT. For Win2k I haven't tried - on Win2k I have only set
advanced users.

Regards,

Olaf Fraczyk







Re: Setting the time through a logon script

2002-09-26 Thread Rafal Szczesniak

On Thu, Sep 26, 2002 at 09:45:03AM +0200, Olaf Frączyk wrote:
 On Wed, 2002-09-25 at 22:05, Shane Tapper wrote:
  
  How do I set the clock through a logon script if I wish to keep the user a
  standard user
  
  line of logon script
  net time \\viagra /set /yes
 You have to add this right to the standard users group on Windows. 
 This is something like: Permit users to set local time, or something
 similar.
 It works for NT. For Win2k I haven't tried - on Win2k I have only set
 advanced users.

For WinNT, running such a command requires 'Power Users' membership
or the 'Change system time' privilege.


-- 
cheers,
Rafal 'Mimir' Szczesniak [EMAIL PROTECTED]
*BSD, GNU/Linux and Samba



Re: Samba 3.0 and UserManager? (solved)

2002-09-26 Thread Eddie Lania

Kai,

Thank you, it works exactly like you told me.
Logging in as root from a workstation works for usermgr.

Eddie.

- Original Message -
From: Kai Krueger [EMAIL PROTECTED]
To: Eddie Lania [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, September 26, 2002 11:21 AM
Subject: Re: Samba 3.0 and UserManager?



 - Original Message -
 From: Eddie Lania [EMAIL PROTECTED] Sent: Wednesday, September 25, 2002
 8:47 PM


  I haven't got this to work although I have read several mails now on this
  list of people that seem to have it working.
  I was wondering how this should be done.
  I can start UserManager for windows NT and see the accounts and groups, but
  whenever I try to open one of them I get a permission denied.

 This is a known bug. It was introduced about two months ago if I remember
 correctly. It however only affects users other than root that are in the
 BUILTIN\Administrators group of the samba PDC. So not many people will have
 noticed it.

 
  Please, can somebody help me?

 If it is the bug I'm thinking of, then there are three solutions to it:

 1) Use the user root (it must be added to passdb) to administer with usrmgr
 2) Apply a patch I've appended
 3) wait till Andrew Bartlett has applied the patch to HEAD

 The preferred solution is using the root user on the windows machines.
 Currently only root has write access to the sam. With the two other
 solutions, you will be able to open your users in usrmgr, but not change
 anything. Once the new sam subsystem is in place, all members of the
 Administrators groups should be able to administer the sam, but that is
 nowhere near ready yet.

  Eddie.
 

 Kai





Re: approaching release of 3.0alpha20

2002-09-26 Thread Stefan Metzmacher

At 07:13 26.09.2002 +1000, Andrew Bartlett wrote:
Stefan (metze) Metzmacher wrote:
 
  Hi Jerry,
 
  please don't kick 3.0alpha20 before this is fixed. Andrew B. optimizes my
  patch...

metze, I want to get that patch 'right', so I may take some time...

In particular, you changed the parsing for the info21, but not info23,
and I want to track the difference between null pointers and zero length
strings correctly.

ok let it go...



Stefan Metzmacher

[EMAIL PROTECTED]




Re: approaching release of 3.0alpha20

2002-09-26 Thread Andrew Bartlett

Stefan Metzmacher wrote:
 
 At 07:13 26.09.2002 +1000, Andrew Bartlett wrote:
 Stefan (metze) Metzmacher wrote:
  
   Hi Jerry,
  
   please don't kick 3.0alpha20 before this is fixed. Andrew B. optimizes my
   patch...
 
 metze, I want to get that patch 'right', so I may take some time...
 
 In particular, you changed the parsing for the info21, but not info23,
 and I want to track the difference between null pointers and zero length
 strings correctly.
 
 ok let it go...

I'm just testing my alterations of that patch, but it is looking good!

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net



Re: Samba 3.0 and UserManager?

2002-09-26 Thread Kai Krueger


- Original Message -
From: Eddie Lania [EMAIL PROTECTED] Sent: Wednesday, September 25, 2002
8:47 PM


 I haven't got this to work although I have read several mails now on this
 list of people that seem to have it working.
 I was wondering how this should be done.
 I can start UserManager for windows NT and see the accounts and groups, but
 whenever I try to open one of them I get a permission denied.

This is a known bug. It was introduced about two months ago if I remember
correctly. It however only affects users other than root that are in the
BUILTIN\Administrators group of the samba PDC. So not many people will have
noticed it.


 Please, can somebody help me?

If it is the bug I'm thinking of, then there are three solutions to it:

1) Use the user root (it must be added to passdb) to administer with usrmgr
2) Apply a patch I've appended
3) wait till Andrew Bartlett has applied the patch to HEAD

The preferred solution is using the root user on the windows machines.
Currently only root has write access to the sam. With the two other
solutions, you will be able to open your users in usrmgr, but not change
anything. Once the new sam subsystem is in place, all members of the
Administrators groups should be able to administer the sam, but that is
nowhere near ready yet.

 Eddie.


Kai



access_bits_correction.diff
Description: Binary data


Winbind and Samba, What do I do next?

2002-09-26 Thread Gareth Davies



Hi all,

I've had a long ride setting up SAMBA and Winbind, essentially what I'm trying to do at the moment is transfer the file server from the Win2k server to a Linux machine to ease the strain and spread the network traffic out over different switches.

I am using SAMBA 2.2.5 and Debian 3.0.

I have SAMBA working fine, I can browse the Public and Temp shares and write to them from a Win2k machine.

I have Winbind working as far as I can tell, wbinfo -t gives an ok, wbinfo -u returns users and same for -g. (Thanks to your help yesterday)

I have done getent passwd and getent group and all the users show up ok.

When I try and logout and log back into Xwindows with a Domain rather than local user (they are all listed correctly in kdm DOMAIN+User), the login always fails even when I know the password is correct.

I can browse my home directory, but only if I have a local user on the linux machine that matches my network logon if I try from another logon without the equivalent linux entry it doesn't work.

The domain authentication doesn't seem to be working. (security = domain is set).

How do I create and get home directories working and how do I set up shares with group properties, e.g. only Managers are allowed access etc.

Config files and more available on request.

Thanks

--
Shaolin - IT Systems
Willowbrook Ltd.



Re: Samba 3.0 and UserManager?

2002-09-26 Thread Eddie Lania

Does this also remove the bug that causes the user password time settings
to be changed, even when the cancel button is pressed in usermgr?

- Original Message -
From: Andrew Bartlett [EMAIL PROTECTED]
To: Kai Krueger [EMAIL PROTECTED]
Cc: Eddie Lania [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Thursday, September 26, 2002 3:32 PM
Subject: Re: Samba 3.0 and UserManager?


 Kai Krueger wrote:
 
  - Original Message -
  From: Eddie Lania [EMAIL PROTECTED] Sent: Wednesday, September 25, 2002
  8:47 PM
 
   I haven't got this to work although I have read several mails now on this
   list of people that seem to have it working.
   I was wondering how this should be done.
   I can start UserManager for windows NT and see the accounts and groups, but
   whenever I try to open one of them I get a permission denied.
 
  This is a known bug. It was introduced about two months ago if I remember
  correctly. It however only affects users other than root that are in the
  BUILTIN\Administrators group of the samba PDC. So not many people will have
  noticed it.

  3) wait till Andrew Bartlett has applied the patch to HEAD

 Applied.

 Andrew Bartlett

 --
 Andrew Bartlett [EMAIL PROTECTED]
 Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
 Student Network Administrator, Hawker College   [EMAIL PROTECTED]
 http://samba.org http://build.samba.org http://hawkerc.net





Re: Samba 3.0 and UserManager?

2002-09-26 Thread Andrew Bartlett

Kai Krueger wrote:
 
 - Original Message -
 From: Eddie Lania [EMAIL PROTECTED] Sent: Wednesday, September 25, 2002
 8:47 PM
 
  I haven't got this to work although I have read several mails now on this
  list of people that seem to have it working.
  I was wondering how this should be done.
  I can start UserManager for windows NT and see the accounts and groups, but
  whenever I try to open one of them I get a permission denied.
 
 This is a known bug. It was introduced about two months ago if I remember
 correctly. It however only affects users other than root that are in the
 BUILTIN\Administrators group of the samba PDC. So not many people will have
 noticed it.

 3) wait till Andrew Bartlett has applied the patch to HEAD

Applied.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net



Re: Using winbind with Wine

2002-09-26 Thread Simo Sorce

Imho the best way to go, is to wait until we will be able to provide an
interface for loadable modules in samba that couples with the MS-RPC
subsystem.
At that point you will only need to make the .so library as GPL and
build your socket mechanism to speak to the other LGPLed end integrated
into wine.

Simo.

On Thu, 2002-09-26 at 13:47, Martin Wilck wrote:
 On Wed, 2002-09-25 at 19:38, Richard Sharpe wrote:
 
  I do not think that libsmbclient is the right way to do this. I think that 
  the correct way is to make the various Samba client RPC libraries available 
  as separate DSOs so that clients can make direct use of what they need. 
  Then the wine group can possibly build a thin DLL wrapper around the 
  underlying RPC libraries.
 
 Licensing is an important issue.
 
 If future Samba RPC libraries come with GPL, they won't be usable for
 Wine (as you probably know, Wine is LGPL and ReWind X11). I don't want
 to start a licensing debate here. I expect the Samba team to release
 their stuff GPL'd in the future, thus I accept it as a fact that Wine
 cannot be linked to Samba libraries, present or future.
 
 For that reason I find the winbind concept of socket communication
 attractive. To my understanding this would not raise license issues. We
 are not currently worried about performance, we just need access to a
 few RPC calls.
 
 To initiate this process we'd only need a standardized protocol for
 the socket communication. Andrew said that doesn't exist and won't with
 regard to winbind. I'd like to focus the discussion in this direction.
 
  - is the winbind team willing to standardize the protocol, or at least
ensure backward compatibility in future versions?
  - is the winbind team willing to add more RPC calls to the interface?
 
 If not, Wine might do best by creating a winebind that meets these 
 requirements. That might be the best way after all, because
 incorporating the functionality needed by Windows clients into winbind
 would make no sense in environments where Wine is not running, just
 increase winbind's size unnecessarily.
 
 winebind would be linked against Samba libraries, and therefore be GPL
 from the start.
 
 Martin
 
 -- 
 Martin Wilck                Phone: +49 5251 8 15113
 Fujitsu Siemens Computers   Fax:   +49 5251 8 20409
 Heinz-Nixdorf-Ring 1        mailto:[EMAIL PROTECTED]
 D-33106 Paderborn           http://www.fujitsu-siemens.com/primergy
 
 
 
 
-- 
Simo Sorce - [EMAIL PROTECTED]
Xsec s.r.l.
via Durando 10 Ed. G - 20158 - Milano
tel. +39 02 2399 7130 - fax: +39 02 700 442 399





Re: Using winbind with Wine

2002-09-26 Thread Luke Howard


 - is the winbind team willing to standardize the protocol, or at least
   ensure backward compatibility in future versions?

Rather than inventing new protocols, why not just use DCE RPC over domain
sockets or TCP/IP?

The only catch is that you need a DCE RPC client library. We're using the
OSF DCE runtime (actually, FreeDCE), which is BSD-licensed. 

We are doing a similar thing, except in reverse, so that SAMBA can act as
a named pipe front-end to our proprietary DCE RPC services. More 
information is at http://www.padl.com/Research/XAD.html.

-- Luke

--
Luke Howard | PADL Software Pty Ltd | www.padl.com



Re: Using winbind with Wine

2002-09-26 Thread jra

On Fri, Sep 27, 2002 at 12:50:57AM +1000, Luke Howard wrote:
 
  - is the winbind team willing to standardize the protocol, or at least
ensure backward compatibility in future versions?
 
 Rather than inventing new protocols, why not just use DCE RPC over domain
 sockets or TCP/IP?
 
 The only catch is that you need a DCE RPC client library. We're using the
 OSF DCE runtime (actually, FreeDCE), which is BSD-licensed. 

Because DCE/RPC is *horrible* ? :-) :-). If you need a new
RPC protocol please use ONC/RPC/NDR not DCE :-).

Jeremy.



RE: Setting the time through a logon script

2002-09-26 Thread Shane Tapper

Line of logon script
net time \\viagra /set /yes

The user is created in the default RedHat group.  The user is an
Administrator on the W2K box.  When not logged into the Samba Server script
runs wonderfully.  What group do I need to assure the user is in on the
Linux Box to allow time change when authenticated by Samba?






--wuth-tdbsam ?

2002-09-26 Thread Gerald (Jerry) Carter

Anyone?

Why do we still have a configure flag for this since it is selectable
at run time ?



cheers, jerry




(no subject)

2002-09-26 Thread James Bowes








Hi.

I am not a developer but I'd like to help with testing if needed. The roadmap indicates some areas of interest for me personally and if you could use the help

Trust relationships and the migration script would be some of the areas where I could help.

Let me know

James Bowes,
Senior Systems Consultant, Xisit.
ph: 604-535-6508 ext.305
fax: 604-535-6509
email: [EMAIL PROTECTED]
web: http://xisit.net












Re: --with-libsmbclient=no the default ?

2002-09-26 Thread Gerald (Jerry) Carter

On Thu, 26 Sep 2002, Jelmer Vernooij wrote:

 On Thu, Sep 26, 2002 at 02:20:06PM -0500, Gerald (Jerry) Carter wrote about 
'--with-libsmbclient=no the default ?':
  I thought libsmbclient should be built by default in 3.0 ?
  When (  why) did this change ?  Was it me ?

 According to configure.in, it is built by default if the OS has
 support for shared libraries.

That's what I thought, but it didn't build on my last check.  I'll go back 
and see why not




cheers, jerry




Future plans for next alpha release

2002-09-26 Thread Gerald (Jerry) Carter

Folks,

With the release of 3.0alpha20, I'm declaring the official 
maintenance of the SAMBA_3_0 cvs branch.  What this means
is that there will be no more blind copy HEAD onto SAMBA_3_0
for the next alpha.  Any bug fixes into HEAD should also be fixed
in SAMBA_3_0.  Developers are responsible for their own code.
If you have a question about whether or not something should be 
merged, feel free to ask on this list.

I've also updated the 3.0 roadmap on samba.org to include
plans for the next alpha release.  One goal is to get the packaging
in order to produce RPMs for the next snapshot.  If anyone else wants 
to step up to the plate and offer another item up as well, feel free.
Possibilities include

  * make sure that smb.conf is updated.
  * have net rpc vampire functioning 
  * anything else on the roadmap.

This list will help to determine when the next alpha will go out
so let's be reasonable and try to keep the snapshots on a regular 
basis.  People might also want to consider committing to have a 
feature done by alpha XX for longer jobs.  I'm not focusing on 
specific dates here, only feature lists.

We'll see how this approach goes.  If people find it intrusive,
we'll try something else to keep the momentum going.

In addition to continuing to code, we need to start looking at what 
needs to be polished for release.  This may eat time from some
of the fun coding everyone's been doing, but is going to
be necessary if 3.0 is ever to see the light of day.






cheers, jerry
 -
 Hewlett-Packard http://www.hp.com
 SAMBA Team   http://www.samba.org
 --http://www.plainjoe.org
 SAMS Teach Yourself Samba in 24 Hours 2ed.   ISBN 0-672-32269-2
 --I never saved anything for the swim back. Ethan Hawk in Gattaca--




Samba and SNAP

2002-09-26 Thread Irving Carrion








We recently migrated our PDC away from Microsoft to SAMBA and have nearly completed the migration except for 1 little annoyance. Our SNAP server is unable to view the users on the SAMBA PDC. I have RTFMs, googled for awhile, posted on the SAMBA-USERS mailing list, and I've called quantum tech support with no luck. Is there some type of config I'm setting incorrectly or is Samba not compatible with SNAP servers?

I'm willing to post any logs you may wish to get this problem resolved (If at all possible).



Really appreciate any help!



Thanks!

IRV



MY VERSIONS

Debian 3.0

ii samba 2.2.3a-6 A LanManager like file and printer server fo
ii samba-common 2.2.3a-6 Samba common files used by both the server a



















Re: --wuth-tdbsam ?

2002-09-26 Thread Steve Langasek

On Thu, Sep 26, 2002 at 09:20:19PM +0200, Jelmer Vernooij wrote:
 On Thu, Sep 26, 2002 at 09:14:39PM +0200, Jean Francois Micouleau wrote about 'Re: 
--wuth-tdbsam ?':

  On Thu, 26 Sep 2002, Gerald (Jerry) Carter wrote:

   Anyone?

   Why do we still have a configure flag for this since it is selectable
   at run time ?
 I guess it used to be optional since we didn't want to compile in
 unstable code.

  and tdbsam should be the default passdb backend in 3.0. We should remove
  the smbpasswd file and provide a migration script.
 'pdbedit -i smbpasswd -e tdbsam' does exactly that.. now we only need
 to document it :-)

Is pdb importing from smbpasswd going to be fixed first so that
everyone's passwords don't expire 12 days after they upgrade? :)

Steve Langasek
postmodern programmer





A RID allocator and its consequences

2002-09-26 Thread Volker.Lendecke


Hi!

This is a surprisingly little (compiled, but not tested) patch that
mainly should do the following:

Implement a rid allocator in secrets.tdb. This might not be the right
place to do it, but as we are one-domain with passdb, RID allocation
is a global thing.

Second, in get_group_from_gid it initializes a new group mapping as an
alias on the fly. So if the gid exists it should basically not fail
anymore.

Third, as a consequence of get_group_from_gid, most of the calls to
pdb_gid_to_group_rid are gone. There's two left in passdb.c which I
don't really understand. Maybe it's too late now. The remaining one is
in pdb_nisplus which I will not touch for now.

This is only an interim step I think, the next step would be to remove
the group_sid from SAM_ACCOUNT completely, as we can now always get a
SID for a gid.

Volker


diff -ur samba/cvs/head/samba/source/Makefile.in head/source/Makefile.in
--- samba/cvs/head/samba/source/Makefile.in Thu Sep 26 14:13:29 2002
+++ head/source/Makefile.in Thu Sep 26 17:37:42 2002
 -429,8 +429,9 
  $(UBIQX_OBJ) $(LIB_OBJ)
 
 SMBCACLS_OBJ = utils/smbcacls.o $(LOCKING_OBJ) $(LIBSMB_OBJ) $(PARAM_OBJ) \
- $(UBIQX_OBJ) $(LIB_OBJ) $(RPC_PARSE_OBJ) $(PASSDB_GET_SET_OBJ) \
-$(LIBMSRPC_OBJ) 
+ $(UBIQX_OBJ) $(LIB_OBJ) $(RPC_PARSE_OBJ) $(SECRETS_OBJ) \
+$(LIBMSRPC_OBJ) $(PASSDB_OBJ) $(GROUPDB_OBJ) 
+
 
 TALLOCTORT_OBJ = lib/talloctort.o  $(LIB_OBJ) $(PARAM_OBJ) $(UBIQX_OBJ)
 
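Review bot: the lone "+" line after the new "$(LIBMSRPC_OBJ) $(PASSDB_OBJ) $(GROUPDB_OBJ)" continuation leaves two blank lines before TALLOCTORT_OBJ and should be dropped. More substantively, SMBCACLS_OBJ moves from $(PASSDB_GET_SET_OBJ) to the full $(PASSDB_OBJ) plus $(GROUPDB_OBJ) and $(SECRETS_OBJ), and the message above does not say why a client utility now needs the whole passdb and group mapping code; a sentence of justification, or a narrower dependency, would help.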
 -494,7 +495,7 
nsswitch/winbindd_dual.o
 
 WINBINDD_OBJ = \
-   $(WINBINDD_OBJ1) $(PASSDB_GET_SET_OBJ) \
+   $(WINBINDD_OBJ1) $(PASSDB_OBJ) $(GROUPDB_OBJ) \
$(LIBNMB_OBJ) $(PARAM_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) \
$(LIBSMB_OBJ) $(LIBMSRPC_OBJ) $(RPC_PARSE_OBJ) \
$(PROFILE_OBJ) $(UNIGRP_OBJ) \
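Review bot: WINBINDD_OBJ gains $(PASSDB_OBJ) and $(GROUPDB_OBJ) here but not $(SECRETS_OBJ), which the SMBCACLS_OBJ change had to add alongside them. get_group_from_gid now calls secrets_allocate_rid(), so unless $(WINBINDD_OBJ1) or one of the other listed objects already provides the secrets code, winbindd will not link; please confirm, and list $(SECRETS_OBJ) explicitly if it is needed.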
diff -ur samba/cvs/head/samba/source/groupdb/mapping.c head/source/groupdb/mapping.c
--- samba/cvs/head/samba/source/groupdb/mapping.c   Mon Sep 23 18:34:17 2002
+++ head/source/groupdb/mapping.c   Thu Sep 26 22:39:00 2002
 -1040,14 +1040,13 
return True;
 }
 
-
-
 /
 Returns a GROUP_MAP struct based on the gid.
 /
 BOOL get_group_from_gid(gid_t gid, GROUP_MAP *map, BOOL with_priv)
 {
struct group *grp;
+   uint32 rid;
 
if(!init_group_mapping()) {
DEBUG(0,(failed to initialize group mapping));
 -1057,24 +1056,46 
if ( (grp=getgrgid(gid)) == NULL)
return False;
 
-   /*
-* make a group map from scratch if doesn't exist.
-*/
-   if (!get_group_map_from_gid(gid, map, with_priv)) {
-   map-gid=gid;
-   map-sid_name_use=SID_NAME_ALIAS;
-   map-systemaccount=PR_ACCESS_FROM_NETWORK;
-   init_privilege(map-priv_set);
-
-   /* interim solution until we have a last RID allocated */
+   if (get_group_map_from_gid(gid, map, with_priv))
+   return True;
 
-   sid_copy(map-sid, get_global_sam_sid());
-   sid_append_rid(map-sid, pdb_gid_to_group_rid(gid));
+   /* There's no mapping, try to create one on the fly. */
 
-   fstrcpy(map-nt_name, grp-gr_name);
-   fstrcpy(map-comment, Local Unix Group);
+   if ((rid = secrets_allocate_rid()) != 0) {
+   DOM_SID sid;
+   fstring string_sid;
+   PRIVILEGE_SET priv_set;
+
+   sid_copy(sid, get_global_sam_sid());
+   sid_append_rid(sid, rid);
+   sid_to_string(string_sid, sid);
+   init_privilege(priv_set);
+
+   if (add_initial_entry(gid, string_sid, SID_NAME_ALIAS,
+ grp-gr_name, Local Unix Group,
+ priv_set, PR_ACCESS_FROM_NETWORK)) {
+   if (get_group_map_from_gid(gid, map, with_priv))
+   return True;
+   }
+   DEBUG(0, (Weird! Did not find the group map just created\n));
}
-   
+
+   /* Fake a group. This is just a bad hack, as
+  the RID will clash with a mapped group. */
+
+   DEBUG(0, (Faking a group mapping\n));
+
+   map-gid=gid;
+   map-sid_name_use=SID_NAME_ALIAS;
+   map-systemaccount=PR_ACCESS_FROM_NETWORK;
+   init_privilege(map-priv_set);
+
+   sid_copy(map-sid, get_global_sam_sid());
+   sid_append_rid(map-sid, pdb_gid_to_group_rid(gid));
+
+  
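Review bot: the fallback at the end of get_group_from_gid still builds the SID from pdb_gid_to_group_rid(gid), although the new comment itself says "the RID will clash with a mapped group"; two groups resolving to the same SID is an access-control problem, so returning False when secrets_allocate_rid() or add_initial_entry() fails would be safer than faking a mapping. In the same block, the "Weird! Did not find the group map just created" DEBUG is also reached when add_initial_entry() itself fails, so it misreports that case, and the RID just taken from secrets_allocate_rid() is then consumed without being used. A lookup function that now writes a persistent mapping for any gid known to getgrgid() should say so in its header comment.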

Re: --wuth-tdbsam ?

2002-09-26 Thread Jelmer Vernooij

On Thu, Sep 26, 2002 at 03:30:44PM -0500, Steve Langasek wrote about 'Re: 
--wuth-tdbsam ?':
   and tdbsam should be the default passdb backend in 3.0. We should remove
   the smbpasswd file and provide a migration script.
  'pdbedit -i smbpasswd -e tdbsam' does exactly that.. now we only need
  to document it :-)
 Is pdb importing from smbpasswd going to be fixed first so that
 everyone's passwords don't expire 12 days after they upgrade? :)
PDB importing should work..

Jelmer



Re: (no subject)

2002-09-26 Thread Rafal Szczesniak

On Thu, Sep 26, 2002 at 12:02:51PM -0700, James Bowes wrote:
 Hi.
  
 I am not a developer but I'd like to help with testing if needed. The
 roadmap indicates some areas of interest for me personally and if you
 could use the help.
  
 Trust relationships and the migration script would be some of the areas
 where I could help.

If you're able to test some parts of samba trusted domains capability,
then it's good to know. This area may need a lot of testing soon.



-- 
cheers,
Rafal 'Mimir' Szczesniak [EMAIL PROTECTED]
*BSD, GNU/Linux and Samba



Re: Using winbind with Wine

2002-09-26 Thread Tim Potter

On Thu, Sep 26, 2002 at 01:47:38PM +0200, Martin Wilck wrote:

 To initiate this process we'd only need a standardized protocol for
 the socket communication. Andrew said that doesn't exist and won't with
 regard to winbind. I'd like to focus the discussion in this direction.
 
  - is the winbind team willing to standardize the protocol, or at least
ensure backward compatibility in future versions?

There is a LGPL client library (well library is probably doing it more
justice than it deserves) called wb_client.c which is used in the
NSS modules that talk to winbindd.  I would think that would be a
preferable way of talking to winbindd rather than rewriting code
to talk the winbindd protocol.

  - is the winbind team willing to add more RPC calls to the interface?

Not unless they are related to authentication or user/group enumeration.

 winebind would be linked against Samba libraries, and therefore be GPL
 from the start.

Heh - cute name.  (-:


Tim.



Re: --wuth-tdbsam ?

2002-09-26 Thread Steve Langasek

On Thu, Sep 26, 2002 at 11:29:51PM +0200, Jelmer Vernooij wrote:
 On Thu, Sep 26, 2002 at 03:30:44PM -0500, Steve Langasek wrote about 'Re: 
--wuth-tdbsam ?':
and tdbsam should be the default passdb backend in 3.0. We should remove
the smbpasswd file and provide a migration script.
   'pdbedit -i smbpasswd -e tdbsam' does exactly that.. now we only need
   to document it :-)
  Is pdb importing from smbpasswd going to be fixed first so that
  everyone's passwords don't expire 12 days after they upgrade? :)
 PDB importing should work..

Meaning that this bug has already been fixed?  I haven't tried it in over
a month now; no one tells me when these things are fixed, only when
they're broken... :D

Steve Langasek
postmodern programmer





Re: Samba 3.0 and UserManager?

2002-09-26 Thread Andrew Bartlett

Eddie Lania wrote:
 
 Does this also remove the bug that causes the user password time settings
 to be changed, even when the cancel button is pressed in usermgr?

No, but my other commit (the patch from metze) could well have helped on
that.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net



Re: Using winbind with Wine

2002-09-26 Thread Andrew Bartlett

Tim Potter wrote:
 
 On Thu, Sep 26, 2002 at 01:47:38PM +0200, Martin Wilck wrote:
 
  To initiate this process we'd only need a standardized protocol for
  the socket communication. Andrew said that doesn't exist and won't with
  regard to winbind. I'd like to focus the discussion in this direction.
 
   - is the winbind team willing to standardize the protocol, or at least
 ensure backward compatibility in future versions?
 
 There is a LGPL client library (well library is probably doing it more
 justice than it deserves) called wb_client.c which is used in the
 NSS modules that talk to winbindd.  I would think that would be a
 preferable way of talking to winbindd rather than rewriting code
 to talk the winbindd protocol.

The problem is that we don't ship it as a shared lib, and it still
expects the client program to fill in the winbind struct.  This is the
problem, because that struct changes shape regularly.

   - is the winbind team willing to add more RPC calls to the interface?
 
 Not unless they are related to authentication or user/group enumeration.

Agreed.  (However I am thinking of moving nss_wins in there soon too, to
match the IRIX code).

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net




Re: --wuth-tdbsam ?

2002-09-26 Thread Andrew Bartlett

Steve Langasek wrote:
 
 On Thu, Sep 26, 2002 at 09:20:19PM +0200, Jelmer Vernooij wrote:
  On Thu, Sep 26, 2002 at 09:14:39PM +0200, Jean Francois Micouleau wrote about 'Re: 
--wuth-tdbsam ?':
 
   On Thu, 26 Sep 2002, Gerald (Jerry) Carter wrote:
 
Anyone?
 
Why do we still have a configure flag for this since it is selectable
at run time ?
  I guess it used to be optional since we didn't want to compile in
  unstable code.
 
   and tdbsam should be the default passdb backend in 3.0. We should remove
   the smbpasswd file and provide a migration script.
  'pdbedit -i smbpasswd -e tdbsam' does exactly that.. now we only need
  to document it :-)
 
 Is pdb importing from smbpasswd going to be fixed first so that
 everyone's passwords don't expire 12 days after they upgrade? :)

The problem isn't actually tdbsam, it's smbpasswd.  Smbpasswd is giving
out dodgy made up values.  See, we have a policy database that stores
the 'max password age' etc, but we don't do 'last change time + max
password age = must change time' yet.  I was going to do that, but with
a default value of 21 days, it would lock a lot of people out (who would
certainly not be expecting it).

Really, people have been using smbpasswd on the assumption that
'password does not expire' was implicitly set.  Possibly having an easy
tool to set that on every account might be a good idea, but I'm just not
sure.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net



Re: Future plans for next alpha release

2002-09-26 Thread Gerald (Jerry) Carter

On Fri, 27 Sep 2002, Jelmer Vernooij wrote:

 What should happen to features that are marked 'not required' on the
 roadmap ? Should these go into HEAD or 3_0 when they are developed? What
 about the sam system?

My opinion is that something that is not required for 3.0 to ship
should continue to be developed in HEAD.  Once it is finished,
then we will discuss whether or not it is suitable to be merged 
into 3.0[.x].  If the risk assessment comes out OK, then we can look at 
merging it for a 3.0.x release.  Note that code that changes the
semantics seen by an admin or user will take a lot of convincing 
for me.  Internal changes for correctness are much easier to swallow.






cheers, jerry
 -
 Hewlett-Packard http://www.hp.com
 SAMBA Team   http://www.samba.org
 --http://www.plainjoe.org
 SAMS Teach Yourself Samba in 24 Hours 2ed.   ISBN 0-672-32269-2
 --I never saved anything for the swim back. Ethan Hawk in Gattaca--




Re: --with-libsmbclient=no the default ?

2002-09-26 Thread Andrew Bartlett

Gerald (Jerry) Carter wrote:
 
 On Thu, 26 Sep 2002, Jelmer Vernooij wrote:
 
  On Thu, Sep 26, 2002 at 02:20:06PM -0500, Gerald (Jerry) Carter wrote about '--with-libsmbclient=no the default ?':
   I thought libsmbclient should be built by default in 3.0 ?
   When (& why) did this change ?  Was it me ?
 
  According to configure.in, it is built by default if the OS has
  support for shared libraries.
 
 That's what I thought, but it didn't build on my last check.  I'll go back
 and see why not

It's not in the 'all' target.  I had to move to 'make everything' to get
the build farm to do it.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net



Re: --with-libsmbclient=no the default ?

2002-09-26 Thread Steve Langasek

On Fri, Sep 27, 2002 at 11:28:38AM +1000, Andrew Bartlett wrote:
 Gerald (Jerry) Carter wrote:

  On Thu, 26 Sep 2002, Jelmer Vernooij wrote:

   On Thu, Sep 26, 2002 at 02:20:06PM -0500, Gerald (Jerry) Carter wrote about '--with-libsmbclient=no the default ?':
I thought libsmbclient should be built by default in 3.0 ?
When (& why) did this change ?  Was it me ?

   According to configure.in, it is built by default if the OS has
   support for shared libraries.

  That's what I thought, but it didn't build on my last check.  I'll go back
  and see why not

 It's not in the 'all' target.  I had to move to 'make everything' to get
 the build farm to do it.

When you get to 'make universe', you know it's time to rethink your
naming schemes for Makefile targets. ;)

Steve Langasek
postmodern programmer





Re: CVS update: samba/source

2002-09-26 Thread Gerald (Jerry) Carter

On Thu, 26 Sep 2002 [EMAIL PROTECTED] wrote:

 
 Date: Fri Sep 27 01:02:37 2002
 Author:   abartlet
 
 Update of /data/cvs/samba/source
 In directory dp.samba.org:/tmp/cvs-serv18726
 
 Modified Files:
   configure.in configure 
 Log Message:
 Readd the 2.2 --with-ldapsam parameters so as to allow a smooth upgrade path to
 a 3.0 based PDC.

Andrew, I'm confused.  Why does this help with an upgrade?
Sorry. I can't envision a scenario where this would matter.
What am I not seeing here?




cheers, jerry




Re: --wuth-tdbsam ?

2002-09-26 Thread Steve Langasek

On Fri, Sep 27, 2002 at 11:18:01AM +1000, Andrew Bartlett wrote:

  On Thu, Sep 26, 2002 at 09:20:19PM +0200, Jelmer Vernooij wrote:
   On Thu, Sep 26, 2002 at 09:14:39PM +0200, Jean Francois Micouleau wrote about 'Re: --wuth-tdbsam ?':

On Thu, 26 Sep 2002, Gerald (Jerry) Carter wrote:

 Anyone?

 Why do we still have a configure flag for this since it is selectable
 at run time ?
   I guess it used to be optional since we didn't want to compile in
   unstable code.

and tdbsam should be the default passdb backend in 3.0. We should remove
the smbpasswd file and provide a migration script.
   'pdbedit -i smbpasswd -e tdbsam' does exactly that.. now we only need
   to document it :-)

  Is pdb importing from smbpasswd going to be fixed first so that
  everyone's passwords don't expire 12 days after they upgrade? :)

 The problem isn't actually tdbsam, it's smbpasswd.  Smbpasswd is giving
 out dodgy made up values.  See, we have a policy database that stores
 the 'max password age' etc, but we don't do 'last change time + max
 password age = must change time' yet.  I was going to do that, but with
 a default value of 21 days, it would lock a lot of people out (who would
 certainly not be expecting it).

Well, the users aren't going to care /where/ the problem lies if they
upgrade and find that the defaults cause them to start being locked out
of their accounts... :)  The fact is that if tdbsam is going to become
the default and preferred backend, users are going to need some way to
sanely migrate from smbpasswd to tdbsam.

 Really, people have been using smbpasswd on the assumption that
 'password does not expire' was implicitly set.  Possibly having an easy
 tool to set that on every account might be a good idea, but I'm just not
 sure.

So then, doesn't it make sense to treat smbpasswd entries as if password
does not expire is set as part of the smbpasswd pdb interface?  Why
change the semantics of the smbpasswd entry unnecessarily?

Steve Langasek
postmodern programmer





Re: CVS update: samba/source

2002-09-26 Thread Andrew Bartlett

Gerald (Jerry) Carter wrote:
 
 On Thu, 26 Sep 2002 [EMAIL PROTECTED] wrote:
 
 
  Date: Fri Sep 27 01:02:37 2002
  Author:   abartlet
 
  Update of /data/cvs/samba/source
  In directory dp.samba.org:/tmp/cvs-serv18726
 
  Modified Files:
configure.in configure
  Log Message:
  Readd the 2.2 --with-ldapsam parameters so as to allow a smooth upgrade path to
  a 3.0 based PDC.
 
 Andrew, I'm confused.  Why does this help with an upgrade?
 Sorry. I can't envision a scenario where this would matter.
 What am I not seeing here?

OK, in HEAD I dropped 'ldap server' and 'ldap port' as parameters, moving
to the 'passdb backend' scheme.  However, this would mean that a valid
2.2 configuration would not function in 3.0.

This change (and the bit I forgot - making ldapsam the default passdb
backend...) should make 'direct' upgrades possible.  Now if you were
thinking of doing something different, that's fine - we may well have
misunderstood each other.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net



Re: --wuth-tdbsam ?

2002-09-26 Thread Andrew Bartlett

Steve Langasek wrote:
 
 On Fri, Sep 27, 2002 at 11:18:01AM +1000, Andrew Bartlett wrote:
 

  The problem isn't actually tdbsam, it's smbpasswd.  Smbpasswd is giving
  out dodgy made up values.  See, we have a policy database that stores
  the 'max password age' etc, but we don't do 'last change time + max
  password age = must change time' yet.  I was going to do that, but with
  a default value of 21 days, it would lock a lot of people out (who would
  certainly not be expecting it).
 
 Well, the users aren't going to care /where/ the problem lies if they
 upgrade and find that the defaults cause them to start being locked out
 of their accounts... :)  The fact is that if tdbsam is going to become
 the default and preferred backend, users are going to need some way to
 sanely migrate from smbpasswd to tdbsam.

I honestly doubt tdbsam is sufficiently stable for use as a default.  I
think we need that kind of backend, but given its extremely limited
testing, it worries me.  Yes, this is circular dependency.  

The way the ldap stuff got around it was that we had a 'pull' from
users, but users by and large don't appreciate the benefits of tdbsam,
so don't go out of their way to use it.

  Really, people have been using smbpasswd on the assumption that
  'password does not expire' was implicitly set.  Possibly having an easy
  tool to set that on every account might be a good idea, but I'm just not
  sure.
 
 So then, doesn't it make sense to treat smbpasswd entries as if password
 does not expire is set as part of the smbpasswd pdb interface?  Why
 change the semantics of the smbpasswd entry unnecessarily?

Except we have a flag for 'password does not expire' - and we don't have
a sensible way to set a negating flag 'password does expire'.  Forcing
that flag 'on' might be the most sensible choice, except then we get a
mismatch between smbpasswd and the other backends (again...).

Andrew Bartlett
-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
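
The expiry rule discussed in this thread ('last change time + max password age = must change time') and the option of forcing 'password does not expire' on for entries imported from smbpasswd, sketched as an added example. It is not code from any of the messages or from Samba; the struct, function names, flag value and dates are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical names and values for illustration; not Samba's passdb API. */
#define ACCT_PWNOEXP 0x0200u            /* 'password does not expire' */
#define NEVER ((time_t)0x7fffffff)      /* sentinel: no forced change */
#define DAY ((time_t)86400)

struct account {
    time_t   last_change;  /* when the password was last set */
    uint32_t flags;        /* account control bits */
};

/* must change time = last change time + max password age, unless the
 * account is exempt or the policy is switched off (max_age == 0). */
time_t must_change_time(const struct account *a, time_t max_age)
{
    if ((a->flags & ACCT_PWNOEXP) || max_age == 0)
        return NEVER;
    if (a->last_change > NEVER - max_age)   /* clamp instead of overflowing */
        return NEVER;
    return a->last_change + max_age;
}

int is_expired(const struct account *a, time_t max_age, time_t now)
{
    return now >= must_change_time(a, max_age);
}

/* Import from a backend that never tracked expiry: make the old implicit
 * behaviour explicit by setting the flag rather than inventing a date. */
struct account import_legacy(time_t last_change, uint32_t flags)
{
    struct account a = { last_change, flags | ACCT_PWNOEXP };
    return a;
}

int main(void)
{
    /* Constructed sample: password set 2002-01-01, checked 2002-09-27 UTC. */
    time_t set = 1009843200, now = 1033084800;
    struct account naive = { set, 0 };
    struct account kept  = import_legacy(set, 0);

    printf("naive import expired: %d\n", is_expired(&naive, 21 * DAY, now));
    printf("flagged import expired: %d\n", is_expired(&kept, 21 * DAY, now));
    return 0;
}
```

With the 21-day default mentioned in the thread, the unflagged account is already locked out at the first check after migration, while the flagged one behaves as it did under smbpasswd.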



Re: CVS update: samba/source

2002-09-26 Thread Gerald (Jerry) Carter

On Fri, 27 Sep 2002, Andrew Bartlett wrote:

 OK, in HEAD I dropped 'ldap server' and 'ldap port' as parameters, moving
 to the 'passdb backend' scheme.  However, this would mean that a valid
 2.2 configuration would not function in 3.0.
 
 This change (and the bit I forgot - making ldapsam the default passdb
 backend...) should make 'direct' upgrades possible.  Now if you were
 thinking of doing something different, that's fine - we may well have
 misunderstood each other.

No.. I should have looked at the diff before mailing you.  The 
commit message made me think that you had added the autoconf option 
back in.  That's what I couldn't understand :-)  But you just 
readded the smb.conf parameters.  That's fine.  Thanks.




cheers, jerry




Re: CVS for alpha release?

2002-09-26 Thread Richard Sharpe

On Thu, 26 Sep 2002, James Bowes wrote:

 Hi.
 
 I have offered to test some trusts and migration scripts for this
 project. The CVS source configures well but does not build a usable
 Makefile. Just wondering if there's something I am missing

Well, I built the CVS tree just yesterday under FreeBSD and Linux, and it 
built just fine, from configure, through make through running it.

What sort of error messages do you get?

Regards
-
Richard Sharpe, [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED]




Re: A RID allocator and its consequences

2002-09-26 Thread Volker Lendecke

On Fri, Sep 27, 2002 at 07:44:36AM +1000, Tim Potter wrote:
 It is the wrong place to do it.  If some data should only be accessible
 by root then it should live in secrets.tdb otherwise it should go
 somewhere else.

I know. This is just experimental code playing with the thought how far you can
take the existing passdb interface. Take out the domain SIDs as well?

Volker






Re: A RID allocator and its consequences

2002-09-26 Thread Andrew Bartlett

Volker Lendecke wrote:
 
 On Fri, Sep 27, 2002 at 07:44:36AM +1000, Tim Potter wrote:
  It is the wrong place to do it.  If some data should only be accessible
  by root then it should live in secrets.tdb otherwise it should go
  somewhere else.
 
 I know. This is just experimental code playing with the thought how far you can
 take the existing passdb interface. Take out the domain SIDs as well?

yes, domain sids do belong elsewhere.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net



Re: A RID allocator and its consequences

2002-09-26 Thread Andrew Bartlett

[EMAIL PROTECTED] wrote:
 
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Hi!
 
 This is a surprisingly little (compiled, but not tested) patch that
 mainly should do the following:
 
 Implement a rid allocator in secrets.tdb. This might not be the right
 place to do it, but as we are one-domain with passdb, RID allocation
 is a global thing.
 
 Second, in get_group_from_gid it initializes a new group mapping as an
 alias on the fly. So if the gid exists it should basically not fail
 anymore.
 
 Third, as a consequence of get_group_from_gid, most of the calls to
 pdb_gid_to_group_rid are gone. There's two left in passdb.c which I
 don't really understand. Maybe it's too late now. The remaining one is
 in pdb_nisplus which I will not touch for now.
 
 This is only an interim step I think, the next step would be to remove
 the group_sid from SAM_ACCOUNT completely, as we can now always get a
 SID for a gid.

OK, the really nasty bit about this is the implicit mapping of existing
unix accounts to rids.  I went to a lot of effort to try and get rid of
it - but the best I could do was hide it under a pile of interfaces and
pretend it wasn't there ;-)

If you use smbpasswd, naturally, you get 'algorithmic' rids.  Fine, you
probably won't be using smbpasswd for this game anyway.  The problem is
that any unix user must also have a RID.  This is because at any time, a
user might try and get the security descriptor of a file.

The next problem is that we don't like reusing RIDs - so if that rid was
ever available 'implicitly' then we should not use it.  Also, a user
'upgraded' from /etc/passwd should keep the same RID.  This is the
reasoning for the crazy stuff in unixsam.  (I'm still undecided if it's
very neat or an ugly hack...).  

However, there is an 'out'.  If you never specify 'unixsam', and always
import users, setting a rid when you add them (currently smbpasswd uses
the algorithm or their unixsam upgrade), then this will work.  But if
somebody asks for a security descriptor on a file, and we don't know the
mapping for that owner, then it will fail.  BTW, using 'hide unreadable'
counts as asking for the mapping, as I found out recently...

Andrew Bartlett
-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net