Re: upgrade to 3.0alpha20: accented chars in filenames unreadable

2002-10-17 Thread Louis-David Mitterrand

On Wed, Oct 16, 2002 at 09:30:20AM -0500, Steve Langasek wrote:
 
 The current Debian Samba package uses the following shell snippet to
 convert between 2.2-style character set settings and 3.0-style settings,
 if the user has opted to let Debian manage the smb.conf file directly.
 If the user has chosen to not allow automatic management of smb.conf, any
 character set and client code page values in smb.conf will need to be
 converted by hand to the new unix charset and dos charset values.
 
 If the user previously had these settings in smb.conf, and they were
 converted but accents are still broken, please let me know.  (Preferably,
 a bug would be filed with the Debian BTS.)

But the problem occurs if smb.conf:

- is not managed by debconf,

- does not contain any character setting,

Which is probably a very common situation among samba admins using
debian. 

There should be a big warning during installation if these two conditions
are met, suggesting that unix charset should be used if filenames
contain accented chars.

-- 
 HIPPOLYTE: N'osez-vous confier ce secret à ma foi ?
THESEE: Perfide, oses-tu bien te montrer devant moi ?
  (Phèdre, J-B Racine, acte 4, scène 2)



Re: [Samba] upgrade to 3.0alpha20: accented chars in filenames unreadable

2002-10-17 Thread Louis-David Mitterrand

On Wed, Oct 16, 2002 at 05:03:01PM +0200, Ignacio Coupeau wrote:
 the samba share; and the filename is impossible to modify from windows:
 samba log says file not found. From the shell the file looks like
 r?sum?.xls but the ? are actually 0x83.
 
 In a hurry I used
   unix charset = CP850
 http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html#internationalization
 
 this solved our problems (redhat 7.2; samba-3.0a20) for example in the 
 profile load on the spanish xp (ie Star menu--menú Inicio).

Thanks for sharing this. It certainly is an excellent stopgap measure,
until proper filename conversion can be done.

The best way, if possible, would be to retain backward compatibility for
reading samba-2.2.x filenames (as with unix charset) while having new
or modified files written in unicode (or whatever the default in
samba-3.x). 

BTW: keep up the great job on your smb-ldap howto, it is a precious
resource.

Cheers,

-- 
PANOPE: Au Prince votre fils l'un donne son suffrage,
Madame ; et de l'Etat l'autre oubliant les lois,
Au fils de l'étrangère ose donner sa voix.
  (Phèdre, J-B Racine, acte 1, scène 4)



Re: [Samba] upgrade to 3.0alpha20: accented chars in filenames unreadable

2002-10-17 Thread Simo Sorce

This is the proper way!
If you have to maintain compatibility, you set the unix charset to be a
code page instead of unicode.

Or you mean you want a way to make samba recognize which kind of charset
has been used previously and support both the former and utf-8 at the
same time?

Simo.

On Thu, 2002-10-17 at 09:48, Louis-David Mitterrand wrote:
 On Wed, Oct 16, 2002 at 05:03:01PM +0200, Ignacio Coupeau wrote:
  the samba share; and the filename is impossible to modify from windows:
  samba log says file not found. From the shell the file looks like
  r?sum?.xls but the ? are actually 0x83.
  
  In a hurry I used
  unix charset = CP850
  http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html#internationalization
  
  this solved our problems (redhat 7.2; samba-3.0a20) for example in the 
  profile load on the spanish xp (ie Star menu--menú Inicio).
 
 Thanks for sharing this. It certainly is an excellent stopgap measure,
 until proper filename conversion can be done.
 
 The best way, if possible, would be to retain backward compatibility for
 reading samba-2.2.x filenames (as with unix charset) while having new
 or modified files written in unicode (or whatever the default in
 samba-3.x). 
 
 BTW: keep up the great job on your smb-ldap howto, it is a precious
 resource.
 
 Cheers,
 
 -- 
 PANOPE: Au Prince votre fils l'un donne son suffrage,
 Madame ; et de l'Etat l'autre oubliant les lois,
 Au fils de l'étrangère ose donner sa voix.
   (Phèdre, J-B Racine, acte 1, scène 4)
-- 
Simo Sorce - [EMAIL PROTECTED]
Xsec s.r.l.
via Durando 10 Ed. G - 20158 - Milano
tel. +39 02 2399 7130 - fax: +39 02 700 442 399





Re: Hmmm. Special XP weirdness/brokenness. Windows 2K working on 2.2.2 and 2.2.5 and Windows XP Not (not the usual problems)

2002-10-17 Thread Andrew Bartlett
Alan Jones wrote:
 
 Hi,
 
 We have some special weirdness happening with Samba and windows XP here.
 
 Background:
 
 We are wanting to install a third party product passlogix, V-GO single
 sign on product on windows
 (http://www.passlogix.com), which authenticates against a windows
 server. Basically it uses the windows
 Authentication to allow the decryption of a credential database, to
 allow automatic signing on to many
 Applications. It allows a user only to have to remember a single
 password, and then sign on to multiple
 Applications. Great application. Useful for medicos, who otherwise have
 to remember 10 passwords that roll each month
 Etc.
 
 Anyway. To cut a long story short. We have tried this on 2.2.5 and 2.2.2
 and the same thing happens. Anyway.
 
 We install the product on W2K and it works and on WINXP (against the
 same samba server and she broke).
 
 The product requires the user to re-authenticate prior to decrypting the
 credential database.

This is after the domain logon?  And how does it do that?  

 When we use *DISCONNECT* the WINXP box from the network (using winXP)
 cached credentials, ie no samba
 Authentication it works like a treat. ONLY when Samba is queried she
 broke.

Hmm - I'm assuming this is using a domain logon.  It could be something
to do with session keys, or other such fun.

 We can provide a copy of the passlogix product if people are keen to
 help.
 
 Seems like the WinXP is doing things differently.

WinXP does a few things differently. :-(

 Now I should point out that WINXP, authenticates against the samba
 server as part of the windows login PERFECTLY.
 So as far as windows is concerned everything is nice with samba, only
 this third party product, which WE HAVE
 To RUN is broken. All help is gladly appreciated. I don't want to have
 to install active directory.

This looks very interesting - I'll need a lot more detail before I can
be much use unfortunately.  But given sufficient traces, we should be able
to track this down...

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net



Re: [PATCH] Heimdal build fix

2002-10-17 Thread Guenther Deschner
hi luke,

i have tried your patch with heimdal-0.5 and heimdal-0.4e
and added some rough configure.in-checks so that you can choose now 
between your kerberos implementation:

  --with-krb5impl={heimdal,mit}  Choose Kerberos 5 implementation (default=mit)
  --with-krb5libs=DIR            Locate Kerberos 5 libs (default=/usr)
  --with-krb5includes=DIR        Locate Kerberos 5 includes (default=/usr/)

if you have chosen heimdal and configure finds your libs/includes, 
HAVE_HEIMDAL is going to be set.
i also had to add $(LIBADS_OBJ) $(LIBADS_SERVER_OBJ) on several occasions 
in the Makefile to link the missing krb5_set_real_time-function 
(i think this should not be the long-term solution.)

everything compiles fine now (with heimdal-0.5, because 0.4e does not have
AP_OPTS_USE_SUBKEY), net ads and smbclient do work *correctly* towards
win2k advanced server, but smbd and winbindd do *not* correctly retrieve 
their ticket in ads-mode. while smbd fails with:

libads/kerberos_verify.c:ads_verify_ticket(192)
  krb5_rd_req with auth failed (Unknown error -1765328203)

winbind immediately panics.

i suspect that heimdal cannot correctly handle the des-cbc-md5-enctype
that ads uses when the machine is joined to the domain, but i am really 
not a kerberos expert... 

it would be great to finally have samba3 working with heimdal.

thanks a lot,
guenther

On Wed, Oct 09, 2002 at 05:56:17PM +1000, Luke Howard wrote:
 We're using a custom version of Heimdal, so I may have left out
 a few things that prevent it from building on a normal system.
 Please let me know if I have and I'll fix the patch. It is also
 untested right now, so you may wish to wait until I've had time
 to test it before applying it. :-)
 
 There is no auto-detection; you must configure with -DHEIMDAL.
 You may also need to comment out the /usr/kerberos check in
 configure.in if building on a RedHat system.
 
 regards,
 
 -- Luke


-- 
Guenther Deschner  [EMAIL PROTECTED]
SuSE Linux AG     GnuPG: 8EE11688
Berliner Str. 27  phone:  +49 (0) 30 / 430944778
D-13507 Berlin   fax:  +49 (0) 30 / 43732804

--- source/include/includes.h   18 Sep 2002 19:06:58 -  1.280
+++ source/include/includes.h   9 Oct 2002 07:51:53 -
@@ -397,6 +397,9 @@
 #endif
 
 #if HAVE_KRB5_H
+#ifdef HAVE_HEIMDAL
+#define __MD5_H__
+#endif
 #include krb5.h
 #else
 #undef HAVE_KRB5
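Review bot: The `#define __MD5_H__` added ahead of the krb5.h include has no comment saying whose include guard it pre-empts or which symbol clash it avoids. Pre-defining another header's guard silently stops working if that guard is ever renamed, and it suppresses that header for every file that pulls in includes.h. Please add a comment naming the conflicting md5.h, and consider a configure-time check for the clash instead of keying it on HAVE_HEIMDAL.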
@@ -410,6 +413,12 @@
 #include ldap.h
 #else
 #undef HAVE_LDAP
+#endif
+
+#if HAVE_GSSAPI_H
+#include gssapi.h
+#else
+#undef HAVE_KRB5
 #endif
 
 #if HAVE_GSSAPI_GSSAPI_H
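Review bot: The new `#else` / `#undef HAVE_KRB5` fires whenever gssapi.h is missing, even on systems where only gssapi/gssapi.h exists, which the very next block (`#if HAVE_GSSAPI_GSSAPI_H`) is there to handle. Kerberos support should be dropped only when neither header is found, for example by testing both macros in one `#if ... #elif ... #else` chain.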
--- source/libads/kerberos_verify.c 4 Oct 2002 07:41:56 -   1.3
+++ source/libads/kerberos_verify.c 9 Oct 2002 07:51:54 -
@@ -24,6 +24,27 @@
 
 #ifdef HAVE_KRB5
 
+#if defined(HAVE_HEIMDAL)  !defined(XAD)
+/*
+ * This function is not in the Heimdal mainline.
+ */
+krb5_error_code krb5_set_real_time(krb5_context context,
+  int32_t seconds, int32_t microseconds)
+{   
+   krb5_error_code ret;
+   int32_t sec, usec;
+
+   ret = krb5_us_timeofday(context, sec, usec);
+   if (ret)
+   return ret;
+
+   context-kdc_sec_offset = seconds - sec;
+   context-kdc_usec_offset = microseconds - usec;
+
+   return 0;
+}
+#endif /* HAVE_HEIMDAL  !XAD */
+
 /*
   verify an incoming ticket and parse out the principal name and 
   authorization_data if available 
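Review bot: krb5_set_real_time is defined here under a public krb5_ name, non-static, and guarded only by HAVE_HEIMDAL and not XAD, so a Heimdal release that ships the function would produce a duplicate definition. A configure check for the function itself would be safer than keying on the implementation. The body also writes the kdc_sec_offset and kdc_usec_offset fields of the context directly, which ties this file to the layout of the context structure; since this adjusts the KDC time offset, add a comment on where the seconds and microseconds values are expected to come from.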
@@ -36,10 +57,14 @@
krb5_keytab keytab = NULL;
krb5_data packet;
krb5_ticket *tkt = NULL;
+#ifdef HAVE_HEIMDAL
+   krb5_salt salt;
+#else
krb5_data salt;
krb5_encrypt_block eblock;
+#endif /* HAVE_HEIMDAL */
int ret, i;
-   krb5_keyblock * key;
+   krb5_keyblock *key;
krb5_principal host_princ;
char *host_princ_s;
extern pstring global_myname;
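Review bot: The `krb5_keyblock * key` to `krb5_keyblock *key` change is whitespace only and is best left out of a build-fix patch so the diff stays limited to the Heimdal changes. Separately, `salt` now has a different type per implementation and `eblock` exists only in the non-Heimdal branch, so every later use of either needs the same #ifdef; a short comment at the declaration saying so would help the next person touching this function.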
@@ -48,6 +73,9 @@
krb5_data password;
krb5_enctype *enctypes = NULL;
 
+#ifdef XAD
+   /* We would rather use the keytab. */
+#else
if (!secrets_init()) {
DEBUG(1,(secrets_init failed\n));
return NT_STATUS_LOGON_FAILURE;
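Review bot: XAD is introduced at `#ifdef XAD` without being defined or documented anywhere in the visible patch, and its branch holds only the comment "We would rather use the keytab." Please say what XAD is and where it gets set (configure option or compiler flag), or drop the XAD conditionals from the version submitted to the main tree.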
@@ -61,6 +89,7 @@
 
password.data = password_s;
password.length = strlen(password_s);
+#endif /* XAD */
 
ret = krb5_init_context(context);
if (ret) {
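Review bot: With XAD defined, the `#endif /* XAD */` placed after `password.length = strlen(password_s);` means `password` is declared but never assigned. Any later code that reads password.data or password.length outside an XAD guard would use uninitialised memory; initialise the struct at its declaration or show that all later uses are compiled out as well.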
@@ -92,39 +121,68 @@
return NT_STATUS_LOGON_FAILURE;
}
 
+#ifdef HAVE_HEIMDAL
+   ret = krb5_get_pw_salt(context, host_princ, salt);
+   if (ret) {
+   DEBUG(1,(krb5_get_pw_salt failed (%s)\n, error_message(ret)));
+   return NT_STATUS_LOGON_FAILURE;
+   }
+#else
ret = krb5_principal2salt(context, host_princ, salt);
if (ret) {
DEBUG(1,(krb5_principal2salt failed (%s)\n, error_message(ret)));
return NT_STATUS_LOGON_FAILURE;
}
+#endif /* HAVE_HEIMDAL */
 
if (!(key = (krb5_keyblock *)malloc(sizeof(*key 
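Review bot: In the HAVE_HEIMDAL branch the krb5_get_pw_salt failure is reported through error_message(ret), and the smbd failure quoted earlier in this thread already prints "Unknown error -1765328203" from this file, which suggests Kerberos error codes are not being resolved to text in the Heimdal build. It is worth checking that the Heimdal error table is registered, or using the library's own error-text routine in this branch. The early `return NT_STATUS_LOGON_FAILURE` also returns without releasing the context set up by krb5_init_context, as the existing branch does.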

'On the Fly' mappings and PDC/BDC interactions

2002-10-17 Thread Andrew Bartlett
I'm just wondering if anybody has considered the impact of creating 'on
the fly' mappings for groups/users (uid-sid stuff) and how this plays
with PDC/BDC relationships...

If we have a BDC that is asked for a not-yet-mapped group, and gives it
a SID, how do we get that information back to the PDC?

In particular, I don't like the idea that the BDC must contact the PDC
in real time here - that would seem to defeat the point of having a
PDC/BDC.  (In particular, I can imagine setups where the BDC simply
cannot contact the PDC ever, and just assumes LDAP handles the
replications).  

Also, it would of course need to play with 'net rpc vampire'
correctly...

Anyway, this area is messy.

Andrew Bartlett
-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net



[PATCH] ldap connection caching (not ready!!!)

2002-10-17 Thread Stefan (metze) Metzmacher
Hi Andrew,

here's the NOT READY version of my ldap connection caching patch


metze
-
Stefan metze Metzmacher [EMAIL PROTECTED]
diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=.#* 
HEAD/source/passdb/pdb_ldap.c HEAD-pdb/source/passdb/pdb_ldap.c
--- HEAD/source/passdb/pdb_ldap.c   Thu Oct 17 14:32:53 2002
+++ HEAD-pdb/source/passdb/pdb_ldap.c   Thu Oct 17 14:29:57 2002
@@ -681,6 +681,11 @@ static BOOL init_sam_from_ldap (struct l
pstrcpy(nt_username, username);
 
pstrcpy(domain, lp_workgroup());
+   
+   pdb_set_username(sampass, username, PDB_SET);
+
+   pdb_set_domain(sampass, domain, PDB_DEFAULT);
+   pdb_set_nt_username(sampass, nt_username, PDB_SET);
 
get_single_attribute(ldap_struct, entry, rid, temp);
user_rid = (uint32)atol(temp);
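Review bot: The three pdb_set_* calls moved up here (pdb_set_username, pdb_set_domain, pdb_set_nt_username) ignore their return values, while pdb_set_lanman_passwd and pdb_set_nt_passwd further down in the same function return False on failure. Since the new debug messages depend on pdb_get_username(sampass) being valid, check the results here too. The added blank line at the top of the block also carries trailing whitespace.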
@@ -848,9 +853,10 @@ static BOOL init_sam_from_ldap (struct l
memset(hours, 0xff, hours_len);
 
if (!get_single_attribute (ldap_struct, entry, lmPassword, temp)) {
-   /* leave as default */
+   DEBUG(2,(no lmPassword found for user: 
+%s\n,pdb_get_username(sampass)));
} else {
pdb_gethexpwd(temp, smblmpwd);
+   DEBUG(2,(lmPassword found for user: %s 
+%s\n,pdb_get_username(sampass),temp)); 
memset((char *)temp, '\0', strlen(temp)+1);
if (!pdb_set_lanman_passwd(sampass, smblmpwd, PDB_SET))
return False;
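Review bot: The added `lmPassword found for user: %s %s` debug message prints `temp`, which at that point still holds the hex LM hash read from the directory, so the hash ends up in the log at debug level 2, one line before the code takes care to memset it. Log only the username (or only that the attribute was present) and drop the second %s.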
@@ -858,9 +864,10 @@ static BOOL init_sam_from_ldap (struct l
}
 
if (!get_single_attribute (ldap_struct, entry, ntPassword, temp)) {
-   /* leave as default */
+   DEBUG(2,(no ntPassword found for user: 
+%s\n,pdb_get_username(sampass)));
} else {
pdb_gethexpwd(temp, smbntpwd);
+   DEBUG(2,(ntPassword found for user: %s 
+%s\n,pdb_get_username(sampass),temp)); 
memset((char *)temp, '\0', strlen(temp)+1);
if (!pdb_set_nt_passwd(sampass, smbntpwd, PDB_SET))
return False;
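Review bot: Same problem as in the lmPassword hunk: the `ntPassword found for user: %s %s` message writes the hex NT hash held in `temp` to the log at level 2. The NT hash is password-equivalent for NTLM authentication, so it must not be logged; keep the username and remove the hash argument.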
@@ -881,11 +888,6 @@ static BOOL init_sam_from_ldap (struct l
pdb_set_hours_len(sampass, hours_len, PDB_SET);
pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
 
-   pdb_set_username(sampass, username, PDB_SET);
-
-   pdb_set_domain(sampass, domain, PDB_DEFAULT);
-   pdb_set_nt_username(sampass, nt_username, PDB_SET);
-
pdb_set_munged_dial(sampass, munged_dial, PDB_SET);

/* pdb_set_unknown_3(sampass, unknown3, PDB_SET); */
@@ -1217,6 +1219,50 @@ static uint32 ldapsam_get_next_available
 }
 
 /**
+Connect to LDAP server 
+*/
+static NTSTATUS ldapsam_open(struct pdb_methods *my_methods)
+{
+   struct ldapsam_privates *ldap_state = (struct ldapsam_privates 
+*)my_methods-private_data;
+
+   if (ldap_state-ldap_struct != NULL) {
+   DEBUG(4,(The connection to the LDAP server is up\n));
+   /* maybe we should check if the connection is still up --metze*/
+   return NT_STATUS_OK;
+   }
+
+   if (!ldapsam_open_connection(ldap_state, ldap_state-ldap_struct)) {
+   return NT_STATUS_UNSUCCESSFUL;
+   }
+   if (!ldapsam_connect_system(ldap_state, ldap_state-ldap_struct)) {
+   ldap_unbind(ldap_state-ldap_struct);
+   ldap_state-ldap_struct = NULL;
+   return NT_STATUS_UNSUCCESSFUL;
+   }
+   DEBUG(4,(The LDAP server is succesful connected\n));
+
+   return NT_STATUS_OK;
+}
+
+/**
+Disconnect from LDAP server 
+*/
+static NTSTATUS ldapsam_close(struct pdb_methods *my_methods)
+{
+   struct ldapsam_privates *ldap_state = (struct ldapsam_privates 
+*)my_methods-private_data;
+
+   if (ldap_state-ldap_struct != NULL) {
+   ldap_unbind(ldap_state-ldap_struct);
+   ldap_state-ldap_struct = NULL;
+   }
+   
+   DEBUG(5,(The connection to the LDAP server was closed\n));
+   /* maybe free the results here --metze */
+   
+   return NT_STATUS_OK;
+}
+
+/**
 Connect to LDAP server for password enumeration
 */
 static NTSTATUS ldapsam_setsampwent(struct pdb_methods *my_methods, BOOL update)
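Review bot: ldapsam_open returns NT_STATUS_OK as soon as ldap_struct is non-NULL, so once the connection is cached a server restart or idle timeout leaves every caller holding a dead handle; the `/* maybe we should check if the connection is still up --metze*/` comment flags this but nothing handles it. The callers need to treat a server-down result from the actual operation as a signal to call ldapsam_close and reopen, with a bounded retry. Minor: ldapsam_close logs that the connection was closed even when ldap_struct was already NULL.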
@@ -1226,11 +1272,8 @@ static NTSTATUS ldapsam_setsampwent(stru
int rc;
pstring filter;
 
-   if (!ldapsam_open_connection(ldap_state, ldap_state-ldap_struct)) {
-   return ret;
-   }
-   if (!ldapsam_connect_system(ldap_state, 

Re: [PATCH] rid allocator in passdb backend

2002-10-17 Thread Matt Pavlovich
 This patch does not yet handle the case where we already have a
 sambaDomainInfo entry, but no rid attribute. I do not know how you can
 make sure that you do not end up with two rid attributes. Does anybody
 know how to do this?

Define the rid attribute to be SINGLE-VALUE in the schema.  

Matt Pavlovich




Re: Bug in samba 2.2 + kernel 2.4?

2002-10-17 Thread Gerald (Jerry) Carter

On Thu, 17 Oct 2002, Jon Monroe wrote:

 I'm seeing tons of leftover directory handles for any directories
 visited on a samba share (via a win2k/win9x workstation). For every
 directory access inside a samba share, 3 handles are initially opened --
 2 read handles, and a single CWD handle. The CWD handle goes away, but
 the read handles sit around forever, or until you kill the smbd process
 that opened them. These add up pretty quick.
 
 What's really weird is I only see this on kernel 2.4 (2.4.18). If I go back 
 to my old kernel 2.2 box, the problem doesn't seem to exist.

No idea, but disabling kernel oplocks comes to mind.  This is all off the 
top of my head of course.





cheers, jerry
 -
 Hewlett-Packard   - http://www.hp.com
 SAMBA Team-- http://www.samba.org
 GnuPG Key  http://www.plainjoe.org/gpg_public.asc
 ISBN 0-672-32269-2SAMS Teach Yourself Samba in 24 Hours 2ed
 I never saved anything for the swim back. Ethan Hawk in Gattaca




Failed to open /usr/local/samba/private/secrets.tdb

2002-10-17 Thread steve
All, 

TIA, I have a feeling this is a question everyone knows the answer to but 
me, why do I keep getting the message: 

Failed to open /usr/local/samba/private/secrets.tdb 

Solaris 8 02/02 release.  private/secrets.tdb does not exist, and 
/usr/local/samba is root:other ownership. /etc/init.d/samba.server start 
will start smbd and nmbd, nbtstat shows the share, but I can't create any 
samba users. smb.conf  and smb.log at bottom. 

When I run: 

#smbpasswd -a root
Failed to open /usr/local/samba/private/secrets.tdb
New SMB password:
Retype new SMB password:
unable to open passdb database.
startsmbfilepwent_internal: too many race conditions creating file /usr/local/samba/private/smbpasswd
add_smbfilepwd_entry: unable to open file.
Failed to add entry for user root.
Failed to modify password entry for user root
# 


This is created: 


Copyright Andrew Tridgell and the Samba Team 1992-2002
[2002/10/16 11:41:56, 0] passdb/secrets.c:secrets_init(43)
Failed to open /usr/local/samba/private/secrets.tdb
[2002/10/16 11:41:57, 0] passdb/machine_sid.c:pdb_generate_sam_sid(163)
pdb_generate_sam_sid: Failed to store generated machine SID.
[2002/10/16 11:41:57, 0] smbd/server.c:main(793)
ERROR: Samba cannot create a SAM SID.
[2002/10/16 11:43:31, 0] smbd/server.c:main(707)
smbd version 2.2.5 started.
Copyright Andrew Tridgell and the Samba Team 1992-2002
[2002/10/16 11:43:31, 0] passdb/secrets.c:secrets_init(43)
Failed to open /usr/local/samba/private/secrets.tdb
[2002/10/16 11:43:31, 0] passdb/machine_sid.c:pdb_generate_sam_sid(163)
pdb_generate_sam_sid: Failed to store generated machine SID.
[2002/10/16 11:43:31, 0] smbd/server.c:main(793)
ERROR: Samba cannot create a SAM SID.

- 

smb.conf 

- 


# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command testparm
# to check that you have not many any basic syntactic errors.
#
#=== Global Settings =
[global] 

##
## Basic Server Settings
## 

	# workgroup = NT-Domain-Name or Workgroup-Name, eg: REDHAT4
	workgroup = MYGROUP 

	# server string is the equivalent of the NT Description field
	server string = Samba Server 

	# This option is important for security. It allows you to restrict
	# connections to machines which are on your local network. The
	# following example restricts access to two C class networks and
	# the loopback interface. For more examples of the syntax see
	# the smb.conf man page
	; hosts allow = 192.168.1. 192.168.2.0./24 192.168.3.0/255.255.255.0 127.0.0.1
	 hosts allow = 10.53.210.32 10.53.210.31 127.0.0.1 

	# Uncomment this if you want a guest account, you must add this to /etc/passwd
	# otherwise the user nobody is used
	; guest account = pcguest 

	# this tells Samba to use a separate log file for each machine
	# that connects
	log file = /usr/local/samba/var/log.%m 

	# How much information do you want to see in the logs?
	# default is only to log critical messages
	; log level = 4 

	# Put a capping on the size of the log files (in Kb).
	max log size = 50 

	# Security mode. Most people will want user level security. See
	# security_level.txt for details.
	security = user 

	# Using the following line enables you to customise your configuration
	# on a per machine basis. The %m gets replaced with the netbios name
	# of the machine that is connecting.
	# Note: Consider carefully the location in the configuration file of
	#   this line.  The included file is read at that point.
	;   include = /usr/local/samba/lib/smb.conf.%m 

	# Most people will find that this option gives better performance.
	# See speed.txt and the manual pages for details
	# You may want to add the following on a Linux system:
	# SO_RCVBUF=8192 SO_SNDBUF=8192
	; socket options = TCP_NODELAY 

	# Configure Samba to use multiple interfaces
	# If you have multiple network interfaces and want to limit smbd will
	# use, list the ones desired here.  Otherwise smbd  nmbd will bind to all
	# active interfaces on the system.  See the man page for details.
	;   interfaces = 192.168.12.2/24 192.168.13.2/24
	   interfaces = 10.53.208.24/24 

	# Should smbd report that it has MS-DFS Capabilities? Only available
	# if --with-msdfs was passed to ./configure
	; host msdfs = yes 

##
## Network Browsing
##
	# set local master to no if you don't want Samba to become a master
	# browser on your network. Otherwise the normal election rules apply
	; 

Re: Bug in samba 2.2 + kernel 2.4?

2002-10-17 Thread Jon Monroe
Hi Jerry,

I tried disabling kernel oplocks. I also tried disabling in different 
combinations:

oplocks
level2 oplocks
posix locking
locking

All variations seem to produce similar results -- 2 extra directory locks 
for each directory for each visitation.

I'm going to try kernel 2.4.19 when I get the chance.

Thanks again!

Jon

At 05:54 PM 10/17/2002 -0500, Gerald (Jerry) Carter wrote:

On Thu, 17 Oct 2002, Jon Monroe wrote:

 I'm seeing tons of leftover directory handles for any directories
 visited on a samba share (via a win2k/win9x workstation). For every
 directory access inside a samba share, 3 handles are initially opened --
 2 read handles, and a single CWD handle. The CWD handle goes away, but
 the read handles sit around forever, or until you kill the smbd process
 that opened them. These add up pretty quick.

 What's really weird is I only see this on kernel 2.4 (2.4.18). If I go back
 to my old kernel 2.2 box, the problem doesn't seem to exist.

No idea, but disabling kernel oplocks comes to mind.  This is all off the
top of my head of course.





cheers, jerry
 -
 Hewlett-Packard   - http://www.hp.com
 SAMBA Team-- http://www.samba.org
 GnuPG Key  http://www.plainjoe.org/gpg_public.asc
 ISBN 0-672-32269-2SAMS Teach Yourself Samba in 24 Hours 2ed
 I never saved anything for the swim back. Ethan Hawk in Gattaca




[PATCH] rid allocator in passdb backend

2002-10-17 Thread Volker . Lendecke
Hi!

This patch puts a RID allocator into the passdb backend. The outside interface
is two calls.

pdb_max_used_rid is for net rpc vampire to set the maximum RID that the PDC
gave us.

pdb_allocate_rid_for_gid allocates a new RID for the given unix group id. The
passdb backend must allocate RIDs for users itself. The group mapping code
should be able to get a new RID. The unix gid is handed to the pdb backend for
smbpasswd and unixsam to be able to use the algorithmic mapping.

The interface is definitely not the last word, as the group mapping might one
day be moved into the passdb backend.

One interesting part here might be the LDAP schema change which is to be
discussed.

The LDAP routines themselves quite reliably do an atomic set and increment. I
tested it with my laptop and 100 (really) concurrent pdbedit processes beating
the OpenLDAP 2.0.12. The random function in the sleep should probably be done
differently. On my machine 100 concurrent processes can quite reliably get
their RID with a modulo of 200, 200 processes need more. But this is a bit
extreme load. At least I never got corruption.

The tdb backend could handle a load of 500 with no problem at all.

Volker


Index: examples/LDAP/samba.schema
===
RCS file: /data/cvs/samba/examples/LDAP/samba.schema,v
retrieving revision 1.8
diff -u -r1.8 samba.schema
--- examples/LDAP/samba.schema  19 Jul 2002 16:03:52 -  1.8
+++ examples/LDAP/samba.schema  17 Oct 2002 18:19:28 -
 -110,6 +110,11 
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 
+attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'domainSID'
+   DESC 'Domain SID'
+   EQUALITY caseIgnoreIA5Match
+   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
 ##
 ## The smbPasswordEntry objectclass has been depreciated in favor of the
 ## sambaAccount objectclass
 -138,6 +143,11 
logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ 
displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
description $ userWorkstations $ primaryGroupID $ domain ))
+
+objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaDomainInfo' SUP top AUXILIARY
+   DESC 'Samba Domain Information'
+   MUST ( domain ) 
+   MAY  ( rid $ domainSID ))
 
 ##
 ## Used for Winbind experimentation
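Review bot: In sambaDomainInfo, `rid` is listed under MAY, so an entry that carries the objectclass but no rid value is schema-valid, which is exactly the case the follow-up mail says the allocator does not handle yet. Either make the counter a MUST attribute or document the value the allocator assumes when it is absent, and confirm that the rid attribute is declared SINGLE-VALUE so a racing update cannot leave two values behind.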
Index: source/include/passdb.h
===
RCS file: /data/cvs/samba/source/include/passdb.h,v
retrieving revision 1.20
diff -u -r1.20 passdb.h
--- source/include/passdb.h 12 Oct 2002 03:38:07 -  1.20
+++ source/include/passdb.h 17 Oct 2002 18:19:29 -
 -64,6 +64,10 
NTSTATUS (*pdb_update_sam_account)(struct pdb_context *, SAM_ACCOUNT *sampass);

NTSTATUS (*pdb_delete_sam_account)(struct pdb_context *, SAM_ACCOUNT 
*username);
+
+   NTSTATUS (*pdb_allocate_rid_for_gid)(struct pdb_context *, gid_t, uint32 *);
+
+   NTSTATUS (*pdb_max_used_rid)(struct pdb_context *, uint32);

void (*free_fn)(struct pdb_context **);

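Review bot: The two new pdb_context members, pdb_allocate_rid_for_gid and pdb_max_used_rid, are added with unnamed parameters and no comment. State in the header that the `uint32 *` is the out-parameter receiving the new RID and that the `uint32` passed to pdb_max_used_rid is the maximum RID the PDC gave us, and say which status a backend returns when it cannot allocate.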
 -95,6 +99,10 
NTSTATUS (*update_sam_account)(struct pdb_methods *, SAM_ACCOUNT *sampass);

NTSTATUS (*delete_sam_account)(struct pdb_methods *, SAM_ACCOUNT *username);
+
+   NTSTATUS (*allocate_rid_for_gid)(struct pdb_methods *, gid_t, uint32 *);
+
+   NTSTATUS (*max_used_rid)(struct pdb_methods *, uint32);

void *private_data;  /* Private data of some kind */

Index: source/passdb/pdb_interface.c
===
RCS file: /data/cvs/samba/source/passdb/pdb_interface.c,v
retrieving revision 1.25
diff -u -r1.25 pdb_interface.c
--- source/passdb/pdb_interface.c   26 Sep 2002 09:50:52 -  1.25
+++ source/passdb/pdb_interface.c   17 Oct 2002 18:19:29 -
 -162,6 +162,34 
return context-pdb_methods-add_sam_account(context-pdb_methods, sam_acct);
 }
 
+static NTSTATUS context_allocate_rid_for_gid(struct pdb_context *context, gid_t gid, 
+uint32 *rid)
+{
+   NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+
+   if ((!context) || (!context-pdb_methods)) {
+   DEBUG(0, (invalid pdb_context specified!\n));
+   return ret;
+   }
+
+   return context-pdb_methods-allocate_rid_for_gid(context-pdb_methods, gid, 
+rid);
+}
+
+static NTSTATUS context_max_used_rid(struct pdb_context *context, uint32 rid)
+{
+   NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+
+   if ((!context) || (!context-pdb_methods)) {
+   DEBUG(0, (invalid pdb_context specified!\n));
+   return ret;
+   }
+
+   /** todo  This is where a 're-read on add' should be done */
+   /* We now add a new account to the first database listed. 
+* Should we? */
+
+   return context-pdb_methods-max_used_rid(context-pdb_methods, rid);
+}
+
 static NTSTATUS 
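Review bot: Both new wrappers call through the pdb_methods members (allocate_rid_for_gid, max_used_rid) after checking only that context and pdb_methods are non-NULL; a backend that has not been updated to fill in the new members would leave them NULL and the call becomes a NULL function-pointer dereference. Check the member before calling and return NT_STATUS_UNSUCCESSFUL otherwise. The "We now add a new account to the first database listed" comment in context_max_used_rid looks copied from the add-account wrapper and should be replaced or removed.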

Re: [PATCH] rid allocator in passdb backend

2002-10-17 Thread Volker.Lendecke

Hi again!

 This patch puts a RID allocator into the passdb backend. The outside interface
 is two calls.

I forgot one thing:

This patch does not yet handle the case where we already have a
sambaDomainInfo entry, but no rid attribute. I do not know how you can
make sure that you do not end up with two rid attributes. Does anybody
know how to do this?

Volker




Quick, outdated share-level question.

2002-10-17 Thread Christopher R. Hertel
For my book...

Do I understand correctly that Samba does not offer a per-share password,
even when running under security=share?

In the original, outdated design of SMB (COREP.TXT) passwords were assigned
to shares.  I don't see a mechanism in newer Samba docs that allows for a
per-share password (though there are a lot of docs and I have been known to
lose track of the nose on my face--folks who've met me face-to-face will
find that hard to believe).  It looks as though there's a fudge in place to
make username/password pairs work instead.

I'm curious, only for documentation purposes.  If there is no share password
support I think it makes sense.  It's just that it's not what W/9x does.  :)

Chris -)-

-- 
Samba Team -- http://www.samba.org/ -)-   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)-   [EMAIL PROTECTED]
OnLineBook -- http://ubiqx.org/cifs/-)-   [EMAIL PROTECTED]



Re: [PATCH] ldap connection caching (not ready!!!)

2002-10-17 Thread Andrew Bartlett
Stefan (metze) Metzmacher wrote:
 
 Hi Andrew,
 
 here's the next NOT WORKING version of my ldap connection caching patch
 
 there's a problem with the LM and NT passwords.
 
 I've got the following errors??? Can anybody test it I can't find the bug
 :-( I'm sitting here for hours now...
 
 btw the ldap server sends the password, I see them in ethereal. AND HEAD
 WORKS!???

A 'make clean' can do wonders...

In any case, what do you mean by 'HEAD works'?  Is your patch against
3.0 + your passdb patch or .. ?

On the patch - the 'wrapper' functions need to include a while loop.

do {
try again()
} while (error == LDAP_SERVER_DOWN)

With appropriate sleep/backoff - see the nss_ldap code for a good
example.

While doing a 'ping' to the server before we start catches most of the
dropout cases, it does add latency (may or may not be an issue), and we
really need to deal with it in the actual operation I think.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
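
The retry-on-LDAP_SERVER_DOWN wrapper sketched in the message above, as an added example (not code from the Samba tree, nss_ldap or the patch under review): a bounded retry loop with exponential backoff that drops the cached handle and rebinds before each new attempt, and returns any other result unchanged. The `ldap_conn` struct, `fake_search`, `fake_missing`, `fake_rebind`, the `EX_`-prefixed result codes and the retry limits are all assumptions made for the example; the backoff is recorded rather than slept so the run is deterministic.

```c
#include <stdio.h>

/* Stand-in result codes so the example builds without <ldap.h> (assumed values). */
#define EX_LDAP_SUCCESS          0
#define EX_LDAP_SERVER_DOWN    (-1)
#define EX_LDAP_NO_SUCH_OBJECT  32

#define MAX_ATTEMPTS   5     /* bounded: never spin forever on a dead server */
#define BASE_DELAY_MS  100
#define MAX_DELAY_MS   2000

/* Hypothetical cached-connection state; the last three fields exist only
 * so the example can inject faults and report what the wrapper did. */
struct ldap_conn {
    int connected;       /* 1 while the cached handle is believed usable */
    int failures_left;   /* constructed: how many more times the server drops us */
    int rebinds;         /* how many times the wrapper had to reconnect */
    unsigned slept_ms;   /* total backoff a real wrapper would have slept */
};

typedef int (*ldap_op_fn)(struct ldap_conn *c, void *arg);

/* Constructed stand-in for "open connection + bind". */
static int fake_rebind(struct ldap_conn *c)
{
    c->rebinds++;
    c->connected = 1;
    return EX_LDAP_SUCCESS;
}

/* Constructed stand-in for a search that fails while the server is flaky. */
static int fake_search(struct ldap_conn *c, void *arg)
{
    (void)arg;
    if (!c->connected)
        return EX_LDAP_SERVER_DOWN;
    if (c->failures_left > 0) {
        c->failures_left--;
        c->connected = 0;          /* connection dropped mid-operation */
        return EX_LDAP_SERVER_DOWN;
    }
    return EX_LDAP_SUCCESS;
}

/* Constructed stand-in for an operation that fails for a non-network reason. */
static int fake_missing(struct ldap_conn *c, void *arg)
{
    (void)c; (void)arg;
    return EX_LDAP_NO_SUCH_OBJECT;
}

/* Exponential backoff: 100, 200, 400, ... capped at MAX_DELAY_MS. */
static unsigned backoff_ms(int attempt)
{
    unsigned d = BASE_DELAY_MS;
    while (attempt-- > 0 && d < MAX_DELAY_MS)
        d *= 2;
    return d > MAX_DELAY_MS ? MAX_DELAY_MS : d;
}

/* Run op, retrying only on "server down". Any other result, success or
 * error, is returned to the caller immediately. */
int ldap_retry(struct ldap_conn *c, ldap_op_fn op, void *arg)
{
    int rc = EX_LDAP_SERVER_DOWN;

    for (int attempt = 0; attempt < MAX_ATTEMPTS; attempt++) {
        if (!c->connected && fake_rebind(c) != EX_LDAP_SUCCESS)
            rc = EX_LDAP_SERVER_DOWN;   /* could not even reconnect */
        else
            rc = op(c, arg);

        if (rc != EX_LDAP_SERVER_DOWN)
            return rc;

        c->connected = 0;               /* discard the stale cached handle */
        if (attempt + 1 < MAX_ATTEMPTS)
            c->slept_ms += backoff_ms(attempt);   /* real code sleeps here */
    }
    return rc;                          /* still down after MAX_ATTEMPTS */
}

int main(void)
{
    struct ldap_conn c = { 1, 2, 0, 0 };   /* stale handle, two drops */
    int rc = ldap_retry(&c, fake_search, NULL);
    printf("rc=%d rebinds=%d backoff=%ums\n", rc, c.rebinds, c.slept_ms);
    return rc == EX_LDAP_SUCCESS ? 0 : 1;
}
```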