Re: Comparing SAMBA_3_0 to HEAD

2002-10-29 Thread Stefan (metze) Metzmacher


Hi,


here're the latest diffs between HEAD and 3_0 (docu is excluded here, I 
think it should be completely in sync, sam/gums stuff shouldn't be in 3_0...)

I think all small fixes should be synced... and maybe all big patches too :-)

jelmer:Recognize FreeBSD5 correctly (not as being sysv...)
Files HEAD/source/include/includes.h and 3_0/source/include/includes.h differ

abartlet: Patch from Steve Langasek [EMAIL PROTECTED] to use nice big 
integers when attempting to calculate the bytes/second being 
transferred.  (Avoid overflow etc)
jelmer: Don't encourage people to use -P - it's obsolete
Files HEAD/source/client/client.c and 3_0/source/client/client.c differ

jelmer: Remove useless spaces - this broke make proto
Files HEAD/source/lib/getsmbpass.c and 3_0/source/lib/getsmbpass.c differ

jmcd: Format objectGUIDs on ads dumps.
Files HEAD/source/lib/util_uuid.c and 3_0/source/lib/util_uuid.c differ

tridge: support all permitted encoding types in tickets. This allows us to
decode a type 23 ticket when the machine account is setup for non-DES
tickets
Files HEAD/source/libads/kerberos_verify.c and 
3_0/source/libads/kerberos_verify.c differ

tridge: .NET likes both forms of servicePrincipalName in the machine account
record
tridge: only set UF_USE_DES_KEY_ONLY if we are using krb5 libraries that can't
do type 23
jmcd: Format objectGUIDs on ads dumps.
Files HEAD/source/libads/ldap.c and 3_0/source/libads/ldap.c differ

jelmer: Don't use usage function, but use popt for usage and help info
Files HEAD/source/nsswitch/wbinfo.c and 3_0/source/nsswitch/wbinfo.c differ

tridge: - we need to rescan the trusted domain list regularly to cope with
transitive trusts, and trusts that are added while winbindd is running
- removed an unnecessary call to time()
Files HEAD/source/nsswitch/winbindd.c and 3_0/source/nsswitch/winbindd.c differ

tridge: much simpler code to choose a DC to contact in winbindd. We now always
choose the server that has the most bits in common in its IP with one
of our interfaces.
Files HEAD/source/nsswitch/winbindd_cm.c and 
3_0/source/nsswitch/winbindd_cm.c differ

herb: must add one to the extra_data size to transfer the 0 string terminator.
This was causing wbinfo --sequence to access past the end of malloced memory.
Files HEAD/source/nsswitch/winbindd_misc.c and 
3_0/source/nsswitch/winbindd_misc.c differ

tridge: - we need to rescan the trusted domain list regularly to cope with
transitive trusts, and trusts that are added while winbindd is running
- removed an unnecessary call to time()
tridge: if trusted domains are disabled then we should not try to connect to
them in winbindd
Files HEAD/source/nsswitch/winbindd_util.c and 
3_0/source/nsswitch/winbindd_util.c differ

vlendec: This fixes some bugs for NT4 usrmgr.exe
abartlet(metze): PDB_SET patch
Files HEAD/source/rpc_parse/parse_samr.c and 
3_0/source/rpc_parse/parse_samr.c differ

vlendec: Fix full_name for info23 as well. Thanks, Andrew.
vlendec: This fixes some bugs for NT4 usrmgr.exe
abartlet(metze): PDB_SET patch
Files HEAD/source/rpc_server/srv_util.c and 
3_0/source/rpc_server/srv_util.c differ

vlendec: ...
Files HEAD/source/script/creategroup and 3_0/source/script/creategroup differ

jerry:...
Files HEAD/source/script/cvslog.pl and 3_0/source/script/cvslog.pl differ

vlendec: group_map patch
sharpe: Push Steve Langasek's fix ...
Files HEAD/source/smbd/lanman.c and 3_0/source/smbd/lanman.c differ

sharpe: Fix John's little typo ...
jht: Fix ability to locate if we are a WINS client.
Files HEAD/source/web/swat.c and 3_0/source/web/swat.c differ

jerry: more doc structure updates.  SWAT now on links to the TOC for
the HOWTO collection instead of linking each article.
Files HEAD/swat/help/welcome.html and 3_0/swat/help/welcome.html differ

vlendec: Implement 'net maxrid'. Needed to find the maximum current rid to
 set 'algorithmic rid base' correctly after a 'net rpc vampire'.
Files HEAD/source/utils/net.c and 3_0/source/utils/net.c differ

vlendec: In my test, sync_context simply has to be incremented. Can
somebody with a large domain do a net rpc samdump to verify this?
Without this change, I don't get everything from a NT4 SP1 and SP6
PDC.
vlendec: group_map patch
abartlet(metze): PDB_SET patch
Files HEAD/source/utils/net_rpc_samsync.c and 
3_0/source/utils/net_rpc_samsync.c differ

idra: try to put every security descriptors related definitions in the same 
file.
  also try to uniform names to a clean scheme.
Files HEAD/source/include/rpc_samr.h and 3_0/source/include/rpc_samr.h differ
Files HEAD/source/include/rpc_secdes.h and 3_0/source/include/rpc_secdes.h 
differ
Files HEAD/source/lib/util_seaccess.c and 3_0/source/lib/util_seaccess.c differ
Files HEAD/source/rpc_server/srv_reg_nt.c and 
3_0/source/rpc_server/srv_reg_nt.c differ
Files HEAD/source/rpc_server/srv_samr.c and 

Format of NTUSER.DAT ...

2002-10-29 Thread Richard Sharpe
Hi,

By inspection with od -ha etc, I can see much of the format of NTUSER.DAT.

The early part has, in UNICODE, CRLF (sic) delimited lines, it seems.

Anyway, a little way through has the line $$$PROTO.HIV and then a little 
further on are the SIDS, in the format:

  LEN of this desc       2 bytes
  Permissions            4 bytes
  SID in binary format - remaining bytes
 
So, I figure I can write a small utility to print this out.

Regards
-
Richard Sharpe, [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], http://www.richardsharpe.com
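
The descriptor layout from the post above, turned into a bounds-checked parser (an added example, not code from the original post or from Samba). The little-endian byte order, the reading that LEN counts the whole descriptor, and the names `parse_sid_desc`, `walk_sid_descs` and `constructed_sample` are assumptions made here; the binary SID layout is the standard Windows one.

```c
/* Added example. Assumed, not stated in the post: fields are little-endian
 * and LEN counts the whole descriptor, including its own 2 bytes. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DESC_HDR_LEN     6   /* 2-byte LEN + 4-byte permissions */
#define SID_FIXED_LEN    8   /* revision, sub-authority count, 6-byte authority */
#define SID_MAX_SUBAUTHS 15  /* most sub-authorities a binary SID may carry */

struct sid_desc {
    uint16_t len;       /* LEN field as read from the buffer */
    uint32_t perms;     /* permissions field */
    char     sid[192];  /* SID rendered as S-R-A-S1-S2... */
};

static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Convert a binary SID to text. Returns 0, or -1 when the SID is too short
 * or its sub-authority count disagrees with the number of bytes supplied. */
static int sid_to_string(const uint8_t *sid, size_t sid_len, char *out, size_t out_len)
{
    uint64_t auth = 0;
    size_t used;
    unsigned i, count;
    int n;

    if (sid_len < SID_FIXED_LEN) return -1;
    count = sid[1];
    if (count > SID_MAX_SUBAUTHS || sid_len != SID_FIXED_LEN + 4u * count) return -1;
    for (i = 0; i < 6; i++)                 /* authority is big-endian */
        auth = (auth << 8) | sid[2 + i];
    n = snprintf(out, out_len, "S-%u-%llu", (unsigned)sid[0], (unsigned long long)auth);
    if (n < 0 || (size_t)n >= out_len) return -1;
    used = (size_t)n;
    for (i = 0; i < count; i++) {           /* sub-authorities are little-endian */
        n = snprintf(out + used, out_len - used, "-%lu",
                     (unsigned long)rd_le32(sid + SID_FIXED_LEN + 4 * i));
        if (n < 0 || (size_t)n >= out_len - used) return -1;
        used += (size_t)n;
    }
    return 0;
}

/* Parse one descriptor from buf[0..avail). Returns the bytes consumed or -1.
 * LEN is validated against the bytes really present before the SID is read. */
int parse_sid_desc(const uint8_t *buf, size_t avail, struct sid_desc *d)
{
    uint16_t len;

    if (avail < DESC_HDR_LEN) return -1;
    len = rd_le16(buf);
    if (len < DESC_HDR_LEN + SID_FIXED_LEN || len > avail) return -1;
    d->len = len;
    d->perms = rd_le32(buf + 2);
    if (sid_to_string(buf + DESC_HDR_LEN, (size_t)len - DESC_HDR_LEN,
                      d->sid, sizeof d->sid) != 0)
        return -1;
    return len;
}

/* Walk back-to-back descriptors; stop at the first malformed one. */
int walk_sid_descs(const uint8_t *buf, size_t len, struct sid_desc *out, int max)
{
    size_t off = 0;
    int n = 0, used;

    while (n < max && off < len &&
           (used = parse_sid_desc(buf + off, len - off, &out[n])) > 0) {
        off += (size_t)used;
        n++;
    }
    return n;
}

/* Constructed sample, not bytes taken from a real NTUSER.DAT. */
const uint8_t constructed_sample[] = {
    0x16, 0x00, 0x3F, 0x00, 0x0F, 0x00,             /* LEN=22, perms=0x000F003F */
    0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, /* S-1-5, 2 sub-authorities */
    0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00, /* 32, 544 */
    0x12, 0x00, 0x19, 0x00, 0x02, 0x00,             /* LEN=18, perms=0x00020019 */
    0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x12, 0x00, 0x00, 0x00, /* S-1-5-18 */
    0x40, 0x00, 0x3F, 0x00, 0x0F, 0x00, 0x01, 0x01, 0x00, 0x00 /* LEN=64, 10 bytes left */
};

int main(void)
{
    struct sid_desc d[8];
    int i, n = walk_sid_descs(constructed_sample, sizeof constructed_sample, d, 8);
    for (i = 0; i < n; i++)
        printf("len=%u perms=0x%08lx sid=%s\n", (unsigned)d[i].len,
               (unsigned long)d[i].perms, d[i].sid);
    return 0;
}
```

The third constructed record claims more bytes than the buffer holds, so the walk stops after two descriptors instead of reading past the end.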






Thank You

2002-10-29 Thread mase
I have to be glad when received mailing list about samba-technical, but I 
worry about my inbox capacity, I have small size of mailbox so can't receive 
more e-mail.

Please remove my e-mail address from your mailing list. I will access to 
your site and look for documents when I need.

Thank you.








RE: Fixed: OpLocks caused the corruptions/slowness (Was: How Samba let us down)

2002-10-29 Thread Green, Paul
Jay Ts [mailto:jay;jayts.cx] said: [excerpt]
> I know this is a tough issue, and I'm not sure what I'd
> do if I were in the driver's seat.  Perhaps as a
> minimum, adding some documentation to the /docs directory,
> as Chris suggests, and also putting lines in the example
> smb.conf files showing how to turn off oplocks, and why.
> Or maybe the example smb.conf files should turn them off,
> with a comment explaining that the lines can be removed if
> the Samba server isn't serving database files, and has good
> network hardware, etc.

Jay, your thoughts on how to fix the oplock-related corruption problem have
reminded me of a long-held belief that I hold regarding the process of
maintaining open-source software. The following (semi) rant is not directed
at you personally, but at the Samba community. This is my personal view, not
necessarily shared by anyone else on the team. (Well, I hope others share
it, but I'll leave it to them to say so).


My opinion is that the right fix is for anyone who is experiencing data
corruption of any sort, whether with oplocks on, off, or sideways, to work
with the Samba team to come up with a reproducible test case so that we can
root cause the true source of the problem.  Then, we can design and test
some sort of fix, and no one else will ever have to worry about it.
Anything less than this is guesswork.  We *might* be able to think of an
effective fix with the slim information we have now. We *absolutely* should
be able to get a great fix with full cooperation.

I'll go further and say that if you are using open-source/free software and
not willing to perform this task, then you should not bother to report
problems at all, but should simply stop using the software.  Yes, this is an
extreme position.  But the ONLY way we can make Samba or any other
open-source package better is with the full cooperation of the user
community.  Yes, I know we are asking you to spend precious time and
resources on a task that benefits others more than it benefits you.  But
isn't this the nature of the entire open-source movement?  Aren't you
getting something of extremely high value for a rock-bottom price when it
all works?  Isn't that worth something to you?  Go read Eric Raymond's essay
on The Cathedral and The Bazaar; it may help give you some perspective on
this movement. (http://www.tuxedo.org/~esr/).


Thanks
PG
--
Paul Green, Senior Technical Consultant, Stratus Computer, Inc.
Voice: +1 978-461-7557; FAX: +1 978-461-3610; Video on request.
Speaking from Stratus not for Stratus



Patches for RedHat 8.0 rpms in SAMBA_2_2 (was: 2.2.6-1 src rpm)

2002-10-29 Thread Axel Thimm
Hello,

attached are small patches for makerpms.sh.tmpl and samba2.spec.tmpl which
allow compiling & installing samba rpms on RedHat 8 (hope this is the right
place to submit them).

o tarfile: allow samba-${VERSION} to be a symlink to another directory
  (e.g. plain samba)
o Use rpmbuild instead of rpm, as rpm under RedHat 8.0 no longer supports
  building etc.
o Remove permission bits from examples and doc directories to fool the
  automatic dependency generator.

Regards, Axel.

On Sun, Oct 27, 2002 at 11:37:27AM +1100, Andrew Bartlett wrote:
> Gerald (Jerry) Carter wrote:
> > On Sat, 26 Oct 2002, Justin Georgeson wrote:
> > > Trying to install the built RPM (no errors in the build process) results
> > > in these unmet dependencies:
> > >
> > > # rpm -Uvh samba-2.2.6-1.i686.rpm
> > > error: Failed dependencies:
> > > perl(fix_print_html.lib) is needed by samba-2.2.6-1
> > > perl(Net::LDAP) is needed by samba-2.2.6-1
> >
> > Same thing I hit.  Haven't figured out a way around it yet.
> > The Net::LDAP modules is from the examples/LDAP scripts
> > and the fix_print_html.lib must be from the docbook stuff.  Neither
> > which matter for a normal installation.  You can just install with the
> > --nodeps option to rpm.
>
> RedHat used an ugly hack to get around this:  They override their
> dependency generator with one that does a negative grep on the Net::LDAP
> module.
>
> > > These weren't listed in the spec file as dependencies, and I'm not sure
> > > how to meet them.
> > >
> > > Is there any ETA for RH 8 RPMs, source or binary? Any idea how to get
> > > past this?
> >
> > Once I figure out how to get rpmbuild not to pickup these wrong
> > dependencies, I'll be releasing official samba.org RedHat 8 RPMS.

-- 
[EMAIL PROTECTED]

Index: makerpms.sh.tmpl
===
RCS file: /cvsroot/samba/packaging/RedHat/makerpms.sh.tmpl,v
retrieving revision 1.2.6.4
diff -u -d -r1.2.6.4 makerpms.sh.tmpl
--- makerpms.sh.tmpl6 Jan 2002 06:58:17 -   1.2.6.4
+++ makerpms.sh.tmpl29 Oct 2002 13:56:12 -
@@ -62,7 +62,7 @@
(cd ../../.. ; mv samba samba-${VERSION} )
 fi
 
-( cd ../../.. ; tar --exclude=CVS -czvf ${SRCDIR}/samba-${VERSION}.tar.gz 
samba-${VERSION} )
+( cd ../../.. ; tar --exclude=CVS -czvf ${SRCDIR}/samba-${VERSION}.tar.gz 
+samba-${VERSION}/. )
 
 cp -av samba.spec ${SPECDIR}
 cp -av samba-devel.spec ${SPECDIR}
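
Review bot: the new `samba-${VERSION}/.` argument on the tar line has no comment saying why the trailing `/.` is there, and it changes the member names recorded in the tarball so that they carry the extra `/.` component. Add a one-line comment above the tar command naming the symlink case it is meant to handle, and confirm that the unpack step in the spec still finds the tree under the name it expects. `${SRCDIR}` and `${VERSION}` are also expanded unquoted on that line, so a path containing spaces would split the command.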
@@ -72,11 +72,11 @@
( cd ../../.. ; mv samba-${VERSION} samba )
echo Getting Ready to build Developmental Build
cd ${SPECDIR}
-   rpm -ba -v samba-devel.spec
+   rpmbuild -ba -v samba-devel.spec
 else
echo Getting Ready to build release package
cd ${SPECDIR}
-   rpm -ba -v --clean --rmsource samba.spec
+   rpmbuild -ba -v --clean --rmsource samba.spec
 fi
 
 echo Done.
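
Review bot: both build lines now call `rpmbuild` unconditionally, so this template stops working on any host whose rpm package does not ship an rpmbuild binary. Choose the command once near the top of the script, for example by testing whether rpmbuild is on the PATH and falling back to rpm, and use that variable in both the samba-devel.spec and the samba.spec branch.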
Index: samba2.spec.tmpl
===
RCS file: /cvsroot/samba/packaging/RedHat/samba2.spec.tmpl,v
retrieving revision 1.18.6.54
diff -u -d -r1.18.6.54 samba2.spec.tmpl
--- samba2.spec.tmpl17 Oct 2002 02:22:00 -  1.18.6.54
+++ samba2.spec.tmpl29 Oct 2002 13:56:14 -
@@ -196,8 +196,10 @@
 --prefix=%{prefix} \
 --localstatedir=/var
 make
+cd ../..
 
-
+# Remove some permission bits to avoid to many dependencies
+find examples docs -type f | xargs -r chmod -x
 
 %install
 rm -rf $RPM_BUILD_ROOT
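
Review bot: `find examples docs -type f | xargs -r chmod -x` splits on whitespace in file names and depends on the GNU-only -r option; `find examples docs -type f -exec chmod -x {} \;` does the same job without either problem. The added `cd ../..` carries no comment and assumes the build ran exactly two levels below the source root, so state that next to it. Clearing the execute bit also changes the mode the example scripts are packaged with, which the comment should say, and "to many" in that comment should read "too many".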



Re: Fixes for netlogon unigroup.

2002-10-29 Thread Alexander Bokovoy
On Sun, Oct 27, 2002 at 02:14:54PM +1100, Andrew Bartlett wrote:
> I was wondering, would you have time to look at the netlogon unigroup
> issue again?
I'll add this to TODO list. I finally have an arrangement to dedicate 
up to 8-16 hrs of work time per week to Samba development during next 
several months.

> Since that code was committed, we have found that we need to use the
> 'extra sids' in the info3 as well.   I was thinking the cache should be
> redesigned to be indexed by SID only (not domain-sid/rid) and to store
> full sids for each group.
>
> Also, we never addressed the timeout issue (we should not cache that
> info forever).
Should we also move to Mimir's new cache code as well?


-- 
/ Alexander Bokovoy
---
The next person to mention spaghetti stacks to me is going to have
his head knocked off.
-- Bill Conrad



Re: Fixed: OpLocks caused the corruptions/slowness (Was: How Samba let us down)

2002-10-29 Thread Chris de Vidal
You hit it _on_the_nose_ here.  We wish someone had
commented in the smb.conf, the manpages, the
documents, ANYWHERE, about potential
corruption/slowness with large database files and
OpLocks.  There is a chance we would have been spared
grief.

/dev/idal

--- Jay Ts [EMAIL PROTECTED] wrote:
> Jeremy Allison ([EMAIL PROTECTED]) wrote:
> > Chris de Vidal wrote:
> >
> > > Still, wouldn't you welcome documentation advising
> > > people of potential corruption?  I think we both agree
> > > that there is no guarantee that everyone's network is
> > > 100% on and the danger of corruption appears to be
> > > greater when there are large files read and written to
> > > a record at a time (namely, flat databases).
> >
> > Well we ship by default with the same options as
> > Windows.
>
> But, is that a good idea?  Sometimes, matching the
> behavior of Windows is not for the best! ;-)
> Certainly the extra 30% (?) performance is a nice
> thing, and helps Samba get good reviews when compared
> to Windows.  But I think we can agree that a policy of
> matching the reliability of Windows is questionable.
>
> I think what Chris is getting at (and I wince while
> writing this, but I agree) is that it's better to
> give priority to data integrity (as you've said),
> and since many Samba users are now trusting Samba
> servers with their database files, the default either
> needs to be oplocks = no, or to have very obvious
> documentation somewhere where new Samba admins will
> surely see it -- and this is not easy, considering that
> Samba now comes bundled with all the popular Linux systems,
> and other Unices as well.  And also considering that
> the issue is not easy for Samba newbies (or even
> oldbies) to understand.
>
> I know this is a tough issue, and I'm not sure what I'd
> do if I were in the driver's seat.  Perhaps as a
> minimum, adding some documentation to the /docs directory,
> as Chris suggests, and also putting lines in the example
> smb.conf files showing how to turn off oplocks, and why.
> Or maybe the example smb.conf files should turn them off,
> with a comment explaining that the lines can be removed if
> the Samba server isn't serving database files, and has good
> network hardware, etc.
>
> I should have said this much earlier: I think if everyone
> is told straight out about this, then it will make life
> much easier for Samba administrators, help magazine testing
> labs _fairly_ compare Samba performance with that of Windows
> (they can make sure to turn oplocks on before running the test),
> and also make Microsoft look bad, as they should, IMO, since
> they created this stuff.  Maybe it will pressure Microsoft
> into disabling oplocks by default, and level the playing
> field in favor of data integrity!
>
> Jay Ts
> author, Using Samba, 2nd ed.



__
Do you Yahoo!?
HotJobs - Search new jobs daily now
http://hotjobs.yahoo.com/



RE: Fixed: OpLocks caused the corruptions/slowness (Was: How Samba let us down)

2002-10-29 Thread David Brodbeck


> -----Original Message-----
> From: Green, Paul [mailto:Paul.Green;stratus.com]
>
> My opinion is that the right fix is for anyone who is
> experiencing data corruption of any sort, whether with oplocks on, off, or
> sideways, to work with the Samba team to come up with a reproducible test case
> so that we can root cause the true source of the problem.  Then, we can
> design and test some sort of fix, and no one else will ever have to worry about it.

What I'm seeing from the Samba team is "this is a Windows client bug" or
"this is an MS Access bug."  I'm not saying they're wrong, but if that's the
conclusion that's been reached wouldn't the rest of us just be wasting our
time by trying to test this?  The consensus seems to be that oplocks with
Windows clients are simply broken by design.

FWIW, I've never seen any corruption I could blame on Samba, with oplocks
on, but my site only has 30 users, tops, and the most we ever had using the
Access database simultaneously was five or six.  (I did turn kernel oplocks
off a couple months ago, but only because we don't need them -- nothing gets
accessed from the UNIX side except during backups.)  We actually saw more
corruption in the Access database under Windows NT, but I blame this on a
user who had a bad network connection that we discovered about the time we
switched to Samba.  This would tend to back up the theory that dropped
packets aggravate this problem.  It's rather shocking to me that SMB reacts
so poorly to network problems, but I realize there's not much Samba can do
about the crummy protocol design. ;)



RE: Fixed: OpLocks caused the corruptions/slowness (Was: How Samba let us down)

2002-10-29 Thread Chris de Vidal
--- Green, Paul [EMAIL PROTECTED] wrote:
> My opinion is that the right fix is for anyone who is experiencing data
> corruption of any sort, whether with oplocks on, off, or sideways, to work
> with the Samba team to come up with a reproducible test case so that we can
> root cause the true source of the problem.

My #1 priority as a sysadmin is, make it work.  But
you are right; There is implied responsibility, when
using free software, to help with problems.  As you
said, I am getting top-quality software at a
rock-bottom price.  It is worth our time and effort. 
I just hope I can convince the powers-that-be to let
me test some configurations/clients.

The challenge is it doesn't appear to be a problem
with Samba but the clients.  Regardless, I feel the
Samba documentation ought to be noted when/if we can
reproducibly show it to be the client's fault, so
others don't fall into the same trap.  If I'd have
been warned, there is a chance we wouldn't have had
the grief we did.

/dev/idal

P.S. The Cathedral is a great book.




RE: Fixed: OpLocks caused the corruptions/slowness (Was: How Samba let us down)

2002-10-29 Thread Chris de Vidal
--- David Brodbeck [EMAIL PROTECTED] wrote:
> It's rather shocking to me that SMB reacts
> so poorly to network problems, but I realize there's
> not much Samba can do about the crummy protocol design. ;)

There is one thing: (Now I'm beating a dead horse on
this, so I'll shut up and see what I can do to help)

Make the user aware.

/dev/idal




RE: Fixed: OpLocks caused the corruptions/slowness (Was: How Samba let us down)

2002-10-29 Thread David Brodbeck


> -----Original Message-----
> From: Chris de Vidal [mailto:cdevidal;yahoo.com]
>
> --- David Brodbeck [EMAIL PROTECTED] wrote:
> > It's rather shocking to me that SMB reacts
> > so poorly to network problems, but I realize there's
> > not much Samba can do about the crummy protocol design. ;)
>
> There is one thing: (Now I'm beating a dead horse on
> this, so I'll shut up and see what I can do to help)
>
> Make the user aware.

True.  I agree this problem should be mentioned in the documentation, and
perhaps the fact that turning off oplocks can help.  I think it should be
pointed out that this is often a band-aid fix to mask network performance
problems, though.  Obviously going into detail about specific network
problems and solutions is out of the scope of the Samba documentation, but
it would be a good idea to at least point people in that direction.



Help for connectivity between Unix and Windows NT Server 4.0

2002-10-29 Thread ggue2408
I have a server Unix with Samba version 2.0.6 and a server NT version 4.0,
they are connected on a unique domain.
The share directories are in the Unix server and the users - the groups
(global and local) are in the NT Server.
I don't know how is it possible to give access to the shared folders on
the Unix server with the groups defined on the NT server ?

Please help me.




Solaris/Samba logon slowness

2002-10-29 Thread Len Laughridge


Hello:

I've been following the thread about oplocks recently, and have been waiting 
for more info on the (now dormant) thread about Solaris fcntl() issues.

My server is a Sun E-250, 2x400MHz, 1-Gig RAM, lots of storage, samba 2.2.5

1.  WinXP logon/logoff is unbearably, excruciatingly, painfully, s*l*o*w.  
'loading your personal settings' and 'saving your settings' can take 
upwards of 10 minutes for some users.  In the process, users either get 
impatient and forcibly power off their machines/undock their notebooks, which 
leads to data corruption and damaged profiles.  Sometimes, minutes into the 
process, a '...could not update your [local|roaming] profile...' message will 
appear.  Is there *anything* that can be done to help with this in the short 
run?  (Not using Windows would be the best, but it's not an option.)

2.  I may upgrade to 2.2.6 tonight.  Is there anything special I should do 
besides ./configure && make && make install which could remedy the situation?

Thanks in advance.  I can post my smb.conf if needed, but I'll save the 
bandwidth until it's requested.

-- 
Len Laughridge, Director of Information Technology
Kitchen & Associates Architectural Services, PA
Architecture - Planning - Interior Design
856.854.1880 x101




RE: Fixed: OpLocks caused the corruptions/slowness -- Understand technology not products

2002-10-29 Thread Bryan J. Smith

Quoting Chris de Vidal [EMAIL PROTECTED]:
> The challenge is it doesn't appear to be a problem
> with Samba but the clients.  Regardless, I feel the
> Samba documentation ought to be noted when/if we can
> reproducibly show it to be the client's fault, so
> others don't fall into the same trap.  If I'd have
> been warned, there is a chance we wouldn't have had
> the grief we did.

But you aren't warned with Windows servers either.  It's the responsibility of
the sysadmin to get familiar with the _technologies_** involved, _not_ just the
products**.  The SMB protocol is a moving target and a PITA atop of that
(although NFS and AFS have their PITA points too ;-).

There are endless options and configuration choices in Samba _because_ of
Microsoft and their SMB protocol.  It's a bitch to pick it all up, but that's
not the fault of the Samba team.  *BUT* there is plenty of extra documentation
files outside of the already massive smb.conf man page that covers all this.

IN A NUTSHELL:  I recommend reading _most_ of all those extra documentation
files _regardless_ of whether or not you run Samba -- because their content is
100% applicable to even native Windows servers!

Understanding the _technology_**, SMB in this case, is the key to successful
sysadmin'ing.  Which is the #1 reason why I thank God for Open Source.  It puts
the focus back on the technology, so you can resolve issues the vendors don't
talk about but you _always_ run into.

-- Bryan TheBS Smith

**SIDE NOTE:  This is the #1 reason why I _despise_ vendor certifications (even
though I just recently obtained several, but only to secure employment).  They
focus on products instead of technologies.  E.g., understand X.500 and LDAP,
and you can understand Microsoft ActiveDirectory or Novell NDS fairly easily.

-- 
Bryan J. Smith, E.I.            Contact Info:  http://thebs.org
A+/i-Net+/Linux+/Network+/Server+ CCNA CIWA CNA SCSA/SCWSE/SCNA
---
   limit  guilt   = { psychopath,
 remorse-0innocent }




RE: Fixed: OpLocks caused the corruptions/slowness (Was: How Samba let us down)

2002-10-29 Thread John H Terpstra
On Tue, 29 Oct 2002, David Brodbeck wrote:



> > -----Original Message-----
> > From: Green, Paul [mailto:Paul.Green;stratus.com]
> >
> > My opinion is that the right fix is for anyone who is
> > experiencing data corruption of any sort, whether with oplocks on, off, or
> > sideways, to work with the Samba team to come up with a reproducible test case
> > so that we can root cause the true source of the problem.  Then, we can
> > design and test some sort of fix, and no one else will ever have to worry about it.
>
> What I'm seeing from the Samba team is "this is a Windows client bug" or
> "this is an MS Access bug."  I'm not saying they're wrong, but if that's the
> conclusion that's been reached wouldn't the rest of us just be wasting our
> time by trying to test this?  The consensus seems to be that oplocks with
> Windows clients are simply broken by design.

Correct, but we still need to emulate the way it works correctly. So if we
have a bug, we need to find and fix it. We need help from our users to
create the test case that reproduces the problem. In the absence of this
all we can really do is offer empathy with the pain.


> FWIW, I've never seen any corruption I could blame on Samba, with oplocks
> on, but my site only has 30 users, tops, and the most we ever had using the
> Access database simultaneously was five or six.  (I did turn kernel oplocks
> off a couple months ago, but only because we don't need them -- nothing gets
> accessed from the UNIX side except during backups.)  We actually saw more
> corruption in the Access database under Windows NT, but I blame this on a
> user who had a bad network connection that we discovered about the time we
> switched to Samba.

This is a not uncommon finding. I have followed up with many users who
have complained of Linux and / or Samba problems to find that they were
having problems with MS Windows NT so they decided to try Samba. So when
this fails they turn to this list (or even mail team members directly)
complaining that Samba is broken. We all know that all software is likely
to be broken in some way - bugs are inevitable and the risk increases
exponentially with the size of the code base. (Don't flame me for this
statement please ;))

Here are the more common causes of corruption problems:

1. Defective HUBs/Switches (especially the cheaper varieties)
2. Defective Network cards
3. Defective Routers (in particular incorrect use of NetBIOS
UDP forwarding)
4. Defective Hard Disk on server
5. ESD (Electro-Static Damage) to motherboard
- many older style motherboards suffered ESD damage to
  the interrupt controller chip.
6. Bad TCP/IP configuration _or_ inconsistent installation of
   multiple network protocols (on MS Windows clients)
- ie: Inconsistent LANA ordering on MS Windows (9X,NT,...)

I am sure that with a little effort we can expand this list, just like I
am certain that when someone is in trouble they like to find help, though
some do it by blaming the gasolene when the tires wear out.

I do agree that we could better document the ins and outs of data
corruption and how to correctly diagnose a problem situation. Then again,
when in the heat of a serious problem, it is a bit trying to remember to
RTFM isn't it?


> This would tend to back up the theory that dropped
> packets aggravate this problem.  It's rather shocking to me that SMB reacts
> so poorly to network problems, but I realize there's not much Samba can do
> about the crummy protocol design. ;)


- John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]




RE: Fixed: OpLocks caused the corruptions/slowness (Was: How Samba let us down)

2002-10-29 Thread David Brodbeck
> -----Original Message-----
> From: John H Terpstra [mailto:jht;samba.org]
>
> This is a not uncommon finding. I have followed up with many users who
> have complained of Linux and / or Samba problems to find that
> they were having problems with MS Windows NT so they decided to try
> Samba.

That wasn't really the case in my situation, but Samba *did* help me track
down the problem.  See, with NT it mostly manifested itself in hidden,
irreproducible ways, like data corruption, that were easy to blame on
general flakiness.  We switched to Samba, and suddenly there was a major
reproducible issue -- the user would find that AutoCAD files he had opened,
then closed, tended to stay locked, forcing him to reboot before accessing
them again.  An investigation showed he had been connected to a badly
overloaded hub by mistake.  When this was fixed, our Access corruption
problems magically disappeared as well.

> Here are the more common causes of corruption problems:
>
>   1. Defective HUBs/Switches (especially the cheaper varieties)
>   2. Defective Network cards

I'd add Duplex mismatch problems.  This isn't the same thing as 1 and 2,
because it can happen through misconfiguration even when all the hardware is
operating as designed.



Re: Solaris/Samba logon slowness

2002-10-29 Thread Andy Bakun
> 1.  WinXP logon/logoff is unbearably, excruciatingly, painfully, s*l*o*w.
> 'loading your personal settings' and 'saving your settings' can take
> upwards of 10 minutes for some users.  In the process, users either get
> impatient and forcibly power off their machines/undock their notebooks, which
> leads to data corruption and damaged profiles.  Sometimes, minutes into the
> process, a '...could not update your [local|roaming] profile...' message will
> appear.  Is there *anything* that can be done to help with this in the short
> run?  (Not using Windows would be the best, but it's not an option.)

Verify that IE's cache isn't being stored in the user's profile.  That
has been the number one cause of long logon/logoff on my network. Go to
Internet Properties, General, Temporary Internet Files, Settings, Move
Folder.  I usually stick it in C:\TEMP.  Slight security issue, cache
may be accessible to other people using the same machine.  After you make
this change, it'll chug for a bit while it moves things around, you
may want to delete all offline content first, it goes much faster then
(at least with IE5.5).

Andy.





Re: Solaris/Samba logon slowness

2002-10-29 Thread Len Laughridge
On Tuesday 29 October 2002 11:50, Andy Bakun wrote:
> > 1.  WinXP logon/logoff is unbearably, excruciatingly, painfully, s*l*o*w.
> > 'loading your personal settings' and 'saving your settings' can
> > take upwards of 10 minutes for some users.  In the process, users either
> > get impatient and forcibly power off their machines/undock their
> > notebooks, which leads to data corruption and damaged profiles.
> > Sometimes, minutes into the process, a '...could not update your
> > [local|roaming] profile...' message will appear.  Is there *anything*
> > that can be done to help with this in the short run?  (Not using Windows
> > would be the best, but it's not an option.)
>
> Verify that IE's cache isn't being stored in the user's profile.
...
> may want to delete all offline content first, it goes much faster then
> (at least with IE5.5).
>
> Andy.

Andy - Thanks, will look into it, but I have an ntconfig.pol file set with 
policies to do that automatically.  Although  the ntconfig.pol is an 
NT/2K carryover that isn't 100% supported on XP, so maybe it's slipping 
through...


-- 
Len Laughridge, Director of Information Technology
Kitchen  Associates Architectural Services, PA
Architecture - Planning - Interior Design
856.854.1880 x101




Separate profiles (solution? comments please)

2002-10-29 Thread Len Laughridge

Hello, Group:

I'm not a developer at all, but I follow the list pretty closely to get useful 
tips and insight for my samba installations.

Some time ago I saw a question from a list member which was something I had 
been wondering myself.  There were no responses to that question (I checked 
with the poster directly, too), so I set about seeing if I could solve it.  
Here's my concept, and I may wind up testing this tonight to solve some 
serious problems we've been having.

Scenario:
KA-1 is a Solaris 8/Samba 2.2.5 server & PDC.
KA-2 is an NT4TSE/Citrix server, configured as member-server.  It serves 
published apps to the Solaris workstations (36 of them).  
KA is the netbios domain.

There are some PC workstations in the company as well.  Executives & 
secretaries have notebooks & desktops, and the rest of the Sun users 
frequently log in at 2 'open' stations to run some specialised software that 
can't be done reasonably through Citrix.  ALL OF THESE are WindowsXP.

When people log into the Citrix server, they DO need access to their home 
directory on h:\ and other shared volumes.  They DO NOT need any other 
aspects of their Windows profile.

If you have a Windows profile that is 'pure' XP, when you log into the citrix 
session everything is a mess, especially printer drivers.  If you have an XP 
profile, and log into the NT4 Citrix server, it messes up your XP profile 
(e.g. non-functional shortcuts in the start menu, 'My Briefcase' icon that's 
non-functional under XP, email settings get overwritten, or mail & documents 
get lost, etc.)

I want separate profiles for each.  I want the NT4/Citrix profiles to be small 
(no cached email, etc.) and I want to be able to delete them on a whim 
without it messing up the XP profiles.  The problem is that Samba does not 
support having a separate 'terminal profile' path.

In going through the mailing list archives and the smb.conf manual, I came up 
with this idea (untested, as of yet):

In smb.conf:

netbios name = KA-1
netbios aliases = KA-1-TSE
...
domain logons = Yes
logon drive = h:
logon path = \\%L\profiles\%L\%U
logon home = \\%L\%U\profile
logon script = logon.bat
...


Then, on the terminal server, DISABLE any WINS lookups by deleting the ip 
address of the primary WINS (the samba box).  Check the box for 'enable 
LMHOSTS lookup', and import an LMHOSTS file like below:

# Force the SaMBa PDC to be called by an alias
192.168.1.15    KA-1-TSE
# Other things we need to browse, since WINS is disabled...
...

Lastly, in the logon.bat file, you need some logic to say that if you are 
logging on at the Citrix box, then you need to map drives using the alias 
name, since that's all this machine understands, and if you're logging on at 
any other machine, map drives using the 'real' NETBIOS name from WINS like in 
this abbreviated sample:

if '%COMPUTERNAME%'=='KA-2' goto :nt4tse
if not '%COMPUTERNAME%'=='KA-2' goto :winxp
goto :end
:nt4tse
net use f: \\ka-1-tse\Private /yes
net use g: \\ka-1-tse\Public /yes
net use h: /home /yes
net use i: \\ka-1-tse\Archive /yes
rem Skip the WinXP mappings, otherwise execution falls through into :winxp
goto :end
:winxp
net use f: \\ka-1\Private /yes
net use g: \\ka-1\Public /yes
net use h: /home /yes
net use i: \\ka-1\Archive /yes
:end

What do you think?  If this works, should this be added to a HOWTO so that 
others can learn/improve/extend/submit improvements?

Thanks,

-- 
Len Laughridge, Director of Information Technology
Kitchen  Associates Architectural Services, PA
Architecture - Planning - Interior Design
856.854.1880 x101




Re: RPC message service?

2002-10-29 Thread Christopher R. Hertel
Yep.  I know it's *similar* to 'net send'.  The thing is that 'net send' 
typically starts off by trying to use port 139, connecting to the 03 
NetBIOS name.

From other messages I have received, I also understand that there is an 
MS-RPC call that handles messaging.  The spammers are using this RPC call 
because most folks know to block port 139.  We have not had trouble with 
these pop-up messages where I work because we have been blocking port 135 
for a while now.

Thanks!

Chris -)-

On Tue, Oct 29, 2002 at 12:19:50PM -, Gareth Davies wrote:
  Original Message -
 From: Christopher R. Hertel [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Monday, October 28, 2002 10:24 PM
 Subject: RPC message service?
 
 
  A curious article:
 
http://www.wired.com/news/technology/0,1282,55795,00.html
 
  It says that the Messenger Service Spammers are using port 135, which
  means that they're not using regular WinPOPUP stuff (the 03 names on
  port 139).  I do, in fact, see connect attempts to port 135 in my home
  firewall logs.  (I think they should be called slimewalls.)
 
  I'm guessing that they're doing something RPC-related that has, basically,
  the same effect.  I'm just curious to know what it is...
 snip
 
 They are using Windows messenger..
 
 net send ip address message goes here
 
 AFAIK
 
  Shaolin - IT Systems
  WB Ltd.
 .: http://www.security-forums.com :.
 

-- 
Samba Team -- http://www.samba.org/ -)-   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)-   [EMAIL PROTECTED]
OnLineBook -- http://ubiqx.org/cifs/-)-   [EMAIL PROTECTED]



Re: Solaris/Samba logon slowness

2002-10-29 Thread jra
On Tue, Oct 29, 2002 at 11:38:57AM -0400, Len Laughridge wrote:
 
 
 Hello:
 
 I've been following the thread about oplocks recently, and have been waiting 
 for more info on the (now dormant) thread about Solaris fcntl() issues.
 
 My server is a Sun E-250, 2x400MHz, 1-Gig RAM, lots of storage, samba 2.2.5
 
 1.  WinXP logon/logoff is unbearably, excruciatingly, painfully, s*l*o*w.  
 'loading your personal settings' and 'saving your settings' can take 
 upwards of 10 minutes for some users.  In the process, users either get 
 impatient and forcibly power off their machines/undock their notebooks, which 
 leads to data corruption and damaged profiles.  Sometimes, minutes into the 
 process, a '...could not update your [local|roaming] profile...' message will 
 appear.  Is there *anything* that can be done to help with this in the short 
 run?  (Not using Windows would be the best, but it's not an option.)
 
 2.  I may upgrade to 2.2.6 tonight.  Is there anything special I should do 
 besides ./configure && make && make install which could remedy the situation?
 
 Thanks in advance.  I can post my smb.conf if needed, but I'll save the 
 bandwidth until it's requested.

You need the Sun patch (sorry I'm not in my office right now and
can't get to the patch-id). *Definitely*. Samba will be slow on
Solaris without it.

Jeremy.



Re: ActiveX Core Technology Reference

2002-10-29 Thread jra
On Tue, Oct 29, 2002 at 07:09:11PM +1030, Richard Sharpe wrote:
 Hi,
 
 Are people aware of this?
 
 http://www.opengroup.org/onlinepubs/009899899/toc.htm


Yes, I printed it out a long time ago :-).

Jeremy.



Re: Fixes for netlogon unigroup.

2002-10-29 Thread Andrew Bartlett
Alexander Bokovoy wrote:
 
 On Sun, Oct 27, 2002 at 02:14:54PM +1100, Andrew Bartlett wrote:
  I was wondering, would you have time to look at the netlogon unigroup
  issue again?
 I'll add this to TODO list. I finally have an arrangement to dedicate
 up to 8-16 hrs of work time per week to Samba development during next
 several months.
 
  Since that code was committed, we have found that we need to use the
  'extra sids' in the info3 as well.   I was thinking the cache should be
  redesigned to be indexed by SID only (not domain-sid/rid) and to store
  full sids for each group.
 
  Also, we never addressed the timeout issue (we should not cache that
  info forever).
 Should we also move to Mimir's new cache code as well?

Now that would make sense :-).  The only problem is deciding how long to
cache it for...

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net



Re: [PATCH] security hole in Samba 3.0 start tls handling

2002-10-29 Thread Andrew Bartlett
Steve Langasek wrote:
 
 It appears that in Samba 3.0, the meaning of ldap ssl = start tls is
 somewhat diluted.  First, the start tls command is only ever issued if
 the given ldapsam URI has a protocol string of ldaps://, which is
 definitely an issue -- TLS is quite a different protocol from SSL, and
 the whole point of TLS is to NOT use a separate port for SSL
 connections.  Second, the STARTTLS support is completely disabled if
 using newer versions of the OpenLDAP client libs, resulting in the
 ldap ssl option being *silently* ignored to the detriment of SAM
 security.
 
 A workaround for existing systems is to use ldaps instead of tls.  The
 attached patch against SAMBA_3_0 will add support for STARTTLS when
 using OpenLDAP libs.  The muddled interaction between TLS and SSL is
 not addressed.

Hmm - I had hoped that we could specify as much information in that URL
as possible...

Is there no way to indicate this in the URL?

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net



Re: [PATCH] security hole in Samba 3.0 start tls handling

2002-10-29 Thread Steve Langasek
On Wed, Oct 30, 2002 at 10:15:46AM +1100, Andrew Bartlett wrote:

  It appears that in Samba 3.0, the meaning of ldap ssl = start tls is
  somewhat diluted.  First, the start tls command is only ever issued if
  the given ldapsam URI has a protocol string of ldaps://, which is
  definitely an issue -- TLS is quite a different protocol from SSL, and
  the whole point of TLS is to NOT use a separate port for SSL
  connections.  Second, the STARTTLS support is completely disabled if
  using newer versions of the OpenLDAP client libs, resulting in the
  ldap ssl option being *silently* ignored to the detriment of SAM
  security.

  A workaround for existing systems is to use ldaps instead of tls.  The
  attached patch against SAMBA_3_0 will add support for STARTTLS when
  using OpenLDAP libs.  The muddled interaction between TLS and SSL is
  not addressed.

 Hmm - I had hoped that we could specify as much information in that URL
 as possible...

 Is there no way to indicate this in the URL?

No, no more than you can indicate SASL preferences in a URL.  You
*could* embed this information in a URI string, but there would be
nothing particularly standard about this, and the LDAP libraries are
unlikely to understand them -- so Samba will still have to parse these
components out of the URL and handle them directly.

Steve Langasek
postmodern programmer





Re: [PATCH] security hole in Samba 3.0 start tls handling

2002-10-29 Thread Andrew Bartlett
Steve Langasek wrote:
 
 On Wed, Oct 30, 2002 at 10:15:46AM +1100, Andrew Bartlett wrote:
 
   It appears that in Samba 3.0, the meaning of ldap ssl = start tls is
   somewhat diluted.  First, the start tls command is only ever issued if
   the given ldapsam URI has a protocol string of ldaps://, which is
   definitely an issue -- TLS is quite a different protocol from SSL, and
   the whole point of TLS is to NOT use a separate port for SSL
   connections.  Second, the STARTTLS support is completely disabled if
   using newer versions of the OpenLDAP client libs, resulting in the
   ldap ssl option being *silently* ignored to the detriment of SAM
   security.
 
   A workaround for existing systems is to use ldaps instead of tls.  The
   attached patch against SAMBA_3_0 will add support for STARTTLS when
   using OpenLDAP libs.  The muddled interaction between TLS and SSL is
   not addressed.
 
  Hmm - I had hoped that we could specify as much information in that URL
  as possible...
 
  Is there no way to indicate this in the URL?
 
 No, no more than you can indicate SASL preferences in a URL.  You
 *could* embed this information in a URI string, but there would be
 nothing particularly standard about this, and the LDAP libraries are
 unlikely to understand them -- so Samba will still have to parse these
 components out of the URL and handle them directly.

That's fine then - but you can put quite a bit in that URL.  (Like bind
dn, search suffix and quite a few other things).

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
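
Added example, not Samba code and not the attached patch: a small C model of the connection choice as the report quoted above describes it, next to a fail-closed variant that refuses to connect when start tls cannot be honoured. The enums, function names and the ldap.example.test host are hypothetical, and treating ldaps:// combined with start tls as a configuration error is this example's own choice.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model; every identifier here is hypothetical. */
enum ssl_mode  { MODE_OFF, MODE_START_TLS };            /* what the admin asked for */
enum transport { PLAINTEXT, LDAPS, STARTTLS, REFUSE };  /* what the client ends up doing */

static int has_scheme(const char *uri, const char *scheme)
{
    return strncmp(uri, scheme, strlen(scheme)) == 0;
}

/* Behaviour as reported: StartTLS is only attempted for ldaps:// URIs, and
 * not at all when the client library build lacks it. In every other case
 * the setting is dropped without an error. */
enum transport described_choice(enum ssl_mode mode, const char *uri, int lib_starttls)
{
    if (has_scheme(uri, "ldaps://")) {
        if (mode == MODE_START_TLS && lib_starttls)
            return STARTTLS;
        return LDAPS;
    }
    return PLAINTEXT;   /* "start tls" on ldap:// is silently ignored */
}

/* Fail closed: if the requested protection cannot be applied, do not connect. */
enum transport strict_choice(enum ssl_mode mode, const char *uri, int lib_starttls)
{
    int plain = has_scheme(uri, "ldap://");
    int ssl   = has_scheme(uri, "ldaps://");

    if (mode == MODE_START_TLS)
        return (plain && lib_starttls) ? STARTTLS : REFUSE;
    return ssl ? LDAPS : plain ? PLAINTEXT : REFUSE;
}

typedef enum transport (*chooser)(enum ssl_mode, const char *, int);

/* Count the combinations where start tls was requested but the SAM traffic
 * would still travel in the clear. */
int silent_downgrades(chooser choose)
{
    static const char *uris[] = {
        "ldap://ldap.example.test", "ldaps://ldap.example.test"
    };
    int count = 0;

    for (int u = 0; u < 2; u++)
        for (int lib = 0; lib <= 1; lib++)
            if (choose(MODE_START_TLS, uris[u], lib) == PLAINTEXT)
                count++;
    return count;
}

int main(void)
{
    printf("silent downgrades, described behaviour: %d\n",
           silent_downgrades(described_choice));
    printf("silent downgrades, fail-closed variant: %d\n",
           silent_downgrades(strict_choice));
    return 0;
}
```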



Re: RPC message service?

2002-10-29 Thread John E. Malmberg
Gareth Davies wrote:

 Original Message -
From: Christopher R. Hertel [EMAIL PROTECTED]
A curious article:


 http://www.wired.com/news/technology/0,1282,55795,00.html

It says that the Messenger Service Spammers are using port 135, which
means that they're not using regular WinPOPUP stuff (the 03 names on
port 139).  I do, in fact, see connect attempts to port 135 in my home
firewall logs.  (I think they should be called slimewalls.)


When it is coming from any major U.S. ISP, a copy of the firewall logs, 
along with the time and timezone e-mailed to the abuse@ and the 
security@ seems to stop it for a while.

I'm guessing that they're doing something RPC-related that has, basically,
the same effect.  I'm just curious to know what it is...


snip

They are using Windows messenger..

net send ip address message goes here



It looks like the author of the spamware issued a press release and 
conned a bunch of reporters into giving them free advertising.

I have not followed the latest link, but they are hawking the spamware 
for between $300 U.S.D. and $700 a copy.

There was also a report that someone was offering $2000 U.S.D for a 
program to send such spam.

Here is a great opportunity for Samba developers, especially published 
authors to get their name in print while delivering a clue to these 
reporters about what the real story is.

-John
[EMAIL PROTECTED]
Personal Opinion Only



Re: Comparing SAMBA_3_0 to HEAD

2002-10-29 Thread Stefan (metze) Metzmacher
At 09:33 29.10.2002 -0500, you wrote:


Thanks for doing this...can I ask how you did it?  I'm not so good at cvs.


I just have two trees and run 'diff --brief HEAD 3_0'

then I looked up each file in http://cvs.samba.org/cgi-bin/cvsweb/samba/source/

but I think I can write a little script that does this automatically...
(If I do this I'll tell you)



Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074
USA

[EMAIL PROTECTED]
[EMAIL PROTECTED]

Phone: (207) 885-5565
IBM tie-line: 776-9984



metze
-
Stefan metze Metzmacher [EMAIL PROTECTED]




Profile permissions ...

2002-10-29 Thread Richard Sharpe
Hi,

In looking at NTUSER.DAT, it seems that the permissions associated with 
some of the SIDs are:

  0x000f003f

Hmmm, here is one of the entries:

   0x0014 003f 000f 0101   0005 0012 

Which seems to be:

  ACCESS Denied, No Propagate Inherit, All Access, S-1-5-4608

Does this seem reasonable? 
 
Regards
-
Richard Sharpe, [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], http://www.richardsharpe.com




Re: Profile permissions ...

2002-10-29 Thread Jean Francois Micouleau


On Wed, 30 Oct 2002, Richard Sharpe wrote:

 Hi,

 In looking at NTUSER.DAT, it seems that the permissions associated with
 some of the SIDs are:

   0x000f003f

 Hmmm, here is one of the entries:

0x0014 003f 000f 0101   0005 0012 

 Which seems to be:

   ACCESS Denied, No Propagate Inherit, All Access, S-1-5-4608

 Does this seem reasonable?

hum the sid looks more like S-1-5-18 (this one exists i'm sure) or
S-1-5-18-0 (don't remember that one).

Are you sure the access mask is a file's access mask? The lower bits of
an access mask are linked to the type of object it applies to.

files access bits != printer access bits != SAM access bits != LSA access
bits, and so on.

J.F.
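
Added example, not part of the thread: a C decoder for a single ACE in its on-disk layout (type, flags, 16-bit size, 32-bit mask, then the SID), run on a constructed 20-byte ACE carrying the 0x000f003f mask discussed above. The sample bytes, struct and function names are assumptions made for the illustration; because NTUSER.DAT is a registry hive, the mask is also compared against the registry-key and file all-access values to show why the object type matters.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_ALL_ACCESS  0x000F003Fu   /* registry key: standard rights + 0x3f */
#define FILE_ALL_ACCESS 0x001F01FFu   /* file: standard rights + SYNCHRONIZE + 0x1ff */

enum obj_type { OBJ_REGISTRY_KEY, OBJ_FILE };

struct ace {
    uint8_t  type;      /* 0 = access allowed, 1 = access denied */
    uint8_t  flags;     /* inheritance flags */
    uint16_t size;      /* length of the whole ACE in bytes */
    uint32_t mask;      /* access mask; low 16 bits are object-specific */
    char     sid[192];  /* SID rendered as S-R-A-S1-S2... */
};

/* Constructed sample (not taken from a real hive): allow ACE, container
 * inherit, size 20, mask 0x000f003f, SID with authority 5 and one
 * sub-authority of 18. */
static const uint8_t SAMPLE_ACE[20] = {
    0x00, 0x02, 0x14, 0x00,                          /* type, flags, size (LE) */
    0x3f, 0x00, 0x0f, 0x00,                          /* access mask (LE) */
    0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,  /* rev, count, authority (BE) */
    0x12, 0x00, 0x00, 0x00                           /* sub-authority 18 (LE) */
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode one ACE; returns 0 on success, -1 if the buffer is truncated or
 * the size and sub-authority count do not agree. */
int parse_ace(const uint8_t *buf, size_t len, struct ace *out)
{
    if (len < 16)                       /* header + mask + smallest SID */
        return -1;
    out->type  = buf[0];
    out->flags = buf[1];
    out->size  = (uint16_t)(buf[2] | buf[3] << 8);
    out->mask  = le32(buf + 4);

    const uint8_t *sid = buf + 8;
    unsigned rev = sid[0], nsub = sid[1];
    if (nsub > 15 || out->size > len || 16u + 4u * nsub > out->size)
        return -1;

    uint64_t auth = 0;                  /* 48-bit authority is big-endian */
    for (int i = 2; i < 8; i++)
        auth = auth << 8 | sid[i];

    int n = snprintf(out->sid, sizeof out->sid, "S-%u-%llu",
                     rev, (unsigned long long)auth);
    for (unsigned i = 0; i < nsub; i++)  /* sub-authorities are little-endian */
        n += snprintf(out->sid + n, sizeof out->sid - (size_t)n, "-%lu",
                      (unsigned long)le32(sid + 8 + 4 * i));
    return 0;
}

/* The same mask value means different things on different object types. */
int is_all_access(uint32_t mask, enum obj_type t)
{
    uint32_t all = (t == OBJ_REGISTRY_KEY) ? KEY_ALL_ACCESS : FILE_ALL_ACCESS;
    return (mask & all) == all;
}

int main(void)
{
    struct ace a;
    if (parse_ace(SAMPLE_ACE, sizeof SAMPLE_ACE, &a) != 0)
        return 1;
    printf("type=%u flags=0x%02x mask=0x%08lx sid=%s\n",
           (unsigned)a.type, (unsigned)a.flags, (unsigned long)a.mask, a.sid);
    printf("all access as registry key: %d, as file: %d\n",
           is_all_access(a.mask, OBJ_REGISTRY_KEY),
           is_all_access(a.mask, OBJ_FILE));
    return 0;
}
```

The sub-authority is stored little-endian as 12 00 00 00, which is 18; the same two leading bytes read big-endian give 0x1200 = 4608.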





Re: [Samba] auth to two diff PDCs? (success, sort of)

2002-10-29 Thread Mike Brodbelt
Collins, Kevin wrote:
 Hi All:
 
 Excuse me for butting in here, but I'm planning a migration from WinNT 4
 to Samba in the near future and this thread has caused me to worry a
 little.
 
 Take the case that I'm planning:  3 Domains each to its own LAN
 (connected via 128k Frame Relay lines to form a WAN) Each domain
 currently has a NT 4 PDC and each domain trusts each other.  How do I
 accomplish these trusts only using Samba PDCs?

With difficulty. There are a number of ways to hack round the problem
which you'll find if you search, but it's not supported functionality ATM.

 Meaning:  If I rip out the NT Domains, replace the PDCs with Samba PDCs
 and rebuild new domains (new Domain Names, new NetBIOS names for the
 PDCs, etc.)  How do I get the three domains to once again trust each
 other?  Is there a Samba command to do this?

Not at present. The current release branch of Samba (2.2.x) does not
support trust relationships between domains. Samba 3.x will support this
functionality, and I believe the code is already in CVS to do it.

You could get an alpha of Samba 3.x, or a CVS checkout, and try to make
it work with that. If I were you, I think I'd try this, but run 2 copies
of Samba on each server, 3.x alpha for the PDC aspect, and 2.2.x for the
actual file/print serving. You can bind two IP's to the NIC in your
machines, and run 3.x on one IP, and 2.2 on the other.

Mike.




RE: Samba PDCs/BDCs and Trusts WAS: auth to two diff PDCs? (success, sort of)

2002-10-29 Thread Collins, Kevin
Andrew Bartlett wrote:
 
 Domain trusts (in terms of us being a PDC trusting other DCs) are
 currently a work in progress.  We hope to have it finished for Samba
 3.0.
 
 However, why do you need domain trusts?  (There are lots of 
 good answers
 to this question, but make sure you do have one of the answers).
 
 Samba 2.2 has always supported being a member server in a domain with
 domain trusts, for the record.
 


Andrew:

Interesting you should ask about the *need* for my three domains and
their trusts.  Myself and a junior-admin had this same discussion the
day I wrote the post.  Looking back, it just seemed the logical thing to
do.  You see, in the beginning the three domains weren't connected -
definite need then.  When we put the WAN in place we didn't want to
rip-out anything, so we used the trusts to bind the domains together
- *need* defined as we needed it working ASAP.  Personally, I would
prefer to keep them separate just for greater user/group control.

But, I can also see that I may not *need* the independent PDCs that
trust each other, but maybe a PDC and 2 BDCs.  I'm looking hard at the
latter just so I do not hit any major hurdles when moving to SAMBA.
Thinking along those lines I must pose the question:  Will a SAMBA BDC
function as an NT BDC in that an NT BDC will cache (i.e. store locally)
user/group/SID information and only update/sync with the PDC at a
specified intervals?

If we go with the one domain concept here, I'm going to need the BDCs in
each office to basically run the show for that office when it comes to
authentication.  I do not want logons, etc. being passed to the PDC
across a 128K frame line half-way across the state - except in an
emergency like the BDC being offline.  The reason I ask is that I've not
tried to simulate this yet and it really is the only sticking point in
the single domain plan (that I can see now).

Thanks for your response and I hope that I have not broad-sided you with
my theorizing and planning.

Thanks,

Kevin L. Collins, MCSE
Systems Manager
Nesbitt Engineering, Inc.





RE: Samba PDCs/BDCs and Trusts WAS: auth to two diff PDCs? (success, sort of)

2002-10-29 Thread Collins, Kevin
Steven Langasek wrote:
 Having one PDC and two BDCs also gives you greater 
 fault-tolerance than
 having three domains with a single PDC each.
 
 Samba+LDAP can give you this fault tolerance; it can't give you trust
 relationships today, without a lot of finagling.
 
 Steve Langasek
 postmodern programmer
 

Steve:

I understand the role of/need for the BDC, I'm just concerned about
flooding the WAN connections with replication traffic and not being able
to send things like e-mail or project files.  I can control the
replication in NT, but I need to know if I can do the same in SAMBA.
With all the tweaks god knows there should be. :-)

I've thought about the LDAP course too but haven't given it enough
serious thought yet.  You know of a good HOWTO?

Thanks,

Kevin L. Collins, MCSE
Systems Manager
Nesbitt Engineering, Inc.

(859) 233-3111 x24 





Re: Samba PDCs/BDCs and Trusts WAS: auth to two diff PDCs? (success, sort of)

2002-10-29 Thread Steve Langasek
On Tue, Oct 29, 2002 at 11:10:22AM -0500, Collins, Kevin wrote:
 Steven Langasek wrote:
  Having one PDC and two BDCs also gives you greater 
  fault-tolerance than
  having three domains with a single PDC each.

  Samba+LDAP can give you this fault tolerance; it can't give you trust
  relationships today, without a lot of finagling.

  Steve Langasek
  postmodern programmer

 I understand the role of/need for the BDC, I'm just concerned about
 flooding the WAN connections with replication traffic and not being able
 to send things like e-mail or project files.  I can control the
 replication in NT, but I need to know if I can do the same in SAMBA.
 With all the tweaks god knows there should be. :-)

The only pre-packaged BDC implementation for Samba that I know of is
based on LDAP.  With LDAP, only changes are replicated across the link,
so you have no excess traffic associated with keeping the DCs in sync.
Samba sorta skipped over the NT4 technology and went straight to an
ActiveDirectory approach to management... :)

 I've thought about the LDAP course too but haven't given it enough
 serious thought yet.  You know of a good HOWTO?

There is a Samba-PDC-LDAP HOWTO included with the Samba documentation.
You can also find Ignacio Coupeau's step-by-step guide at
http://www.unav.es/cti/ldap-smb/ldap-smb-2_2-howto.html.

Steve Langasek
postmodern programmer





Re: Samba PDCs/BDCs and Trusts WAS: auth to two diff PDCs? (success, sort of)

2002-10-29 Thread Simo Sorce
There's another poor man way.
Use the classic smbpasswd file and use rsync to sync the file
periodically with a cron (of course you'll miss the ability to have
things promptly synced but generally this is a good enough solution for
many environments).

Simo.

On Tue, 2002-10-29 at 17:23, Steve Langasek wrote:
 On Tue, Oct 29, 2002 at 11:10:22AM -0500, Collins, Kevin wrote:
  Steven Langasek wrote:
   Having one PDC and two BDCs also gives you greater 
   fault-tolerance than
   having three domains with a single PDC each.
 
   Samba+LDAP can give you this fault tolerance; it can't give you trust
   relationships today, without a lot of finagling.
 
   Steve Langasek
   postmodern programmer
 
  I understand the role of/need for the BDC, I'm just concerned about
  flooding the WAN connections with replication traffic and not being able
  to send things like e-mail or project files.  I can control the
  replication in NT, but I need to know if I can do the same in SAMBA.
  With all the tweaks god knows there should be. :-)
 
 The only pre-packaged BDC implementation for Samba that I know of is
 based on LDAP.  With LDAP, only changes are replicated across the link,
 so you have no excess traffic associated with keeping the DCs in sync.
 Samba sorta skipped over the NT4 technology and went straight to an
 ActiveDirectory approach to management... :)
 
  I've thought about the LDAP course too but haven't given it enough
  serious thought yet.  You know of a good HOWTO?
 
 There is a Samba-PDC-LDAP HOWTO included with the Samba documentation.
 You can also find Ignacio Coupeau's step-by-step guide at
 http://www.unav.es/cti/ldap-smb/ldap-smb-2_2-howto.html.
 
 Steve Langasek
 postmodern programmer
-- 
Simo Sorce - [EMAIL PROTECTED]
Xsec s.r.l.
via Durando 10 Ed. G - 20158 - Milano
tel. +39 02 2399 7130 - fax: +39 02 700 442 399





Re: [Samba] Re: strange locks

2002-10-29 Thread mlh
[EMAIL PROTECTED] wrote



The locks you see here are used by MS Office as semaphores.
No one really knows why (well the MS Office programmers do,
but they're not telling :-).


Thanks!  That explains that.

But I expected to see locks for the whole of
the file for the duration of the MS-Word session.

Why don't I see that?  Without that, I don't see how
Samba locks could play nicely with other Unix processes.

Actually, being a Samba techo newbie, I sort of expected
that those sort of locks would be dealt with internally to
Samba, and smbd would lock the whole file anyway.
Any way to get that behaviour?

(Thinks: probably not as Samba doesn't know why the
file is being locked -- could be a word doco, could be
a database I s'pose)

-Matt