Stop in build 2.2.8 on FreeBSD 5.0 from ports
Building from the ports collection it stops in 'nsswitch/pam_winbind.po' every time. Stop in bulid for 5.0-RELEASE Not sure if this is a known bug for 5.0. Same problem with both my freshly installed 5.0 boxes. Tariq. . . . Linking bin/winbindd Compiling nsswitch/pam_winbind.c with -fPIC -DPIC nsswitch/pam_winbind.c: In function `_make_remark': nsswitch/pam_winbind.c:90: warning: assignment discards qualifiers from pointer target type nsswitch/pam_winbind.c: In function `_winbind_read_password': nsswitch/pam_winbind.c:277: `PAM_AUTHTOK_RECOVER_ERR' undeclared (first use in this function) nsswitch/pam_winbind.c:277: (Each undeclared identifier is reported only once nsswitch/pam_winbind.c:277: for each function it appears in.) nsswitch/pam_winbind.c:298: warning: assignment discards qualifiers from pointer target type nsswitch/pam_winbind.c:306: warning: assignment discards qualifiers from pointer target type nsswitch/pam_winbind.c:312: warning: assignment discards qualifiers from pointer target type gmake: *** [nsswitch/pam_winbind.po] Error 1 *** Error code 2 Stop in /usr/ports/net/samba. *** Error code 1 Stop in /usr/ports/net/samba. $ ---
LDAP Coding??
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi (lukeh?)! Why does my LDAP server deny the following request? ldapmodify sends this IA== (base64 for blank) as '04 01 20' according to ethereal. If I have a non-base64 value, say 'xxx', in 'profilePath' this works perfecly fine. This is a standard debian woody, so I have slapd 2.0.23. I'm still seeing this as my error, or could this also be an OpenLDAP bug? Thanks! Volker [EMAIL PROTECTED]:~/ldif$ ldapsearch -x uid=vl profilePath version: 2 # # filter: uid=vl # requesting: profilePath # # vl, samba, org dn: uid=vl,dc=samba,dc=org profilePath:: IA== # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 [EMAIL PROTECTED]:~/ldif$ cat test.ldif dn: uid=vl,dc=samba,dc=org changetype: modify delete: profilePath profilePath:: IA== [EMAIL PROTECTED]:~/ldif$ ldapmodify -x -D cn=admin,dc=samba,dc=org -w secret -f test.ldif modifying entry uid=vl,dc=kampf,dc=de ldap_modify: Invalid syntax additional info: modify: delete values failed ldif_record() = 21 [EMAIL PROTECTED]:~/ldif$ -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.6 (GNU/Linux) Comment: Key-ID D32186CF, Fingerprint available: phone +49 551 370 iD8DBQE+guPQOmSXH9Mhhs8RAj0eAJoDQkBwFmwJdJkqfDSTOF5Pr10rIgCeM2zI LLqc4ungKdauZaSCqD+4LTw= =yC2n -END PGP SIGNATURE-
Re: LDAP Coding??
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 profilePath:: IA== [EMAIL PROTECTED]:~/ldif$ ldapmodify -x -D cn=admin,dc=samba,dc=org -w secret -f test.ldif modifying entry uid=vl,dc=kampf,dc=de ldap_modify: Invalid syntax Ooops. I had wanted to edit this completely... Volker -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.6 (GNU/Linux) Comment: Key-ID D32186CF, Fingerprint available: phone +49 551 370 iD8DBQE+guRpOmSXH9Mhhs8RAlbtAKCA8Rz+z9YFj14NPp/PqSAnx8G7qgCdG+wr P+o2yPwPhTq5MM2eqtNjGlA= =EGpG -END PGP SIGNATURE-
Re: Next alpha of 3.0 planned for Friday
In [EMAIL PROTECTED], [EMAIL PROTECTED] wrote: This is just a heads up for everyone. I'm planning the 3.0alpha23 release for this Friday. If you have code that needs to be merged of commited to the SAMBA_3_0 cvs tree, please get in checked in by 8am EST on Friday of the week. Would someone take a look at CIDR-like notation problem by Mr. Takeda (and following mail by me) ? If this is right, example config described in securing-samba.sgml will not work as expected. (http://lists.samba.org/pipermail/samba-technical/2003-March/042993.html) Tomoki AONO ([EMAIL PROTECTED])
Re: modules: BOOL vs. int
At 12:12 27.03.2003 +0100, Jelmer Vernooij wrote:
I noticed that all smb_register_*() fn's return BOOL
and the init_module() fn's returns int
so this is wrong:
I don't have problems with this. We only need the return value in
smb_probe_module() to check for failure, and False is defined to be
equal to 0. The current way is more flexible. Some functions return a
BOOL, but others return an int (such as in rpc).
You're right but I think its confusing
can't we name the return var
BOOL when we use True or False
or!!!
int when we use 0 or -1
because int 0 means often success and BOOL False (int 0) means failure
(this is confusing and cries for bugs!!!)
And just for a better coding style :-)
And I want it to be equal for all smb_register_*() fn's
int auth_sam_init(void)
{
smb_register_auth(samstrict_dc, auth_init_samstrict_dc,
AUTH_INTERFACE_VERSION);
smb_register_auth(samstrict, auth_init_samstrict,
AUTH_INTERFACE_VERSION);
smb_register_auth(sam, auth_init_sam, AUTH_INTERFACE_VERSION);
return True;
}
When would you want the function to fail ? If registering one of the
functions fails?
ok don't fail but a warning would be good
metze
-
Stefan metze Metzmacher [EMAIL PROTECTED]
Re: LDAP Coding??
On Thu, Mar 27, 2003 at 12:44:55PM +0100, Volker Lendecke wrote: Why does my LDAP server deny the following request? Ok, this seems to be something specific to OpenLDAP 2.0. With 2.1.16 just compiled this works as expected. Could this be called a bug? Volker pgp0.pgp Description: PGP signature
2.2.8 - can't view/change permissions from NT clients
We were using 2.0.6 on a SunOS 5.6 server, using domain security in an NT domain, and have upgraded to 2.2.8 for the security fix. Now, when the file permissions are displayed on an NT client, ACL's are only shown for user/group/other if there are R,W, or X permissions. If u, g, or o have no rights, the ACL is not displayed for them. Example, in 2.0.6, with a file with r--r- permissions (440), the NT permissions display would have an ACL for the owner with R permissions, an ACL for the group with R permissions, and the Everyone group would show as O for no permissions. In 2.2.8 with the same file, the NT permissions dialog only shows an ACL line for the owner, and an ACL line for the group, but NO ACL line for Everyone since they have no permissions If a file had r permissions, there won't be an ACL line for the group either. In addition, we can't Add an ACL for the ones not displayed - In other words, in the first example, we couldn't Add the Everyone group with R prrmissions to give world read. Is this normal behavior in 2.2.8, or should we see the same displays as before? How can we get the displays to show as before, or what might we have missed?
RE: encrypt passwords=no, security=yes, samba 2.2.8, W2K user auth fails
Hi tony, based on your log file, it sure does APPEAR that you have NOT turned off encrypted passwords, as samba is trying to open /usr/local/samba/private/smbpasswd. It should only do that if it negotiated encrypted passwords in the negot prot call, which it should only be able to do if encrypted passwords is set to yes. I note that you are including ANOTHER smb.conf file at the end of your global section; please check there and see if you have an encrypt passwords = yes, and/or include the contents of that smb.conf file as well in your next message to the list, ok? include=/etc/sfw/local-smb.conf -Original Message- From: tony shepherd [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 25, 2003 21:31 To: [EMAIL PROTECTED] Cc: tony.shepherd Subject: BUG: encrypt passwords=no, security=yes, samba 2.2.8, W2K user auth fails folks ** I am not on this mail list. Can all replied please be Cc'ed to me as well. ** I have come across the following bug using samba 2.2.8 (in the throws of upgrading from 2.0.10 to fix security vul). I discovered this bug using a W2K system; it was not present when testing with win98. I am running the samba server on a solaris 9 system. I am using encrypt passwords = no and security=user and using the Unix passwords for authentication. Registry modification have been made to the windows system. To replicate the bug, I do the following: * log onto w2k system as user ts74081, passwd: fred * try and open the share: \\huey\ts74081. As my password is different between the windows system and the samba server, it prompts me for a username/password pair. I give the correct values but I still get rejected. * I then try to access the share as a different user (one that does not exist on the system): username fred, passwd fred. Naturally it fails. * I then try again with the proper username/password pair and I get authenticated correctly and the share is made available. If I do not try and authenticate as a different user before retrying with the proper username, it will continue to fail to authenticate. I have attached debug 3 logs of the above scenario as well as the smb.conf I am using. If I change the security parameter to security=share, the above bug does not show itself. thanks tony
I: new smb.conf.5 build system is coming
Hi all! I'm commiting a new framework for working with smb.conf(5) Docbook sources into HEAD docs/docbook/smbdotconf/. It is not yet ready for production (most of parameters not yet converted to new meta-information description system) but infrastructure is there and should allow more easily maintain smb.conf(5). docs/docbook/smbdotconf/ not yet used for actual Samba documentation generation but I plan switch somewhere later next week or so when (hopefully) all information will be updated and other components of SGML documentation will be converted to XML too (most of them already prepared but not all). I'm including doc/docbook/smbdotconf/README below with more detailed description of structure and internals of new framework. --- DocBook XML 4.2 source code for smb.conf(5) documentation for Samba 3.0 Author of the document: Alexander Bokovoy [EMAIL PROTECTED] Welcome to new smb.conf(5) documentation build system! This directory contains a new incarnation of Samba's smb.conf(5) Docbook XML 4.2 sources. Note that the output might be unsatisfying untill all smb.conf(5) parameters will converted to new format (see Chapter 4 for details). Content --- 0. Prerequisites 1. Structure 2. XSLT stylesheets 3. Usage 4. Current status of converted parameters Prerequisites - In order to compile smb.conf(5) documentation from Docbook XML 4.2 sources you'll need: - a working libxml2 and libxslt installation, together with xsltproc utility - a locally installed Docbook XSL 4.2 or higher - a working xmlcatalog to eliminate Web access for Docbook XSL The latter requisite is important: we do not specify local copies of Docbook XSL stylesheets in our XSLTs because of real nightmare in their location in most distributions. Fortunately, libxml2 provides standard way to access locally installed external resources via so-called 'xmlcatalog' tool. It is working in RedHat, Mandrake, ALT Linux, and some other distributions but wasn't at the moment of this writting (Late March'03) in Debian. Structure - smb.conf(5) sources consist of a number of XML files distributed across a number of subdirectories. Each subdirectory represents a group of smb.conf(5) parameters dedicated to one specific task as described in Samba's loadparm.c source file (and shown in SWAT). Each XML file in subdirectories represents one parameter description, together with some additional meta-information about it. Complete list of meta-information attributes attribute description --- namesmb.conf(5) parameter name context G for global, S for services basic set to 1 if loadparm.c's decription wizard includes appropriate flag for advancedthis parameter (FLAG_BASIC, developer FLAG_ADVANCED, FLAG_WIZARD, FLAG_DEVELOPER) --- Main XML file for smb.conf(5) is smb.conf.5.xml. It contains a general stub for man page and several XML instructions to include: - a list of global parameters (auto-generated); - a list of service parameters (auto-generated); - a complete list of alphabetically sorted parameters (auto-generated). XSLT stylesheets In order to combine and build final version of smb.conf(5) we apply a set of XSLT stylesheets to smb.conf(5) sources. Following is the complete description of existing stylesheets in smb.conf(5) source tree: 1. [expand-smb.conf.xsl] Main driver, produces big XML source with all smaller components combined. The resulted tree is then feed to Docbook XSL for final producing. This stylesheet performs two main transformations: - Replaces samba:parameter tag by varlistentry one; - Generates term and anchor tags for each samba:parameter. The latter step needs some explanation. We generate automatically anchor and term tags based on meta-information about parameter. This way all anchors have predictable names (capitalized parameter name with all spaces supressed) and we really don't need to dublicate data. There was only one exception to the generation rule in smb.conf.5.sgml: use spnego parameter had anchor SPNEGO which is now unified to USESPNEGO. This also fixes a bug in SWAT which was unable to find SPNEGO achnor. 2. [generate-context.xsl] An utility stylesheet which main purpose is to produce a list of parameters which are applicable for selected context (global or service). The generate-context.xsl is run twice to generate both parameters.global.xml and parameters.service.xml which are included then by smb.conf.5.xml. This stylesheet relies on parameters.all.xml file which is generated by [generate-file-list.sh] shell script. The parameters.all.xml
Re: [patch] uppercase workgroup in browse request
Am Thursday 27 March 2003 03:43 schrieb Christopher R. Hertel: Stephan Kulow wrote: Hi! I noticed a difference between testsmbc smb://MYGRP and testsmbc smb://mygrp (it doesn't make a difference for SAMBA servers, but it does for XP and for winME) So please apply the included patch. Hang on... Do I read this correctly? Are we forgetting to up-case the workgroup name? (...it always helps to provide a little clue along with the patch.) :) Samba decodes NetBIOS names and then performs a case-insensitive comparison on the original name. Windows (the versions I've tested) simply compares the wire-format strings. That's faster, but it's also case sensitive. I don't currently have any ME or XP systems to test. I don't understand. You seem to agree with the patch, still it's not applied. Greetings, Stephan
Patch for Bad Password Attempt Lockout, samba3.0a22.
I have implemented the bad password attempt lockout policy. If an user
attempt with the bad password more than the count setted in the policy, then
his account will be auto-locked, like what did NT. The implementation is only
for LDAP passdb backend.
To do this, I have to introduce a new integer attribute in
samba.schema, badPwAttempt.
Folllowing are the patches, any comments?
Jianliang Lu
TieSse s.p.a.
Via Jervis, 60. 10015 Ivrea (To) - Italy
[EMAIL PROTECTED]
[EMAIL PROTECTED]
--- samba-3.0alpha22-orig/source/auth/auth_sam.cMon Feb 17 16:31:06 2003
+++ samba-3.0alpha22-orig/source/auth/auth_sam.c.fixThu Mar 27 12:40:10 2003
@@ -326,6 +326,12 @@
return NT_STATUS_ACCOUNT_DISABLED;
}
+ /* Quit if the account was locked out. */
+ if (acct_ctrl ACB_AUTOLOCK) {
+ DEBUG(1,(Account for user '%s' was locked out.\n,
pdb_get_username(sampass)));
+ return NT_STATUS_ACCOUNT_LOCKED_OUT;
+ }
+
/* Test account expire time */
kickoff_time = pdb_get_kickoff_time(sampass);
@@ -414,6 +420,7 @@
NTSTATUS nt_status;
uint8 user_sess_key[16];
const uint8* lm_hash;
+ uint32 account_policy_lockout, badpwattempt;
if (!user_info || !auth_context) {
return NT_STATUS_UNSUCCESSFUL;
@@ -448,10 +455,43 @@
nt_status = sam_password_ok(auth_context, mem_ctx, sampass, user_info,
user_sess_key);
if (!NT_STATUS_IS_OK(nt_status)) {
+ if (NT_STATUS_EQUAL(nt_status,NT_STATUS_WRONG_PASSWORD)) {
+ badpwattempt = (uint32)pdb_get_bad_pw_attempt(sampass) + 1;
+ if (!pdb_set_bad_pw_attempt(sampass, badpwattempt,
PDB_CHANGED))
+ DEBUG(1, (Failed to set 'badPwAttempt' for
user % s. \n,
+
user_info-internal_username.str));
+ account_policy_get(AP_BAD_ATTEMPT_LOCKOUT,
account_policy_lockout);
+ if (badpwattempt = account_policy_lockout)
+ if (!pdb_set_acct_ctrl (sampass,
+
pdb_get_acct_ctrl(sampass) |ACB_AUTOLOCK,
+
PDB_CHANGED)) {
+ DEBUG(1, (Failed to set 'disabled' flag for
user % s. \n,
+
user_info-internal_username.str));
+ }
+
+ become_root();
+ if (!pdb_update_sam_account(sampass)) {
+ DEBUG(1, (Failed to modify entry for user % s.\n,
+
user_info-internal_username.str));
+ unbecome_root();
+}
+ }
pdb_free_sam(sampass);
return nt_status;
}
+ if (!pdb_set_bad_pw_attempt(sampass, 0, PDB_CHANGED))
+ DEBUG(1, (Failed to set 'badPwAttempt' for user % s. \n,
+user_info-internal_username.str));
+ if (!pdb_set_logon_time(sampass, time(NULL), PDB_CHANGED))
+ DEBUG(1, (auth_sam.c : pdb_set_logon_time fialed!\n));
+
+ become_root();
+ if(!pdb_update_sam_account(sampass))
+ DEBUG(1, (Failed to modify entry for user % s.\n,
+user_info-internal_username.str));
+ unbecome_root();
+
if (!NT_STATUS_IS_OK(nt_status = make_server_info_sam(server_info, sampass)))
{
DEBUG(0,(check_sam_security: make_server_info_sam() failed with
'%s'\n, nt_errstr(nt_status)));
return nt_status;
--- samba-3.0alpha22-orig/source/passdb/passdb.cMon Feb 24 16:12:31 2003
+++ samba-3.0alpha22-orig/source/passdb/passdb.c.fixThu Mar 27 12:40:10 2003
@@ -60,6 +60,7 @@
memset(user-private.hours, 0xff, user-private.hours_len); /* available at
all hours */
user-private.unknown_5 = 0x; /* don't know */
user-private.unknown_6 = 0x04ec; /* don't know */
+ user-private.bad_pw_attempt = 0; /* bad password attemp count */
/* Some parts of samba strlen their pdb_get...() returns,
so this keeps the interface unchanged for now. */
--- samba-3.0alpha22-orig/source/passdb/pdb_get_set.c Thu Jan 9 20:05:59 2003
+++ samba-3.0alpha22-orig/source/passdb/pdb_get_set.c.fix Thu Mar 27 12:40:10
2003
@@ -172,6 +172,14 @@
return (NULL);
}
+uint32 pdb_get_bad_pw_attempt (const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return (sampass-private.bad_pw_attempt);
+ else
+ return (-1);
+}
+
/**
* Get flags showing what is initalised
Re: Weird problems with Samba 2.2.8 under Solaris 8 + latest kernelpatch
Hi, Quick follow up... the problem was on another server. After the last reboot, not too long ago, fast-ethernet negotiation between the Cisco switch and the Sun server did not work properly. Cisco switch negotiated at 100Mbps/full and the Sun server in half duplex. Pierre B. Pierre Belanger wrote: Hello all, This weekend, we upgraded our Samba servers to 2.2.8 (pre3 according to the include/version.h -- CVS synced this past Saturday afternoon, EDT). I compiled this new release for the following Solaris/kernel : Solaris 6 : kernel patch 105181-33 Solaris 7 : kernel patch 106541-23 Solaris 8 : kernel patch 108528-19 Prior to Solaris 8 108528-19, that was installed yesterday *not by me* , we were running 108528-12. Solaris 8 with kernel patch 108518-19 + latest Samba is causing us troubles. ps : nothing changed in our smb.conf file / we had no problems before (the fcntl() bug was not an issue for us, we only have around ~ 150 concurrent connections on that machine). There's no problems on the other boxes (Solaris 6 7), note that we have much less connections on those boxes. [Q] Is there anyone on this list running with the latest Solaris 8 (108528-19) kernel patch and with Samba 2.2.8? After receiving a few complains, I decided to dig into the log files. Here's what I found: 1- Many dptr_close() errors, more than usually. log.wcanomp1775:[2003/03/17 14:04:09, 0] smbd/dir.c:dptr_close(277) log.wcanomp1775: Invalid key 256 given to dptr_close 2- Many oplock_break errors, much more than we had: [2003/03/17 15:32:49, 0] smbd/oplock.c:oplock_break(791) oplock_break: end of file from client oplock_break failed for file New Lisp/mbold.lsp (dev = 3d8000a, inode = 1467387, file_id = 15). [2003/03/17 15:32:49, 0] smbd/oplock.c:oplock_break(879) oplock_break: client failure in break - shutting down this smbd. [2003/03/17 15:32:49, 1] smbd/service.c:close_cnum(677) wcanomp2081 (10.10.92.33) closed connection to service imews [2003/03/17 15:32:49, 1] smbd/service.c:close_cnum(677) wcanomp2081 (10.10.92.33) closed connection to service site_doc [2003/03/17 15:32:49, 1] smbd/service.c:close_cnum(677) wcanomp2081 (10.10.92.33) closed connection to service docoss [2003/03/17 15:34:24, 1] smbd/service.c:make_connection(636) wcanomp2081 (10.10.92.33) connect to service site_doc as user imews (uid=2138, gid=240) (pid 4863) [2003/03/17 15:35:10, 0] smbd/oplock.c:request_oplock_break(1011) request_oplock_break: no response received to oplock break request to pid 4858 on port 56392 for dev = 3d8000a, inode = 825700, file_id = 15 [2003/03/17 15:35:10, 0] smbd/open.c:open_mode_check(652) open_mode_check: exlusive oplock left by process 4858 after break ! For file C 1505A/AA1710-W.dwg, dev = 3d8000a, inode = 825700. Deleting it to continue... [2003/03/17 15:35:10, 0] smbd/open.c:open_mode_check(656) open_mode_check: Existent process 4858 left active oplock. [2003/03/17 15:36:59, 1] smbd/service.c:make_connection(636) wcanomp2081 (10.10.92.33) connect to service site_doc as user imews (uid=2138, gid=240) (pid 4883) [2003/03/17 15:36:59, 0] smbd/dir.c:dptr_close(277) Invalid key 256 given to dptr_close [2003/03/17 15:36:59, 0] smbd/dir.c:dptr_close(277) Invalid key 257 given to dptr_close [2003/03/17 15:37:10, 0] smbd/oplock.c:process_local_message(397) process_local_message: Received unsolicited break reply - dumping info. [2003/03/17 15:37:10, 0] smbd/oplock.c:process_local_message(412) process_local_message: unsolicited oplock break reply from pid 4863, port 56392, dev = 3d8000a, inode = 825700, file_id = 15 [2003/03/17 15:38:02, 1] smbd/service.c:close_cnum(677) wcanomp2081 (10.10.92.33) closed connection to service site_doc [2003/03/17 15:38:09, 1] smbd/service.c:make_connection(636) wcanomp2081 (10.10.92.33) connect to service site_doc as user imews (uid=2138, gid=240) (pid 4904) [2003/03/17 15:41:22, 1] smbd/service.c:close_cnum(677) wcanomp2081 (10.10.92.33) closed connection to service imews [2003/03/17 15:41:22, 1] smbd/service.c:close_cnum(677) wcanomp2081 (10.10.92.33) closed connection to service docoss I will downgrade tonight to the previous version that we were running prior to the upgrade, it says 2.2.8pre1 but I remember taken that from CVS around February the 5th, according to the installation date!!! I wish I would have more time for this but I don't :-( I'll find time tomorrow to let you know if the downgrade helped or not. Cheers, Pierre B.
sesssetup.c, encrypted passwords and unicode
Hi there! I've been trying to get Samba 3.0 to use plaintext passwords and unicode for
a while now.
The first thing I stumbled on was solved, it was a service pack that needed to be
applied to w2k. (Thanks!)
This is the second thing I stumbled on:
In line 613 of sesssetup.c (latest CVS) there is the following code snippet:
} else {
pstring pass;
srvstr_pull(inbuf, pass, smb_buf(inbuf),
sizeof(pass), passlen1, STR_TERMINATE);
plaintext_password = data_blob(pass, strlen(pass)+1);
}
From what (limited) understanding I have, passlen1 in this case is the non-unicode
password, and passlen2 is the unicode password. The code pull the wrong passlen, and
consequently the wrong password was checked against the database. ( a password with a
length of 0)
Changing the code to use passlen2 basically allowed me to login, but I'm pretty sure
this is not the correct fix (I would think that one should first check if the
connection is unicode or not).
Just FYI,
Thanks :)
Nir.
--
Nir Soffer -=- Exanet Inc. -=- http://www.evilpuppy.org
Father, why are all the children weeping? / They are merely crying son
O, are they merely crying, father? / Yes, true weeping is yet to come
-- Nick Cave and the Bad Seeds, The Weeping Song
Re: Patch for Bad Password Attempt Lockout, samba3.0a22.
Remember, this opens up a new vulnerability, to denial
of service attacks. See, for example
http://www.uksecurityonline.com/threat/password.php
If you're implementing this, implement the approved strategy,
also use by NT, of locking it for a settable period, and
not locking out priveledged accounts.
From
http://calnetad.berkeley.edu/documentation/technical/uc_domain_policy.html
Account lockout duration
Sets the number of minutes an account will be locked out.
Allowable values are 0 (account is lockout out until
administrator unlocks it) or between 1 and 9 minutes.
WARNING: Setting this value to 0 (until administrator
unlocks) may allow a potential denial of service attack.
It is important to note that the built-in Administrator
account cannot be locked out.
--dave
Jianliang Lu wrote:
I have implemented the bad password attempt lockout policy. If an user
attempt with the bad password more than the count setted in the policy, then
his account will be auto-locked, like what did NT. The implementation is only
for LDAP passdb backend.
To do this, I have to introduce a new integer attribute in
samba.schema, badPwAttempt.
Folllowing are the patches, any comments?
Jianliang Lu
TieSse s.p.a.
Via Jervis, 60. 10015 Ivrea (To) - Italy
[EMAIL PROTECTED]
[EMAIL PROTECTED]
--- samba-3.0alpha22-orig/source/auth/auth_sam.c Mon Feb 17 16:31:06 2003
+++ samba-3.0alpha22-orig/source/auth/auth_sam.c.fix Thu Mar 27 12:40:10 2003
@@ -326,6 +326,12 @@
return NT_STATUS_ACCOUNT_DISABLED;
}
+ /* Quit if the account was locked out. */
+ if (acct_ctrl ACB_AUTOLOCK) {
+ DEBUG(1,(Account for user '%s' was locked out.\n, pdb_get_username(sampass)));
+ return NT_STATUS_ACCOUNT_LOCKED_OUT;
+ }
+
/* Test account expire time */
kickoff_time = pdb_get_kickoff_time(sampass);
@@ -414,6 +420,7 @@
NTSTATUS nt_status;
uint8 user_sess_key[16];
const uint8* lm_hash;
+ uint32 account_policy_lockout, badpwattempt;
if (!user_info || !auth_context) {
return NT_STATUS_UNSUCCESSFUL;
@@ -448,10 +455,43 @@
nt_status = sam_password_ok(auth_context, mem_ctx, sampass, user_info, user_sess_key);
if (!NT_STATUS_IS_OK(nt_status)) {
+ if (NT_STATUS_EQUAL(nt_status,NT_STATUS_WRONG_PASSWORD)) {
+ badpwattempt = (uint32)pdb_get_bad_pw_attempt(sampass) + 1;
+ if (!pdb_set_bad_pw_attempt(sampass, badpwattempt, PDB_CHANGED))
+ DEBUG(1, (Failed to set 'badPwAttempt' for user % s. \n,
+ user_info-internal_username.str));
+ account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, account_policy_lockout);
+ if (badpwattempt = account_policy_lockout)
+if (!pdb_set_acct_ctrl (sampass,
+ pdb_get_acct_ctrl(sampass) |ACB_AUTOLOCK,
+ PDB_CHANGED)) {
+ DEBUG(1, (Failed to set 'disabled' flag for user % s. \n,
+ user_info-internal_username.str));
+ }
+
+ become_root();
+ if (!pdb_update_sam_account(sampass)) {
+ DEBUG(1, (Failed to modify entry for user % s.\n,
+ user_info-internal_username.str));
+ unbecome_root();
+}
+ }
pdb_free_sam(sampass);
return nt_status;
}
+ if (!pdb_set_bad_pw_attempt(sampass, 0, PDB_CHANGED))
+ DEBUG(1, (Failed to set 'badPwAttempt' for user % s. \n,
+ user_info-internal_username.str));
+ if (!pdb_set_logon_time(sampass, time(NULL), PDB_CHANGED))
+ DEBUG(1, (auth_sam.c : pdb_set_logon_time fialed!\n));
+
+ become_root();
+ if(!pdb_update_sam_account(sampass))
+ DEBUG(1, (Failed to modify entry for user % s.\n,
+ user_info-internal_username.str));
+ unbecome_root();
+
if (!NT_STATUS_IS_OK(nt_status = make_server_info_sam(server_info, sampass))) {
DEBUG(0,(check_sam_security: make_server_info_sam() failed with '%s'\n, nt_errstr(nt_status)));
return nt_status;
--- samba-3.0alpha22-orig/source/passdb/passdb.c Mon Feb 24 16:12:31 2003
+++ samba-3.0alpha22-orig/source/passdb/passdb.c.fix Thu Mar 27 12:40:10 2003
@@ -60,6 +60,7 @@
memset(user-private.hours, 0xff, user-private.hours_len); /* available at all hours */
user-private.unknown_5 = 0x; /* don't know */
user-private.unknown_6 = 0x04ec; /* don't know */
+ user-private.bad_pw_attempt = 0; /* bad password attemp count */
/* Some parts of samba strlen their pdb_get...() returns,
so this keeps the interface unchanged for now. */
--- samba-3.0alpha22-orig/source/passdb/pdb_get_set.c Thu Jan 9 20:05:59 2003
+++ samba-3.0alpha22-orig/source/passdb/pdb_get_set.c.fix Thu Mar 27 12:40:10 2003
@@ -172,6 +172,14 @@
return (NULL);
}
+uint32 pdb_get_bad_pw_attempt (const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return (sampass-private.bad_pw_attempt);
+ else
+ return (-1);
+}
+
/**
* Get flags showing
use sendfile problems with Windows 95
Hi, I turned on use sendfile, not too long after (on the next logon) someone called me. His Windows 95 was having trouble opening files on the server. He can explore the shared volume but when trying to open a file, his computer hangs and needs to reboot. I've been using sendfile myself with Samba under Solaris 8 with NT 2000 XP since a long time with no trouble at all. I tested with another Windows 95 box -- same problem. Even after ~ 5 min. the box is still hanged. I'm wondering if Windows 98/ME are also affected by this? I don't have access to Windows ME boxes but I might find a Windows 98 box... I'll post when I am able to test. I generated a level 10 log file, it's 155KB (gzip -9). Someone wants to look at it? (I did not want to post this hughe file here). Here's the first place where the communication breaks: [2003/03/27 14:53:01, 6] lib/util_sock.c:write_socket(521) write_socket(5,1588) wrote 1588 [2003/03/27 14:53:47, 0] lib/util_sock.c:read_data(436) read_data: read failure for 4. Error = Connection reset by peer [2003/03/27 14:53:47, 10] lib/util_sock.c:receive_smb(609) receive_smb: length 0 ! [2003/03/27 14:53:47, 3] smbd/process.c:timeout_processing(1105) receive_smb error (Connection reset by peer) exiting I'll check on Microsoft's web site for any patches! Regards, Pierre B.
Re: use sendfile problems with Windows 95
On Thu, Mar 27, 2003 at 03:01:55PM -0500, Pierre Belanger wrote: Hi, I turned on use sendfile, not too long after (on the next logon) someone called me. His Windows 95 was having trouble opening files on the server. He can explore the shared volume but when trying to open a file, his computer hangs and needs to reboot. I've been using sendfile myself with Samba under Solaris 8 with NT 2000 XP since a long time with no trouble at all. I tested with another Windows 95 box -- same problem. Even after ~ 5 min. the box is still hanged. I'm wondering if Windows 98/ME are also affected by this? I don't have access to Windows ME boxes but I might find a Windows 98 box... I'll post when I am able to test. I generated a level 10 log file, it's 155KB (gzip -9). Someone wants to look at it? (I did not want to post this hughe file here). A log file won't help I don't think. It looks like sendfile is simply overwhelming the Win95 box's ability to process incoming TCP. Windows 95 is broken in many subtle and not-so-subtle ways w.r.t. SMB networking I'm afraid. Turning off sendfile might be your only option. Jeremy.
Re: [patch] uppercase workgroup in browse request
On Thu, Mar 27, 2003 at 05:43:55PM +0100, Stephan Kulow wrote: Am Thursday 27 March 2003 03:43 schrieb Christopher R. Hertel: Stephan Kulow wrote: Hi! I noticed a difference between testsmbc smb://MYGRP and testsmbc smb://mygrp (it doesn't make a difference for SAMBA servers, but it does for XP and for winME) So please apply the included patch. Hang on... Do I read this correctly? Are we forgetting to up-case the workgroup name? (...it always helps to provide a little clue along with the patch.) :) Samba decodes NetBIOS names and then performs a case-insensitive comparison on the original name. Windows (the versions I've tested) simply compares the wire-format strings. That's faster, but it's also case sensitive. I don't currently have any ME or XP systems to test. I don't understand. You seem to agree with the patch, still it's not applied. I don't understand. I asked for clarification. :) There's a question above. I asked Do I read this correctly?. So, what is your intention with this patch? What was the problem you were detecting? You never specified. Before I dig into the patch I want to know what you are trying to accomplish. Chris -)- -- Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: Patch for Bad Password Attempt Lockout, samba3.0a22.
On Fri, 2003-03-28 at 06:58, David Collier-Brown -- Customer Engineering wrote: Remember, this opens up a new vulnerability, to denial of service attacks. See, for example http://www.uksecurityonline.com/threat/password.php If you're implementing this, implement the approved strategy, also use by NT, of locking it for a settable period, and not locking out priveledged accounts. From http://calnetad.berkeley.edu/documentation/technical/uc_domain_policy.html Account lockout duration Sets the number of minutes an account will be locked out. Allowable values are 0 (account is lockout out until administrator unlocks it) or between 1 and 9 minutes. WARNING: Setting this value to 0 (until administrator unlocks) may allow a potential denial of service attack. It is important to note that the built-in Administrator account cannot be locked out. Once these issues are sorted, I'm inclined to apply this patch! Andrew Bartlett -- Andrew Bartlett [EMAIL PROTECTED] Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED] Student Network Administrator, Hawker College [EMAIL PROTECTED] http://samba.org http://build.samba.org http://hawkerc.net signature.asc Description: This is a digitally signed message part
extended ACL problems for default group w/ 2.2.7a 2.2.8
We're having problems on Samba 2.2.7a and 2.2.8, IBM JFS 1.1.1, Linux version 2.4.20, bestbits ACLs, etc. The problem is seen with Windows 2000 and Windows XP clients. I get different permissions for the default group on new files directories depending on if the directory tree is xcopied or is moved via drag drop in the GUI. According to level 10 samba logs and ethereal traces the difference that causes this problem is that the xcopy triggers serveral transaction2 SET_FILE_INFORMATION level 1004 calls. Samba does a chmod on the file or directory while processing this call. Nothing in this call looks to me like it should be changing the permissions. I tried the same test against a Windows 2000 server and found the resulting permissions are the same for both trees regardless of the copy method. Items from smb.conf [acl-test] comment = Temp Space to test ACL path = /home/group/new inherit acls = yes nt acl support = yes We don't have any mention of mask, mode, etc. in the smb.conf Comparison of the ACLs: [EMAIL PROTECTED] d1]# getfacl smtest # file: smtest # owner: bmarsh # group: bmarsh user::rwx group::--- group:admin:rwx mask::rwx other::--- default:user::rwx default:group::--- default:group:admin:rwx default:mask::rwx default:other::--- [EMAIL PROTECTED] d1]# getfacl smtestx # file: smtestx # owner: bmarsh # group: bmarsh user::rwx group::rwx group:admin:rwx mask::rwx other::--x default:user::rwx default:group::--- default:group:admin:rwx default:mask::rwx default:other::--- ACL on the parent directory of smtest smtestx: [EMAIL PROTECTED] new]# getfacl d1 # file: d1 # owner: bmarsh # group: bmarsh user::rwx group::--- group:admin:rwx mask::rwx other::--- default:user::rwx default:group::--- default:group:admin:rwx default:mask::rwx default:other::--- How the directories were created: Y:\xcopy smtest y:\d1\smtestx /s /e (I use the new dir smtestX for xcopy) Does Y:\d1\smtestx specify a file name or directory name on the target (F = file, D = directory)? d smtest\t1.txt 1 File(s) copied Then I drag and drop the same directory onto the same server to get smtest Thanks, Bill Marshall
security tab on shares not showing up in SAMBA_3_0
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 John, I just confirmed that the security tab on a share is missing with a recent build of SAMBA_3_0. I'll look into this (unless someone has an immediate idea). cheers, jerry -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.0 (GNU/Linux) Comment: For info see http://quantumlab.net/pine_privacy_guard/ iD8DBQE+gzMMIR7qMdg1EfYRAqiHAJ0b5tQyuAHy3carW+vFU7GJ1I1PigCg8r0H +AKWx7bdn0uNVXVELgrm1uI= =v9zk -END PGP SIGNATURE-
Re: modules: BOOL vs. int
Not that this is correct or anything... just my 2cents.
I tend in my own code to return negative integers to indicate warnings or
errors, with different negative values having different meaning (as
needed). That way, I can simply check for 0 on return. If I want to
get specific about what the error was I can look more carefully at the
return value.
I spent a little time programming in Icon. Interesting language. Every
function returns a status code in addition to all other data.
Chris -)-
On Thu, Mar 27, 2003 at 02:29:11PM +0100, Stefan (metze) Metzmacher wrote:
At 12:12 27.03.2003 +0100, Jelmer Vernooij wrote:
I noticed that all smb_register_*() fn's return BOOL
and the init_module() fn's returns int
so this is wrong:
I don't have problems with this. We only need the return value in
smb_probe_module() to check for failure, and False is defined to be
equal to 0. The current way is more flexible. Some functions return a
BOOL, but others return an int (such as in rpc).
You're right but I think its confusing
can't we name the return var
BOOL when we use True or False
or!!!
int when we use 0 or -1
because int 0 means often success and BOOL False (int 0) means failure
(this is confusing and cries for bugs!!!)
And just for a better coding style :-)
And I want it to be equal for all smb_register_*() fn's
int auth_sam_init(void)
{
smb_register_auth(samstrict_dc, auth_init_samstrict_dc,
AUTH_INTERFACE_VERSION);
smb_register_auth(samstrict, auth_init_samstrict,
AUTH_INTERFACE_VERSION);
smb_register_auth(sam, auth_init_sam, AUTH_INTERFACE_VERSION);
return True;
}
When would you want the function to fail ? If registering one of the
functions fails?
ok don't fail but a warning would be good
metze
-
Stefan metze Metzmacher [EMAIL PROTECTED]
--
Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED]
OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: security tab on shares not showing up in SAMBA_3_0
On Thu, 27 Mar 2003, Gerald (Jerry) Carter wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 John, I just confirmed that the security tab on a share is missing with a recent build of SAMBA_3_0. I'll look into this (unless someone has an immediate idea). Thanks. I was beginning to think it was something I was doing. Argh! - John T. -- John H Terpstra Email: [EMAIL PROTECTED]
bug in pjob_store (3.0alpha20)
Before I send all the details, I thought I'd check to see if this is
a known problem. I've got version 3.0 alpha20 running on a FreeBSD
-current box. When I try to print from a Win2000 box, smbd encounters
an internal error. Gdb shows pjob_store() is calling pjob_store_notify()
with a bad old_data.dptr pointer.
(gdb) p old_data
$1 = {dptr = 0x800 Error reading address 0x800: Bad address, dsize = 0}
(gdb) frame
#9 0x081a4ce4 in pjob_store (snum=6, jobid=3, pjob=0xbfbfec90)
at printing/printing.c:582
582 pjob_store_notify( snum, jobid, (struct printjob
*)old_data.dptr, pjob );
I've got, use client driver = yes, in my smb.conf file.
Shall I provide more details, or is this a known problem?
mike
Re: sesssetup.c, encrypted passwords and unicode
I posted some further analysis of this problem to the list a while back.
I've got some captures. Basically, different Windows clients that can
provide plaintext upper-case don't quite get it right. At least, they are
not all formatting things the same way.
I don't have time just now to look more deeply into this. If anyone else
does, let me know and I'll forward my info.
Chris -)-
On Thu, Mar 27, 2003 at 09:36:48PM +0200, Nir Soffer wrote:
Hi there! I've been trying to get Samba 3.0 to use plaintext passwords and unicode
for a while now.
The first thing I stumbled on was solved, it was a service pack that needed to be
applied to w2k. (Thanks!)
This is the second thing I stumbled on:
In line 613 of sesssetup.c (latest CVS) there is the following code snippet:
} else {
pstring pass;
srvstr_pull(inbuf, pass, smb_buf(inbuf),
sizeof(pass), passlen1, STR_TERMINATE);
plaintext_password = data_blob(pass, strlen(pass)+1);
}
From what (limited) understanding I have, passlen1 in this case is the non-unicode
password, and passlen2 is the unicode password. The code pull the wrong passlen,
and consequently the wrong password was checked against the database. ( a password
with a length of 0)
Changing the code to use passlen2 basically allowed me to login, but I'm pretty sure
this is not the correct fix (I would think that one should first check if the
connection is unicode or not).
Just FYI,
Thanks :)
Nir.
--
Nir Soffer -=- Exanet Inc. -=- http://www.evilpuppy.org
Father, why are all the children weeping? / They are merely crying son
O, are they merely crying, father? / Yes, true weeping is yet to come
-- Nick Cave and the Bad Seeds, The Weeping Song
--
Samba Team -- http://www.samba.org/ -)- Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/ -)- ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)- [EMAIL PROTECTED]
OnLineBook -- http://ubiqx.org/cifs/-)- [EMAIL PROTECTED]
Re: use sendfile problems with Windows 95
On Thu, 27 Mar 2003, Pierre Belanger wrote: Hi, I turned on use sendfile, not too long after (on the next logon) someone called me. His Windows 95 was having trouble opening files on the server. He can explore the shared volume but when trying to open a file, his computer hangs and needs to reboot. I've been using sendfile myself with Samba under Solaris 8 with NT 2000 XP since a long time with no trouble at all. I tested with another Windows 95 box -- same problem. Even after ~ 5 min. the box is still hanged. I'm wondering if Windows 98/ME are also affected by this? I don't have access to Windows ME boxes but I might find a Windows 98 box... I'll post when I am able to test. I generated a level 10 log file, it's 155KB (gzip -9). Someone wants to look at it? (I did not want to post this hughe file here). Can you get us a sniff? Regards - Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, sharpe[at]ethereal.com, http://www.richardsharpe.com
Re: Patch for Bad Password Attempt Lockout, samba3.0a22.
You can already do that through pam_tally, what does your approach add ? Simo. On Thu, 2003-03-27 at 15:34, Jianliang Lu wrote: I have implemented the bad password attempt lockout policy. If an user attempt with the bad password more than the count setted in the policy, then his account will be auto-locked, like what did NT. The implementation is only for LDAP passdb backend. To do this, I have to introduce a new integer attribute in samba.schema, badPwAttempt. Folllowing are the patches, any comments? -- Simo Sorce- [EMAIL PROTECTED] Samba Team- http://www.samba.org Italian Site - http://samba.xsec.it
Re: OPLOCK and locking problems: (Resource deadlock avoided)
On Fri, 2003-03-28 at 07:34, [EMAIL PROTECTED] wrote: On Sun, Mar 23, 2003 at 02:23:45PM +1100, Andrew Bartlett wrote: Earlier this week, I had a serious meltdown of Samba HEAD at my site. (A 100 concurrent user, domain logon and homedir setup). All the users share a single mandatory profile, which they think they can write two, but can't. (due to file permissions). They think they can due to the use of 'vfs_fake_perms.so'. In any case, no matter what the client thinks, I'm told this should not happen: I've attached the first 6 mins on the log, but by the time it got to 11 AM I'm told it got impossible to use the system. As smbds got caught up in waiting for oplocks, I think the clients decided to reconnect. This created even more load, and by 12PM when I got onto the system, there were way more smbd processes than machines to account for them. The load at 12PM was 20, and just logging into the system with SSH took *ages*. Unfortunately I was unable to get an strace or gdb the culprit, as I had to get the system back up and going again. There is a slight possibility of tdb corruption (I should have removed the locking tdb after the last crash), but no segfaulting processes. (This has occurred before, but I had blamed that). By the end of the logfile, we have multiple smbds all sending oplock replies to processes that don't expect them, connections being reset and all hell breaking loose... Personally, I suspect a tdb bug as the root cause, but our UDP based oplock handling can't get off the hook either. Are you running the Solaris kernel scalabel-fcntl patch ? If not, that was your problem, not the Samba code. Nope, RedHat 8, kernel 2.4.18. Andrew Bartlett -- Andrew Bartlett [EMAIL PROTECTED] Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED] Student Network Administrator, Hawker College [EMAIL PROTECTED] http://samba.org http://build.samba.org http://hawkerc.net signature.asc Description: This is a digitally signed message part
Re: Patch for Bad Password Attempt Lockout, samba3.0a22.
On Fri, 2003-03-28 at 07:40, Simo wrote: You can already do that through pam_tally, what does your approach add ? We can't correctly trigger pam_tally from the encrypted password check. Also, the pam_tally is dodgy - it doesn't correctly handle 'oh, they got it right'. (It makes assumptions about the way applications call PAM). Andrew, -- Andrew Bartlett [EMAIL PROTECTED] Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED] Student Network Administrator, Hawker College [EMAIL PROTECTED] http://samba.org http://build.samba.org http://hawkerc.net signature.asc Description: This is a digitally signed message part
generating core dumps in winbindd and smbd
I was poking around in the segv signal handling code today as I'm in a situation where an actual core dump would be handy to have. The intent of the current code looks like core dumps are to be made in $LOGDIR/corefiles but the dump_core() function is never executed as the argument to fault_setup() is never used. Do we want to keep the existing behaviour or shall I fix it to do what was intended? Tim.
Re: generating core dumps in winbindd and smbd
On Fri, 28 Mar 2003, Tim Potter wrote: I was poking around in the segv signal handling code today as I'm in a situation where an actual core dump would be handy to have. The intent of the current code looks like core dumps are to be made in $LOGDIR/corefiles but the dump_core() function is never executed as the argument to fault_setup() is never used. Do we want to keep the existing behaviour or shall I fix it to do what was intended? I would say do what was intended. I often need core files :-( Regards - Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, sharpe[at]ethereal.com, http://www.richardsharpe.com
Re: generating core dumps in winbindd and smbd
On Thu, Mar 27, 2003 at 09:41:55PM -0800, Richard Sharpe wrote: On Fri, 28 Mar 2003, Tim Potter wrote: I was poking around in the segv signal handling code today as I'm in a situation where an actual core dump would be handy to have. The intent of the current code looks like core dumps are to be made in $LOGDIR/corefiles but the dump_core() function is never executed as the argument to fault_setup() is never used. Do we want to keep the existing behaviour or shall I fix it to do what was intended? I would say do what was intended. I often need core files :-( It would also be nice to have a core-server-pid filename for the core dump but I'm not sure how portable that is.
Re: generating core dumps in winbindd and smbd
On Fri, 2003-03-28 at 17:17, Tim Potter wrote: On Thu, Mar 27, 2003 at 09:41:55PM -0800, Richard Sharpe wrote: On Fri, 28 Mar 2003, Tim Potter wrote: I was poking around in the segv signal handling code today as I'm in a situation where an actual core dump would be handy to have. The intent of the current code looks like core dumps are to be made in $LOGDIR/corefiles but the dump_core() function is never executed as the argument to fault_setup() is never used. Do we want to keep the existing behaviour or shall I fix it to do what was intended? I would say do what was intended. I often need core files :-( It would also be nice to have a core-server-pid filename for the core dump but I'm not sure how portable that is. Isn't that what the mkdir() stuff is about? Andrew Bartlett -- Andrew Bartlett [EMAIL PROTECTED] Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED] Student Network Administrator, Hawker College [EMAIL PROTECTED] http://samba.org http://build.samba.org http://hawkerc.net signature.asc Description: This is a digitally signed message part
RE: [Samba] print$ share problem URGENT - BUG
Whoops! extract is really expand.
expand /? at the command prompt shows the options for expanding files
with the trailing underscore. I use
expand -r *.??_
which creates new, renamed, expanded files from the compressed ones.
A word of warning: some compressed files do not have the original name
embedded within the file. This will created expanded files with the
underscore removed, not replaced with the original last character. In
these situations, one must refer to the .INF file to discover the true
name.
What would be great is if someone wrote a simple Win32 program that
parses the .INF print driver installation file, expanding the files as
necessary, getting files from the local workstation and uploading them
into the appropriate [print$] share directory, and doing the adddriver
and setdriver RPCs. That way print driver installation would be free of
the hoops imposed by drivers show add printer wizard goofiness.
Thanks,
Peter Hurley
[EMAIL PROTECTED]
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 27, 2003 8:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [Samba] print$ share problem URGENT - BUG
Heya, I'm looking at having to do the same thing... a couple of
manufacturer's drivers either fail to install on samba, or install
incorrectly. I'm using a W2k pro client but have no extract command.
Is this a program that comes with w2k or something you got from
somewhere else?
Btw, thanks for explaining the {2227a280-3aea...} messages. Googling
turned up lots of hits, but the only suggested solution was to delete
the key from the client's registry (which didn't seem like a good idea
to me). I didn't know that InProcServer was depended on by some driver
installations. Realizing that samba as a print-server w/ automatic
driver download has more hurdles than getting a devmode set...
Thanks for letting me know about extract,
~ Daniel
On Wednesday, March 26, 2003 5:45 PM Peter Hurley wrote:
I do not know why your logs are showing an smb_panic(), but
the failure
to make a connection to {2227a280-3aea} is because the printer
driver is attempting to open the Printers InProcServer on the remote
print server.
***Snippet from logs***
[2003/03/26 14:33:08, 0] smbd/service.c:make_connection(252)
donglesvr (10.217.7.11) couldn't find service
::{2227a280-3aea-1069-a2de-08002b30309d}
***
Since the print server is a Samba machine (that has no registry or
capability to run InProcServers), that service doesn't exist. I had
this happen to me when trying to add additional drivers from my W2k
workstation to our 2.2.7a Samba server for a new HP2200
network printer.
The solution I used was to add them manually via rpcclient on
the Samba
server itself. It took me quite a while. Basically the process is:
1) expand the driver files on your local W2k workstation, via the
extract command line utility.
2) copy the driver files up to the appropriate directory on the
[print$] share. See section 6.2.1 of the Samba HOWTO for the
directory
structure.
Basically, NT4/W2K/XP drivers go in W32X86 and 95/98/Me go into WIN40.
3) on the samba server, run rpcclient.
4) at the rpcclient prompt, use adddriver to install the files into
the appropriate architecture location. The tricky part of this is
looking at the *.INF file to determine what parameters go where in the
adddriver command. The format is:
adddriver Architecture LongPrinterName:DriverFile:DataFile:
ConfigFile:HelpFile:LanguageMonitorFile:DataType:ListOfFiles
See rpcclient() man page for list of Architectures.
The ListOfFiles are the files not already specified in the other
parameters.
For example,
adddriver Windows NT x86 HP LaserJet 2200 Series PCL 6:
HPBF3222.DLL:HPBF3224.PMD:HPBF3220.DLL:HPBF3220.HLP:HPBMMON.DLL:RAW:
HPBAFD32.DLL,HPBFTM32.DLL,HPDOMON.DLL,HPBHEALR.DLL
5) when you have added the driver successfully, then you use the
setdriver command (still at the rpcclient prompt) to associate the
printer share with the driver.
For example,
setdriver hp2200 HP LaserJet 2200 Series PCL 6
Now automatic driver download should work.
This process was so painful, eventually I'm going to look at the
Imprints package to see if that works (there's a reference to this
package in section 6.3 of the Samba HOWTO).
Thanks,
Peter Hurley
[EMAIL PROTECTED]
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Stéphane Purnelle
Sent: Wednesday, March 26, 2003 4:33 PM
To: [EMAIL PROTECTED]; samba US; samba-tech
Subject: Re: [Samba] print$ share problem URGENT - BUG
Why I have no answer for my questions ?
I repeat the situation :
RedHat 8.0 with samba 2.2.8 compiled wiwth ldapsam and acl-support
I need the print$ share and this system dont't work.
I explain :
when I add a driver, the system copy the data to the share, but after
the
