Re: FW: encrypt passwords=no, security=yes, samba 2.2.8, W2K useraut h fails
That's highly undesirable, as it breaks single-signon (unless you're an NT-cenric organization, which Sun isn't (:-)) --dave |Hi Tony, |Another workaround would be to populate an smbpasswd file with all the names | |from your /etc/passwd file. |But I realize this can be onerous. Samba has a script to help with this, |mksmbpasswd.sh |since you won't be needing passwords from this smbpasswd file, this would do |it for you, I think if your distribution doesn't install this script, |it |can be found in the source at /usr/local/samba/source/script/mksmbpasswd.sh | |useage: | |cat /etc/passwd|./mksmbpasswd.sh /usr/local/samba/var/private/smbpasswd | |Hope this helps |Don
Re: Patch for Bad Password Attempt Lockout, samba3.0a22.
Remember, this opens up a new vulnerability, to denial of service attacks. See, for example http://www.uksecurityonline.com/threat/password.php If you're implementing this, implement the approved strategy, also use by NT, of locking it for a settable period, and not locking out priveledged accounts. From http://calnetad.berkeley.edu/documentation/technical/uc_domain_policy.html Account lockout duration Sets the number of minutes an account will be locked out. Allowable values are 0 (account is lockout out until administrator unlocks it) or between 1 and 9 minutes. WARNING: Setting this value to 0 (until administrator unlocks) may allow a potential denial of service attack. It is important to note that the built-in Administrator account cannot be locked out. --dave Jianliang Lu wrote: I have implemented the bad password attempt lockout policy. If an user attempt with the bad password more than the count setted in the policy, then his account will be auto-locked, like what did NT. The implementation is only for LDAP passdb backend. To do this, I have to introduce a new integer attribute in samba.schema, badPwAttempt. Folllowing are the patches, any comments? Jianliang Lu TieSse s.p.a. Via Jervis, 60. 10015 Ivrea (To) - Italy [EMAIL PROTECTED] [EMAIL PROTECTED] --- samba-3.0alpha22-orig/source/auth/auth_sam.c Mon Feb 17 16:31:06 2003 +++ samba-3.0alpha22-orig/source/auth/auth_sam.c.fix Thu Mar 27 12:40:10 2003 @@ -326,6 +326,12 @@ return NT_STATUS_ACCOUNT_DISABLED; } + /* Quit if the account was locked out. */ + if (acct_ctrl ACB_AUTOLOCK) { + DEBUG(1,(Account for user '%s' was locked out.\n, pdb_get_username(sampass))); + return NT_STATUS_ACCOUNT_LOCKED_OUT; + } + /* Test account expire time */ kickoff_time = pdb_get_kickoff_time(sampass); @@ -414,6 +420,7 @@ NTSTATUS nt_status; uint8 user_sess_key[16]; const uint8* lm_hash; + uint32 account_policy_lockout, badpwattempt; if (!user_info || !auth_context) { return NT_STATUS_UNSUCCESSFUL; @@ -448,10 +455,43 @@ nt_status = sam_password_ok(auth_context, mem_ctx, sampass, user_info, user_sess_key); if (!NT_STATUS_IS_OK(nt_status)) { + if (NT_STATUS_EQUAL(nt_status,NT_STATUS_WRONG_PASSWORD)) { + badpwattempt = (uint32)pdb_get_bad_pw_attempt(sampass) + 1; + if (!pdb_set_bad_pw_attempt(sampass, badpwattempt, PDB_CHANGED)) + DEBUG(1, (Failed to set 'badPwAttempt' for user % s. \n, + user_info-internal_username.str)); + account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, account_policy_lockout); + if (badpwattempt = account_policy_lockout) +if (!pdb_set_acct_ctrl (sampass, + pdb_get_acct_ctrl(sampass) |ACB_AUTOLOCK, + PDB_CHANGED)) { + DEBUG(1, (Failed to set 'disabled' flag for user % s. \n, + user_info-internal_username.str)); + } + + become_root(); + if (!pdb_update_sam_account(sampass)) { + DEBUG(1, (Failed to modify entry for user % s.\n, + user_info-internal_username.str)); + unbecome_root(); +} + } pdb_free_sam(sampass); return nt_status; } + if (!pdb_set_bad_pw_attempt(sampass, 0, PDB_CHANGED)) + DEBUG(1, (Failed to set 'badPwAttempt' for user % s. \n, + user_info-internal_username.str)); + if (!pdb_set_logon_time(sampass, time(NULL), PDB_CHANGED)) + DEBUG(1, (auth_sam.c : pdb_set_logon_time fialed!\n)); + + become_root(); + if(!pdb_update_sam_account(sampass)) + DEBUG(1, (Failed to modify entry for user % s.\n, + user_info-internal_username.str)); + unbecome_root(); + if (!NT_STATUS_IS_OK(nt_status = make_server_info_sam(server_info, sampass))) { DEBUG(0,(check_sam_security: make_server_info_sam() failed with '%s'\n, nt_errstr(nt_status))); return nt_status; --- samba-3.0alpha22-orig/source/passdb/passdb.c Mon Feb 24 16:12:31 2003 +++ samba-3.0alpha22-orig/source/passdb/passdb.c.fix Thu Mar 27 12:40:10 2003 @@ -60,6 +60,7 @@ memset(user-private.hours, 0xff, user-private.hours_len); /* available at all hours */ user-private.unknown_5 = 0x; /* don't know */ user-private.unknown_6 = 0x04ec; /* don't know */ + user-private.bad_pw_attempt = 0; /* bad password attemp count */ /* Some parts of samba strlen their pdb_get...() returns, so this keeps the interface unchanged for now. */ --- samba-3.0alpha22-orig/source/passdb/pdb_get_set.c Thu Jan 9 20:05:59 2003 +++ samba-3.0alpha22-orig/source/passdb/pdb_get_set.c.fix Thu Mar 27 12:40:10 2003 @@ -172,6 +172,14 @@ return (NULL); } +uint32 pdb_get_bad_pw_attempt (const SAM_ACCOUNT *sampass) +{ + if (sampass) + return (sampass-private.bad_pw_attempt); + else + return (-1); +} + /** * Get flags showing
Re: discussion on implementation of bad attempt locakout policy
This has some downsides, you understand: you can lock someone else out of their account by making a bunch of attempts to log in as them. Don't want root tracking your breakin attempts? Lock him out first! If you do go down this path, consider a) doing it in a PAM module so the same policy applies to Samba as to all other logins b) set a short delay (say, 10 minutes) when someone tries to log in, not a unilateral lockout, and notify root by email. --dave Jianliang Lu wrote: Hi, I'm looking at bad attempt locakout on samba3.0 a22. My opinion is to introduce a new variable uint32 bad_pw_counts in the struct user_data of SAM_ACCOUNT. so in the auth.c, routine check_ntlm_password(), I can check the bad password attemped against the AP_BAD_ATTEMPT_LOCKOUT, if it were more than that, I will lock the user. I'd like to have your sugestions on this issue, specially to know where I can put the count of the bad_pw_counts. Jianliang Lu TieSse s.p.a. Via Jervis, 60 10015 Ivrea (To)ITALY [EMAIL PROTECTED] [EMAIL PROTECTED] -- David Collier-Brown, | Always do right. This will gratify Sun Microsystems DCMO | some people and astonish the rest. Toronto, Ontario | (905) 415-2849 or x52849 | [EMAIL PROTECTED]
Re: [SECURITY] Samba 2.2.8 available for download
Green, Paul wrote: However, on a chip that does distinguish areas of virtual memory that are code, and areas that are data, and further disallows execution of data (absent a specific operating system call to change the access mode of that region of virtual memory), it seems to me that it would be almost impossible for even a highly skilled attacker to inject binary specific code. I consider myself highly skilled on the Stratus VOS operating system and I can't for the life of my see how I could get the HP PA-RISC microprocessor to execute code that came down the wire as data. I'm inclined to think you're right: if I set stack and data spaces non-executable on my machine (a SPARC), it makes it distincltly harder to build an stack-overflow exploit. The writer can't insert a return address in the code he's added, but instead has to run something that already exists in the address space. In addition, if the code space is protected, it's hard for the attacker to put exploit code there. Intel and Samba experts, can you expand on this? --dave -- David Collier-Brown, | Always do right. This will gratify Sun Microsystems DCMO | some people and astonish the rest. Toronto, Ontario | (905) 415-2849 or x52849 | [EMAIL PROTECTED]
Re: Browsing across subnets without WINS
Thank you, kind sir! --dave Christopher R. Hertel wrote: On Tue, Mar 18, 2003 at 07:34:45AM -0500, David Collier-Brown -- Customer Engineering wrote: Guys, is this an expected behavior? Unless you have WINS up (which causes issues with multihomed machines), one seemingly cannot synchronize browse lists across subnets. Samba's WINS does a good job of handling multi-homed systems. Microsoft's design for multi-homed WINS entries is ugly...but it should work. More... --dave Pedro Guedes wrote: Browsing across subnets is well documented on the 2 main books about Samba (the o´reilly one and the John D. Blair older one - the first of all). I usually do not use WINS, even on W2K because it does not work correctly on multihomed servers. I have heard many reports (and seen a few traces) of bugs in W2K's WINS implementation. It binds on only one interface (the primary one if one can state correctly which one it is - on 99% of the cases the one on the lowest PCI slot). Samba's WINS can be set to bind to which ever interfaces you like. One can read a couple of white papers from microsoft stating just that, I think this is due to the NetBIOS name coupled to the machine in contrast to the name coupled to the IP interface, even in the NeBT world. NetBIOS names are assigned to services or applications. Not to interfaces or devices. That's the way NetBIOS works. So that's right in the sense that the NetBIOS name is never bound to the interface. What I tried to do is make samba win browse master elections (in subnets away from the subnet where the PDC resides - it always wins and without any local NT4 Backup Domain Controlller or W2K Domain controller) based on the idea of the Unix server being always on-line should always take the role despite the presence of W98 W2K Professional always coming and going. Yes, but having Samba become the *local* master browser doesn't help much. The idea is to change browse lists with the domain master browser (the PDC or FSMO on W2K) so that browsing accross subnets works for everybody. ...but the DMB can't be contacted unless you can find the name via WINS. In fact Samba becomes the master browser on the LAN due to higher values on election based on the setting os level. It wins over W2K Professional (the highest Windows on the LAN). Right. But Despite settings of remote announce ,remote browse sync, entries like 192.168.5.20ISLA#1B in lmhosts to talk to the PDC/FSMO (I known it says it only works with other samba server) what the Domain Master Browser receives is only the samba server itself, no neighbours listed at all. Remote Announce sends the Samba server's announcement directly to the DMB, so the DMB will know about the Samba server. That's what you are seeing. Remote Browse Sync only works between Samba servers. I have, since the early samba releases, noted this behaviour. So, what I do is make W2K Professional force and win browse master election when it boots. (look at HKLM\System\CurrentControlSet\Services\Browser\ for the values MaintainServerList - yes IsDomaiMasterBrowser - yes This way browse lists always propagate correctly to the Domain Master Browser. This samba behaviour (or lack of it) is quite unfortunate Samba's browsing behavior is a *superset* of Windows behavior. since the W2K Professionals are always coming and going making subnets browsing quite unstable. It is strange that the samba servers have such poor behaviour despite their phenomenal growth in the integration Unix/Windows arena. A little bit more could be written about this. If you have any sugestions they would be welcome. This matter truly deserves an article somewhere. In O´reilly web pages, on Linux/Windows Magazines. Maybe a better writer than me could write a paper on it. I am currently finishing the Browsing section of my book. See: http://ubiqx.org/cifs/Browsing.html I'll be finishing as much as I can in the next week or so. See also: ftp://ftp.microsoft.com/developr/drg/CIFS/cifsbrow.txt ...and also read the discussions of browsing parameters in the smb.conf manual pages. Basically, though Samba does a good job with browsing. Better than many Windows implementations. The key thing is that synchronising complete browse lists with a DMB will *not* work unless the LMBs know where to find the DMB. WINS is typically the way that is done. I don't know whether adding a #1B entry to the lmhosts file will signal Samba that it needs to browse sync with the given entry. If Samba is not aware of a WINS server it *may* not try to sync with any DMBs. *This is pure supposition on my part.* I don't know that part of the code as well as I should (yet). In any case, make sure you have lmhosts name resulotion enabled. I *have* seen a problem with browsing between Samba and Windows systems. I was not able to resolve the problem at the time because it was a problem in a computer lab at a conference and I did not have either
Sidebar to Testing framework
If you're considering performance tests as well, I can help on metrics and analysis. I often use Samba as the guinea-pig in my work work. --dave -- David Collier-Brown, | Always do right. This will gratify Sun Microsystems DCMO | some people and astonish the rest. Toronto, Ontario | (905) 415-2849 or x52849 | [EMAIL PROTECTED]
Re: Samba non-oplock performance on Solaris 7/8
Nastasi, John wrote: Do you know if there are any issues with Samba running on Solaris that would cause the application to run very, very slow with oplocks turned off? No, and that's the kind of problem we should raise with the Samba team: I'm cc'ing this to them. Specifically, with oplocks turned on I get acceptable performance trying to open an MS-Access (Jet) database. The operation completes in no more than a minute or so. Turning off oplocks (as suggested repeatedly by many folks for multiple users accessing an MDB on a Samba share) completely hoses the same operation - 9 minutes to complete. We need to see what Samba's doing differently between the two cases. There are three places to look: 1) Samba logs, at log level = 3 or more 2) truss reports 3) packet dumps. I recommend them in roughly that order: I'm good at reading truss, and the team is real good at logs. I've tried the configuration on a Solaris 7 (Ent 4500) running Samba 2.0.10 and also on a Solaris 8 (V100) running Samba 2.2.7a - same result. I'm about to try the latest kernel patch to see if it could be an fcntl related issue, but was curious if you knew of anything else that could be causing the problem. Based upon what I've read - oplocks being turned off should help multi-user, MDB access performance. What I'm seeing, however, is just the opposite. Yes, specifically by avoiding transferring the whole file to the client and then transferring it back. Turning of oplocks **in principle should** cause the db to read only the records it wants to change, then writing them back. The times imply it's still transferring the whole file, which is utterly evil (;-)) Of course, using smb file locking as the mechanism to do database locking is brain-dead in the first place. Being able to do so is just a way of letting you try out a DBMS, get used to it and eventually buy the back-end DBMS and a server to put it on. --dave -- David Collier-Brown, | Always do right. This will gratify Sun Microsystems DCMO | some people and astonish the rest. Toronto, Ontario | (905) 415-2849 or x52849 | [EMAIL PROTECTED] -- David Collier-Brown, | Always do right. This will gratify Sun Microsystems DCMO | some people and astonish the rest. Toronto, Ontario | (905) 415-2849 or x52849 | [EMAIL PROTECTED]
RE: Samba Performance on Solaris 7/8
Nastasi, John [EMAIL PROTECTED] writes: --- I almost thought I had the problem licked yesterday by leaving oplocks on, and utilizing the veto oplock option to selectively exclude certain file types. Going this route, I was able to exclude both .MDB and .DBF file types with no degradation in performance (single-user). The minute I tried to exclude .SHP file types, however, the problem re-appeared. Using smbstatus, I came to the conclusion that our app is attempting to gain an exclusive lock on a specific .SHP file and, upon failing, continues to re-try at 30 second intervals -- finally moving on after 9 minutes (20 attempts I presume). Checking with our developers unveiled that our app is programmed in Visual Basic and makes use of Map Objects from ESRI for GIS activities. Apparently Map Objects is where the .DBF and .SHP (shape) files are coming into play, and the source of the file locking problem. Because the problem (appears) to emanate from Map Objects, I'm not sure there's going to be a way to work around it. I'm just disappointed that it works on an NT/2000 based share and not Samba. The client that I'm working on this for is a large Sun user, and apparently has no real desire to drop a Windows box into the mix. Thanks again for your help, and if you can think of anything that may work in this situation -- I'd be very interested in your thoughts. Although I've not yet had the opportunity to run a TRUSS or packet capture, I can certainly get in and learn how to do it real quick if you think that would help in any way. Have a good one... John Nastasi -Original Message- From: David Collier-Brown -- Customer Engineering [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 11, 2003 9:00 AM To: Nastasi, John Cc: '[EMAIL PROTECTED]' Subject: Re: Samba Performance on Solaris 7/8 Nastasi, John wrote: Do you know if there are any issues with Samba running on Solaris that would cause the application to run very, very slow with oplocks turned off? No, and that's the kind of problem we should raise with the Samba team: I'm cc'ing this to them. Specifically, with oplocks turned on I get acceptable performance trying to open an MS-Access (Jet) database. The operation completes in no more than a minute or so. Turning off oplocks (as suggested repeatedly by many folks for multiple users accessing an MDB on a Samba share) completely hoses the same operation - 9 minutes to complete. We need to see what Samba's doing differently between the two cases. There are three places to look: 1) Samba logs, at log level = 3 or more 2) truss reports 3) packet dumps. I recommend them in roughly that order: I'm good at reading truss, and the team is real good at logs. I've tried the configuration on a Solaris 7 (Ent 4500) running Samba 2.0.10 and also on a Solaris 8 (V100) running Samba 2.2.7a - same result. I'm about to try the latest kernel patch to see if it could be an fcntl related issue, but was curious if you knew of anything else that could be causing the problem. Based upon what I've read - oplocks being turned off should help multi-user, MDB access performance. What I'm seeing, however, is just the opposite. Yes, specifically by avoiding transferring the whole file to the client and then transferring it back. Turning of oplocks **in principle should** cause the db to read only the records it wants to change, then writing them back. The times imply it's still transferring the whole file, which is utterly evil (;-)) Of course, using smb file locking as the mechanism to do database locking is brain-dead in the first place. Being able to do so is just a way of letting you try out a DBMS, get used to it and eventually buy the back-end DBMS and a server to put it on. --dave -- David Collier-Brown, | Always do right. This will gratify Sun Microsystems DCMO | some people and astonish the rest. Toronto, Ontario | (905) 415-2849 or x52849 | [EMAIL PROTECTED] -- David Collier-Brown, | Always do right. This will gratify Sun Microsystems DCMO | some people and astonish the rest. Toronto, Ontario | (905) 415-2849 or x52849 | [EMAIL PROTECTED]
RE: Samba Performance on Solaris 7/8 (oplocks)
Could someone add a one-liner to the FAQs about the .mdb/.dbf/.shp spcial case? --dave John wrote: | I did. The ESRI MapObjects part of our application, | however, doesn't like being denied an exclusive lock on | those .shp files -- despite the fact that it only needs | to open them for read access. | Fake oplocks more/less a workaround for MapObjects. | It's just unfortunate that you have to apply fake | oplocks to the entire service and not just the | .shp extension. -Original Message- From: David Collier-Brown -- Customer Engineering [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 11, 2003 2:37 PM To: Nastasi, John Cc: '[EMAIL PROTECTED]' Subject: Re: FW: Samba Performance on Solaris 7/8 Possibly dumb question: didn't you say you tried veto oplock files = /.mdb/.dbf/.shp/ --dave (whose short-term memory is starting to go (;-)) c-b Nastasi, John wrote: David, Just as a follow-up, I wanted to pass along that by adding... Oplocks = False Fake Oplocks = True ...to the service, it appears to have fixed the problem. Since none of the .MDB, .DBF, or .SHP files should ever be written to (by our app -- in theory) I'm anxious to see if any data corruption issues result. If Samba had a way to fake oplocks for just a certain file type (mainly .SHP) it seems like that would be the ideal way to go. That would allow MapObjects to believe it had an exclusive on .SHP files -- which it really doesn't require -- and other file types including .MDB and .DBF to be excluded from oplocking altogether. John Nastasi -Original Message- From: David Collier-Brown -- Customer Engineering [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 11, 2003 9:00 AM To: Nastasi, John Cc: '[EMAIL PROTECTED]' Subject: Re: Samba Performance on Solaris 7/8 Nastasi, John wrote: Do you know if there are any issues with Samba running on Solaris that would cause the application to run very, very slow with oplocks turned off? No, and that's the kind of problem we should raise with the Samba team: I'm cc'ing this to them. Specifically, with oplocks turned on I get acceptable performance trying to open an MS-Access (Jet) database. The operation completes in no more than a minute or so. Turning off oplocks (as suggested repeatedly by many folks for multiple users accessing an MDB on a Samba share) completely hoses the same operation - 9 minutes to complete. We need to see what Samba's doing differently between the two cases. There are three places to look: 1) Samba logs, at log level = 3 or more 2) truss reports 3) packet dumps. I recommend them in roughly that order: I'm good at reading truss, and the team is real good at logs. I've tried the configuration on a Solaris 7 (Ent 4500) running Samba 2.0.10 and also on a Solaris 8 (V100) running Samba 2.2.7a - same result. I'm about to try the latest kernel patch to see if it could be an fcntl related issue, but was curious if you knew of anything else that could be causing the problem. Based upon what I've read - oplocks being turned off should help multi-user, MDB access performance. What I'm seeing, however, is just the opposite. Yes, specifically by avoiding transferring the whole file to the client and then transferring it back. Turning of oplocks **in principle should** cause the db to read only the records it wants to change, then writing them back. The times imply it's still transferring the whole file, which is utterly evil (;-)) Of course, using smb file locking as the mechanism to do database locking is brain-dead in the first place. Being able to do so is just a way of letting you try out a DBMS, get used to it and eventually buy the back-end DBMS and a server to put it on. --dave -- David Collier-Brown, | Always do right. This will gratify Sun Microsystems DCMO | some people and astonish the rest. Toronto, Ontario | (905) 415-2849 or x52849 | [EMAIL PROTECTED]
Re: Urgent: Cvs download has changed unexpectedly
Dave Collier-Brown wrote: 1) If I run cvs update -d :pserver:[EMAIL PROTECTED]:/cvsroot -P it returns No CVSROOT specified! Please use the `-d' option, which, you understand, I did (;-)) This also applies if I change the host from [EMAIL PROTECTED] to [EMAIL PROTECTED] --dave -- David Collier-Brown, | Always do right. This will gratify Sun Microsystems DCMO | some people and astonish the rest. Toronto, Ontario | (905) 415-2849 or x52849 | [EMAIL PROTECTED]
Re: Urgent: Cvs download has changed unexpectedly
I deleted the whole tree, changed the makefile to the new syntax, and it fails with the identical messages. The good news is that we documented pserver.samba.org in the second edition... the bad news is that I can't get it to work (;-)) --dave Tim Potter wrote: On Sun, Mar 09, 2003 at 02:13:17PM -0500, Dave Collier-Brown wrote: For that last few years, I've been using a makefile to download and build samba, based on the instructions in http://us1.samba.org/samba/cvs.html These are the same instructions that we put in Using Samba, and are unchanged in the second edition. The cvs.html file has probably changed since then, specifically it has been modified to split the anonymous cvs repository to pserver.samba.org and the writable cvs repository staying at cvs.samba.org. According to the CVS logs this split was done in October 2000. Alas, they now only cause diagnostics, at least three of which are bogus! 1) If I run cvs update -d :pserver:[EMAIL PROTECTED]:/cvsroot -P it returns No CVSROOT specified! Please use the `-d' option, which, you understand, I did (;-)) There are instructions for reparenting a cvs repository using some simple unix commands on the new cvs.html page. I'm sorry the new version of your book has the old information in it - that's a real bummer. )-: Tim. -- David Collier-Brown, | Always do right. This will gratify Sun Microsystems DCMO | some people and astonish the rest. Toronto, Ontario | (905) 415-2849 or x52849 | [EMAIL PROTECTED]
Re: [patch] Allow chown of directories from W2k domain clients
Andrew Furey wrote: Because I couldn't find it :( The closest I could come was #21 (listed in asm/errno.h), but I couldn't confirm it - whenever I tried to access the errno variable (by logging it) smbd would segfault :( My C is a bit (OK, a lot) rusty... I think you may have missed a #include errno.h which defines it specially. On Solaris, for example, errno is actually (*(___errno())), a function. --dave -- David Collier-Brown, | Always do right. This will gratify Sun Microsystems DCMO | some people and astonish the rest. Toronto, Ontario | (905) 415-2849 or x52849 | [EMAIL PROTECTED]
Re: Winbindd limited by select
Ken Cross wrote: #define FD_SETSIZE 2048 /* Max # of winbindd connections */ must occur before the first invocation of sys/types. This could be a build option, but it might be much simpler to hard-code it in local.h, which is what I did to fix it. Can somebody check the implications of this on Solaris, HPUX, etc.? On Solaris, compiled as a 32-bit app, the limit applies. Compiled as a 64-bit app, you can have as many FDs as you want. However, there is currently no good reason to build Samba as a 64-bit app: it doesn't need a bigger address space. --dave -- David Collier-Brown, | Always do right. This will gratify Sun Microsystems DCMO | some people and astonish the rest. Toronto, Ontario | (905) 415-2849 or x52849 | [EMAIL PROTECTED]
Re: password quality script aka --with-cracklib replacement
Martin Pool wrote: The PAM module might store previous passwords in a database (e.g. tdb) that it maintains. Every time a password is set, it gets put in there, with any other appropriate information (date?). When a new password-setting attempt is made, it checks against the history, plus other strength checks. Do we even need to save the decrypted password? A colleague once saved old encrypted passwords to allow the do they really know the old one test to be done via challange-response. --dave -- David Collier-Brown, | Always do right. This will gratify Sun Microsystems DCMO | some people and astonish the rest. Toronto, Ontario | (905) 415-2849 or x52849 | [EMAIL PROTECTED]
Re: password quality script aka --with-cracklib replacement
Andrew Bartlett wrote: or else your users change from password1 to password2 to password3 then back to password1. They sure do! I hate that... I spoke to my colleague, and he refreshed my memory about that part: we variously used crypt or an MD4 hash to encrypt passwords and stored the encrypted form in a lookup table of N elements per user. If someone changed their password, we encrypted it and looked to se if it was already there, and if not replaced the oldest stored copy. To avoid collisions with other people's passwords causing false positives, we generated a salt from the userid, and applied it as part of the encryption, but did not store the salt in the lookup table so you couldn't see it was salted deterninistically from just looking at the file. --dave -- David Collier-Brown, | Always do right. This will gratify Sun Microsystems DCMO | some people and astonish the rest. Toronto, Ontario | (905) 415-2849 or x52849 | [EMAIL PROTECTED]
Re: Solaris fcntl CPU/Lock update
On Mon, Feb 03, 2003 at 07:38:31AM -0800, Jeff Mandel wrote: Reading symbols from /usr/lib/libpthread.so.1...done. Loaded symbols for /usr/lib/libpthread.so.1 jra wrote: This is a much more interesting backtrace than the other. Why is smbd linking in pthread libraries ? smbd is *NOT* a threaded program. The library lsit on my Solaris 8 workstation is much shorter: $ pvs smbd libsocket.so.1 (SISCD_2.3); libnsl.so.1 (SUNW_0.7, SUNWprivate_1.1); libdl.so.1 (SISCD_2.3); libc.so.1 (SUNW_1.1); No pthread at all! --dave -- David Collier-Brown, | Always do right. This will gratify Sun Microsystems DCMO | some people and astonish the rest. Toronto, Ontario | (905) 415-2849 or x52849 | [EMAIL PROTECTED]
Re: Patch for solaris 2.x to provide nsswitch wins resolution
Steven Tamm wrote: Sorry if this is not the right forum, but the documents on the website kind of implied I should send this to the list. I needed to get wins resolution added on Solaris to nsswitch specifically for gethostbyname. The problem was that libnss_wins.so didn't include the solaris wrapper and that libnss_winbind.so didn't include gethostbyname. Here is a patch off of 2.2.7a that solves both issues (I'm not sure about the #if SUN). The predefined macros fron a Sun SC-series compilers are __sun __unix __SUNPRO_C=0x500 __sparc (SPARC) __sparcv9 (SPARC with -xarch=v9|v9a) __i386 (x86) __SVR4 Not that those are double leading underscores. From memory and a quick check on linux, GCC defines a partially overlapping set including __linux and __sun. --dave -- David Collier-Brown, | Always do right. This will gratify Sun Microsystems DCMO | some people and astonish the rest. Toronto, Ontario | (905) 415-2849 or x52849 | [EMAIL PROTECTED]
Re: Cannot get net ads join to work under Solaris 8
Andrew Bartlett wrote: Actually, we got confused - the function that Samba replaced, which I suspected could be a problem is 'timegm'. Either way, there is a but in there somewhere, as it doesn't work for a non-GMT timezone. Ok, timegm is obsoleted in the standard, but it's still supported on lots of systems, specifically including anything with the Gnu libc, but not in Solaris or the Apple BSD. It's the inverse of gmtime, defined as time_t timegm(struct tm *tm); and is perfectly useful in some specific cases, where one wants to turn a struct tm back into a time_t. The usual inverse is time_t mktime(struct tm *timeptr); (see http://www.opengroup.org/onlinepubs/007908799/xsh/mktime.html) and it looks like there is enough functionality to implement timegm. Older man pages disagree, but standards folks don't get to frivolously remove things we still need. If they were to try, my Evil Twin, David J. Brown, would spank them (:-)) --- The POSIX man page says: The original values of the tm_wday and tm_yday components of the structure are ignored, and the original values of the other components are not restricted to the ranges described in the time.h entry. A positive or 0 value for tm_isdst causes mktime() to presume initially that Daylight Savings Time, respectively, is or is not in effect for the specified time. A negative value for tm_isdst causes mktime() to attempt to determine whether Daylight Saving Time is in effect for the specified time. Local timezone information is set as though mktime() called tzset(). --- and the older man pages say: The functions mktime() and timegm() convert the broken-down time in the structure pointed to by tm into a time value with the same encoding as that of the values returned by the time(3) function (that is, seconds from the Epoch, UTC). mktime() interprets the input structure according to the current timezone setting (see tzset(3)). timegm() interprets the input structure as representing Universal Coordinated Time (UTC). --- The workaround is to set the time zone, as you did, but I suspect there's a better one: probably something like if ((x = mktime(timeptr) != -1)) x -= altzone; I'll ask My Smarter Colleagues[tm]. --dave -- David Collier-Brown, | Always do right. This will gratify Sun Microsystems DCMO | some people and astonish the rest. Toronto, Ontario | (905) 415-2849 or x52849 | [EMAIL PROTECTED]
Re: Cannot get net ads join to work under Solaris 8
Andrew Bartlett wrote: Well, it just means that we need to find a real replacement for gmtime(). Any chance you could have a look at that function, and see if you can figure out why the current replacement doesn't work? Huh? My Solaris box has gmtime and gmtime_r, the reentrant variant. In principle, gmtime creates a struct tm, in Coordinated Universal Time (UTC), just as if you called localtime when machine was set to GMT. --dave -- David Collier-Brown, | Always do right. This will gratify Sun Microsystems DCMO | some people and astonish the rest. Toronto, Ontario | (905) 415-2849 or x52849 | [EMAIL PROTECTED]
WinXP_PlainPassword.reg
I know folks dislike the plain password hack, but Unix sites who don't trust their authentication to and NT server still use these, deficiencies and all. So: here's an XP .reg file, same as the w2k reg file, to go in the docs/Registry directory, as created by regedit. Can you check it out and publish it, please? --dave -- David Collier-Brown, | Always do right. This will gratify Sun Microsystems DCMO | some people and astonish the rest. Toronto, Ontario | (905) 415-2849 or x52849 | [EMAIL PROTECTED] WinXP_PlainPassword.reg Description: Binary data
Re: [Samba] Re: How Samba let us down
Steve Langasek wrote: If oplock support is disabled, yes, you can expect two Samba installations to play nicely with locks on the same set of files. If oplocking is enabled, it might also be possible to make them behave, though this would at least require some symlink magic. There are also some sharable filesystems that could result in two sambae sharing the same files: supposedy my employer sells one (:-)) --dave -- David Collier-Brown, | Always do right. This will gratify DMCO's MTEC team in Toronto| some people and astonish the rest. Formerly Opcom, ACE and SIS. | (905) 415-2849 or x52849 | [EMAIL PROTECTED]