[Samba] Samba compatibility with NetAPP filers.
Hey,

I've read this thread and I have the same problem. I've checked it with 3.0.4 and 3.0.10 (downloading now 3.0.20 for the check). I've checked it with OnTap: 6.5.1.

NetApp side log - o.k. with this output:

    Sat Sep 10 23:22:40 IDT [Auth01:info]: Login attempt by GROUP\username from XXX(xxx.xxx.xxx.xxx)
    Sat Sep 10 23:22:40 IDT [Auth01:info]: Attempting authentication with DC \\DC_SERVER
    Sat Sep 10 23:22:41 IDT [Auth01:info]: User authenticated by DC
    Sat Sep 10 23:22:41 IDT [Auth01:info]: Attempting to map PC user name to UNIX user username
    Sat Sep 10 23:22:41 IDT [Auth01:info]: User's CIFS home directory is set to /vol/vol0/home/username
    Sat Sep 10 23:22:41 IDT [Auth01:info]: Unix user changed to root by wafl.nt_admin_priv_map_to_root
    Sat Sep 10 23:22:41 IDT [Auth01:info]: Login accepted

and that is o.k. for all users, including windows standard access, while smbclient gave:

    # /usr/bin/smbclient '\\filer.domain.name\public' 'PASS' -d 3 -U username -W DC
    lp_load: refreshing parameters
    Initialising global parameters
    params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
    Processing section [global]
    added interface ip=xxx.xxx.xxx.xxx bcast=xxx.xxx.xxx.xxx nmask=255.255.255.0
    Client started (version 3.0.4-SUSE).
    Connecting to xxx.xxx.xxx.xxx at port 445
    Doing spnego session setup (blob length=93)
    got OID=1 2 840 48018 1 2 2
    got OID=1 3 6 1 4 1 311 2 2 10
    got [EMAIL PROTECTED]
    Got challenge flags:
    Got NTLMSSP neg_flags=0x00890205
    NTLMSSP: Set final flags:
    Got NTLMSSP neg_flags=0x00080215
    NTLMSSP Sign/Seal - Initialising with flags:
    Got NTLMSSP neg_flags=0x00080215
    spnego_parse_auth_response failed at 9
    Failed to parse auth response
    SPNEGO login failed: Unexpected information received
    session setup failed: SUCCESS - 0

BTW - Jeremy, if needed you may get a NetApp_OnTap_Filer_emulator on now.netapp.com - look there - if not found please contact me.
-- Yair Yair Rajwan -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] settings for control panel of Windows clients
Hello,

can I write logon scripts to do settings for the control panel of Windows NT/XP clients with samba as a PDC? Perhaps I can get some information about logon scripts for samba/ldap.

many thanks and best regards
Andreas
Re: [Samba] Attempt to bind using schannel without successful serverauth2 in 3.0.20 logs
Jeremy Allison wrote:

> > [2005/09/10 10:15:56, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(981)
> >   Attempt to bind using schannel without successful serverauth2
[...]
> > This is on a 3.0.20 (with patches) PDC.
[...]
> Right now it's informative - I'd like to see the traffic that is causing
> it though. Can you get me an ethereal trace please ?

Here this message is generated after joining a (XP SP2) client to the 3.0.20 PDC. After the restart (after joining) and the first access to the domain (choosing not the local machine but the domain for login) I have a very, very long delay (2 minutes or more?) on the XP client with the message window

    Erstelle Domain Suchliste (creating domain search list)

and in the end the error message in the samba log:

    [2005/09/01 19:15:05.972914, 0, pid=26410] rpc_server/srv_pipe.c:api_pipe_bind_req(981)
      Attempt to bind using schannel without successful serverauth2

der tom
[Samba] Error 1326 Connecting from Windows XP
I am using Samba 3.0.13-1.1 which I installed as part of installing Suse 9.3. I started working my way through the Samba manual and set up the following simple configuration file:

    [general]
    workgroup = TUX-NET

    [homes]
    guest ok = no
    read only = no

I was then able to successfully connect from another Linux client also running Suse 9.3. However, when I moved to my Windows client, I received the following error when I used

    net use z: \\fragbox\cj user:cj pippin

    System error 1240 - The account is not authorized to log in from this station.

I did some googling and found some Microsoft postings which indicated that this was related to encryption or not having guest enabled. So I changed my configuration to the following

    [general]
    workgroup = TUX-NET
    encrypt passwords = yes

    [homes]
    guest ok = yes
    read only = no

Now I get the following error:

    System error 1326 has occurred.
    Logon failure: unknown user name or bad password.

Also, with encryption on, my test from the Linux client also fails.

Several other points. I do have a user account on my Samba server (fragbox) with the user name cj and the password pippin. Also, I did change my work group name on Microsoft to TUX-NET and I see TUX-NET when I use the Microsoft browse facility. I have looked at the two logs under /var/log/samba and there is no message in the logs when I initiate anything from the Windows side.

I have used Samba successfully a couple of years ago but only with unencrypted passwords. Given the concerns about security, I do not want to resort to that again. We are proposing to replace an old Novell server with a new Linux server at a non-profit agency. So I need to verify that this will really work before I recommend that they make such a move. Please note that this is all volunteer and not for profit on my part.

Thanks,
Cindy Jeness
Re: [Samba] Error 1326 Connecting from Windows XP
On Sun, 2005-09-11 at 08:40 -0400, Cynthia Jeness wrote:

> I am using Samba 3.0.13-1.1 which I installed as part of installing Suse 9.3. I started working my way through the Samba manual and set up the following simple configuration file:
>
>     [general]
>     workgroup = TUX-NET
>
>     [homes]
>     guest ok = no
>     read only = no
>
> I was then able to successfully connect from another Linux client also running Suse 9.3. However, when I moved to my Windows client, I received the following error when I used
>
>     net use z: \\fragbox\cj user:cj pippin
>
>     System error 1240 - The account is not authorized to log in from this station.
>
> I did some googling and found some Microsoft postings which indicated that this was related to encryption or not having guest enabled. So I changed my configuration to the following
>
>     [general]
>     workgroup = TUX-NET
>     encrypt passwords = yes
>
>     [homes]
>     guest ok = yes
>     read only = no
>
> Now I get the following error:
>
>     System error 1326 has occurred.
>     Logon failure: unknown user name or bad password.
>
> Also, with encryption on, my test from the Linux client also fails.
>
> Several other points. I do have a user account on my Samba server (fragbox) with the user name cj and the password pippin. Also, I did change my work group name on Microsoft to TUX-NET and I see TUX-NET when I use the Microsoft browse facility. I have looked at the two logs under /var/log/samba and there is no message in the logs when I initiate anything from the Windows side.
>
> I have used Samba successfully a couple of years ago but only with unencrypted passwords. Given the concerns about security, I do not want to resort to that again. We are proposing to replace an old Novell server with a new Linux server at a non-profit agency. So I need to verify that this will really work before I recommend that they make such a move. Please note that this is all volunteer and not for profit on my part.

Yes - it works

Samba has excellent documentation http://www.samba.org/samba/docs/

I would suggest that you look at Samba by Example and find an example that most represents yours.

man smb.conf

    map to guest (G)

    This parameter is only useful in security modes other than security = share - i.e. user, server, and domain.

    This parameter can take three different values, which tell smbd(8) what to do with user login requests that don’t match a valid UNIX user in some way.

    The three settings are :

    · Never - Means user login requests with an invalid password are rejected. This is the default.

    · Bad User - Means user logins with an invalid password are rejected, unless the username does not exist, in which case it is treated as a guest login and mapped into the guest account.

    · Bad Password - Means user logins with an invalid password are treated as a guest login and mapped into the guest account. Note that this can cause problems as it means that any user incorrectly typing their password will be silently logged on as guest - and will not know the reason they cannot access files they think they should - there will have been no message given to them that they got their password wrong. Helpdesk services will hate you if you set the map to guest parameter this way :-).

    Note that this parameter is needed to set up Guest share services when using security modes other than share. This is because in these modes the name of the resource being requested is not sent to the server until after the server has successfully authenticated the client so the server cannot make authentication decisions at the correct time (connection to the share) for Guest shares.

    For people familiar with the older Samba releases, this parameter maps to the old compile-time setting of the GUEST_SESSSETUP value in local.h.

    Default: map to guest = Never

    Example: map to guest = Bad User
Re: [Samba] Error 1326 Connecting from Windows XP
Cynthia Jeness wrote:

...
> encrypt passwords = yes
...
> Also, with encryption on, my test from the Linux client also fails.
>
> Several other points. I do have a user account on my Samba server (fragbox) with the user name cj and the password pippin.

You must add the password to the smbpasswd file (as root) on the server:

    smbpasswd -a cj

Mogens

--
Mogens Kjaer, Carlsberg A/S, Computer Department
Gamle Carlsberg Vej 10, DK-2500 Valby, Denmark
Phone: +45 33 27 53 25, Fax: +45 33 27 47 08
Email: [EMAIL PROTECTED]
Homepage: http://www.crc.dk
[Samba] Problem with winbind on Samba PDC after 3.0.20
Hi,

I'm using winbind to authenticate squid proxy users via ntlm_auth. Squid, samba and winbind run on the same server. The server is PDC and a member of the domain. After updating samba from 3.0.14a to 3.0.20, ntlm_auth does not work. Also wbinfo gives an error:

    # wbinfo -t
    checking the trust secret via RPC calls failed
    error code was NT_STATUS_ACCESS_DENIED (0xc022)
    Could not check secret

winbind log (winbindd -S -F -i -d 4):

    cm_get_ipc_userpass: No auth-user defined
    Serverzone is -14400
    Using cleartext machine password
    cli_net_req_chal: LSA Request Challenge from SERVER to \\SERVER
    cred_session_key
    cred_create
    cli_net_auth2: srv:\\SERVER acct:WORKGROUP$ sc:6 mc: SERVER neg: 400701ff
    could not open handle to NETLOGON pipe
    Checking the trust account password returned NT_STATUS_ACCESS_DENIED

But if I run winbind with a custom config:

# diff -u smb.conf wb.conf --- smb.confSun Sep 11 20:03:54 2005 +++ wb.conf Sun Sep 11 20:04:08 2005 
@@ -8,7 +8,7 @@ display charset = KOI8-R dos charset = 866 winbind use default domain = yes -domain logons = yes +domain logons = no

it works fine for me:

    # wbinfo -t
    checking the trust secret via RPC calls succeeded

winbind log (winbindd -S -F -i -d 4 -s wb.conf):

    cm_get_ipc_userpass: No auth-user defined
    Serverzone is -14400
    lsa_io_sec_qos: length c does not match size 8
    [0]: request interface version
    [0]: request location of privileged pipe
    [0]: check machine account
    child daemon request 26
    [31109]: check machine account
    cm_get_ipc_userpass: No auth-user defined
    Using cleartext machine password
    cli_net_req_chal: LSA Request Challenge from SERVER to \\SERVER
    cred_session_key
    cred_create
    cli_net_auth2: srv:\\SERVER acct:SERVER$ sc:6 mc: SERVER neg: 400701ff
    cred_create
    cred_assert
    secret is good

Tell me please: is it a bug or a feature?

smb.conf:

    [global]
    workgroup = WORKGROUP
    admin users = tiamat
    guest account = guest
    log file = /var/log/samba/%m.log
    security = user
    encrypt passwords = yes
    unix charset = KOI8-R
    display charset = KOI8-R
    dos charset = 866
    winbind use default domain = yes
    domain logons = yes

    [homes]
    browseable = no
    writeable = yes
    valid users = %S

    [netlogon]
    path = /home/samba/netlogon
    browseable = no

Server joined into domain with:

    # net join -U tiamat
    Password:
    Joined domain WORKGROUP.

Thanks a lot!

--
Alex Deiter
Re: [Samba] Error 1326 Connecting from Windows XP
Thank-you. This solved my immediate problem under both Linux and Windows. As I said in my post, I am working my way through the documentation and got stuck on the section that had you test the installation (Chapter 1 page 5-6). This section did not address the encryption problem which will obviously show up when anyone tries to test their installation under Windows. It did list some common problems but not encryption. This is not meant to be a criticism; I greatly appreciate the effort that has been put into all aspects of the Samba project.

Cindy Jeness

Mogens Kjaer wrote:

> Cynthia Jeness wrote:
>
> ...
> > encrypt passwords = yes
> ...
> > Also, with encryption on, my test from the Linux client also fails.
> >
> > Several other points. I do have a user account on my Samba server (fragbox) with the user name cj and the password pippin.
>
> You must add the password to the smbpasswd file (as root) on the server:
>
>     smbpasswd -a cj
>
> Mogens
Re: [Samba] Attempt to bind using schannel without successful serverauth2 in 3.0.20 logs
On Sun, Sep 11, 2005 at 03:20:18PM +0200, Thomas Bork wrote:

> Jeremy Allison wrote:
>
> > > [2005/09/10 10:15:56, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(981)
> > >   Attempt to bind using schannel without successful serverauth2
> [...]
> > > This is on a 3.0.20 (with patches) PDC.
> [...]
> > Right now it's informative - I'd like to see the traffic that is causing
> > it though. Can you get me an ethereal trace please ?
>
> Here this message is generated after joining a (XP SP2) client to the 3.0.20 PDC. After the restart (after joining) and the first access to the domain (choosing not the local machine but the domain for login) I have a very, very long delay (2 minutes or more?) on the XP client with the message window
>
>     Erstelle Domain Suchliste (creating domain search list)
>
> and in the end the error message in the samba log:
>
>     [2005/09/01 19:15:05.972914, 0, pid=26410] rpc_server/srv_pipe.c:api_pipe_bind_req(981)
>       Attempt to bind using schannel without successful serverauth2

Ok - it's the ethereal trace of that particular step that I need to see to make sure this is fixed.

Thanks,
Jeremy.
Re: [Samba] Attempt to bind using schannel without successful serverauth2 in 3.0.20 logs
On Sun, Sep 11, 2005 at 12:37:30AM -0400, Chris wrote:

> On Saturday 10 September 2005 03:55 pm, Jeremy Allison wrote:
>
> > On Sat, Sep 10, 2005 at 11:30:53AM -0400, Chris wrote:
> >
> > > Samba logs show many of these:
> > >
> > >     [2005/09/10 10:15:56, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(981)
> > >       Attempt to bind using schannel without successful serverauth2
> > >     [2005/09/10 10:26:04, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(981)
> > >       Attempt to bind using schannel without successful serverauth2
> > >     [2005/09/10 11:26:01, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(981)
> > >       Attempt to bind using schannel without successful serverauth2
> > >
> > > This is on a 3.0.20 (with patches) PDC. Anyone know what can cause this message? Is it just informative or does something need to be fixed?
> >
> > Right now it's informative - I'd like to see the traffic that is causing it though. Can you get me an ethereal trace please ?
>
> Jeremy,
>
> Attached is an ethereal trace, I believe a few of the errors are in there but I'm new to using the tool (actually was a tethereal capture) and there was little traffic going on at the time. Let me know if you need anything else.

Very interesting capture, thanks. The interesting frames are around frame 137. It's a new session setup between 192.168.1.8 and 192.168.1.4, followed by a pipe open of \NETLOGON, followed by a schannel setup bind request from what appears to be a completely new TCP connection set up at frames 134-136 (SYN, SYN-ACK, ACK).

The previous TCP connection (between machines 192.168.1.8 and 192.168.1.4) was dropped at frames 46 and 47 (the FIN and the FIN-ACK). The server 192.168.1.4 seems to be dropping the connection here after 60 seconds of inactivity, probably because the client has released all resources.

The client (having received the bind failure) then correctly re-sets up with an auth2 request response negotiation.

Looks like in the Windows world the client expects the schannel state setup to be persistent per-machine across connections. It doesn't seem to hurt the client if it isn't though, as it just re-authenticates the connection.

I'm starting to think the correct fix is just to raise the debug level of the message in smbd so that people don't get worried by it - it seems to be part of normal operation and I really don't want to have to create a persistent cache across smbd's for this state :-).

The other interesting test would be to set the server deadtime to zero (the default) - what do you have it set to in your smb.conf ?

Thanks,
Jeremy.
Re: [Samba] Attempt to bind using schannel without successful serverauth2 in 3.0.20 logs
On Sun, Sep 11, 2005 at 11:53:19AM -0700, Jeremy Allison wrote:

> The other interesting test would be to set the server deadtime to zero (the default) - what do you have it set to in your smb.conf ?

Actually scratch that - it's hitting the auto disconnect if the client has no resources open (which is 60 seconds). deadtime has nothing to do with this.

Jeremy
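The log pattern discussed in this thread, as an added example that is not part of any post or of Samba itself: a Python parser that pulls the "Attempt to bind using schannel without successful serverauth2" entries out of an smbd log in both header formats quoted above and measures the time between them. The sample log is constructed from the lines quoted in the thread plus one made-up unrelated entry, and comparing gaps against the 60-second idle disconnect is a triage assumption, not a rule stated in the thread.

```python
import re
from datetime import datetime

# smbd writes a header line, then the message on the following line(s).
# Both header shapes quoted in the thread are accepted:
#   [2005/09/10 10:15:56, 0] file.c:function(line)
#   [2005/09/01 19:15:05.972914, 0, pid=26410] file.c:function(line)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,"
    r"\s*(?P<level>\d+)(?:,\s*pid=(?P<pid>\d+))?[^\]]*\]\s+(?P<where>\S+)\s*$"
)
MESSAGE = "Attempt to bind using schannel without successful serverauth2"

# Idle disconnect interval mentioned in the thread, in seconds.
IDLE_DISCONNECT_SECONDS = 60

# Constructed sample: the four entries quoted in the thread, plus one
# invented unrelated entry (example/file.c) that the parser must skip.
SAMPLE_LOG = """\
[2005/09/10 10:15:56, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(981)
  Attempt to bind using schannel without successful serverauth2
[2005/09/10 10:20:00, 1] example/file.c:example_function(1)
  constructed unrelated entry
[2005/09/10 10:26:04, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(981)
  Attempt to bind using schannel without successful serverauth2
[2005/09/10 11:26:01, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(981)
  Attempt to bind using schannel without successful serverauth2
[2005/09/01 19:15:05.972914, 0, pid=26410] rpc_server/srv_pipe.c:api_pipe_bind_req(981)
  Attempt to bind using schannel without successful serverauth2
"""


def schannel_bind_events(text):
    """Return the schannel bind entries in `text`, oldest first."""
    events = []
    header = None
    for line in text.splitlines():
        match = HEADER.match(line)
        if match:
            header = match          # remember the most recent header
            continue
        if header is not None and MESSAGE in line:
            pid = header.group("pid")
            events.append({
                "time": datetime.strptime(header.group("ts"), "%Y/%m/%d %H:%M:%S"),
                "level": int(header.group("level")),
                "pid": int(pid) if pid else None,
                "where": header.group("where"),
            })
            header = None           # one event per header
    return sorted(events, key=lambda e: e["time"])


def gaps_seconds(events):
    """Whole seconds between each event and the one before it."""
    return [
        int((later["time"] - earlier["time"]).total_seconds())
        for earlier, later in zip(events, events[1:])
    ]


def faster_than_idle(events, limit=IDLE_DISCONNECT_SECONDS):
    """Pairs of consecutive events closer together than `limit` seconds.

    Assumption: in a log for a single client, repeats that arrive faster
    than the idle disconnect are the ones to look at in a packet capture.
    """
    return [
        (earlier["time"], later["time"])
        for earlier, later in zip(events, events[1:])
        if (later["time"] - earlier["time"]).total_seconds() < limit
    ]


if __name__ == "__main__":
    found = schannel_bind_events(SAMPLE_LOG)
    for event, gap in zip(found, [None] + gaps_seconds(found)):
        print(event["time"], event["pid"], event["where"], gap)
    print("closer than idle disconnect:", faster_than_idle(found))
```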
[Samba] CUPS-based printing
Hi!

Ok, I'm running LFS 6.0 with Samba 3.0.14a and CUPS 1.1.23. My question is, how do I install the postscript drivers for automatic download when a windoze client connects to the printer? I've done everything I can think of (or find on the 'net), but still I get an error message saying:

    The server for the 'Laser' printer does not have the correct printer driver installed

HELP!!!

--
Paul
[Samba] Samba+LDAP+IdealX - Can't add to domain
Hello,

I am running Samba 3.0.14a under Debian Sarge with a LDAP backend (OpenLDAP) following the IdealX guide. I am using smbldap-tools, too. Everything seems to work fine, except when I try a machine to join the domain: Windows XP SP2 says it cannot find the user. I have tried joining the domain with a domain user account and with a domain administrator account, but it does not work anyway.

BTW, the name of the administrator account is not manager but administrator, but I changed it everywhere, as stated in the smbldap-tools manual.
Re: [Samba] CUPS-based printing
Paul Simpson wrote:

> Hi!
>
> Ok, I'm running LFS 6.0 with Samba 3.0.14a and CUPS 1.1.23. My question is, how do I install the postscript drivers for automatic download when a windoze client connects to the printer? I've done everything I can think of (or find on the 'net), but still I get an error message saying:
>
>     The server for the 'Laser' printer does not have the correct printer driver installed

I copy/paste the answer I gave a couple of days ago:

try to do it like this:

2) configure your CUPS printer, make sure your server can print on that printer

1) put PostScript drivers into /usr/share/cups/drivers:

    ps5ui.dll
    pscript5.dll
    pscript.hlp
    pscript.ntf

These four files you will find on every Windows XP workstation.

2) configure your CUPS printer, make sure your server can print on that printer

3) when printer works, reload (or restart) Samba - it has to be aware of new printers:

    /etc/init.d/smb reload (or restart)

4) finally, add cups drivers to a given printer:

    # cupsaddsmb -U Administrator -a -v

where Administrator is the domain admin. You will be prompted for a password, and after supplying one, the drivers will be attached to a given printer.

5) right click on the printer from the server, and choose Connect. the drivers will be downloaded from the workstation to the server automatically.

You can do it also in startup scripts - so you don't even need to touch any workstation, and can do everything remotely:

This one has to be executed as Administrator or SYSTEM - you can use WPKG for that :)

    rundll32 printui.dll,PrintUIEntry /q /y /ga /in /n \\server\kyocera

And once again, as a user netlogon script:

    rundll32 printui.dll,PrintUIEntry /q /y /ga /in /n \\server\kyocera

That's because the normal user has no permission to set a new printer, unless it's first installed on the workstation by someone with appropriate privileges.

--
Tomek
http://wpkg.org
Re: [Samba] Samba+LDAP+IdealX - Can't add to domain
Pau Garcia i Quiles wrote:

> Hello,
>
> I am running Samba 3.0.14a under Debian Sarge with a LDAP backend (OpenLDAP) following the IdealX guide. I am using smbldap-tools, too. Everything seems to work fine, except when I try a machine to join the domain: Windows XP SP2 says it cannot find the user. I have tried joining the domain with a domain user account and with a domain administrator account, but it does not work anyway.

it should be the domain admin account, not the user.

try the following:

1) set the log level to 3 and see the logs for a given machinename when you are adding it

2) use the add machine script from the command line (smbldap-useradd -w testname$), and see if it gets added (getent passwd; it should be at the end)

--
Tomek
http://wpkg.org
[Samba] Error Code -36
I'm running OS X 10.3.9/Samba 3.0.10. When I try to connect to my Windows 2000 machine from my user account, I enter the correct workgroup/user/password and then get the message 'The Finder cannot complete the operation because some data in smb://machinename could not be read or written. (Error code -36).' (Error code -36 in OS X is I/O error (bummers).)

I can connect fine to the Windows machine with the same workgroup/user/password from another user account on the same OS X machine. From both user accounts, the Windows machine shows up when I run smbtree.

When attempting the connection, I get the following in console.log:

    mount_smbfs: session setup phase failed: syserr = Permission denied
    mount_smbfs: could not login to server MACHINENAME: syserr = Permission denied
    mount_smbfs: session setup phase failed: syserr = Socket is not connected
    mount_smbfs: could not login to server MACHINENAME: syserr = Socket is not connected

The first two lines show up in the log when the SMB/CIFS Filesystem Authentication window first pops up, before I've even typed anything. The second two lines show up after I click OK in the authentication dialog.

I used svn to get the source from the SAMBA_3_0_RELEASE branch, but couldn't find the string session setup phase failed in any of the files.

I'm not really sure where to go next in troubleshooting. I'd certainly appreciate any tips.
[Samba] Re: not seeing windows XP
On Fri, 09 Sep 2005 01:04:40 -0400, Justin Allen wrote:

> I had some similar problems with my samba setup with XP Pro machines. The fix that I found was to disable the computer browser service on the XP Pro machines to prevent them from taking over the master browser role from the samba server and force the samba server to be master browser through the smb.conf file. Also I made my samba server into a WINS server and pointed the XP machines to that although I am not sure if this step is required. More than likely the problem is that you have 2 master browsers on the network so if you disable the computer browser service on the other 2 machines then that will likely fix the problem.
>
> Hope this helps,
> Justin

Ahh, thank you for replying. I did find the problem and came back to reply to myself in case someone else was searching the archives with the same problem. So now they have two possible solutions!

This problem was partly political. The user in this case did not have either virus checkers or spybot checkers and as soon as I laid down the law, and downloaded a free virus checker (and got rid of 6, plus umpteen spybots,) the problem was miraculously fixed.

Now all I have to do is, stop the nightmares about wondering what on earth was happening on his computer that he didn't know about. I wonder how much incidental spam was sent out by his computer while these nasties were infecting his computer. Talk about a Xmas tree for malicious hackers!

Shelagh
[Samba] problem with Samba upgrade
> > Recently I've upgraded our Samba installation.
> ...
> From what version of samba to what version of samba?
>
> Mogens
>
> --
> Mogens Kjaer, Carlsberg A/S, Computer Department
> Gamle Carlsberg Vej 10, DK-2500 Valby, Denmark
> Phone: +45 33 27 53 25, Fax: +45 33 27 47 08
> Email: mk at crc.dk
> Homepage: http://www.crc.dk

Dear Sir,

I must apologize for not supplying enough information. Here they are:

1. I was upgrading from v3.0.6 to v3.0.20.
2. configure --prefix=, make, and make install were all successful.
3. Then I copied the old samba/private/smbpasswd to /private/ and invoked nmbd -D and smbd -D.
4. There was no problem with Win9x/ME workstations. But users could not logon from WinXP workstations.
5. Then I killed nmbd and smbd, obtained the old SID from the old installation, and set the new SID to this, and invoked nmbd -D, smbd -D again.
6. However, the situation remained the same.

Our smb.conf file is shown below:

[global] netbios name = server string = Samba server workgroup = SMBDomain ; guest ok = no ; hosts allow = xxx.xxx.xxx. localhost hosts deny = ALL EXCEPT xxx.xxx.xxx. 
localhost bind interfaces only = yes ; log file = /var/log.%I max log size = 700 debug timestamp = yes syslog = 1 syslog only = no ; browseable = no browse list = no local master = yes preferred master = yes domain master = yes os level = 999 ; follow symlinks = yes wide links = no ; wide links = yes hide dot files = yes ; map archive = no map system = no map hidden = no create mask = 0600 directory mask = 0700 delete readonly = no ; valid users = root, nobody, @some_groups, some_users security = user ; encrypt passwords = yes unix password sync = yes passwd chat = *new*password* %n\n *re*enter*password* %n\n *password*changed* passwd chat debug = yes update encrypted = yes ; domain logons = yes ; logon script = logon.bat logon path = \\%L\Profiles\%u logon drive = F: ; load printers = yes printcap name = /etc/printcap ; ; dns proxy = no ; socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 time server = yes [netlogon] path = read only = yes [homes] read only = no create mask = 0604 directory mask = 0701 [Profiles] path = read only = no create mask = 0604 directory mask = 0701
svn commit: lorikeet r468 - in trunk/heimdal/lib/gssapi: .
Author: abartlet
Date: 2005-09-11 09:26:55 + (Sun, 11 Sep 2005)
New Revision: 468

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=lorikeetrev=468

Log:
This patch adds a new function:

    OM_uint32 gsskrb5_wrap_size (
        OM_uint32 * /*minor_status*/,
        const gss_ctx_id_t /*context_handle*/,
        int /*conf_req_flag*/,
        gss_qop_t /*qop_req*/,
        OM_uint32 /*req_input_size*/,
        OM_uint32 * /*output_size*/
    );

This tells the caller what the wrapped size would be, given an input size. From there, I can tell what the 'signature' portion would be, as well as correctly filling in the length in the DCE/RPC header.

My testing so far has been on AES and ARCFOUR over DCE/RPC, where this seems to match up with the results of the actual sealing.

I've posted it to the samba-technical and heimdal-discuss lists, but I'm still happy to get comments on this patch. (as well as any hints towards any testing setup that may already exist for the size_limit function).

I have renamed it from gss_wrap_size(), as it was correctly pointed out that mechs other than krb5 may not provide such a simple link.

Andrew Bartlett

Modified:
    trunk/heimdal/lib/gssapi/arcfour.c
    trunk/heimdal/lib/gssapi/arcfour.h
    trunk/heimdal/lib/gssapi/cfx.c
    trunk/heimdal/lib/gssapi/cfx.h
    trunk/heimdal/lib/gssapi/gssapi.h
    trunk/heimdal/lib/gssapi/wrap.c

Changeset:
Sorry, the patch is too large (337 lines) to include; please use WebSVN to see it!
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=lorikeetrev=468
svn commit: samba r10153 - in branches/SAMBA_4_0/source: auth/gensec auth/ntlmssp heimdal/lib/gssapi librpc/rpc rpc_server
Author: abartlet
Date: 2005-09-11 11:19:02 + (Sun, 11 Sep 2005)
New Revision: 10153

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=10153

Log:
This patch adds a new parameter to gensec_sig_size(), the size of the data to be signed/sealed. We can use this to split the data from the signature portion of the resultant wrapped packet.

This required merging the gsskrb5_wrap_size patch from lorikeet-heimdal, and fixes AES encryption issues on DCE/RPC (we no longer use a static 45 byte value).

This fixes one of the krb5 issues in my list.

Andrew Bartlett

Modified:
    branches/SAMBA_4_0/source/auth/gensec/gensec.c
    branches/SAMBA_4_0/source/auth/gensec/gensec.h
    branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c
    branches/SAMBA_4_0/source/auth/gensec/schannel.c
    branches/SAMBA_4_0/source/auth/gensec/spnego.c
    branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp_sign.c
    branches/SAMBA_4_0/source/heimdal/lib/gssapi/arcfour.c
    branches/SAMBA_4_0/source/heimdal/lib/gssapi/arcfour.h
    branches/SAMBA_4_0/source/heimdal/lib/gssapi/cfx.c
    branches/SAMBA_4_0/source/heimdal/lib/gssapi/cfx.h
    branches/SAMBA_4_0/source/heimdal/lib/gssapi/gssapi.h
    branches/SAMBA_4_0/source/heimdal/lib/gssapi/wrap.c
    branches/SAMBA_4_0/source/librpc/rpc/dcerpc.c
    branches/SAMBA_4_0/source/rpc_server/dcesrv_auth.c

Changeset:
Sorry, the patch is too large (595 lines) to include; please use WebSVN to see it!
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=10153
svn commit: samba-docs r813 - in trunk/manpages-3: .
Author: jht
Date: 2005-09-11 20:26:46 + (Sun, 11 Sep 2005)
New Revision: 813

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=samba-docsrev=813

Log:
Fix typo.

Modified:
    trunk/manpages-3/smb.conf.5.xml

Changeset:
Modified: trunk/manpages-3/smb.conf.5.xml === --- trunk/manpages-3/smb.conf.5.xml 2005-09-09 06:52:15 UTC (rev 812) +++ trunk/manpages-3/smb.conf.5.xml 2005-09-11 20:26:46 UTC (rev 813) @@ -116,7 +116,7 @@ smbconfblock smbconfsection name=[foo]/ smbconfoption name=path/home/bar/smbconfoption - smbconfoption name=read onlyread only = no/smbconfoption + smbconfoption name=read onlyno/smbconfoption /smbconfblock para
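Review bot: "Fix typo." in the log does not say what was wrong with the changed smbconfoption line for read only: the old body repeated the option name ("read only = no") while the path option just above it carries only its value, so this is a content correction to the [foo] example rather than a spelling change. Say that in the log, and check the other smbconfoption elements in smb.conf.5.xml for the same name-in-body pattern.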
svn commit: samba r10154 - branches/SAMBA_3_0/source/printing trunk/source/printing
Author: gd Date: 2005-09-11 20:53:21 + (Sun, 11 Sep 2005) New Revision: 10154 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=10154 Log: Fix crash bug on security descriptor upgrade (as seen on x86_64). Guenther Modified: branches/SAMBA_3_0/source/printing/nt_printing.c trunk/source/printing/nt_printing.c Changeset: Modified: branches/SAMBA_3_0/source/printing/nt_printing.c === --- branches/SAMBA_3_0/source/printing/nt_printing.c2005-09-11 11:19:02 UTC (rev 10153) +++ branches/SAMBA_3_0/source/printing/nt_printing.c2005-09-11 20:53:21 UTC (rev 10154) @@ -342,7 +342,8 @@ SEC_DESC *sec, *new_sec; TALLOC_CTX *ctx = state; int result, i; - uint32 sd_size, size_new_sec; + uint32 sd_size; + size_t size_new_sec; DOM_SID sid; if (!data.dptr || data.dsize == 0) Modified: trunk/source/printing/nt_printing.c === --- trunk/source/printing/nt_printing.c 2005-09-11 11:19:02 UTC (rev 10153) +++ trunk/source/printing/nt_printing.c 2005-09-11 20:53:21 UTC (rev 10154) @@ -342,7 +342,8 @@ SEC_DESC *sec, *new_sec; TALLOC_CTX *ctx = state; int result, i; - uint32 sd_size, size_new_sec; + uint32 sd_size; + size_t size_new_sec; DOM_SID sid; if (!data.dptr || data.dsize == 0)
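Review bot: the declaration change widens size_new_sec to size_t but leaves sd_size as uint32, and the log message does not say which call needed the wider type. A crash that shows up only on x86_64 suggests &size_new_sec is handed to a function that writes a size_t through the pointer, which overruns a 4-byte uint32 on that platform; if sd_size is passed by pointer anywhere in the same way, it needs the same treatment. Please name the callee in the log message and check that size_new_sec is not later assigned back into a uint32 field without a range check. The same hunk is applied to branches/SAMBA_3_0 and to trunk, so this applies to both files.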
Re: svn commit: samba r10119 - in trunk/source: auth include libads libsmb nsswitch passdb rpc_client rpc_parse rpc_server rpcclient smbd utils
[EMAIL PROTECTED] wrote: | Author: jra | Date: 2005-09-09 17:39:09 + (Fri, 09 Sep 2005) | New Revision: 10119 | | WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=10119 | | Log: | Ok, I'm being really evil here. The RPC rewrite is finished, but needs | testing. I could leave it in my tree and test, but if I do that it will | never get enough testing. By moving it over into HEAD, I make it everyone | else's problem :-). Hey - at least it compiles ! Be thankful for small | mercies :-). ok. Please fix domain logons so I can continue to work on the service control stuff :-) cheers, jerry
Build status as of Mon Sep 12 00:00:02 2005
URL: http://build.samba.org/ --- /home/build/master/cache/broken_results.txt.old 2005-09-11 00:00:12.0 + +++ /home/build/master/cache/broken_results.txt 2005-09-12 00:00:10.0 + @@ -1,17 +1,17 @@ -Build status as of Sun Sep 11 00:00:02 2005 +Build status as of Mon Sep 12 00:00:02 2005 Build counts: Tree Total Broken Panic ccache 6 2 0 distcc 7 1 0 -lorikeet-heimdal 35 16 0 +lorikeet-heimdal 34 16 0 ppp 23 0 0 rsync36 2 0 samba1 0 0 samba-docs 0 0 0 samba4 42 11 0 -samba_3_039 20 0 -smb-build29 3 0 +samba_3_039 15 0 +smb-build30 3 0 talloc 9 4 0 tdb 6 3 0
svn commit: samba r10155 - in branches/SAMBA_4_0/source/auth/kerberos: .
Author: abartlet Date: 2005-09-12 00:29:37 + (Mon, 12 Sep 2005) New Revision: 10155 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=10155 Log: Add more notes on required gsskrb5 functions. Andrew Bartlett Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt Changeset: Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt === --- branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt 2005-09-11 20:53:21 UTC (rev 10154) +++ branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt 2005-09-12 00:29:37 UTC (rev 10155) @@ -233,11 +233,16 @@ has always asked for. gsskrb5_get_subkey() might do what we need anyway) - - gsskrb5_get_authz_data() - - gsskrb5_acquire_creds() (takes keytab and/or ccache as input parameters, see keytab and state machine discussion) + - gsskrb5_extract_authtime_from_sec_context (get authtime from + kerberos ticket) + - gsskrb5_extract_authz_data_from_sec_context (get authdata from + ticket, ie the PAC) + - gsskrb5_wrap_size (find out how big the wrapped packet will be, + given input length). + Keytab requirements ---
svn commit: samba r10156 - in trunk/source/rpc_server: .
Author: jra Date: 2005-09-12 01:00:06 + (Mon, 12 Sep 2005) New Revision: 10156 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=10156 Log: Enable me to identify what's going wrong with the auth2 (it's failure to find a machine account). Jeremy. Modified: trunk/source/rpc_server/srv_netlog_nt.c Changeset: Modified: trunk/source/rpc_server/srv_netlog_nt.c === --- trunk/source/rpc_server/srv_netlog_nt.c 2005-09-12 00:29:37 UTC (rev 10155) +++ trunk/source/rpc_server/srv_netlog_nt.c 2005-09-12 01:00:06 UTC (rev 10156) @@ -380,7 +380,14 @@ fstring remote_machine; DOM_CHAL srv_chal_out; + rpcstr_pull(mach_acct, q_u-clnt_id.uni_acct_name.buffer,sizeof(fstring), + q_u-clnt_id.uni_acct_name.uni_str_len*2,0); + rpcstr_pull(remote_machine, q_u-clnt_id.uni_comp_name.buffer,sizeof(fstring), + q_u-clnt_id.uni_comp_name.uni_str_len*2,0); + if (!p-dc || !p-dc-challenge_sent) { + DEBUG(0,(_net_auth2: no challenge sent to client %s\n, + remote_machine )); return NT_STATUS_ACCESS_DENIED; } @@ -388,15 +395,16 @@ ((q_u-clnt_flgs.neg_flags NETLOGON_NEG_SCHANNEL) == 0) ) { /* schannel must be used, but client did not offer it. */ + DEBUG(0,(_net_auth2: schannel required but client failed + to offer it. Client was %s\n, + mach_acct )); return NT_STATUS_ACCESS_DENIED; } - rpcstr_pull(mach_acct, q_u-clnt_id.uni_acct_name.buffer,sizeof(fstring), - q_u-clnt_id.uni_acct_name.uni_str_len*2,0); - rpcstr_pull(remote_machine, q_u-clnt_id.uni_comp_name.buffer,sizeof(fstring), - q_u-clnt_id.uni_comp_name.uni_str_len*2,0); - if (get_md4pw((char *)p-dc-mach_pw, mach_acct)) { + DEBUG(0,(_net_auth2: failed to get machine password for + account %s\n, + mach_acct )); return NT_STATUS_ACCESS_DENIED; }
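Review bot: in the first hunk (@@ -380,7 +380,14 @@) the new DEBUG(0, ...) prints remote_machine, which is pulled from q_u->clnt_id before any check has passed, so an unauthenticated client decides what is written to the log at the most verbose-independent level. Moving the two rpcstr_pull calls above the checks is needed for the messages to have names to print, but consider a higher debug level for these rejections, or escaping non-printable characters in the two names before logging, so a client cannot flood or forge level-0 log lines. The same applies to the mach_acct messages in the second hunk.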
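Review bot: in the second hunk (@@ -388,15 +395,16 @@) the message added under "if (get_md4pw((char *)p->dc->mach_pw, mach_acct))" says "failed to get machine password", yet that branch is taken when get_md4pw returns non-zero. Either the message or the condition is inverted. If get_md4pw returns True on success, the test should be negated; as written, every successful password lookup would be rejected with NT_STATUS_ACCESS_DENIED and logged as a failure. Please confirm the return convention of get_md4pw and fix whichever side is wrong before relying on this message for diagnosis.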
svn commit: samba r10157 - in branches/SAMBA_4_0/source: . kdc
Author: jpeach Date: 2005-09-12 01:32:57 + (Mon, 12 Sep 2005) New Revision: 10157 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=10157 Log: Remove the last traces of heimdal/include. Modified: branches/SAMBA_4_0/source/extra_cflags.txt branches/SAMBA_4_0/source/kdc/heimdal_config.mk Changeset: Modified: branches/SAMBA_4_0/source/extra_cflags.txt === --- branches/SAMBA_4_0/source/extra_cflags.txt 2005-09-12 01:00:06 UTC (rev 10156) +++ branches/SAMBA_4_0/source/extra_cflags.txt 2005-09-12 01:32:57 UTC (rev 10157) @@ -1,4 +1,4 @@ heimdal -Iheimdal_build -Iheimdal/kdc -Iheimdal/lib/des -Iheimdal/lib/roken -DNO_PRINTF_ATTRIBUTE -heimdal/lib/com_err -Iheimdal_build -Iheimdal/lib/com_err -Iheimdal/kdc -Iheimdal/lib/des -Iheimdal/lib/roken -Iheimdal/include -DNO_PRINTF_ATTRIBUTE -heimdal/lib/asn1 -Iheimdal_build -Iheimdal/lib/asn1 -Iheimdal/kdc -Iheimdal/lib/des -Iheimdal/lib/roken -Iheimdal/include -DNO_PRINTF_ATTRIBUTE +heimdal/lib/com_err -Iheimdal_build -Iheimdal/lib/com_err -Iheimdal/kdc -Iheimdal/lib/des -Iheimdal/lib/roken -DNO_PRINTF_ATTRIBUTE +heimdal/lib/asn1 -Iheimdal_build -Iheimdal/lib/asn1 -Iheimdal/kdc -Iheimdal/lib/des -Iheimdal/lib/roken -DNO_PRINTF_ATTRIBUTE heimdal_build/replace.o -Iheimdal_build -Iheimdal/lib/roken Modified: branches/SAMBA_4_0/source/kdc/heimdal_config.mk === --- branches/SAMBA_4_0/source/kdc/heimdal_config.mk 2005-09-12 01:00:06 UTC (rev 10156) +++ branches/SAMBA_4_0/source/kdc/heimdal_config.mk 2005-09-12 01:32:57 UTC (rev 10157) @@ -335,6 +335,6 @@ heimdal/lib/sl/strupr.o \ heimdal/lib/roken/strupr.o NOPROTO = YES -TARGET_CFLAGS = -Iheimdal/include -Iheimdal/lib/krb5 -Iheimdal/kdc -Iheimdal/lib/asn1 -Iheimdal/lib/des +TARGET_CFLAGS = -Iheimdal/lib/krb5 -Iheimdal/kdc -Iheimdal/lib/asn1 -Iheimdal/lib/des # End SUBSYSTEM HEIMDAL ###
svn commit: samba r10158 - in trunk/source/rpc_server: .
Author: jra Date: 2005-09-12 01:34:38 + (Mon, 12 Sep 2005) New Revision: 10158 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=10158 Log: Quieten Jerry's initial bellyaching about domain joins (remember to check correct version of a boolean fn. - check for False not true :-). Ok - it still fails with stub got bad data but it's closer :-). Jeremy. Modified: trunk/source/rpc_server/srv_netlog_nt.c Changeset: Modified: trunk/source/rpc_server/srv_netlog_nt.c === --- trunk/source/rpc_server/srv_netlog_nt.c 2005-09-12 01:32:57 UTC (rev 10157) +++ trunk/source/rpc_server/srv_netlog_nt.c 2005-09-12 01:34:38 UTC (rev 10158) @@ -327,7 +327,11 @@ rpcstr_pull(remote_machine, q_u-clnt_id.uni_comp_name.buffer,sizeof(fstring), q_u-clnt_id.uni_comp_name.uni_str_len*2,0); - if (get_md4pw((char *)p-dc-mach_pw, mach_acct)) { + if (!get_md4pw((char *)p-dc-mach_pw, mach_acct)) { + DEBUG(0,(_net_auth: creds_server_check failed. Failed to + get pasword for machine account %s + from client %s\n, + mach_acct, remote_machine )); return NT_STATUS_ACCESS_DENIED; } @@ -401,7 +405,7 @@ return NT_STATUS_ACCESS_DENIED; } - if (get_md4pw((char *)p-dc-mach_pw, mach_acct)) { + if (!get_md4pw((char *)p-dc-mach_pw, mach_acct)) { DEBUG(0,(_net_auth2: failed to get machine password for account %s\n, mach_acct ));
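Review bot: the DEBUG text added in the first hunk (_net_auth) says "creds_server_check failed" although the call that failed on this path is get_md4pw, and "pasword" is misspelled, so anyone searching logs for this message is pointed at the wrong function. Suggest wording it like the _net_auth2 message visible in the second hunk, for example "_net_auth: failed to get machine password for account %s from client %s". The negation of get_md4pw is applied consistently in both places; please also check for any other caller of get_md4pw that still tests the old sense.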
svn commit: samba r10159 - in branches/SAMBA_4_0/source/heimdal/lib/gssapi: .
Author: jpeach Date: 2005-09-12 01:34:51 + (Mon, 12 Sep 2005) New Revision: 10159 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=10159 Log: Dereference padsize before comparing to an int. Modified: branches/SAMBA_4_0/source/heimdal/lib/gssapi/cfx.c Changeset: Modified: branches/SAMBA_4_0/source/heimdal/lib/gssapi/cfx.c === --- branches/SAMBA_4_0/source/heimdal/lib/gssapi/cfx.c 2005-09-12 01:34:38 UTC (rev 10158) +++ branches/SAMBA_4_0/source/heimdal/lib/gssapi/cfx.c 2005-09-12 01:34:51 UTC (rev 10159) @@ -77,7 +77,7 @@ if (ret) { return ret; } - if (padsize 1) { + if (*padsize 1) { /* XXX check this */ *padlength = *padsize - (input_length % *padsize); }
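Review bot: the "/* XXX check this */" marker stays on the line that is being corrected, and the computation it guards still yields *padlength equal to *padsize when input_length is an exact multiple of *padsize. Please confirm that a full block of padding is what the caller expects in that case, state it in a comment, and drop the XXX. The hunk also does not show *padlength being assigned when the *padsize test against 1 is false; with the old pointer comparison that branch was effectively always taken, so make sure *padlength is initialised to 0 before the test now that it can be skipped.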
svn commit: samba r10160 - in trunk/source/rpc_server: .
Author: jra Date: 2005-09-12 02:01:56 + (Mon, 12 Sep 2005) New Revision: 10160 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=10160 Log: Fix netlogons for Jerry :-). When refactoring auth2 server code I forgot to set the authenticated flag in the dcinfo struct (this was done at a strange place in the older 3.0 code in my defense :-). Jeremy. Modified: trunk/source/rpc_server/srv_netlog_nt.c Changeset: Modified: trunk/source/rpc_server/srv_netlog_nt.c === --- trunk/source/rpc_server/srv_netlog_nt.c 2005-09-12 01:34:51 UTC (rev 10159) +++ trunk/source/rpc_server/srv_netlog_nt.c 2005-09-12 02:01:56 UTC (rev 10160) @@ -437,6 +437,7 @@ init_net_r_auth_2(r_u, srv_chal_out, srv_flgs, NT_STATUS_OK); server_auth2_negotiated = True; + p-dc-authenticated = True; last_dcinfo = *p-dc; return r_u-status; @@ -623,18 +624,19 @@ if (!get_valid_user_struct(p-vuid)) return NT_STATUS_NO_SUCH_USER; + if (!p-dc || !p-dc-authenticated) { + return NT_STATUS_INVALID_HANDLE; + } if ( (lp_server_schannel() == True) (p-auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) ) { /* 'server schannel = yes' should enforce use of schannel, the client did offer it in auth2, but obviously did not use it. */ + DEBUG(0,(_net_sam_logoff: client %s not using schannel for netlogon\n, + p-dc-remote_machine )); return NT_STATUS_ACCESS_DENIED; } - if (!p-dc || !p-dc-authenticated) { - return NT_STATUS_INVALID_HANDLE; - } - /* checks and updates credentials. creates reply credentials */ if (!creds_server_step(p-dc, q_u-sam_id.client.cred)) { DEBUG(0,(_net_sam_logoff: creds_server_step failed. Rejecting auth
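Review bot: in the first hunk (@@ -437,6 +437,7 @@) the flag is set immediately before "last_dcinfo = *p->dc;", so the cached copy now carries authenticated = True as well. Please confirm that whatever later restores state from last_dcinfo is meant to inherit an authenticated session, and that the failure returns earlier in this function leave p->dc->authenticated False (or clear it) so a failed second auth2 on the same pipe cannot keep a flag set by an earlier success. Neither is visible in the lines shown.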
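Review bot: in the second hunk (@@ -623,18 +624,19 @@) the relocated "if (!p->dc || !p->dc->authenticated)" check returns NT_STATUS_INVALID_HANDLE without any log line, while the schannel rejection directly below it now logs at level 0. An unauthenticated call reaching a netlogon operation is the more interesting event of the two, so add a DEBUG there too. Moving the check up is required because the new DEBUG dereferences p->dc->remote_machine; any other handler in this file that gets the same message needs the same ordering, otherwise a NULL p->dc is dereferenced in the logging call.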
svn commit: samba r10161 - in branches/SAMBA_4_0/source/lib/popt: .
Author: jpeach Date: 2005-09-12 02:34:22 + (Mon, 12 Sep 2005) New Revision: 10161 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=10161 Log: Check for alloca.h to prevent incorrect local declaration. Modified: branches/SAMBA_4_0/source/lib/popt/config.m4 Changeset: Modified: branches/SAMBA_4_0/source/lib/popt/config.m4 === --- branches/SAMBA_4_0/source/lib/popt/config.m42005-09-12 02:01:56 UTC (rev 10160) +++ branches/SAMBA_4_0/source/lib/popt/config.m42005-09-12 02:34:22 UTC (rev 10161) @@ -38,4 +38,4 @@ AC_MSG_RESULT(no) fi -AC_CHECK_HEADERS([float.h]) +AC_CHECK_HEADERS([float.h alloca.h])