Re: [Samba] Samba 4 AD DC and BIND
/usr/local/samba/bin/samba-tool dns query yourdnshost.your.domain your.domain @ ALL

Ex: samba-tool dns query samba4.tplechler.kkh tlechler.kkh @ ALL

Will do:
Password for [administra...@tplechler.kkh]:

Greetings
Daniel

---
IT Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Gerry Reno
Sent: Wednesday, 20 March 2013 04:06
To: samba@lists.samba.org
Subject: Re: [Samba] Samba 4 AD DC and BIND

On 03/19/2013 10:57 PM, Ricky Nance wrote:
> Try first a kinit administrator, then enter the administrator password, then
> /usr/local/samba/bin/samba-tool dns query COMPANY.company.com company.com @ ALL
> (notice no -U this time, and the format of host.realm instead of just host... I mistyped that in the last message) and see if it works, this will cause that tool to use kerberos instead of the regular login.
>
> Ricky

Nope. Did the kinit and got a good ticket.

# /usr/local/samba/bin/samba-tool dns query COMPANY.company.com company.com @ ALL
ERROR(runtime): uncaught exception - (-1073741772, 'NT_STATUS_OBJECT_NAME_NOT_FOUND')
  File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py, line 175, in _run
    return self.run(*args, **kwargs)
  File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/dns.py, line 970, in run
    dns_conn = dns_connect(server, self.lp, self.creds)
  File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/dns.py, line 37, in dns_connect
    dns_conn = dnsserver.dnsserver(binding_str, lp, creds)

-Gerry

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Samba4 LDAP password hashes
Hello,

I'm running samba4 and I installed phpldapadmin to connect to the samba ldap. When I am logged in as administrator I can't see the password hashes of my users or myself.

Does samba need any extra configuration/compile parameters to view the password hashes? Or does samba have a default manager ldap account?

Best Regards
Tim Vangehugten
[Samba] update target when source becomes a link pointing outside of the tree
hi everybody

I posted to rsync mailing list but it's quiet there, maybe here?

just as in the subject: update target when source becomes a link pointing outside of the tree

command:

rsync -rptgoA --safe-links --delete-before --delete-excluded --exclude something

I was hmm.. hoping I guess that --safe-links --delete-before would remove target when source became a symlink which points out of the tree, but it doesn't.

can this be done with/in rsync?

regards
[Samba] network neighborhood
Hello:

I would like to know what is wrong in my configuration. I can't see this server in network neighborhood. samba 3.5.6 joined to my active directory domain.

[global]
# message command = /bin/sh -c '/usr/bin/linpopup %f %m %s; rm %s'
security = ADS
netbios name = dos
realm = EPEPM.CUPET.CU
password server = ad.epepm.cupet.cu
workgroup = EPEPM
log level = 1
syslog = 0
idmap uid = 1-2
idmap gid = 1-2
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no
server string = Servidor Dos
encrypt passwords = true

Best regards,
Felix.
Re: [Samba] Samba 4 AD DC and BIND
On 03/20/2013 02:59 AM, Daniel Müller wrote:
> /usr/local/samba/bin/samba-tool dns query yourdnshost.your.domain your.domain @ ALL
>
> Ex: samba-tool dns query samba4.tplechler.kkh tlechler.kkh @ ALL
>
> Will do:
> Password for [administra...@tplechler.kkh]:
>
> Greetings
> Daniel

Hi Daniel, yes you're correct. That works with my BIND9 DLZ backend.

When I use dns name for the samba machine, eg: samba.company.com then it works both with and without Kerberos auth. But if I use anything else, even the machine IP, it fails.

Seems like it should work if you use the machine IP but it doesn't

-Gerry
[Samba] Clients no longer updating DNS unable to delete MX records
Hello,

After noticing some odd behavior on my domain, I realized that many of my DNS records are incorrect and that clients are no longer properly updating DNS. While looking into this, I also discovered that I am unable to delete MX records via AD DNS Manager or samba-tool. Both tools see the record but report it does not exist when I attempt to delete it. I can create new MX records, but cannot delete them. I can create and delete both A and CNAME records. The same behavior occurs under all zones. I can create and delete new forward lookup zones.

[root@ADC1 log]# samba-tool dns query adc1 internal.testdom.com mailsrv MX
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:adc1[,sign]
  Name=, Records=3, Children=0
    MX: mailsrv.internal.testdom.com. (10) (flags=f0, serial=4, ttl=900)

[root@ADC1 log]# samba-tool dns delete adc1 internal.testdom.com mailsrv MX 'mailsrv.internal.testdom.com 10'
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:adc1[,sign]
ERROR(runtime): uncaught exception - (9701, 'WERR_DNS_ERROR_RECORD_DOES_NOT_EXIST')
  File /usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py, line 175, in _run
    return self.run(*args, **kwargs)
  File /usr/local/samba/lib/python2.6/site-packages/samba/netcmd/dns.py, line 1169, in run
    del_rec_buf)
Re: [Samba] Samba 4 AD DC and BIND
It looks as if the script does not like reverse lookups!???

---
IT Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
Re: [Samba] Samba 4 AD DC and BIND
This should do the reverse lookup:

Ex: samba-tool dns query 192.168.132.123 132.168.192.in-addr.arpa @ All
  Name=, Records=3, Children=0
    SOA: serial=6, refresh=900, retry=600, expire=86400, ns=linux2.tplechler.kkh., email=hostmaster.tplechler.kkh. (flags=60f0, serial=6, ttl=3600)
    NS: linux2.tplechler.kkh. (flags=60f0, serial=1, ttl=0)
    NS: samba4.tplechler.kkh. (flags=60f0, serial=5, ttl=0)
  Name=kkh, Records=0, Children=1
  Name=123, Records=1, Children=0
    PTR: linux2.tplechler.kkh (flags=f0, serial=2, ttl=0)
  Name=132, Records=1, Children=0
    PTR: samba4.tplechler.kkh (flags=f0, serial=3, ttl=0)

Samba-tool dns query IP.YOUR.DNS:SERVER reverse.dns.zone.in-addr.arpa @ ALL

---
IT Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
Re: [Samba] Samba 4 AD DC and BIND
On 20/03/13 13:15, Daniel Müller wrote:
> It looks as if the script does not like reverse lookups!???

Hi, have you created a reverse zone?

Rowland
Re: [Samba] Samba 4 AD DC and BIND
On 03/20/2013 08:59 AM, Gerry Reno wrote:
> On 03/20/2013 02:59 AM, Daniel Müller wrote:
>> /usr/local/samba/bin/samba-tool dns query yourdnshost.your.domain your.domain @ ALL
>>
>> Ex: samba-tool dns query samba4.tplechler.kkh tlechler.kkh @ ALL
>>
>> Will do:
>> Password for [administra...@tplechler.kkh]:
>>
>> Greetings
>> Daniel
>
> Hi Daniel, yes you're correct. That works with my BIND9 DLZ backend.
>
> When I use dns name for the samba machine, eg: samba.company.com then it works both with and without Kerberos auth. But if I use anything else, even the machine IP, it fails.
>
> Seems like it should work if you use the machine IP but it doesn't
>
> -Gerry

Correction, ok IP will work but just not using Kerberos.

-Gerry
[Samba] Error creating host keytab
I am running Samba 3.0.35. When I run net ads join or net ads keytab create I see that the keytab file cannot be created. Here's a portion of the log:

[2013/03/20 07:57:50, 3] libads/kerberos.c:(337)
  kerberos_secrets_store_des_salt: Storing salt host/pitviper.DOMAIN@REALM
[2013/03/20 07:57:50, 2] libads/kerberos_keytab.c:(260)
  ads_keytab_add_entry: Using default system keytab: FILE:/etc/krb5/krb5.keytab
[2013/03/20 07:57:50, 3] libads/kerberos_keytab.c:(184)
  smb_krb5_kt_add_entry: adding keytab entry for (host/pitviper.DOMAIN@REALM) with encryption type (1) and version (8)
[2013/03/20 07:57:50, 1] libads/kerberos_keytab.c:(189)
  smb_krb5_kt_add_entry: adding entry to keytab failed (Cannot write to specified key table)
[2013/03/20 07:57:50, 1] libads/kerberos_keytab.c:(346)
  ads_keytab_add_entry: Failed to add entry to keytab file
[2013/03/20 07:57:50, 1] libads/kerberos_keytab.c:(508)
  ads_keytab_create_default: ads_keytab_add_entry failed while adding 'host'.
[2013/03/20 07:57:50, 1] utils/net_ads.c:(1647)
  Error creating host keytab!
Joined 'PITVIPER' to realm 'REALM'
[2013/03/20 07:57:50, 2] utils/net.c:(1075)
  return code = 0

I've tried creating /etc/krb5/krb5.keytab with no luck. Any ideas?

TIA
-Kevin
Re: [Samba] Samba 4 AD DC and BIND
I spent the better part of this morning playing around with samba-tool dns and also nsupdate -g.

I was never able to add delegation records using this samba-tool dns. It always kept giving me errors about dns name not found.

I was however fully successful at adding delegation records to samba when using the nsupdate -g.

Just a note in case anyone else has problems adding delegation records to samba.

-Gerry
Re: [Samba] not permitted to access this share
On Tue, Mar 19, 2013 at 02:54:52PM -0400, Mark Drummond wrote:
> Hello all,
>
> Been fighting with this all day and I am at a loss. Maybe I've been staring at it too long. I'm getting a not permitted to access this share error where I think I should be getting in no problem.
>
> user 'fizbin' (from session setup) not permitted to access this share (logs)
>
> Configuration: Two AIX 6.1 (6100-06-06) LPARs both running Samba 3.3.12 binaries from IBM. LPAR1 is working great. No problem accessing the shares created there. On LPAR2 I cannot access any shares. Both are configured for domain authentication and that seems to be working. wbinfo -u returns a list of domain users. On both systems I get:
>
> check_ntlm_password: authentication for user [fizbin] - [fizbin] - [fizbin] succeeded
>
> The global sections of smb.conf are the same on both machines. Not sure where to go from here. The two systems seem to be identical. Any tips would be appreciated.

Debug level 10 log. Look into the lines just before the not permitted to access this share message. My guess would be ACLs on the share itself.
[Samba] Samba4 - mapping Network Drives based on Group membership
Hi All

I have a problem running a logon script to map network drives based on Group Membership. The script is a VBScript that resides in the netlogon share. It works just fine when the logged in user is a Domain Admin but fails to get the Group information when logged in as a regular user.

For example when I login as administrator, who is a member of every Group (for test only), all the requested Drives are mapped. When I login as testuser1, who is a member of the HR Group say, only a Public drive is mapped and nothing else.

This seems to be a permission issue querying Active Directory, and I have no idea on how to give users the permission to query the AD in Samba4.

Can anyone help?

For reference here is the VBScript I use:

On Error Resume Next

Set objSysInfo = CreateObject("ADSystemInfo")
Set objNetwork = CreateObject("Wscript.Network")

strUserPath = "LDAP://" & objSysInfo.UserName
Set objUser = GetObject(strUserPath)

' The Public share is mapped for every user
objNetwork.MapNetworkDrive "Z:", "\\10.100.1.128\Public"

' Map the remaining drives according to the user's group memberships
For Each strGroup in objUser.MemberOf
    strGroupPath = "LDAP://" & strGroup
    Set objGroup = GetObject(strGroupPath)
    strGroupName = objGroup.CN

    Select Case strGroupName
        Case "HR"
            objNetwork.MapNetworkDrive "N:", "\\10.100.1.128\HR"
        Case "Engineering"
            objNetwork.MapNetworkDrive "y:", "\\10.100.1.128\Engineering"
        Case "Payroll"
            objNetwork.MapNetworkDrive "M:", "\\10.100.1.128\Payroll"
        Case "IT"
            objNetwork.MapNetworkDrive "O:", "\\10.100.1.128\Data"
            objNetwork.MapNetworkDrive "X:", "\\10.100.1.128\IT-APS"
    End Select
Next

Thanks

--
Varouj (V.J.) Avanessians | Sr. Linux Sys Administrator | ACCO Engineered Systems
6265 San Fernando Rd | Glendale, California | 91201-2214
(818)-730-5846 Mobile | (818)-244-6571 Main
Re: [Samba] Can smbclient bind the source IP address?
On Fri, Mar 15, 2013 at 08:44:35AM +, Marcel Hernandez Bertran wrote:
> I'd like to know if there's any way to bind a source IP address for smbclient requests, the likes of ssh's -b argument:
>
> ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address]...
>
> -b bind_address
>     Use bind_address on the local machine as the source address of the connection. Only useful on systems with more than one address.

No we don't have that option. If you can think of a good letter we haven't yet used then we might be able to add that :-).
Re: [Samba] Clients no longer updating DNS unable to delete MX records
On Wed, Mar 20, 2013 at 9:05 AM, Thomas Simmons twsn...@gmail.com wrote:
> Hello,
>
> After noticing some odd behavior on my domain, I realized that many of my DNS records are incorrect and that clients are no longer properly updating DNS. While looking into this, I also discovered that I am unable to delete MX records via AD DNS Manager or samba-tool. Both tools see the record but report it does not exist when I attempt to delete it. I can create new MX records, but cannot delete them. I can create and delete both A and CNAME records. The same behavior occurs under all zones. I can create and delete new forward lookup zones.
>
> [root@ADC1 log]# samba-tool dns query adc1 internal.testdom.com mailsrv MX
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'sasl-DIGEST-MD5' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Using binding ncacn_ip_tcp:adc1[,sign]
>   Name=, Records=3, Children=0
>     MX: mailsrv.internal.testdom.com. (10) (flags=f0, serial=4, ttl=900)
>
> [root@ADC1 log]# samba-tool dns delete adc1 internal.testdom.com mailsrv MX 'mailsrv.internal.testdom.com 10'
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'sasl-DIGEST-MD5' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Using binding ncacn_ip_tcp:adc1[,sign]
> ERROR(runtime): uncaught exception - (9701, 'WERR_DNS_ERROR_RECORD_DOES_NOT_EXIST')
>   File /usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py, line 175, in _run
>     return self.run(*args, **kwargs)
>   File /usr/local/samba/lib/python2.6/site-packages/samba/netcmd/dns.py, line 1169, in run
>     del_rec_buf)

With log level = 10, when attempting to delete the record, it appears to find it, but reports it doesn't exist anyway. Has anyone seen this behavior before? The last DNS update was nearly 2 weeks ago and I am not aware of anything that happened around that time that would have triggered this. I don't know if this MX problem and the clients being unable to update DNS are related.

[2013/03/20 13:52:20, 5, pid=2064, effective(0, 0), real(0, 0)] ../lib/ldb-samba/ldb_wrap.c:69(ldb_wrap_debug)
  ldb: ldb_trace_request: SEARCH
   dn: DC=internal.testdom.com ,CN=MicrosoftDNS,DC=DomainDnsZones,DC=internal,DC=testdom,DC=com
   scope: one
   expr: ((objectClass=dnsNode)(name=mailsrv))
   attr: dnsRecord
   control: NONE
[2013/03/20 13:52:20, 5, pid=2064, effective(0, 0), real(0, 0)] ../lib/ldb-samba/ldb_wrap.c:69(ldb_wrap_debug)
  ldb: ldb_trace_request: (resolve_oids)-search
... ... ...
[2013/03/20 13:52:20, 5, pid=2064, effective(0, 0), real(0, 0)] ../lib/ldb-samba/ldb_wrap.c:69(ldb_wrap_debug)
  ldb: ldb_trace_response: ENTRY
dn: DC=mailsrv,DC=internal.testdom.com ,CN=MicrosoftDNS,DC=DomainDnsZones,DC=internal,DC=testdom,DC=com
dnsRecord:: IgAPAAXwAAAEAAADhAALIDcAAAoeBAdtYWlsc3J2CGludGVybmFsB7G4YX
 lzZXMDY29tAA==
dnsRecord:: EAAPAAXwAAA+AADcIjcAAAoMAgZnb29nbGUDY29tAA==
dnsRecord:: IgAPAAXwAAAEAAADhAALIDcAAAoeBAdtYWlsc3J2CGludGVybmFsB7G4YX
 lzZXMDY29tAA==
[2013/03/20 13:52:20, 5, pid=2064, effective(0, 0), real(0, 0)] ../lib/ldb-samba/ldb_wrap.c:69(ldb_wrap_debug)
  ldb: ldb_trace_response: DONE
  error: 0
[2013/03/20 13:52:20, 1, pid=2064, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:282(ndr_print_function_debug)
  DnssrvUpdateRecord2: struct DnssrvUpdateRecord2
    out: struct DnssrvUpdateRecord2
      result : WERR_DNS_ERROR_RECORD_DOES_NOT_EXIST
Re: [Samba] RPM building tools for Samba 4.0.3 on RHEL 6 published bye me on Github
I tested the .spec file you posted today. There's still a glitch remaining.

If built with the file as it is (%global with_dc 0) the packages build cleanly. However, if %global with_dc 1 is used, the build fails with the following error:

RPM build errors:
    Installed (but unpackaged) file(s) found:
    /usr/lib64/samba/ldb/ildap.so

I can see that this file is excluded in the packaging list pertaining to DC-LIBS, if with_dc is disabled but it is not one of the # ldb libraries built with DC activated, contrary to the other file always excluded in the Fedora .spec (ldbsamba_extensions.so), which is listed in your file.

When I do a rpm query for --whatrequires both files, the answer is that no package requires either file. As such, they should probably be always excluded, as happens with the Fedora .spec file.

One more thing: since Samba 4.0.4 is out now, maybe you should update your files to match? This is just a security release that presents no problem whatsoever when built with the same specs as 4.0.3. I did it and all went well. I have an experimental AD domain controller working correctly with it.

Thank you again
[Samba] idmap migration settings.
Hi.

I have noted the changes in samba 3.6.x. I have a DOMAIN with Samba 3.5.x, I have 3 servers and I started updating my OS Centos to the latest 5.9, and there I noted these changes.

Now I have searched around the globe for the doc that shows us how to make the changes. But it is only in mailing lists or forums.

What I understand is this:

idmap uid
idmap gid
idmap range ===

In my smb.conf I don't have these settings but I understand that it is this value: 1-2, right?

Are replaced by:

idmap config * : range
idmap config * : backend

Now, how will my setup have to be?

idmap config * : ldap
idmap config * : 1-2

Now I have another warning that samba 3.5.x won't complain about:

WARNING: The setting 'security=domain' should NOT be combined with the 'password server' parameter.

What is the problem with this one?

Thanks for your time.

--
LIving the dream...
[Samba] Making users local administrators
I have Samba 4 (latest version, I think) set up for Active Directory. Everything is working just, using Microsoft's Group Policy Editor to manage stuff. Except one thing:

For reasons you don't want to get me started on, I need all users to have local administrative privileges on any computer on the domain. This is supposed to be a simple, straightforward thing. Google has led me to half a dozen different ways to do this through group policies. And none of them work. I can set any other kind of group policy I want, power saving settings, screen saver settings, various security settings in IE, and the new settings show up with a gpupdate /force, but I cannot figure out how to add someone to the local administrators group.

Can somebody point me to a really remedial howto? Something like group policies for complete idiots maybe.
Re: [Samba] RPM building tools for Samba 4.0.3 on RHEL 6 published bye me on Github
I forgot something.

%{_libdir}/samba/libdfs_server_ad.so
%{_libdir}/samba/libposix_eadb.so

As I said before, those two entries MUST be within ### LIBS, under %if %with_dc. Otherwise, the build completes cleanly but the install process of samba-libs and samba fails with the following:

error: Failed dependencies:
    libdfs_server_ad.so()(64bit) is needed by samba-libs-0:4.0.4-1.el6.x86_64
    libdfs_server_ad.so(SAMBA_4.0.4)(64bit) is needed by samba-libs-0:4.0.4-1.el6.x86_64

error: Failed dependencies:
    libposix_eadb.so()(64bit) is needed by samba-0:4.0.3-0.6.el6.x86_64
    libposix_eadb.so(SAMBA_4.0.3)(64bit) is needed by samba-0:4.0.3-0.6.el6.x86_64

I suggest doing the described inclusions and, for the sake of consistency, moving the correspondent exclusion to the same section:

### LIBS
%if %with_dc
%{_libdir}/samba/libdfs_server_ad.so
%{_libdir}/samba/libposix_eadb.so
%else
# formerly excluded in files dc
%exclude %{_libdir}/samba/libdfs_server_ad.so
%endif # with_dc

If these steps are taken, everything builds and installs correctly, whether AD DC is activated or not.

The Fedora .spec file excludes samba/libdfs_server_ad.so from the build process altogether because Fedora is not using the AD DC component of Samba 4 due to lack of support with MIT Kerberos.

---

On the matter of the release of Samba 4.0.4, shouldn't the Obsoletes statement now include the form Obsoletes: samba %{samba_depver} instead of only Obsoletes: samba4 %{samba_depver}? You now need to Obsolete all versions of Samba 4 prior to 4.0.4, both release and pre-release.

Also, I think that the form you are still using for Provides (for example Provides: samba4-common = %{samba_depver}) is no longer correct. According to the Samba team conventions, after the release of Samba 4 the form should now be Provides: samba-common = %{samba_depver}.

In a previous mail to you, I suggested:

Provides: samba = %{samba_depver}
Conflicts: samba4 %{samba_depver}
Obsoletes: samba %{samba_depver}

I used Conflicts for samba4 because there are significant differences between the pre-release and the release versions. Or maybe we could use two Obsoletes statements instead...

Best regards
Miguel
Re: [Samba] Samba4 LDAP password hashes
On Wed, 2013-03-20 at 11:44 +0100, Tim Vangehugten wrote:
> Hello,
>
> I'm running samba4 and I installed phpldapadmin to connect to the samba ldap. When I am logged in as administrator I can't see the password hashes of my users or myself.
>
> Does samba need any extra configuration/compile parameters to view the password hashes? Or does samba have a default manager ldap account?

No AD DC (including Samba 4.0 as an AD DC) exposes password hashes across LDAP over TCP, for security reasons.

Why do you need to read the password hash values over LDAP?

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Re: [Samba] Making users local administrators
An easy way is:

For the Administrator group on the local machine, add domain users to that *local* group. [This means that any domain authenticated user will have local admin privs.]

---

While I've not done this via GPO - this looks like a reasonable way of doing so.
http://www.expta.com/2011/02/adding-users-to-local-security-groups.html

HTH

-Greg

TA> I have Samba 4 (latest version, I think) set up for Active Directory.
TA> Everything is working just, using Microsoft's Group Policy Editor to manage
TA> stuff. Except one thing:

TA> For reasons you don't want to get me started on, I need all users to have
TA> local administrative privileges on any computer on the domain. This is
TA> supposed to be a simple, straightforward thing. Google has led me to half a
TA> dozen different ways to do this through group policies. And none of them
TA> work. I can set any other kind of group policy I want, power saving
TA> settings, screen saver settings, various security settings in IE, and the
TA> new settings show up with a gpupdate /force, but I cannot figure out how to
TA> add someone to the local administrators group. Can somebody point me to a
TA> really remedial howto? Something like group policies for complete idiots
TA> maybe.

--
Gregory Sloop, Principal: Sloop Network Computer Consulting
Voice: 503.251.0452 x82
EMail: gr...@sloop.net
http://www.sloop.net
---
Re: [Samba] Making users local administrators
Yeah, I figured that out. It's not the right way, because it has to be done on each machine in the domain, but so does setting it to log in to the domain in the first place. So it's just a new line in my deployment checklist.

Thanks.
Re: [Samba] Making users local administrators
The linky-thingy did have a way of doing so via a GPO. I've not tried it, but it certainly looks like it should work.

> While I've not done this via GPO - this looks like a reasonable way of doing so.
> http://www.expta.com/2011/02/adding-users-to-local-security-groups.html

Try it.

-Greg
Re: [Samba] [Announce] Samba 4.0.4 Security Release Available for Download
As our announcement of 4.0.4 has confused some of our administrators as
to who is affected, and because there are IMPORTANT STEPS included that
affected administrators need to follow, I'm posting the whole advisory
text below:

On Tue, 2013-03-19 at 11:04 +0100, Karolin Seeger wrote:
> Release Announcements
> ---------------------
>
> This is a security release in order to address CVE-2013-1863
> (World-writeable files may be created in additional shares on a
> Samba 4.0 AD DC).
>
> o  CVE-2013-1863:
>    Administrators of the Samba 4.0 Active Directory Domain
>    Controller might unexpectedly find files created world-writeable
>    if additional CIFS file shares are created on the AD DC.
>    Samba versions 4.0.0rc6 - 4.0.3 (inclusive) are affected by this
>    defect.
>
> Changes since 4.0.3:
> --------------------
>
> o  Andrew Bartlett abart...@samba.org
>    * BUG 9709: CVE-2013-1863: Remove forced set of 'create mask' to 0777.

===========================================================
== Subject:     World-writeable files may be created in additional shares on a
==              Samba 4.0 AD DC
==
== CVE ID#:     CVE-2013-1863
==
== Versions:    Samba 4.0.0rc6 - 4.0.3 (inclusive)
==
== Summary:     Administrators of the Samba 4.0 Active Directory Domain
==              Controller might unexpectedly find files created world-writeable
==              if additional CIFS file shares are created on the AD DC.
==
===========================================================

===========
Description
===========

Administrators of the Samba 4.0 Active Directory Domain Controller might
unexpectedly find files created world-writeable if additional CIFS file
shares are created on the AD DC.

By default the AD DC is not vulnerable to this issue, as a specific
inheritable ACL is set on the files in the [sysvol] and [netlogon]
shares.

However, on other shares, when only configured with simple unix
user/group/other permissions, the forced setting of 'create mask' and
'directory mask' on AD DC installations would apply, resulting in
world-writable file permissions being set.

These permissions are visible with the standard tools, and only the
initial file creation is affected. As Samba honours the unix
permissions, the security of files where explicit permissions have been
set is not affected.

Administrators will need to manually correct the permissions of any
world-writable files and directories. After upgrading, either
recursively set correct permissions using the Windows ACL editor, or run
something like e.g.:

    sudo setfacl -b -R /path/to/share
    sudo chmod o-w,g-w -R /path/to/share

(Please note that this command might need to be adapted to your needs).

This will remove all the ACLs (a reasonable step as this only impacts on
shares without an ACL set), including a problematic default posix ACL on
subdirectories.

==================
Mitigating factors
==================

By default the AD DC is not vulnerable to this issue, as a specific
inheritable ACL is set on the files in the default [sysvol] and
[netlogon] shares.

Users of our file server when configured in any other mode, such as a
standalone server, domain member (including of a Samba 4.0 AD Domain),
file server or classic (NT4-like) domain controller are not impacted.
Many Samba 4.0 AD DC installations have followed the Team's advice to
split their installation in this way, and so are not affected.

Similarly, samba 4.0 AD DC installations based on the 'ntvfs' file
server are not impacted. This is not the default in upstream Samba, but
importantly it is the only available configuration in samba4 packages of
Samba 4.0 in Debian (including experimental) and Ubuntu supplied
packages.

Likewise, packages and installations built --without-ad-dc are not
impacted, as only AD DC installations will set this configuration. We
understand Red Hat and Fedora installations are built in this mode.

Unless guest access has been explicitly allowed (guest ok = yes), only
authenticated users would be able to read/write any of accidentally
world-writable files. Similarly, the 'read only = no' default in the
smb.conf still applies.

==========
Workaround
==========

Set a recursive and inherited ACL on the root of the share (for example,
using the ACL editor on a Windows client)

==================
Patch Availability
==================

Patches addressing this defect have been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 4.0.4 has been issued as a security release to
correct the defect. Samba administrators running affected versions are
advised to upgrade to 4.0.4 or apply the patch as soon as possible.

=======
Credits
=======

The vulnerability was noticed by a number of observant administrators,
including Ricky Nance ricky.na...@weaubleau.k12.mo.us.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

--
Andrew Bartlett
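An added example, not part of the advisory or of Samba: a read-only Python audit that lists what the setfacl/chmod clean-up in the advisory would touch under a share, so the result can be reviewed before anything is changed. The function names and the demo tree are constructed for illustration; the default-ACL check assumes Linux, where that ACL is stored in the system.posix_acl_default extended attribute.

```python
"""Audit a share for world-writable entries and default POSIX ACLs."""
import os
import stat
import sys
import tempfile
from collections import namedtuple

# Bits that the advisory's "chmod o-w,g-w" clears.
GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH
# Assumption: Linux, where a directory's default POSIX ACL lives in this xattr.
DEFAULT_ACL_XATTR = "system.posix_acl_default"

Finding = namedtuple(
    "Finding", "path kind mode fixed_mode world_writable default_acl")


def has_default_acl(path):
    """True if the directory carries a default POSIX ACL (what setfacl -b drops)."""
    if not hasattr(os, "listxattr"):        # platform without xattr support
        return False
    try:
        return DEFAULT_ACL_XATTR in os.listxattr(path, follow_symlinks=False)
    except OSError:                          # filesystem without xattrs
        return False


def inspect_entry(path):
    """Return a Finding for a regular file or directory that needs attention."""
    st = os.lstat(path)
    if stat.S_ISDIR(st.st_mode):
        kind = "dir"
    elif stat.S_ISREG(st.st_mode):
        kind = "file"
    else:
        # Symlinks always show 0777 under lstat on Linux; reporting them
        # would be a false positive. Devices and sockets are out of scope.
        return None
    mode = stat.S_IMODE(st.st_mode)
    world_writable = bool(mode & stat.S_IWOTH)
    default_acl = kind == "dir" and has_default_acl(path)
    if not (world_writable or default_acl):
        return None
    # fixed_mode is what "chmod o-w,g-w" would leave behind.
    return Finding(path, kind, mode, mode & ~GROUP_OTHER_WRITE,
                   world_writable, default_acl)


def audit_share(root):
    """Walk root without following symlinks and collect findings, sorted by path."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        candidates = [dirpath] + [os.path.join(dirpath, n) for n in filenames]
        for path in candidates:
            try:
                finding = inspect_entry(path)
            except OSError:
                continue                     # entry vanished or is unreadable
            if finding:
                findings.append(finding)
    return sorted(findings)


def build_demo_tree():
    """Create a constructed sample share in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="share-audit-")
    dirs = {"projects": 0o777, "archive": 0o755}
    files = {"projects/report.doc": 0o666, "projects/private.txt": 0o640}
    for rel in dirs:
        os.mkdir(os.path.join(root, rel))
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)                 # explicit, independent of umask
    for rel, mode in dirs.items():
        os.chmod(os.path.join(root, rel), mode)
    os.symlink("report.doc", os.path.join(root, "projects", "latest"))
    os.chmod(root, 0o755)
    return root


def main(argv):
    # With no argument, audit the constructed demo tree.
    root = argv[1] if len(argv) > 1 else build_demo_tree()
    for f in audit_share(root):
        flags = [name for name, on in (("world-writable", f.world_writable),
                                       ("default-acl", f.default_acl)) if on]
        print("%-4s %04o -> %04o  %-26s %s"
              % (f.kind, f.mode, f.fixed_mode, ",".join(flags), f.path))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pass the share path as the only argument to audit a real tree; nothing is modified, and group write is shown as cleared only because the advisory's example command clears it.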
Re: [Samba] RPM building tools for Samba 4.0.3 on RHEL 6 published by me on Github
I'll update as soon as I find cycles...

Nico Kadel-Garcia
Email: nka...@gmail.com
Sent from iPhone

On Mar 20, 2013, at 15:37, Miguel Medalha miguelmeda...@sapo.pt wrote:

> built
Re: [Samba] upgrade procedure
On 03/19/2013 05:37 PM, Andrew Bartlett wrote:
> On Tue, 2013-03-19 at 08:39 -0500, Cristian Saavedra wrote:
>> Hello
>>
>> I'm upgrading to 4.0.4 as far as I remember the samba_upgradeprovision
>> must not be used, so I'm asking for the current upgrade procedure:
>>
>> - configure samba 4.0.4
>> - make
>> - create current samba backup (just in case)
>> - killall samba process
>> - make install
>> - run samba
>>
>> After that, the new binaries are in place, should I do something else?
>> run a script? delete a file? anything?
>
> The WHATSNEW includes a suggestion on how to fix the world-writeable
> permissions on any additional file shares. Make sure you do that.
>
> Other than that, this looks correct.
>
> Andrew Bartlett

I have a clone of v4.0-stable which was 4.0.3 when I pulled.

Do I just need to do a 'git pull'? to get 4.0.4?

Or is 4.0.4 on some other tag?

-Gerry
Re: [Samba] upgrade procedure
On 03/20/2013 09:17 PM, Gerry Reno wrote:
> On 03/19/2013 05:37 PM, Andrew Bartlett wrote:
>> On Tue, 2013-03-19 at 08:39 -0500, Cristian Saavedra wrote:
>>> Hello
>>>
>>> I'm upgrading to 4.0.4 as far as I remember the samba_upgradeprovision
>>> must not be used, so I'm asking for the current upgrade procedure:
>>>
>>> - configure samba 4.0.4
>>> - make
>>> - create current samba backup (just in case)
>>> - killall samba process
>>> - make install
>>> - run samba
>>>
>>> After that, the new binaries are in place, should I do something else?
>>> run a script? delete a file? anything?
>>
>> The WHATSNEW includes a suggestion on how to fix the world-writeable
>> permissions on any additional file shares. Make sure you do that.
>>
>> Other than that, this looks correct.
>>
>> Andrew Bartlett
>
> I have a clone of v4.0-stable which was 4.0.3 when I pulled.
>
> Do I just need to do a 'git pull'? to get 4.0.4?
>
> Or is 4.0.4 on some other tag?
>
> -Gerry

git pull on v4.0-stable looks like it pulled in 4.0.4.

Building now.

-Gerry
Re: [Samba] upgrade procedure
On Wed, 2013-03-20 at 21:17 -0400, Gerry Reno wrote:
> On 03/19/2013 05:37 PM, Andrew Bartlett wrote:
>> On Tue, 2013-03-19 at 08:39 -0500, Cristian Saavedra wrote:
>>> Hello
>>>
>>> I'm upgrading to 4.0.4 as far as I remember the samba_upgradeprovision
>>> must not be used, so I'm asking for the current upgrade procedure:
>>>
>>> - configure samba 4.0.4
>>> - make
>>> - create current samba backup (just in case)
>>> - killall samba process
>>> - make install
>>> - run samba
>>>
>>> After that, the new binaries are in place, should I do something else?
>>> run a script? delete a file? anything?
>>
>> The WHATSNEW includes a suggestion on how to fix the world-writeable
>> permissions on any additional file shares. Make sure you do that.
>>
>> Other than that, this looks correct.
>>
>> Andrew Bartlett
>
> I have a clone of v4.0-stable which was 4.0.3 when I pulled.
>
> Do I just need to do a 'git pull'? to get 4.0.4?
>
> Or is 4.0.4 on some other tag?

4.0.4 should be the latest code on the v4-0-stable branch. You can see
the version when you build Samba with --version on all the tools, or in
the VERSION file.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Re: [Samba] Password Policy - how to reduce password complexity
On Sun, Mar 3, 2013 at 12:25 AM, Gregory Sloop gr...@sloop.net wrote:

> Windows cannot set the password for because: The password does not
> meet the password policy requirements. Check the minimum password
> length, password complexity and password history requirements.
>
> TS> It's giving that error because you have a minimum length specified or
> TS> complexity on. If you want to change that you need to run 'samba-tool
> TS> domain passwordsettings set --min-pwd-length=1 --complexity=off'. Do you
> TS> really want to disable complexity and allow very weak passwords?
>
> I think best practices show that passwords that are too hard to
> remember [IMO the complexity requirement starts to get into this area]
> simply frustrate users and the result will be they write down the
> password and stick it near the computer. Then is far worse than a weak
> password. It's a password you can find by pulling open the top drawer
> of their desk, looking under their keyboard, or simply looking at the
> postie on the monitor.

There are trade-offs (from old security work). Too-complex passwords tend to get used *everywhere* by the same person, and get cut and pasted into scripts. This leads to escalation attacks, where a password sniffed by people using HTTP for LDAP or Kerberos managed passwords or using locally stored passwords for Subversion, chef, CVS, or other risky tools wind up with their site-wide email and login passwords copied or written into Wikis. (God knows I've seen that!!)

Too simple passwords get brute-force cracked, remotely, all day long all over the world on exposed hosts, which I've been seeing for over 20 years, since I had to deal with the Morris Worm.

I'd recommend something like LastPass, but that's not really applicable here, unless you're going to pull it off your phone or something. I'm personally fond of the XKCD algorithm:

http://xkcd.com/936/

Sets of personally memorable words in plain-text, no case mixing, long enough to have much higher entropy than the 8 character l33tSk!z passwords and less likely to cause RSI or mistyping locking you out of your account.
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated via fb7971c WHATSNEW: Start release notes for Samba 3.6.14. via 5e70508 VERSION: Bump version number up to 3.6.14. from f70d3d2 WHATSNEW: Prepare release notes for Samba 3.6.13. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log - commit fb7971cf9305f4a596636c73c17a3c73bfcbdb02 Author: Karolin Seeger ksee...@samba.org Date: Wed Mar 20 09:55:41 2013 +0100 WHATSNEW: Start release notes for Samba 3.6.14. Karolin commit 5e70508c735dee1daab09bbf394b65080e21c551 Author: Karolin Seeger ksee...@samba.org Date: Wed Mar 20 09:52:47 2013 +0100 VERSION: Bump version number up to 3.6.14. Karolin --- Summary of changes: WHATSNEW.txt| 45 +++-- source3/VERSION |2 +- 2 files changed, 44 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 96a8407..e27c6bd 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,4 +1,44 @@ == + Release Notes for Samba 3.6.14 + April 29, 2013 + == + + +This is is the latest stable release of Samba 3.6. + +Major enhancements in Samba 3.6.14 include: + +o + +Changes since 3.6.13: +- + +o Jeremy Allison j...@samba.org + + +## +Reporting bugs Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 3.6 product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +== + +Release notes for older releases follow: + + + == Release Notes for Samba 3.6.13 March 18, 2013 == @@ -94,8 +134,9 @@ database (https://bugzilla.samba.org/). == The Samba Team == -Release notes for older releases follow: - + +-- + == Release Notes for Samba 3.6.12 
diff --git a/source3/VERSION b/source3/VERSION index 60503d9..8a10864 100644 --- a/source3/VERSION +++ b/source3/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=3 SAMBA_VERSION_MINOR=6 -SAMBA_VERSION_RELEASE=13 +SAMBA_VERSION_RELEASE=14 # Bug fix releases use a letter for the patch revision # -- Samba Shared Repository
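Review bot: The first added sentence of the new WHATSNEW.txt section reads "This is is the latest stable release of Samba 3.6." and has a doubled "is"; drop one before this text is copied into the announcement. The source3/VERSION bump from 13 to 14 matches the new section heading and needs no change.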
[SCM] Samba Shared Repository - branch v3-6-stable updated
The branch, v3-6-stable has been updated via d4382c7 WHATSNEW: Start release notes for Samba 3.6.14. via 51eede7 VERSION: Bump version number up to 3.6.14. from bcb9821 WHATSNEW: Prepare release notes for Samba 3.6.13. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-stable - Log - commit d4382c7b71e8fbfb1fc583ce505035631a121f98 Author: Karolin Seeger ksee...@samba.org Date: Wed Mar 20 09:55:41 2013 +0100 WHATSNEW: Start release notes for Samba 3.6.14. Karolin (cherry picked from commit fb7971cf9305f4a596636c73c17a3c73bfcbdb02) commit 51eede7541e90e86bc3ca0da7593cd01c6a10907 Author: Karolin Seeger ksee...@samba.org Date: Wed Mar 20 09:52:47 2013 +0100 VERSION: Bump version number up to 3.6.14. Karolin (cherry picked from commit 5e70508c735dee1daab09bbf394b65080e21c551) --- Summary of changes: WHATSNEW.txt| 45 +++-- source3/VERSION |2 +- 2 files changed, 44 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 96a8407..e27c6bd 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,4 +1,44 @@ == + Release Notes for Samba 3.6.14 + April 29, 2013 + == + + +This is is the latest stable release of Samba 3.6. + +Major enhancements in Samba 3.6.14 include: + +o + +Changes since 3.6.13: +- + +o Jeremy Allison j...@samba.org + + +## +Reporting bugs Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 3.6 product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +== + +Release notes for older releases follow: + + + == Release Notes for Samba 3.6.13 March 18, 2013 == 
@@ -94,8 +134,9 @@ database (https://bugzilla.samba.org/). == The Samba Team == -Release notes for older releases follow: - + +-- + == Release Notes for Samba 3.6.12 diff --git a/source3/VERSION b/source3/VERSION index ab58022..46ec559 100644 --- a/source3/VERSION +++ b/source3/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=3 SAMBA_VERSION_MINOR=6 -SAMBA_VERSION_RELEASE=13 +SAMBA_VERSION_RELEASE=14 # Bug fix releases use a letter for the patch revision # -- Samba Shared Repository
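Review bot: The cherry-picked WHATSNEW.txt section is still a template: the "o" bullet under "Major enhancements in Samba 3.6.14 include:" is empty, "o Jeremy Allison" has no change entries beneath it, and the heading carries a release date of April 29, 2013 on a commit dated March 20. On a -stable branch these placeholders should be filled in, or clearly marked as pending, before the release is tagged so that an empty changelog is not shipped.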
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via 91d4fb8 Update latest stable release. from c0a3c0f Announce Samba 4.0.4. http://gitweb.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit 91d4fb8e73c53de368e33375bd1dbe4ca06f38ff Author: Karolin Seeger ksee...@samba.org Date: Wed Mar 20 10:05:28 2013 +0100 Update latest stable release. Karolin --- Summary of changes: latest_stable_release.html |6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/latest_stable_release.html b/latest_stable_release.html index 6a2f85a..e484b93 100644 --- a/latest_stable_release.html +++ b/latest_stable_release.html @@ -1,5 +1,5 @@ p - a href=/samba/ftp/stable/samba-4.0.3.tar.gzSamba 4.0.3 (gzipped)/abr - a href=/samba/history/samba-4.0.3.htmlRelease Notes/a middot; - a href=/samba/ftp/stable/samba-4.0.3.tar.ascSignature/a + a href=/samba/ftp/stable/samba-4.0.4.tar.gzSamba 4.0.4 (gzipped)/abr + a href=/samba/history/samba-4.0.4.htmlRelease Notes/a middot; + a href=/samba/ftp/stable/samba-4.0.4.tar.ascSignature/a /p -- Samba Website Repository
[SCM] Samba Shared Repository - branch v4-0-test updated
The branch, v4-0-test has been updated via 50c476e VERSION: Bump version number up to 4.0.5. via 730b822 Merge tag 'samba-4.0.4' into v4-0-test via b341371 VERSION: Bump version number up to 4.0.4. via 51ed8a8 WHATSNEW: Prepare release notes for Samba 4.0.4 via ee3ac64 Revert Ensure the masks don't conflict with the ACL checks. via fc19aaf smbd:posix_acls Remove incorrectly added lp_create_mask() and lp_dir_mask() calls via 053dfa2 param: Remove incorrectly added defaults in AD DC allowing WORLD WRITABLE files from e5288a2 Correct the name of the nss_winbind module for FreeBSD by creating a symlink from the FreeBSD required name to the built module. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test - Log - commit 50c476e4de9ce041b8fb8a9ce4e41f89893fcd0e Author: Karolin Seeger ksee...@samba.org Date: Wed Mar 20 12:23:14 2013 +0100 VERSION: Bump version number up to 4.0.5. Signed-off-by: Karolin Seeger ksee...@samba.org commit 730b822549fd5ec96322e1b62af24476eeb92b76 Merge: e5288a2d228a68483fd1bc0dc679b44b327dc0fe b3413711e12c1357cb63cdbdaa250786f9119032 Author: Karolin Seeger ksee...@samba.org Date: Wed Mar 20 12:19:35 2013 +0100 Merge tag 'samba-4.0.4' into v4-0-test samba: tag release samba-4.0.4 --- Summary of changes: VERSION |2 +- WHATSNEW.txt | 52 +- selftest/target/Samba3.pm|3 +- selftest/target/Samba4.pm|3 +- source3/param/loadparm.c |2 - source3/smbd/posix_acls.c| 17 --- source4/scripting/python/samba/tests/posixacl.py |2 +- 7 files changed, 54 insertions(+), 27 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 2bf84a1..a999766 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=0 -SAMBA_VERSION_RELEASE=4 +SAMBA_VERSION_RELEASE=5 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 5464717..d623330 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,4 +1,51 @@ = + Release Notes for Samba 4.0.4 + March 19, 2013 + = + + +This is a security release in order to address CVE-2013-1863 +(World-writeable files may be created in additional shares on a +Samba 4.0 AD DC). + +o CVE-2013-1863: + Administrators of the Samba 4.0 Active Directory Domain + Controller might unexpectedly find files created world-writeable + if additional CIFS file shares are created on the AD DC. + Samba versions 4.0.0rc6 - 4.0.3 (inclusive) are affected by this + defect. + + +Changes since 4.0.3: + + +o Andrew Bartlett abart...@samba.org +* BUG 9709: CVE-2013-1863: Remove forced set of 'create mask' to 0777. + + +## +Reporting bugs Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 3.6 product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +== + +Release notes for older releases follow: + + + = Release Notes for Samba 4.0.3 February 05, 2013 = @@ -172,8 +219,9 @@ database (https://bugzilla.samba.org/). == The Samba Team == -Release notes for older releases follow: - + +-- + = Release Notes for Samba 4.0.2 diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 6c63413..70304fe 100755 --- a/selftest/target/Samba3.pm +++
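Review bot: In the added 4.0.4 section of WHATSNEW.txt, the bug-reporting paragraph says reports "should be filed under the Samba 3.6 product", which looks carried over from the 3.6 notes; for a 4.0 release it should name the product for the 4.0 series. The visible section also describes CVE-2013-1863 without the post-upgrade step of correcting permissions on files that were already created world-writeable, so a pointer to that step from the advisory would help administrators who read only the release notes.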
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via f7564ca s3:registry accept windows like long hivenames via 4490e72 s3:include bump profile memory area version number from 05a7a10 wkssvc: Fix bug 9727, NULL pointer dereference http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit f7564cae4cdd1e2629404c5a1229978451584257 Author: Gregor Beck gb...@sernet.de Date: Wed Mar 20 13:00:26 2013 +0100 s3:registry accept windows like long hivenames Signed-off-by: Gregor Beck gb...@sernet.de Reviewed-by: Christian Ambach a...@samba.org Autobuild-User(master): Christian Ambach a...@samba.org Autobuild-Date(master): Wed Mar 20 17:08:52 CET 2013 on sn-devel-104 commit 4490e72426bc55a5680df84fce344aa509219219 Author: Christian Ambach a...@samba.org Date: Thu Mar 14 23:19:25 2013 +0100 s3:include bump profile memory area version number forgot to bump this earlier when removing the counters for setdir Signed-off-by: Christian Ambach a...@samba.org Reviewed-by: Volker Lendecke v...@samba.org --- Summary of changes: source3/include/smbprofile.h |2 +- source3/registry/reg_api.c | 12 +--- 2 files changed, 10 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/include/smbprofile.h b/source3/include/smbprofile.h index 9bcee42..69df2ca 100644 --- a/source3/include/smbprofile.h +++ b/source3/include/smbprofile.h @@ -26,7 +26,7 @@ #define PROF_SHMEM_KEY ((key_t)0x07021999) #define PROF_SHM_MAGIC 0x6349985 -#define PROF_SHM_VERSION 12 +#define PROF_SHM_VERSION 13 /* time values in the following structure are in microseconds */ diff --git a/source3/registry/reg_api.c b/source3/registry/reg_api.c index c263174..ca990e2 100644 --- a/source3/registry/reg_api.c +++ b/source3/registry/reg_api.c @@ -70,6 +70,7 @@ #include reg_dispatcher.h #include reg_objects.h #include ../librpc/gen_ndr/ndr_security.h +#include reg_parse_internal.h #undef DBGC_CLASS #define DBGC_CLASS DBGC_REGISTRY 
@@ -232,12 +233,17 @@ WERROR reg_openhive(TALLOC_CTX *mem_ctx, const char *hive, const struct security_token *token, struct registry_key **pkey) { + const struct hive_info *hi; SMB_ASSERT(hive != NULL); - SMB_ASSERT(hive[0] != '\0'); SMB_ASSERT(strchr(hive, '\\') == NULL); - return regkey_open_onelevel(mem_ctx, NULL, hive, token, desired_access, - pkey); + hi = hive_info(hive); + if (hi == NULL) { + return WERR_BADFILE; + } + + return regkey_open_onelevel(mem_ctx, NULL, hi-short_name, token, + desired_access, pkey); } -- Samba Shared Repository
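Review bot: In reg_openhive(), an unrecognised hive name now returns WERR_BADFILE, but a name containing a backslash still trips SMB_ASSERT(strchr(hive, '\\') == NULL) and aborts; since the name is now validated through hive_info(), consider returning an error for that case as well instead of asserting on caller-supplied input. The removed SMB_ASSERT(hive[0] != '\0') also means an empty string is only rejected if hive_info() returns NULL for it, which is not visible in this diff, so a short comment or a test for the empty name would make that dependency explicit.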
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 599a699 s4:torture: let raw.read accept larger reads than 0x1 via c9066b0 s4:torture: raw.read fix large reads against windows via df618e3 s3:selftest: Add LARGE_READX test into our make test infrastructure. via d9afb2b s3:torture: Add new LARGE_READX test to investigate large SMBreadX behavior. via 5a05e68 s4:smb_server: fix large read_andx requests via fd88520 s3:smbd: Add functions calc_max_read_pdu()/calc_read_size() to work out the length we should return. via 21707de s3:smbd: Remove server_will_accept_large_read() and erroneous comment. via 36f6a8a s3:smbd: Fix off-by 4 error in wrap protection code in create_outbuf() via b80111a s3:smbd: add some const to req_is_in_chain() via be98c1c s3:smbd: remove silly (SMB_OFF_T_BITS == 64) checks via d24b8af s3:smbd: keep global_client_caps and max_send from the first successful session setup via 40c3db9 s3:libsmb: let cli_read_andx_create() accept any length via d46 libcli/smb: smb1cli_inbuf_parse_chain() and smb1cli_conn_dispatch_incoming() should use smb_len_tcp. 
via 53d348d libcli/smb: defer failing for missing NEGOTIATE_SECURITY_SIGNATURES_ENABLED via b041dc9 s3:libsmb: make use of SMB_CAP_LEGACY_CLIENT_MASK instead of SMB_CAP_CLIENT_MASK via 3d7a4db libcli/smb: add SMB_CAP_LEGACY_CLIENT_MASK define from f7564ca s3:registry accept windows like long hivenames http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 599a699adec1f8f0a432d9c34f378d48930ca29b Author: Stefan Metzmacher me...@samba.org Date: Wed Mar 20 08:49:20 2013 +0100 s4:torture: let raw.read accept larger reads than 0x1 Signed-off-by: Stefan Metzmacher me...@samba.org Reviewed-by: Jeremy Allison j...@samba.org Autobuild-User(master): Jeremy Allison j...@samba.org Autobuild-Date(master): Wed Mar 20 21:53:20 CET 2013 on sn-devel-104 commit c9066b057a6aa3cc1960124c9f2519413a2b57da Author: Stefan Metzmacher me...@samba.org Date: Tue Mar 19 17:11:03 2013 +0100 s4:torture: raw.read fix large reads against windows Signed-off-by: Stefan Metzmacher me...@samba.org Reviewed-by: Jeremy Allison j...@samba.org commit df618e33ac011c018374af8da021c7b5f1cc1427 Author: Jeremy Allison j...@samba.org Date: Wed Mar 13 15:45:12 2013 -0700 s3:selftest: Add LARGE_READX test into our make test infrastructure. Tested against non-encrypted and encrypted connections. Signed-off-by: Jeremy Allison j...@samba.org Reviewed-by: Stefan Metzmacher me...@samba.org commit d9afb2b14df642de5d9225d10cc20cac7fd5133f Author: Jeremy Allison j...@samba.org Date: Wed Mar 13 15:43:21 2013 -0700 s3:torture: Add new LARGE_READX test to investigate large SMBreadX behavior. 
Signed-off-by: Jeremy Allison j...@samba.org Signed-off-by: Stefan Metzmacher me...@samba.org Reviewed-by: Stefan Metzmacher me...@samba.org commit 5a05e687ce724ea808cdb1e6627b9c67804eb879 Author: Stefan Metzmacher me...@samba.org Date: Mon Mar 18 19:50:38 2013 +0100 s4:smb_server: fix large read_andx requests Signed-off-by: Stefan Metzmacher me...@samba.org Reviewed-by: Jeremy Allison j...@samba.org commit fd88520497b4043e9d81656f7cb56a7b25245c2a Author: Jeremy Allison j...@samba.org Date: Fri Mar 15 11:57:48 2013 -0700 s3:smbd: Add functions calc_max_read_pdu()/calc_read_size() to work out the length we should return. LARGE_READX test shows it's always safe to return a short read. Windows does so. Do the calculations to return what will fit in a read depending on what the client negotiated. Signed-off-by: Jeremy Allison j...@samba.org Signed-off-by: Stefan Metzmacher me...@samba.org Reviewed-by: Stefan Metzmacher me...@samba.org commit 21707defe06e1db18a6645b0b56db4178e3df5f6 Author: Jeremy Allison j...@samba.org Date: Fri Mar 15 11:53:04 2013 -0700 s3:smbd: Remove server_will_accept_large_read() and erroneous comment. We're going to replace this with a function that calculates the max PDU to return on a read and supports short reads. Signed-off-by: Jeremy Allison j...@samba.org Reviewed-by: Stefan Metzmacher me...@samba.org commit 36f6a8abb2ad0c7d0551679cc61a29fa2dc16d80 Author: Jeremy Allison j...@samba.org Date: Mon Mar 18 15:05:24 2013 -0700 s3:smbd: Fix off-by 4 error in wrap protection code in create_outbuf() Subtract 4 from smb_size (39) here as the length of the SMB reply following the 4 byte type+length field can be up to 0xFF bytes. Signed-off-by: Jeremy Allison j...@samba.org Signed-off-by: Stefan Metzmacher me...@samba.org Reviewed-by: Stefan Metzmacher me...@samba.org commit b80111adb3a30ff386b3c45fcf962c417256bb59 Author: Stefan