Re: Patch: convenience feature for non-domain clients

2002-10-09 Thread Mike Gerdts

Perhaps a slight variant of this that would be useful would be something
along the lines of force domain = auth domain.  The difference is
that when your samba servers are part of a resource domain that is
different than your authentication domain, the authentication would
happen against your authentication domain, rather than the (machine
only) resource domain.

Mike

On Wed, 2002-10-09 at 11:00, Jon. Hallett wrote:
 Attached is a patch against SAMBA_2_2 that we find useful at our site for 
 integrating our domain-member Samba servers with our non-domain-member clients.
 
 The background to this is that our Samba servers use security = domain 
 authentication for user accounts, but not all our Windows clients are 
 members of the domain, with the result that the clients often want to map 
 shares using non-domain clientname\user style accounts.
 
 The patch implements an ignore client domain option which forces Samba to 
 use the server's own domain when authenticating users, ignoring the domain 
 part of the username provided by the client.
 
 This is particularly useful for sites converting from security = server 
 to security  = domain who don't want to go around their clients adding 
 domain parts to all the usernames with which they map shares.
 
 Hope this is of use to someone else,
 
 Jon.





Re: How prevent many logins

2002-10-04 Thread Mike Gerdts

On Thu, 2002-10-03 at 08:15, Marcus Grando wrote:

 But I don't use pam.
 
 Any other method?

It may be tough to do with PAM as well because each time the user
authenticates to a share the PAM module would increment the number of
connections.  How many connections should be allowed?  1 for IPC?  1 for
the home directory?  How about one for a printer?

You could probably use a VFS module instead.  You would need to write
it.  The way that I would do it is something along the lines of:

grab examples/VFS/skel.c

get rid of all the functions except skel_connect.  Be sure to update
vfs_init() and skel_ops appropriately.

Replace all occurrences of skel_ with oneclient_

In oneclient_connect() (the function that used to be skel_connect()) add
code that traverses the connections TDB looking for this user connected
from a different machine.  If the user is on from another machine,
verify that the connection is still good (kill(pid,0) should work).  If there
is a tdb entry for the user on another machine and that smbd is really still
alive, call default_vfs_ops.disconnect().

File a bug report on the problems that come up because you are calling
disconnect() from connect().  I don't know that this will cause problems
but I would expect that it could be asking for trouble.  Then again,
maybe that execution path has already been tested by something else.

Mike
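The scan that the proposed oneclient_connect() would make over the connections TDB, as an added example that is not part of Mike's post or of Samba: the table is a constructed in-memory stand-in for connections.tdb, the liveness test is passed in as a function so the policy can be exercised without real smbd processes (smbd_alive() is the kill(pid,0) version, stub_alive() the stand-in), and the names oneclient_allow(), find_other_session() and SAMPLE_TABLE are this example's own.

```c
/* Added example, not Samba code: "one client per user" policy check over a
 * constructed connection table.  _XOPEN_SOURCE exposes kill()/getpid(). */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

struct conn_entry {
    const char *user;
    const char *machine;
    pid_t pid;              /* smbd serving that connection */
};

typedef int (*alive_fn)(pid_t);

/* kill(pid, 0) delivers no signal.  Success means the process exists; EPERM
 * also means it exists (we just may not signal it); ESRCH means the record
 * in the TDB is stale. */
int smbd_alive(pid_t pid)
{
    return kill(pid, 0) == 0 || errno == EPERM;
}

/* Index of a live connection by user from some *other* machine, or -1.
 * Entries whose smbd has died are leftover TDB records and are skipped
 * rather than counted against the user. */
int find_other_session(const struct conn_entry *tbl, size_t n,
                       const char *user, const char *machine, alive_fn alive)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(tbl[i].user, user) != 0)
            continue;               /* someone else's connection */
        if (strcmp(tbl[i].machine, machine) == 0)
            continue;               /* IPC$, homes, printers from the same box are fine */
        if (!alive(tbl[i].pid))
            continue;               /* stale entry: its smbd is gone */
        return (int)i;
    }
    return -1;
}

/* Decision for a new connect: 1 = allow, 0 = refuse (the module would then
 * call default_vfs_ops.disconnect() on the connection being set up). */
int oneclient_allow(const struct conn_entry *tbl, size_t n,
                    const char *user, const char *machine, alive_fn alive)
{
    return find_other_session(tbl, n, user, machine, alive) < 0;
}

/* Constructed sample table: alice has two shares open from ws1, bob's smbd
 * (pid 4242) is treated as dead by stub_alive(). */
const struct conn_entry SAMPLE_TABLE[] = {
    { "alice", "ws1", 1001 },
    { "alice", "ws1", 1002 },
    { "bob",   "ws7", 4242 },
};
const size_t SAMPLE_N = sizeof(SAMPLE_TABLE) / sizeof(SAMPLE_TABLE[0]);

/* Stand-in for smbd_alive() so the sample runs without real processes. */
int stub_alive(pid_t pid)
{
    return pid != 4242;
}

int main(void)
{
    const char *tries[][2] = { {"alice", "ws1"}, {"alice", "ws2"}, {"bob", "ws9"} };

    for (size_t i = 0; i < 3; i++)
        printf("%s from %s: %s\n", tries[i][0], tries[i][1],
               oneclient_allow(SAMPLE_TABLE, SAMPLE_N, tries[i][0], tries[i][1],
                               stub_alive)
                   ? "allow" : "refuse (already connected elsewhere)");
    return 0;
}
```

The same-machine exception is what keeps the IPC$, home-directory and printer connections from one workstation from tripping the rule; the liveness check is what keeps a crashed smbd's leftover TDB record from locking a user out.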





[PATCH] core dumps on crash

2002-08-21 Thread Mike Gerdts
 rlp;
-		getrlimit( RLIMIT_CORE, rlp );
-		rlp.rlim_cur = MAX( 4*1024*1024, rlp.rlim_cur );
-		setrlimit( RLIMIT_CORE, rlp );
-		getrlimit( RLIMIT_CORE, rlp );
-		DEBUG( 3, ( Core limits now %d %d\n, (int)rlp.rlim_cur, (int)rlp.rlim_max ) );
-	}
-#endif
-#endif
- 
-	DEBUG(0,(Dumping core in %s\n,dname));
-	abort();
-	return( True );
-} /* dump_core */
-#endif
-
 / **
  Handle a fault..
   */
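Review bot: the start of this hunk, including its `Index:`/`@@` header and the opening of the removed `dump_core()` body, is missing from the message as archived, so the removal cannot be matched to a file or checked for balance against the three `#endif`s that remain in view; please resend the patch as an attachment or with the header intact. What is visible is the same `getrlimit`/`setrlimit`/`abort()` block that the smbd/server.c hunk below also deletes, consistent with consolidating two copies into the new lib/util.c `dump_core()`, so any caller in this file now needs the prototype of the global function.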
Index: smbd/server.c
===
RCS file: /cvsroot/samba/source/smbd/server.c,v
retrieving revision 1.305.2.44
diff -u -r1.305.2.44 server.c
--- smbd/server.c	11 Jun 2002 03:25:50 -	1.305.2.44
+++ smbd/server.c	21 Aug 2002 15:28:14 -
 -391,45 +391,6 
 	return(ret);
 }
 
-#if DUMP_CORE
-/***
- Prepare to dump a core file - carefully !
-/
-
-static BOOL dump_core(void)
-{
-	char *p;
-	pstring dname;
-	pstrcpy(dname,lp_logfile());
-	if ((p=strrchr(dname,'/'))) *p=0;
-	pstrcat(dname,/corefiles);
-	mkdir(dname,0700);
-	sys_chown(dname,getuid(),getgid());
-	chmod(dname,0700);
-	if (chdir(dname)) return(False);
-	umask(~(0700));
-
-#ifdef HAVE_GETRLIMIT
-#ifdef RLIMIT_CORE
-	{
-		struct rlimit rlp;
-		getrlimit(RLIMIT_CORE, rlp);
-		rlp.rlim_cur = MAX(4*1024*1024,rlp.rlim_cur);
-		setrlimit(RLIMIT_CORE, rlp);
-		getrlimit(RLIMIT_CORE, rlp);
-		DEBUG(3,(Core limits now %d %d\n,
-			 (int)rlp.rlim_cur,(int)rlp.rlim_max));
-	}
-#endif
-#endif
-
-
-	DEBUG(0,(Dumping core in %s\n,dname));
-	abort();
-	return(True);
-}
-#endif
-
 /
 update the current smbd process count
 /
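Review bot: this deletion changes behaviour for existing installs without a note. The removed smbd copy derived the dump location from `lp_logfile()` and created `corefiles` itself (`mkdir`, `sys_chown`, `chmod`), whereas the replacement in lib/util.c requires an administrator-provisioned `core dump directory`, so upgrading sites silently stop getting cores until they set the new parameter. Add a changelog and smb.conf(5) entry, and consider defaulting the new parameter to the old `<logdir>/corefiles` location so the upgrade is not a regression.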


Index: lib/util.c
===
RCS file: /cvsroot/samba/source/lib/util.c,v
retrieving revision 1.287.4.55
diff -u -r1.287.4.55 util.c
--- lib/util.c	18 Jul 2002 23:45:02 -	1.287.4.55
+++ lib/util.c	21 Aug 2002 15:28:13 -
 -1082,6 +1082,100 
 	return (gid_t)-1;
 }
 
+/ **
+ Prepare to dump a core file - carefully!
+ TODO: Some uses of this function assume that it will not just do an abort()
+   and that the return value is meaningful.  It is currently ill equipped
+   to deal with such assumptions because it modifies the umask, performs
+   a chdir, and in may cases will exit as the result of an abort().
+   All of these issues existed before I rewrote it. --Mike Gerdts
+  */
+BOOL dump_core(void)
+{
+#if DUMP_CORE
+	char *p;
+	struct stat sbuf;
+	pstring dname;
+	pstrcpy(dname, lp_coredumpdirectory());
+	if ( !(*dname) ) {
+		DEBUG(2,(Core dump skipped because \core dump directory\ not set\n));
+		return False;
+	}
+
+	umask(~(0700));
+
+	gain_root_privilege();
+
+	if (sys_lstat(dname,sbuf)) {
+		DEBUG(0,(Core dump skipped: lstat(%s): %s\n,
+	dname, strerror(errno)));
+		return False;
+	}
+
+	if ( !S_ISDIR(sbuf.st_mode) ) {
+		DEBUG(0,(Core dump skipped: %s is not a directory\n, dname));
+		return False;
+	}
+	
+	if ( sbuf.st_uid != 0) {
+		DEBUG(0,(Core dump skipped: %s not owned by root\n, dname));
+		return False;
+	}
+
+	if ( sbuf.st_mode  (S_IRWXG | S_IRWXO) ) {
+		DEBUG(0,(Core dump skipped: %s is readable or writable by someon other than root\n, dname));
+		return False;
+	}
+	/* TODO: check for ACL's */
+
+	if (chdir(dname)) {
+		DEBUG(0,(Core dump skipped: cannot chdir(%s): %s\n, 
+	dname, strerror(errno)));
+		return False;
+	}
+ 
+#if defined(HAVE_GETRLIMIT)  defined(RLIMIT_CORE)
+	{
+		struct rlimit rlp;
+		getrlimit( RLIMIT_CORE, rlp );
+		rlp.rlim_cur = MAX( 4*1024*1024, rlp.rlim_cur );
+		setrlimit( RLIMIT_CORE, rlp );
+		getrlimit( RLIMIT_CORE, rlp );
+		DEBUG( 3, ( Core limits now %d %d\n, 
+(int)rlp.rlim_cur, (int)rlp.rlim_max ) );
+	}
+#endif
+	
+	DEBUG(0,(Dumping core in %s\n,dname));
+#if defined(HAVE_SYS_PRCTL_H)  defined(PR_SET_DUMPABLE)
+	/* On Linux if euid or uid has changed during execution the process
+	 * will not coredump.  This tells the kernel to dump anyways. */
+	prctl(PR_SET_DUMPABLE,1,0,0,0);
+	abort();
+	return True;	/* Not reached */
+#endif /* HAVE_SYS_PRCTL_H  PR_SET_DUMPABLE */
+
+#ifdef HAVE_GCORE
+	{
+		pstring cmd;
+		snprintf(cmd, sizeof(pstring), %s %d, GCORECOMMAND, 
+(int)getpid());
+		cmd[sizeof(pstring) -1] = '\0';
+		return system(cmd);
+	}
+#endif /* HAVE_GCORE */
+
+	DEBUG(3,(No reliable core dump method found.\n));
+	abort();
+	return  False; 
+
+#else /* DUMP_CORE */
+	DEBUG(0,(Core dumps disabled on this platform\n));
+	return ( False );
+#endif /* DUMP_CORE
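Review bot: `return system(cmd);` in the `HAVE_GCORE` branch returns the shell's exit status where a `BOOL` is expected, so a gcore that succeeds (status 0) reads as `False` and a failing one as `True`; return `system(cmd) == 0` instead. The final `#endif /* DUMP_CORE` has no closing `*/` as archived, which is a compile error. Ordering: `umask(~(0700))` and `gain_root_privilege()` run before any of the lstat/ownership/mode checks, so every early `return False` leaves the caller with the changed umask and root privilege; move both after the `chdir()` succeeds, or restore them on the failure paths. `lp_coredumpdirectory()` is a new parameter whose loadparm definition and documentation are not in this patch. Typos in the strings: "someon" and "in may cases".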

RE: Prepending \ to user name w/Win98 Domain Login

2002-08-16 Thread Mike Gerdts

On Fri, 2002-08-16 at 11:21, Jeff Mandel wrote:
 2) The wacky thing here is that \user actually returns successful with NIS.
 jeff@host% getent passwd jeff
 jeff:x:6789:6789::/export/home/jeff:/bin/ksh
 jeff@host% getent passwd \jeff
 jeff:x:6789:6789::/export/home/jeff:/bin/ksh

Not quite right.  Your shell handled the \j and determined that it
should have just been j.  As such, the getent command really saw
jeff, not \jeff.  The proper test would have been

   jeff@host% getent passwd \\jeff

In this case your shell would have translated \\jeff into \jeff
before sending it as an argument to getent.

Mike




New VFS Module: linktrans

2002-08-13 Thread Mike Gerdts

I have written a new VFS module that translates symbolic links to MS DFS
links.  You can get it at
http://www.cae.wisc.edu/~gerdts/samba/vfs-linktrans.c

What does it really do?

When a symbolic link to a directory is encountered, a mapping of
UNIX Directories to share names is consulted.  If a match is found,
readlink() translates the standard UNIX symbolic link format into
the format normally expected by the DFS code.  This causes a
redirect to be sent to the SMB client.

The code is smart enough to recognize symbolic links that point to
someplace other than just the root of a share.  That is, if you have
a mapping 

/projects/d1    projserv\d1

A symbolic link to /projects/d1/someproject/somepart will redirect
the client to \\projserv\d1\someproject\somepart

Why?

Suppose you have an environment where users were encouraged to just
create symbolic links to get to areas that were not shared out via
Samba.  You are now not happy with the mess that exists because
people may be using the wrong server (samba ends up acting as a
CIFS - NFS gateway), permissions that you intend to force are not
being forced, or access restrictions that you intend to have in
place are being bypassed.

With this module you can transition from promiscuous use of symbolic
links to using the option follow symlinks = no relatively
painlessly.  Or at least that is the theory.

How?

Build samba as you normally would.  Be sure to use --with-msdfs as
one of your configure options.

Copy vfs-linktrans.c to samba-2.2.5/examples/VFS/linktrans.c

Edit samba-2.2.5/examples/VFS/Makefile.in.  Add linktrans.so to the
VFS_OBJS

In samba-2.2.5/examples/VFS, run ./configure, then make.

Copy linktrans.so to a lib directory somewhere.  Presumably
/usr/local/samba/linktrans.so would be a good choice.

Edit /usr/local/samba/lib/smb.conf.  Add host msdfs = yes to the
global section.  Add msdfs root = yes and vfs object =
/usr/local/lib/samba/linktrans.so to each share that you want to
try this out on.

Create the file /etc/linktrans.map (defined in the .c file) with
lines that perform the lowest level mapping.  For example, if all
symbolic links to /project/d1 should really go to \\projserv\d1, add
a line like /project/d1 projserv\d1.

Restart samba.

Reboot the Windows client that will connect to this share.

Does it really work?

As is said in the copyright notice at the top, there is no
warranty.  It has, however, worked for me in a test environment
using Solaris servers and a Windows 2000 client.  I have not yet
used it with multiple clients at once, nor have I put it on any
production servers.



Comments, suggestions for improvement, and patches are welcome.

Mike
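The mapping step the module performs inside readlink(), as an added stand-alone example that is not the linktrans code from the post: it parses the one-mapping-per-line format described above ("/project/d1 projserv\d1"), picks the longest entry that matches on a path-component boundary, and rewrites the rest of the link path into a DFS referral. The map text is constructed inline instead of being read from /etc/linktrans.map, the output uses Samba's `msdfs:server\share\...` symlink syntax (assumed here to be what the post calls "the format normally expected by the DFS code"), and the names lt_parse_map(), lt_translate() and lt_check() are this example's own.

```c
/* Added example, not the linktrans module: UNIX directory -> share mapping
 * for symbolic links, with longest-prefix matching on path boundaries. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define LT_MAX_ENTRIES 32
#define LT_PATH_LEN 512

struct lt_map { char dir[LT_PATH_LEN]; char share[LT_PATH_LEN]; };

/* Constructed stand-in for the contents of /etc/linktrans.map. */
static const char *SAMPLE_MAP =
    "# unix-directory   server\\share\n"
    "/project/d1 projserv\\d1\n"
    "/project/d10 projserv\\d10\n"
    "\n"
    "/home/research resserv\\research\n";

/* Parse map text into entries; blank lines and '#' comments are skipped.
 * Returns the number of entries stored. */
size_t lt_parse_map(const char *text, struct lt_map *out, size_t max)
{
    size_t n = 0;
    const char *line = text;

    while (*line != '\0' && n < max) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[LT_PATH_LEN * 2];

        if (len < sizeof(buf)) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            if (buf[0] != '#' &&
                sscanf(buf, "%511s %511s", out[n].dir, out[n].share) == 2)
                n++;
        }
        line = nl ? nl + 1 : line + len;
    }
    return n;
}

/* Translate a symlink target into "msdfs:server\share[\rest]" using the
 * longest map entry that matches on a path-component boundary.
 * Returns 1 on success, 0 if nothing matches or the result does not fit;
 * an unmatched link is then an ordinary symlink (refused under
 * "follow symlinks = no"), never a guessed referral. */
int lt_translate(const struct lt_map *map, size_t n, const char *target,
                 char *out, size_t outlen)
{
    const struct lt_map *best = NULL;
    size_t bestlen = 0, w;
    const char *rest;
    int written;

    for (size_t i = 0; i < n; i++) {
        size_t dl = strlen(map[i].dir);
        /* /project/d1 must not match /project/d10: next char is end or '/' */
        if (strncmp(target, map[i].dir, dl) == 0 &&
            (target[dl] == '\0' || target[dl] == '/') && dl > bestlen) {
            best = &map[i];
            bestlen = dl;
        }
    }
    if (best == NULL)
        return 0;

    written = snprintf(out, outlen, "msdfs:%s", best->share);
    if (written < 0 || (size_t)written >= outlen)
        return 0;
    w = (size_t)written;

    /* Append the remainder of the link path with '/' turned into DFS '\' */
    for (rest = target + bestlen; *rest != '\0'; rest++) {
        if (w + 1 >= outlen)
            return 0;
        out[w++] = (*rest == '/') ? '\\' : *rest;
    }
    out[w] = '\0';
    return 1;
}

/* Check helper over the constructed map: 1 when target translates to
 * expected; expected == NULL means "no mapping should apply". */
int lt_check(const char *target, const char *expected)
{
    struct lt_map map[LT_MAX_ENTRIES];
    size_t n = lt_parse_map(SAMPLE_MAP, map, LT_MAX_ENTRIES);
    char out[LT_PATH_LEN];
    int ok = lt_translate(map, n, target, out, sizeof(out));

    if (expected == NULL)
        return ok == 0;
    return ok == 1 && strcmp(out, expected) == 0;
}

int main(void)
{
    const char *links[] = { "/project/d1/someproject/somepart",
                            "/project/d10/reports", "/project/d100/x" };
    struct lt_map map[LT_MAX_ENTRIES];
    size_t n = lt_parse_map(SAMPLE_MAP, map, LT_MAX_ENTRIES);
    char out[LT_PATH_LEN];

    for (size_t i = 0; i < 3; i++)
        printf("%-36s -> %s\n", links[i],
               lt_translate(map, n, links[i], out, sizeof(out)) ? out : "(no mapping)");
    return 0;
}
```

The boundary test is the part that matters for the "permissions you intend to force" problem: a prefix match without it would send a link into /project/d100 to the d1 share, which is exactly the kind of wrong-server access the module is meant to eliminate.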





Re: Another showstopper in 2.2.5

2002-08-12 Thread Mike Gerdts

On Mon, 2002-08-12 at 10:54, David Collier-Brown wrote:
 Fredrik Ohrn wrote:
 
  OK, I'll try 30 instead of the default 300. But I don't expect it to help,
  in this case it seems that it's the smbd process that blows up, not the
  client.
   Ok, I was afraid of that!
 
   Blown SMBDs are Bad Things (:-))

I have run into this same problem from time to time with 2.2.2.  I was
hoping that the upgrade to 2.2.5 that I did yesterday would fix it...

On the surface, it appears as though a panic action program that does
lock scrubbing would be useful.  I envision a standalone program that
takes a filename and pid as an argument.  If it encounters a lock
belonging to the given pid, it removes the lock from the database.

Perhaps if the program is given only one argument (the lock file) it
traverses the tdb checking to see if each pid mentioned is alive.

What would this break?

Mike




Re: winbindd: Here's a replacement get_id_from_sid() that gets UNIX uid/gid from /home/dir

2002-08-02 Thread Mike Gerdts

On Fri, 2002-08-02 at 03:10, Ferguson, Ross wrote:
 
  rebuilding winbindd with the enclosed replacement function gets the UNIX
 uid/gid from the users home directory. If it fails in anyway, it returns
 (g/u)id of 'nobody'  This obviously allows specifically assigned uid's per
 user, allowing them to create files in their home directories while
 maintaining security. I'm running this with 2.2.5 on Solaris9.  Proof of
 concept only. Not ported / tested on any other platform.
 Enjoy
Ross

I really like the concept.  A quick look at the implementation shows a
problem, though.  The home directory should come from the template
homedir parameter.  Given the proof of concept nature of the code, such
a shortcut is quite acceptable.  Also, I don't think that putting this
into the core winbind code is necessarily the right place.  It and the
50 other concepts that people come up with will eventually lead to some
pretty significant bloat.

A while back I was working on a plug-in system for the idmap
functionality.  I have been sidetracked for a while on that project,
though.  I think that this concept would be an awesome plug-in.

See http://www.cae.wisc.edu/~gerdts/samba/ for my implementation so
far.  Andrew gave me a todo list that has yet to be todone.

http://lists.samba.org/pipermail/samba-technical/2002-May/036877.html

Mike





Re: Visual Studio 6 + Samba 2.2.5 misbehaves.

2002-08-01 Thread Mike Gerdts

This sounds like you have clocks out of sync.  Be sure that the time on
your workstation, the Samba server, and any NFS servers that Samba may
get shares from all have clocks that are in sync.  I highly suggest
using NTP between all servers.  Once you have NTP running on a unix
server, you can convince win2k clients to sync with that server using:

net time /setsntp:unixservername

Mike

On Thu, 2002-08-01 at 05:37, Fredrik Ohrn wrote:
 
 Hello!
 
 I just noticed 2 problems when using Visual Studio 6 to edit files located 
 on a Samba share.
 
 
 1. This file has been modified outside of the source editor.
 
 To reproduce: Create a C++ file and save it on the share. Type some text, 
 within a couple of seconds it will pop up a message box warning that the 
 file has changed on disk, do you want to reload it?
 
 When dismissed the message will appear again at semi random intervals, 
 saving the file again is also a sure way to trigger it.
 
 
 2. Windows XP pops up a balloon in the corner with Delayed Write Failed.
 
 Start a new project with its location on a samba share, create and add a 
 C++ file to the project. Edit and save the file a couple of times and XP 
 will pop up a warning balloon and log the following message to the EventLog:
 
 {Delayed Write Failed} Windows was unable to save all the data for the 
 file \Device\LanmanRedirector. The data has been lost. This error may be 
 caused by a failure of your computer hardware or network connection. 
 Please try to save this file elsewhere.
 
 The file in question is ProjectName.ncb, dunno what it is used for. 
 After the message has appeared the first time, it will pop up every time 
 you type text in the editor.
 
 
 Needless to say, this makes Visual Studio pretty much useless...
 
 What can I do to help debug this?
 
 
 Regards,
 Fredrik
 
 -- 
It is easy to be blinded to the essential uselessness of computers by
the sense of accomplishment you get from getting them to work at all.
- Douglas Adams
 
 Fredrik Öhrn   Chalmers University of Technology
 [EMAIL PROTECTED]  Sweden
 
 






Re: Build requirements

2002-07-22 Thread Mike Gerdts

On Mon, 2002-07-22 at 13:02, Max TenEyck Woodbury wrote:
 This is part of the 'do it at least once before you automate it' section of
 my larger build automation project. (That was described here some time ago,
 and it has morphed more than a little since I posted it, but you may be able
 to see how this fits in with a little imagination. The biggest change in that
 plan is that VMWare can be used instead of a bunch of removable disks and
 extra computers.)

For build/packaging for multiple distributions (or just a distribution
that you don't really like to use), you may want to take a look at user
mode linux.  It gives you a lot of what vmware does without the cost of
vmware.

Quick start, (.deb of uml is available too):

$ wget http://telia.dl.sourceforge.net/sourceforge/user-mode-linux/user_mode_linux-2.4.18.36um-0.i386.rpm
$ su
# rpm -Uvh user_mode_linux-2.4.18-36um-0.i386.rpm
# exit
$ wget http://telia.dl.sourceforge.net/sourceforge/user-mode-linux/root_fs.rh72.pristine.bz2
$ bunzip2 root_fs.rh72.pristine.bz2
$ chmod 400 root_fs.rh72.pristine
$ linux ubd0=root_fs_rw.rh72,root_fs.rh72.pristine \
eth0=tuntap,,fe:fd:0:0:0:1,192.168.0.1
...
login: root
password: root
# ifconfig -a
--- be sure that you have eth0 up if not:
# ifconfig eth0 192.168.0.2 netmask 255.255.0.0 broadcast 192.168.255.255 up
--- then
# route add default gw 192.168.0.1
# mkdir /usr/src/samba
--- this assumes that you have NAT enabled or nfsserver is
--- the machine that you are running uml on (use 192.168.0.1
--- in place of nfsserver)
# mount nfsserver:/export/samba /usr/src/samba
# cd /usr/src/samba/samba-2.2.25
# ./configure  ...


Presumably you could add an init script that makes it possible to
automatically mount the directory that has the samba source, then run
some magical build script that is on that share.  When it has finished
running the script, it halts the uml instance.  Your packages should be
on the nfs server.

With each day's build you could use a fresh root_fs_rw.rh72 so that you
are sure that you are building it based upon a clean distribution.

See http://sourceforge.net/projects/user-mode-linux/ for more details.

HTH,
Mike





Re: Winbindd Success :) [was Re: winbindd, (radio)active directory and other pains...]

2002-07-18 Thread Mike Gerdts

On Thu, 2002-07-18 at 02:03, Bogdan Iamandei wrote:

 1). I don't seem to be able to specify multiple ranges of ID's for
 winbindd. For example:
 
 winbind uid = 1000-2 25000-3
 
 Would this be possible in the future? :) Please? :)
 
 2). For some reason winbindd is reading the winbindd_cache.tdb and
 winbindd_idmap.tdb after a restart. All would be fine, but if I change
 the UID ranges, winbindd will still use the old range. The workaround
 is to remove those two TDBs and try again.

Are you proposing that if winbindd finds a UID in the cache that does
not fit in the range that a new UID from the range should be assigned? 
That wouldn't be too hard to implement, but I am not sure that it is
desirable.  The side effect would be that all the files and ACLs that
were created would maintain the old uids.  When the user gets a new uid,
files that they previously created or ACLs that they were added to would
not be accessible with the new uid.  

 3). (not really a nitpick - more like a small warning) Beware of nscd
 daemon on Solaris. It basically takes a little while until it kicks in
 for the first time.

A while back I reported a bug in winbindd that caused it to crash nscd. 
While debugging this problem, I found that winbindd was horribly slow
without the caching done by nscd.  After fixing the problem so that nscd
would stay alive, name lookups became MUCH faster because repeat lookups
were being answered by nscd rather than by winbindd.

I suspect that this slowness is because winbindd talking to PDC across
the WAN rather than the local PDC.  I never really looked into it. 
Since I didn't see other people complaining about slowness, I assumed
that it was something weird with our domain configuration.

 4). After a while (5-10 minutes) running samba, attempting to connect
 a share - takes a long - long time and in the end it fails with
 something like Error - 0. I'll have to test it some more - before giving
 some more details though.

I have seen that one too, but forget the exact circumstances.

Mike





RE: Proposed patch for DNS and name resolution related problems in appliance branch

2002-07-01 Thread Mike Gerdts

On Mon, 2002-07-01 at 04:37, Toomas Soome wrote:
 
 Please keep in mind that there is ns cache on some platforms already
 (solaris nscd etc), so this feature should be possible to be switched
 off.
 
 toomas 

nscd only comes into play when get*by*() routines (e.g. gethostbyname())
are used.  If you bypass the name service switch by calling res_*(),
nscd does not cache the info.  I think that it is safe to say that if
you link against libresolv, you will be bypassing nscd.

But... that begs the question, why not just use gethostbyname()?  This
way it will get resolved out of /etc/hosts, NIS, LDAP, DNS, etc., and
nscd will take care of it.  nscd exists on Solaris, Linux, and should be
available anywhere else that glibc works.

Mike





RE: Proposed patch for DNS and name resolution related problems in appliance branch

2002-07-01 Thread Mike Gerdts

On Mon, 2002-07-01 at 09:38, Mike Gerdts wrote:
 But... that begs the question, why not just use gethostbyname()?  This
 way it will get resolved out of /etc/hosts, NIS, LDAP, DNS, etc., and
 nscd will take care of it.  nscd exists on Solaris, Linux, and should be
 available anywhere else that glibc works.

Oh, yeah.. the problem was that DNS timeouts took too long.  It looks as
though this has already been addressed in /etc/resolv.conf:

 options  Allows certain internal resolver variables to be modified.  The
   syntax is
     options option ...
   where option is one of the following:

 [items removed]

   timeout:n
     sets the amount of time the resolver will wait for a
     response from a remote name server before retrying the
     query via a different name server.  Measured in seconds,
     the default is RES_TIMEOUT (see resolv.h).

   attempts:n
     sets the number of times the resolver will send a
     query to its name servers before giving up and returning
     an error to the calling application.  The default
     is RES_DFLRETRY (see resolv.h).

Mike





Re: AW: Winbind authentication of user accessing a share with encrypted password.

2002-06-27 Thread Mike Gerdts

I have not yet had the time to finish up the patch that is referred to
below.  If anyone else wants to move it forward, I would be more than
happy.  In addition to the patches at
http://www.cae.wisc.edu/~gerdts/samba/ I have a private CVS repository
that I would happily tar up and send to anyone that would put it up on a
public CVS server.

A todo list of sorts can be found at
http://lists.samba.org/pipermail/samba-technical/2002-May/036877.html

Mike

On Thu, 2002-06-27 at 08:31, [EMAIL PROTECTED] wrote:
 Hi,
 
 I have not installed samba until 2.2.5 now.
 
 But there is a bug in the winbindd code which has been fixed by Mike Gerdts,
 see attached e-mail.
 I assumed that this patch, which works for me on samba 2.2.4 solaris 2.6, has
 been added to the 2.2.5 release.
 
 Obviously not.
 
  Re: Samba, winbind, solaris and your patch 
 
 Could you please give me feedback if this works for you on 2.2.5 also.
 
 Best Regards
 
 Roman
 
  -Original Message-
  From: Allan Nielsen [SMTP:[EMAIL PROTECTED]]
  Sent: Thursday, 27 June 2002 09:53
  To: [EMAIL PROTECTED]
  Subject: Winbind authentication of user accessing a share with
  encrypted password.
  
  Hi
  
  In relation to your posted message I have exactly the same problem on
  samba
  2.2.5.
  Flags used are --with-winbind --with-winbind-auth-challenge
  --with-acl-support.
  After including  --with-winbind-auth-challenge it is possible to get
  authentication with encrypted passwords from wbinfo -a user%password but
  when accessing a share as this user he is mapped to nobody.
  
  Did you succeed in solving your problem?
  
  I have been using samba for 6-7 years now, starting with samba 1.9.18.
  
  I have 6 machines running samba v2.0.7 under linux and solaris
  I have upgraded one of the solaris machines to samba 2.2.3a including
  acl-support and winbind.
  
  I live in a win2k forest, so my domain has a trust relationship with an
  other win2k domain.
  My domain controllers are in mixed mode.
  
  In order to get winbindd and nsswitch up and running I had to adjust the
  Makefile as follows:
  
  nsswitch/libnss_winbind.so: $(WINBIND_NSS_PICOBJS)
  @echo Linking $@
  @$(SHLD) -h $@ -G -o $@ $(WINBIND_NSS_PICOBJS) $(LIBS)
  
  I added the $(LIBS) to the linker-line, without that I had errors when
  doing
  a 'ls -l' for a file which was owned by a DOMAIN+domuser account.
  
  Furthermore I had to copy the nsswitch/libnss_winbind.so as nss_winbind.so
  to /lib
  After configuring nsswitch.conf I can successfully do:
  
  wbinfo -u
  wbinfo -g
  getent passwd
  getent group
  
  From a NT4 or win2k-box I can modify acl on the samba-share as long as I
  use
  a useraccount which is not authenticated by winbind.
  
  when I use:
  wbinfo -a domain\\domuser%password (my winbind separator is '\')
  
  I'll get error:
  
  plaintext password authentication succeeded
  challenge/response password authentication failed
  Could not authenticate user domain\domuser%password with
  challenge/response
  
  Although encrypted passwords are enabled in smb.conf
  
  I can do a
  
  su - domain\\domuser%password
  
  on unix level
  
  When I do a smbclient //server/share -U domain\\domuser%password
  
  I'll get error:
  
  Domain=[DOMAIN] OS=[Unix] Server=[Samba 2.2.3a]
  tree connect failed: NT_STATUS_WRONG_PASSWORD
  
  I can not connect to that server using a winbind authenticated useraccount
  from neither NT4sp6 nor win2ksp2.
  
  In any case I can see in the winbindd-log that the daemon is enumerating
  SID's to GID's and UID's, but it states that the password are not
  encrypted.
  
  I was reading through the docs and mailings for the last two days, but I
  did
  not get the proper advice in how to get it up and running.
  
  Can anybody help?
  
  Best Regards
  
  Roman
  
  Kind regards / With kind Regards
  
  Allan Nielsen
  Advisory   IT-Specialist
  
  IBM Danmark A/S   -   Sortemosevej 21   -   3450 Allerød   -   Phone: 4523
  9595   -   Mobil: 23325107   -   Fax: 4523 6803   -   E-mail:
  [EMAIL PROTECTED]
  
 
 

 From: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Re: Samba, winbind, solaris and your patch
 Date: 13 May 2002 19:59:46 +0200
 
 On Mon, 2002-05-13 at 11:20, [EMAIL PROTECTED] wrote:
  Hello Mike,
  
  I was veerrryyy interested in your work when I first saw your posting
  concerning winbind and the related problems when running it on more than
 one
  machine.
 
 Glad to hear it.  I was beginning to think that I was the only one
 looking for this functionality.
  
  I therefore immediately downloaded your patch and enhancements to winbind
  and applied it to samba 2.2.4.
  
  But when starting winbindd I get error messages in the log.winbindd
 stating
  that the loader ld.so.1 can not find the symbol main in idmap_file.so.
 
 H... not sure about that.  Could you send me the version that you
 compiled so that I can compare it against the one that works for me? 
 Also

RE: FW: samba woes

2002-06-27 Thread Mike Gerdts

The automount map below could be simplified using the macros used by
automountd:

*   -fstype=smbfs,credentials=/etc/samba/&,uid=&

Whether you have 1 user or 100,000 users, all you should need is this
one line.  This is documented on Linux in autofs(5) and on Solaris in
automount(1M).

Mike

On Thu, 2002-06-27 at 10:55, Johnston, Christopher (DCSA) wrote:
 Yea I have tried using the automount.. the tough thing is.. we have a lot of users.. 
so maintaining an auto-map can be really tough.. 
 
...
 -Original Message-
 From: Urban Widmark [mailto:[EMAIL PROTECTED]] 
 Sent: Wednesday, June 26, 2002 4:47 PM
 To: '[EMAIL PROTECTED]'
 Cc: Johnston, Christopher (DCSA); Stieglitz, Eric J. (DCSA); 'Jim McDonough'; 
[EMAIL PROTECTED]; '[EMAIL PROTECTED]'
 Subject: Re: FW: samba woes
 

...

 
 You can give only a single user access to the mount. But it will be visible to 
others (inaccessible perhaps, but visible).
 
 An autofs map for /home looking like this could be a starting point:
 username1 -fstype=smbfs,credentials=/etc/samba/cred1,uid=username1 \
   ://server/share
 username2 -fstype=smbfs,credentials=/etc/samba/cred2,uid=username2 \
   ://server/share
 ...
 






Re: 2.2.5pre1: unlink design flaw

2002-06-13 Thread Mike Gerdts

On Wed, 2002-06-12 at 18:10, Simo Sorce wrote:
 And samba is not the only application that does this kind of operation;
 the proper fix would be to make the smbfs driver able to hide a file if it
 is unlinked but still open by some process, and then silently unlink it
 when the last process closes it.
 
 It just involves a per open file counter and some kind of magic on
 directory listing/file opening.

Under HP-UX 10.20 I ran into issues with automated software updates (via
package from AFS or rsync, I forget) in that files (executables) that
were in use could not be unlinked.  As a result the software would
rename the file with a .OLD extension.  I then would periodically do a
find through the file system to get rid of all .OLD files.  What a
waste of I/O bandwidth.

The solution that I did not find the time to implement was to create a
.OLD directory on each mounted file system.  All .OLD files could then
be moved by the update tool into mntpt/.OLD.  Then the cleanup process
would only have one directory per file system to look at.

A similar solution could be used here.  The equivalent of the .OLD
directory could be something that is not exported by samba.  If an
unlink() fails because of ETXTBUSY, rename() could be used to move it
out of the shared directory to a directory that is monitored by a
deleted file reaper.

Mike
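The "move it aside, reap it later" fallback described above, as an added example that is not Samba code or Mike's: an unlink() that fails because the file is a running executable (the errno name in `<errno.h>` is ETXTBSY) renames the file into a per-file-system reaper directory that is not exported, and a reaper pass later retries the unlink there, so no file-system-wide find is needed. The function names quarantine(), remove_or_quarantine(), reap_graveyard() and graveyard_demo(), the `.deleted.` prefix and the scratch tree under mkdtemp() are all this example's own construction.

```c
/* Added example, not Samba code: ETXTBSY fallback with a per-file-system
 * reaper directory.  _XOPEN_SOURCE exposes mkdtemp()/getpid()/PATH_MAX. */
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define REAPER_PREFIX ".deleted."

/* Rename path into graveyard under a unique name.  rename() cannot cross
 * mount points, so there has to be one graveyard per exported file system. */
int quarantine(const char *path, const char *graveyard)
{
    static unsigned seq;                 /* pid + seq: no clashes between smbds */
    char dest[PATH_MAX];
    const char *base = strrchr(path, '/');
    int n;

    base = base ? base + 1 : path;
    n = snprintf(dest, sizeof(dest), "%s/" REAPER_PREFIX "%ld.%u.%s",
                 graveyard, (long)getpid(), seq++, base);
    if (n < 0 || (size_t)n >= sizeof(dest)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return rename(path, dest);
}

/* Delete path; if the file is a running executable (ETXTBSY), hide it in
 * the graveyard instead.  Returns 0 on success, -1 with errno otherwise. */
int remove_or_quarantine(const char *path, const char *graveyard)
{
    if (unlink(path) == 0)
        return 0;
    if (errno != ETXTBSY)
        return -1;
    return quarantine(path, graveyard);
}

/* Reaper pass: retry the unlink on each quarantined file; anything still
 * busy waits for the next pass.  Returns files removed, -1 if no such dir. */
int reap_graveyard(const char *graveyard)
{
    DIR *d = opendir(graveyard);
    struct dirent *de;
    int removed = 0;

    if (d == NULL)
        return -1;
    while ((de = readdir(d)) != NULL) {
        char full[PATH_MAX];

        if (strncmp(de->d_name, REAPER_PREFIX, strlen(REAPER_PREFIX)) != 0)
            continue;                    /* leave anything we did not put here */
        if (snprintf(full, sizeof(full), "%s/%s", graveyard, de->d_name)
            >= (int)sizeof(full))
            continue;
        if (unlink(full) == 0)
            removed++;
    }
    closedir(d);
    return removed;
}

/* Self-check on a constructed scratch tree: quarantine a file directly
 * (standing in for an unlink() that failed with ETXTBSY), confirm it has
 * left the share, then reap it.  Returns 1 on success, 0 on any failure. */
int graveyard_demo(void)
{
    char root[] = "/tmp/reaperXXXXXX";
    char share[PATH_MAX], grave[PATH_MAX], file[PATH_MAX];
    int fd, ok, removed;

    if (mkdtemp(root) == NULL)
        return 0;
    snprintf(share, sizeof(share), "%s/share", root);
    snprintf(grave, sizeof(grave), "%s/.reaper", root);
    snprintf(file, sizeof(file), "%s/busy.exe", share);
    if (mkdir(share, 0700) != 0 || mkdir(grave, 0700) != 0)
        return 0;
    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return 0;
    close(fd);

    ok = quarantine(file, grave) == 0 && access(file, F_OK) != 0;
    removed = reap_graveyard(grave);
    rmdir(share);
    rmdir(grave);
    rmdir(root);
    return ok && removed == 1;
}

int main(void)
{
    printf("graveyard demo: %s\n", graveyard_demo() ? "ok" : "failed");
    return 0;
}
```

The reaper only touches names carrying its own prefix and only retries unlink(), so a file that is still busy stays put until a later pass; because the graveyard is not exported, the client sees the delete succeed immediately while the server's cleanup cost is one directory per file system rather than a find over everything.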





RE: 2.2.5pre1: unlink design flaw

2002-06-13 Thread Mike Gerdts

On Thu, 2002-06-13 at 12:26, Cole, Timothy D. wrote:
  -Original Message-
  From: Mike Gerdts [mailto:[EMAIL PROTECTED]]
  A similar solution could be used here.  The equivalent of the .OLD
  directory could be something that is not exported by samba.  If an
  unlink() fails because of ETXTBUSY, rename() could be used to move it
  out of the shared directory to a directory that is monitored by a
  deleted file reaper.
 
 The way NFS deals with this is typically for the server to rename unlinked
 but open files to .nfs.somethingorother.

But it too relies upon a find through the file system to clean up any
droppings that are left.  From Solaris 9's standard root crontab:

15 3 * * 0 /usr/lib/fs/nfs/nfsfind

Since *nothing* is ever happening on a system at 3:15 in the morning
this seems like a completely reasonable thing to do.  Except for the
fact that your samba file system cleaner is running, your netscape cache
cleaner, the thing that goes around and fixes world writable
directories, and backups.  Now why is it that my full backups on Sunday
morning are not completing on time?  (Sorry... just had a flashback to
when my big file servers were Sparc 20's with 16 5400 RPM 5 1/4 9 gig
drives, software RAID, 1 50 MHz processor, and 64 meg of RAM.)

If I were writing NFS server code, I would make it do the same thing
that I suggested for Samba.  Actually, if I was running a Linux NFS
server and was seeing performance problems that were aggravated by
nfsfind, I would strongly consider implementing the change myself.

Mike






Re: [PATCH] winbind id assignment module

2002-05-20 Thread Mike Gerdts

On Sat, 2002-05-18 at 20:54, Andrew Bartlett wrote:
  The patch and a sample module are attached.  The tarball also includes a
  readme, changelog, and a Makefile.
 
 This looks *much* better.
 
 I'm not sure on the 'reload' functionality, but I suppose its a good
 idea.  Other than minor things like indenting,   (Try 8-space tabs) I
 think this is well on its way to inclusion.

A new rev of the patch is out.  Here is the changelog for this release.

winbindd:   Fixed up formatting to get rid of 4-space tabs that existed
before.  Builds off of today's SAMBA_2_2 branch.
winbindd:   If idmap object is defined but fails to load, it no longer
reverts to sequential assignment

The patch, a sample module, changelog, and a readme are available at
http://www.cae.wisc.edu/~gerdts/samba/idmap_file-0.0.4.tar.gz

Enjoy!
Mike



Index: source/nsswitch/winbindd.c
===
RCS file: /cvsroot/samba/source/nsswitch/winbindd.c,v
retrieving revision 1.3.2.29
diff -u -r1.3.2.29 winbindd.c
--- source/nsswitch/winbindd.c	8 May 2002 23:33:31 -	1.3.2.29
+++ source/nsswitch/winbindd.c	20 May 2002 17:23:17 -
 -66,6 +66,7 
 	}
 
 	load_interfaces();
+	load_idmap();
 
 	return(ret);
 }
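Review bot: the return value of load_idmap() is discarded here, so a configured module that fails to open leaves winbindd running with idmap_ops == NULL and every subsequent allocate_id() failing one request at a time; load_idmap() already returns False in exactly that case, so check it and let the failure show in this function's own return value (e.g. `if (!load_idmap()) ret = False;`) so a bad `winbind idmap object` setting is caught at startup rather than at first mapping. Also, no prototype for load_idmap() is added in the winbindd.h hunk, so this call depends on the generated proto header picking it up.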
Index: source/nsswitch/winbindd.h
===
RCS file: /cvsroot/samba/source/nsswitch/winbindd.h,v
retrieving revision 1.3.4.8
diff -u -r1.3.4.8 winbindd.h
--- source/nsswitch/winbindd.h	10 Apr 2002 00:40:10 -	1.3.4.8
+++ source/nsswitch/winbindd.h	20 May 2002 17:23:17 -
 -203,4 +203,15 
 #define SETENV(name, value, overwrite) ;
 #endif
 
+/* Required for the winbindd UID/GID mapping plugin */
+
+#define WINBINDD_IDMAP_INTERFACE_VERSION 0
+extern struct winbind_idmap_ops *idmap_ops;
+
+/* Functions for winbind plug-ins */
+
+struct winbind_idmap_ops {
+	BOOL (*allocate_id)(DOM_SID *sid, uid_t *id, BOOL isgroup);
+};
+
 #endif /* _WINBINDD_H */
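Review bot: struct winbind_idmap_ops has no unload or shutdown hook, only allocate_id, so when load_idmap() calls sys_dlclose() on the old handle during a reload the module gets no chance to close files or flush whatever state its idmap_init() set up; consider adding e.g. `void (*shutdown)(void);` and calling it (when non-NULL) before the handle is closed. A smaller point: allocate_id is declared with `uid_t *id` although the isgroup flag means it also hands back gids; a gid_t (or a plain unsigned) would be more honest even where the two types have the same width.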
Index: source/nsswitch/winbindd_idmap.c
===
RCS file: /cvsroot/samba/source/nsswitch/winbindd_idmap.c,v
retrieving revision 1.3.4.13
diff -u -r1.3.4.13 winbindd_idmap.c
--- source/nsswitch/winbindd_idmap.c	27 Apr 2002 03:04:08 -	1.3.4.13
+++ source/nsswitch/winbindd_idmap.c	20 May 2002 17:23:17 -
 -34,11 +34,91 
 
 static TDB_CONTEXT *idmap_tdb;
 
+struct winbind_idmap_ops *idmap_ops;	/* idmap plug-in */
+
+/* (Re)load the id allocation plugin */
+
+BOOL load_idmap(void) {
+	BOOL rv;
+	struct winbind_idmap_ops* (*idmap_init)(int *);
+	static void *idmap_object = NULL;
+	char *libfile;
+	int idmap_version;
+	
+	libfile = lp_winbind_idmap_object();
+
+	/* Disable any previously loaded idmap object */
+	if ( *libfile == '\0' ) {
+		DEBUG(5, (No winbindd idmap object defined\n));
+		rv = True;
+		goto bail;
+	}
+
+	/* if it was previously loaded, unload it before reloading */
+	/* TODO: determine if this is even a good thing to support */
+	if ( idmap_object != NULL ) {
+		sys_dlclose(idmap_object);
+	}
+
+	idmap_object = sys_dlopen(libfile, RTLD_NOW | RTLD_GLOBAL);
+	if ( idmap_object == NULL ) {
+		DEBUG(0, (Error opening '%s': %s\n, libfile, sys_dlerror()));
+		rv = False;
+		goto bail;
+	}
+
+	idmap_init = sys_dlsym(idmap_object, idmap_init);
+	if ( idmap_init == NULL ) {
+		DEBUG(0, (No idmap_init() symbol found in %s\n, libfile));
+		rv = False;
+		goto bail;
+	}
+
+	if ( (idmap_ops = idmap_init(idmap_version)) == NULL ) {
+		DEBUG(0, (idmap_init function from %s failed\n, libfile));
+		rv = False;
+		goto bail;
+	}
+
+	if ( idmap_version != WINBINDD_IDMAP_INTERFACE_VERSION ) {
+		DEBUG(0, (idmap_init returned wrong interface version info (was %d, should be %d)\n,
+	idmap_version, WINBINDD_IDMAP_INTERFACE_VERSION));
+		rv = False;
+		goto bail;
+	}
+
+	DEBUG(5, (Loaded winbind idmap object '%s'\n, libfile));
+	DEBUG(5, (idmap_ops-allocate_id is %sdefined\n,
+idmap_ops-allocate_id ?  : NOT ));
+	return True;
+
+bail:
+	if ( idmap_object ) {
+		sys_dlclose(idmap_object);
+		idmap_object = NULL;
+	}
+	idmap_ops = NULL;
+	return rv;
+}
+
 /* Allocate either a user or group id from the pool */
 
-static BOOL allocate_id(uid_t *id, BOOL isgroup)
+static BOOL allocate_id(DOM_SID *sid, uid_t *id, BOOL isgroup)
 {
 int hwm;
+	char *idmapfile;
+
+	if ( idmap_ops  idmap_ops-allocate_id ) {
+		DEBUG(4,(allocate_id using module '%s'\n, 
+	lp_winbind_idmap_object()));
+		return(idmap_ops-allocate_id(sid, id, isgroup));
+	}
+
+	if ( *(lp_winbind_idmap_object()) ) {
+		DEBUG(0,(allocate_id configured to use idmap module, but 
+module failed to load\n));
+		return(False);
+	}
 
 /* Get current high water mark */
 
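Review bot: the module path goes straight from `lp_winbind_idmap_object()` into `sys_dlopen(libfile, RTLD_NOW | RTLD_GLOBAL)` with no check on it, inside the root-privileged winbindd; a value without a '/' makes the dynamic loader search LD_LIBRARY_PATH and the default library directories, so the option should require an absolute path (reject anything not starting with '/') and the documentation for the new smb.conf parameter should say the file must be root-owned and not group or world writable. Also, a module whose idmap_init() succeeds but leaves allocate_id NULL is accepted by this function (the DEBUG(5) line at the end only reports it as NOT defined) and every later allocation then falls into the `module failed to load` error in allocate_id(); treating a NULL allocate_id as a load failure and going to bail here would surface the problem once, at load time.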
 -105,7 +185,7 
 
 /* Allocate a new id for this sid */
 
-if (id  allocate_id(id, isgroup)) {
+if (id  allocate_id(sid, id, isgroup)) {
 fstring keystr2;
 
 /* Store new id */
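Review bot: the id returned by the plugin is written into the tdb unconditionally by the `Store new id` code that follows, so the uniqueness guarantee that used to live in the high-water-mark logic has moved into the module without anything checking it; either verify here that the returned id is not already mapped to a different SID before storing it, or spell out in the header comment for struct winbind_idmap_ops that allocate_id must return an id unused by any other SID and what it should do when the SID already has one.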
Index: 

Re: [PATCH] winbind id assignment module

2002-05-18 Thread Mike Gerdts

On Sat, 2002-05-18 at 20:54, Andrew Bartlett wrote:
 This looks *much* better.
 
 I'm not sure on the 'reload' functionality, but I suppose it's a good
 idea.  Other than minor things like indenting (try 8-space tabs) I
 think this is well on its way to inclusion.

The reload functionality was initially intended to be only load().  My
initial look at the existing code suggested that it would get called
again after getting a HUP (I have to look into that though...).  To me
it looked as though it would be easiest just to make it be able to
handle a reload.  I think that it should work as it is, but I haven't
tested it.  The two things that I would want to test are 1) does it do
what you expect, and 2) does it free up all resources related to the
file such that someone debugging a module can count on a day of HUPs
rather than restarts and not end up with 50 copies still mapped.

As for spacing... I tried to follow the standard that I saw in the file
already.  I used 4 character tabs, but they should have expanded out
OK.  I thought that others were using 4 character tabs as well because
sections of winbindd_idmap.c have tabs expanded to four characters.  In
any case, the next version that goes out will get rid of any expanded
tabs and any necessary reformatting for prettiness will take place.

 I like the checking of the .so at loadparm time - its a nice touch.

Thanks!

Mike





Re: Samba 2.2.X, PAM and Kerberos5

2002-05-15 Thread Mike Gerdts

On Wed, 2002-05-15 at 10:23, Steve Langasek wrote:
 I'm not sure why the 'appdata_ptr == NULL' check is there, but I seem to
 remember that it's true that Solaris does not honor the appdata_ptr
 field.  If Samba now depends on sane handling of appdata_ptr, then it's
 likely that this won't work on Solaris.

As I was looking at implementing Kerberos, I found the Solaris pam_krb5
to be so bug-ridden that I had pretty much rejected it.

Bug 4464325 - su dumps core when pam_krb5 is enabled.  

Reported 5/29/2001, fixed on Solaris 8 with 109805-05 (2/21/2002)

Bug  - pam_krb5.so.1 dumps core in pam_sm_setcred

Reported 9/26/2001, fixed in Solaris 9 build 54, no fix for Solaris
8 as of 5/15/2002

Service order 62638039 - in.rshd dumps core after configuring Kerberos

Case was closed stating it was a documentation error.  I was never
told that this case was going to be closed.  I only found out it was
closed after the fact.  No fix or workaround was even suggested. 
Really nice to see that network facing services that must run as
root can be caused to core dump due to a documentation error.

Bug 4507496 - pam_krb5 is confused between pam_authenticate and
pam_setcred

Reported 10/12/2001, not fixed as of 5/15/2002

Note that none of these problems are fixed for Solaris 7 (SEAM 1.0).
Using pam_krb5 1.31 from Redhat 7.1 resolved every one of these issues.

And now to wander offtopic (and vent) a bit...

Sun's kerberos implementation has several other issues that made me
quite leery of using any parts of it.  I tried to work with Sun to
resolve these issues for Solaris 7 and 8, but they were unable to find
the time to work on Solaris 7 or 8 in favor of new development on 9.

If you are using a Sun kerberos implementation, be sure that you have an
empty /.k5login.  Else, [EMAIL PROTECTED] can
telnet/rsh/whatever to root on any other host without giving a password
and without the standard remote root login restrictions that one would
expect to be controlled by /etc/default/login.  See krb5_auth_rules(5)
from SEAM for details.  As a result of this unexpected behavior I
requested the following as part of a service call, but got no response.

 Could you please file two RFE's?

1) Update each Sun Enterprise Authentication Mechanism x.y.z
Guide  with the warning mentioned above.  There should also be a
mention of this difference in the SEAM Interoperability with MIT
section of SEAM x.y.z Installation and Release Notes.

2) Update telnetd(1M), rlogind(1M) and rshd(1M) to include the
warning and update the SEE ALSO section of each of the man pages to
refer to krb5_auth_rules(5).

Mike





Re: winbind UID, GID assignment

2002-05-14 Thread Mike Gerdts

On Mon, 2002-05-13 at 16:51, Andrew Bartlett wrote:
 The problem is that we may not be able to resolve the SID at this
 time.   We can't even assume that the DC is even contactable in some
 situtations, let alone that it is alive and responding to requests in a
 timely manner.

Does that mean that the only problem that you have with the approach
used is that it relies upon knowing the domain and user or group name? 
If so, would it make more sense to pass the sid to allocate_id() and the
plug-in would be responsible for allocating a uid/gid based upon that? 
Presumably in my idmap_files plug-in this would mean that the fields
would be sid:id.


Mike







Re: winbindd uid and gid range assumptions

2002-05-14 Thread Mike Gerdts

On Mon, 2002-05-13 at 18:42, Andrew Bartlett wrote:
 Moving over the socket is a very expensive operation, particularly
 compared to a simple if statement.  Also, where we know that a uid is
 local, we need to check with code that winbind isn't linked to - the
 passdb backend.

So in a situation where you have UIDs interspersed between NIS and
domain users, it may be cheaper to check to see if it is local first
followed by winbind.  At least this may be better in my situation, as
each of my NFS/Samba servers is already an NIS slave.  Even though a UID
lookup may have to talk to nscd and/or ypserv, it is still on the same
machine, thus avoiding network delays.

Perhaps this would be a place where the plug-in architecture could be
useful as well.  Checks could all be relegated to idmap_ops->islocal(). 
The default op could be to check the winbind id range.  Others that are
willing to or need to pay the price of a socket operation will have the
option of doing so.  Presumably islocal() would not just be a straight
BOOL operation.  I could imagine it replying True, False, LocalFirst, or
DomainFirst.

 But yes, we need to deal with things like getting the uid from the SFU
 LDAP schema, so this may well change in the future. 

Do you have any relative time frame or rough release number that you are
shooting for? 

Do you see a plug-in that merges the functionality of the existing idmap
to the architecture present in the VFS, or should I start barking up a
different tree?

Mike





Re: [SUCCESS] RE: Samba, winbind, solaris and your patch

2002-05-14 Thread Mike Gerdts

On Tue, 2002-05-14 at 11:30, [EMAIL PROTECTED] wrote:
 Hello Mike,
 
 in the end it works.
 
 I applied your patch to winbind, although it seemed to be applied while I
 compiled your idmap_files.so.
 compiled and installed nss_winbind.so
 restarted nscd
 restarted winbind
 

I guess I should have been more clear... the idmap_files tarball does
not contain the patch.  You have to apply that yourself.


Mike






Re: VFS Question: Is there more vfs_ops ...( difference betweenvfs.c/vfs-wrap.c )

2002-05-14 Thread Mike Gerdts

On Tue, 2002-05-14 at 11:28, [EMAIL PROTECTED] wrote:
 What's the difference between vfs.c and vfs-wrap.c ... the code doesn't have
 many comments.

vfs.c has all the handling for the VFS plugin mechanism, as well as
various utility functions.

vfs-wrap.c is the default module.  If no VFS module exists that
provides the functions defined in vfs-wrap.c, then vfs-wrap's functions
are called.

 
 Why would I put code into vfs-wrap.c ... wouldn't future upgrades go easier
 if it was a vfs modules?

non-bugfix changes that you make would most likely go into your own vfs
module.

 Or does that limit the cmds and functions you have?

For code in a VFS module to be called, it must either be one of the
defined functions in vfs_ops, or it must be called from one of those
functions.

 Can I get the workstation that made the connection?

Every vfs call has a connection_struct as its first argument.  A quick
look at include/smb.h reveals that one of the items in that struct is:

char client_address[18]; /* String version of client IP address. */

Mike
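As an added example (not Samba code and not from this thread), here is the kind of check a VFS connect hook could make on the client_address field just mentioned: an IPv4 allow list in CIDR form, with the tree connect refused when the address is outside it or does not parse. The connection_struct below is a stand-in carrying only that one field (the real one is in include/smb.h), example_connect mimics the shape of a 2.2 VFS connect op but is not wired to Samba, and the allow-list entries and client addresses are constructed for the example.

```c
/* Added example: CIDR allow-list check in the shape of a VFS connect hook.
 * Stand-in for Samba's connection_struct; only the field used here. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct connection_struct {
    char client_address[18];   /* String version of client IP address. */
};

struct cidr {                  /* hypothetical allow-list entry */
    uint32_t net;              /* network, host byte order, host bits cleared */
    unsigned prefix;           /* 0..32 */
};

static uint32_t prefix_mask(unsigned prefix)
{
    return prefix == 0 ? 0 : 0xffffffffu << (32 - prefix);   /* avoid shift by 32 */
}

/* Parse "a.b.c.d/n" (bare address means /32). 0 on success, -1 if malformed. */
static int parse_cidr(const char *spec, struct cidr *out)
{
    char buf[32], *slash, *end;
    struct in_addr a;
    unsigned long prefix = 32;

    if (strlen(spec) >= sizeof(buf)) return -1;
    strcpy(buf, spec);
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash = '\0';
        if (slash[1] == '\0') return -1;                 /* "10.0.0.0/" */
        prefix = strtoul(slash + 1, &end, 10);
        if (*end != '\0' || prefix > 32) return -1;      /* "/8x", "/33" */
    }
    if (inet_pton(AF_INET, buf, &a) != 1) return -1;
    out->prefix = (unsigned)prefix;
    out->net = ntohl(a.s_addr) & prefix_mask(out->prefix);
    return 0;
}

/* 1 if the client lies inside any allow entry, 0 if not, -1 if the
 * address string itself does not parse (the caller treats that as deny). */
static int client_allowed(const struct connection_struct *conn,
                          const struct cidr *allow, size_t n)
{
    struct in_addr a;
    uint32_t ip;
    size_t i;

    if (inet_pton(AF_INET, conn->client_address, &a) != 1) return -1;
    ip = ntohl(a.s_addr);
    for (i = 0; i < n; i++)
        if ((ip & prefix_mask(allow[i].prefix)) == allow[i].net) return 1;
    return 0;
}

/* Connect op: return 0 to accept the tree connect, -1 to refuse it.
 * The allow list is hard-coded for the example; a real module would
 * read it from smb.conf. */
int example_connect(struct connection_struct *conn, const char *service, const char *user)
{
    struct cidr allow[2];
    (void)service; (void)user;
    if (parse_cidr("10.0.0.0/8", &allow[0]) != 0 ||
        parse_cidr("192.168.1.25", &allow[1]) != 0)
        return -1;                                       /* bad config: fail closed */
    return client_allowed(conn, allow, 2) == 1 ? 0 : -1;
}

int main(void)
{
    /* constructed sample clients */
    const char *samples[] = { "10.20.30.40", "192.168.1.26", "garbage" };
    struct connection_struct conn;
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        strncpy(conn.client_address, samples[i], sizeof conn.client_address - 1);
        conn.client_address[sizeof conn.client_address - 1] = '\0';
        printf("%-16s %s\n", conn.client_address,
               example_connect(&conn, "share", "user") == 0 ? "allowed" : "refused");
    }
    return 0;
}
```

Two caveats a module author should keep in mind: the address is a network-layer identity, not an authenticated one, and Samba's own hosts allow parameter already does this filtering per share; a per-user connection limit of the kind asked about earlier in this archive would additionally need state shared across smbd processes, which a connect hook alone does not give you.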





Re: winbind UID, GID assignment

2002-05-13 Thread Mike Gerdts

On Mon, 2002-05-13 at 07:35, Andrew Bartlett wrote:
 The username and domain may not be known at the time a mapping is
 required.  Thats the easy bit - we might not even know if it is a uid or
 gid!

Have you taken a look at the patch that I created?  If not, please take
a look at http://www.cae.wisc.edu/~gerdts/samba/ and let me know if the
changes to nsswitch/winbindd_idmap.c address the issue of not knowing
whether the SID is a user or group (or other..) SID.

 There is more to this whole mess than meets the eye, but yes, we do need
 to allow an arbitrary SID->uid/gid, uid/gid->SID backend system.

Would you be open to following a structure like the VFS uses now?  The
existing functions could go into the default_idmap_ops structure and
plugins could replace any or all of those ops.  I am quite motivated to
provide a patch that does this.

Mike 





Re: [PATCH] winbind kills nscd on Solaris

2002-05-10 Thread Mike Gerdts

On Thu, 2002-05-09 at 22:58, Tim Potter wrote:
 On Fri, May 10, 2002 at 11:10:58AM +1000, Tim Potter wrote:
 
   Solaris has a couple extra fields in struct passwd.  Since getpwent(3c)
   says that pw_age and pw_comment are not used, it seems reasonable not to
   fill them in.  nscd may not use them, but assumes that they at least are
   pointers to allocated buffers.  Since they are are not pointers to
   allocated buffers, a SEGV occurs.
 
 OK I've checked in a patch to the HEAD branch.  Would you mind seeing if
 this correctly fixes the problem?  If so I'll merge it into the other
 branches.
 
 
 Tim.

One question about your implementation...


#if HAVE_PASSWD_PW_COMMENT
result->pw_comment = "";
#endif

#if HAVE_PASSWD_PW_AGE
result->pw_age = "";
#endif


Does "" get allocated statically, or on the stack?  If it gets allocated
on the stack, then garbage could replace it at some time in the future.

Mike






Re: [PATCH] winbind kills nscd on Solaris

2002-05-10 Thread Mike Gerdts

On Fri, 2002-05-10 at 09:13, Mike Gerdts wrote:
 Does "" get allocated statically, or on the stack?  If it gets allocated
 on the stack, then garbage could replace it at some time in the future.
 
 Mike

I just found a copy of K&R and answered the question for myself.  For
anyone else that cares, K&R A2.6 says that string literals have a
storage type of static.  According to A4.1,

Static objects may be local to a block or external to all blocks,
but in either case retain their values across exit from and reentry
to functions and blocks.


Mike
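As an added example (not the Samba nss_winbind code, nor Tim's patch), here is the general pattern the thread is circling around: an NSS-style filler that hands a passwd record back to a caller such as nscd, where every char pointer must point at memory that outlives the call. Variable-length strings go into the caller-supplied buffer with a length check (returning ERANGE when it does not fit, as getpwnam_r does), and the unused Solaris-only fields point at string literals, which have static storage duration and so stay valid. The passwd_entry struct is a stand-in for struct passwd with the Solaris fields included so the code builds on any platform; the sample user is constructed.

```c
/* Added example: bounds-checked filling of a passwd-like record using only
 * memory that stays valid after the call returns. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

struct passwd_entry {          /* stand-in for struct passwd, Solaris fields included */
    char *pw_name;
    char *pw_passwd;
    uid_t pw_uid;
    gid_t pw_gid;
    char *pw_age;              /* Solaris-only; unused but must be a valid pointer */
    char *pw_comment;          /* Solaris-only; same */
    char *pw_gecos;
    char *pw_dir;
    char *pw_shell;
};

/* Copy s (with its NUL) into the space described by *cur/*left and advance.
 * Returns the copy, or NULL if it does not fit. */
static char *buf_strcpy(const char *s, char **cur, size_t *left)
{
    size_t n = strlen(s) + 1;
    char *dst;
    if (n > *left) return NULL;
    dst = *cur;
    memcpy(dst, s, n);
    *cur += n;
    *left -= n;
    return dst;
}

/* Fill *result from the given fields using only caller memory.
 * Returns 0 on success, ERANGE if buf is too small (the caller may retry
 * with a bigger buffer, as with getpwnam_r). */
int fill_passwd(struct passwd_entry *result, const char *name, uid_t uid, gid_t gid,
                const char *gecos, const char *dir, const char *shell,
                char *buf, size_t buflen)
{
    char *cur = buf;
    size_t left = buflen;

    result->pw_uid = uid;
    result->pw_gid = gid;
    if ((result->pw_name   = buf_strcpy(name,  &cur, &left)) == NULL) return ERANGE;
    if ((result->pw_passwd = buf_strcpy("x",   &cur, &left)) == NULL) return ERANGE;
    if ((result->pw_gecos  = buf_strcpy(gecos, &cur, &left)) == NULL) return ERANGE;
    if ((result->pw_dir    = buf_strcpy(dir,   &cur, &left)) == NULL) return ERANGE;
    if ((result->pw_shell  = buf_strcpy(shell, &cur, &left)) == NULL) return ERANGE;
    /* String literals have static storage duration (K&R A2.6): valid for the
     * life of the process, and they cost no buffer space.  A local char[]
     * here would dangle as soon as this function returned. */
    result->pw_age = "";
    result->pw_comment = "";
    return 0;
}

/* True when every pointer member is non-NULL, which is what a consumer
 * such as nscd assumes before it starts copying fields. */
int passwd_entry_is_sane(const struct passwd_entry *pw)
{
    return pw->pw_name && pw->pw_passwd && pw->pw_age && pw->pw_comment &&
           pw->pw_gecos && pw->pw_dir && pw->pw_shell;
}

int main(void)
{
    struct passwd_entry pw;
    char buf[256];
    char small[8];
    int rc;

    /* constructed sample user of the DOMAIN+user form winbind hands out */
    rc = fill_passwd(&pw, "DOMAIN+jdoe", 10001, 10001, "Jane Doe",
                     "/home/jdoe", "/bin/sh", buf, sizeof buf);
    printf("rc=%d sane=%d name=%s comment=\"%s\"\n",
           rc, passwd_entry_is_sane(&pw), pw.pw_name, pw.pw_comment);
    rc = fill_passwd(&pw, "DOMAIN+jdoe", 10001, 10001, "Jane Doe",
                     "/home/jdoe", "/bin/sh", small, sizeof small);
    printf("rc=%d (%s)\n", rc, rc == ERANGE ? "ERANGE, buffer too small" : "ok");
    return 0;
}
```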