Re: Patch: convenience feature for non-domain clients
Perhaps a slight variant of this that would be useful would be something along the lines of force domain = auth domain. The difference is that when your samba servers are part of a resource domain that is different than your authentication domain, the authentication would happen against your authentication domain, rather than the (machine only) resource domain. Mike On Wed, 2002-10-09 at 11:00, Jon. Hallett wrote: Attached is a patch against SAMBA_2_2 that we find useful at our site for integrating our domain-member Samba servers with our non-domain-member clients. The background to this is that our Samba servers use security = domain authentication for user accounts, but not all our Windows clients are members of the domain, with the result that the clients often want to map shares using non-domain clientname\user style accounts. The patch implements an ignore client domain option which forces Samba to use the server's own domain when authenticating users, ignoring the domain part of the username provided by the client. This is particularly useful for sites converting from security = server to security = domain who don't want to go around their clients adding domain parts to all the usernames with which they map shares. Hope this is of use to someone else, Jon.
Re: How prevent many logins
On Thu, 2002-10-03 at 08:15, Marcus Grando wrote: But I don't use pam. Any other method?

It may be tough to do with PAM as well because each time the user authenticates to a share the PAM module would increment the number of connections. How many connections should be allowed? 1 for IPC? 1 for the home directory? How about one for a printer?

You could probably use a VFS module instead. You would need to write it. The way that I would do it is something along the lines of:

- grab examples/VFS/skel.c
- get rid of all the functions except skel_connect. Be sure to update vfs_init() and skel_ops appropriately.
- Replace all occurrences of skel_ with oneclient_
- In oneclient_connect() (the function that used to be skel_connect()) add code that traverses the connections TDB looking for this user connected from a different machine.
- If the user is on from another machine, verify that the connection is still good (kill(pid,0) should work).
- If the tdb entry for the user on another machine exists and that smbd is really still alive, call default_vfs_ops.disconnect().
- File a bug report on the problems that come up because you are calling disconnect() from connect(). I don't know that this will cause problems but I would expect that it could be asking for trouble. Then again, maybe that execution path has already been tested by something else.

Mike
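The liveness check in the sketch above, as an added example that is not part of the message or of Samba: a plain array stands in for Samba's connections TDB, the names struct conn_entry, smbd_alive, find_conflict and reaped_pid are this example's own, and the sample table is constructed. It shows the two things a oneclient_connect() hook has to get right: a stale record left by a crashed smbd must not lock the user out (kill(pid, 0) failing with ESRCH), and EPERM from kill() means the process exists and has to count as alive.

```c
/* Added example, not Samba code: the "is this user already on from another
 * machine, and is that smbd still alive?" check sketched for a oneclient VFS
 * module. A plain array stands in for the connections TDB; all names here
 * (struct conn_entry, smbd_alive, find_conflict, reaped_pid) are this
 * example's own. */
#include <errno.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct conn_entry {
    const char *user;
    const char *machine;
    pid_t pid;          /* smbd that serves this connection */
};

/* kill(pid, 0) sends nothing; it only reports whether pid exists.
 * ESRCH: that smbd is gone, so the record is stale. EPERM: a process with
 * that pid exists but we may not signal it (an smbd that dropped to the
 * user's uid); that is still "alive" and must not be mistaken for stale. */
int smbd_alive(pid_t pid)
{
    if (pid <= 0)
        return 0;       /* 0 and negatives address process groups, never a peer */
    if (kill(pid, 0) == 0)
        return 1;
    return errno == EPERM;
}

/* Index of a live connection for `user` from a machine other than
 * `machine`, or -1. Same-machine records are let through so IPC$, the home
 * share and a printer from one client do not count as three logins; dead
 * records are skipped so a crashed smbd does not lock the user out until
 * the TDB is cleaned. */
int find_conflict(const struct conn_entry *tab, size_t n,
                  const char *user, const char *machine)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(tab[i].user, user) != 0)
            continue;
        if (strcmp(tab[i].machine, machine) == 0)
            continue;
        if (!smbd_alive(tab[i].pid))
            continue;
        return (int)i;
    }
    return -1;
}

/* Produces a pid that is certainly dead (fork a child, let it exit, reap
 * it) so the stale-record path can be exercised without a real crash. */
pid_t reaped_pid(void)
{
    pid_t p = fork();
    if (p == 0)
        _exit(0);
    if (p > 0)
        waitpid(p, NULL, 0);
    return p;
}

/* Constructed connection table, as a oneclient_connect() hook would see it
 * after reading the connections TDB. Returns 1 if all three cases behave. */
int demo(void)
{
    struct conn_entry tab[] = {
        { "alice", "ws1", getpid() },       /* live: this process */
        { "bob",   "ws7", reaped_pid() },   /* stale: that smbd is gone */
    };
    size_t n = sizeof tab / sizeof tab[0];
    int new_client  = find_conflict(tab, n, "alice", "ws2");  /* 0: refuse */
    int same_client = find_conflict(tab, n, "alice", "ws1");  /* -1: allow */
    int stale_only  = find_conflict(tab, n, "bob",   "ws2");  /* -1: allow */
    return new_client == 0 && same_client == -1 && stale_only == -1;
}
```

A real module reads the records through Samba's connections TDB rather than an array, and pids are reused, so a very old record can point at an unrelated live process; if the record carries a start time, comparing it against the live process tightens the check. The disconnect-from-connect concern in the message is untouched by this: the example only decides, it does not tear anything down.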
[PATCH] core dumps on crash
rlp; - getrlimit( RLIMIT_CORE, rlp ); - rlp.rlim_cur = MAX( 4*1024*1024, rlp.rlim_cur ); - setrlimit( RLIMIT_CORE, rlp ); - getrlimit( RLIMIT_CORE, rlp ); - DEBUG( 3, ( Core limits now %d %d\n, (int)rlp.rlim_cur, (int)rlp.rlim_max ) ); - } -#endif -#endif - - DEBUG(0,(Dumping core in %s\n,dname)); - abort(); - return( True ); -} /* dump_core */ -#endif - / ** Handle a fault.. */ Index: smbd/server.c === RCS file: /cvsroot/samba/source/smbd/server.c,v retrieving revision 1.305.2.44 diff -u -r1.305.2.44 server.c --- smbd/server.c 11 Jun 2002 03:25:50 - 1.305.2.44 +++ smbd/server.c 21 Aug 2002 15:28:14 - -391,45 +391,6 return(ret); } -#if DUMP_CORE -/*** - Prepare to dump a core file - carefully ! -/ - -static BOOL dump_core(void) -{ - char *p; - pstring dname; - pstrcpy(dname,lp_logfile()); - if ((p=strrchr(dname,'/'))) *p=0; - pstrcat(dname,/corefiles); - mkdir(dname,0700); - sys_chown(dname,getuid(),getgid()); - chmod(dname,0700); - if (chdir(dname)) return(False); - umask(~(0700)); - -#ifdef HAVE_GETRLIMIT -#ifdef RLIMIT_CORE - { - struct rlimit rlp; - getrlimit(RLIMIT_CORE, rlp); - rlp.rlim_cur = MAX(4*1024*1024,rlp.rlim_cur); - setrlimit(RLIMIT_CORE, rlp); - getrlimit(RLIMIT_CORE, rlp); - DEBUG(3,(Core limits now %d %d\n, - (int)rlp.rlim_cur,(int)rlp.rlim_max)); - } -#endif -#endif - - - DEBUG(0,(Dumping core in %s\n,dname)); - abort(); - return(True); -} -#endif - / update the current smbd process count / Index: lib/util.c === RCS file: /cvsroot/samba/source/lib/util.c,v retrieving revision 1.287.4.55 diff -u -r1.287.4.55 util.c --- lib/util.c 18 Jul 2002 23:45:02 - 1.287.4.55 +++ lib/util.c 21 Aug 2002 15:28:13 - -1082,6 +1082,100 return (gid_t)-1; } +/ ** + Prepare to dump a core file - carefully! + TODO: Some uses of this function assume that it will not just do an abort() + and that the return value is meaningful. 
It is currently ill equipped + to deal with such assumptions because it modifies the umask, performs + a chdir, and in may cases will exit as the result of an abort(). + All of these issues existed before I rewrote it. --Mike Gerdts + */ +BOOL dump_core(void) +{ +#if DUMP_CORE + char *p; + struct stat sbuf; + pstring dname; + pstrcpy(dname, lp_coredumpdirectory()); + if ( !(*dname) ) { + DEBUG(2,(Core dump skipped because \core dump directory\ not set\n)); + return False; + } + + umask(~(0700)); + + gain_root_privilege(); + + if (sys_lstat(dname,sbuf)) { + DEBUG(0,(Core dump skipped: lstat(%s): %s\n, + dname, strerror(errno))); + return False; + } + + if ( !S_ISDIR(sbuf.st_mode) ) { + DEBUG(0,(Core dump skipped: %s is not a directory\n, dname)); + return False; + } + + if ( sbuf.st_uid != 0) { + DEBUG(0,(Core dump skipped: %s not owned by root\n, dname)); + return False; + } + + if ( sbuf.st_mode (S_IRWXG | S_IRWXO) ) { + DEBUG(0,(Core dump skipped: %s is readable or writable by someon other than root\n, dname)); + return False; + } + /* TODO: check for ACL's */ + + if (chdir(dname)) { + DEBUG(0,(Core dump skipped: cannot chdir(%s): %s\n, + dname, strerror(errno))); + return False; + } + +#if defined(HAVE_GETRLIMIT) defined(RLIMIT_CORE) + { + struct rlimit rlp; + getrlimit( RLIMIT_CORE, rlp ); + rlp.rlim_cur = MAX( 4*1024*1024, rlp.rlim_cur ); + setrlimit( RLIMIT_CORE, rlp ); + getrlimit( RLIMIT_CORE, rlp ); + DEBUG( 3, ( Core limits now %d %d\n, +(int)rlp.rlim_cur, (int)rlp.rlim_max ) ); + } +#endif + + DEBUG(0,(Dumping core in %s\n,dname)); +#if defined(HAVE_SYS_PRCTL_H) defined(PR_SET_DUMPABLE) + /* On Linux if euid or uid has changed during execution the process + * will not coredump. This tells the kernel to dump anyways. 
*/ + prctl(PR_SET_DUMPABLE,1,0,0,0); + abort(); + return True; /* Not reached */ +#endif /* HAVE_SYS_PRCTL_H PR_SET_DUMPABLE */ + +#ifdef HAVE_GCORE + { + pstring cmd; + snprintf(cmd, sizeof(pstring), %s %d, GCORECOMMAND, +(int)getpid()); + cmd[sizeof(pstring) -1] = '\0'; + return system(cmd); + } +#endif /* HAVE_GCORE */ + + DEBUG(3,(No reliable core dump method found.\n)); + abort(); + return False; + +#else /* DUMP_CORE */ + DEBUG(0,(Core dumps disabled on this platform\n)); + return ( False ); +#endif /* DUMP_CORE
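Review bot: the smbd/server.c hunk removes the mkdir()/sys_chown()/chmod() sequence that used to create the corefiles directory under the log directory, while the replacement in lib/util.c refuses to create anything and requires lp_coredumpdirectory() to name an existing root-owned 0700 directory, so an upgraded server logs "Core dump skipped" on every crash until the administrator creates that directory by hand; that behaviour change and the new smb.conf parameter belong in the patch description, and the loadparm hunk that defines lp_coredumpdirectory() is not part of the posted diff.

Review bot: in the lib/util.c hunk the HAVE_GCORE branch does `return system(cmd);`, which hands back the shell's exit status where callers expect a BOOL, so a failed gcore (non-zero) reads as True and a successful one (0) as False; return `system(cmd) == 0`, and since system() runs /bin/sh with the daemon's inherited environment after gain_root_privilege(), keep GCORECOMMAND an absolute path and consider resetting PATH and IFS first. Second, the ownership and mode checks are made on the result of sys_lstat(dname, ...) and only on the leaf directory, while the later `chdir(dname)` resolves the path a second time, so a user who controls a parent component can swap dname between the two calls; open the directory once, fstat() the descriptor and fchdir() to it instead. Third, `umask(~(0700))` is applied before every early `return False` and never restored, and gain_root_privilege() is likewise never undone on failure; the TODO concedes this, but it matters now that the function returns to callers that assume the process state is unchanged, so save and restore both around the failure paths. Minor: "someon" in the readable-or-writable message and "in may cases" in the header comment.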
RE: Prepending \ to user name w/Win98 Domain Login
On Fri, 2002-08-16 at 11:21, Jeff Mandel wrote: 2) The wacky thing here is that \user actually returns successful with NIS. jeff@host% getent passwd jeff jeff:x:6789:6789::/export/home/jeff:/bin/ksh jeff@host% getent passwd \jeff jeff:x:6789:6789::/export/home/jeff:/bin/ksh Not quite right. Your shell handled the \j and determined that it should have just been j. As such, the getent command really saw jeff, not \jeff. The proper test would have been jeff@host% getent passwd \\jeff In this case your shell would have translated \\jeff into \jeff before sending it as an argument to getent. Mike
New VFS Module: linktrans
I have written a new VFS module that translates symbolic links to MS DFS links. You can get it at http://www.cae.wisc.edu/~gerdts/samba/vfs-linktrans.c

What does it really do?

When a symbolic link to a directory is encountered, a mapping of UNIX directories to share names is consulted. If a match is found, readlink() translates the standard UNIX symbolic link format into the format normally expected by the DFS code. This causes a redirect to be sent to the SMB client. The code is smart enough to recognize symbolic links that point to someplace other than just the root of a share. That is, if you have a mapping

/projects/d1 projserv\d1

a symbolic link to /projects/d1/someproject/somepart will redirect the client to \\projserv\d1\someproject\somepart

Why?

Suppose you have an environment where users were encouraged to just create symbolic links to get to areas that were not shared out via Samba. You are now not happy with the mess that exists because people may be using the wrong server (samba ends up acting as a CIFS - NFS gateway), permissions that you intend to force are not being forced, or access restrictions that you intend to have in place are being bypassed. With this module you can transition from promiscuous use of symbolic links to using the option follow symlinks = no relatively painlessly. Or at least that is the theory.

How?

1. Build samba as you normally would. Be sure to use --with-msdfs as one of your configure options.
2. Copy vfs-linktrans.c to samba-2.2.5/examples/VFS/linktrans.c
3. Edit samba-2.2.5/examples/VFS/Makefile.in. Add linktrans.so to the VFS_OBJS
4. In samba-2.2.5/examples/VFS, run ./configure, then make.
5. Copy linktrans.so to a lib directory somewhere. Presumably /usr/local/samba/linktrans.so would be a good choice.
6. Edit /usr/local/samba/lib/smb.conf. Add host msdfs = yes to the global section. Add msdfs root = yes and vfs object = /usr/local/lib/samba/linktrans.so to each share that you want to try this out on.
7. Create the file /etc/linktrans.map (defined in the .c file) with lines that perform the lowest level mapping. For example, if all symbolic links to /project/d1 should really go to \\projserv\d1, add a line like /project/d1 projserv\d1.
8. Restart samba.
9. Reboot the Windows client that will connect to this share.

Does it really work?

As is said in the copyright notice at the top, there is no warranty. It has, however, worked for me in a test environment using Solaris servers and a Windows 2000 client. I have not yet used it with multiple clients at once, nor have I put it on any production servers. Comments, suggestions for improvement, and patches are welcome.

Mike
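The map lookup and path rewrite that the module description implies, as an added example that is not the linktrans module itself. The map line format "/unix/prefix server\share" and the redirect form "\\server\share\rest" come from the message; the function names, the fixed buffer sizes, the component-boundary rule and the sample map are this example's own. The point a practitioner wants settled is that the map is an allowlist: a link whose target is not under a mapped prefix, or that contains "..", is left alone (and with follow symlinks = no simply is not followed), and "/projects/d1" must not claim "/projects/d10".

```c
/* Added example, not the linktrans module. Map format "/unix/prefix
 * server\share" and the "\\server\share\rest" redirect come from the
 * message; names, buffer sizes and the boundary rule are this example's. */
#include <stdio.h>
#include <string.h>

struct link_map {
    char prefix[256];   /* absolute UNIX directory, no trailing slash */
    char target[256];   /* "server\share" */
};

/* Parse one "/unix/prefix server\share" map line. Blank lines, comments and
 * anything that is not an absolute directory without a trailing slash are
 * rejected (returns 0). */
int parse_map_line(const char *line, struct link_map *m)
{
    if (sscanf(line, "%255s %255s", m->prefix, m->target) != 2)
        return 0;
    size_t l = strlen(m->prefix);
    if (m->prefix[0] != '/' || l < 2 || m->prefix[l - 1] == '/')
        return 0;
    return 1;
}

/* Only redirect targets that cannot escape the mapped tree: absolute,
 * no ".." components, no empty components ("//"), no trailing slash. */
static int path_is_safe(const char *p)
{
    if (p[0] != '/')
        return 0;
    while (*p == '/') {
        const char *seg = p + 1;
        size_t len = strcspn(seg, "/");
        if (len == 0)
            return 0;                       /* "//" or trailing "/" */
        if (len == 2 && seg[0] == '.' && seg[1] == '.')
            return 0;
        p = seg + len;
    }
    return *p == '\0';
}

/* Longest matching prefix wins, and a prefix matches only on a path
 * component boundary. Writes "\\server\share\rest" into out; returns 0 when
 * no entry applies, the target is unsafe, or out is too small. */
int translate_link(const struct link_map *maps, size_t n,
                   const char *link_target, char *out, size_t outlen)
{
    const struct link_map *best = NULL;
    size_t bestlen = 0;

    if (!path_is_safe(link_target))
        return 0;
    for (size_t i = 0; i < n; i++) {
        size_t plen = strlen(maps[i].prefix);
        if (strncmp(link_target, maps[i].prefix, plen) != 0)
            continue;
        if (link_target[plen] != '\0' && link_target[plen] != '/')
            continue;                       /* "/projects/d1" vs "/projects/d10" */
        if (best == NULL || plen > bestlen) {
            best = &maps[i];
            bestlen = plen;
        }
    }
    if (best == NULL)
        return 0;

    int w = snprintf(out, outlen, "\\\\%s", best->target);
    if (w < 0 || (size_t)w >= outlen)
        return 0;
    for (const char *rest = link_target + bestlen; *rest; rest++) {
        if ((size_t)w + 1 >= outlen)
            return 0;
        out[w++] = (*rest == '/') ? '\\' : *rest;
    }
    out[w] = '\0';
    return 1;
}

/* Constructed map (what /etc/linktrans.map might hold) and a wrapper that
 * returns the redirect target, or "" when the link is left alone. */
const char *demo_translate(const char *link_target)
{
    static const char *lines[] = {
        "# comment lines are ignored",
        "/projects/d1 projserv\\d1",
        "/projects     archive\\projects",
    };
    struct link_map maps[3];
    size_t n = 0;
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        if (parse_map_line(lines[i], &maps[n]))
            n++;
    static char out[512];
    return translate_link(maps, n, link_target, out, sizeof out) ? out : "";
}
```

Longest-prefix matching is what lets a catch-all entry such as /projects coexist with a more specific /projects/d1 without the catch-all stealing the redirect.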
Re: Another showstopper in 2.2.5
On Mon, 2002-08-12 at 10:54, David Collier-Brown wrote: Fredrik Ohrn wrote: OK, I'll try 30 instead of the default 300. But I don't expect it to help, in this case it seems that it's the smbd process that blows up, not the client. Ok, I was afraid of that! Blown SMBDs are Bad Things (:-)) I have run into this same problem from time to time with 2.2.2. I was hoping that the upgrade to 2.2.5 that I did yesterday would fix it... On the surface, it appears as though a panic action program that does lock scrubbing would be useful. I envision a standalone program that takes a filename and pid as an argument. If it encounters a lock belonging to the given pid, it removes the lock from the database. Perhaps if the program is given only one argument (the lock file) it traverses the tdb checking to see if each pid mentioned is alive. What would this break? Mike
Re: winbindd: Here's a replacement get_id_from_sid() that gets UNIX uid/gid from /home/dir
On Fri, 2002-08-02 at 03:10, Ferguson, Ross wrote: rebuilding winbindd with the enclosed replacement function gets the UNIX uid/gid from the users home directory. If it fails in any way, it returns (g/u)id of 'nobody' This obviously allows specifically assigned uid's per user, allowing them to create files in their home directories while maintaining security. I'm running this with 2.2.5 on Solaris9 Proof of concept only. Not ported / tested on any other platform. Enjoy Ross I really like the concept. A quick look at the implementation shows a problem, though. The home directory should come from the template homedir parameter. Given the proof of concept nature of the code, such a shortcut is quite acceptable. Also, I don't think that putting this into the core winbind code is necessarily the right place. It and the 50 other concepts that people come up with will eventually lead to some pretty significant bloat. A while back I was working on a plug-in system for the idmap functionality. I have been sidetracked for a while on that project, though. I think that this concept would be an awesome plug-in. See http://www.cae.wisc.edu/~gerdts/samba/ for my implementation so far. Andrew gave me a todo list that has yet to be todone. http://lists.samba.org/pipermail/samba-technical/2002-May/036877.html Mike
Re: Visual Studio 6 + Samba 2.2.5 misbehaves.
This sounds like you have clocks out of sync. Be sure that the time on your workstation, the Samba server, and any NFS servers that Samba may get shares from all have clocks that are in sync. I highly suggest using NTP between all servers. Once you have NTP running on a unix server, you can convince win2k clients to sync with that server using: net time /setsntp:unixservername Mike On Thu, 2002-08-01 at 05:37, Fredrik Ohrn wrote: Hello! I just noticed 2 problems when using Visual Studio 6 to edit files located on a Samba share. 1. This file has been modified outside of the source editor. To reproduce: Create a C++ file and save it on the share. Type some text, within a couple of seconds it will pop up a message box warning that the file has changed on disk, do you want to reload it? When dismissed the message will appear again at semi random intervals, saving the file again is also a sure way to trigger it. 2. Windows XP pops up a balloon in the corner with Delayed Write Failed. Start a new project with its location on a samba share, create and add a C++ file to the project. Edit and save the file a couple of times and XP will pop up a warning balloon and log the following message to the EventLog: {Delayed Write Failed} Windows was unable to save all the data for the file \Device\LanmanRedirector. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere. The file in question is ProjectName.ncb, dunno what it is used for. After the message has appeared the first time, it will pop up every time you type text in the editor. Needless to say, this makes Visual Studio pretty much useless... What can I do to help debug this? Regards, Fredrik -- It is easy to be blinded to the essential uselessness of computers by the sense of accomplishment you get from getting them to work at all. - Douglas Adams Fredrik Öhrn Chalmers University of Technology [EMAIL PROTECTED] Sweden
Re: Build requirements
On Mon, 2002-07-22 at 13:02, Max TenEyck Woodbury wrote: This is part of the 'do it at least once before you automate it' section of my larger build automation project. (That was described here some time ago, and it has morphed more than a little since I posted it, but you may be able to see how this fits in with a little imagination. The biggest change in that plan is that VMWare can be used instead of a bunch of removable disks and extra computers.)

For build/packaging for multiple distributions (or just a distribution that you don't really like to use), you may want to take a look at user mode linux. It gives you a lot of what vmware does without the cost of vmware. Quick start, (.deb of uml is available too):

$ wget http://telia.dl.sourceforge.net/sourceforge/user-mode-linux/user_mode_linux-2.4.18.36um-0.i386.rpm
$ su
# rpm -Uvh user_mode_linux-2.4.18-36um-0.i386.rpm
# exit
$ wget http://telia.dl.sourceforge.net/sourceforge/user-mode-linux/root_fs.rh72.pristine.bz2
$ bunzip2 root_fs.rh72.pristine.bz2
$ chmod 400 root_fs.rh72.pristine
$ linux ubd0=root_fs_rw.rh72,root_fs.rh72.pristine \
    eth0=tuntap,,fe:fd:0:0:0:1,192.168.0.1
...
login: root
password: root
# ifconfig -a
--- be sure that you have eth0 up if not:
# ifconfig eth0 192.168.0.2 netmask 255.255.0.0 broadcast 192.168.255.255 up
--- then
# route add default gw 192.168.0.1
# mkdir /usr/src/samba
--- this assumes that you have NAT enabled or nfsserver is
--- the machine that you are running uml on (use 192.168.0.1
--- in place of nfsserver)
# mount nfsserver:/export/samba /usr/src/samba
# cd /usr/src/samba/samba-2.2.25
# ./configure
...

Presumably you could add an init script that makes it possible to automatically mount the directory that has the samba source, then run some magical build script that is on that share. When it has finished running the script, it halts the uml instance. Your packages should be on the nfs server.

With each day's build you could use a fresh root_fs_rw.rh72 so that you are sure that you are building it based upon a clean distribution. See http://sourceforge.net/projects/user-mode-linux/ for more details. HTH, Mike
Re: Winbindd Success :) [was Re: winbindd, (radio)active directoryand other pains...]
On Thu, 2002-07-18 at 02:03, Bogdan Iamandei wrote: 1). I don't seem to be able to specify multiple ranges of ID's for winbindd. For example: winbind uid = 1000-2 25000-3 Would this be possible in the future? :) Please? :) 2). For some reason winbindd is reading the winbindd_cache.tdb and winbindd_idmap.tdb after a restart. All would be fine, but if I change the UID ranges, winbindd will still use the old range. The workaround is to remove those two TDBs and try again. Are you proposing that if winbindd finds a UID in the cache that does not fit in the range that a new UID from the range should be assigned? That wouldn't be too hard to implement, but I am not sure that it is desirable. The side effect would be that all the files and ACLs that were created would maintain the old uids. When the user gets a new uid, files that they previously created or ACLs that they were added to would not be accessible with the new uid. 3). (not really a nitpick - more like a small warning) Beware of nscd daemon on Solaris. It basically takes a little while until it kicks in for the first time. A while back I reported a bug in winbindd that caused it to crash nscd. While debugging this problem, I found that winbindd was horribly slow without the caching done by nscd. After fixing the problem so that nscd would stay alive, name lookups became MUCH faster because repeat lookups were being answered by nscd rather than by winbindd. I suspect that this slowness is because winbindd was talking to a PDC across the WAN rather than the local PDC. I never really looked into it. Since I didn't see other people complaining about slowness, I assumed that it was something weird with our domain configuration. 4). After a while (5-10 minutes) running samba, attempting to connect a share - takes a long - long time and in the end it fails with something like Error - 0. I'll have to test it some more - before giving some more details though. I have seen that one too, but forget the exact circumstances. Mike
RE: Proposed patch for DNS and name resolution related problems in appliance branch
On Mon, 2002-07-01 at 04:37, Toomas Soome wrote: Please keep in mind that there is ns cache on some platforms already (solaris nscd etc), so this feature should be possible to be switched off. toomas nscd only comes into play when get*by*() routines (e.g. gethostbyname()) are used. If you bypass the name service switch by calling res_*(), nscd does not cache the info. I think that it is safe to say that if you link against libresolv, you will be bypassing nscd. But... that begs the question, why not just use gethostbyname()? This way it will get resolved out of /etc/hosts, NIS, LDAP, DNS, etc., and nscd will take care of it. nscd exists on Solaris, Linux, and should be available anywhere else that glibc works. Mike
RE: Proposed patch for DNS and name resolution related problems in appliance branch
On Mon, 2002-07-01 at 09:38, Mike Gerdts wrote: But... that begs the question, why not just use gethostbyname()? This way it will get resolved out of /etc/hosts, NIS, LDAP, DNS, etc., and nscd will take care of it. nscd exists on Solaris, Linux, and should be available anywhere else that glibc works.

Oh, yeah.. the problem was that DNS timeouts took too long. It looks as though this has already been addressed in /etc/resolv.conf:

options
    Allows certain internal resolver variables to be modified. The syntax is options option ... where option is one of the following:

    [items removed]

    timeout:n
        sets the amount of time the resolver will wait for a response from a remote name server before retrying the query via a different name server. Measured in seconds, the default is RES_TIMEOUT (see resolv.h).

    attempts:n
        sets the number of times the resolver will send a query to its name servers before giving up and returning an error to the calling application. The default is RES_DFLRETRY (see resolv.h).

Mike
Re: AW: Winbind authentication of user accessing a share with encrypted password.
I have not yet had the time to finish up the patch that is referred to below. If anyone else wants to move it forward, I would be more than happy. In addition to the patches at http://www.cae.wisc.edu/~gerdts/samba/ I have a private CVS repository that I would happily tar up and send to anyone that would put it up on a public CVS server. A todo list of sorts can be found at http://lists.samba.org/pipermail/samba-technical/2002-May/036877.html Mike On Thu, 2002-06-27 at 08:31, [EMAIL PROTECTED] wrote: Hi, I have not installed samba until 2.2.5 now. But there is a bug in the winbindd code which has been fixed by Mike Gerdts, see attached e-mail. I assumed that this patch, which works for me on samba 2.2.4 solaris 2.6, has been added to the 2.2.5 release. Obviously not. Re: Samba, winbind, solaris and your patch Could you please give me feedback if this works for you on 2.2.5 also. Best Regards Roman -Original Message- From: Allan Nielsen [SMTP:[EMAIL PROTECTED]] Sent: Thursday, 27 June 2002 09:53 To: [EMAIL PROTECTED] Subject: Winbind authentication of user accessing a share with encrypted password. Hi In relation to your posted message I have exactly the same problem on samba 2.2.5. Flags used are --with-winbind --with-winbind-auth-challenge --with-acl-support. After including --with-winbind-auth-challenge it is possible to get authentication with encrypted passwords from wbinfo -a user%password but when accessing a share as this user he is mapped to nobody. Did you succeed to solve your problem? I'm using samba now for 6-7 years starting with samba 1.9.18. I have 6 machines running samba v2.0.7 under linux and solaris I have upgraded one of the solaris machines to samba 2.2.3a including acl-support and winbind. I live in a win2k forest, so my domain has a trust relationship with an other win2k domain. My domain controllers are in mixed mode. 
In order to get winbindd and nsswitch up and running I had to adjust the Makefile as follows: nsswitch/libnss_winbind.so: $(WINBIND_NSS_PICOBJS) @echo Linking $@ @$(SHLD) -h $@ -G -o $@ $(WINBIND_NSS_PICOBJS) $(LIBS) I added the $(LIBS) to the linker-line, without that I had errors when doing a 'ls -l' for a file which was owned by a DOMAIN+domuser account. Furthermore I had to copy the nsswitch/libnss_winbind.so as nss_winbind.so to /lib After configuring nsswitch.conf I can successfully do: wbinfo -u wbinfo -g getent passwd getent group From a NT4 or win2k-box I can modify acl on the samba share as long as I use a user account which is not authenticated by winbind. when I use: wbinfo -a domain\\domuser%password (my winbind separator is '\') I'll get error: plaintext password authentication succeeded challenge/response password authentication failed Could not authenticate user domain\domuser%password with challenge/response Although encrypted passwords are enabled in smb.conf I can do a su - domain\\domuser%password on unix level When I do a smbclient //server/share -U domain\\domuser%password I'll get error: Domain=[DOMAIN] OS=[Unix] Server=[Samba 2.2.3a] tree connect failed: NT_STATUS_WRONG_PASSWORD I can not connect to that server using a winbind authenticated user account from neither NT4sp6 nor win2ksp2. In any case I can see in the winbindd-log that the daemon is enumerating SID's to GID's and UID's, but it states that the passwords are not encrypted. I was reading through the docs and mailings for the last two days, but I did not get the proper advice in how to get it up and running. 
Can anybody help Best Regards Roman Med venlig hilsen / With kind Regards Allan Nielsen Advisory IT-Specialist IBM Danmark A/S - Sortemosevej 21 - 3450 Allerød - Phone: 4523 9595 - Mobil: 23325107 - Fax: 4523 6803 - E-mail: [EMAIL PROTECTED] From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: Samba, winbind, solaris and your patch Date: 13 May 2002 19:59:46 +0200 On Mon, 2002-05-13 at 11:20, [EMAIL PROTECTED] wrote: Hello Mike, I was veerrryyy interested in your work when I first saw your posting concerning winbind and the related problems when running it on more than one machine. Glad to hear it. I was beginning to think that I was the only one looking for this functionality. I therefore immediately downloaded your patch and enhancements to winbind and applied it to samba 2.2.4. But when starting winbindd I get error messages in the log.winbindd stating that the loader ld.so.1 can not find the symbol main in idmap_file.so. H... not sure about that. Could you send me the version that you compiled so that I can compare it against the one that works for me? Also
RE: FW: samba woes
The automount map below could be simplified using the macros used by automountd:

* -fstype=smbfs,credentials=/etc/samba/,uid=

Whether you have 1 user or 100,000 users, all you should need is this one line. This is documented on Linux in autofs(5) and on Solaris in automount(1M). Mike On Thu, 2002-06-27 at 10:55, Johnston, Christopher (DCSA) wrote: Yea I have tried using the automount.. the tough thing is.. we have a lot of users.. so maintaining an auto-map can be really tough.. ... -Original Message- From: Urban Widmark [mailto:[EMAIL PROTECTED]] Sent: Wednesday, June 26, 2002 4:47 PM To: '[EMAIL PROTECTED]' Cc: Johnston, Christopher (DCSA); Stieglitz, Eric J. (DCSA); 'Jim McDonough'; [EMAIL PROTECTED]; '[EMAIL PROTECTED]' Subject: Re: FW: samba woes ... You can give only a single user access to the mount. But it will be visible to others (inaccessible perhaps, but visible). An autofs map for /home looking like this could be a starting point: username1 -fstype=smbfs,credentials=/etc/samba/cred1,uid=username1 \ ://server/share username2 -fstype=smbfs,credentials=/etc/samba/cred2,uid=username2 \ ://server/share ...
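The one-line wildcard map the message refers to, written out as an added example; it is not the poster's line (which the archive has mangled) and the server name, the map file name and the cred.<user> naming are assumptions. In an autofs wildcard entry the key `*` matches whatever directory name is looked up under the mount point and every `&` on the line is replaced by that name, so a lookup of /home/alice mounts //fileserver/alice as alice, with alice's credentials file:

```text
# /etc/auto.home  (added example; "fileserver" and the cred.<user> naming are assumptions)
# key   options                                                  location
*       -fstype=smbfs,credentials=/etc/samba/cred.&,uid=&        ://fileserver/&
```

Two things make this safe to hand to 100,000 users. First, the password never appears in the map: the map file is world-readable, while each credentials file (lines of the form username=... and password=...) is owned by root with mode 0600, so one user cannot read another's domain password. Second, ://fileserver/& relies on the server exporting a share named after the user, which is exactly what a Samba [homes] section does; if the shares are named differently, only the location field changes.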
Re: 2.2.5pre1: unlink design flaw
On Wed, 2002-06-12 at 18:10, Simo Sorce wrote: And samba is not the only application that does this kind of operation, the proper fix would be to make smbfs driver able to hide a file if it is unlinked but yet open by some process, and then silently unlink it when the last process closes it. It just involves a per open file counter and some kind of magic on directory listing/file opening. Under HP-UX 10.20 I ran into issues with automated software updates (via package from AFS or rsync, I forget) in that files (executables) that were in use could not be unlinked. As a result the software would rename the file with a .OLD extension. I then would periodically do a find through the file system to get rid of all .OLD files. What a waste of I/O bandwidth. The solution that I did not find the time to implement was to create a .OLD directory on each mounted file system. All .OLD files could then be moved by the update tool into mntpt/.OLD. Then the cleanup process would only have one directory per file system to look at. A similar solution could be used here. The equivalent of the .OLD directory could be something that is not exported by samba. If an unlink() fails because of ETXTBUSY, rename() could be used to move it out of the shared directory to a directory that is monitored by a deleted file reaper. Mike
RE: 2.2.5pre1: unlink design flaw
On Thu, 2002-06-13 at 12:26, Cole, Timothy D. wrote: -Original Message- From: Mike Gerdts [mailto:[EMAIL PROTECTED]] A similar solution could be used here. The equivalent of the .OLD directory could be something that is not exported by samba. If an unlink() fails because of ETXTBUSY, rename() could be used to move it out of the shared directory to a directory that is monitored by a deleted file reaper. The way NFS deals with this is typically for the server to rename unlinked but open files to .nfs.somethingorother. But it too relies upon a find through the file system to clean up any droppings that are left. From Solaris 9's standard root crontab: 15 3 * * 0 /usr/lib/fs/nfs/nfsfind Since *nothing* is ever happening on a system at 3:15 in the morning this seems like a completely reasonable thing to do. Except for the fact that your samba file system cleaner is running, your netscape cache cleaner, the thing that goes around and fixes world writable directories, and backups. Now why is it that my full backups on Sunday morning are not completing on time? (Sorry... just had a flashback to when my big file servers were Sparc 20's with 16 5400 RPM 5 1/4 9 gig drives, software RAID, 1 50 MHz processor, and 64 meg of RAM.) If I were writing NFS server code, I would make it do the same thing that I suggested for Samba. Actually, if I was running a Linux NFS server and was seeing performance problems that were aggravated by nfsfind, I would strongly consider implementing the change myself. Mike
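The park-and-reap scheme proposed in the two messages above (rename on ETXTBSY into a per-filesystem directory that Samba does not export, then a reaper that looks at that one directory instead of doing a find over the tree), as an added example that is not Samba code or the poster's. The ".deleted" directory name, the <basename>.<pid>.<serial> naming and the function names are this example's own; the demo directory under /tmp is constructed.

```c
/* Added example, not Samba code: unlink-or-park with a reaper, as proposed
 * in the thread. Names (park_file, unlink_or_park, reap_parked, ".deleted")
 * are this example's own. */
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Park `path` under `parkdir` as <basename>.<pid>.<serial> so two smbds
 * parking files of the same name cannot collide. rename() fails with EXDEV
 * across filesystems, which is why the thread wants one holding directory
 * per mounted filesystem rather than one for the whole server. */
int park_file(const char *path, const char *parkdir)
{
    static unsigned serial;
    const char *base = strrchr(path, '/');
    char dest[4096];
    int n;

    base = base ? base + 1 : path;
    n = snprintf(dest, sizeof dest, "%s/%s.%ld.%u",
                 parkdir, base, (long)getpid(), serial++);
    if (n < 0 || (size_t)n >= sizeof dest) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return rename(path, dest);
}

/* Drop-in for the server's unlink(): delete now if possible; if the file is
 * a busy executable (ETXTBSY, the HP-UX case in the thread) move it out of
 * the exported tree instead. Any other error is returned unchanged. */
int unlink_or_park(const char *path, const char *parkdir)
{
    if (unlink(path) == 0)
        return 0;
    if (errno != ETXTBSY)
        return -1;
    return park_file(path, parkdir);
}

/* The reaper: retry the unlink on everything in the holding directory and
 * leave whatever is still busy for the next run. Returns the number of files
 * removed, or -1 if parkdir cannot be read. One small directory per
 * filesystem replaces the find(1) over the whole tree that nfsfind and the
 * .OLD cleanup need. */
int reap_parked(const char *parkdir)
{
    DIR *d = opendir(parkdir);
    struct dirent *e;
    int removed = 0;

    if (!d)
        return -1;
    while ((e = readdir(d)) != NULL) {
        char p[4096];
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        if (snprintf(p, sizeof p, "%s/%s", parkdir, e->d_name) >= (int)sizeof p)
            continue;
        if (unlink(p) == 0)
            removed++;
        else if (errno != ETXTBSY)
            perror(p);          /* not "still busy": report and carry on */
    }
    closedir(d);
    return removed;
}

/* Self-contained run on a scratch directory: create a file in the "share",
 * park it, check it has left the share, reap it, and confirm a second reap
 * finds nothing. Returns 1 on success. */
int demo(void)
{
    char top[64], share[128], park[128], f[192];
    FILE *fp;
    int ok;

    snprintf(top, sizeof top, "/tmp/parkdemo.%ld", (long)getpid());
    snprintf(share, sizeof share, "%s/share", top);
    snprintf(park, sizeof park, "%s/.deleted", top);    /* not exported */
    snprintf(f, sizeof f, "%s/prog.exe", share);
    if (mkdir(top, 0700) || mkdir(share, 0700) || mkdir(park, 0700))
        return 0;
    if (!(fp = fopen(f, "w")))
        return 0;
    fputs("constructed sample file\n", fp);
    fclose(fp);

    ok = park_file(f, park) == 0 && access(f, F_OK) != 0 &&
         reap_parked(park) == 1 && reap_parked(park) == 0;
    rmdir(park); rmdir(share); rmdir(top);
    return ok;
}
```

The holding directory has to be created once per filesystem, owned by root and mode 0700, and must be left out of every share definition; a parked file is still readable through any share that happens to export its new location.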
Re: [PATCH] winbind id assignment module
On Sat, 2002-05-18 at 20:54, Andrew Bartlett wrote: The patch and a sample module are attached. The tarball also includes a readme, changelog, and a Makefile. This looks *much* better. I'm not sure on the 'reload' functionality, but I suppose its a good idea. Other than minor things like indenting, (Try 8-space tabs) I think this is well on its way to inclusion. A new rev of the patch is out. Here is the changelog for this release. winbindd: Fixed up formatting to get rid of 4-space tabs that existed before. Builds off of today's SAMBA_2_2 branch. winbindd: If idmap object is defined but fails to load, it no longer reverts to sequential assignment The patch, a sample module, changelog, and a readme are available at http://www.cae.wisc.edu/~gerdts/samba/idmap_file-0.0.4.tar.gz Enjoy! Mike Index: source/nsswitch/winbindd.c === RCS file: /cvsroot/samba/source/nsswitch/winbindd.c,v retrieving revision 1.3.2.29 diff -u -r1.3.2.29 winbindd.c --- source/nsswitch/winbindd.c 8 May 2002 23:33:31 - 1.3.2.29 +++ source/nsswitch/winbindd.c 20 May 2002 17:23:17 - -66,6 +66,7 } load_interfaces(); + load_idmap(); return(ret); } Index: source/nsswitch/winbindd.h === RCS file: /cvsroot/samba/source/nsswitch/winbindd.h,v retrieving revision 1.3.4.8 diff -u -r1.3.4.8 winbindd.h --- source/nsswitch/winbindd.h 10 Apr 2002 00:40:10 - 1.3.4.8 +++ source/nsswitch/winbindd.h 20 May 2002 17:23:17 - -203,4 +203,15 #define SETENV(name, value, overwrite) ; #endif +/* Required for the winbindd UID/GID mapping plugin */ + +#define WINBINDD_IDMAP_INTERFACE_VERSION 0 +extern struct winbind_idmap_ops *idmap_ops; + +/* Functions for winbind plug-ins */ + +struct winbind_idmap_ops { + BOOL (*allocate_id)(DOM_SID *sid, uid_t *id, BOOL isgroup); +}; + #endif /* _WINBINDD_H */ Index: source/nsswitch/winbindd_idmap.c === RCS file: /cvsroot/samba/source/nsswitch/winbindd_idmap.c,v retrieving revision 1.3.4.13 diff -u -r1.3.4.13 winbindd_idmap.c --- source/nsswitch/winbindd_idmap.c 27 Apr 2002 03:04:08 - 
1.3.4.13 +++ source/nsswitch/winbindd_idmap.c 20 May 2002 17:23:17 - -34,11 +34,91 static TDB_CONTEXT *idmap_tdb; +struct winbind_idmap_ops *idmap_ops; /* idmap plug-in */ + +/* (Re)load the id allocation plugin */ + +BOOL load_idmap(void) { + BOOL rv; + struct winbind_idmap_ops* (*idmap_init)(int *); + static void *idmap_object = NULL; + char *libfile; + int idmap_version; + + libfile = lp_winbind_idmap_object(); + + /* Disable any previously loaded idmap object */ + if ( *libfile == '\0' ) { + DEBUG(5, (No winbindd idmap object defined\n)); + rv = True; + goto bail; + } + + /* if it was previously loaded, unload it before reloading */ + /* TODO: determine if this is even a good thing to support */ + if ( idmap_object != NULL ) { + sys_dlclose(idmap_object); + } + + idmap_object = sys_dlopen(libfile, RTLD_NOW | RTLD_GLOBAL); + if ( idmap_object == NULL ) { + DEBUG(0, (Error opening '%s': %s\n, libfile, sys_dlerror())); + rv = False; + goto bail; + } + + idmap_init = sys_dlsym(idmap_object, idmap_init); + if ( idmap_init == NULL ) { + DEBUG(0, (No idmap_init() symbol found in %s\n, libfile)); + rv = False; + goto bail; + } + + if ( (idmap_ops = idmap_init(idmap_version)) == NULL ) { + DEBUG(0, (idmap_init function from %s failed\n, libfile)); + rv = False; + goto bail; + } + + if ( idmap_version != WINBINDD_IDMAP_INTERFACE_VERSION ) { + DEBUG(0, (idmap_init returned wrong interface version info (was %d, should be %d)\n, + idmap_version, WINBINDD_IDMAP_INTERFACE_VERSION)); + rv = False; + goto bail; + } + + DEBUG(5, (Loaded winbind idmap object '%s'\n, libfile)); + DEBUG(5, (idmap_ops-allocate_id is %sdefined\n, +idmap_ops-allocate_id ? 
: NOT )); + return True; + +bail: + if ( idmap_object ) { + sys_dlclose(idmap_object); + idmap_object = NULL; + } + idmap_ops = NULL; + return rv; +} + /* Allocate either a user or group id from the pool */ -static BOOL allocate_id(uid_t *id, BOOL isgroup) +static BOOL allocate_id(DOM_SID *sid, uid_t *id, BOOL isgroup) { int hwm; + char *idmapfile; + + if ( idmap_ops idmap_ops-allocate_id ) { + DEBUG(4,(allocate_id using module '%s'\n, + lp_winbind_idmap_object())); + return(idmap_ops-allocate_id(sid, id, isgroup)); + } + + if ( *(lp_winbind_idmap_object()) ) { + DEBUG(0,(allocate_id configured to use idmap module, but +module failed to load\n)); + return(False); + } /* Get current high water mark */ -105,7 +185,7 /* Allocate a new id for this sid */ -if (id allocate_id(id, isgroup)) { +if (id allocate_id(sid, id, isgroup)) { fstring keystr2; /* Store new id */ Index:
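Review bot: the return value of load_idmap() is dropped at the new `+ load_idmap();` line after load_interfaces() in winbindd.c, so a `winbind idmap object` that cannot be dlopen'd only produces one DEBUG(0) line at startup while winbindd stays up, and from then on every allocate_id() for an unknown SID fails. If a configured-but-unloadable module is meant to be fatal (the changelog says it must not fall back to sequential assignment), check the result here and refuse to start, e.g. `if (!load_idmap()) exit(1);`. Note also that the winbindd.h hunk declares idmap_ops but not load_idmap(), so this call relies on the prototype being generated into the proto header.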
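Review bot: in the winbindd.h hunk, `BOOL (*allocate_id)(DOM_SID *sid, uid_t *id, BOOL isgroup);` hands a module a uid_t pointer for gids as well, with isgroup as the only hint; that is a type pun on any platform where gid_t and uid_t are not the same type, and the two comment lines above the struct are the entire contract a module author gets. Add a header comment stating that the module must return False and leave *id untouched on failure, and must return the same id for the same SID on repeated calls, and say that WINBINDD_IDMAP_INTERFACE_VERSION has to be bumped whenever this struct changes; a separate gid_t out-parameter (or a union) would remove the pun.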
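Review bot: the reload path in load_idmap() (winbindd_idmap.c, hunk -34,11 +34,91) closes the old object before the new one is known to work: `sys_dlclose(idmap_object);` runs first, then sys_dlopen(), sys_dlsym() or idmap_init() may fail, and bail sets idmap_ops = NULL, so a HUP with a typo in the path silently disables a module that was working. Open and validate the new object into temporaries first and only dlclose the old handle after the version check passes. Three smaller points in the same hunk: RTLD_GLOBAL is not needed when the only entry point is fetched with sys_dlsym(), and RTLD_LOCAL keeps a module's symbols (and a reloaded second copy of them) from shadowing winbindd's own; the library named by lp_winbind_idmap_object() is loaded and its idmap_init() executed with winbindd's privileges with no check on the file, the same trust as a VFS module but worth a sentence in the readme; and `char *idmapfile;` in allocate_id() is declared but never used and will draw a warning. Finally, the "configured to use idmap module, but module failed to load" branch logs at DEBUG(0) on every allocate_id() call, which floods the log as soon as mappings are requested in a loop; report it once from load_idmap() and at a higher debug level here.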
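Review bot: in hunk -105,7 +185,7 the `allocate_id(sid, id, isgroup)` call and the tdb write that follows under `/* Store new id */` are two records of one mapping with nothing tying them together; if the tdb store fails after the module returned True, the module has handed out an id that winbindd never records. Unless modules are required to return the same id for the same SID on a retry (the header does not say so yet), that id is lost for good, so either document that requirement in winbindd.h or commit the tdb entry before treating the module's allocation as final.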
Re: [PATCH] winbind id assignment module
On Sat, 2002-05-18 at 20:54, Andrew Bartlett wrote: This looks *much* better. I'm not sure on the 'reload' functionality, but I suppose its a good idea. Other than minor things like indenting, (Try 8-space tabs) I think this is well on its way to inclusion. The reload functionality was initially intended to be only load(). My initial look at the existing code suggested that it would get called again after getting a HUP (I have to look into that though...). To me it looked as though it would be easiest just to make it be able to handle a reload. I think that it should work as it is, but I haven't tested it. The two things that I would want to test are 1) does it do what you expect, and 2) does it free up all resources related to the file such that someone debugging a module can count on a day of HUPs rather than restarts and doesn't end up with 50 copies still mapped. As for spacing... I tried to follow the standard that I saw in the file already. I used 4 character tabs, but they should have expanded out OK. I thought that others were using 4 character tabs as well because sections of winbindd_idmap.c have tabs expanded to four characters. In any case, the next version that goes out will get rid of any expanded tabs and any necessary reformatting for prettiness will take place. I like the checking of the .so at loadparm time - it's a nice touch. Thanks! Mike
Re: Samba 2.2.X, PAM and Kerberos5
On Wed, 2002-05-15 at 10:23, Steve Langasek wrote: I'm not sure why the 'appdata_ptr == NULL' check is there, but I seem to remember that it's true that Solaris does not honor the appdata_ptr field. If Samba now depends on sane handling of appdata_ptr, then it's likely that this won't work on Solaris. As I was looking at implementing Kerberos, I found the Solaris pam_krb5 to be so bug-ridden that I had pretty much rejected it.
Bug 4464325 - su dumps core when pam_krb5 is enabled. Reported 5/29/2001, fixed on Solaris 8 with 109805-05 (2/21/2002)
Bug - pam_krb5.so.1 dumps core in pam_sm_setcred. Reported 9/26/2001, fixed in Solaris 9 build 54, no fix for Solaris 8 as of 5/15/2002
Service order 62638039 - in.rshd dumps core after configuring Kerberos. Case was closed stating it was a documentation error. I was never told that this case was going to be closed. I only found out it was closed after the fact. No fix or workaround was even suggested. Really nice to see that network facing services that must run as root can be caused to core dump due to a documentation error.
Bug 4507496 - pam_krb5 is confused between pam_authenticate and pam_setcred. Reported 10/12/2001, not fixed as of 5/15/2002
Note that none of these problems are fixed for Solaris 7 (SEAM 1.0). Using pam_krb5 1.31 from Redhat 7.1 resolved every one of these issues. And now to wander offtopic (and vent) a bit... Sun's kerberos implementation has several other issues that made me quite leery of using any parts of it. I tried to work with Sun to resolve these issues for Solaris 7 and 8, but they were unable to find the time to work on Solaris 7 or 8 in favor of new development on 9. If you are using a Sun kerberos implementation, be sure that you have an empty /.k5login. Else, [EMAIL PROTECTED] can telnet/rsh/whatever to root on any other host without giving a password and without the standard remote root login restrictions that one would expect to be controlled by /etc/default/login. See krb5_auth_rules(5) from SEAM for details. As a result of this unexpected behavior I requested the following as part of a service call, but got no response. Could you please file two RFEs? 1) Update each Sun Enterprise Authentication Mechanism x.y.z Guide with the warning mentioned above. There should also be a mention of this difference in the SEAM Interoperability with MIT section of SEAM x.y.z Installation and Release Notes. 2) Update telnetd(1M), rlogind(1M) and rshd(1M) to include the warning and update the SEE ALSO section of each of the man pages to refer to krb5_auth_rules(5). Mike
Re: winbind UID, GID assignment
On Mon, 2002-05-13 at 16:51, Andrew Bartlett wrote: The problem is that we may not be able to resolve the SID at this time. We can't even assume that the DC is even contactable in some situations, let alone that it is alive and responding to requests in a timely manner. Does that mean that the only problem that you have with the approach used is that it relies upon knowing the domain and user or group name? If so, would it make more sense to pass the sid to allocate_id() and the plug-in would be responsible for allocating a uid/gid based upon that? Presumably in my idmap_files plug-in this would mean that the fields would be sid:id. Mike
Re: winbindd uid and gid range assumptions
On Mon, 2002-05-13 at 18:42, Andrew Bartlett wrote: Moving over the socket is a very expensive operation, particularly compared to a simple if statement. Also, where we know that a uid is local, we need to check with code that winbind isn't linked to - the passdb backend. So in a situation where you have UIDs interspersed between NIS and domain users, it may be cheaper to check to see if it is local first followed by winbind. At least this may be better in my situation, as each of my NFS/Samba servers is already an NIS slave. Even though a UID lookup may have to talk to nscd and/or ypserv, it is still on the same machine, thus avoiding network delays. Perhaps this would be a place where the plug-in architecture could be useful as well. Checks could all be relegated to idmap_ops->islocal(). The default op could be to check the winbind id range. Others that are willing to or need to pay the price of a socket operation will have the option of doing so. Presumably islocal() would not just be a straight BOOL operation. I could imagine it replying True, False, LocalFirst, or DomainFirst. But yes, we need to deal with things like getting the uid from the SFU LDAP schema, so this may well change in the future. Do you have any relative time frame or rough release number that you are shooting for? Do you see a plug-in that merges the functionality of the existing idmap to the architecture present in the VFS, or should I start barking up a different tree? Mike
Re: [SUCCESS] RE: Samba, winbind, solaris and your patch
On Tue, 2002-05-14 at 11:30, [EMAIL PROTECTED] wrote: Hello Mike, in the end it works. I applied your patch to winbind, although it seemed to be applied while I compiled your idmap_files.so. compiled and installed nss_winbind.so restarted nscd restarted winbind I guess I should have been more clear... the idmap_files tarball does not contain the patch. You have to apply that yourself. Mike
Re: VFS Question: Is there more vfs_ops ...( difference betweenvfs.c/vfs-wrap.c )
On Tue, 2002-05-14 at 11:28, [EMAIL PROTECTED] wrote: What's the difference between vfs.c and vfs-wrap.c ... the code doesn't have many comments. vfs.c has all the handling for the VFS plugin mechanism, as well as various utility functions. vfs-wrap.c is the default module. If no VFS module exists that provides the functions defined in vfs-wrap.c, then vfs-wrap's functions are called. Why would I put code into vfs-wrap.c ... wouldn't future upgrades go easier if it was a vfs module? Non-bugfix changes that you make would most likely go into your own vfs module. Or does that limit the cmds/functions you have? For code in a VFS module to be called, it must either be one of the defined functions in vfs_ops, or it must be called from one of those functions. Can I get the workstation that made the connection? Every vfs call has a connection_struct as its first argument. A quick look at include/smb.h reveals that one of the items in that struct is: char client_address[18]; /* String version of client IP address. */ Mike
Re: winbind UID, GID assignment
On Mon, 2002-05-13 at 07:35, Andrew Bartlett wrote: The username and domain may not be known at the time a mapping is required. That's the easy bit - we might not even know if it is a uid or gid! Have you taken a look at the patch that I created? If not, please take a look at http://www.cae.wisc.edu/~gerdts/samba/ and let me know if the changes to nsswitch/winbindd_idmap.c address the issue of not knowing whether the SID is a user or group (or other..) SID. There is more to this whole mess than meets the eye, but yes, we do need to allow an arbitrary SID->uid/gid, uid/gid->SID backend system. Would you be open to following a structure like the VFS uses now? The existing functions could go into the default_idmap_ops structure and plugins could replace any or all of those ops. I am quite motivated to provide a patch that does this. Mike
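Both "winbind UID, GID assignment" messages above converge on handing the SID itself to allocate_id() so that a plug-in such as idmap_files can work from "sid:id" lines instead of domain and user names. The following is an added example of such an allocator, written for this page; it is not Samba code and not the idmap_files module from the tarball. It assumes one mapping file per id space (users and groups, selected by isgroup in the real interface), a fixed inclusive range in the style of "winbind uid = 10000-20000", and the sample mapping lines embedded below are constructed. Like the patch, it fails closed: a malformed file, an invalid SID or an exhausted range yields no id rather than a guessed one.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IDMAP_MAX 64
#define SID_LEN   64

/* One "sid:id" line from the mapping file (the format suggested in the
 * thread for idmap_files once allocate_id() receives the SID). */
struct idmap_entry {
    char sid[SID_LEN];
    unsigned int id;
};

/* One table per id space (users or groups), each with its own inclusive
 * range. Assumption: the plug-in keeps a separate file for each space. */
struct idmap_table {
    struct idmap_entry ent[IDMAP_MAX];
    size_t count;
    unsigned int lo, hi;
};

/* Accept only the "S-1-..." shape (digits and dashes, no trailing dash).
 * A garbled name is refused rather than silently given an id. */
static bool sid_looks_valid(const char *sid)
{
    size_t n = strlen(sid);
    if (n < 5 || n >= SID_LEN || strncmp(sid, "S-1-", 4) != 0 || sid[n - 1] == '-')
        return false;
    for (const char *p = sid + 4; *p; p++)
        if (*p != '-' && (*p < '0' || *p > '9'))
            return false;
    return true;
}

static bool id_in_use(const struct idmap_table *t, unsigned int id)
{
    for (size_t i = 0; i < t->count; i++)
        if (t->ent[i].id == id)
            return true;
    return false;
}

/* Parse "sid:id" lines ('#' comments and blank lines allowed) into t.
 * Returns the entry count, or -1 on any malformed or duplicate line: a
 * half-loaded table must not be used, in the spirit of the patch's
 * "module failed to load, so no sequential fallback" rule. */
int idmap_parse(struct idmap_table *t, const char *text,
                unsigned int lo, unsigned int hi)
{
    memset(t, 0, sizeof *t);
    if (lo > hi || hi == UINT_MAX)
        return -1;
    t->lo = lo;
    t->hi = hi;
    for (const char *line = text; *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[128];
        if (len >= sizeof buf || t->count >= IDMAP_MAX)
            return -1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        line += nl ? len + 1 : len;
        if (buf[0] == '\0' || buf[0] == '#')
            continue;
        char *colon = strchr(buf, ':');
        if (!colon || colon[1] < '0' || colon[1] > '9')   /* no sign, no blank */
            return -1;
        *colon = '\0';
        char *end;
        unsigned long id = strtoul(colon + 1, &end, 10);
        if (*end != '\0' || id > UINT_MAX || !sid_looks_valid(buf))
            return -1;
        for (size_t i = 0; i < t->count; i++)             /* duplicates */
            if (strcmp(t->ent[i].sid, buf) == 0 || t->ent[i].id == id)
                return -1;
        strcpy(t->ent[t->count].sid, buf);
        t->ent[t->count].id = (unsigned int)id;
        t->count++;
    }
    return (int)t->count;
}

/* The plug-in entry point the thread converges on: map a SID to an id,
 * allocating the lowest free id in [lo, hi] when the SID is new. Ids
 * pre-assigned in the file are honoured as-is; a new SID never gets an
 * id outside the range, and an exhausted range is a hard failure. */
bool idmap_allocate_id(struct idmap_table *t, const char *sid, unsigned int *id)
{
    if (!sid_looks_valid(sid))
        return false;
    for (size_t i = 0; i < t->count; i++)
        if (strcmp(t->ent[i].sid, sid) == 0) {
            *id = t->ent[i].id;            /* stable: same SID, same id */
            return true;
        }
    if (t->count >= IDMAP_MAX)
        return false;
    for (unsigned int cand = t->lo; cand <= t->hi; cand++) {
        if (id_in_use(t, cand))
            continue;
        strcpy(t->ent[t->count].sid, sid);
        t->ent[t->count].id = cand;
        t->count++;
        *id = cand;
        return true;
    }
    return false;                          /* range exhausted */
}

/* Constructed sample user mapping file, not real data. */
static const char USER_MAP[] =
    "# sid:uid\n"
    "S-1-5-21-1000-2000-3000-1103:10003\n"
    "S-1-5-21-1000-2000-3000-500:10000\n";

int main(void)
{
    struct idmap_table users;
    unsigned int id;
    if (idmap_parse(&users, USER_MAP, 10000, 10009) < 0)
        return 1;
    if (idmap_allocate_id(&users, "S-1-5-21-1000-2000-3000-1103", &id))
        printf("known SID -> uid %u\n", id);
    if (idmap_allocate_id(&users, "S-1-5-21-1000-2000-3000-1200", &id))
        printf("new SID   -> uid %u\n", id);
    return 0;
}
```

The allocation is in memory only; a real module would append the new line to the file and fsync it before returning True, since winbindd writes its own tdb copy of the mapping right after the call and the two records have to agree on the next HUP.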
Re: [PATCH] winbind kills nscd on Solaris
On Thu, 2002-05-09 at 22:58, Tim Potter wrote: On Fri, May 10, 2002 at 11:10:58AM +1000, Tim Potter wrote: Solaris has a couple extra fields in struct passwd. Since getpwent(3c) says that pw_age and pw_comment are not used, it seems reasonable not to fill them in. nscd may not use them, but assumes that they at least are pointers to allocated buffers. Since they are not pointers to allocated buffers, a SEGV occurs. OK I've checked in a patch to the HEAD branch. Would you mind seeing if this correctly fixes the problem? If so I'll merge it into the other branches. Tim. One question about your implementation...
#if HAVE_PASSWD_PW_COMMENT
result->pw_comment = "";
#endif
#if HAVE_PASSWD_PW_AGE
result->pw_age = "";
#endif
Does "" get allocated statically, or on the stack? If it gets allocated on the stack, then garbage could replace it at some time in the future. Mike
Re: [PATCH] winbind kills nscd on Solaris
On Fri, 2002-05-10 at 09:13, Mike Gerdts wrote: Does "" get allocated statically, or on the stack? If it gets allocated on the stack, then garbage could replace it at some time in the future. Mike I just found a copy of K&R and answered the question for myself. For anyone else that cares, K&R A2.6 says that string literals have a storage type of static. According to A4.1, Static objects may be local to a block or external to all blocks, but in either case retain their values across exit from and reentry to functions and blocks. Mike
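The two "[PATCH] winbind kills nscd on Solaris" messages above are about a struct passwd whose extra Solaris members were left as uninitialised pointers that nscd then dereferenced, and whether pointing them at a "" literal is still safe once the function that assigned it has returned. The example below is added here and is not Tim Potter's patch or Samba's nss code: it uses a private copy of the Solaris passwd layout (pw_age and pw_comment between pw_gid and pw_gecos, assumed from the thread so the example builds anywhere), fills it the way a reentrant NSS backend must, and includes the pointer check that a crash in nscd performs the hard way. The record it fills is constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

/* Private stand-in for the Solaris struct passwd discussed in the thread
 * (assumed layout; the real one is in <pwd.h>). */
struct sol_passwd {
    char *pw_name;
    char *pw_passwd;
    uid_t pw_uid;
    gid_t pw_gid;
    char *pw_age;
    char *pw_comment;
    char *pw_gecos;
    char *pw_dir;
    char *pw_shell;
};

/* String literals have static storage duration (K&R A2.6, A4.1), so a
 * pointer to "" remains valid after the assigning function returns. */
static char *const EMPTY = "";

/* The question asked in the thread, as code: the local variable lives on
 * the stack, the literal it points to does not. */
const char *empty_after_return(void)
{
    char *local = "";
    return local;
}

/* Copy s into the caller's buffer and advance the cursor; NULL if full. */
static char *put(char **cur, char *end, const char *s)
{
    size_t n = strlen(s) + 1;
    if ((size_t)(end - *cur) < n)
        return NULL;
    char *dst = memcpy(*cur, s, n);
    *cur += n;
    return dst;
}

/* Fill result the way a reentrant NSS backend must: every char* member
 * ends up pointing into buf or at static storage, never left as garbage.
 * Returns 0, or ERANGE if buf is too small (the getpwnam_r convention). */
int fill_passwd(struct sol_passwd *result, char *buf, size_t buflen,
                const char *name, uid_t uid, gid_t gid,
                const char *gecos, const char *dir, const char *shell)
{
    char *cur = buf, *end = buf + buflen;
    memset(result, 0, sizeof *result);      /* no member is ever uninitialised */
    if (!(result->pw_name   = put(&cur, end, name))  ||
        !(result->pw_passwd = put(&cur, end, "x"))   ||
        !(result->pw_gecos  = put(&cur, end, gecos)) ||
        !(result->pw_dir    = put(&cur, end, dir))   ||
        !(result->pw_shell  = put(&cur, end, shell)))
        return ERANGE;
    result->pw_uid = uid;
    result->pw_gid = gid;
    result->pw_age = EMPTY;       /* unused on Solaris, but nscd still expects */
    result->pw_comment = EMPTY;   /* a pointer it can dereference */
    return 0;
}

/* The check nscd effectively performs by dereferencing: is every pointer
 * member either inside [buf, buf+buflen) or the static empty string? */
int passwd_pointers_ok(const struct sol_passwd *p, const char *buf, size_t buflen)
{
    char *const members[] = { p->pw_name, p->pw_passwd, p->pw_age, p->pw_comment,
                              p->pw_gecos, p->pw_dir, p->pw_shell };
    uintptr_t lo = (uintptr_t)buf, hi = lo + buflen;
    for (size_t i = 0; i < sizeof members / sizeof members[0]; i++) {
        uintptr_t m = (uintptr_t)members[i];
        if (members[i] == EMPTY)
            continue;
        if (members[i] == NULL || m < lo || m >= hi)
            return 0;
    }
    return 1;
}
```

The memset at the top of fill_passwd is the line that would have prevented the nscd crash on its own; the explicit "" assignments then make the unused members not merely non-garbage but safe to print.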